[ { "path": ".cirrus.yml", "content": "freebsd_task:\n name: FreeBSD\n\n matrix:\n - name: FreeBSD 14.3\n freebsd_instance:\n image_family: freebsd-14-3\n\n pkginstall_script:\n - pkg update -f\n - pkg install -y go125\n - pkg install -y git\n\n setup_script:\n - ln -s /usr/local/bin/go125 /usr/local/bin/go\n - pw groupadd sftpgo\n - pw useradd sftpgo -g sftpgo -w none -m\n - mkdir /home/sftpgo/sftpgo\n - cp -R . /home/sftpgo/sftpgo\n - chown -R sftpgo:sftpgo /home/sftpgo/sftpgo\n\n compile_script:\n - su sftpgo -c 'cd ~/sftpgo && go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags \"-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`\" -o sftpgo'\n - su sftpgo -c 'cd ~/sftpgo/tests/eventsearcher && go build -trimpath -ldflags \"-s -w\" -o eventsearcher'\n - su sftpgo -c 'cd ~/sftpgo/tests/ipfilter && go build -trimpath -ldflags \"-s -w\" -o ipfilter'\n\n check_script:\n - su sftpgo -c 'cd ~/sftpgo && ./sftpgo initprovider && ./sftpgo resetprovider --force'\n\n test_script:\n - su sftpgo -c 'cd ~/sftpgo && go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 20m ./... -coverprofile=coverage.txt -covermode=atomic'\n" }, { "path": ".github/FUNDING.yml", "content": "# These are supported funding model platforms\n\ngithub: [drakkan] # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]\npatreon: # Replace with a single Patreon username\nopen_collective: # Replace with a single Open Collective username\nko_fi: # Replace with a single Ko-fi username\ntidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel\ncommunity_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry\nliberapay: # Replace with a single Liberapay username\nissuehunt: # Replace with a single IssueHunt username\notechie: # Replace with a single Otechie username\ncustom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']\n" }, { "path": ".github/ISSUE_TEMPLATE/bug_report.yml", "content": "name: Open Source Bug Report\ndescription: \"Submit a report and help us improve SFTPGo\"\ntitle: \"[Bug]: \"\nlabels: [\"bug\"]\nbody:\n - type: markdown\n attributes:\n value: |\n ### 👍 Thank you for contributing to our project!\n Before asking for help please check our [support policy](https://github.com/drakkan/sftpgo?tab=readme-ov-file#support).\n If you are a [commercial user](https://sftpgo.com/) please contact us using the dedicated [email address](mailto:support@sftpgo.com).\n If you'd like to contribute code, please make sure to read and understand our [Contributor License Agreement (CLA)](https://sftpgo.com/cla.html).\n You’ll be asked to accept it when submitting a pull request.\n - type: checkboxes\n id: before-posting\n attributes:\n label: \"⚠️ This issue respects the following points: ⚠️\"\n description: All conditions are **required**.\n options:\n - label: This is a **bug**, not a question or a configuration issue.\n required: true\n - label: This issue is **not** already reported on Github _(I've searched it)_.\n required: true\n - type: textarea\n id: bug-description\n attributes:\n label: Bug description\n description: |\n Provide a description of the bug you're experiencing.\n Don't just expect someone will guess what your specific problem is and provide full details.\n validations:\n required: true\n - type: textarea\n id: reproduce\n attributes:\n label: Steps to reproduce\n description: |\n Describe the steps to reproduce the bug.\n The better your description is the fastest you'll get an _(accurate)_ answer.\n value: |\n 1.\n 2.\n 3.\n validations:\n required: true\n - type: textarea\n id: expected-behavior\n attributes:\n label: Expected behavior\n description: Describe what you expected to happen instead.\n validations:\n required: true\n - type: input\n id: version\n attributes:\n label: SFTPGo version\n validations:\n required: true\n - type: input\n id: data-provider\n attributes:\n label: Data provider\n validations:\n required: true\n - type: dropdown\n id: install-method\n attributes:\n label: Installation method\n description: |\n Select installation method you've used.\n _Describe the method in the \"Additional info\" section if you chose \"Other\"._\n options:\n - \"Community Docker image\"\n - \"Community Deb package\"\n - \"Community RPM package\"\n - \"Other\"\n validations:\n required: true\n - type: textarea\n attributes:\n label: Configuration\n description: \"Describe your customizations to the configuration: both config file changes and overrides via environment variables\"\n value: config\n validations:\n required: true\n - type: textarea\n id: logs\n attributes:\n label: Relevant log output\n description: Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks.\n render: shell\n - type: dropdown\n id: usecase\n attributes:\n label: What are you using SFTPGo for?\n description: We'd like to understand your SFTPGo usecase more\n multiple: true\n options:\n - \"Private user, home usecase (home backup/VPS)\"\n - \"Professional user, 1 person business\"\n - \"Small business (3-person firm with file exchange?)\"\n - \"Medium business\"\n - \"Enterprise\"\n validations:\n required: true\n - type: textarea\n id: additional-info\n attributes:\n label: Additional info\n description: Any additional information related to the issue." }, { "path": ".github/ISSUE_TEMPLATE/config.yml", "content": "blank_issues_enabled: false\ncontact_links:\n - name: Commercial Support\n url: https://sftpgo.com/\n about: >\n If you need Professional support, so your reports are prioritized and resolved more quickly.\n - name: GitHub Community Discussions\n url: https://github.com/drakkan/sftpgo/discussions\n about: Please ask and answer questions here.\n" }, { "path": ".github/ISSUE_TEMPLATE/feature_request.yml", "content": "name: 🚀 Feature request\ndescription: Suggest an idea for SFTPGo\nlabels: [\"suggestion\"]\nbody:\n - type: markdown\n attributes:\n value: |\n ### 👍 Thank you for contributing to our project!\n Before asking for help please check our [support policy](https://github.com/drakkan/sftpgo?tab=readme-ov-file#support).\n If you are a [commercial user](https://sftpgo.com/) please contact us using the dedicated [email address](mailto:support@sftpgo.com).\n If you'd like to contribute code, please make sure to read and understand our [Contributor License Agreement (CLA)](https://sftpgo.com/cla.html).\n You’ll be asked to accept it when submitting a pull request.\n - type: textarea\n attributes:\n label: Is your feature request related to a problem? Please describe.\n description: A clear and concise description of what the problem is.\n validations:\n required: false\n - type: textarea\n attributes:\n label: Describe the solution you'd like\n description: A clear and concise description of what you want to happen.\n validations:\n required: true\n - type: textarea\n attributes:\n label: Describe alternatives you've considered\n description: A clear and concise description of any alternative solutions or features you've considered.\n validations:\n required: false\n - type: dropdown\n id: usecase\n attributes:\n label: What are you using SFTPGo for?\n description: We'd like to understand your SFTPGo usecase more\n multiple: true\n options:\n - \"Private user, home usecase (home backup/VPS)\"\n - \"Professional user, 1 person business\"\n - \"Small business (3-person firm with file exchange?)\"\n - \"Medium business\"\n - \"Enterprise\"\n validations:\n required: true\n - type: textarea\n attributes:\n label: Additional context\n description: Add any other context or screenshots about the feature request here.\n validations:\n required: false" }, { "path": ".github/PULL_REQUEST_TEMPLATE.md", "content": "# Checklist for Pull Requests\n\n- [ ] Have you signed the [Contributor License Agreement](https://sftpgo.com/cla.html)?\n\n---\n" }, { "path": ".github/dependabot.yml", "content": "version: 2\n\nupdates:\n #- package-ecosystem: \"gomod\"\n # directory: \"/\"\n # schedule:\n # interval: \"weekly\"\n # open-pull-requests-limit: 2\n\n - package-ecosystem: \"docker\"\n directory: \"/\"\n schedule:\n interval: \"weekly\"\n open-pull-requests-limit: 2\n\n - package-ecosystem: \"github-actions\"\n directory: \"/\"\n schedule:\n interval: \"weekly\"\n open-pull-requests-limit: 2\n" }, { "path": ".github/workflows/.editorconfig", "content": "[*.yml]\nindent_size = 2\n" }, { "path": ".github/workflows/codeql.yml", "content": "name: \"Code scanning - action\"\n\non:\n push:\n pull_request:\n schedule:\n - cron: '30 1 * * 6'\n\njobs:\n CodeQL-Build:\n runs-on: ubuntu-latest\n\n permissions:\n security-events: write\n\n steps:\n - name: Checkout repository\n uses: actions/checkout@v6\n with:\n fetch-depth: 0\n\n - name: Set up Go\n uses: actions/setup-go@v6\n with:\n go-version: '1.25'\n\n - name: Initialize CodeQL\n uses: github/codeql-action/init@v4\n with:\n languages: go\n\n - name: Autobuild\n uses: github/codeql-action/autobuild@v4\n\n - name: Perform CodeQL Analysis\n uses: github/codeql-action/analyze@v4" }, { "path": ".github/workflows/development.yml", "content": "name: CI\n\non:\n push:\n branches: [main]\n pull_request:\n\npermissions:\n id-token: write\n contents: read\n\njobs:\n test-deploy:\n name: Test and deploy\n runs-on: ${{ matrix.os }}\n strategy:\n matrix:\n go: ['1.26']\n os: [ubuntu-latest, macos-latest]\n\n steps:\n - uses: actions/checkout@v6\n with:\n fetch-depth: 0\n\n - name: Set up Go\n uses: actions/setup-go@v6\n with:\n go-version: ${{ matrix.go }}\n\n - name: Build for Linux/macOS x86_64\n run: |\n go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags \"-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`\" -o sftpgo\n cd tests/eventsearcher\n go build -trimpath -ldflags \"-s -w\" -o eventsearcher\n cd -\n cd tests/ipfilter\n go build -trimpath -ldflags \"-s -w\" -o ipfilter\n cd -\n ./sftpgo initprovider\n ./sftpgo resetprovider --force\n\n - name: Build for macOS arm64\n if: startsWith(matrix.os, 'macos-') == true\n run: CGO_ENABLED=1 GOOS=darwin GOARCH=arm64 SDKROOT=$(xcrun --sdk macosx --show-sdk-path) go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags \"-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`\" -o sftpgo_arm64\n\n - name: Run test cases using SQLite provider\n run: go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 15m ./... -coverprofile=coverage.txt -covermode=atomic\n\n - name: Upload coverage to Codecov\n uses: codecov/codecov-action@v5\n with:\n files: ./coverage.txt\n fail_ci_if_error: false\n token: ${{ secrets.CODECOV_TOKEN }}\n\n - name: Run test cases using bolt provider\n run: |\n go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 2m ./internal/config -covermode=atomic\n go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 5m ./internal/common -covermode=atomic\n go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 5m ./internal/httpd -covermode=atomic\n go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 8m ./internal/sftpd -covermode=atomic\n go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 5m ./internal/ftpd -covermode=atomic\n go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 5m ./internal/webdavd -covermode=atomic\n go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 2m ./internal/telemetry -covermode=atomic\n go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 2m ./internal/mfa -covermode=atomic\n go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 2m ./internal/command -covermode=atomic\n env:\n SFTPGO_DATA_PROVIDER__DRIVER: bolt\n SFTPGO_DATA_PROVIDER__NAME: 'sftpgo_bolt.db'\n\n - name: Run test cases using memory provider\n run: go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 15m ./... -covermode=atomic\n env:\n SFTPGO_DATA_PROVIDER__DRIVER: memory\n SFTPGO_DATA_PROVIDER__NAME: ''\n\n - name: Prepare build artifact for macOS\n if: startsWith(matrix.os, 'macos-') == true\n run: |\n mkdir -p output/{init,bash_completion,zsh_completion}\n cp sftpgo output/sftpgo_x86_64\n cp sftpgo_arm64 output/\n cp sftpgo.json output/\n cp -r templates output/\n cp -r static output/\n cp -r openapi output/\n cp init/com.github.drakkan.sftpgo.plist output/init/\n ./sftpgo gen completion bash > output/bash_completion/sftpgo\n ./sftpgo gen completion zsh > output/zsh_completion/_sftpgo\n ./sftpgo gen man -d output/man/man1\n gzip output/man/man1/*\n\n - name: Upload build artifact\n if: startsWith(matrix.os, 'ubuntu-') != true\n uses: actions/upload-artifact@v7\n with:\n name: sftpgo-${{ matrix.os }}-go-${{ matrix.go }}\n path: output\n\n test-deploy-windows:\n name: Test and deploy Windows\n runs-on: windows-latest\n\n steps:\n - uses: actions/checkout@v6\n with:\n fetch-depth: 0\n\n - name: Set up Go\n uses: actions/setup-go@v6\n with:\n go-version: '1.26'\n\n - name: Run test cases using SQLite provider\n run: |\n cd tests/eventsearcher\n go build -trimpath -ldflags \"-s -w\" -o eventsearcher.exe\n cd ../..\n cd tests/ipfilter\n go build -trimpath -ldflags \"-s -w\" -o ipfilter.exe\n cd ../..\n go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 15m ./... -coverprofile=coverage.txt -covermode=atomic\n\n - name: Run test cases using bolt provider\n run: |\n go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 2m ./internal/config -covermode=atomic\n go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 5m ./internal/common -covermode=atomic\n go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 5m ./internal/httpd -covermode=atomic\n go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 8m ./internal/sftpd -covermode=atomic\n go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 5m ./internal/ftpd -covermode=atomic\n go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 5m ./internal/webdavd -covermode=atomic\n go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 2m ./internal/telemetry -covermode=atomic\n go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 2m ./internal/mfa -covermode=atomic\n go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 2m ./internal/command -covermode=atomic\n env:\n SFTPGO_DATA_PROVIDER__DRIVER: bolt\n SFTPGO_DATA_PROVIDER__NAME: 'sftpgo_bolt.db'\n\n - name: Run test cases using memory provider\n run: go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 15m ./... -covermode=atomic\n env:\n SFTPGO_DATA_PROVIDER__DRIVER: memory\n SFTPGO_DATA_PROVIDER__NAME: ''\n\n - name: Build\n run: |\n $GIT_COMMIT = (git describe --always --abbrev=8 --dirty) | Out-String\n $DATE_TIME = ([datetime]::Now.ToUniversalTime().toString(\"yyyy-MM-ddTHH:mm:ssZ\")) | Out-String\n $LATEST_TAG = ((git describe --tags $(git rev-list --tags --max-count=1)) | Out-String).Trim()\n $REV_LIST=$LATEST_TAG+\"..HEAD\"\n $COMMITS_FROM_TAG= ((git rev-list $REV_LIST --count) | Out-String).Trim()\n $FILE_VERSION = $LATEST_TAG.substring(1) + \".\" + $COMMITS_FROM_TAG\n go install github.com/tc-hib/go-winres@latest\n go-winres simply --arch amd64 --product-version $LATEST_TAG-dev-$GIT_COMMIT --file-version \"$FILE_VERSION\" --file-description \"SFTPGo server\" --product-name SFTPGo --copyright \"2019-2025 Nicola Murino\" --original-filename sftpgo.exe --icon .\\windows-installer\\icon.ico\n go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags \"-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=$GIT_COMMIT -X github.com/drakkan/sftpgo/v2/internal/version.date=$DATE_TIME\" -o sftpgo.exe\n mkdir arm64\n $Env:CGO_ENABLED='0'\n $Env:GOOS='windows'\n $Env:GOARCH='arm64'\n go-winres simply --arch arm64 --product-version $LATEST_TAG-dev-$GIT_COMMIT --file-version \"$FILE_VERSION\" --file-description \"SFTPGo server\" --product-name SFTPGo --copyright \"2019-2025 Nicola Murino\" --original-filename sftpgo.exe --icon .\\windows-installer\\icon.ico\n go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules,nosqlite -ldflags \"-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=$GIT_COMMIT -X github.com/drakkan/sftpgo/v2/internal/version.date=$DATE_TIME\" -o .\\arm64\\sftpgo.exe\n mkdir x86\n $Env:GOARCH='386'\n go-winres simply --arch 386 --product-version $LATEST_TAG-dev-$GIT_COMMIT --file-version \"$FILE_VERSION\" --file-description \"SFTPGo server\" --product-name SFTPGo --copyright \"2019-2025 Nicola Murino\" --original-filename sftpgo.exe --icon .\\windows-installer\\icon.ico\n go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules,nosqlite -ldflags \"-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=$GIT_COMMIT -X github.com/drakkan/sftpgo/v2/internal/version.date=$DATE_TIME\" -o .\\x86\\sftpgo.exe\n Remove-Item Env:\\CGO_ENABLED\n Remove-Item Env:\\GOOS\n Remove-Item Env:\\GOARCH\n\n - name: Initialize data provider\n run: |\n rm sftpgo.db\n ./sftpgo initprovider\n shell: bash\n\n - name: Prepare Windows installers\n if: ${{ github.event_name != 'pull_request' }}\n run: |\n choco install innosetup\n Remove-Item -LiteralPath \"output\" -Force -Recurse -ErrorAction Ignore\n mkdir output\n copy .\\sftpgo.exe .\\output\n copy .\\sftpgo.json .\\output\n copy .\\sftpgo.db .\\output\n copy .\\LICENSE .\\output\\LICENSE.txt\n copy .\\NOTICE .\\output\\NOTICE.txt\n mkdir output\\templates\n xcopy .\\templates .\\output\\templates\\ /E\n mkdir output\\static\n xcopy .\\static .\\output\\static\\ /E\n mkdir output\\openapi\n xcopy .\\openapi .\\output\\openapi\\ /E\n $LATEST_TAG = ((git describe --tags $(git rev-list --tags --max-count=1)) | Out-String).Trim()\n $REV_LIST=$LATEST_TAG+\"..HEAD\"\n $COMMITS_FROM_TAG= ((git rev-list $REV_LIST --count) | Out-String).Trim()\n $Env:SFTPGO_ISS_DEV_VERSION = $LATEST_TAG + \".\" + $COMMITS_FROM_TAG\n iscc .\\windows-installer\\sftpgo.iss\n\n rm .\\output\\sftpgo.exe\n rm .\\output\\sftpgo.db\n copy .\\arm64\\sftpgo.exe .\\output\n (Get-Content .\\output\\sftpgo.json).replace('\"sqlite\"', '\"bolt\"') | Set-Content .\\output\\sftpgo.json\n $Env:SFTPGO_DATA_PROVIDER__DRIVER='bolt'\n $Env:SFTPGO_DATA_PROVIDER__NAME='.\\output\\sftpgo.db'\n .\\sftpgo.exe initprovider\n Remove-Item Env:\\SFTPGO_DATA_PROVIDER__DRIVER\n Remove-Item Env:\\SFTPGO_DATA_PROVIDER__NAME\n $Env:SFTPGO_ISS_ARCH='arm64'\n iscc .\\windows-installer\\sftpgo.iss\n\n rm .\\output\\sftpgo.exe\n copy .\\x86\\sftpgo.exe .\\output\n $Env:SFTPGO_ISS_ARCH='x86'\n iscc .\\windows-installer\\sftpgo.iss\n\n - name: Upload Windows installer x86_64 artifact\n if: ${{ github.event_name != 'pull_request' }}\n uses: actions/upload-artifact@v7\n with:\n name: sftpgo_windows_installer_x86_64\n path: ./sftpgo_windows_x86_64.exe\n\n - name: Upload Windows installer arm64 artifact\n if: ${{ github.event_name != 'pull_request' }}\n uses: actions/upload-artifact@v7\n with:\n name: sftpgo_windows_installer_arm64\n path: ./sftpgo_windows_arm64.exe\n\n - name: Upload Windows installer x86 artifact\n if: ${{ github.event_name != 'pull_request' }}\n uses: actions/upload-artifact@v7\n with:\n name: sftpgo_windows_installer_x86\n path: ./sftpgo_windows_x86.exe\n\n - name: Prepare build artifact for Windows\n run: |\n Remove-Item -LiteralPath \"output\" -Force -Recurse -ErrorAction Ignore\n mkdir output\n copy .\\sftpgo.exe .\\output\n mkdir output\\arm64\n copy .\\arm64\\sftpgo.exe .\\output\\arm64\n mkdir output\\x86\n copy .\\x86\\sftpgo.exe .\\output\\x86\n copy .\\sftpgo.json .\\output\n (Get-Content .\\output\\sftpgo.json).replace('\"sqlite\"', '\"bolt\"') | Set-Content .\\output\\sftpgo.json\n mkdir output\\templates\n xcopy .\\templates .\\output\\templates\\ /E\n mkdir output\\static\n xcopy .\\static .\\output\\static\\ /E\n mkdir output\\openapi\n xcopy .\\openapi .\\output\\openapi\\ /E\n\n - name: Upload build artifact\n uses: actions/upload-artifact@v7\n with:\n name: sftpgo-windows-portable\n path: output\n\n test-build-flags:\n name: Test build flags\n runs-on: ubuntu-latest\n\n steps:\n - uses: actions/checkout@v6\n\n - name: Set up Go\n uses: actions/setup-go@v6\n with:\n go-version: '1.26'\n\n - name: Build\n run: |\n go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules,nogcs,nos3,noportable,nobolt,nomysql,nopgsql,nosqlite,nometrics,noazblob,unixcrypt -ldflags \"-s -w -X github.com/drakkan/sftpgo/v2/internal/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`\" -o sftpgo\n ./sftpgo -v\n cp -r openapi static templates internal/bundle/\n go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules,bundle -ldflags \"-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`\" -o sftpgo\n ./sftpgo -v\n\n test-postgresql-mysql-crdb:\n name: Test with PgSQL/MySQL/Cockroach\n runs-on: ubuntu-latest\n\n services:\n postgres:\n image: postgres:latest\n env:\n POSTGRES_PASSWORD: postgres\n POSTGRES_DB: sftpgo\n options: >-\n --health-cmd pg_isready\n --health-interval 10s\n --health-timeout 5s\n --health-retries 5\n ports:\n - 5432:5432\n\n mariadb:\n image: mariadb:latest\n env:\n MYSQL_ROOT_PASSWORD: mysql\n MYSQL_DATABASE: sftpgo\n MYSQL_USER: sftpgo\n MYSQL_PASSWORD: sftpgo\n options: >-\n --health-cmd \"mariadb-admin status -h 127.0.0.1 -P 3306 -u root -p$MYSQL_ROOT_PASSWORD\"\n --health-interval 10s\n --health-timeout 5s\n --health-retries 6\n ports:\n - 3307:3306\n\n mysql:\n image: mysql:latest\n env:\n MYSQL_ROOT_PASSWORD: mysql\n MYSQL_DATABASE: sftpgo\n MYSQL_USER: sftpgo\n MYSQL_PASSWORD: sftpgo\n options: >-\n --health-cmd \"mysqladmin status -h 127.0.0.1 -P 3306 -u root -p$MYSQL_ROOT_PASSWORD\"\n --health-interval 10s\n --health-timeout 5s\n --health-retries 6\n ports:\n - 3308:3306\n\n steps:\n - uses: actions/checkout@v6\n\n - name: Set up Go\n uses: actions/setup-go@v6\n with:\n go-version: '1.26'\n\n - name: Build\n run: |\n go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags \"-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`\" -o sftpgo\n cd tests/eventsearcher\n go build -trimpath -ldflags \"-s -w\" -o eventsearcher\n cd -\n cd tests/ipfilter\n go build -trimpath -ldflags \"-s -w\" -o ipfilter\n cd -\n\n - name: Run tests using MySQL provider\n run: |\n ./sftpgo initprovider\n ./sftpgo resetprovider --force\n go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 15m ./... -covermode=atomic\n env:\n SFTPGO_DATA_PROVIDER__DRIVER: mysql\n SFTPGO_DATA_PROVIDER__NAME: sftpgo\n SFTPGO_DATA_PROVIDER__HOST: localhost\n SFTPGO_DATA_PROVIDER__PORT: 3308\n SFTPGO_DATA_PROVIDER__USERNAME: sftpgo\n SFTPGO_DATA_PROVIDER__PASSWORD: sftpgo\n\n - name: Run tests using PostgreSQL provider\n run: |\n ./sftpgo initprovider\n ./sftpgo resetprovider --force\n go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 15m ./... -covermode=atomic\n env:\n SFTPGO_DATA_PROVIDER__DRIVER: postgresql\n SFTPGO_DATA_PROVIDER__NAME: sftpgo\n SFTPGO_DATA_PROVIDER__HOST: localhost\n SFTPGO_DATA_PROVIDER__PORT: 5432\n SFTPGO_DATA_PROVIDER__USERNAME: postgres\n SFTPGO_DATA_PROVIDER__PASSWORD: postgres\n\n - name: Run tests using MariaDB provider\n run: |\n ./sftpgo initprovider\n ./sftpgo resetprovider --force\n go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 15m ./... -covermode=atomic\n env:\n SFTPGO_DATA_PROVIDER__DRIVER: mysql\n SFTPGO_DATA_PROVIDER__NAME: sftpgo\n SFTPGO_DATA_PROVIDER__HOST: localhost\n SFTPGO_DATA_PROVIDER__PORT: 3307\n SFTPGO_DATA_PROVIDER__USERNAME: sftpgo\n SFTPGO_DATA_PROVIDER__PASSWORD: sftpgo\n SFTPGO_DATA_PROVIDER__SQL_TABLES_PREFIX: prefix_\n\n - name: Run tests using CockroachDB provider\n run: |\n docker run --rm --name crdb --health-cmd \"curl -I http://127.0.0.1:8080\" --health-interval 10s --health-timeout 5s --health-retries 6 -p 26257:26257 -d cockroachdb/cockroach:latest start-single-node --insecure --listen-addr :26257\n sleep 10\n docker exec crdb cockroach sql --insecure -e 'create database \"sftpgo\"'\n ./sftpgo initprovider\n ./sftpgo resetprovider --force\n go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 15m ./... -covermode=atomic\n docker stop crdb\n env:\n SFTPGO_DATA_PROVIDER__DRIVER: cockroachdb\n SFTPGO_DATA_PROVIDER__NAME: sftpgo\n SFTPGO_DATA_PROVIDER__HOST: localhost\n SFTPGO_DATA_PROVIDER__PORT: 26257\n SFTPGO_DATA_PROVIDER__USERNAME: root\n SFTPGO_DATA_PROVIDER__PASSWORD:\n SFTPGO_DATA_PROVIDER__TARGET_SESSION_ATTRS: any\n SFTPGO_DATA_PROVIDER__SQL_TABLES_PREFIX: prefix_\n\n build-linux-packages:\n name: Build Linux packages\n runs-on: ubuntu-latest\n strategy:\n matrix:\n include:\n - arch: amd64\n distro: ubuntu:18.04\n go: latest\n go-arch: amd64\n - arch: aarch64\n distro: ubuntu18.04\n go: latest\n go-arch: arm64\n - arch: ppc64le\n distro: ubuntu18.04\n go: latest\n go-arch: ppc64le\n - arch: armv7\n distro: ubuntu18.04\n go: latest\n go-arch: arm7\n steps:\n - uses: actions/checkout@v6\n with:\n fetch-depth: 0\n\n - name: Get commit SHA\n id: get_commit\n run: echo \"COMMIT=${GITHUB_SHA::8}\" >> $GITHUB_OUTPUT\n shell: bash\n\n - name: Build on amd64\n if: ${{ matrix.arch == 'amd64' }}\n run: |\n echo '#!/bin/bash' > build.sh\n echo '' >> build.sh\n echo 'set -e' >> build.sh\n echo 'apt-get update -q -y' >> build.sh\n echo 'apt-get install -q -y curl gcc' >> build.sh\n if [ ${{ matrix.go }} == 'latest' ]\n then\n echo 'GO_VERSION=$(curl -L https://go.dev/VERSION?m=text | head -n 1)' >> build.sh\n else\n echo 'GO_VERSION=${{ matrix.go }}' >> build.sh\n fi\n echo 'GO_DOWNLOAD_ARCH=${{ matrix.go-arch }}' >> build.sh\n echo 'curl --retry 5 --retry-delay 2 --connect-timeout 10 -o go.tar.gz -L https://go.dev/dl/${GO_VERSION}.linux-${GO_DOWNLOAD_ARCH}.tar.gz' >> build.sh\n echo 'tar -C /usr/local -xzf go.tar.gz' >> build.sh\n echo 'export PATH=$PATH:/usr/local/go/bin' >> build.sh\n echo 'go version' >> build.sh\n echo 'cd /usr/local/src' >> build.sh\n echo 'go build -buildvcs=false -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags \"-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=${{ steps.get_commit.outputs.COMMIT }} -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`\" -o sftpgo' >> build.sh\n\n chmod 755 build.sh\n docker run --rm --name ubuntu-build --mount type=bind,source=`pwd`,target=/usr/local/src ${{ matrix.distro }} /usr/local/src/build.sh\n mkdir -p output/{init,bash_completion,zsh_completion}\n cp sftpgo.json output/\n cp -r templates output/\n cp -r static output/\n cp -r openapi output/\n cp init/sftpgo.service output/init/\n ./sftpgo gen completion bash > output/bash_completion/sftpgo\n ./sftpgo gen completion zsh > output/zsh_completion/_sftpgo\n ./sftpgo gen man -d output/man/man1\n gzip output/man/man1/*\n cp sftpgo output/\n\n - uses: uraimo/run-on-arch-action@v3\n if: ${{ matrix.arch != 'amd64' }}\n name: Build for ${{ matrix.arch }}\n id: build\n with:\n arch: ${{ matrix.arch }}\n distro: ${{ matrix.distro }}\n setup: |\n mkdir -p \"${PWD}/output\"\n dockerRunArgs: |\n --volume \"${PWD}/output:/output\"\n shell: /bin/bash\n install: |\n apt-get update -q -y\n apt-get install -q -y curl gcc\n if [ ${{ matrix.go }} == 'latest' ]\n then\n GO_VERSION=$(curl -L https://go.dev/VERSION?m=text | head -n 1)\n else\n GO_VERSION=${{ matrix.go }}\n fi\n GO_DOWNLOAD_ARCH=${{ matrix.go-arch }}\n if [ ${{ matrix.arch}} == 'armv7' ]\n then\n GO_DOWNLOAD_ARCH=armv6l\n fi\n curl --retry 5 --retry-delay 2 --connect-timeout 10 -o go.tar.gz -L https://go.dev/dl/${GO_VERSION}.linux-${GO_DOWNLOAD_ARCH}.tar.gz\n tar -C /usr/local -xzf go.tar.gz\n run: |\n export PATH=$PATH:/usr/local/go/bin\n go version\n if [ ${{ matrix.arch}} == 'armv7' ]\n then\n export GOARM=7\n fi\n go build -buildvcs=false -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags \"-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=${{ steps.get_commit.outputs.COMMIT }} -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`\" -o sftpgo\n mkdir -p output/{init,bash_completion,zsh_completion}\n cp sftpgo.json output/\n cp -r templates output/\n cp -r static output/\n cp -r openapi output/\n cp init/sftpgo.service output/init/\n ./sftpgo gen completion bash > output/bash_completion/sftpgo\n ./sftpgo gen completion zsh > output/zsh_completion/_sftpgo\n ./sftpgo gen man -d output/man/man1\n gzip output/man/man1/*\n cp sftpgo output/\n\n - name: Upload build artifact\n uses: actions/upload-artifact@v7\n with:\n name: sftpgo-linux-${{ matrix.arch }}-go-${{ matrix.go }}\n path: output\n\n - name: Build Packages\n id: build_linux_pkgs\n run: |\n export NFPM_ARCH=${{ matrix.go-arch }}\n cd pkgs\n ./build.sh\n PKG_VERSION=$(cat dist/version)\n echo \"pkg-version=${PKG_VERSION}\" >> $GITHUB_OUTPUT\n\n - name: Upload Debian Package\n uses: actions/upload-artifact@v7\n with:\n name: sftpgo-${{ steps.build_linux_pkgs.outputs.pkg-version }}-${{ matrix.go-arch }}-deb\n path: pkgs/dist/deb/*\n\n - name: Upload RPM Package\n uses: actions/upload-artifact@v7\n with:\n name: sftpgo-${{ steps.build_linux_pkgs.outputs.pkg-version }}-${{ matrix.go-arch }}-rpm\n path: pkgs/dist/rpm/*\n\n golangci-lint:\n name: golangci-lint\n runs-on: ubuntu-latest\n steps:\n - name: Set up Go\n uses: actions/setup-go@v6\n with:\n go-version: '1.26'\n - uses: actions/checkout@v6\n - name: Run golangci-lint\n uses: golangci/golangci-lint-action@v9\n with:\n version: latest\n" }, { "path": ".github/workflows/docker.yml", "content": "name: Docker\n\non:\n #schedule:\n # - cron: '0 4 * * *' # everyday at 4:00 AM UTC\n push:\n branches:\n - main\n tags:\n - v*\n pull_request:\n\njobs:\n build:\n name: Build\n runs-on: ${{ matrix.os }}\n strategy:\n matrix:\n os:\n - ubuntu-latest\n docker_pkg:\n - debian\n - alpine\n optional_deps:\n - true\n - false\n include:\n - os: ubuntu-latest\n docker_pkg: distroless\n optional_deps: false\n - os: ubuntu-latest\n docker_pkg: debian-plugins\n optional_deps: true\n steps:\n - name: Checkout\n uses: actions/checkout@v6\n\n - name: Gather image information\n id: info\n run: |\n VERSION=noop\n DOCKERFILE=Dockerfile\n MINOR=\"\"\n MAJOR=\"\"\n FEATURES=\"nopgxregisterdefaulttypes,disable_grpc_modules\"\n if [ \"${{ github.event_name }}\" = \"schedule\" ]; then\n VERSION=nightly\n elif [[ $GITHUB_REF == refs/tags/* ]]; then\n VERSION=${GITHUB_REF#refs/tags/}\n elif [[ $GITHUB_REF == refs/heads/* ]]; then\n VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')\n if [ \"${{ github.event.repository.default_branch }}\" = \"$VERSION\" ]; then\n VERSION=edge\n fi\n elif [[ $GITHUB_REF == refs/pull/* ]]; then\n VERSION=pr-${{ github.event.number }}\n fi\n if [[ $VERSION =~ ^v[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}$ ]]; then\n MINOR=${VERSION%.*}\n MAJOR=${MINOR%.*}\n fi\n VERSION_SLIM=\"${VERSION}-slim\"\n if [[ $DOCKER_PKG == alpine ]]; then\n VERSION=\"${VERSION}-alpine\"\n VERSION_SLIM=\"${VERSION}-slim\"\n DOCKERFILE=Dockerfile.alpine\n elif [[ $DOCKER_PKG == distroless ]]; then\n VERSION=\"${VERSION}-distroless\"\n VERSION_SLIM=\"${VERSION}-slim\"\n DOCKERFILE=Dockerfile.distroless\n FEATURES=\"${FEATURES},nosqlite\"\n elif [[ $DOCKER_PKG == debian-plugins ]]; then\n VERSION=\"${VERSION}-plugins\"\n VERSION_SLIM=\"${VERSION}-slim\"\n FEATURES=\"${FEATURES},unixcrypt\"\n elif [[ $DOCKER_PKG == debian ]]; then\n FEATURES=\"${FEATURES},unixcrypt\"\n fi\n DOCKER_IMAGES=(\"drakkan/sftpgo\" \"ghcr.io/drakkan/sftpgo\")\n TAGS=\"${DOCKER_IMAGES[0]}:${VERSION}\"\n TAGS_SLIM=\"${DOCKER_IMAGES[0]}:${VERSION_SLIM}\"\n\n for DOCKER_IMAGE in ${DOCKER_IMAGES[@]}; do\n if [[ ${DOCKER_IMAGE} != ${DOCKER_IMAGES[0]} ]]; then\n TAGS=\"${TAGS},${DOCKER_IMAGE}:${VERSION}\"\n TAGS_SLIM=\"${TAGS_SLIM},${DOCKER_IMAGE}:${VERSION_SLIM}\"\n fi\n if [[ $GITHUB_REF == refs/tags/* ]]; then\n if [[ $DOCKER_PKG == debian ]]; then\n if [[ -n $MAJOR && -n $MINOR ]]; then\n TAGS=\"${TAGS},${DOCKER_IMAGE}:${MINOR},${DOCKER_IMAGE}:${MAJOR}\"\n TAGS_SLIM=\"${TAGS_SLIM},${DOCKER_IMAGE}:${MINOR}-slim,${DOCKER_IMAGE}:${MAJOR}-slim\"\n fi\n TAGS=\"${TAGS},${DOCKER_IMAGE}:latest\"\n TAGS_SLIM=\"${TAGS_SLIM},${DOCKER_IMAGE}:slim\"\n elif [[ $DOCKER_PKG == distroless ]]; then\n if [[ -n $MAJOR && -n $MINOR ]]; then\n TAGS=\"${TAGS},${DOCKER_IMAGE}:${MINOR}-distroless,${DOCKER_IMAGE}:${MAJOR}-distroless\"\n TAGS_SLIM=\"${TAGS_SLIM},${DOCKER_IMAGE}:${MINOR}-distroless-slim,${DOCKER_IMAGE}:${MAJOR}-distroless-slim\"\n fi\n TAGS=\"${TAGS},${DOCKER_IMAGE}:distroless\"\n TAGS_SLIM=\"${TAGS_SLIM},${DOCKER_IMAGE}:distroless-slim\"\n elif [[ $DOCKER_PKG == debian-plugins ]]; then\n if [[ -n $MAJOR && -n $MINOR ]]; then\n TAGS=\"${TAGS},${DOCKER_IMAGE}:${MINOR}-plugins,${DOCKER_IMAGE}:${MAJOR}-plugins\"\n TAGS_SLIM=\"${TAGS_SLIM},${DOCKER_IMAGE}:${MINOR}-plugins-slim,${DOCKER_IMAGE}:${MAJOR}-plugins-slim\"\n fi\n TAGS=\"${TAGS},${DOCKER_IMAGE}:plugins\"\n TAGS_SLIM=\"${TAGS_SLIM},${DOCKER_IMAGE}:plugins-slim\"\n else\n if [[ -n $MAJOR && -n $MINOR ]]; then\n TAGS=\"${TAGS},${DOCKER_IMAGE}:${MINOR}-alpine,${DOCKER_IMAGE}:${MAJOR}-alpine\"\n TAGS_SLIM=\"${TAGS_SLIM},${DOCKER_IMAGE}:${MINOR}-alpine-slim,${DOCKER_IMAGE}:${MAJOR}-alpine-slim\"\n fi\n TAGS=\"${TAGS},${DOCKER_IMAGE}:alpine\"\n TAGS_SLIM=\"${TAGS_SLIM},${DOCKER_IMAGE}:alpine-slim\"\n fi\n fi\n done\n\n if [[ $OPTIONAL_DEPS == true ]]; then\n echo \"version=${VERSION}\" >> $GITHUB_OUTPUT\n echo \"tags=${TAGS}\" >> $GITHUB_OUTPUT\n echo \"full=true\" >> $GITHUB_OUTPUT\n else\n echo \"version=${VERSION_SLIM}\" >> $GITHUB_OUTPUT\n echo \"tags=${TAGS_SLIM}\" >> $GITHUB_OUTPUT\n echo \"full=false\" >> $GITHUB_OUTPUT\n fi\n if [[ $DOCKER_PKG == debian-plugins ]]; then\n echo \"plugins=true\" >> $GITHUB_OUTPUT\n else\n echo \"plugins=false\" >> $GITHUB_OUTPUT\n fi\n echo \"dockerfile=${DOCKERFILE}\" >> $GITHUB_OUTPUT\n echo \"features=${FEATURES}\" >> $GITHUB_OUTPUT\n echo \"created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\" >> $GITHUB_OUTPUT\n echo \"sha=${GITHUB_SHA::8}\" >> $GITHUB_OUTPUT\n env:\n DOCKER_PKG: ${{ matrix.docker_pkg }}\n OPTIONAL_DEPS: ${{ matrix.optional_deps }}\n\n - name: Set up QEMU\n uses: docker/setup-qemu-action@v4\n\n - name: Set up builder\n uses: docker/setup-buildx-action@v4\n id: builder\n\n - name: Login to Docker Hub\n uses: docker/login-action@v4\n with:\n username: ${{ secrets.DOCKERHUB_USERNAME }}\n password: ${{ secrets.DOCKERHUB_TOKEN }}\n if: ${{ github.event_name != 'pull_request' }}\n\n - name: Login to GitHub Container Registry\n uses: docker/login-action@v4\n with:\n registry: ghcr.io\n username: ${{ github.repository_owner }}\n password: ${{ secrets.GITHUB_TOKEN }}\n if: ${{ github.event_name != 'pull_request' }}\n\n - name: Build and push\n uses: docker/build-push-action@v7\n with:\n context: .\n builder: ${{ steps.builder.outputs.name }}\n file: ./${{ steps.info.outputs.dockerfile }}\n platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/arm/v7\n push: ${{ github.event_name != 'pull_request' }}\n tags: ${{ steps.info.outputs.tags }}\n build-args: |\n COMMIT_SHA=${{ steps.info.outputs.sha }}\n INSTALL_OPTIONAL_PACKAGES=${{ steps.info.outputs.full }}\n DOWNLOAD_PLUGINS=${{ steps.info.outputs.plugins }}\n FEATURES=${{ steps.info.outputs.features }}\n labels: |\n org.opencontainers.image.title=SFTPGo\n org.opencontainers.image.description=Full-featured and highly configurable file transfer server: SFTP, HTTP/S,FTP/S, WebDAV\n org.opencontainers.image.url=https://github.com/drakkan/sftpgo\n org.opencontainers.image.documentation=https://github.com/drakkan/sftpgo/blob/${{ github.sha }}/docker/README.md\n org.opencontainers.image.source=https://github.com/drakkan/sftpgo\n org.opencontainers.image.version=${{ steps.info.outputs.version }}\n org.opencontainers.image.created=${{ steps.info.outputs.created }}\n org.opencontainers.image.revision=${{ github.sha }}\n org.opencontainers.image.licenses=AGPL-3.0-only" }, { "path": ".github/workflows/release.yml", "content": "name: Release\n\non:\n push:\n tags: 'v*'\n\npermissions:\n id-token: write\n contents: write\n\nenv:\n GO_VERSION: 1.25.8\n\njobs:\n prepare-sources-with-deps:\n name: Prepare sources with deps\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v6\n - name: Set up Go\n uses: actions/setup-go@v6\n with:\n go-version: ${{ env.GO_VERSION }}\n\n - name: Get SFTPGo version\n id: get_version\n run: echo \"VERSION=${GITHUB_REF/refs\\/tags\\//}\" >> $GITHUB_OUTPUT\n\n - name: Prepare release\n run: |\n go mod vendor\n echo \"${SFTPGO_VERSION}\" > VERSION.txt\n echo \"${GITHUB_SHA::8}\" >> VERSION.txt\n tar cJvf sftpgo_${SFTPGO_VERSION}_src_with_deps.tar.xz *\n env:\n SFTPGO_VERSION: ${{ steps.get_version.outputs.VERSION }}\n\n - name: Upload build artifact\n uses: actions/upload-artifact@v7\n with:\n name: sftpgo_${{ steps.get_version.outputs.VERSION }}_src_with_deps.tar.xz\n path: ./sftpgo_${{ steps.get_version.outputs.VERSION }}_src_with_deps.tar.xz\n retention-days: 1\n\n prepare-windows:\n name: Prepare Windows binaries\n runs-on: windows-2022\n\n steps:\n - uses: actions/checkout@v6\n - name: Set up Go\n uses: actions/setup-go@v6\n with:\n go-version: ${{ env.GO_VERSION }}\n\n - name: Get SFTPGo version\n id: get_version\n run: echo \"VERSION=${GITHUB_REF/refs\\/tags\\//}\" >> $GITHUB_OUTPUT\n shell: bash\n\n - name: Build\n run: |\n $GIT_COMMIT = (git describe --always --abbrev=8 --dirty) | Out-String\n $DATE_TIME = ([datetime]::Now.ToUniversalTime().toString(\"yyyy-MM-ddTHH:mm:ssZ\")) | Out-String\n $FILE_VERSION = $Env:SFTPGO_VERSION.substring(1) + \".0\"\n go install github.com/tc-hib/go-winres@latest\n go-winres simply --arch amd64 --product-version $Env:SFTPGO_VERSION-$GIT_COMMIT --file-version \"$FILE_VERSION\" --file-description \"SFTPGo server\" --product-name SFTPGo --copyright \"2019-2025 Nicola Murino\" --original-filename sftpgo.exe --icon .\\windows-installer\\icon.ico\n go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags \"-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=$GIT_COMMIT -X github.com/drakkan/sftpgo/v2/internal/version.date=$DATE_TIME\" -o sftpgo.exe\n mkdir arm64\n $Env:CGO_ENABLED='0'\n $Env:GOOS='windows'\n $Env:GOARCH='arm64'\n go-winres simply --arch arm64 --product-version $Env:SFTPGO_VERSION-$GIT_COMMIT --file-version \"$FILE_VERSION\" --file-description \"SFTPGo server\" --product-name SFTPGo --copyright \"2019-2025 Nicola Murino\" --original-filename sftpgo.exe --icon .\\windows-installer\\icon.ico\n go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules,nosqlite -ldflags \"-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=$GIT_COMMIT -X github.com/drakkan/sftpgo/v2/internal/version.date=$DATE_TIME\" -o .\\arm64\\sftpgo.exe\n mkdir x86\n $Env:GOARCH='386'\n go-winres simply --arch 386 --product-version $Env:SFTPGO_VERSION-$GIT_COMMIT --file-version \"$FILE_VERSION\" --file-description \"SFTPGo server\" --product-name SFTPGo --copyright \"2019-2025 Nicola Murino\" --original-filename sftpgo.exe --icon .\\windows-installer\\icon.ico\n go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules,nosqlite -ldflags \"-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=$GIT_COMMIT -X github.com/drakkan/sftpgo/v2/internal/version.date=$DATE_TIME\" -o .\\x86\\sftpgo.exe\n Remove-Item Env:\\CGO_ENABLED\n Remove-Item Env:\\GOOS\n Remove-Item Env:\\GOARCH\n env:\n SFTPGO_VERSION: ${{ steps.get_version.outputs.VERSION }}\n\n - name: Initialize data provider\n run: ./sftpgo initprovider\n shell: bash\n\n - name: Prepare Release\n run: |\n mkdir output\n copy .\\sftpgo.exe .\\output\n copy .\\sftpgo.json .\\output\n copy .\\sftpgo.db .\\output\n copy .\\LICENSE .\\output\\LICENSE.txt\n copy .\\NOTICE .\\output\\NOTICE.txt\n mkdir output\\templates\n xcopy .\\templates .\\output\\templates\\ /E\n mkdir output\\static\n xcopy .\\static .\\output\\static\\ /E\n mkdir output\\openapi\n xcopy .\\openapi .\\output\\openapi\\ /E\n iscc .\\windows-installer\\sftpgo.iss\n rm .\\output\\sftpgo.exe\n rm .\\output\\sftpgo.db\n copy .\\arm64\\sftpgo.exe .\\output\n (Get-Content .\\output\\sftpgo.json).replace('\"sqlite\"', '\"bolt\"') | Set-Content .\\output\\sftpgo.json\n $Env:SFTPGO_DATA_PROVIDER__DRIVER='bolt'\n $Env:SFTPGO_DATA_PROVIDER__NAME='.\\output\\sftpgo.db'\n .\\sftpgo.exe initprovider\n Remove-Item Env:\\SFTPGO_DATA_PROVIDER__DRIVER\n Remove-Item Env:\\SFTPGO_DATA_PROVIDER__NAME\n $Env:SFTPGO_ISS_ARCH='arm64'\n iscc .\\windows-installer\\sftpgo.iss\n\n rm .\\output\\sftpgo.exe\n copy .\\x86\\sftpgo.exe .\\output\n $Env:SFTPGO_ISS_ARCH='x86'\n iscc .\\windows-installer\\sftpgo.iss\n env:\n SFTPGO_ISS_VERSION: ${{ steps.get_version.outputs.VERSION }}\n\n - name: Prepare Portable Release\n run: |\n mkdir win-portable\n copy .\\sftpgo.exe .\\win-portable\n mkdir win-portable\\arm64\n copy .\\arm64\\sftpgo.exe .\\win-portable\\arm64\n mkdir win-portable\\x86\n copy .\\x86\\sftpgo.exe .\\win-portable\\x86\n copy .\\sftpgo.json .\\win-portable\n (Get-Content .\\win-portable\\sftpgo.json).replace('\"sqlite\"', '\"bolt\"') | Set-Content .\\win-portable\\sftpgo.json\n copy .\\output\\sftpgo.db .\\win-portable\n copy .\\LICENSE .\\win-portable\\LICENSE.txt\n copy .\\NOTICE .\\win-portable\\NOTICE.txt\n mkdir win-portable\\templates\n xcopy .\\templates .\\win-portable\\templates\\ /E\n mkdir win-portable\\static\n xcopy .\\static .\\win-portable\\static\\ /E\n mkdir win-portable\\openapi\n xcopy .\\openapi .\\win-portable\\openapi\\ /E\n Compress-Archive .\\win-portable\\* sftpgo_portable.zip\n\n - name: Upload Windows installer x86_64 artifact\n uses: actions/upload-artifact@v7\n with:\n name: sftpgo_${{ steps.get_version.outputs.VERSION }}_windows_x86_64.exe\n path: ./sftpgo_windows_x86_64.exe\n retention-days: 1\n\n - name: Upload Windows installer arm64 artifact\n uses: actions/upload-artifact@v7\n with:\n name: sftpgo_${{ steps.get_version.outputs.VERSION }}_windows_arm64.exe\n path: ./sftpgo_windows_arm64.exe\n retention-days: 1\n\n - name: Upload Windows installer x86 artifact\n uses: actions/upload-artifact@v7\n with:\n name: sftpgo_${{ steps.get_version.outputs.VERSION }}_windows_x86.exe\n path: ./sftpgo_windows_x86.exe\n retention-days: 1\n\n - name: Upload Windows portable artifact\n uses: actions/upload-artifact@v7\n with:\n name: sftpgo_${{ steps.get_version.outputs.VERSION }}_windows_portable.zip\n path: ./sftpgo_portable.zip\n retention-days: 1\n\n prepare-mac:\n name: Prepare macOS binaries\n runs-on: macos-14\n\n steps:\n - uses: actions/checkout@v6\n - name: Set up Go\n uses: actions/setup-go@v6\n with:\n go-version: ${{ env.GO_VERSION }}\n\n - name: Get SFTPGo version\n id: get_version\n run: echo \"VERSION=${GITHUB_REF/refs\\/tags\\//}\" >> $GITHUB_OUTPUT\n shell: bash\n\n - name: Build for macOS x86_64\n run: go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags \"-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`\" -o sftpgo\n\n - name: Build for macOS arm64\n run: CGO_ENABLED=1 GOOS=darwin GOARCH=arm64 SDKROOT=$(xcrun --sdk macosx --show-sdk-path) go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags \"-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`\" -o sftpgo_arm64\n\n - name: Initialize data provider\n run: ./sftpgo initprovider\n shell: bash\n\n - name: Prepare Release\n run: |\n mkdir -p output/{init,sqlite,bash_completion,zsh_completion}\n echo \"For documentation please take a look here:\" > output/README.txt\n echo \"\" >> output/README.txt\n echo \"https://docs.sftpgo.com\" >> output/README.txt\n cp LICENSE output/\n cp NOTICE output/\n cp sftpgo output/\n cp sftpgo.json output/\n cp sftpgo.db output/sqlite/\n cp -r static output/\n cp -r openapi output/\n cp -r templates output/\n cp init/com.github.drakkan.sftpgo.plist output/init/\n ./sftpgo gen completion bash > output/bash_completion/sftpgo\n ./sftpgo gen completion zsh > output/zsh_completion/_sftpgo\n ./sftpgo gen man -d output/man/man1\n gzip output/man/man1/*\n cd output\n tar cJvf ../sftpgo_${SFTPGO_VERSION}_macOS_x86_64.tar.xz *\n cd ..\n cp sftpgo_arm64 output/sftpgo\n cd output\n tar cJvf ../sftpgo_${SFTPGO_VERSION}_macOS_arm64.tar.xz *\n cd ..\n env:\n SFTPGO_VERSION: ${{ steps.get_version.outputs.VERSION }}\n\n - name: Upload macOS x86_64 artifact\n uses: actions/upload-artifact@v7\n with:\n name: sftpgo_${{ steps.get_version.outputs.VERSION }}_macOS_x86_64.tar.xz\n path: ./sftpgo_${{ steps.get_version.outputs.VERSION }}_macOS_x86_64.tar.xz\n retention-days: 1\n\n - name: Upload macOS arm64 artifact\n uses: actions/upload-artifact@v7\n with:\n name: sftpgo_${{ steps.get_version.outputs.VERSION }}_macOS_arm64.tar.xz\n path: ./sftpgo_${{ steps.get_version.outputs.VERSION }}_macOS_arm64.tar.xz\n retention-days: 1\n\n prepare-linux:\n name: Prepare Linux binaries\n runs-on: ubuntu-latest\n strategy:\n matrix:\n include:\n - arch: amd64\n distro: ubuntu:18.04\n go-arch: amd64\n deb-arch: amd64\n rpm-arch: x86_64\n tar-arch: x86_64\n - arch: aarch64\n distro: ubuntu18.04\n go-arch: arm64\n deb-arch: arm64\n rpm-arch: aarch64\n tar-arch: arm64\n - arch: ppc64le\n distro: ubuntu18.04\n go-arch: ppc64le\n deb-arch: ppc64el\n rpm-arch: ppc64le\n tar-arch: ppc64le\n - arch: armv7\n distro: ubuntu18.04\n go-arch: arm7\n deb-arch: armhf\n rpm-arch: armv7hl\n tar-arch: armv7\n\n steps:\n - uses: actions/checkout@v6\n\n - name: Get versions\n id: get_version\n run: |\n echo \"SFTPGO_VERSION=${GITHUB_REF/refs\\/tags\\//}\" >> $GITHUB_OUTPUT\n echo \"GO_VERSION=${GO_VERSION}\" >> $GITHUB_OUTPUT\n echo \"COMMIT=${GITHUB_SHA::8}\" >> $GITHUB_OUTPUT\n shell: bash\n env:\n GO_VERSION: ${{ env.GO_VERSION }}\n\n - name: Build on amd64\n if: ${{ matrix.arch == 'amd64' }}\n run: |\n echo '#!/bin/bash' > build.sh\n echo '' >> build.sh\n echo 'set -e' >> build.sh\n echo 'apt-get update -q -y' >> build.sh\n echo 'apt-get install -q -y curl gcc' >> build.sh\n echo 'curl --retry 5 --retry-delay 2 --connect-timeout 10 -o go.tar.gz -L https://go.dev/dl/go${{ steps.get_version.outputs.GO_VERSION }}.linux-${{ matrix.go-arch }}.tar.gz' >> build.sh\n echo 'tar -C /usr/local -xzf go.tar.gz' >> build.sh\n echo 'export PATH=$PATH:/usr/local/go/bin' >> build.sh\n echo 'go version' >> build.sh\n echo 'cd /usr/local/src' >> build.sh\n echo 'go build -buildvcs=false -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags \"-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=${{ steps.get_version.outputs.COMMIT }} -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`\" -o sftpgo' >> build.sh\n\n chmod 755 build.sh\n docker run --rm --name ubuntu-build --mount type=bind,source=`pwd`,target=/usr/local/src ${{ matrix.distro }} /usr/local/src/build.sh\n mkdir -p output/{init,sqlite,bash_completion,zsh_completion}\n echo \"For documentation please take a look here:\" > output/README.txt\n echo \"\" >> output/README.txt\n echo \"https://github.com/drakkan/sftpgo/blob/${SFTPGO_VERSION}/README.md\" >> output/README.txt\n cp LICENSE output/\n cp NOTICE output/\n cp sftpgo.json output/\n cp -r templates output/\n cp -r static output/\n cp -r openapi output/\n cp init/sftpgo.service output/init/\n ./sftpgo initprovider\n ./sftpgo gen completion bash > output/bash_completion/sftpgo\n ./sftpgo gen completion zsh > output/zsh_completion/_sftpgo\n ./sftpgo gen man -d output/man/man1\n gzip output/man/man1/*\n cp sftpgo output/\n cp sftpgo.db output/sqlite/\n cd output\n tar cJvf sftpgo_${SFTPGO_VERSION}_linux_${{ matrix.tar-arch }}.tar.xz *\n cd ..\n env:\n SFTPGO_VERSION: ${{ steps.get_version.outputs.SFTPGO_VERSION }}\n\n - uses: uraimo/run-on-arch-action@v3\n if: ${{ matrix.arch != 'amd64' }}\n name: Build for ${{ matrix.arch }}\n id: build\n with:\n arch: ${{ matrix.arch }}\n distro: ${{ matrix.distro }}\n setup: |\n mkdir -p \"${PWD}/output\"\n dockerRunArgs: |\n --volume \"${PWD}/output:/output\"\n shell: /bin/bash\n install: |\n apt-get update -q -y\n apt-get install -q -y curl gcc xz-utils\n GO_DOWNLOAD_ARCH=${{ matrix.go-arch }}\n if [ ${{ matrix.arch}} == 'armv7' ]\n then\n GO_DOWNLOAD_ARCH=armv6l\n fi\n curl --retry 5 --retry-delay 2 --connect-timeout 10 -o go.tar.gz -L https://go.dev/dl/go${{ steps.get_version.outputs.GO_VERSION }}.linux-${GO_DOWNLOAD_ARCH}.tar.gz\n tar -C /usr/local -xzf go.tar.gz\n run: |\n export PATH=$PATH:/usr/local/go/bin\n go version\n go build -buildvcs=false -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags \"-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=${{ steps.get_version.outputs.COMMIT }} -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`\" -o sftpgo\n mkdir -p output/{init,sqlite,bash_completion,zsh_completion}\n echo \"For documentation please take a look here:\" > output/README.txt\n echo \"\" >> output/README.txt\n echo \"https://github.com/drakkan/sftpgo/blob/${{ steps.get_version.outputs.SFTPGO_VERSION }}/README.md\" >> output/README.txt\n cp LICENSE output/\n cp NOTICE output/\n cp sftpgo.json output/\n cp -r templates output/\n cp -r static output/\n cp -r openapi output/\n cp init/sftpgo.service output/init/\n ./sftpgo initprovider\n ./sftpgo gen completion bash > output/bash_completion/sftpgo\n ./sftpgo gen completion zsh > output/zsh_completion/_sftpgo\n ./sftpgo gen man -d output/man/man1\n gzip output/man/man1/*\n cp sftpgo output/\n cp sftpgo.db output/sqlite/\n cd output\n tar cJvf sftpgo_${{ steps.get_version.outputs.SFTPGO_VERSION }}_linux_${{ matrix.tar-arch }}.tar.xz *\n cd ..\n\n - name: Upload build artifact for ${{ matrix.arch }}\n uses: actions/upload-artifact@v7\n with:\n name: sftpgo_${{ steps.get_version.outputs.SFTPGO_VERSION }}_linux_${{ matrix.tar-arch }}.tar.xz\n path: ./output/sftpgo_${{ steps.get_version.outputs.SFTPGO_VERSION }}_linux_${{ matrix.tar-arch }}.tar.xz\n retention-days: 1\n\n - name: Build Packages\n id: build_linux_pkgs\n run: |\n export NFPM_ARCH=${{ matrix.go-arch }}\n cd pkgs\n ./build.sh\n PKG_VERSION=${SFTPGO_VERSION:1}\n echo \"pkg-version=${PKG_VERSION}\" >> $GITHUB_OUTPUT\n env:\n SFTPGO_VERSION: ${{ steps.get_version.outputs.SFTPGO_VERSION }}\n\n - name: Upload Deb Package\n uses: actions/upload-artifact@v7\n with:\n name: sftpgo_${{ steps.build_linux_pkgs.outputs.pkg-version }}-1_${{ matrix.deb-arch}}.deb\n path: ./pkgs/dist/deb/sftpgo_${{ steps.build_linux_pkgs.outputs.pkg-version }}-1_${{ matrix.deb-arch}}.deb\n retention-days: 1\n\n - name: Upload RPM Package\n uses: actions/upload-artifact@v7\n with:\n name: sftpgo-${{ steps.build_linux_pkgs.outputs.pkg-version }}-1.${{ matrix.rpm-arch}}.rpm\n path: ./pkgs/dist/rpm/sftpgo-${{ steps.build_linux_pkgs.outputs.pkg-version }}-1.${{ matrix.rpm-arch}}.rpm\n retention-days: 1\n\n prepare-linux-bundle:\n name: Prepare Linux bundle\n needs: prepare-linux\n runs-on: ubuntu-latest\n\n steps:\n - name: Get versions\n id: get_version\n run: |\n echo \"SFTPGO_VERSION=${GITHUB_REF/refs\\/tags\\//}\" >> $GITHUB_OUTPUT\n shell: bash\n\n - name: Download amd64 artifact\n uses: actions/download-artifact@v8\n with:\n name: sftpgo_${{ steps.get_version.outputs.SFTPGO_VERSION }}_linux_x86_64.tar.xz\n\n - name: Download arm64 artifact\n uses: actions/download-artifact@v8\n with:\n name: sftpgo_${{ steps.get_version.outputs.SFTPGO_VERSION }}_linux_arm64.tar.xz\n\n - name: Download ppc64le artifact\n uses: actions/download-artifact@v8\n with:\n name: sftpgo_${{ steps.get_version.outputs.SFTPGO_VERSION }}_linux_ppc64le.tar.xz\n\n - name: Download armv7 artifact\n uses: actions/download-artifact@v8\n with:\n name: sftpgo_${{ steps.get_version.outputs.SFTPGO_VERSION }}_linux_armv7.tar.xz\n\n - name: Build bundle\n shell: bash\n run: |\n mkdir -p bundle/{arm64,ppc64le,armv7}\n cd bundle\n tar xvf ../sftpgo_${SFTPGO_VERSION}_linux_x86_64.tar.xz\n cd arm64\n tar xvf ../../sftpgo_${SFTPGO_VERSION}_linux_arm64.tar.xz sftpgo\n cd ../ppc64le\n tar xvf ../../sftpgo_${SFTPGO_VERSION}_linux_ppc64le.tar.xz sftpgo\n cd ../armv7\n tar xvf ../../sftpgo_${SFTPGO_VERSION}_linux_armv7.tar.xz sftpgo\n cd ..\n tar cJvf sftpgo_${SFTPGO_VERSION}_linux_bundle.tar.xz *\n cd ..\n env:\n SFTPGO_VERSION: ${{ steps.get_version.outputs.SFTPGO_VERSION }}\n\n - name: Upload Linux bundle\n uses: actions/upload-artifact@v7\n with:\n name: sftpgo_${{ steps.get_version.outputs.SFTPGO_VERSION }}_linux_bundle.tar.xz\n path: ./bundle/sftpgo_${{ steps.get_version.outputs.SFTPGO_VERSION }}_linux_bundle.tar.xz\n retention-days: 1\n\n create-release:\n name: Release\n needs: [prepare-linux-bundle, prepare-sources-with-deps, prepare-mac, prepare-windows]\n runs-on: ubuntu-latest\n\n steps:\n - uses: actions/checkout@v6\n - name: Get versions\n id: get_version\n run: |\n SFTPGO_VERSION=${GITHUB_REF/refs\\/tags\\//}\n PKG_VERSION=${SFTPGO_VERSION:1}\n echo \"SFTPGO_VERSION=${SFTPGO_VERSION}\" >> $GITHUB_OUTPUT\n echo \"PKG_VERSION=${PKG_VERSION}\" >> $GITHUB_OUTPUT\n shell: bash\n\n - name: Download amd64 artifact\n uses: actions/download-artifact@v8\n with:\n name: sftpgo_${{ steps.get_version.outputs.SFTPGO_VERSION }}_linux_x86_64.tar.xz\n\n - name: Download arm64 artifact\n uses: actions/download-artifact@v8\n with:\n name: sftpgo_${{ steps.get_version.outputs.SFTPGO_VERSION }}_linux_arm64.tar.xz\n\n - name: Download ppc64le artifact\n uses: actions/download-artifact@v8\n with:\n name: sftpgo_${{ steps.get_version.outputs.SFTPGO_VERSION }}_linux_ppc64le.tar.xz\n\n - name: Download armv7 artifact\n uses: actions/download-artifact@v8\n with:\n name: sftpgo_${{ steps.get_version.outputs.SFTPGO_VERSION }}_linux_armv7.tar.xz\n\n - name: Download Linux bundle artifact\n uses: actions/download-artifact@v8\n with:\n name: sftpgo_${{ steps.get_version.outputs.SFTPGO_VERSION }}_linux_bundle.tar.xz\n\n - name: Download Deb amd64 artifact\n uses: actions/download-artifact@v8\n with:\n name: sftpgo_${{ steps.get_version.outputs.PKG_VERSION }}-1_amd64.deb\n\n - name: Download Deb arm64 artifact\n uses: actions/download-artifact@v8\n with:\n name: sftpgo_${{ steps.get_version.outputs.PKG_VERSION }}-1_arm64.deb\n\n - name: Download Deb ppc64le artifact\n uses: actions/download-artifact@v8\n with:\n name: sftpgo_${{ steps.get_version.outputs.PKG_VERSION }}-1_ppc64el.deb\n\n - name: Download Deb armv7 artifact\n uses: actions/download-artifact@v8\n with:\n name: sftpgo_${{ steps.get_version.outputs.PKG_VERSION }}-1_armhf.deb\n\n - name: Download RPM x86_64 artifact\n uses: actions/download-artifact@v8\n with:\n name: sftpgo-${{ steps.get_version.outputs.PKG_VERSION }}-1.x86_64.rpm\n\n - name: Download RPM aarch64 artifact\n uses: actions/download-artifact@v8\n with:\n name: sftpgo-${{ steps.get_version.outputs.PKG_VERSION }}-1.aarch64.rpm\n\n - name: Download RPM ppc64le artifact\n uses: actions/download-artifact@v8\n with:\n name: sftpgo-${{ steps.get_version.outputs.PKG_VERSION }}-1.ppc64le.rpm\n\n - name: Download RPM armv7 artifact\n uses: actions/download-artifact@v8\n with:\n name: sftpgo-${{ steps.get_version.outputs.PKG_VERSION }}-1.armv7hl.rpm\n\n - name: Download macOS x86_64 artifact\n uses: actions/download-artifact@v8\n with:\n name: sftpgo_${{ steps.get_version.outputs.SFTPGO_VERSION }}_macOS_x86_64.tar.xz\n\n - name: Download macOS arm64 artifact\n uses: actions/download-artifact@v8\n with:\n name: sftpgo_${{ steps.get_version.outputs.SFTPGO_VERSION }}_macOS_arm64.tar.xz\n\n - name: Download Windows installer x86_64 artifact\n uses: actions/download-artifact@v8\n with:\n name: sftpgo_${{ steps.get_version.outputs.SFTPGO_VERSION }}_windows_x86_64.exe\n\n - name: Download Windows installer arm64 artifact\n uses: actions/download-artifact@v8\n with:\n name: sftpgo_${{ steps.get_version.outputs.SFTPGO_VERSION }}_windows_arm64.exe\n\n - name: Download Windows installer x86 artifact\n uses: actions/download-artifact@v8\n with:\n name: sftpgo_${{ steps.get_version.outputs.SFTPGO_VERSION }}_windows_x86.exe\n\n - name: Download Windows portable artifact\n uses: actions/download-artifact@v8\n with:\n name: sftpgo_${{ steps.get_version.outputs.SFTPGO_VERSION }}_windows_portable.zip\n\n - name: Download source with deps artifact\n uses: actions/download-artifact@v8\n with:\n name: sftpgo_${{ steps.get_version.outputs.SFTPGO_VERSION }}_src_with_deps.tar.xz\n\n - name: Create release\n run: |\n mv sftpgo_windows_x86_64.exe sftpgo_${SFTPGO_VERSION}_windows_x86_64.exe\n mv sftpgo_windows_arm64.exe sftpgo_${SFTPGO_VERSION}_windows_arm64.exe\n mv sftpgo_windows_x86.exe sftpgo_${SFTPGO_VERSION}_windows_x86.exe\n mv sftpgo_portable.zip sftpgo_${SFTPGO_VERSION}_windows_portable.zip\n gh release create \"${SFTPGO_VERSION}\" -t \"${SFTPGO_VERSION}\"\n gh release upload \"${SFTPGO_VERSION}\" sftpgo_*.xz --clobber\n gh release upload \"${SFTPGO_VERSION}\" sftpgo-*.rpm --clobber\n gh release upload \"${SFTPGO_VERSION}\" sftpgo_*.deb --clobber\n gh release upload \"${SFTPGO_VERSION}\" sftpgo_*.exe --clobber\n gh release upload \"${SFTPGO_VERSION}\" sftpgo_*.zip --clobber\n gh release view \"${SFTPGO_VERSION}\"\n env:\n GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}\n SFTPGO_VERSION: ${{ steps.get_version.outputs.SFTPGO_VERSION }}" }, { "path": ".gitignore", "content": "# compilation output\nsftpgo\nsftpgo.exe\n" }, { "path": ".golangci.yml", "content": "version: \"2\"\nrun:\n issues-exit-code: 1\n tests: true\nlinters:\n enable:\n - bodyclose\n - dogsled\n - dupl\n - goconst\n - gocyclo\n - misspell\n - revive\n - rowserrcheck\n - unconvert\n - unparam\n - whitespace\n settings:\n dupl:\n threshold: 150\n errcheck:\n check-type-assertions: false\n check-blank: false\n goconst:\n min-len: 3\n min-occurrences: 3\n gocyclo:\n min-complexity: 15\n # https://golangci-lint.run/usage/linters/#revive\n revive:\n rules:\n - name: var-naming\n severity: warning\n disabled: true\n exclude: [\"\"]\n arguments:\n - [\"ID\"] # AllowList\n - [\"VM\"] # DenyList\n - - upper-case-const: true\n - - skip-package-name-checks: true\n exclusions:\n generated: lax\n presets:\n - common-false-positives\n - legacy\n - std-error-handling\n paths:\n - third_party$\n - builtin$\n - examples$\nformatters:\n enable:\n - gofmt\n - goimports\n settings:\n gofmt:\n simplify: true\n goimports:\n local-prefixes:\n - github.com/drakkan/sftpgo\n exclusions:\n generated: lax\n paths:\n - third_party$\n - builtin$\n - examples$\n" }, { "path": "CODEOWNERS", "content": "* @drakkan\n" }, { "path": "CODE_OF_CONDUCT.md", "content": "# Contributor Covenant Code of Conduct\n\n## Our Pledge\n\nWe as members, contributors, and leaders pledge to make participation in our\ncommunity a harassment-free experience for everyone, regardless of age, body\nsize, visible or invisible disability, ethnicity, sex characteristics, gender\nidentity and expression, level of experience, education, socio-economic status,\nnationality, personal appearance, race, religion, or sexual identity\nand orientation.\n\nWe pledge to act and interact in ways that contribute to an open, welcoming,\ndiverse, inclusive, and healthy community.\n\n## Our Standards\n\nExamples of behavior that contributes to a positive environment for our\ncommunity include:\n\n* Demonstrating empathy and kindness toward other people\n* Being respectful of differing opinions, viewpoints, and experiences\n* Giving and gracefully accepting constructive feedback\n* Accepting responsibility and apologizing to those affected by our mistakes,\n and learning from the experience\n* Focusing on what is best not just for us as individuals, but for the\n overall community\n\nExamples of unacceptable behavior include:\n\n* The use of sexualized language or imagery, and sexual attention or\n advances of any kind\n* Trolling, insulting or derogatory comments, and personal or political attacks\n* Public or private harassment\n* Publishing others' private information, such as a physical or email\n address, without their explicit permission\n* Other conduct which could reasonably be considered inappropriate in a\n professional setting\n\n## Enforcement Responsibilities\n\nCommunity leaders are responsible for clarifying and enforcing our standards of\nacceptable behavior and will take appropriate and fair corrective action in\nresponse to any behavior that they deem inappropriate, threatening, offensive,\nor harmful.\n\nCommunity leaders have the right and responsibility to remove, edit, or reject\ncomments, commits, code, wiki edits, issues, and other contributions that are\nnot aligned to this Code of Conduct, and will communicate reasons for moderation\ndecisions when appropriate.\n\n## Scope\n\nThis Code of Conduct applies within all community spaces, and also applies when\nan individual is officially representing the community in public spaces.\nExamples of representing our community include using an official e-mail address,\nposting via an official social media account, or acting as an appointed\nrepresentative at an online or offline event.\n\n## Enforcement\n\nInstances of abusive, harassing, or otherwise unacceptable behavior may be\nreported to the community leaders responsible for enforcement at\nsupport@sftpgo.com.\nAll complaints will be reviewed and investigated promptly and fairly.\n\nAll community leaders are obligated to respect the privacy and security of the\nreporter of any incident.\n\n## Enforcement Guidelines\n\nCommunity leaders will follow these Community Impact Guidelines in determining\nthe consequences for any action they deem in violation of this Code of Conduct:\n\n### 1. Correction\n\n**Community Impact**: Use of inappropriate language or other behavior deemed\nunprofessional or unwelcome in the community.\n\n**Consequence**: A private, written warning from community leaders, providing\nclarity around the nature of the violation and an explanation of why the\nbehavior was inappropriate. A public apology may be requested.\n\n### 2. Warning\n\n**Community Impact**: A violation through a single incident or series\nof actions.\n\n**Consequence**: A warning with consequences for continued behavior. No\ninteraction with the people involved, including unsolicited interaction with\nthose enforcing the Code of Conduct, for a specified period of time. This\nincludes avoiding interactions in community spaces as well as external channels\nlike social media. Violating these terms may lead to a temporary or\npermanent ban.\n\n### 3. Temporary Ban\n\n**Community Impact**: A serious violation of community standards, including\nsustained inappropriate behavior.\n\n**Consequence**: A temporary ban from any sort of interaction or public\ncommunication with the community for a specified period of time. No public or\nprivate interaction with the people involved, including unsolicited interaction\nwith those enforcing the Code of Conduct, is allowed during this period.\nViolating these terms may lead to a permanent ban.\n\n### 4. Permanent Ban\n\n**Community Impact**: Demonstrating a pattern of violation of community\nstandards, including sustained inappropriate behavior, harassment of an\nindividual, or aggression toward or disparagement of classes of individuals.\n\n**Consequence**: A permanent ban from any sort of public interaction within\nthe community.\n\n## Attribution\n\nThis Code of Conduct is adapted from the [Contributor Covenant][homepage],\nversion 2.0, available at\nhttps://www.contributor-covenant.org/version/2/0/code_of_conduct.html.\n\nCommunity Impact Guidelines were inspired by [Mozilla's code of conduct\nenforcement ladder](https://github.com/mozilla/diversity).\n\n[homepage]: https://www.contributor-covenant.org\n\nFor answers to common questions about this code of conduct, see the FAQ at\nhttps://www.contributor-covenant.org/faq. Translations are available at\nhttps://www.contributor-covenant.org/translations.\n" }, { "path": "Dockerfile", "content": "FROM golang:1.26-trixie AS builder\n\nENV GOFLAGS=\"-mod=readonly\"\n\nRUN apt-get update && apt-get -y upgrade && rm -rf /var/lib/apt/lists/*\n\nRUN mkdir -p /workspace\nWORKDIR /workspace\n\nARG GOPROXY\n\nCOPY go.mod go.sum ./\nRUN go mod download && go mod verify\n\nARG COMMIT_SHA\n\n# This ARG allows to disable some optional features and it might be useful if you build the image yourself.\n# For example you can disable S3 and GCS support like this:\n# --build-arg FEATURES=nos3,nogcs\nARG FEATURES\n\nCOPY . .\n\nRUN set -xe && \\\n export COMMIT_SHA=${COMMIT_SHA:-$(git describe --always --abbrev=8 --dirty)} && \\\n go build $(if [ -n \"${FEATURES}\" ]; then echo \"-tags ${FEATURES}\"; fi) -trimpath -ldflags \"-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=${COMMIT_SHA} -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`\" -v -o sftpgo\n\n# Set to \"true\" to download the \"official\" plugins in /usr/local/bin\nARG DOWNLOAD_PLUGINS=false\n\nRUN if [ \"${DOWNLOAD_PLUGINS}\" = \"true\" ]; then apt-get update && apt-get install --no-install-recommends -y curl && ./docker/scripts/download-plugins.sh; fi\n\nFROM debian:trixie-slim\n\n# Set to \"true\" to install jq\nARG INSTALL_OPTIONAL_PACKAGES=false\n\nRUN apt-get update && apt-get -y upgrade && apt-get install --no-install-recommends -y ca-certificates media-types && rm -rf /var/lib/apt/lists/*\n\nRUN if [ \"${INSTALL_OPTIONAL_PACKAGES}\" = \"true\" ]; then apt-get update && apt-get install --no-install-recommends -y jq && rm -rf /var/lib/apt/lists/*; fi\n\nRUN mkdir -p /etc/sftpgo /var/lib/sftpgo /usr/share/sftpgo /srv/sftpgo/data /srv/sftpgo/backups\n\nRUN groupadd --system -g 1000 sftpgo && \\\n useradd --system --gid sftpgo --no-create-home \\\n --home-dir /var/lib/sftpgo --shell /usr/sbin/nologin \\\n --comment \"SFTPGo user\" --uid 1000 sftpgo\n\nCOPY --from=builder /workspace/sftpgo.json /etc/sftpgo/sftpgo.json\nCOPY --from=builder /workspace/templates /usr/share/sftpgo/templates\nCOPY --from=builder /workspace/static /usr/share/sftpgo/static\nCOPY --from=builder /workspace/openapi /usr/share/sftpgo/openapi\nCOPY --from=builder /workspace/sftpgo /usr/local/bin/sftpgo-plugin-* /usr/local/bin/\n\n# Log to the stdout so the logs will be available using docker logs\nENV SFTPGO_LOG_FILE_PATH=\"\"\n\n# Modify the default configuration file\nRUN sed -i 's|\"users_base_dir\": \"\",|\"users_base_dir\": \"/srv/sftpgo/data\",|' /etc/sftpgo/sftpgo.json && \\\n sed -i 's|\"backups\"|\"/srv/sftpgo/backups\"|' /etc/sftpgo/sftpgo.json\n\nRUN chown -R sftpgo:sftpgo /etc/sftpgo /srv/sftpgo && chown sftpgo:sftpgo /var/lib/sftpgo && chmod 700 /srv/sftpgo/backups\n\nWORKDIR /var/lib/sftpgo\nUSER 1000:1000\n\nCMD [\"sftpgo\", \"serve\"]\n" }, { "path": "Dockerfile.alpine", "content": "FROM golang:1.26-alpine3.23 AS builder\n\nENV GOFLAGS=\"-mod=readonly\"\n\nRUN apk -U upgrade --no-cache && apk add --update --no-cache bash ca-certificates curl git gcc g++\n\nRUN mkdir -p /workspace\nWORKDIR /workspace\n\nARG GOPROXY\n\nCOPY go.mod go.sum ./\nRUN go mod download && go mod verify\n\nARG COMMIT_SHA\n\n# This ARG allows to disable some optional features and it might be useful if you build the image yourself.\n# For example you can disable S3 and GCS support like this:\n# --build-arg FEATURES=nos3,nogcs\nARG FEATURES\n\nCOPY . .\n\nRUN set -xe && \\\n export COMMIT_SHA=${COMMIT_SHA:-$(git describe --always --abbrev=8 --dirty)} && \\\n go build $(if [ -n \"${FEATURES}\" ]; then echo \"-tags ${FEATURES}\"; fi) -trimpath -ldflags \"-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=${COMMIT_SHA} -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`\" -v -o sftpgo\n\nFROM alpine:3.23\n\n# Set to \"true\" to install jq\nARG INSTALL_OPTIONAL_PACKAGES=false\n\nRUN apk -U upgrade --no-cache && apk add --update --no-cache ca-certificates tzdata mailcap\n\nRUN if [ \"${INSTALL_OPTIONAL_PACKAGES}\" = \"true\" ]; then apk add --update --no-cache jq; fi\n\nRUN mkdir -p /etc/sftpgo /var/lib/sftpgo /usr/share/sftpgo /srv/sftpgo/data /srv/sftpgo/backups\n\nRUN addgroup -g 1000 -S sftpgo && \\\n adduser -u 1000 -h /var/lib/sftpgo -s /sbin/nologin -G sftpgo -S -D -H -g \"SFTPGo user\" sftpgo\n\nCOPY --from=builder /workspace/sftpgo.json /etc/sftpgo/sftpgo.json\nCOPY --from=builder /workspace/templates /usr/share/sftpgo/templates\nCOPY --from=builder /workspace/static /usr/share/sftpgo/static\nCOPY --from=builder /workspace/openapi /usr/share/sftpgo/openapi\nCOPY --from=builder /workspace/sftpgo /usr/local/bin/\n\n# Log to the stdout so the logs will be available using docker logs\nENV SFTPGO_LOG_FILE_PATH=\"\"\n\n# Modify the default configuration file\nRUN sed -i 's|\"users_base_dir\": \"\",|\"users_base_dir\": \"/srv/sftpgo/data\",|' /etc/sftpgo/sftpgo.json && \\\n sed -i 's|\"backups\"|\"/srv/sftpgo/backups\"|' /etc/sftpgo/sftpgo.json\n\nRUN chown -R sftpgo:sftpgo /etc/sftpgo /srv/sftpgo && chown sftpgo:sftpgo /var/lib/sftpgo && chmod 700 /srv/sftpgo/backups\n\nWORKDIR /var/lib/sftpgo\nUSER 1000:1000\n\nCMD [\"sftpgo\", \"serve\"]\n" }, { "path": "Dockerfile.distroless", "content": "FROM golang:1.26-trixie AS builder\n\nENV CGO_ENABLED=0 GOFLAGS=\"-mod=readonly\"\n\nRUN apt-get update && apt-get -y upgrade && apt-get install --no-install-recommends -y media-types && rm -rf /var/lib/apt/lists/*\n\nRUN mkdir -p /workspace\nWORKDIR /workspace\n\nARG GOPROXY\n\nCOPY go.mod go.sum ./\nRUN go mod download && go mod verify\n\nARG COMMIT_SHA\n\n# This ARG allows to disable some optional features and it might be useful if you build the image yourself.\n# For this variant we disable SQLite support since it requires CGO and so a C runtime which is not installed\n# in distroless/static-* images\nARG FEATURES\n\nCOPY . .\n\nRUN set -xe && \\\n export COMMIT_SHA=${COMMIT_SHA:-$(git describe --always --abbrev=8 --dirty)} && \\\n go build $(if [ -n \"${FEATURES}\" ]; then echo \"-tags ${FEATURES}\"; fi) -trimpath -ldflags \"-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=${COMMIT_SHA} -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`\" -v -o sftpgo\n\n# Modify the default configuration file\nRUN sed -i 's|\"users_base_dir\": \"\",|\"users_base_dir\": \"/srv/sftpgo/data\",|' sftpgo.json && \\\n sed -i 's|\"backups\"|\"/srv/sftpgo/backups\"|' sftpgo.json && \\\n sed -i 's|\"sqlite\"|\"bolt\"|' sftpgo.json\n\nRUN mkdir /etc/sftpgo /var/lib/sftpgo /srv/sftpgo\n\nFROM gcr.io/distroless/static-debian13\n\nCOPY --from=builder --chown=1000:1000 /etc/sftpgo /etc/sftpgo\nCOPY --from=builder --chown=1000:1000 /srv/sftpgo /srv/sftpgo\nCOPY --from=builder --chown=1000:1000 /var/lib/sftpgo /var/lib/sftpgo\nCOPY --from=builder --chown=1000:1000 /workspace/sftpgo.json /etc/sftpgo/sftpgo.json\nCOPY --from=builder /workspace/templates /usr/share/sftpgo/templates\nCOPY --from=builder /workspace/static /usr/share/sftpgo/static\nCOPY --from=builder /workspace/openapi /usr/share/sftpgo/openapi\nCOPY --from=builder /workspace/sftpgo /usr/local/bin/\nCOPY --from=builder /etc/mime.types /etc/mime.types\n\n# Log to the stdout so the logs will be available using docker logs\nENV SFTPGO_LOG_FILE_PATH=\"\"\n# These env vars are required to avoid the following error when calling user.Current():\n# unable to get the current user: user: Current requires cgo or $USER set in environment\nENV USER=sftpgo\nENV HOME=/var/lib/sftpgo\n\nWORKDIR /var/lib/sftpgo\nUSER 1000:1000\n\nCMD [\"sftpgo\", \"serve\"]" }, { "path": "LICENSE", "content": " GNU AFFERO GENERAL PUBLIC LICENSE\n Version 3, 19 November 2007\n\n Copyright (C) 2007 Free Software Foundation, Inc. \n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed.\n\n Preamble\n\n The GNU Affero General Public License is a free, copyleft license for\nsoftware and other kinds of works, specifically designed to ensure\ncooperation with the community in the case of network server software.\n\n The licenses for most software and other practical works are designed\nto take away your freedom to share and change the works. By contrast,\nour General Public Licenses are intended to guarantee your freedom to\nshare and change all versions of a program--to make sure it remains free\nsoftware for all its users.\n\n When we speak of free software, we are referring to freedom, not\nprice. Our General Public Licenses are designed to make sure that you\nhave the freedom to distribute copies of free software (and charge for\nthem if you wish), that you receive source code or can get it if you\nwant it, that you can change the software or use pieces of it in new\nfree programs, and that you know you can do these things.\n\n Developers that use our General Public Licenses protect your rights\nwith two steps: (1) assert copyright on the software, and (2) offer\nyou this License which gives you legal permission to copy, distribute\nand/or modify the software.\n\n A secondary benefit of defending all users' freedom is that\nimprovements made in alternate versions of the program, if they\nreceive widespread use, become available for other developers to\nincorporate. Many developers of free software are heartened and\nencouraged by the resulting cooperation. However, in the case of\nsoftware used on network servers, this result may fail to come about.\nThe GNU General Public License permits making a modified version and\nletting the public access it on a server without ever releasing its\nsource code to the public.\n\n The GNU Affero General Public License is designed specifically to\nensure that, in such cases, the modified source code becomes available\nto the community. It requires the operator of a network server to\nprovide the source code of the modified version running there to the\nusers of that server. Therefore, public use of a modified version, on\na publicly accessible server, gives the public access to the source\ncode of the modified version.\n\n An older license, called the Affero General Public License and\npublished by Affero, was designed to accomplish similar goals. This is\na different license, not a version of the Affero GPL, but Affero has\nreleased a new version of the Affero GPL which permits relicensing under\nthis license.\n\n The precise terms and conditions for copying, distribution and\nmodification follow.\n\n TERMS AND CONDITIONS\n\n 0. Definitions.\n\n \"This License\" refers to version 3 of the GNU Affero General Public License.\n\n \"Copyright\" also means copyright-like laws that apply to other kinds of\nworks, such as semiconductor masks.\n\n \"The Program\" refers to any copyrightable work licensed under this\nLicense. Each licensee is addressed as \"you\". \"Licensees\" and\n\"recipients\" may be individuals or organizations.\n\n To \"modify\" a work means to copy from or adapt all or part of the work\nin a fashion requiring copyright permission, other than the making of an\nexact copy. The resulting work is called a \"modified version\" of the\nearlier work or a work \"based on\" the earlier work.\n\n A \"covered work\" means either the unmodified Program or a work based\non the Program.\n\n To \"propagate\" a work means to do anything with it that, without\npermission, would make you directly or secondarily liable for\ninfringement under applicable copyright law, except executing it on a\ncomputer or modifying a private copy. Propagation includes copying,\ndistribution (with or without modification), making available to the\npublic, and in some countries other activities as well.\n\n To \"convey\" a work means any kind of propagation that enables other\nparties to make or receive copies. Mere interaction with a user through\na computer network, with no transfer of a copy, is not conveying.\n\n An interactive user interface displays \"Appropriate Legal Notices\"\nto the extent that it includes a convenient and prominently visible\nfeature that (1) displays an appropriate copyright notice, and (2)\ntells the user that there is no warranty for the work (except to the\nextent that warranties are provided), that licensees may convey the\nwork under this License, and how to view a copy of this License. If\nthe interface presents a list of user commands or options, such as a\nmenu, a prominent item in the list meets this criterion.\n\n 1. Source Code.\n\n The \"source code\" for a work means the preferred form of the work\nfor making modifications to it. \"Object code\" means any non-source\nform of a work.\n\n A \"Standard Interface\" means an interface that either is an official\nstandard defined by a recognized standards body, or, in the case of\ninterfaces specified for a particular programming language, one that\nis widely used among developers working in that language.\n\n The \"System Libraries\" of an executable work include anything, other\nthan the work as a whole, that (a) is included in the normal form of\npackaging a Major Component, but which is not part of that Major\nComponent, and (b) serves only to enable use of the work with that\nMajor Component, or to implement a Standard Interface for which an\nimplementation is available to the public in source code form. A\n\"Major Component\", in this context, means a major essential component\n(kernel, window system, and so on) of the specific operating system\n(if any) on which the executable work runs, or a compiler used to\nproduce the work, or an object code interpreter used to run it.\n\n The \"Corresponding Source\" for a work in object code form means all\nthe source code needed to generate, install, and (for an executable\nwork) run the object code and to modify the work, including scripts to\ncontrol those activities. However, it does not include the work's\nSystem Libraries, or general-purpose tools or generally available free\nprograms which are used unmodified in performing those activities but\nwhich are not part of the work. For example, Corresponding Source\nincludes interface definition files associated with source files for\nthe work, and the source code for shared libraries and dynamically\nlinked subprograms that the work is specifically designed to require,\nsuch as by intimate data communication or control flow between those\nsubprograms and other parts of the work.\n\n The Corresponding Source need not include anything that users\ncan regenerate automatically from other parts of the Corresponding\nSource.\n\n The Corresponding Source for a work in source code form is that\nsame work.\n\n 2. Basic Permissions.\n\n All rights granted under this License are granted for the term of\ncopyright on the Program, and are irrevocable provided the stated\nconditions are met. This License explicitly affirms your unlimited\npermission to run the unmodified Program. The output from running a\ncovered work is covered by this License only if the output, given its\ncontent, constitutes a covered work. This License acknowledges your\nrights of fair use or other equivalent, as provided by copyright law.\n\n You may make, run and propagate covered works that you do not\nconvey, without conditions so long as your license otherwise remains\nin force. You may convey covered works to others for the sole purpose\nof having them make modifications exclusively for you, or provide you\nwith facilities for running those works, provided that you comply with\nthe terms of this License in conveying all material for which you do\nnot control copyright. Those thus making or running the covered works\nfor you must do so exclusively on your behalf, under your direction\nand control, on terms that prohibit them from making any copies of\nyour copyrighted material outside their relationship with you.\n\n Conveying under any other circumstances is permitted solely under\nthe conditions stated below. Sublicensing is not allowed; section 10\nmakes it unnecessary.\n\n 3. Protecting Users' Legal Rights From Anti-Circumvention Law.\n\n No covered work shall be deemed part of an effective technological\nmeasure under any applicable law fulfilling obligations under article\n11 of the WIPO copyright treaty adopted on 20 December 1996, or\nsimilar laws prohibiting or restricting circumvention of such\nmeasures.\n\n When you convey a covered work, you waive any legal power to forbid\ncircumvention of technological measures to the extent such circumvention\nis effected by exercising rights under this License with respect to\nthe covered work, and you disclaim any intention to limit operation or\nmodification of the work as a means of enforcing, against the work's\nusers, your or third parties' legal rights to forbid circumvention of\ntechnological measures.\n\n 4. Conveying Verbatim Copies.\n\n You may convey verbatim copies of the Program's source code as you\nreceive it, in any medium, provided that you conspicuously and\nappropriately publish on each copy an appropriate copyright notice;\nkeep intact all notices stating that this License and any\nnon-permissive terms added in accord with section 7 apply to the code;\nkeep intact all notices of the absence of any warranty; and give all\nrecipients a copy of this License along with the Program.\n\n You may charge any price or no price for each copy that you convey,\nand you may offer support or warranty protection for a fee.\n\n 5. Conveying Modified Source Versions.\n\n You may convey a work based on the Program, or the modifications to\nproduce it from the Program, in the form of source code under the\nterms of section 4, provided that you also meet all of these conditions:\n\n a) The work must carry prominent notices stating that you modified\n it, and giving a relevant date.\n\n b) The work must carry prominent notices stating that it is\n released under this License and any conditions added under section\n 7. This requirement modifies the requirement in section 4 to\n \"keep intact all notices\".\n\n c) You must license the entire work, as a whole, under this\n License to anyone who comes into possession of a copy. This\n License will therefore apply, along with any applicable section 7\n additional terms, to the whole of the work, and all its parts,\n regardless of how they are packaged. This License gives no\n permission to license the work in any other way, but it does not\n invalidate such permission if you have separately received it.\n\n d) If the work has interactive user interfaces, each must display\n Appropriate Legal Notices; however, if the Program has interactive\n interfaces that do not display Appropriate Legal Notices, your\n work need not make them do so.\n\n A compilation of a covered work with other separate and independent\nworks, which are not by their nature extensions of the covered work,\nand which are not combined with it such as to form a larger program,\nin or on a volume of a storage or distribution medium, is called an\n\"aggregate\" if the compilation and its resulting copyright are not\nused to limit the access or legal rights of the compilation's users\nbeyond what the individual works permit. Inclusion of a covered work\nin an aggregate does not cause this License to apply to the other\nparts of the aggregate.\n\n 6. Conveying Non-Source Forms.\n\n You may convey a covered work in object code form under the terms\nof sections 4 and 5, provided that you also convey the\nmachine-readable Corresponding Source under the terms of this License,\nin one of these ways:\n\n a) Convey the object code in, or embodied in, a physical product\n (including a physical distribution medium), accompanied by the\n Corresponding Source fixed on a durable physical medium\n customarily used for software interchange.\n\n b) Convey the object code in, or embodied in, a physical product\n (including a physical distribution medium), accompanied by a\n written offer, valid for at least three years and valid for as\n long as you offer spare parts or customer support for that product\n model, to give anyone who possesses the object code either (1) a\n copy of the Corresponding Source for all the software in the\n product that is covered by this License, on a durable physical\n medium customarily used for software interchange, for a price no\n more than your reasonable cost of physically performing this\n conveying of source, or (2) access to copy the\n Corresponding Source from a network server at no charge.\n\n c) Convey individual copies of the object code with a copy of the\n written offer to provide the Corresponding Source. This\n alternative is allowed only occasionally and noncommercially, and\n only if you received the object code with such an offer, in accord\n with subsection 6b.\n\n d) Convey the object code by offering access from a designated\n place (gratis or for a charge), and offer equivalent access to the\n Corresponding Source in the same way through the same place at no\n further charge. You need not require recipients to copy the\n Corresponding Source along with the object code. If the place to\n copy the object code is a network server, the Corresponding Source\n may be on a different server (operated by you or a third party)\n that supports equivalent copying facilities, provided you maintain\n clear directions next to the object code saying where to find the\n Corresponding Source. Regardless of what server hosts the\n Corresponding Source, you remain obligated to ensure that it is\n available for as long as needed to satisfy these requirements.\n\n e) Convey the object code using peer-to-peer transmission, provided\n you inform other peers where the object code and Corresponding\n Source of the work are being offered to the general public at no\n charge under subsection 6d.\n\n A separable portion of the object code, whose source code is excluded\nfrom the Corresponding Source as a System Library, need not be\nincluded in conveying the object code work.\n\n A \"User Product\" is either (1) a \"consumer product\", which means any\ntangible personal property which is normally used for personal, family,\nor household purposes, or (2) anything designed or sold for incorporation\ninto a dwelling. In determining whether a product is a consumer product,\ndoubtful cases shall be resolved in favor of coverage. For a particular\nproduct received by a particular user, \"normally used\" refers to a\ntypical or common use of that class of product, regardless of the status\nof the particular user or of the way in which the particular user\nactually uses, or expects or is expected to use, the product. A product\nis a consumer product regardless of whether the product has substantial\ncommercial, industrial or non-consumer uses, unless such uses represent\nthe only significant mode of use of the product.\n\n \"Installation Information\" for a User Product means any methods,\nprocedures, authorization keys, or other information required to install\nand execute modified versions of a covered work in that User Product from\na modified version of its Corresponding Source. The information must\nsuffice to ensure that the continued functioning of the modified object\ncode is in no case prevented or interfered with solely because\nmodification has been made.\n\n If you convey an object code work under this section in, or with, or\nspecifically for use in, a User Product, and the conveying occurs as\npart of a transaction in which the right of possession and use of the\nUser Product is transferred to the recipient in perpetuity or for a\nfixed term (regardless of how the transaction is characterized), the\nCorresponding Source conveyed under this section must be accompanied\nby the Installation Information. But this requirement does not apply\nif neither you nor any third party retains the ability to install\nmodified object code on the User Product (for example, the work has\nbeen installed in ROM).\n\n The requirement to provide Installation Information does not include a\nrequirement to continue to provide support service, warranty, or updates\nfor a work that has been modified or installed by the recipient, or for\nthe User Product in which it has been modified or installed. Access to a\nnetwork may be denied when the modification itself materially and\nadversely affects the operation of the network or violates the rules and\nprotocols for communication across the network.\n\n Corresponding Source conveyed, and Installation Information provided,\nin accord with this section must be in a format that is publicly\ndocumented (and with an implementation available to the public in\nsource code form), and must require no special password or key for\nunpacking, reading or copying.\n\n 7. Additional Terms.\n\n \"Additional permissions\" are terms that supplement the terms of this\nLicense by making exceptions from one or more of its conditions.\nAdditional permissions that are applicable to the entire Program shall\nbe treated as though they were included in this License, to the extent\nthat they are valid under applicable law. If additional permissions\napply only to part of the Program, that part may be used separately\nunder those permissions, but the entire Program remains governed by\nthis License without regard to the additional permissions.\n\n When you convey a copy of a covered work, you may at your option\nremove any additional permissions from that copy, or from any part of\nit. (Additional permissions may be written to require their own\nremoval in certain cases when you modify the work.) You may place\nadditional permissions on material, added by you to a covered work,\nfor which you have or can give appropriate copyright permission.\n\n Notwithstanding any other provision of this License, for material you\nadd to a covered work, you may (if authorized by the copyright holders of\nthat material) supplement the terms of this License with terms:\n\n a) Disclaiming warranty or limiting liability differently from the\n terms of sections 15 and 16 of this License; or\n\n b) Requiring preservation of specified reasonable legal notices or\n author attributions in that material or in the Appropriate Legal\n Notices displayed by works containing it; or\n\n c) Prohibiting misrepresentation of the origin of that material, or\n requiring that modified versions of such material be marked in\n reasonable ways as different from the original version; or\n\n d) Limiting the use for publicity purposes of names of licensors or\n authors of the material; or\n\n e) Declining to grant rights under trademark law for use of some\n trade names, trademarks, or service marks; or\n\n f) Requiring indemnification of licensors and authors of that\n material by anyone who conveys the material (or modified versions of\n it) with contractual assumptions of liability to the recipient, for\n any liability that these contractual assumptions directly impose on\n those licensors and authors.\n\n All other non-permissive additional terms are considered \"further\nrestrictions\" within the meaning of section 10. If the Program as you\nreceived it, or any part of it, contains a notice stating that it is\ngoverned by this License along with a term that is a further\nrestriction, you may remove that term. If a license document contains\na further restriction but permits relicensing or conveying under this\nLicense, you may add to a covered work material governed by the terms\nof that license document, provided that the further restriction does\nnot survive such relicensing or conveying.\n\n If you add terms to a covered work in accord with this section, you\nmust place, in the relevant source files, a statement of the\nadditional terms that apply to those files, or a notice indicating\nwhere to find the applicable terms.\n\n Additional terms, permissive or non-permissive, may be stated in the\nform of a separately written license, or stated as exceptions;\nthe above requirements apply either way.\n\n 8. Termination.\n\n You may not propagate or modify a covered work except as expressly\nprovided under this License. Any attempt otherwise to propagate or\nmodify it is void, and will automatically terminate your rights under\nthis License (including any patent licenses granted under the third\nparagraph of section 11).\n\n However, if you cease all violation of this License, then your\nlicense from a particular copyright holder is reinstated (a)\nprovisionally, unless and until the copyright holder explicitly and\nfinally terminates your license, and (b) permanently, if the copyright\nholder fails to notify you of the violation by some reasonable means\nprior to 60 days after the cessation.\n\n Moreover, your license from a particular copyright holder is\nreinstated permanently if the copyright holder notifies you of the\nviolation by some reasonable means, this is the first time you have\nreceived notice of violation of this License (for any work) from that\ncopyright holder, and you cure the violation prior to 30 days after\nyour receipt of the notice.\n\n Termination of your rights under this section does not terminate the\nlicenses of parties who have received copies or rights from you under\nthis License. If your rights have been terminated and not permanently\nreinstated, you do not qualify to receive new licenses for the same\nmaterial under section 10.\n\n 9. Acceptance Not Required for Having Copies.\n\n You are not required to accept this License in order to receive or\nrun a copy of the Program. Ancillary propagation of a covered work\noccurring solely as a consequence of using peer-to-peer transmission\nto receive a copy likewise does not require acceptance. However,\nnothing other than this License grants you permission to propagate or\nmodify any covered work. These actions infringe copyright if you do\nnot accept this License. Therefore, by modifying or propagating a\ncovered work, you indicate your acceptance of this License to do so.\n\n 10. Automatic Licensing of Downstream Recipients.\n\n Each time you convey a covered work, the recipient automatically\nreceives a license from the original licensors, to run, modify and\npropagate that work, subject to this License. You are not responsible\nfor enforcing compliance by third parties with this License.\n\n An \"entity transaction\" is a transaction transferring control of an\norganization, or substantially all assets of one, or subdividing an\norganization, or merging organizations. If propagation of a covered\nwork results from an entity transaction, each party to that\ntransaction who receives a copy of the work also receives whatever\nlicenses to the work the party's predecessor in interest had or could\ngive under the previous paragraph, plus a right to possession of the\nCorresponding Source of the work from the predecessor in interest, if\nthe predecessor has it or can get it with reasonable efforts.\n\n You may not impose any further restrictions on the exercise of the\nrights granted or affirmed under this License. For example, you may\nnot impose a license fee, royalty, or other charge for exercise of\nrights granted under this License, and you may not initiate litigation\n(including a cross-claim or counterclaim in a lawsuit) alleging that\nany patent claim is infringed by making, using, selling, offering for\nsale, or importing the Program or any portion of it.\n\n 11. Patents.\n\n A \"contributor\" is a copyright holder who authorizes use under this\nLicense of the Program or a work on which the Program is based. The\nwork thus licensed is called the contributor's \"contributor version\".\n\n A contributor's \"essential patent claims\" are all patent claims\nowned or controlled by the contributor, whether already acquired or\nhereafter acquired, that would be infringed by some manner, permitted\nby this License, of making, using, or selling its contributor version,\nbut do not include claims that would be infringed only as a\nconsequence of further modification of the contributor version. For\npurposes of this definition, \"control\" includes the right to grant\npatent sublicenses in a manner consistent with the requirements of\nthis License.\n\n Each contributor grants you a non-exclusive, worldwide, royalty-free\npatent license under the contributor's essential patent claims, to\nmake, use, sell, offer for sale, import and otherwise run, modify and\npropagate the contents of its contributor version.\n\n In the following three paragraphs, a \"patent license\" is any express\nagreement or commitment, however denominated, not to enforce a patent\n(such as an express permission to practice a patent or covenant not to\nsue for patent infringement). To \"grant\" such a patent license to a\nparty means to make such an agreement or commitment not to enforce a\npatent against the party.\n\n If you convey a covered work, knowingly relying on a patent license,\nand the Corresponding Source of the work is not available for anyone\nto copy, free of charge and under the terms of this License, through a\npublicly available network server or other readily accessible means,\nthen you must either (1) cause the Corresponding Source to be so\navailable, or (2) arrange to deprive yourself of the benefit of the\npatent license for this particular work, or (3) arrange, in a manner\nconsistent with the requirements of this License, to extend the patent\nlicense to downstream recipients. \"Knowingly relying\" means you have\nactual knowledge that, but for the patent license, your conveying the\ncovered work in a country, or your recipient's use of the covered work\nin a country, would infringe one or more identifiable patents in that\ncountry that you have reason to believe are valid.\n\n If, pursuant to or in connection with a single transaction or\narrangement, you convey, or propagate by procuring conveyance of, a\ncovered work, and grant a patent license to some of the parties\nreceiving the covered work authorizing them to use, propagate, modify\nor convey a specific copy of the covered work, then the patent license\nyou grant is automatically extended to all recipients of the covered\nwork and works based on it.\n\n A patent license is \"discriminatory\" if it does not include within\nthe scope of its coverage, prohibits the exercise of, or is\nconditioned on the non-exercise of one or more of the rights that are\nspecifically granted under this License. You may not convey a covered\nwork if you are a party to an arrangement with a third party that is\nin the business of distributing software, under which you make payment\nto the third party based on the extent of your activity of conveying\nthe work, and under which the third party grants, to any of the\nparties who would receive the covered work from you, a discriminatory\npatent license (a) in connection with copies of the covered work\nconveyed by you (or copies made from those copies), or (b) primarily\nfor and in connection with specific products or compilations that\ncontain the covered work, unless you entered into that arrangement,\nor that patent license was granted, prior to 28 March 2007.\n\n Nothing in this License shall be construed as excluding or limiting\nany implied license or other defenses to infringement that may\notherwise be available to you under applicable patent law.\n\n 12. No Surrender of Others' Freedom.\n\n If conditions are imposed on you (whether by court order, agreement or\notherwise) that contradict the conditions of this License, they do not\nexcuse you from the conditions of this License. If you cannot convey a\ncovered work so as to satisfy simultaneously your obligations under this\nLicense and any other pertinent obligations, then as a consequence you may\nnot convey it at all. For example, if you agree to terms that obligate you\nto collect a royalty for further conveying from those to whom you convey\nthe Program, the only way you could satisfy both those terms and this\nLicense would be to refrain entirely from conveying the Program.\n\n 13. Remote Network Interaction; Use with the GNU General Public License.\n\n Notwithstanding any other provision of this License, if you modify the\nProgram, your modified version must prominently offer all users\ninteracting with it remotely through a computer network (if your version\nsupports such interaction) an opportunity to receive the Corresponding\nSource of your version by providing access to the Corresponding Source\nfrom a network server at no charge, through some standard or customary\nmeans of facilitating copying of software. This Corresponding Source\nshall include the Corresponding Source for any work covered by version 3\nof the GNU General Public License that is incorporated pursuant to the\nfollowing paragraph.\n\n Notwithstanding any other provision of this License, you have\npermission to link or combine any covered work with a work licensed\nunder version 3 of the GNU General Public License into a single\ncombined work, and to convey the resulting work. The terms of this\nLicense will continue to apply to the part which is the covered work,\nbut the work with which it is combined will remain governed by version\n3 of the GNU General Public License.\n\n 14. Revised Versions of this License.\n\n The Free Software Foundation may publish revised and/or new versions of\nthe GNU Affero General Public License from time to time. Such new versions\nwill be similar in spirit to the present version, but may differ in detail to\naddress new problems or concerns.\n\n Each version is given a distinguishing version number. If the\nProgram specifies that a certain numbered version of the GNU Affero General\nPublic License \"or any later version\" applies to it, you have the\noption of following the terms and conditions either of that numbered\nversion or of any later version published by the Free Software\nFoundation. If the Program does not specify a version number of the\nGNU Affero General Public License, you may choose any version ever published\nby the Free Software Foundation.\n\n If the Program specifies that a proxy can decide which future\nversions of the GNU Affero General Public License can be used, that proxy's\npublic statement of acceptance of a version permanently authorizes you\nto choose that version for the Program.\n\n Later license versions may give you additional or different\npermissions. However, no additional obligations are imposed on any\nauthor or copyright holder as a result of your choosing to follow a\nlater version.\n\n 15. Disclaimer of Warranty.\n\n THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY\nAPPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT\nHOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM \"AS IS\" WITHOUT WARRANTY\nOF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,\nTHE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\nPURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM\nIS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF\nALL NECESSARY SERVICING, REPAIR OR CORRECTION.\n\n 16. Limitation of Liability.\n\n IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING\nWILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS\nTHE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY\nGENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE\nUSE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF\nDATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD\nPARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),\nEVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF\nSUCH DAMAGES.\n\n 17. Interpretation of Sections 15 and 16.\n\n If the disclaimer of warranty and limitation of liability provided\nabove cannot be given local legal effect according to their terms,\nreviewing courts shall apply local law that most closely approximates\nan absolute waiver of all civil liability in connection with the\nProgram, unless a warranty or assumption of liability accompanies a\ncopy of the Program in return for a fee.\n\n END OF TERMS AND CONDITIONS\n\n How to Apply These Terms to Your New Programs\n\n If you develop a new program, and you want it to be of the greatest\npossible use to the public, the best way to achieve this is to make it\nfree software which everyone can redistribute and change under these terms.\n\n To do so, attach the following notices to the program. It is safest\nto attach them to the start of each source file to most effectively\nstate the exclusion of warranty; and each file should have at least\nthe \"copyright\" line and a pointer to where the full notice is found.\n\n \n Copyright (C) \n\n This program is free software: you can redistribute it and/or modify\n it under the terms of the GNU Affero General Public License as published\n by the Free Software Foundation, either version 3 of the License, or\n (at your option) any later version.\n\n This program is distributed in the hope that it will be useful,\n but WITHOUT ANY WARRANTY; without even the implied warranty of\n MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n GNU Affero General Public License for more details.\n\n You should have received a copy of the GNU Affero General Public License\n along with this program. If not, see .\n\nAlso add information on how to contact you by electronic and paper mail.\n\n If your software can interact with users remotely through a computer\nnetwork, you should also make sure that it provides a way for users to\nget its source. For example, if your program is a web application, its\ninterface could display a \"Source\" link that leads users to an archive\nof the code. There are many ways you could offer source, and different\nsolutions will be better for different programs; see section 13 for the\nspecific requirements.\n\n You should also get your employer (if you work as a programmer) or school,\nif any, to sign a \"copyright disclaimer\" for the program, if necessary.\nFor more information on this, and how to apply and follow the GNU AGPL, see\n." }, { "path": "NOTICE", "content": "Additional terms under GNU AGPL version 3 section 7.3(b) and 13.1:\n\nIf you have included SFTPGo so that it is offered through any network\ninteractions, including by means of an external user interface, or\nany other integration, even without modifying its source code and then\nSFTPGo is partially, fully or optionally configured via your frontend,\nyou must provide reasonable but clear attribution to the SFTPGo project\nand its author(s), not imply any endorsement by or affiliation with the\nSFTPGo project, and you must prominently offer all users interacting\nwith it remotely through a computer network an opportunity to receive\nthe Corresponding Source of the SFTPGo version you include by providing\na link to the Corresponding Source in the SFTPGo source code repository.\n" }, { "path": "README.md", "content": "# SFTPGo\n\n[![CI Status](https://github.com/drakkan/sftpgo/workflows/CI/badge.svg)](https://github.com/drakkan/sftpgo/workflows/CI/badge.svg)\n[![License: AGPL-3.0-only](https://img.shields.io/badge/License-AGPLv3-blue.svg)](https://www.gnu.org/licenses/agpl-3.0)\n[![Mentioned in Awesome Go](https://awesome.re/mentioned-badge.svg)](https://github.com/avelino/awesome-go)\n\nFull-featured and highly configurable event-driven file transfer solution. Server protocols: SFTP, HTTP/S, FTP/S, WebDAV. Storage backends: local filesystem, encrypted local filesystem, S3 (compatible) Object Storage, Google Cloud Storage, Azure Blob Storage, other SFTP servers.\n\nWith SFTPGo you can leverage local and cloud storage backends for exchanging and storing files internally or with business partners using the same tools and processes you are already familiar with.\n\n## Project Status & Editions\n\nSFTPGo is an open-source project with a sustainable business model. We offer two editions to suit different requirements, ensuring the project remains healthy and maintained for everyone.\n\n### Open Source (Community)\n\nFree, Copyleft (AGPLv3), Community Supported. The Community edition is a fully functional, production-ready solution widely adopted worldwide. It includes all the core protocols, storage backends, and the WebAdmin/WebClient UIs. It is ideal for:\n\n- Standard file transfer needs.\n- Integrating storage backends (S3, GCS, Azure Blob) with legacy protocols.\n- Projects that are comfortable with AGPLv3 licensing.\n\n### SFTPGo Enterprise\n\nCommercial License, Professional Support, ISO 27001 Vendor. The Enterprise edition is built on the same core but extends it for mission-critical environments, compliance-heavy industries, and advanced workflows. It is a drop-in replacement (seamless upgrade).\n\n| Feature | Open Source (Community) | Enterprise Edition |\n| :--- | :--- | :--- |\n| **License Type** | AGPLv3 (Copyleft) | **Commercial License**
Proprietary/No Copyleft |\n| **Vendor Compliance** | Not Applicable
Community Project | **Certified Vendor**
ISO 27001 & Supply Chain Validation |\n| **Support** | Community (GitHub) | **Direct from Authors** |\n| **Cloud Storage Engine** | Standard | **High Performance & Scalable**
In-memory streaming (no local temp files) and up to 70% faster |\n| **High Availability (HA)** | Standard
Shared DB & Storage | **Advanced**
Enhanced event handling and optimized instance coordination |\n| **Automation Logic** | Simple Placeholders | **Dynamic Logic & Virtual Folders**
Conditions, loops, route data across storage backends |\n| **Data Lifecycle** | Delete / Retain | **Smart Archiving**
Move data to external Cloud/SFTP storage via Virtual Folders |\n| **Email Data Ingestion** | - | **Native IMAP Integration**
Auto-extract attachments from email to storage |\n| **Public Sharing** | Standard Links | **Advanced & Collaborative**
Email Authentication & Group Delegation |\n| **Data Protection** | - | **Encryption & Scanning**
Automated PGP, Antivirus & DLP via ICAP |\n| **Advanced Identity (SSO)** | Standard | **Extended Controls**
Advanced Single Sign-On parameters |\n| **Document Editing** | - | **Included**
View, edit, and co-author in browser |\n\n**Note**: We are committed to keeping the Open Source edition powerful and maintained. The Enterprise edition helps fund the development of the entire SFTPGo ecosystem.\n\n## Sponsors\n\nIf you rely on SFTPGo in your projects, consider becoming a [sponsor](https://github.com/sponsors/drakkan).\n\nYour sponsorship helps cover maintenance, security updates and ongoing development of the open-source edition.\n\n### Thank you to our sponsors\n\n#### Platinum sponsors\n\n[\"Aledade](https://www.aledade.com/)\n

\n[\"Jump](https://www.jumptrading.com/)\n

\n[\"WP](https://wpengine.com/)\n\n#### Silver sponsors\n\n[\"IDCS](https://idcs.ip-paris.fr/)\n\n#### Bronze sponsors\n\n[\"7digital](https://www.7digital.com/)\n

\n[\"servinga](https://servinga.com/)\n

\n[\"ReUI](https://www.reui.io/)\n\n## Documentation\n\nYou can explore all supported features and configuration options at [docs.sftpgo.com](https://docs.sftpgo.com/latest/).\n\n**Note:** The link above refers to the **Community Edition**.\nFor details on **Enterprise Edition**, please refer to the [Enterprise Documentation](https://docs.sftpgo.com/enterprise/).\n\n## Support\n\n- **Community Support**: use [GitHub Discussions](https://github.com/drakkan/sftpgo/discussions) to ask questions, share feedback, and engage with other users.\n- **Commercial Support**: If you require guaranteed SLAs, expert guidance, or the advanced features listed above, check out [SFTPGo Enterprise](https://sftpgo.com).\n\nSFTPGo Enterprise is available as:\n\n- On-premises: Full control on your infrastructure. More details: [sftpgo.com/on-premises](https://sftpgo.com/on-premises)\n- Fully managed SaaS: We handle the infrastructure. More details: [sftpgo.com/saas](https://sftpgo.com/saas)\n\n## Internationalization\n\nThe translations are available via [Crowdin](https://crowdin.com/project/sftpgo), who have granted us an open source license.\n\nBefore translating please take a look at our contribution [guidelines](https://docs.sftpgo.com/latest/web-interfaces/#internationalization).\n\n## Release Cadence\n\nSFTPGo follows a feature-driven release cycle.\n\n- Enterprise Edition: Receives major new features first and follows a faster [release cadence](https://docs.sftpgo.com/enterprise/changelog/).\n- Community Edition: Remains maintained, receiving bug fixes, security updates, and updates to core features.\n\n## Acknowledgements\n\nSFTPGo makes use of the third party libraries listed inside [go.mod](./go.mod).\n\nWe are very grateful to all the people who contributed with ideas and/or pull requests.\n\nThank you to [ysura](https://www.ysura.com/) for granting us stable access to a test AWS S3 account.\n\nThank you to [KeenThemes](https://keenthemes.com/) for granting us a custom license to use their amazing [themes](https://keenthemes.com/bootstrap-templates) for the SFTPGo WebAdmin and WebClient user interfaces, across both the Open Source and Open Core versions.\n\nThank you to [Crowdin](https://crowdin.com/) for granting us an Open Source License.\n\nThank you to [Incode](https://www.incode.it/) for helping us to improve the UI/UX.\n\n## License\n\nSFTPGo source code is licensed under the GNU AGPL-3.0-only with [additional terms](./NOTICE).\n\nThe [theme](https://keenthemes.com/bootstrap-templates) used in WebAdmin and WebClient user interfaces is proprietary, this means:\n\n- KeenThemes HTML/CSS/JS components are allowed for use only within the SFTPGo product and restricted to be used in a resealable HTML template that can compete with KeenThemes products anyhow.\n- The SFTPGo WebAdmin and WebClient user interfaces (HTML, CSS and JS components) based on this theme are allowed for use only within the SFTPGo product and therefore cannot be used in derivative works/products without an explicit grant from the [SFTPGo Team](mailto:support@sftpgo.com).\n\nMore information about [compliance](https://sftpgo.com/compliance.html).\n\n**Note:** We do not provide legal advice. If you have questions about license compliance or whether your use case is permitted under the license terms, please consult your legal team.\n\n## Copyright\n\nCopyright (C) 2019 - 2026 Nicola Murino\n" }, { "path": "SECURITY.md", "content": "# Security Policy\n\n## Supported Versions\n\nWe actively maintain the latest stable release of SFTPGo. While we strive to keep the Open Source version secure and up-to-date, maintenance is performed on a best-effort basis by the community and contributors.\n\n## Scope and Dependency Policy\n\nOur security advisories focus on vulnerabilities found within the **SFTPGo codebase itself**.\n\nTo ensure the long-term sustainability of the project, we handle upstream dependencies (like the Go standard library, external packages, or Docker base images) as follows:\n\n- Community Updates: For the Open Source version, vulnerabilities in upstream components (such as the Go standard library or third-party packages) are addressed during our **regular release cycles**. We generally do not provide immediate, out-of-band or ad-hoc releases to address dependency-only CVEs.\n- Empowering Users: One of the strengths of SFTPGo being open-source is that you have full control. If your security scanners require an immediate fix, you can always rebuild the project using the latest patched Go toolchain or updated dependencies.\n- Compatibility: We are committed to keeping SFTPGo compatible with the latest stable Go compiler. If an upstream fix breaks SFTPGo, fixing that becomes a priority for us.\n- Professional Needs: We understand that some organizations have strict compliance requirements or internal SLAs that require guaranteed, immediate response times and out-of-band patches. For these cases, we offer [SFTPGo Enterprise](https://sftpgo.com/on-premises) to cover the additional maintenance and support overhead.\n\n## Reporting a Vulnerability\n\nTo report (possible) security issues in SFTPGo, please either send a mail to the [SFTPGo Team](mailto:support@sftpgo.com) or use Github's [private reporting feature](https://github.com/drakkan/sftpgo/security/advisories/new).\n" }, { "path": "crowdin.yml", "content": "project_id_env: CROWDIN_PROJECT_ID\napi_token_env: CROWDIN_PERSONAL_TOKEN\nfiles:\n - source: /static/locales/en/translation.json\n translation: /static/locales/%two_letters_code%/%original_file_name%\n type: i18next_json\n" }, { "path": "docker/scripts/download-plugins.sh", "content": "#!/usr/bin/env bash\nset -euo pipefail\n\nARCH=$(uname -m)\n\ncase ${ARCH} in\n x86_64)\n SUFFIX=amd64\n ;;\n aarch64)\n SUFFIX=arm64\n ;;\n *)\n SUFFIX=ppc64le\n ;;\nesac\n\necho \"Downloading plugins for arch ${SUFFIX}\"\n\nPLUGINS=(geoipfilter kms pubsub eventstore eventsearch auth)\n\nfor PLUGIN in \"${PLUGINS[@]}\"; do\n URL=\"https://github.com/sftpgo/sftpgo-plugin-${PLUGIN}/releases/latest/download/sftpgo-plugin-${PLUGIN}-linux-${SUFFIX}\"\n DEST=\"/usr/local/bin/sftpgo-plugin-${PLUGIN}\"\n\n echo \"Downloading ${PLUGIN}...\"\n if curl --fail --silent --show-error -L \"${URL}\" --output \"${DEST}\"; then\n chmod 755 \"${DEST}\"\n else\n echo \"Error: Failed to download ${PLUGIN}\" >&2\n exit 1\n fi\ndone\n\necho \"All plugins downloaded successfully\"\n" }, { "path": "examples/OTP/authy/README.md", "content": "# Authy\n\nThese example show how-to integrate [Twilio Authy API](https://www.twilio.com/docs/authy/api) for One-Time-Password logins.\n\nThe examples assume that the user has the free [Authy app](https://authy.com/) installed and uses it to generate offline [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm) codes (soft tokens).\n\nYou first need to [create an Authy Application in the Twilio Console](https://twilio.com/console/authy/applications?_ga=2.205553366.451688189.1597667213-1526360003.1597667213), then you can create a new Authy user and store a reference to the matching SFTPGo account.\n\nVerify that your Authy application is successfully registered:\n\n```bash\nexport AUTHY_API_KEY=\ncurl 'https://api.authy.com/protected/json/app/details' -H \"X-Authy-API-Key: $AUTHY_API_KEY\"\n```\n\nnow create an Authy user:\n\n```bash\ncurl -XPOST \"https://api.authy.com/protected/json/users/new\" \\\n-H \"X-Authy-API-Key: $AUTHY_API_KEY\" \\\n--data-urlencode user[email]=\"user@domain.com\" \\\n--data-urlencode user[cellphone]=\"317-338-9302\" \\\n--data-urlencode user[country_code]=\"54\"\n```\n\nThe response is something like this:\n\n```json\n{\"message\":\"User created successfully.\",\"user\":{\"id\":xxxxxxxx},\"success\":true}\n```\n\nSave the user id somewhere and add a reference to the matching SFTPGo account. You could also store this ID in the `additional_info` SFTPGo user field.\n\nAfter this step you can use the Authy app installed on your phone to generate TOTP codes.\n\nNow you can verify the token using an HTTP GET request:\n\n```bash\nexport TOKEN=\nexport AUTHY_ID=\ncurl -i \"https://api.authy.com/protected/json/verify/${TOKEN}/${AUTHY_ID}\" \\\n -H \"X-Authy-API-Key: $AUTHY_API_KEY\"\n```\n\nSo inside your hook you need to check:\n\n- the HTTP response code for the verify request, it must be `200`\n- the JSON response body, it must contains the key `success` with the value `true` (as string)\n\nIf these conditions are met the token is valid and you allow the user to login.\n\nWe provide the following examples:\n\n- [Keyboard interactive authentication](./keyint/README.md) for 2FA using password + Authy one time token.\n- [External authentication](./extauth/README.md) using Authy one time tokens as passwords.\n- [Check password hook](./checkpwd/README.md) for 2FA using a password consisting of a fixed string and a One Time Token.\n\nPlease note that these are sample programs not intended for production use, you should write your own hook based on them and you should prefer HTTP based hooks if performance is a concern.\n\n:warning: SFTPGo has also built-in 2FA support.\n" }, { "path": "examples/OTP/authy/checkpwd/README.md", "content": "# Authy 2FA via check password hook\n\nThis example shows how to use 2FA via the check password hook using a password consisting of a fixed part and an Authy TOTP token. The hook will check the TOTP token using the Authy API and SFTPGo will check the fixed part. Please read the [sample code](./main.go), it should be self explanatory.\n" }, { "path": "examples/OTP/authy/checkpwd/go.mod", "content": "module github.com/drakkan/sftpgo/authy/checkpwd\n\ngo 1.22.2\n" }, { "path": "examples/OTP/authy/checkpwd/main.go", "content": "package main\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"log\"\n\t\"net/http\"\n\t\"os\"\n\t\"time\"\n)\n\ntype userMapping struct {\n\tSFTPGoUsername string\n\tAuthyID int64\n\tAuthyAPIKey string\n}\n\ntype checkPasswordResponse struct {\n\t// 0 KO, 1 OK, 2 partial success\n\tStatus int `json:\"status\"`\n\t// for status == 2 this is the password that SFTPGo will check against the one stored\n\t// inside the data provider\n\tToVerify string `json:\"to_verify\"`\n}\n\nvar (\n\tmapping []userMapping\n)\n\nfunc init() {\n\t// this is for demo only, you probably want to get this mapping dynamically, for example using a database query\n\tmapping = append(mapping, userMapping{\n\t\tSFTPGoUsername: \"\",\n\t\tAuthyID: 1234567,\n\t\tAuthyAPIKey: \"\",\n\t})\n}\n\nfunc printResponse(status int, toVerify string) {\n\tr := checkPasswordResponse{\n\t\tStatus: status,\n\t\tToVerify: toVerify,\n\t}\n\tresp, _ := json.Marshal(r)\n\tfmt.Printf(\"%v\\n\", string(resp))\n\tif status > 0 {\n\t\tos.Exit(0)\n\t} else {\n\t\tos.Exit(1)\n\t}\n}\n\nfunc main() {\n\t// get credentials from env vars\n\tusername := os.Getenv(\"SFTPGO_AUTHD_USERNAME\")\n\tpassword := os.Getenv(\"SFTPGO_AUTHD_PASSWORD\")\n\n\tfor _, m := range mapping {\n\t\tif m.SFTPGoUsername == username {\n\t\t\t// Authy token len is 7, we assume that we have the password followed by the token\n\t\t\tpwdLen := len(password)\n\t\t\tif pwdLen <= 7 {\n\t\t\t\tprintResponse(0, \"\")\n\t\t\t}\n\t\t\tpwd := password[:pwdLen-7]\n\t\t\tauthyToken := password[pwdLen-7:]\n\t\t\t// now verify the authy token and instruct SFTPGo to check the password if the token is OK\n\t\t\turl := fmt.Sprintf(\"https://api.authy.com/protected/json/verify/%v/%v\", authyToken, m.AuthyID)\n\t\t\treq, err := http.NewRequest(http.MethodGet, url, nil)\n\t\t\tif err != nil {\n\t\t\t\tlog.Fatal(err)\n\t\t\t}\n\t\t\treq.Header.Set(\"X-Authy-API-Key\", m.AuthyAPIKey)\n\t\t\thttpClient := &http.Client{\n\t\t\t\tTimeout: 10 * time.Second,\n\t\t\t}\n\t\t\tresp, err := httpClient.Do(req)\n\t\t\tif err != nil {\n\t\t\t\tprintResponse(0, \"\")\n\t\t\t}\n\t\t\tdefer resp.Body.Close()\n\t\t\tif resp.StatusCode != http.StatusOK {\n\t\t\t\t// status code 200 is expected\n\t\t\t\tprintResponse(0, \"\")\n\t\t\t}\n\t\t\tvar authyResponse map[string]interface{}\n\t\t\trespBody, err := io.ReadAll(resp.Body)\n\t\t\tif err != nil {\n\t\t\t\tprintResponse(0, \"\")\n\t\t\t}\n\t\t\terr = json.Unmarshal(respBody, &authyResponse)\n\t\t\tif err != nil {\n\t\t\t\tprintResponse(0, \"\")\n\t\t\t}\n\t\t\tif authyResponse[\"success\"].(string) == \"true\" {\n\t\t\t\tprintResponse(2, pwd)\n\t\t\t}\n\t\t\tprintResponse(0, \"\")\n\t\t\tbreak\n\t\t}\n\t}\n\n\t// no mapping found\n\tprintResponse(0, \"\")\n}\n" }, { "path": "examples/OTP/authy/extauth/README.md", "content": "# Authy external authentication\n\nThis example shows how to use Authy TOTP token as password for SFTPGo users. Please read the [sample code](./main.go), it should be self explanatory.\n" }, { "path": "examples/OTP/authy/extauth/go.mod", "content": "module github.com/drakkan/sftpgo/authy/extauth\n\ngo 1.22.2\n" }, { "path": "examples/OTP/authy/extauth/main.go", "content": "package main\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"log\"\n\t\"net/http\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"time\"\n)\n\ntype userMapping struct {\n\tSFTPGoUsername string\n\tAuthyID int64\n\tAuthyAPIKey string\n}\n\n// we assume that the SFTPGo already exists, we only check the one time token.\n// If you need to create the SFTPGo user more fields are needed here\ntype minimalSFTPGoUser struct {\n\tStatus int `json:\"status,omitempty\"`\n\tUsername string `json:\"username\"`\n\tHomeDir string `json:\"home_dir,omitempty\"`\n\tPermissions map[string][]string `json:\"permissions\"`\n}\n\nvar (\n\tmapping []userMapping\n)\n\nfunc init() {\n\t// this is for demo only, you probably want to get this mapping dynamically, for example using a database query\n\tmapping = append(mapping, userMapping{\n\t\tSFTPGoUsername: \"\",\n\t\tAuthyID: 1234567,\n\t\tAuthyAPIKey: \"\",\n\t})\n}\n\nfunc printResponse(username string) {\n\tu := minimalSFTPGoUser{\n\t\tUsername: username,\n\t\tStatus: 1,\n\t\tHomeDir: filepath.Join(os.TempDir(), username),\n\t}\n\tu.Permissions = make(map[string][]string)\n\tu.Permissions[\"/\"] = []string{\"*\"}\n\tresp, _ := json.Marshal(u)\n\tfmt.Printf(\"%v\\n\", string(resp))\n\tif len(username) > 0 {\n\t\tos.Exit(0)\n\t} else {\n\t\tos.Exit(1)\n\t}\n}\n\nfunc main() {\n\t// get credentials from env vars\n\tusername := os.Getenv(\"SFTPGO_AUTHD_USERNAME\")\n\tpassword := os.Getenv(\"SFTPGO_AUTHD_PASSWORD\")\n\tif len(password) == 0 {\n\t\t// login method is not password\n\t\tprintResponse(\"\")\n\t\treturn\n\t}\n\n\tfor _, m := range mapping {\n\t\tif m.SFTPGoUsername == username {\n\t\t\t// mapping found we can now verify the token\n\t\t\turl := fmt.Sprintf(\"https://api.authy.com/protected/json/verify/%v/%v\", password, m.AuthyID)\n\t\t\treq, err := http.NewRequest(http.MethodGet, url, nil)\n\t\t\tif err != nil {\n\t\t\t\tlog.Fatal(err)\n\t\t\t}\n\t\t\treq.Header.Set(\"X-Authy-API-Key\", m.AuthyAPIKey)\n\t\t\thttpClient := &http.Client{\n\t\t\t\tTimeout: 10 * time.Second,\n\t\t\t}\n\t\t\tresp, err := httpClient.Do(req)\n\t\t\tif err != nil {\n\t\t\t\tprintResponse(\"\")\n\t\t\t}\n\t\t\tdefer resp.Body.Close()\n\t\t\tif resp.StatusCode != http.StatusOK {\n\t\t\t\t// status code 200 is expected\n\t\t\t\tprintResponse(\"\")\n\t\t\t}\n\t\t\tvar authyResponse map[string]interface{}\n\t\t\trespBody, err := io.ReadAll(resp.Body)\n\t\t\tif err != nil {\n\t\t\t\tprintResponse(\"\")\n\t\t\t}\n\t\t\terr = json.Unmarshal(respBody, &authyResponse)\n\t\t\tif err != nil {\n\t\t\t\tprintResponse(\"\")\n\t\t\t}\n\t\t\tif authyResponse[\"success\"].(string) == \"true\" {\n\t\t\t\tprintResponse(username)\n\t\t\t}\n\t\t\tprintResponse(\"\")\n\t\t\tbreak\n\t\t}\n\t}\n\n\t// no mapping found\n\tprintResponse(\"\")\n}\n" }, { "path": "examples/OTP/authy/keyint/README.md", "content": "# Authy 2FA using keyboard interactive authentication\n\nThis example shows how to authenticate SFTP users using 2FA (password + Authy token). Please read the [sample code](./main.go), it should be self explanatory.\n" }, { "path": "examples/OTP/authy/keyint/go.mod", "content": "module github.com/drakkan/sftpgo/authy/keyint\n\ngo 1.22.2\n" }, { "path": "examples/OTP/authy/keyint/main.go", "content": "package main\n\nimport (\n\t\"bufio\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"os\"\n\t\"time\"\n)\n\ntype userMapping struct {\n\tSFTPGoUsername string\n\tAuthyID int64\n\tAuthyAPIKey string\n}\n\ntype keyboardAuthHookResponse struct {\n\tInstruction string `json:\"instruction,omitempty\"`\n\tQuestions []string `json:\"questions,omitempty\"`\n\tEchos []bool `json:\"echos,omitempty\"`\n\tAuthResult int `json:\"auth_result\"`\n\tCheckPwd int `json:\"check_password,omitempty\"`\n}\n\nvar (\n\tmapping []userMapping\n)\n\nfunc init() {\n\t// this is for demo only, you probably want to get this mapping dynamically, for example using a database query\n\tmapping = append(mapping, userMapping{\n\t\tSFTPGoUsername: \"\",\n\t\tAuthyID: 1234567,\n\t\tAuthyAPIKey: \"\",\n\t})\n}\n\nfunc printAuthResponse(result int) {\n\tresp, _ := json.Marshal(keyboardAuthHookResponse{\n\t\tAuthResult: result,\n\t})\n\tfmt.Printf(\"%v\\n\", string(resp))\n\tif result == 1 {\n\t\tos.Exit(0)\n\t} else {\n\t\tos.Exit(1)\n\t}\n}\n\nfunc main() {\n\t// get credentials from env vars\n\tusername := os.Getenv(\"SFTPGO_AUTHD_USERNAME\")\n\tvar userMap userMapping\n\tfor _, m := range mapping {\n\t\tif m.SFTPGoUsername == username {\n\t\t\tuserMap = m\n\t\t\tbreak\n\t\t}\n\t}\n\n\tif userMap.SFTPGoUsername != username {\n\t\t// no mapping found\n\t\tos.Exit(1)\n\t}\n\n\tcheckPwdQuestion := keyboardAuthHookResponse{\n\t\tInstruction: \"This is a sample keyboard authentication program that ask for your password + Authy token\",\n\t\tQuestions: []string{\"Your password: \"},\n\t\tEchos: []bool{false},\n\t\tCheckPwd: 1,\n\t\tAuthResult: 0,\n\t}\n\n\tq, _ := json.Marshal(checkPwdQuestion)\n\tfmt.Printf(\"%v\\n\", string(q))\n\n\t// in a real world app you probably want to use a read timeout\n\tscanner := bufio.NewScanner(os.Stdin)\n\tscanner.Scan()\n\tif scanner.Err() != nil {\n\t\tprintAuthResponse(-1)\n\t}\n\tresponse := scanner.Text()\n\tif response != \"OK\" {\n\t\tprintAuthResponse(-1)\n\t}\n\n\tcheckTokenQuestion := keyboardAuthHookResponse{\n\t\tInstruction: \"\",\n\t\tQuestions: []string{\"Authy token: \"},\n\t\tEchos: []bool{false},\n\t\tCheckPwd: 0,\n\t\tAuthResult: 0,\n\t}\n\n\tq, _ = json.Marshal(checkTokenQuestion)\n\tfmt.Printf(\"%v\\n\", string(q))\n\tscanner.Scan()\n\tif scanner.Err() != nil {\n\t\tprintAuthResponse(-1)\n\t}\n\tauthyToken := scanner.Text()\n\n\turl := fmt.Sprintf(\"https://api.authy.com/protected/json/verify/%v/%v\", authyToken, userMap.AuthyID)\n\treq, err := http.NewRequest(http.MethodGet, url, nil)\n\tif err != nil {\n\t\tprintAuthResponse(-1)\n\t}\n\treq.Header.Set(\"X-Authy-API-Key\", userMap.AuthyAPIKey)\n\thttpClient := &http.Client{\n\t\tTimeout: 10 * time.Second,\n\t}\n\tresp, err := httpClient.Do(req)\n\tif err != nil {\n\t\tprintAuthResponse(-1)\n\t}\n\tdefer resp.Body.Close()\n\tif resp.StatusCode != http.StatusOK {\n\t\t// status code 200 is expected\n\t\tprintAuthResponse(-1)\n\t}\n\tvar authyResponse map[string]interface{}\n\trespBody, err := io.ReadAll(resp.Body)\n\tif err != nil {\n\t\tprintAuthResponse(-1)\n\t}\n\terr = json.Unmarshal(respBody, &authyResponse)\n\tif err != nil {\n\t\tprintAuthResponse(-1)\n\t}\n\tif authyResponse[\"success\"].(string) == \"true\" {\n\t\tprintAuthResponse(1)\n\t}\n\tprintAuthResponse(-1)\n}\n" }, { "path": "examples/backup/README.md", "content": "# Data Backup\n\n:warning: Since v2.4.0 you can use the [EventManager](https://docs.sftpgo.com/latest/eventmanager/) to schedule backups.\n\nThe `backup` example script shows how to use the SFTPGo REST API to backup your data.\n\nThe script is written in Python and has the following requirements:\n\n- python3 or python2\n- python [Requests](https://requests.readthedocs.io/en/master/) module\n\nThe provided example tries to connect to an SFTPGo instance running on `127.0.0.1:8080` using the following credentials:\n\n- username: `admin`\n- password: `password`\n\nand, if you execute it daily, it saves a different backup file for each day of the week. The backups will be saved within the configured `backups_path`.\n\nPlease edit the script according to your needs.\n" }, { "path": "examples/backup/backup", "content": "#!/usr/bin/env python\n\nfrom datetime import datetime\nimport sys\n\nimport requests\n\ntry:\n\timport urllib.parse as urlparse\nexcept ImportError:\n\timport urlparse\n\n# change base_url to point to your SFTPGo installation\nbase_url = \"http://127.0.0.1:8080\"\n# set to False if you want to skip TLS certificate validation\nverify_tls_cert = True\n# set the credentials for a valid admin here\nadmin_user = \"admin\"\nadmin_password = \"password\"\n\n# get a JWT token\nauth = requests.auth.HTTPBasicAuth(admin_user, admin_password)\nr = requests.get(urlparse.urljoin(base_url, \"api/v2/token\"), auth=auth, verify=verify_tls_cert, timeout=10)\nif r.status_code != 200:\n\tprint(\"error getting access token: {}\".format(r.text))\n\tsys.exit(1)\naccess_token = r.json()[\"access_token\"]\nauth_header = {\"Authorization\": \"Bearer \" + access_token}\n\nr = requests.get(urlparse.urljoin(base_url, \"api/v2/dumpdata\"),\n\t\t\t\t\tparams={\"output-file\":\"backup_{}.json\".format(datetime.today().strftime('%w'))},\n\t\t\t\t\theaders=auth_header, verify=verify_tls_cert, timeout=10)\nif r.status_code == 200:\n\tprint(\"backup OK\")\nelse:\n\tprint(\"backup error, status {}, response: {}\".format(r.status_code, r.text))\n" }, { "path": "examples/bulkupdate/README.md", "content": "# Bulk user update\n\nThe `bulkuserupdate` example script shows how to use the SFTPGo REST API to easily update some common parameters for multiple users while preserving the others.\n\nThe script is written in Python and has the following requirements:\n\n- python3 or python2\n- python [Requests](https://requests.readthedocs.io/en/master/) module\n\nThe provided example tries to connect to an SFTPGo instance running on `127.0.0.1:8080` using the following credentials:\n\n- username: `admin`\n- password: `password`\n\nand it updates some fields for `user1`, `user2` and `user3`.\n\nPlease edit the script according to your needs.\n" }, { "path": "examples/bulkupdate/bulkuserupdate", "content": "#!/usr/bin/env python\n\nimport posixpath\nimport sys\n\nimport requests\n\ntry:\n\timport urllib.parse as urlparse\nexcept ImportError:\n\timport urlparse\n\n# change base_url to point to your SFTPGo installation\nbase_url = \"http://127.0.0.1:8080\"\n# set to False if you want to skip TLS certificate validation\nverify_tls_cert = True\n# set the credentials for a valid admin here\nadmin_user = \"admin\"\nadmin_password = \"password\"\n# insert here the users you want to update\nusers_to_update = [\"user1\", \"user2\", \"user3\"]\n# set here the fields you need to update\nfields_to_update = {\"status\":0, \"quota_files\": 1000, \"additional_info\":\"updated using the bulkuserupdate example script\"}\n\n# get a JWT token\nauth = requests.auth.HTTPBasicAuth(admin_user, admin_password)\nr = requests.get(urlparse.urljoin(base_url, \"api/v2/token\"), auth=auth, verify=verify_tls_cert, timeout=10)\nif r.status_code != 200:\n\tprint(\"error getting access token: {}\".format(r.text))\n\tsys.exit(1)\naccess_token = r.json()[\"access_token\"]\nauth_header = {\"Authorization\": \"Bearer \" + access_token}\n\nfor username in users_to_update:\n\tr = requests.get(urlparse.urljoin(base_url, posixpath.join(\"api/v2/users\", username)),\n\t\t\t\t\theaders=auth_header, verify=verify_tls_cert, timeout=10)\n\tif r.status_code != 200:\n\t\tprint(\"error getting user {}: {}\".format(username, r.text))\n\t\tcontinue\n\tuser = r.json()\n\tuser.update(fields_to_update)\n\tr = requests.put(urlparse.urljoin(base_url, posixpath.join(\"api/v2/users\", username)),\n\t\t\t\t\theaders=auth_header, verify=verify_tls_cert, json=user, timeout=10)\n\tif r.status_code == 200:\n\t\tprint(\"user {} updated\".format(username))\n\telse:\n\t\tprint(\"error updating user {}, response code: {} response text: {}\".format(username,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tr.status_code,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tr.text))\n" }, { "path": "examples/convertusers/README.md", "content": "# Import users from other stores\n\n`convertusers` is a very simple command line client, written in python, to import users from other stores. It requires `python3` or `python2`.\n\nHere is the usage:\n\n```console\nusage: convertusers [-h] [--min-uid MIN_UID] [--max-uid MAX_UID] [--usernames USERNAMES [USERNAMES ...]]\n [--force-uid FORCE_UID] [--force-gid FORCE_GID]\n input_file {unix-passwd,pure-ftpd,proftpd} output_file\n\nConvert users to a JSON format suitable to use with loadddata\n\npositional arguments:\n input_file\n {unix-passwd,pure-ftpd,proftpd}\n To import from unix-passwd format you need the permission to read /etc/shadow that is typically\n granted to the root user only\n output_file\n\noptional arguments:\n -h, --help show this help message and exit\n --min-uid MIN_UID if >= 0 only import users with UID greater or equal to this value. Default: -1\n --max-uid MAX_UID if >= 0 only import users with UID lesser or equal to this value. Default: -1\n --usernames USERNAMES [USERNAMES ...]\n Only import users with these usernames. Default: []\n --force-uid FORCE_UID\n if >= 0 the imported users will have this UID in SFTPGo. Default: -1\n --force-gid FORCE_GID\n if >= 0 the imported users will have this GID in SFTPGo. Default: -1\n```\n\nLet's see some examples:\n\n```console\npython convertusers \"\" unix-passwd unix_users.json --min-uid 500 --force-uid 1000 --force-gid 1000\n```\n\n```console\npython convertusers pureftpd.passwd pure-ftpd pure_users.json --usernames \"user1\" \"user2\"\n```\n\n```console\npython convertusers proftpd.passwd proftpd pro_users.json\n```\n\nThe generated json file can be used as input for the `loaddata` REST API.\n\nPlease note that when importing Linux/Unix users the input file is not required: `/etc/passwd` and `/etc/shadow` are automatically parsed. `/etc/shadow` read permission is typically granted to the `root` user only, so you need to execute `convertusers` as `root`.\n\n:warning: SFTPGo does not currently support `yescrypt` hashed passwords.\n" }, { "path": "examples/convertusers/convertusers", "content": "#!/usr/bin/env python\n\nimport argparse\nimport json\nimport sys\nimport time\n\ntry:\n\timport pwd\n\timport spwd\nexcept ImportError:\n\tpwd = None\n\n\nclass ConvertUsers:\n\n\tdef __init__(self, input_file, users_format, output_file, min_uid, max_uid, usernames, force_uid, force_gid):\n\t\tself.input_file = input_file\n\t\tself.users_format = users_format\n\t\tself.output_file = output_file\n\t\tself.min_uid = min_uid\n\t\tself.max_uid = max_uid\n\t\tself.usernames = usernames\n\t\tself.force_uid = force_uid\n\t\tself.force_gid = force_gid\n\t\tself.SFTPGoUsers = []\n\n\tdef buildUserObject(self, username, password, home_dir, uid, gid, max_sessions, quota_size, quota_files, upload_bandwidth,\n\t\t\t\t\tdownload_bandwidth, status, expiration_date, allowed_ip=[], denied_ip=[]):\n\t\treturn {'id':0, 'username':username, 'password':password, 'home_dir':home_dir, 'uid':uid, 'gid':gid,\n\t\t\t'max_sessions':max_sessions, 'quota_size':quota_size, 'quota_files':quota_files, 'permissions':{'/':[\"*\"]},\n\t\t\t'upload_bandwidth':upload_bandwidth, 'download_bandwidth':download_bandwidth,\n\t\t\t'status':status, 'expiration_date':expiration_date,\n\t\t\t'filters':{'allowed_ip':allowed_ip, 'denied_ip':denied_ip}}\n\n\tdef addUser(self, user):\n\t\tuser['id'] = len(self.SFTPGoUsers) + 1\n\t\tprint('')\n\t\tprint('New user imported: {}'.format(user))\n\t\tprint('')\n\t\tself.SFTPGoUsers.append(user)\n\n\tdef saveUsers(self):\n\t\tif self.SFTPGoUsers:\n\t\t\tdata = {'users':self.SFTPGoUsers}\n\t\t\tjsonData = json.dumps(data)\n\t\t\twith open(self.output_file, 'w') as f:\n\t\t\t\tf.write(jsonData)\n\t\t\tprint()\n\t\t\tprint('Number of users saved to \"{}\": {}. You can import them using loaddata'.format(self.output_file,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tlen(self.SFTPGoUsers)))\n\t\t\tprint()\n\t\t\tsys.exit(0)\n\t\telse:\n\t\t\tprint('No user imported')\n\t\t\tsys.exit(1)\n\n\tdef convert(self):\n\t\tif self.users_format == 'unix-passwd':\n\t\t\tself.convertFromUnixPasswd()\n\t\telif self.users_format == 'pure-ftpd':\n\t\t\tself.convertFromPureFTPD()\n\t\telse:\n\t\t\tself.convertFromProFTPD()\n\t\tself.saveUsers()\n\n\tdef isUserValid(self, username, uid):\n\t\tif self.usernames and not username in self.usernames:\n\t\t\treturn False\n\t\tif self.min_uid >= 0 and uid < self.min_uid:\n\t\t\treturn False\n\t\tif self.max_uid >= 0 and uid > self.max_uid:\n\t\t\treturn False\n\t\treturn True\n\n\tdef convertFromUnixPasswd(self):\n\t\tdays_from_epoch_time = time.time() / 86400\n\t\tfor user in pwd.getpwall():\n\t\t\tusername = user.pw_name\n\t\t\tpassword = user.pw_passwd\n\t\t\tuid = user.pw_uid\n\t\t\tgid = user.pw_gid\n\t\t\thome_dir = user.pw_dir\n\t\t\tstatus = 1\n\t\t\texpiration_date = 0\n\t\t\tif not self.isUserValid(username, uid):\n\t\t\t\tcontinue\n\t\t\tif self.force_uid >= 0:\n\t\t\t\tuid = self.force_uid\n\t\t\tif self.force_gid >= 0:\n\t\t\t\tgid = self.force_gid\n\t\t\t# FIXME: if the passwords aren't in /etc/shadow they are probably DES encrypted and we don't support them\n\t\t\tif password == 'x' or password == '*':\n\t\t\t\tuser_info = spwd.getspnam(username)\n\t\t\t\tpassword = user_info.sp_pwdp\n\t\t\t\tif not password or password == '!!' or password == '!*':\n\t\t\t\t\tprint('cannot import user \"{}\" without a password'.format(username))\n\t\t\t\t\tcontinue\n\t\t\t\tif user_info.sp_inact > 0:\n\t\t\t\t\tlast_pwd_change_diff = days_from_epoch_time - user_info.sp_lstchg\n\t\t\t\t\tif last_pwd_change_diff > user_info.sp_inact:\n\t\t\t\t\t\tstatus = 0\n\t\t\t\tif user_info.sp_expire > 0:\n\t\t\t\t\texpiration_date = user_info.sp_expire * 86400\n\t\t\tself.addUser(self.buildUserObject(username, password, home_dir, uid, gid, 0, 0, 0, 0, 0, status,\n\t\t\t\t\t\t\t\t\t\t\texpiration_date))\n\n\tdef convertFromProFTPD(self):\n\t\twith open(self.input_file, 'r') as f:\n\t\t\tfor line in f:\n\t\t\t\tfields = line.split(':')\n\t\t\t\tif len(fields) > 6:\n\t\t\t\t\tusername = fields[0]\n\t\t\t\t\tpassword = fields[1]\n\t\t\t\t\tuid = int(fields[2])\n\t\t\t\t\tgid = int(fields[3])\n\t\t\t\t\thome_dir = fields[5]\n\t\t\t\t\tif not self.isUserValid(username, uid):\n\t\t\t\t\t\tcontinue\n\t\t\t\t\tif self.force_uid >= 0:\n\t\t\t\t\t\tuid = self.force_uid\n\t\t\t\t\tif self.force_gid >= 0:\n\t\t\t\t\t\tgid = self.force_gid\n\t\t\t\t\tself.addUser(self.buildUserObject(username, password, home_dir, uid, gid, 0, 0, 0, 0, 0, 1, 0))\n\n\tdef convertPureFTPDIP(self, fields):\n\t\tresult = []\n\t\tif not fields:\n\t\t\treturn result\n\t\tfor v in fields.split(','):\n\t\t\tip_mask = v.strip()\n\t\t\tif not ip_mask:\n\t\t\t\tcontinue\n\t\t\tif ip_mask.count('.') < 3 and ip_mask.count(':') < 3:\n\t\t\t\tprint('cannot import pure-ftpd IP: {}'.format(ip_mask))\n\t\t\t\tcontinue\n\t\t\tif '/' not in ip_mask:\n\t\t\t\tip_mask += '/32'\n\t\t\tresult.append(ip_mask)\n\t\treturn result\n\n\tdef convertFromPureFTPD(self):\n\t\twith open(self.input_file, 'r') as f:\n\t\t\tfor line in f:\n\t\t\t\tfields = line.split(':')\n\t\t\t\tif len(fields) > 16:\n\t\t\t\t\tusername = fields[0]\n\t\t\t\t\tpassword = fields[1]\n\t\t\t\t\tuid = int(fields[2])\n\t\t\t\t\tgid = int(fields[3])\n\t\t\t\t\thome_dir = fields[5]\n\t\t\t\t\tupload_bandwidth = 0\n\t\t\t\t\tif fields[6]:\n\t\t\t\t\t\tupload_bandwidth = int(int(fields[6]) / 1024)\n\t\t\t\t\tdownload_bandwidth = 0\n\t\t\t\t\tif fields[7]:\n\t\t\t\t\t\tdownload_bandwidth = int(int(fields[7]) / 1024)\n\t\t\t\t\tmax_sessions = 0\n\t\t\t\t\tif fields[10]:\n\t\t\t\t\t\tmax_sessions = int(fields[10])\n\t\t\t\t\tquota_files = 0\n\t\t\t\t\tif fields[11]:\n\t\t\t\t\t\tquota_files = int(fields[11])\n\t\t\t\t\tquota_size = 0\n\t\t\t\t\tif fields[12]:\n\t\t\t\t\t\tquota_size = int(fields[12])\n\t\t\t\t\tallowed_ip = self.convertPureFTPDIP(fields[15])\n\t\t\t\t\tdenied_ip = self.convertPureFTPDIP(fields[16])\n\t\t\t\t\tif not self.isUserValid(username, uid):\n\t\t\t\t\t\tcontinue\n\t\t\t\t\tif self.force_uid >= 0:\n\t\t\t\t\t\tuid = self.force_uid\n\t\t\t\t\tif self.force_gid >= 0:\n\t\t\t\t\t\tgid = self.force_gid\n\t\t\t\t\tself.addUser(self.buildUserObject(username, password, home_dir, uid, gid, max_sessions, quota_size,\n\t\t\t\t\t\t\t\t\t\t\t\t\t quota_files, upload_bandwidth, download_bandwidth, 1, 0, allowed_ip,\n\t\t\t\t\t\t\t\t\t\t\t\t\t denied_ip))\n\n\nif __name__ == '__main__':\n\tparser = argparse.ArgumentParser(formatter_class=argparse.ArgumentDefaultsHelpFormatter, description=\n\t\t\t\t\t\t\t\t\t'Convert users to a JSON format suitable to use with loadddata')\n\tsupportedUsersFormats = []\n\thelp_text = ''\n\tif pwd is not None:\n\t\tsupportedUsersFormats.append('unix-passwd')\n\t\thelp_text = 'To import from unix-passwd format you need the permission to read /etc/shadow that is typically granted to the root user only'\n\tsupportedUsersFormats.append('pure-ftpd')\n\tsupportedUsersFormats.append('proftpd')\n\tparser.add_argument('input_file', type=str)\n\tparser.add_argument('users_format', type=str, choices=supportedUsersFormats, help=help_text)\n\tparser.add_argument('output_file', type=str)\n\tparser.add_argument('--min-uid', type=int, default=-1, help='if >= 0 only import users with UID greater or equal ' +\n\t\t\t\t\t\t\t\t'to this value. Default: %(default)s')\n\tparser.add_argument('--max-uid', type=int, default=-1, help='if >= 0 only import users with UID lesser or equal ' +\n\t\t\t\t\t\t\t\t'to this value. Default: %(default)s')\n\tparser.add_argument('--usernames', type=str, nargs='+', default=[], help='Only import users with these usernames. ' +\n\t\t\t\t\t\t\t\t'Default: %(default)s')\n\tparser.add_argument('--force-uid', type=int, default=-1, help='if >= 0 the imported users will have this UID in ' +\n\t\t\t\t\t\t\t\t'SFTPGo. Default: %(default)s')\n\tparser.add_argument('--force-gid', type=int, default=-1, help='if >= 0 the imported users will have this GID in ' +\n\t\t\t\t\t\t\t\t'SFTPGo. Default: %(default)s')\n\n\targs = parser.parse_args()\n\n\tconvertUsers = ConvertUsers(args.input_file, args.users_format, args.output_file, args.min_uid, args.max_uid,\n\t\t\t\t\t\t\t\targs.usernames, args.force_uid, args.force_gid)\n\tconvertUsers.convert()\n" }, { "path": "examples/ldapauth/README.md", "content": "# LDAPAuth\n\nThis is an example for an external authentication program. It performs authentication against an LDAP server.\nIt is tested against [389ds](https://directory.fedoraproject.org/) and can be used as starting point to authenticate using any LDAP server including Active Directory.\n\nYou need to change the LDAP connection parameters and the user search query to match your environment.\nYou can build this example using the following command:\n\n```console\ngo build -ldflags \"-s -w\" -o ldapauth\n```\n\nThis program assumes that the 389ds schema was extended to add support for public keys using the following ldif file placed in `/etc/dirsrv/schema/98openssh-ldap.ldif`:\n\n```console\ndn: cn=schema\nchangetype: modify\nadd: attributetypes\nattributetypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DESC 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )\n-\nadd: objectclasses\nobjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY DESC 'MANDATORY: OpenSSH LPK objectclass' MUST ( uid ) MAY ( sshPublicKey ) )\n-\n\ndn: cn=sshpublickey,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config\nchangetype: add\ncn: sshpublickey\nnsIndexType: eq\nnsIndexType: pres\nnsSystemIndex: false\nobjectClass: top\nobjectClass: nsIndex\n\ndn: cn=sshpublickey_self_manage,ou=groups,dc=example,dc=com\nchangetype: add\nobjectClass: top\nobjectClass: groupofuniquenames\ncn: sshpublickey_self_manage\ndescription: Members of this group gain the ability to edit their own sshPublicKey field\n\ndn: dc=example,dc=com\nchangetype: modify\nadd: aci\naci: (targetattr = \"sshPublicKey\") (version 3.0; acl \"Allow members of sshpublickey_self_manage to edit their keys\"; allow(write) (groupdn = \"ldap:///cn=sshpublickey_self_manage,ou=groups,dc=example,dc=com\" and userdn=\"ldap:///self\" ); )\n-\n```\n\n:warning: A plugin for LDAP/Active Directory authentication is also [available](https://github.com/sftpgo/sftpgo-plugin-auth).\n" }, { "path": "examples/ldapauth/go.mod", "content": "module github.com/drakkan/ldapauth\n\ngo 1.25.0\n\nrequire (\n\tgithub.com/go-ldap/ldap/v3 v3.4.13\n\tgolang.org/x/crypto v0.49.0\n)\n\nrequire (\n\tgithub.com/Azure/go-ntlmssp v0.1.0 // indirect\n\tgithub.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect\n\tgithub.com/google/uuid v1.6.0 // indirect\n\tgolang.org/x/sys v0.42.0 // indirect\n)\n" }, { "path": "examples/ldapauth/go.sum", "content": "github.com/Azure/go-ntlmssp v0.1.0 h1:DjFo6YtWzNqNvQdrwEyr/e4nhU3vRiwenz5QX7sFz+A=\ngithub.com/Azure/go-ntlmssp v0.1.0/go.mod h1:NYqdhxd/8aAct/s4qSYZEerdPuH1liG2/X9DiVTbhpk=\ngithub.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e h1:4dAU9FXIyQktpoUAgOJK3OTFc/xug0PCXYCqU0FgDKI=\ngithub.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=\ngithub.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=\ngithub.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=\ngithub.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=\ngithub.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=\ngithub.com/go-ldap/ldap/v3 v3.4.13 h1:+x1nG9h+MZN7h/lUi5Q3UZ0fJ1GyDQYbPvbuH38baDQ=\ngithub.com/go-ldap/ldap/v3 v3.4.13/go.mod h1:LxsGZV6vbaK0sIvYfsv47rfh4ca0JXokCoKjZxsszv0=\ngithub.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=\ngithub.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=\ngithub.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=\ngithub.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=\ngithub.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=\ngithub.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=\ngithub.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=\ngithub.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=\ngithub.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg=\ngithub.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo=\ngithub.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o=\ngithub.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=\ngithub.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8=\ngithub.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=\ngithub.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=\ngithub.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=\ngithub.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=\ngithub.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=\ngithub.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=\ngithub.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=\ngolang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=\ngolang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=\ngolang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=\ngolang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=\ngolang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=\ngolang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=\ngolang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=\ngolang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=\ngopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=\ngopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=\n" }, { "path": "examples/ldapauth/main.go", "content": "package main\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"log\"\n\t\"log/syslog\"\n\t\"os\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"github.com/go-ldap/ldap/v3\"\n\t\"golang.org/x/crypto/ssh\"\n)\n\nconst (\n\trootDN = \"dc=example,dc=com\"\n\tbindUsername = \"cn=sftpgo,\" + rootDN\n\tbindURL = \"ldap:///\" // That is, the server on the default port of localhost.\n\tpasswordFile = \"/etc/sftpgo/admin-password.txt\" // make this file readable only by the server\n\tpublicDir = \"/var/www/webdav/public\"\n)\n\ntype userFilters struct {\n\tDeniedLoginMethods []string `json:\"denied_login_methods,omitempty\"`\n}\n\ntype minimalSFTPGoUser struct {\n\tStatus int `json:\"status,omitempty\"`\n\tUsername string `json:\"username\"`\n\tHomeDir string `json:\"home_dir,omitempty\"`\n\tUID int `json:\"uid,omitempty\"`\n\tGID int `json:\"gid,omitempty\"`\n\tPermissions map[string][]string `json:\"permissions\"`\n\tFilters userFilters `json:\"filters\"`\n}\n\nfunc exitError() {\n\tlog.Printf(\"exitError\\n\")\n\tu := minimalSFTPGoUser{\n\t\tUsername: \"\",\n\t}\n\tresp, _ := json.Marshal(u)\n\tfmt.Printf(\"%v\\n\", string(resp))\n\tos.Exit(1)\n}\n\nfunc printSuccessResponse(username, homeDir string, uid, gid int, permissions []string) {\n\tu := minimalSFTPGoUser{\n\t\tUsername: username,\n\t\tHomeDir: homeDir,\n\t\tUID: uid,\n\t\tGID: gid,\n\t\tStatus: 1,\n\t}\n\tu.Permissions = make(map[string][]string)\n\tu.Permissions[\"/\"] = permissions\n\t// uncomment the next line to require publickey+password authentication\n\t//u.Filters.DeniedLoginMethods = []string{\"publickey\", \"password\", \"keyboard-interactive\", \"publickey+keyboard-interactive\"}\n\tresp, _ := json.Marshal(u)\n\tlog.Printf(\"%v\\n\", string(resp))\n\tfmt.Printf(\"%v\\n\", string(resp))\n\tos.Exit(0)\n}\n\nfunc main() {\n\tlogWriter, err := syslog.New(syslog.LOG_NOTICE, \"sftpgo\")\n\tif err == nil {\n\t\tlog.SetOutput(logWriter)\n\t}\n\t// get credentials from env vars\n\tusername := os.Getenv(\"SFTPGO_AUTHD_USERNAME\")\n\tpassword := os.Getenv(\"SFTPGO_AUTHD_PASSWORD\")\n\tpublickey := os.Getenv(\"SFTPGO_AUTHD_PUBLIC_KEY\")\n\tif strings.ToLower(username) == \"anonymous\" {\n\t\tprintSuccessResponse(\"anonymous\", publicDir, 0, 0, []string{\"list\", \"download\"})\n\t\treturn\n\t}\n\tl, err := ldap.DialURL(bindURL)\n\tif err != nil {\n\t\tlog.Printf(\"DialURL: %s\\n\", err.Error())\n\t\texitError()\n\t}\n\tdefer l.Close()\n\t// bind to the ldap server with an account that can read users\n\tbindPassword, err := os.ReadFile(passwordFile)\n\tif err != nil {\n\t\tlog.Printf(\"ReadFile(%s): %s\\n\", passwordFile, err.Error())\n\t\texitError()\n\t}\n\terr = l.Bind(bindUsername, string(bindPassword))\n\tif err != nil {\n\t\tlog.Printf(\"Bind(%s): %s\\n\", bindUsername, err.Error())\n\t\texitError()\n\t}\n\n\t// search the user trying to login and fetch some attributes, this search string is tested against 389ds using the default configuration\n\tlog.Printf(\"username=%s\\n\", username)\n\tsearchFilter := fmt.Sprintf(\"(uid=%s)\", ldap.EscapeFilter(username))\n\tsearchRequest := ldap.NewSearchRequest(\n\t\t\"ou=people,\" + rootDN,\n\t\tldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,\n\t\tsearchFilter,\n\t\t[]string{\"dn\", \"uid\", \"homeDirectory\", \"uidNumber\", \"gidNumber\", \"nsSshPublicKey\"},\n\t\tnil,\n\t)\n\n\tsr, err := l.Search(searchRequest)\n\tif err != nil {\n\t\tlog.Printf(\"Search(%s): %s\\n\", searchFilter, err.Error())\n\t\texitError()\n\t}\n\n\t// we expect exactly one user\n\tif len(sr.Entries) != 1 {\n\t\tlog.Printf(\"Search(%s): %d entries\\n\", searchFilter, len(sr.Entries))\n\t\texitError()\n\t}\n\n\tif len(publickey) > 0 {\n\t\t// check public key\n\t\tuserKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(publickey))\n\t\tif err != nil {\n\t\t\tlog.Printf(\"ParseAuthorizedKey(%s): %s\\n\", publickey, err.Error())\n\t\t\texitError()\n\t\t}\n\t\tauthOk := false\n\t\tfor _, k := range sr.Entries[0].GetAttributeValues(\"nsSshPublicKey\") {\n\t\t\tkey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(k))\n\t\t\t// we skip an invalid public key stored inside the LDAP server\n\t\t\tif err != nil {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tif bytes.Equal(key.Marshal(), userKey.Marshal()) {\n\t\t\t\tauthOk = true\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif !authOk {\n\t\t\tlog.Printf(\"publickey %s !authOk\\n\", publickey)\n\t\t\texitError()\n\t\t}\n\t} else {\n\t\t// bind to the LDAP server with the user dn and the given password to check the password\n\t\tuserdn := sr.Entries[0].DN\n\t\t// log.Printf(\"password=%s\\n\", password)\n\t\terr = l.Bind(userdn, password)\n\t\tif err != nil {\n\t\t\tlog.Printf(\"Bind(%s): %s\\n\", userdn, err.Error())\n\t\t\texitError()\n\t\t}\n\t}\n\n\t// People in the LDAP directory aren't necessarily Linux users;\n\t// so they might not have a uidNumber or gidNumber.\n\tuidNumber := sr.Entries[0].GetAttributeValue(\"uidNumber\")\n\tuid, err := strconv.Atoi(uidNumber)\n\tif err != nil {\n\t\t//log.Printf(\"uid Atoi(%s) = %s\\n\", uidNumber, err.Error())\n\t\tuid = 0\n\t}\n\tgidNumber := sr.Entries[0].GetAttributeValue(\"gidNumber\")\n\tgid, err := strconv.Atoi(gidNumber)\n\tif err != nil {\n\t\t//log.Printf(\"gid Atoi(%s) = %s\\n\", gidNumber, err.Error())\n\t\tgid = 0\n\t}\n\thomeDir := sr.Entries[0].GetAttributeValue(\"homeDirectory\")\n\tif (len(homeDir) <= 0) {\n\t\thomeDir = publicDir // homeDir is a required attribute.\n\t}\n\t// return the authenticated user\n\tprintSuccessResponse(sr.Entries[0].GetAttributeValue(\"uid\"), homeDir, uid, gid, []string{\"*\"})\n}\n" }, { "path": "examples/ldapauthserver/README.md", "content": "# LDAPAuthServer\n\nThis is an example for an HTTP server to use as external authentication HTTP hook. It performs authentication against an LDAP server.\nIt is tested against [389ds](https://directory.fedoraproject.org/) and can be used as starting point to authenticate using any LDAP server including Active Directory.\n\nYou can configure the server using the [ldapauth.toml](./ldapauth.toml) configuration file.\nYou can build this example using the following command:\n\n```console\ngo build -ldflags \"-s -w\" -o ldapauthserver\n```\n\n:warning: A plugin for LDAP/Active Directory authentication is also [available](https://github.com/sftpgo/sftpgo-plugin-auth).\n" }, { "path": "examples/ldapauthserver/cmd/root.go", "content": "package cmd\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\n\t\"github.com/drakkan/sftpgo/ldapauthserver/config\"\n\t\"github.com/drakkan/sftpgo/ldapauthserver/utils\"\n\t\"github.com/spf13/cobra\"\n\t\"github.com/spf13/viper\"\n)\n\nconst (\n\tlogSender = \"cmd\"\n\tconfigDirFlag = \"config-dir\"\n\tconfigDirKey = \"config_dir\"\n\tconfigFileFlag = \"config-file\"\n\tconfigFileKey = \"config_file\"\n\tlogFilePathFlag = \"log-file-path\"\n\tlogFilePathKey = \"log_file_path\"\n\tlogMaxSizeFlag = \"log-max-size\"\n\tlogMaxSizeKey = \"log_max_size\"\n\tlogMaxBackupFlag = \"log-max-backups\"\n\tlogMaxBackupKey = \"log_max_backups\"\n\tlogMaxAgeFlag = \"log-max-age\"\n\tlogMaxAgeKey = \"log_max_age\"\n\tlogCompressFlag = \"log-compress\"\n\tlogCompressKey = \"log_compress\"\n\tlogVerboseFlag = \"log-verbose\"\n\tlogVerboseKey = \"log_verbose\"\n\tprofilerFlag = \"profiler\"\n\tprofilerKey = \"profiler\"\n\tdefaultConfigDir = \".\"\n\tdefaultConfigName = config.DefaultConfigName\n\tdefaultLogFile = \"ldapauth.log\"\n\tdefaultLogMaxSize = 10\n\tdefaultLogMaxBackup = 5\n\tdefaultLogMaxAge = 28\n\tdefaultLogCompress = false\n\tdefaultLogVerbose = true\n)\n\nvar (\n\tconfigDir string\n\tconfigFile string\n\tlogFilePath string\n\tlogMaxSize int\n\tlogMaxBackups int\n\tlogMaxAge int\n\tlogCompress bool\n\tlogVerbose bool\n\n\trootCmd = &cobra.Command{\n\t\tUse: \"ldapauthserver\",\n\t\tShort: \"LDAP Authentication Server for SFTPGo\",\n\t}\n)\n\nfunc init() {\n\tversion := utils.GetAppVersion()\n\trootCmd.Flags().BoolP(\"version\", \"v\", false, \"\")\n\trootCmd.Version = version.GetVersionAsString()\n\trootCmd.SetVersionTemplate(`{{printf \"LDAP Authentication Server version: \"}}{{printf \"%s\" .Version}}\n`)\n}\n\n// Execute adds all child commands to the root command and sets flags appropriately.\n// This is called by main.main(). It only needs to happen once to the rootCmd.\nfunc Execute() {\n\tif err := rootCmd.Execute(); err != nil {\n\t\tfmt.Println(err)\n\t\tos.Exit(1)\n\t}\n}\n\nfunc addConfigFlags(cmd *cobra.Command) {\n\tviper.SetDefault(configDirKey, defaultConfigDir)\n\tviper.BindEnv(configDirKey, \"LDAPAUTH_CONFIG_DIR\")\n\tcmd.Flags().StringVarP(&configDir, configDirFlag, \"c\", viper.GetString(configDirKey),\n\t\t`Location for the config dir. This directory\nshould contain the \"ldapauth\" configuration\nfile or the configured config-file. This flag\ncan be set using LDAPAUTH_CONFIG_DIR env var too.\n`)\n\tviper.BindPFlag(configDirKey, cmd.Flags().Lookup(configDirFlag))\n\n\tviper.SetDefault(configFileKey, defaultConfigName)\n\tviper.BindEnv(configFileKey, \"LDAPAUTH_CONFIG_FILE\")\n\tcmd.Flags().StringVarP(&configFile, configFileFlag, \"f\", viper.GetString(configFileKey),\n\t\t`Name for the configuration file. It must be\nthe name of a file stored in config-dir not\nthe absolute path to the configuration file.\nThe specified file name must have no extension\nwe automatically load JSON, YAML, TOML, HCL and\nJava properties. Therefore if you set \\\"ldapauth\\\"\nthen \\\"ldapauth.toml\\\", \\\"ldapauth.yaml\\\" and\nso on are searched. This flag can be set using\nLDAPAUTH_CONFIG_FILE env var too.\n`)\n\tviper.BindPFlag(configFileKey, cmd.Flags().Lookup(configFileFlag))\n}\n\nfunc addServeFlags(cmd *cobra.Command) {\n\taddConfigFlags(cmd)\n\n\tviper.SetDefault(logFilePathKey, defaultLogFile)\n\tviper.BindEnv(logFilePathKey, \"LDAPAUTH_LOG_FILE_PATH\")\n\tcmd.Flags().StringVarP(&logFilePath, logFilePathFlag, \"l\", viper.GetString(logFilePathKey),\n\t\t`Location for the log file. Leave empty to write\nlogs to the standard output. This flag can be\nset using LDAPAUTH_LOG_FILE_PATH env var too.\n`)\n\tviper.BindPFlag(logFilePathKey, cmd.Flags().Lookup(logFilePathFlag))\n\n\tviper.SetDefault(logMaxSizeKey, defaultLogMaxSize)\n\tviper.BindEnv(logMaxSizeKey, \"LDAPAUTH_LOG_MAX_SIZE\")\n\tcmd.Flags().IntVarP(&logMaxSize, logMaxSizeFlag, \"s\", viper.GetInt(logMaxSizeKey),\n\t\t`Maximum size in megabytes of the log file\nbefore it gets rotated. This flag can be set\nusing LDAPAUTH_LOG_MAX_SIZE env var too. It\nis unused if log-file-path is empty.`)\n\tviper.BindPFlag(logMaxSizeKey, cmd.Flags().Lookup(logMaxSizeFlag))\n\n\tviper.SetDefault(logMaxBackupKey, defaultLogMaxBackup)\n\tviper.BindEnv(logMaxBackupKey, \"LDAPAUTH_LOG_MAX_BACKUPS\")\n\tcmd.Flags().IntVarP(&logMaxBackups, \"log-max-backups\", \"b\", viper.GetInt(logMaxBackupKey),\n\t\t`Maximum number of old log files to retain.\nThis flag can be set using LDAPAUTH_LOG_MAX_BACKUPS\nenv var too. It is unused if log-file-path is\nempty.`)\n\tviper.BindPFlag(logMaxBackupKey, cmd.Flags().Lookup(logMaxBackupFlag))\n\n\tviper.SetDefault(logMaxAgeKey, defaultLogMaxAge)\n\tviper.BindEnv(logMaxAgeKey, \"LDAPAUTH_LOG_MAX_AGE\")\n\tcmd.Flags().IntVarP(&logMaxAge, \"log-max-age\", \"a\", viper.GetInt(logMaxAgeKey),\n\t\t`Maximum number of days to retain old log files.\nThis flag can be set using LDAPAUTH_LOG_MAX_AGE\nenv var too. It is unused if log-file-path is\nempty.`)\n\tviper.BindPFlag(logMaxAgeKey, cmd.Flags().Lookup(logMaxAgeFlag))\n\n\tviper.SetDefault(logCompressKey, defaultLogCompress)\n\tviper.BindEnv(logCompressKey, \"LDAPAUTH_LOG_COMPRESS\")\n\tcmd.Flags().BoolVarP(&logCompress, logCompressFlag, \"z\", viper.GetBool(logCompressKey),\n\t\t`Determine if the rotated log files\nshould be compressed using gzip. This flag can\nbe set using LDAPAUTH_LOG_COMPRESS env var too.\nIt is unused if log-file-path is empty.`)\n\tviper.BindPFlag(logCompressKey, cmd.Flags().Lookup(logCompressFlag))\n\n\tviper.SetDefault(logVerboseKey, defaultLogVerbose)\n\tviper.BindEnv(logVerboseKey, \"LDAPAUTH_LOG_VERBOSE\")\n\tcmd.Flags().BoolVarP(&logVerbose, logVerboseFlag, \"v\", viper.GetBool(logVerboseKey),\n\t\t`Enable verbose logs. This flag can be set\nusing LDAPAUTH_LOG_VERBOSE env var too.\n`)\n\tviper.BindPFlag(logVerboseKey, cmd.Flags().Lookup(logVerboseFlag))\n}\n" }, { "path": "examples/ldapauthserver/cmd/serve.go", "content": "package cmd\n\nimport (\n\t\"path/filepath\"\n\n\t\"github.com/drakkan/sftpgo/ldapauthserver/config\"\n\t\"github.com/drakkan/sftpgo/ldapauthserver/httpd\"\n\t\"github.com/drakkan/sftpgo/ldapauthserver/logger\"\n\t\"github.com/drakkan/sftpgo/ldapauthserver/utils\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/spf13/cobra\"\n)\n\nvar (\n\tserveCmd = &cobra.Command{\n\t\tUse: \"serve\",\n\t\tShort: \"Start the LDAP Authentication Server\",\n\t\tLong: `To start the server with the default values for the command line flags simply use:\n\nldapauthserver serve\n\nPlease take a look at the usage below to customize the startup options`,\n\t\tRun: func(cmd *cobra.Command, args []string) {\n\t\t\tstartServer()\n\t\t},\n\t}\n)\n\nfunc init() {\n\trootCmd.AddCommand(serveCmd)\n\taddServeFlags(serveCmd)\n}\n\nfunc startServer() error {\n\tlogLevel := zerolog.DebugLevel\n\tif !logVerbose {\n\t\tlogLevel = zerolog.InfoLevel\n\t}\n\tif !filepath.IsAbs(logFilePath) && utils.IsFileInputValid(logFilePath) {\n\t\tlogFilePath = filepath.Join(configDir, logFilePath)\n\t}\n\tlogger.InitLogger(logFilePath, logMaxSize, logMaxBackups, logMaxAge, logCompress, logLevel)\n\tversion := utils.GetAppVersion()\n\tlogger.Info(logSender, \"\", \"starting LDAP Auth Server %v, config dir: %v, config file: %v, log max size: %v log max backups: %v \"+\n\t\t\"log max age: %v log verbose: %v, log compress: %v\", version.GetVersionAsString(), configDir, configFile, logMaxSize,\n\t\tlogMaxBackups, logMaxAge, logVerbose, logCompress)\n\tconfig.LoadConfig(configDir, configFile)\n\treturn httpd.StartHTTPServer(configDir, config.GetHTTPDConfig())\n}\n" }, { "path": "examples/ldapauthserver/config/config.go", "content": "package config\n\nimport (\n\t\"strings\"\n\n\t\"github.com/drakkan/sftpgo/ldapauthserver/logger\"\n\t\"github.com/spf13/viper\"\n)\n\nconst (\n\tlogSender = \"config\"\n\t// DefaultConfigName defines the name for the default config file.\n\t// This is the file name without extension, we use viper and so we\n\t// support all the config files format supported by viper\n\tDefaultConfigName = \"ldapauth\"\n\t// ConfigEnvPrefix defines a prefix that ENVIRONMENT variables will use\n\tconfigEnvPrefix = \"ldapauth\"\n)\n\n// HTTPDConfig defines configuration for the HTTPD server\ntype HTTPDConfig struct {\n\tBindAddress string `mapstructure:\"bind_address\"`\n\tBindPort int `mapstructure:\"bind_port\"`\n\tAuthUserFile string `mapstructure:\"auth_user_file\"`\n\tCertificateFile string `mapstructure:\"certificate_file\"`\n\tCertificateKeyFile string `mapstructure:\"certificate_key_file\"`\n}\n\n// LDAPConfig defines the configuration parameters for LDAP connections and searches\ntype LDAPConfig struct {\n\tBaseDN string `mapstructure:\"basedn\"`\n\tBindURL string `mapstructure:\"bind_url\"`\n\tBindUsername string `mapstructure:\"bind_username\"`\n\tBindPassword string `mapstructure:\"bind_password\"`\n\tSearchFilter string `mapstructure:\"search_filter\"`\n\tSearchBaseAttrs []string `mapstructure:\"search_base_attrs\"`\n\tDefaultUID int `mapstructure:\"default_uid\"`\n\tDefaultGID int `mapstructure:\"default_gid\"`\n\tForceDefaultUID bool `mapstructure:\"force_default_uid\"`\n\tForceDefaultGID bool `mapstructure:\"force_default_gid\"`\n\tInsecureSkipVerify bool `mapstructure:\"insecure_skip_verify\"`\n\tCACertificates []string `mapstructure:\"ca_certificates\"`\n}\n\ntype appConfig struct {\n\tHTTPD HTTPDConfig `mapstructure:\"httpd\"`\n\tLDAP LDAPConfig `mapstructure:\"ldap\"`\n}\n\nvar conf appConfig\n\nfunc init() {\n\tconf = appConfig{\n\t\tHTTPD: HTTPDConfig{\n\t\t\tBindAddress: \"\",\n\t\t\tBindPort: 9000,\n\t\t\tAuthUserFile: \"\",\n\t\t\tCertificateFile: \"\",\n\t\t\tCertificateKeyFile: \"\",\n\t\t},\n\t\tLDAP: LDAPConfig{\n\t\t\tBaseDN: \"dc=example,dc=com\",\n\t\t\tBindURL: \"ldap://192.168.1.103:389\",\n\t\t\tBindUsername: \"cn=Directory Manager\",\n\t\t\tBindPassword: \"YOUR_ADMIN_PASSWORD_HERE\",\n\t\t\tSearchFilter: \"(&(objectClass=nsPerson)(uid=%s))\",\n\t\t\tSearchBaseAttrs: []string{\n\t\t\t\t\"dn\",\n\t\t\t\t\"homeDirectory\",\n\t\t\t\t\"uidNumber\",\n\t\t\t\t\"gidNumber\",\n\t\t\t\t\"nsSshPublicKey\",\n\t\t\t},\n\t\t\tDefaultUID: 0,\n\t\t\tDefaultGID: 0,\n\t\t\tForceDefaultUID: true,\n\t\t\tForceDefaultGID: true,\n\t\t\tInsecureSkipVerify: false,\n\t\t\tCACertificates: nil,\n\t\t},\n\t}\n\tviper.SetEnvPrefix(configEnvPrefix)\n\treplacer := strings.NewReplacer(\".\", \"__\")\n\tviper.SetEnvKeyReplacer(replacer)\n\tviper.SetConfigName(DefaultConfigName)\n\tviper.AutomaticEnv()\n\tviper.AllowEmptyEnv(true)\n}\n\n// GetHomeDirectory returns the configured name for the LDAP field to use as home directory\nfunc (l *LDAPConfig) GetHomeDirectory() string {\n\tif len(l.SearchBaseAttrs) > 1 {\n\t\treturn l.SearchBaseAttrs[1]\n\t}\n\treturn \"homeDirectory\"\n}\n\n// GetUIDNumber returns the configured name for the LDAP field to use as UID\nfunc (l *LDAPConfig) GetUIDNumber() string {\n\tif len(l.SearchBaseAttrs) > 2 {\n\t\treturn l.SearchBaseAttrs[2]\n\t}\n\treturn \"uidNumber\"\n}\n\n// GetGIDNumber returns the configured name for the LDAP field to use as GID\nfunc (l *LDAPConfig) GetGIDNumber() string {\n\tif len(l.SearchBaseAttrs) > 3 {\n\t\treturn l.SearchBaseAttrs[3]\n\t}\n\treturn \"gidNumber\"\n}\n\n// GetPublicKey returns the configured name for the LDAP field to use as public keys\nfunc (l *LDAPConfig) GetPublicKey() string {\n\tif len(l.SearchBaseAttrs) > 4 {\n\t\treturn l.SearchBaseAttrs[4]\n\t}\n\treturn \"nsSshPublicKey\"\n}\n\n// GetHTTPDConfig returns the configuration for the HTTP server\nfunc GetHTTPDConfig() HTTPDConfig {\n\treturn conf.HTTPD\n}\n\n// GetLDAPConfig returns LDAP related settings\nfunc GetLDAPConfig() LDAPConfig {\n\treturn conf.LDAP\n}\n\nfunc getRedactedConf() appConfig {\n\tc := conf\n\treturn c\n}\n\n// LoadConfig loads the configuration\nfunc LoadConfig(configDir, configName string) error {\n\tvar err error\n\tviper.AddConfigPath(configDir)\n\tviper.AddConfigPath(\".\")\n\tviper.SetConfigName(configName)\n\tif err = viper.ReadInConfig(); err != nil {\n\t\tlogger.Warn(logSender, \"\", \"error loading configuration file: %v. Default configuration will be used: %+v\",\n\t\t\terr, getRedactedConf())\n\t\tlogger.WarnToConsole(\"error loading configuration file: %v. Default configuration will be used.\", err)\n\t\treturn err\n\t}\n\terr = viper.Unmarshal(&conf)\n\tif err != nil {\n\t\tlogger.Warn(logSender, \"\", \"error parsing configuration file: %v. Default configuration will be used: %+v\",\n\t\t\terr, getRedactedConf())\n\t\tlogger.WarnToConsole(\"error parsing configuration file: %v. Default configuration will be used.\", err)\n\t\treturn err\n\t}\n\tlogger.Debug(logSender, \"\", \"config file used: '%q', config loaded: %+v\", viper.ConfigFileUsed(), getRedactedConf())\n\treturn err\n}\n" }, { "path": "examples/ldapauthserver/go.mod", "content": "module github.com/drakkan/sftpgo/ldapauthserver\n\ngo 1.25.0\n\nrequire (\n\tgithub.com/go-chi/chi/v5 v5.2.5\n\tgithub.com/go-chi/render v1.0.3\n\tgithub.com/go-ldap/ldap/v3 v3.4.13\n\tgithub.com/nathanaelle/password/v2 v2.0.1\n\tgithub.com/rs/zerolog v1.34.0\n\tgithub.com/spf13/cobra v1.10.2\n\tgithub.com/spf13/viper v1.21.0\n\tgolang.org/x/crypto v0.49.0\n\tgopkg.in/natefinch/lumberjack.v2 v2.2.1\n)\n\nrequire (\n\tgithub.com/Azure/go-ntlmssp v0.1.0 // indirect\n\tgithub.com/ajg/form v1.7.1 // indirect\n\tgithub.com/fsnotify/fsnotify v1.9.0 // indirect\n\tgithub.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect\n\tgithub.com/go-viper/mapstructure/v2 v2.5.0 // indirect\n\tgithub.com/google/uuid v1.6.0 // indirect\n\tgithub.com/inconshreveable/mousetrap v1.1.0 // indirect\n\tgithub.com/mattn/go-colorable v0.1.14 // indirect\n\tgithub.com/mattn/go-isatty v0.0.20 // indirect\n\tgithub.com/pelletier/go-toml/v2 v2.2.4 // indirect\n\tgithub.com/sagikazarmark/locafero v0.12.0 // indirect\n\tgithub.com/spf13/afero v1.15.0 // indirect\n\tgithub.com/spf13/cast v1.10.0 // indirect\n\tgithub.com/spf13/pflag v1.0.10 // indirect\n\tgithub.com/subosito/gotenv v1.6.0 // indirect\n\tgo.yaml.in/yaml/v3 v3.0.4 // indirect\n\tgolang.org/x/sys v0.42.0 // indirect\n\tgolang.org/x/text v0.35.0 // indirect\n\tgopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect\n)\n" }, { "path": "examples/ldapauthserver/go.sum", "content": "github.com/Azure/go-ntlmssp v0.1.0 h1:DjFo6YtWzNqNvQdrwEyr/e4nhU3vRiwenz5QX7sFz+A=\ngithub.com/Azure/go-ntlmssp v0.1.0/go.mod h1:NYqdhxd/8aAct/s4qSYZEerdPuH1liG2/X9DiVTbhpk=\ngithub.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=\ngithub.com/ajg/form v1.7.1 h1:OsnBDzTkrWdrxvEnO68I72ZVGJGNaMwPhoAm0V+llgc=\ngithub.com/ajg/form v1.7.1/go.mod h1:HL757PzLyNkj5AIfptT6L+iGNeXTlnrr/oDePGc/y7Q=\ngithub.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e h1:4dAU9FXIyQktpoUAgOJK3OTFc/xug0PCXYCqU0FgDKI=\ngithub.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=\ngithub.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=\ngithub.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=\ngithub.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=\ngithub.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=\ngithub.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=\ngithub.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=\ngithub.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=\ngithub.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=\ngithub.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=\ngithub.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=\ngithub.com/go-chi/chi/v5 v5.2.5 h1:Eg4myHZBjyvJmAFjFvWgrqDTXFyOzjj7YIm3L3mu6Ug=\ngithub.com/go-chi/chi/v5 v5.2.5/go.mod h1:X7Gx4mteadT3eDOMTsXzmI4/rwUpOwBHLpAfupzFJP0=\ngithub.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4=\ngithub.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=\ngithub.com/go-ldap/ldap/v3 v3.4.13 h1:+x1nG9h+MZN7h/lUi5Q3UZ0fJ1GyDQYbPvbuH38baDQ=\ngithub.com/go-ldap/ldap/v3 v3.4.13/go.mod h1:LxsGZV6vbaK0sIvYfsv47rfh4ca0JXokCoKjZxsszv0=\ngithub.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro=\ngithub.com/go-viper/mapstructure/v2 v2.5.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=\ngithub.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=\ngithub.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=\ngithub.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=\ngithub.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=\ngithub.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=\ngithub.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=\ngithub.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=\ngithub.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=\ngithub.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=\ngithub.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=\ngithub.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=\ngithub.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=\ngithub.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=\ngithub.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg=\ngithub.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo=\ngithub.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o=\ngithub.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=\ngithub.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8=\ngithub.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=\ngithub.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=\ngithub.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=\ngithub.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=\ngithub.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=\ngithub.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=\ngithub.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=\ngithub.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=\ngithub.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=\ngithub.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=\ngithub.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=\ngithub.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=\ngithub.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=\ngithub.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=\ngithub.com/nathanaelle/password/v2 v2.0.1 h1:ItoCTdsuIWzilYmllQPa3DR3YoCXcpfxScWLqr8Ii2s=\ngithub.com/nathanaelle/password/v2 v2.0.1/go.mod h1:eaoT+ICQEPNtikBRIAatN8ThWwMhVG+r1jTw60BvPJk=\ngithub.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=\ngithub.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=\ngithub.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=\ngithub.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=\ngithub.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=\ngithub.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=\ngithub.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=\ngithub.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=\ngithub.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=\ngithub.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=\ngithub.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=\ngithub.com/sagikazarmark/locafero v0.12.0 h1:/NQhBAkUb4+fH1jivKHWusDYFjMOOKU88eegjfxfHb4=\ngithub.com/sagikazarmark/locafero v0.12.0/go.mod h1:sZh36u/YSZ918v0Io+U9ogLYQJ9tLLBmM4eneO6WwsI=\ngithub.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=\ngithub.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg=\ngithub.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=\ngithub.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=\ngithub.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=\ngithub.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=\ngithub.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=\ngithub.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=\ngithub.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=\ngithub.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU=\ngithub.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY=\ngithub.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=\ngithub.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=\ngithub.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=\ngithub.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=\ngo.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=\ngo.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=\ngolang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=\ngolang.org/x/crypto v0.0.0-20200311171314-f7b00557c8c4/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=\ngolang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=\ngolang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=\ngolang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=\ngolang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=\ngolang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=\ngolang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=\ngolang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=\ngolang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=\ngolang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=\ngolang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=\ngolang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=\ngolang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=\ngolang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=\ngopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=\ngopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=\ngopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=\ngopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=\ngopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=\ngopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=\ngopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=\n" }, { "path": "examples/ldapauthserver/httpd/auth.go", "content": "package httpd\n\nimport (\n\t\"encoding/csv\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"os\"\n\t\"sync\"\n\n\tunixcrypt \"github.com/nathanaelle/password/v2\"\n\n\t\"github.com/drakkan/sftpgo/ldapauthserver/logger\"\n\t\"github.com/drakkan/sftpgo/ldapauthserver/utils\"\n\t\"golang.org/x/crypto/bcrypt\"\n)\n\nconst (\n\tauthenticationHeader = \"WWW-Authenticate\"\n\tauthenticationRealm = \"LDAP Auth Server\"\n\tunauthResponse = \"Unauthorized\"\n)\n\nvar (\n\tmd5CryptPwdPrefixes = []string{\"$1$\", \"$apr1$\"}\n\tbcryptPwdPrefixes = []string{\"$2a$\", \"$2$\", \"$2x$\", \"$2y$\", \"$2b$\"}\n)\n\ntype httpAuthProvider interface {\n\tgetHashedPassword(username string) (string, bool)\n\tisEnabled() bool\n}\n\ntype basicAuthProvider struct {\n\tPath string\n\tsync.RWMutex\n\tInfo os.FileInfo\n\tUsers map[string]string\n}\n\nfunc newBasicAuthProvider(authUserFile string) (httpAuthProvider, error) {\n\tbasicAuthProvider := basicAuthProvider{\n\t\tPath: authUserFile,\n\t\tInfo: nil,\n\t\tUsers: make(map[string]string),\n\t}\n\treturn &basicAuthProvider, basicAuthProvider.loadUsers()\n}\n\nfunc (p *basicAuthProvider) isEnabled() bool {\n\treturn len(p.Path) > 0\n}\n\nfunc (p *basicAuthProvider) isReloadNeeded(info os.FileInfo) bool {\n\tp.RLock()\n\tdefer p.RUnlock()\n\treturn p.Info == nil || p.Info.ModTime() != info.ModTime() || p.Info.Size() != info.Size()\n}\n\nfunc (p *basicAuthProvider) loadUsers() error {\n\tif !p.isEnabled() {\n\t\treturn nil\n\t}\n\tinfo, err := os.Stat(p.Path)\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"unable to stat basic auth users file: %v\", err)\n\t\treturn err\n\t}\n\tif p.isReloadNeeded(info) {\n\t\tr, err := os.Open(p.Path)\n\t\tif err != nil {\n\t\t\tlogger.Debug(logSender, \"\", \"unable to open basic auth users file: %v\", err)\n\t\t\treturn err\n\t\t}\n\t\tdefer r.Close()\n\t\treader := csv.NewReader(r)\n\t\treader.Comma = ':'\n\t\treader.Comment = '#'\n\t\treader.TrimLeadingSpace = true\n\t\trecords, err := reader.ReadAll()\n\t\tif err != nil {\n\t\t\tlogger.Debug(logSender, \"\", \"unable to parse basic auth users file: %v\", err)\n\t\t\treturn err\n\t\t}\n\t\tp.Lock()\n\t\tdefer p.Unlock()\n\t\tp.Users = make(map[string]string)\n\t\tfor _, record := range records {\n\t\t\tif len(record) == 2 {\n\t\t\t\tp.Users[record[0]] = record[1]\n\t\t\t}\n\t\t}\n\t\tlogger.Debug(logSender, \"\", \"number of users loaded for httpd basic auth: %v\", len(p.Users))\n\t\tp.Info = info\n\t}\n\treturn nil\n}\n\nfunc (p *basicAuthProvider) getHashedPassword(username string) (string, bool) {\n\terr := p.loadUsers()\n\tif err != nil {\n\t\treturn \"\", false\n\t}\n\tp.RLock()\n\tdefer p.RUnlock()\n\tpwd, ok := p.Users[username]\n\treturn pwd, ok\n}\n\nfunc checkAuth(next http.Handler) http.Handler {\n\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tif !validateCredentials(r) {\n\t\t\tw.Header().Set(authenticationHeader, fmt.Sprintf(\"Basic realm=\\\"%v\\\"\", authenticationRealm))\n\t\t\tsendAPIResponse(w, r, errors.New(unauthResponse), \"\", http.StatusUnauthorized)\n\t\t\treturn\n\t\t}\n\t\tnext.ServeHTTP(w, r)\n\t})\n}\n\nfunc validateCredentials(r *http.Request) bool {\n\tif !httpAuth.isEnabled() {\n\t\treturn true\n\t}\n\tusername, password, ok := r.BasicAuth()\n\tif !ok {\n\t\treturn false\n\t}\n\tif hashedPwd, ok := httpAuth.getHashedPassword(username); ok {\n\t\tif utils.IsStringPrefixInSlice(hashedPwd, bcryptPwdPrefixes) {\n\t\t\terr := bcrypt.CompareHashAndPassword([]byte(hashedPwd), []byte(password))\n\t\t\treturn err == nil\n\t\t}\n\t\tif utils.IsStringPrefixInSlice(hashedPwd, md5CryptPwdPrefixes) {\n\t\t\tcrypter, ok := unixcrypt.MD5.CrypterFound(hashedPwd)\n\t\t\tif !ok {\n\t\t\t\terr := errors.New(\"cannot found matching MD5 crypter\")\n\t\t\t\tlogger.Debug(logSender, \"\", \"error comparing password with MD5 crypt hash: %v\", err)\n\t\t\t\treturn false\n\t\t\t}\n\t\t\treturn crypter.Verify([]byte(password))\n\t\t}\n\t}\n\treturn false\n}\n" }, { "path": "examples/ldapauthserver/httpd/httpd.go", "content": "package httpd\n\nimport (\n\t\"context\"\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"time\"\n\n\t\"github.com/drakkan/sftpgo/ldapauthserver/config\"\n\t\"github.com/drakkan/sftpgo/ldapauthserver/logger\"\n\t\"github.com/drakkan/sftpgo/ldapauthserver/utils\"\n\t\"github.com/go-chi/chi/v5\"\n\t\"github.com/go-chi/chi/v5/middleware\"\n\t\"github.com/go-chi/render\"\n)\n\nconst (\n\tlogSender = \"httpd\"\n\tversionPath = \"/api/v1/version\"\n\tcheckAuthPath = \"/api/v1/check_auth\"\n\tmaxRequestSize = 1 << 18 // 256KB\n)\n\nvar (\n\tldapConfig config.LDAPConfig\n\thttpAuth httpAuthProvider\n\tcertMgr *certManager\n\trootCAs *x509.CertPool\n)\n\n// StartHTTPServer initializes and starts the HTTP Server\nfunc StartHTTPServer(configDir string, httpConfig config.HTTPDConfig) error {\n\tvar err error\n\tauthUserFile := getConfigPath(httpConfig.AuthUserFile, configDir)\n\thttpAuth, err = newBasicAuthProvider(authUserFile)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\trouter := chi.NewRouter()\n\trouter.Use(middleware.RequestID)\n\trouter.Use(middleware.RealIP)\n\trouter.Use(logger.NewStructuredLogger(logger.GetLogger()))\n\trouter.Use(middleware.Recoverer)\n\n\trouter.NotFound(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tsendAPIResponse(w, r, nil, \"Not Found\", http.StatusNotFound)\n\t}))\n\n\trouter.MethodNotAllowed(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tsendAPIResponse(w, r, nil, \"Method not allowed\", http.StatusMethodNotAllowed)\n\t}))\n\n\trouter.Get(versionPath, func(w http.ResponseWriter, r *http.Request) {\n\t\trender.JSON(w, r, utils.GetAppVersion())\n\t})\n\n\trouter.Group(func(router chi.Router) {\n\t\trouter.Use(checkAuth)\n\n\t\trouter.Post(checkAuthPath, checkSFTPGoUserAuth)\n\t})\n\n\tldapConfig = config.GetLDAPConfig()\n\tloadCACerts(configDir)\n\n\tcertificateFile := getConfigPath(httpConfig.CertificateFile, configDir)\n\tcertificateKeyFile := getConfigPath(httpConfig.CertificateKeyFile, configDir)\n\n\thttpServer := &http.Server{\n\t\tAddr: fmt.Sprintf(\"%s:%d\", httpConfig.BindAddress, httpConfig.BindPort),\n\t\tHandler: router,\n\t\tReadTimeout: 70 * time.Second,\n\t\tWriteTimeout: 70 * time.Second,\n\t\tIdleTimeout: 120 * time.Second,\n\t\tMaxHeaderBytes: 1 << 16, // 64KB\n\t}\n\tif len(certificateFile) > 0 && len(certificateKeyFile) > 0 {\n\t\tcertMgr, err = newCertManager(certificateFile, certificateKeyFile)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tconfig := &tls.Config{\n\t\t\tGetCertificate: certMgr.GetCertificateFunc(),\n\t\t\tMinVersion: tls.VersionTLS12,\n\t\t}\n\t\thttpServer.TLSConfig = config\n\t\treturn httpServer.ListenAndServeTLS(\"\", \"\")\n\t}\n\treturn httpServer.ListenAndServe()\n}\n\nfunc sendAPIResponse(w http.ResponseWriter, r *http.Request, err error, message string, code int) {\n\tvar errorString string\n\tif err != nil {\n\t\terrorString = err.Error()\n\t}\n\tresp := apiResponse{\n\t\tError: errorString,\n\t\tMessage: message,\n\t\tHTTPStatus: code,\n\t}\n\tctx := context.WithValue(r.Context(), render.StatusCtxKey, code)\n\trender.JSON(w, r.WithContext(ctx), resp)\n}\n\nfunc loadCACerts(configDir string) error {\n\tvar err error\n\trootCAs, err = x509.SystemCertPool()\n\tif err != nil {\n\t\trootCAs = x509.NewCertPool()\n\t}\n\tfor _, ca := range ldapConfig.CACertificates {\n\t\tcaPath := getConfigPath(ca, configDir)\n\t\tcerts, err := os.ReadFile(caPath)\n\t\tif err != nil {\n\t\t\tlogger.Warn(logSender, \"\", \"error loading ca cert %q: %v\", caPath, err)\n\t\t\treturn err\n\t\t}\n\t\tif !rootCAs.AppendCertsFromPEM(certs) {\n\t\t\tlogger.Warn(logSender, \"\", \"unable to add ca cert %q\", caPath)\n\t\t} else {\n\t\t\tlogger.Debug(logSender, \"\", \"ca cert %q added to the trusted certificates\", caPath)\n\t\t}\n\t}\n\n\treturn nil\n}\n\n// ReloadTLSCertificate reloads the TLS certificate and key from the configured paths\nfunc ReloadTLSCertificate() {\n\tif certMgr != nil {\n\t\tcertMgr.loadCertificate()\n\t}\n}\n\nfunc getConfigPath(name, configDir string) string {\n\tif !utils.IsFileInputValid(name) {\n\t\treturn \"\"\n\t}\n\tif len(name) > 0 && !filepath.IsAbs(name) {\n\t\treturn filepath.Join(configDir, name)\n\t}\n\treturn name\n}\n" }, { "path": "examples/ldapauthserver/httpd/ldapauth.go", "content": "package httpd\n\nimport (\n\t\"bytes\"\n\t\"crypto/tls\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"github.com/drakkan/sftpgo/ldapauthserver/logger\"\n\t\"github.com/go-chi/chi/v5/middleware\"\n\t\"github.com/go-chi/render\"\n\t\"github.com/go-ldap/ldap/v3\"\n\t\"golang.org/x/crypto/ssh\"\n)\n\nfunc getSFTPGoUser(entry *ldap.Entry, username string) (SFTPGoUser, error) {\n\tvar err error\n\tvar user SFTPGoUser\n\tuid := ldapConfig.DefaultUID\n\tgid := ldapConfig.DefaultGID\n\tstatus := 1\n\n\tif !ldapConfig.ForceDefaultUID {\n\t\tuid, err = strconv.Atoi(entry.GetAttributeValue(ldapConfig.GetUIDNumber()))\n\t\tif err != nil {\n\t\t\treturn user, err\n\t\t}\n\t}\n\n\tif !ldapConfig.ForceDefaultGID {\n\t\tuid, err = strconv.Atoi(entry.GetAttributeValue(ldapConfig.GetGIDNumber()))\n\t\tif err != nil {\n\t\t\treturn user, err\n\t\t}\n\t}\n\n\tsftpgoUser := SFTPGoUser{\n\t\tUsername: username,\n\t\tHomeDir: entry.GetAttributeValue(ldapConfig.GetHomeDirectory()),\n\t\tUID: uid,\n\t\tGID: gid,\n\t\tStatus: status,\n\t}\n\tsftpgoUser.Permissions = make(map[string][]string)\n\tsftpgoUser.Permissions[\"/\"] = []string{\"*\"}\n\treturn sftpgoUser, nil\n}\n\nfunc checkSFTPGoUserAuth(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tvar authReq externalAuthRequest\n\terr := render.DecodeJSON(r.Body, &authReq)\n\tif err != nil {\n\t\tlogger.Warn(logSender, middleware.GetReqID(r.Context()), \"error decoding auth request: %v\", err)\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tl, err := ldap.DialURL(ldapConfig.BindURL, ldap.DialWithTLSConfig(&tls.Config{\n\t\tInsecureSkipVerify: ldapConfig.InsecureSkipVerify,\n\t\tRootCAs: rootCAs,\n\t}))\n\tif err != nil {\n\t\tlogger.Warn(logSender, middleware.GetReqID(r.Context()), \"error connecting to the LDAP server: %v\", err)\n\t\tsendAPIResponse(w, r, err, \"Error connecting to the LDAP server\", http.StatusInternalServerError)\n\t\treturn\n\t}\n\tdefer l.Close()\n\n\terr = l.Bind(ldapConfig.BindUsername, ldapConfig.BindPassword)\n\tif err != nil {\n\t\tlogger.Warn(logSender, middleware.GetReqID(r.Context()), \"error binding to the LDAP server: %v\", err)\n\t\tsendAPIResponse(w, r, err, \"Error binding to the LDAP server\", http.StatusInternalServerError)\n\t\treturn\n\t}\n\n\tsearchRequest := ldap.NewSearchRequest(\n\t\tldapConfig.BaseDN,\n\t\tldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,\n\t\tstrings.Replace(ldapConfig.SearchFilter, \"%s\", ldap.EscapeFilter(authReq.Username), 1),\n\t\tldapConfig.SearchBaseAttrs,\n\t\tnil,\n\t)\n\n\tsr, err := l.Search(searchRequest)\n\tif err != nil {\n\t\tlogger.Warn(logSender, middleware.GetReqID(r.Context()), \"error searching LDAP user %q: %v\", authReq.Username, err)\n\t\tsendAPIResponse(w, r, err, \"Error searching LDAP user\", http.StatusInternalServerError)\n\t\treturn\n\t}\n\n\tif len(sr.Entries) != 1 {\n\t\tlogger.Warn(logSender, middleware.GetReqID(r.Context()), \"expected one user, found: %v\", len(sr.Entries))\n\t\tsendAPIResponse(w, r, nil, fmt.Sprintf(\"Expected one user, found: %v\", len(sr.Entries)), http.StatusNotFound)\n\t\treturn\n\t}\n\n\tif len(authReq.PublicKey) > 0 {\n\t\tuserKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(authReq.PublicKey))\n\t\tif err != nil {\n\t\t\tlogger.Warn(logSender, middleware.GetReqID(r.Context()), \"invalid public key for user %q: %v\", authReq.Username, err)\n\t\t\tsendAPIResponse(w, r, err, \"Invalid public key\", http.StatusBadRequest)\n\t\t\treturn\n\t\t}\n\t\tauthOk := false\n\t\tfor _, k := range sr.Entries[0].GetAttributeValues(ldapConfig.GetPublicKey()) {\n\t\t\tkey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(k))\n\t\t\t// we skip an invalid public key stored inside the LDAP server\n\t\t\tif err != nil {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tif bytes.Equal(key.Marshal(), userKey.Marshal()) {\n\t\t\t\tauthOk = true\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif !authOk {\n\t\t\tlogger.Warn(logSender, middleware.GetReqID(r.Context()), \"public key authentication failed for user: %q\", authReq.Username)\n\t\t\tsendAPIResponse(w, r, nil, \"public key authentication failed\", http.StatusForbidden)\n\t\t\treturn\n\t\t}\n\t} else {\n\t\t// bind to the LDAP server with the user dn and the given password to check the password\n\t\tuserdn := sr.Entries[0].DN\n\t\terr = l.Bind(userdn, authReq.Password)\n\t\tif err != nil {\n\t\t\tlogger.Warn(logSender, middleware.GetReqID(r.Context()), \"password authentication failed for user: %q\", authReq.Username)\n\t\t\tsendAPIResponse(w, r, nil, \"password authentication failed\", http.StatusForbidden)\n\t\t\treturn\n\t\t}\n\t}\n\n\tuser, err := getSFTPGoUser(sr.Entries[0], authReq.Username)\n\tif err != nil {\n\t\tlogger.Warn(logSender, middleware.GetReqID(r.Context()), \"get user from LDAP entry failed for username %q: %v\",\n\t\t\tauthReq.Username, err)\n\t\tsendAPIResponse(w, r, err, \"mapping LDAP user failed\", http.StatusInternalServerError)\n\t\treturn\n\t}\n\n\trender.JSON(w, r, user)\n}\n" }, { "path": "examples/ldapauthserver/httpd/models.go", "content": "package httpd\n\ntype apiResponse struct {\n\tError string `json:\"error\"`\n\tMessage string `json:\"message\"`\n\tHTTPStatus int `json:\"status\"`\n}\n\ntype externalAuthRequest struct {\n\tUsername string `json:\"username\"`\n\tPassword string `json:\"password\"`\n\tPublicKey string `json:\"public_key\"`\n}\n\n// SFTPGoExtensionsFilter defines filters based on file extensions\ntype SFTPGoExtensionsFilter struct {\n\tPath string `json:\"path\"`\n\tAllowedExtensions []string `json:\"allowed_extensions,omitempty\"`\n\tDeniedExtensions []string `json:\"denied_extensions,omitempty\"`\n}\n\n// SFTPGoUserFilters defines additional restrictions for an SFTPGo user\ntype SFTPGoUserFilters struct {\n\tAllowedIP []string `json:\"allowed_ip,omitempty\"`\n\tDeniedIP []string `json:\"denied_ip,omitempty\"`\n\tDeniedLoginMethods []string `json:\"denied_login_methods,omitempty\"`\n\tFileExtensions []SFTPGoExtensionsFilter `json:\"file_extensions,omitempty\"`\n}\n\n// S3FsConfig defines the configuration for S3 based filesystem\ntype S3FsConfig struct {\n\tBucket string `json:\"bucket,omitempty\"`\n\tKeyPrefix string `json:\"key_prefix,omitempty\"`\n\tRegion string `json:\"region,omitempty\"`\n\tAccessKey string `json:\"access_key,omitempty\"`\n\tAccessSecret string `json:\"access_secret,omitempty\"`\n\tEndpoint string `json:\"endpoint,omitempty\"`\n\tStorageClass string `json:\"storage_class,omitempty\"`\n\tUploadPartSize int64 `json:\"upload_part_size,omitempty\"`\n\tUploadConcurrency int `json:\"upload_concurrency,omitempty\"`\n}\n\n// GCSFsConfig defines the configuration for Google Cloud Storage based filesystem\ntype GCSFsConfig struct {\n\tBucket string `json:\"bucket,omitempty\"`\n\tKeyPrefix string `json:\"key_prefix,omitempty\"`\n\tCredentials string `json:\"credentials,omitempty\"`\n\tAutomaticCredentials int `json:\"automatic_credentials,omitempty\"`\n\tStorageClass string `json:\"storage_class,omitempty\"`\n}\n\n// SFTPGoFilesystem defines cloud storage filesystem details\ntype SFTPGoFilesystem struct {\n\t// 0 local filesystem, 1 AWS S3 compatible, 2 Google Cloud Storage\n\tProvider int `json:\"provider\"`\n\tS3Config S3FsConfig `json:\"s3config,omitempty\"`\n\tGCSConfig GCSFsConfig `json:\"gcsconfig,omitempty\"`\n}\n\ntype virtualFolder struct {\n\tVirtualPath string `json:\"virtual_path\"`\n\tMappedPath string `json:\"mapped_path\"`\n}\n\n// SFTPGoUser defines an SFTPGo user\ntype SFTPGoUser struct {\n\t// Database unique identifier\n\tID int64 `json:\"id\"`\n\t// 1 enabled, 0 disabled (login is not allowed)\n\tStatus int `json:\"status\"`\n\t// Username\n\tUsername string `json:\"username\"`\n\t// Account expiration date as unix timestamp in milliseconds. An expired account cannot login.\n\t// 0 means no expiration\n\tExpirationDate int64 `json:\"expiration_date\"`\n\tPassword string `json:\"password,omitempty\"`\n\tPublicKeys []string `json:\"public_keys,omitempty\"`\n\tHomeDir string `json:\"home_dir\"`\n\t// Mapping between virtual paths and filesystem paths outside the home directory. Supported for local filesystem only\n\tVirtualFolders []virtualFolder `json:\"virtual_folders,omitempty\"`\n\t// If sftpgo runs as root system user then the created files and directories will be assigned to this system UID\n\tUID int `json:\"uid\"`\n\t// If sftpgo runs as root system user then the created files and directories will be assigned to this system GID\n\tGID int `json:\"gid\"`\n\t// Maximum concurrent sessions. 0 means unlimited\n\tMaxSessions int `json:\"max_sessions\"`\n\t// Maximum size allowed as bytes. 0 means unlimited\n\tQuotaSize int64 `json:\"quota_size\"`\n\t// Maximum number of files allowed. 0 means unlimited\n\tQuotaFiles int `json:\"quota_files\"`\n\t// List of the granted permissions\n\tPermissions map[string][]string `json:\"permissions\"`\n\t// Used quota as bytes\n\tUsedQuotaSize int64 `json:\"used_quota_size\"`\n\t// Used quota as number of files\n\tUsedQuotaFiles int `json:\"used_quota_files\"`\n\t// Last quota update as unix timestamp in milliseconds\n\tLastQuotaUpdate int64 `json:\"last_quota_update\"`\n\t// Maximum upload bandwidth as KB/s, 0 means unlimited\n\tUploadBandwidth int64 `json:\"upload_bandwidth\"`\n\t// Maximum download bandwidth as KB/s, 0 means unlimited\n\tDownloadBandwidth int64 `json:\"download_bandwidth\"`\n\t// Last login as unix timestamp in milliseconds\n\tLastLogin int64 `json:\"last_login\"`\n\t// Additional restrictions\n\tFilters SFTPGoUserFilters `json:\"filters\"`\n\t// Filesystem configuration details\n\tFsConfig SFTPGoFilesystem `json:\"filesystem\"`\n}\n" }, { "path": "examples/ldapauthserver/httpd/tlsutils.go", "content": "package httpd\n\nimport (\n\t\"crypto/tls\"\n\t\"sync\"\n\n\t\"github.com/drakkan/sftpgo/ldapauthserver/logger\"\n)\n\ntype certManager struct {\n\tcertPath string\n\tkeyPath string\n\tsync.RWMutex\n\tcert *tls.Certificate\n}\n\nfunc (m *certManager) loadCertificate() error {\n\tnewCert, err := tls.LoadX509KeyPair(m.certPath, m.keyPath)\n\tif err != nil {\n\t\tlogger.Warn(logSender, \"\", \"unable to load https certificate: %v\", err)\n\t\treturn err\n\t}\n\tlogger.Debug(logSender, \"\", \"https certificate successfully loaded\")\n\tm.Lock()\n\tdefer m.Unlock()\n\tm.cert = &newCert\n\treturn nil\n}\n\nfunc (m *certManager) GetCertificateFunc() func(*tls.ClientHelloInfo) (*tls.Certificate, error) {\n\treturn func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {\n\t\tm.RLock()\n\t\tdefer m.RUnlock()\n\t\treturn m.cert, nil\n\t}\n}\n\nfunc newCertManager(certificateFile, certificateKeyFile string) (*certManager, error) {\n\tmanager := &certManager{\n\t\tcert: nil,\n\t\tcertPath: certificateFile,\n\t\tkeyPath: certificateKeyFile,\n\t}\n\terr := manager.loadCertificate()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn manager, nil\n}\n" }, { "path": "examples/ldapauthserver/ldapauth.toml", "content": "[httpd]\nbind_address = \"\"\nbind_port = 9000\n# Path to a file used to store usernames and passwords for basic authentication. It can be generated using the Apache htpasswd tool\nauth_user_file = \"\"\n# If both the certificate and the private key are provided, the server will expect HTTPS connections\ncertificate_file = \"\"\ncertificate_key_file = \"\"\n\n[ldap]\nbasedn = \"dc=example,dc=com\"\nbind_url = \"ldap://127.0.0.1:389\"\nbind_username = \"cn=Directory Manager\"\nbind_password = \"YOUR_ADMIN_PASSWORD_HERE\"\nsearch_filter = \"(&(objectClass=nsPerson)(uid=%s))\"\n# you can change the name of the search base attributes to adapt them to your schema but the order must remain the same\nsearch_base_attrs = [\n \"dn\",\n \"homeDirectory\",\n \"uidNumber\",\n \"gidNumber\",\n \"nsSshPublicKey\"\n]\ndefault_uid = 0\ndefault_gid = 0\nforce_default_uid = true\nforce_default_gid = true\n# if true, ldaps accepts any certificate presented by the LDAP server and any host name in that certificate.\n# This should be used only for testing\ninsecure_skip_verify = false\n# list of root CA to use for ldaps connections\n# If you use a self signed certificate is better to add the root CA to this list than set insecure_skip_verify to true\nca_certificates = []\n" }, { "path": "examples/ldapauthserver/logger/logger.go", "content": "package logger\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"runtime\"\n\n\t\"github.com/rs/zerolog\"\n\tlumberjack \"gopkg.in/natefinch/lumberjack.v2\"\n)\n\nconst (\n\tdateFormat = \"2006-01-02T15:04:05.000\" // YYYY-MM-DDTHH:MM:SS.ZZZ\n)\n\nvar (\n\tlogger zerolog.Logger\n\tconsoleLogger zerolog.Logger\n)\n\n// GetLogger get the configured logger instance\nfunc GetLogger() *zerolog.Logger {\n\treturn &logger\n}\n\n// InitLogger initialize loggers\nfunc InitLogger(logFilePath string, logMaxSize, logMaxBackups, logMaxAge int, logCompress bool, level zerolog.Level) {\n\tzerolog.TimeFieldFormat = dateFormat\n\tif isLogFilePathValid(logFilePath) {\n\t\tlogger = zerolog.New(&lumberjack.Logger{\n\t\t\tFilename: logFilePath,\n\t\t\tMaxSize: logMaxSize,\n\t\t\tMaxBackups: logMaxBackups,\n\t\t\tMaxAge: logMaxAge,\n\t\t\tCompress: logCompress,\n\t\t})\n\t\tEnableConsoleLogger(level)\n\t} else {\n\t\tlogger = zerolog.New(&logSyncWrapper{\n\t\t\toutput: os.Stdout,\n\t\t})\n\t\tconsoleLogger = zerolog.Nop()\n\t}\n\tlogger.Level(level)\n}\n\n// DisableLogger disable the main logger.\n// ConsoleLogger will not be affected\nfunc DisableLogger() {\n\tlogger = zerolog.Nop()\n}\n\n// EnableConsoleLogger enables the console logger\nfunc EnableConsoleLogger(level zerolog.Level) {\n\tconsoleOutput := zerolog.ConsoleWriter{\n\t\tOut: os.Stdout,\n\t\tTimeFormat: dateFormat,\n\t\tNoColor: runtime.GOOS == \"windows\",\n\t}\n\tconsoleLogger = zerolog.New(consoleOutput).With().Timestamp().Logger().Level(level)\n}\n\n// Debug logs at debug level for the specified sender\nfunc Debug(prefix, requestID string, format string, v ...interface{}) {\n\tlogger.Debug().\n\t\tTimestamp().\n\t\tStr(\"sender\", prefix).\n\t\tStr(\"request_id\", requestID).\n\t\tMsg(fmt.Sprintf(format, v...))\n}\n\n// Info logs at info level for the specified sender\nfunc Info(prefix, requestID string, format string, v ...interface{}) {\n\tlogger.Info().\n\t\tTimestamp().\n\t\tStr(\"sender\", prefix).\n\t\tStr(\"request_id\", requestID).\n\t\tMsg(fmt.Sprintf(format, v...))\n}\n\n// Warn logs at warn level for the specified sender\nfunc Warn(prefix, requestID string, format string, v ...interface{}) {\n\tlogger.Warn().\n\t\tTimestamp().\n\t\tStr(\"sender\", prefix).\n\t\tStr(\"request_id\", requestID).\n\t\tMsg(fmt.Sprintf(format, v...))\n}\n\n// Error logs at error level for the specified sender\nfunc Error(prefix, requestID string, format string, v ...interface{}) {\n\tlogger.Error().\n\t\tTimestamp().\n\t\tStr(\"sender\", prefix).\n\t\tStr(\"request_id\", requestID).\n\t\tMsg(fmt.Sprintf(format, v...))\n}\n\n// DebugToConsole logs at debug level to stdout\nfunc DebugToConsole(format string, v ...interface{}) {\n\tconsoleLogger.Debug().Msg(fmt.Sprintf(format, v...))\n}\n\n// InfoToConsole logs at info level to stdout\nfunc InfoToConsole(format string, v ...interface{}) {\n\tconsoleLogger.Info().Msg(fmt.Sprintf(format, v...))\n}\n\n// WarnToConsole logs at info level to stdout\nfunc WarnToConsole(format string, v ...interface{}) {\n\tconsoleLogger.Warn().Msg(fmt.Sprintf(format, v...))\n}\n\n// ErrorToConsole logs at error level to stdout\nfunc ErrorToConsole(format string, v ...interface{}) {\n\tconsoleLogger.Error().Msg(fmt.Sprintf(format, v...))\n}\n\nfunc isLogFilePathValid(logFilePath string) bool {\n\tcleanInput := filepath.Clean(logFilePath)\n\tif cleanInput == \".\" || cleanInput == \"..\" {\n\t\treturn false\n\t}\n\treturn true\n}\n" }, { "path": "examples/ldapauthserver/logger/request_logger.go", "content": "package logger\n\nimport (\n\t\"fmt\"\n\t\"net/http\"\n\t\"time\"\n\n\t\"github.com/go-chi/chi/v5/middleware\"\n\t\"github.com/rs/zerolog\"\n)\n\n// StructuredLogger defines a simple wrapper around zerolog logger.\n// It implements chi.middleware.LogFormatter interface\ntype StructuredLogger struct {\n\tLogger *zerolog.Logger\n}\n\n// StructuredLoggerEntry ...\ntype StructuredLoggerEntry struct {\n\tLogger *zerolog.Logger\n\tfields map[string]interface{}\n}\n\n// NewStructuredLogger returns a chi.middleware.RequestLogger using our StructuredLogger.\n// This structured logger is called by the chi.middleware.Logger handler to log each HTTP request\nfunc NewStructuredLogger(logger *zerolog.Logger) func(next http.Handler) http.Handler {\n\treturn middleware.RequestLogger(&StructuredLogger{logger})\n}\n\n// NewLogEntry creates a new log entry for an HTTP request\nfunc (l *StructuredLogger) NewLogEntry(r *http.Request) middleware.LogEntry {\n\tscheme := \"http\"\n\tif r.TLS != nil {\n\t\tscheme = \"https\"\n\t}\n\n\tfields := map[string]interface{}{\n\t\t\"remote_addr\": r.RemoteAddr,\n\t\t\"proto\": r.Proto,\n\t\t\"method\": r.Method,\n\t\t\"user_agent\": r.UserAgent(),\n\t\t\"uri\": fmt.Sprintf(\"%s://%s%s\", scheme, r.Host, r.RequestURI)}\n\n\treqID := middleware.GetReqID(r.Context())\n\tif reqID != \"\" {\n\t\tfields[\"request_id\"] = reqID\n\t}\n\n\treturn &StructuredLoggerEntry{Logger: l.Logger, fields: fields}\n}\n\n// Write logs a new entry at the end of the HTTP request\nfunc (l *StructuredLoggerEntry) Write(status, bytes int, header http.Header, elapsed time.Duration, extra interface{}) {\n\tl.Logger.Info().\n\t\tTimestamp().\n\t\tStr(\"sender\", \"httpd\").\n\t\tFields(l.fields).\n\t\tInt(\"resp_status\", status).\n\t\tInt(\"resp_size\", bytes).\n\t\tInt64(\"elapsed_ms\", elapsed.Nanoseconds()/1000000).\n\t\tSend()\n}\n\n// Panic logs panics\nfunc (l *StructuredLoggerEntry) Panic(v interface{}, stack []byte) {\n\tl.Logger.Error().\n\t\tTimestamp().\n\t\tStr(\"sender\", \"httpd\").\n\t\tFields(l.fields).\n\t\tStr(\"stack\", string(stack)).\n\t\tStr(\"panic\", fmt.Sprintf(\"%+v\", v)).\n\t\tSend()\n}\n" }, { "path": "examples/ldapauthserver/logger/sync_wrapper.go", "content": "package logger\n\nimport (\n\t\"os\"\n\t\"sync\"\n)\n\ntype logSyncWrapper struct {\n\tsync.Mutex\n\toutput *os.File\n}\n\nfunc (l *logSyncWrapper) Write(b []byte) (n int, err error) {\n\tl.Lock()\n\tdefer l.Unlock()\n\treturn l.output.Write(b)\n}\n" }, { "path": "examples/ldapauthserver/main.go", "content": "package main\n\nimport \"github.com/drakkan/sftpgo/ldapauthserver/cmd\"\n\nfunc main() {\n\tcmd.Execute()\n}\n" }, { "path": "examples/ldapauthserver/utils/utils.go", "content": "package utils\n\nimport (\n\t\"path/filepath\"\n\t\"strings\"\n)\n\n// IsFileInputValid returns true this is a valid file name.\n// This method must be used before joining a file name, generally provided as\n// user input, with a directory\nfunc IsFileInputValid(fileInput string) bool {\n\tcleanInput := filepath.Clean(fileInput)\n\tif cleanInput == \".\" || cleanInput == \"..\" {\n\t\treturn false\n\t}\n\treturn true\n}\n\n// IsStringPrefixInSlice searches a string prefix in a slice and returns true\n// if a matching prefix is found\nfunc IsStringPrefixInSlice(obj string, list []string) bool {\n\tfor _, v := range list {\n\t\tif strings.HasPrefix(obj, v) {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n" }, { "path": "examples/ldapauthserver/utils/version.go", "content": "package utils\n\nconst version = \"0.1.0-dev\"\n\nvar (\n\tcommit = \"\"\n\tdate = \"\"\n\tversionInfo VersionInfo\n)\n\n// VersionInfo defines version details\ntype VersionInfo struct {\n\tVersion string `json:\"version\"`\n\tBuildDate string `json:\"build_date\"`\n\tCommitHash string `json:\"commit_hash\"`\n}\n\nfunc init() {\n\tversionInfo = VersionInfo{\n\t\tVersion: version,\n\t\tCommitHash: commit,\n\t\tBuildDate: date,\n\t}\n}\n\n// GetVersionAsString returns the string representation of the VersionInfo struct\nfunc (v *VersionInfo) GetVersionAsString() string {\n\tversionString := v.Version\n\tif len(v.CommitHash) > 0 {\n\t\tversionString += \"-\" + v.CommitHash\n\t}\n\tif len(v.BuildDate) > 0 {\n\t\tversionString += \"-\" + v.BuildDate\n\t}\n\treturn versionString\n}\n\n// GetAppVersion returns VersionInfo struct\nfunc GetAppVersion() VersionInfo {\n\treturn versionInfo\n}\n" }, { "path": "examples/php-activedirectory-http-server/README.md", "content": "# SFTPGo on Windows with Active Directory Integration + Caddy Static File Server Example\n\n[![SFTPGo on Windows with Active Directory Integration + Caddy Static File Server Example](https://img.youtube.com/vi/M5UcJI8t4AI/0.jpg)](https://www.youtube.com/watch?v=M5UcJI8t4AI)\n\nThis is similar to the ldapauthserver example, but is more specific to using Active Directory along with using SFTPGo on a Windows Server.\n\nThe Youtube Walkthrough/Tutorial video above goes into considerable more detail, but in short, it walks through setting up SFTPGo on a new Windows Server, and enables the External Authentication feature within SFTPGo, along with my `sftpgo-ldap-http-server` project, to allow for user authentication into SFTPGo to occur through one or more Active Directory connections.\n\nAdditionally, I go through using the Caddy web server, to help enable serving of static files, if this is something that would be of interest for you.\n\nTo get started, you'll want to download the latest release ZIP package from the [sftpgo-ldap-http-server repository](https://github.com/orware/sftpgo-ldap-http-server).\n\nThe ZIP itself contains the `sftpgo-ldap-http-server.exe` file, along with an `OpenLDAP` folder (mainly to help if you want to use TLS for your LDAP connections), and a `Data` which contains a logs folder, a configuration.example.php file, a functions.php file, and the LICENSE and README files.\n\nThe video above goes through the whole process, but to get started you'll want to install SFTPGo on your server, and then extract the `sftpgo-ldap-http-server` ZIP file on the server as well into a separate folder. Then you'll want to copy the configuration.example.php file and name it `configuration.php` and begin customizing the settings (e.g. add in your own LDAP settings, along with how you may want to have your folders be created). At the very minimum you'll want to make sure that the home directories are set correctly to how you want the folders to be created for your environment (you don't have to use the virtual folders or really any of the other functionality if you don't need it).\n\nOnce configured, from a command prompt window, if you are already in the same folder as where you extracted the `sftpgo-ldap-http-server` ZIP, you may simply call the `sftpgo-ldap-http-server.exe` and it should start up a simple HTTP server on Port 9001 running on localhost (the port can be adjusted via the `configuration.php` file as well). Now all you have to do is point SFTPGo's `external_auth_hook` option to point to `http://localhost:9001/` and you should be able to run some authentication tests (assuming you have all of your settings correct and there are no intermediate issues).\n\nThe video above definitely goes through some troubleshooting situations you might find yourself coming across, so while it is long (at about 1 hour, 42 minutes), it may be helpful to review and avoid some issues and just to learn a bit more about SFTPGo and the integration above.\n\n## Example Virtual Folders Configuration (Allowing for Both a Public and Private Folder)\n\nThe following can be utilized if you'd like to assign your users both a Private Virtual Folder and Public Virtual Folder.\n\nBy itself, the Public Virtual Folder isn't necessarily public, so keep that in mind. Only by combining things together with the Caddy web server (and Caddyfile example configuration down below) can you be successful in making the `F:\\files\\public` folder from the example public.\n\n```php\n$virtual_folders['example'] = [\n [\n //\"id\" => 0,\n \"name\" => \"private-#USERNAME#\",\n \"mapped_path\" => 'F:\\files\\private\\#USERNAME#',\n //\"used_quota_size\" => 0,\n //\"used_quota_files\" => 0,\n //\"last_quota_update\" => 0,\n \"virtual_path\" => \"/_private\",\n \"quota_size\" => -1,\n \"quota_files\" => -1\n ],\n\t[\n //\"id\" => 0,\n \"name\" => \"public-#USERNAME#\",\n \"mapped_path\" => 'F:\\files\\public\\#USERNAME#',\n //\"used_quota_size\" => 0,\n //\"used_quota_files\" => 0,\n //\"last_quota_update\" => 0,\n \"virtual_path\" => \"/_public\",\n \"quota_size\" => -1,\n \"quota_files\" => -1\n ]\n];\n```\n\n## Example Connection \"Output Object\" Allowing For No Files in the User's Home Directory (\"Root Directory\") but Allowing for Files in the Public/Private Virtual Folders\n\nThe magic here happens in the \"permissions\" value, by limiting the root/home directory to just the list/download permissions, and then allowing all permissions on the Public/Private virtual folders.\n\n```php\n$connection_output_objects['example'] = [\n 'status' => 1,\n 'username' => '',\n 'expiration_date' => 0,\n 'home_dir' => '',\n 'uid' => 0,\n 'gid' => 0,\n 'max_sessions' => 0,\n 'quota_size' => 0,\n 'quota_files' => 100000,\n 'permissions' => [\n \"/\" => [\"list\", \"download\"],\n \"/_private\" => [\"*\"],\n \"/_public\" => [\"*\"],\n ],\n 'upload_bandwidth' => 0,\n 'download_bandwidth' => 0,\n 'filters' => [\n 'allowed_ip' => [],\n 'denied_ip' => [],\n ],\n 'public_keys' => [],\n];\n```\n\n## Recommended Usage of Automatic Groups Mode (Limiting by Group Prefix)\n\nThe `sftpgo-ldap-http-server` project is able to automatically create virtual folders for any groups your user is a memberof if the automatic mode is turned on. However, by having a specific set of allowed prefixes defined, you can limit things to just those groups that begin with the prefixes you've listed, which can be helpful. The prefix itself will be removed from the group name when added as a virtual folder for the user.\n\n```php\n// If automatic groups mode is disabled, then you have to manually add the allowed groups into $allowed_groups down below:\n// If enabled, then any groups you are a memberof will automatically be added in using the template below.\n$auto_groups_mode = true;\n\n$auto_groups_mode_virtual_folder_template = [\n [\n //\"id\" => 0,\n \"name\" => \"groups-#GROUP#\",\n \"mapped_path\" => 'F:\\files\\groups\\#GROUP#',\n //\"used_quota_size\" => 0,\n //\"used_quota_files\" => 0,\n //\"last_quota_update\" => 0,\n \"virtual_path\" => \"/groups/#GROUP#\",\n \"quota_size\" => 0,\n \"quota_files\" => 100000\n ]\n];\n\n// Used only when auto groups mode is enabled and will help prevent all your groups from being\n// added into SFTPGo since only groups with the prefixes defined here will be automatically added\n// with prefixes automatically removed when listed as a virtual folder (e.g. a group with name\n// \"sftpgo-example\" would simply become \"example\").\n$allowed_group_prefixes = [\n 'sftpgo-'\n];\n```\n\n## Example Caddyfile Configuration You Can Adapt for Your Needs\n\n```shell\n### Re-usable snippets:\n\n(add_static_file_serving_features) {\n\n\t# Allow accessing files without requiring .html:\n\ttry_files {path} {path}.html\n\n\t# Enable Static File Server and Directory Browsing:\n\tfile_server browse\n\n\t# Enable templating functionality:\n\ttemplates\n\n\t# Enable Compression for Output:\n\tencode zstd gzip\n\n\thandle_errors {\n\t\trespond \"
{http.error.status_code} {http.error.status_text}
\"\n\t}\n}\n\n(add_hsts_headers) {\n\theader {\n\t\t# Enable HTTP Strict Transport Security (HSTS) to force clients to always\n\n\t\t# connect via HTTPS (do not use if only testing)\n\t\tStrict-Transport-Security \"max-age=31536000; includeSubDomains\"\n\n\t\t# Enable cross-site filter (XSS) and tell browser to block detected attacks\n\t\tX-XSS-Protection \"1; mode=block\"\n\n\t\t# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type\n\t\tX-Content-Type-Options \"nosniff\"\n\n\t\t# Disallow the site to be rendered within a frame (clickjacking protection)\n\t\tX-Frame-Options \"DENY\"\n\n\t\t# keep referrer data off of HTTP connections\n\t\tReferrer-Policy no-referrer-when-downgrade\n\t}\n}\n\n(add_logging_with_path) {\n\tlog {\n\t\toutput file \"{args.0}\" {\n\t\t\troll_size 100mb\n\t\t\troll_keep 5\n\t\t\troll_keep_for 720h\n\t\t}\n\n\t\tformat json\n\t\t#format console\n\t\t#format single_field common_log\n\t}\n}\n\n### Site Definitions:\n\npublic.example.com {\n\n\t# Site Root:\n\troot * F:\\files\\public\n\n\timport add_logging_with_path \"F:\\caddy\\logs\\public_example_com_access.log\"\n\timport add_static_file_serving_features\n\timport add_hsts_headers\n}\n\n\n### Reverse Proxy Definitions:\n\nwebdav.example.com {\n\treverse_proxy localhost:9000\n\n\timport add_logging_with_path \"F:\\caddy\\logs\\webdav_example_com_access.log\"\n}\n```\n" }, { "path": "examples/quotascan/README.md", "content": "# Update user quota\n\n:warning: Since v2.4.0 you can use the [EventManager](https://docs.sftpgo.com/latest/eventmanager/) to schedule quota scans.\n\nThe `scanuserquota` example script shows how to use the SFTPGo REST API to update the users' quota.\n\nThe stored quota may be incorrect for several reasons, such as an unexpected shutdown while uploading files, temporary provider failures, files copied outside of SFTPGo, and so on.\n\nA quota scan updates the number of files and their total size for the specified user and the virtual folders, if any, included in his quota.\n\nIf you want to track quotas, a scheduled quota scan is recommended. You can use this example as a starting point.\n\nThe script is written in Python and has the following requirements:\n\n- python3 or python2\n- python [Requests](https://requests.readthedocs.io/en/master/) module\n\nThe provided example tries to connect to an SFTPGo instance running on `127.0.0.1:8080` using the following credentials:\n\n- username: `admin`\n- password: `password`\n\nPlease edit the script according to your needs.\n" }, { "path": "examples/quotascan/scanuserquota", "content": "#!/usr/bin/env python\n\nfrom datetime import datetime\nimport sys\nimport time\n\nimport pytz\nimport requests\n\ntry:\n\timport urllib.parse as urlparse\nexcept ImportError:\n\timport urlparse\n\n# change base_url to point to your SFTPGo installation\nbase_url = \"http://127.0.0.1:8080\"\n# set to False if you want to skip TLS certificate validation\nverify_tls_cert = True\n# set the credentials for a valid admin here\nadmin_user = \"admin\"\nadmin_password = \"password\"\n\n\n# set your update conditions here\ndef needQuotaUpdate(user):\n\tif user[\"status\"] == 0: # inactive user\n\t\treturn False\n\tif user[\"quota_size\"] == 0 and user[\"quota_files\"] == 0: # no quota restrictions\n\t\treturn False\n\treturn True\n\n\nclass UpdateQuota:\n\n\tdef __init__(self):\n\t\tself.limit = 100\n\t\tself.offset = 0\n\t\tself.access_token = \"\"\n\t\tself.access_token_expiration = None\n\n\tdef printLog(self, message):\n\t\tprint(\"{} - {}\".format(datetime.now(), message))\n\n\tdef checkAccessToken(self):\n\t\tif self.access_token != \"\" and self.access_token_expiration:\n\t\t\texpire_diff = self.access_token_expiration - datetime.now(tz=pytz.UTC)\n\t\t\t# we don't use total_seconds to be python 2 compatible\n\t\t\tseconds_to_expire = expire_diff.days * 86400 + expire_diff.seconds\n\t\t\tif seconds_to_expire > 180:\n\t\t\t\treturn\n\n\t\tauth = requests.auth.HTTPBasicAuth(admin_user, admin_password)\n\t\tr = requests.get(urlparse.urljoin(base_url, \"api/v2/token\"), auth=auth, verify=verify_tls_cert, timeout=10)\n\t\tif r.status_code != 200:\n\t\t\tself.printLog(\"error getting access token: {}\".format(r.text))\n\t\t\tsys.exit(1)\n\t\tself.access_token = r.json()[\"access_token\"]\n\t\tself.access_token_expiration = pytz.timezone(\"UTC\").localize(datetime.strptime(r.json()[\"expires_at\"],\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"%Y-%m-%dT%H:%M:%SZ\"))\n\n\tdef getAuthHeader(self):\n\t\tself.checkAccessToken()\n\t\treturn {\"Authorization\": \"Bearer \" + self.access_token}\n\n\tdef waitForQuotaUpdate(self, username):\n\t\twhile True:\n\t\t\tauth_header = self.getAuthHeader()\n\t\t\tr = requests.get(urlparse.urljoin(base_url, \"api/v2/quotas/users/scans\"), headers=auth_header, verify=verify_tls_cert,\n\t\t\t\t\t\t\ttimeout=10)\n\t\t\tif r.status_code != 200:\n\t\t\t\tself.printLog(\"error getting quota scans while waiting for {}: {}\".format(username, r.text))\n\t\t\t\tsys.exit(1)\n\n\t\t\tscanning = False\n\t\t\tfor scan in r.json():\n\t\t\t\tif scan[\"username\"] == username:\n\t\t\t\t\tscanning = True\n\t\t\tif not scanning:\n\t\t\t\tbreak\n\t\t\tself.printLog(\"waiting for the quota scan to complete for user {}\".format(username))\n\t\t\ttime.sleep(2)\n\n\t\tself.printLog(\"quota update for user {} finished\".format(username))\n\n\tdef updateUserQuota(self, username):\n\t\tself.printLog(\"starting quota update for user {}\".format(username))\n\t\tauth_header = self.getAuthHeader()\n\t\tr = requests.post(urlparse.urljoin(base_url, \"api/v2/quotas/users/\" + username + \"/scan\"), headers=auth_header,\n\t\t\t\t\t\t verify=verify_tls_cert, timeout=10)\n\t\tif r.status_code != 202:\n\t\t\tself.printLog(\"error starting quota scan for user {}: {}\".format(username, r.text))\n\t\t\tsys.exit(1)\n\t\tself.waitForQuotaUpdate(username)\n\n\tdef updateUsersQuota(self):\n\t\twhile True:\n\t\t\tself.printLog(\"get users, limit {} offset {}\".format(self.limit, self.offset))\n\t\t\tauth_header = self.getAuthHeader()\n\t\t\tpayload = {\"limit\":self.limit, \"offset\":self.offset}\n\t\t\tr = requests.get(urlparse.urljoin(base_url, \"api/v2/users\"), headers=auth_header, params=payload,\n\t\t\t\t\t\tverify=verify_tls_cert, timeout=10)\n\t\t\tif r.status_code != 200:\n\t\t\t\tself.printLog(\"error getting users: {}\".format(r.text))\n\t\t\t\tsys.exit(1)\n\t\t\tusers = r.json()\n\t\t\tfor user in users:\n\t\t\t\tif needQuotaUpdate(user):\n\t\t\t\t\tself.updateUserQuota(user[\"username\"])\n\t\t\t\telse:\n\t\t\t\t\tself.printLog(\"user {} does not need a quota update\".format(user[\"username\"]))\n\n\t\t\tself.offset += len(users)\n\t\t\tif len(users) < self.limit:\n\t\t\t\tbreak\n\n\nif __name__ == '__main__':\n\tq = UpdateQuota()\n\tq.updateUsersQuota()\n" }, { "path": "go.mod", "content": "module github.com/drakkan/sftpgo/v2\n\ngo 1.25.0\n\nrequire (\n\tcloud.google.com/go/storage v1.60.0\n\tgithub.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0\n\tgithub.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1\n\tgithub.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.4\n\tgithub.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5\n\tgithub.com/alexedwards/argon2id v1.0.0\n\tgithub.com/amoghe/go-crypt v0.0.0-20220222110647-20eada5f5964\n\tgithub.com/aws/aws-sdk-go-v2 v1.41.4\n\tgithub.com/aws/aws-sdk-go-v2/config v1.32.12\n\tgithub.com/aws/aws-sdk-go-v2/credentials v1.19.12\n\tgithub.com/aws/aws-sdk-go-v2/service/s3 v1.97.1\n\tgithub.com/aws/aws-sdk-go-v2/service/sts v1.41.9\n\tgithub.com/bmatcuk/doublestar/v4 v4.10.0\n\tgithub.com/cockroachdb/cockroach-go/v2 v2.4.3\n\tgithub.com/coreos/go-oidc/v3 v3.17.0\n\tgithub.com/drakkan/webdav v0.0.0-20241026165615-b8b8f74ae71b\n\tgithub.com/eikenb/pipeat v0.0.0-20251030185646-385cd3c3e07b\n\tgithub.com/fclairamb/ftpserverlib v0.30.0\n\tgithub.com/go-acme/lego/v4 v4.33.0\n\tgithub.com/go-chi/chi/v5 v5.2.5\n\tgithub.com/go-chi/render v1.0.3\n\tgithub.com/go-jose/go-jose/v4 v4.1.3\n\tgithub.com/go-sql-driver/mysql v1.9.3\n\tgithub.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510\n\tgithub.com/google/uuid v1.6.0\n\tgithub.com/hashicorp/go-hclog v1.6.3\n\tgithub.com/hashicorp/go-plugin v1.7.0\n\tgithub.com/hashicorp/go-retryablehttp v0.7.8\n\tgithub.com/jackc/pgx/v5 v5.8.0\n\tgithub.com/jlaffaye/ftp v0.2.0\n\tgithub.com/klauspost/compress v1.18.4\n\tgithub.com/lithammer/shortuuid/v4 v4.2.0\n\tgithub.com/mattn/go-sqlite3 v1.14.37\n\tgithub.com/mhale/smtpd v0.8.3\n\tgithub.com/minio/sio v0.4.3\n\tgithub.com/otiai10/copy v1.14.1\n\tgithub.com/pires/go-proxyproto v0.11.0\n\tgithub.com/pkg/sftp v1.13.10\n\tgithub.com/pquerna/otp v1.5.0\n\tgithub.com/prometheus/client_golang v1.23.2\n\tgithub.com/robfig/cron/v3 v3.0.1\n\tgithub.com/rs/cors v1.11.1\n\tgithub.com/rs/xid v1.6.0\n\tgithub.com/rs/zerolog v1.34.0\n\tgithub.com/sftpgo/sdk v0.1.9\n\tgithub.com/shirou/gopsutil/v3 v3.24.5\n\tgithub.com/spf13/afero v1.15.0\n\tgithub.com/spf13/cobra v1.10.2\n\tgithub.com/spf13/viper v1.21.0\n\tgithub.com/stretchr/testify v1.11.1\n\tgithub.com/studio-b12/gowebdav v0.12.0\n\tgithub.com/subosito/gotenv v1.6.0\n\tgithub.com/unrolled/secure v1.17.0\n\tgithub.com/wagslane/go-password-validator v0.3.0\n\tgithub.com/wneessen/go-mail v0.7.2\n\tgithub.com/yl2chen/cidranger v1.0.3-0.20210928021809-d1cb2c52f37a\n\tgo.etcd.io/bbolt v1.4.3\n\tgocloud.dev v0.45.0\n\tgolang.org/x/crypto v0.49.0\n\tgolang.org/x/net v0.52.0\n\tgolang.org/x/oauth2 v0.36.0\n\tgolang.org/x/sys v0.42.0\n\tgolang.org/x/term v0.41.0\n\tgolang.org/x/time v0.15.0\n\tgoogle.golang.org/api v0.272.0\n\tgopkg.in/natefinch/lumberjack.v2 v2.2.1\n)\n\nrequire (\n\tcel.dev/expr v0.25.1 // indirect\n\tcloud.google.com/go v0.123.0 // indirect\n\tcloud.google.com/go/auth v0.18.2 // indirect\n\tcloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect\n\tcloud.google.com/go/compute/metadata v0.9.0 // indirect\n\tcloud.google.com/go/iam v1.5.3 // indirect\n\tcloud.google.com/go/monitoring v1.24.3 // indirect\n\tfilippo.io/edwards25519 v1.2.0 // indirect\n\tgithub.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect\n\tgithub.com/AzureAD/microsoft-authentication-library-for-go v1.7.0 // indirect\n\tgithub.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.31.0 // indirect\n\tgithub.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.55.0 // indirect\n\tgithub.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.55.0 // indirect\n\tgithub.com/ajg/form v1.7.1 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.7 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/internal/v4a v1.4.21 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.12 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.20 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/signin v1.0.8 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/sso v1.30.13 // indirect\n\tgithub.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 // indirect\n\tgithub.com/aws/smithy-go v1.24.2 // indirect\n\tgithub.com/beorn7/perks v1.0.1 // indirect\n\tgithub.com/boombuler/barcode v1.1.0 // indirect\n\tgithub.com/cenkalti/backoff/v5 v5.0.3 // indirect\n\tgithub.com/cespare/xxhash/v2 v2.3.0 // indirect\n\tgithub.com/cncf/xds/go v0.0.0-20260202195803-dba9d589def2 // indirect\n\tgithub.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect\n\tgithub.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect\n\tgithub.com/envoyproxy/go-control-plane/envoy v1.37.0 // indirect\n\tgithub.com/envoyproxy/protoc-gen-validate v1.3.3 // indirect\n\tgithub.com/fatih/color v1.18.0 // indirect\n\tgithub.com/felixge/httpsnoop v1.0.4 // indirect\n\tgithub.com/fsnotify/fsnotify v1.9.0 // indirect\n\tgithub.com/go-logr/logr v1.4.3 // indirect\n\tgithub.com/go-logr/stdr v1.2.2 // indirect\n\tgithub.com/go-ole/go-ole v1.3.0 // indirect\n\tgithub.com/go-viper/mapstructure/v2 v2.5.0 // indirect\n\tgithub.com/golang-jwt/jwt/v5 v5.3.1 // indirect\n\tgithub.com/golang/protobuf v1.5.4 // indirect\n\tgithub.com/google/s2a-go v0.1.9 // indirect\n\tgithub.com/googleapis/enterprise-certificate-proxy v0.3.14 // indirect\n\tgithub.com/googleapis/gax-go/v2 v2.19.0 // indirect\n\tgithub.com/hashicorp/errwrap v1.1.0 // indirect\n\tgithub.com/hashicorp/go-cleanhttp v0.5.2 // indirect\n\tgithub.com/hashicorp/go-multierror v1.1.1 // indirect\n\tgithub.com/hashicorp/yamux v0.1.2 // indirect\n\tgithub.com/inconshreveable/mousetrap v1.1.0 // indirect\n\tgithub.com/jackc/pgpassfile v1.0.0 // indirect\n\tgithub.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect\n\tgithub.com/jackc/puddle/v2 v2.2.2 // indirect\n\tgithub.com/kr/fs v0.1.0 // indirect\n\tgithub.com/kylelemons/godebug v1.1.0 // indirect\n\tgithub.com/lufia/plan9stats v0.0.0-20260216142805-b3301c5f2a88 // indirect\n\tgithub.com/mattn/go-colorable v0.1.14 // indirect\n\tgithub.com/mattn/go-isatty v0.0.20 // indirect\n\tgithub.com/miekg/dns v1.1.72 // indirect\n\tgithub.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect\n\tgithub.com/oklog/run v1.2.0 // indirect\n\tgithub.com/otiai10/mint v1.6.3 // indirect\n\tgithub.com/pelletier/go-toml/v2 v2.2.4 // indirect\n\tgithub.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect\n\tgithub.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect\n\tgithub.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect\n\tgithub.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect\n\tgithub.com/prometheus/client_model v0.6.2 // indirect\n\tgithub.com/prometheus/common v0.67.5 // indirect\n\tgithub.com/prometheus/procfs v0.20.1 // indirect\n\tgithub.com/russross/blackfriday/v2 v2.1.0 // indirect\n\tgithub.com/sagikazarmark/locafero v0.12.0 // indirect\n\tgithub.com/shoenig/go-m1cpu v0.2.1 // indirect\n\tgithub.com/spf13/cast v1.10.0 // indirect\n\tgithub.com/spf13/pflag v1.0.10 // indirect\n\tgithub.com/spiffe/go-spiffe/v2 v2.6.0 // indirect\n\tgithub.com/tklauser/go-sysconf v0.3.16 // indirect\n\tgithub.com/tklauser/numcpus v0.11.0 // indirect\n\tgithub.com/yusufpapurcu/wmi v1.2.4 // indirect\n\tgo.opentelemetry.io/auto/sdk v1.2.1 // indirect\n\tgo.opentelemetry.io/contrib/detectors/gcp v1.42.0 // indirect\n\tgo.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0 // indirect\n\tgo.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 // indirect\n\tgo.opentelemetry.io/otel v1.42.0 // indirect\n\tgo.opentelemetry.io/otel/metric v1.42.0 // indirect\n\tgo.opentelemetry.io/otel/sdk v1.42.0 // indirect\n\tgo.opentelemetry.io/otel/sdk/metric v1.42.0 // indirect\n\tgo.opentelemetry.io/otel/trace v1.42.0 // indirect\n\tgo.yaml.in/yaml/v2 v2.4.4 // indirect\n\tgo.yaml.in/yaml/v3 v3.0.4 // indirect\n\tgolang.org/x/mod v0.34.0 // indirect\n\tgolang.org/x/sync v0.20.0 // indirect\n\tgolang.org/x/text v0.35.0 // indirect\n\tgolang.org/x/tools v0.43.0 // indirect\n\tgolang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect\n\tgoogle.golang.org/genproto v0.0.0-20260319171110-e3a33c96fb44 // indirect\n\tgoogle.golang.org/genproto/googleapis/api v0.0.0-20260319171110-e3a33c96fb44 // indirect\n\tgoogle.golang.org/genproto/googleapis/rpc v0.0.0-20260319171110-e3a33c96fb44 // indirect\n\tgoogle.golang.org/grpc v1.79.3 // indirect\n\tgoogle.golang.org/protobuf v1.36.11 // indirect\n\tgopkg.in/yaml.v3 v3.0.1 // indirect\n)\n\nreplace (\n\tgithub.com/jlaffaye/ftp => github.com/drakkan/ftp v0.0.0-20240430173938-7ba8270c8e7f\n\tgithub.com/robfig/cron/v3 => github.com/drakkan/cron/v3 v3.0.0-20230222140221-217a1e4d96c0\n)\n" }, { "path": "go.sum", "content": "cel.dev/expr v0.25.1 h1:1KrZg61W6TWSxuNZ37Xy49ps13NUovb66QLprthtwi4=\ncel.dev/expr v0.25.1/go.mod h1:hrXvqGP6G6gyx8UAHSHJ5RGk//1Oj5nXQ2NI02Nrsg4=\ncloud.google.com/go v0.123.0 h1:2NAUJwPR47q+E35uaJeYoNhuNEM9kM8SjgRgdeOJUSE=\ncloud.google.com/go v0.123.0/go.mod h1:xBoMV08QcqUGuPW65Qfm1o9Y4zKZBpGS+7bImXLTAZU=\ncloud.google.com/go/auth v0.18.2 h1:+Nbt5Ev0xEqxlNjd6c+yYUeosQ5TtEUaNcN/3FozlaM=\ncloud.google.com/go/auth v0.18.2/go.mod h1:xD+oY7gcahcu7G2SG2DsBerfFxgPAJz17zz2joOFF3M=\ncloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=\ncloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=\ncloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=\ncloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=\ncloud.google.com/go/iam v1.5.3 h1:+vMINPiDF2ognBJ97ABAYYwRgsaqxPbQDlMnbHMjolc=\ncloud.google.com/go/iam v1.5.3/go.mod h1:MR3v9oLkZCTlaqljW6Eb2d3HGDGK5/bDv93jhfISFvU=\ncloud.google.com/go/kms v1.26.0 h1:cK9mN2cf+9V63D3H1f6koxTatWy39aTI/hCjz1I+adU=\ncloud.google.com/go/kms v1.26.0/go.mod h1:pHKOdFJm63hxBsiPkYtowZPltu9dW0MWvBa6IA4HM58=\ncloud.google.com/go/logging v1.13.2 h1:qqlHCBvieJT9Cdq4QqYx1KPadCQ2noD4FK02eNqHAjA=\ncloud.google.com/go/logging v1.13.2/go.mod h1:zaybliM3yun1J8mU2dVQ1/qDzjbOqEijZCn6hSBtKak=\ncloud.google.com/go/longrunning v0.8.0 h1:LiKK77J3bx5gDLi4SMViHixjD2ohlkwBi+mKA7EhfW8=\ncloud.google.com/go/longrunning v0.8.0/go.mod h1:UmErU2Onzi+fKDg2gR7dusz11Pe26aknR4kHmJJqIfk=\ncloud.google.com/go/monitoring v1.24.3 h1:dde+gMNc0UhPZD1Azu6at2e79bfdztVDS5lvhOdsgaE=\ncloud.google.com/go/monitoring v1.24.3/go.mod h1:nYP6W0tm3N9H/bOw8am7t62YTzZY+zUeQ+Bi6+2eonI=\ncloud.google.com/go/storage v1.60.0 h1:oBfZrSOCimggVNz9Y/bXY35uUcts7OViubeddTTVzQ8=\ncloud.google.com/go/storage v1.60.0/go.mod h1:q+5196hXfejkctrnx+VYU8RKQr/L3c0cBIlrjmiAKE0=\ncloud.google.com/go/trace v1.11.7 h1:kDNDX8JkaAG3R2nq1lIdkb7FCSi1rCmsEtKVsty7p+U=\ncloud.google.com/go/trace v1.11.7/go.mod h1:TNn9d5V3fQVf6s4SCveVMIBS2LJUqo73GACmq/Tky0s=\nfilippo.io/edwards25519 v1.2.0 h1:crnVqOiS4jqYleHd9vaKZ+HKtHfllngJIiOpNpoJsjo=\nfilippo.io/edwards25519 v1.2.0/go.mod h1:xzAOLCNug/yB62zG1bQ8uziwrIqIuxhctzJT18Q77mc=\ngithub.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU=\ngithub.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0 h1:fou+2+WFTib47nS+nz/ozhEBnvU96bKHy6LjRsY4E28=\ngithub.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0/go.mod h1:t76Ruy8AHvUAC8GfMWJMa0ElSbuIcO03NLpynfbgsPA=\ngithub.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 h1:Hk5QBxZQC1jb2Fwj6mpzme37xbCDdNTxU7O9eb5+LB4=\ngithub.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1/go.mod h1:IYus9qsFobWIc2YVwe/WPjcnyCkPKtnHAqUYeebc8z0=\ngithub.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY=\ngithub.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8=\ngithub.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDozdmndjTm8DXdpCzPajMgA=\ngithub.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2/go.mod h1:XtLgD3ZD34DAaVIIAyG3objl5DynM3CQ/vMcbBNJZGI=\ngithub.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.1 h1:/Zt+cDPnpC3OVDm/JKLOs7M2DKmLRIIp3XIx9pHHiig=\ngithub.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.1/go.mod h1:Ng3urmn6dYe8gnbCMoHHVl5APYz2txho3koEkV2o2HA=\ngithub.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.4 h1:jWQK1GI+LeGGUKBADtcH2rRqPxYB1Ljwms5gFA2LqrM=\ngithub.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.4/go.mod h1:8mwH4klAm9DUgR2EEHyEEAQlRDvLPyg5fQry3y+cDew=\ngithub.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=\ngithub.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=\ngithub.com/AzureAD/microsoft-authentication-library-for-go v1.7.0 h1:4iB+IesclUXdP0ICgAabvq2FYLXrJWKx1fJQ+GxSo3Y=\ngithub.com/AzureAD/microsoft-authentication-library-for-go v1.7.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=\ngithub.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 h1:IEjq88XO4PuBDcvmjQJcQGg+w+UaafSy8G5Kcb5tBhI=\ngithub.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5/go.mod h1:exZ0C/1emQJAw5tHOaUDyY1ycttqBAPcxuzf7QbY6ec=\ngithub.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.31.0 h1:DHa2U07rk8syqvCge0QIGMCE1WxGj9njT44GH7zNJLQ=\ngithub.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.31.0/go.mod h1:P4WPRUkOhJC13W//jWpyfJNDAIpvRbAUIYLX/4jtlE0=\ngithub.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.55.0 h1:UnDZ/zFfG1JhH/DqxIZYU/1CUAlTUScoXD/LcM2Ykk8=\ngithub.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.55.0/go.mod h1:IA1C1U7jO/ENqm/vhi7V9YYpBsp+IMyqNrEN94N7tVc=\ngithub.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.55.0 h1:7t/qx5Ost0s0wbA/VDrByOooURhp+ikYwv20i9Y07TQ=\ngithub.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.55.0/go.mod h1:vB2GH9GAYYJTO3mEn8oYwzEdhlayZIdQz6zdzgUIRvA=\ngithub.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.55.0 h1:0s6TxfCu2KHkkZPnBfsQ2y5qia0jl3MMrmBhu3nCOYk=\ngithub.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.55.0/go.mod h1:Mf6O40IAyB9zR/1J8nGDDPirZQQPbYJni8Yisy7NTMc=\ngithub.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=\ngithub.com/ajg/form v1.7.1 h1:OsnBDzTkrWdrxvEnO68I72ZVGJGNaMwPhoAm0V+llgc=\ngithub.com/ajg/form v1.7.1/go.mod h1:HL757PzLyNkj5AIfptT6L+iGNeXTlnrr/oDePGc/y7Q=\ngithub.com/alexedwards/argon2id v1.0.0 h1:wJzDx66hqWX7siL/SRUmgz3F8YMrd/nfX/xHHcQQP0w=\ngithub.com/alexedwards/argon2id v1.0.0/go.mod h1:tYKkqIjzXvZdzPvADMWOEZ+l6+BD6CtBXMj5fnJppiw=\ngithub.com/amoghe/go-crypt v0.0.0-20220222110647-20eada5f5964 h1:I9YN9WMo3SUh7p/4wKeNvD/IQla3U3SUa61U7ul+xM4=\ngithub.com/amoghe/go-crypt v0.0.0-20220222110647-20eada5f5964/go.mod h1:eFiR01PwTcpbzXtdMces7zxg6utvFM5puiWHpWB8D/k=\ngithub.com/aws/aws-sdk-go-v2 v1.41.4 h1:10f50G7WyU02T56ox1wWXq+zTX9I1zxG46HYuG1hH/k=\ngithub.com/aws/aws-sdk-go-v2 v1.41.4/go.mod h1:mwsPRE8ceUUpiTgF7QmQIJ7lgsKUPQOUl3o72QBrE1o=\ngithub.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.7 h1:3kGOqnh1pPeddVa/E37XNTaWJ8W6vrbYV9lJEkCnhuY=\ngithub.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.7/go.mod h1:lyw7GFp3qENLh7kwzf7iMzAxDn+NzjXEAGjKS2UOKqI=\ngithub.com/aws/aws-sdk-go-v2/config v1.32.12 h1:O3csC7HUGn2895eNrLytOJQdoL2xyJy0iYXhoZ1OmP0=\ngithub.com/aws/aws-sdk-go-v2/config v1.32.12/go.mod h1:96zTvoOFR4FURjI+/5wY1vc1ABceROO4lWgWJuxgy0g=\ngithub.com/aws/aws-sdk-go-v2/credentials v1.19.12 h1:oqtA6v+y5fZg//tcTWahyN9PEn5eDU/Wpvc2+kJ4aY8=\ngithub.com/aws/aws-sdk-go-v2/credentials v1.19.12/go.mod h1:U3R1RtSHx6NB0DvEQFGyf/0sbrpJrluENHdPy1j/3TE=\ngithub.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20 h1:zOgq3uezl5nznfoK3ODuqbhVg1JzAGDUhXOsU0IDCAo=\ngithub.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20/go.mod h1:z/MVwUARehy6GAg/yQ1GO2IMl0k++cu1ohP9zo887wE=\ngithub.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20 h1:CNXO7mvgThFGqOFgbNAP2nol2qAWBOGfqR/7tQlvLmc=\ngithub.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20/go.mod h1:oydPDJKcfMhgfcgBUZaG+toBbwy8yPWubJXBVERtI4o=\ngithub.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20 h1:tN6W/hg+pkM+tf9XDkWUbDEjGLb+raoBMFsTodcoYKw=\ngithub.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20/go.mod h1:YJ898MhD067hSHA6xYCx5ts/jEd8BSOLtQDL3iZsvbc=\ngithub.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 h1:qYQ4pzQ2Oz6WpQ8T3HvGHnZydA72MnLuFK9tJwmrbHw=\ngithub.com/aws/aws-sdk-go-v2/internal/ini v1.8.6/go.mod h1:O3h0IK87yXci+kg6flUKzJnWeziQUKciKrLjcatSNcY=\ngithub.com/aws/aws-sdk-go-v2/internal/v4a v1.4.21 h1:SwGMTMLIlvDNyhMteQ6r8IJSBPlRdXX5d4idhIGbkXA=\ngithub.com/aws/aws-sdk-go-v2/internal/v4a v1.4.21/go.mod h1:UUxgWxofmOdAMuqEsSppbDtGKLfR04HGsD0HXzvhI1k=\ngithub.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 h1:5EniKhLZe4xzL7a+fU3C2tfUN4nWIqlLesfrjkuPFTY=\ngithub.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7/go.mod h1:x0nZssQ3qZSnIcePWLvcoFisRXJzcTVvYpAAdYX8+GI=\ngithub.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.12 h1:qtJZ70afD3ISKWnoX3xB0J2otEqu3LqicRcDBqsj0hQ=\ngithub.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.12/go.mod h1:v2pNpJbRNl4vEUWEh5ytQok0zACAKfdmKS51Hotc3pQ=\ngithub.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20 h1:2HvVAIq+YqgGotK6EkMf+KIEqTISmTYh5zLpYyeTo1Y=\ngithub.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20/go.mod h1:V4X406Y666khGa8ghKmphma/7C0DAtEQYhkq9z4vpbk=\ngithub.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.20 h1:siU1A6xjUZ2N8zjTHSXFhB9L/2OY8Dqs0xXiLjF30jA=\ngithub.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.20/go.mod h1:4TLZCmVJDM3FOu5P5TJP0zOlu9zWgDWU7aUxWbr+rcw=\ngithub.com/aws/aws-sdk-go-v2/service/s3 v1.97.1 h1:csi9NLpFZXb9fxY7rS1xVzgPRGMt7MSNWeQ6eo247kE=\ngithub.com/aws/aws-sdk-go-v2/service/s3 v1.97.1/go.mod h1:qXVal5H0ChqXP63t6jze5LmFalc7+ZE7wOdLtZ0LCP0=\ngithub.com/aws/aws-sdk-go-v2/service/signin v1.0.8 h1:0GFOLzEbOyZABS3PhYfBIx2rNBACYcKty+XGkTgw1ow=\ngithub.com/aws/aws-sdk-go-v2/service/signin v1.0.8/go.mod h1:LXypKvk85AROkKhOG6/YEcHFPoX+prKTowKnVdcaIxE=\ngithub.com/aws/aws-sdk-go-v2/service/sso v1.30.13 h1:kiIDLZ005EcKomYYITtfsjn7dtOwHDOFy7IbPXKek2o=\ngithub.com/aws/aws-sdk-go-v2/service/sso v1.30.13/go.mod h1:2h/xGEowcW/g38g06g3KpRWDlT+OTfxxI0o1KqayAB8=\ngithub.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 h1:jzKAXIlhZhJbnYwHbvUQZEB8KfgAEuG0dc08Bkda7NU=\ngithub.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17/go.mod h1:Al9fFsXjv4KfbzQHGe6V4NZSZQXecFcvaIF4e70FoRA=\ngithub.com/aws/aws-sdk-go-v2/service/sts v1.41.9 h1:Cng+OOwCHmFljXIxpEVXAGMnBia8MSU6Ch5i9PgBkcU=\ngithub.com/aws/aws-sdk-go-v2/service/sts v1.41.9/go.mod h1:LrlIndBDdjA/EeXeyNBle+gyCwTlizzW5ycgWnvIxkk=\ngithub.com/aws/smithy-go v1.24.2 h1:FzA3bu/nt/vDvmnkg+R8Xl46gmzEDam6mZ1hzmwXFng=\ngithub.com/aws/smithy-go v1.24.2/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=\ngithub.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=\ngithub.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=\ngithub.com/bmatcuk/doublestar/v4 v4.10.0 h1:zU9WiOla1YA122oLM6i4EXvGW62DvKZVxIe6TYWexEs=\ngithub.com/bmatcuk/doublestar/v4 v4.10.0/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=\ngithub.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=\ngithub.com/boombuler/barcode v1.1.0 h1:ChaYjBR63fr4LFyGn8E8nt7dBSt3MiU3zMOZqFvVkHo=\ngithub.com/boombuler/barcode v1.1.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=\ngithub.com/bufbuild/protocompile v0.14.1 h1:iA73zAf/fyljNjQKwYzUHD6AD4R8KMasmwa/FBatYVw=\ngithub.com/bufbuild/protocompile v0.14.1/go.mod h1:ppVdAIhbr2H8asPk6k4pY7t9zB1OU5DoEw9xY/FUi1c=\ngithub.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=\ngithub.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=\ngithub.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=\ngithub.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=\ngithub.com/cncf/xds/go v0.0.0-20260202195803-dba9d589def2 h1:aBangftG7EVZoUb69Os8IaYg++6uMOdKK83QtkkvJik=\ngithub.com/cncf/xds/go v0.0.0-20260202195803-dba9d589def2/go.mod h1:qwXFYgsP6T7XnJtbKlf1HP8AjxZZyzxMmc+Lq5GjlU4=\ngithub.com/cockroachdb/cockroach-go/v2 v2.4.3 h1:LJO3K3jC5WXvMePRQSJE1NsIGoFGcEx1LW83W6RAlhw=\ngithub.com/cockroachdb/cockroach-go/v2 v2.4.3/go.mod h1:9U179XbCx4qFWtNhc7BiWLPfuyMVQ7qdAhfrwLz1vH0=\ngithub.com/coreos/go-oidc/v3 v3.17.0 h1:hWBGaQfbi0iVviX4ibC7bk8OKT5qNr4klBaCHVNvehc=\ngithub.com/coreos/go-oidc/v3 v3.17.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8=\ngithub.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=\ngithub.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=\ngithub.com/cpuguy83/go-md2man/v2 v2.0.7 h1:zbFlGlXEAKlwXpmvle3d8Oe3YnkKIK4xSRTd3sHPnBo=\ngithub.com/cpuguy83/go-md2man/v2 v2.0.7/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=\ngithub.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=\ngithub.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=\ngithub.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=\ngithub.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=\ngithub.com/drakkan/cron/v3 v3.0.0-20230222140221-217a1e4d96c0 h1:EW9gIJRmt9lzk66Fhh4S8VEtURA6QHZqGeSRE9Nb2/U=\ngithub.com/drakkan/cron/v3 v3.0.0-20230222140221-217a1e4d96c0/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=\ngithub.com/drakkan/ftp v0.0.0-20240430173938-7ba8270c8e7f h1:S9JUlrOzjK58UKoLqqb40YLyVlt0bcIFtYrvnanV3zc=\ngithub.com/drakkan/ftp v0.0.0-20240430173938-7ba8270c8e7f/go.mod h1:4p8lUl4vQ80L598CygL+3IFtm+3nggvvW/palOlViwE=\ngithub.com/drakkan/webdav v0.0.0-20241026165615-b8b8f74ae71b h1:Y1tLiQ8fnxM5f3wiBjAXsHzHNwiY9BR+mXZA75nZwrs=\ngithub.com/drakkan/webdav v0.0.0-20241026165615-b8b8f74ae71b/go.mod h1:zOVb1QDhwwqWn2L2qZ0U3swMSO4GTSNyIwXCGO/UGWE=\ngithub.com/eikenb/pipeat v0.0.0-20251030185646-385cd3c3e07b h1:G2Mm3YhlyjkFrNnvu5E6LtNcPJtggXL1i5ekDV4hDD4=\ngithub.com/eikenb/pipeat v0.0.0-20251030185646-385cd3c3e07b/go.mod h1:XccPiThW83W5pzeOCsJAylEUtWeH+3zQVwiO402FXXc=\ngithub.com/envoyproxy/go-control-plane v0.14.0 h1:hbG2kr4RuFj222B6+7T83thSPqLjwBIfQawTkC++2HA=\ngithub.com/envoyproxy/go-control-plane v0.14.0/go.mod h1:NcS5X47pLl/hfqxU70yPwL9ZMkUlwlKxtAohpi2wBEU=\ngithub.com/envoyproxy/go-control-plane/envoy v1.37.0 h1:u3riX6BoYRfF4Dr7dwSOroNfdSbEPe9Yyl09/B6wBrQ=\ngithub.com/envoyproxy/go-control-plane/envoy v1.37.0/go.mod h1:DReE9MMrmecPy+YvQOAOHNYMALuowAnbjjEMkkWOi6A=\ngithub.com/envoyproxy/go-control-plane/ratelimit v0.1.0 h1:/G9QYbddjL25KvtKTv3an9lx6VBE2cnb8wp1vEGNYGI=\ngithub.com/envoyproxy/go-control-plane/ratelimit v0.1.0/go.mod h1:Wk+tMFAFbCXaJPzVVHnPgRKdUdwW/KdbRt94AzgRee4=\ngithub.com/envoyproxy/protoc-gen-validate v1.3.3 h1:MVQghNeW+LZcmXe7SY1V36Z+WFMDjpqGAGacLe2T0ds=\ngithub.com/envoyproxy/protoc-gen-validate v1.3.3/go.mod h1:TsndJ/ngyIdQRhMcVVGDDHINPLWB7C82oDArY51KfB0=\ngithub.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=\ngithub.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=\ngithub.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=\ngithub.com/fclairamb/ftpserverlib v0.30.0 h1:caB9sDn1Au//q0j2ev/icPn388qPuk4k1ajSvglDcMQ=\ngithub.com/fclairamb/ftpserverlib v0.30.0/go.mod h1:QmogtltTOgkihyKza0GNo37Mu4AEzbJ+sH6W9Y0MBIQ=\ngithub.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=\ngithub.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=\ngithub.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=\ngithub.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=\ngithub.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=\ngithub.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=\ngithub.com/go-acme/lego/v4 v4.33.0 h1:2KrRKieG+VczT4zvVXKAY7Tp/S3XLvh/QImofBALRAM=\ngithub.com/go-acme/lego/v4 v4.33.0/go.mod h1:lI2fZNdgeM/ymf9xQ9YKbgZm6MeDuf91UrohMQE4DhI=\ngithub.com/go-chi/chi/v5 v5.2.5 h1:Eg4myHZBjyvJmAFjFvWgrqDTXFyOzjj7YIm3L3mu6Ug=\ngithub.com/go-chi/chi/v5 v5.2.5/go.mod h1:X7Gx4mteadT3eDOMTsXzmI4/rwUpOwBHLpAfupzFJP0=\ngithub.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4=\ngithub.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=\ngithub.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=\ngithub.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=\ngithub.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=\ngithub.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=\ngithub.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=\ngithub.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=\ngithub.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=\ngithub.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=\ngithub.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=\ngithub.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=\ngithub.com/go-sql-driver/mysql v1.9.3 h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1aweo=\ngithub.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=\ngithub.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro=\ngithub.com/go-viper/mapstructure/v2 v2.5.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=\ngithub.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=\ngithub.com/gofrs/flock v0.13.0 h1:95JolYOvGMqeH31+FC7D2+uULf6mG61mEZ/A8dRYMzw=\ngithub.com/gofrs/flock v0.13.0/go.mod h1:jxeyy9R1auM5S6JYDBhDt+E2TCo7DkratH4Pgi8P+Z0=\ngithub.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=\ngithub.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=\ngithub.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=\ngithub.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=\ngithub.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=\ngithub.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=\ngithub.com/google/martian/v3 v3.3.3 h1:DIhPTQrbPkgs2yJYdXU/eNACCG5DVQjySNRNlflZ9Fc=\ngithub.com/google/martian/v3 v3.3.3/go.mod h1:iEPrYcgCF7jA9OtScMFQyAlZZ4YXTKEtJ1E6RWzmBA0=\ngithub.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0=\ngithub.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM=\ngithub.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=\ngithub.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=\ngithub.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=\ngithub.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=\ngithub.com/google/wire v0.7.0 h1:JxUKI6+CVBgCO2WToKy/nQk0sS+amI9z9EjVmdaocj4=\ngithub.com/google/wire v0.7.0/go.mod h1:n6YbUQD9cPKTnHXEBN2DXlOp/mVADhVErcMFb0v3J18=\ngithub.com/googleapis/enterprise-certificate-proxy v0.3.14 h1:yh8ncqsbUY4shRD5dA6RlzjJaT4hi3kII+zYw8wmLb8=\ngithub.com/googleapis/enterprise-certificate-proxy v0.3.14/go.mod h1:vqVt9yG9480NtzREnTlmGSBmFrA+bzb0yl0TxoBQXOg=\ngithub.com/googleapis/gax-go/v2 v2.19.0 h1:fYQaUOiGwll0cGj7jmHT/0nPlcrZDFPrZRhTsoCr8hE=\ngithub.com/googleapis/gax-go/v2 v2.19.0/go.mod h1:w2ROXVdfGEVFXzmlciUU4EdjHgWvB5h2n6x/8XSTTJA=\ngithub.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=\ngithub.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=\ngithub.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=\ngithub.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=\ngithub.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=\ngithub.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=\ngithub.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=\ngithub.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=\ngithub.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=\ngithub.com/hashicorp/go-plugin v1.7.0 h1:YghfQH/0QmPNc/AZMTFE3ac8fipZyZECHdDPshfk+mA=\ngithub.com/hashicorp/go-plugin v1.7.0/go.mod h1:BExt6KEaIYx804z8k4gRzRLEvxKVb+kn0NMcihqOqb8=\ngithub.com/hashicorp/go-retryablehttp v0.7.8 h1:ylXZWnqa7Lhqpk0L1P1LzDtGcCR0rPVUrx/c8Unxc48=\ngithub.com/hashicorp/go-retryablehttp v0.7.8/go.mod h1:rjiScheydd+CxvumBsIrFKlx3iS0jrZ7LvzFGFmuKbw=\ngithub.com/hashicorp/yamux v0.1.2 h1:XtB8kyFOyHXYVFnwT5C3+Bdo8gArse7j2AQ0DA0Uey8=\ngithub.com/hashicorp/yamux v0.1.2/go.mod h1:C+zze2n6e/7wshOZep2A70/aQU6QBRWJO/G6FT1wIns=\ngithub.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=\ngithub.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=\ngithub.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=\ngithub.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=\ngithub.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=\ngithub.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=\ngithub.com/jackc/pgx/v5 v5.8.0 h1:TYPDoleBBme0xGSAX3/+NujXXtpZn9HBONkQC7IEZSo=\ngithub.com/jackc/pgx/v5 v5.8.0/go.mod h1:QVeDInX2m9VyzvNeiCJVjCkNFqzsNb43204HshNSZKw=\ngithub.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=\ngithub.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=\ngithub.com/jhump/protoreflect v1.17.0 h1:qOEr613fac2lOuTgWN4tPAtLL7fUSbuJL5X5XumQh94=\ngithub.com/jhump/protoreflect v1.17.0/go.mod h1:h9+vUUL38jiBzck8ck+6G/aeMX8Z4QUY/NiJPwPNi+8=\ngithub.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU=\ngithub.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k=\ngithub.com/klauspost/compress v1.18.4 h1:RPhnKRAQ4Fh8zU2FY/6ZFDwTVTxgJ/EMydqSTzE9a2c=\ngithub.com/klauspost/compress v1.18.4/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=\ngithub.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=\ngithub.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=\ngithub.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=\ngithub.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=\ngithub.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=\ngithub.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=\ngithub.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=\ngithub.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=\ngithub.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=\ngithub.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=\ngithub.com/lithammer/shortuuid/v4 v4.2.0 h1:LMFOzVB3996a7b8aBuEXxqOBflbfPQAiVzkIcHO0h8c=\ngithub.com/lithammer/shortuuid/v4 v4.2.0/go.mod h1:D5noHZ2oFw/YaKCfGy0YxyE7M0wMbezmMjPdhyEFe6Y=\ngithub.com/lufia/plan9stats v0.0.0-20260216142805-b3301c5f2a88 h1:PTw+yKnXcOFCR6+8hHTyWBeQ/P4Nb7dd4/0ohEcWQuM=\ngithub.com/lufia/plan9stats v0.0.0-20260216142805-b3301c5f2a88/go.mod h1:autxFIvghDt3jPTLoqZ9OZ7s9qTGNAWmYCjVFWPX/zg=\ngithub.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=\ngithub.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=\ngithub.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=\ngithub.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=\ngithub.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=\ngithub.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=\ngithub.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=\ngithub.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=\ngithub.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=\ngithub.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=\ngithub.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=\ngithub.com/mattn/go-sqlite3 v1.14.37 h1:3DOZp4cXis1cUIpCfXLtmlGolNLp2VEqhiB/PARNBIg=\ngithub.com/mattn/go-sqlite3 v1.14.37/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=\ngithub.com/mhale/smtpd v0.8.3 h1:8j8YNXajksoSLZja3HdwvYVZPuJSqAxFsib3adzRRt8=\ngithub.com/mhale/smtpd v0.8.3/go.mod h1:MQl+y2hwIEQCXtNhe5+55n0GZOjSmeqORDIXbqUL3x4=\ngithub.com/miekg/dns v1.1.72 h1:vhmr+TF2A3tuoGNkLDFK9zi36F2LS+hKTRW0Uf8kbzI=\ngithub.com/miekg/dns v1.1.72/go.mod h1:+EuEPhdHOsfk6Wk5TT2CzssZdqkmFhf8r+aVyDEToIs=\ngithub.com/minio/sio v0.4.3 h1:JqyID1XM86KwBZox5RAdLD4MLPIDoCY2cke2CXCJCkg=\ngithub.com/minio/sio v0.4.3/go.mod h1:4ANoe4CCXqnt1FCiLM0+vlBUhhWZzVOhYCz0069KtFc=\ngithub.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=\ngithub.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=\ngithub.com/oklog/run v1.2.0 h1:O8x3yXwah4A73hJdlrwo/2X6J62gE5qTMusH0dvz60E=\ngithub.com/oklog/run v1.2.0/go.mod h1:mgDbKRSwPhJfesJ4PntqFUbKQRZ50NgmZTSPlFA0YFk=\ngithub.com/otiai10/copy v1.14.1 h1:5/7E6qsUMBaH5AnQ0sSLzzTg1oTECmcCmT6lvF45Na8=\ngithub.com/otiai10/copy v1.14.1/go.mod h1:oQwrEDDOci3IM8dJF0d8+jnbfPDllW6vUjNc3DoZm9I=\ngithub.com/otiai10/mint v1.6.3 h1:87qsV/aw1F5as1eH1zS/yqHY85ANKVMgkDrf9rcxbQs=\ngithub.com/otiai10/mint v1.6.3/go.mod h1:MJm72SBthJjz8qhefc4z1PYEieWmy8Bku7CjcAqyUSM=\ngithub.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=\ngithub.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=\ngithub.com/pires/go-proxyproto v0.11.0 h1:gUQpS85X/VJMdUsYyEgyn59uLJvGqPhJV5YvG68wXH4=\ngithub.com/pires/go-proxyproto v0.11.0/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=\ngithub.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=\ngithub.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=\ngithub.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=\ngithub.com/pkg/sftp v1.13.10 h1:+5FbKNTe5Z9aspU88DPIKJ9z2KZoaGCu6Sr6kKR/5mU=\ngithub.com/pkg/sftp v1.13.10/go.mod h1:bJ1a7uDhrX/4OII+agvy28lzRvQrmIQuaHrcI1HbeGA=\ngithub.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=\ngithub.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=\ngithub.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=\ngithub.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=\ngithub.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=\ngithub.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt9k/+g42oCprj/FisM4qX9L3sZB3upGN2ZU=\ngithub.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=\ngithub.com/pquerna/otp v1.5.0 h1:NMMR+WrmaqXU4EzdGJEE1aUUI0AMRzsp96fFFWNPwxs=\ngithub.com/pquerna/otp v1.5.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=\ngithub.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=\ngithub.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=\ngithub.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=\ngithub.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=\ngithub.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTUGI4=\ngithub.com/prometheus/common v0.67.5/go.mod h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw=\ngithub.com/prometheus/procfs v0.20.1 h1:XwbrGOIplXW/AU3YhIhLODXMJYyC1isLFfYCsTEycfc=\ngithub.com/prometheus/procfs v0.20.1/go.mod h1:o9EMBZGRyvDrSPH1RqdxhojkuXstoe4UlK79eF5TGGo=\ngithub.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=\ngithub.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=\ngithub.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA=\ngithub.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=\ngithub.com/rs/xid v1.6.0 h1:fV591PaemRlL6JfRxGDEPl69wICngIQ3shQtzfy2gxU=\ngithub.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=\ngithub.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=\ngithub.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=\ngithub.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=\ngithub.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=\ngithub.com/sagikazarmark/locafero v0.12.0 h1:/NQhBAkUb4+fH1jivKHWusDYFjMOOKU88eegjfxfHb4=\ngithub.com/sagikazarmark/locafero v0.12.0/go.mod h1:sZh36u/YSZ918v0Io+U9ogLYQJ9tLLBmM4eneO6WwsI=\ngithub.com/secsy/goftp v0.0.0-20200609142545-aa2de14babf4 h1:PT+ElG/UUFMfqy5HrxJxNzj3QBOf7dZwupeVC+mG1Lo=\ngithub.com/secsy/goftp v0.0.0-20200609142545-aa2de14babf4/go.mod h1:MnkX001NG75g3p8bhFycnyIjeQoOjGL6CEIsdE/nKSY=\ngithub.com/sftpgo/sdk v0.1.9 h1:onBWfibCt34xHeKC2KFYPZ1DBqXGl9um/cAw+AVdgzY=\ngithub.com/sftpgo/sdk v0.1.9/go.mod h1:ehimvlTP+XTEiE3t1CPwWx9n7+6A6OGvMGlZ7ouvKFk=\ngithub.com/shirou/gopsutil/v3 v3.24.5 h1:i0t8kL+kQTvpAYToeuiVk3TgDeKOFioZO3Ztz/iZ9pI=\ngithub.com/shirou/gopsutil/v3 v3.24.5/go.mod h1:bsoOS1aStSs9ErQ1WWfxllSeS1K5D+U30r2NfcubMVk=\ngithub.com/shoenig/go-m1cpu v0.2.1 h1:yqRB4fvOge2+FyRXFkXqsyMoqPazv14Yyy+iyccT2E4=\ngithub.com/shoenig/go-m1cpu v0.2.1/go.mod h1:KkDOw6m3ZJQAPHbrzkZki4hnx+pDRR1Lo+ldA56wD5w=\ngithub.com/shoenig/test v1.7.0 h1:eWcHtTXa6QLnBvm0jgEabMRN/uJ4DMV3M8xUGgRkZmk=\ngithub.com/shoenig/test v1.7.0/go.mod h1:UxJ6u/x2v/TNs/LoLxBNJRV9DiwBBKYxXSyczsBHFoI=\ngithub.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=\ngithub.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg=\ngithub.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=\ngithub.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=\ngithub.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=\ngithub.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=\ngithub.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=\ngithub.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=\ngithub.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=\ngithub.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU=\ngithub.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY=\ngithub.com/spiffe/go-spiffe/v2 v2.6.0 h1:l+DolpxNWYgruGQVV0xsfeya3CsC7m8iBzDnMpsbLuo=\ngithub.com/spiffe/go-spiffe/v2 v2.6.0/go.mod h1:gm2SeUoMZEtpnzPNs2Csc0D/gX33k1xIx7lEzqblHEs=\ngithub.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=\ngithub.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=\ngithub.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=\ngithub.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=\ngithub.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=\ngithub.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=\ngithub.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=\ngithub.com/studio-b12/gowebdav v0.12.0 h1:kFRtQECt8jmVAvA6RHBz3geXUGJHUZA6/IKpOVUs5kM=\ngithub.com/studio-b12/gowebdav v0.12.0/go.mod h1:bHA7t77X/QFExdeAnDzK6vKM34kEZAcE1OX4MfiwjkE=\ngithub.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=\ngithub.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=\ngithub.com/tklauser/go-sysconf v0.3.16 h1:frioLaCQSsF5Cy1jgRBrzr6t502KIIwQ0MArYICU0nA=\ngithub.com/tklauser/go-sysconf v0.3.16/go.mod h1:/qNL9xxDhc7tx3HSRsLWNnuzbVfh3e7gh/BmM179nYI=\ngithub.com/tklauser/numcpus v0.11.0 h1:nSTwhKH5e1dMNsCdVBukSZrURJRoHbSEQjdEbY+9RXw=\ngithub.com/tklauser/numcpus v0.11.0/go.mod h1:z+LwcLq54uWZTX0u/bGobaV34u6V7KNlTZejzM6/3MQ=\ngithub.com/unrolled/secure v1.17.0 h1:Io7ifFgo99Bnh0J7+Q+qcMzWM6kaDPCA5FroFZEdbWU=\ngithub.com/unrolled/secure v1.17.0/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40=\ngithub.com/wagslane/go-password-validator v0.3.0 h1:vfxOPzGHkz5S146HDpavl0cw1DSVP061Ry2PX0/ON6I=\ngithub.com/wagslane/go-password-validator v0.3.0/go.mod h1:TI1XJ6T5fRdRnHqHt14pvy1tNVnrwe7m3/f1f2fDphQ=\ngithub.com/wneessen/go-mail v0.7.2 h1:xxPnhZ6IZLSgxShebmZ6DPKh1b6OJcoHfzy7UjOkzS8=\ngithub.com/wneessen/go-mail v0.7.2/go.mod h1:+TkW6QP3EVkgTEqHtVmnAE/1MRhmzb8Y9/W3pweuS+k=\ngithub.com/yl2chen/cidranger v1.0.3-0.20210928021809-d1cb2c52f37a h1:XfF01GyP+0eWCaVp0y6rNN+kFp7pt9Da4UUYrJ5XPWA=\ngithub.com/yl2chen/cidranger v1.0.3-0.20210928021809-d1cb2c52f37a/go.mod h1:aXb8yZQEWo1XHGMf1qQfnb83GR/EJ2EBlwtUgAaNBoE=\ngithub.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=\ngithub.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=\ngithub.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=\ngo.etcd.io/bbolt v1.4.3 h1:dEadXpI6G79deX5prL3QRNP6JB8UxVkqo4UPnHaNXJo=\ngo.etcd.io/bbolt v1.4.3/go.mod h1:tKQlpPaYCVFctUIgFKFnAlvbmB3tpy1vkTnDWohtc0E=\ngo.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=\ngo.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=\ngo.opentelemetry.io/contrib/detectors/gcp v1.42.0 h1:kpt2PEJuOuqYkPcktfJqWWDjTEd/FNgrxcniL7kQrXQ=\ngo.opentelemetry.io/contrib/detectors/gcp v1.42.0/go.mod h1:W9zQ439utxymRrXsUOzZbFX4JhLxXU4+ZnCt8GG7yA8=\ngo.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0 h1:yI1/OhfEPy7J9eoa6Sj051C7n5dvpj0QX8g4sRchg04=\ngo.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0/go.mod h1:NoUCKYWK+3ecatC4HjkRktREheMeEtrXoQxrqYFeHSc=\ngo.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 h1:OyrsyzuttWTSur2qN/Lm0m2a8yqyIjUVBZcxFPuXq2o=\ngo.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0/go.mod h1:C2NGBr+kAB4bk3xtMXfZ94gqFDtg/GkI7e9zqGh5Beg=\ngo.opentelemetry.io/otel v1.42.0 h1:lSQGzTgVR3+sgJDAU/7/ZMjN9Z+vUip7leaqBKy4sho=\ngo.opentelemetry.io/otel v1.42.0/go.mod h1:lJNsdRMxCUIWuMlVJWzecSMuNjE7dOYyWlqOXWkdqCc=\ngo.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.39.0 h1:5gn2urDL/FBnK8OkCfD1j3/ER79rUuTYmCvlXBKeYL8=\ngo.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.39.0/go.mod h1:0fBG6ZJxhqByfFZDwSwpZGzJU671HkwpWaNe2t4VUPI=\ngo.opentelemetry.io/otel/metric v1.42.0 h1:2jXG+3oZLNXEPfNmnpxKDeZsFI5o4J+nz6xUlaFdF/4=\ngo.opentelemetry.io/otel/metric v1.42.0/go.mod h1:RlUN/7vTU7Ao/diDkEpQpnz3/92J9ko05BIwxYa2SSI=\ngo.opentelemetry.io/otel/sdk v1.42.0 h1:LyC8+jqk6UJwdrI/8VydAq/hvkFKNHZVIWuslJXYsDo=\ngo.opentelemetry.io/otel/sdk v1.42.0/go.mod h1:rGHCAxd9DAph0joO4W6OPwxjNTYWghRWmkHuGbayMts=\ngo.opentelemetry.io/otel/sdk/metric v1.42.0 h1:D/1QR46Clz6ajyZ3G8SgNlTJKBdGp84q9RKCAZ3YGuA=\ngo.opentelemetry.io/otel/sdk/metric v1.42.0/go.mod h1:Ua6AAlDKdZ7tdvaQKfSmnFTdHx37+J4ba8MwVCYM5hc=\ngo.opentelemetry.io/otel/trace v1.42.0 h1:OUCgIPt+mzOnaUTpOQcBiM/PLQ/Op7oq6g4LenLmOYY=\ngo.opentelemetry.io/otel/trace v1.42.0/go.mod h1:f3K9S+IFqnumBkKhRJMeaZeNk9epyhnCmQh/EysQCdc=\ngo.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=\ngo.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=\ngo.yaml.in/yaml/v2 v2.4.4 h1:tuyd0P+2Ont/d6e2rl3be67goVK4R6deVxCUX5vyPaQ=\ngo.yaml.in/yaml/v2 v2.4.4/go.mod h1:gMZqIpDtDqOfM0uNfy0SkpRhvUryYH0Z6wdMYcacYXQ=\ngo.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=\ngo.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=\ngocloud.dev v0.45.0 h1:WknIK8IbRdmynDvara3Q7G6wQhmEiOGwpgJufbM39sY=\ngocloud.dev v0.45.0/go.mod h1:0kXKmkCLG6d31N7NyLZWzt7jDSQura9zD/mWgiB6THI=\ngolang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=\ngolang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=\ngolang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=\ngolang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=\ngolang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=\ngolang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=\ngolang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=\ngolang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI=\ngolang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY=\ngolang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=\ngolang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=\ngolang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=\ngolang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=\ngolang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=\ngolang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=\ngolang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=\ngolang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=\ngolang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=\ngolang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=\ngolang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=\ngolang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=\ngolang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=\ngolang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=\ngolang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=\ngolang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=\ngolang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=\ngolang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=\ngolang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=\ngolang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=\ngolang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=\ngolang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=\ngolang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=\ngolang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=\ngolang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=\ngolang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=\ngolang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=\ngolang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=\ngolang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=\ngolang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=\ngolang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=\ngolang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=\ngolang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=\ngolang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=\ngolang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=\ngolang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=\ngolang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=\ngolang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=\ngolang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da h1:noIWHXmPHxILtqtCOPIhSt0ABwskkZKjD3bXGnZGpNY=\ngolang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=\ngonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=\ngonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=\ngoogle.golang.org/api v0.272.0 h1:eLUQZGnAS3OHn31URRf9sAmRk3w2JjMx37d2k8AjJmA=\ngoogle.golang.org/api v0.272.0/go.mod h1:wKjowi5LNJc5qarNvDCvNQBn3rVK8nSy6jg2SwRwzIA=\ngoogle.golang.org/genproto v0.0.0-20260319171110-e3a33c96fb44 h1:5F2rCQQSavqKBEvXvkLt9Lc61ldIzythnt3+ucqJWG8=\ngoogle.golang.org/genproto v0.0.0-20260319171110-e3a33c96fb44/go.mod h1:L43LFes82YgSonw6iTXTxXUX1OlULt4AQtkik4ULL/I=\ngoogle.golang.org/genproto/googleapis/api v0.0.0-20260319171110-e3a33c96fb44 h1:3r0atjZtaSjEuUu8NNhKvvnFh8ad9PHWsN9VRotabFU=\ngoogle.golang.org/genproto/googleapis/api v0.0.0-20260319171110-e3a33c96fb44/go.mod h1:EIQZ5bFCfRQDV4MhRle7+OgjNtZ6P1PiZBgAKuxXu/Y=\ngoogle.golang.org/genproto/googleapis/rpc v0.0.0-20260319171110-e3a33c96fb44 h1:sRy++txmErSjyVWlIgQB5nB+U75+Di+AH7eEZ002B/s=\ngoogle.golang.org/genproto/googleapis/rpc v0.0.0-20260319171110-e3a33c96fb44/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=\ngoogle.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE=\ngoogle.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=\ngoogle.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=\ngoogle.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=\ngopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=\ngopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=\ngopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=\ngopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=\ngopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=\ngopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=\ngopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=\ngopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=\ngopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=\n" }, { "path": "init/com.github.drakkan.sftpgo.plist", "content": "\n\n\n\n Label\n com.github.drakkan.sftpgo\n EnvironmentVariables\n \n SFTPGO_CONFIG_DIR\n /usr/local/opt/sftpgo/etc\n SFTPGO_LOG_FILE_PATH\n /usr/local/opt/sftpgo/var/log/sftpgo.log\n SFTPGO_HTTPD__TEMPLATES_PATH\n /usr/local/opt/sftpgo/usr/share/templates\n SFTPGO_HTTPD__STATIC_FILES_PATH\n /usr/local/opt/sftpgo/usr/share/static\n SFTPGO_HTTPD__OPENAPI_PATH\n /usr/local/opt/sftpgo/usr/share/openapi\n SFTPGO_HTTPD__BACKUPS_PATH\n /usr/local/opt/sftpgo/var/lib/backups\n SFTPGO_DATA_PROVIDER__CREDENTIALS_PATH\n /usr/local/opt/sftpgo/var/lib/credentials\n \n WorkingDirectory\n /usr/local/opt/sftpgo/etc\n ProgramArguments\n \n /usr/local/opt/sftpgo/bin/sftpgo\n serve\n \n KeepAlive\n \n ThrottleInterval\n 10\n\n\n" }, { "path": "init/sftpgo.service", "content": "[Unit]\nDescription=SFTPGo Server\nAfter=network.target\n\n[Service]\nUser=sftpgo\nGroup=sftpgo\nType=simple\nWorkingDirectory=/etc/sftpgo\nRuntimeDirectory=sftpgo\nEnvironment=SFTPGO_CONFIG_DIR=/etc/sftpgo/\nEnvironment=SFTPGO_LOG_FILE_PATH=\nEnvironmentFile=-/etc/sftpgo/sftpgo.env\nExecStart=/usr/bin/sftpgo serve\nExecReload=/bin/kill -s HUP $MAINPID\nLimitNOFILE=8192\nKillMode=mixed\nPrivateTmp=true\nRestart=always\nRestartSec=10s\nNoNewPrivileges=yes\nPrivateDevices=yes\nDevicePolicy=closed\nProtectSystem=true\nRestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX\nAmbientCapabilities=CAP_NET_BIND_SERVICE\n\n[Install]\nWantedBy=multi-user.target\n" }, { "path": "internal/acme/account.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage acme\n\nimport (\n\t\"crypto\"\n\n\t\"github.com/go-acme/lego/v4/registration\"\n)\n\ntype account struct {\n\tEmail string `json:\"email\"`\n\tRegistration *registration.Resource `json:\"registration\"`\n\tkey crypto.PrivateKey\n}\n\n/** Implementation of the registration.User interface **/\n\n// GetEmail returns the email address for the account.\nfunc (a *account) GetEmail() string {\n\treturn a.Email\n}\n\n// GetRegistration returns the server registration.\nfunc (a *account) GetRegistration() *registration.Resource {\n\treturn a.Registration\n}\n\n// GetPrivateKey returns the private account key.\nfunc (a *account) GetPrivateKey() crypto.PrivateKey {\n\treturn a.key\n}\n\n/** End **/\n" }, { "path": "internal/acme/acme.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n// Package acme provides automatic access to certificates from Let's Encrypt and any other ACME-based CA\n// The code here is largely coiped from https://github.com/go-acme/lego/tree/master/cmd\n// This package is intended to provide basic functionality for obtaining and renewing certificates\n// and implements the \"HTTP-01\" and \"TLSALPN-01\" challenge types.\n// For more advanced features use external tools such as \"lego\"\npackage acme\n\nimport (\n\t\"crypto\"\n\t\"crypto/x509\"\n\t\"encoding/json\"\n\t\"encoding/pem\"\n\t\"errors\"\n\t\"fmt\"\n\t\"math/rand\"\n\t\"net/url\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"slices\"\n\t\"strconv\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/go-acme/lego/v4/certcrypto\"\n\t\"github.com/go-acme/lego/v4/certificate\"\n\t\"github.com/go-acme/lego/v4/challenge\"\n\t\"github.com/go-acme/lego/v4/challenge/http01\"\n\t\"github.com/go-acme/lego/v4/challenge/tlsalpn01\"\n\t\"github.com/go-acme/lego/v4/lego\"\n\t\"github.com/go-acme/lego/v4/log\"\n\t\"github.com/go-acme/lego/v4/providers/http/webroot\"\n\t\"github.com/go-acme/lego/v4/registration\"\n\t\"github.com/hashicorp/go-retryablehttp\"\n\t\"github.com/robfig/cron/v3\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/ftpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/telemetry\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n\t\"github.com/drakkan/sftpgo/v2/internal/webdavd\"\n)\n\nconst (\n\tlogSender = \"acme\"\n)\n\nvar (\n\tconfig *Configuration\n\tinitialConfig Configuration\n\tscheduler *cron.Cron\n\tlogMode int\n\tsupportedKeyTypes = []string{\n\t\tstring(certcrypto.EC256),\n\t\tstring(certcrypto.EC384),\n\t\tstring(certcrypto.RSA2048),\n\t\tstring(certcrypto.RSA3072),\n\t\tstring(certcrypto.RSA4096),\n\t\tstring(certcrypto.RSA8192),\n\t}\n\tfnReloadHTTPDCerts func() error\n)\n\n// SetReloadHTTPDCertsFn set the function to call to reload HTTPD certificates\nfunc SetReloadHTTPDCertsFn(fn func() error) {\n\tfnReloadHTTPDCerts = fn\n}\n\n// GetCertificates tries to obtain the certificates using the global configuration\nfunc GetCertificates() error {\n\tif config == nil {\n\t\treturn errors.New(\"acme is disabled\")\n\t}\n\treturn config.getCertificates()\n}\n\n// GetCertificatesForConfig tries to obtain the certificates using the provided\n// configuration override. This is a NOOP if we already have certificates\nfunc GetCertificatesForConfig(c *dataprovider.ACMEConfigs, configDir string) error {\n\tif c.Domain == \"\" {\n\t\tacmeLog(logger.LevelDebug, \"no domain configured, nothing to do\")\n\t\treturn nil\n\t}\n\tconfig := mergeConfig(getConfiguration(), c)\n\tif err := config.Initialize(configDir); err != nil {\n\t\treturn err\n\t}\n\thasCerts, err := config.hasCertificates(c.Domain)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to check if we already have certificates for domain %q: %w\", c.Domain, err)\n\t}\n\tif hasCerts {\n\t\treturn nil\n\t}\n\treturn config.getCertificates()\n}\n\n// GetHTTP01WebRoot returns the web root for HTTP-01 challenge\nfunc GetHTTP01WebRoot() string {\n\treturn initialConfig.HTTP01Challenge.WebRoot\n}\n\nfunc mergeConfig(config Configuration, c *dataprovider.ACMEConfigs) Configuration {\n\tconfig.Domains = []string{c.Domain}\n\tconfig.Email = c.Email\n\tconfig.HTTP01Challenge.Port = c.HTTP01Challenge.Port\n\tconfig.TLSALPN01Challenge.Port = 0\n\treturn config\n}\n\n// getConfiguration returns the configuration set using config file and env vars\nfunc getConfiguration() Configuration {\n\treturn initialConfig\n}\n\nfunc loadProviderConf(c Configuration) (Configuration, error) {\n\tconfigs, err := dataprovider.GetConfigs()\n\tif err != nil {\n\t\treturn c, fmt.Errorf(\"unable to load config from provider: %w\", err)\n\t}\n\tconfigs.SetNilsToEmpty()\n\tif configs.ACME.Domain == \"\" {\n\t\treturn c, nil\n\t}\n\treturn mergeConfig(c, configs.ACME), nil\n}\n\n// Initialize validates and set the configuration\nfunc Initialize(c Configuration, configDir string, checkRenew bool) error {\n\tconfig = nil\n\tinitialConfig = c\n\tc, err := loadProviderConf(c)\n\tif err != nil {\n\t\treturn err\n\t}\n\tutil.CertsBasePath = \"\"\n\tsetLogMode(checkRenew)\n\n\tif err := c.Initialize(configDir); err != nil {\n\t\treturn err\n\t}\n\tif len(c.Domains) == 0 {\n\t\treturn nil\n\t}\n\tutil.CertsBasePath = c.CertsPath\n\tacmeLog(logger.LevelInfo, \"configured domains: %+v, certs base path %q\", c.Domains, c.CertsPath)\n\tconfig = &c\n\tif checkRenew {\n\t\treturn startScheduler()\n\t}\n\treturn nil\n}\n\n// HTTP01Challenge defines the configuration for HTTP-01 challenge type\ntype HTTP01Challenge struct {\n\tPort int `json:\"port\" mapstructure:\"port\"`\n\tWebRoot string `json:\"webroot\" mapstructure:\"webroot\"`\n\tProxyHeader string `json:\"proxy_header\" mapstructure:\"proxy_header\"`\n}\n\nfunc (c *HTTP01Challenge) isEnabled() bool {\n\treturn c.Port > 0 || c.WebRoot != \"\"\n}\n\nfunc (c *HTTP01Challenge) validate() error {\n\tif !c.isEnabled() {\n\t\treturn nil\n\t}\n\tif c.WebRoot != \"\" {\n\t\tif !filepath.IsAbs(c.WebRoot) {\n\t\t\treturn fmt.Errorf(\"invalid HTTP-01 challenge web root, please set an absolute path\")\n\t\t}\n\t\t_, err := os.Stat(c.WebRoot)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"invalid HTTP-01 challenge web root: %w\", err)\n\t\t}\n\t} else {\n\t\tif c.Port > 65535 {\n\t\t\treturn fmt.Errorf(\"invalid HTTP-01 challenge port: %d\", c.Port)\n\t\t}\n\t}\n\treturn nil\n}\n\n// TLSALPN01Challenge defines the configuration for TLSALPN-01 challenge type\ntype TLSALPN01Challenge struct {\n\tPort int `json:\"port\" mapstructure:\"port\"`\n}\n\nfunc (c *TLSALPN01Challenge) isEnabled() bool {\n\treturn c.Port > 0\n}\n\nfunc (c *TLSALPN01Challenge) validate() error {\n\tif !c.isEnabled() {\n\t\treturn nil\n\t}\n\tif c.Port > 65535 {\n\t\treturn fmt.Errorf(\"invalid TLSALPN-01 challenge port: %d\", c.Port)\n\t}\n\treturn nil\n}\n\n// Configuration holds the ACME configuration\ntype Configuration struct {\n\tEmail string `json:\"email\" mapstructure:\"email\"`\n\tKeyType string `json:\"key_type\" mapstructure:\"key_type\"`\n\tCertsPath string `json:\"certs_path\" mapstructure:\"certs_path\"`\n\tCAEndpoint string `json:\"ca_endpoint\" mapstructure:\"ca_endpoint\"`\n\t// if a certificate is to be valid for multiple domains specify the names separated by commas,\n\t// for example: example.com,www.example.com\n\tDomains []string `json:\"domains\" mapstructure:\"domains\"`\n\tRenewDays int `json:\"renew_days\" mapstructure:\"renew_days\"`\n\tHTTP01Challenge HTTP01Challenge `json:\"http01_challenge\" mapstructure:\"http01_challenge\"`\n\tTLSALPN01Challenge TLSALPN01Challenge `json:\"tls_alpn01_challenge\" mapstructure:\"tls_alpn01_challenge\"`\n\taccountConfigPath string\n\taccountKeyPath string\n\tlockPath string\n\ttempDir string\n}\n\n// Initialize validates and initialize the configuration\nfunc (c *Configuration) Initialize(configDir string) error {\n\tc.checkDomains()\n\tif len(c.Domains) == 0 {\n\t\tacmeLog(logger.LevelInfo, \"no domains configured, acme disabled\")\n\t\treturn nil\n\t}\n\tif c.Email == \"\" || !util.IsEmailValid(c.Email) {\n\t\treturn util.NewI18nError(\n\t\t\tfmt.Errorf(\"invalid email address %q\", c.Email),\n\t\t\tutil.I18nErrorInvalidEmail,\n\t\t)\n\t}\n\tif c.RenewDays < 1 {\n\t\treturn fmt.Errorf(\"invalid number of days remaining before renewal: %d\", c.RenewDays)\n\t}\n\tif !slices.Contains(supportedKeyTypes, c.KeyType) {\n\t\treturn fmt.Errorf(\"invalid key type %q\", c.KeyType)\n\t}\n\tcaURL, err := url.Parse(c.CAEndpoint)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"invalid CA endopoint: %w\", err)\n\t}\n\tif !util.IsFileInputValid(c.CertsPath) {\n\t\treturn fmt.Errorf(\"invalid certs path %q\", c.CertsPath)\n\t}\n\tif !filepath.IsAbs(c.CertsPath) {\n\t\tc.CertsPath = filepath.Join(configDir, c.CertsPath)\n\t}\n\terr = os.MkdirAll(c.CertsPath, 0700)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to create certs path %q: %w\", c.CertsPath, err)\n\t}\n\tc.tempDir = filepath.Join(c.CertsPath, \"temp\")\n\terr = os.MkdirAll(c.CertsPath, 0700)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to create certs temp path %q: %w\", c.tempDir, err)\n\t}\n\tserverPath := strings.NewReplacer(\":\", \"_\", \"/\", string(os.PathSeparator)).Replace(caURL.Host)\n\taccountPath := filepath.Join(c.CertsPath, serverPath)\n\terr = os.MkdirAll(accountPath, 0700)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to create account path %q: %w\", accountPath, err)\n\t}\n\tc.accountConfigPath = filepath.Join(accountPath, c.Email+\".json\")\n\tc.accountKeyPath = filepath.Join(accountPath, c.Email+\".key\")\n\tc.lockPath = filepath.Join(c.CertsPath, \"lock\")\n\n\treturn c.validateChallenges()\n}\n\nfunc (c *Configuration) validateChallenges() error {\n\tif !c.HTTP01Challenge.isEnabled() && !c.TLSALPN01Challenge.isEnabled() {\n\t\treturn fmt.Errorf(\"no challenge type defined\")\n\t}\n\tif err := c.HTTP01Challenge.validate(); err != nil {\n\t\treturn err\n\t}\n\treturn c.TLSALPN01Challenge.validate()\n}\n\nfunc (c *Configuration) checkDomains() {\n\tvar domains []string\n\tfor _, domain := range c.Domains {\n\t\tdomain = strings.TrimSpace(domain)\n\t\tif domain == \"\" {\n\t\t\tcontinue\n\t\t}\n\t\tif d, ok := isDomainValid(domain); ok {\n\t\t\tdomains = append(domains, d)\n\t\t}\n\t}\n\tc.Domains = util.RemoveDuplicates(domains, true)\n}\n\nfunc (c *Configuration) setLockTime() error {\n\tlockTime := fmt.Sprintf(\"%v\", util.GetTimeAsMsSinceEpoch(time.Now()))\n\terr := os.WriteFile(c.lockPath, []byte(lockTime), 0600)\n\tif err != nil {\n\t\tacmeLog(logger.LevelError, \"unable to save lock time to %q: %v\", c.lockPath, err)\n\t\treturn fmt.Errorf(\"unable to save lock time: %w\", err)\n\t}\n\tacmeLog(logger.LevelDebug, \"lock time saved: %q\", lockTime)\n\treturn nil\n}\n\nfunc (c *Configuration) getLockTime() (time.Time, error) {\n\tcontent, err := os.ReadFile(c.lockPath)\n\tif err != nil {\n\t\tif os.IsNotExist(err) {\n\t\t\tacmeLog(logger.LevelDebug, \"lock file %q not found\", c.lockPath)\n\t\t\treturn time.Time{}, nil\n\t\t}\n\t\tacmeLog(logger.LevelError, \"unable to read lock file %q: %v\", c.lockPath, err)\n\t\treturn time.Time{}, err\n\t}\n\tmsec, err := strconv.ParseInt(strings.TrimSpace(util.BytesToString(content)), 10, 64)\n\tif err != nil {\n\t\tacmeLog(logger.LevelError, \"unable to parse lock time: %v\", err)\n\t\treturn time.Time{}, fmt.Errorf(\"unable to parse lock time: %w\", err)\n\t}\n\treturn util.GetTimeFromMsecSinceEpoch(msec), nil\n}\n\nfunc (c *Configuration) saveAccount(account *account) error {\n\tjsonBytes, err := json.MarshalIndent(account, \"\", \"\\t\")\n\tif err != nil {\n\t\treturn err\n\t}\n\terr = os.WriteFile(c.accountConfigPath, jsonBytes, 0600)\n\tif err != nil {\n\t\tacmeLog(logger.LevelError, \"unable to save account to file %q: %v\", c.accountConfigPath, err)\n\t\treturn fmt.Errorf(\"unable to save account: %w\", err)\n\t}\n\treturn nil\n}\n\nfunc (c *Configuration) getAccount(privateKey crypto.PrivateKey) (account, error) {\n\t_, err := os.Stat(c.accountConfigPath)\n\tif err != nil && os.IsNotExist(err) {\n\t\tacmeLog(logger.LevelDebug, \"account does not exist\")\n\t\treturn account{Email: c.Email, key: privateKey}, nil\n\t}\n\tvar account account\n\tfileBytes, err := os.ReadFile(c.accountConfigPath)\n\tif err != nil {\n\t\tacmeLog(logger.LevelError, \"unable to read account from file %q: %v\", c.accountConfigPath, err)\n\t\treturn account, fmt.Errorf(\"unable to read account from file: %w\", err)\n\t}\n\terr = json.Unmarshal(fileBytes, &account)\n\tif err != nil {\n\t\tacmeLog(logger.LevelError, \"invalid account file content: %v\", err)\n\t\treturn account, fmt.Errorf(\"unable to parse account file as JSON: %w\", err)\n\t}\n\taccount.key = privateKey\n\tif account.Registration == nil || account.Registration.Body.Status == \"\" {\n\t\tacmeLog(logger.LevelInfo, \"couldn't load account but got a key. Try to look the account up\")\n\t\treg, err := c.tryRecoverRegistration(privateKey)\n\t\tif err != nil {\n\t\t\tacmeLog(logger.LevelError, \"unable to look the account up: %v\", err)\n\t\t\treturn account, fmt.Errorf(\"unable to look the account up: %w\", err)\n\t\t}\n\t\taccount.Registration = reg\n\t\terr = c.saveAccount(&account)\n\t\tif err != nil {\n\t\t\treturn account, err\n\t\t}\n\t}\n\n\treturn account, nil\n}\n\nfunc (c *Configuration) loadPrivateKey() (crypto.PrivateKey, error) {\n\tkeyBytes, err := os.ReadFile(c.accountKeyPath)\n\tif err != nil {\n\t\tacmeLog(logger.LevelError, \"unable to read account key from file %q: %v\", c.accountKeyPath, err)\n\t\treturn nil, fmt.Errorf(\"unable to read account key: %w\", err)\n\t}\n\n\tkeyBlock, _ := pem.Decode(keyBytes)\n\tif keyBlock == nil {\n\t\tacmeLog(logger.LevelError, \"unable to parse private key from file %q: pem decoding failed\", c.accountKeyPath)\n\t\treturn nil, errors.New(\"pem decoding failed\")\n\t}\n\n\tvar privateKey crypto.PrivateKey\n\tswitch keyBlock.Type {\n\tcase \"RSA PRIVATE KEY\":\n\t\tprivateKey, err = x509.ParsePKCS1PrivateKey(keyBlock.Bytes)\n\tcase \"EC PRIVATE KEY\":\n\t\tprivateKey, err = x509.ParseECPrivateKey(keyBlock.Bytes)\n\tdefault:\n\t\terr = fmt.Errorf(\"unknown private key type %q\", keyBlock.Type)\n\t}\n\tif err != nil {\n\t\tacmeLog(logger.LevelError, \"unable to parse private key from file %q: %v\", c.accountKeyPath, err)\n\t\treturn privateKey, fmt.Errorf(\"unable to parse private key: %w\", err)\n\t}\n\treturn privateKey, nil\n}\n\nfunc (c *Configuration) generatePrivateKey() (crypto.PrivateKey, error) {\n\tprivateKey, err := certcrypto.GeneratePrivateKey(certcrypto.KeyType(c.KeyType))\n\tif err != nil {\n\t\tacmeLog(logger.LevelError, \"unable to generate private key: %v\", err)\n\t\treturn nil, fmt.Errorf(\"unable to generate private key: %w\", err)\n\t}\n\tcertOut, err := os.Create(c.accountKeyPath)\n\tif err != nil {\n\t\tacmeLog(logger.LevelError, \"unable to save private key to file %q: %v\", c.accountKeyPath, err)\n\t\treturn nil, fmt.Errorf(\"unable to save private key: %w\", err)\n\t}\n\tdefer certOut.Close()\n\n\tpemKey := certcrypto.PEMBlock(privateKey)\n\terr = pem.Encode(certOut, pemKey)\n\tif err != nil {\n\t\tacmeLog(logger.LevelError, \"unable to encode private key: %v\", err)\n\t\treturn nil, fmt.Errorf(\"unable to encode private key: %w\", err)\n\t}\n\tacmeLog(logger.LevelDebug, \"new account private key generated\")\n\n\treturn privateKey, nil\n}\n\nfunc (c *Configuration) getPrivateKey() (crypto.PrivateKey, error) {\n\t_, err := os.Stat(c.accountKeyPath)\n\tif err != nil && os.IsNotExist(err) {\n\t\tacmeLog(logger.LevelDebug, \"private key file %q does not exist, generating new private key\", c.accountKeyPath)\n\t\treturn c.generatePrivateKey()\n\t}\n\tacmeLog(logger.LevelDebug, \"loading private key from file %q, stat error: %v\", c.accountKeyPath, err)\n\treturn c.loadPrivateKey()\n}\n\nfunc (c *Configuration) loadCertificatesForDomain(domain string) ([]*x509.Certificate, error) {\n\tdomain = util.SanitizeDomain(domain)\n\tacmeLog(logger.LevelDebug, \"loading certificates for domain %q\", domain)\n\tcontent, err := os.ReadFile(filepath.Join(c.CertsPath, domain+\".crt\"))\n\tif err != nil {\n\t\tacmeLog(logger.LevelError, \"unable to load certificates for domain %q: %v\", domain, err)\n\t\treturn nil, fmt.Errorf(\"unable to load certificates for domain %q: %w\", domain, err)\n\t}\n\tcerts, err := certcrypto.ParsePEMBundle(content)\n\tif err != nil {\n\t\tacmeLog(logger.LevelError, \"unable to parse certificates for domain %q: %v\", domain, err)\n\t\treturn certs, fmt.Errorf(\"unable to parse certificates for domain %q: %w\", domain, err)\n\t}\n\treturn certs, nil\n}\n\nfunc (c *Configuration) needRenewal(x509Cert *x509.Certificate, domain string) bool {\n\tif x509Cert.IsCA {\n\t\tacmeLog(logger.LevelError, \"certificate bundle starts with a CA certificate, cannot renew domain %v\", domain)\n\t\treturn false\n\t}\n\tnotAfter := int(time.Until(x509Cert.NotAfter).Hours() / 24.0)\n\tif notAfter > c.RenewDays {\n\t\tacmeLog(logger.LevelDebug, \"the certificate for domain %q expires in %d days, no renewal\", domain, notAfter)\n\t\treturn false\n\t}\n\treturn true\n}\n\nfunc (c *Configuration) setup() (*account, *lego.Client, error) {\n\tprivateKey, err := c.getPrivateKey()\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\taccount, err := c.getAccount(privateKey)\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\tconfig := lego.NewConfig(&account)\n\tconfig.CADirURL = c.CAEndpoint\n\tconfig.Certificate.KeyType = certcrypto.KeyType(c.KeyType)\n\tconfig.Certificate.OverallRequestLimit = 6\n\tconfig.UserAgent = version.GetServerVersion(\"/\", false)\n\n\tretryClient := retryablehttp.NewClient()\n\tretryClient.Logger = &logger.LeveledLogger{Sender: \"RetryableHTTPClient\"}\n\tretryClient.RetryMax = 5\n\tretryClient.HTTPClient = config.HTTPClient\n\n\tconfig.HTTPClient = retryClient.StandardClient()\n\n\tclient, err := lego.NewClient(config)\n\tif err != nil {\n\t\tacmeLog(logger.LevelError, \"unable to get ACME client: %v\", err)\n\t\treturn nil, nil, fmt.Errorf(\"unable to get ACME client: %w\", err)\n\t}\n\terr = c.setupChalleges(client)\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\treturn &account, client, nil\n}\n\nfunc (c *Configuration) setupChalleges(client *lego.Client) error {\n\tclient.Challenge.Remove(challenge.DNS01)\n\tif c.HTTP01Challenge.isEnabled() {\n\t\tif c.HTTP01Challenge.WebRoot != \"\" {\n\t\t\tacmeLog(logger.LevelDebug, \"configuring HTTP-01 web root challenge, path %q\", c.HTTP01Challenge.WebRoot)\n\t\t\tproviderServer, err := webroot.NewHTTPProvider(c.HTTP01Challenge.WebRoot)\n\t\t\tif err != nil {\n\t\t\t\tacmeLog(logger.LevelError, \"unable to create HTTP-01 web root challenge provider from path %q: %v\",\n\t\t\t\t\tc.HTTP01Challenge.WebRoot, err)\n\t\t\t\treturn fmt.Errorf(\"unable to create HTTP-01 web root challenge provider: %w\", err)\n\t\t\t}\n\t\t\terr = client.Challenge.SetHTTP01Provider(providerServer)\n\t\t\tif err != nil {\n\t\t\t\tacmeLog(logger.LevelError, \"unable to set HTTP-01 challenge provider: %v\", err)\n\t\t\t\treturn fmt.Errorf(\"unable to set HTTP-01 challenge provider: %w\", err)\n\t\t\t}\n\t\t} else {\n\t\t\tacmeLog(logger.LevelDebug, \"configuring HTTP-01 challenge, port %d\", c.HTTP01Challenge.Port)\n\t\t\tproviderServer := http01.NewProviderServer(\"\", fmt.Sprintf(\"%d\", c.HTTP01Challenge.Port))\n\t\t\tif c.HTTP01Challenge.ProxyHeader != \"\" {\n\t\t\t\tacmeLog(logger.LevelDebug, \"setting proxy header to \\\"%s\\\"\", c.HTTP01Challenge.ProxyHeader)\n\t\t\t\tproviderServer.SetProxyHeader(c.HTTP01Challenge.ProxyHeader)\n\t\t\t}\n\t\t\terr := client.Challenge.SetHTTP01Provider(providerServer)\n\t\t\tif err != nil {\n\t\t\t\tacmeLog(logger.LevelError, \"unable to set HTTP-01 challenge provider: %v\", err)\n\t\t\t\treturn fmt.Errorf(\"unable to set HTTP-01 challenge provider: %w\", err)\n\t\t\t}\n\t\t}\n\t} else {\n\t\tclient.Challenge.Remove(challenge.HTTP01)\n\t}\n\tif c.TLSALPN01Challenge.isEnabled() {\n\t\tacmeLog(logger.LevelDebug, \"configuring TLSALPN-01 challenge, port %d\", c.TLSALPN01Challenge.Port)\n\t\terr := client.Challenge.SetTLSALPN01Provider(tlsalpn01.NewProviderServer(\"\", fmt.Sprintf(\"%d\", c.TLSALPN01Challenge.Port)))\n\t\tif err != nil {\n\t\t\tacmeLog(logger.LevelError, \"unable to set TLSALPN-01 challenge provider: %v\", err)\n\t\t\treturn fmt.Errorf(\"unable to set TLSALPN-01 challenge provider: %w\", err)\n\t\t}\n\t} else {\n\t\tclient.Challenge.Remove(challenge.TLSALPN01)\n\t}\n\n\treturn nil\n}\n\nfunc (c *Configuration) register(client *lego.Client) (*registration.Resource, error) {\n\treturn client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})\n}\n\nfunc (c *Configuration) tryRecoverRegistration(privateKey crypto.PrivateKey) (*registration.Resource, error) {\n\tconfig := lego.NewConfig(&account{key: privateKey})\n\tconfig.CADirURL = c.CAEndpoint\n\tconfig.UserAgent = version.GetServerVersion(\"/\", false)\n\n\tretryClient := retryablehttp.NewClient()\n\tretryClient.Logger = &logger.LeveledLogger{Sender: \"RetryableHTTPClient\"}\n\tretryClient.RetryMax = 5\n\tretryClient.HTTPClient = config.HTTPClient\n\n\tconfig.HTTPClient = retryClient.StandardClient()\n\n\tclient, err := lego.NewClient(config)\n\tif err != nil {\n\t\tacmeLog(logger.LevelError, \"unable to get the ACME client: %v\", err)\n\t\treturn nil, err\n\t}\n\n\treturn client.Registration.ResolveAccountByKey()\n}\n\nfunc (c *Configuration) getCrtPath(domain string) string {\n\treturn filepath.Join(c.CertsPath, domain+\".crt\")\n}\n\nfunc (c *Configuration) getKeyPath(domain string) string {\n\treturn filepath.Join(c.CertsPath, domain+\".key\")\n}\n\nfunc (c *Configuration) getResourcePath(domain string) string {\n\treturn filepath.Join(c.CertsPath, domain+\".json\")\n}\n\nfunc (c *Configuration) obtainAndSaveCertificate(client *lego.Client, domain string) error {\n\tdomains := getDomains(domain)\n\tacmeLog(logger.LevelInfo, \"requesting certificates for domains %+v\", domains)\n\trequest := certificate.ObtainRequest{\n\t\tDomains: domains,\n\t\tBundle: true,\n\t\tMustStaple: false,\n\t\tPreferredChain: \"\",\n\t\tAlwaysDeactivateAuthorizations: false,\n\t}\n\tcert, err := client.Certificate.Obtain(request)\n\tif err != nil {\n\t\tacmeLog(logger.LevelError, \"unable to obtain certificates for domains %+v: %v\", domains, err)\n\t\treturn fmt.Errorf(\"unable to obtain certificates: %w\", err)\n\t}\n\tdomain = util.SanitizeDomain(domain)\n\terr = os.WriteFile(c.getCrtPath(domain), cert.Certificate, 0600)\n\tif err != nil {\n\t\tacmeLog(logger.LevelError, \"unable to save certificate for domain %s: %v\", domain, err)\n\t\treturn fmt.Errorf(\"unable to save certificate: %w\", err)\n\t}\n\terr = os.WriteFile(c.getKeyPath(domain), cert.PrivateKey, 0600)\n\tif err != nil {\n\t\tacmeLog(logger.LevelError, \"unable to save private key for domain %s: %v\", domain, err)\n\t\treturn fmt.Errorf(\"unable to save private key: %w\", err)\n\t}\n\tjsonBytes, err := json.MarshalIndent(cert, \"\", \"\\t\")\n\tif err != nil {\n\t\tacmeLog(logger.LevelError, \"unable to marshal certificate resources for domain %v: %v\", domain, err)\n\t\treturn err\n\t}\n\terr = os.WriteFile(c.getResourcePath(domain), jsonBytes, 0600)\n\tif err != nil {\n\t\tacmeLog(logger.LevelError, \"unable to save certificate resources for domain %v: %v\", domain, err)\n\t\treturn fmt.Errorf(\"unable to save certificate resources: %w\", err)\n\t}\n\n\tacmeLog(logger.LevelInfo, \"certificates for domains %+v saved\", domains)\n\treturn nil\n}\n\n// hasCertificates returns true if certificates for the specified domain has already been issued\nfunc (c *Configuration) hasCertificates(domain string) (bool, error) {\n\tdomain = util.SanitizeDomain(domain)\n\tif _, err := os.Stat(c.getCrtPath(domain)); err != nil {\n\t\tif os.IsNotExist(err) {\n\t\t\treturn false, nil\n\t\t}\n\t\treturn false, err\n\t}\n\tif _, err := os.Stat(c.getKeyPath(domain)); err != nil {\n\t\tif os.IsNotExist(err) {\n\t\t\treturn false, nil\n\t\t}\n\t\treturn false, err\n\t}\n\treturn true, nil\n}\n\n// getCertificates tries to obtain the certificates for the configured domains\nfunc (c *Configuration) getCertificates() error {\n\taccount, client, err := c.setup()\n\tif err != nil {\n\t\treturn err\n\t}\n\tif account.Registration == nil {\n\t\treg, err := c.register(client)\n\t\tif err != nil {\n\t\t\tacmeLog(logger.LevelError, \"unable to register account: %v\", err)\n\t\t\treturn fmt.Errorf(\"unable to register account: %w\", err)\n\t\t}\n\t\taccount.Registration = reg\n\t\terr = c.saveAccount(account)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tfor _, domain := range c.Domains {\n\t\terr = c.obtainAndSaveCertificate(client, domain)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (c *Configuration) notifyCertificateRenewal(domain string, err error) {\n\tif domain == \"\" {\n\t\tdomain = strings.Join(c.Domains, \",\")\n\t}\n\tparams := common.EventParams{\n\t\tName: domain,\n\t\tEvent: \"Certificate renewal\",\n\t\tTimestamp: time.Now(),\n\t}\n\tif err != nil {\n\t\tparams.Status = 2\n\t\tparams.AddError(err)\n\t} else {\n\t\tparams.Status = 1\n\t}\n\tcommon.HandleCertificateEvent(params)\n}\n\nfunc (c *Configuration) renewCertificates() error {\n\tlockTime, err := c.getLockTime()\n\tif err != nil {\n\t\treturn err\n\t}\n\tacmeLog(logger.LevelDebug, \"certificate renew lock time %v\", lockTime)\n\tif lockTime.Add(-30*time.Second).Before(time.Now()) && lockTime.Add(5*time.Minute).After(time.Now()) {\n\t\tacmeLog(logger.LevelInfo, \"certificate renew skipped, lock time too close: %v\", lockTime)\n\t\treturn nil\n\t}\n\terr = c.setLockTime()\n\tif err != nil {\n\t\tc.notifyCertificateRenewal(\"\", err)\n\t\treturn err\n\t}\n\taccount, client, err := c.setup()\n\tif err != nil {\n\t\tc.notifyCertificateRenewal(\"\", err)\n\t\treturn err\n\t}\n\tif account.Registration == nil {\n\t\tacmeLog(logger.LevelError, \"cannot renew certificates, your account is not registered\")\n\t\terr = errors.New(\"cannot renew certificates, your account is not registered\")\n\t\tc.notifyCertificateRenewal(\"\", err)\n\t\treturn err\n\t}\n\tvar errRenew error\n\tneedReload := false\n\tfor _, domain := range c.Domains {\n\t\tcertificates, err := c.loadCertificatesForDomain(domain)\n\t\tif err != nil {\n\t\t\tc.notifyCertificateRenewal(domain, err)\n\t\t\terrRenew = err\n\t\t\tcontinue\n\t\t}\n\t\tcert := certificates[0]\n\t\tif !c.needRenewal(cert, domain) {\n\t\t\tcontinue\n\t\t}\n\t\terr = c.obtainAndSaveCertificate(client, domain)\n\t\tif err != nil {\n\t\t\tc.notifyCertificateRenewal(domain, err)\n\t\t\terrRenew = err\n\t\t} else {\n\t\t\tc.notifyCertificateRenewal(domain, nil)\n\t\t\tneedReload = true\n\t\t}\n\t}\n\tif needReload {\n\t\t// at least one certificate has been renewed, sends a reload to all services that may be using certificates\n\t\terr = ftpd.ReloadCertificateMgr()\n\t\tacmeLog(logger.LevelInfo, \"ftpd certificate manager reloaded , error: %v\", err)\n\t\tif fnReloadHTTPDCerts != nil {\n\t\t\terr = fnReloadHTTPDCerts()\n\t\t\tacmeLog(logger.LevelInfo, \"httpd certificates manager reloaded , error: %v\", err)\n\t\t}\n\t\terr = webdavd.ReloadCertificateMgr()\n\t\tacmeLog(logger.LevelInfo, \"webdav certificates manager reloaded , error: %v\", err)\n\t\terr = telemetry.ReloadCertificateMgr()\n\t\tacmeLog(logger.LevelInfo, \"telemetry certificates manager reloaded , error: %v\", err)\n\t}\n\n\treturn errRenew\n}\n\nfunc isDomainValid(domain string) (string, bool) {\n\tisValid := false\n\tfor d := range strings.SplitSeq(domain, \",\") {\n\t\td = strings.TrimSpace(d)\n\t\tif d != \"\" {\n\t\t\tisValid = true\n\t\t\tbreak\n\t\t}\n\t}\n\treturn domain, isValid\n}\n\nfunc getDomains(domain string) []string {\n\tvar domains []string\n\n\tdelimiter := \",\"\n\tif !strings.Contains(domain, \",\") && strings.Contains(domain, \" \") {\n\t\tdelimiter = \" \"\n\t}\n\n\tfor d := range strings.SplitSeq(domain, delimiter) {\n\t\td = strings.TrimSpace(d)\n\t\tif d != \"\" {\n\t\t\tdomains = append(domains, d)\n\t\t}\n\t}\n\treturn util.RemoveDuplicates(domains, false)\n}\n\nfunc stopScheduler() {\n\tif scheduler != nil {\n\t\tscheduler.Stop()\n\t\tscheduler = nil\n\t}\n}\n\nfunc startScheduler() error {\n\tstopScheduler()\n\n\trandSecs := rand.Intn(59)\n\tscheduler = cron.New(cron.WithLocation(time.UTC), cron.WithLogger(cron.DiscardLogger))\n\t_, err := scheduler.AddFunc(fmt.Sprintf(\"@every 12h0m%ds\", randSecs), renewCertificates)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to schedule certificates renewal: %w\", err)\n\t}\n\n\tacmeLog(logger.LevelInfo, \"starting scheduler, initial certificates check in %d seconds\", randSecs)\n\tinitialTimer := time.NewTimer(time.Duration(randSecs) * time.Second)\n\tgo func() {\n\t\t<-initialTimer.C\n\t\trenewCertificates()\n\t}()\n\n\tscheduler.Start()\n\treturn nil\n}\n\nfunc renewCertificates() {\n\tif config != nil {\n\t\tif err := config.renewCertificates(); err != nil {\n\t\t\tacmeLog(logger.LevelError, \"unable to renew certificates: %v\", err)\n\t\t}\n\t}\n}\n\nfunc setLogMode(checkRenew bool) {\n\tif checkRenew {\n\t\tlogMode = 1\n\t} else {\n\t\tlogMode = 2\n\t}\n\tlog.Logger = &logger.LegoAdapter{\n\t\tLogToConsole: logMode != 1,\n\t}\n}\n\nfunc acmeLog(level logger.LogLevel, format string, v ...any) {\n\tif logMode == 1 {\n\t\tlogger.Log(level, logSender, \"\", format, v...)\n\t} else {\n\t\tswitch level {\n\t\tcase logger.LevelDebug:\n\t\t\tlogger.DebugToConsole(format, v...)\n\t\tcase logger.LevelInfo:\n\t\t\tlogger.InfoToConsole(format, v...)\n\t\tcase logger.LevelWarn:\n\t\t\tlogger.WarnToConsole(format, v...)\n\t\tdefault:\n\t\t\tlogger.ErrorToConsole(format, v...)\n\t\t}\n\t}\n}\n" }, { "path": "internal/bundle/bundle.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build bundle\n\npackage bundle\n\nimport (\n\t\"embed\"\n\t\"fmt\"\n\t\"io/fs\"\n\t\"net/http\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n)\n\nfunc init() {\n\tversion.AddFeature(\"+bundle\")\n}\n\n//go:embed templates/*\nvar templatesFs embed.FS\n\n//go:embed static/*\nvar staticFs embed.FS\n\n//go:embed openapi/*\nvar openapiFs embed.FS\n\n// GetTemplatesFs returns the embedded filesystem with the SFTPGo templates\nfunc GetTemplatesFs() embed.FS {\n\treturn templatesFs\n}\n\n// GetStaticFs return the http Filesystem with the embedded static files\nfunc GetStaticFs() http.FileSystem {\n\tfsys, err := fs.Sub(staticFs, \"static\")\n\tif err != nil {\n\t\terr = fmt.Errorf(\"unable to get embedded filesystem for static files: %w\", err)\n\t\tpanic(err)\n\t}\n\treturn http.FS(fsys)\n}\n\n// GetOpenAPIFs return the http Filesystem with the embedded static files\nfunc GetOpenAPIFs() http.FileSystem {\n\tfsys, err := fs.Sub(openapiFs, \"openapi\")\n\tif err != nil {\n\t\terr = fmt.Errorf(\"unable to get embedded filesystem for OpenAPI files: %w\", err)\n\t\tpanic(err)\n\t}\n\treturn http.FS(fsys)\n}\n" }, { "path": "internal/cmd/acme.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage cmd\n\nimport (\n\t\"os\"\n\n\t\"github.com/rs/zerolog\"\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/acme\"\n\t\"github.com/drakkan/sftpgo/v2/internal/config\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nvar (\n\tacmeCmd = &cobra.Command{\n\t\tUse: \"acme\",\n\t\tShort: \"Obtain TLS certificates from ACME-based CAs like Let's Encrypt\",\n\t}\n\tacmeRunCmd = &cobra.Command{\n\t\tUse: \"run\",\n\t\tShort: \"Register your account and obtain certificates\",\n\t\tLong: `This command must be run to obtain TLS certificates the first time or every\ntime you add a new domain to your configuration file.\nCertificates are saved in the configured \"certs_path\".\nAfter this initial step, the certificates are automatically checked and\nrenewed by the SFTPGo service\n`,\n\t\tRun: func(_ *cobra.Command, _ []string) {\n\t\t\tlogger.DisableLogger()\n\t\t\tlogger.EnableConsoleLogger(zerolog.DebugLevel)\n\t\t\tconfigDir = util.CleanDirInput(configDir)\n\t\t\terr := config.LoadConfig(configDir, configFile)\n\t\t\tif err != nil {\n\t\t\t\tlogger.ErrorToConsole(\"Unable to initialize ACME, config load error: %v\", err)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tkmsConfig := config.GetKMSConfig()\n\t\t\terr = kmsConfig.Initialize()\n\t\t\tif err != nil {\n\t\t\t\tlogger.ErrorToConsole(\"unable to initialize KMS: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tif config.HasKMSPlugin() {\n\t\t\t\tif err := plugin.Initialize(config.GetPluginsConfig(), \"debug\"); err != nil {\n\t\t\t\t\tlogger.ErrorToConsole(\"unable to initialize plugin system: %v\", err)\n\t\t\t\t\tos.Exit(1)\n\t\t\t\t}\n\t\t\t\tregisterSignals()\n\t\t\t\tdefer plugin.Handler.Cleanup()\n\t\t\t}\n\n\t\t\tmfaConfig := config.GetMFAConfig()\n\t\t\terr = mfaConfig.Initialize()\n\t\t\tif err != nil {\n\t\t\t\tlogger.ErrorToConsole(\"Unable to initialize MFA: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tproviderConf := config.GetProviderConf()\n\t\t\terr = dataprovider.Initialize(providerConf, configDir, false)\n\t\t\tif err != nil {\n\t\t\t\tlogger.ErrorToConsole(\"error initializing data provider: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tacmeConfig := config.GetACMEConfig()\n\t\t\terr = acme.Initialize(acmeConfig, configDir, false)\n\t\t\tif err != nil {\n\t\t\t\tlogger.ErrorToConsole(\"Unable to initialize ACME configuration: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tif err = acme.GetCertificates(); err != nil {\n\t\t\t\tlogger.ErrorToConsole(\"Cannot get certificates: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t},\n\t}\n)\n\nfunc init() {\n\taddConfigFlags(acmeRunCmd)\n\tacmeCmd.AddCommand(acmeRunCmd)\n\trootCmd.AddCommand(acmeCmd)\n}\n" }, { "path": "internal/cmd/gen.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage cmd\n\nimport \"github.com/spf13/cobra\"\n\nvar genCmd = &cobra.Command{\n\tUse: \"gen\",\n\tShort: \"A collection of useful generators\",\n}\n\nfunc init() {\n\trootCmd.AddCommand(genCmd)\n}\n" }, { "path": "internal/cmd/gencompletion.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage cmd\n\nimport (\n\t\"os\"\n\n\t\"github.com/spf13/cobra\"\n)\n\nvar genCompletionCmd = &cobra.Command{\n\tUse: \"completion [bash|zsh|fish|powershell]\",\n\tShort: \"Generate the autocompletion script for the specified shell\",\n\tLong: `Generate the autocompletion script for sftpgo for the specified shell.\n\nSee each sub-command's help for details on how to use the generated script.\n`,\n}\n\nvar genCompletionBashCmd = &cobra.Command{\n\tUse: \"bash\",\n\tShort: \"Generate the autocompletion script for bash\",\n\tLong: `Generate the autocompletion script for the bash shell.\n\nThis script depends on the 'bash-completion' package.\nIf it is not installed already, you can install it via your OS's package\nmanager.\n\nTo load completions in your current shell session:\n\n$ source <(sftpgo gen completion bash)\n\nTo load completions for every new session, execute once:\n\nLinux:\n $ sudo sftpgo gen completion bash > /usr/share/bash-completion/completions/sftpgo\n\nMacOS:\n $ sudo sftpgo gen completion bash > /usr/local/etc/bash_completion.d/sftpgo\n\nYou will need to start a new shell for this setup to take effect.\n`,\n\tDisableFlagsInUseLine: true,\n\tRunE: func(cmd *cobra.Command, _ []string) error {\n\t\treturn cmd.Root().GenBashCompletionV2(os.Stdout, true)\n\t},\n}\n\nvar genCompletionZshCmd = &cobra.Command{\n\tUse: \"zsh\",\n\tShort: \"Generate the autocompletion script for zsh\",\n\tLong: `Generate the autocompletion script for the zsh shell.\n\nIf shell completion is not already enabled in your environment you will need\nto enable it. You can execute the following once:\n\n$ echo \"autoload -U compinit; compinit\" >> ~/.zshrc\n\nTo load completions for every new session, execute once:\n\nLinux:\n $ sftpgo gen completion zsh > > \"${fpath[1]}/_sftpgo\"\n\nmacOS:\n $ sudo sftpgo gen completion zsh > /usr/local/share/zsh/site-functions/_sftpgo\n\nYou will need to start a new shell for this setup to take effect.\n`,\n\tDisableFlagsInUseLine: true,\n\tRunE: func(cmd *cobra.Command, _ []string) error {\n\t\treturn cmd.Root().GenZshCompletion(os.Stdout)\n\t},\n}\n\nvar genCompletionFishCmd = &cobra.Command{\n\tUse: \"fish\",\n\tShort: \"Generate the autocompletion script for fish\",\n\tLong: `Generate the autocompletion script for the fish shell.\n\nTo load completions in your current shell session:\n\n$ sftpgo gen completion fish | source\n\nTo load completions for every new session, execute once:\n\n$ sftpgo gen completion fish > ~/.config/fish/completions/sftpgo.fish\n\nYou will need to start a new shell for this setup to take effect.\n`,\n\tDisableFlagsInUseLine: true,\n\tRunE: func(cmd *cobra.Command, _ []string) error {\n\t\treturn cmd.Root().GenFishCompletion(os.Stdout, true)\n\t},\n}\n\nvar genCompletionPowerShellCmd = &cobra.Command{\n\tUse: \"powershell\",\n\tShort: \"Generate the autocompletion script for powershell\",\n\tLong: `Generate the autocompletion script for powershell.\n\nTo load completions in your current shell session:\n\nPS C:\\> sftpgo gen completion powershell | Out-String | Invoke-Expression\n\nTo load completions for every new session, add the output of the above command\nto your powershell profile.\n`,\n\tDisableFlagsInUseLine: true,\n\tRunE: func(cmd *cobra.Command, _ []string) error {\n\t\treturn cmd.Root().GenPowerShellCompletionWithDesc(os.Stdout)\n\t},\n}\n\nfunc init() {\n\tgenCompletionCmd.AddCommand(genCompletionBashCmd)\n\tgenCompletionCmd.AddCommand(genCompletionZshCmd)\n\tgenCompletionCmd.AddCommand(genCompletionFishCmd)\n\tgenCompletionCmd.AddCommand(genCompletionPowerShellCmd)\n\n\tgenCmd.AddCommand(genCompletionCmd)\n}\n" }, { "path": "internal/cmd/genman.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage cmd\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"io/fs\"\n\t\"os\"\n\n\t\"github.com/rs/zerolog\"\n\t\"github.com/spf13/cobra\"\n\t\"github.com/spf13/cobra/doc\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n)\n\nvar (\n\tmanDir string\n\tgenManCmd = &cobra.Command{\n\t\tUse: \"man\",\n\t\tShort: \"Generate man pages for sftpgo\",\n\t\tLong: `This command automatically generates up-to-date man pages of SFTPGo's\ncommand-line interface.\nBy default, it creates the man page files in the \"man\" directory under the\ncurrent directory.\n`,\n\t\tRun: func(cmd *cobra.Command, _ []string) {\n\t\t\tlogger.DisableLogger()\n\t\t\tlogger.EnableConsoleLogger(zerolog.DebugLevel)\n\t\t\tif _, err := os.Stat(manDir); errors.Is(err, fs.ErrNotExist) {\n\t\t\t\terr = os.MkdirAll(manDir, os.ModePerm)\n\t\t\t\tif err != nil {\n\t\t\t\t\tlogger.WarnToConsole(\"Unable to generate man page files: %v\", err)\n\t\t\t\t\tos.Exit(1)\n\t\t\t\t}\n\t\t\t}\n\t\t\theader := &doc.GenManHeader{\n\t\t\t\tSection: \"1\",\n\t\t\t\tManual: \"SFTPGo Manual\",\n\t\t\t\tSource: fmt.Sprintf(\"SFTPGo %v\", version.Get().Version),\n\t\t\t}\n\t\t\tcmd.Root().DisableAutoGenTag = true\n\t\t\terr := doc.GenManTree(cmd.Root(), header, manDir)\n\t\t\tif err != nil {\n\t\t\t\tlogger.WarnToConsole(\"Unable to generate man page files: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t},\n\t}\n)\n\nfunc init() {\n\tgenManCmd.Flags().StringVarP(&manDir, \"dir\", \"d\", \"man\", \"The directory to write the man pages\")\n\tgenCmd.AddCommand(genManCmd)\n}\n" }, { "path": "internal/cmd/initprovider.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage cmd\n\nimport (\n\t\"os\"\n\n\t\"github.com/rs/zerolog\"\n\t\"github.com/spf13/cobra\"\n\t\"github.com/spf13/viper\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/config\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n\t\"github.com/drakkan/sftpgo/v2/internal/service\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nvar (\n\tinitProviderCmd = &cobra.Command{\n\t\tUse: \"initprovider\",\n\t\tShort: \"Initialize and/or updates the configured data provider\",\n\t\tLong: `This command reads the data provider connection details from the specified\nconfiguration file and creates the initial structure or update the existing one,\nas needed.\n\nSome data providers such as bolt and memory does not require an initialization\nbut they could require an update to the existing data after upgrading SFTPGo.\n\nFor SQLite/bolt providers the database file will be auto-created if missing.\n\nFor PostgreSQL and MySQL providers you need to create the configured database,\nthis command will create/update the required tables as needed.\n\nTo initialize/update the data provider from the configuration directory simply use:\n\n$ sftpgo initprovider\n\nAny defined action is ignored.\nPlease take a look at the usage below to customize the options.`,\n\t\tRun: func(_ *cobra.Command, _ []string) {\n\t\t\tlogger.DisableLogger()\n\t\t\tlogger.EnableConsoleLogger(zerolog.DebugLevel)\n\t\t\tconfigDir = util.CleanDirInput(configDir)\n\t\t\terr := config.LoadConfig(configDir, configFile)\n\t\t\tif err != nil {\n\t\t\t\tlogger.ErrorToConsole(\"Unable to initialize data provider, config load error: %v\", err)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tkmsConfig := config.GetKMSConfig()\n\t\t\terr = kmsConfig.Initialize()\n\t\t\tif err != nil {\n\t\t\t\tlogger.ErrorToConsole(\"Unable to initialize KMS: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tif config.HasKMSPlugin() {\n\t\t\t\tif err := plugin.Initialize(config.GetPluginsConfig(), \"debug\"); err != nil {\n\t\t\t\t\tlogger.ErrorToConsole(\"unable to initialize plugin system: %v\", err)\n\t\t\t\t\tos.Exit(1)\n\t\t\t\t}\n\t\t\t\tregisterSignals()\n\t\t\t\tdefer plugin.Handler.Cleanup()\n\t\t\t}\n\n\t\t\tmfaConfig := config.GetMFAConfig()\n\t\t\terr = mfaConfig.Initialize()\n\t\t\tif err != nil {\n\t\t\t\tlogger.ErrorToConsole(\"Unable to initialize MFA: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tproviderConf := config.GetProviderConf()\n\t\t\t// ignore actions\n\t\t\tproviderConf.Actions.Hook = \"\"\n\t\t\tproviderConf.Actions.ExecuteFor = nil\n\t\t\tproviderConf.Actions.ExecuteOn = nil\n\t\t\tlogger.InfoToConsole(\"Initializing provider: %q config file: %q\", providerConf.Driver, viper.ConfigFileUsed())\n\t\t\terr = dataprovider.InitializeDatabase(providerConf, configDir)\n\t\t\tswitch err {\n\t\t\tcase nil:\n\t\t\t\tlogger.InfoToConsole(\"Data provider successfully initialized/updated\")\n\t\t\tcase dataprovider.ErrNoInitRequired:\n\t\t\t\tlogger.InfoToConsole(\"%v\", err.Error())\n\t\t\tdefault:\n\t\t\t\tlogger.ErrorToConsole(\"Unable to initialize/update the data provider: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tif providerConf.Driver != dataprovider.MemoryDataProviderName && loadDataFrom != \"\" {\n\t\t\t\tif err := common.Initialize(config.GetCommonConfig(), providerConf.GetShared()); err != nil {\n\t\t\t\t\tlogger.ErrorToConsole(\"%v\", err)\n\t\t\t\t\tos.Exit(1)\n\t\t\t\t}\n\t\t\t\tservice := service.Service{\n\t\t\t\t\tLoadDataFrom: loadDataFrom,\n\t\t\t\t\tLoadDataMode: loadDataMode,\n\t\t\t\t\tLoadDataQuotaScan: loadDataQuotaScan,\n\t\t\t\t\tLoadDataClean: loadDataClean,\n\t\t\t\t}\n\t\t\t\tif err = service.LoadInitialData(); err != nil {\n\t\t\t\t\tlogger.ErrorToConsole(\"Cannot load initial data: %v\", err)\n\t\t\t\t\tos.Exit(1)\n\t\t\t\t}\n\t\t\t}\n\t\t},\n\t}\n)\n\nfunc init() {\n\trootCmd.AddCommand(initProviderCmd)\n\taddConfigFlags(initProviderCmd)\n\taddBaseLoadDataFlags(initProviderCmd)\n}\n" }, { "path": "internal/cmd/install_windows.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage cmd\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"strconv\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/service\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nvar (\n\tinstallCmd = &cobra.Command{\n\t\tUse: \"install\",\n\t\tShort: \"Install SFTPGo as Windows Service\",\n\t\tLong: `To install the SFTPGo Windows Service with the default values for the command\nline flags simply use:\n\nsftpgo service install\n\nPlease take a look at the usage below to customize the startup options`,\n\t\tRun: func(_ *cobra.Command, _ []string) {\n\t\t\ts := service.Service{\n\t\t\t\tConfigDir: util.CleanDirInput(configDir),\n\t\t\t\tConfigFile: configFile,\n\t\t\t\tLogFilePath: logFilePath,\n\t\t\t\tLogMaxSize: logMaxSize,\n\t\t\t\tLogMaxBackups: logMaxBackups,\n\t\t\t\tLogMaxAge: logMaxAge,\n\t\t\t\tLogCompress: logCompress,\n\t\t\t\tLogLevel: logLevel,\n\t\t\t\tLogUTCTime: logUTCTime,\n\t\t\t\tShutdown: make(chan bool),\n\t\t\t}\n\t\t\twinService := service.WindowsService{\n\t\t\t\tService: s,\n\t\t\t}\n\t\t\tserviceArgs := []string{\"service\", \"start\"}\n\t\t\tcustomFlags := getCustomServeFlags()\n\t\t\tif len(customFlags) > 0 {\n\t\t\t\tserviceArgs = append(serviceArgs, customFlags...)\n\t\t\t}\n\t\t\terr := winService.Install(serviceArgs...)\n\t\t\tif err != nil {\n\t\t\t\tfmt.Printf(\"Error installing service: %v\\r\\n\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t} else {\n\t\t\t\tfmt.Printf(\"Service installed!\\r\\n\")\n\t\t\t}\n\t\t},\n\t}\n)\n\nfunc init() {\n\tserviceCmd.AddCommand(installCmd)\n\taddServeFlags(installCmd)\n}\n\nfunc getCustomServeFlags() []string {\n\tresult := []string{}\n\tif configDir != defaultConfigDir {\n\t\tconfigDir = util.CleanDirInput(configDir)\n\t\tresult = append(result, \"--\"+configDirFlag)\n\t\tresult = append(result, configDir)\n\t}\n\tif configFile != defaultConfigFile {\n\t\tresult = append(result, \"--\"+configFileFlag)\n\t\tresult = append(result, configFile)\n\t}\n\tif logFilePath != defaultLogFile {\n\t\tresult = append(result, \"--\"+logFilePathFlag)\n\t\tresult = append(result, logFilePath)\n\t}\n\tif logMaxSize != defaultLogMaxSize {\n\t\tresult = append(result, \"--\"+logMaxSizeFlag)\n\t\tresult = append(result, strconv.Itoa(logMaxSize))\n\t}\n\tif logMaxBackups != defaultLogMaxBackup {\n\t\tresult = append(result, \"--\"+logMaxBackupFlag)\n\t\tresult = append(result, strconv.Itoa(logMaxBackups))\n\t}\n\tif logMaxAge != defaultLogMaxAge {\n\t\tresult = append(result, \"--\"+logMaxAgeFlag)\n\t\tresult = append(result, strconv.Itoa(logMaxAge))\n\t}\n\tif logLevel != defaultLogLevel {\n\t\tresult = append(result, \"--\"+logLevelFlag)\n\t\tresult = append(result, logLevel)\n\t}\n\tif logUTCTime != defaultLogUTCTime {\n\t\tresult = append(result, \"--\"+logUTCTimeFlag+\"=true\")\n\t}\n\tif logCompress != defaultLogCompress {\n\t\tresult = append(result, \"--\"+logCompressFlag+\"=true\")\n\t}\n\tif graceTime != defaultGraceTime {\n\t\tresult = append(result, \"--\"+graceTimeFlag)\n\t\tresult = append(result, strconv.Itoa(graceTime))\n\t}\n\treturn result\n}\n" }, { "path": "internal/cmd/ping.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage cmd\n\nimport (\n\t\"fmt\"\n\t\"net/http\"\n\t\"os\"\n\n\t\"github.com/rs/zerolog\"\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/config\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpclient\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nfunc getHealthzURLFromBindings(bindings []httpd.Binding) string {\n\tfor _, b := range bindings {\n\t\tif b.Port > 0 && b.IsValid() {\n\t\t\tvar url string\n\t\t\tif b.EnableHTTPS {\n\t\t\t\turl = \"https://\"\n\t\t\t} else {\n\t\t\t\turl = \"http://\"\n\t\t\t}\n\t\t\tif b.Address == \"\" {\n\t\t\t\turl += \"127.0.0.1\"\n\t\t\t} else {\n\t\t\t\turl += b.Address\n\t\t\t}\n\t\t\turl += fmt.Sprintf(\":%d\", b.Port)\n\t\t\turl += \"/healthz\"\n\t\t\treturn url\n\t\t}\n\t}\n\treturn \"\"\n}\n\nvar (\n\tpingCmd = &cobra.Command{\n\t\tUse: \"ping\",\n\t\tShort: \"Issues an health check to SFTPGo\",\n\t\tLong: `This command is only useful in environments where system commands like\n\"curl\", \"wget\" and similar are not available.\nChecks over UNIX domain sockets are not supported`,\n\t\tRun: func(_ *cobra.Command, _ []string) {\n\t\t\tlogger.DisableLogger()\n\t\t\tlogger.EnableConsoleLogger(zerolog.DebugLevel)\n\t\t\tconfigDir = util.CleanDirInput(configDir)\n\t\t\terr := config.LoadConfig(configDir, configFile)\n\t\t\tif err != nil {\n\t\t\t\tlogger.WarnToConsole(\"Unable to load configuration: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\thttpConfig := config.GetHTTPConfig()\n\t\t\terr = httpConfig.Initialize(configDir)\n\t\t\tif err != nil {\n\t\t\t\tlogger.ErrorToConsole(\"error initializing http client: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\ttelemetryConfig := config.GetTelemetryConfig()\n\t\t\tvar url string\n\t\t\tif telemetryConfig.BindPort > 0 {\n\t\t\t\tif telemetryConfig.CertificateFile != \"\" && telemetryConfig.CertificateKeyFile != \"\" {\n\t\t\t\t\turl += \"https://\"\n\t\t\t\t} else {\n\t\t\t\t\turl += \"http://\"\n\t\t\t\t}\n\t\t\t\tif telemetryConfig.BindAddress == \"\" {\n\t\t\t\t\turl += \"127.0.0.1\"\n\t\t\t\t} else {\n\t\t\t\t\turl += telemetryConfig.BindAddress\n\t\t\t\t}\n\t\t\t\turl += fmt.Sprintf(\":%d\", telemetryConfig.BindPort)\n\t\t\t\turl += \"/healthz\"\n\t\t\t}\n\t\t\tif url == \"\" {\n\t\t\t\thttpdConfig := config.GetHTTPDConfig()\n\t\t\t\turl = getHealthzURLFromBindings(httpdConfig.Bindings)\n\t\t\t}\n\t\t\tif url == \"\" {\n\t\t\t\tlogger.ErrorToConsole(\"no suitable configuration found, please enable the telemetry server or REST API over HTTP/S\")\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\n\t\t\tlogger.DebugToConsole(\"Health Check URL %q\", url)\n\t\t\tresp, err := httpclient.RetryableGet(url)\n\t\t\tif err != nil {\n\t\t\t\tlogger.ErrorToConsole(\"Unable to connect to SFTPGo: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tdefer resp.Body.Close()\n\t\t\tif resp.StatusCode != http.StatusOK {\n\t\t\t\tlogger.ErrorToConsole(\"Unexpected status code %d\", resp.StatusCode)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tlogger.InfoToConsole(\"OK\")\n\t\t},\n\t}\n)\n\nfunc init() {\n\taddConfigFlags(pingCmd)\n\trootCmd.AddCommand(pingCmd)\n}\n" }, { "path": "internal/cmd/portable.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build !noportable\n\npackage cmd\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"strings\"\n\n\t\"github.com/sftpgo/sdk\"\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/service\"\n\t\"github.com/drakkan/sftpgo/v2/internal/sftpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nvar (\n\tdirectoryToServe string\n\tportableSFTPDPort int\n\tportableUsername string\n\tportablePassword string\n\tportablePasswordFile string\n\tportableStartDir string\n\tportableLogFile string\n\tportableLogLevel string\n\tportableLogUTCTime bool\n\tportablePublicKeys []string\n\tportablePermissions []string\n\tportableSSHCommands []string\n\tportableAllowedPatterns []string\n\tportableDeniedPatterns []string\n\tportableFsProvider string\n\tportableS3Bucket string\n\tportableS3Region string\n\tportableS3AccessKey string\n\tportableS3AccessSecret string\n\tportableS3RoleARN string\n\tportableS3Endpoint string\n\tportableS3StorageClass string\n\tportableS3ACL string\n\tportableS3KeyPrefix string\n\tportableS3ULPartSize int\n\tportableS3ULConcurrency int\n\tportableS3ForcePathStyle bool\n\tportableS3SkipTLSVerify bool\n\tportableGCSBucket string\n\tportableGCSCredentialsFile string\n\tportableGCSAutoCredentials int\n\tportableGCSStorageClass string\n\tportableGCSKeyPrefix string\n\tportableFTPDPort int\n\tportableFTPSCert string\n\tportableFTPSKey string\n\tportableWebDAVPort int\n\tportableWebDAVCert string\n\tportableWebDAVKey string\n\tportableHTTPPort int\n\tportableHTTPSCert string\n\tportableHTTPSKey string\n\tportableAzContainer string\n\tportableAzAccountName string\n\tportableAzAccountKey string\n\tportableAzEndpoint string\n\tportableAzAccessTier string\n\tportableAzSASURL string\n\tportableAzKeyPrefix string\n\tportableAzULPartSize int\n\tportableAzULConcurrency int\n\tportableAzDLPartSize int\n\tportableAzDLConcurrency int\n\tportableAzUseEmulator bool\n\tportableCryptPassphrase string\n\tportableSFTPEndpoint string\n\tportableSFTPUsername string\n\tportableSFTPPassword string\n\tportableSFTPPrivateKeyPath string\n\tportableSFTPFingerprints []string\n\tportableSFTPPrefix string\n\tportableSFTPDisableConcurrentReads bool\n\tportableSFTPDBufferSize int64\n\tportableCmd = &cobra.Command{\n\t\tUse: \"portable\",\n\t\tShort: \"Serve a single directory/account\",\n\t\tLong: `To serve the current working directory with auto generated credentials simply\nuse:\n\n$ sftpgo portable\n\nPlease take a look at the usage below to customize the serving parameters`,\n\t\tRun: func(_ *cobra.Command, _ []string) {\n\t\t\tportableDir := directoryToServe\n\t\t\tfsProvider := dataprovider.GetProviderFromValue(convertFsProvider())\n\t\t\tif !filepath.IsAbs(portableDir) {\n\t\t\t\tif fsProvider == sdk.LocalFilesystemProvider {\n\t\t\t\t\tportableDir, _ = filepath.Abs(portableDir)\n\t\t\t\t} else {\n\t\t\t\t\tportableDir = os.TempDir()\n\t\t\t\t}\n\t\t\t}\n\t\t\tpermissions := make(map[string][]string)\n\t\t\tpermissions[\"/\"] = portablePermissions\n\t\t\tportableGCSCredentials := \"\"\n\t\t\tif fsProvider == sdk.GCSFilesystemProvider && portableGCSCredentialsFile != \"\" {\n\t\t\t\tcontents, err := getFileContents(portableGCSCredentialsFile)\n\t\t\t\tif err != nil {\n\t\t\t\t\tfmt.Printf(\"Unable to get GCS credentials: %v\\n\", err)\n\t\t\t\t\tos.Exit(1)\n\t\t\t\t}\n\t\t\t\tportableGCSCredentials = contents\n\t\t\t\tportableGCSAutoCredentials = 0\n\t\t\t}\n\t\t\tportableSFTPPrivateKey := \"\"\n\t\t\tif fsProvider == sdk.SFTPFilesystemProvider && portableSFTPPrivateKeyPath != \"\" {\n\t\t\t\tcontents, err := getFileContents(portableSFTPPrivateKeyPath)\n\t\t\t\tif err != nil {\n\t\t\t\t\tfmt.Printf(\"Unable to get SFTP private key: %v\\n\", err)\n\t\t\t\t\tos.Exit(1)\n\t\t\t\t}\n\t\t\t\tportableSFTPPrivateKey = contents\n\t\t\t}\n\t\t\tif portableFTPDPort >= 0 && portableFTPSCert != \"\" && portableFTPSKey != \"\" {\n\t\t\t\tkeyPairs := []common.TLSKeyPair{\n\t\t\t\t\t{\n\t\t\t\t\t\tCert: portableFTPSCert,\n\t\t\t\t\t\tKey: portableFTPSKey,\n\t\t\t\t\t\tID: common.DefaultTLSKeyPaidID,\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t\t_, err := common.NewCertManager(keyPairs, filepath.Clean(defaultConfigDir),\n\t\t\t\t\t\"FTP portable\")\n\t\t\t\tif err != nil {\n\t\t\t\t\tfmt.Printf(\"Unable to load FTPS key pair, cert file %q key file %q error: %v\\n\",\n\t\t\t\t\t\tportableFTPSCert, portableFTPSKey, err)\n\t\t\t\t\tos.Exit(1)\n\t\t\t\t}\n\t\t\t}\n\t\t\tif portableWebDAVPort >= 0 && portableWebDAVCert != \"\" && portableWebDAVKey != \"\" {\n\t\t\t\tkeyPairs := []common.TLSKeyPair{\n\t\t\t\t\t{\n\t\t\t\t\t\tCert: portableWebDAVCert,\n\t\t\t\t\t\tKey: portableWebDAVKey,\n\t\t\t\t\t\tID: common.DefaultTLSKeyPaidID,\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t\t_, err := common.NewCertManager(keyPairs, filepath.Clean(defaultConfigDir),\n\t\t\t\t\t\"WebDAV portable\")\n\t\t\t\tif err != nil {\n\t\t\t\t\tfmt.Printf(\"Unable to load WebDAV key pair, cert file %q key file %q error: %v\\n\",\n\t\t\t\t\t\tportableWebDAVCert, portableWebDAVKey, err)\n\t\t\t\t\tos.Exit(1)\n\t\t\t\t}\n\t\t\t}\n\t\t\tif portableHTTPPort >= 0 && portableHTTPSCert != \"\" && portableHTTPSKey != \"\" {\n\t\t\t\tkeyPairs := []common.TLSKeyPair{\n\t\t\t\t\t{\n\t\t\t\t\t\tCert: portableHTTPSCert,\n\t\t\t\t\t\tKey: portableHTTPSKey,\n\t\t\t\t\t\tID: common.DefaultTLSKeyPaidID,\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t\t_, err := common.NewCertManager(keyPairs, filepath.Clean(defaultConfigDir),\n\t\t\t\t\t\"HTTP portable\")\n\t\t\t\tif err != nil {\n\t\t\t\t\tfmt.Printf(\"Unable to load HTTPS key pair, cert file %q key file %q error: %v\\n\",\n\t\t\t\t\t\tportableHTTPSCert, portableHTTPSKey, err)\n\t\t\t\t\tos.Exit(1)\n\t\t\t\t}\n\t\t\t}\n\t\t\tpwd := portablePassword\n\t\t\tif portablePasswordFile != \"\" {\n\t\t\t\tcontent, err := os.ReadFile(portablePasswordFile)\n\t\t\t\tif err != nil {\n\t\t\t\t\tfmt.Printf(\"Unable to read password file %q: %v\", portablePasswordFile, err)\n\t\t\t\t\tos.Exit(1)\n\t\t\t\t}\n\t\t\t\tpwd = strings.TrimSpace(util.BytesToString(content))\n\t\t\t}\n\t\t\tservice.SetGraceTime(graceTime)\n\t\t\tservice := service.Service{\n\t\t\t\tConfigDir: util.CleanDirInput(configDir),\n\t\t\t\tConfigFile: configFile,\n\t\t\t\tLogFilePath: portableLogFile,\n\t\t\t\tLogMaxSize: defaultLogMaxSize,\n\t\t\t\tLogMaxBackups: defaultLogMaxBackup,\n\t\t\t\tLogMaxAge: defaultLogMaxAge,\n\t\t\t\tLogCompress: defaultLogCompress,\n\t\t\t\tLogLevel: portableLogLevel,\n\t\t\t\tLogUTCTime: portableLogUTCTime,\n\t\t\t\tShutdown: make(chan bool),\n\t\t\t\tPortableMode: 1,\n\t\t\t\tPortableUser: dataprovider.User{\n\t\t\t\t\tBaseUser: sdk.BaseUser{\n\t\t\t\t\t\tUsername: portableUsername,\n\t\t\t\t\t\tPassword: pwd,\n\t\t\t\t\t\tPublicKeys: portablePublicKeys,\n\t\t\t\t\t\tPermissions: permissions,\n\t\t\t\t\t\tHomeDir: portableDir,\n\t\t\t\t\t\tStatus: 1,\n\t\t\t\t\t},\n\t\t\t\t\tFilters: dataprovider.UserFilters{\n\t\t\t\t\t\tBaseUserFilters: sdk.BaseUserFilters{\n\t\t\t\t\t\t\tFilePatterns: parsePatternsFilesFilters(),\n\t\t\t\t\t\t\tStartDirectory: portableStartDir,\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tFsConfig: vfs.Filesystem{\n\t\t\t\t\t\tProvider: fsProvider,\n\t\t\t\t\t\tS3Config: vfs.S3FsConfig{\n\t\t\t\t\t\t\tBaseS3FsConfig: sdk.BaseS3FsConfig{\n\t\t\t\t\t\t\t\tBucket: portableS3Bucket,\n\t\t\t\t\t\t\t\tRegion: portableS3Region,\n\t\t\t\t\t\t\t\tAccessKey: portableS3AccessKey,\n\t\t\t\t\t\t\t\tRoleARN: portableS3RoleARN,\n\t\t\t\t\t\t\t\tEndpoint: portableS3Endpoint,\n\t\t\t\t\t\t\t\tStorageClass: portableS3StorageClass,\n\t\t\t\t\t\t\t\tACL: portableS3ACL,\n\t\t\t\t\t\t\t\tKeyPrefix: portableS3KeyPrefix,\n\t\t\t\t\t\t\t\tUploadPartSize: int64(portableS3ULPartSize),\n\t\t\t\t\t\t\t\tUploadConcurrency: portableS3ULConcurrency,\n\t\t\t\t\t\t\t\tForcePathStyle: portableS3ForcePathStyle,\n\t\t\t\t\t\t\t\tSkipTLSVerify: portableS3SkipTLSVerify,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tAccessSecret: kms.NewPlainSecret(portableS3AccessSecret),\n\t\t\t\t\t\t},\n\t\t\t\t\t\tGCSConfig: vfs.GCSFsConfig{\n\t\t\t\t\t\t\tBaseGCSFsConfig: sdk.BaseGCSFsConfig{\n\t\t\t\t\t\t\t\tBucket: portableGCSBucket,\n\t\t\t\t\t\t\t\tAutomaticCredentials: portableGCSAutoCredentials,\n\t\t\t\t\t\t\t\tStorageClass: portableGCSStorageClass,\n\t\t\t\t\t\t\t\tKeyPrefix: portableGCSKeyPrefix,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tCredentials: kms.NewPlainSecret(portableGCSCredentials),\n\t\t\t\t\t\t},\n\t\t\t\t\t\tAzBlobConfig: vfs.AzBlobFsConfig{\n\t\t\t\t\t\t\tBaseAzBlobFsConfig: sdk.BaseAzBlobFsConfig{\n\t\t\t\t\t\t\t\tContainer: portableAzContainer,\n\t\t\t\t\t\t\t\tAccountName: portableAzAccountName,\n\t\t\t\t\t\t\t\tEndpoint: portableAzEndpoint,\n\t\t\t\t\t\t\t\tAccessTier: portableAzAccessTier,\n\t\t\t\t\t\t\t\tKeyPrefix: portableAzKeyPrefix,\n\t\t\t\t\t\t\t\tUseEmulator: portableAzUseEmulator,\n\t\t\t\t\t\t\t\tUploadPartSize: int64(portableAzULPartSize),\n\t\t\t\t\t\t\t\tUploadConcurrency: portableAzULConcurrency,\n\t\t\t\t\t\t\t\tDownloadPartSize: int64(portableAzDLPartSize),\n\t\t\t\t\t\t\t\tDownloadConcurrency: portableAzDLConcurrency,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tAccountKey: kms.NewPlainSecret(portableAzAccountKey),\n\t\t\t\t\t\t\tSASURL: kms.NewPlainSecret(portableAzSASURL),\n\t\t\t\t\t\t},\n\t\t\t\t\t\tCryptConfig: vfs.CryptFsConfig{\n\t\t\t\t\t\t\tPassphrase: kms.NewPlainSecret(portableCryptPassphrase),\n\t\t\t\t\t\t},\n\t\t\t\t\t\tSFTPConfig: vfs.SFTPFsConfig{\n\t\t\t\t\t\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\t\t\t\t\t\tEndpoint: portableSFTPEndpoint,\n\t\t\t\t\t\t\t\tUsername: portableSFTPUsername,\n\t\t\t\t\t\t\t\tFingerprints: portableSFTPFingerprints,\n\t\t\t\t\t\t\t\tPrefix: portableSFTPPrefix,\n\t\t\t\t\t\t\t\tDisableCouncurrentReads: portableSFTPDisableConcurrentReads,\n\t\t\t\t\t\t\t\tBufferSize: portableSFTPDBufferSize,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tPassword: kms.NewPlainSecret(portableSFTPPassword),\n\t\t\t\t\t\t\tPrivateKey: kms.NewPlainSecret(portableSFTPPrivateKey),\n\t\t\t\t\t\t\tKeyPassphrase: kms.NewEmptySecret(),\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t}\n\t\t\terr := service.StartPortableMode(portableSFTPDPort, portableFTPDPort, portableWebDAVPort, portableHTTPPort,\n\t\t\t\tportableSSHCommands, portableFTPSCert, portableFTPSKey, portableWebDAVCert, portableWebDAVKey,\n\t\t\t\tportableHTTPSCert, portableHTTPSKey)\n\t\t\tif err == nil {\n\t\t\t\tservice.Wait()\n\t\t\t\tif service.Error == nil {\n\t\t\t\t\tos.Exit(0)\n\t\t\t\t}\n\t\t\t}\n\t\t\tos.Exit(1)\n\t\t},\n\t}\n)\n\nfunc init() {\n\tversion.AddFeature(\"+portable\")\n\n\tportableCmd.Flags().StringVarP(&directoryToServe, \"directory\", \"d\", \".\", `Path to the directory to serve.\nThis can be an absolute path or a path\nrelative to the current directory\n`)\n\tportableCmd.Flags().StringVar(&portableStartDir, \"start-directory\", \"/\", `Alternate start directory.\nThis is a virtual path not a filesystem\npath`)\n\tportableCmd.Flags().IntVarP(&portableSFTPDPort, \"sftpd-port\", \"s\", 0, `0 means a random unprivileged port,\n< 0 disabled`)\n\tportableCmd.Flags().IntVar(&portableFTPDPort, \"ftpd-port\", -1, `0 means a random unprivileged port,\n< 0 disabled`)\n\tportableCmd.Flags().IntVar(&portableWebDAVPort, \"webdav-port\", -1, `0 means a random unprivileged port,\n< 0 disabled`)\n\tportableCmd.Flags().IntVar(&portableHTTPPort, \"httpd-port\", -1, `0 means a random unprivileged port,\n< 0 disabled`)\n\tportableCmd.Flags().StringSliceVar(&portableSSHCommands, \"ssh-commands\", sftpd.GetDefaultSSHCommands(),\n\t\t`SSH commands to enable.\n\"*\" means any supported SSH command\nincluding scp\n`)\n\tportableCmd.Flags().StringVarP(&portableUsername, \"username\", \"u\", \"\", `Leave empty to use an auto generated\nvalue`)\n\tportableCmd.Flags().StringVarP(&portablePassword, \"password\", \"p\", \"\", `Leave empty to use an auto generated\nvalue`)\n\tportableCmd.Flags().StringVar(&portablePasswordFile, \"password-file\", \"\", `Read the password from the specified\nfile path. Leave empty to use an auto\ngenerated value`)\n\tportableCmd.Flags().StringVarP(&portableLogFile, logFilePathFlag, \"l\", \"\", \"Leave empty to disable logging\")\n\tportableCmd.Flags().StringVar(&portableLogLevel, logLevelFlag, defaultLogLevel, `Set the log level.\nSupported values:\n\ndebug, info, warn, error.\n`)\n\tportableCmd.Flags().BoolVar(&portableLogUTCTime, logUTCTimeFlag, false, \"Use UTC time for logging\")\n\tportableCmd.Flags().StringSliceVarP(&portablePublicKeys, \"public-key\", \"k\", []string{}, \"\")\n\tportableCmd.Flags().StringSliceVarP(&portablePermissions, \"permissions\", \"g\", []string{\"list\", \"download\"},\n\t\t`User's permissions. \"*\" means any\npermission`)\n\tportableCmd.Flags().StringArrayVar(&portableAllowedPatterns, \"allowed-patterns\", []string{},\n\t\t`Allowed file patterns case insensitive.\nThe format is:\n/dir::pattern1,pattern2.\nFor example: \"/somedir::*.jpg,a*b?.png\"`)\n\tportableCmd.Flags().StringArrayVar(&portableDeniedPatterns, \"denied-patterns\", []string{},\n\t\t`Denied file patterns case insensitive.\nThe format is:\n/dir::pattern1,pattern2.\nFor example: \"/somedir::*.jpg,a*b?.png\"`)\n\tportableCmd.Flags().StringVarP(&portableFsProvider, \"fs-provider\", \"f\", \"osfs\", `osfs => local filesystem (legacy value: 0)\ns3fs => AWS S3 compatible (legacy: 1)\ngcsfs => Google Cloud Storage (legacy: 2)\nazblobfs => Azure Blob Storage (legacy: 3)\ncryptfs => Encrypted local filesystem (legacy: 4)\nsftpfs => SFTP (legacy: 5)`)\n\tportableCmd.Flags().StringVar(&portableS3Bucket, \"s3-bucket\", \"\", \"\")\n\tportableCmd.Flags().StringVar(&portableS3Region, \"s3-region\", \"\", \"\")\n\tportableCmd.Flags().StringVar(&portableS3AccessKey, \"s3-access-key\", \"\", \"\")\n\tportableCmd.Flags().StringVar(&portableS3AccessSecret, \"s3-access-secret\", \"\", \"\")\n\tportableCmd.Flags().StringVar(&portableS3RoleARN, \"s3-role-arn\", \"\", \"\")\n\tportableCmd.Flags().StringVar(&portableS3Endpoint, \"s3-endpoint\", \"\", \"\")\n\tportableCmd.Flags().StringVar(&portableS3StorageClass, \"s3-storage-class\", \"\", \"\")\n\tportableCmd.Flags().StringVar(&portableS3ACL, \"s3-acl\", \"\", \"\")\n\tportableCmd.Flags().StringVar(&portableS3KeyPrefix, \"s3-key-prefix\", \"\", `Allows to restrict access to the\nvirtual folder identified by this\nprefix and its contents`)\n\tportableCmd.Flags().IntVar(&portableS3ULPartSize, \"s3-upload-part-size\", 5, `The buffer size for multipart uploads\n(MB)`)\n\tportableCmd.Flags().IntVar(&portableS3ULConcurrency, \"s3-upload-concurrency\", 2, `How many parts are uploaded in\nparallel`)\n\tportableCmd.Flags().BoolVar(&portableS3ForcePathStyle, \"s3-force-path-style\", false, `Force path style bucket URL`)\n\tportableCmd.Flags().BoolVar(&portableS3SkipTLSVerify, \"s3-skip-tls-verify\", false, `If enabled the S3 client accepts any TLS\ncertificate presented by the server and\nany host name in that certificate.\nIn this mode, TLS is susceptible to\nman-in-the-middle attacks.\nThis should be used only for testing.\n`)\n\tportableCmd.Flags().StringVar(&portableGCSBucket, \"gcs-bucket\", \"\", \"\")\n\tportableCmd.Flags().StringVar(&portableGCSStorageClass, \"gcs-storage-class\", \"\", \"\")\n\tportableCmd.Flags().StringVar(&portableGCSKeyPrefix, \"gcs-key-prefix\", \"\", `Allows to restrict access to the\nvirtual folder identified by this\nprefix and its contents`)\n\tportableCmd.Flags().StringVar(&portableGCSCredentialsFile, \"gcs-credentials-file\", \"\", `Google Cloud Storage JSON credentials\nfile`)\n\tportableCmd.Flags().IntVar(&portableGCSAutoCredentials, \"gcs-automatic-credentials\", 1, `0 means explicit credentials using\na JSON credentials file, 1 automatic\n`)\n\tportableCmd.Flags().StringVar(&portableFTPSCert, \"ftpd-cert\", \"\", \"Path to the certificate file for FTPS\")\n\tportableCmd.Flags().StringVar(&portableFTPSKey, \"ftpd-key\", \"\", \"Path to the key file for FTPS\")\n\tportableCmd.Flags().StringVar(&portableWebDAVCert, \"webdav-cert\", \"\", `Path to the certificate file for WebDAV\nover HTTPS`)\n\tportableCmd.Flags().StringVar(&portableWebDAVKey, \"webdav-key\", \"\", `Path to the key file for WebDAV over\nHTTPS`)\n\tportableCmd.Flags().StringVar(&portableHTTPSCert, \"httpd-cert\", \"\", `Path to the certificate file for WebClient\nover HTTPS`)\n\tportableCmd.Flags().StringVar(&portableHTTPSKey, \"httpd-key\", \"\", `Path to the key file for WebClient over\nHTTPS`)\n\tportableCmd.Flags().StringVar(&portableAzContainer, \"az-container\", \"\", \"\")\n\tportableCmd.Flags().StringVar(&portableAzAccountName, \"az-account-name\", \"\", \"\")\n\tportableCmd.Flags().StringVar(&portableAzAccountKey, \"az-account-key\", \"\", \"\")\n\tportableCmd.Flags().StringVar(&portableAzSASURL, \"az-sas-url\", \"\", `Shared access signature URL`)\n\tportableCmd.Flags().StringVar(&portableAzEndpoint, \"az-endpoint\", \"\", `Leave empty to use the default:\n\"blob.core.windows.net\"`)\n\tportableCmd.Flags().StringVar(&portableAzAccessTier, \"az-access-tier\", \"\", `Leave empty to use the default\ncontainer setting`)\n\tportableCmd.Flags().StringVar(&portableAzKeyPrefix, \"az-key-prefix\", \"\", `Allows to restrict access to the\nvirtual folder identified by this\nprefix and its contents`)\n\tportableCmd.Flags().IntVar(&portableAzULPartSize, \"az-upload-part-size\", 5, `The buffer size for multipart uploads\n(MB)`)\n\tportableCmd.Flags().IntVar(&portableAzULConcurrency, \"az-upload-concurrency\", 5, `How many parts are uploaded in\nparallel`)\n\tportableCmd.Flags().IntVar(&portableAzDLPartSize, \"az-download-part-size\", 5, `The buffer size for multipart downloads\n(MB)`)\n\tportableCmd.Flags().IntVar(&portableAzDLConcurrency, \"az-download-concurrency\", 5, `How many parts are downloaded in\nparallel`)\n\tportableCmd.Flags().BoolVar(&portableAzUseEmulator, \"az-use-emulator\", false, \"\")\n\tportableCmd.Flags().StringVar(&portableCryptPassphrase, \"crypto-passphrase\", \"\", `Passphrase for encryption/decryption`)\n\tportableCmd.Flags().StringVar(&portableSFTPEndpoint, \"sftp-endpoint\", \"\", `SFTP endpoint as host:port for SFTP\nprovider`)\n\tportableCmd.Flags().StringVar(&portableSFTPUsername, \"sftp-username\", \"\", `SFTP user for SFTP provider`)\n\tportableCmd.Flags().StringVar(&portableSFTPPassword, \"sftp-password\", \"\", `SFTP password for SFTP provider`)\n\tportableCmd.Flags().StringVar(&portableSFTPPrivateKeyPath, \"sftp-key-path\", \"\", `SFTP private key path for SFTP provider`)\n\tportableCmd.Flags().StringSliceVar(&portableSFTPFingerprints, \"sftp-fingerprints\", []string{}, `SFTP fingerprints to verify remote host\nkey for SFTP provider`)\n\tportableCmd.Flags().StringVar(&portableSFTPPrefix, \"sftp-prefix\", \"\", `SFTP prefix allows restrict all\noperations to a given path within the\nremote SFTP server`)\n\tportableCmd.Flags().BoolVar(&portableSFTPDisableConcurrentReads, \"sftp-disable-concurrent-reads\", false, `Concurrent reads are safe to use and\ndisabling them will degrade performance.\nDisable for read once servers`)\n\tportableCmd.Flags().Int64Var(&portableSFTPDBufferSize, \"sftp-buffer-size\", 0, `The size of the buffer (in MB) to use\nfor transfers. By enabling buffering,\nthe reads and writes, from/to the\nremote SFTP server, are split in\nmultiple concurrent requests and this\nallows data to be transferred at a\nfaster rate, over high latency networks,\nby overlapping round-trip times`)\n\tportableCmd.Flags().IntVar(&graceTime, graceTimeFlag, 0,\n\t\t`This grace time defines the number of\nseconds allowed for existing transfers\nto get completed before shutting down.\nA graceful shutdown is triggered by an\ninterrupt signal.\n`)\n\taddConfigFlags(portableCmd)\n\trootCmd.AddCommand(portableCmd)\n}\n\nfunc parsePatternsFilesFilters() []sdk.PatternsFilter {\n\tvar patterns []sdk.PatternsFilter\n\tfor _, val := range portableAllowedPatterns {\n\t\tp, exts := getPatternsFilterValues(strings.TrimSpace(val))\n\t\tif p != \"\" {\n\t\t\tpatterns = append(patterns, sdk.PatternsFilter{\n\t\t\t\tPath: path.Clean(p),\n\t\t\t\tAllowedPatterns: exts,\n\t\t\t\tDeniedPatterns: []string{},\n\t\t\t})\n\t\t}\n\t}\n\tfor _, val := range portableDeniedPatterns {\n\t\tp, exts := getPatternsFilterValues(strings.TrimSpace(val))\n\t\tif p != \"\" {\n\t\t\tfound := false\n\t\t\tfor index, e := range patterns {\n\t\t\t\tif path.Clean(e.Path) == path.Clean(p) {\n\t\t\t\t\tpatterns[index].DeniedPatterns = append(patterns[index].DeniedPatterns, exts...)\n\t\t\t\t\tfound = true\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t\tif !found {\n\t\t\t\tpatterns = append(patterns, sdk.PatternsFilter{\n\t\t\t\t\tPath: path.Clean(p),\n\t\t\t\t\tAllowedPatterns: []string{},\n\t\t\t\t\tDeniedPatterns: exts,\n\t\t\t\t})\n\t\t\t}\n\t\t}\n\t}\n\treturn patterns\n}\n\nfunc getPatternsFilterValues(value string) (string, []string) {\n\tif strings.Contains(value, \"::\") {\n\t\tdirExts := strings.Split(value, \"::\")\n\t\tif len(dirExts) > 1 {\n\t\t\tdir := strings.TrimSpace(dirExts[0])\n\t\t\texts := []string{}\n\t\t\tfor e := range strings.SplitSeq(dirExts[1], \",\") {\n\t\t\t\tcleanedExt := strings.TrimSpace(e)\n\t\t\t\tif cleanedExt != \"\" {\n\t\t\t\t\texts = append(exts, cleanedExt)\n\t\t\t\t}\n\t\t\t}\n\t\t\tif dir != \"\" && len(exts) > 0 {\n\t\t\t\treturn dir, exts\n\t\t\t}\n\t\t}\n\t}\n\treturn \"\", nil\n}\n\nfunc getFileContents(name string) (string, error) {\n\tfi, err := os.Stat(name)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tif fi.Size() > 1048576 {\n\t\treturn \"\", fmt.Errorf(\"%q is too big %v/1048576 bytes\", name, fi.Size())\n\t}\n\tcontents, err := os.ReadFile(name)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn util.BytesToString(contents), nil\n}\n\nfunc convertFsProvider() string {\n\tswitch portableFsProvider {\n\tcase \"osfs\", \"6\": // httpfs (6) is not supported in portable mode, so return the default\n\t\treturn \"0\"\n\tcase \"s3fs\":\n\t\treturn \"1\"\n\tcase \"gcsfs\":\n\t\treturn \"2\"\n\tcase \"azblobfs\":\n\t\treturn \"3\"\n\tcase \"cryptfs\":\n\t\treturn \"4\"\n\tcase \"sftpfs\":\n\t\treturn \"5\"\n\tdefault:\n\t\treturn portableFsProvider\n\t}\n}\n" }, { "path": "internal/cmd/portable_disabled.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build noportable\n\npackage cmd\n\nimport \"github.com/drakkan/sftpgo/v2/internal/version\"\n\nfunc init() {\n\tversion.AddFeature(\"-portable\")\n}\n" }, { "path": "internal/cmd/reload_windows.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage cmd\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/service\"\n)\n\nvar (\n\treloadCmd = &cobra.Command{\n\t\tUse: \"reload\",\n\t\tShort: \"Reload the SFTPGo Windows Service sending a \\\"paramchange\\\" request\",\n\t\tRun: func(_ *cobra.Command, _ []string) {\n\t\t\ts := service.WindowsService{\n\t\t\t\tService: service.Service{\n\t\t\t\t\tShutdown: make(chan bool),\n\t\t\t\t},\n\t\t\t}\n\t\t\terr := s.Reload()\n\t\t\tif err != nil {\n\t\t\t\tfmt.Printf(\"Error sending reload signal: %v\\r\\n\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t} else {\n\t\t\t\tfmt.Printf(\"Reload signal sent!\\r\\n\")\n\t\t\t}\n\t\t},\n\t}\n)\n\nfunc init() {\n\tserviceCmd.AddCommand(reloadCmd)\n}\n" }, { "path": "internal/cmd/resetprovider.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage cmd\n\nimport (\n\t\"bufio\"\n\t\"os\"\n\t\"strings\"\n\n\t\"github.com/rs/zerolog\"\n\t\"github.com/spf13/cobra\"\n\t\"github.com/spf13/viper\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/config\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nvar (\n\tresetProviderForce bool\n\tresetProviderCmd = &cobra.Command{\n\t\tUse: \"resetprovider\",\n\t\tShort: \"Reset the configured provider, any data will be lost\",\n\t\tLong: `This command reads the data provider connection details from the specified\nconfiguration file and resets the provider by deleting all data and schemas.\nThis command is not supported for the memory provider.\n\nPlease take a look at the usage below to customize the options.`,\n\t\tRun: func(_ *cobra.Command, _ []string) {\n\t\t\tlogger.DisableLogger()\n\t\t\tlogger.EnableConsoleLogger(zerolog.DebugLevel)\n\t\t\tconfigDir = util.CleanDirInput(configDir)\n\t\t\terr := config.LoadConfig(configDir, configFile)\n\t\t\tif err != nil {\n\t\t\t\tlogger.WarnToConsole(\"Unable to load configuration: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tkmsConfig := config.GetKMSConfig()\n\t\t\terr = kmsConfig.Initialize()\n\t\t\tif err != nil {\n\t\t\t\tlogger.ErrorToConsole(\"unable to initialize KMS: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tproviderConf := config.GetProviderConf()\n\t\t\tif !resetProviderForce {\n\t\t\t\tlogger.WarnToConsole(\"You are about to delete all the SFTPGo data for provider %q, config file: %q\",\n\t\t\t\t\tproviderConf.Driver, viper.ConfigFileUsed())\n\t\t\t\tlogger.WarnToConsole(\"Are you sure? (Y/n)\")\n\t\t\t\treader := bufio.NewReader(os.Stdin)\n\t\t\t\tanswer, err := reader.ReadString('\\n')\n\t\t\t\tif err != nil {\n\t\t\t\t\tlogger.ErrorToConsole(\"unable to read your answer: %v\", err)\n\t\t\t\t\tos.Exit(1)\n\t\t\t\t}\n\t\t\t\tif strings.ToUpper(strings.TrimSpace(answer)) != \"Y\" {\n\t\t\t\t\tlogger.InfoToConsole(\"command aborted\")\n\t\t\t\t\tos.Exit(1)\n\t\t\t\t}\n\t\t\t}\n\t\t\tlogger.InfoToConsole(\"Resetting provider: %q, config file: %q\", providerConf.Driver, viper.ConfigFileUsed())\n\t\t\terr = dataprovider.ResetDatabase(providerConf, configDir)\n\t\t\tif err != nil {\n\t\t\t\tlogger.WarnToConsole(\"Error resetting provider: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tlogger.InfoToConsole(\"Tha data provider was successfully reset\")\n\t\t},\n\t}\n)\n\nfunc init() {\n\taddConfigFlags(resetProviderCmd)\n\tresetProviderCmd.Flags().BoolVar(&resetProviderForce, \"force\", false, `reset the provider without asking for confirmation`)\n\n\trootCmd.AddCommand(resetProviderCmd)\n}\n" }, { "path": "internal/cmd/resetpwd.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage cmd\n\nimport (\n\t\"bytes\"\n\t\"fmt\"\n\t\"os\"\n\n\t\"github.com/rs/zerolog\"\n\t\"github.com/spf13/cobra\"\n\t\"github.com/spf13/viper\"\n\t\"golang.org/x/term\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/config\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nvar (\n\tresetPwdAdmin string\n\tresetPwdCmd = &cobra.Command{\n\t\tUse: \"resetpwd\",\n\t\tShort: \"Reset the password for the specified administrator\",\n\t\tLong: `This command reads the data provider connection details from the specified\nconfiguration file and resets the password for the specified administrator.\nTwo-factor authentication is also disabled.\nThis command is not supported for the memory provider.\nFor embedded providers like bolt and SQLite you should stop the running SFTPGo\ninstance to avoid database corruption.\n\nPlease take a look at the usage below to customize the options.`,\n\t\tRun: func(_ *cobra.Command, _ []string) {\n\t\t\tlogger.DisableLogger()\n\t\t\tlogger.EnableConsoleLogger(zerolog.DebugLevel)\n\t\t\tconfigDir = util.CleanDirInput(configDir)\n\t\t\terr := config.LoadConfig(configDir, configFile)\n\t\t\tif err != nil {\n\t\t\t\tlogger.WarnToConsole(\"Unable to load configuration: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tkmsConfig := config.GetKMSConfig()\n\t\t\terr = kmsConfig.Initialize()\n\t\t\tif err != nil {\n\t\t\t\tlogger.ErrorToConsole(\"unable to initialize KMS: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tif config.HasKMSPlugin() {\n\t\t\t\tif err := plugin.Initialize(config.GetPluginsConfig(), \"debug\"); err != nil {\n\t\t\t\t\tlogger.ErrorToConsole(\"unable to initialize plugin system: %v\", err)\n\t\t\t\t\tos.Exit(1)\n\t\t\t\t}\n\t\t\t\tregisterSignals()\n\t\t\t\tdefer plugin.Handler.Cleanup()\n\t\t\t}\n\n\t\t\tmfaConfig := config.GetMFAConfig()\n\t\t\terr = mfaConfig.Initialize()\n\t\t\tif err != nil {\n\t\t\t\tlogger.ErrorToConsole(\"Unable to initialize MFA: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tproviderConf := config.GetProviderConf()\n\t\t\tif providerConf.Driver == dataprovider.MemoryDataProviderName {\n\t\t\t\tlogger.ErrorToConsole(\"memory provider is not supported\")\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tlogger.InfoToConsole(\"Initializing provider: %q config file: %q\", providerConf.Driver, viper.ConfigFileUsed())\n\t\t\terr = dataprovider.Initialize(providerConf, configDir, false)\n\t\t\tif err != nil {\n\t\t\t\tlogger.ErrorToConsole(\"Unable to initialize data provider: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tadmin, err := dataprovider.AdminExists(resetPwdAdmin)\n\t\t\tif err != nil {\n\t\t\t\tlogger.ErrorToConsole(\"Unable to get admin %q: %v\", resetPwdAdmin, err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tfmt.Printf(\"Enter Password: \")\n\t\t\tpwd, err := term.ReadPassword(int(os.Stdin.Fd()))\n\t\t\tif err != nil {\n\t\t\t\tlogger.ErrorToConsole(\"Unable to read the password: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tfmt.Println(\"\")\n\t\t\tfmt.Printf(\"Confirm Password: \")\n\t\t\tconfirmPwd, err := term.ReadPassword(int(os.Stdin.Fd()))\n\t\t\tif err != nil {\n\t\t\t\tlogger.ErrorToConsole(\"Unable to read the password: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tfmt.Println(\"\")\n\t\t\tif !bytes.Equal(pwd, confirmPwd) {\n\t\t\t\tlogger.ErrorToConsole(\"Passwords do not match\")\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tadmin.Password = string(pwd)\n\t\t\tadmin.Filters.TOTPConfig.Enabled = false\n\t\t\tif err := dataprovider.UpdateAdmin(&admin, dataprovider.ActionExecutorSystem, \"\", \"\"); err != nil {\n\t\t\t\tlogger.ErrorToConsole(\"Unable to update password: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tlogger.InfoToConsole(\"Password updated for admin %q\", resetPwdAdmin)\n\t\t},\n\t}\n)\n\nfunc init() {\n\taddConfigFlags(resetPwdCmd)\n\tresetPwdCmd.Flags().StringVar(&resetPwdAdmin, \"admin\", \"\", `Administrator username whose password to reset`)\n\tresetPwdCmd.MarkFlagRequired(\"admin\") //nolint:errcheck\n\n\trootCmd.AddCommand(resetPwdCmd)\n}\n" }, { "path": "internal/cmd/revertprovider.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage cmd\n\nimport (\n\t\"os\"\n\n\t\"github.com/rs/zerolog\"\n\t\"github.com/spf13/cobra\"\n\t\"github.com/spf13/viper\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/config\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nvar (\n\trevertProviderTargetVersion int\n\trevertProviderCmd = &cobra.Command{\n\t\tUse: \"revertprovider\",\n\t\tShort: \"Revert the configured data provider to a previous version\",\n\t\tLong: `This command reads the data provider connection details from the specified\nconfiguration file and restore the provider schema and/or data to a previous version.\nThis command is not supported for the memory provider.\n\nPlease take a look at the usage below to customize the options.`,\n\t\tRun: func(_ *cobra.Command, _ []string) {\n\t\t\tlogger.DisableLogger()\n\t\t\tlogger.EnableConsoleLogger(zerolog.DebugLevel)\n\t\t\tif revertProviderTargetVersion != 33 {\n\t\t\t\tlogger.WarnToConsole(\"Unsupported target version, 33 is the only supported one\")\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tconfigDir = util.CleanDirInput(configDir)\n\t\t\terr := config.LoadConfig(configDir, configFile)\n\t\t\tif err != nil {\n\t\t\t\tlogger.WarnToConsole(\"Unable to load configuration: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tkmsConfig := config.GetKMSConfig()\n\t\t\terr = kmsConfig.Initialize()\n\t\t\tif err != nil {\n\t\t\t\tlogger.ErrorToConsole(\"unable to initialize KMS: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tif config.HasKMSPlugin() {\n\t\t\t\tif err := plugin.Initialize(config.GetPluginsConfig(), \"debug\"); err != nil {\n\t\t\t\t\tlogger.ErrorToConsole(\"unable to initialize plugin system: %v\", err)\n\t\t\t\t\tos.Exit(1)\n\t\t\t\t}\n\t\t\t\tregisterSignals()\n\t\t\t\tdefer plugin.Handler.Cleanup()\n\t\t\t}\n\n\t\t\tmfaConfig := config.GetMFAConfig()\n\t\t\terr = mfaConfig.Initialize()\n\t\t\tif err != nil {\n\t\t\t\tlogger.ErrorToConsole(\"Unable to initialize MFA: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tproviderConf := config.GetProviderConf()\n\t\t\tlogger.InfoToConsole(\"Reverting provider: %q config file: %q target version %d\", providerConf.Driver,\n\t\t\t\tviper.ConfigFileUsed(), revertProviderTargetVersion)\n\t\t\terr = dataprovider.RevertDatabase(providerConf, configDir, revertProviderTargetVersion)\n\t\t\tif err != nil {\n\t\t\t\tlogger.WarnToConsole(\"Error reverting provider: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tlogger.InfoToConsole(\"Data provider successfully reverted\")\n\t\t},\n\t}\n)\n\nfunc init() {\n\taddConfigFlags(revertProviderCmd)\n\trevertProviderCmd.Flags().IntVar(&revertProviderTargetVersion, \"to-version\", 33, `33 means the version supported in v2.7.x`)\n\n\trootCmd.AddCommand(revertProviderCmd)\n}\n" }, { "path": "internal/cmd/root.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n// Package cmd provides Command Line Interface support\npackage cmd\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\n\t\"github.com/spf13/cobra\"\n\t\"github.com/spf13/viper\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n)\n\nconst (\n\tconfigDirFlag = \"config-dir\"\n\tconfigDirKey = \"config_dir\"\n\tconfigFileFlag = \"config-file\"\n\tconfigFileKey = \"config_file\"\n\tlogFilePathFlag = \"log-file-path\"\n\tlogFilePathKey = \"log_file_path\"\n\tlogMaxSizeFlag = \"log-max-size\"\n\tlogMaxSizeKey = \"log_max_size\"\n\tlogMaxBackupFlag = \"log-max-backups\"\n\tlogMaxBackupKey = \"log_max_backups\"\n\tlogMaxAgeFlag = \"log-max-age\"\n\tlogMaxAgeKey = \"log_max_age\"\n\tlogCompressFlag = \"log-compress\"\n\tlogCompressKey = \"log_compress\"\n\tlogLevelFlag = \"log-level\"\n\tlogLevelKey = \"log_level\"\n\tlogUTCTimeFlag = \"log-utc-time\"\n\tlogUTCTimeKey = \"log_utc_time\"\n\tloadDataFromFlag = \"loaddata-from\"\n\tloadDataFromKey = \"loaddata_from\"\n\tloadDataModeFlag = \"loaddata-mode\"\n\tloadDataModeKey = \"loaddata_mode\"\n\tloadDataQuotaScanFlag = \"loaddata-scan\"\n\tloadDataQuotaScanKey = \"loaddata_scan\"\n\tloadDataCleanFlag = \"loaddata-clean\"\n\tloadDataCleanKey = \"loaddata_clean\"\n\tgraceTimeFlag = \"grace-time\"\n\tgraceTimeKey = \"grace_time\"\n\tdefaultConfigDir = \".\"\n\tdefaultConfigFile = \"\"\n\tdefaultLogFile = \"sftpgo.log\"\n\tdefaultLogMaxSize = 10\n\tdefaultLogMaxBackup = 5\n\tdefaultLogMaxAge = 28\n\tdefaultLogCompress = false\n\tdefaultLogLevel = \"debug\"\n\tdefaultLogUTCTime = false\n\tdefaultLoadDataFrom = \"\"\n\tdefaultLoadDataMode = 1\n\tdefaultLoadDataQuotaScan = 0\n\tdefaultLoadDataClean = false\n\tdefaultGraceTime = 0\n)\n\nvar (\n\tconfigDir string\n\tconfigFile string\n\tlogFilePath string\n\tlogMaxSize int\n\tlogMaxBackups int\n\tlogMaxAge int\n\tlogCompress bool\n\tlogLevel string\n\tlogUTCTime bool\n\tloadDataFrom string\n\tloadDataMode int\n\tloadDataQuotaScan int\n\tloadDataClean bool\n\tgraceTime int\n\n\trootCmd = &cobra.Command{\n\t\tUse: \"sftpgo\",\n\t\tShort: \"Full-featured and highly configurable file transfer server\",\n\t}\n)\n\nfunc init() {\n\trootCmd.CompletionOptions.DisableDefaultCmd = true\n\trootCmd.Flags().BoolP(\"version\", \"v\", false, \"\")\n\trootCmd.Version = version.GetAsString()\n\trootCmd.SetVersionTemplate(`{{printf \"SFTPGo \"}}{{printf \"%s\" .Version}}\n`)\n}\n\n// Execute adds all child commands to the root command and sets flags appropriately.\n// This is called by main.main(). It only needs to happen once to the rootCmd.\nfunc Execute() {\n\tif err := rootCmd.Execute(); err != nil {\n\t\tfmt.Println(err)\n\t\tos.Exit(1)\n\t}\n}\n\nfunc addConfigFlags(cmd *cobra.Command) {\n\tviper.SetDefault(configDirKey, defaultConfigDir)\n\tviper.BindEnv(configDirKey, \"SFTPGO_CONFIG_DIR\") //nolint:errcheck // err is not nil only if the key to bind is missing\n\tcmd.Flags().StringVarP(&configDir, configDirFlag, \"c\", viper.GetString(configDirKey),\n\t\t`Location of the config dir. This directory\nis used as the base for files with a relative\npath, e.g. the private keys for the SFTP\nserver or the database file if you use a\nfile-based data provider.\nThe configuration file, if not explicitly set,\nis looked for in this dir. We support reading\nfrom JSON, TOML, YAML, HCL, envfile and Java\nproperties config files. The default config\nfile name is \"sftpgo\" and therefore\n\"sftpgo.json\", \"sftpgo.yaml\" and so on are\nsearched.\nThis flag can be set using SFTPGO_CONFIG_DIR\nenv var too.`)\n\tviper.BindPFlag(configDirKey, cmd.Flags().Lookup(configDirFlag)) //nolint:errcheck\n\n\tviper.SetDefault(configFileKey, defaultConfigFile)\n\tviper.BindEnv(configFileKey, \"SFTPGO_CONFIG_FILE\") //nolint:errcheck\n\tcmd.Flags().StringVar(&configFile, configFileFlag, viper.GetString(configFileKey),\n\t\t`Path to SFTPGo configuration file.\nThis flag explicitly defines the path, name\nand extension of the config file. If must be\nan absolute path or a path relative to the\nconfiguration directory. The specified file\nname must have a supported extension (JSON,\nYAML, TOML, HCL or Java properties).\nThis flag can be set using SFTPGO_CONFIG_FILE\nenv var too.`)\n\tviper.BindPFlag(configFileKey, cmd.Flags().Lookup(configFileFlag)) //nolint:errcheck\n}\n\nfunc addBaseLoadDataFlags(cmd *cobra.Command) {\n\tviper.SetDefault(loadDataFromKey, defaultLoadDataFrom)\n\tviper.BindEnv(loadDataFromKey, \"SFTPGO_LOADDATA_FROM\") //nolint:errcheck\n\tcmd.Flags().StringVar(&loadDataFrom, loadDataFromFlag, viper.GetString(loadDataFromKey),\n\t\t`Load users and folders from this file.\nThe file must be specified as absolute path\nand it must contain a backup obtained using\nthe \"dumpdata\" REST API or compatible content.\nThis flag can be set using SFTPGO_LOADDATA_FROM\nenv var too.\n`)\n\tviper.BindPFlag(loadDataFromKey, cmd.Flags().Lookup(loadDataFromFlag)) //nolint:errcheck\n\n\tviper.SetDefault(loadDataModeKey, defaultLoadDataMode)\n\tviper.BindEnv(loadDataModeKey, \"SFTPGO_LOADDATA_MODE\") //nolint:errcheck\n\tcmd.Flags().IntVar(&loadDataMode, loadDataModeFlag, viper.GetInt(loadDataModeKey),\n\t\t`Restore mode for data to load:\n 0 - new users are added, existing users are\n updated\n 1 - New users are added, existing users are\n\t not modified\nThis flag can be set using SFTPGO_LOADDATA_MODE\nenv var too.\n`)\n\tviper.BindPFlag(loadDataModeKey, cmd.Flags().Lookup(loadDataModeFlag)) //nolint:errcheck\n\n\tviper.SetDefault(loadDataCleanKey, defaultLoadDataClean)\n\tviper.BindEnv(loadDataCleanKey, \"SFTPGO_LOADDATA_CLEAN\") //nolint:errcheck\n\tcmd.Flags().BoolVar(&loadDataClean, loadDataCleanFlag, viper.GetBool(loadDataCleanKey),\n\t\t`Determine if the loaddata-from file should\nbe removed after a successful load. This flag\ncan be set using SFTPGO_LOADDATA_CLEAN env var\ntoo. (default \"false\")\n`)\n\tviper.BindPFlag(loadDataCleanKey, cmd.Flags().Lookup(loadDataCleanFlag)) //nolint:errcheck\n}\n\nfunc addServeFlags(cmd *cobra.Command) {\n\taddConfigFlags(cmd)\n\n\tviper.SetDefault(logFilePathKey, defaultLogFile)\n\tviper.BindEnv(logFilePathKey, \"SFTPGO_LOG_FILE_PATH\") //nolint:errcheck\n\tcmd.Flags().StringVarP(&logFilePath, logFilePathFlag, \"l\", viper.GetString(logFilePathKey),\n\t\t`Location for the log file. Leave empty to write\nlogs to the standard output. This flag can be\nset using SFTPGO_LOG_FILE_PATH env var too.\n`)\n\tviper.BindPFlag(logFilePathKey, cmd.Flags().Lookup(logFilePathFlag)) //nolint:errcheck\n\n\tviper.SetDefault(logMaxSizeKey, defaultLogMaxSize)\n\tviper.BindEnv(logMaxSizeKey, \"SFTPGO_LOG_MAX_SIZE\") //nolint:errcheck\n\tcmd.Flags().IntVarP(&logMaxSize, logMaxSizeFlag, \"s\", viper.GetInt(logMaxSizeKey),\n\t\t`Maximum size in megabytes of the log file\nbefore it gets rotated. This flag can be set\nusing SFTPGO_LOG_MAX_SIZE env var too. It is\nunused if log-file-path is empty.\n`)\n\tviper.BindPFlag(logMaxSizeKey, cmd.Flags().Lookup(logMaxSizeFlag)) //nolint:errcheck\n\n\tviper.SetDefault(logMaxBackupKey, defaultLogMaxBackup)\n\tviper.BindEnv(logMaxBackupKey, \"SFTPGO_LOG_MAX_BACKUPS\") //nolint:errcheck\n\tcmd.Flags().IntVarP(&logMaxBackups, \"log-max-backups\", \"b\", viper.GetInt(logMaxBackupKey),\n\t\t`Maximum number of old log files to retain.\nThis flag can be set using SFTPGO_LOG_MAX_BACKUPS\nenv var too. It is unused if log-file-path is\nempty.`)\n\tviper.BindPFlag(logMaxBackupKey, cmd.Flags().Lookup(logMaxBackupFlag)) //nolint:errcheck\n\n\tviper.SetDefault(logMaxAgeKey, defaultLogMaxAge)\n\tviper.BindEnv(logMaxAgeKey, \"SFTPGO_LOG_MAX_AGE\") //nolint:errcheck\n\tcmd.Flags().IntVarP(&logMaxAge, \"log-max-age\", \"a\", viper.GetInt(logMaxAgeKey),\n\t\t`Maximum number of days to retain old log files.\nThis flag can be set using SFTPGO_LOG_MAX_AGE env\nvar too. It is unused if log-file-path is empty.\n`)\n\tviper.BindPFlag(logMaxAgeKey, cmd.Flags().Lookup(logMaxAgeFlag)) //nolint:errcheck\n\n\tviper.SetDefault(logCompressKey, defaultLogCompress)\n\tviper.BindEnv(logCompressKey, \"SFTPGO_LOG_COMPRESS\") //nolint:errcheck\n\tcmd.Flags().BoolVarP(&logCompress, logCompressFlag, \"z\", viper.GetBool(logCompressKey),\n\t\t`Determine if the rotated log files\nshould be compressed using gzip. This flag can\nbe set using SFTPGO_LOG_COMPRESS env var too.\nIt is unused if log-file-path is empty.\n`)\n\tviper.BindPFlag(logCompressKey, cmd.Flags().Lookup(logCompressFlag)) //nolint:errcheck\n\n\tviper.SetDefault(logLevelKey, defaultLogLevel)\n\tviper.BindEnv(logLevelKey, \"SFTPGO_LOG_LEVEL\") //nolint:errcheck\n\tcmd.Flags().StringVar(&logLevel, logLevelFlag, viper.GetString(logLevelKey),\n\t\t`Set the log level. Supported values:\n\ndebug, info, warn, error.\n\nThis flag can be set\nusing SFTPGO_LOG_LEVEL env var too.\n`)\n\tviper.BindPFlag(logLevelKey, cmd.Flags().Lookup(logLevelFlag)) //nolint:errcheck\n\n\tviper.SetDefault(logUTCTimeKey, defaultLogUTCTime)\n\tviper.BindEnv(logUTCTimeKey, \"SFTPGO_LOG_UTC_TIME\") //nolint:errcheck\n\tcmd.Flags().BoolVar(&logUTCTime, logUTCTimeFlag, viper.GetBool(logUTCTimeKey),\n\t\t`Use UTC time for logging. This flag can be set\nusing SFTPGO_LOG_UTC_TIME env var too.\n`)\n\tviper.BindPFlag(logUTCTimeKey, cmd.Flags().Lookup(logUTCTimeFlag)) //nolint:errcheck\n\n\taddBaseLoadDataFlags(cmd)\n\n\tviper.SetDefault(loadDataQuotaScanKey, defaultLoadDataQuotaScan)\n\tviper.BindEnv(loadDataQuotaScanKey, \"SFTPGO_LOADDATA_QUOTA_SCAN\") //nolint:errcheck\n\tcmd.Flags().IntVar(&loadDataQuotaScan, loadDataQuotaScanFlag, viper.GetInt(loadDataQuotaScanKey),\n\t\t`Quota scan mode after data load:\n 0 - no quota scan\n 1 - scan quota\n 2 - scan quota if the user has quota restrictions\nThis flag can be set using SFTPGO_LOADDATA_QUOTA_SCAN\nenv var too.\n(default 0)`)\n\tviper.BindPFlag(loadDataQuotaScanKey, cmd.Flags().Lookup(loadDataQuotaScanFlag)) //nolint:errcheck\n\n\tviper.SetDefault(graceTimeKey, defaultGraceTime)\n\tviper.BindEnv(graceTimeKey, \"SFTPGO_GRACE_TIME\") //nolint:errcheck\n\tcmd.Flags().IntVar(&graceTime, graceTimeFlag, viper.GetInt(graceTimeKey),\n\t\t`Graceful shutdown is an option to initiate a\nshutdown without abrupt cancellation of the\ncurrently ongoing client-initiated transfer\nsessions.\nThis grace time defines the number of seconds\nallowed for existing transfers to get\ncompleted before shutting down.\nA graceful shutdown is triggered by an\ninterrupt signal.\nThis flag can be set using SFTPGO_GRACE_TIME env\nvar too. 0 means disabled. (default 0)`)\n\tviper.BindPFlag(graceTimeKey, cmd.Flags().Lookup(graceTimeFlag)) //nolint:errcheck\n}\n" }, { "path": "internal/cmd/rotatelogs_windows.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage cmd\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/service\"\n)\n\nvar (\n\trotateLogCmd = &cobra.Command{\n\t\tUse: \"rotatelogs\",\n\t\tShort: \"Signal to the running service to rotate the logs\",\n\t\tRun: func(_ *cobra.Command, _ []string) {\n\t\t\ts := service.WindowsService{\n\t\t\t\tService: service.Service{\n\t\t\t\t\tShutdown: make(chan bool),\n\t\t\t\t},\n\t\t\t}\n\t\t\terr := s.RotateLogFile()\n\t\t\tif err != nil {\n\t\t\t\tfmt.Printf(\"Error sending rotate log file signal to the service: %v\\r\\n\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t} else {\n\t\t\t\tfmt.Printf(\"Rotate log file signal sent!\\r\\n\")\n\t\t\t}\n\t\t},\n\t}\n)\n\nfunc init() {\n\tserviceCmd.AddCommand(rotateLogCmd)\n}\n" }, { "path": "internal/cmd/serve.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage cmd\n\nimport (\n\t\"os\"\n\t\"path/filepath\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"github.com/spf13/cobra\"\n\t\"github.com/subosito/gotenv\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/service\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nconst (\n\tenvFileMaxSize = 1048576\n)\n\nvar (\n\tserveCmd = &cobra.Command{\n\t\tUse: \"serve\",\n\t\tShort: \"Start the SFTPGo service\",\n\t\tLong: `To start the SFTPGo with the default values for the command line flags simply\nuse:\n\n$ sftpgo serve\n\nPlease take a look at the usage below to customize the startup options`,\n\t\tRun: func(_ *cobra.Command, _ []string) {\n\t\t\tconfigDir := util.CleanDirInput(configDir)\n\t\t\tcheckServeParamsFromEnvFiles(configDir)\n\t\t\tservice.SetGraceTime(graceTime)\n\t\t\tservice := service.Service{\n\t\t\t\tConfigDir: configDir,\n\t\t\t\tConfigFile: configFile,\n\t\t\t\tLogFilePath: logFilePath,\n\t\t\t\tLogMaxSize: logMaxSize,\n\t\t\t\tLogMaxBackups: logMaxBackups,\n\t\t\t\tLogMaxAge: logMaxAge,\n\t\t\t\tLogCompress: logCompress,\n\t\t\t\tLogLevel: logLevel,\n\t\t\t\tLogUTCTime: logUTCTime,\n\t\t\t\tLoadDataFrom: loadDataFrom,\n\t\t\t\tLoadDataMode: loadDataMode,\n\t\t\t\tLoadDataQuotaScan: loadDataQuotaScan,\n\t\t\t\tLoadDataClean: loadDataClean,\n\t\t\t\tShutdown: make(chan bool),\n\t\t\t}\n\t\t\tif err := service.Start(); err == nil {\n\t\t\t\tservice.Wait()\n\t\t\t\tif service.Error == nil {\n\t\t\t\t\tos.Exit(0)\n\t\t\t\t}\n\t\t\t}\n\t\t\tos.Exit(1)\n\t\t},\n\t}\n)\n\nfunc setIntFromEnv(receiver *int, val string) {\n\tconverted, err := strconv.Atoi(val)\n\tif err == nil {\n\t\t*receiver = converted\n\t}\n}\n\nfunc setBoolFromEnv(receiver *bool, val string) {\n\tconverted, err := strconv.ParseBool(strings.TrimSpace(val))\n\tif err == nil {\n\t\t*receiver = converted\n\t}\n}\n\nfunc checkServeParamsFromEnvFiles(configDir string) { //nolint:gocyclo\n\t// The logger is not yet initialized here, we have no way to report errors.\n\tenvd := filepath.Join(configDir, \"env.d\")\n\tentries, err := os.ReadDir(envd)\n\tif err != nil {\n\t\treturn\n\t}\n\tfor _, entry := range entries {\n\t\tinfo, err := entry.Info()\n\t\tif err == nil && info.Mode().IsRegular() {\n\t\t\tenvFile := filepath.Join(envd, entry.Name())\n\t\t\tif info.Size() > envFileMaxSize {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tenvVars, err := gotenv.Read(envFile)\n\t\t\tif err != nil {\n\t\t\t\treturn\n\t\t\t}\n\t\t\tfor k, v := range envVars {\n\t\t\t\tif _, isSet := os.LookupEnv(k); isSet {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tswitch k {\n\t\t\t\tcase \"SFTPGO_LOG_FILE_PATH\":\n\t\t\t\t\tlogFilePath = v\n\t\t\t\tcase \"SFTPGO_LOG_MAX_SIZE\":\n\t\t\t\t\tsetIntFromEnv(&logMaxSize, v)\n\t\t\t\tcase \"SFTPGO_LOG_MAX_BACKUPS\":\n\t\t\t\t\tsetIntFromEnv(&logMaxBackups, v)\n\t\t\t\tcase \"SFTPGO_LOG_MAX_AGE\":\n\t\t\t\t\tsetIntFromEnv(&logMaxAge, v)\n\t\t\t\tcase \"SFTPGO_LOG_COMPRESS\":\n\t\t\t\t\tsetBoolFromEnv(&logCompress, v)\n\t\t\t\tcase \"SFTPGO_LOG_LEVEL\":\n\t\t\t\t\tlogLevel = v\n\t\t\t\tcase \"SFTPGO_LOG_UTC_TIME\":\n\t\t\t\t\tsetBoolFromEnv(&logUTCTime, v)\n\t\t\t\tcase \"SFTPGO_CONFIG_FILE\":\n\t\t\t\t\tconfigFile = v\n\t\t\t\tcase \"SFTPGO_LOADDATA_FROM\":\n\t\t\t\t\tloadDataFrom = v\n\t\t\t\tcase \"SFTPGO_LOADDATA_MODE\":\n\t\t\t\t\tsetIntFromEnv(&loadDataMode, v)\n\t\t\t\tcase \"SFTPGO_LOADDATA_CLEAN\":\n\t\t\t\t\tsetBoolFromEnv(&loadDataClean, v)\n\t\t\t\tcase \"SFTPGO_LOADDATA_QUOTA_SCAN\":\n\t\t\t\t\tsetIntFromEnv(&loadDataQuotaScan, v)\n\t\t\t\tcase \"SFTPGO_GRACE_TIME\":\n\t\t\t\t\tsetIntFromEnv(&graceTime, v)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc init() {\n\trootCmd.AddCommand(serveCmd)\n\taddServeFlags(serveCmd)\n}\n" }, { "path": "internal/cmd/service_windows.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage cmd\n\nimport (\n\t\"github.com/spf13/cobra\"\n)\n\nvar (\n\tserviceCmd = &cobra.Command{\n\t\tUse: \"service\",\n\t\tShort: \"Manage the SFTPGo Windows Service\",\n\t}\n)\n\nfunc init() {\n\trootCmd.AddCommand(serviceCmd)\n}\n" }, { "path": "internal/cmd/signals_unix.go", "content": "// Copyright (C) 2025 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build !windows\n\npackage cmd\n\nimport (\n\t\"os\"\n\t\"os/signal\"\n\t\"syscall\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n)\n\nfunc registerSignals() {\n\tc := make(chan os.Signal, 1)\n\tsignal.Notify(c, syscall.SIGINT, syscall.SIGTERM)\n\tgo func() {\n\t\tfor sig := range c {\n\t\t\tswitch sig {\n\t\t\tcase syscall.SIGINT, syscall.SIGTERM:\n\t\t\t\tlogger.DebugToConsole(\"Received interrupt request\")\n\t\t\t\tplugin.Handler.Cleanup()\n\t\t\t\tos.Exit(0)\n\t\t\t}\n\t\t}\n\t}()\n}\n" }, { "path": "internal/cmd/signals_windows.go", "content": "// Copyright (C) 2025 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage cmd\n\nimport (\n\t\"os\"\n\t\"os/signal\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n)\n\nfunc registerSignals() {\n\tc := make(chan os.Signal, 1)\n\tsignal.Notify(c, os.Interrupt)\n\n\tgo func() {\n\t\tfor range c {\n\t\t\tlogger.DebugToConsole(\"Received interrupt request\")\n\t\t\tplugin.Handler.Cleanup()\n\t\t\tos.Exit(0)\n\t\t}\n\t}()\n}\n" }, { "path": "internal/cmd/smtptest.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage cmd\n\nimport (\n\t\"os\"\n\n\t\"github.com/rs/zerolog\"\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/config\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/smtp\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nvar (\n\tsmtpTestRecipient string\n\tsmtpTestCmd = &cobra.Command{\n\t\tUse: \"smtptest\",\n\t\tShort: \"Test the SMTP configuration\",\n\t\tLong: `SFTPGo will try to send a test email to the specified recipient.\nIf the SMTP configuration is correct you should receive this email.`,\n\t\tRun: func(_ *cobra.Command, _ []string) {\n\t\t\tlogger.DisableLogger()\n\t\t\tlogger.EnableConsoleLogger(zerolog.DebugLevel)\n\t\t\tconfigDir = util.CleanDirInput(configDir)\n\t\t\terr := config.LoadConfig(configDir, configFile)\n\t\t\tif err != nil {\n\t\t\t\tlogger.ErrorToConsole(\"Unable to load configuration: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tproviderConf := config.GetProviderConf()\n\t\t\terr = dataprovider.Initialize(providerConf, configDir, false)\n\t\t\tif err != nil {\n\t\t\t\tlogger.ErrorToConsole(\"error initializing data provider: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tsmtpConfig := config.GetSMTPConfig()\n\t\t\tsmtpConfig.Debug = 1\n\t\t\terr = smtpConfig.Initialize(configDir, false)\n\t\t\tif err != nil {\n\t\t\t\tlogger.ErrorToConsole(\"unable to initialize SMTP configuration: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\terr = smtp.SendEmail([]string{smtpTestRecipient}, nil, \"SFTPGo - Testing Email Settings\", \"It appears your SFTPGo email is setup correctly!\",\n\t\t\t\tsmtp.EmailContentTypeTextPlain)\n\t\t\tif err != nil {\n\t\t\t\tlogger.WarnToConsole(\"Error sending email: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t\tlogger.InfoToConsole(\"No errors were reported while sending the test email. Please check your inbox to make sure.\")\n\t\t},\n\t}\n)\n\nfunc init() {\n\taddConfigFlags(smtpTestCmd)\n\tsmtpTestCmd.Flags().StringVar(&smtpTestRecipient, \"recipient\", \"\", `email address to send the test e-mail to`)\n\tsmtpTestCmd.MarkFlagRequired(\"recipient\") //nolint:errcheck\n\n\trootCmd.AddCommand(smtpTestCmd)\n}\n" }, { "path": "internal/cmd/start_windows.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage cmd\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/service\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nvar (\n\tstartCmd = &cobra.Command{\n\t\tUse: \"start\",\n\t\tShort: \"Start the SFTPGo Windows Service\",\n\t\tRun: func(_ *cobra.Command, _ []string) {\n\t\t\tconfigDir = util.CleanDirInput(configDir)\n\t\t\tcheckServeParamsFromEnvFiles(configDir)\n\t\t\tservice.SetGraceTime(graceTime)\n\t\t\ts := service.Service{\n\t\t\t\tConfigDir: configDir,\n\t\t\t\tConfigFile: configFile,\n\t\t\t\tLogFilePath: logFilePath,\n\t\t\t\tLogMaxSize: logMaxSize,\n\t\t\t\tLogMaxBackups: logMaxBackups,\n\t\t\t\tLogMaxAge: logMaxAge,\n\t\t\t\tLogCompress: logCompress,\n\t\t\t\tLogLevel: logLevel,\n\t\t\t\tLogUTCTime: logUTCTime,\n\t\t\t\tLoadDataFrom: loadDataFrom,\n\t\t\t\tLoadDataMode: loadDataMode,\n\t\t\t\tLoadDataQuotaScan: loadDataQuotaScan,\n\t\t\t\tLoadDataClean: loadDataClean,\n\t\t\t\tShutdown: make(chan bool),\n\t\t\t}\n\t\t\twinService := service.WindowsService{\n\t\t\t\tService: s,\n\t\t\t}\n\t\t\terr := winService.RunService()\n\t\t\tif err != nil {\n\t\t\t\tfmt.Printf(\"Error starting service: %v\\r\\n\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t} else {\n\t\t\t\tfmt.Printf(\"Service started!\\r\\n\")\n\t\t\t}\n\t\t},\n\t}\n)\n\nfunc init() {\n\tserviceCmd.AddCommand(startCmd)\n\taddServeFlags(startCmd)\n}\n" }, { "path": "internal/cmd/status_windows.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage cmd\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/service\"\n)\n\nvar (\n\tstatusCmd = &cobra.Command{\n\t\tUse: \"status\",\n\t\tShort: \"Retrieve the status for the SFTPGo Windows Service\",\n\t\tRun: func(_ *cobra.Command, _ []string) {\n\t\t\ts := service.WindowsService{\n\t\t\t\tService: service.Service{\n\t\t\t\t\tShutdown: make(chan bool),\n\t\t\t\t},\n\t\t\t}\n\t\t\tstatus, err := s.Status()\n\t\t\tif err != nil {\n\t\t\t\tfmt.Printf(\"Error querying service status: %v\\r\\n\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t} else {\n\t\t\t\tfmt.Printf(\"Service status: %q\\r\\n\", status.String())\n\t\t\t}\n\t\t},\n\t}\n)\n\nfunc init() {\n\tserviceCmd.AddCommand(statusCmd)\n}\n" }, { "path": "internal/cmd/stop_windows.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage cmd\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/service\"\n)\n\nvar (\n\tstopCmd = &cobra.Command{\n\t\tUse: \"stop\",\n\t\tShort: \"Stop the SFTPGo Windows Service\",\n\t\tRun: func(_ *cobra.Command, _ []string) {\n\t\t\ts := service.WindowsService{\n\t\t\t\tService: service.Service{\n\t\t\t\t\tShutdown: make(chan bool),\n\t\t\t\t},\n\t\t\t}\n\t\t\terr := s.Stop()\n\t\t\tif err != nil {\n\t\t\t\tfmt.Printf(\"Error stopping service: %v\\r\\n\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t} else {\n\t\t\t\tfmt.Printf(\"Service stopped!\\r\\n\")\n\t\t\t}\n\t\t},\n\t}\n)\n\nfunc init() {\n\tserviceCmd.AddCommand(stopCmd)\n}\n" }, { "path": "internal/cmd/uninstall_windows.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage cmd\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\n\t\"github.com/spf13/cobra\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/service\"\n)\n\nvar (\n\tuninstallCmd = &cobra.Command{\n\t\tUse: \"uninstall\",\n\t\tShort: \"Uninstall the SFTPGo Windows Service\",\n\t\tRun: func(_ *cobra.Command, _ []string) {\n\t\t\ts := service.WindowsService{\n\t\t\t\tService: service.Service{\n\t\t\t\t\tShutdown: make(chan bool),\n\t\t\t\t},\n\t\t\t}\n\t\t\terr := s.Uninstall()\n\t\t\tif err != nil {\n\t\t\t\tfmt.Printf(\"Error removing service: %v\\r\\n\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t} else {\n\t\t\t\tfmt.Printf(\"Service uninstalled\\r\\n\")\n\t\t\t}\n\t\t},\n\t}\n)\n\nfunc init() {\n\tserviceCmd.AddCommand(uninstallCmd)\n}\n" }, { "path": "internal/command/command.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n// Package command provides command configuration for SFTPGo hooks\npackage command\n\nimport (\n\t\"fmt\"\n\t\"slices\"\n\t\"strings\"\n\t\"time\"\n)\n\nconst (\n\tminTimeout = 1\n\tmaxTimeout = 300\n\tdefaultTimeout = 30\n)\n\n// Supported hook names\nconst (\n\tHookFsActions = \"fs_actions\"\n\tHookProviderActions = \"provider_actions\"\n\tHookStartup = \"startup\"\n\tHookPostConnect = \"post_connect\"\n\tHookPostDisconnect = \"post_disconnect\"\n\tHookCheckPassword = \"check_password\"\n\tHookPreLogin = \"pre_login\"\n\tHookPostLogin = \"post_login\"\n\tHookExternalAuth = \"external_auth\"\n\tHookKeyboardInteractive = \"keyboard_interactive\"\n)\n\nvar (\n\tconfig Config\n\tsupportedHooks = []string{HookFsActions, HookProviderActions, HookStartup, HookPostConnect, HookPostDisconnect,\n\t\tHookCheckPassword, HookPreLogin, HookPostLogin, HookExternalAuth, HookKeyboardInteractive}\n)\n\n// Command define the configuration for a specific commands\ntype Command struct {\n\t// Path is the command path as defined in the hook configuration\n\tPath string `json:\"path\" mapstructure:\"path\"`\n\t// Timeout specifies a time limit, in seconds, for the command execution.\n\t// This value overrides the global timeout if set.\n\t// Do not use variables with the SFTPGO_ prefix to avoid conflicts with env\n\t// vars that SFTPGo sets\n\tTimeout int `json:\"timeout\" mapstructure:\"timeout\"`\n\t// Env defines environment variable for the command.\n\t// Each entry is of the form \"key=value\".\n\t// These values are added to the global environment variables if any\n\tEnv []string `json:\"env\" mapstructure:\"env\"`\n\t// Args defines arguments to pass to the specified command\n\tArgs []string `json:\"args\" mapstructure:\"args\"`\n\t// if not empty both command path and hook name must match\n\tHook string `json:\"hook\" mapstructure:\"hook\"`\n}\n\n// Config defines the configuration for external commands such as\n// program based hooks\ntype Config struct {\n\t// Timeout specifies a global time limit, in seconds, for the external commands execution\n\tTimeout int `json:\"timeout\" mapstructure:\"timeout\"`\n\t// Env defines environment variable for the commands.\n\t// Each entry is of the form \"key=value\".\n\t// Do not use variables with the SFTPGO_ prefix to avoid conflicts with env\n\t// vars that SFTPGo sets\n\tEnv []string `json:\"env\" mapstructure:\"env\"`\n\t// Commands defines configuration for specific commands\n\tCommands []Command `json:\"commands\" mapstructure:\"commands\"`\n}\n\nfunc init() {\n\tconfig = Config{\n\t\tTimeout: defaultTimeout,\n\t}\n}\n\n// Initialize configures commands\nfunc (c Config) Initialize() error {\n\tif c.Timeout < minTimeout || c.Timeout > maxTimeout {\n\t\treturn fmt.Errorf(\"invalid timeout %v\", c.Timeout)\n\t}\n\tfor _, env := range c.Env {\n\t\tif len(strings.SplitN(env, \"=\", 2)) != 2 {\n\t\t\treturn fmt.Errorf(\"invalid env var %q\", env)\n\t\t}\n\t}\n\tfor idx, cmd := range c.Commands {\n\t\tif cmd.Path == \"\" {\n\t\t\treturn fmt.Errorf(\"invalid path %q\", cmd.Path)\n\t\t}\n\t\tif cmd.Timeout == 0 {\n\t\t\tc.Commands[idx].Timeout = c.Timeout\n\t\t} else {\n\t\t\tif cmd.Timeout < minTimeout || cmd.Timeout > maxTimeout {\n\t\t\t\treturn fmt.Errorf(\"invalid timeout %v for command %q\", cmd.Timeout, cmd.Path)\n\t\t\t}\n\t\t}\n\t\tfor _, env := range cmd.Env {\n\t\t\tif len(strings.SplitN(env, \"=\", 2)) != 2 {\n\t\t\t\treturn fmt.Errorf(\"invalid env var %q for command %q\", env, cmd.Path)\n\t\t\t}\n\t\t}\n\t\t// don't validate args, we allow to pass empty arguments\n\t\tif cmd.Hook != \"\" {\n\t\t\tif !slices.Contains(supportedHooks, cmd.Hook) {\n\t\t\t\treturn fmt.Errorf(\"invalid hook name %q, supported values: %+v\", cmd.Hook, supportedHooks)\n\t\t\t}\n\t\t}\n\t}\n\tconfig = c\n\treturn nil\n}\n\n// GetConfig returns the configuration for the specified command\nfunc GetConfig(command, hook string) (time.Duration, []string, []string) {\n\tenv := []string{}\n\tvar args []string\n\ttimeout := time.Duration(config.Timeout) * time.Second\n\tenv = append(env, config.Env...)\n\tfor _, cmd := range config.Commands {\n\t\tif cmd.Path == command {\n\t\t\tif cmd.Hook == \"\" || cmd.Hook == hook {\n\t\t\t\ttimeout = time.Duration(cmd.Timeout) * time.Second\n\t\t\t\tenv = append(env, cmd.Env...)\n\t\t\t\targs = cmd.Args\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t}\n\n\treturn timeout, env, args\n}\n" }, { "path": "internal/command/command_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage command\n\nimport (\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n)\n\nfunc TestCommandConfig(t *testing.T) {\n\trequire.Equal(t, defaultTimeout, config.Timeout)\n\tcfg := Config{\n\t\tTimeout: 10,\n\t\tEnv: []string{\"a=b\"},\n\t}\n\terr := cfg.Initialize()\n\trequire.NoError(t, err)\n\tassert.Equal(t, cfg.Timeout, config.Timeout)\n\tassert.Equal(t, cfg.Env, config.Env)\n\tassert.Len(t, cfg.Commands, 0)\n\ttimeout, env, args := GetConfig(\"cmd\", \"\")\n\tassert.Equal(t, time.Duration(config.Timeout)*time.Second, timeout)\n\tassert.Contains(t, env, \"a=b\")\n\tassert.Len(t, args, 0)\n\n\tcfg.Commands = []Command{\n\t\t{\n\t\t\tPath: \"cmd1\",\n\t\t\tTimeout: 30,\n\t\t\tEnv: []string{\"c=d\"},\n\t\t\tArgs: []string{\"1\", \"\", \"2\"},\n\t\t},\n\t\t{\n\t\t\tPath: \"cmd2\",\n\t\t\tTimeout: 0,\n\t\t\tEnv: []string{\"e=f\"},\n\t\t},\n\t}\n\terr = cfg.Initialize()\n\trequire.NoError(t, err)\n\tassert.Equal(t, cfg.Timeout, config.Timeout)\n\tassert.Equal(t, cfg.Env, config.Env)\n\tif assert.Len(t, config.Commands, 2) {\n\t\tassert.Equal(t, cfg.Commands[0].Path, config.Commands[0].Path)\n\t\tassert.Equal(t, cfg.Commands[0].Timeout, config.Commands[0].Timeout)\n\t\tassert.Equal(t, cfg.Commands[0].Env, config.Commands[0].Env)\n\t\tassert.Equal(t, cfg.Commands[0].Args, config.Commands[0].Args)\n\t\tassert.Equal(t, cfg.Commands[1].Path, config.Commands[1].Path)\n\t\tassert.Equal(t, cfg.Timeout, config.Commands[1].Timeout)\n\t\tassert.Equal(t, cfg.Commands[1].Env, config.Commands[1].Env)\n\t\tassert.Equal(t, cfg.Commands[1].Args, config.Commands[1].Args)\n\t}\n\ttimeout, env, args = GetConfig(\"cmd1\", \"\")\n\tassert.Equal(t, time.Duration(config.Commands[0].Timeout)*time.Second, timeout)\n\tassert.Contains(t, env, \"a=b\")\n\tassert.Contains(t, env, \"c=d\")\n\tassert.NotContains(t, env, \"e=f\")\n\tif assert.Len(t, args, 3) {\n\t\tassert.Equal(t, \"1\", args[0])\n\t\tassert.Empty(t, args[1])\n\t\tassert.Equal(t, \"2\", args[2])\n\t}\n\ttimeout, env, args = GetConfig(\"cmd2\", \"\")\n\tassert.Equal(t, time.Duration(config.Timeout)*time.Second, timeout)\n\tassert.Contains(t, env, \"a=b\")\n\tassert.NotContains(t, env, \"c=d\")\n\tassert.Contains(t, env, \"e=f\")\n\tassert.Len(t, args, 0)\n\n\tcfg.Commands = []Command{\n\t\t{\n\t\t\tPath: \"cmd1\",\n\t\t\tTimeout: 30,\n\t\t\tEnv: []string{\"c=d\"},\n\t\t\tArgs: []string{\"1\", \"\", \"2\"},\n\t\t\tHook: HookCheckPassword,\n\t\t},\n\t\t{\n\t\t\tPath: \"cmd1\",\n\t\t\tTimeout: 0,\n\t\t\tEnv: []string{\"e=f\"},\n\t\t\tHook: HookExternalAuth,\n\t\t},\n\t}\n\terr = cfg.Initialize()\n\trequire.NoError(t, err)\n\ttimeout, env, args = GetConfig(\"cmd1\", \"\")\n\tassert.Equal(t, time.Duration(config.Timeout)*time.Second, timeout)\n\tassert.Contains(t, env, \"a=b\")\n\tassert.NotContains(t, env, \"c=d\")\n\tassert.NotContains(t, env, \"e=f\")\n\tassert.Len(t, args, 0)\n\ttimeout, env, args = GetConfig(\"cmd1\", HookCheckPassword)\n\tassert.Equal(t, time.Duration(config.Commands[0].Timeout)*time.Second, timeout)\n\tassert.Contains(t, env, \"a=b\")\n\tassert.Contains(t, env, \"c=d\")\n\tassert.NotContains(t, env, \"e=f\")\n\tif assert.Len(t, args, 3) {\n\t\tassert.Equal(t, \"1\", args[0])\n\t\tassert.Empty(t, args[1])\n\t\tassert.Equal(t, \"2\", args[2])\n\t}\n\ttimeout, env, args = GetConfig(\"cmd1\", HookExternalAuth)\n\tassert.Equal(t, time.Duration(cfg.Timeout)*time.Second, timeout)\n\tassert.Contains(t, env, \"a=b\")\n\tassert.NotContains(t, env, \"c=d\")\n\tassert.Contains(t, env, \"e=f\")\n\tassert.Len(t, args, 0)\n}\n\nfunc TestConfigErrors(t *testing.T) {\n\tc := Config{}\n\terr := c.Initialize()\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"invalid timeout\")\n\t}\n\tc.Timeout = 10\n\tc.Env = []string{\"a\"}\n\terr = c.Initialize()\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"invalid env var\")\n\t}\n\tc.Env = nil\n\tc.Commands = []Command{\n\t\t{\n\t\t\tPath: \"\",\n\t\t},\n\t}\n\terr = c.Initialize()\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"invalid path\")\n\t}\n\tc.Commands = []Command{\n\t\t{\n\t\t\tPath: \"path\",\n\t\t\tTimeout: 10000,\n\t\t},\n\t}\n\terr = c.Initialize()\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"invalid timeout\")\n\t}\n\tc.Commands = []Command{\n\t\t{\n\t\t\tPath: \"path\",\n\t\t\tTimeout: 30,\n\t\t\tEnv: []string{\"b\"},\n\t\t},\n\t}\n\terr = c.Initialize()\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"invalid env var\")\n\t}\n\tc.Commands = []Command{\n\t\t{\n\t\t\tPath: \"path\",\n\t\t\tTimeout: 30,\n\t\t\tEnv: []string{\"a=b\"},\n\t\t\tHook: \"invali\",\n\t\t},\n\t}\n\terr = c.Initialize()\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"invalid hook name\")\n\t}\n}\n" }, { "path": "internal/common/actions.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os/exec\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"slices\"\n\t\"strings\"\n\t\"sync/atomic\"\n\t\"time\"\n\n\t\"github.com/sftpgo/sdk\"\n\t\"github.com/sftpgo/sdk/plugin/notifier\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/command\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpclient\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n)\n\nvar (\n\terrUnexpectedHTTResponse = errors.New(\"unexpected HTTP hook response code\")\n\thooksConcurrencyGuard = make(chan struct{}, 150)\n\tactiveHooks atomic.Int32\n)\n\nfunc startNewHook() {\n\tactiveHooks.Add(1)\n\thooksConcurrencyGuard <- struct{}{}\n}\n\nfunc hookEnded() {\n\tactiveHooks.Add(-1)\n\t<-hooksConcurrencyGuard\n}\n\n// ProtocolActions defines the action to execute on file operations and SSH commands\ntype ProtocolActions struct {\n\t// Valid values are download, upload, pre-delete, delete, rename, ssh_cmd. Empty slice to disable\n\tExecuteOn []string `json:\"execute_on\" mapstructure:\"execute_on\"`\n\t// Actions to be performed synchronously.\n\t// The pre-delete action is always executed synchronously while the other ones are asynchronous.\n\t// Executing an action synchronously means that SFTPGo will not return a result code to the client\n\t// (which is waiting for it) until your hook have completed its execution.\n\tExecuteSync []string `json:\"execute_sync\" mapstructure:\"execute_sync\"`\n\t// Absolute path to an external program or an HTTP URL\n\tHook string `json:\"hook\" mapstructure:\"hook\"`\n}\n\nvar actionHandler ActionHandler = &defaultActionHandler{}\n\n// InitializeActionHandler lets the user choose an action handler implementation.\n//\n// Do NOT call this function after application initialization.\nfunc InitializeActionHandler(handler ActionHandler) {\n\tactionHandler = handler\n}\n\n// ExecutePreAction executes a pre-* action and returns the result.\n// The returned status has the following meaning:\n// - 0 not executed\n// - 1 executed using an external hook\n// - 2 executed using the event manager\nfunc ExecutePreAction(conn *BaseConnection, operation, filePath, virtualPath string, fileSize int64, openFlags int) (int, error) {\n\tvar event *notifier.FsEvent\n\thasNotifiersPlugin := plugin.Handler.HasNotifiers()\n\thasHook := slices.Contains(Config.Actions.ExecuteOn, operation)\n\thasRules := eventManager.hasFsRules()\n\tif !hasHook && !hasNotifiersPlugin && !hasRules {\n\t\treturn 0, nil\n\t}\n\tdateTime := time.Now()\n\tevent = newActionNotification(&conn.User, operation, filePath, virtualPath, \"\", \"\", \"\",\n\t\tconn.protocol, conn.GetRemoteIP(), conn.ID, fileSize, openFlags, conn.getNotificationStatus(nil), 0, dateTime, nil)\n\tif hasNotifiersPlugin {\n\t\tplugin.Handler.NotifyFsEvent(event)\n\t}\n\tif hasRules {\n\t\tparams := EventParams{\n\t\t\tName: event.Username,\n\t\t\tGroups: conn.User.Groups,\n\t\t\tEvent: event.Action,\n\t\t\tStatus: event.Status,\n\t\t\tVirtualPath: event.VirtualPath,\n\t\t\tFsPath: event.Path,\n\t\t\tVirtualTargetPath: event.VirtualTargetPath,\n\t\t\tFsTargetPath: event.TargetPath,\n\t\t\tObjectName: path.Base(event.VirtualPath),\n\t\t\tExtension: path.Ext(event.VirtualPath),\n\t\t\tFileSize: event.FileSize,\n\t\t\tProtocol: event.Protocol,\n\t\t\tIP: event.IP,\n\t\t\tRole: event.Role,\n\t\t\tTimestamp: dateTime,\n\t\t\tEmail: conn.User.Email,\n\t\t\tObject: nil,\n\t\t}\n\t\texecutedSync, err := eventManager.handleFsEvent(params)\n\t\tif executedSync {\n\t\t\treturn 2, err\n\t\t}\n\t}\n\tif !hasHook {\n\t\treturn 0, nil\n\t}\n\treturn actionHandler.Handle(event)\n}\n\n// ExecuteActionNotification executes the defined hook, if any, for the specified action\nfunc ExecuteActionNotification(conn *BaseConnection, operation, filePath, virtualPath, target, virtualTarget, sshCmd string,\n\tfileSize int64, err error, elapsed int64, metadata map[string]string,\n) error {\n\thasNotifiersPlugin := plugin.Handler.HasNotifiers()\n\thasHook := slices.Contains(Config.Actions.ExecuteOn, operation)\n\thasRules := eventManager.hasFsRules()\n\tif !hasHook && !hasNotifiersPlugin && !hasRules {\n\t\treturn nil\n\t}\n\tdateTime := time.Now()\n\tnotification := newActionNotification(&conn.User, operation, filePath, virtualPath, target, virtualTarget, sshCmd,\n\t\tconn.protocol, conn.GetRemoteIP(), conn.ID, fileSize, 0, conn.getNotificationStatus(err), elapsed, dateTime, metadata)\n\tif hasNotifiersPlugin {\n\t\tplugin.Handler.NotifyFsEvent(notification)\n\t}\n\tif hasRules {\n\t\tparams := EventParams{\n\t\t\tName: notification.Username,\n\t\t\tGroups: conn.User.Groups,\n\t\t\tEvent: notification.Action,\n\t\t\tStatus: notification.Status,\n\t\t\tVirtualPath: notification.VirtualPath,\n\t\t\tFsPath: notification.Path,\n\t\t\tVirtualTargetPath: notification.VirtualTargetPath,\n\t\t\tFsTargetPath: notification.TargetPath,\n\t\t\tObjectName: path.Base(notification.VirtualPath),\n\t\t\tExtension: path.Ext(notification.VirtualPath),\n\t\t\tFileSize: notification.FileSize,\n\t\t\tElapsed: notification.Elapsed,\n\t\t\tProtocol: notification.Protocol,\n\t\t\tIP: notification.IP,\n\t\t\tRole: notification.Role,\n\t\t\tTimestamp: dateTime,\n\t\t\tEmail: conn.User.Email,\n\t\t\tObject: nil,\n\t\t\tMetadata: metadata,\n\t\t}\n\t\tif err != nil {\n\t\t\tparams.AddError(fmt.Errorf(\"%q failed: %w\", params.Event, err))\n\t\t}\n\t\texecutedSync, err := eventManager.handleFsEvent(params)\n\t\tif executedSync {\n\t\t\treturn err\n\t\t}\n\t}\n\tif hasHook {\n\t\tif slices.Contains(Config.Actions.ExecuteSync, operation) {\n\t\t\t_, err := actionHandler.Handle(notification)\n\t\t\treturn err\n\t\t}\n\t\tgo func() {\n\t\t\tstartNewHook()\n\t\t\tdefer hookEnded()\n\n\t\t\tactionHandler.Handle(notification) //nolint:errcheck\n\t\t}()\n\t}\n\treturn nil\n}\n\n// ActionHandler handles a notification for a Protocol Action.\ntype ActionHandler interface {\n\tHandle(notification *notifier.FsEvent) (int, error)\n}\n\nfunc newActionNotification(\n\tuser *dataprovider.User,\n\toperation, filePath, virtualPath, target, virtualTarget, sshCmd, protocol, ip, sessionID string,\n\tfileSize int64,\n\topenFlags, status int, elapsed int64,\n\tdatetime time.Time,\n\tmetadata map[string]string,\n) *notifier.FsEvent {\n\tvar bucket, endpoint string\n\n\tfsConfig := user.GetFsConfigForPath(virtualPath)\n\n\tswitch fsConfig.Provider {\n\tcase sdk.S3FilesystemProvider:\n\t\tbucket = fsConfig.S3Config.Bucket\n\t\tendpoint = fsConfig.S3Config.Endpoint\n\tcase sdk.GCSFilesystemProvider:\n\t\tbucket = fsConfig.GCSConfig.Bucket\n\tcase sdk.AzureBlobFilesystemProvider:\n\t\tbucket = fsConfig.AzBlobConfig.Container\n\t\tif fsConfig.AzBlobConfig.Endpoint != \"\" {\n\t\t\tendpoint = fsConfig.AzBlobConfig.Endpoint\n\t\t}\n\tcase sdk.SFTPFilesystemProvider:\n\t\tendpoint = fsConfig.SFTPConfig.Endpoint\n\tcase sdk.HTTPFilesystemProvider:\n\t\tendpoint = fsConfig.HTTPConfig.Endpoint\n\t}\n\n\treturn ¬ifier.FsEvent{\n\t\tAction: operation,\n\t\tUsername: user.Username,\n\t\tPath: filePath,\n\t\tTargetPath: target,\n\t\tVirtualPath: virtualPath,\n\t\tVirtualTargetPath: virtualTarget,\n\t\tSSHCmd: sshCmd,\n\t\tFileSize: fileSize,\n\t\tFsProvider: int(fsConfig.Provider),\n\t\tBucket: bucket,\n\t\tEndpoint: endpoint,\n\t\tStatus: status,\n\t\tProtocol: protocol,\n\t\tIP: ip,\n\t\tSessionID: sessionID,\n\t\tOpenFlags: openFlags,\n\t\tRole: user.Role,\n\t\tTimestamp: datetime.UnixNano(),\n\t\tElapsed: elapsed,\n\t\tMetadata: metadata,\n\t}\n}\n\ntype defaultActionHandler struct{}\n\nfunc (h *defaultActionHandler) Handle(event *notifier.FsEvent) (int, error) {\n\tif !slices.Contains(Config.Actions.ExecuteOn, event.Action) {\n\t\treturn 0, nil\n\t}\n\n\tif Config.Actions.Hook == \"\" {\n\t\tlogger.Warn(event.Protocol, \"\", \"Unable to send notification, no hook is defined\")\n\n\t\treturn 0, nil\n\t}\n\n\tif strings.HasPrefix(Config.Actions.Hook, \"http\") {\n\t\terr := h.handleHTTP(event)\n\t\treturn 1, err\n\t}\n\n\terr := h.handleCommand(event)\n\treturn 1, err\n}\n\nfunc (h *defaultActionHandler) handleHTTP(event *notifier.FsEvent) error {\n\tu, err := url.Parse(Config.Actions.Hook)\n\tif err != nil {\n\t\tlogger.Error(event.Protocol, \"\", \"Invalid hook %q for operation %q: %v\",\n\t\t\tConfig.Actions.Hook, event.Action, err)\n\t\treturn err\n\t}\n\n\tstartTime := time.Now()\n\trespCode := 0\n\n\tvar b bytes.Buffer\n\t_ = json.NewEncoder(&b).Encode(event)\n\n\tresp, err := httpclient.RetryablePost(Config.Actions.Hook, \"application/json\", &b)\n\tif err == nil {\n\t\trespCode = resp.StatusCode\n\t\tresp.Body.Close()\n\n\t\tif respCode != http.StatusOK {\n\t\t\terr = errUnexpectedHTTResponse\n\t\t}\n\t}\n\n\tlogger.Debug(event.Protocol, \"\", \"notified operation %q to URL: %s status code: %d, elapsed: %s err: %v\",\n\t\tevent.Action, u.Redacted(), respCode, time.Since(startTime), err)\n\n\treturn err\n}\n\nfunc (h *defaultActionHandler) handleCommand(event *notifier.FsEvent) error {\n\tif !filepath.IsAbs(Config.Actions.Hook) {\n\t\terr := fmt.Errorf(\"invalid notification command %q\", Config.Actions.Hook)\n\t\tlogger.Warn(event.Protocol, \"\", \"unable to execute notification command: %v\", err)\n\n\t\treturn err\n\t}\n\n\ttimeout, env, args := command.GetConfig(Config.Actions.Hook, command.HookFsActions)\n\tctx, cancel := context.WithTimeout(context.Background(), timeout)\n\tdefer cancel()\n\n\tcmd := exec.CommandContext(ctx, Config.Actions.Hook, args...)\n\tcmd.Env = append(env, notificationAsEnvVars(event)...)\n\n\tstartTime := time.Now()\n\terr := cmd.Run()\n\n\tlogger.Debug(event.Protocol, \"\", \"executed command %q, elapsed: %s, error: %v\",\n\t\tConfig.Actions.Hook, time.Since(startTime), err)\n\n\treturn err\n}\n\nfunc notificationAsEnvVars(event *notifier.FsEvent) []string {\n\tresult := []string{\n\t\tfmt.Sprintf(\"SFTPGO_ACTION=%s\", event.Action),\n\t\tfmt.Sprintf(\"SFTPGO_ACTION_USERNAME=%s\", event.Username),\n\t\tfmt.Sprintf(\"SFTPGO_ACTION_PATH=%s\", event.Path),\n\t\tfmt.Sprintf(\"SFTPGO_ACTION_TARGET=%s\", event.TargetPath),\n\t\tfmt.Sprintf(\"SFTPGO_ACTION_VIRTUAL_PATH=%s\", event.VirtualPath),\n\t\tfmt.Sprintf(\"SFTPGO_ACTION_VIRTUAL_TARGET=%s\", event.VirtualTargetPath),\n\t\tfmt.Sprintf(\"SFTPGO_ACTION_SSH_CMD=%s\", event.SSHCmd),\n\t\tfmt.Sprintf(\"SFTPGO_ACTION_FILE_SIZE=%d\", event.FileSize),\n\t\tfmt.Sprintf(\"SFTPGO_ACTION_ELAPSED=%d\", event.Elapsed),\n\t\tfmt.Sprintf(\"SFTPGO_ACTION_FS_PROVIDER=%d\", event.FsProvider),\n\t\tfmt.Sprintf(\"SFTPGO_ACTION_BUCKET=%s\", event.Bucket),\n\t\tfmt.Sprintf(\"SFTPGO_ACTION_ENDPOINT=%s\", event.Endpoint),\n\t\tfmt.Sprintf(\"SFTPGO_ACTION_STATUS=%d\", event.Status),\n\t\tfmt.Sprintf(\"SFTPGO_ACTION_PROTOCOL=%s\", event.Protocol),\n\t\tfmt.Sprintf(\"SFTPGO_ACTION_IP=%s\", event.IP),\n\t\tfmt.Sprintf(\"SFTPGO_ACTION_SESSION_ID=%s\", event.SessionID),\n\t\tfmt.Sprintf(\"SFTPGO_ACTION_OPEN_FLAGS=%d\", event.OpenFlags),\n\t\tfmt.Sprintf(\"SFTPGO_ACTION_TIMESTAMP=%d\", event.Timestamp),\n\t\tfmt.Sprintf(\"SFTPGO_ACTION_ROLE=%s\", event.Role),\n\t}\n\tif len(event.Metadata) > 0 {\n\t\tdata, err := json.Marshal(event.Metadata)\n\t\tif err == nil {\n\t\t\tresult = append(result, fmt.Sprintf(\"SFTPGO_ACTION_METADATA=%s\", data))\n\t\t}\n\t}\n\treturn result\n}\n" }, { "path": "internal/common/actions_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/lithammer/shortuuid/v4\"\n\t\"github.com/rs/xid\"\n\t\"github.com/sftpgo/sdk\"\n\t\"github.com/sftpgo/sdk/plugin/notifier\"\n\t\"github.com/stretchr/testify/assert\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nfunc TestNewActionNotification(t *testing.T) {\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"username\",\n\t\t},\n\t}\n\tuser.FsConfig.Provider = sdk.LocalFilesystemProvider\n\tuser.FsConfig.S3Config = vfs.S3FsConfig{\n\t\tBaseS3FsConfig: sdk.BaseS3FsConfig{\n\t\t\tBucket: \"s3bucket\",\n\t\t\tEndpoint: \"endpoint\",\n\t\t},\n\t}\n\tuser.FsConfig.GCSConfig = vfs.GCSFsConfig{\n\t\tBaseGCSFsConfig: sdk.BaseGCSFsConfig{\n\t\t\tBucket: \"gcsbucket\",\n\t\t},\n\t}\n\tuser.FsConfig.AzBlobConfig = vfs.AzBlobFsConfig{\n\t\tBaseAzBlobFsConfig: sdk.BaseAzBlobFsConfig{\n\t\t\tContainer: \"azcontainer\",\n\t\t\tEndpoint: \"azendpoint\",\n\t\t},\n\t}\n\tuser.FsConfig.SFTPConfig = vfs.SFTPFsConfig{\n\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\tEndpoint: \"sftpendpoint\",\n\t\t},\n\t}\n\tuser.FsConfig.HTTPConfig = vfs.HTTPFsConfig{\n\t\tBaseHTTPFsConfig: sdk.BaseHTTPFsConfig{\n\t\t\tEndpoint: \"httpendpoint\",\n\t\t},\n\t}\n\tc := NewBaseConnection(\"id\", ProtocolSSH, \"\", \"\", user)\n\tsessionID := xid.New().String()\n\ta := newActionNotification(&user, operationDownload, \"path\", \"vpath\", \"target\", \"\", \"\", ProtocolSFTP, \"\", sessionID,\n\t\t123, 0, c.getNotificationStatus(errors.New(\"fake error\")), 0, time.Now(), nil)\n\tassert.Equal(t, user.Username, a.Username)\n\tassert.Equal(t, 0, len(a.Bucket))\n\tassert.Equal(t, 0, len(a.Endpoint))\n\tassert.Equal(t, 2, a.Status)\n\n\tuser.FsConfig.Provider = sdk.S3FilesystemProvider\n\ta = newActionNotification(&user, operationDownload, \"path\", \"vpath\", \"target\", \"\", \"\", ProtocolSSH, \"\", sessionID,\n\t\t123, 0, c.getNotificationStatus(nil), 0, time.Now(), nil)\n\tassert.Equal(t, \"s3bucket\", a.Bucket)\n\tassert.Equal(t, \"endpoint\", a.Endpoint)\n\tassert.Equal(t, 1, a.Status)\n\n\tuser.FsConfig.Provider = sdk.GCSFilesystemProvider\n\ta = newActionNotification(&user, operationDownload, \"path\", \"vpath\", \"target\", \"\", \"\", ProtocolSCP, \"\", sessionID,\n\t\t123, 0, c.getNotificationStatus(ErrQuotaExceeded), 0, time.Now(), nil)\n\tassert.Equal(t, \"gcsbucket\", a.Bucket)\n\tassert.Equal(t, 0, len(a.Endpoint))\n\tassert.Equal(t, 3, a.Status)\n\ta = newActionNotification(&user, operationDownload, \"path\", \"vpath\", \"target\", \"\", \"\", ProtocolSCP, \"\", sessionID,\n\t\t123, 0, c.getNotificationStatus(fmt.Errorf(\"wrapper quota error: %w\", ErrQuotaExceeded)), 0, time.Now(), nil)\n\tassert.Equal(t, \"gcsbucket\", a.Bucket)\n\tassert.Equal(t, 0, len(a.Endpoint))\n\tassert.Equal(t, 3, a.Status)\n\n\tuser.FsConfig.Provider = sdk.HTTPFilesystemProvider\n\ta = newActionNotification(&user, operationDownload, \"path\", \"vpath\", \"target\", \"\", \"\", ProtocolSSH, \"\", sessionID,\n\t\t123, 0, c.getNotificationStatus(nil), 0, time.Now(), nil)\n\tassert.Equal(t, \"httpendpoint\", a.Endpoint)\n\tassert.Equal(t, 1, a.Status)\n\n\tuser.FsConfig.Provider = sdk.AzureBlobFilesystemProvider\n\ta = newActionNotification(&user, operationDownload, \"path\", \"vpath\", \"target\", \"\", \"\", ProtocolSCP, \"\", sessionID,\n\t\t123, 0, c.getNotificationStatus(nil), 0, time.Now(), nil)\n\tassert.Equal(t, \"azcontainer\", a.Bucket)\n\tassert.Equal(t, \"azendpoint\", a.Endpoint)\n\tassert.Equal(t, 1, a.Status)\n\n\ta = newActionNotification(&user, operationDownload, \"path\", \"vpath\", \"target\", \"\", \"\", ProtocolSCP, \"\", sessionID,\n\t\t123, os.O_APPEND, c.getNotificationStatus(nil), 0, time.Now(), nil)\n\tassert.Equal(t, \"azcontainer\", a.Bucket)\n\tassert.Equal(t, \"azendpoint\", a.Endpoint)\n\tassert.Equal(t, 1, a.Status)\n\tassert.Equal(t, os.O_APPEND, a.OpenFlags)\n\n\tuser.FsConfig.Provider = sdk.SFTPFilesystemProvider\n\ta = newActionNotification(&user, operationDownload, \"path\", \"vpath\", \"target\", \"\", \"\", ProtocolSFTP, \"\", sessionID,\n\t\t123, 0, c.getNotificationStatus(nil), 0, time.Now(), nil)\n\tassert.Equal(t, \"sftpendpoint\", a.Endpoint)\n}\n\nfunc TestActionHTTP(t *testing.T) {\n\tactionsCopy := Config.Actions\n\n\tConfig.Actions = ProtocolActions{\n\t\tExecuteOn: []string{operationDownload},\n\t\tHook: fmt.Sprintf(\"http://%v\", httpAddr),\n\t}\n\tuser := &dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"username\",\n\t\t},\n\t}\n\ta := newActionNotification(user, operationDownload, \"path\", \"vpath\", \"target\", \"\", \"\", ProtocolSFTP, \"\",\n\t\txid.New().String(), 123, 0, 1, 0, time.Now(), nil)\n\tstatus, err := actionHandler.Handle(a)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 1, status)\n\n\tConfig.Actions.Hook = \"http://invalid:1234\"\n\tstatus, err = actionHandler.Handle(a)\n\tassert.Error(t, err)\n\tassert.Equal(t, 1, status)\n\n\tConfig.Actions.Hook = fmt.Sprintf(\"http://%v/404\", httpAddr)\n\tstatus, err = actionHandler.Handle(a)\n\tif assert.Error(t, err) {\n\t\tassert.EqualError(t, err, errUnexpectedHTTResponse.Error())\n\t}\n\tassert.Equal(t, 1, status)\n\n\tConfig.Actions = actionsCopy\n}\n\nfunc TestActionCMD(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tactionsCopy := Config.Actions\n\n\thookCmd, err := exec.LookPath(\"true\")\n\tassert.NoError(t, err)\n\n\tConfig.Actions = ProtocolActions{\n\t\tExecuteOn: []string{operationDownload},\n\t\tHook: hookCmd,\n\t}\n\tuser := &dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"username\",\n\t\t},\n\t}\n\tsessionID := shortuuid.New()\n\ta := newActionNotification(user, operationDownload, \"path\", \"vpath\", \"target\", \"\", \"\", ProtocolSFTP, \"\", sessionID,\n\t\t123, 0, 1, 0, time.Now(), map[string]string{\"key\": \"value\"})\n\tstatus, err := actionHandler.Handle(a)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 1, status)\n\n\tc := NewBaseConnection(\"id\", ProtocolSFTP, \"\", \"\", *user)\n\terr = ExecuteActionNotification(c, OperationSSHCmd, \"path\", \"vpath\", \"target\", \"vtarget\", \"sha1sum\", 0, nil, 0, nil)\n\tassert.NoError(t, err)\n\n\terr = ExecuteActionNotification(c, operationDownload, \"path\", \"vpath\", \"\", \"\", \"\", 0, nil, 0, nil)\n\tassert.NoError(t, err)\n\n\tConfig.Actions = actionsCopy\n}\n\nfunc TestWrongActions(t *testing.T) {\n\tactionsCopy := Config.Actions\n\n\tbadCommand := \"/bad/command\"\n\tif runtime.GOOS == osWindows {\n\t\tbadCommand = \"C:\\\\bad\\\\command\"\n\t}\n\tConfig.Actions = ProtocolActions{\n\t\tExecuteOn: []string{operationUpload},\n\t\tHook: badCommand,\n\t}\n\tuser := &dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"username\",\n\t\t},\n\t}\n\n\ta := newActionNotification(user, operationUpload, \"\", \"\", \"\", \"\", \"\", ProtocolSFTP, \"\", xid.New().String(),\n\t\t123, 0, 1, 0, time.Now(), nil)\n\tstatus, err := actionHandler.Handle(a)\n\tassert.Error(t, err, \"action with bad command must fail\")\n\tassert.Equal(t, 1, status)\n\n\ta.Action = operationDelete\n\tstatus, err = actionHandler.Handle(a)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, status)\n\n\tConfig.Actions.Hook = \"http://foo\\x7f.com/\"\n\ta.Action = operationUpload\n\tstatus, err = actionHandler.Handle(a)\n\tassert.Error(t, err, \"action with bad url must fail\")\n\tassert.Equal(t, 1, status)\n\n\tConfig.Actions.Hook = \"\"\n\tstatus, err = actionHandler.Handle(a)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, status)\n\n\tConfig.Actions.Hook = \"relative path\"\n\tstatus, err = actionHandler.Handle(a)\n\tif assert.Error(t, err) {\n\t\tassert.EqualError(t, err, fmt.Sprintf(\"invalid notification command %q\", Config.Actions.Hook))\n\t}\n\tassert.Equal(t, 1, status)\n\n\tConfig.Actions = actionsCopy\n}\n\nfunc TestPreDeleteAction(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tactionsCopy := Config.Actions\n\n\thookCmd, err := exec.LookPath(\"true\")\n\tassert.NoError(t, err)\n\tConfig.Actions = ProtocolActions{\n\t\tExecuteOn: []string{operationPreDelete},\n\t\tHook: \"missing hook\",\n\t}\n\thomeDir := filepath.Join(os.TempDir(), \"test_user\")\n\terr = os.MkdirAll(homeDir, os.ModePerm)\n\tassert.NoError(t, err)\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"username\",\n\t\t\tHomeDir: homeDir,\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tfs := vfs.NewOsFs(\"id\", homeDir, \"\", nil)\n\tc := NewBaseConnection(\"id\", ProtocolSFTP, \"\", \"\", user)\n\n\ttestfile := filepath.Join(user.HomeDir, \"testfile\")\n\terr = os.WriteFile(testfile, []byte(\"test\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tinfo, err := os.Stat(testfile)\n\tassert.NoError(t, err)\n\terr = c.RemoveFile(fs, testfile, \"testfile\", info)\n\tassert.ErrorIs(t, err, c.GetPermissionDeniedError())\n\tassert.FileExists(t, testfile)\n\tConfig.Actions.Hook = hookCmd\n\terr = c.RemoveFile(fs, testfile, \"testfile\", info)\n\tassert.NoError(t, err)\n\tassert.NoFileExists(t, testfile)\n\n\tos.RemoveAll(homeDir)\n\n\tConfig.Actions = actionsCopy\n}\n\nfunc TestUnconfiguredHook(t *testing.T) {\n\tactionsCopy := Config.Actions\n\n\tConfig.Actions = ProtocolActions{\n\t\tExecuteOn: []string{operationDownload},\n\t\tHook: \"\",\n\t}\n\tpluginsConfig := []plugin.Config{\n\t\t{\n\t\t\tType: \"notifier\",\n\t\t},\n\t}\n\terr := plugin.Initialize(pluginsConfig, \"debug\")\n\tassert.Error(t, err)\n\tassert.True(t, plugin.Handler.HasNotifiers())\n\n\tc := NewBaseConnection(\"id\", ProtocolSFTP, \"\", \"\", dataprovider.User{})\n\tstatus, err := ExecutePreAction(c, OperationPreDownload, \"\", \"\", 0, 0)\n\tassert.NoError(t, err)\n\tassert.Equal(t, status, 0)\n\tstatus, err = ExecutePreAction(c, operationPreDelete, \"\", \"\", 0, 0)\n\tassert.NoError(t, err)\n\tassert.Equal(t, status, 0)\n\n\terr = ExecuteActionNotification(c, operationDownload, \"\", \"\", \"\", \"\", \"\", 0, nil, 0, nil)\n\tassert.NoError(t, err)\n\n\terr = plugin.Initialize(nil, \"debug\")\n\tassert.NoError(t, err)\n\tassert.False(t, plugin.Handler.HasNotifiers())\n\n\tConfig.Actions = actionsCopy\n}\n\ntype actionHandlerStub struct {\n\tcalled bool\n}\n\nfunc (h *actionHandlerStub) Handle(_ *notifier.FsEvent) (int, error) {\n\th.called = true\n\n\treturn 1, nil\n}\n\nfunc TestInitializeActionHandler(t *testing.T) {\n\thandler := &actionHandlerStub{}\n\n\tInitializeActionHandler(handler)\n\tt.Cleanup(func() {\n\t\tInitializeActionHandler(&defaultActionHandler{})\n\t})\n\n\tstatus, err := actionHandler.Handle(¬ifier.FsEvent{})\n\tassert.NoError(t, err)\n\tassert.True(t, handler.called)\n\tassert.Equal(t, 1, status)\n}\n" }, { "path": "internal/common/clientsmap.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"sync\"\n\t\"sync/atomic\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n)\n\n// clienstMap is a struct containing the map of the connected clients\ntype clientsMap struct {\n\ttotalConnections atomic.Int32\n\tmu sync.RWMutex\n\tclients map[string]int\n}\n\nfunc (c *clientsMap) add(source string) {\n\tc.totalConnections.Add(1)\n\n\tc.mu.Lock()\n\tdefer c.mu.Unlock()\n\n\tc.clients[source]++\n}\n\nfunc (c *clientsMap) remove(source string) {\n\tc.mu.Lock()\n\tdefer c.mu.Unlock()\n\n\tif val, ok := c.clients[source]; ok {\n\t\tc.totalConnections.Add(-1)\n\t\tc.clients[source]--\n\t\tif val > 1 {\n\t\t\treturn\n\t\t}\n\t\tdelete(c.clients, source)\n\t} else {\n\t\tlogger.Warn(logSender, \"\", \"cannot remove client %v it is not mapped\", source)\n\t}\n}\n\nfunc (c *clientsMap) getTotal() int32 {\n\treturn c.totalConnections.Load()\n}\n\nfunc (c *clientsMap) getTotalFrom(source string) int {\n\tc.mu.RLock()\n\tdefer c.mu.RUnlock()\n\n\treturn c.clients[source]\n}\n" }, { "path": "internal/common/clientsmap_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/assert\"\n)\n\nfunc TestClientsMap(t *testing.T) {\n\tm := clientsMap{\n\t\tclients: make(map[string]int),\n\t}\n\tip1 := \"192.168.1.1\"\n\tip2 := \"192.168.1.2\"\n\tm.add(ip1)\n\tassert.Equal(t, int32(1), m.getTotal())\n\tassert.Equal(t, 1, m.getTotalFrom(ip1))\n\tassert.Equal(t, 0, m.getTotalFrom(ip2))\n\n\tm.add(ip1)\n\tm.add(ip2)\n\tassert.Equal(t, int32(3), m.getTotal())\n\tassert.Equal(t, 2, m.getTotalFrom(ip1))\n\tassert.Equal(t, 1, m.getTotalFrom(ip2))\n\n\tm.add(ip1)\n\tm.add(ip1)\n\tm.add(ip2)\n\tassert.Equal(t, int32(6), m.getTotal())\n\tassert.Equal(t, 4, m.getTotalFrom(ip1))\n\tassert.Equal(t, 2, m.getTotalFrom(ip2))\n\n\tm.remove(ip2)\n\tassert.Equal(t, int32(5), m.getTotal())\n\tassert.Equal(t, 4, m.getTotalFrom(ip1))\n\tassert.Equal(t, 1, m.getTotalFrom(ip2))\n\n\tm.remove(\"unknown\")\n\tassert.Equal(t, int32(5), m.getTotal())\n\tassert.Equal(t, 4, m.getTotalFrom(ip1))\n\tassert.Equal(t, 1, m.getTotalFrom(ip2))\n\n\tm.remove(ip2)\n\tassert.Equal(t, int32(4), m.getTotal())\n\tassert.Equal(t, 4, m.getTotalFrom(ip1))\n\tassert.Equal(t, 0, m.getTotalFrom(ip2))\n\n\tm.remove(ip1)\n\tm.remove(ip1)\n\tm.remove(ip1)\n\tassert.Equal(t, int32(1), m.getTotal())\n\tassert.Equal(t, 1, m.getTotalFrom(ip1))\n\tassert.Equal(t, 0, m.getTotalFrom(ip2))\n\n\tm.remove(ip1)\n\tassert.Equal(t, int32(0), m.getTotal())\n\tassert.Equal(t, 0, m.getTotalFrom(ip1))\n\tassert.Equal(t, 0, m.getTotalFrom(ip2))\n}\n" }, { "path": "internal/common/common.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n// Package common defines code shared among file transfer packages and protocols\npackage common\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"slices\"\n\t\"strconv\"\n\t\"strings\"\n\t\"sync\"\n\t\"sync/atomic\"\n\t\"time\"\n\n\t\"github.com/pires/go-proxyproto\"\n\t\"github.com/sftpgo/sdk/plugin/notifier\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/command\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpclient\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/metric\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n\t\"github.com/drakkan/sftpgo/v2/internal/smtp\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\n// constants\nconst (\n\tlogSender = \"common\"\n\tuploadLogSender = \"Upload\"\n\tdownloadLogSender = \"Download\"\n\trenameLogSender = \"Rename\"\n\trmdirLogSender = \"Rmdir\"\n\tmkdirLogSender = \"Mkdir\"\n\tsymlinkLogSender = \"Symlink\"\n\tremoveLogSender = \"Remove\"\n\tchownLogSender = \"Chown\"\n\tchmodLogSender = \"Chmod\"\n\tchtimesLogSender = \"Chtimes\"\n\tcopyLogSender = \"Copy\"\n\ttruncateLogSender = \"Truncate\"\n\toperationDownload = \"download\"\n\toperationUpload = \"upload\"\n\toperationFirstDownload = \"first-download\"\n\toperationFirstUpload = \"first-upload\"\n\toperationDelete = \"delete\"\n\toperationCopy = \"copy\"\n\t// Pre-download action name\n\tOperationPreDownload = \"pre-download\"\n\t// Pre-upload action name\n\tOperationPreUpload = \"pre-upload\"\n\toperationPreDelete = \"pre-delete\"\n\toperationRename = \"rename\"\n\toperationMkdir = \"mkdir\"\n\toperationRmdir = \"rmdir\"\n\t// SSH command action name\n\tOperationSSHCmd = \"ssh_cmd\"\n\tchtimesFormat = \"2006-01-02T15:04:05\" // YYYY-MM-DDTHH:MM:SS\n\tidleTimeoutCheckInterval = 3 * time.Minute\n\tperiodicTimeoutCheckInterval = 1 * time.Minute\n)\n\n// Stat flags\nconst (\n\tStatAttrUIDGID = 1\n\tStatAttrPerms = 2\n\tStatAttrTimes = 4\n\tStatAttrSize = 8\n)\n\n// Transfer types\nconst (\n\tTransferUpload = iota\n\tTransferDownload\n)\n\n// Supported protocols\nconst (\n\tProtocolSFTP = \"SFTP\"\n\tProtocolSCP = \"SCP\"\n\tProtocolSSH = \"SSH\"\n\tProtocolFTP = \"FTP\"\n\tProtocolWebDAV = \"DAV\"\n\tProtocolHTTP = \"HTTP\"\n\tProtocolHTTPShare = \"HTTPShare\"\n\tProtocolDataRetention = \"DataRetention\"\n\tProtocolOIDC = \"OIDC\"\n\tprotocolEventAction = \"EventAction\"\n)\n\n// Upload modes\nconst (\n\tUploadModeStandard = 0\n\tUploadModeAtomic = 1\n\tUploadModeAtomicWithResume = 2\n\tUploadModeS3StoreOnError = 4\n\tUploadModeGCSStoreOnError = 8\n\tUploadModeAzureBlobStoreOnError = 16\n)\n\nfunc init() {\n\tConnections.clients = clientsMap{\n\t\tclients: make(map[string]int),\n\t}\n\tConnections.transfers = clientsMap{\n\t\tclients: make(map[string]int),\n\t}\n\tConnections.perUserConns = make(map[string]int)\n\tConnections.mapping = make(map[string]int)\n\tConnections.sshMapping = make(map[string]int)\n}\n\n// errors definitions\nvar (\n\tErrPermissionDenied = errors.New(\"permission denied\")\n\tErrNotExist = errors.New(\"no such file or directory\")\n\tErrOpUnsupported = errors.New(\"operation unsupported\")\n\tErrGenericFailure = errors.New(\"failure\")\n\tErrQuotaExceeded = errors.New(\"denying write due to space limit\")\n\tErrReadQuotaExceeded = errors.New(\"denying read due to quota limit\")\n\tErrConnectionDenied = errors.New(\"you are not allowed to connect\")\n\tErrNoBinding = errors.New(\"no binding configured\")\n\tErrCrtRevoked = errors.New(\"your certificate has been revoked\")\n\tErrNoCredentials = errors.New(\"no credential provided\")\n\tErrInternalFailure = errors.New(\"internal failure\")\n\tErrTransferAborted = errors.New(\"transfer aborted\")\n\tErrShuttingDown = errors.New(\"the service is shutting down\")\n\terrNoTransfer = errors.New(\"requested transfer not found\")\n\terrTransferMismatch = errors.New(\"transfer mismatch\")\n)\n\nvar (\n\t// Config is the configuration for the supported protocols\n\tConfig Configuration\n\t// Connections is the list of active connections\n\tConnections ActiveConnections\n\t// QuotaScans is the list of active quota scans\n\tQuotaScans ActiveScans\n\ttransfersChecker TransfersChecker\n\tsupportedProtocols = []string{ProtocolSFTP, ProtocolSCP, ProtocolSSH, ProtocolFTP, ProtocolWebDAV,\n\t\tProtocolHTTP, ProtocolHTTPShare, ProtocolOIDC}\n\tdisconnHookProtocols = []string{ProtocolSFTP, ProtocolSCP, ProtocolSSH, ProtocolFTP}\n\t// the map key is the protocol, for each protocol we can have multiple rate limiters\n\trateLimiters map[string][]*rateLimiter\n\tisShuttingDown atomic.Bool\n\tftpLoginCommands = []string{\"PASS\", \"USER\"}\n\tfnUpdateBranding func(*dataprovider.BrandingConfigs)\n)\n\n// SetUpdateBrandingFn sets the function to call to update branding configs.\nfunc SetUpdateBrandingFn(fn func(*dataprovider.BrandingConfigs)) {\n\tfnUpdateBranding = fn\n}\n\n// Initialize sets the common configuration\nfunc Initialize(c Configuration, isShared int) error {\n\tisShuttingDown.Store(false)\n\tutil.SetUmask(c.Umask)\n\tversion.SetConfig(c.ServerVersion)\n\tdataprovider.SetTZ(c.TZ)\n\tConfig = c\n\tConfig.Actions.ExecuteOn = util.RemoveDuplicates(Config.Actions.ExecuteOn, true)\n\tConfig.Actions.ExecuteSync = util.RemoveDuplicates(Config.Actions.ExecuteSync, true)\n\tConfig.ProxyAllowed = util.RemoveDuplicates(Config.ProxyAllowed, true)\n\tConfig.idleLoginTimeout = 2 * time.Minute\n\tConfig.idleTimeoutAsDuration = time.Duration(Config.IdleTimeout) * time.Minute\n\tstartPeriodicChecks(periodicTimeoutCheckInterval, isShared)\n\tConfig.defender = nil\n\tConfig.allowList = nil\n\tConfig.rateLimitersList = nil\n\trateLimiters = make(map[string][]*rateLimiter)\n\tfor _, rlCfg := range c.RateLimitersConfig {\n\t\tif rlCfg.isEnabled() {\n\t\t\tif err := rlCfg.validate(); err != nil {\n\t\t\t\treturn fmt.Errorf(\"rate limiters initialization error: %w\", err)\n\t\t\t}\n\t\t\trateLimiter := rlCfg.getLimiter()\n\t\t\tfor _, protocol := range rlCfg.Protocols {\n\t\t\t\trateLimiters[protocol] = append(rateLimiters[protocol], rateLimiter)\n\t\t\t}\n\t\t}\n\t}\n\tif len(rateLimiters) > 0 {\n\t\trateLimitersList, err := dataprovider.NewIPList(dataprovider.IPListTypeRateLimiterSafeList)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"unable to initialize ratelimiters list: %w\", err)\n\t\t}\n\t\tConfig.rateLimitersList = rateLimitersList\n\t}\n\tif c.DefenderConfig.Enabled {\n\t\tif !slices.Contains(supportedDefenderDrivers, c.DefenderConfig.Driver) {\n\t\t\treturn fmt.Errorf(\"unsupported defender driver %q\", c.DefenderConfig.Driver)\n\t\t}\n\t\tvar defender Defender\n\t\tvar err error\n\t\tswitch c.DefenderConfig.Driver {\n\t\tcase DefenderDriverProvider:\n\t\t\tdefender, err = newDBDefender(&c.DefenderConfig)\n\t\tdefault:\n\t\t\tdefender, err = newInMemoryDefender(&c.DefenderConfig)\n\t\t}\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"defender initialization error: %v\", err)\n\t\t}\n\t\tlogger.Info(logSender, \"\", \"defender initialized with config %+v\", c.DefenderConfig)\n\t\tConfig.defender = defender\n\t}\n\tif c.AllowListStatus > 0 {\n\t\tallowList, err := dataprovider.NewIPList(dataprovider.IPListTypeAllowList)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"unable to initialize the allow list: %w\", err)\n\t\t}\n\t\tlogger.Info(logSender, \"\", \"allow list initialized\")\n\t\tConfig.allowList = allowList\n\t}\n\tif err := c.initializeProxyProtocol(); err != nil {\n\t\treturn err\n\t}\n\tif err := c.EventManager.validate(); err != nil {\n\t\treturn err\n\t}\n\tvfs.SetTempPath(c.TempPath)\n\tdataprovider.SetTempPath(c.TempPath)\n\tvfs.SetAllowSelfConnections(c.AllowSelfConnections)\n\tvfs.SetRenameMode(c.RenameMode)\n\tvfs.SetReadMetadataMode(c.Metadata.Read)\n\tvfs.SetResumeMaxSize(c.ResumeMaxSize)\n\tvfs.SetUploadMode(c.UploadMode)\n\tdataprovider.SetAllowSelfConnections(c.AllowSelfConnections)\n\tdataprovider.EnabledActionCommands = c.EventManager.EnabledCommands\n\ttransfersChecker = getTransfersChecker(isShared)\n\treturn nil\n}\n\n// CheckClosing returns an error if the service is closing\nfunc CheckClosing() error {\n\tif isShuttingDown.Load() {\n\t\treturn ErrShuttingDown\n\t}\n\treturn nil\n}\n\n// WaitForTransfers waits, for the specified grace time, for currently ongoing\n// client-initiated transfer sessions to completes.\n// A zero graceTime means no wait\nfunc WaitForTransfers(graceTime int) {\n\tif graceTime == 0 {\n\t\treturn\n\t}\n\tif isShuttingDown.Swap(true) {\n\t\treturn\n\t}\n\n\tif activeHooks.Load() == 0 && getActiveConnections() == 0 {\n\t\treturn\n\t}\n\n\tgraceTimer := time.NewTimer(time.Duration(graceTime) * time.Second)\n\tticker := time.NewTicker(3 * time.Second)\n\n\tfor {\n\t\tselect {\n\t\tcase <-ticker.C:\n\t\t\thooks := activeHooks.Load()\n\t\t\tlogger.Info(logSender, \"\", \"active hooks: %d\", hooks)\n\t\t\tif hooks == 0 && getActiveConnections() == 0 {\n\t\t\t\tlogger.Info(logSender, \"\", \"no more active connections, graceful shutdown\")\n\t\t\t\tticker.Stop()\n\t\t\t\tgraceTimer.Stop()\n\t\t\t\treturn\n\t\t\t}\n\t\tcase <-graceTimer.C:\n\t\t\tlogger.Info(logSender, \"\", \"grace time expired, hard shutdown\")\n\t\t\tticker.Stop()\n\t\t\treturn\n\t\t}\n\t}\n}\n\n// getActiveConnections returns the number of connections with active transfers\nfunc getActiveConnections() int {\n\tvar activeConns int\n\n\tConnections.RLock()\n\tfor _, c := range Connections.connections {\n\t\tif len(c.GetTransfers()) > 0 {\n\t\t\tactiveConns++\n\t\t}\n\t}\n\tConnections.RUnlock()\n\n\tlogger.Info(logSender, \"\", \"number of connections with active transfers: %d\", activeConns)\n\treturn activeConns\n}\n\n// LimitRate blocks until all the configured rate limiters\n// allow one event to happen.\n// It returns an error if the time to wait exceeds the max\n// allowed delay\nfunc LimitRate(protocol, ip string) (time.Duration, error) {\n\tif Config.rateLimitersList != nil {\n\t\tisListed, _, err := Config.rateLimitersList.IsListed(ip, protocol)\n\t\tif err == nil && isListed {\n\t\t\treturn 0, nil\n\t\t}\n\t}\n\tfor _, limiter := range rateLimiters[protocol] {\n\t\tif delay, err := limiter.Wait(ip, protocol); err != nil {\n\t\t\tlogger.Debug(logSender, \"\", \"protocol %s ip %s: %v\", protocol, ip, err)\n\t\t\treturn delay, err\n\t\t}\n\t}\n\treturn 0, nil\n}\n\n// Reload reloads the whitelist, the IP filter plugin and the defender's block and safe lists\nfunc Reload() error {\n\tplugin.Handler.ReloadFilter()\n\treturn nil\n}\n\n// DelayLogin applies the configured login delay\nfunc DelayLogin(err error) {\n\tif Config.defender != nil {\n\t\tConfig.defender.DelayLogin(err)\n\t}\n}\n\n// IsBanned returns true if the specified IP address is banned\nfunc IsBanned(ip, protocol string) bool {\n\tif plugin.Handler.IsIPBanned(ip, protocol) {\n\t\treturn true\n\t}\n\tif Config.defender == nil {\n\t\treturn false\n\t}\n\n\treturn Config.defender.IsBanned(ip, protocol)\n}\n\n// GetDefenderBanTime returns the ban time for the given IP\n// or nil if the IP is not banned or the defender is disabled\nfunc GetDefenderBanTime(ip string) (*time.Time, error) {\n\tif Config.defender == nil {\n\t\treturn nil, nil\n\t}\n\n\treturn Config.defender.GetBanTime(ip)\n}\n\n// GetDefenderHosts returns hosts that are banned or for which some violations have been detected\nfunc GetDefenderHosts() ([]dataprovider.DefenderEntry, error) {\n\tif Config.defender == nil {\n\t\treturn nil, nil\n\t}\n\n\treturn Config.defender.GetHosts()\n}\n\n// GetDefenderHost returns a defender host by ip, if any\nfunc GetDefenderHost(ip string) (dataprovider.DefenderEntry, error) {\n\tif Config.defender == nil {\n\t\treturn dataprovider.DefenderEntry{}, errors.New(\"defender is disabled\")\n\t}\n\n\treturn Config.defender.GetHost(ip)\n}\n\n// DeleteDefenderHost removes the specified IP address from the defender lists\nfunc DeleteDefenderHost(ip string) bool {\n\tif Config.defender == nil {\n\t\treturn false\n\t}\n\n\treturn Config.defender.DeleteHost(ip)\n}\n\n// GetDefenderScore returns the score for the given IP\nfunc GetDefenderScore(ip string) (int, error) {\n\tif Config.defender == nil {\n\t\treturn 0, nil\n\t}\n\n\treturn Config.defender.GetScore(ip)\n}\n\n// AddDefenderEvent adds the specified defender event for the given IP.\n// Returns true if the IP is in the defender's safe list.\nfunc AddDefenderEvent(ip, protocol string, event HostEvent) bool {\n\tif Config.defender == nil {\n\t\treturn false\n\t}\n\n\treturn Config.defender.AddEvent(ip, protocol, event)\n}\n\nfunc reloadProviderConfigs() {\n\tconfigs, err := dataprovider.GetConfigs()\n\tif err != nil {\n\t\tlogger.Error(logSender, \"\", \"unable to load config from provider: %v\", err)\n\t\treturn\n\t}\n\tconfigs.SetNilsToEmpty()\n\tif fnUpdateBranding != nil {\n\t\tfnUpdateBranding(configs.Branding)\n\t}\n\tif err := configs.SMTP.TryDecrypt(); err != nil {\n\t\tlogger.Error(logSender, \"\", \"unable to decrypt smtp config: %v\", err)\n\t\treturn\n\t}\n\tsmtp.Activate(configs.SMTP)\n}\n\nfunc startPeriodicChecks(duration time.Duration, isShared int) {\n\tstartEventScheduler()\n\tspec := fmt.Sprintf(\"@every %s\", duration)\n\t_, err := eventScheduler.AddFunc(spec, Connections.checkTransfers)\n\tutil.PanicOnError(err)\n\tlogger.Info(logSender, \"\", \"scheduled overquota transfers check, schedule %q\", spec)\n\tif isShared == 1 {\n\t\tlogger.Info(logSender, \"\", \"add reload configs task\")\n\t\t_, err := eventScheduler.AddFunc(\"@every 10m\", reloadProviderConfigs)\n\t\tutil.PanicOnError(err)\n\t}\n\tif Config.IdleTimeout > 0 {\n\t\tratio := idleTimeoutCheckInterval / periodicTimeoutCheckInterval\n\t\tspec = fmt.Sprintf(\"@every %s\", duration*ratio)\n\t\t_, err = eventScheduler.AddFunc(spec, Connections.checkIdles)\n\t\tutil.PanicOnError(err)\n\t\tlogger.Info(logSender, \"\", \"scheduled idle connections check, schedule %q\", spec)\n\t}\n}\n\n// ActiveTransfer defines the interface for the current active transfers\ntype ActiveTransfer interface {\n\tGetID() int64\n\tGetType() int\n\tGetSize() int64\n\tGetDownloadedSize() int64\n\tGetUploadedSize() int64\n\tGetVirtualPath() string\n\tGetFsPath() string\n\tGetStartTime() time.Time\n\tSignalClose(err error)\n\tTruncate(fsPath string, size int64) (int64, error)\n\tGetRealFsPath(fsPath string) string\n\tSetTimes(fsPath string, atime time.Time, mtime time.Time) bool\n\tGetTruncatedSize() int64\n\tHasSizeLimit() bool\n}\n\n// ActiveConnection defines the interface for the current active connections\ntype ActiveConnection interface {\n\tGetID() string\n\tGetUsername() string\n\tGetRole() string\n\tGetMaxSessions() int\n\tGetLocalAddress() string\n\tGetRemoteAddress() string\n\tGetClientVersion() string\n\tGetProtocol() string\n\tGetConnectionTime() time.Time\n\tGetLastActivity() time.Time\n\tGetCommand() string\n\tDisconnect() error\n\tAddTransfer(t ActiveTransfer)\n\tRemoveTransfer(t ActiveTransfer)\n\tGetTransfers() []ConnectionTransfer\n\tSignalTransferClose(transferID int64, err error)\n\tCloseFS() error\n\tisAccessAllowed() bool\n}\n\n// StatAttributes defines the attributes for set stat commands\ntype StatAttributes struct {\n\tMode os.FileMode\n\tAtime time.Time\n\tMtime time.Time\n\tUID int\n\tGID int\n\tFlags int\n\tSize int64\n}\n\n// ConnectionTransfer defines the trasfer details\ntype ConnectionTransfer struct {\n\tID int64 `json:\"-\"`\n\tOperationType string `json:\"operation_type\"`\n\tStartTime int64 `json:\"start_time\"`\n\tSize int64 `json:\"size\"`\n\tVirtualPath string `json:\"path\"`\n\tHasSizeLimit bool `json:\"-\"`\n\tULSize int64 `json:\"-\"`\n\tDLSize int64 `json:\"-\"`\n}\n\n// EventManagerConfig defines the configuration for the EventManager\ntype EventManagerConfig struct {\n\t// EnabledCommands defines the system commands that can be executed via EventManager,\n\t// an empty list means that any command is allowed to be executed.\n\t// Commands must be set as an absolute path\n\tEnabledCommands []string `json:\"enabled_commands\" mapstructure:\"enabled_commands\"`\n}\n\nfunc (c *EventManagerConfig) validate() error {\n\tfor _, c := range c.EnabledCommands {\n\t\tif !filepath.IsAbs(c) {\n\t\t\treturn fmt.Errorf(\"invalid command %q: it must be an absolute path\", c)\n\t\t}\n\t}\n\treturn nil\n}\n\n// MetadataConfig defines how to handle metadata for cloud storage backends\ntype MetadataConfig struct {\n\t// If not zero the metadata will be read before downloads and will be\n\t// available in notifications\n\tRead int `json:\"read\" mapstructure:\"read\"`\n}\n\n// Configuration defines configuration parameters common to all supported protocols\ntype Configuration struct {\n\t// Maximum idle timeout as minutes. If a client is idle for a time that exceeds this setting it will be disconnected.\n\t// 0 means disabled\n\tIdleTimeout int `json:\"idle_timeout\" mapstructure:\"idle_timeout\"`\n\t// UploadMode 0 means standard, the files are uploaded directly to the requested path.\n\t// 1 means atomic: the files are uploaded to a temporary path and renamed to the requested path\n\t// when the client ends the upload. Atomic mode avoid problems such as a web server that\n\t// serves partial files when the files are being uploaded.\n\t// In atomic mode if there is an upload error the temporary file is deleted and so the requested\n\t// upload path will not contain a partial file.\n\t// 2 means atomic with resume support: as atomic but if there is an upload error the temporary\n\t// file is renamed to the requested path and not deleted, this way a client can reconnect and resume\n\t// the upload.\n\t// 4 means files for S3 backend are stored even if a client-side upload error is detected.\n\t// 8 means files for Google Cloud Storage backend are stored even if a client-side upload error is detected.\n\t// 16 means files for Azure Blob backend are stored even if a client-side upload error is detected.\n\tUploadMode int `json:\"upload_mode\" mapstructure:\"upload_mode\"`\n\t// Actions to execute for SFTP file operations and SSH commands\n\tActions ProtocolActions `json:\"actions\" mapstructure:\"actions\"`\n\t// SetstatMode 0 means \"normal mode\": requests for changing permissions and owner/group are executed.\n\t// 1 means \"ignore mode\": requests for changing permissions and owner/group are silently ignored.\n\t// 2 means \"ignore mode for cloud fs\": requests for changing permissions and owner/group are\n\t// silently ignored for cloud based filesystem such as S3, GCS, Azure Blob. Requests for changing\n\t// modification times are ignored for cloud based filesystem if they are not supported.\n\tSetstatMode int `json:\"setstat_mode\" mapstructure:\"setstat_mode\"`\n\t// RenameMode defines how to handle directory renames. By default, renaming of non-empty directories\n\t// is not allowed for cloud storage providers (S3, GCS, Azure Blob). Set to 1 to enable recursive\n\t// renames for these providers, they may be slow, there is no atomic rename API like for local\n\t// filesystem, so SFTPGo will recursively list the directory contents and do a rename for each entry\n\tRenameMode int `json:\"rename_mode\" mapstructure:\"rename_mode\"`\n\t// ResumeMaxSize defines the maximum size allowed, in bytes, to resume uploads on storage backends\n\t// with immutable objects. By default, resuming uploads is not allowed for cloud storage providers\n\t// (S3, GCS, Azure Blob) because SFTPGo must rewrite the entire file.\n\t// Set to a value greater than 0 to allow resuming uploads of files smaller than or equal to the\n\t// defined size.\n\tResumeMaxSize int64 `json:\"resume_max_size\" mapstructure:\"resume_max_size\"`\n\t// TempPath defines the path for temporary files such as those used for atomic uploads or file pipes.\n\t// If you set this option you must make sure that the defined path exists, is accessible for writing\n\t// by the user running SFTPGo, and is on the same filesystem as the users home directories otherwise\n\t// the renaming for atomic uploads will become a copy and therefore may take a long time.\n\t// The temporary files are not namespaced. The default is generally fine. Leave empty for the default.\n\tTempPath string `json:\"temp_path\" mapstructure:\"temp_path\"`\n\t// Support for HAProxy PROXY protocol.\n\t// If you are running SFTPGo behind a proxy server such as HAProxy, AWS ELB or NGNIX, you can enable\n\t// the proxy protocol. It provides a convenient way to safely transport connection information\n\t// such as a client's address across multiple layers of NAT or TCP proxies to get the real\n\t// client IP address instead of the proxy IP. Both protocol versions 1 and 2 are supported.\n\t// - 0 means disabled\n\t// - 1 means proxy protocol enabled. Proxy header will be used and requests without proxy header will be accepted.\n\t// - 2 means proxy protocol required. Proxy header will be used and requests without proxy header will be rejected.\n\t// If the proxy protocol is enabled in SFTPGo then you have to enable the protocol in your proxy configuration too,\n\t// for example for HAProxy add \"send-proxy\" or \"send-proxy-v2\" to each server configuration line.\n\tProxyProtocol int `json:\"proxy_protocol\" mapstructure:\"proxy_protocol\"`\n\t// List of IP addresses and IP ranges allowed to send the proxy header.\n\t// If proxy protocol is set to 1 and we receive a proxy header from an IP that is not in the list then the\n\t// connection will be accepted and the header will be ignored.\n\t// If proxy protocol is set to 2 and we receive a proxy header from an IP that is not in the list then the\n\t// connection will be rejected.\n\tProxyAllowed []string `json:\"proxy_allowed\" mapstructure:\"proxy_allowed\"`\n\t// List of IP addresses and IP ranges for which not to read the proxy header\n\tProxySkipped []string `json:\"proxy_skipped\" mapstructure:\"proxy_skipped\"`\n\t// Absolute path to an external program or an HTTP URL to invoke as soon as SFTPGo starts.\n\t// If you define an HTTP URL it will be invoked using a `GET` request.\n\t// Please note that SFTPGo services may not yet be available when this hook is run.\n\t// Leave empty do disable.\n\tStartupHook string `json:\"startup_hook\" mapstructure:\"startup_hook\"`\n\t// Absolute path to an external program or an HTTP URL to invoke after a user connects\n\t// and before he tries to login. It allows you to reject the connection based on the source\n\t// ip address. Leave empty do disable.\n\tPostConnectHook string `json:\"post_connect_hook\" mapstructure:\"post_connect_hook\"`\n\t// Absolute path to an external program or an HTTP URL to invoke after an SSH/FTP connection ends.\n\t// Leave empty do disable.\n\tPostDisconnectHook string `json:\"post_disconnect_hook\" mapstructure:\"post_disconnect_hook\"`\n\t// Maximum number of concurrent client connections. 0 means unlimited\n\tMaxTotalConnections int `json:\"max_total_connections\" mapstructure:\"max_total_connections\"`\n\t// Maximum number of concurrent client connections from the same host (IP). 0 means unlimited\n\tMaxPerHostConnections int `json:\"max_per_host_connections\" mapstructure:\"max_per_host_connections\"`\n\t// Defines the status of the global allow list. 0 means disabled, 1 enabled.\n\t// If enabled, only the listed IPs/networks can access the configured services, all other\n\t// client connections will be dropped before they even try to authenticate.\n\t// Ensure to enable this setting only after adding some allowed ip/networks from the WebAdmin/REST API\n\tAllowListStatus int `json:\"allowlist_status\" mapstructure:\"allowlist_status\"`\n\t// Allow users on this instance to use other users/virtual folders on this instance as storage backend.\n\t// Enable this setting if you know what you are doing.\n\tAllowSelfConnections int `json:\"allow_self_connections\" mapstructure:\"allow_self_connections\"`\n\t// Defender configuration\n\tDefenderConfig DefenderConfig `json:\"defender\" mapstructure:\"defender\"`\n\t// Rate limiter configurations\n\tRateLimitersConfig []RateLimiterConfig `json:\"rate_limiters\" mapstructure:\"rate_limiters\"`\n\t// Umask for new uploads. Leave blank to use the system default.\n\tUmask string `json:\"umask\" mapstructure:\"umask\"`\n\t// Defines the server version\n\tServerVersion string `json:\"server_version\" mapstructure:\"server_version\"`\n\t// TZ defines the time zone to use for the EventManager scheduler and to\n\t// control time-based access restrictions. Set to \"local\" to use the\n\t// server's local time, otherwise UTC will be used.\n\tTZ string `json:\"tz\" mapstructure:\"tz\"`\n\t// Metadata configuration\n\tMetadata MetadataConfig `json:\"metadata\" mapstructure:\"metadata\"`\n\t// EventManager configuration\n\tEventManager EventManagerConfig `json:\"event_manager\" mapstructure:\"event_manager\"`\n\tidleTimeoutAsDuration time.Duration\n\tidleLoginTimeout time.Duration\n\tdefender Defender\n\tallowList *dataprovider.IPList\n\trateLimitersList *dataprovider.IPList\n\tproxyAllowed []func(net.IP) bool\n\tproxySkipped []func(net.IP) bool\n}\n\n// IsAtomicUploadEnabled returns true if atomic upload is enabled\nfunc (c *Configuration) IsAtomicUploadEnabled() bool {\n\treturn c.UploadMode&UploadModeAtomic != 0 || c.UploadMode&UploadModeAtomicWithResume != 0\n}\n\nfunc (c *Configuration) initializeProxyProtocol() error {\n\tif c.ProxyProtocol > 0 {\n\t\tallowed, err := util.ParseAllowedIPAndRanges(c.ProxyAllowed)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"invalid proxy allowed: %w\", err)\n\t\t}\n\t\tskipped, err := util.ParseAllowedIPAndRanges(c.ProxySkipped)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"invalid proxy skipped: %w\", err)\n\t\t}\n\t\tConfig.proxyAllowed = allowed\n\t\tConfig.proxySkipped = skipped\n\t}\n\treturn nil\n}\n\n// GetProxyListener returns a wrapper for the given listener that supports the\n// HAProxy Proxy Protocol\nfunc (c *Configuration) GetProxyListener(listener net.Listener) (net.Listener, error) {\n\tif c.ProxyProtocol > 0 {\n\t\tdefaultPolicy := proxyproto.REQUIRE\n\t\tif c.ProxyProtocol == 1 {\n\t\t\tdefaultPolicy = proxyproto.IGNORE\n\t\t}\n\n\t\treturn &proxyproto.Listener{\n\t\t\tListener: listener,\n\t\t\tConnPolicy: getProxyPolicy(c.proxyAllowed, c.proxySkipped, defaultPolicy),\n\t\t\tReadHeaderTimeout: 10 * time.Second,\n\t\t}, nil\n\t}\n\treturn nil, errors.New(\"proxy protocol not configured\")\n}\n\n// GetRateLimitersStatus returns the rate limiters status\nfunc (c *Configuration) GetRateLimitersStatus() (bool, []string) {\n\tenabled := false\n\tvar protocols []string\n\tfor _, rlCfg := range c.RateLimitersConfig {\n\t\tif rlCfg.isEnabled() {\n\t\t\tenabled = true\n\t\t\tprotocols = append(protocols, rlCfg.Protocols...)\n\t\t}\n\t}\n\treturn enabled, util.RemoveDuplicates(protocols, false)\n}\n\n// IsAllowListEnabled returns true if the global allow list is enabled\nfunc (c *Configuration) IsAllowListEnabled() bool {\n\treturn c.AllowListStatus > 0\n}\n\n// ExecuteStartupHook runs the startup hook if defined\nfunc (c *Configuration) ExecuteStartupHook() error {\n\tif c.StartupHook == \"\" {\n\t\treturn nil\n\t}\n\tif strings.HasPrefix(c.StartupHook, \"http\") {\n\t\tvar url *url.URL\n\t\turl, err := url.Parse(c.StartupHook)\n\t\tif err != nil {\n\t\t\tlogger.Warn(logSender, \"\", \"Invalid startup hook %q: %v\", c.StartupHook, err)\n\t\t\treturn err\n\t\t}\n\t\tstartTime := time.Now()\n\t\tresp, err := httpclient.RetryableGet(url.String())\n\t\tif err != nil {\n\t\t\tlogger.Warn(logSender, \"\", \"Error executing startup hook: %v\", err)\n\t\t\treturn err\n\t\t}\n\t\tdefer resp.Body.Close()\n\t\tlogger.Debug(logSender, \"\", \"Startup hook executed, elapsed: %v, response code: %v\", time.Since(startTime), resp.StatusCode)\n\t\treturn nil\n\t}\n\tif !filepath.IsAbs(c.StartupHook) {\n\t\terr := fmt.Errorf(\"invalid startup hook %q\", c.StartupHook)\n\t\tlogger.Warn(logSender, \"\", \"Invalid startup hook %q\", c.StartupHook)\n\t\treturn err\n\t}\n\tstartTime := time.Now()\n\ttimeout, env, args := command.GetConfig(c.StartupHook, command.HookStartup)\n\tctx, cancel := context.WithTimeout(context.Background(), timeout)\n\tdefer cancel()\n\n\tcmd := exec.CommandContext(ctx, c.StartupHook, args...)\n\tcmd.Env = env\n\terr := cmd.Run()\n\tlogger.Debug(logSender, \"\", \"Startup hook executed, elapsed: %s, error: %v\", time.Since(startTime), err)\n\treturn nil\n}\n\nfunc (c *Configuration) executePostDisconnectHook(remoteAddr, protocol, username, connID string, connectionTime time.Time) {\n\tstartNewHook()\n\tdefer hookEnded()\n\n\tipAddr := util.GetIPFromRemoteAddress(remoteAddr)\n\tconnDuration := int64(time.Since(connectionTime) / time.Millisecond)\n\n\tif strings.HasPrefix(c.PostDisconnectHook, \"http\") {\n\t\tvar url *url.URL\n\t\turl, err := url.Parse(c.PostDisconnectHook)\n\t\tif err != nil {\n\t\t\tlogger.Warn(protocol, connID, \"Invalid post disconnect hook %q: %v\", c.PostDisconnectHook, err)\n\t\t\treturn\n\t\t}\n\t\tq := url.Query()\n\t\tq.Add(\"ip\", ipAddr)\n\t\tq.Add(\"protocol\", protocol)\n\t\tq.Add(\"username\", username)\n\t\tq.Add(\"connection_duration\", strconv.FormatInt(connDuration, 10))\n\t\turl.RawQuery = q.Encode()\n\t\tstartTime := time.Now()\n\t\tresp, err := httpclient.RetryableGet(url.String())\n\t\trespCode := 0\n\t\tif err == nil {\n\t\t\trespCode = resp.StatusCode\n\t\t\tresp.Body.Close()\n\t\t}\n\t\tlogger.Debug(protocol, connID, \"Post disconnect hook response code: %v, elapsed: %v, err: %v\",\n\t\t\trespCode, time.Since(startTime), err)\n\t\treturn\n\t}\n\tif !filepath.IsAbs(c.PostDisconnectHook) {\n\t\tlogger.Debug(protocol, connID, \"invalid post disconnect hook %q\", c.PostDisconnectHook)\n\t\treturn\n\t}\n\ttimeout, env, args := command.GetConfig(c.PostDisconnectHook, command.HookPostDisconnect)\n\tctx, cancel := context.WithTimeout(context.Background(), timeout)\n\tdefer cancel()\n\n\tstartTime := time.Now()\n\tcmd := exec.CommandContext(ctx, c.PostDisconnectHook, args...)\n\tcmd.Env = append(env,\n\t\tfmt.Sprintf(\"SFTPGO_CONNECTION_IP=%s\", ipAddr),\n\t\tfmt.Sprintf(\"SFTPGO_CONNECTION_USERNAME=%s\", username),\n\t\tfmt.Sprintf(\"SFTPGO_CONNECTION_DURATION=%d\", connDuration),\n\t\tfmt.Sprintf(\"SFTPGO_CONNECTION_PROTOCOL=%s\", protocol))\n\terr := cmd.Run()\n\tlogger.Debug(protocol, connID, \"Post disconnect hook executed, elapsed: %s error: %v\", time.Since(startTime), err)\n}\n\nfunc (c *Configuration) checkPostDisconnectHook(remoteAddr, protocol, username, connID string, connectionTime time.Time) {\n\tif c.PostDisconnectHook == \"\" {\n\t\treturn\n\t}\n\tif !slices.Contains(disconnHookProtocols, protocol) {\n\t\treturn\n\t}\n\tgo c.executePostDisconnectHook(remoteAddr, protocol, username, connID, connectionTime)\n}\n\n// ExecutePostConnectHook executes the post connect hook if defined\nfunc (c *Configuration) ExecutePostConnectHook(ipAddr, protocol string) error {\n\tif c.PostConnectHook == \"\" {\n\t\treturn nil\n\t}\n\tif strings.HasPrefix(c.PostConnectHook, \"http\") {\n\t\tvar url *url.URL\n\t\turl, err := url.Parse(c.PostConnectHook)\n\t\tif err != nil {\n\t\t\tlogger.Warn(protocol, \"\", \"Login from ip %q denied, invalid post connect hook %q: %v\",\n\t\t\t\tipAddr, c.PostConnectHook, err)\n\t\t\treturn getPermissionDeniedError(protocol)\n\t\t}\n\t\tq := url.Query()\n\t\tq.Add(\"ip\", ipAddr)\n\t\tq.Add(\"protocol\", protocol)\n\t\turl.RawQuery = q.Encode()\n\n\t\tresp, err := httpclient.RetryableGet(url.String())\n\t\tif err != nil {\n\t\t\tlogger.Warn(protocol, \"\", \"Login from ip %q denied, error executing post connect hook: %v\", ipAddr, err)\n\t\t\treturn getPermissionDeniedError(protocol)\n\t\t}\n\t\tdefer resp.Body.Close()\n\t\tif resp.StatusCode != http.StatusOK {\n\t\t\tlogger.Warn(protocol, \"\", \"Login from ip %q denied, post connect hook response code: %v\", ipAddr, resp.StatusCode)\n\t\t\treturn getPermissionDeniedError(protocol)\n\t\t}\n\t\treturn nil\n\t}\n\tif !filepath.IsAbs(c.PostConnectHook) {\n\t\terr := fmt.Errorf(\"invalid post connect hook %q\", c.PostConnectHook)\n\t\tlogger.Warn(protocol, \"\", \"Login from ip %q denied: %v\", ipAddr, err)\n\t\treturn getPermissionDeniedError(protocol)\n\t}\n\ttimeout, env, args := command.GetConfig(c.PostConnectHook, command.HookPostConnect)\n\tctx, cancel := context.WithTimeout(context.Background(), timeout)\n\tdefer cancel()\n\n\tcmd := exec.CommandContext(ctx, c.PostConnectHook, args...)\n\tcmd.Env = append(env,\n\t\tfmt.Sprintf(\"SFTPGO_CONNECTION_IP=%s\", ipAddr),\n\t\tfmt.Sprintf(\"SFTPGO_CONNECTION_PROTOCOL=%s\", protocol))\n\terr := cmd.Run()\n\tif err != nil {\n\t\tlogger.Warn(protocol, \"\", \"Login from ip %q denied, connect hook error: %v\", ipAddr, err)\n\t\treturn getPermissionDeniedError(protocol)\n\t}\n\treturn nil\n}\n\nfunc getProxyPolicy(allowed, skipped []func(net.IP) bool, def proxyproto.Policy) proxyproto.ConnPolicyFunc {\n\treturn func(connPolicyOptions proxyproto.ConnPolicyOptions) (proxyproto.Policy, error) {\n\t\tupstreamIP, err := util.GetIPFromNetAddr(connPolicyOptions.Upstream)\n\t\tif err != nil {\n\t\t\t// Something is wrong with the source IP, better reject the\n\t\t\t// connection.\n\t\t\tlogger.Error(logSender, \"\", \"reject connection from ip %q, err: %v\", connPolicyOptions.Upstream, err)\n\t\t\treturn proxyproto.REJECT, proxyproto.ErrInvalidUpstream\n\t\t}\n\n\t\tfor _, skippedFrom := range skipped {\n\t\t\tif skippedFrom(upstreamIP) {\n\t\t\t\treturn proxyproto.SKIP, nil\n\t\t\t}\n\t\t}\n\n\t\tfor _, allowFrom := range allowed {\n\t\t\tif allowFrom(upstreamIP) {\n\t\t\t\tif def == proxyproto.REQUIRE {\n\t\t\t\t\treturn proxyproto.REQUIRE, nil\n\t\t\t\t}\n\t\t\t\treturn proxyproto.USE, nil\n\t\t\t}\n\t\t}\n\n\t\tif def == proxyproto.REQUIRE {\n\t\t\tlogger.Debug(logSender, \"\", \"reject connection from ip %q: proxy protocol signature required and not set\",\n\t\t\t\tupstreamIP)\n\t\t\treturn proxyproto.REJECT, proxyproto.ErrInvalidUpstream\n\t\t}\n\t\treturn def, nil\n\t}\n}\n\n// SSHConnection defines an ssh connection.\n// Each SSH connection can open several channels for SFTP or SSH commands\ntype SSHConnection struct {\n\tid string\n\tconn io.Closer\n\tlastActivity atomic.Int64\n}\n\n// NewSSHConnection returns a new SSHConnection\nfunc NewSSHConnection(id string, conn io.Closer) *SSHConnection {\n\tc := &SSHConnection{\n\t\tid: id,\n\t\tconn: conn,\n\t}\n\tc.lastActivity.Store(time.Now().UnixNano())\n\treturn c\n}\n\n// GetID returns the ID for this SSHConnection\nfunc (c *SSHConnection) GetID() string {\n\treturn c.id\n}\n\n// UpdateLastActivity updates last activity for this connection\nfunc (c *SSHConnection) UpdateLastActivity() {\n\tc.lastActivity.Store(time.Now().UnixNano())\n}\n\n// GetLastActivity returns the last connection activity\nfunc (c *SSHConnection) GetLastActivity() time.Time {\n\treturn time.Unix(0, c.lastActivity.Load())\n}\n\n// Close closes the underlying network connection\nfunc (c *SSHConnection) Close() error {\n\treturn c.conn.Close()\n}\n\n// ActiveConnections holds the currect active connections with the associated transfers\ntype ActiveConnections struct {\n\t// clients contains both authenticated and estabilished connections and the ones waiting\n\t// for authentication\n\tclients clientsMap\n\t// transfers contains active transfers, total and per-user\n\ttransfers clientsMap\n\ttransfersCheckStatus atomic.Bool\n\tsync.RWMutex\n\tconnections []ActiveConnection\n\tmapping map[string]int\n\tsshConnections []*SSHConnection\n\tsshMapping map[string]int\n\tperUserConns map[string]int\n}\n\n// internal method, must be called within a locked block\nfunc (conns *ActiveConnections) addUserConnection(username string) {\n\tif username == \"\" {\n\t\treturn\n\t}\n\tconns.perUserConns[username]++\n}\n\n// internal method, must be called within a locked block\nfunc (conns *ActiveConnections) removeUserConnection(username string) {\n\tif username == \"\" {\n\t\treturn\n\t}\n\tif val, ok := conns.perUserConns[username]; ok {\n\t\tconns.perUserConns[username]--\n\t\tif val > 1 {\n\t\t\treturn\n\t\t}\n\t\tdelete(conns.perUserConns, username)\n\t}\n}\n\n// GetActiveSessions returns the number of active sessions for the given username.\n// We return the open sessions for any protocol\nfunc (conns *ActiveConnections) GetActiveSessions(username string) int {\n\tconns.RLock()\n\tdefer conns.RUnlock()\n\n\treturn conns.perUserConns[username]\n}\n\n// Add adds a new connection to the active ones\nfunc (conns *ActiveConnections) Add(c ActiveConnection) error {\n\tconns.Lock()\n\tdefer conns.Unlock()\n\n\tif username := c.GetUsername(); username != \"\" {\n\t\tif maxSessions := c.GetMaxSessions(); maxSessions > 0 {\n\t\t\tif val := conns.perUserConns[username]; val >= maxSessions {\n\t\t\t\treturn fmt.Errorf(\"too many open sessions: %d/%d\", val, maxSessions)\n\t\t\t}\n\t\t\tif val := conns.transfers.getTotalFrom(username); val >= maxSessions {\n\t\t\t\treturn fmt.Errorf(\"too many open transfers: %d/%d\", val, maxSessions)\n\t\t\t}\n\t\t}\n\t\tconns.addUserConnection(username)\n\t}\n\tconns.mapping[c.GetID()] = len(conns.connections)\n\tconns.connections = append(conns.connections, c)\n\tmetric.UpdateActiveConnectionsSize(len(conns.connections))\n\tlogger.Debug(c.GetProtocol(), c.GetID(), \"connection added, local address %q, remote address %q, num open connections: %d\",\n\t\tc.GetLocalAddress(), c.GetRemoteAddress(), len(conns.connections))\n\treturn nil\n}\n\n// Swap replaces an existing connection with the given one.\n// This method is useful if you have to change some connection details\n// for example for FTP is used to update the connection once the user\n// authenticates\nfunc (conns *ActiveConnections) Swap(c ActiveConnection) error {\n\tconns.Lock()\n\tdefer conns.Unlock()\n\n\tif idx, ok := conns.mapping[c.GetID()]; ok {\n\t\tconn := conns.connections[idx]\n\t\tconns.removeUserConnection(conn.GetUsername())\n\t\tif username := c.GetUsername(); username != \"\" {\n\t\t\tif maxSessions := c.GetMaxSessions(); maxSessions > 0 {\n\t\t\t\tif val, ok := conns.perUserConns[username]; ok && val >= maxSessions {\n\t\t\t\t\tconns.addUserConnection(conn.GetUsername())\n\t\t\t\t\treturn fmt.Errorf(\"too many open sessions: %d/%d\", val, maxSessions)\n\t\t\t\t}\n\t\t\t}\n\t\t\tconns.addUserConnection(username)\n\t\t}\n\t\terr := conn.CloseFS()\n\t\tconns.connections[idx] = c\n\t\tlogger.Debug(logSender, c.GetID(), \"connection swapped, close fs error: %v\", err)\n\t\tconn = nil\n\t\treturn nil\n\t}\n\n\treturn errors.New(\"connection to swap not found\")\n}\n\n// Remove removes a connection from the active ones\nfunc (conns *ActiveConnections) Remove(connectionID string) {\n\tconns.Lock()\n\tdefer conns.Unlock()\n\n\tif idx, ok := conns.mapping[connectionID]; ok {\n\t\tconn := conns.connections[idx]\n\t\terr := conn.CloseFS()\n\t\tlastIdx := len(conns.connections) - 1\n\t\tconns.connections[idx] = conns.connections[lastIdx]\n\t\tconns.connections[lastIdx] = nil\n\t\tconns.connections = conns.connections[:lastIdx]\n\t\tdelete(conns.mapping, connectionID)\n\t\tif idx != lastIdx {\n\t\t\tconns.mapping[conns.connections[idx].GetID()] = idx\n\t\t}\n\t\tconns.removeUserConnection(conn.GetUsername())\n\t\tmetric.UpdateActiveConnectionsSize(lastIdx)\n\t\tlogger.Debug(conn.GetProtocol(), conn.GetID(), \"connection removed, local address %q, remote address %q close fs error: %v, num open connections: %d\",\n\t\t\tconn.GetLocalAddress(), conn.GetRemoteAddress(), err, lastIdx)\n\t\tif conn.GetProtocol() == ProtocolFTP && conn.GetUsername() == \"\" && !slices.Contains(ftpLoginCommands, conn.GetCommand()) {\n\t\t\tip := util.GetIPFromRemoteAddress(conn.GetRemoteAddress())\n\t\t\tlogger.ConnectionFailedLog(\"\", ip, dataprovider.LoginMethodNoAuthTried, ProtocolFTP,\n\t\t\t\tdataprovider.ErrNoAuthTried.Error())\n\t\t\tmetric.AddNoAuthTried()\n\t\t\tAddDefenderEvent(ip, ProtocolFTP, HostEventNoLoginTried)\n\t\t\tdataprovider.ExecutePostLoginHook(&dataprovider.User{}, dataprovider.LoginMethodNoAuthTried, ip,\n\t\t\t\tProtocolFTP, dataprovider.ErrNoAuthTried)\n\t\t\tplugin.Handler.NotifyLogEvent(notifier.LogEventTypeNoLoginTried, ProtocolFTP, \"\", ip, \"\",\n\t\t\t\tdataprovider.ErrNoAuthTried)\n\t\t}\n\t\tConfig.checkPostDisconnectHook(conn.GetRemoteAddress(), conn.GetProtocol(), conn.GetUsername(),\n\t\t\tconn.GetID(), conn.GetConnectionTime())\n\t\treturn\n\t}\n\n\tlogger.Debug(logSender, \"\", \"connection id %q to remove not found!\", connectionID)\n}\n\n// Close closes an active connection.\n// It returns true on success\nfunc (conns *ActiveConnections) Close(connectionID, role string) bool {\n\tconns.RLock()\n\n\tvar result bool\n\n\tif idx, ok := conns.mapping[connectionID]; ok {\n\t\tc := conns.connections[idx]\n\n\t\tif role == \"\" || c.GetRole() == role {\n\t\t\tdefer func(conn ActiveConnection) {\n\t\t\t\terr := conn.Disconnect()\n\t\t\t\tlogger.Debug(conn.GetProtocol(), conn.GetID(), \"close connection requested, close err: %v\", err)\n\t\t\t}(c)\n\t\t\tresult = true\n\t\t}\n\t}\n\n\tconns.RUnlock()\n\treturn result\n}\n\n// AddSSHConnection adds a new ssh connection to the active ones\nfunc (conns *ActiveConnections) AddSSHConnection(c *SSHConnection) {\n\tconns.Lock()\n\tdefer conns.Unlock()\n\n\tconns.sshMapping[c.GetID()] = len(conns.sshConnections)\n\tconns.sshConnections = append(conns.sshConnections, c)\n\tlogger.Debug(logSender, c.GetID(), \"ssh connection added, num open connections: %d\", len(conns.sshConnections))\n}\n\n// RemoveSSHConnection removes a connection from the active ones\nfunc (conns *ActiveConnections) RemoveSSHConnection(connectionID string) {\n\tconns.Lock()\n\tdefer conns.Unlock()\n\n\tif idx, ok := conns.sshMapping[connectionID]; ok {\n\t\tlastIdx := len(conns.sshConnections) - 1\n\t\tconns.sshConnections[idx] = conns.sshConnections[lastIdx]\n\t\tconns.sshConnections[lastIdx] = nil\n\t\tconns.sshConnections = conns.sshConnections[:lastIdx]\n\t\tdelete(conns.sshMapping, connectionID)\n\t\tif idx != lastIdx {\n\t\t\tconns.sshMapping[conns.sshConnections[idx].GetID()] = idx\n\t\t}\n\t\tlogger.Debug(logSender, connectionID, \"ssh connection removed, num open ssh connections: %d\", lastIdx)\n\t\treturn\n\t}\n\tlogger.Warn(logSender, \"\", \"ssh connection to remove with id %q not found!\", connectionID)\n}\n\nfunc (conns *ActiveConnections) checkIdles() {\n\tconns.RLock()\n\n\tfor _, sshConn := range conns.sshConnections {\n\t\tidleTime := time.Since(sshConn.GetLastActivity())\n\t\tif idleTime > Config.idleTimeoutAsDuration {\n\t\t\t// we close an SSH connection if it has no active connections associated\n\t\t\tidToMatch := fmt.Sprintf(\"_%s_\", sshConn.GetID())\n\t\t\ttoClose := true\n\t\t\tfor _, conn := range conns.connections {\n\t\t\t\tif strings.Contains(conn.GetID(), idToMatch) {\n\t\t\t\t\tif time.Since(conn.GetLastActivity()) <= Config.idleTimeoutAsDuration {\n\t\t\t\t\t\ttoClose = false\n\t\t\t\t\t\tbreak\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\tif toClose {\n\t\t\t\tdefer func(c *SSHConnection) {\n\t\t\t\t\terr := c.Close()\n\t\t\t\t\tlogger.Debug(logSender, c.GetID(), \"close idle SSH connection, idle time: %v, close err: %v\",\n\t\t\t\t\t\ttime.Since(c.GetLastActivity()), err)\n\t\t\t\t}(sshConn)\n\t\t\t}\n\t\t}\n\t}\n\n\tfor _, c := range conns.connections {\n\t\tidleTime := time.Since(c.GetLastActivity())\n\t\tisUnauthenticatedFTPUser := (c.GetProtocol() == ProtocolFTP && c.GetUsername() == \"\")\n\n\t\tif idleTime > Config.idleTimeoutAsDuration || (isUnauthenticatedFTPUser && idleTime > Config.idleLoginTimeout) {\n\t\t\tdefer func(conn ActiveConnection) {\n\t\t\t\terr := conn.Disconnect()\n\t\t\t\tlogger.Debug(conn.GetProtocol(), conn.GetID(), \"close idle connection, idle time: %s, username: %q close err: %v\",\n\t\t\t\t\ttime.Since(conn.GetLastActivity()), conn.GetUsername(), err)\n\t\t\t}(c)\n\t\t} else if !isUnauthenticatedFTPUser && !c.isAccessAllowed() {\n\t\t\tdefer func(conn ActiveConnection) {\n\t\t\t\terr := conn.Disconnect()\n\t\t\t\tlogger.Info(conn.GetProtocol(), conn.GetID(), \"access conditions not met for user: %q close connection err: %v\",\n\t\t\t\t\tconn.GetUsername(), err)\n\t\t\t}(c)\n\t\t}\n\t}\n\n\tconns.RUnlock()\n}\n\nfunc (conns *ActiveConnections) checkTransfers() {\n\tif conns.transfersCheckStatus.Load() {\n\t\tlogger.Warn(logSender, \"\", \"the previous transfer check is still running, skipping execution\")\n\t\treturn\n\t}\n\tconns.transfersCheckStatus.Store(true)\n\tdefer conns.transfersCheckStatus.Store(false)\n\n\tconns.RLock()\n\n\tif len(conns.connections) < 2 {\n\t\tconns.RUnlock()\n\t\treturn\n\t}\n\tvar wg sync.WaitGroup\n\tlogger.Debug(logSender, \"\", \"start concurrent transfers check\")\n\n\t// update the current size for transfers to monitors\n\tfor _, c := range conns.connections {\n\t\tfor _, t := range c.GetTransfers() {\n\t\t\tif t.HasSizeLimit {\n\t\t\t\twg.Add(1)\n\n\t\t\t\tgo func(transfer ConnectionTransfer, connID string) {\n\t\t\t\t\tdefer wg.Done()\n\t\t\t\t\ttransfersChecker.UpdateTransferCurrentSizes(transfer.ULSize, transfer.DLSize, transfer.ID, connID)\n\t\t\t\t}(t, c.GetID())\n\t\t\t}\n\t\t}\n\t}\n\n\tconns.RUnlock()\n\tlogger.Debug(logSender, \"\", \"waiting for the update of the transfers current size\")\n\twg.Wait()\n\n\tlogger.Debug(logSender, \"\", \"getting overquota transfers\")\n\toverquotaTransfers := transfersChecker.GetOverquotaTransfers()\n\tlogger.Debug(logSender, \"\", \"number of overquota transfers: %v\", len(overquotaTransfers))\n\tif len(overquotaTransfers) == 0 {\n\t\treturn\n\t}\n\n\tconns.RLock()\n\tdefer conns.RUnlock()\n\n\tfor _, c := range conns.connections {\n\t\tfor _, overquotaTransfer := range overquotaTransfers {\n\t\t\tif c.GetID() == overquotaTransfer.ConnID {\n\t\t\t\tlogger.Info(logSender, c.GetID(), \"user %q is overquota, try to close transfer id %v\",\n\t\t\t\t\tc.GetUsername(), overquotaTransfer.TransferID)\n\t\t\t\tvar err error\n\t\t\t\tif overquotaTransfer.TransferType == TransferDownload {\n\t\t\t\t\terr = getReadQuotaExceededError(c.GetProtocol())\n\t\t\t\t} else {\n\t\t\t\t\terr = getQuotaExceededError(c.GetProtocol())\n\t\t\t\t}\n\t\t\t\tc.SignalTransferClose(overquotaTransfer.TransferID, err)\n\t\t\t}\n\t\t}\n\t}\n\tlogger.Debug(logSender, \"\", \"transfers check completed\")\n}\n\n// AddClientConnection stores a new client connection\nfunc (conns *ActiveConnections) AddClientConnection(ipAddr string) {\n\tconns.clients.add(ipAddr)\n}\n\n// RemoveClientConnection removes a disconnected client from the tracked ones\nfunc (conns *ActiveConnections) RemoveClientConnection(ipAddr string) {\n\tconns.clients.remove(ipAddr)\n}\n\n// GetClientConnections returns the total number of client connections\nfunc (conns *ActiveConnections) GetClientConnections() int32 {\n\treturn conns.clients.getTotal()\n}\n\n// GetTotalTransfers returns the total number of active transfers\nfunc (conns *ActiveConnections) GetTotalTransfers() int32 {\n\treturn conns.transfers.getTotal()\n}\n\n// IsNewTransferAllowed returns an error if the maximum number of concurrent allowed\n// transfers is exceeded\nfunc (conns *ActiveConnections) IsNewTransferAllowed(username string) error {\n\tif isShuttingDown.Load() {\n\t\treturn ErrShuttingDown\n\t}\n\tif Config.MaxTotalConnections == 0 && Config.MaxPerHostConnections == 0 {\n\t\treturn nil\n\t}\n\tif Config.MaxPerHostConnections > 0 {\n\t\tif transfers := conns.transfers.getTotalFrom(username); transfers >= Config.MaxPerHostConnections {\n\t\t\tlogger.Info(logSender, \"\", \"active transfers from user %q: %d/%d\", username, transfers, Config.MaxPerHostConnections)\n\t\t\treturn ErrConnectionDenied\n\t\t}\n\t}\n\tif Config.MaxTotalConnections > 0 {\n\t\tif transfers := conns.transfers.getTotal(); transfers >= int32(Config.MaxTotalConnections) {\n\t\t\tlogger.Info(logSender, \"\", \"active transfers %d/%d\", transfers, Config.MaxTotalConnections)\n\t\t\treturn ErrConnectionDenied\n\t\t}\n\t}\n\treturn nil\n}\n\n// IsNewConnectionAllowed returns an error if the maximum number of concurrent allowed\n// connections is exceeded or a whitelist is defined and the specified ipAddr is not listed\n// or the service is shutting down\nfunc (conns *ActiveConnections) IsNewConnectionAllowed(ipAddr, protocol string) error {\n\tif isShuttingDown.Load() {\n\t\treturn ErrShuttingDown\n\t}\n\tif Config.allowList != nil {\n\t\tisListed, _, err := Config.allowList.IsListed(ipAddr, protocol)\n\t\tif err != nil {\n\t\t\tlogger.Error(logSender, \"\", \"unable to query allow list, connection denied, ip %q, protocol %s, err: %v\",\n\t\t\t\tipAddr, protocol, err)\n\t\t\treturn ErrConnectionDenied\n\t\t}\n\t\tif !isListed {\n\t\t\treturn ErrConnectionDenied\n\t\t}\n\t}\n\tif Config.MaxTotalConnections == 0 && Config.MaxPerHostConnections == 0 {\n\t\treturn nil\n\t}\n\n\tif Config.MaxPerHostConnections > 0 {\n\t\tif total := conns.clients.getTotalFrom(ipAddr); total > Config.MaxPerHostConnections {\n\t\t\tif !AddDefenderEvent(ipAddr, protocol, HostEventLimitExceeded) {\n\t\t\t\tlogger.Warn(logSender, \"\", \"connection denied, active connections from IP %q: %d/%d\",\n\t\t\t\t\tipAddr, total, Config.MaxPerHostConnections)\n\t\t\t\treturn ErrConnectionDenied\n\t\t\t}\n\t\t\tlogger.Info(logSender, \"\", \"active connections from safe IP %q: %d\", ipAddr, total)\n\t\t}\n\t}\n\n\tif Config.MaxTotalConnections > 0 {\n\t\tif total := conns.clients.getTotal(); total > int32(Config.MaxTotalConnections) {\n\t\t\tlogger.Info(logSender, \"\", \"active client connections %d/%d\", total, Config.MaxTotalConnections)\n\t\t\treturn ErrConnectionDenied\n\t\t}\n\n\t\t// on a single SFTP connection we could have multiple SFTP channels or commands\n\t\t// so we check the estabilished connections and active uploads too\n\t\tif transfers := conns.transfers.getTotal(); transfers >= int32(Config.MaxTotalConnections) {\n\t\t\tlogger.Info(logSender, \"\", \"active transfers %d/%d\", transfers, Config.MaxTotalConnections)\n\t\t\treturn ErrConnectionDenied\n\t\t}\n\n\t\tconns.RLock()\n\t\tdefer conns.RUnlock()\n\n\t\tif sess := len(conns.connections); sess >= Config.MaxTotalConnections {\n\t\t\tlogger.Info(logSender, \"\", \"active client sessions %d/%d\", sess, Config.MaxTotalConnections)\n\t\t\treturn ErrConnectionDenied\n\t\t}\n\t}\n\n\treturn nil\n}\n\n// GetStats returns stats for active connections\nfunc (conns *ActiveConnections) GetStats(role string) []ConnectionStatus {\n\tconns.RLock()\n\tdefer conns.RUnlock()\n\n\tstats := make([]ConnectionStatus, 0, len(conns.connections))\n\tnode := dataprovider.GetNodeName()\n\tfor _, c := range conns.connections {\n\t\tif role == \"\" || c.GetRole() == role {\n\t\t\tstat := ConnectionStatus{\n\t\t\t\tUsername: c.GetUsername(),\n\t\t\t\tConnectionID: c.GetID(),\n\t\t\t\tClientVersion: c.GetClientVersion(),\n\t\t\t\tRemoteAddress: c.GetRemoteAddress(),\n\t\t\t\tConnectionTime: util.GetTimeAsMsSinceEpoch(c.GetConnectionTime()),\n\t\t\t\tLastActivity: util.GetTimeAsMsSinceEpoch(c.GetLastActivity()),\n\t\t\t\tCurrentTime: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\t\t\tProtocol: c.GetProtocol(),\n\t\t\t\tCommand: c.GetCommand(),\n\t\t\t\tTransfers: c.GetTransfers(),\n\t\t\t\tNode: node,\n\t\t\t}\n\t\t\tstats = append(stats, stat)\n\t\t}\n\t}\n\treturn stats\n}\n\n// ConnectionStatus returns the status for an active connection\ntype ConnectionStatus struct {\n\t// Logged in username\n\tUsername string `json:\"username\"`\n\t// Unique identifier for the connection\n\tConnectionID string `json:\"connection_id\"`\n\t// client's version string\n\tClientVersion string `json:\"client_version,omitempty\"`\n\t// Remote address for this connection\n\tRemoteAddress string `json:\"remote_address\"`\n\t// Connection time as unix timestamp in milliseconds\n\tConnectionTime int64 `json:\"connection_time\"`\n\t// Last activity as unix timestamp in milliseconds\n\tLastActivity int64 `json:\"last_activity\"`\n\t// Current time as unix timestamp in milliseconds\n\tCurrentTime int64 `json:\"current_time\"`\n\t// Protocol for this connection\n\tProtocol string `json:\"protocol\"`\n\t// active uploads/downloads\n\tTransfers []ConnectionTransfer `json:\"active_transfers,omitempty\"`\n\t// SSH command or WebDAV method\n\tCommand string `json:\"command,omitempty\"`\n\t// Node identifier, omitted for single node installations\n\tNode string `json:\"node,omitempty\"`\n}\n\n// ActiveQuotaScan defines an active quota scan for a user\ntype ActiveQuotaScan struct {\n\t// Username to which the quota scan refers\n\tUsername string `json:\"username\"`\n\t// quota scan start time as unix timestamp in milliseconds\n\tStartTime int64 `json:\"start_time\"`\n\tRole string `json:\"-\"`\n}\n\n// ActiveVirtualFolderQuotaScan defines an active quota scan for a virtual folder\ntype ActiveVirtualFolderQuotaScan struct {\n\t// folder name to which the quota scan refers\n\tName string `json:\"name\"`\n\t// quota scan start time as unix timestamp in milliseconds\n\tStartTime int64 `json:\"start_time\"`\n}\n\n// ActiveScans holds the active quota scans\ntype ActiveScans struct {\n\tsync.RWMutex\n\tUserScans []ActiveQuotaScan\n\tFolderScans []ActiveVirtualFolderQuotaScan\n}\n\n// GetUsersQuotaScans returns the active users quota scans\nfunc (s *ActiveScans) GetUsersQuotaScans(role string) []ActiveQuotaScan {\n\ts.RLock()\n\tdefer s.RUnlock()\n\n\tscans := make([]ActiveQuotaScan, 0, len(s.UserScans))\n\tfor _, scan := range s.UserScans {\n\t\tif role == \"\" || role == scan.Role {\n\t\t\tscans = append(scans, ActiveQuotaScan{\n\t\t\t\tUsername: scan.Username,\n\t\t\t\tStartTime: scan.StartTime,\n\t\t\t})\n\t\t}\n\t}\n\n\treturn scans\n}\n\n// AddUserQuotaScan adds a user to the ones with active quota scans.\n// Returns false if the user has a quota scan already running\nfunc (s *ActiveScans) AddUserQuotaScan(username, role string) bool {\n\ts.Lock()\n\tdefer s.Unlock()\n\n\tfor _, scan := range s.UserScans {\n\t\tif scan.Username == username {\n\t\t\treturn false\n\t\t}\n\t}\n\ts.UserScans = append(s.UserScans, ActiveQuotaScan{\n\t\tUsername: username,\n\t\tStartTime: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\tRole: role,\n\t})\n\treturn true\n}\n\n// RemoveUserQuotaScan removes a user from the ones with active quota scans.\n// Returns false if the user has no active quota scans\nfunc (s *ActiveScans) RemoveUserQuotaScan(username string) bool {\n\ts.Lock()\n\tdefer s.Unlock()\n\n\tfor idx, scan := range s.UserScans {\n\t\tif scan.Username == username {\n\t\t\tlastIdx := len(s.UserScans) - 1\n\t\t\ts.UserScans[idx] = s.UserScans[lastIdx]\n\t\t\ts.UserScans = s.UserScans[:lastIdx]\n\t\t\treturn true\n\t\t}\n\t}\n\n\treturn false\n}\n\n// GetVFoldersQuotaScans returns the active quota scans for virtual folders\nfunc (s *ActiveScans) GetVFoldersQuotaScans() []ActiveVirtualFolderQuotaScan {\n\ts.RLock()\n\tdefer s.RUnlock()\n\tscans := make([]ActiveVirtualFolderQuotaScan, len(s.FolderScans))\n\tcopy(scans, s.FolderScans)\n\treturn scans\n}\n\n// AddVFolderQuotaScan adds a virtual folder to the ones with active quota scans.\n// Returns false if the folder has a quota scan already running\nfunc (s *ActiveScans) AddVFolderQuotaScan(folderName string) bool {\n\ts.Lock()\n\tdefer s.Unlock()\n\n\tfor _, scan := range s.FolderScans {\n\t\tif scan.Name == folderName {\n\t\t\treturn false\n\t\t}\n\t}\n\ts.FolderScans = append(s.FolderScans, ActiveVirtualFolderQuotaScan{\n\t\tName: folderName,\n\t\tStartTime: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t})\n\treturn true\n}\n\n// RemoveVFolderQuotaScan removes a folder from the ones with active quota scans.\n// Returns false if the folder has no active quota scans\nfunc (s *ActiveScans) RemoveVFolderQuotaScan(folderName string) bool {\n\ts.Lock()\n\tdefer s.Unlock()\n\n\tfor idx, scan := range s.FolderScans {\n\t\tif scan.Name == folderName {\n\t\t\tlastIdx := len(s.FolderScans) - 1\n\t\t\ts.FolderScans[idx] = s.FolderScans[lastIdx]\n\t\t\ts.FolderScans = s.FolderScans[:lastIdx]\n\t\t\treturn true\n\t\t}\n\t}\n\n\treturn false\n}\n" }, { "path": "internal/common/common_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"crypto/tls\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"net\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"slices\"\n\t\"sync\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/alexedwards/argon2id\"\n\t\"github.com/pires/go-proxyproto\"\n\t\"github.com/sftpgo/sdk\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\t\"golang.org/x/crypto/bcrypt\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nconst (\n\tlogSenderTest = \"common_test\"\n\thttpAddr = \"127.0.0.1:9999\"\n\tosWindows = \"windows\"\n\tuserTestUsername = \"common_test_username\"\n)\n\nvar (\n\tconfigDir = filepath.Join(\".\", \"..\", \"..\")\n)\n\ntype fakeConnection struct {\n\t*BaseConnection\n\tcommand string\n}\n\nfunc (c *fakeConnection) AddUser(user dataprovider.User) error {\n\t_, err := user.GetFilesystem(c.GetID())\n\tif err != nil {\n\t\treturn err\n\t}\n\tc.User = user\n\treturn nil\n}\n\nfunc (c *fakeConnection) Disconnect() error {\n\tConnections.Remove(c.GetID())\n\treturn nil\n}\n\nfunc (c *fakeConnection) GetClientVersion() string {\n\treturn \"\"\n}\n\nfunc (c *fakeConnection) GetCommand() string {\n\treturn c.command\n}\n\nfunc (c *fakeConnection) GetLocalAddress() string {\n\treturn \"\"\n}\n\nfunc (c *fakeConnection) GetRemoteAddress() string {\n\treturn \"\"\n}\n\ntype customNetConn struct {\n\tnet.Conn\n\tid string\n\tisClosed bool\n}\n\nfunc (c *customNetConn) Close() error {\n\tConnections.RemoveSSHConnection(c.id)\n\tc.isClosed = true\n\treturn c.Conn.Close()\n}\n\nfunc TestConnections(t *testing.T) {\n\tc1 := &fakeConnection{\n\t\tBaseConnection: NewBaseConnection(\"id1\", ProtocolSFTP, \"\", \"\", dataprovider.User{\n\t\t\tBaseUser: sdk.BaseUser{\n\t\t\t\tUsername: userTestUsername,\n\t\t\t},\n\t\t}),\n\t}\n\tc2 := &fakeConnection{\n\t\tBaseConnection: NewBaseConnection(\"id2\", ProtocolSFTP, \"\", \"\", dataprovider.User{\n\t\t\tBaseUser: sdk.BaseUser{\n\t\t\t\tUsername: userTestUsername,\n\t\t\t},\n\t\t}),\n\t}\n\tc3 := &fakeConnection{\n\t\tBaseConnection: NewBaseConnection(\"id3\", ProtocolSFTP, \"\", \"\", dataprovider.User{\n\t\t\tBaseUser: sdk.BaseUser{\n\t\t\t\tUsername: userTestUsername,\n\t\t\t},\n\t\t}),\n\t}\n\tc4 := &fakeConnection{\n\t\tBaseConnection: NewBaseConnection(\"id4\", ProtocolSFTP, \"\", \"\", dataprovider.User{\n\t\t\tBaseUser: sdk.BaseUser{\n\t\t\t\tUsername: userTestUsername,\n\t\t\t},\n\t\t}),\n\t}\n\tassert.Equal(t, \"SFTP_id1\", c1.GetID())\n\tassert.Equal(t, \"SFTP_id2\", c2.GetID())\n\tassert.Equal(t, \"SFTP_id3\", c3.GetID())\n\tassert.Equal(t, \"SFTP_id4\", c4.GetID())\n\terr := Connections.Add(c1)\n\tassert.NoError(t, err)\n\terr = Connections.Add(c2)\n\tassert.NoError(t, err)\n\terr = Connections.Add(c3)\n\tassert.NoError(t, err)\n\terr = Connections.Add(c4)\n\tassert.NoError(t, err)\n\n\tConnections.RLock()\n\tassert.Len(t, Connections.connections, 4)\n\tassert.Len(t, Connections.mapping, 4)\n\t_, ok := Connections.mapping[c1.GetID()]\n\tassert.True(t, ok)\n\tassert.Equal(t, 0, Connections.mapping[c1.GetID()])\n\tassert.Equal(t, 1, Connections.mapping[c2.GetID()])\n\tassert.Equal(t, 2, Connections.mapping[c3.GetID()])\n\tassert.Equal(t, 3, Connections.mapping[c4.GetID()])\n\tConnections.RUnlock()\n\n\tc2 = &fakeConnection{\n\t\tBaseConnection: NewBaseConnection(\"id2\", ProtocolSFTP, \"\", \"\", dataprovider.User{\n\t\t\tBaseUser: sdk.BaseUser{\n\t\t\t\tUsername: userTestUsername + \"_mod\",\n\t\t\t},\n\t\t}),\n\t}\n\terr = Connections.Swap(c2)\n\tassert.NoError(t, err)\n\n\tConnections.RLock()\n\tassert.Len(t, Connections.connections, 4)\n\tassert.Len(t, Connections.mapping, 4)\n\t_, ok = Connections.mapping[c1.GetID()]\n\tassert.True(t, ok)\n\tassert.Equal(t, 0, Connections.mapping[c1.GetID()])\n\tassert.Equal(t, 1, Connections.mapping[c2.GetID()])\n\tassert.Equal(t, 2, Connections.mapping[c3.GetID()])\n\tassert.Equal(t, 3, Connections.mapping[c4.GetID()])\n\tassert.Equal(t, userTestUsername+\"_mod\", Connections.connections[1].GetUsername())\n\tConnections.RUnlock()\n\n\tConnections.Remove(c2.GetID())\n\n\tConnections.RLock()\n\tassert.Len(t, Connections.connections, 3)\n\tassert.Len(t, Connections.mapping, 3)\n\t_, ok = Connections.mapping[c1.GetID()]\n\tassert.True(t, ok)\n\tassert.Equal(t, 0, Connections.mapping[c1.GetID()])\n\tassert.Equal(t, 1, Connections.mapping[c4.GetID()])\n\tassert.Equal(t, 2, Connections.mapping[c3.GetID()])\n\tConnections.RUnlock()\n\n\tConnections.Remove(c3.GetID())\n\n\tConnections.RLock()\n\tassert.Len(t, Connections.connections, 2)\n\tassert.Len(t, Connections.mapping, 2)\n\t_, ok = Connections.mapping[c1.GetID()]\n\tassert.True(t, ok)\n\tassert.Equal(t, 0, Connections.mapping[c1.GetID()])\n\tassert.Equal(t, 1, Connections.mapping[c4.GetID()])\n\tConnections.RUnlock()\n\n\tConnections.Remove(c1.GetID())\n\n\tConnections.RLock()\n\tassert.Len(t, Connections.connections, 1)\n\tassert.Len(t, Connections.mapping, 1)\n\t_, ok = Connections.mapping[c4.GetID()]\n\tassert.True(t, ok)\n\tassert.Equal(t, 0, Connections.mapping[c4.GetID()])\n\tConnections.RUnlock()\n\n\tConnections.Remove(c4.GetID())\n\n\tConnections.RLock()\n\tassert.Len(t, Connections.connections, 0)\n\tassert.Len(t, Connections.mapping, 0)\n\tConnections.RUnlock()\n}\n\nfunc TestEventManagerCommandsInitialization(t *testing.T) {\n\tconfigCopy := Config\n\n\tc := Configuration{\n\t\tEventManager: EventManagerConfig{\n\t\t\tEnabledCommands: []string{\"ls\"}, // not an absolute path\n\t\t},\n\t}\n\terr := Initialize(c, 0)\n\tassert.ErrorContains(t, err, \"invalid command\")\n\n\tvar commands []string\n\tif runtime.GOOS == osWindows {\n\t\tcommands = []string{\"C:\\\\command\"}\n\t} else {\n\t\tcommands = []string{\"/bin/ls\"}\n\t}\n\n\tc.EventManager.EnabledCommands = commands\n\terr = Initialize(c, 0)\n\tassert.NoError(t, err)\n\tassert.Equal(t, commands, dataprovider.EnabledActionCommands)\n\n\tdataprovider.EnabledActionCommands = configCopy.EventManager.EnabledCommands\n\tConfig = configCopy\n}\n\nfunc TestInitializationProxyErrors(t *testing.T) {\n\tconfigCopy := Config\n\n\tc := Configuration{\n\t\tProxyProtocol: 1,\n\t\tProxyAllowed: []string{\"1.1.1.1111\"},\n\t}\n\terr := Initialize(c, 0)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"invalid proxy allowed\")\n\t}\n\tc.ProxyAllowed = nil\n\tc.ProxySkipped = []string{\"invalid\"}\n\terr = Initialize(c, 0)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"invalid proxy skipped\")\n\t}\n\tc.ProxyAllowed = []string{\"1.1.1.1\"}\n\tc.ProxySkipped = []string{\"2.2.2.2\", \"10.8.0.0/24\"}\n\terr = Initialize(c, 0)\n\tassert.NoError(t, err)\n\tassert.Len(t, Config.proxyAllowed, 1)\n\tassert.Len(t, Config.proxySkipped, 2)\n\n\tConfig = configCopy\n\tassert.Equal(t, 0, Config.ProxyProtocol)\n\tassert.Len(t, Config.proxyAllowed, 0)\n\tassert.Len(t, Config.proxySkipped, 0)\n}\n\nfunc TestInitializationClosedProvider(t *testing.T) {\n\tconfigCopy := Config\n\n\tproviderConf := dataprovider.GetProviderConfig()\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\n\tconfig := Configuration{\n\t\tAllowListStatus: 1,\n\t}\n\terr = Initialize(config, 0)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unable to initialize the allow list\")\n\t}\n\n\tconfig.AllowListStatus = 0\n\tconfig.RateLimitersConfig = []RateLimiterConfig{\n\t\t{\n\t\t\tAverage: 100,\n\t\t\tPeriod: 1000,\n\t\t\tBurst: 5,\n\t\t\tType: int(rateLimiterTypeGlobal),\n\t\t\tProtocols: rateLimiterProtocolValues,\n\t\t},\n\t}\n\terr = Initialize(config, 0)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unable to initialize ratelimiters list\")\n\t}\n\n\tconfig.RateLimitersConfig = nil\n\tconfig.DefenderConfig = DefenderConfig{\n\t\tEnabled: true,\n\t\tDriver: DefenderDriverProvider,\n\t\tBanTime: 10,\n\t\tBanTimeIncrement: 50,\n\t\tThreshold: 10,\n\t\tScoreInvalid: 2,\n\t\tScoreValid: 1,\n\t\tScoreNoAuth: 2,\n\t\tObservationTime: 15,\n\t\tEntriesSoftLimit: 100,\n\t\tEntriesHardLimit: 150,\n\t}\n\terr = Initialize(config, 0)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"defender initialization error\")\n\t}\n\tconfig.DefenderConfig.Driver = DefenderDriverMemory\n\terr = Initialize(config, 0)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"defender initialization error\")\n\t}\n\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\tConfig = configCopy\n}\n\nfunc TestSSHConnections(t *testing.T) {\n\tconn1, conn2 := net.Pipe()\n\tnow := time.Now()\n\tsshConn1 := NewSSHConnection(\"id1\", conn1)\n\tsshConn2 := NewSSHConnection(\"id2\", conn2)\n\tsshConn3 := NewSSHConnection(\"id3\", conn2)\n\tassert.Equal(t, \"id1\", sshConn1.GetID())\n\tassert.Equal(t, \"id2\", sshConn2.GetID())\n\tassert.Equal(t, \"id3\", sshConn3.GetID())\n\tsshConn1.UpdateLastActivity()\n\tassert.GreaterOrEqual(t, sshConn1.GetLastActivity().UnixNano(), now.UnixNano())\n\tConnections.AddSSHConnection(sshConn1)\n\tConnections.AddSSHConnection(sshConn2)\n\tConnections.AddSSHConnection(sshConn3)\n\tConnections.RLock()\n\tassert.Len(t, Connections.sshConnections, 3)\n\t_, ok := Connections.sshMapping[sshConn1.GetID()]\n\tassert.True(t, ok)\n\tassert.Equal(t, 0, Connections.sshMapping[sshConn1.GetID()])\n\tassert.Equal(t, 1, Connections.sshMapping[sshConn2.GetID()])\n\tassert.Equal(t, 2, Connections.sshMapping[sshConn3.GetID()])\n\tConnections.RUnlock()\n\tConnections.RemoveSSHConnection(sshConn1.id)\n\tConnections.RLock()\n\tassert.Len(t, Connections.sshConnections, 2)\n\tassert.Equal(t, sshConn3.id, Connections.sshConnections[0].id)\n\tassert.Equal(t, sshConn2.id, Connections.sshConnections[1].id)\n\t_, ok = Connections.sshMapping[sshConn3.GetID()]\n\tassert.True(t, ok)\n\tassert.Equal(t, 0, Connections.sshMapping[sshConn3.GetID()])\n\tassert.Equal(t, 1, Connections.sshMapping[sshConn2.GetID()])\n\tConnections.RUnlock()\n\tConnections.RemoveSSHConnection(sshConn1.id)\n\tConnections.RLock()\n\tassert.Len(t, Connections.sshConnections, 2)\n\tassert.Equal(t, sshConn3.id, Connections.sshConnections[0].id)\n\tassert.Equal(t, sshConn2.id, Connections.sshConnections[1].id)\n\t_, ok = Connections.sshMapping[sshConn3.GetID()]\n\tassert.True(t, ok)\n\tassert.Equal(t, 0, Connections.sshMapping[sshConn3.GetID()])\n\tassert.Equal(t, 1, Connections.sshMapping[sshConn2.GetID()])\n\tConnections.RUnlock()\n\tConnections.RemoveSSHConnection(sshConn2.id)\n\tConnections.RLock()\n\tassert.Len(t, Connections.sshConnections, 1)\n\tassert.Equal(t, sshConn3.id, Connections.sshConnections[0].id)\n\t_, ok = Connections.sshMapping[sshConn3.GetID()]\n\tassert.True(t, ok)\n\tassert.Equal(t, 0, Connections.sshMapping[sshConn3.GetID()])\n\tConnections.RUnlock()\n\tConnections.RemoveSSHConnection(sshConn3.id)\n\tConnections.RLock()\n\tassert.Len(t, Connections.sshConnections, 0)\n\tassert.Len(t, Connections.sshMapping, 0)\n\tConnections.RUnlock()\n\tassert.NoError(t, sshConn1.Close())\n\tassert.NoError(t, sshConn2.Close())\n\tassert.NoError(t, sshConn3.Close())\n}\n\nfunc TestDefenderIntegration(t *testing.T) {\n\t// by default defender is nil\n\tconfigCopy := Config\n\n\twdPath, err := os.Getwd()\n\trequire.NoError(t, err)\n\tpluginsConfig := []plugin.Config{\n\t\t{\n\t\t\tType: \"ipfilter\",\n\t\t\tCmd: filepath.Join(wdPath, \"..\", \"..\", \"tests\", \"ipfilter\", \"ipfilter\"),\n\t\t\tAutoMTLS: true,\n\t\t},\n\t}\n\tif runtime.GOOS == osWindows {\n\t\tpluginsConfig[0].Cmd += \".exe\"\n\t}\n\terr = plugin.Initialize(pluginsConfig, \"debug\")\n\trequire.NoError(t, err)\n\n\tip := \"127.1.1.1\"\n\n\tassert.Nil(t, Reload())\n\t// 192.168.1.12 is banned from the ipfilter plugin\n\tassert.True(t, IsBanned(\"192.168.1.12\", ProtocolFTP))\n\n\tAddDefenderEvent(ip, ProtocolFTP, HostEventNoLoginTried)\n\tassert.False(t, IsBanned(ip, ProtocolFTP))\n\n\tbanTime, err := GetDefenderBanTime(ip)\n\tassert.NoError(t, err)\n\tassert.Nil(t, banTime)\n\tassert.False(t, DeleteDefenderHost(ip))\n\tscore, err := GetDefenderScore(ip)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, score)\n\t_, err = GetDefenderHost(ip)\n\tassert.Error(t, err)\n\thosts, err := GetDefenderHosts()\n\tassert.NoError(t, err)\n\tassert.Nil(t, hosts)\n\n\tConfig.DefenderConfig = DefenderConfig{\n\t\tEnabled: true,\n\t\tDriver: DefenderDriverProvider,\n\t\tBanTime: 10,\n\t\tBanTimeIncrement: 50,\n\t\tThreshold: 0,\n\t\tScoreInvalid: 2,\n\t\tScoreValid: 1,\n\t\tScoreNoAuth: 2,\n\t\tObservationTime: 15,\n\t\tEntriesSoftLimit: 100,\n\t\tEntriesHardLimit: 150,\n\t\tLoginDelay: LoginDelay{\n\t\t\tPasswordFailed: 200,\n\t\t},\n\t}\n\terr = Initialize(Config, 0)\n\t// ScoreInvalid cannot be greater than threshold\n\tassert.Error(t, err)\n\tConfig.DefenderConfig.Driver = \"unsupported\"\n\terr = Initialize(Config, 0)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unsupported defender driver\")\n\t}\n\tConfig.DefenderConfig.Driver = DefenderDriverMemory\n\terr = Initialize(Config, 0)\n\t// ScoreInvalid cannot be greater than threshold\n\tassert.Error(t, err)\n\tConfig.DefenderConfig.Threshold = 3\n\n\terr = Initialize(Config, 0)\n\tassert.NoError(t, err)\n\tassert.Nil(t, Reload())\n\n\tAddDefenderEvent(ip, ProtocolSSH, HostEventNoLoginTried)\n\tassert.False(t, IsBanned(ip, ProtocolSSH))\n\tscore, err = GetDefenderScore(ip)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 2, score)\n\tentry, err := GetDefenderHost(ip)\n\tassert.NoError(t, err)\n\tasJSON, err := json.Marshal(&entry)\n\tassert.NoError(t, err)\n\tassert.Equal(t, `{\"id\":\"3132372e312e312e31\",\"ip\":\"127.1.1.1\",\"score\":2}`, string(asJSON), \"entry %v\", entry)\n\tassert.True(t, DeleteDefenderHost(ip))\n\tbanTime, err = GetDefenderBanTime(ip)\n\tassert.NoError(t, err)\n\tassert.Nil(t, banTime)\n\n\tAddDefenderEvent(ip, ProtocolHTTP, HostEventLoginFailed)\n\tAddDefenderEvent(ip, ProtocolHTTP, HostEventNoLoginTried)\n\tassert.True(t, IsBanned(ip, ProtocolHTTP))\n\tscore, err = GetDefenderScore(ip)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, score)\n\tbanTime, err = GetDefenderBanTime(ip)\n\tassert.NoError(t, err)\n\tassert.NotNil(t, banTime)\n\thosts, err = GetDefenderHosts()\n\tassert.NoError(t, err)\n\tassert.Len(t, hosts, 1)\n\tentry, err = GetDefenderHost(ip)\n\tassert.NoError(t, err)\n\tassert.False(t, entry.BanTime.IsZero())\n\tassert.True(t, DeleteDefenderHost(ip))\n\thosts, err = GetDefenderHosts()\n\tassert.NoError(t, err)\n\tassert.Len(t, hosts, 0)\n\tbanTime, err = GetDefenderBanTime(ip)\n\tassert.NoError(t, err)\n\tassert.Nil(t, banTime)\n\tassert.False(t, DeleteDefenderHost(ip))\n\n\tstartTime := time.Now()\n\tDelayLogin(nil)\n\telapsed := time.Since(startTime)\n\tassert.Less(t, elapsed, time.Millisecond*50)\n\n\tstartTime = time.Now()\n\tDelayLogin(ErrInternalFailure)\n\telapsed = time.Since(startTime)\n\tassert.Greater(t, elapsed, time.Millisecond*150)\n\n\tConfig = configCopy\n}\n\nfunc TestRateLimitersIntegration(t *testing.T) {\n\tconfigCopy := Config\n\n\tenabled, protocols := Config.GetRateLimitersStatus()\n\tassert.False(t, enabled)\n\tassert.Len(t, protocols, 0)\n\n\tentries := []dataprovider.IPListEntry{\n\t\t{\n\t\t\tIPOrNet: \"172.16.24.7/32\",\n\t\t\tType: dataprovider.IPListTypeRateLimiterSafeList,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"172.16.0.0/16\",\n\t\t\tType: dataprovider.IPListTypeRateLimiterSafeList,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t},\n\t}\n\n\tfor idx := range entries {\n\t\te := entries[idx]\n\t\terr := dataprovider.AddIPListEntry(&e, \"\", \"\", \"\")\n\t\tassert.NoError(t, err)\n\t}\n\n\tConfig.RateLimitersConfig = []RateLimiterConfig{\n\t\t{\n\t\t\tAverage: 100,\n\t\t\tPeriod: 10,\n\t\t\tBurst: 5,\n\t\t\tType: int(rateLimiterTypeGlobal),\n\t\t\tProtocols: rateLimiterProtocolValues,\n\t\t},\n\t\t{\n\t\t\tAverage: 1,\n\t\t\tPeriod: 1000,\n\t\t\tBurst: 1,\n\t\t\tType: int(rateLimiterTypeSource),\n\t\t\tProtocols: []string{ProtocolWebDAV, ProtocolWebDAV, ProtocolFTP},\n\t\t\tGenerateDefenderEvents: true,\n\t\t\tEntriesSoftLimit: 100,\n\t\t\tEntriesHardLimit: 150,\n\t\t},\n\t}\n\terr := Initialize(Config, 0)\n\tassert.Error(t, err)\n\tConfig.RateLimitersConfig[0].Period = 1000\n\n\terr = Initialize(Config, 0)\n\tassert.NoError(t, err)\n\tassert.NotNil(t, Config.rateLimitersList)\n\n\tassert.Len(t, rateLimiters, 4)\n\tassert.Len(t, rateLimiters[ProtocolSSH], 1)\n\tassert.Len(t, rateLimiters[ProtocolFTP], 2)\n\tassert.Len(t, rateLimiters[ProtocolWebDAV], 2)\n\tassert.Len(t, rateLimiters[ProtocolHTTP], 1)\n\n\tenabled, protocols = Config.GetRateLimitersStatus()\n\tassert.True(t, enabled)\n\tassert.Len(t, protocols, 4)\n\tassert.Contains(t, protocols, ProtocolFTP)\n\tassert.Contains(t, protocols, ProtocolSSH)\n\tassert.Contains(t, protocols, ProtocolHTTP)\n\tassert.Contains(t, protocols, ProtocolWebDAV)\n\n\tsource1 := \"127.1.1.1\"\n\tsource2 := \"127.1.1.2\"\n\tsource3 := \"172.16.24.7\" // in safelist\n\n\t_, err = LimitRate(ProtocolSSH, source1)\n\tassert.NoError(t, err)\n\t_, err = LimitRate(ProtocolFTP, source1)\n\tassert.NoError(t, err)\n\t// sleep to allow the add configured burst to the token.\n\t// This sleep is not enough to add the per-source burst\n\ttime.Sleep(20 * time.Millisecond)\n\t_, err = LimitRate(ProtocolWebDAV, source2)\n\tassert.NoError(t, err)\n\t_, err = LimitRate(ProtocolFTP, source1)\n\tassert.Error(t, err)\n\t_, err = LimitRate(ProtocolWebDAV, source2)\n\tassert.Error(t, err)\n\t_, err = LimitRate(ProtocolSSH, source1)\n\tassert.NoError(t, err)\n\t_, err = LimitRate(ProtocolSSH, source2)\n\tassert.NoError(t, err)\n\tfor i := 0; i < 10; i++ {\n\t\t_, err = LimitRate(ProtocolWebDAV, source3)\n\t\tassert.NoError(t, err)\n\t}\n\tfor _, e := range entries {\n\t\terr := dataprovider.DeleteIPListEntry(e.IPOrNet, e.Type, \"\", \"\", \"\")\n\t\tassert.NoError(t, err)\n\t}\n\n\tassert.Nil(t, configCopy.rateLimitersList)\n\tConfig = configCopy\n}\n\nfunc TestUserMaxSessions(t *testing.T) {\n\tc := NewBaseConnection(\"id\", ProtocolSFTP, \"\", \"\", dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: userTestUsername,\n\t\t\tMaxSessions: 1,\n\t\t},\n\t})\n\tfakeConn := &fakeConnection{\n\t\tBaseConnection: c,\n\t}\n\terr := Connections.Add(fakeConn)\n\tassert.NoError(t, err)\n\terr = Connections.Add(fakeConn)\n\tassert.Error(t, err)\n\terr = Connections.Swap(fakeConn)\n\tassert.NoError(t, err)\n\tConnections.Remove(fakeConn.GetID())\n\tConnections.Lock()\n\tConnections.removeUserConnection(userTestUsername)\n\tConnections.Unlock()\n\tassert.Len(t, Connections.GetStats(\"\"), 0)\n}\n\nfunc TestMaxConnections(t *testing.T) {\n\toldValue := Config.MaxTotalConnections\n\tperHost := Config.MaxPerHostConnections\n\n\tConfig.MaxPerHostConnections = 0\n\n\tipAddr := \"192.168.7.8\"\n\tassert.NoError(t, Connections.IsNewConnectionAllowed(ipAddr, ProtocolFTP))\n\tassert.NoError(t, Connections.IsNewTransferAllowed(userTestUsername))\n\n\tConfig.MaxTotalConnections = 1\n\tConfig.MaxPerHostConnections = perHost\n\n\tassert.NoError(t, Connections.IsNewConnectionAllowed(ipAddr, ProtocolHTTP))\n\tassert.NoError(t, Connections.IsNewTransferAllowed(userTestUsername))\n\tisShuttingDown.Store(true)\n\tassert.ErrorIs(t, Connections.IsNewTransferAllowed(userTestUsername), ErrShuttingDown)\n\tisShuttingDown.Store(false)\n\n\tc := NewBaseConnection(\"id\", ProtocolSFTP, \"\", \"\", dataprovider.User{})\n\tfakeConn := &fakeConnection{\n\t\tBaseConnection: c,\n\t}\n\terr := Connections.Add(fakeConn)\n\tassert.NoError(t, err)\n\tassert.Len(t, Connections.GetStats(\"\"), 1)\n\tassert.Error(t, Connections.IsNewConnectionAllowed(ipAddr, ProtocolSSH))\n\tConnections.transfers.add(userTestUsername)\n\tassert.Error(t, Connections.IsNewTransferAllowed(userTestUsername))\n\tConnections.transfers.remove(userTestUsername)\n\tassert.Equal(t, int32(0), Connections.GetTotalTransfers())\n\n\tres := Connections.Close(fakeConn.GetID(), \"\")\n\tassert.True(t, res)\n\tassert.Eventually(t, func() bool { return len(Connections.GetStats(\"\")) == 0 }, 300*time.Millisecond, 50*time.Millisecond)\n\n\tassert.NoError(t, Connections.IsNewConnectionAllowed(ipAddr, ProtocolSSH))\n\tConnections.AddClientConnection(ipAddr)\n\tConnections.AddClientConnection(ipAddr)\n\tassert.Error(t, Connections.IsNewConnectionAllowed(ipAddr, ProtocolSSH))\n\tConnections.RemoveClientConnection(ipAddr)\n\tassert.NoError(t, Connections.IsNewConnectionAllowed(ipAddr, ProtocolWebDAV))\n\tConnections.transfers.add(userTestUsername)\n\tassert.Error(t, Connections.IsNewConnectionAllowed(ipAddr, ProtocolSSH))\n\tConnections.transfers.remove(userTestUsername)\n\tConnections.RemoveClientConnection(ipAddr)\n\n\tConfig.MaxTotalConnections = oldValue\n}\n\nfunc TestConnectionRoles(t *testing.T) {\n\tusername := \"testUsername\"\n\trole1 := \"testRole1\"\n\trole2 := \"testRole2\"\n\tc := NewBaseConnection(\"id\", ProtocolSFTP, \"\", \"\", dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username,\n\t\t\tRole: role1,\n\t\t},\n\t})\n\tfakeConn := &fakeConnection{\n\t\tBaseConnection: c,\n\t}\n\terr := Connections.Add(fakeConn)\n\tassert.NoError(t, err)\n\tassert.Len(t, Connections.GetStats(\"\"), 1)\n\tassert.Len(t, Connections.GetStats(role1), 1)\n\tassert.Len(t, Connections.GetStats(role2), 0)\n\n\tres := Connections.Close(fakeConn.GetID(), role2)\n\tassert.False(t, res)\n\tassert.Len(t, Connections.GetStats(\"\"), 1)\n\tres = Connections.Close(fakeConn.GetID(), role1)\n\tassert.True(t, res)\n\tassert.Eventually(t, func() bool { return len(Connections.GetStats(\"\")) == 0 }, 300*time.Millisecond, 50*time.Millisecond)\n}\n\nfunc TestMaxConnectionPerHost(t *testing.T) {\n\tdefender, err := newInMemoryDefender(&DefenderConfig{\n\t\tEnabled: true,\n\t\tDriver: DefenderDriverMemory,\n\t\tBanTime: 30,\n\t\tBanTimeIncrement: 50,\n\t\tThreshold: 15,\n\t\tScoreInvalid: 2,\n\t\tScoreValid: 1,\n\t\tScoreLimitExceeded: 3,\n\t\tObservationTime: 30,\n\t\tEntriesSoftLimit: 100,\n\t\tEntriesHardLimit: 150,\n\t})\n\trequire.NoError(t, err)\n\n\toldMaxPerHostConn := Config.MaxPerHostConnections\n\toldDefender := Config.defender\n\n\tConfig.MaxPerHostConnections = 2\n\tConfig.defender = defender\n\n\tipAddr := \"192.168.9.9\"\n\tConnections.AddClientConnection(ipAddr)\n\tassert.NoError(t, Connections.IsNewConnectionAllowed(ipAddr, ProtocolSSH))\n\n\tConnections.AddClientConnection(ipAddr)\n\tassert.NoError(t, Connections.IsNewConnectionAllowed(ipAddr, ProtocolWebDAV))\n\n\tConnections.AddClientConnection(ipAddr)\n\tassert.Error(t, Connections.IsNewConnectionAllowed(ipAddr, ProtocolFTP))\n\tassert.Equal(t, int32(3), Connections.GetClientConnections())\n\t// Add the IP to the defender safe list\n\tentry := dataprovider.IPListEntry{\n\t\tIPOrNet: ipAddr,\n\t\tType: dataprovider.IPListTypeDefender,\n\t\tMode: dataprovider.ListModeAllow,\n\t}\n\terr = dataprovider.AddIPListEntry(&entry, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tConnections.AddClientConnection(ipAddr)\n\tassert.NoError(t, Connections.IsNewConnectionAllowed(ipAddr, ProtocolSSH))\n\n\terr = dataprovider.DeleteIPListEntry(entry.IPOrNet, dataprovider.IPListTypeDefender, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tConnections.RemoveClientConnection(ipAddr)\n\tConnections.RemoveClientConnection(ipAddr)\n\tConnections.RemoveClientConnection(ipAddr)\n\tConnections.RemoveClientConnection(ipAddr)\n\n\tassert.Equal(t, int32(0), Connections.GetClientConnections())\n\n\tConfig.MaxPerHostConnections = oldMaxPerHostConn\n\tConfig.defender = oldDefender\n}\n\nfunc TestIdleConnections(t *testing.T) {\n\tconfigCopy := Config\n\n\tConfig.IdleTimeout = 1\n\terr := Initialize(Config, 0)\n\tassert.NoError(t, err)\n\n\tconn1, conn2 := net.Pipe()\n\tcustomConn1 := &customNetConn{\n\t\tConn: conn1,\n\t\tid: \"id1\",\n\t}\n\tcustomConn2 := &customNetConn{\n\t\tConn: conn2,\n\t\tid: \"id2\",\n\t}\n\tsshConn1 := NewSSHConnection(customConn1.id, customConn1)\n\tsshConn2 := NewSSHConnection(customConn2.id, customConn2)\n\n\tusername := \"test_user\"\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username,\n\t\t\tStatus: 1,\n\t\t},\n\t}\n\tc := NewBaseConnection(sshConn1.id+\"_1\", ProtocolSFTP, \"\", \"\", user)\n\tc.lastActivity.Store(time.Now().Add(-24 * time.Hour).UnixNano())\n\tfakeConn := &fakeConnection{\n\t\tBaseConnection: c,\n\t}\n\t// both ssh connections are expired but they should get removed only\n\t// if there is no associated connection\n\tsshConn1.lastActivity.Store(c.lastActivity.Load())\n\tsshConn2.lastActivity.Store(c.lastActivity.Load())\n\tConnections.AddSSHConnection(sshConn1)\n\terr = Connections.Add(fakeConn)\n\tassert.NoError(t, err)\n\tassert.Equal(t, Connections.GetActiveSessions(username), 1)\n\tc = NewBaseConnection(sshConn2.id+\"_1\", ProtocolSSH, \"\", \"\", user)\n\tfakeConn = &fakeConnection{\n\t\tBaseConnection: c,\n\t}\n\tConnections.AddSSHConnection(sshConn2)\n\terr = Connections.Add(fakeConn)\n\tassert.NoError(t, err)\n\tassert.Equal(t, Connections.GetActiveSessions(username), 2)\n\n\tcFTP := NewBaseConnection(\"id2\", ProtocolFTP, \"\", \"\", dataprovider.User{})\n\tcFTP.lastActivity.Store(time.Now().UnixNano())\n\tfakeConn = &fakeConnection{\n\t\tBaseConnection: cFTP,\n\t}\n\terr = Connections.Add(fakeConn)\n\tassert.NoError(t, err)\n\t// the user is expired, this connection will be removed\n\tcDAV := NewBaseConnection(\"id3\", ProtocolWebDAV, \"\", \"\", dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username + \"_2\",\n\t\t\tStatus: 1,\n\t\t\tExpirationDate: util.GetTimeAsMsSinceEpoch(time.Now().Add(-24 * time.Hour)),\n\t\t},\n\t})\n\tcDAV.lastActivity.Store(time.Now().UnixNano())\n\tfakeConn = &fakeConnection{\n\t\tBaseConnection: cDAV,\n\t}\n\terr = Connections.Add(fakeConn)\n\tassert.NoError(t, err)\n\n\tassert.Equal(t, 2, Connections.GetActiveSessions(username))\n\tassert.Len(t, Connections.GetStats(\"\"), 4)\n\tConnections.RLock()\n\tassert.Len(t, Connections.sshConnections, 2)\n\tConnections.RUnlock()\n\n\tstartPeriodicChecks(100*time.Millisecond, 0)\n\tassert.Eventually(t, func() bool { return Connections.GetActiveSessions(username) == 1 }, 2*time.Second, 200*time.Millisecond)\n\tassert.Eventually(t, func() bool {\n\t\tConnections.RLock()\n\t\tdefer Connections.RUnlock()\n\t\treturn len(Connections.sshConnections) == 1\n\t}, 1*time.Second, 200*time.Millisecond)\n\tstopEventScheduler()\n\tassert.Len(t, Connections.GetStats(\"\"), 2)\n\tc.lastActivity.Store(time.Now().Add(-24 * time.Hour).UnixNano())\n\tcFTP.lastActivity.Store(time.Now().Add(-24 * time.Hour).UnixNano())\n\tsshConn2.lastActivity.Store(c.lastActivity.Load())\n\tstartPeriodicChecks(100*time.Millisecond, 1)\n\tassert.Eventually(t, func() bool { return len(Connections.GetStats(\"\")) == 0 }, 2*time.Second, 200*time.Millisecond)\n\tassert.Eventually(t, func() bool {\n\t\tConnections.RLock()\n\t\tdefer Connections.RUnlock()\n\t\treturn len(Connections.sshConnections) == 0\n\t}, 1*time.Second, 200*time.Millisecond)\n\tassert.Equal(t, int32(0), Connections.GetClientConnections())\n\tstopEventScheduler()\n\tassert.True(t, customConn1.isClosed)\n\tassert.True(t, customConn2.isClosed)\n\n\tConfig = configCopy\n}\n\nfunc TestCloseConnection(t *testing.T) {\n\tc := NewBaseConnection(\"id\", ProtocolSFTP, \"\", \"\", dataprovider.User{})\n\tfakeConn := &fakeConnection{\n\t\tBaseConnection: c,\n\t}\n\tassert.NoError(t, Connections.IsNewConnectionAllowed(\"127.0.0.1\", ProtocolHTTP))\n\terr := Connections.Add(fakeConn)\n\tassert.NoError(t, err)\n\tassert.Len(t, Connections.GetStats(\"\"), 1)\n\tres := Connections.Close(fakeConn.GetID(), \"\")\n\tassert.True(t, res)\n\tassert.Eventually(t, func() bool { return len(Connections.GetStats(\"\")) == 0 }, 300*time.Millisecond, 50*time.Millisecond)\n\tres = Connections.Close(fakeConn.GetID(), \"\")\n\tassert.False(t, res)\n\tConnections.Remove(fakeConn.GetID())\n}\n\nfunc TestSwapConnection(t *testing.T) {\n\tc := NewBaseConnection(\"id\", ProtocolFTP, \"\", \"\", dataprovider.User{})\n\tfakeConn := &fakeConnection{\n\t\tBaseConnection: c,\n\t}\n\terr := Connections.Add(fakeConn)\n\tassert.NoError(t, err)\n\tif assert.Len(t, Connections.GetStats(\"\"), 1) {\n\t\tassert.Equal(t, \"\", Connections.GetStats(\"\")[0].Username)\n\t}\n\tc = NewBaseConnection(\"id\", ProtocolFTP, \"\", \"\", dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: userTestUsername,\n\t\t\tMaxSessions: 1,\n\t\t},\n\t})\n\tfakeConn = &fakeConnection{\n\t\tBaseConnection: c,\n\t}\n\tc1 := NewBaseConnection(\"id1\", ProtocolFTP, \"\", \"\", dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: userTestUsername,\n\t\t},\n\t})\n\tfakeConn1 := &fakeConnection{\n\t\tBaseConnection: c1,\n\t}\n\terr = Connections.Add(fakeConn1)\n\tassert.NoError(t, err)\n\terr = Connections.Swap(fakeConn)\n\tassert.Error(t, err)\n\tConnections.Remove(fakeConn1.ID)\n\terr = Connections.Swap(fakeConn)\n\tassert.NoError(t, err)\n\tif assert.Len(t, Connections.GetStats(\"\"), 1) {\n\t\tassert.Equal(t, userTestUsername, Connections.GetStats(\"\")[0].Username)\n\t}\n\tres := Connections.Close(fakeConn.GetID(), \"\")\n\tassert.True(t, res)\n\tassert.Eventually(t, func() bool { return len(Connections.GetStats(\"\")) == 0 }, 300*time.Millisecond, 50*time.Millisecond)\n\terr = Connections.Swap(fakeConn)\n\tassert.Error(t, err)\n}\n\nfunc TestAtomicUpload(t *testing.T) {\n\tconfigCopy := Config\n\n\tConfig.UploadMode = UploadModeStandard\n\tassert.False(t, Config.IsAtomicUploadEnabled())\n\tConfig.UploadMode = UploadModeAtomic\n\tassert.True(t, Config.IsAtomicUploadEnabled())\n\tConfig.UploadMode = UploadModeAtomicWithResume\n\tassert.True(t, Config.IsAtomicUploadEnabled())\n\n\tConfig = configCopy\n}\n\nfunc TestConnectionStatus(t *testing.T) {\n\tusername := \"test_user\"\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username,\n\t\t},\n\t}\n\tfs := vfs.NewOsFs(\"\", os.TempDir(), \"\", nil)\n\tc1 := NewBaseConnection(\"id1\", ProtocolSFTP, \"\", \"\", user)\n\tfakeConn1 := &fakeConnection{\n\t\tBaseConnection: c1,\n\t}\n\tt1 := NewBaseTransfer(nil, c1, nil, \"/p1\", \"/p1\", \"/r1\", TransferUpload, 0, 0, 0, 0, true, fs, dataprovider.TransferQuota{})\n\tt1.BytesReceived.Store(123)\n\tt2 := NewBaseTransfer(nil, c1, nil, \"/p2\", \"/p2\", \"/r2\", TransferDownload, 0, 0, 0, 0, true, fs, dataprovider.TransferQuota{})\n\tt2.BytesSent.Store(456)\n\tc2 := NewBaseConnection(\"id2\", ProtocolSSH, \"\", \"\", user)\n\tfakeConn2 := &fakeConnection{\n\t\tBaseConnection: c2,\n\t\tcommand: \"md5sum\",\n\t}\n\tc3 := NewBaseConnection(\"id3\", ProtocolWebDAV, \"\", \"\", user)\n\tfakeConn3 := &fakeConnection{\n\t\tBaseConnection: c3,\n\t\tcommand: \"PROPFIND\",\n\t}\n\tt3 := NewBaseTransfer(nil, c3, nil, \"/p2\", \"/p2\", \"/r2\", TransferDownload, 0, 0, 0, 0, true, fs, dataprovider.TransferQuota{})\n\terr := Connections.Add(fakeConn1)\n\tassert.NoError(t, err)\n\terr = Connections.Add(fakeConn2)\n\tassert.NoError(t, err)\n\terr = Connections.Add(fakeConn3)\n\tassert.NoError(t, err)\n\n\tstats := Connections.GetStats(\"\")\n\tassert.Len(t, stats, 3)\n\tfor _, stat := range stats {\n\t\tassert.Equal(t, stat.Username, username)\n\t\tswitch stat.ConnectionID {\n\t\tcase \"SFTP_id1\":\n\t\t\tassert.Len(t, stat.Transfers, 2)\n\t\tcase \"DAV_id3\":\n\t\t\tassert.Len(t, stat.Transfers, 1)\n\t\t}\n\t}\n\n\terr = t1.Close()\n\tassert.NoError(t, err)\n\terr = t2.Close()\n\tassert.NoError(t, err)\n\n\terr = fakeConn3.SignalTransfersAbort()\n\tassert.NoError(t, err)\n\tassert.True(t, t3.AbortTransfer.Load())\n\terr = t3.Close()\n\tassert.NoError(t, err)\n\terr = fakeConn3.SignalTransfersAbort()\n\tassert.Error(t, err)\n\n\tConnections.Remove(fakeConn1.GetID())\n\tstats = Connections.GetStats(\"\")\n\tassert.Len(t, stats, 2)\n\tassert.Equal(t, fakeConn3.GetID(), stats[0].ConnectionID)\n\tassert.Equal(t, fakeConn2.GetID(), stats[1].ConnectionID)\n\tConnections.Remove(fakeConn2.GetID())\n\tstats = Connections.GetStats(\"\")\n\tassert.Len(t, stats, 1)\n\tassert.Equal(t, fakeConn3.GetID(), stats[0].ConnectionID)\n\tConnections.Remove(fakeConn3.GetID())\n\tstats = Connections.GetStats(\"\")\n\tassert.Len(t, stats, 0)\n}\n\nfunc TestQuotaScans(t *testing.T) {\n\tusername := \"username\"\n\tassert.True(t, QuotaScans.AddUserQuotaScan(username, \"\"))\n\tassert.False(t, QuotaScans.AddUserQuotaScan(username, \"\"))\n\tusersScans := QuotaScans.GetUsersQuotaScans(\"\")\n\tif assert.Len(t, usersScans, 1) {\n\t\tassert.Equal(t, usersScans[0].Username, username)\n\t\tassert.Equal(t, QuotaScans.UserScans[0].StartTime, usersScans[0].StartTime)\n\t\tQuotaScans.UserScans[0].StartTime = 0\n\t\tassert.NotEqual(t, QuotaScans.UserScans[0].StartTime, usersScans[0].StartTime)\n\t}\n\n\tassert.True(t, QuotaScans.RemoveUserQuotaScan(username))\n\tassert.False(t, QuotaScans.RemoveUserQuotaScan(username))\n\tassert.Len(t, QuotaScans.GetUsersQuotaScans(\"\"), 0)\n\tassert.Len(t, usersScans, 1)\n\n\tfolderName := \"folder\"\n\tassert.True(t, QuotaScans.AddVFolderQuotaScan(folderName))\n\tassert.False(t, QuotaScans.AddVFolderQuotaScan(folderName))\n\tif assert.Len(t, QuotaScans.GetVFoldersQuotaScans(), 1) {\n\t\tassert.Equal(t, QuotaScans.GetVFoldersQuotaScans()[0].Name, folderName)\n\t}\n\n\tassert.True(t, QuotaScans.RemoveVFolderQuotaScan(folderName))\n\tassert.False(t, QuotaScans.RemoveVFolderQuotaScan(folderName))\n\tassert.Len(t, QuotaScans.GetVFoldersQuotaScans(), 0)\n}\n\nfunc TestQuotaScansRole(t *testing.T) {\n\tusername := \"u\"\n\trole1 := \"r1\"\n\trole2 := \"r2\"\n\tassert.True(t, QuotaScans.AddUserQuotaScan(username, role1))\n\tassert.False(t, QuotaScans.AddUserQuotaScan(username, \"\"))\n\tusersScans := QuotaScans.GetUsersQuotaScans(\"\")\n\tassert.Len(t, usersScans, 1)\n\tassert.Empty(t, usersScans[0].Role)\n\tusersScans = QuotaScans.GetUsersQuotaScans(role1)\n\tassert.Len(t, usersScans, 1)\n\tusersScans = QuotaScans.GetUsersQuotaScans(role2)\n\tassert.Len(t, usersScans, 0)\n\tassert.True(t, QuotaScans.RemoveUserQuotaScan(username))\n\tassert.False(t, QuotaScans.RemoveUserQuotaScan(username))\n\tassert.Len(t, QuotaScans.GetUsersQuotaScans(\"\"), 0)\n}\n\nfunc TestProxyPolicy(t *testing.T) {\n\taddr := net.TCPAddr{}\n\tdownstream := net.TCPAddr{IP: net.ParseIP(\"1.1.1.1\")}\n\tp := getProxyPolicy(nil, nil, proxyproto.IGNORE)\n\tpolicy, err := p(proxyproto.ConnPolicyOptions{\n\t\tUpstream: &addr,\n\t\tDownstream: &downstream,\n\t})\n\tassert.ErrorIs(t, err, proxyproto.ErrInvalidUpstream)\n\tassert.Equal(t, proxyproto.REJECT, policy)\n\tip1 := net.ParseIP(\"10.8.1.1\")\n\tip2 := net.ParseIP(\"10.8.1.2\")\n\tip3 := net.ParseIP(\"10.8.1.3\")\n\tallowed, err := util.ParseAllowedIPAndRanges([]string{ip1.String()})\n\tassert.NoError(t, err)\n\tskipped, err := util.ParseAllowedIPAndRanges([]string{ip2.String(), ip3.String()})\n\tassert.NoError(t, err)\n\tp = getProxyPolicy(allowed, skipped, proxyproto.IGNORE)\n\tpolicy, err = p(proxyproto.ConnPolicyOptions{\n\t\tUpstream: &net.TCPAddr{IP: ip1},\n\t\tDownstream: &downstream,\n\t})\n\tassert.NoError(t, err)\n\tassert.Equal(t, proxyproto.USE, policy)\n\tpolicy, err = p(proxyproto.ConnPolicyOptions{\n\t\tUpstream: &net.TCPAddr{IP: ip2},\n\t\tDownstream: &downstream,\n\t})\n\tassert.NoError(t, err)\n\tassert.Equal(t, proxyproto.SKIP, policy)\n\tpolicy, err = p(proxyproto.ConnPolicyOptions{\n\t\tUpstream: &net.TCPAddr{IP: ip3},\n\t\tDownstream: &downstream,\n\t})\n\tassert.NoError(t, err)\n\tassert.Equal(t, proxyproto.SKIP, policy)\n\tpolicy, err = p(proxyproto.ConnPolicyOptions{\n\t\tUpstream: &net.TCPAddr{IP: net.ParseIP(\"10.8.1.4\")},\n\t\tDownstream: &downstream,\n\t})\n\tassert.NoError(t, err)\n\tassert.Equal(t, proxyproto.IGNORE, policy)\n\tp = getProxyPolicy(allowed, skipped, proxyproto.REQUIRE)\n\tpolicy, err = p(proxyproto.ConnPolicyOptions{\n\t\tUpstream: &net.TCPAddr{IP: ip1},\n\t\tDownstream: &downstream,\n\t})\n\tassert.NoError(t, err)\n\tassert.Equal(t, proxyproto.REQUIRE, policy)\n\tpolicy, err = p(proxyproto.ConnPolicyOptions{\n\t\tUpstream: &net.TCPAddr{IP: ip2},\n\t\tDownstream: &downstream,\n\t})\n\tassert.NoError(t, err)\n\tassert.Equal(t, proxyproto.SKIP, policy)\n\tpolicy, err = p(proxyproto.ConnPolicyOptions{\n\t\tUpstream: &net.TCPAddr{IP: ip3},\n\t\tDownstream: &downstream,\n\t})\n\tassert.NoError(t, err)\n\tassert.Equal(t, proxyproto.SKIP, policy)\n\tpolicy, err = p(proxyproto.ConnPolicyOptions{\n\t\tUpstream: &net.TCPAddr{IP: net.ParseIP(\"10.8.1.5\")},\n\t\tDownstream: &downstream,\n\t})\n\tassert.ErrorIs(t, err, proxyproto.ErrInvalidUpstream)\n\tassert.Equal(t, proxyproto.REJECT, policy)\n}\n\nfunc TestProxyProtocolVersion(t *testing.T) {\n\tc := Configuration{\n\t\tProxyProtocol: 0,\n\t}\n\t_, err := c.GetProxyListener(nil)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"proxy protocol not configured\")\n\t}\n\tc.ProxyProtocol = 1\n\tlistener, err := c.GetProxyListener(nil)\n\tassert.NoError(t, err)\n\tproxyListener, ok := listener.(*proxyproto.Listener)\n\trequire.True(t, ok)\n\tassert.NotNil(t, proxyListener.ConnPolicy)\n\n\tc.ProxyProtocol = 2\n\tlistener, err = c.GetProxyListener(nil)\n\tassert.NoError(t, err)\n\tproxyListener, ok = listener.(*proxyproto.Listener)\n\trequire.True(t, ok)\n\tassert.NotNil(t, proxyListener.ConnPolicy)\n}\n\nfunc TestStartupHook(t *testing.T) {\n\tConfig.StartupHook = \"\"\n\n\tassert.NoError(t, Config.ExecuteStartupHook())\n\n\tConfig.StartupHook = \"http://foo\\x7f.com/startup\"\n\tassert.Error(t, Config.ExecuteStartupHook())\n\n\tConfig.StartupHook = \"http://invalid:5678/\"\n\tassert.Error(t, Config.ExecuteStartupHook())\n\n\tConfig.StartupHook = fmt.Sprintf(\"http://%v\", httpAddr)\n\tassert.NoError(t, Config.ExecuteStartupHook())\n\n\tConfig.StartupHook = \"invalidhook\"\n\tassert.Error(t, Config.ExecuteStartupHook())\n\n\tif runtime.GOOS != osWindows {\n\t\thookCmd, err := exec.LookPath(\"true\")\n\t\tassert.NoError(t, err)\n\t\tConfig.StartupHook = hookCmd\n\t\tassert.NoError(t, Config.ExecuteStartupHook())\n\t}\n\n\tConfig.StartupHook = \"\"\n}\n\nfunc TestPostDisconnectHook(t *testing.T) {\n\tConfig.PostDisconnectHook = \"http://127.0.0.1/\"\n\n\tremoteAddr := \"127.0.0.1:80\"\n\tConfig.checkPostDisconnectHook(remoteAddr, ProtocolHTTP, \"\", \"\", time.Now())\n\tConfig.checkPostDisconnectHook(remoteAddr, ProtocolSFTP, \"\", \"\", time.Now())\n\n\tConfig.PostDisconnectHook = \"http://bar\\x7f.com/\"\n\tConfig.executePostDisconnectHook(remoteAddr, ProtocolSFTP, \"\", \"\", time.Now())\n\n\tConfig.PostDisconnectHook = fmt.Sprintf(\"http://%v\", httpAddr)\n\tConfig.executePostDisconnectHook(remoteAddr, ProtocolSFTP, \"\", \"\", time.Now())\n\n\tConfig.PostDisconnectHook = \"relativePath\"\n\tConfig.executePostDisconnectHook(remoteAddr, ProtocolSFTP, \"\", \"\", time.Now())\n\n\tif runtime.GOOS == osWindows {\n\t\tConfig.PostDisconnectHook = \"C:\\\\a\\\\bad\\\\command\"\n\t\tConfig.executePostDisconnectHook(remoteAddr, ProtocolSFTP, \"\", \"\", time.Now())\n\t} else {\n\t\tConfig.PostDisconnectHook = \"/invalid/path\"\n\t\tConfig.executePostDisconnectHook(remoteAddr, ProtocolSFTP, \"\", \"\", time.Now())\n\n\t\thookCmd, err := exec.LookPath(\"true\")\n\t\tassert.NoError(t, err)\n\t\tConfig.PostDisconnectHook = hookCmd\n\t\tConfig.executePostDisconnectHook(remoteAddr, ProtocolSFTP, \"\", \"\", time.Now())\n\t}\n\tConfig.PostDisconnectHook = \"\"\n}\n\nfunc TestPostConnectHook(t *testing.T) {\n\tConfig.PostConnectHook = \"\"\n\n\tipAddr := \"127.0.0.1\"\n\n\tassert.NoError(t, Config.ExecutePostConnectHook(ipAddr, ProtocolFTP))\n\n\tConfig.PostConnectHook = \"http://foo\\x7f.com/\"\n\tassert.Error(t, Config.ExecutePostConnectHook(ipAddr, ProtocolSFTP))\n\n\tConfig.PostConnectHook = \"http://invalid:1234/\"\n\tassert.Error(t, Config.ExecutePostConnectHook(ipAddr, ProtocolSFTP))\n\n\tConfig.PostConnectHook = fmt.Sprintf(\"http://%v/404\", httpAddr)\n\tassert.Error(t, Config.ExecutePostConnectHook(ipAddr, ProtocolFTP))\n\n\tConfig.PostConnectHook = fmt.Sprintf(\"http://%v\", httpAddr)\n\tassert.NoError(t, Config.ExecutePostConnectHook(ipAddr, ProtocolFTP))\n\n\tConfig.PostConnectHook = \"invalid\"\n\tassert.Error(t, Config.ExecutePostConnectHook(ipAddr, ProtocolFTP))\n\n\tif runtime.GOOS == osWindows {\n\t\tConfig.PostConnectHook = \"C:\\\\bad\\\\command\"\n\t\tassert.Error(t, Config.ExecutePostConnectHook(ipAddr, ProtocolSFTP))\n\t} else {\n\t\tConfig.PostConnectHook = \"/invalid/path\"\n\t\tassert.Error(t, Config.ExecutePostConnectHook(ipAddr, ProtocolSFTP))\n\n\t\thookCmd, err := exec.LookPath(\"true\")\n\t\tassert.NoError(t, err)\n\t\tConfig.PostConnectHook = hookCmd\n\t\tassert.NoError(t, Config.ExecutePostConnectHook(ipAddr, ProtocolSFTP))\n\t}\n\n\tConfig.PostConnectHook = \"\"\n}\n\nfunc TestCryptoConvertFileInfo(t *testing.T) {\n\tname := \"name\"\n\tfs, err := vfs.NewCryptFs(\"connID1\", os.TempDir(), \"\", vfs.CryptFsConfig{\n\t\tPassphrase: kms.NewPlainSecret(\"secret\"),\n\t})\n\trequire.NoError(t, err)\n\tcryptFs := fs.(*vfs.CryptFs)\n\tinfo := vfs.NewFileInfo(name, true, 48, time.Now(), false)\n\tassert.Equal(t, info, cryptFs.ConvertFileInfo(info))\n\tinfo = vfs.NewFileInfo(name, false, 48, time.Now(), false)\n\tassert.NotEqual(t, info.Size(), cryptFs.ConvertFileInfo(info).Size())\n\tinfo = vfs.NewFileInfo(name, false, 33, time.Now(), false)\n\tassert.Equal(t, int64(0), cryptFs.ConvertFileInfo(info).Size())\n\tinfo = vfs.NewFileInfo(name, false, 1, time.Now(), false)\n\tassert.Equal(t, int64(0), cryptFs.ConvertFileInfo(info).Size())\n}\n\nfunc TestFolderCopy(t *testing.T) {\n\tfolder := vfs.BaseVirtualFolder{\n\t\tID: 1,\n\t\tName: \"name\",\n\t\tMappedPath: filepath.Clean(os.TempDir()),\n\t\tUsedQuotaSize: 4096,\n\t\tUsedQuotaFiles: 2,\n\t\tLastQuotaUpdate: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\tUsers: []string{\"user1\", \"user2\"},\n\t}\n\tfolderCopy := folder.GetACopy()\n\tfolder.ID = 2\n\tfolder.Users = []string{\"user3\"}\n\trequire.Len(t, folderCopy.Users, 2)\n\trequire.True(t, slices.Contains(folderCopy.Users, \"user1\"))\n\trequire.True(t, slices.Contains(folderCopy.Users, \"user2\"))\n\trequire.Equal(t, int64(1), folderCopy.ID)\n\trequire.Equal(t, folder.Name, folderCopy.Name)\n\trequire.Equal(t, folder.MappedPath, folderCopy.MappedPath)\n\trequire.Equal(t, folder.UsedQuotaSize, folderCopy.UsedQuotaSize)\n\trequire.Equal(t, folder.UsedQuotaFiles, folderCopy.UsedQuotaFiles)\n\trequire.Equal(t, folder.LastQuotaUpdate, folderCopy.LastQuotaUpdate)\n\n\tfolder.FsConfig = vfs.Filesystem{\n\t\tCryptConfig: vfs.CryptFsConfig{\n\t\t\tPassphrase: kms.NewPlainSecret(\"crypto secret\"),\n\t\t},\n\t}\n\tfolderCopy = folder.GetACopy()\n\tfolder.FsConfig.CryptConfig.Passphrase = kms.NewEmptySecret()\n\trequire.Len(t, folderCopy.Users, 1)\n\trequire.True(t, slices.Contains(folderCopy.Users, \"user3\"))\n\trequire.Equal(t, int64(2), folderCopy.ID)\n\trequire.Equal(t, folder.Name, folderCopy.Name)\n\trequire.Equal(t, folder.MappedPath, folderCopy.MappedPath)\n\trequire.Equal(t, folder.UsedQuotaSize, folderCopy.UsedQuotaSize)\n\trequire.Equal(t, folder.UsedQuotaFiles, folderCopy.UsedQuotaFiles)\n\trequire.Equal(t, folder.LastQuotaUpdate, folderCopy.LastQuotaUpdate)\n\trequire.Equal(t, \"crypto secret\", folderCopy.FsConfig.CryptConfig.Passphrase.GetPayload())\n}\n\nfunc TestCachedFs(t *testing.T) {\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tHomeDir: filepath.Clean(os.TempDir()),\n\t\t},\n\t}\n\tconn := NewBaseConnection(\"id\", ProtocolSFTP, \"\", \"\", user)\n\t// changing the user should not affect the connection\n\tuser.HomeDir = filepath.Join(os.TempDir(), \"temp\")\n\terr := os.Mkdir(user.HomeDir, os.ModePerm)\n\tassert.NoError(t, err)\n\tfs, err := user.GetFilesystem(\"\")\n\tassert.NoError(t, err)\n\tp, err := fs.ResolvePath(\"/\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, user.GetHomeDir(), p)\n\n\t_, p, err = conn.GetFsAndResolvedPath(\"/\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, filepath.Clean(os.TempDir()), p)\n\t// the filesystem is cached changing the provider will not affect the connection\n\tconn.User.FsConfig.Provider = sdk.S3FilesystemProvider\n\t_, p, err = conn.GetFsAndResolvedPath(\"/\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, filepath.Clean(os.TempDir()), p)\n\tuser = dataprovider.User{}\n\tuser.HomeDir = filepath.Join(os.TempDir(), \"temp\")\n\tuser.FsConfig.Provider = sdk.S3FilesystemProvider\n\t_, err = user.GetFilesystem(\"\")\n\tassert.Error(t, err)\n\n\terr = os.Remove(user.HomeDir)\n\tassert.NoError(t, err)\n}\n\nfunc TestParseAllowedIPAndRanges(t *testing.T) {\n\t_, err := util.ParseAllowedIPAndRanges([]string{\"1.1.1.1\", \"not an ip\"})\n\tassert.Error(t, err)\n\t_, err = util.ParseAllowedIPAndRanges([]string{\"1.1.1.5\", \"192.168.1.0/240\"})\n\tassert.Error(t, err)\n\tallow, err := util.ParseAllowedIPAndRanges([]string{\"192.168.1.2\", \"172.16.0.0/24\"})\n\tassert.NoError(t, err)\n\tassert.True(t, allow[0](net.ParseIP(\"192.168.1.2\")))\n\tassert.False(t, allow[0](net.ParseIP(\"192.168.2.2\")))\n\tassert.True(t, allow[1](net.ParseIP(\"172.16.0.1\")))\n\tassert.False(t, allow[1](net.ParseIP(\"172.16.1.1\")))\n}\n\nfunc TestHideConfidentialData(_ *testing.T) {\n\tfor _, provider := range []sdk.FilesystemProvider{sdk.LocalFilesystemProvider,\n\t\tsdk.CryptedFilesystemProvider, sdk.S3FilesystemProvider, sdk.GCSFilesystemProvider,\n\t\tsdk.AzureBlobFilesystemProvider, sdk.SFTPFilesystemProvider,\n\t} {\n\t\tu := dataprovider.User{\n\t\t\tFsConfig: vfs.Filesystem{\n\t\t\t\tProvider: provider,\n\t\t\t},\n\t\t}\n\t\tu.PrepareForRendering()\n\t\tf := vfs.BaseVirtualFolder{\n\t\t\tFsConfig: vfs.Filesystem{\n\t\t\t\tProvider: provider,\n\t\t\t},\n\t\t}\n\t\tf.PrepareForRendering()\n\t}\n\ta := dataprovider.Admin{}\n\ta.HideConfidentialData()\n}\n\nfunc TestUserPerms(t *testing.T) {\n\tu := dataprovider.User{}\n\tu.Permissions = make(map[string][]string)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermUpload, dataprovider.PermDelete}\n\tassert.True(t, u.HasAnyPerm([]string{dataprovider.PermRename, dataprovider.PermDelete}, \"/\"))\n\tassert.False(t, u.HasAnyPerm([]string{dataprovider.PermRename, dataprovider.PermCreateDirs}, \"/\"))\n\tu.Permissions[\"/\"] = []string{dataprovider.PermDelete, dataprovider.PermCreateDirs}\n\tassert.True(t, u.HasPermsDeleteAll(\"/\"))\n\tassert.False(t, u.HasPermsRenameAll(\"/\"))\n\tu.Permissions[\"/\"] = []string{dataprovider.PermDeleteDirs, dataprovider.PermDeleteFiles, dataprovider.PermRenameDirs}\n\tassert.True(t, u.HasPermsDeleteAll(\"/\"))\n\tassert.False(t, u.HasPermsRenameAll(\"/\"))\n\tu.Permissions[\"/\"] = []string{dataprovider.PermDeleteDirs, dataprovider.PermRenameFiles, dataprovider.PermRenameDirs}\n\tassert.False(t, u.HasPermsDeleteAll(\"/\"))\n\tassert.True(t, u.HasPermsRenameAll(\"/\"))\n}\n\nfunc TestGetTLSVersion(t *testing.T) {\n\ttlsVer := util.GetTLSVersion(0)\n\tassert.Equal(t, uint16(tls.VersionTLS12), tlsVer)\n\ttlsVer = util.GetTLSVersion(12)\n\tassert.Equal(t, uint16(tls.VersionTLS12), tlsVer)\n\ttlsVer = util.GetTLSVersion(2)\n\tassert.Equal(t, uint16(tls.VersionTLS12), tlsVer)\n\ttlsVer = util.GetTLSVersion(13)\n\tassert.Equal(t, uint16(tls.VersionTLS13), tlsVer)\n}\n\nfunc TestCleanPath(t *testing.T) {\n\tassert.Equal(t, \"/\", util.CleanPath(\"/\"))\n\tassert.Equal(t, \"/\", util.CleanPath(\".\"))\n\tassert.Equal(t, \"/\", util.CleanPath(\"\"))\n\tassert.Equal(t, \"/\", util.CleanPath(\"/.\"))\n\tassert.Equal(t, \"/\", util.CleanPath(\"/a/..\"))\n\tassert.Equal(t, \"/a\", util.CleanPath(\"/a/\"))\n\tassert.Equal(t, \"/a\", util.CleanPath(\"a/\"))\n\t// filepath.ToSlash does not touch \\ as char on unix systems\n\t// so os.PathSeparator is used for windows compatible tests\n\tbslash := string(os.PathSeparator)\n\tassert.Equal(t, \"/\", util.CleanPath(bslash))\n\tassert.Equal(t, \"/\", util.CleanPath(bslash+bslash))\n\tassert.Equal(t, \"/a\", util.CleanPath(bslash+\"a\"+bslash))\n\tassert.Equal(t, \"/a\", util.CleanPath(\"a\"+bslash))\n\tassert.Equal(t, \"/a/b/c\", util.CleanPath(bslash+\"a\"+bslash+bslash+\"b\"+bslash+bslash+\"c\"+bslash))\n\tassert.Equal(t, \"/C:/a\", util.CleanPath(\"C:\"+bslash+\"a\"))\n}\n\nfunc TestUserRecentActivity(t *testing.T) {\n\tu := dataprovider.User{}\n\tres := u.HasRecentActivity()\n\tassert.False(t, res)\n\tu.LastLogin = util.GetTimeAsMsSinceEpoch(time.Now())\n\tres = u.HasRecentActivity()\n\tassert.True(t, res)\n\tu.LastLogin = util.GetTimeAsMsSinceEpoch(time.Now().Add(1 * time.Minute))\n\tres = u.HasRecentActivity()\n\tassert.False(t, res)\n\tu.LastLogin = util.GetTimeAsMsSinceEpoch(time.Now().Add(1 * time.Second))\n\tres = u.HasRecentActivity()\n\tassert.True(t, res)\n}\n\nfunc TestVfsSameResource(t *testing.T) {\n\tfs := vfs.Filesystem{}\n\tother := vfs.Filesystem{}\n\tres := fs.IsSameResource(other)\n\tassert.True(t, res)\n\tfs = vfs.Filesystem{\n\t\tProvider: sdk.S3FilesystemProvider,\n\t\tS3Config: vfs.S3FsConfig{\n\t\t\tBaseS3FsConfig: sdk.BaseS3FsConfig{\n\t\t\t\tBucket: \"a\",\n\t\t\t\tRegion: \"b\",\n\t\t\t},\n\t\t},\n\t}\n\tother = vfs.Filesystem{\n\t\tProvider: sdk.S3FilesystemProvider,\n\t\tS3Config: vfs.S3FsConfig{\n\t\t\tBaseS3FsConfig: sdk.BaseS3FsConfig{\n\t\t\t\tBucket: \"a\",\n\t\t\t\tRegion: \"c\",\n\t\t\t},\n\t\t},\n\t}\n\tres = fs.IsSameResource(other)\n\tassert.False(t, res)\n\tother = vfs.Filesystem{\n\t\tProvider: sdk.S3FilesystemProvider,\n\t\tS3Config: vfs.S3FsConfig{\n\t\t\tBaseS3FsConfig: sdk.BaseS3FsConfig{\n\t\t\t\tBucket: \"a\",\n\t\t\t\tRegion: \"b\",\n\t\t\t},\n\t\t},\n\t}\n\tres = fs.IsSameResource(other)\n\tassert.True(t, res)\n\tfs = vfs.Filesystem{\n\t\tProvider: sdk.GCSFilesystemProvider,\n\t\tGCSConfig: vfs.GCSFsConfig{\n\t\t\tBaseGCSFsConfig: sdk.BaseGCSFsConfig{\n\t\t\t\tBucket: \"b\",\n\t\t\t},\n\t\t},\n\t}\n\tother = vfs.Filesystem{\n\t\tProvider: sdk.GCSFilesystemProvider,\n\t\tGCSConfig: vfs.GCSFsConfig{\n\t\t\tBaseGCSFsConfig: sdk.BaseGCSFsConfig{\n\t\t\t\tBucket: \"c\",\n\t\t\t},\n\t\t},\n\t}\n\tres = fs.IsSameResource(other)\n\tassert.False(t, res)\n\tother = vfs.Filesystem{\n\t\tProvider: sdk.GCSFilesystemProvider,\n\t\tGCSConfig: vfs.GCSFsConfig{\n\t\t\tBaseGCSFsConfig: sdk.BaseGCSFsConfig{\n\t\t\t\tBucket: \"b\",\n\t\t\t},\n\t\t},\n\t}\n\tres = fs.IsSameResource(other)\n\tassert.True(t, res)\n\tsasURL := kms.NewPlainSecret(\"http://127.0.0.1/sasurl\")\n\tfs = vfs.Filesystem{\n\t\tProvider: sdk.AzureBlobFilesystemProvider,\n\t\tAzBlobConfig: vfs.AzBlobFsConfig{\n\t\t\tBaseAzBlobFsConfig: sdk.BaseAzBlobFsConfig{\n\t\t\t\tAccountName: \"a\",\n\t\t\t},\n\t\t\tSASURL: sasURL,\n\t\t},\n\t}\n\terr := fs.Validate(\"data1\")\n\tassert.NoError(t, err)\n\tother = vfs.Filesystem{\n\t\tProvider: sdk.AzureBlobFilesystemProvider,\n\t\tAzBlobConfig: vfs.AzBlobFsConfig{\n\t\t\tBaseAzBlobFsConfig: sdk.BaseAzBlobFsConfig{\n\t\t\t\tAccountName: \"a\",\n\t\t\t},\n\t\t\tSASURL: sasURL,\n\t\t},\n\t}\n\terr = other.Validate(\"data2\")\n\tassert.NoError(t, err)\n\terr = fs.AzBlobConfig.SASURL.TryDecrypt()\n\tassert.NoError(t, err)\n\terr = other.AzBlobConfig.SASURL.TryDecrypt()\n\tassert.NoError(t, err)\n\tres = fs.IsSameResource(other)\n\tassert.True(t, res)\n\tfs.AzBlobConfig.AccountName = \"b\"\n\tres = fs.IsSameResource(other)\n\tassert.False(t, res)\n\tfs.AzBlobConfig.AccountName = \"a\"\n\tother.AzBlobConfig.SASURL = kms.NewPlainSecret(\"http://127.1.1.1/sasurl\")\n\terr = other.Validate(\"data2\")\n\tassert.NoError(t, err)\n\terr = other.AzBlobConfig.SASURL.TryDecrypt()\n\tassert.NoError(t, err)\n\tres = fs.IsSameResource(other)\n\tassert.False(t, res)\n\tfs = vfs.Filesystem{\n\t\tProvider: sdk.HTTPFilesystemProvider,\n\t\tHTTPConfig: vfs.HTTPFsConfig{\n\t\t\tBaseHTTPFsConfig: sdk.BaseHTTPFsConfig{\n\t\t\t\tEndpoint: \"http://127.0.0.1/httpfs\",\n\t\t\t\tUsername: \"a\",\n\t\t\t},\n\t\t},\n\t}\n\tother = vfs.Filesystem{\n\t\tProvider: sdk.HTTPFilesystemProvider,\n\t\tHTTPConfig: vfs.HTTPFsConfig{\n\t\t\tBaseHTTPFsConfig: sdk.BaseHTTPFsConfig{\n\t\t\t\tEndpoint: \"http://127.0.0.1/httpfs\",\n\t\t\t\tUsername: \"b\",\n\t\t\t},\n\t\t},\n\t}\n\tres = fs.IsSameResource(other)\n\tassert.True(t, res)\n\tfs.HTTPConfig.EqualityCheckMode = 1\n\tres = fs.IsSameResource(other)\n\tassert.False(t, res)\n}\n\nfunc TestUpdateTransferTimestamps(t *testing.T) {\n\tusername := \"user_test_timestamps\"\n\tuser := &dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username,\n\t\t\tHomeDir: filepath.Join(os.TempDir(), username),\n\t\t\tStatus: 1,\n\t\t\tPermissions: map[string][]string{\n\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t},\n\t\t},\n\t}\n\terr := dataprovider.AddUser(user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(0), user.FirstUpload)\n\tassert.Equal(t, int64(0), user.FirstDownload)\n\n\terr = dataprovider.UpdateUserTransferTimestamps(username, true)\n\tassert.NoError(t, err)\n\tuserGet, err := dataprovider.UserExists(username, \"\")\n\tassert.NoError(t, err)\n\tassert.Greater(t, userGet.FirstUpload, int64(0))\n\tassert.Equal(t, int64(0), user.FirstDownload)\n\terr = dataprovider.UpdateUserTransferTimestamps(username, false)\n\tassert.NoError(t, err)\n\tuserGet, err = dataprovider.UserExists(username, \"\")\n\tassert.NoError(t, err)\n\tassert.Greater(t, userGet.FirstUpload, int64(0))\n\tassert.Greater(t, userGet.FirstDownload, int64(0))\n\t// updating again must fail\n\terr = dataprovider.UpdateUserTransferTimestamps(username, true)\n\tassert.Error(t, err)\n\terr = dataprovider.UpdateUserTransferTimestamps(username, false)\n\tassert.Error(t, err)\n\t// cleanup\n\terr = dataprovider.DeleteUser(username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n}\n\nfunc TestIPList(t *testing.T) {\n\ttype test struct {\n\t\tip string\n\t\tprotocol string\n\t\texpectedMatch bool\n\t\texpectedMode int\n\t\texpectedErr bool\n\t}\n\n\tentries := []dataprovider.IPListEntry{\n\t\t{\n\t\t\tIPOrNet: \"192.168.0.0/25\",\n\t\t\tType: dataprovider.IPListTypeDefender,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"192.168.0.128/25\",\n\t\t\tType: dataprovider.IPListTypeDefender,\n\t\t\tMode: dataprovider.ListModeDeny,\n\t\t\tProtocols: 3,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"192.168.2.128/32\",\n\t\t\tType: dataprovider.IPListTypeDefender,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t\tProtocols: 5,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"::/0\",\n\t\t\tType: dataprovider.IPListTypeDefender,\n\t\t\tMode: dataprovider.ListModeDeny,\n\t\t\tProtocols: 4,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"2001:4860:4860::8888/120\",\n\t\t\tType: dataprovider.IPListTypeDefender,\n\t\t\tMode: dataprovider.ListModeDeny,\n\t\t\tProtocols: 1,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"2001:4860:4860::8988/120\",\n\t\t\tType: dataprovider.IPListTypeDefender,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t\tProtocols: 3,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"::1/128\",\n\t\t\tType: dataprovider.IPListTypeDefender,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t\tProtocols: 0,\n\t\t},\n\t}\n\tipList, err := dataprovider.NewIPList(dataprovider.IPListTypeDefender)\n\trequire.NoError(t, err)\n\tfor idx := range entries {\n\t\te := entries[idx]\n\t\terr := dataprovider.AddIPListEntry(&e, \"\", \"\", \"\")\n\t\tassert.NoError(t, err)\n\t}\n\ttests := []test{\n\t\t{ip: \"1.1.1.1\", protocol: ProtocolSSH, expectedMatch: false, expectedMode: 0, expectedErr: false},\n\t\t{ip: \"invalid ip\", protocol: ProtocolSSH, expectedMatch: false, expectedMode: 0, expectedErr: true},\n\t\t{ip: \"192.168.0.1\", protocol: ProtocolFTP, expectedMatch: true, expectedMode: dataprovider.ListModeAllow, expectedErr: false},\n\t\t{ip: \"192.168.0.2\", protocol: ProtocolHTTP, expectedMatch: true, expectedMode: dataprovider.ListModeAllow, expectedErr: false},\n\t\t{ip: \"192.168.0.3\", protocol: ProtocolWebDAV, expectedMatch: true, expectedMode: dataprovider.ListModeAllow, expectedErr: false},\n\t\t{ip: \"192.168.0.4\", protocol: ProtocolSSH, expectedMatch: true, expectedMode: dataprovider.ListModeAllow, expectedErr: false},\n\t\t{ip: \"192.168.0.156\", protocol: ProtocolSSH, expectedMatch: true, expectedMode: dataprovider.ListModeDeny, expectedErr: false},\n\t\t{ip: \"192.168.0.158\", protocol: ProtocolFTP, expectedMatch: true, expectedMode: dataprovider.ListModeDeny, expectedErr: false},\n\t\t{ip: \"192.168.0.158\", protocol: ProtocolHTTP, expectedMatch: false, expectedMode: 0, expectedErr: false},\n\t\t{ip: \"192.168.2.128\", protocol: ProtocolHTTP, expectedMatch: false, expectedMode: 0, expectedErr: false},\n\t\t{ip: \"192.168.2.128\", protocol: ProtocolSSH, expectedMatch: true, expectedMode: dataprovider.ListModeAllow, expectedErr: false},\n\t\t{ip: \"::2\", protocol: ProtocolSSH, expectedMatch: false, expectedMode: 0, expectedErr: false},\n\t\t{ip: \"::2\", protocol: ProtocolWebDAV, expectedMatch: true, expectedMode: dataprovider.ListModeDeny, expectedErr: false},\n\t\t{ip: \"::1\", protocol: ProtocolSSH, expectedMatch: true, expectedMode: dataprovider.ListModeAllow, expectedErr: false},\n\t\t{ip: \"::1\", protocol: ProtocolHTTP, expectedMatch: true, expectedMode: dataprovider.ListModeAllow, expectedErr: false},\n\t\t{ip: \"2001:4860:4860:0000:0000:0000:0000:8889\", protocol: ProtocolSSH, expectedMatch: true, expectedMode: dataprovider.ListModeDeny, expectedErr: false},\n\t\t{ip: \"2001:4860:4860:0000:0000:0000:0000:8889\", protocol: ProtocolFTP, expectedMatch: false, expectedMode: 0, expectedErr: false},\n\t\t{ip: \"2001:4860:4860:0000:0000:0000:0000:8989\", protocol: ProtocolFTP, expectedMatch: true, expectedMode: dataprovider.ListModeAllow, expectedErr: false},\n\t\t{ip: \"2001:4860:4860:0000:0000:0000:0000:89F1\", protocol: ProtocolSSH, expectedMatch: true, expectedMode: dataprovider.ListModeAllow, expectedErr: false},\n\t\t{ip: \"2001:4860:4860:0000:0000:0000:0000:89F1\", protocol: ProtocolHTTP, expectedMatch: false, expectedMode: 0, expectedErr: false},\n\t}\n\n\tfor _, tc := range tests {\n\t\tmatch, mode, err := ipList.IsListed(tc.ip, tc.protocol)\n\t\tif tc.expectedErr {\n\t\t\tassert.Error(t, err, \"ip %s, protocol %s\", tc.ip, tc.protocol)\n\t\t} else {\n\t\t\tassert.NoError(t, err, \"ip %s, protocol %s\", tc.ip, tc.protocol)\n\t\t}\n\t\tassert.Equal(t, tc.expectedMatch, match, \"ip %s, protocol %s\", tc.ip, tc.protocol)\n\t\tassert.Equal(t, tc.expectedMode, mode, \"ip %s, protocol %s\", tc.ip, tc.protocol)\n\t}\n\n\tipList.DisableMemoryMode()\n\n\tfor _, tc := range tests {\n\t\tmatch, mode, err := ipList.IsListed(tc.ip, tc.protocol)\n\t\tif tc.expectedErr {\n\t\t\tassert.Error(t, err, \"ip %s, protocol %s\", tc.ip, tc.protocol)\n\t\t} else {\n\t\t\tassert.NoError(t, err, \"ip %s, protocol %s\", tc.ip, tc.protocol)\n\t\t}\n\t\tassert.Equal(t, tc.expectedMatch, match, \"ip %s, protocol %s\", tc.ip, tc.protocol)\n\t\tassert.Equal(t, tc.expectedMode, mode, \"ip %s, protocol %s\", tc.ip, tc.protocol)\n\t}\n\n\tfor _, e := range entries {\n\t\terr := dataprovider.DeleteIPListEntry(e.IPOrNet, e.Type, \"\", \"\", \"\")\n\t\tassert.NoError(t, err)\n\t}\n}\n\nfunc TestSQLPlaceholderLimits(t *testing.T) {\n\tnumGroups := 120\n\tnumUsers := 120\n\tvar groupMapping []sdk.GroupMapping\n\n\tfolder := vfs.BaseVirtualFolder{\n\t\tName: \"testfolder\",\n\t\tMappedPath: filepath.Join(os.TempDir(), \"folder\"),\n\t}\n\terr := dataprovider.AddFolder(&folder, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tfor i := 0; i < numGroups; i++ {\n\t\tgroup := dataprovider.Group{\n\t\t\tBaseGroup: sdk.BaseGroup{\n\t\t\t\tName: fmt.Sprintf(\"testgroup%d\", i),\n\t\t\t},\n\t\t\tUserSettings: dataprovider.GroupUserSettings{\n\t\t\t\tBaseGroupUserSettings: sdk.BaseGroupUserSettings{\n\t\t\t\t\tPermissions: map[string][]string{\n\t\t\t\t\t\tfmt.Sprintf(\"/dir%d\", i): {dataprovider.PermAny},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t}\n\t\tgroup.VirtualFolders = append(group.VirtualFolders, vfs.VirtualFolder{\n\t\t\tBaseVirtualFolder: folder,\n\t\t\tVirtualPath: \"/vdir\",\n\t\t})\n\t\terr := dataprovider.AddGroup(&group, \"\", \"\", \"\")\n\t\tassert.NoError(t, err)\n\n\t\tgroupMapping = append(groupMapping, sdk.GroupMapping{\n\t\t\tName: group.Name,\n\t\t\tType: sdk.GroupTypeSecondary,\n\t\t})\n\t}\n\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"testusername\",\n\t\t\tHomeDir: filepath.Join(os.TempDir(), \"testhome\"),\n\t\t\tStatus: 1,\n\t\t\tPermissions: map[string][]string{\n\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t},\n\t\t},\n\t\tGroups: groupMapping,\n\t}\n\terr = dataprovider.AddUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tusers, err := dataprovider.GetUsersForQuotaCheck(map[string]bool{user.Username: true})\n\tassert.NoError(t, err)\n\tif assert.Len(t, users, 1) {\n\t\tfor i := 0; i < numGroups; i++ {\n\t\t\t_, ok := users[0].Permissions[fmt.Sprintf(\"/dir%d\", i)]\n\t\t\tassert.True(t, ok)\n\t\t}\n\t}\n\n\terr = dataprovider.DeleteUser(user.Username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tfor i := 0; i < numUsers; i++ {\n\t\tuser := dataprovider.User{\n\t\t\tBaseUser: sdk.BaseUser{\n\t\t\t\tUsername: fmt.Sprintf(\"testusername%d\", i),\n\t\t\t\tHomeDir: filepath.Join(os.TempDir()),\n\t\t\t\tStatus: 1,\n\t\t\t\tPermissions: map[string][]string{\n\t\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t\t},\n\t\t\t},\n\t\t\tGroups: []sdk.GroupMapping{\n\t\t\t\t{\n\t\t\t\t\tName: \"testgroup0\",\n\t\t\t\t\tType: sdk.GroupTypePrimary,\n\t\t\t\t},\n\t\t\t},\n\t\t}\n\t\terr := dataprovider.AddUser(&user, \"\", \"\", \"\")\n\t\tassert.NoError(t, err)\n\t}\n\n\ttime.Sleep(100 * time.Millisecond)\n\n\terr = dataprovider.DeleteFolder(folder.Name, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tfor i := 0; i < numUsers; i++ {\n\t\tusername := fmt.Sprintf(\"testusername%d\", i)\n\t\tuser, err := dataprovider.UserExists(username, \"\")\n\t\tassert.NoError(t, err)\n\t\tassert.Greater(t, user.UpdatedAt, user.CreatedAt)\n\t\terr = dataprovider.DeleteUser(username, \"\", \"\", \"\")\n\t\tassert.NoError(t, err)\n\t}\n\n\tfor i := 0; i < numGroups; i++ {\n\t\tgroupName := fmt.Sprintf(\"testgroup%d\", i)\n\t\terr = dataprovider.DeleteGroup(groupName, \"\", \"\", \"\")\n\t\tassert.NoError(t, err)\n\t}\n}\n\nfunc TestALPNProtocols(t *testing.T) {\n\tprotocols := util.GetALPNProtocols(nil)\n\tassert.Equal(t, []string{\"http/1.1\", \"h2\"}, protocols)\n\tprotocols = util.GetALPNProtocols([]string{\"invalid1\", \"invalid2\"})\n\tassert.Equal(t, []string{\"http/1.1\", \"h2\"}, protocols)\n\tprotocols = util.GetALPNProtocols([]string{\"invalid1\", \"h2\", \"invalid2\"})\n\tassert.Equal(t, []string{\"h2\"}, protocols)\n\tprotocols = util.GetALPNProtocols([]string{\"h2\", \"http/1.1\"})\n\tassert.Equal(t, []string{\"h2\", \"http/1.1\"}, protocols)\n}\n\nfunc TestServerVersion(t *testing.T) {\n\tappName := \"SFTPGo\"\n\tversion.SetConfig(\"\")\n\tv := version.GetServerVersion(\"_\", false)\n\tassert.Equal(t, fmt.Sprintf(\"%s_%s\", appName, version.Get().Version), v)\n\tv = version.GetServerVersion(\"-\", true)\n\tassert.Equal(t, fmt.Sprintf(\"%s-%s-\", appName, version.Get().Version), v)\n\tversion.SetConfig(\"short\")\n\tv = version.GetServerVersion(\"_\", false)\n\tassert.Equal(t, appName, v)\n\tv = version.GetServerVersion(\"_\", true)\n\tassert.Equal(t, appName+\"_\", v)\n\tversion.SetConfig(\"\")\n}\n\nfunc BenchmarkBcryptHashing(b *testing.B) {\n\tbcryptPassword := \"bcryptpassword\"\n\tfor i := 0; i < b.N; i++ {\n\t\t_, err := bcrypt.GenerateFromPassword([]byte(bcryptPassword), 10)\n\t\tif err != nil {\n\t\t\tpanic(err)\n\t\t}\n\t}\n}\n\nfunc BenchmarkCompareBcryptPassword(b *testing.B) {\n\tbcryptPassword := \"$2a$10$lPDdnDimJZ7d5/GwL6xDuOqoZVRXok6OHHhivCnanWUtcgN0Zafki\"\n\tfor i := 0; i < b.N; i++ {\n\t\terr := bcrypt.CompareHashAndPassword([]byte(bcryptPassword), []byte(\"password\"))\n\t\tif err != nil {\n\t\t\tpanic(err)\n\t\t}\n\t}\n}\n\nfunc BenchmarkArgon2Hashing(b *testing.B) {\n\targonPassword := \"argon2password\"\n\tfor i := 0; i < b.N; i++ {\n\t\t_, err := argon2id.CreateHash(argonPassword, argon2id.DefaultParams)\n\t\tif err != nil {\n\t\t\tpanic(err)\n\t\t}\n\t}\n}\n\nfunc BenchmarkCompareArgon2Password(b *testing.B) {\n\targon2Password := \"$argon2id$v=19$m=65536,t=1,p=2$aOoAOdAwvzhOgi7wUFjXlw$wn/y37dBWdKHtPXHR03nNaKHWKPXyNuVXOknaU+YZ+s\"\n\tfor i := 0; i < b.N; i++ {\n\t\t_, err := argon2id.ComparePasswordAndHash(\"password\", argon2Password)\n\t\tif err != nil {\n\t\t\tpanic(err)\n\t\t}\n\t}\n}\n\nfunc BenchmarkAddRemoveConnections(b *testing.B) {\n\tvar conns []ActiveConnection\n\tfor i := 0; i < 100; i++ {\n\t\tconns = append(conns, &fakeConnection{\n\t\t\tBaseConnection: NewBaseConnection(fmt.Sprintf(\"id%d\", i), ProtocolSFTP, \"\", \"\", dataprovider.User{\n\t\t\t\tBaseUser: sdk.BaseUser{\n\t\t\t\t\tUsername: userTestUsername,\n\t\t\t\t},\n\t\t\t}),\n\t\t})\n\t}\n\tb.ResetTimer()\n\tfor i := 0; i < b.N; i++ {\n\t\tfor _, c := range conns {\n\t\t\tif err := Connections.Add(c); err != nil {\n\t\t\t\tpanic(err)\n\t\t\t}\n\t\t}\n\t\tvar wg sync.WaitGroup\n\t\tfor idx := len(conns) - 1; idx >= 0; idx-- {\n\t\t\twg.Add(1)\n\t\t\tgo func(index int) {\n\t\t\t\tdefer wg.Done()\n\t\t\t\tConnections.Remove(conns[index].GetID())\n\t\t\t}(idx)\n\t\t}\n\t\twg.Wait()\n\t}\n}\n\nfunc BenchmarkAddRemoveSSHConnections(b *testing.B) {\n\tconn1, conn2 := net.Pipe()\n\tvar conns []*SSHConnection\n\tfor i := 0; i < 2000; i++ {\n\t\tconns = append(conns, NewSSHConnection(fmt.Sprintf(\"id%d\", i), conn1))\n\t}\n\tb.ResetTimer()\n\tfor i := 0; i < b.N; i++ {\n\t\tfor _, c := range conns {\n\t\t\tConnections.AddSSHConnection(c)\n\t\t}\n\t\tfor idx := len(conns) - 1; idx >= 0; idx-- {\n\t\t\tConnections.RemoveSSHConnection(conns[idx].GetID())\n\t\t}\n\t}\n\tconn1.Close()\n\tconn2.Close()\n}\n" }, { "path": "internal/common/connection.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"io/fs\"\n\t\"os\"\n\t\"path\"\n\t\"slices\"\n\t\"strings\"\n\t\"sync\"\n\t\"sync/atomic\"\n\t\"time\"\n\n\tftpserver \"github.com/fclairamb/ftpserverlib\"\n\t\"github.com/pkg/sftp\"\n\t\"github.com/sftpgo/sdk\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\n// BaseConnection defines common fields for a connection using any supported protocol\ntype BaseConnection struct {\n\t// last activity for this connection.\n\t// Since this field is accessed atomically we put it as first element of the struct to achieve 64 bit alignment\n\tlastActivity atomic.Int64\n\tuploadDone atomic.Bool\n\tdownloadDone atomic.Bool\n\t// unique ID for a transfer.\n\t// This field is accessed atomically so we put it at the beginning of the struct to achieve 64 bit alignment\n\ttransferID atomic.Int64\n\t// Unique identifier for the connection\n\tID string\n\t// user associated with this connection if any\n\tUser dataprovider.User\n\t// start time for this connection\n\tstartTime time.Time\n\tprotocol string\n\tremoteAddr string\n\tlocalAddr string\n\tsync.RWMutex\n\tactiveTransfers []ActiveTransfer\n}\n\n// NewBaseConnection returns a new BaseConnection\nfunc NewBaseConnection(id, protocol, localAddr, remoteAddr string, user dataprovider.User) *BaseConnection {\n\tconnID := id\n\tif slices.Contains(supportedProtocols, protocol) {\n\t\tconnID = fmt.Sprintf(\"%s_%s\", protocol, id)\n\t}\n\tuser.UploadBandwidth, user.DownloadBandwidth = user.GetBandwidthForIP(util.GetIPFromRemoteAddress(remoteAddr), connID)\n\tc := &BaseConnection{\n\t\tID: connID,\n\t\tUser: user,\n\t\tstartTime: time.Now(),\n\t\tprotocol: protocol,\n\t\tlocalAddr: localAddr,\n\t\tremoteAddr: remoteAddr,\n\t}\n\tc.transferID.Store(0)\n\tc.lastActivity.Store(time.Now().UnixNano())\n\n\treturn c\n}\n\n// Log outputs a log entry to the configured logger\nfunc (c *BaseConnection) Log(level logger.LogLevel, format string, v ...any) {\n\tlogger.Log(level, c.protocol, c.ID, format, v...)\n}\n\n// GetTransferID returns an unique transfer ID for this connection\nfunc (c *BaseConnection) GetTransferID() int64 {\n\treturn c.transferID.Add(1)\n}\n\n// GetID returns the connection ID\nfunc (c *BaseConnection) GetID() string {\n\treturn c.ID\n}\n\n// GetUsername returns the authenticated username associated with this connection if any\nfunc (c *BaseConnection) GetUsername() string {\n\treturn c.User.Username\n}\n\n// GetRole returns the role for the user associated with this connection\nfunc (c *BaseConnection) GetRole() string {\n\treturn c.User.Role\n}\n\n// GetMaxSessions returns the maximum number of concurrent sessions allowed\nfunc (c *BaseConnection) GetMaxSessions() int {\n\treturn c.User.MaxSessions\n}\n\n// isAccessAllowed returns true if the user's access conditions are met\nfunc (c *BaseConnection) isAccessAllowed() bool {\n\tif err := c.User.CheckLoginConditions(); err != nil {\n\t\treturn false\n\t}\n\treturn true\n}\n\n// GetProtocol returns the protocol for the connection\nfunc (c *BaseConnection) GetProtocol() string {\n\treturn c.protocol\n}\n\n// GetRemoteIP returns the remote ip address\nfunc (c *BaseConnection) GetRemoteIP() string {\n\treturn util.GetIPFromRemoteAddress(c.remoteAddr)\n}\n\n// SetProtocol sets the protocol for this connection\nfunc (c *BaseConnection) SetProtocol(protocol string) {\n\tc.protocol = protocol\n\tif slices.Contains(supportedProtocols, c.protocol) {\n\t\tc.ID = fmt.Sprintf(\"%v_%v\", c.protocol, c.ID)\n\t}\n}\n\n// GetConnectionTime returns the initial connection time\nfunc (c *BaseConnection) GetConnectionTime() time.Time {\n\treturn c.startTime\n}\n\n// UpdateLastActivity updates last activity for this connection\nfunc (c *BaseConnection) UpdateLastActivity() {\n\tc.lastActivity.Store(time.Now().UnixNano())\n}\n\n// GetLastActivity returns the last connection activity\nfunc (c *BaseConnection) GetLastActivity() time.Time {\n\treturn time.Unix(0, c.lastActivity.Load())\n}\n\n// CloseFS closes the underlying fs\nfunc (c *BaseConnection) CloseFS() error {\n\treturn c.User.CloseFs()\n}\n\n// AddTransfer associates a new transfer to this connection\nfunc (c *BaseConnection) AddTransfer(t ActiveTransfer) {\n\tConnections.transfers.add(c.User.Username)\n\n\tc.Lock()\n\tdefer c.Unlock()\n\n\tc.activeTransfers = append(c.activeTransfers, t)\n\tc.Log(logger.LevelDebug, \"transfer added, id: %v, active transfers: %v\", t.GetID(), len(c.activeTransfers))\n\tif t.HasSizeLimit() {\n\t\tfolderName := \"\"\n\t\tif t.GetType() == TransferUpload {\n\t\t\tvfolder, err := c.User.GetVirtualFolderForPath(path.Dir(t.GetVirtualPath()))\n\t\t\tif err == nil {\n\t\t\t\tif !vfolder.IsIncludedInUserQuota() {\n\t\t\t\t\tfolderName = vfolder.Name\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tgo transfersChecker.AddTransfer(dataprovider.ActiveTransfer{\n\t\t\tID: t.GetID(),\n\t\t\tType: t.GetType(),\n\t\t\tConnID: c.ID,\n\t\t\tUsername: c.GetUsername(),\n\t\t\tFolderName: folderName,\n\t\t\tIP: c.GetRemoteIP(),\n\t\t\tTruncatedSize: t.GetTruncatedSize(),\n\t\t\tCreatedAt: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\t\tUpdatedAt: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\t})\n\t}\n}\n\n// RemoveTransfer removes the specified transfer from the active ones\nfunc (c *BaseConnection) RemoveTransfer(t ActiveTransfer) {\n\tConnections.transfers.remove(c.User.Username)\n\n\tc.Lock()\n\tdefer c.Unlock()\n\n\tif t.HasSizeLimit() {\n\t\tgo transfersChecker.RemoveTransfer(t.GetID(), c.ID)\n\t}\n\n\tfor idx, transfer := range c.activeTransfers {\n\t\tif transfer.GetID() == t.GetID() {\n\t\t\tlastIdx := len(c.activeTransfers) - 1\n\t\t\tc.activeTransfers[idx] = c.activeTransfers[lastIdx]\n\t\t\tc.activeTransfers[lastIdx] = nil\n\t\t\tc.activeTransfers = c.activeTransfers[:lastIdx]\n\t\t\tc.Log(logger.LevelDebug, \"transfer removed, id: %v active transfers: %v\", t.GetID(), len(c.activeTransfers))\n\t\t\treturn\n\t\t}\n\t}\n\tc.Log(logger.LevelWarn, \"transfer to remove with id %v not found!\", t.GetID())\n}\n\n// SignalTransferClose makes the transfer fail on the next read/write with the\n// specified error\nfunc (c *BaseConnection) SignalTransferClose(transferID int64, err error) {\n\tc.RLock()\n\tdefer c.RUnlock()\n\n\tfor _, t := range c.activeTransfers {\n\t\tif t.GetID() == transferID {\n\t\t\tc.Log(logger.LevelInfo, \"signal transfer close for transfer id %v\", transferID)\n\t\t\tt.SignalClose(err)\n\t\t}\n\t}\n}\n\n// GetTransfers returns the active transfers\nfunc (c *BaseConnection) GetTransfers() []ConnectionTransfer {\n\tc.RLock()\n\tdefer c.RUnlock()\n\n\ttransfers := make([]ConnectionTransfer, 0, len(c.activeTransfers))\n\tfor _, t := range c.activeTransfers {\n\t\tvar operationType string\n\t\tswitch t.GetType() {\n\t\tcase TransferDownload:\n\t\t\toperationType = operationDownload\n\t\tcase TransferUpload:\n\t\t\toperationType = operationUpload\n\t\t}\n\t\ttransfers = append(transfers, ConnectionTransfer{\n\t\t\tID: t.GetID(),\n\t\t\tOperationType: operationType,\n\t\t\tStartTime: util.GetTimeAsMsSinceEpoch(t.GetStartTime()),\n\t\t\tSize: t.GetSize(),\n\t\t\tVirtualPath: t.GetVirtualPath(),\n\t\t\tHasSizeLimit: t.HasSizeLimit(),\n\t\t\tULSize: t.GetUploadedSize(),\n\t\t\tDLSize: t.GetDownloadedSize(),\n\t\t})\n\t}\n\n\treturn transfers\n}\n\n// SignalTransfersAbort signals to the active transfers to exit as soon as possible\nfunc (c *BaseConnection) SignalTransfersAbort() error {\n\tc.RLock()\n\tdefer c.RUnlock()\n\n\tif len(c.activeTransfers) == 0 {\n\t\treturn errors.New(\"no active transfer found\")\n\t}\n\n\tfor _, t := range c.activeTransfers {\n\t\tt.SignalClose(ErrTransferAborted)\n\t}\n\treturn nil\n}\n\nfunc (c *BaseConnection) getRealFsPath(fsPath string) string {\n\tc.RLock()\n\tdefer c.RUnlock()\n\n\tfor _, t := range c.activeTransfers {\n\t\tif p := t.GetRealFsPath(fsPath); p != \"\" {\n\t\t\treturn p\n\t\t}\n\t}\n\treturn fsPath\n}\n\nfunc (c *BaseConnection) setTimes(fsPath string, atime time.Time, mtime time.Time) bool {\n\tc.RLock()\n\tdefer c.RUnlock()\n\n\tfor _, t := range c.activeTransfers {\n\t\tif t.SetTimes(fsPath, atime, mtime) {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// getInfoForOngoingUpload returns upload statistics for an upload currently in\n// progress on this connection.\nfunc (c *BaseConnection) getInfoForOngoingUpload(fsPath string) (os.FileInfo, error) {\n\tc.RLock()\n\tdefer c.RUnlock()\n\n\tfor _, t := range c.activeTransfers {\n\t\tif t.GetType() == TransferUpload && t.GetFsPath() == fsPath {\n\t\t\treturn vfs.NewFileInfo(t.GetVirtualPath(), false, t.GetSize(), t.GetStartTime(), false), nil\n\t\t}\n\t}\n\treturn nil, os.ErrNotExist\n}\n\nfunc (c *BaseConnection) truncateOpenHandle(fsPath string, size int64) (int64, error) {\n\tc.RLock()\n\tdefer c.RUnlock()\n\n\tfor _, t := range c.activeTransfers {\n\t\tinitialSize, err := t.Truncate(fsPath, size)\n\t\tif err != errTransferMismatch {\n\t\t\treturn initialSize, err\n\t\t}\n\t}\n\n\treturn 0, errNoTransfer\n}\n\n// ListDir reads the directory matching virtualPath and returns a list of directory entries\nfunc (c *BaseConnection) ListDir(virtualPath string) (*DirListerAt, error) {\n\tif !c.User.HasPerm(dataprovider.PermListItems, virtualPath) {\n\t\treturn nil, c.GetPermissionDeniedError()\n\t}\n\tfs, fsPath, err := c.GetFsAndResolvedPath(virtualPath)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tlister, err := fs.ReadDir(fsPath)\n\tif err != nil {\n\t\tc.Log(logger.LevelDebug, \"error listing directory: %+v\", err)\n\t\treturn nil, c.GetFsError(fs, err)\n\t}\n\treturn &DirListerAt{\n\t\tvirtualPath: virtualPath,\n\t\tconn: c,\n\t\tfs: fs,\n\t\tinfo: c.User.GetVirtualFoldersInfo(virtualPath),\n\t\tlister: lister,\n\t}, nil\n}\n\n// CheckParentDirs tries to create the specified directory and any missing parent dirs\nfunc (c *BaseConnection) CheckParentDirs(virtualPath string) error {\n\tfs, err := c.User.GetFilesystemForPath(virtualPath, c.GetID())\n\tif err != nil {\n\t\treturn err\n\t}\n\tif fs.HasVirtualFolders() {\n\t\treturn nil\n\t}\n\tif _, err := c.DoStat(virtualPath, 0, false); !c.IsNotExistError(err) {\n\t\treturn err\n\t}\n\tdirs := util.GetDirsForVirtualPath(virtualPath)\n\tfor idx := len(dirs) - 1; idx >= 0; idx-- {\n\t\tfs, err = c.User.GetFilesystemForPath(dirs[idx], c.GetID())\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif fs.HasVirtualFolders() {\n\t\t\tcontinue\n\t\t}\n\t\tif err = c.createDirIfMissing(dirs[idx]); err != nil {\n\t\t\treturn fmt.Errorf(\"unable to check/create missing parent dir %q for virtual path %q: %w\",\n\t\t\t\tdirs[idx], virtualPath, err)\n\t\t}\n\t}\n\treturn nil\n}\n\n// GetCreateChecks returns the checks for creating new files\nfunc (c *BaseConnection) GetCreateChecks(virtualPath string, isNewFile bool, isResume bool) int {\n\tresult := 0\n\tif !isNewFile {\n\t\tif isResume {\n\t\t\tresult += vfs.CheckResume\n\t\t}\n\t\treturn result\n\t}\n\tif !c.User.HasPerm(dataprovider.PermCreateDirs, path.Dir(virtualPath)) {\n\t\tresult += vfs.CheckParentDir\n\t\treturn result\n\t}\n\treturn result\n}\n\n// CreateDir creates a new directory at the specified fsPath\nfunc (c *BaseConnection) CreateDir(virtualPath string, checkFilePatterns bool) error {\n\tif !c.User.HasPerm(dataprovider.PermCreateDirs, path.Dir(virtualPath)) {\n\t\treturn c.GetPermissionDeniedError()\n\t}\n\tif checkFilePatterns {\n\t\tif ok, _ := c.User.IsFileAllowed(virtualPath); !ok {\n\t\t\treturn c.GetPermissionDeniedError()\n\t\t}\n\t}\n\tif c.User.IsVirtualFolder(virtualPath) {\n\t\tc.Log(logger.LevelWarn, \"mkdir not allowed %q is a virtual folder\", virtualPath)\n\t\treturn c.GetPermissionDeniedError()\n\t}\n\tfs, fsPath, err := c.GetFsAndResolvedPath(virtualPath)\n\tif err != nil {\n\t\treturn err\n\t}\n\tstartTime := time.Now()\n\tif err := fs.Mkdir(fsPath); err != nil {\n\t\tc.Log(logger.LevelError, \"error creating dir: %q error: %+v\", fsPath, err)\n\t\treturn c.GetFsError(fs, err)\n\t}\n\tvfs.SetPathPermissions(fs, fsPath, c.User.GetUID(), c.User.GetGID())\n\telapsed := time.Since(startTime).Nanoseconds() / 1000000\n\n\tlogger.CommandLog(mkdirLogSender, fsPath, \"\", c.User.Username, \"\", c.ID, c.protocol, -1, -1, \"\", \"\", \"\", -1,\n\t\tc.localAddr, c.remoteAddr, elapsed)\n\tExecuteActionNotification(c, operationMkdir, fsPath, virtualPath, \"\", \"\", \"\", 0, nil, elapsed, nil) //nolint:errcheck\n\treturn nil\n}\n\n// IsRemoveFileAllowed returns an error if removing this file is not allowed\nfunc (c *BaseConnection) IsRemoveFileAllowed(virtualPath string) error {\n\tif !c.User.HasAnyPerm([]string{dataprovider.PermDeleteFiles, dataprovider.PermDelete}, path.Dir(virtualPath)) {\n\t\treturn c.GetPermissionDeniedError()\n\t}\n\tif ok, policy := c.User.IsFileAllowed(virtualPath); !ok {\n\t\tc.Log(logger.LevelDebug, \"removing file %q is not allowed\", virtualPath)\n\t\treturn c.GetErrorForDeniedFile(policy)\n\t}\n\treturn nil\n}\n\n// RemoveFile removes a file at the specified fsPath\nfunc (c *BaseConnection) RemoveFile(fs vfs.Fs, fsPath, virtualPath string, info os.FileInfo) error {\n\tif err := c.IsRemoveFileAllowed(virtualPath); err != nil {\n\t\treturn err\n\t}\n\n\tsize := info.Size()\n\tstatus, err := ExecutePreAction(c, operationPreDelete, fsPath, virtualPath, size, 0)\n\tif err != nil {\n\t\tc.Log(logger.LevelDebug, \"delete for file %q denied by pre action: %v\", virtualPath, err)\n\t\treturn c.GetPermissionDeniedError()\n\t}\n\tupdateQuota := true\n\tstartTime := time.Now()\n\tif err := fs.Remove(fsPath, false); err != nil {\n\t\tif status > 0 && fs.IsNotExist(err) {\n\t\t\t// file removed in the pre-action, if the file was deleted from the EventManager the quota is already updated\n\t\t\tc.Log(logger.LevelDebug, \"file deleted from the hook, status: %d\", status)\n\t\t\tupdateQuota = (status == 1)\n\t\t} else {\n\t\t\tc.Log(logger.LevelError, \"failed to remove file/symlink %q: %+v\", fsPath, err)\n\t\t\treturn c.GetFsError(fs, err)\n\t\t}\n\t}\n\telapsed := time.Since(startTime).Nanoseconds() / 1000000\n\n\tlogger.CommandLog(removeLogSender, fsPath, \"\", c.User.Username, \"\", c.ID, c.protocol, -1, -1, \"\", \"\", \"\", -1,\n\t\tc.localAddr, c.remoteAddr, elapsed)\n\tif updateQuota && info.Mode()&os.ModeSymlink == 0 {\n\t\tvfolder, err := c.User.GetVirtualFolderForPath(path.Dir(virtualPath))\n\t\tif err == nil {\n\t\t\tdataprovider.UpdateUserFolderQuota(&vfolder, &c.User, -1, -size, false)\n\t\t} else {\n\t\t\tdataprovider.UpdateUserQuota(&c.User, -1, -size, false) //nolint:errcheck\n\t\t}\n\t}\n\tExecuteActionNotification(c, operationDelete, fsPath, virtualPath, \"\", \"\", \"\", size, nil, elapsed, nil) //nolint:errcheck\n\treturn nil\n}\n\n// IsRemoveDirAllowed returns an error if removing this directory is not allowed\nfunc (c *BaseConnection) IsRemoveDirAllowed(fs vfs.Fs, fsPath, virtualPath string) error {\n\tif virtualPath == \"/\" || fs.GetRelativePath(fsPath) == \"/\" {\n\t\tc.Log(logger.LevelWarn, \"removing root dir is not allowed\")\n\t\treturn c.GetPermissionDeniedError()\n\t}\n\tif c.User.IsVirtualFolder(virtualPath) {\n\t\tc.Log(logger.LevelWarn, \"removing a virtual folder is not allowed: %q\", virtualPath)\n\t\treturn fmt.Errorf(\"removing virtual folders is not allowed: %w\", c.GetPermissionDeniedError())\n\t}\n\tif c.User.HasVirtualFoldersInside(virtualPath) {\n\t\tc.Log(logger.LevelWarn, \"removing a directory with a virtual folder inside is not allowed: %q\", virtualPath)\n\t\treturn fmt.Errorf(\"cannot remove directory %q with virtual folders inside: %w\", virtualPath, c.GetOpUnsupportedError())\n\t}\n\tif c.User.IsMappedPath(fsPath) {\n\t\tc.Log(logger.LevelWarn, \"removing a directory mapped as virtual folder is not allowed: %q\", fsPath)\n\t\treturn fmt.Errorf(\"removing the directory %q mapped as virtual folder is not allowed: %w\",\n\t\t\tvirtualPath, c.GetPermissionDeniedError())\n\t}\n\tif !c.User.HasAnyPerm([]string{dataprovider.PermDeleteDirs, dataprovider.PermDelete}, path.Dir(virtualPath)) {\n\t\treturn c.GetPermissionDeniedError()\n\t}\n\tif ok, policy := c.User.IsFileAllowed(virtualPath); !ok {\n\t\tc.Log(logger.LevelDebug, \"removing directory %q is not allowed\", virtualPath)\n\t\treturn c.GetErrorForDeniedFile(policy)\n\t}\n\treturn nil\n}\n\n// RemoveDir removes a directory at the specified fsPath\nfunc (c *BaseConnection) RemoveDir(virtualPath string) error {\n\tfs, fsPath, err := c.GetFsAndResolvedPath(virtualPath)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif err := c.IsRemoveDirAllowed(fs, fsPath, virtualPath); err != nil {\n\t\treturn err\n\t}\n\n\tvar fi os.FileInfo\n\tif fi, err = fs.Lstat(fsPath); err != nil {\n\t\t// see #149\n\t\tif fs.IsNotExist(err) && fs.HasVirtualFolders() {\n\t\t\treturn nil\n\t\t}\n\t\tc.Log(logger.LevelError, \"failed to remove a dir %q: stat error: %+v\", fsPath, err)\n\t\treturn c.GetFsError(fs, err)\n\t}\n\tif !fi.IsDir() || fi.Mode()&os.ModeSymlink != 0 {\n\t\tc.Log(logger.LevelError, \"cannot remove %q is not a directory\", fsPath)\n\t\treturn c.GetGenericError(nil)\n\t}\n\n\tstartTime := time.Now()\n\tif err := fs.Remove(fsPath, true); err != nil {\n\t\tc.Log(logger.LevelError, \"failed to remove directory %q: %+v\", fsPath, err)\n\t\treturn c.GetFsError(fs, err)\n\t}\n\telapsed := time.Since(startTime).Nanoseconds() / 1000000\n\n\tlogger.CommandLog(rmdirLogSender, fsPath, \"\", c.User.Username, \"\", c.ID, c.protocol, -1, -1, \"\", \"\", \"\", -1,\n\t\tc.localAddr, c.remoteAddr, elapsed)\n\tExecuteActionNotification(c, operationRmdir, fsPath, virtualPath, \"\", \"\", \"\", 0, nil, elapsed, nil) //nolint:errcheck\n\treturn nil\n}\n\nfunc (c *BaseConnection) doRecursiveRemoveDirEntry(virtualPath string, info os.FileInfo, recursion int) error {\n\tfs, fsPath, err := c.GetFsAndResolvedPath(virtualPath)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn c.doRecursiveRemove(fs, fsPath, virtualPath, info, recursion)\n}\n\nfunc (c *BaseConnection) doRecursiveRemove(fs vfs.Fs, fsPath, virtualPath string, info os.FileInfo, recursion int) error {\n\tif info.IsDir() {\n\t\tif recursion >= util.MaxRecursion {\n\t\t\tc.Log(logger.LevelError, \"recursive rename failed, recursion too depth: %d\", recursion)\n\t\t\treturn util.ErrRecursionTooDeep\n\t\t}\n\t\trecursion++\n\t\tlister, err := c.ListDir(virtualPath)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"unable to get lister for dir %q: %w\", virtualPath, err)\n\t\t}\n\t\tdefer lister.Close()\n\n\t\tfor {\n\t\t\tentries, err := lister.Next(vfs.ListerBatchSize)\n\t\t\tfinished := errors.Is(err, io.EOF)\n\t\t\tif err != nil && !finished {\n\t\t\t\treturn fmt.Errorf(\"unable to get content for dir %q: %w\", virtualPath, err)\n\t\t\t}\n\t\t\tfor _, fi := range entries {\n\t\t\t\ttargetPath := path.Join(virtualPath, fi.Name())\n\t\t\t\tif err := c.doRecursiveRemoveDirEntry(targetPath, fi, recursion); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t}\n\t\t\tif finished {\n\t\t\t\tlister.Close()\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\treturn c.RemoveDir(virtualPath)\n\t}\n\treturn c.RemoveFile(fs, fsPath, virtualPath, info)\n}\n\n// RemoveAll removes the specified path and any children it contains\nfunc (c *BaseConnection) RemoveAll(virtualPath string) error {\n\tfs, fsPath, err := c.GetFsAndResolvedPath(virtualPath)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tfi, err := fs.Lstat(fsPath)\n\tif err != nil {\n\t\tc.Log(logger.LevelDebug, \"failed to remove path %q: stat error: %+v\", fsPath, err)\n\t\treturn c.GetFsError(fs, err)\n\t}\n\tif fi.IsDir() && fi.Mode()&os.ModeSymlink == 0 {\n\t\tif err := c.IsRemoveDirAllowed(fs, fsPath, virtualPath); err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn c.doRecursiveRemove(fs, fsPath, virtualPath, fi, 0)\n\t}\n\treturn c.RemoveFile(fs, fsPath, virtualPath, fi)\n}\n\nfunc (c *BaseConnection) checkCopy(srcInfo, dstInfo os.FileInfo, virtualSource, virtualTarget string) error {\n\t_, fsSourcePath, err := c.GetFsAndResolvedPath(virtualSource)\n\tif err != nil {\n\t\treturn err\n\t}\n\t_, fsTargetPath, err := c.GetFsAndResolvedPath(virtualTarget)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif srcInfo.IsDir() {\n\t\tif dstInfo != nil && !dstInfo.IsDir() {\n\t\t\treturn fmt.Errorf(\"cannot overwrite file %q with dir %q: %w\", virtualTarget, virtualSource, c.GetOpUnsupportedError())\n\t\t}\n\t\tif util.IsDirOverlapped(virtualSource, virtualTarget, true, \"/\") {\n\t\t\treturn fmt.Errorf(\"nested copy %q => %q is not supported: %w\", virtualSource, virtualTarget, c.GetOpUnsupportedError())\n\t\t}\n\t\tif util.IsDirOverlapped(fsSourcePath, fsTargetPath, true, c.User.FsConfig.GetPathSeparator()) {\n\t\t\tc.Log(logger.LevelWarn, \"nested fs copy %q => %q not allowed\", fsSourcePath, fsTargetPath)\n\t\t\treturn fmt.Errorf(\"nested fs copy is not supported: %w\", c.GetOpUnsupportedError())\n\t\t}\n\t\treturn nil\n\t}\n\tif dstInfo != nil && dstInfo.IsDir() {\n\t\treturn fmt.Errorf(\"cannot overwrite file %q with dir %q: %w\", virtualSource, virtualTarget, c.GetOpUnsupportedError())\n\t}\n\tif c.IsSameResource(virtualSource, virtualTarget) {\n\t\tif fsSourcePath == fsTargetPath {\n\t\t\treturn fmt.Errorf(\"the copy source and target cannot be the same: %w\", c.GetOpUnsupportedError())\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (c *BaseConnection) copyFile(virtualSourcePath, virtualTargetPath string, srcInfo os.FileInfo) error {\n\tif !c.User.HasPerm(dataprovider.PermCopy, virtualSourcePath) || !c.User.HasPerm(dataprovider.PermCopy, virtualTargetPath) {\n\t\treturn c.GetPermissionDeniedError()\n\t}\n\tif ok, _ := c.User.IsFileAllowed(virtualTargetPath); !ok {\n\t\treturn fmt.Errorf(\"file %q is not allowed: %w\", virtualTargetPath, c.GetPermissionDeniedError())\n\t}\n\tif c.IsSameResource(virtualSourcePath, virtualTargetPath) {\n\t\tfs, fsTargetPath, err := c.GetFsAndResolvedPath(virtualTargetPath)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif copier, ok := fs.(vfs.FsFileCopier); ok {\n\t\t\t_, fsSourcePath, err := c.GetFsAndResolvedPath(virtualSourcePath)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tstartTime := time.Now()\n\t\t\tnumFiles, sizeDiff, err := copier.CopyFile(fsSourcePath, fsTargetPath, srcInfo)\n\t\t\telapsed := time.Since(startTime).Nanoseconds() / 1000000\n\t\t\tupdateUserQuotaAfterFileWrite(c, virtualTargetPath, numFiles, sizeDiff)\n\t\t\tlogger.CommandLog(copyLogSender, fsSourcePath, fsTargetPath, c.User.Username, \"\", c.ID, c.protocol, -1, -1,\n\t\t\t\t\"\", \"\", \"\", srcInfo.Size(), c.localAddr, c.remoteAddr, elapsed)\n\t\t\tExecuteActionNotification(c, operationCopy, fsSourcePath, virtualSourcePath, fsTargetPath, virtualTargetPath, \"\", srcInfo.Size(), err, elapsed, nil) //nolint:errcheck\n\t\t\treturn err\n\t\t}\n\t}\n\n\treader, rCancelFn, err := getFileReader(c, virtualSourcePath)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to get reader for path %q: %w\", virtualSourcePath, err)\n\t}\n\tdefer rCancelFn()\n\tdefer reader.Close()\n\n\twriter, numFiles, truncatedSize, wCancelFn, err := getFileWriter(c, virtualTargetPath, srcInfo.Size())\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to get writer for path %q: %w\", virtualTargetPath, err)\n\t}\n\tdefer wCancelFn()\n\n\tstartTime := time.Now()\n\t_, err = io.Copy(writer, reader)\n\treturn closeWriterAndUpdateQuota(writer, c, virtualSourcePath, virtualTargetPath, numFiles, truncatedSize,\n\t\terr, operationCopy, startTime)\n}\n\nfunc (c *BaseConnection) doRecursiveCopy(virtualSourcePath, virtualTargetPath string, srcInfo os.FileInfo,\n\tcreateTargetDir bool, recursion int,\n) error {\n\tif srcInfo.IsDir() {\n\t\tif recursion >= util.MaxRecursion {\n\t\t\tc.Log(logger.LevelError, \"recursive copy failed, recursion too depth: %d\", recursion)\n\t\t\treturn util.ErrRecursionTooDeep\n\t\t}\n\t\trecursion++\n\t\tif createTargetDir {\n\t\t\tif err := c.CreateDir(virtualTargetPath, false); err != nil {\n\t\t\t\treturn fmt.Errorf(\"unable to create directory %q: %w\", virtualTargetPath, err)\n\t\t\t}\n\t\t}\n\t\tlister, err := c.ListDir(virtualSourcePath)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"unable to get lister for dir %q: %w\", virtualSourcePath, err)\n\t\t}\n\t\tdefer lister.Close()\n\n\t\tfor {\n\t\t\tentries, err := lister.Next(vfs.ListerBatchSize)\n\t\t\tfinished := errors.Is(err, io.EOF)\n\t\t\tif err != nil && !finished {\n\t\t\t\treturn fmt.Errorf(\"unable to get contents for dir %q: %w\", virtualSourcePath, err)\n\t\t\t}\n\t\t\tif err := c.recursiveCopyEntries(virtualSourcePath, virtualTargetPath, entries, recursion); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tif finished {\n\t\t\t\treturn nil\n\t\t\t}\n\t\t}\n\t}\n\tif !srcInfo.Mode().IsRegular() {\n\t\tc.Log(logger.LevelInfo, \"skipping copy for non regular file %q\", virtualSourcePath)\n\t\treturn nil\n\t}\n\n\treturn c.copyFile(virtualSourcePath, virtualTargetPath, srcInfo)\n}\n\nfunc (c *BaseConnection) recursiveCopyEntries(virtualSourcePath, virtualTargetPath string, entries []os.FileInfo, recursion int) error {\n\tfor _, info := range entries {\n\t\tsourcePath := path.Join(virtualSourcePath, info.Name())\n\t\ttargetPath := path.Join(virtualTargetPath, info.Name())\n\t\ttargetInfo, err := c.DoStat(targetPath, 1, false)\n\t\tif err == nil {\n\t\t\tif info.IsDir() && targetInfo.IsDir() {\n\t\t\t\tc.Log(logger.LevelDebug, \"target copy dir %q already exists\", targetPath)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\t\tif err != nil && !c.IsNotExistError(err) {\n\t\t\treturn err\n\t\t}\n\t\tif err := c.checkCopy(info, targetInfo, sourcePath, targetPath); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err := c.doRecursiveCopy(sourcePath, targetPath, info, true, recursion); err != nil {\n\t\t\tif c.IsNotExistError(err) {\n\t\t\t\tc.Log(logger.LevelInfo, \"skipping copy for source path %q: %v\", sourcePath, err)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\treturn err\n\t\t}\n\t}\n\treturn nil\n}\n\n// Copy virtualSourcePath to virtualTargetPath\nfunc (c *BaseConnection) Copy(virtualSourcePath, virtualTargetPath string) error {\n\tcopyFromSource := strings.HasSuffix(virtualSourcePath, \"/\")\n\tcopyInTarget := strings.HasSuffix(virtualTargetPath, \"/\")\n\tvirtualSourcePath = path.Clean(virtualSourcePath)\n\tvirtualTargetPath = path.Clean(virtualTargetPath)\n\tif virtualSourcePath == virtualTargetPath {\n\t\treturn fmt.Errorf(\"the copy source and target cannot be the same: %w\", c.GetOpUnsupportedError())\n\t}\n\tsrcInfo, err := c.DoStat(virtualSourcePath, 1, false)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif srcInfo.Mode()&os.ModeSymlink != 0 {\n\t\treturn fmt.Errorf(\"copying symlinks is not supported: %w\", c.GetOpUnsupportedError())\n\t}\n\tdstInfo, err := c.DoStat(virtualTargetPath, 1, false)\n\tif err == nil && !copyFromSource {\n\t\tcopyInTarget = dstInfo.IsDir()\n\t}\n\tif err != nil && !c.IsNotExistError(err) {\n\t\treturn err\n\t}\n\tdestPath := virtualTargetPath\n\tif copyInTarget {\n\t\tdestPath = path.Join(virtualTargetPath, path.Base(virtualSourcePath))\n\t\tdstInfo, err = c.DoStat(destPath, 1, false)\n\t\tif err != nil && !c.IsNotExistError(err) {\n\t\t\treturn err\n\t\t}\n\t}\n\tcreateTargetDir := dstInfo == nil || !dstInfo.IsDir()\n\tif err := c.checkCopy(srcInfo, dstInfo, virtualSourcePath, destPath); err != nil {\n\t\treturn err\n\t}\n\tif err := c.CheckParentDirs(path.Dir(destPath)); err != nil {\n\t\treturn err\n\t}\n\tstopKeepAlive := keepConnectionAlive(c, 2*time.Minute)\n\tdefer stopKeepAlive()\n\n\treturn c.doRecursiveCopy(virtualSourcePath, destPath, srcInfo, createTargetDir, 0)\n}\n\n// Rename renames (moves) virtualSourcePath to virtualTargetPath\nfunc (c *BaseConnection) Rename(virtualSourcePath, virtualTargetPath string) error {\n\treturn c.renameInternal(virtualSourcePath, virtualTargetPath, false, vfs.CheckParentDir)\n}\n\nfunc (c *BaseConnection) renameInternal(virtualSourcePath, virtualTargetPath string, //nolint:gocyclo\n\tcheckParentDestination bool, checks int,\n) error {\n\tif virtualSourcePath == virtualTargetPath {\n\t\treturn fmt.Errorf(\"the rename source and target cannot be the same: %w\", c.GetOpUnsupportedError())\n\t}\n\tfsSrc, fsSourcePath, err := c.GetFsAndResolvedPath(virtualSourcePath)\n\tif err != nil {\n\t\treturn err\n\t}\n\tfsDst, fsTargetPath, err := c.GetFsAndResolvedPath(virtualTargetPath)\n\tif err != nil {\n\t\treturn err\n\t}\n\tstartTime := time.Now()\n\tsrcInfo, err := fsSrc.Lstat(fsSourcePath)\n\tif err != nil {\n\t\treturn c.GetFsError(fsSrc, err)\n\t}\n\tif !c.isRenamePermitted(fsSrc, fsDst, fsSourcePath, fsTargetPath, virtualSourcePath, virtualTargetPath, srcInfo) {\n\t\treturn c.GetPermissionDeniedError()\n\t}\n\tinitialSize := int64(-1)\n\tdstInfo, err := fsDst.Lstat(fsTargetPath)\n\tif err != nil && !fsDst.IsNotExist(err) {\n\t\treturn err\n\t}\n\tif err == nil {\n\t\tcheckParentDestination = false\n\t\tif dstInfo.IsDir() {\n\t\t\tc.Log(logger.LevelWarn, \"attempted to rename %q overwriting an existing directory %q\",\n\t\t\t\tfsSourcePath, fsTargetPath)\n\t\t\treturn c.GetOpUnsupportedError()\n\t\t}\n\t\t// we are overwriting an existing file/symlink\n\t\tif dstInfo.Mode().IsRegular() {\n\t\t\tinitialSize = dstInfo.Size()\n\t\t}\n\t\tif !c.User.HasPerm(dataprovider.PermOverwrite, path.Dir(virtualTargetPath)) {\n\t\t\tc.Log(logger.LevelDebug, \"renaming %q -> %q is not allowed. Target exists but the user %q\"+\n\t\t\t\t\"has no overwrite permission\", virtualSourcePath, virtualTargetPath, c.User.Username)\n\t\t\treturn c.GetPermissionDeniedError()\n\t\t}\n\t}\n\tif srcInfo.IsDir() {\n\t\tif err := c.checkFolderRename(fsSrc, fsDst, fsSourcePath, fsTargetPath, virtualSourcePath, virtualTargetPath, srcInfo); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tif !c.hasSpaceForRename(fsSrc, virtualSourcePath, virtualTargetPath, initialSize, fsSourcePath, srcInfo) {\n\t\tc.Log(logger.LevelInfo, \"denying cross rename due to space limit\")\n\t\treturn c.GetGenericError(ErrQuotaExceeded)\n\t}\n\tif checkParentDestination {\n\t\tc.CheckParentDirs(path.Dir(virtualTargetPath)) //nolint:errcheck\n\t}\n\tstopKeepAlive := keepConnectionAlive(c, 2*time.Minute)\n\tdefer stopKeepAlive()\n\n\tfiles, size, err := fsDst.Rename(fsSourcePath, fsTargetPath, checks)\n\tif err != nil {\n\t\tc.Log(logger.LevelError, \"failed to rename %q -> %q: %+v\", fsSourcePath, fsTargetPath, err)\n\t\treturn c.GetFsError(fsSrc, err)\n\t}\n\tvfs.SetPathPermissions(fsDst, fsTargetPath, c.User.GetUID(), c.User.GetGID())\n\telapsed := time.Since(startTime).Nanoseconds() / 1000000\n\tc.updateQuotaAfterRename(fsDst, virtualSourcePath, virtualTargetPath, fsTargetPath, initialSize, files, size) //nolint:errcheck\n\tlogger.CommandLog(renameLogSender, fsSourcePath, fsTargetPath, c.User.Username, \"\", c.ID, c.protocol, -1, -1,\n\t\t\"\", \"\", \"\", -1, c.localAddr, c.remoteAddr, elapsed)\n\tExecuteActionNotification(c, operationRename, fsSourcePath, virtualSourcePath, fsTargetPath, //nolint:errcheck\n\t\tvirtualTargetPath, \"\", 0, nil, elapsed, nil)\n\n\treturn nil\n}\n\n// CreateSymlink creates fsTargetPath as a symbolic link to fsSourcePath\nfunc (c *BaseConnection) CreateSymlink(virtualSourcePath, virtualTargetPath string) error {\n\tvar relativePath string\n\tif !path.IsAbs(virtualSourcePath) {\n\t\trelativePath = virtualSourcePath\n\t\tvirtualSourcePath = path.Join(path.Dir(virtualTargetPath), relativePath)\n\t\tc.Log(logger.LevelDebug, \"link relative path %q resolved as %q, target path %q\",\n\t\t\trelativePath, virtualSourcePath, virtualTargetPath)\n\t}\n\tif c.isCrossFoldersRequest(virtualSourcePath, virtualTargetPath) {\n\t\tc.Log(logger.LevelWarn, \"cross folder symlink is not supported, src: %v dst: %v\", virtualSourcePath, virtualTargetPath)\n\t\treturn c.GetOpUnsupportedError()\n\t}\n\t// we cannot have a cross folder request here so only one fs is enough\n\tfs, fsSourcePath, err := c.GetFsAndResolvedPath(virtualSourcePath)\n\tif err != nil {\n\t\treturn err\n\t}\n\tfsTargetPath, err := fs.ResolvePath(virtualTargetPath)\n\tif err != nil {\n\t\treturn c.GetFsError(fs, err)\n\t}\n\tif fs.GetRelativePath(fsSourcePath) == \"/\" {\n\t\tc.Log(logger.LevelError, \"symlinking root dir is not allowed\")\n\t\treturn c.GetPermissionDeniedError()\n\t}\n\tif fs.GetRelativePath(fsTargetPath) == \"/\" {\n\t\tc.Log(logger.LevelError, \"symlinking to root dir is not allowed\")\n\t\treturn c.GetPermissionDeniedError()\n\t}\n\tif !c.User.HasPerm(dataprovider.PermCreateSymlinks, path.Dir(virtualTargetPath)) {\n\t\treturn c.GetPermissionDeniedError()\n\t}\n\tok, policy := c.User.IsFileAllowed(virtualSourcePath)\n\tif !ok && policy == sdk.DenyPolicyHide {\n\t\tc.Log(logger.LevelError, \"symlink source path %q is not allowed\", virtualSourcePath)\n\t\treturn c.GetNotExistError()\n\t}\n\tif ok, _ = c.User.IsFileAllowed(virtualTargetPath); !ok {\n\t\tc.Log(logger.LevelError, \"symlink target path %q is not allowed\", virtualTargetPath)\n\t\treturn c.GetPermissionDeniedError()\n\t}\n\tif relativePath != \"\" {\n\t\tfsSourcePath = relativePath\n\t}\n\tstartTime := time.Now()\n\tif err := fs.Symlink(fsSourcePath, fsTargetPath); err != nil {\n\t\tc.Log(logger.LevelError, \"failed to create symlink %q -> %q: %+v\", fsSourcePath, fsTargetPath, err)\n\t\treturn c.GetFsError(fs, err)\n\t}\n\telapsed := time.Since(startTime).Nanoseconds() / 1000000\n\tlogger.CommandLog(symlinkLogSender, fsSourcePath, fsTargetPath, c.User.Username, \"\", c.ID, c.protocol, -1, -1, \"\",\n\t\t\"\", \"\", -1, c.localAddr, c.remoteAddr, elapsed)\n\treturn nil\n}\n\nfunc (c *BaseConnection) doStatInternal(virtualPath string, mode int, checkFilePatterns,\n\tconvertResult bool,\n) (os.FileInfo, error) {\n\t// for some vfs we don't create intermediary folders so we cannot simply check\n\t// if virtualPath is a virtual folder. Allowing stat for hidden virtual folders\n\t// is by purpose.\n\tvfolders := c.User.GetVirtualFoldersInPath(path.Dir(virtualPath))\n\tif _, ok := vfolders[virtualPath]; ok {\n\t\treturn vfs.NewFileInfo(virtualPath, true, 0, time.Unix(0, 0), false), nil\n\t}\n\tif checkFilePatterns && virtualPath != \"/\" {\n\t\tok, policy := c.User.IsFileAllowed(virtualPath)\n\t\tif !ok && policy == sdk.DenyPolicyHide {\n\t\t\treturn nil, c.GetNotExistError()\n\t\t}\n\t}\n\n\tvar info os.FileInfo\n\n\tfs, fsPath, err := c.GetFsAndResolvedPath(virtualPath)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tif mode == 1 {\n\t\tinfo, err = fs.Lstat(c.getRealFsPath(fsPath))\n\t} else {\n\t\tinfo, err = fs.Stat(c.getRealFsPath(fsPath))\n\t}\n\tif err != nil {\n\t\tisNotExist := fs.IsNotExist(err)\n\t\tif isNotExist {\n\t\t\t// This is primarily useful for atomic storage backends, where files\n\t\t\t// become visible only after they are closed. However, since we may\n\t\t\t// be proxying (for example) an SFTP server backed by atomic\n\t\t\t// storage, and this search only inspects transfers active on the\n\t\t\t// current connection (typically just one), the check is inexpensive\n\t\t\t// and safe to perform unconditionally.\n\t\t\tif info, err := c.getInfoForOngoingUpload(fsPath); err == nil {\n\t\t\t\treturn info, nil\n\t\t\t}\n\t\t}\n\t\tif !isNotExist {\n\t\t\tc.Log(logger.LevelWarn, \"stat error for path %q: %+v\", virtualPath, err)\n\t\t}\n\t\treturn nil, c.GetFsError(fs, err)\n\t}\n\tif convertResult && vfs.IsCryptOsFs(fs) {\n\t\tinfo = fs.(*vfs.CryptFs).ConvertFileInfo(info)\n\t}\n\treturn info, nil\n}\n\n// DoStat execute a Stat if mode = 0, Lstat if mode = 1\nfunc (c *BaseConnection) DoStat(virtualPath string, mode int, checkFilePatterns bool) (os.FileInfo, error) {\n\treturn c.doStatInternal(virtualPath, mode, checkFilePatterns, true)\n}\n\nfunc (c *BaseConnection) createDirIfMissing(name string) error {\n\t_, err := c.DoStat(name, 0, false)\n\tif c.IsNotExistError(err) {\n\t\treturn c.CreateDir(name, false)\n\t}\n\treturn err\n}\n\nfunc (c *BaseConnection) ignoreSetStat(fs vfs.Fs) bool {\n\tif Config.SetstatMode == 1 {\n\t\treturn true\n\t}\n\tif Config.SetstatMode == 2 && !vfs.IsLocalOrSFTPFs(fs) && !vfs.IsCryptOsFs(fs) {\n\t\treturn true\n\t}\n\treturn false\n}\n\nfunc (c *BaseConnection) handleChmod(fs vfs.Fs, fsPath, pathForPerms string, attributes *StatAttributes) error {\n\tif !c.User.HasPerm(dataprovider.PermChmod, pathForPerms) {\n\t\treturn c.GetPermissionDeniedError()\n\t}\n\tif c.ignoreSetStat(fs) {\n\t\treturn nil\n\t}\n\tstartTime := time.Now()\n\tif err := fs.Chmod(c.getRealFsPath(fsPath), attributes.Mode); err != nil {\n\t\tc.Log(logger.LevelError, \"failed to chmod path %q, mode: %v, err: %+v\", fsPath, attributes.Mode.String(), err)\n\t\treturn c.GetFsError(fs, err)\n\t}\n\telapsed := time.Since(startTime).Nanoseconds() / 1000000\n\tlogger.CommandLog(chmodLogSender, fsPath, \"\", c.User.Username, attributes.Mode.String(), c.ID, c.protocol,\n\t\t-1, -1, \"\", \"\", \"\", -1, c.localAddr, c.remoteAddr, elapsed)\n\treturn nil\n}\n\nfunc (c *BaseConnection) handleChown(fs vfs.Fs, fsPath, pathForPerms string, attributes *StatAttributes) error {\n\tif !c.User.HasPerm(dataprovider.PermChown, pathForPerms) {\n\t\treturn c.GetPermissionDeniedError()\n\t}\n\tif c.ignoreSetStat(fs) {\n\t\treturn nil\n\t}\n\tstartTime := time.Now()\n\tif err := fs.Chown(c.getRealFsPath(fsPath), attributes.UID, attributes.GID); err != nil {\n\t\tc.Log(logger.LevelError, \"failed to chown path %q, uid: %v, gid: %v, err: %+v\", fsPath, attributes.UID,\n\t\t\tattributes.GID, err)\n\t\treturn c.GetFsError(fs, err)\n\t}\n\telapsed := time.Since(startTime).Nanoseconds() / 1000000\n\tlogger.CommandLog(chownLogSender, fsPath, \"\", c.User.Username, \"\", c.ID, c.protocol, attributes.UID, attributes.GID,\n\t\t\"\", \"\", \"\", -1, c.localAddr, c.remoteAddr, elapsed)\n\treturn nil\n}\n\nfunc (c *BaseConnection) handleChtimes(fs vfs.Fs, fsPath, pathForPerms string, attributes *StatAttributes) error {\n\tif !c.User.HasPerm(dataprovider.PermChtimes, pathForPerms) {\n\t\treturn c.GetPermissionDeniedError()\n\t}\n\tif Config.SetstatMode == 1 {\n\t\treturn nil\n\t}\n\tstartTime := time.Now()\n\tisUploading := c.setTimes(fsPath, attributes.Atime, attributes.Mtime)\n\tif err := fs.Chtimes(c.getRealFsPath(fsPath), attributes.Atime, attributes.Mtime, isUploading); err != nil {\n\t\tc.setTimes(fsPath, time.Time{}, time.Time{})\n\t\tif errors.Is(err, vfs.ErrVfsUnsupported) && Config.SetstatMode == 2 {\n\t\t\treturn nil\n\t\t}\n\t\tc.Log(logger.LevelError, \"failed to chtimes for path %q, access time: %v, modification time: %v, err: %+v\",\n\t\t\tfsPath, attributes.Atime, attributes.Mtime, err)\n\t\treturn c.GetFsError(fs, err)\n\t}\n\telapsed := time.Since(startTime).Nanoseconds() / 1000000\n\taccessTimeString := attributes.Atime.Format(chtimesFormat)\n\tmodificationTimeString := attributes.Mtime.Format(chtimesFormat)\n\tlogger.CommandLog(chtimesLogSender, fsPath, \"\", c.User.Username, \"\", c.ID, c.protocol, -1, -1,\n\t\taccessTimeString, modificationTimeString, \"\", -1, c.localAddr, c.remoteAddr, elapsed)\n\treturn nil\n}\n\n// SetStat set StatAttributes for the specified fsPath\nfunc (c *BaseConnection) SetStat(virtualPath string, attributes *StatAttributes) error {\n\tif ok, policy := c.User.IsFileAllowed(virtualPath); !ok {\n\t\treturn c.GetErrorForDeniedFile(policy)\n\t}\n\tfs, fsPath, err := c.GetFsAndResolvedPath(virtualPath)\n\tif err != nil {\n\t\treturn err\n\t}\n\tpathForPerms := path.Dir(virtualPath)\n\n\tif attributes.Flags&StatAttrTimes != 0 {\n\t\tif err = c.handleChtimes(fs, fsPath, pathForPerms, attributes); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\tif attributes.Flags&StatAttrPerms != 0 {\n\t\tif err = c.handleChmod(fs, fsPath, pathForPerms, attributes); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\tif attributes.Flags&StatAttrUIDGID != 0 {\n\t\tif err = c.handleChown(fs, fsPath, pathForPerms, attributes); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\tif attributes.Flags&StatAttrSize != 0 {\n\t\tif !c.User.HasPerm(dataprovider.PermOverwrite, pathForPerms) {\n\t\t\treturn c.GetPermissionDeniedError()\n\t\t}\n\t\tstartTime := time.Now()\n\t\tif err = c.truncateFile(fs, fsPath, virtualPath, attributes.Size); err != nil {\n\t\t\tc.Log(logger.LevelError, \"failed to truncate path %q, size: %v, err: %+v\", fsPath, attributes.Size, err)\n\t\t\treturn c.GetFsError(fs, err)\n\t\t}\n\t\telapsed := time.Since(startTime).Nanoseconds() / 1000000\n\t\tlogger.CommandLog(truncateLogSender, fsPath, \"\", c.User.Username, \"\", c.ID, c.protocol, -1, -1, \"\", \"\",\n\t\t\t\"\", attributes.Size, c.localAddr, c.remoteAddr, elapsed)\n\t}\n\n\treturn nil\n}\n\nfunc (c *BaseConnection) truncateFile(fs vfs.Fs, fsPath, virtualPath string, size int64) error {\n\t// check first if we have an open transfer for the given path and try to truncate the file already opened\n\t// if we found no transfer we truncate by path.\n\tvar initialSize int64\n\tvar err error\n\tinitialSize, err = c.truncateOpenHandle(fsPath, size)\n\tif err == errNoTransfer {\n\t\tc.Log(logger.LevelDebug, \"file path %q not found in active transfers, execute trucate by path\", fsPath)\n\t\tvar info os.FileInfo\n\t\tinfo, err = fs.Stat(fsPath)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tinitialSize = info.Size()\n\t\terr = fs.Truncate(fsPath, size)\n\t}\n\tif err == nil && vfs.HasTruncateSupport(fs) {\n\t\tsizeDiff := initialSize - size\n\t\tvfolder, err := c.User.GetVirtualFolderForPath(path.Dir(virtualPath))\n\t\tif err == nil {\n\t\t\tdataprovider.UpdateUserFolderQuota(&vfolder, &c.User, 0, -sizeDiff, false)\n\t\t} else {\n\t\t\tdataprovider.UpdateUserQuota(&c.User, 0, -sizeDiff, false) //nolint:errcheck\n\t\t}\n\t}\n\treturn err\n}\n\nfunc (c *BaseConnection) checkRecursiveRenameDirPermissions(fsSrc, fsDst vfs.Fs, sourcePath, targetPath,\n\tvirtualSourcePath, virtualTargetPath string, srcInfo os.FileInfo,\n) error {\n\tif !c.User.HasPermissionsInside(virtualSourcePath) &&\n\t\t!c.User.HasPermissionsInside(virtualTargetPath) {\n\t\tif !c.isRenamePermitted(fsSrc, fsDst, sourcePath, targetPath, virtualSourcePath, virtualTargetPath, srcInfo) {\n\t\t\tc.Log(logger.LevelInfo, \"rename %q -> %q is not allowed, virtual destination path: %q\",\n\t\t\t\tsourcePath, targetPath, virtualTargetPath)\n\t\t\treturn c.GetPermissionDeniedError()\n\t\t}\n\t\t// if all rename permissions are granted we have finished, otherwise we have to walk\n\t\t// because we could have the rename dir permission but not the rename file and the dir to\n\t\t// rename could contain files\n\t\tif c.User.HasPermsRenameAll(path.Dir(virtualSourcePath)) && c.User.HasPermsRenameAll(path.Dir(virtualTargetPath)) {\n\t\t\treturn nil\n\t\t}\n\t}\n\n\treturn fsSrc.Walk(sourcePath, func(walkedPath string, info os.FileInfo, err error) error {\n\t\tif err != nil {\n\t\t\treturn c.GetFsError(fsSrc, err)\n\t\t}\n\t\tif walkedPath != sourcePath && !vfs.IsRenameAtomic(fsSrc) && Config.RenameMode == 0 {\n\t\t\tc.Log(logger.LevelInfo, \"cannot rename non empty directory %q on this filesystem\", virtualSourcePath)\n\t\t\treturn c.GetOpUnsupportedError()\n\t\t}\n\t\tdstPath := strings.Replace(walkedPath, sourcePath, targetPath, 1)\n\t\tvirtualSrcPath := fsSrc.GetRelativePath(walkedPath)\n\t\tvirtualDstPath := fsDst.GetRelativePath(dstPath)\n\t\tif !c.isRenamePermitted(fsSrc, fsDst, walkedPath, dstPath, virtualSrcPath, virtualDstPath, info) {\n\t\t\tc.Log(logger.LevelInfo, \"rename %q -> %q is not allowed, virtual destination path: %q\",\n\t\t\t\twalkedPath, dstPath, virtualDstPath)\n\t\t\treturn c.GetPermissionDeniedError()\n\t\t}\n\t\treturn nil\n\t})\n}\n\nfunc (c *BaseConnection) hasRenamePerms(virtualSourcePath, virtualTargetPath string, fi os.FileInfo) bool {\n\tif c.User.HasPermsRenameAll(path.Dir(virtualSourcePath)) &&\n\t\tc.User.HasPermsRenameAll(path.Dir(virtualTargetPath)) {\n\t\treturn true\n\t}\n\tif fi == nil {\n\t\t// we don't know if this is a file or a directory and we don't have all the rename perms, return false\n\t\treturn false\n\t}\n\tif fi.IsDir() {\n\t\tperms := []string{\n\t\t\tdataprovider.PermRenameDirs,\n\t\t\tdataprovider.PermRename,\n\t\t}\n\t\treturn c.User.HasAnyPerm(perms, path.Dir(virtualSourcePath)) &&\n\t\t\tc.User.HasAnyPerm(perms, path.Dir(virtualTargetPath))\n\t}\n\t// file or symlink\n\tperms := []string{\n\t\tdataprovider.PermRenameFiles,\n\t\tdataprovider.PermRename,\n\t}\n\treturn c.User.HasAnyPerm(perms, path.Dir(virtualSourcePath)) &&\n\t\tc.User.HasAnyPerm(perms, path.Dir(virtualTargetPath))\n}\n\nfunc (c *BaseConnection) checkFolderRename(fsSrc, fsDst vfs.Fs, fsSourcePath, fsTargetPath, virtualSourcePath,\n\tvirtualTargetPath string, srcInfo os.FileInfo) error {\n\tif util.IsDirOverlapped(virtualSourcePath, virtualTargetPath, true, \"/\") {\n\t\tc.Log(logger.LevelDebug, \"renaming the folder %q->%q is not supported: nested folders\",\n\t\t\tvirtualSourcePath, virtualTargetPath)\n\t\treturn fmt.Errorf(\"nested rename %q => %q is not supported: %w\",\n\t\t\tvirtualSourcePath, virtualTargetPath, c.GetOpUnsupportedError())\n\t}\n\tif util.IsDirOverlapped(fsSourcePath, fsTargetPath, true, c.User.FsConfig.GetPathSeparator()) {\n\t\tc.Log(logger.LevelDebug, \"renaming the folder %q->%q is not supported: nested fs folders\",\n\t\t\tfsSourcePath, fsTargetPath)\n\t\treturn fmt.Errorf(\"nested fs rename %q => %q is not supported: %w\",\n\t\t\tfsSourcePath, fsTargetPath, c.GetOpUnsupportedError())\n\t}\n\tif c.User.HasVirtualFoldersInside(virtualSourcePath) {\n\t\tc.Log(logger.LevelDebug, \"renaming the folder %q is not supported: it has virtual folders inside it\",\n\t\t\tvirtualSourcePath)\n\t\treturn fmt.Errorf(\"folder %q has virtual folders inside it: %w\", virtualSourcePath, c.GetOpUnsupportedError())\n\t}\n\tif c.User.HasVirtualFoldersInside(virtualTargetPath) {\n\t\tc.Log(logger.LevelDebug, \"renaming the folder %q is not supported, the target %q has virtual folders inside it\",\n\t\t\tvirtualSourcePath, virtualTargetPath)\n\t\treturn fmt.Errorf(\"folder %q has virtual folders inside it: %w\", virtualTargetPath, c.GetOpUnsupportedError())\n\t}\n\tif err := c.checkRecursiveRenameDirPermissions(fsSrc, fsDst, fsSourcePath, fsTargetPath,\n\t\tvirtualSourcePath, virtualTargetPath, srcInfo); err != nil {\n\t\tc.Log(logger.LevelDebug, \"error checking recursive permissions before renaming %q: %+v\", fsSourcePath, err)\n\t\treturn err\n\t}\n\treturn nil\n}\n\nfunc (c *BaseConnection) isRenamePermitted(fsSrc, fsDst vfs.Fs, fsSourcePath, fsTargetPath, virtualSourcePath,\n\tvirtualTargetPath string, srcInfo os.FileInfo,\n) bool {\n\tif !c.IsSameResource(virtualSourcePath, virtualTargetPath) {\n\t\tc.Log(logger.LevelInfo, \"rename %q->%q is not allowed: the paths must be on the same resource\",\n\t\t\tvirtualSourcePath, virtualTargetPath)\n\t\treturn false\n\t}\n\tif c.User.IsMappedPath(fsSourcePath) && vfs.IsLocalOrCryptoFs(fsSrc) {\n\t\tc.Log(logger.LevelWarn, \"renaming a directory mapped as virtual folder is not allowed: %q\", fsSourcePath)\n\t\treturn false\n\t}\n\tif c.User.IsMappedPath(fsTargetPath) && vfs.IsLocalOrCryptoFs(fsDst) {\n\t\tc.Log(logger.LevelWarn, \"renaming to a directory mapped as virtual folder is not allowed: %q\", fsTargetPath)\n\t\treturn false\n\t}\n\tif virtualSourcePath == \"/\" || virtualTargetPath == \"/\" || fsSrc.GetRelativePath(fsSourcePath) == \"/\" {\n\t\tc.Log(logger.LevelWarn, \"renaming root dir is not allowed\")\n\t\treturn false\n\t}\n\tif c.User.IsVirtualFolder(virtualSourcePath) || c.User.IsVirtualFolder(virtualTargetPath) {\n\t\tc.Log(logger.LevelWarn, \"renaming a virtual folder is not allowed\")\n\t\treturn false\n\t}\n\tisSrcAllowed, _ := c.User.IsFileAllowed(virtualSourcePath)\n\tisDstAllowed, _ := c.User.IsFileAllowed(virtualTargetPath)\n\tif !isSrcAllowed || !isDstAllowed {\n\t\tc.Log(logger.LevelDebug, \"renaming source: %q to target: %q not allowed\", virtualSourcePath,\n\t\t\tvirtualTargetPath)\n\t\treturn false\n\t}\n\treturn c.hasRenamePerms(virtualSourcePath, virtualTargetPath, srcInfo)\n}\n\nfunc (c *BaseConnection) hasSpaceForRename(fs vfs.Fs, virtualSourcePath, virtualTargetPath string, initialSize int64,\n\tsourcePath string, srcInfo os.FileInfo) bool {\n\tif dataprovider.GetQuotaTracking() == 0 {\n\t\treturn true\n\t}\n\tsourceFolder, errSrc := c.User.GetVirtualFolderForPath(path.Dir(virtualSourcePath))\n\tdstFolder, errDst := c.User.GetVirtualFolderForPath(path.Dir(virtualTargetPath))\n\tif errSrc != nil && errDst != nil {\n\t\t// rename inside the user home dir\n\t\treturn true\n\t}\n\tif errSrc == nil && errDst == nil {\n\t\t// rename between virtual folders\n\t\tif sourceFolder.Name == dstFolder.Name {\n\t\t\t// rename inside the same virtual folder\n\t\t\treturn true\n\t\t}\n\t}\n\tif errSrc != nil && dstFolder.IsIncludedInUserQuota() {\n\t\t// rename between user root dir and a virtual folder included in user quota\n\t\treturn true\n\t}\n\tif errDst != nil && sourceFolder.IsIncludedInUserQuota() {\n\t\t// rename between a virtual folder included in user quota and the user root dir\n\t\treturn true\n\t}\n\tquotaResult, _ := c.HasSpace(true, false, virtualTargetPath)\n\tif quotaResult.HasSpace && quotaResult.QuotaSize == 0 && quotaResult.QuotaFiles == 0 {\n\t\t// no quota restrictions\n\t\treturn true\n\t}\n\treturn c.hasSpaceForCrossRename(fs, quotaResult, initialSize, sourcePath, srcInfo)\n}\n\n// hasSpaceForCrossRename checks the quota after a rename between different folders\nfunc (c *BaseConnection) hasSpaceForCrossRename(fs vfs.Fs, quotaResult vfs.QuotaCheckResult, initialSize int64,\n\tsourcePath string, srcInfo os.FileInfo,\n) bool {\n\tif !quotaResult.HasSpace && initialSize == -1 {\n\t\t// we are over quota and this is not a file replace\n\t\treturn false\n\t}\n\tvar sizeDiff int64\n\tvar filesDiff int\n\tvar err error\n\tif srcInfo.Mode().IsRegular() {\n\t\tsizeDiff = srcInfo.Size()\n\t\tfilesDiff = 1\n\t\tif initialSize != -1 {\n\t\t\tsizeDiff -= initialSize\n\t\t\tfilesDiff = 0\n\t\t}\n\t} else if srcInfo.IsDir() {\n\t\tfilesDiff, sizeDiff, err = fs.GetDirSize(sourcePath)\n\t\tif err != nil {\n\t\t\tc.Log(logger.LevelError, \"cross rename denied, error getting size for directory %q: %v\", sourcePath, err)\n\t\t\treturn false\n\t\t}\n\t}\n\tif !quotaResult.HasSpace && initialSize != -1 {\n\t\t// we are over quota but we are overwriting an existing file so we check if the quota size after the rename is ok\n\t\tif quotaResult.QuotaSize == 0 {\n\t\t\treturn true\n\t\t}\n\t\tc.Log(logger.LevelDebug, \"cross rename overwrite, source %q, used size %d, size to add %d\",\n\t\t\tsourcePath, quotaResult.UsedSize, sizeDiff)\n\t\tquotaResult.UsedSize += sizeDiff\n\t\treturn quotaResult.GetRemainingSize() >= 0\n\t}\n\tif quotaResult.QuotaFiles > 0 {\n\t\tremainingFiles := quotaResult.GetRemainingFiles()\n\t\tc.Log(logger.LevelDebug, \"cross rename, source %q remaining file %d to add %d\", sourcePath,\n\t\t\tremainingFiles, filesDiff)\n\t\tif remainingFiles < filesDiff {\n\t\t\treturn false\n\t\t}\n\t}\n\tif quotaResult.QuotaSize > 0 {\n\t\tremainingSize := quotaResult.GetRemainingSize()\n\t\tc.Log(logger.LevelDebug, \"cross rename, source %q remaining size %d to add %d\", srcInfo.Name(),\n\t\t\tremainingSize, sizeDiff)\n\t\tif remainingSize < sizeDiff {\n\t\t\treturn false\n\t\t}\n\t}\n\treturn true\n}\n\n// GetMaxWriteSize returns the allowed size for an upload or an error\n// if no enough size is available for a resume/append\nfunc (c *BaseConnection) GetMaxWriteSize(quotaResult vfs.QuotaCheckResult, isResume bool, fileSize int64,\n\tisUploadResumeSupported bool,\n) (int64, error) {\n\tmaxWriteSize := quotaResult.GetRemainingSize()\n\n\tif isResume {\n\t\tif !isUploadResumeSupported {\n\t\t\treturn 0, c.GetOpUnsupportedError()\n\t\t}\n\t\tif c.User.Filters.MaxUploadFileSize > 0 && c.User.Filters.MaxUploadFileSize <= fileSize {\n\t\t\treturn 0, c.GetQuotaExceededError()\n\t\t}\n\t\tif c.User.Filters.MaxUploadFileSize > 0 {\n\t\t\tmaxUploadSize := c.User.Filters.MaxUploadFileSize - fileSize\n\t\t\tif maxUploadSize < maxWriteSize || maxWriteSize == 0 {\n\t\t\t\tmaxWriteSize = maxUploadSize\n\t\t\t}\n\t\t}\n\t} else {\n\t\tif maxWriteSize > 0 {\n\t\t\tmaxWriteSize += fileSize\n\t\t}\n\t\tif c.User.Filters.MaxUploadFileSize > 0 && (c.User.Filters.MaxUploadFileSize < maxWriteSize || maxWriteSize == 0) {\n\t\t\tmaxWriteSize = c.User.Filters.MaxUploadFileSize\n\t\t}\n\t}\n\n\treturn maxWriteSize, nil\n}\n\n// GetTransferQuota returns the data transfers quota\nfunc (c *BaseConnection) GetTransferQuota() dataprovider.TransferQuota {\n\tresult, _, _ := c.checkUserQuota()\n\treturn result\n}\n\nfunc (c *BaseConnection) checkUserQuota() (dataprovider.TransferQuota, int, int64) {\n\tul, dl, total := c.User.GetDataTransferLimits()\n\tresult := dataprovider.TransferQuota{\n\t\tULSize: ul,\n\t\tDLSize: dl,\n\t\tTotalSize: total,\n\t\tAllowedULSize: 0,\n\t\tAllowedDLSize: 0,\n\t\tAllowedTotalSize: 0,\n\t}\n\tif !c.User.HasTransferQuotaRestrictions() {\n\t\treturn result, -1, -1\n\t}\n\tusedFiles, usedSize, usedULSize, usedDLSize, err := dataprovider.GetUsedQuota(c.User.Username)\n\tif err != nil {\n\t\tc.Log(logger.LevelError, \"error getting used quota for %q: %v\", c.User.Username, err)\n\t\tresult.AllowedTotalSize = -1\n\t\treturn result, -1, -1\n\t}\n\tif result.TotalSize > 0 {\n\t\tresult.AllowedTotalSize = result.TotalSize - (usedULSize + usedDLSize)\n\t}\n\tif result.ULSize > 0 {\n\t\tresult.AllowedULSize = result.ULSize - usedULSize\n\t}\n\tif result.DLSize > 0 {\n\t\tresult.AllowedDLSize = result.DLSize - usedDLSize\n\t}\n\n\treturn result, usedFiles, usedSize\n}\n\n// HasSpace checks user's quota usage\nfunc (c *BaseConnection) HasSpace(checkFiles, getUsage bool, requestPath string) (vfs.QuotaCheckResult,\n\tdataprovider.TransferQuota,\n) {\n\tresult := vfs.QuotaCheckResult{\n\t\tHasSpace: true,\n\t\tAllowedSize: 0,\n\t\tAllowedFiles: 0,\n\t\tUsedSize: 0,\n\t\tUsedFiles: 0,\n\t\tQuotaSize: 0,\n\t\tQuotaFiles: 0,\n\t}\n\tif dataprovider.GetQuotaTracking() == 0 {\n\t\treturn result, dataprovider.TransferQuota{}\n\t}\n\ttransferQuota, usedFiles, usedSize := c.checkUserQuota()\n\n\tvar err error\n\tvar vfolder vfs.VirtualFolder\n\tvfolder, err = c.User.GetVirtualFolderForPath(path.Dir(requestPath))\n\tif err == nil && !vfolder.IsIncludedInUserQuota() {\n\t\tif vfolder.HasNoQuotaRestrictions(checkFiles) && !getUsage {\n\t\t\treturn result, transferQuota\n\t\t}\n\t\tresult.QuotaSize = vfolder.QuotaSize\n\t\tresult.QuotaFiles = vfolder.QuotaFiles\n\t\tresult.UsedFiles, result.UsedSize, err = dataprovider.GetUsedVirtualFolderQuota(vfolder.Name)\n\t} else {\n\t\tif c.User.HasNoQuotaRestrictions(checkFiles) && !getUsage {\n\t\t\treturn result, transferQuota\n\t\t}\n\t\tresult.QuotaSize = c.User.QuotaSize\n\t\tresult.QuotaFiles = c.User.QuotaFiles\n\t\tif usedSize == -1 {\n\t\t\tresult.UsedFiles, result.UsedSize, _, _, err = dataprovider.GetUsedQuota(c.User.Username)\n\t\t} else {\n\t\t\terr = nil\n\t\t\tresult.UsedFiles = usedFiles\n\t\t\tresult.UsedSize = usedSize\n\t\t}\n\t}\n\tif err != nil {\n\t\tc.Log(logger.LevelError, \"error getting used quota for %q request path %q: %v\", c.User.Username, requestPath, err)\n\t\tresult.HasSpace = false\n\t\treturn result, transferQuota\n\t}\n\tresult.AllowedFiles = result.QuotaFiles - result.UsedFiles\n\tresult.AllowedSize = result.QuotaSize - result.UsedSize\n\tif (checkFiles && result.QuotaFiles > 0 && result.UsedFiles >= result.QuotaFiles) ||\n\t\t(result.QuotaSize > 0 && result.UsedSize >= result.QuotaSize) {\n\t\tc.Log(logger.LevelDebug, \"quota exceed for user %q, request path %q, num files: %d/%d, size: %d/%d check files: %t\",\n\t\t\tc.User.Username, requestPath, result.UsedFiles, result.QuotaFiles, result.UsedSize, result.QuotaSize, checkFiles)\n\t\tresult.HasSpace = false\n\t\treturn result, transferQuota\n\t}\n\treturn result, transferQuota\n}\n\n// IsSameResource returns true if source and target paths are on the same resource\nfunc (c *BaseConnection) IsSameResource(virtualSourcePath, virtualTargetPath string) bool {\n\tsourceFolder, errSrc := c.User.GetVirtualFolderForPath(virtualSourcePath)\n\tdstFolder, errDst := c.User.GetVirtualFolderForPath(virtualTargetPath)\n\tif errSrc != nil && errDst != nil {\n\t\treturn true\n\t}\n\tif errSrc == nil && errDst == nil {\n\t\tif sourceFolder.Name == dstFolder.Name {\n\t\t\treturn true\n\t\t}\n\t\t// we have different folders, check if they point to the same resource\n\t\treturn sourceFolder.FsConfig.IsSameResource(dstFolder.FsConfig)\n\t}\n\tif errSrc == nil {\n\t\treturn sourceFolder.FsConfig.IsSameResource(c.User.FsConfig)\n\t}\n\treturn dstFolder.FsConfig.IsSameResource(c.User.FsConfig)\n}\n\nfunc (c *BaseConnection) isCrossFoldersRequest(virtualSourcePath, virtualTargetPath string) bool {\n\tsourceFolder, errSrc := c.User.GetVirtualFolderForPath(virtualSourcePath)\n\tdstFolder, errDst := c.User.GetVirtualFolderForPath(virtualTargetPath)\n\tif errSrc != nil && errDst != nil {\n\t\treturn false\n\t}\n\tif errSrc == nil && errDst == nil {\n\t\treturn sourceFolder.Name != dstFolder.Name\n\t}\n\treturn true\n}\n\nfunc (c *BaseConnection) updateQuotaMoveBetweenVFolders(sourceFolder, dstFolder *vfs.VirtualFolder, initialSize,\n\tfilesSize int64, numFiles int) {\n\tif sourceFolder.Name == dstFolder.Name {\n\t\t// both files are inside the same virtual folder\n\t\tif initialSize != -1 {\n\t\t\tdataprovider.UpdateUserFolderQuota(dstFolder, &c.User, -numFiles, -initialSize, false)\n\t\t}\n\t\treturn\n\t}\n\t// files are inside different virtual folders\n\tdataprovider.UpdateUserFolderQuota(sourceFolder, &c.User, -numFiles, -filesSize, false)\n\tif initialSize == -1 {\n\t\tdataprovider.UpdateUserFolderQuota(dstFolder, &c.User, numFiles, filesSize, false)\n\t\treturn\n\t}\n\t// we cannot have a directory here, initialSize != -1 only for files\n\tdataprovider.UpdateUserFolderQuota(dstFolder, &c.User, 0, filesSize-initialSize, false)\n}\n\nfunc (c *BaseConnection) updateQuotaMoveFromVFolder(sourceFolder *vfs.VirtualFolder, initialSize, filesSize int64, numFiles int) {\n\t// move between a virtual folder and the user home dir\n\tdataprovider.UpdateUserFolderQuota(sourceFolder, &c.User, -numFiles, -filesSize, false)\n\tif initialSize == -1 {\n\t\tdataprovider.UpdateUserQuota(&c.User, numFiles, filesSize, false) //nolint:errcheck\n\t\treturn\n\t}\n\t// we cannot have a directory here, initialSize != -1 only for files\n\tdataprovider.UpdateUserQuota(&c.User, 0, filesSize-initialSize, false) //nolint:errcheck\n}\n\nfunc (c *BaseConnection) updateQuotaMoveToVFolder(dstFolder *vfs.VirtualFolder, initialSize, filesSize int64, numFiles int) {\n\t// move between the user home dir and a virtual folder\n\tdataprovider.UpdateUserQuota(&c.User, -numFiles, -filesSize, false) //nolint:errcheck\n\tif initialSize == -1 {\n\t\tdataprovider.UpdateUserFolderQuota(dstFolder, &c.User, numFiles, filesSize, false)\n\t\treturn\n\t}\n\t// we cannot have a directory here, initialSize != -1 only for files\n\tdataprovider.UpdateUserFolderQuota(dstFolder, &c.User, 0, filesSize-initialSize, false)\n}\n\nfunc (c *BaseConnection) updateQuotaAfterRename(fs vfs.Fs, virtualSourcePath, virtualTargetPath, targetPath string,\n\tinitialSize int64, numFiles int, filesSize int64,\n) error {\n\tif dataprovider.GetQuotaTracking() == 0 {\n\t\treturn nil\n\t}\n\t// we don't allow to overwrite an existing directory so targetPath can be:\n\t// - a new file, a symlink is as a new file here\n\t// - a file overwriting an existing one\n\t// - a new directory\n\t// initialSize != -1 only when overwriting files\n\tsourceFolder, errSrc := c.User.GetVirtualFolderForPath(path.Dir(virtualSourcePath))\n\tdstFolder, errDst := c.User.GetVirtualFolderForPath(path.Dir(virtualTargetPath))\n\tif errSrc != nil && errDst != nil {\n\t\t// both files are contained inside the user home dir\n\t\tif initialSize != -1 {\n\t\t\t// we cannot have a directory here, we are overwriting an existing file\n\t\t\t// we need to subtract the size of the overwritten file from the user quota\n\t\t\tdataprovider.UpdateUserQuota(&c.User, -1, -initialSize, false) //nolint:errcheck\n\t\t}\n\t\treturn nil\n\t}\n\n\tif filesSize == -1 {\n\t\t// fs.Rename didn't return the affected files/sizes, we need to calculate them\n\t\tnumFiles = 1\n\t\tif fi, err := fs.Stat(targetPath); err == nil {\n\t\t\tif fi.Mode().IsDir() {\n\t\t\t\tnumFiles, filesSize, err = fs.GetDirSize(targetPath)\n\t\t\t\tif err != nil {\n\t\t\t\t\tc.Log(logger.LevelError, \"failed to update quota after rename, error scanning moved folder %q: %+v\",\n\t\t\t\t\t\ttargetPath, err)\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tfilesSize = fi.Size()\n\t\t\t}\n\t\t} else {\n\t\t\tc.Log(logger.LevelError, \"failed to update quota after renaming, file %q stat error: %+v\", targetPath, err)\n\t\t\treturn err\n\t\t}\n\t\tc.Log(logger.LevelDebug, \"calculated renamed files: %d, size: %d bytes\", numFiles, filesSize)\n\t} else {\n\t\tc.Log(logger.LevelDebug, \"returned renamed files: %d, size: %d bytes\", numFiles, filesSize)\n\t}\n\tif errSrc == nil && errDst == nil {\n\t\tc.updateQuotaMoveBetweenVFolders(&sourceFolder, &dstFolder, initialSize, filesSize, numFiles)\n\t}\n\tif errSrc == nil && errDst != nil {\n\t\tc.updateQuotaMoveFromVFolder(&sourceFolder, initialSize, filesSize, numFiles)\n\t}\n\tif errSrc != nil && errDst == nil {\n\t\tc.updateQuotaMoveToVFolder(&dstFolder, initialSize, filesSize, numFiles)\n\t}\n\treturn nil\n}\n\n// IsNotExistError returns true if the specified fs error is not exist for the connection protocol\nfunc (c *BaseConnection) IsNotExistError(err error) bool {\n\tswitch c.protocol {\n\tcase ProtocolSFTP:\n\t\treturn errors.Is(err, sftp.ErrSSHFxNoSuchFile)\n\tcase ProtocolWebDAV, ProtocolFTP, ProtocolHTTP, ProtocolOIDC, ProtocolHTTPShare, ProtocolDataRetention:\n\t\treturn errors.Is(err, os.ErrNotExist)\n\tdefault:\n\t\treturn errors.Is(err, ErrNotExist)\n\t}\n}\n\n// GetErrorForDeniedFile return permission denied or not exist error based on the specified policy\nfunc (c *BaseConnection) GetErrorForDeniedFile(policy int) error {\n\tswitch policy {\n\tcase sdk.DenyPolicyHide:\n\t\treturn c.GetNotExistError()\n\tdefault:\n\t\treturn c.GetPermissionDeniedError()\n\t}\n}\n\n// GetPermissionDeniedError returns an appropriate permission denied error for the connection protocol\nfunc (c *BaseConnection) GetPermissionDeniedError() error {\n\treturn getPermissionDeniedError(c.protocol)\n}\n\n// GetNotExistError returns an appropriate not exist error for the connection protocol\nfunc (c *BaseConnection) GetNotExistError() error {\n\tswitch c.protocol {\n\tcase ProtocolSFTP:\n\t\treturn sftp.ErrSSHFxNoSuchFile\n\tcase ProtocolWebDAV, ProtocolFTP, ProtocolHTTP, ProtocolOIDC, ProtocolHTTPShare, ProtocolDataRetention:\n\t\treturn os.ErrNotExist\n\tdefault:\n\t\treturn ErrNotExist\n\t}\n}\n\n// GetOpUnsupportedError returns an appropriate operation not supported error for the connection protocol\nfunc (c *BaseConnection) GetOpUnsupportedError() error {\n\tswitch c.protocol {\n\tcase ProtocolSFTP:\n\t\treturn sftp.ErrSSHFxOpUnsupported\n\tdefault:\n\t\treturn ErrOpUnsupported\n\t}\n}\n\nfunc getQuotaExceededError(protocol string) error {\n\tswitch protocol {\n\tcase ProtocolSFTP:\n\t\treturn fmt.Errorf(\"%w: %w\", sftp.ErrSSHFxFailure, ErrQuotaExceeded)\n\tcase ProtocolFTP:\n\t\treturn ftpserver.ErrStorageExceeded\n\tdefault:\n\t\treturn ErrQuotaExceeded\n\t}\n}\n\nfunc getReadQuotaExceededError(protocol string) error {\n\tswitch protocol {\n\tcase ProtocolSFTP:\n\t\treturn fmt.Errorf(\"%w: %w\", sftp.ErrSSHFxFailure, ErrReadQuotaExceeded)\n\tdefault:\n\t\treturn ErrReadQuotaExceeded\n\t}\n}\n\n// GetQuotaExceededError returns an appropriate storage limit exceeded error for the connection protocol\nfunc (c *BaseConnection) GetQuotaExceededError() error {\n\treturn getQuotaExceededError(c.protocol)\n}\n\n// GetReadQuotaExceededError returns an appropriate read quota limit exceeded error for the connection protocol\nfunc (c *BaseConnection) GetReadQuotaExceededError() error {\n\treturn getReadQuotaExceededError(c.protocol)\n}\n\n// IsQuotaExceededError returns true if the given error is a quota exceeded error\nfunc (c *BaseConnection) IsQuotaExceededError(err error) bool {\n\tswitch c.protocol {\n\tcase ProtocolSFTP:\n\t\tif err == nil {\n\t\t\treturn false\n\t\t}\n\t\tif errors.Is(err, ErrQuotaExceeded) {\n\t\t\treturn true\n\t\t}\n\t\treturn errors.Is(err, sftp.ErrSSHFxFailure) && strings.Contains(err.Error(), ErrQuotaExceeded.Error())\n\tcase ProtocolFTP:\n\t\treturn errors.Is(err, ftpserver.ErrStorageExceeded) || errors.Is(err, ErrQuotaExceeded)\n\tdefault:\n\t\treturn errors.Is(err, ErrQuotaExceeded)\n\t}\n}\n\nfunc isSFTPGoError(err error) bool {\n\treturn errors.Is(err, ErrPermissionDenied) || errors.Is(err, ErrNotExist) || errors.Is(err, ErrOpUnsupported) ||\n\t\terrors.Is(err, ErrQuotaExceeded) || errors.Is(err, ErrReadQuotaExceeded) ||\n\t\terrors.Is(err, vfs.ErrStorageSizeUnavailable) || errors.Is(err, ErrShuttingDown)\n}\n\n// GetGenericError returns an appropriate generic error for the connection protocol\nfunc (c *BaseConnection) GetGenericError(err error) error {\n\tswitch c.protocol {\n\tcase ProtocolSFTP:\n\t\tif errors.Is(err, vfs.ErrStorageSizeUnavailable) || errors.Is(err, ErrOpUnsupported) || errors.Is(err, sftp.ErrSSHFxOpUnsupported) {\n\t\t\treturn fmt.Errorf(\"%w: %w\", sftp.ErrSSHFxOpUnsupported, err)\n\t\t}\n\t\tif isSFTPGoError(err) {\n\t\t\treturn fmt.Errorf(\"%w: %w\", sftp.ErrSSHFxFailure, err)\n\t\t}\n\t\tif err != nil {\n\t\t\tvar pathError *fs.PathError\n\t\t\tif errors.As(err, &pathError) {\n\t\t\t\tc.Log(logger.LevelError, \"generic path error: %+v\", pathError)\n\t\t\t\treturn fmt.Errorf(\"%w: %v %v\", sftp.ErrSSHFxFailure, pathError.Op, pathError.Err.Error())\n\t\t\t}\n\t\t\tc.Log(logger.LevelError, \"generic error: %+v\", err)\n\t\t}\n\t\treturn sftp.ErrSSHFxFailure\n\tdefault:\n\t\tif isSFTPGoError(err) {\n\t\t\treturn err\n\t\t}\n\t\tc.Log(logger.LevelError, \"generic error: %+v\", err)\n\t\treturn ErrGenericFailure\n\t}\n}\n\n// GetFsError converts a filesystem error to a protocol error\nfunc (c *BaseConnection) GetFsError(fs vfs.Fs, err error) error {\n\tif fs.IsNotExist(err) {\n\t\treturn c.GetNotExistError()\n\t} else if fs.IsPermission(err) {\n\t\treturn c.GetPermissionDeniedError()\n\t} else if fs.IsNotSupported(err) {\n\t\treturn c.GetOpUnsupportedError()\n\t} else if err != nil {\n\t\treturn c.GetGenericError(err)\n\t}\n\treturn nil\n}\n\nfunc (c *BaseConnection) getNotificationStatus(err error) int {\n\tif err == nil {\n\t\treturn 1\n\t}\n\tif c.IsQuotaExceededError(err) {\n\t\treturn 3\n\t}\n\treturn 2\n}\n\n// GetFsAndResolvedPath returns the fs and the fs path matching virtualPath\nfunc (c *BaseConnection) GetFsAndResolvedPath(virtualPath string) (vfs.Fs, string, error) {\n\tfs, err := c.User.GetFilesystemForPath(virtualPath, c.ID)\n\tif err != nil {\n\t\tif c.protocol == ProtocolWebDAV && strings.Contains(err.Error(), vfs.ErrSFTPLoop.Error()) {\n\t\t\t// if there is an SFTP loop we return a permission error, for WebDAV, so the problematic folder\n\t\t\t// will not be listed\n\t\t\treturn nil, \"\", util.NewI18nError(c.GetPermissionDeniedError(), util.I18nError403Message)\n\t\t}\n\t\treturn nil, \"\", c.GetGenericError(err)\n\t}\n\n\tif isShuttingDown.Load() {\n\t\treturn nil, \"\", c.GetFsError(fs, ErrShuttingDown)\n\t}\n\n\tfsPath, err := fs.ResolvePath(virtualPath)\n\tif err != nil {\n\t\treturn nil, \"\", c.GetFsError(fs, err)\n\t}\n\n\treturn fs, fsPath, nil\n}\n\n// DirListerAt defines a directory lister implementing the ListAt method.\ntype DirListerAt struct {\n\tvirtualPath string\n\tconn *BaseConnection\n\tfs vfs.Fs\n\tinfo []os.FileInfo\n\tmu sync.Mutex\n\tlister vfs.DirLister\n}\n\n// Prepend adds the given os.FileInfo as first element of the internal cache\nfunc (l *DirListerAt) Prepend(fi os.FileInfo) {\n\tl.mu.Lock()\n\tdefer l.mu.Unlock()\n\n\tl.info = slices.Insert(l.info, 0, fi)\n}\n\n// ListAt implements sftp.ListerAt\nfunc (l *DirListerAt) ListAt(f []os.FileInfo, _ int64) (int, error) {\n\tl.mu.Lock()\n\tdefer l.mu.Unlock()\n\n\tif len(f) == 0 {\n\t\treturn 0, errors.New(\"invalid ListAt destination, zero size\")\n\t}\n\tif len(f) <= len(l.info) {\n\t\tfiles := make([]os.FileInfo, 0, len(f))\n\t\tfor idx := range l.info {\n\t\t\tfiles = append(files, l.info[idx])\n\t\t\tif len(files) == len(f) {\n\t\t\t\tl.info = l.info[idx+1:]\n\t\t\t\tn := copy(f, files)\n\t\t\t\treturn n, nil\n\t\t\t}\n\t\t}\n\t}\n\tlimit := len(f) - len(l.info)\n\tfiles, err := l.Next(limit)\n\tn := copy(f, files)\n\treturn n, err\n}\n\n// Next reads the directory and returns a slice of up to n FileInfo values.\nfunc (l *DirListerAt) Next(limit int) ([]os.FileInfo, error) {\n\tfor {\n\t\tfiles, err := l.lister.Next(limit)\n\t\tif err != nil && !errors.Is(err, io.EOF) {\n\t\t\tl.conn.Log(logger.LevelDebug, \"error retrieving directory entries: %+v\", err)\n\t\t\treturn files, l.conn.GetFsError(l.fs, err)\n\t\t}\n\t\tfiles = l.conn.User.FilterListDir(files, l.virtualPath)\n\t\tif len(l.info) > 0 {\n\t\t\tfiles = slices.Concat(l.info, files)\n\t\t\tl.info = nil\n\t\t}\n\t\tif err != nil || len(files) > 0 {\n\t\t\treturn files, err\n\t\t}\n\t}\n}\n\n// Close closes the DirListerAt\nfunc (l *DirListerAt) Close() error {\n\tl.mu.Lock()\n\tdefer l.mu.Unlock()\n\n\treturn l.lister.Close()\n}\n\nfunc (l *DirListerAt) convertError(err error) error {\n\tif errors.Is(err, io.EOF) {\n\t\treturn nil\n\t}\n\treturn err\n}\n\nfunc getPermissionDeniedError(protocol string) error {\n\tswitch protocol {\n\tcase ProtocolSFTP:\n\t\treturn sftp.ErrSSHFxPermissionDenied\n\tcase ProtocolWebDAV, ProtocolFTP, ProtocolHTTP, ProtocolOIDC, ProtocolHTTPShare, ProtocolDataRetention:\n\t\treturn os.ErrPermission\n\tdefault:\n\t\treturn ErrPermissionDenied\n\t}\n}\n\nfunc keepConnectionAlive(c *BaseConnection, interval time.Duration) func() {\n\tvar timer *time.Timer\n\tvar closed atomic.Bool\n\n\ttask := func() {\n\t\tc.UpdateLastActivity()\n\n\t\tif !closed.Load() {\n\t\t\ttimer.Reset(interval)\n\t\t}\n\t}\n\n\ttimer = time.AfterFunc(interval, task)\n\n\treturn func() {\n\t\tclosed.Store(true)\n\t\ttimer.Stop()\n\t}\n}\n" }, { "path": "internal/common/connection_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"slices\"\n\t\"strconv\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/pkg/sftp\"\n\t\"github.com/rs/xid\"\n\t\"github.com/sftpgo/sdk\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nvar (\n\terrWalkDir = errors.New(\"err walk dir\")\n)\n\n// MockOsFs mockable OsFs\ntype MockOsFs struct {\n\tvfs.Fs\n\thasVirtualFolders bool\n\tname string\n\terr error\n}\n\n// Name returns the name for the Fs implementation\nfunc (fs *MockOsFs) Name() string {\n\tif fs.name != \"\" {\n\t\treturn fs.name\n\t}\n\treturn \"mockOsFs\"\n}\n\n// HasVirtualFolders returns true if folders are emulated\nfunc (fs *MockOsFs) HasVirtualFolders() bool {\n\treturn fs.hasVirtualFolders\n}\n\nfunc (fs *MockOsFs) IsUploadResumeSupported() bool {\n\treturn !fs.hasVirtualFolders\n}\n\nfunc (fs *MockOsFs) Chtimes(_ string, _, _ time.Time, _ bool) error {\n\treturn vfs.ErrVfsUnsupported\n}\n\nfunc (fs *MockOsFs) Lstat(name string) (os.FileInfo, error) {\n\tif fs.err != nil {\n\t\treturn nil, fs.err\n\t}\n\treturn fs.Fs.Lstat(name)\n}\n\n// Walk returns a duplicate path for testing\nfunc (fs *MockOsFs) Walk(_ string, walkFn filepath.WalkFunc) error {\n\tif fs.err == errWalkDir {\n\t\twalkFn(\"fsdpath\", vfs.NewFileInfo(\"dpath\", true, 0, time.Now(), false), nil) //nolint:errcheck\n\t\treturn walkFn(\"fsdpath\", vfs.NewFileInfo(\"dpath\", true, 0, time.Now(), false), nil) //nolint:errcheck\n\t}\n\twalkFn(\"fsfpath\", vfs.NewFileInfo(\"fpath\", false, 0, time.Now(), false), nil) //nolint:errcheck\n\treturn fs.err\n}\n\nfunc newMockOsFs(hasVirtualFolders bool, connectionID, rootDir, name string, err error) vfs.Fs {\n\treturn &MockOsFs{\n\t\tFs: vfs.NewOsFs(connectionID, rootDir, \"\", nil),\n\t\tname: name,\n\t\thasVirtualFolders: hasVirtualFolders,\n\t\terr: err,\n\t}\n}\n\nfunc TestRemoveErrors(t *testing.T) {\n\tmappedPath := filepath.Join(os.TempDir(), \"map\")\n\thomePath := filepath.Join(os.TempDir(), \"home\")\n\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"remove_errors_user\",\n\t\t\tHomeDir: homePath,\n\t\t},\n\t\tVirtualFolders: []vfs.VirtualFolder{\n\t\t\t{\n\t\t\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\t\t\tName: filepath.Base(mappedPath),\n\t\t\t\t\tMappedPath: mappedPath,\n\t\t\t\t},\n\t\t\t\tVirtualPath: \"/virtualpath\",\n\t\t\t},\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tfs := vfs.NewOsFs(\"\", os.TempDir(), \"\", nil)\n\tconn := NewBaseConnection(\"\", ProtocolFTP, \"\", \"\", user)\n\terr := conn.IsRemoveDirAllowed(fs, mappedPath, \"/virtualpath1\")\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"permission denied\")\n\t}\n\terr = conn.RemoveFile(fs, filepath.Join(homePath, \"missing_file\"), \"/missing_file\",\n\t\tvfs.NewFileInfo(\"info\", false, 100, time.Now(), false))\n\tassert.Error(t, err)\n}\n\nfunc TestSetStatMode(t *testing.T) {\n\toldSetStatMode := Config.SetstatMode\n\tConfig.SetstatMode = 1\n\n\tfakePath := \"fake path\"\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tHomeDir: os.TempDir(),\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tfs := newMockOsFs(true, \"\", user.GetHomeDir(), \"\", nil)\n\tconn := NewBaseConnection(\"\", ProtocolWebDAV, \"\", \"\", user)\n\terr := conn.handleChmod(fs, fakePath, fakePath, nil)\n\tassert.NoError(t, err)\n\terr = conn.handleChown(fs, fakePath, fakePath, nil)\n\tassert.NoError(t, err)\n\terr = conn.handleChtimes(fs, fakePath, fakePath, nil)\n\tassert.NoError(t, err)\n\n\tConfig.SetstatMode = 2\n\terr = conn.handleChmod(fs, fakePath, fakePath, nil)\n\tassert.NoError(t, err)\n\terr = conn.handleChtimes(fs, fakePath, fakePath, &StatAttributes{\n\t\tAtime: time.Now(),\n\t\tMtime: time.Now(),\n\t})\n\tassert.NoError(t, err)\n\n\tConfig.SetstatMode = oldSetStatMode\n}\n\nfunc TestRecursiveRenameWalkError(t *testing.T) {\n\tfs := vfs.NewOsFs(\"\", filepath.Clean(os.TempDir()), \"\", nil)\n\tconn := NewBaseConnection(\"\", ProtocolWebDAV, \"\", \"\", dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tPermissions: map[string][]string{\n\t\t\t\t\"/\": {dataprovider.PermListItems, dataprovider.PermUpload,\n\t\t\t\t\tdataprovider.PermDownload, dataprovider.PermRenameDirs},\n\t\t\t},\n\t\t},\n\t})\n\terr := conn.checkRecursiveRenameDirPermissions(fs, fs, filepath.Join(os.TempDir(), \"/source\"),\n\t\tfilepath.Join(os.TempDir(), \"/target\"), \"/source\", \"/target\",\n\t\tvfs.NewFileInfo(\"source\", true, 0, time.Now(), false))\n\tassert.ErrorIs(t, err, os.ErrNotExist)\n\n\tfs = newMockOsFs(false, \"mockID\", filepath.Clean(os.TempDir()), \"S3Fs\", errWalkDir)\n\terr = conn.checkRecursiveRenameDirPermissions(fs, fs, filepath.Join(os.TempDir(), \"/source\"),\n\t\tfilepath.Join(os.TempDir(), \"/target\"), \"/source\", \"/target\",\n\t\tvfs.NewFileInfo(\"source\", true, 0, time.Now(), false))\n\tif assert.Error(t, err) {\n\t\tassert.Equal(t, err.Error(), conn.GetOpUnsupportedError().Error())\n\t}\n\n\tconn.User.Permissions[\"/\"] = []string{dataprovider.PermListItems, dataprovider.PermUpload,\n\t\tdataprovider.PermDownload, dataprovider.PermRenameFiles}\n\t// no dir rename permission, the quick check path returns permission error without walking\n\terr = conn.checkRecursiveRenameDirPermissions(fs, fs, filepath.Join(os.TempDir(), \"/source\"),\n\t\tfilepath.Join(os.TempDir(), \"/target\"), \"/source\", \"/target\",\n\t\tvfs.NewFileInfo(\"source\", true, 0, time.Now(), false))\n\tif assert.Error(t, err) {\n\t\tassert.EqualError(t, err, conn.GetPermissionDeniedError().Error())\n\t}\n}\n\nfunc TestCrossRenameFsErrors(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tfs := vfs.NewOsFs(\"\", os.TempDir(), \"\", nil)\n\tconn := NewBaseConnection(\"\", ProtocolWebDAV, \"\", \"\", dataprovider.User{})\n\tdirPath := filepath.Join(os.TempDir(), \"d\")\n\terr := os.Mkdir(dirPath, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.Chmod(dirPath, 0001)\n\tassert.NoError(t, err)\n\tsrcInfo := vfs.NewFileInfo(filepath.Base(dirPath), true, 0, time.Now(), false)\n\tres := conn.hasSpaceForCrossRename(fs, vfs.QuotaCheckResult{}, 1, dirPath, srcInfo)\n\tassert.False(t, res)\n\n\terr = os.Chmod(dirPath, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.Remove(dirPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestRenameVirtualFolders(t *testing.T) {\n\tvdir := \"/avdir\"\n\tu := dataprovider.User{}\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: \"name\",\n\t\t\tMappedPath: \"mappedPath\",\n\t\t},\n\t\tVirtualPath: vdir,\n\t})\n\tfs := vfs.NewOsFs(\"\", os.TempDir(), \"\", nil)\n\tconn := NewBaseConnection(\"\", ProtocolFTP, \"\", \"\", u)\n\tres := conn.isRenamePermitted(fs, fs, \"source\", \"target\", vdir, \"vdirtarget\", nil)\n\tassert.False(t, res)\n}\n\nfunc TestRenamePerms(t *testing.T) {\n\tsrc := \"source\"\n\ttarget := \"target\"\n\tsub := \"/sub\"\n\tsubTarget := sub + \"/target\"\n\tu := dataprovider.User{}\n\tu.Permissions = map[string][]string{}\n\tu.Permissions[\"/\"] = []string{dataprovider.PermCreateDirs, dataprovider.PermUpload, dataprovider.PermCreateSymlinks,\n\t\tdataprovider.PermDeleteFiles}\n\tconn := NewBaseConnection(\"\", ProtocolSFTP, \"\", \"\", u)\n\tassert.False(t, conn.hasRenamePerms(src, target, nil))\n\tu.Permissions[\"/\"] = []string{dataprovider.PermRename}\n\tassert.True(t, conn.hasRenamePerms(src, target, nil))\n\tu.Permissions[\"/\"] = []string{dataprovider.PermCreateDirs, dataprovider.PermUpload, dataprovider.PermDeleteFiles,\n\t\tdataprovider.PermDeleteDirs}\n\tassert.False(t, conn.hasRenamePerms(src, target, nil))\n\n\tinfo := vfs.NewFileInfo(src, true, 0, time.Now(), false)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermRenameFiles}\n\tassert.False(t, conn.hasRenamePerms(src, target, info))\n\tu.Permissions[\"/\"] = []string{dataprovider.PermRenameDirs}\n\tassert.True(t, conn.hasRenamePerms(src, target, info))\n\tu.Permissions[\"/\"] = []string{dataprovider.PermRename}\n\tassert.True(t, conn.hasRenamePerms(src, target, info))\n\tu.Permissions[\"/\"] = []string{dataprovider.PermDownload, dataprovider.PermUpload, dataprovider.PermDeleteDirs}\n\tassert.False(t, conn.hasRenamePerms(src, target, info))\n\t// test with different permissions between source and target\n\tu.Permissions[\"/\"] = []string{dataprovider.PermRename}\n\tu.Permissions[sub] = []string{dataprovider.PermRenameFiles}\n\tassert.False(t, conn.hasRenamePerms(src, subTarget, info))\n\tu.Permissions[sub] = []string{dataprovider.PermRenameDirs}\n\tassert.True(t, conn.hasRenamePerms(src, subTarget, info))\n\t// test files\n\tinfo = vfs.NewFileInfo(src, false, 0, time.Now(), false)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermRenameDirs}\n\tassert.False(t, conn.hasRenamePerms(src, target, info))\n\tu.Permissions[\"/\"] = []string{dataprovider.PermRenameFiles}\n\tassert.True(t, conn.hasRenamePerms(src, target, info))\n\tu.Permissions[\"/\"] = []string{dataprovider.PermRename}\n\tassert.True(t, conn.hasRenamePerms(src, target, info))\n\t// test with different permissions between source and target\n\tu.Permissions[\"/\"] = []string{dataprovider.PermRename}\n\tu.Permissions[sub] = []string{dataprovider.PermRenameDirs}\n\tassert.False(t, conn.hasRenamePerms(src, subTarget, info))\n\tu.Permissions[sub] = []string{dataprovider.PermRenameFiles}\n\tassert.True(t, conn.hasRenamePerms(src, subTarget, info))\n}\n\nfunc TestRenameNestedFolders(t *testing.T) {\n\tu := dataprovider.User{}\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: \"vfolder\",\n\t\t\tMappedPath: filepath.Join(os.TempDir(), \"f\"),\n\t\t},\n\t\tVirtualPath: \"/vdirs/f\",\n\t})\n\tconn := NewBaseConnection(\"\", ProtocolSFTP, \"\", \"\", u)\n\terr := conn.checkFolderRename(nil, nil, filepath.Clean(os.TempDir()), filepath.Join(os.TempDir(), \"subdir\"), \"/src\", \"/dst\", nil)\n\tassert.Error(t, err)\n\terr = conn.checkFolderRename(nil, nil, filepath.Join(os.TempDir(), \"subdir\"), filepath.Clean(os.TempDir()), \"/src\", \"/dst\", nil)\n\tassert.Error(t, err)\n\terr = conn.checkFolderRename(nil, nil, \"\", \"\", \"/src/sub\", \"/src\", nil)\n\tassert.Error(t, err)\n\terr = conn.checkFolderRename(nil, nil, filepath.Join(os.TempDir(), \"src\"), filepath.Join(os.TempDir(), \"vdirs\"), \"/src\", \"/vdirs\", nil)\n\tassert.Error(t, err)\n}\n\nfunc TestUpdateQuotaAfterRename(t *testing.T) {\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: userTestUsername,\n\t\t\tHomeDir: filepath.Join(os.TempDir(), \"home\"),\n\t\t},\n\t}\n\tmappedPath := filepath.Join(os.TempDir(), \"vdir\")\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tuser.VirtualFolders = append(user.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tMappedPath: mappedPath,\n\t\t},\n\t\tVirtualPath: \"/vdir\",\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tuser.VirtualFolders = append(user.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tMappedPath: mappedPath,\n\t\t},\n\t\tVirtualPath: \"/vdir1\",\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\terr := os.MkdirAll(user.GetHomeDir(), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(mappedPath, os.ModePerm)\n\tassert.NoError(t, err)\n\tfs, err := user.GetFilesystem(\"id\")\n\tassert.NoError(t, err)\n\tc := NewBaseConnection(\"\", ProtocolSFTP, \"\", \"\", user)\n\trequest := sftp.NewRequest(\"Rename\", \"/testfile\")\n\tif runtime.GOOS != osWindows {\n\t\trequest.Filepath = \"/dir\"\n\t\trequest.Target = path.Join(\"/vdir\", \"dir\")\n\t\ttestDirPath := filepath.Join(mappedPath, \"dir\")\n\t\terr := os.MkdirAll(testDirPath, os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\terr = os.Chmod(testDirPath, 0001)\n\t\tassert.NoError(t, err)\n\t\terr = c.updateQuotaAfterRename(fs, request.Filepath, request.Target, testDirPath, 0, -1, -1)\n\t\tassert.Error(t, err)\n\t\terr = os.Chmod(testDirPath, os.ModePerm)\n\t\tassert.NoError(t, err)\n\t}\n\ttestFile1 := \"/testfile1\"\n\trequest.Target = testFile1\n\trequest.Filepath = path.Join(\"/vdir\", \"file\")\n\terr = c.updateQuotaAfterRename(fs, request.Filepath, request.Target, filepath.Join(mappedPath, \"file\"), 0, -1, -1)\n\tassert.Error(t, err)\n\terr = os.WriteFile(filepath.Join(mappedPath, \"file\"), []byte(\"test content\"), os.ModePerm)\n\tassert.NoError(t, err)\n\trequest.Filepath = testFile1\n\trequest.Target = path.Join(\"/vdir\", \"file\")\n\terr = c.updateQuotaAfterRename(fs, request.Filepath, request.Target, filepath.Join(mappedPath, \"file\"), 12, -1, -1)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(filepath.Join(user.GetHomeDir(), \"testfile1\"), []byte(\"test content\"), os.ModePerm)\n\tassert.NoError(t, err)\n\trequest.Target = testFile1\n\trequest.Filepath = path.Join(\"/vdir\", \"file\")\n\terr = c.updateQuotaAfterRename(fs, request.Filepath, request.Target, filepath.Join(mappedPath, \"file\"), 12, -1, -1)\n\tassert.NoError(t, err)\n\trequest.Target = path.Join(\"/vdir1\", \"file\")\n\trequest.Filepath = path.Join(\"/vdir\", \"file\")\n\terr = c.updateQuotaAfterRename(fs, request.Filepath, request.Target, filepath.Join(mappedPath, \"file\"), 12, -1, -1)\n\tassert.NoError(t, err)\n\terr = c.updateQuotaAfterRename(fs, request.Filepath, request.Target, filepath.Join(mappedPath, \"file\"), 12, 1, 100)\n\tassert.NoError(t, err)\n\n\terr = os.RemoveAll(mappedPath)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestErrorsMapping(t *testing.T) {\n\tfs := vfs.NewOsFs(\"\", os.TempDir(), \"\", nil)\n\tconn := NewBaseConnection(\"\", ProtocolSFTP, \"\", \"\", dataprovider.User{BaseUser: sdk.BaseUser{HomeDir: os.TempDir()}})\n\tosErrorsProtocols := []string{ProtocolWebDAV, ProtocolFTP, ProtocolHTTP, ProtocolHTTPShare,\n\t\tProtocolDataRetention, ProtocolOIDC, protocolEventAction}\n\tfor _, protocol := range supportedProtocols {\n\t\tconn.SetProtocol(protocol)\n\t\terr := conn.GetFsError(fs, os.ErrNotExist)\n\t\tif protocol == ProtocolSFTP {\n\t\t\tassert.ErrorIs(t, err, sftp.ErrSSHFxNoSuchFile)\n\t\t} else if slices.Contains(osErrorsProtocols, protocol) {\n\t\t\tassert.EqualError(t, err, os.ErrNotExist.Error())\n\t\t} else {\n\t\t\tassert.EqualError(t, err, ErrNotExist.Error())\n\t\t}\n\t\terr = conn.GetFsError(fs, os.ErrPermission)\n\t\tif protocol == ProtocolSFTP {\n\t\t\tassert.EqualError(t, err, sftp.ErrSSHFxPermissionDenied.Error())\n\t\t} else {\n\t\t\tassert.EqualError(t, err, ErrPermissionDenied.Error())\n\t\t}\n\t\terr = conn.GetFsError(fs, os.ErrClosed)\n\t\tif protocol == ProtocolSFTP {\n\t\t\tassert.ErrorIs(t, err, sftp.ErrSSHFxFailure)\n\t\t} else {\n\t\t\tassert.EqualError(t, err, ErrGenericFailure.Error())\n\t\t}\n\t\terr = conn.GetFsError(fs, ErrPermissionDenied)\n\t\tif protocol == ProtocolSFTP {\n\t\t\tassert.ErrorIs(t, err, sftp.ErrSSHFxFailure)\n\t\t} else {\n\t\t\tassert.EqualError(t, err, ErrPermissionDenied.Error())\n\t\t}\n\t\terr = conn.GetFsError(fs, vfs.ErrVfsUnsupported)\n\t\tif protocol == ProtocolSFTP {\n\t\t\tassert.EqualError(t, err, sftp.ErrSSHFxOpUnsupported.Error())\n\t\t} else {\n\t\t\tassert.EqualError(t, err, ErrOpUnsupported.Error())\n\t\t}\n\t\terr = conn.GetFsError(fs, vfs.ErrStorageSizeUnavailable)\n\t\tif protocol == ProtocolSFTP {\n\t\t\tassert.ErrorIs(t, err, sftp.ErrSSHFxOpUnsupported)\n\t\t\tassert.Contains(t, err.Error(), vfs.ErrStorageSizeUnavailable.Error())\n\t\t} else {\n\t\t\tassert.EqualError(t, err, vfs.ErrStorageSizeUnavailable.Error())\n\t\t}\n\t\terr = conn.GetQuotaExceededError()\n\t\tassert.True(t, conn.IsQuotaExceededError(err))\n\t\terr = conn.GetReadQuotaExceededError()\n\t\tif protocol == ProtocolSFTP {\n\t\t\tassert.ErrorIs(t, err, sftp.ErrSSHFxFailure)\n\t\t\tassert.Contains(t, err.Error(), ErrReadQuotaExceeded.Error())\n\t\t} else {\n\t\t\tassert.ErrorIs(t, err, ErrReadQuotaExceeded)\n\t\t}\n\t\terr = conn.GetNotExistError()\n\t\tassert.True(t, conn.IsNotExistError(err))\n\t\terr = conn.GetFsError(fs, nil)\n\t\tassert.NoError(t, err)\n\t\terr = conn.GetOpUnsupportedError()\n\t\tif protocol == ProtocolSFTP {\n\t\t\tassert.EqualError(t, err, sftp.ErrSSHFxOpUnsupported.Error())\n\t\t} else {\n\t\t\tassert.EqualError(t, err, ErrOpUnsupported.Error())\n\t\t}\n\t\terr = conn.GetFsError(fs, ErrShuttingDown)\n\t\tif protocol == ProtocolSFTP {\n\t\t\tassert.ErrorIs(t, err, sftp.ErrSSHFxFailure)\n\t\t\tassert.Contains(t, err.Error(), ErrShuttingDown.Error())\n\t\t} else {\n\t\t\tassert.EqualError(t, err, ErrShuttingDown.Error())\n\t\t}\n\t}\n}\n\nfunc TestMaxWriteSize(t *testing.T) {\n\tpermissions := make(map[string][]string)\n\tpermissions[\"/\"] = []string{dataprovider.PermAny}\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: userTestUsername,\n\t\t\tPermissions: permissions,\n\t\t\tHomeDir: filepath.Clean(os.TempDir()),\n\t\t},\n\t}\n\tfs, err := user.GetFilesystem(\"123\")\n\tassert.NoError(t, err)\n\tconn := NewBaseConnection(\"\", ProtocolFTP, \"\", \"\", user)\n\tquotaResult := vfs.QuotaCheckResult{\n\t\tHasSpace: true,\n\t}\n\tsize, err := conn.GetMaxWriteSize(quotaResult, false, 0, fs.IsUploadResumeSupported())\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(0), size)\n\n\tconn.User.Filters.MaxUploadFileSize = 100\n\tsize, err = conn.GetMaxWriteSize(quotaResult, false, 0, fs.IsUploadResumeSupported())\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(100), size)\n\n\tquotaResult.QuotaSize = 1000\n\tsize, err = conn.GetMaxWriteSize(quotaResult, false, 50, fs.IsUploadResumeSupported())\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(100), size)\n\n\tquotaResult.QuotaSize = 1000\n\tquotaResult.UsedSize = 990\n\tsize, err = conn.GetMaxWriteSize(quotaResult, false, 50, fs.IsUploadResumeSupported())\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(60), size)\n\n\tquotaResult.QuotaSize = 0\n\tquotaResult.UsedSize = 0\n\tsize, err = conn.GetMaxWriteSize(quotaResult, true, 100, fs.IsUploadResumeSupported())\n\tassert.True(t, conn.IsQuotaExceededError(err))\n\tassert.Equal(t, int64(0), size)\n\n\tsize, err = conn.GetMaxWriteSize(quotaResult, true, 10, fs.IsUploadResumeSupported())\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(90), size)\n\n\tfs = newMockOsFs(true, fs.ConnectionID(), user.GetHomeDir(), \"\", nil)\n\tsize, err = conn.GetMaxWriteSize(quotaResult, true, 100, fs.IsUploadResumeSupported())\n\tassert.EqualError(t, err, ErrOpUnsupported.Error())\n\tassert.Equal(t, int64(0), size)\n}\n\nfunc TestCheckParentDirsErrors(t *testing.T) {\n\tpermissions := make(map[string][]string)\n\tpermissions[\"/\"] = []string{dataprovider.PermAny}\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: userTestUsername,\n\t\t\tPermissions: permissions,\n\t\t\tHomeDir: filepath.Clean(os.TempDir()),\n\t\t},\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.CryptedFilesystemProvider,\n\t\t},\n\t}\n\tc := NewBaseConnection(xid.New().String(), ProtocolSFTP, \"\", \"\", user)\n\terr := c.CheckParentDirs(\"/a/dir\")\n\tassert.Error(t, err)\n\n\tuser.FsConfig.Provider = sdk.LocalFilesystemProvider\n\tuser.VirtualFolders = nil\n\tuser.VirtualFolders = append(user.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tFsConfig: vfs.Filesystem{\n\t\t\t\tProvider: sdk.CryptedFilesystemProvider,\n\t\t\t},\n\t\t},\n\t\tVirtualPath: \"/vdir\",\n\t})\n\tuser.VirtualFolders = append(user.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tMappedPath: filepath.Clean(os.TempDir()),\n\t\t},\n\t\tVirtualPath: \"/vdir/sub\",\n\t})\n\tc = NewBaseConnection(xid.New().String(), ProtocolSFTP, \"\", \"\", user)\n\terr = c.CheckParentDirs(\"/vdir/sub/dir\")\n\tassert.Error(t, err)\n\n\tuser = dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: userTestUsername,\n\t\t\tPermissions: permissions,\n\t\t\tHomeDir: filepath.Clean(os.TempDir()),\n\t\t},\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.S3FilesystemProvider,\n\t\t\tS3Config: vfs.S3FsConfig{\n\t\t\t\tBaseS3FsConfig: sdk.BaseS3FsConfig{\n\t\t\t\t\tBucket: \"buck\",\n\t\t\t\t\tRegion: \"us-east-1\",\n\t\t\t\t\tAccessKey: \"key\",\n\t\t\t\t},\n\t\t\t\tAccessSecret: kms.NewPlainSecret(\"s3secret\"),\n\t\t\t},\n\t\t},\n\t}\n\tc = NewBaseConnection(xid.New().String(), ProtocolSFTP, \"\", \"\", user)\n\terr = c.CheckParentDirs(\"/a/dir\")\n\tassert.NoError(t, err)\n\n\tuser.VirtualFolders = append(user.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tMappedPath: filepath.Clean(os.TempDir()),\n\t\t},\n\t\tVirtualPath: \"/local/dir\",\n\t})\n\n\tc = NewBaseConnection(xid.New().String(), ProtocolSFTP, \"\", \"\", user)\n\terr = c.CheckParentDirs(\"/local/dir/sub-dir\")\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(filepath.Join(os.TempDir(), \"sub-dir\"))\n\tassert.NoError(t, err)\n}\n\nfunc TestErrorResolvePath(t *testing.T) {\n\tu := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tHomeDir: filepath.Join(os.TempDir(), \"u\"),\n\t\t\tStatus: 1,\n\t\t\tPermissions: map[string][]string{\n\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t},\n\t\t},\n\t}\n\tu.FsConfig.Provider = sdk.GCSFilesystemProvider\n\tu.FsConfig.GCSConfig.Bucket = \"test\"\n\tu.FsConfig.GCSConfig.Credentials = kms.NewPlainSecret(\"invalid JSON for credentials\")\n\tu.VirtualFolders = []vfs.VirtualFolder{\n\t\t{\n\t\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\t\tName: \"f\",\n\t\t\t\tMappedPath: filepath.Join(os.TempDir(), \"f\"),\n\t\t\t},\n\t\t\tVirtualPath: \"/f\",\n\t\t},\n\t}\n\n\tconn := NewBaseConnection(\"\", ProtocolSFTP, \"\", \"\", u)\n\terr := conn.doRecursiveRemoveDirEntry(\"/vpath\", nil, 0)\n\tassert.Error(t, err)\n\terr = conn.doRecursiveRemove(nil, \"/fspath\", \"/vpath\", vfs.NewFileInfo(\"vpath\", true, 0, time.Now(), false), 2000)\n\tassert.Error(t, err, util.ErrRecursionTooDeep)\n\terr = conn.doRecursiveCopy(\"/src\", \"/dst\", vfs.NewFileInfo(\"src\", true, 0, time.Now(), false), false, 2000)\n\tassert.Error(t, err, util.ErrRecursionTooDeep)\n\terr = conn.checkCopy(vfs.NewFileInfo(\"name\", true, 0, time.Unix(0, 0), false), nil, \"/source\", \"/target\")\n\tassert.Error(t, err)\n\tsourceFile := filepath.Join(os.TempDir(), \"f\", \"source\")\n\terr = os.MkdirAll(filepath.Dir(sourceFile), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(sourceFile, []byte(\"\"), 0666)\n\tassert.NoError(t, err)\n\terr = conn.checkCopy(vfs.NewFileInfo(\"name\", true, 0, time.Unix(0, 0), false), nil, \"/f/source\", \"/target\")\n\tassert.Error(t, err)\n\terr = conn.checkCopy(vfs.NewFileInfo(\"source\", false, 0, time.Unix(0, 0), false), vfs.NewFileInfo(\"target\", true, 0, time.Unix(0, 0), false), \"/f/source\", \"/f/target\")\n\tassert.Error(t, err)\n\terr = os.RemoveAll(filepath.Dir(sourceFile))\n\tassert.NoError(t, err)\n}\n\nfunc TestConnectionKeepAlive(t *testing.T) {\n\tconn := NewBaseConnection(\"\", ProtocolWebDAV, \"\", \"\", dataprovider.User{})\n\tlastActivity := conn.GetLastActivity()\n\n\tstop := keepConnectionAlive(conn, 50*time.Millisecond)\n\tdefer stop()\n\n\ttime.Sleep(200 * time.Millisecond)\n\tassert.Greater(t, conn.GetLastActivity(), lastActivity)\n}\n\nfunc TestFsFileCopier(t *testing.T) {\n\tfs := vfs.Fs(&vfs.AzureBlobFs{})\n\t_, ok := fs.(vfs.FsFileCopier)\n\tassert.True(t, ok)\n\tfs = vfs.Fs(&vfs.OsFs{})\n\t_, ok = fs.(vfs.FsFileCopier)\n\tassert.False(t, ok)\n\tfs = vfs.Fs(&vfs.SFTPFs{})\n\t_, ok = fs.(vfs.FsFileCopier)\n\tassert.False(t, ok)\n\tfs = vfs.Fs(&vfs.GCSFs{})\n\t_, ok = fs.(vfs.FsFileCopier)\n\tassert.True(t, ok)\n\tfs = vfs.Fs(&vfs.S3Fs{})\n\t_, ok = fs.(vfs.FsFileCopier)\n\tassert.True(t, ok)\n}\n\nfunc TestFilePatterns(t *testing.T) {\n\tfilters := dataprovider.UserFilters{\n\t\tBaseUserFilters: sdk.BaseUserFilters{\n\t\t\tFilePatterns: []sdk.PatternsFilter{\n\t\t\t\t{\n\t\t\t\t\tPath: \"/dir1\",\n\t\t\t\t\tDenyPolicy: sdk.DenyPolicyDefault,\n\t\t\t\t\tAllowedPatterns: []string{\"*.jpg\"},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tPath: \"/dir2\",\n\t\t\t\t\tDenyPolicy: sdk.DenyPolicyHide,\n\t\t\t\t\tAllowedPatterns: []string{\"*.jpg\"},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tPath: \"/dir3\",\n\t\t\t\t\tDenyPolicy: sdk.DenyPolicyDefault,\n\t\t\t\t\tDeniedPatterns: []string{\"*.jpg\"},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tPath: \"/dir4\",\n\t\t\t\t\tDenyPolicy: sdk.DenyPolicyHide,\n\t\t\t\t\tDeniedPatterns: []string{\"*\"},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\tvirtualFolders := []vfs.VirtualFolder{\n\t\t{\n\t\t\tVirtualPath: \"/dir1/vdir1\",\n\t\t},\n\t\t{\n\t\t\tVirtualPath: \"/dir1/vdir2\",\n\t\t},\n\t\t{\n\t\t\tVirtualPath: \"/dir1/vdir3\",\n\t\t},\n\t\t{\n\t\t\tVirtualPath: \"/dir2/vdir1\",\n\t\t},\n\t\t{\n\t\t\tVirtualPath: \"/dir2/vdir2\",\n\t\t},\n\t\t{\n\t\t\tVirtualPath: \"/dir2/vdir3.jpg\",\n\t\t},\n\t}\n\tuser := dataprovider.User{\n\t\tFilters: filters,\n\t\tVirtualFolders: virtualFolders,\n\t}\n\n\tgetFilteredInfo := func(dirContents []os.FileInfo, virtualPath string) []os.FileInfo {\n\t\tresult := user.FilterListDir(dirContents, virtualPath)\n\t\tresult = append(result, user.GetVirtualFoldersInfo(virtualPath)...)\n\t\treturn result\n\t}\n\n\tdirContents := []os.FileInfo{\n\t\tvfs.NewFileInfo(\"file1.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file1.jpg\", false, 123, time.Now(), false),\n\t}\n\t// dirContents are modified in place, we need to redefine them each time\n\tfiltered := getFilteredInfo(dirContents, \"/dir1\")\n\tassert.Len(t, filtered, 5)\n\n\tdirContents = []os.FileInfo{\n\t\tvfs.NewFileInfo(\"file1.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file1.jpg\", false, 123, time.Now(), false),\n\t}\n\tfiltered = getFilteredInfo(dirContents, \"/dir1/vdir1\")\n\tassert.Len(t, filtered, 2)\n\n\tdirContents = []os.FileInfo{\n\t\tvfs.NewFileInfo(\"file1.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file1.jpg\", false, 123, time.Now(), false),\n\t}\n\tfiltered = getFilteredInfo(dirContents, \"/dir2/vdir2\")\n\trequire.Len(t, filtered, 1)\n\tassert.Equal(t, \"file1.jpg\", filtered[0].Name())\n\n\tdirContents = []os.FileInfo{\n\t\tvfs.NewFileInfo(\"file1.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file1.jpg\", false, 123, time.Now(), false),\n\t}\n\tfiltered = getFilteredInfo(dirContents, \"/dir2/vdir2/sub\")\n\trequire.Len(t, filtered, 1)\n\tassert.Equal(t, \"file1.jpg\", filtered[0].Name())\n\n\tres, _ := user.IsFileAllowed(\"/dir1/vdir1/file.txt\")\n\tassert.False(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir1/vdir1/sub/file.txt\")\n\tassert.False(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir1/vdir1/file.jpg\")\n\tassert.True(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir1/vdir1/sub/file.jpg\")\n\tassert.True(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir3/file.jpg\")\n\tassert.False(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir3/dir1/file.jpg\")\n\tassert.False(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir3/dir1/sub/file.jpg\")\n\tassert.False(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir4/file.jpg\")\n\tassert.False(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir4/dir1/sub/file.jpg\")\n\tassert.False(t, res)\n\n\tdirContents = []os.FileInfo{\n\t\tvfs.NewFileInfo(\"file1.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file1.jpg\", false, 123, time.Now(), false),\n\t}\n\tfiltered = getFilteredInfo(dirContents, \"/dir4\")\n\trequire.Len(t, filtered, 0)\n\n\tdirContents = []os.FileInfo{\n\t\tvfs.NewFileInfo(\"file1.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file1.jpg\", false, 123, time.Now(), false),\n\t}\n\tfiltered = getFilteredInfo(dirContents, \"/dir4/vdir2/sub\")\n\trequire.Len(t, filtered, 0)\n\n\tdirContents = []os.FileInfo{\n\t\tvfs.NewFileInfo(\"file1.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file1.jpg\", false, 123, time.Now(), false),\n\t}\n\n\tfiltered = getFilteredInfo(dirContents, \"/dir2\")\n\tassert.Len(t, filtered, 2)\n\n\tdirContents = []os.FileInfo{\n\t\tvfs.NewFileInfo(\"file1.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file1.jpg\", false, 123, time.Now(), false),\n\t}\n\n\tfiltered = getFilteredInfo(dirContents, \"/dir4\")\n\tassert.Len(t, filtered, 0)\n\n\tdirContents = []os.FileInfo{\n\t\tvfs.NewFileInfo(\"file1.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file1.jpg\", false, 123, time.Now(), false),\n\t}\n\n\tfiltered = getFilteredInfo(dirContents, \"/dir4/sub\")\n\tassert.Len(t, filtered, 0)\n\n\tdirContents = []os.FileInfo{\n\t\tvfs.NewFileInfo(\"file1.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"vdir3.jpg\", false, 123, time.Now(), false),\n\t}\n\n\tfiltered = getFilteredInfo(dirContents, \"/dir1\")\n\tassert.Len(t, filtered, 5)\n\n\tfiltered = getFilteredInfo(dirContents, \"/dir2\")\n\tif assert.Len(t, filtered, 1) {\n\t\tassert.True(t, filtered[0].IsDir())\n\t}\n\n\tuser.VirtualFolders = nil\n\tdirContents = []os.FileInfo{\n\t\tvfs.NewFileInfo(\"file1.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"vdir3.jpg\", false, 123, time.Now(), false),\n\t}\n\tfiltered = getFilteredInfo(dirContents, \"/dir1\")\n\tassert.Len(t, filtered, 2)\n\n\tdirContents = []os.FileInfo{\n\t\tvfs.NewFileInfo(\"file1.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"vdir3.jpg\", false, 123, time.Now(), false),\n\t}\n\tfiltered = getFilteredInfo(dirContents, \"/dir2\")\n\tif assert.Len(t, filtered, 1) {\n\t\tassert.False(t, filtered[0].IsDir())\n\t}\n\n\tdirContents = []os.FileInfo{\n\t\tvfs.NewFileInfo(\"file1.jpg\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file1.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file2.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"vdir3.jpg\", false, 123, time.Now(), false),\n\t}\n\tfiltered = getFilteredInfo(dirContents, \"/dir2\")\n\tif assert.Len(t, filtered, 2) {\n\t\tassert.False(t, filtered[0].IsDir())\n\t\tassert.False(t, filtered[1].IsDir())\n\t}\n\n\tuser.VirtualFolders = virtualFolders\n\tuser.Filters = filters\n\tfiltered = getFilteredInfo(nil, \"/dir1\")\n\tassert.Len(t, filtered, 3)\n\tfiltered = getFilteredInfo(nil, \"/dir2\")\n\tassert.Len(t, filtered, 1)\n\n\tdirContents = []os.FileInfo{\n\t\tvfs.NewFileInfo(\"file1.jPg\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file1.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file2.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"vdir3.jpg\", false, 456, time.Now(), false),\n\t}\n\tfiltered = getFilteredInfo(dirContents, \"/dir2\")\n\tassert.Len(t, filtered, 2)\n\n\tuser = dataprovider.User{\n\t\tFilters: dataprovider.UserFilters{\n\t\t\tBaseUserFilters: sdk.BaseUserFilters{\n\t\t\t\tFilePatterns: []sdk.PatternsFilter{\n\t\t\t\t\t{\n\t\t\t\t\t\tPath: \"/dir3\",\n\t\t\t\t\t\tAllowedPatterns: []string{\"ic35\"},\n\t\t\t\t\t\tDeniedPatterns: []string{\"*\"},\n\t\t\t\t\t\tDenyPolicy: sdk.DenyPolicyHide,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\tdirContents = []os.FileInfo{\n\t\tvfs.NewFileInfo(\"file1.jpg\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file1.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file2.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"vdir3.jpg\", false, 456, time.Now(), false),\n\t}\n\tfiltered = getFilteredInfo(dirContents, \"/dir3\")\n\tassert.Len(t, filtered, 0)\n\n\tdirContents = nil\n\tfor i := 0; i < 100; i++ {\n\t\tdirContents = append(dirContents, vfs.NewFileInfo(fmt.Sprintf(\"ic%02d\", i), i%2 == 0, int64(i), time.Now(), false))\n\t}\n\tdirContents = append(dirContents, vfs.NewFileInfo(\"ic350\", false, 123, time.Now(), false))\n\tdirContents = append(dirContents, vfs.NewFileInfo(\".ic35\", false, 123, time.Now(), false))\n\tdirContents = append(dirContents, vfs.NewFileInfo(\"ic35.\", false, 123, time.Now(), false))\n\tdirContents = append(dirContents, vfs.NewFileInfo(\"*ic35\", false, 123, time.Now(), false))\n\tdirContents = append(dirContents, vfs.NewFileInfo(\"ic35*\", false, 123, time.Now(), false))\n\tdirContents = append(dirContents, vfs.NewFileInfo(\"ic35.*\", false, 123, time.Now(), false))\n\tdirContents = append(dirContents, vfs.NewFileInfo(\"file.jpg\", false, 123, time.Now(), false))\n\n\tfiltered = getFilteredInfo(dirContents, \"/dir3\")\n\trequire.Len(t, filtered, 1)\n\tassert.Equal(t, \"ic35\", filtered[0].Name())\n\n\tdirContents = []os.FileInfo{\n\t\tvfs.NewFileInfo(\"file1.jpg\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file1.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file2.txt\", false, 123, time.Now(), false),\n\t}\n\tfiltered = getFilteredInfo(dirContents, \"/dir3/ic36\")\n\trequire.Len(t, filtered, 0)\n\n\tdirContents = []os.FileInfo{\n\t\tvfs.NewFileInfo(\"file1.jpg\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file1.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file2.txt\", false, 123, time.Now(), false),\n\t}\n\tfiltered = getFilteredInfo(dirContents, \"/dir3/ic35\")\n\trequire.Len(t, filtered, 3)\n\n\tdirContents = []os.FileInfo{\n\t\tvfs.NewFileInfo(\"file1.jpg\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file1.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file2.txt\", false, 123, time.Now(), false),\n\t}\n\tfiltered = getFilteredInfo(dirContents, \"/dir3/ic35/sub\")\n\trequire.Len(t, filtered, 3)\n\n\tres, _ = user.IsFileAllowed(\"/dir3/file.txt\")\n\tassert.False(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir3/ic35a\")\n\tassert.False(t, res)\n\tres, policy := user.IsFileAllowed(\"/dir3/ic35a/file\")\n\tassert.False(t, res)\n\tassert.Equal(t, sdk.DenyPolicyHide, policy)\n\tres, _ = user.IsFileAllowed(\"/dir3/ic35\")\n\tassert.True(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir3/ic35/file.jpg\")\n\tassert.True(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir3/ic35/file.txt\")\n\tassert.True(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir3/ic35/sub/file.txt\")\n\tassert.True(t, res)\n\n\tdirContents = []os.FileInfo{\n\t\tvfs.NewFileInfo(\"file1.jpg\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file1.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file2.txt\", false, 123, time.Now(), false),\n\t}\n\tfiltered = getFilteredInfo(dirContents, \"/dir3/ic35/sub\")\n\trequire.Len(t, filtered, 3)\n\n\tuser.Filters.FilePatterns = append(user.Filters.FilePatterns, sdk.PatternsFilter{\n\t\tPath: \"/dir3/ic35/sub1\",\n\t\tAllowedPatterns: []string{\"*.jpg\"},\n\t\tDenyPolicy: sdk.DenyPolicyDefault,\n\t})\n\tuser.Filters.FilePatterns = append(user.Filters.FilePatterns, sdk.PatternsFilter{\n\t\tPath: \"/dir3/ic35/sub2\",\n\t\tDeniedPatterns: []string{\"*.jpg\"},\n\t\tDenyPolicy: sdk.DenyPolicyHide,\n\t})\n\n\tdirContents = []os.FileInfo{\n\t\tvfs.NewFileInfo(\"file1.jpg\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file1.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file2.txt\", false, 123, time.Now(), false),\n\t}\n\tfiltered = getFilteredInfo(dirContents, \"/dir3/ic35/sub1\")\n\trequire.Len(t, filtered, 3)\n\n\tdirContents = []os.FileInfo{\n\t\tvfs.NewFileInfo(\"file1.jpg\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file1.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file2.txt\", false, 123, time.Now(), false),\n\t}\n\tfiltered = getFilteredInfo(dirContents, \"/dir3/ic35/sub2\")\n\trequire.Len(t, filtered, 2)\n\n\tdirContents = []os.FileInfo{\n\t\tvfs.NewFileInfo(\"file1.jpg\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file1.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file2.txt\", false, 123, time.Now(), false),\n\t}\n\tfiltered = getFilteredInfo(dirContents, \"/dir3/ic35/sub2/sub1\")\n\trequire.Len(t, filtered, 2)\n\n\tres, _ = user.IsFileAllowed(\"/dir3/ic35/file.jpg\")\n\tassert.True(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir3/ic35/file.txt\")\n\tassert.True(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir3/ic35/sub/dir/file.txt\")\n\tassert.True(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir3/ic35/sub/dir/file.jpg\")\n\tassert.True(t, res)\n\n\tres, _ = user.IsFileAllowed(\"/dir3/ic35/sub1/file.jpg\")\n\tassert.True(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir3/ic35/sub1/file.txt\")\n\tassert.False(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir3/ic35/sub1/sub/file.jpg\")\n\tassert.True(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir3/ic35/sub1/sub2/file.txt\")\n\tassert.False(t, res)\n\n\tres, _ = user.IsFileAllowed(\"/dir3/ic35/sub2/file.jpg\")\n\tassert.False(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir3/ic35/sub2/file.txt\")\n\tassert.True(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir3/ic35/sub2/sub/file.jpg\")\n\tassert.False(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir3/ic35/sub2/sub1/file.txt\")\n\tassert.True(t, res)\n\n\tuser.Filters.FilePatterns = append(user.Filters.FilePatterns, sdk.PatternsFilter{\n\t\tPath: \"/dir3/ic35\",\n\t\tDeniedPatterns: []string{\"*.txt\"},\n\t\tDenyPolicy: sdk.DenyPolicyHide,\n\t})\n\tres, _ = user.IsFileAllowed(\"/dir3/ic35/file.jpg\")\n\tassert.True(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir3/ic35/file.txt\")\n\tassert.False(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir3/ic35/adir/sub/file.jpg\")\n\tassert.True(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir3/ic35/adir/file.txt\")\n\tassert.False(t, res)\n\n\tres, _ = user.IsFileAllowed(\"/dir3/ic35/sub2/file.jpg\")\n\tassert.False(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir3/ic35/sub2/file.txt\")\n\tassert.True(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir3/ic35/sub2/sub/file.jpg\")\n\tassert.False(t, res)\n\tres, _ = user.IsFileAllowed(\"/dir3/ic35/sub2/sub1/file.txt\")\n\tassert.True(t, res)\n\n\tdirContents = []os.FileInfo{\n\t\tvfs.NewFileInfo(\"file1.jpg\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file1.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file2.txt\", false, 123, time.Now(), false),\n\t}\n\tfiltered = getFilteredInfo(dirContents, \"/dir3/ic35\")\n\trequire.Len(t, filtered, 1)\n\n\tdirContents = []os.FileInfo{\n\t\tvfs.NewFileInfo(\"file1.jpg\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file1.txt\", false, 123, time.Now(), false),\n\t\tvfs.NewFileInfo(\"file2.txt\", false, 123, time.Now(), false),\n\t}\n\tfiltered = getFilteredInfo(dirContents, \"/dir3/ic35/abc\")\n\trequire.Len(t, filtered, 1)\n}\n\nfunc TestStatForOngoingTransfers(t *testing.T) {\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: xid.New().String(),\n\t\t\tPassword: xid.New().String(),\n\t\t\tHomeDir: filepath.Clean(os.TempDir()),\n\t\t\tStatus: 1,\n\t\t\tPermissions: map[string][]string{\n\t\t\t\t\"/\": {\"*\"},\n\t\t\t},\n\t\t},\n\t}\n\tfileName := \"file.txt\"\n\tconn := NewBaseConnection(xid.New().String(), ProtocolSFTP, \"\", \"\", user)\n\tfs := vfs.NewOsFs(\"\", os.TempDir(), \"\", nil)\n\ttr := NewBaseTransfer(nil, conn, nil, filepath.Join(os.TempDir(), fileName), filepath.Join(os.TempDir(), fileName),\n\t\tfileName, TransferUpload, 0, 0, 0, 0, true, fs, dataprovider.TransferQuota{})\n\t_, err := conn.DoStat(\"/file.txt\", 0, false)\n\tassert.NoError(t, err)\n\terr = tr.Close()\n\tassert.NoError(t, err)\n\ttr = NewBaseTransfer(nil, conn, nil, filepath.Join(os.TempDir(), fileName), filepath.Join(os.TempDir(), fileName),\n\t\tfileName, TransferDownload, 0, 0, 0, 0, true, fs, dataprovider.TransferQuota{})\n\t_, err = conn.DoStat(\"/file.txt\", 0, false)\n\tassert.Error(t, err)\n\terr = tr.Close()\n\tassert.NoError(t, err)\n\terr = conn.CloseFS()\n\tassert.NoError(t, err)\n}\n\nfunc TestListerAt(t *testing.T) {\n\tdir := t.TempDir()\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"u\",\n\t\t\tPassword: \"p\",\n\t\t\tHomeDir: dir,\n\t\t\tStatus: 1,\n\t\t\tPermissions: map[string][]string{\n\t\t\t\t\"/\": {\"*\"},\n\t\t\t},\n\t\t},\n\t}\n\tconn := NewBaseConnection(xid.New().String(), ProtocolSFTP, \"\", \"\", user)\n\tlister, err := conn.ListDir(\"/\")\n\trequire.NoError(t, err)\n\tfiles, err := lister.Next(1)\n\trequire.ErrorIs(t, err, io.EOF)\n\trequire.Len(t, files, 0)\n\terr = lister.Close()\n\trequire.NoError(t, err)\n\n\tconn.User.VirtualFolders = []vfs.VirtualFolder{\n\t\t{\n\t\t\tVirtualPath: \"p1\",\n\t\t},\n\t\t{\n\t\t\tVirtualPath: \"p2\",\n\t\t},\n\t\t{\n\t\t\tVirtualPath: \"p3\",\n\t\t},\n\t}\n\tlister, err = conn.ListDir(\"/\")\n\trequire.NoError(t, err)\n\tfiles, err = lister.Next(2)\n\t// virtual directories exceeds the limit\n\trequire.ErrorIs(t, err, io.EOF)\n\trequire.Len(t, files, 3)\n\tfiles, err = lister.Next(2)\n\trequire.ErrorIs(t, err, io.EOF)\n\trequire.Len(t, files, 0)\n\t_, err = lister.Next(-1)\n\trequire.ErrorContains(t, err, conn.GetGenericError(err).Error())\n\terr = lister.Close()\n\trequire.NoError(t, err)\n\n\tlister, err = conn.ListDir(\"/\")\n\trequire.NoError(t, err)\n\t_, err = lister.ListAt(nil, 0)\n\trequire.ErrorContains(t, err, \"zero size\")\n\terr = lister.Close()\n\trequire.NoError(t, err)\n\n\tfor i := 0; i < 100; i++ {\n\t\tf, err := os.Create(filepath.Join(dir, strconv.Itoa(i)))\n\t\trequire.NoError(t, err)\n\t\terr = f.Close()\n\t\trequire.NoError(t, err)\n\t}\n\tlister, err = conn.ListDir(\"/\")\n\trequire.NoError(t, err)\n\tfiles = make([]os.FileInfo, 18)\n\tn, err := lister.ListAt(files, 0)\n\trequire.NoError(t, err)\n\trequire.Equal(t, 18, n)\n\tn, err = lister.ListAt(files, 0)\n\trequire.NoError(t, err)\n\trequire.Equal(t, 18, n)\n\tfiles = make([]os.FileInfo, 100)\n\tn, err = lister.ListAt(files, 0)\n\trequire.NoError(t, err)\n\trequire.Equal(t, 64+3, n)\n\tn, err = lister.ListAt(files, 0)\n\trequire.ErrorIs(t, err, io.EOF)\n\trequire.Equal(t, 0, n)\n\tn, err = lister.ListAt(files, 0)\n\trequire.ErrorIs(t, err, io.EOF)\n\trequire.Equal(t, 0, n)\n\terr = lister.Close()\n\trequire.NoError(t, err)\n\tn, err = lister.ListAt(files, 0)\n\tassert.Error(t, err)\n\tassert.NotErrorIs(t, err, io.EOF)\n\trequire.Equal(t, 0, n)\n\tlister, err = conn.ListDir(\"/\")\n\trequire.NoError(t, err)\n\tlister.Prepend(vfs.NewFileInfo(\"..\", true, 0, time.Unix(0, 0), false))\n\tlister.Prepend(vfs.NewFileInfo(\".\", true, 0, time.Unix(0, 0), false))\n\tfiles = make([]os.FileInfo, 1)\n\tn, err = lister.ListAt(files, 0)\n\trequire.NoError(t, err)\n\trequire.Equal(t, 1, n)\n\tassert.Equal(t, \".\", files[0].Name())\n\tfiles = make([]os.FileInfo, 2)\n\tn, err = lister.ListAt(files, 0)\n\trequire.NoError(t, err)\n\trequire.Equal(t, 2, n)\n\tassert.Equal(t, \"..\", files[0].Name())\n\tvfolders := []string{files[1].Name()}\n\tfiles = make([]os.FileInfo, 200)\n\tn, err = lister.ListAt(files, 0)\n\trequire.NoError(t, err)\n\trequire.Equal(t, 102, n)\n\tvfolders = append(vfolders, files[0].Name())\n\tvfolders = append(vfolders, files[1].Name())\n\tassert.Contains(t, vfolders, \"p1\")\n\tassert.Contains(t, vfolders, \"p2\")\n\tassert.Contains(t, vfolders, \"p3\")\n\terr = lister.Close()\n\trequire.NoError(t, err)\n}\n\nfunc TestGetFsAndResolvedPath(t *testing.T) {\n\thomeDir := filepath.Join(os.TempDir(), \"home_test\")\n\tlocalVdir := filepath.Join(os.TempDir(), \"local_mount_test\")\n\n\terr := os.MkdirAll(homeDir, 0777)\n\trequire.NoError(t, err)\n\terr = os.MkdirAll(localVdir, 0777)\n\trequire.NoError(t, err)\n\n\tt.Cleanup(func() {\n\t\tos.RemoveAll(homeDir)\n\t\tos.RemoveAll(localVdir)\n\t})\n\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: xid.New().String(),\n\t\t\tStatus: 1,\n\t\t\tHomeDir: homeDir,\n\t\t},\n\t\tVirtualFolders: []vfs.VirtualFolder{\n\t\t\t{\n\t\t\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\t\t\tName: \"s3\",\n\t\t\t\t\tMappedPath: \"\",\n\t\t\t\t\tFsConfig: vfs.Filesystem{\n\t\t\t\t\t\tProvider: sdk.S3FilesystemProvider,\n\t\t\t\t\t\tS3Config: vfs.S3FsConfig{\n\t\t\t\t\t\t\tBaseS3FsConfig: sdk.BaseS3FsConfig{\n\t\t\t\t\t\t\t\tBucket: \"my-test-bucket\",\n\t\t\t\t\t\t\t\tRegion: \"us-east-1\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tVirtualPath: \"/s3\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\t\t\tName: \"local\",\n\t\t\t\t\tMappedPath: localVdir,\n\t\t\t\t\tFsConfig: vfs.Filesystem{\n\t\t\t\t\t\tProvider: sdk.LocalFilesystemProvider,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tVirtualPath: \"/local\",\n\t\t\t},\n\t\t},\n\t}\n\n\tconn := NewBaseConnection(xid.New().String(), ProtocolSFTP, \"\", \"\", user)\n\n\ttests := []struct {\n\t\tname string\n\t\tinputVirtualPath string\n\t\texpectedFsType string\n\t\texpectedPhyPath string // The resolved path on the target FS\n\t\texpectedRelativePath string\n\t}{\n\t\t{\n\t\t\tname: \"Root File\",\n\t\t\tinputVirtualPath: \"/file.txt\",\n\t\t\texpectedFsType: \"osfs\",\n\t\t\texpectedPhyPath: filepath.Join(homeDir, \"file.txt\"),\n\t\t\texpectedRelativePath: \"/file.txt\",\n\t\t},\n\t\t{\n\t\t\tname: \"Standard S3 File\",\n\t\t\tinputVirtualPath: \"/s3/image.png\",\n\t\t\texpectedFsType: \"S3Fs\",\n\t\t\texpectedPhyPath: \"image.png\",\n\t\t\texpectedRelativePath: \"/s3/image.png\",\n\t\t},\n\t\t{\n\t\t\tname: \"Standard Local Mount File\",\n\t\t\tinputVirtualPath: \"/local/config.json\",\n\t\t\texpectedFsType: \"osfs\",\n\t\t\texpectedPhyPath: filepath.Join(localVdir, \"config.json\"),\n\t\t\texpectedRelativePath: \"/local/config.json\",\n\t\t},\n\n\t\t{\n\t\t\tname: \"Backslash Separator -> Should hit S3\",\n\t\t\tinputVirtualPath: \"\\\\s3\\\\doc.txt\",\n\t\t\texpectedFsType: \"S3Fs\",\n\t\t\texpectedPhyPath: \"doc.txt\",\n\t\t\texpectedRelativePath: \"/s3/doc.txt\",\n\t\t},\n\t\t{\n\t\t\tname: \"Mixed Separators -> Should hit Local Mount\",\n\t\t\tinputVirtualPath: \"/local\\\\subdir/test.txt\",\n\t\t\texpectedFsType: \"osfs\",\n\t\t\texpectedPhyPath: filepath.Join(localVdir, \"subdir\", \"test.txt\"),\n\t\t\texpectedRelativePath: \"/local/subdir/test.txt\",\n\t\t},\n\t\t{\n\t\t\tname: \"Double Slash -> Should normalize and hit S3\",\n\t\t\tinputVirtualPath: \"//s3//dir @1/data.csv\",\n\t\t\texpectedFsType: \"S3Fs\",\n\t\t\texpectedPhyPath: \"dir @1/data.csv\",\n\t\t\texpectedRelativePath: \"/s3/dir @1/data.csv\",\n\t\t},\n\n\t\t{\n\t\t\tname: \"Local Mount Traversal (Attempt to escape)\",\n\t\t\tinputVirtualPath: \"/local/../../etc/passwd\",\n\t\t\texpectedFsType: \"osfs\",\n\t\t\texpectedPhyPath: filepath.Join(homeDir, \"/etc/passwd\"),\n\t\t\texpectedRelativePath: \"/etc/passwd\",\n\t\t},\n\t\t{\n\t\t\tname: \"Traversal Out of S3 (Valid)\",\n\t\t\tinputVirtualPath: \"/s3/../../secret.txt\",\n\t\t\texpectedFsType: \"osfs\",\n\t\t\texpectedPhyPath: filepath.Join(homeDir, \"secret.txt\"),\n\t\t\texpectedRelativePath: \"/secret.txt\",\n\t\t},\n\t\t{\n\t\t\tname: \"Traversal Inside S3\",\n\t\t\tinputVirtualPath: \"/s3/subdir/../image.png\",\n\t\t\texpectedFsType: \"S3Fs\",\n\t\t\texpectedPhyPath: \"image.png\",\n\t\t\texpectedRelativePath: \"/s3/image.png\",\n\t\t},\n\t\t{\n\t\t\tname: \"Mount Point Bypass -> Target Local Mount\",\n\t\t\tinputVirtualPath: \"/s3\\\\..\\\\local\\\\secret.txt\",\n\t\t\texpectedFsType: \"osfs\",\n\t\t\texpectedPhyPath: filepath.Join(localVdir, \"secret.txt\"),\n\t\t\texpectedRelativePath: \"/local/secret.txt\",\n\t\t},\n\t\t{\n\t\t\tname: \"Dirty Relative Path (Your Case)\",\n\t\t\tinputVirtualPath: \"test\\\\..\\\\..\\\\oops/file.txt\",\n\t\t\texpectedFsType: \"osfs\",\n\t\t\texpectedPhyPath: filepath.Join(homeDir, \"oops\", \"file.txt\"),\n\t\t\texpectedRelativePath: \"/oops/file.txt\",\n\t\t},\n\t\t{\n\t\t\tname: \"Relative Path targeting S3 (No leading slash)\",\n\t\t\tinputVirtualPath: \"s3//sub/../image.png\",\n\t\t\texpectedFsType: \"S3Fs\",\n\t\t\texpectedPhyPath: \"image.png\",\n\t\t\texpectedRelativePath: \"/s3/image.png\",\n\t\t},\n\t\t{\n\t\t\tname: \"Windows Path starting with Backslash\",\n\t\t\tinputVirtualPath: \"\\\\s3\\\\doc/dir\\\\doc.txt\",\n\t\t\texpectedFsType: \"S3Fs\",\n\t\t\texpectedPhyPath: \"doc/dir/doc.txt\",\n\t\t\texpectedRelativePath: \"/s3/doc/dir/doc.txt\",\n\t\t},\n\t\t{\n\t\t\tname: \"Filesystem Juggling (Relative)\",\n\t\t\tinputVirtualPath: \"local/../s3/file.txt\",\n\t\t\texpectedFsType: \"S3Fs\",\n\t\t\texpectedPhyPath: \"file.txt\",\n\t\t\texpectedRelativePath: \"/s3/file.txt\",\n\t\t},\n\t\t{\n\t\t\tname: \"Triple Dot Filename (Valid Name)\",\n\t\t\tinputVirtualPath: \"/...hidden/secret\",\n\t\t\texpectedFsType: \"osfs\",\n\t\t\texpectedPhyPath: filepath.Join(homeDir, \"...hidden\", \"secret\"),\n\t\t\texpectedRelativePath: \"/...hidden/secret\",\n\t\t},\n\t\t{\n\t\t\tname: \"Dot Slash Prefix\",\n\t\t\tinputVirtualPath: \"./local/file.txt\",\n\t\t\texpectedFsType: \"osfs\",\n\t\t\texpectedPhyPath: filepath.Join(localVdir, \"file.txt\"),\n\t\t\texpectedRelativePath: \"/local/file.txt\",\n\t\t},\n\t\t{\n\t\t\tname: \"Root of Local Mount Exactly\",\n\t\t\tinputVirtualPath: \"/local/\",\n\t\t\texpectedFsType: \"osfs\",\n\t\t\texpectedPhyPath: localVdir,\n\t\t\texpectedRelativePath: \"/local\",\n\t\t},\n\t\t{\n\t\t\tname: \"Root of S3 Mount Exactly\",\n\t\t\tinputVirtualPath: \"/s3/\",\n\t\t\texpectedFsType: \"S3Fs\",\n\t\t\texpectedPhyPath: \"\",\n\t\t\texpectedRelativePath: \"/s3\",\n\t\t},\n\t}\n\n\tfor _, tc := range tests {\n\t\tt.Run(tc.name, func(t *testing.T) {\n\t\t\t// The input path is sanitized by the protocol handler\n\t\t\t// implementations before reaching GetFsAndResolvedPath.\n\t\t\tcleanInput := util.CleanPath(tc.inputVirtualPath)\n\t\t\tfs, resolvedPath, err := conn.GetFsAndResolvedPath(cleanInput)\n\t\t\tif assert.NoError(t, err, \"did not expect error for path: %q, got: %v\", tc.inputVirtualPath, err) {\n\t\t\t\tassert.Contains(t, fs.Name(), tc.expectedFsType,\n\t\t\t\t\t\"routing error: input %q but expected fs %q, got %q\", tc.inputVirtualPath, tc.expectedFsType, fs.Name())\n\t\t\t\tassert.Equal(t, tc.expectedPhyPath, resolvedPath,\n\t\t\t\t\t\"resolution error: input %q resolved to %q expected %q\", tc.inputVirtualPath, resolvedPath, tc.expectedPhyPath)\n\t\t\t\trelativePath := fs.GetRelativePath(resolvedPath)\n\t\t\t\tassert.Equal(t, tc.expectedRelativePath, relativePath,\n\t\t\t\t\t\"relative path error, input %q, got %q, expected %q\", tc.inputVirtualPath, tc.expectedRelativePath, relativePath)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestOsFsGetRelativePath(t *testing.T) {\n\thomeDir := filepath.Join(os.TempDir(), \"home_test\")\n\tlocalVdir := filepath.Join(os.TempDir(), \"local_mount_test\")\n\n\terr := os.MkdirAll(homeDir, 0777)\n\trequire.NoError(t, err)\n\terr = os.MkdirAll(localVdir, 0777)\n\trequire.NoError(t, err)\n\n\tt.Cleanup(func() {\n\t\tos.RemoveAll(homeDir)\n\t\tos.RemoveAll(localVdir)\n\t})\n\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: xid.New().String(),\n\t\t\tStatus: 1,\n\t\t\tHomeDir: homeDir,\n\t\t},\n\t\tVirtualFolders: []vfs.VirtualFolder{\n\t\t\t{\n\t\t\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\t\t\tName: \"local\",\n\t\t\t\t\tMappedPath: localVdir,\n\t\t\t\t\tFsConfig: vfs.Filesystem{\n\t\t\t\t\t\tProvider: sdk.LocalFilesystemProvider,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tVirtualPath: \"/local\",\n\t\t\t},\n\t\t},\n\t}\n\n\tconnID := xid.New().String()\n\trootFs, err := user.GetFilesystemForPath(\"/\", connID)\n\trequire.NoError(t, err)\n\n\tlocalFs, err := user.GetFilesystemForPath(\"/local\", connID)\n\trequire.NoError(t, err)\n\n\ttests := []struct {\n\t\tname string\n\t\tfs vfs.Fs\n\t\tinputPath string // The physical path to reverse-map\n\t\texpectedRel string // The expected virtual path\n\t}{\n\t\t{\n\t\t\tname: \"Root FS - Inside root\",\n\t\t\tfs: rootFs,\n\t\t\tinputPath: filepath.Join(homeDir, \"docs\", \"file.txt\"),\n\t\t\texpectedRel: \"/docs/file.txt\",\n\t\t},\n\t\t{\n\t\t\tname: \"Root FS - Exact root directory\",\n\t\t\tfs: rootFs,\n\t\t\tinputPath: homeDir,\n\t\t\texpectedRel: \"/\",\n\t\t},\n\t\t{\n\t\t\tname: \"Root FS - External absolute path (Jail to /)\",\n\t\t\tfs: rootFs,\n\t\t\tinputPath: \"/etc/passwd\",\n\t\t\texpectedRel: \"/\",\n\t\t},\n\t\t{\n\t\t\tname: \"Root FS - Traversal escape (Jail to /)\",\n\t\t\tfs: rootFs,\n\t\t\tinputPath: filepath.Join(homeDir, \"..\", \"escaped.txt\"),\n\t\t\texpectedRel: \"/\",\n\t\t},\n\t\t{\n\t\t\tname: \"Root FS - Valid file named with triple dots\",\n\t\t\tfs: rootFs,\n\t\t\tinputPath: filepath.Join(homeDir, \"...\"),\n\t\t\texpectedRel: \"/...\",\n\t\t},\n\t\t{\n\t\t\tname: \"Local FS - Up path in dir\",\n\t\t\tfs: rootFs,\n\t\t\tinputPath: homeDir + \"/../\" + filepath.Base(homeDir) + \"/dir/test.txt\",\n\t\t\texpectedRel: \"/dir/test.txt\",\n\t\t},\n\n\t\t{\n\t\t\tname: \"Local FS - Inside mount\",\n\t\t\tfs: localFs,\n\t\t\tinputPath: filepath.Join(localVdir, \"data\", \"config.json\"),\n\t\t\texpectedRel: \"/local/data/config.json\",\n\t\t},\n\t\t{\n\t\t\tname: \"Local FS - Exact mount directory\",\n\t\t\tfs: localFs,\n\t\t\tinputPath: localVdir,\n\t\t\texpectedRel: \"/local\",\n\t\t},\n\t\t{\n\t\t\tname: \"Local FS - External absolute path (Jail to /local)\",\n\t\t\tfs: localFs,\n\t\t\tinputPath: \"/var/log/syslog\",\n\t\t\texpectedRel: \"/local\",\n\t\t},\n\t\t{\n\t\t\tname: \"Local FS - Traversal escape (Jail to /local)\",\n\t\t\tfs: localFs,\n\t\t\tinputPath: filepath.Join(localVdir, \"..\", \"..\", \"etc\", \"passwd\"),\n\t\t\texpectedRel: \"/local\",\n\t\t},\n\t\t{\n\t\t\tname: \"Local FS - Partial prefix (Jail to /local)\",\n\t\t\tfs: localFs,\n\t\t\tinputPath: localVdir + \"_backup\",\n\t\t\texpectedRel: \"/local\",\n\t\t},\n\t\t{\n\t\t\tname: \"Local FS - Relative traversal matching virual dir\",\n\t\t\tfs: localFs,\n\t\t\tinputPath: localVdir + \"/../\" + filepath.Base(localVdir) + \"/dir/test.txt\",\n\t\t\texpectedRel: \"/local/dir/test.txt\",\n\t\t},\n\t\t{\n\t\t\tname: \"Local FS - Valid file starting with two dots\",\n\t\t\tfs: localFs,\n\t\t\tinputPath: filepath.Join(localVdir, \"..hidden_file.txt\"),\n\t\t\texpectedRel: \"/local/..hidden_file.txt\",\n\t\t},\n\t}\n\n\tfor _, tc := range tests {\n\t\tt.Run(tc.name, func(t *testing.T) {\n\t\t\tactualRel := tc.fs.GetRelativePath(tc.inputPath)\n\t\t\tassert.Equal(t, tc.expectedRel, actualRel,\n\t\t\t\t\"Failed mapping physical path %q on FS %q\", tc.inputPath, tc.fs.Name())\n\t\t})\n\t}\n}\n" }, { "path": "internal/common/dataretention.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"path\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nvar (\n\t// RetentionChecks is the list of active retention checks\n\tRetentionChecks ActiveRetentionChecks\n)\n\n// ActiveRetentionChecks holds the active retention checks\ntype ActiveRetentionChecks struct {\n\tsync.RWMutex\n\tChecks []RetentionCheck\n}\n\n// Get returns the active retention checks\nfunc (c *ActiveRetentionChecks) Get(role string) []RetentionCheck {\n\tc.RLock()\n\tdefer c.RUnlock()\n\n\tchecks := make([]RetentionCheck, 0, len(c.Checks))\n\tfor _, check := range c.Checks {\n\t\tif role == \"\" || role == check.Role {\n\t\t\tfoldersCopy := make([]dataprovider.FolderRetention, len(check.Folders))\n\t\t\tcopy(foldersCopy, check.Folders)\n\t\t\tchecks = append(checks, RetentionCheck{\n\t\t\t\tUsername: check.Username,\n\t\t\t\tStartTime: check.StartTime,\n\t\t\t\tFolders: foldersCopy,\n\t\t\t})\n\t\t}\n\t}\n\treturn checks\n}\n\n// Add a new retention check, returns nil if a retention check for the given\n// username is already active. The returned result can be used to start the check\nfunc (c *ActiveRetentionChecks) Add(check RetentionCheck, user *dataprovider.User) *RetentionCheck {\n\tc.Lock()\n\tdefer c.Unlock()\n\n\tfor _, val := range c.Checks {\n\t\tif val.Username == user.Username {\n\t\t\treturn nil\n\t\t}\n\t}\n\t// we silently ignore file patterns\n\tuser.Filters.FilePatterns = nil\n\tconn := NewBaseConnection(\"\", \"\", \"\", \"\", *user)\n\tconn.SetProtocol(ProtocolDataRetention)\n\tconn.ID = fmt.Sprintf(\"data_retention_%v\", user.Username)\n\tcheck.Username = user.Username\n\tcheck.Role = user.Role\n\tcheck.StartTime = util.GetTimeAsMsSinceEpoch(time.Now())\n\tcheck.conn = conn\n\tcheck.updateUserPermissions()\n\tc.Checks = append(c.Checks, check)\n\n\treturn &check\n}\n\n// remove a user from the ones with active retention checks\n// and returns true if the user is removed\nfunc (c *ActiveRetentionChecks) remove(username string) bool {\n\tc.Lock()\n\tdefer c.Unlock()\n\n\tfor idx, check := range c.Checks {\n\t\tif check.Username == username {\n\t\t\tlastIdx := len(c.Checks) - 1\n\t\t\tc.Checks[idx] = c.Checks[lastIdx]\n\t\t\tc.Checks = c.Checks[:lastIdx]\n\t\t\treturn true\n\t\t}\n\t}\n\n\treturn false\n}\n\ntype folderRetentionCheckResult struct {\n\tPath string `json:\"path\"`\n\tRetention int `json:\"retention\"`\n\tDeletedFiles int `json:\"deleted_files\"`\n\tDeletedSize int64 `json:\"deleted_size\"`\n\tElapsed time.Duration `json:\"-\"`\n\tInfo string `json:\"info,omitempty\"`\n\tError string `json:\"error,omitempty\"`\n}\n\n// RetentionCheck defines an active retention check\ntype RetentionCheck struct {\n\t// Username to which the retention check refers\n\tUsername string `json:\"username\"`\n\t// retention check start time as unix timestamp in milliseconds\n\tStartTime int64 `json:\"start_time\"`\n\t// affected folders\n\tFolders []dataprovider.FolderRetention `json:\"folders\"`\n\tRole string `json:\"-\"`\n\t// Cleanup results\n\tresults []folderRetentionCheckResult `json:\"-\"`\n\tconn *BaseConnection `json:\"-\"`\n}\n\nfunc (c *RetentionCheck) updateUserPermissions() {\n\tfor k := range c.conn.User.Permissions {\n\t\tc.conn.User.Permissions[k] = []string{dataprovider.PermAny}\n\t}\n}\n\nfunc (c *RetentionCheck) getFolderRetention(folderPath string) (dataprovider.FolderRetention, error) {\n\tdirsForPath := util.GetDirsForVirtualPath(folderPath)\n\tfor _, dirPath := range dirsForPath {\n\t\tfor _, folder := range c.Folders {\n\t\t\tif folder.Path == dirPath {\n\t\t\t\treturn folder, nil\n\t\t\t}\n\t\t}\n\t}\n\n\treturn dataprovider.FolderRetention{}, fmt.Errorf(\"unable to find folder retention for %q\", folderPath)\n}\n\nfunc (c *RetentionCheck) removeFile(virtualPath string, info os.FileInfo) error {\n\tfs, fsPath, err := c.conn.GetFsAndResolvedPath(virtualPath)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn c.conn.RemoveFile(fs, fsPath, virtualPath, info)\n}\n\nfunc (c *RetentionCheck) cleanupFolder(folderPath string, recursion int) error {\n\tstartTime := time.Now()\n\tresult := folderRetentionCheckResult{\n\t\tPath: folderPath,\n\t}\n\tdefer func() {\n\t\tc.results = append(c.results, result)\n\t}()\n\tif recursion >= util.MaxRecursion {\n\t\tresult.Elapsed = time.Since(startTime)\n\t\tresult.Info = \"data retention check skipped: recursion too deep\"\n\t\tc.conn.Log(logger.LevelError, \"data retention check skipped, recursion too depth for %q: %d\",\n\t\t\tfolderPath, recursion)\n\t\treturn util.ErrRecursionTooDeep\n\t}\n\trecursion++\n\n\tfolderRetention, err := c.getFolderRetention(folderPath)\n\tif err != nil {\n\t\tresult.Elapsed = time.Since(startTime)\n\t\tresult.Error = \"unable to get folder retention\"\n\t\tc.conn.Log(logger.LevelError, \"unable to get folder retention for path %q\", folderPath)\n\t\treturn err\n\t}\n\tresult.Retention = folderRetention.Retention\n\tif folderRetention.Retention == 0 {\n\t\tresult.Elapsed = time.Since(startTime)\n\t\tresult.Info = \"data retention check skipped: retention is set to 0\"\n\t\tc.conn.Log(logger.LevelDebug, \"retention check skipped for folder %q, retention is set to 0\", folderPath)\n\t\treturn nil\n\t}\n\tc.conn.Log(logger.LevelDebug, \"start retention check for folder %q, retention: %v hours, delete empty dirs? %v\",\n\t\tfolderPath, folderRetention.Retention, folderRetention.DeleteEmptyDirs)\n\tlister, err := c.conn.ListDir(folderPath)\n\tif err != nil {\n\t\tresult.Elapsed = time.Since(startTime)\n\t\tif err == c.conn.GetNotExistError() {\n\t\t\tresult.Info = \"data retention check skipped, folder does not exist\"\n\t\t\tc.conn.Log(logger.LevelDebug, \"folder %q does not exist, retention check skipped\", folderPath)\n\t\t\treturn nil\n\t\t}\n\t\tresult.Error = fmt.Sprintf(\"unable to get lister for directory %q\", folderPath)\n\t\tc.conn.Log(logger.LevelError, \"%s\", result.Error)\n\t\treturn err\n\t}\n\tdefer lister.Close()\n\n\tfor {\n\t\tfiles, err := lister.Next(vfs.ListerBatchSize)\n\t\tfinished := errors.Is(err, io.EOF)\n\t\tif err := lister.convertError(err); err != nil {\n\t\t\tresult.Elapsed = time.Since(startTime)\n\t\t\tresult.Error = fmt.Sprintf(\"unable to list directory %q\", folderPath)\n\t\t\tc.conn.Log(logger.LevelError, \"unable to list dir %q: %v\", folderPath, err)\n\t\t\treturn err\n\t\t}\n\t\tfor _, info := range files {\n\t\t\tvirtualPath := path.Join(folderPath, info.Name())\n\t\t\tif info.IsDir() {\n\t\t\t\tif err := c.cleanupFolder(virtualPath, recursion); err != nil {\n\t\t\t\t\tresult.Elapsed = time.Since(startTime)\n\t\t\t\t\tresult.Error = fmt.Sprintf(\"unable to check folder: %v\", err)\n\t\t\t\t\tc.conn.Log(logger.LevelError, \"unable to cleanup folder %q: %v\", virtualPath, err)\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tretentionTime := info.ModTime().Add(time.Duration(folderRetention.Retention) * time.Hour)\n\t\t\t\tif retentionTime.Before(time.Now()) {\n\t\t\t\t\tif err := c.removeFile(virtualPath, info); err != nil {\n\t\t\t\t\t\tresult.Elapsed = time.Since(startTime)\n\t\t\t\t\t\tresult.Error = fmt.Sprintf(\"unable to remove file %q: %v\", virtualPath, err)\n\t\t\t\t\t\tc.conn.Log(logger.LevelError, \"unable to remove file %q, retention %v: %v\",\n\t\t\t\t\t\t\tvirtualPath, retentionTime, err)\n\t\t\t\t\t\treturn err\n\t\t\t\t\t}\n\t\t\t\t\tc.conn.Log(logger.LevelDebug, \"removed file %q, modification time: %v, retention: %v hours, retention time: %v\",\n\t\t\t\t\t\tvirtualPath, info.ModTime(), folderRetention.Retention, retentionTime)\n\t\t\t\t\tresult.DeletedFiles++\n\t\t\t\t\tresult.DeletedSize += info.Size()\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif finished {\n\t\t\tbreak\n\t\t}\n\t}\n\n\tlister.Close()\n\tc.checkEmptyDirRemoval(folderPath, folderRetention.DeleteEmptyDirs)\n\tresult.Elapsed = time.Since(startTime)\n\tc.conn.Log(logger.LevelDebug, \"retention check completed for folder %q, deleted files: %v, deleted size: %v bytes\",\n\t\tfolderPath, result.DeletedFiles, result.DeletedSize)\n\n\treturn nil\n}\n\nfunc (c *RetentionCheck) checkEmptyDirRemoval(folderPath string, checkVal bool) {\n\tif folderPath == \"/\" || !checkVal {\n\t\treturn\n\t}\n\tfor _, folder := range c.Folders {\n\t\tif folderPath == folder.Path {\n\t\t\treturn\n\t\t}\n\t}\n\tif c.conn.User.HasAnyPerm([]string{\n\t\tdataprovider.PermDelete,\n\t\tdataprovider.PermDeleteDirs,\n\t}, path.Dir(folderPath),\n\t) {\n\t\tlister, err := c.conn.ListDir(folderPath)\n\t\tif err == nil {\n\t\t\tfiles, err := lister.Next(1)\n\t\t\tlister.Close()\n\t\t\tif len(files) == 0 && errors.Is(err, io.EOF) {\n\t\t\t\terr = c.conn.RemoveDir(folderPath)\n\t\t\t\tc.conn.Log(logger.LevelDebug, \"tried to remove empty dir %q, error: %v\", folderPath, err)\n\t\t\t}\n\t\t}\n\t}\n}\n\n// Start starts the retention check\nfunc (c *RetentionCheck) Start() error {\n\tc.conn.Log(logger.LevelInfo, \"retention check started\")\n\tdefer RetentionChecks.remove(c.conn.User.Username)\n\tdefer c.conn.CloseFS() //nolint:errcheck\n\n\tstartTime := time.Now()\n\tfor _, folder := range c.Folders {\n\t\tif folder.Retention > 0 {\n\t\t\tif err := c.cleanupFolder(folder.Path, 0); err != nil {\n\t\t\t\tc.conn.Log(logger.LevelError, \"retention check failed, unable to cleanup folder %q, elapsed: %s\",\n\t\t\t\t\tfolder.Path, time.Since(startTime))\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t}\n\n\tc.conn.Log(logger.LevelInfo, \"retention check completed, elapsed: %s\", time.Since(startTime))\n\treturn nil\n}\n" }, { "path": "internal/common/dataretention_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"fmt\"\n\t\"testing\"\n\n\t\"github.com/sftpgo/sdk\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nfunc TestRetentionPermissionsAndGetFolder(t *testing.T) {\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"user1\",\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermListItems, dataprovider.PermDelete}\n\tuser.Permissions[\"/dir1\"] = []string{dataprovider.PermListItems}\n\tuser.Permissions[\"/dir2/sub1\"] = []string{dataprovider.PermCreateDirs}\n\tuser.Permissions[\"/dir2/sub2\"] = []string{dataprovider.PermDelete}\n\n\tcheck := RetentionCheck{\n\t\tFolders: []dataprovider.FolderRetention{\n\t\t\t{\n\t\t\t\tPath: \"/dir2\",\n\t\t\t\tRetention: 24 * 7,\n\t\t\t},\n\t\t\t{\n\t\t\t\tPath: \"/dir3\",\n\t\t\t\tRetention: 24 * 7,\n\t\t\t},\n\t\t\t{\n\t\t\t\tPath: \"/dir2/sub1/sub\",\n\t\t\t\tRetention: 24,\n\t\t\t},\n\t\t},\n\t}\n\n\tconn := NewBaseConnection(\"\", \"\", \"\", \"\", user)\n\tconn.SetProtocol(ProtocolDataRetention)\n\tconn.ID = fmt.Sprintf(\"data_retention_%v\", user.Username)\n\tcheck.conn = conn\n\tcheck.updateUserPermissions()\n\tassert.Equal(t, []string{dataprovider.PermAny}, conn.User.Permissions[\"/\"])\n\tassert.Equal(t, []string{dataprovider.PermAny}, conn.User.Permissions[\"/dir1\"])\n\tassert.Equal(t, []string{dataprovider.PermAny}, conn.User.Permissions[\"/dir2/sub1\"])\n\tassert.Equal(t, []string{dataprovider.PermAny}, conn.User.Permissions[\"/dir2/sub2\"])\n\n\t_, err := check.getFolderRetention(\"/\")\n\tassert.Error(t, err)\n\tfolder, err := check.getFolderRetention(\"/dir3\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"/dir3\", folder.Path)\n\tfolder, err = check.getFolderRetention(\"/dir2/sub3\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"/dir2\", folder.Path)\n\tfolder, err = check.getFolderRetention(\"/dir2/sub2\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"/dir2\", folder.Path)\n\tfolder, err = check.getFolderRetention(\"/dir2/sub1\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"/dir2\", folder.Path)\n\tfolder, err = check.getFolderRetention(\"/dir2/sub1/sub/sub\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"/dir2/sub1/sub\", folder.Path)\n}\n\nfunc TestRetentionCheckAddRemove(t *testing.T) {\n\tusername := \"username\"\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username,\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tcheck := RetentionCheck{\n\t\tFolders: []dataprovider.FolderRetention{\n\t\t\t{\n\t\t\t\tPath: \"/\",\n\t\t\t\tRetention: 48,\n\t\t\t},\n\t\t},\n\t}\n\tassert.NotNil(t, RetentionChecks.Add(check, &user))\n\tchecks := RetentionChecks.Get(\"\")\n\trequire.Len(t, checks, 1)\n\tassert.Equal(t, username, checks[0].Username)\n\tassert.Greater(t, checks[0].StartTime, int64(0))\n\trequire.Len(t, checks[0].Folders, 1)\n\tassert.Equal(t, check.Folders[0].Path, checks[0].Folders[0].Path)\n\tassert.Equal(t, check.Folders[0].Retention, checks[0].Folders[0].Retention)\n\n\tassert.Nil(t, RetentionChecks.Add(check, &user))\n\tassert.True(t, RetentionChecks.remove(username))\n\trequire.Len(t, RetentionChecks.Get(\"\"), 0)\n\tassert.False(t, RetentionChecks.remove(username))\n}\n\nfunc TestRetentionCheckRole(t *testing.T) {\n\tusername := \"retuser\"\n\trole1 := \"retrole1\"\n\trole2 := \"retrole2\"\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username,\n\t\t\tRole: role1,\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tcheck := RetentionCheck{\n\t\tFolders: []dataprovider.FolderRetention{\n\t\t\t{\n\t\t\t\tPath: \"/\",\n\t\t\t\tRetention: 48,\n\t\t\t},\n\t\t},\n\t}\n\tassert.NotNil(t, RetentionChecks.Add(check, &user))\n\tchecks := RetentionChecks.Get(\"\")\n\trequire.Len(t, checks, 1)\n\tassert.Empty(t, checks[0].Role)\n\tchecks = RetentionChecks.Get(role1)\n\trequire.Len(t, checks, 1)\n\tchecks = RetentionChecks.Get(role2)\n\trequire.Len(t, checks, 0)\n\tuser.Role = \"\"\n\tassert.Nil(t, RetentionChecks.Add(check, &user))\n\tassert.True(t, RetentionChecks.remove(username))\n\trequire.Len(t, RetentionChecks.Get(\"\"), 0)\n}\n\nfunc TestCleanupErrors(t *testing.T) {\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"u\",\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tcheck := &RetentionCheck{\n\t\tFolders: []dataprovider.FolderRetention{\n\t\t\t{\n\t\t\t\tPath: \"/path\",\n\t\t\t\tRetention: 48,\n\t\t\t},\n\t\t},\n\t}\n\tcheck = RetentionChecks.Add(*check, &user)\n\trequire.NotNil(t, check)\n\n\terr := check.removeFile(\"missing file\", nil)\n\tassert.Error(t, err)\n\n\terr = check.cleanupFolder(\"/\", 0)\n\tassert.Error(t, err)\n\n\terr = check.cleanupFolder(\"/\", 1000)\n\tassert.ErrorIs(t, err, util.ErrRecursionTooDeep)\n\n\tassert.True(t, RetentionChecks.remove(user.Username))\n}\n" }, { "path": "internal/common/defender.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"fmt\"\n\t\"time\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n)\n\n// HostEvent is the enumerable for the supported host events\ntype HostEvent string\n\n// Supported host events\nconst (\n\tHostEventLoginFailed HostEvent = \"LoginFailed\"\n\tHostEventUserNotFound HostEvent = \"UserNotFound\"\n\tHostEventNoLoginTried HostEvent = \"NoLoginTried\"\n\tHostEventLimitExceeded HostEvent = \"LimitExceeded\"\n)\n\n// Supported defender drivers\nconst (\n\tDefenderDriverMemory = \"memory\"\n\tDefenderDriverProvider = \"provider\"\n)\n\nvar (\n\tsupportedDefenderDrivers = []string{DefenderDriverMemory, DefenderDriverProvider}\n)\n\n// Defender defines the interface that a defender must implements\ntype Defender interface {\n\tGetHosts() ([]dataprovider.DefenderEntry, error)\n\tGetHost(ip string) (dataprovider.DefenderEntry, error)\n\tAddEvent(ip, protocol string, event HostEvent) bool\n\tIsBanned(ip, protocol string) bool\n\tIsSafe(ip, protocol string) bool\n\tGetBanTime(ip string) (*time.Time, error)\n\tGetScore(ip string) (int, error)\n\tDeleteHost(ip string) bool\n\tDelayLogin(err error)\n}\n\n// DefenderConfig defines the \"defender\" configuration\ntype DefenderConfig struct {\n\t// Set to true to enable the defender\n\tEnabled bool `json:\"enabled\" mapstructure:\"enabled\"`\n\t// Defender implementation to use, we support \"memory\" and \"provider\".\n\t// Using \"provider\" as driver you can share the defender events among\n\t// multiple SFTPGo instances. For a single instance \"memory\" provider will\n\t// be much faster\n\tDriver string `json:\"driver\" mapstructure:\"driver\"`\n\t// BanTime is the number of minutes that a host is banned\n\tBanTime int `json:\"ban_time\" mapstructure:\"ban_time\"`\n\t// Percentage increase of the ban time if a banned host tries to connect again\n\tBanTimeIncrement int `json:\"ban_time_increment\" mapstructure:\"ban_time_increment\"`\n\t// Threshold value for banning a client\n\tThreshold int `json:\"threshold\" mapstructure:\"threshold\"`\n\t// Score for invalid login attempts, eg. non-existent user accounts\n\tScoreInvalid int `json:\"score_invalid\" mapstructure:\"score_invalid\"`\n\t// Score for valid login attempts, eg. user accounts that exist\n\tScoreValid int `json:\"score_valid\" mapstructure:\"score_valid\"`\n\t// Score for limit exceeded events, generated from the rate limiters or for max connections\n\t// per-host exceeded\n\tScoreLimitExceeded int `json:\"score_limit_exceeded\" mapstructure:\"score_limit_exceeded\"`\n\t// ScoreNoAuth defines the score for clients disconnected without authentication\n\t// attempts\n\tScoreNoAuth int `json:\"score_no_auth\" mapstructure:\"score_no_auth\"`\n\t// Defines the time window, in minutes, for tracking client errors.\n\t// A host is banned if it has exceeded the defined threshold during\n\t// the last observation time minutes\n\tObservationTime int `json:\"observation_time\" mapstructure:\"observation_time\"`\n\t// The number of banned IPs and host scores kept in memory will vary between the\n\t// soft and hard limit for the \"memory\" driver. For the \"provider\" driver the\n\t// soft limit is ignored and the hard limit is used to limit the number of entries\n\t// to return when you request for the entire host list from the defender\n\tEntriesSoftLimit int `json:\"entries_soft_limit\" mapstructure:\"entries_soft_limit\"`\n\tEntriesHardLimit int `json:\"entries_hard_limit\" mapstructure:\"entries_hard_limit\"`\n\t// Configuration to impose a delay between login attempts\n\tLoginDelay LoginDelay `json:\"login_delay\" mapstructure:\"login_delay\"`\n}\n\n// LoginDelay defines the delays to impose between login attempts.\ntype LoginDelay struct {\n\t// The number of milliseconds to pause prior to allowing a successful login\n\tSuccess int `json:\"success\" mapstructure:\"success\"`\n\t// The number of milliseconds to pause prior to reporting a failed login\n\tPasswordFailed int `json:\"password_failed\" mapstructure:\"password_failed\"`\n}\n\ntype baseDefender struct {\n\tconfig *DefenderConfig\n\tipList *dataprovider.IPList\n}\n\nfunc (d *baseDefender) isBanned(ip, protocol string) bool {\n\tisListed, mode, err := d.ipList.IsListed(ip, protocol)\n\tif err != nil {\n\t\treturn false\n\t}\n\tif isListed && mode == dataprovider.ListModeDeny {\n\t\treturn true\n\t}\n\n\treturn false\n}\n\nfunc (d *baseDefender) IsSafe(ip, protocol string) bool {\n\tisListed, mode, err := d.ipList.IsListed(ip, protocol)\n\tif err == nil && isListed && mode == dataprovider.ListModeAllow {\n\t\treturn true\n\t}\n\treturn false\n}\n\nfunc (d *baseDefender) getScore(event HostEvent) int {\n\tvar score int\n\n\tswitch event {\n\tcase HostEventLoginFailed:\n\t\tscore = d.config.ScoreValid\n\tcase HostEventLimitExceeded:\n\t\tscore = d.config.ScoreLimitExceeded\n\tcase HostEventUserNotFound:\n\t\tscore = d.config.ScoreInvalid\n\tcase HostEventNoLoginTried:\n\t\tscore = d.config.ScoreNoAuth\n\t}\n\treturn score\n}\n\n// logEvent logs a defender event that changes a host's score\nfunc (d *baseDefender) logEvent(ip, protocol string, event HostEvent, totalScore int) {\n\t// ignore events which do not change the host score\n\teventScore := d.getScore(event)\n\tif eventScore == 0 {\n\t\treturn\n\t}\n\n\tlogger.GetLogger().Debug().\n\t\tTimestamp().\n\t\tStr(\"sender\", \"defender\").\n\t\tStr(\"client_ip\", ip).\n\t\tStr(\"protocol\", protocol).\n\t\tStr(\"event\", string(event)).\n\t\tInt(\"increase_score_by\", eventScore).\n\t\tInt(\"score\", totalScore).\n\t\tSend()\n}\n\n// logBan logs a host's ban due to a too high host score\nfunc (d *baseDefender) logBan(ip, protocol string) {\n\tlogger.GetLogger().Info().\n\t\tTimestamp().\n\t\tStr(\"sender\", \"defender\").\n\t\tStr(\"client_ip\", ip).\n\t\tStr(\"protocol\", protocol).\n\t\tStr(\"event\", \"banned\").\n\t\tSend()\n}\n\n// DelayLogin applies the configured login delay.\nfunc (d *baseDefender) DelayLogin(err error) {\n\tif err == nil {\n\t\tif d.config.LoginDelay.Success > 0 {\n\t\t\ttime.Sleep(time.Duration(d.config.LoginDelay.Success) * time.Millisecond)\n\t\t}\n\t\treturn\n\t}\n\tif d.config.LoginDelay.PasswordFailed > 0 {\n\t\ttime.Sleep(time.Duration(d.config.LoginDelay.PasswordFailed) * time.Millisecond)\n\t}\n}\n\ntype hostEvent struct {\n\tdateTime time.Time\n\tscore int\n}\n\ntype hostScore struct {\n\tTotalScore int\n\tEvents []hostEvent\n}\n\nfunc (c *DefenderConfig) checkScores() error {\n\tif c.ScoreInvalid < 0 {\n\t\tc.ScoreInvalid = 0\n\t}\n\tif c.ScoreValid < 0 {\n\t\tc.ScoreValid = 0\n\t}\n\tif c.ScoreLimitExceeded < 0 {\n\t\tc.ScoreLimitExceeded = 0\n\t}\n\tif c.ScoreNoAuth < 0 {\n\t\tc.ScoreNoAuth = 0\n\t}\n\tif c.ScoreInvalid == 0 && c.ScoreValid == 0 && c.ScoreLimitExceeded == 0 && c.ScoreNoAuth == 0 {\n\t\treturn fmt.Errorf(\"invalid defender configuration: all scores are disabled\")\n\t}\n\treturn nil\n}\n\n// validate returns an error if the configuration is invalid\nfunc (c *DefenderConfig) validate() error {\n\tif !c.Enabled {\n\t\treturn nil\n\t}\n\tif err := c.checkScores(); err != nil {\n\t\treturn err\n\t}\n\tif c.ScoreInvalid >= c.Threshold {\n\t\treturn fmt.Errorf(\"score_invalid %d cannot be greater than threshold %d\", c.ScoreInvalid, c.Threshold)\n\t}\n\tif c.ScoreValid >= c.Threshold {\n\t\treturn fmt.Errorf(\"score_valid %d cannot be greater than threshold %d\", c.ScoreValid, c.Threshold)\n\t}\n\tif c.ScoreLimitExceeded >= c.Threshold {\n\t\treturn fmt.Errorf(\"score_limit_exceeded %d cannot be greater than threshold %d\", c.ScoreLimitExceeded, c.Threshold)\n\t}\n\tif c.ScoreNoAuth >= c.Threshold {\n\t\treturn fmt.Errorf(\"score_no_auth %d cannot be greater than threshold %d\", c.ScoreNoAuth, c.Threshold)\n\t}\n\tif c.BanTime <= 0 {\n\t\treturn fmt.Errorf(\"invalid ban_time %v\", c.BanTime)\n\t}\n\tif c.BanTimeIncrement <= 0 {\n\t\treturn fmt.Errorf(\"invalid ban_time_increment %v\", c.BanTimeIncrement)\n\t}\n\tif c.ObservationTime <= 0 {\n\t\treturn fmt.Errorf(\"invalid observation_time %v\", c.ObservationTime)\n\t}\n\tif c.EntriesSoftLimit <= 0 {\n\t\treturn fmt.Errorf(\"invalid entries_soft_limit %v\", c.EntriesSoftLimit)\n\t}\n\tif c.EntriesHardLimit <= c.EntriesSoftLimit {\n\t\treturn fmt.Errorf(\"invalid entries_hard_limit %v must be > %v\", c.EntriesHardLimit, c.EntriesSoftLimit)\n\t}\n\n\treturn nil\n}\n" }, { "path": "internal/common/defender_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"encoding/hex\"\n\t\"fmt\"\n\t\"net\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\t\"github.com/yl2chen/cidranger\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n)\n\nfunc TestBasicDefender(t *testing.T) {\n\tentries := []dataprovider.IPListEntry{\n\t\t{\n\t\t\tIPOrNet: \"172.16.1.1/32\",\n\t\t\tType: dataprovider.IPListTypeDefender,\n\t\t\tMode: dataprovider.ListModeDeny,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"172.16.1.2/32\",\n\t\t\tType: dataprovider.IPListTypeDefender,\n\t\t\tMode: dataprovider.ListModeDeny,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"10.8.0.0/24\",\n\t\t\tType: dataprovider.IPListTypeDefender,\n\t\t\tMode: dataprovider.ListModeDeny,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"192.168.1.1/32\",\n\t\t\tType: dataprovider.IPListTypeDefender,\n\t\t\tMode: dataprovider.ListModeDeny,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"192.168.1.2/32\",\n\t\t\tType: dataprovider.IPListTypeDefender,\n\t\t\tMode: dataprovider.ListModeDeny,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"10.8.9.0/24\",\n\t\t\tType: dataprovider.IPListTypeDefender,\n\t\t\tMode: dataprovider.ListModeDeny,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"172.16.1.3/32\",\n\t\t\tType: dataprovider.IPListTypeDefender,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"172.16.1.4/32\",\n\t\t\tType: dataprovider.IPListTypeDefender,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"192.168.8.0/24\",\n\t\t\tType: dataprovider.IPListTypeDefender,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"192.168.1.3/32\",\n\t\t\tType: dataprovider.IPListTypeDefender,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"192.168.1.4/32\",\n\t\t\tType: dataprovider.IPListTypeDefender,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"192.168.9.0/24\",\n\t\t\tType: dataprovider.IPListTypeDefender,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t},\n\t}\n\n\tfor idx := range entries {\n\t\te := entries[idx]\n\t\terr := dataprovider.AddIPListEntry(&e, \"\", \"\", \"\")\n\t\tassert.NoError(t, err)\n\t}\n\n\tconfig := &DefenderConfig{\n\t\tEnabled: true,\n\t\tBanTime: 10,\n\t\tBanTimeIncrement: 2,\n\t\tThreshold: 5,\n\t\tScoreInvalid: 2,\n\t\tScoreValid: 1,\n\t\tScoreNoAuth: 2,\n\t\tScoreLimitExceeded: 3,\n\t\tObservationTime: 15,\n\t\tEntriesSoftLimit: 1,\n\t\tEntriesHardLimit: 2,\n\t}\n\n\td, err := newInMemoryDefender(config)\n\tassert.NoError(t, err)\n\n\tdefender := d.(*memoryDefender)\n\tassert.True(t, defender.IsBanned(\"172.16.1.1\", ProtocolSSH))\n\tassert.True(t, defender.IsBanned(\"192.168.1.1\", ProtocolFTP))\n\tassert.False(t, defender.IsBanned(\"172.16.1.10\", ProtocolSSH))\n\tassert.False(t, defender.IsBanned(\"192.168.1.10\", ProtocolSSH))\n\tassert.False(t, defender.IsBanned(\"10.8.2.3\", ProtocolSSH))\n\tassert.False(t, defender.IsBanned(\"10.9.2.3\", ProtocolSSH))\n\tassert.True(t, defender.IsBanned(\"10.8.0.3\", ProtocolSSH))\n\tassert.True(t, defender.IsBanned(\"10.8.9.3\", ProtocolSSH))\n\tassert.False(t, defender.IsBanned(\"invalid ip\", ProtocolSSH))\n\tassert.Equal(t, 0, defender.countBanned())\n\tassert.Equal(t, 0, defender.countHosts())\n\thosts, err := defender.GetHosts()\n\tassert.NoError(t, err)\n\tassert.Len(t, hosts, 0)\n\t_, err = defender.GetHost(\"10.8.0.4\")\n\tassert.Error(t, err)\n\n\tdefender.AddEvent(\"172.16.1.4\", ProtocolSSH, HostEventLoginFailed)\n\tdefender.AddEvent(\"192.168.1.4\", ProtocolSSH, HostEventLoginFailed)\n\tdefender.AddEvent(\"192.168.8.4\", ProtocolSSH, HostEventUserNotFound)\n\tdefender.AddEvent(\"172.16.1.3\", ProtocolSSH, HostEventLimitExceeded)\n\tdefender.AddEvent(\"192.168.1.3\", ProtocolSSH, HostEventLimitExceeded)\n\tassert.Equal(t, 0, defender.countHosts())\n\n\ttestIP := \"12.34.56.78\"\n\tdefender.AddEvent(testIP, ProtocolSSH, HostEventLoginFailed)\n\tassert.Equal(t, 1, defender.countHosts())\n\tassert.Equal(t, 0, defender.countBanned())\n\tscore, err := defender.GetScore(testIP)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 1, score)\n\thosts, err = defender.GetHosts()\n\tassert.NoError(t, err)\n\tif assert.Len(t, hosts, 1) {\n\t\tassert.Equal(t, 1, hosts[0].Score)\n\t\tassert.True(t, hosts[0].BanTime.IsZero())\n\t\tassert.Empty(t, hosts[0].GetBanTime())\n\t}\n\thost, err := defender.GetHost(testIP)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 1, host.Score)\n\tassert.Empty(t, host.GetBanTime())\n\tbanTime, err := defender.GetBanTime(testIP)\n\tassert.NoError(t, err)\n\tassert.Nil(t, banTime)\n\tdefender.AddEvent(testIP, ProtocolSSH, HostEventLimitExceeded)\n\tassert.Equal(t, 1, defender.countHosts())\n\tassert.Equal(t, 0, defender.countBanned())\n\tscore, err = defender.GetScore(testIP)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 4, score)\n\thosts, err = defender.GetHosts()\n\tassert.NoError(t, err)\n\tif assert.Len(t, hosts, 1) {\n\t\tassert.Equal(t, 4, hosts[0].Score)\n\t\tassert.True(t, hosts[0].BanTime.IsZero())\n\t\tassert.Empty(t, hosts[0].GetBanTime())\n\t}\n\tdefender.AddEvent(testIP, ProtocolSSH, HostEventUserNotFound)\n\tdefender.AddEvent(testIP, ProtocolSSH, HostEventNoLoginTried)\n\tassert.Equal(t, 0, defender.countHosts())\n\tassert.Equal(t, 1, defender.countBanned())\n\tscore, err = defender.GetScore(testIP)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, score)\n\tbanTime, err = defender.GetBanTime(testIP)\n\tassert.NoError(t, err)\n\tassert.NotNil(t, banTime)\n\thosts, err = defender.GetHosts()\n\tassert.NoError(t, err)\n\tif assert.Len(t, hosts, 1) {\n\t\tassert.Equal(t, 0, hosts[0].Score)\n\t\tassert.False(t, hosts[0].BanTime.IsZero())\n\t\tassert.NotEmpty(t, hosts[0].GetBanTime())\n\t\tassert.Equal(t, hex.EncodeToString([]byte(testIP)), hosts[0].GetID())\n\t}\n\thost, err = defender.GetHost(testIP)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, host.Score)\n\tassert.NotEmpty(t, host.GetBanTime())\n\n\t// now test cleanup, testIP is already banned\n\ttestIP1 := \"12.34.56.79\"\n\ttestIP2 := \"12.34.56.80\"\n\ttestIP3 := \"12.34.56.81\"\n\n\tdefender.AddEvent(testIP1, ProtocolSSH, HostEventNoLoginTried)\n\tdefender.AddEvent(testIP2, ProtocolSSH, HostEventNoLoginTried)\n\tassert.Equal(t, 2, defender.countHosts())\n\ttime.Sleep(20 * time.Millisecond)\n\tdefender.AddEvent(testIP3, ProtocolSSH, HostEventNoLoginTried)\n\tassert.Equal(t, defender.config.EntriesSoftLimit, defender.countHosts())\n\t// testIP1 and testIP2 should be removed\n\tassert.Equal(t, defender.config.EntriesSoftLimit, defender.countHosts())\n\tscore, err = defender.GetScore(testIP1)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, score)\n\tscore, err = defender.GetScore(testIP2)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, score)\n\tscore, err = defender.GetScore(testIP3)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 2, score)\n\n\tdefender.AddEvent(testIP3, ProtocolSSH, HostEventNoLoginTried)\n\tdefender.AddEvent(testIP3, ProtocolSSH, HostEventNoLoginTried)\n\t// IP3 is now banned\n\tbanTime, err = defender.GetBanTime(testIP3)\n\tassert.NoError(t, err)\n\tassert.NotNil(t, banTime)\n\tassert.Equal(t, 0, defender.countHosts())\n\n\ttime.Sleep(20 * time.Millisecond)\n\tfor i := 0; i < 3; i++ {\n\t\tdefender.AddEvent(testIP1, ProtocolSSH, HostEventNoLoginTried)\n\t}\n\tassert.Equal(t, 0, defender.countHosts())\n\tassert.Equal(t, config.EntriesSoftLimit, defender.countBanned())\n\tbanTime, err = defender.GetBanTime(testIP)\n\tassert.NoError(t, err)\n\tassert.Nil(t, banTime)\n\tbanTime, err = defender.GetBanTime(testIP3)\n\tassert.NoError(t, err)\n\tassert.Nil(t, banTime)\n\tbanTime, err = defender.GetBanTime(testIP1)\n\tassert.NoError(t, err)\n\tassert.NotNil(t, banTime)\n\n\tfor i := 0; i < 3; i++ {\n\t\tdefender.AddEvent(testIP, ProtocolSSH, HostEventNoLoginTried)\n\t\ttime.Sleep(10 * time.Millisecond)\n\t\tdefender.AddEvent(testIP3, ProtocolSSH, HostEventNoLoginTried)\n\t}\n\tassert.Equal(t, 0, defender.countHosts())\n\tassert.Equal(t, defender.config.EntriesSoftLimit, defender.countBanned())\n\n\tbanTime, err = defender.GetBanTime(testIP3)\n\tassert.NoError(t, err)\n\tif assert.NotNil(t, banTime) {\n\t\tassert.True(t, defender.IsBanned(testIP3, ProtocolFTP))\n\t\t// ban time should increase\n\t\tnewBanTime, err := defender.GetBanTime(testIP3)\n\t\tassert.NoError(t, err)\n\t\tassert.True(t, newBanTime.After(*banTime))\n\t}\n\n\tassert.True(t, defender.DeleteHost(testIP3))\n\tassert.False(t, defender.DeleteHost(testIP3))\n\n\tfor _, e := range entries {\n\t\terr := dataprovider.DeleteIPListEntry(e.IPOrNet, e.Type, \"\", \"\", \"\")\n\t\tassert.NoError(t, err)\n\t}\n}\n\nfunc TestExpiredHostBans(t *testing.T) {\n\tconfig := &DefenderConfig{\n\t\tEnabled: true,\n\t\tBanTime: 10,\n\t\tBanTimeIncrement: 2,\n\t\tThreshold: 5,\n\t\tScoreInvalid: 2,\n\t\tScoreValid: 1,\n\t\tScoreLimitExceeded: 3,\n\t\tObservationTime: 15,\n\t\tEntriesSoftLimit: 1,\n\t\tEntriesHardLimit: 2,\n\t}\n\n\td, err := newInMemoryDefender(config)\n\tassert.NoError(t, err)\n\n\tdefender := d.(*memoryDefender)\n\n\ttestIP := \"1.2.3.4\"\n\tdefender.banned[testIP] = time.Now().Add(-24 * time.Hour)\n\n\t// the ban is expired testIP should not be listed\n\tres, err := defender.GetHosts()\n\tassert.NoError(t, err)\n\tassert.Len(t, res, 0)\n\n\tassert.False(t, defender.IsBanned(testIP, ProtocolFTP))\n\t_, err = defender.GetHost(testIP)\n\tassert.Error(t, err)\n\t_, ok := defender.banned[testIP]\n\tassert.True(t, ok)\n\t// now add an event for an expired banned ip, it should be removed\n\tdefender.AddEvent(testIP, ProtocolFTP, HostEventLoginFailed)\n\tassert.False(t, defender.IsBanned(testIP, ProtocolFTP))\n\tentry, err := defender.GetHost(testIP)\n\tassert.NoError(t, err)\n\tassert.Equal(t, testIP, entry.IP)\n\tassert.Empty(t, entry.GetBanTime())\n\tassert.Equal(t, 1, entry.Score)\n\n\tres, err = defender.GetHosts()\n\tassert.NoError(t, err)\n\tif assert.Len(t, res, 1) {\n\t\tassert.Equal(t, testIP, res[0].IP)\n\t\tassert.Empty(t, res[0].GetBanTime())\n\t\tassert.Equal(t, 1, res[0].Score)\n\t}\n\n\tevents := []hostEvent{\n\t\t{\n\t\t\tdateTime: time.Now().Add(-24 * time.Hour),\n\t\t\tscore: 2,\n\t\t},\n\t\t{\n\t\t\tdateTime: time.Now().Add(-24 * time.Hour),\n\t\t\tscore: 3,\n\t\t},\n\t}\n\n\ths := hostScore{\n\t\tEvents: events,\n\t\tTotalScore: 5,\n\t}\n\n\tdefender.hosts[testIP] = hs\n\t// the recorded scored are too old\n\tres, err = defender.GetHosts()\n\tassert.NoError(t, err)\n\tassert.Len(t, res, 0)\n\t_, err = defender.GetHost(testIP)\n\tassert.Error(t, err)\n\t_, ok = defender.hosts[testIP]\n\tassert.True(t, ok)\n}\n\nfunc TestDefenderCleanup(t *testing.T) {\n\td := memoryDefender{\n\t\tbaseDefender: baseDefender{\n\t\t\tconfig: &DefenderConfig{\n\t\t\t\tObservationTime: 1,\n\t\t\t\tEntriesSoftLimit: 2,\n\t\t\t\tEntriesHardLimit: 3,\n\t\t\t},\n\t\t},\n\t\tbanned: make(map[string]time.Time),\n\t\thosts: make(map[string]hostScore),\n\t}\n\n\td.banned[\"1.1.1.1\"] = time.Now().Add(-24 * time.Hour)\n\td.banned[\"1.1.1.2\"] = time.Now().Add(-24 * time.Hour)\n\td.banned[\"1.1.1.3\"] = time.Now().Add(-24 * time.Hour)\n\td.banned[\"1.1.1.4\"] = time.Now().Add(-24 * time.Hour)\n\n\td.cleanupBanned()\n\tassert.Equal(t, 0, d.countBanned())\n\n\td.banned[\"2.2.2.2\"] = time.Now().Add(2 * time.Minute)\n\td.banned[\"2.2.2.3\"] = time.Now().Add(1 * time.Minute)\n\td.banned[\"2.2.2.4\"] = time.Now().Add(3 * time.Minute)\n\td.banned[\"2.2.2.5\"] = time.Now().Add(4 * time.Minute)\n\n\td.cleanupBanned()\n\tassert.Equal(t, d.config.EntriesSoftLimit, d.countBanned())\n\tbanTime, err := d.GetBanTime(\"2.2.2.3\")\n\tassert.NoError(t, err)\n\tassert.Nil(t, banTime)\n\n\td.hosts[\"3.3.3.3\"] = hostScore{\n\t\tTotalScore: 0,\n\t\tEvents: []hostEvent{\n\t\t\t{\n\t\t\t\tdateTime: time.Now().Add(-5 * time.Minute),\n\t\t\t\tscore: 1,\n\t\t\t},\n\t\t\t{\n\t\t\t\tdateTime: time.Now().Add(-3 * time.Minute),\n\t\t\t\tscore: 1,\n\t\t\t},\n\t\t\t{\n\t\t\t\tdateTime: time.Now(),\n\t\t\t\tscore: 1,\n\t\t\t},\n\t\t},\n\t}\n\td.hosts[\"3.3.3.4\"] = hostScore{\n\t\tTotalScore: 1,\n\t\tEvents: []hostEvent{\n\t\t\t{\n\t\t\t\tdateTime: time.Now().Add(-3 * time.Minute),\n\t\t\t\tscore: 1,\n\t\t\t},\n\t\t},\n\t}\n\td.hosts[\"3.3.3.5\"] = hostScore{\n\t\tTotalScore: 1,\n\t\tEvents: []hostEvent{\n\t\t\t{\n\t\t\t\tdateTime: time.Now().Add(-2 * time.Minute),\n\t\t\t\tscore: 1,\n\t\t\t},\n\t\t},\n\t}\n\td.hosts[\"3.3.3.6\"] = hostScore{\n\t\tTotalScore: 1,\n\t\tEvents: []hostEvent{\n\t\t\t{\n\t\t\t\tdateTime: time.Now().Add(-1 * time.Minute),\n\t\t\t\tscore: 1,\n\t\t\t},\n\t\t},\n\t}\n\n\tscore, err := d.GetScore(\"3.3.3.3\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, 1, score)\n\n\td.cleanupHosts()\n\tassert.Equal(t, d.config.EntriesSoftLimit, d.countHosts())\n\tscore, err = d.GetScore(\"3.3.3.4\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, score)\n}\n\nfunc TestDefenderDelay(t *testing.T) {\n\td := memoryDefender{\n\t\tbaseDefender: baseDefender{\n\t\t\tconfig: &DefenderConfig{\n\t\t\t\tObservationTime: 1,\n\t\t\t\tEntriesSoftLimit: 2,\n\t\t\t\tEntriesHardLimit: 3,\n\t\t\t\tLoginDelay: LoginDelay{\n\t\t\t\t\tSuccess: 50,\n\t\t\t\t\tPasswordFailed: 200,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\tstartTime := time.Now()\n\td.DelayLogin(nil)\n\telapsed := time.Since(startTime)\n\tassert.Less(t, elapsed, time.Millisecond*100)\n\n\tstartTime = time.Now()\n\td.DelayLogin(ErrInternalFailure)\n\telapsed = time.Since(startTime)\n\tassert.Greater(t, elapsed, time.Millisecond*150)\n}\n\nfunc TestDefenderConfig(t *testing.T) {\n\tc := DefenderConfig{}\n\terr := c.validate()\n\trequire.NoError(t, err)\n\n\tc.Enabled = true\n\tc.Threshold = 10\n\tc.ScoreInvalid = 10\n\terr = c.validate()\n\trequire.Error(t, err)\n\n\tc.ScoreInvalid = 2\n\tc.ScoreLimitExceeded = 10\n\terr = c.validate()\n\trequire.Error(t, err)\n\n\tc.ScoreLimitExceeded = 2\n\tc.ScoreValid = 10\n\terr = c.validate()\n\trequire.Error(t, err)\n\n\tc.ScoreValid = 1\n\tc.ScoreNoAuth = 10\n\terr = c.validate()\n\trequire.Error(t, err)\n\n\tc.ScoreNoAuth = 2\n\tc.BanTime = 0\n\terr = c.validate()\n\trequire.Error(t, err)\n\n\tc.BanTime = 30\n\tc.BanTimeIncrement = 0\n\terr = c.validate()\n\trequire.Error(t, err)\n\n\tc.BanTimeIncrement = 50\n\tc.ObservationTime = 0\n\terr = c.validate()\n\trequire.Error(t, err)\n\n\tc.ObservationTime = 30\n\terr = c.validate()\n\trequire.Error(t, err)\n\n\tc.EntriesSoftLimit = 10\n\terr = c.validate()\n\trequire.Error(t, err)\n\n\tc.EntriesHardLimit = 10\n\terr = c.validate()\n\trequire.Error(t, err)\n\n\tc.EntriesHardLimit = 20\n\terr = c.validate()\n\trequire.NoError(t, err)\n\n\tc = DefenderConfig{\n\t\tEnabled: true,\n\t\tScoreInvalid: -1,\n\t\tScoreLimitExceeded: -1,\n\t\tScoreNoAuth: -1,\n\t\tScoreValid: -1,\n\t}\n\terr = c.validate()\n\trequire.Error(t, err)\n\tassert.Equal(t, 0, c.ScoreInvalid)\n\tassert.Equal(t, 0, c.ScoreValid)\n\tassert.Equal(t, 0, c.ScoreLimitExceeded)\n\tassert.Equal(t, 0, c.ScoreNoAuth)\n}\n\nfunc BenchmarkDefenderBannedSearch(b *testing.B) {\n\td := getDefenderForBench()\n\n\tip, ipnet, err := net.ParseCIDR(\"10.8.0.0/12\") // 1048574 ip addresses\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\n\tfor ip := ip.Mask(ipnet.Mask); ipnet.Contains(ip); inc(ip) {\n\t\td.banned[ip.String()] = time.Now().Add(10 * time.Minute)\n\t}\n\n\tb.ResetTimer()\n\n\tfor i := 0; i < b.N; i++ {\n\t\td.IsBanned(\"192.168.1.1\", ProtocolSSH)\n\t}\n}\n\nfunc BenchmarkCleanup(b *testing.B) {\n\td := getDefenderForBench()\n\n\tip, ipnet, err := net.ParseCIDR(\"192.168.4.0/24\")\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\n\tb.ResetTimer()\n\n\tfor i := 0; i < b.N; i++ {\n\t\tfor ip := ip.Mask(ipnet.Mask); ipnet.Contains(ip); inc(ip) {\n\t\t\td.AddEvent(ip.String(), ProtocolSSH, HostEventLoginFailed)\n\t\t\tif d.countHosts() > d.config.EntriesHardLimit {\n\t\t\t\tpanic(\"too many hosts\")\n\t\t\t}\n\t\t\tif d.countBanned() > d.config.EntriesSoftLimit {\n\t\t\t\tpanic(\"too many ip banned\")\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc BenchmarkCIDRanger(b *testing.B) {\n\tranger := cidranger.NewPCTrieRanger()\n\tfor i := 0; i < 255; i++ {\n\t\tcidr := fmt.Sprintf(\"192.168.%d.1/24\", i)\n\t\t_, network, _ := net.ParseCIDR(cidr)\n\t\tif err := ranger.Insert(cidranger.NewBasicRangerEntry(*network)); err != nil {\n\t\t\tpanic(err)\n\t\t}\n\t}\n\n\tipToMatch := net.ParseIP(\"192.167.1.2\")\n\n\tb.ResetTimer()\n\tfor i := 0; i < b.N; i++ {\n\t\tif _, err := ranger.Contains(ipToMatch); err != nil {\n\t\t\tpanic(err)\n\t\t}\n\t}\n}\n\nfunc BenchmarkNetContains(b *testing.B) {\n\tvar nets []*net.IPNet\n\tfor i := 0; i < 255; i++ {\n\t\tcidr := fmt.Sprintf(\"192.168.%d.1/24\", i)\n\t\t_, network, _ := net.ParseCIDR(cidr)\n\t\tnets = append(nets, network)\n\t}\n\n\tipToMatch := net.ParseIP(\"192.167.1.1\")\n\n\tb.ResetTimer()\n\tfor i := 0; i < b.N; i++ {\n\t\tfor _, n := range nets {\n\t\t\tn.Contains(ipToMatch)\n\t\t}\n\t}\n}\n\nfunc getDefenderForBench() *memoryDefender {\n\tconfig := &DefenderConfig{\n\t\tEnabled: true,\n\t\tBanTime: 30,\n\t\tBanTimeIncrement: 50,\n\t\tThreshold: 10,\n\t\tScoreInvalid: 2,\n\t\tScoreValid: 2,\n\t\tObservationTime: 30,\n\t\tEntriesSoftLimit: 50,\n\t\tEntriesHardLimit: 100,\n\t}\n\treturn &memoryDefender{\n\t\tbaseDefender: baseDefender{\n\t\t\tconfig: config,\n\t\t},\n\t\thosts: make(map[string]hostScore),\n\t\tbanned: make(map[string]time.Time),\n\t}\n}\n\nfunc inc(ip net.IP) {\n\tfor j := len(ip) - 1; j >= 0; j-- {\n\t\tip[j]++\n\t\tif ip[j] > 0 {\n\t\t\tbreak\n\t\t}\n\t}\n}\n" }, { "path": "internal/common/defenderdb.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"sync/atomic\"\n\t\"time\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\ntype dbDefender struct {\n\tbaseDefender\n\tlastCleanup atomic.Int64\n}\n\nfunc newDBDefender(config *DefenderConfig) (Defender, error) {\n\terr := config.validate()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tipList, err := dataprovider.NewIPList(dataprovider.IPListTypeDefender)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefender := &dbDefender{\n\t\tbaseDefender: baseDefender{\n\t\t\tconfig: config,\n\t\t\tipList: ipList,\n\t\t},\n\t}\n\tdefender.lastCleanup.Store(0)\n\n\treturn defender, nil\n}\n\n// GetHosts returns hosts that are banned or for which some violations have been detected\nfunc (d *dbDefender) GetHosts() ([]dataprovider.DefenderEntry, error) {\n\treturn dataprovider.GetDefenderHosts(d.getStartObservationTime(), d.config.EntriesHardLimit)\n}\n\n// GetHost returns a defender host by ip, if any\nfunc (d *dbDefender) GetHost(ip string) (dataprovider.DefenderEntry, error) {\n\treturn dataprovider.GetDefenderHostByIP(ip, d.getStartObservationTime())\n}\n\n// IsBanned returns true if the specified IP is banned\n// and increase ban time if the IP is found.\n// This method must be called as soon as the client connects\nfunc (d *dbDefender) IsBanned(ip, protocol string) bool {\n\tif d.isBanned(ip, protocol) {\n\t\treturn true\n\t}\n\n\t_, err := dataprovider.IsDefenderHostBanned(ip)\n\tif err != nil {\n\t\t// not found or another error, we allow this host\n\t\treturn false\n\t}\n\tincrement := d.config.BanTime * d.config.BanTimeIncrement / 100\n\tif increment == 0 {\n\t\tincrement++\n\t}\n\tdataprovider.UpdateDefenderBanTime(ip, increment) //nolint:errcheck\n\treturn true\n}\n\n// DeleteHost removes the specified IP from the defender lists\nfunc (d *dbDefender) DeleteHost(ip string) bool {\n\tif _, err := d.GetHost(ip); err != nil {\n\t\treturn false\n\t}\n\treturn dataprovider.DeleteDefenderHost(ip) == nil\n}\n\n// AddEvent adds an event for the given IP.\n// This method must be called for clients not yet banned.\n// Returns true if the IP is in the defender's safe list.\nfunc (d *dbDefender) AddEvent(ip, protocol string, event HostEvent) bool {\n\tif d.IsSafe(ip, protocol) {\n\t\treturn true\n\t}\n\n\tscore := d.getScore(event)\n\n\thost, err := dataprovider.AddDefenderEvent(ip, score, d.getStartObservationTime())\n\tif err != nil {\n\t\treturn false\n\t}\n\td.logEvent(ip, protocol, event, host.Score)\n\tif host.Score > d.config.Threshold {\n\t\td.logBan(ip, protocol)\n\t\tbanTime := time.Now().Add(time.Duration(d.config.BanTime) * time.Minute)\n\t\terr = dataprovider.SetDefenderBanTime(ip, util.GetTimeAsMsSinceEpoch(banTime))\n\t\tif err == nil {\n\t\t\teventManager.handleIPBlockedEvent(EventParams{\n\t\t\t\tEvent: ipBlockedEventName,\n\t\t\t\tIP: ip,\n\t\t\t\tTimestamp: time.Now(),\n\t\t\t\tStatus: 1,\n\t\t\t})\n\t\t}\n\t}\n\n\tif err == nil {\n\t\td.cleanup()\n\t}\n\treturn false\n}\n\n// GetBanTime returns the ban time for the given IP or nil if the IP is not banned\nfunc (d *dbDefender) GetBanTime(ip string) (*time.Time, error) {\n\thost, err := d.GetHost(ip)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif host.BanTime.IsZero() {\n\t\treturn nil, nil\n\t}\n\treturn &host.BanTime, nil\n}\n\n// GetScore returns the score for the given IP\nfunc (d *dbDefender) GetScore(ip string) (int, error) {\n\thost, err := d.GetHost(ip)\n\tif err != nil {\n\t\treturn 0, err\n\t}\n\treturn host.Score, nil\n}\n\nfunc (d *dbDefender) cleanup() {\n\tlastCleanup := d.getLastCleanup()\n\tif lastCleanup.IsZero() || lastCleanup.Add(time.Duration(d.config.ObservationTime)*time.Minute*3).Before(time.Now()) {\n\t\t// FIXME: this could be racy in rare cases but it is better than acquire the lock for the cleanup duration\n\t\t// or to always acquire a read/write lock.\n\t\t// Concurrent cleanups could happen anyway from multiple SFTPGo instances and should not cause any issues\n\t\td.setLastCleanup(time.Now())\n\t\texpireTime := time.Now().Add(-time.Duration(d.config.ObservationTime+1) * time.Minute)\n\t\tlogger.Debug(logSender, \"\", \"cleanup defender hosts before %v, last cleanup %v\", expireTime, lastCleanup)\n\t\tif err := dataprovider.CleanupDefender(util.GetTimeAsMsSinceEpoch(expireTime)); err != nil {\n\t\t\tlogger.Error(logSender, \"\", \"defender cleanup error, reset last cleanup to %v\", lastCleanup)\n\t\t\td.setLastCleanup(lastCleanup)\n\t\t}\n\t}\n}\n\nfunc (d *dbDefender) getStartObservationTime() int64 {\n\tt := time.Now().Add(-time.Duration(d.config.ObservationTime) * time.Minute)\n\treturn util.GetTimeAsMsSinceEpoch(t)\n}\n\nfunc (d *dbDefender) getLastCleanup() time.Time {\n\tval := d.lastCleanup.Load()\n\tif val == 0 {\n\t\treturn time.Time{}\n\t}\n\treturn util.GetTimeFromMsecSinceEpoch(val)\n}\n\nfunc (d *dbDefender) setLastCleanup(when time.Time) {\n\tif when.IsZero() {\n\t\td.lastCleanup.Store(0)\n\t\treturn\n\t}\n\td.lastCleanup.Store(util.GetTimeAsMsSinceEpoch(when))\n}\n" }, { "path": "internal/common/defenderdb_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"encoding/hex\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/stretchr/testify/assert\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nfunc TestBasicDbDefender(t *testing.T) {\n\tif !isDbDefenderSupported() {\n\t\tt.Skip(\"this test is not supported with the current database provider\")\n\t}\n\tentries := []dataprovider.IPListEntry{\n\t\t{\n\t\t\tIPOrNet: \"172.16.1.1/32\",\n\t\t\tType: dataprovider.IPListTypeDefender,\n\t\t\tMode: dataprovider.ListModeDeny,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"172.16.1.2/32\",\n\t\t\tType: dataprovider.IPListTypeDefender,\n\t\t\tMode: dataprovider.ListModeDeny,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"10.8.0.0/24\",\n\t\t\tType: dataprovider.IPListTypeDefender,\n\t\t\tMode: dataprovider.ListModeDeny,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"172.16.1.3/32\",\n\t\t\tType: dataprovider.IPListTypeDefender,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"172.16.1.4/32\",\n\t\t\tType: dataprovider.IPListTypeDefender,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"192.168.8.0/24\",\n\t\t\tType: dataprovider.IPListTypeDefender,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t},\n\t}\n\n\tfor idx := range entries {\n\t\te := entries[idx]\n\t\terr := dataprovider.AddIPListEntry(&e, \"\", \"\", \"\")\n\t\tassert.NoError(t, err)\n\t}\n\n\tconfig := &DefenderConfig{\n\t\tEnabled: true,\n\t\tBanTime: 10,\n\t\tBanTimeIncrement: 2,\n\t\tThreshold: 5,\n\t\tScoreInvalid: 2,\n\t\tScoreValid: 1,\n\t\tScoreNoAuth: 2,\n\t\tScoreLimitExceeded: 3,\n\t\tObservationTime: 15,\n\t\tEntriesSoftLimit: 1,\n\t\tEntriesHardLimit: 10,\n\t}\n\td, err := newDBDefender(config)\n\tassert.NoError(t, err)\n\tdefender := d.(*dbDefender)\n\tassert.True(t, defender.IsBanned(\"172.16.1.1\", ProtocolFTP))\n\tassert.False(t, defender.IsBanned(\"172.16.1.10\", ProtocolSSH))\n\tassert.False(t, defender.IsBanned(\"10.8.1.3\", ProtocolHTTP))\n\tassert.True(t, defender.IsBanned(\"10.8.0.4\", ProtocolWebDAV))\n\tassert.False(t, defender.IsBanned(\"invalid ip\", ProtocolSSH))\n\thosts, err := defender.GetHosts()\n\tassert.NoError(t, err)\n\tassert.Len(t, hosts, 0)\n\t_, err = defender.GetHost(\"10.8.0.3\")\n\tassert.Error(t, err)\n\n\tdefender.AddEvent(\"172.16.1.4\", ProtocolSSH, HostEventLoginFailed)\n\tdefender.AddEvent(\"192.168.8.4\", ProtocolSSH, HostEventUserNotFound)\n\tdefender.AddEvent(\"172.16.1.3\", ProtocolSSH, HostEventLimitExceeded)\n\thosts, err = defender.GetHosts()\n\tassert.NoError(t, err)\n\tassert.Len(t, hosts, 0)\n\tassert.True(t, defender.getLastCleanup().IsZero())\n\n\ttestIP := \"123.45.67.89\"\n\tdefender.AddEvent(testIP, ProtocolSSH, HostEventLoginFailed)\n\tlastCleanup := defender.getLastCleanup()\n\tassert.False(t, lastCleanup.IsZero())\n\tscore, err := defender.GetScore(testIP)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 1, score)\n\thosts, err = defender.GetHosts()\n\tassert.NoError(t, err)\n\tif assert.Len(t, hosts, 1) {\n\t\tassert.Equal(t, 1, hosts[0].Score)\n\t\tassert.True(t, hosts[0].BanTime.IsZero())\n\t\tassert.Empty(t, hosts[0].GetBanTime())\n\t}\n\thost, err := defender.GetHost(testIP)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 1, host.Score)\n\tassert.Empty(t, host.GetBanTime())\n\tbanTime, err := defender.GetBanTime(testIP)\n\tassert.NoError(t, err)\n\tassert.Nil(t, banTime)\n\tdefender.AddEvent(testIP, ProtocolSSH, HostEventLimitExceeded)\n\tscore, err = defender.GetScore(testIP)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 4, score)\n\thosts, err = defender.GetHosts()\n\tassert.NoError(t, err)\n\tif assert.Len(t, hosts, 1) {\n\t\tassert.Equal(t, 4, hosts[0].Score)\n\t\tassert.True(t, hosts[0].BanTime.IsZero())\n\t\tassert.Empty(t, hosts[0].GetBanTime())\n\t}\n\tdefender.AddEvent(testIP, ProtocolSSH, HostEventNoLoginTried)\n\tdefender.AddEvent(testIP, ProtocolSSH, HostEventNoLoginTried)\n\tscore, err = defender.GetScore(testIP)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, score)\n\tbanTime, err = defender.GetBanTime(testIP)\n\tassert.NoError(t, err)\n\tassert.NotNil(t, banTime)\n\thosts, err = defender.GetHosts()\n\tassert.NoError(t, err)\n\tif assert.Len(t, hosts, 1) {\n\t\tassert.Equal(t, 0, hosts[0].Score)\n\t\tassert.False(t, hosts[0].BanTime.IsZero())\n\t\tassert.NotEmpty(t, hosts[0].GetBanTime())\n\t\tassert.Equal(t, hex.EncodeToString([]byte(testIP)), hosts[0].GetID())\n\t}\n\thost, err = defender.GetHost(testIP)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, host.Score)\n\tassert.NotEmpty(t, host.GetBanTime())\n\t// ban time should increase\n\tassert.True(t, defender.IsBanned(testIP, ProtocolSSH))\n\tnewBanTime, err := defender.GetBanTime(testIP)\n\tassert.NoError(t, err)\n\tassert.True(t, newBanTime.After(*banTime))\n\n\tassert.True(t, defender.DeleteHost(testIP))\n\tassert.False(t, defender.DeleteHost(testIP))\n\t// test cleanup\n\ttestIP1 := \"123.45.67.90\"\n\ttestIP2 := \"123.45.67.91\"\n\ttestIP3 := \"123.45.67.92\"\n\tfor i := 0; i < 3; i++ {\n\t\tdefender.AddEvent(testIP, ProtocolSSH, HostEventUserNotFound)\n\t\tdefender.AddEvent(testIP1, ProtocolSSH, HostEventNoLoginTried)\n\t\tdefender.AddEvent(testIP2, ProtocolSSH, HostEventUserNotFound)\n\t}\n\thosts, err = defender.GetHosts()\n\tassert.NoError(t, err)\n\tassert.Len(t, hosts, 3)\n\tfor _, host := range hosts {\n\t\tassert.Equal(t, 0, host.Score)\n\t\tassert.False(t, host.BanTime.IsZero())\n\t\tassert.NotEmpty(t, host.GetBanTime())\n\t}\n\tdefender.AddEvent(testIP3, ProtocolSSH, HostEventLoginFailed)\n\thosts, err = defender.GetHosts()\n\tassert.NoError(t, err)\n\tassert.Len(t, hosts, 4)\n\t// now set a ban time in the past, so the host will be cleanead up\n\tfor _, ip := range []string{testIP1, testIP2} {\n\t\terr = dataprovider.SetDefenderBanTime(ip, util.GetTimeAsMsSinceEpoch(time.Now().Add(-1*time.Minute)))\n\t\tassert.NoError(t, err)\n\t}\n\thosts, err = defender.GetHosts()\n\tassert.NoError(t, err)\n\tassert.Len(t, hosts, 4)\n\tfor _, host := range hosts {\n\t\tswitch host.IP {\n\t\tcase testIP:\n\t\t\tassert.Equal(t, 0, host.Score)\n\t\t\tassert.False(t, host.BanTime.IsZero())\n\t\t\tassert.NotEmpty(t, host.GetBanTime())\n\t\tcase testIP3:\n\t\t\tassert.Equal(t, 1, host.Score)\n\t\t\tassert.True(t, host.BanTime.IsZero())\n\t\t\tassert.Empty(t, host.GetBanTime())\n\t\tdefault:\n\t\t\tassert.Equal(t, 6, host.Score)\n\t\t\tassert.True(t, host.BanTime.IsZero())\n\t\t\tassert.Empty(t, host.GetBanTime())\n\t\t}\n\t}\n\thost, err = defender.GetHost(testIP)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, host.Score)\n\tassert.False(t, host.BanTime.IsZero())\n\tassert.NotEmpty(t, host.GetBanTime())\n\thost, err = defender.GetHost(testIP3)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 1, host.Score)\n\tassert.True(t, host.BanTime.IsZero())\n\tassert.Empty(t, host.GetBanTime())\n\t// set a negative observation time so the from field in the queries will be in the future\n\t// we still should get the banned hosts\n\tdefender.config.ObservationTime = -2\n\tassert.Greater(t, defender.getStartObservationTime(), time.Now().UnixMilli())\n\thosts, err = defender.GetHosts()\n\tassert.NoError(t, err)\n\tif assert.Len(t, hosts, 1) {\n\t\tassert.Equal(t, testIP, hosts[0].IP)\n\t\tassert.Equal(t, 0, hosts[0].Score)\n\t\tassert.False(t, hosts[0].BanTime.IsZero())\n\t\tassert.NotEmpty(t, hosts[0].GetBanTime())\n\t}\n\t_, err = defender.GetHost(testIP)\n\tassert.NoError(t, err)\n\t// cleanup db\n\terr = dataprovider.CleanupDefender(util.GetTimeAsMsSinceEpoch(time.Now().Add(10 * time.Minute)))\n\tassert.NoError(t, err)\n\t// the banned host must still be there\n\thosts, err = defender.GetHosts()\n\tassert.NoError(t, err)\n\tif assert.Len(t, hosts, 1) {\n\t\tassert.Equal(t, testIP, hosts[0].IP)\n\t\tassert.Equal(t, 0, hosts[0].Score)\n\t\tassert.False(t, hosts[0].BanTime.IsZero())\n\t\tassert.NotEmpty(t, hosts[0].GetBanTime())\n\t}\n\t_, err = defender.GetHost(testIP)\n\tassert.NoError(t, err)\n\terr = dataprovider.SetDefenderBanTime(testIP, util.GetTimeAsMsSinceEpoch(time.Now().Add(-1*time.Minute)))\n\tassert.NoError(t, err)\n\terr = dataprovider.CleanupDefender(util.GetTimeAsMsSinceEpoch(time.Now().Add(10 * time.Minute)))\n\tassert.NoError(t, err)\n\thosts, err = defender.GetHosts()\n\tassert.NoError(t, err)\n\tassert.Len(t, hosts, 0)\n\n\tfor _, e := range entries {\n\t\terr := dataprovider.DeleteIPListEntry(e.IPOrNet, e.Type, \"\", \"\", \"\")\n\t\tassert.NoError(t, err)\n\t}\n}\n\nfunc TestDbDefenderCleanup(t *testing.T) {\n\tif !isDbDefenderSupported() {\n\t\tt.Skip(\"this test is not supported with the current database provider\")\n\t}\n\tconfig := &DefenderConfig{\n\t\tEnabled: true,\n\t\tBanTime: 10,\n\t\tBanTimeIncrement: 2,\n\t\tThreshold: 5,\n\t\tScoreInvalid: 2,\n\t\tScoreValid: 1,\n\t\tScoreLimitExceeded: 3,\n\t\tObservationTime: 15,\n\t\tEntriesSoftLimit: 1,\n\t\tEntriesHardLimit: 10,\n\t}\n\td, err := newDBDefender(config)\n\tassert.NoError(t, err)\n\tdefender := d.(*dbDefender)\n\tlastCleanup := defender.getLastCleanup()\n\tassert.True(t, lastCleanup.IsZero())\n\tdefender.cleanup()\n\tlastCleanup = defender.getLastCleanup()\n\tassert.False(t, lastCleanup.IsZero())\n\tdefender.cleanup()\n\tassert.Equal(t, lastCleanup, defender.getLastCleanup())\n\tdefender.setLastCleanup(time.Time{})\n\tassert.True(t, defender.getLastCleanup().IsZero())\n\tdefender.setLastCleanup(time.Now().Add(-time.Duration(config.ObservationTime) * time.Minute * 4))\n\ttime.Sleep(20 * time.Millisecond)\n\tdefender.cleanup()\n\tassert.True(t, lastCleanup.Before(defender.getLastCleanup()))\n\n\tproviderConf := dataprovider.GetProviderConfig()\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\n\tlastCleanup = util.GetTimeFromMsecSinceEpoch(time.Now().Add(-time.Duration(config.ObservationTime) * time.Minute * 4).UnixMilli())\n\tdefender.setLastCleanup(lastCleanup)\n\tdefender.cleanup()\n\t// cleanup will fail and so last cleanup should be reset to the previous value\n\tassert.Equal(t, lastCleanup, defender.getLastCleanup())\n\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n}\n\nfunc isDbDefenderSupported() bool {\n\t// SQLite shares the implementation with other SQL-based provider but it makes no sense\n\t// to use it outside test cases\n\tswitch dataprovider.GetProviderStatus().Driver {\n\tcase dataprovider.MySQLDataProviderName, dataprovider.PGSQLDataProviderName,\n\t\tdataprovider.CockroachDataProviderName, dataprovider.SQLiteDataProviderName:\n\t\treturn true\n\tdefault:\n\t\treturn false\n\t}\n}\n" }, { "path": "internal/common/defendermem.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"sort\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\ntype memoryDefender struct {\n\tbaseDefender\n\tsync.RWMutex\n\t// IP addresses of the clients trying to connected are stored inside hosts,\n\t// they are added to banned once the thresold is reached.\n\t// A violation from a banned host will increase the ban time\n\t// based on the configured BanTimeIncrement\n\thosts map[string]hostScore // the key is the host IP\n\tbanned map[string]time.Time // the key is the host IP\n}\n\nfunc newInMemoryDefender(config *DefenderConfig) (Defender, error) {\n\terr := config.validate()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tipList, err := dataprovider.NewIPList(dataprovider.IPListTypeDefender)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefender := &memoryDefender{\n\t\tbaseDefender: baseDefender{\n\t\t\tconfig: config,\n\t\t\tipList: ipList,\n\t\t},\n\t\thosts: make(map[string]hostScore),\n\t\tbanned: make(map[string]time.Time),\n\t}\n\n\treturn defender, nil\n}\n\n// GetHosts returns hosts that are banned or for which some violations have been detected\nfunc (d *memoryDefender) GetHosts() ([]dataprovider.DefenderEntry, error) {\n\td.RLock()\n\tdefer d.RUnlock()\n\n\tvar result []dataprovider.DefenderEntry\n\tfor k, v := range d.banned {\n\t\tif v.After(time.Now()) {\n\t\t\tresult = append(result, dataprovider.DefenderEntry{\n\t\t\t\tIP: k,\n\t\t\t\tBanTime: v,\n\t\t\t})\n\t\t}\n\t}\n\tfor k, v := range d.hosts {\n\t\tscore := 0\n\t\tfor _, event := range v.Events {\n\t\t\tif event.dateTime.Add(time.Duration(d.config.ObservationTime) * time.Minute).After(time.Now()) {\n\t\t\t\tscore += event.score\n\t\t\t}\n\t\t}\n\t\tif score > 0 {\n\t\t\tresult = append(result, dataprovider.DefenderEntry{\n\t\t\t\tIP: k,\n\t\t\t\tScore: score,\n\t\t\t})\n\t\t}\n\t}\n\n\treturn result, nil\n}\n\n// GetHost returns a defender host by ip, if any\nfunc (d *memoryDefender) GetHost(ip string) (dataprovider.DefenderEntry, error) {\n\td.RLock()\n\tdefer d.RUnlock()\n\n\tif banTime, ok := d.banned[ip]; ok {\n\t\tif banTime.After(time.Now()) {\n\t\t\treturn dataprovider.DefenderEntry{\n\t\t\t\tIP: ip,\n\t\t\t\tBanTime: banTime,\n\t\t\t}, nil\n\t\t}\n\t}\n\n\tif hs, ok := d.hosts[ip]; ok {\n\t\tscore := 0\n\t\tfor _, event := range hs.Events {\n\t\t\tif event.dateTime.Add(time.Duration(d.config.ObservationTime) * time.Minute).After(time.Now()) {\n\t\t\t\tscore += event.score\n\t\t\t}\n\t\t}\n\t\tif score > 0 {\n\t\t\treturn dataprovider.DefenderEntry{\n\t\t\t\tIP: ip,\n\t\t\t\tScore: score,\n\t\t\t}, nil\n\t\t}\n\t}\n\n\treturn dataprovider.DefenderEntry{}, util.NewRecordNotFoundError(\"host not found\")\n}\n\n// IsBanned returns true if the specified IP is banned\n// and increase ban time if the IP is found.\n// This method must be called as soon as the client connects\nfunc (d *memoryDefender) IsBanned(ip, protocol string) bool {\n\td.RLock()\n\n\tif banTime, ok := d.banned[ip]; ok {\n\t\tif banTime.After(time.Now()) {\n\t\t\tincrement := d.config.BanTime * d.config.BanTimeIncrement / 100\n\t\t\tif increment == 0 {\n\t\t\t\tincrement++\n\t\t\t}\n\n\t\t\td.RUnlock()\n\n\t\t\t// we can save an earlier ban time if there are contemporary updates\n\t\t\t// but this should not make much difference. I prefer to hold a read lock\n\t\t\t// until possible for performance reasons, this method is called each\n\t\t\t// time a new client connects and it must be as fast as possible\n\t\t\td.Lock()\n\t\t\td.banned[ip] = banTime.Add(time.Duration(increment) * time.Minute)\n\t\t\td.Unlock()\n\n\t\t\treturn true\n\t\t}\n\t}\n\n\tdefer d.RUnlock()\n\n\treturn d.isBanned(ip, protocol)\n}\n\n// DeleteHost removes the specified IP from the defender lists\nfunc (d *memoryDefender) DeleteHost(ip string) bool {\n\td.Lock()\n\tdefer d.Unlock()\n\n\tif _, ok := d.banned[ip]; ok {\n\t\tdelete(d.banned, ip)\n\t\treturn true\n\t}\n\n\tif _, ok := d.hosts[ip]; ok {\n\t\tdelete(d.hosts, ip)\n\t\treturn true\n\t}\n\n\treturn false\n}\n\n// AddEvent adds an event for the given IP.\n// This method must be called for clients not yet banned.\n// Returns true if the IP is in the defender's safe list.\nfunc (d *memoryDefender) AddEvent(ip, protocol string, event HostEvent) bool {\n\tif d.IsSafe(ip, protocol) {\n\t\treturn true\n\t}\n\n\td.Lock()\n\tdefer d.Unlock()\n\n\t// ignore events for already banned hosts\n\tif v, ok := d.banned[ip]; ok {\n\t\tif v.After(time.Now()) {\n\t\t\treturn false\n\t\t}\n\t\tdelete(d.banned, ip)\n\t}\n\n\tscore := d.getScore(event)\n\n\tev := hostEvent{\n\t\tdateTime: time.Now(),\n\t\tscore: score,\n\t}\n\n\tif hs, ok := d.hosts[ip]; ok {\n\t\ths.Events = append(hs.Events, ev)\n\t\ths.TotalScore = 0\n\n\t\tidx := 0\n\t\tfor _, event := range hs.Events {\n\t\t\tif event.dateTime.Add(time.Duration(d.config.ObservationTime) * time.Minute).After(time.Now()) {\n\t\t\t\ths.Events[idx] = event\n\t\t\t\ths.TotalScore += event.score\n\t\t\t\tidx++\n\t\t\t}\n\t\t}\n\t\td.logEvent(ip, protocol, event, hs.TotalScore)\n\n\t\ths.Events = hs.Events[:idx]\n\t\tif hs.TotalScore >= d.config.Threshold {\n\t\t\td.logBan(ip, protocol)\n\t\t\td.banned[ip] = time.Now().Add(time.Duration(d.config.BanTime) * time.Minute)\n\t\t\tdelete(d.hosts, ip)\n\t\t\td.cleanupBanned()\n\t\t\teventManager.handleIPBlockedEvent(EventParams{\n\t\t\t\tEvent: ipBlockedEventName,\n\t\t\t\tIP: ip,\n\t\t\t\tTimestamp: time.Now(),\n\t\t\t\tStatus: 1,\n\t\t\t})\n\t\t} else {\n\t\t\td.hosts[ip] = hs\n\t\t}\n\t} else {\n\t\td.logEvent(ip, protocol, event, ev.score)\n\t\td.hosts[ip] = hostScore{\n\t\t\tTotalScore: ev.score,\n\t\t\tEvents: []hostEvent{ev},\n\t\t}\n\t\td.cleanupHosts()\n\t}\n\treturn false\n}\n\nfunc (d *memoryDefender) countBanned() int {\n\td.RLock()\n\tdefer d.RUnlock()\n\n\treturn len(d.banned)\n}\n\nfunc (d *memoryDefender) countHosts() int {\n\td.RLock()\n\tdefer d.RUnlock()\n\n\treturn len(d.hosts)\n}\n\n// GetBanTime returns the ban time for the given IP or nil if the IP is not banned\nfunc (d *memoryDefender) GetBanTime(ip string) (*time.Time, error) {\n\td.RLock()\n\tdefer d.RUnlock()\n\n\tif banTime, ok := d.banned[ip]; ok {\n\t\treturn &banTime, nil\n\t}\n\n\treturn nil, nil\n}\n\n// GetScore returns the score for the given IP\nfunc (d *memoryDefender) GetScore(ip string) (int, error) {\n\td.RLock()\n\tdefer d.RUnlock()\n\n\tscore := 0\n\n\tif hs, ok := d.hosts[ip]; ok {\n\t\tfor _, event := range hs.Events {\n\t\t\tif event.dateTime.Add(time.Duration(d.config.ObservationTime) * time.Minute).After(time.Now()) {\n\t\t\t\tscore += event.score\n\t\t\t}\n\t\t}\n\t}\n\n\treturn score, nil\n}\n\nfunc (d *memoryDefender) cleanupBanned() {\n\tif len(d.banned) > d.config.EntriesHardLimit {\n\t\tkvList := make(kvList, 0, len(d.banned))\n\n\t\tfor k, v := range d.banned {\n\t\t\tif v.Before(time.Now()) {\n\t\t\t\tdelete(d.banned, k)\n\t\t\t}\n\n\t\t\tkvList = append(kvList, kv{\n\t\t\t\tKey: k,\n\t\t\t\tValue: v.UnixNano(),\n\t\t\t})\n\t\t}\n\n\t\t// we removed expired ip addresses, if any, above, this could be enough\n\t\tnumToRemove := len(d.banned) - d.config.EntriesSoftLimit\n\n\t\tif numToRemove <= 0 {\n\t\t\treturn\n\t\t}\n\n\t\tsort.Sort(kvList)\n\n\t\tfor idx, kv := range kvList {\n\t\t\tif idx >= numToRemove {\n\t\t\t\tbreak\n\t\t\t}\n\n\t\t\tdelete(d.banned, kv.Key)\n\t\t}\n\t}\n}\n\nfunc (d *memoryDefender) cleanupHosts() {\n\tif len(d.hosts) > d.config.EntriesHardLimit {\n\t\tkvList := make(kvList, 0, len(d.hosts))\n\n\t\tfor k, v := range d.hosts {\n\t\t\tvalue := int64(0)\n\t\t\tif len(v.Events) > 0 {\n\t\t\t\tvalue = v.Events[len(v.Events)-1].dateTime.UnixNano()\n\t\t\t}\n\t\t\tkvList = append(kvList, kv{\n\t\t\t\tKey: k,\n\t\t\t\tValue: value,\n\t\t\t})\n\t\t}\n\n\t\tsort.Sort(kvList)\n\n\t\tnumToRemove := len(d.hosts) - d.config.EntriesSoftLimit\n\n\t\tfor idx, kv := range kvList {\n\t\t\tif idx >= numToRemove {\n\t\t\t\tbreak\n\t\t\t}\n\n\t\t\tdelete(d.hosts, kv.Key)\n\t\t}\n\t}\n}\n\ntype kv struct {\n\tKey string\n\tValue int64\n}\n\ntype kvList []kv\n\nfunc (p kvList) Len() int { return len(p) }\nfunc (p kvList) Less(i, j int) bool { return p[i].Value < p[j].Value }\nfunc (p kvList) Swap(i, j int) { p[i], p[j] = p[j], p[i] }\n" }, { "path": "internal/common/eventmanager.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"encoding/csv\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"html\"\n\t\"io\"\n\t\"mime\"\n\t\"mime/multipart\"\n\t\"net/http\"\n\t\"net/textproto\"\n\t\"net/url\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"slices\"\n\t\"strconv\"\n\t\"strings\"\n\t\"sync\"\n\t\"sync/atomic\"\n\t\"time\"\n\n\t\"github.com/bmatcuk/doublestar/v4\"\n\t\"github.com/klauspost/compress/zip\"\n\t\"github.com/robfig/cron/v3\"\n\t\"github.com/rs/xid\"\n\t\"github.com/sftpgo/sdk\"\n\t\"github.com/wneessen/go-mail\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n\t\"github.com/drakkan/sftpgo/v2/internal/smtp\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nconst (\n\tipBlockedEventName = \"IP Blocked\"\n\tmaxAttachmentsSize = int64(10 * 1024 * 1024)\n\tobjDataPlaceholder = \"{{.ObjectData}}\"\n\tobjDataPlaceholderString = \"{{.ObjectDataString}}\"\n\tdateTimeMillisFormat = \"2006-01-02T15:04:05.000\"\n)\n\n// Supported IDP login events\nconst (\n\tIDPLoginUser = \"IDP login user\"\n\tIDPLoginAdmin = \"IDP login admin\"\n)\n\nvar (\n\t// eventManager handle the supported event rules actions\n\teventManager eventRulesContainer\n\tmultipartQuoteEscaper = strings.NewReplacer(\"\\\\\", \"\\\\\\\\\", `\"`, \"\\\\\\\"\")\n\tfsEventsWithSize = []string{operationPreDelete, OperationPreUpload, operationDelete,\n\t\toperationCopy, operationDownload, operationFirstUpload, operationFirstDownload,\n\t\toperationUpload}\n)\n\nfunc init() {\n\teventManager = eventRulesContainer{\n\t\tschedulesMapping: make(map[string][]cron.EntryID),\n\t\t// arbitrary maximum number of concurrent asynchronous tasks,\n\t\t// each task could execute multiple actions\n\t\tconcurrencyGuard: make(chan struct{}, 200),\n\t}\n\tdataprovider.SetEventRulesCallbacks(eventManager.loadRules, eventManager.RemoveRule,\n\t\tfunc(operation, executor, ip, objectType, objectName, role string, object plugin.Renderer) {\n\t\t\tp := EventParams{\n\t\t\t\tName: executor,\n\t\t\t\tObjectName: objectName,\n\t\t\t\tEvent: operation,\n\t\t\t\tStatus: 1,\n\t\t\t\tObjectType: objectType,\n\t\t\t\tIP: ip,\n\t\t\t\tRole: role,\n\t\t\t\tTimestamp: time.Now(),\n\t\t\t\tObject: object,\n\t\t\t}\n\t\t\tif u, ok := object.(*dataprovider.User); ok {\n\t\t\t\tp.Email = u.Email\n\t\t\t\tp.Groups = u.Groups\n\t\t\t} else if a, ok := object.(*dataprovider.Admin); ok {\n\t\t\t\tp.Email = a.Email\n\t\t\t}\n\t\t\teventManager.handleProviderEvent(p)\n\t\t})\n}\n\n// HandleCertificateEvent checks and executes action rules for certificate events\nfunc HandleCertificateEvent(params EventParams) {\n\teventManager.handleCertificateEvent(params)\n}\n\n// HandleIDPLoginEvent executes actions defined for a successful login from an Identity Provider\nfunc HandleIDPLoginEvent(params EventParams, customFields *map[string]any) (*dataprovider.User, *dataprovider.Admin, error) {\n\treturn eventManager.handleIDPLoginEvent(params, customFields)\n}\n\n// eventRulesContainer stores event rules by trigger\ntype eventRulesContainer struct {\n\tsync.RWMutex\n\tlastLoad atomic.Int64\n\tFsEvents []dataprovider.EventRule\n\tProviderEvents []dataprovider.EventRule\n\tSchedules []dataprovider.EventRule\n\tIPBlockedEvents []dataprovider.EventRule\n\tCertificateEvents []dataprovider.EventRule\n\tIPDLoginEvents []dataprovider.EventRule\n\tschedulesMapping map[string][]cron.EntryID\n\tconcurrencyGuard chan struct{}\n}\n\nfunc (r *eventRulesContainer) addAsyncTask() {\n\tactiveHooks.Add(1)\n\tr.concurrencyGuard <- struct{}{}\n}\n\nfunc (r *eventRulesContainer) removeAsyncTask() {\n\tactiveHooks.Add(-1)\n\t<-r.concurrencyGuard\n}\n\nfunc (r *eventRulesContainer) getLastLoadTime() int64 {\n\treturn r.lastLoad.Load()\n}\n\nfunc (r *eventRulesContainer) setLastLoadTime(modTime int64) {\n\tr.lastLoad.Store(modTime)\n}\n\n// RemoveRule deletes the rule with the specified name\nfunc (r *eventRulesContainer) RemoveRule(name string) {\n\tr.Lock()\n\tdefer r.Unlock()\n\n\tr.removeRuleInternal(name)\n\teventManagerLog(logger.LevelDebug, \"event rules updated after delete, fs events: %d, provider events: %d, schedules: %d\",\n\t\tlen(r.FsEvents), len(r.ProviderEvents), len(r.Schedules))\n}\n\nfunc (r *eventRulesContainer) removeRuleInternal(name string) {\n\tfor idx := range r.FsEvents {\n\t\tif r.FsEvents[idx].Name == name {\n\t\t\tlastIdx := len(r.FsEvents) - 1\n\t\t\tr.FsEvents[idx] = r.FsEvents[lastIdx]\n\t\t\tr.FsEvents = r.FsEvents[:lastIdx]\n\t\t\teventManagerLog(logger.LevelDebug, \"removed rule %q from fs events\", name)\n\t\t\treturn\n\t\t}\n\t}\n\tfor idx := range r.ProviderEvents {\n\t\tif r.ProviderEvents[idx].Name == name {\n\t\t\tlastIdx := len(r.ProviderEvents) - 1\n\t\t\tr.ProviderEvents[idx] = r.ProviderEvents[lastIdx]\n\t\t\tr.ProviderEvents = r.ProviderEvents[:lastIdx]\n\t\t\teventManagerLog(logger.LevelDebug, \"removed rule %q from provider events\", name)\n\t\t\treturn\n\t\t}\n\t}\n\tfor idx := range r.IPBlockedEvents {\n\t\tif r.IPBlockedEvents[idx].Name == name {\n\t\t\tlastIdx := len(r.IPBlockedEvents) - 1\n\t\t\tr.IPBlockedEvents[idx] = r.IPBlockedEvents[lastIdx]\n\t\t\tr.IPBlockedEvents = r.IPBlockedEvents[:lastIdx]\n\t\t\teventManagerLog(logger.LevelDebug, \"removed rule %q from IP blocked events\", name)\n\t\t\treturn\n\t\t}\n\t}\n\tfor idx := range r.CertificateEvents {\n\t\tif r.CertificateEvents[idx].Name == name {\n\t\t\tlastIdx := len(r.CertificateEvents) - 1\n\t\t\tr.CertificateEvents[idx] = r.CertificateEvents[lastIdx]\n\t\t\tr.CertificateEvents = r.CertificateEvents[:lastIdx]\n\t\t\teventManagerLog(logger.LevelDebug, \"removed rule %q from certificate events\", name)\n\t\t\treturn\n\t\t}\n\t}\n\tfor idx := range r.IPDLoginEvents {\n\t\tif r.IPDLoginEvents[idx].Name == name {\n\t\t\tlastIdx := len(r.IPDLoginEvents) - 1\n\t\t\tr.IPDLoginEvents[idx] = r.IPDLoginEvents[lastIdx]\n\t\t\tr.IPDLoginEvents = r.IPDLoginEvents[:lastIdx]\n\t\t\teventManagerLog(logger.LevelDebug, \"removed rule %q from IDP login events\", name)\n\t\t\treturn\n\t\t}\n\t}\n\tfor idx := range r.Schedules {\n\t\tif r.Schedules[idx].Name == name {\n\t\t\tif schedules, ok := r.schedulesMapping[name]; ok {\n\t\t\t\tfor _, entryID := range schedules {\n\t\t\t\t\teventManagerLog(logger.LevelDebug, \"removing scheduled entry id %d for rule %q\", entryID, name)\n\t\t\t\t\teventScheduler.Remove(entryID)\n\t\t\t\t}\n\t\t\t\tdelete(r.schedulesMapping, name)\n\t\t\t}\n\n\t\t\tlastIdx := len(r.Schedules) - 1\n\t\t\tr.Schedules[idx] = r.Schedules[lastIdx]\n\t\t\tr.Schedules = r.Schedules[:lastIdx]\n\t\t\teventManagerLog(logger.LevelDebug, \"removed rule %q from scheduled events\", name)\n\t\t\treturn\n\t\t}\n\t}\n}\n\nfunc (r *eventRulesContainer) addUpdateRuleInternal(rule dataprovider.EventRule) {\n\tr.removeRuleInternal(rule.Name)\n\tif rule.DeletedAt > 0 {\n\t\tdeletedAt := util.GetTimeFromMsecSinceEpoch(rule.DeletedAt)\n\t\tif deletedAt.Add(30 * time.Minute).Before(time.Now()) {\n\t\t\teventManagerLog(logger.LevelDebug, \"removing rule %q deleted at %s\", rule.Name, deletedAt)\n\t\t\tgo dataprovider.RemoveEventRule(rule) //nolint:errcheck\n\t\t}\n\t\treturn\n\t}\n\tif rule.Status != 1 || rule.Trigger == dataprovider.EventTriggerOnDemand {\n\t\treturn\n\t}\n\tswitch rule.Trigger {\n\tcase dataprovider.EventTriggerFsEvent:\n\t\tr.FsEvents = append(r.FsEvents, rule)\n\t\teventManagerLog(logger.LevelDebug, \"added rule %q to fs events\", rule.Name)\n\tcase dataprovider.EventTriggerProviderEvent:\n\t\tr.ProviderEvents = append(r.ProviderEvents, rule)\n\t\teventManagerLog(logger.LevelDebug, \"added rule %q to provider events\", rule.Name)\n\tcase dataprovider.EventTriggerIPBlocked:\n\t\tr.IPBlockedEvents = append(r.IPBlockedEvents, rule)\n\t\teventManagerLog(logger.LevelDebug, \"added rule %q to IP blocked events\", rule.Name)\n\tcase dataprovider.EventTriggerCertificate:\n\t\tr.CertificateEvents = append(r.CertificateEvents, rule)\n\t\teventManagerLog(logger.LevelDebug, \"added rule %q to certificate events\", rule.Name)\n\tcase dataprovider.EventTriggerIDPLogin:\n\t\tr.IPDLoginEvents = append(r.IPDLoginEvents, rule)\n\t\teventManagerLog(logger.LevelDebug, \"added rule %q to IDP login events\", rule.Name)\n\tcase dataprovider.EventTriggerSchedule:\n\t\tfor _, schedule := range rule.Conditions.Schedules {\n\t\t\tcronSpec := schedule.GetCronSpec()\n\t\t\tjob := &eventCronJob{\n\t\t\t\truleName: dataprovider.ConvertName(rule.Name),\n\t\t\t}\n\t\t\tentryID, err := eventScheduler.AddJob(cronSpec, job)\n\t\t\tif err != nil {\n\t\t\t\teventManagerLog(logger.LevelError, \"unable to add scheduled rule %q, cron string %q: %v\", rule.Name, cronSpec, err)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tr.schedulesMapping[rule.Name] = append(r.schedulesMapping[rule.Name], entryID)\n\t\t\teventManagerLog(logger.LevelDebug, \"schedule for rule %q added, id: %d, cron string %q, active scheduling rules: %d\",\n\t\t\t\trule.Name, entryID, cronSpec, len(r.schedulesMapping))\n\t\t}\n\t\tr.Schedules = append(r.Schedules, rule)\n\t\teventManagerLog(logger.LevelDebug, \"added rule %q to scheduled events\", rule.Name)\n\tdefault:\n\t\teventManagerLog(logger.LevelError, \"unsupported trigger: %d\", rule.Trigger)\n\t}\n}\n\nfunc (r *eventRulesContainer) loadRules() {\n\teventManagerLog(logger.LevelDebug, \"loading updated rules\")\n\tmodTime := util.GetTimeAsMsSinceEpoch(time.Now())\n\tlastLoadTime := r.getLastLoadTime()\n\trules, err := dataprovider.GetRecentlyUpdatedRules(lastLoadTime)\n\tif err != nil {\n\t\teventManagerLog(logger.LevelError, \"unable to load event rules: %v\", err)\n\t\treturn\n\t}\n\teventManagerLog(logger.LevelDebug, \"recently updated event rules loaded: %d\", len(rules))\n\n\tif len(rules) > 0 {\n\t\tr.Lock()\n\t\tdefer r.Unlock()\n\n\t\tfor _, rule := range rules {\n\t\t\tr.addUpdateRuleInternal(rule)\n\t\t}\n\t}\n\teventManagerLog(logger.LevelDebug, \"event rules updated, fs events: %d, provider events: %d, schedules: %d, ip blocked events: %d, certificate events: %d, IDP login events: %d\",\n\t\tlen(r.FsEvents), len(r.ProviderEvents), len(r.Schedules), len(r.IPBlockedEvents), len(r.CertificateEvents), len(r.IPDLoginEvents))\n\n\tr.setLastLoadTime(modTime)\n}\n\nfunc (*eventRulesContainer) checkIPDLoginEventMatch(conditions *dataprovider.EventConditions, params *EventParams) bool {\n\tswitch conditions.IDPLoginEvent {\n\tcase dataprovider.IDPLoginUser:\n\t\tif params.Event != IDPLoginUser {\n\t\t\treturn false\n\t\t}\n\tcase dataprovider.IDPLoginAdmin:\n\t\tif params.Event != IDPLoginAdmin {\n\t\t\treturn false\n\t\t}\n\t}\n\treturn checkEventConditionPatterns(params.Name, conditions.Options.Names)\n}\n\nfunc (*eventRulesContainer) checkProviderEventMatch(conditions *dataprovider.EventConditions, params *EventParams) bool {\n\tif !slices.Contains(conditions.ProviderEvents, params.Event) {\n\t\treturn false\n\t}\n\tif !checkEventConditionPatterns(params.Name, conditions.Options.Names) {\n\t\treturn false\n\t}\n\tif !checkEventGroupConditionPatterns(params.Groups, conditions.Options.GroupNames) {\n\t\treturn false\n\t}\n\tif !checkEventConditionPatterns(params.Role, conditions.Options.RoleNames) {\n\t\treturn false\n\t}\n\tif len(conditions.Options.ProviderObjects) > 0 && !slices.Contains(conditions.Options.ProviderObjects, params.ObjectType) {\n\t\treturn false\n\t}\n\treturn true\n}\n\nfunc (*eventRulesContainer) checkFsEventMatch(conditions *dataprovider.EventConditions, params *EventParams) bool {\n\tif !slices.Contains(conditions.FsEvents, params.Event) {\n\t\treturn false\n\t}\n\tif !checkEventConditionPatterns(params.Name, conditions.Options.Names) {\n\t\treturn false\n\t}\n\tif !checkEventConditionPatterns(params.Role, conditions.Options.RoleNames) {\n\t\treturn false\n\t}\n\tif !checkEventGroupConditionPatterns(params.Groups, conditions.Options.GroupNames) {\n\t\treturn false\n\t}\n\tif !checkEventConditionPatterns(params.VirtualPath, conditions.Options.FsPaths) {\n\t\treturn false\n\t}\n\tif len(conditions.Options.Protocols) > 0 && !slices.Contains(conditions.Options.Protocols, params.Protocol) {\n\t\treturn false\n\t}\n\tif slices.Contains(fsEventsWithSize, params.Event) {\n\t\tif conditions.Options.MinFileSize > 0 {\n\t\t\tif params.FileSize < conditions.Options.MinFileSize {\n\t\t\t\treturn false\n\t\t\t}\n\t\t}\n\t\tif conditions.Options.MaxFileSize > 0 {\n\t\t\tif params.FileSize > conditions.Options.MaxFileSize {\n\t\t\t\treturn false\n\t\t\t}\n\t\t}\n\t}\n\treturn true\n}\n\n// hasFsRules returns true if there are any rules for filesystem event triggers\nfunc (r *eventRulesContainer) hasFsRules() bool {\n\tr.RLock()\n\tdefer r.RUnlock()\n\n\treturn len(r.FsEvents) > 0\n}\n\n// handleFsEvent executes the rules actions defined for the specified event.\n// The boolean parameter indicates whether a sync action was executed\nfunc (r *eventRulesContainer) handleFsEvent(params EventParams) (bool, error) {\n\tif params.Protocol == protocolEventAction {\n\t\treturn false, nil\n\t}\n\tr.RLock()\n\n\tvar rulesWithSyncActions, rulesAsync []dataprovider.EventRule\n\tfor _, rule := range r.FsEvents {\n\t\tif r.checkFsEventMatch(&rule.Conditions, ¶ms) {\n\t\t\tif err := rule.CheckActionsConsistency(\"\"); err != nil {\n\t\t\t\teventManagerLog(logger.LevelWarn, \"rule %q skipped: %v, event %q\",\n\t\t\t\t\trule.Name, err, params.Event)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\thasSyncActions := false\n\t\t\tfor _, action := range rule.Actions {\n\t\t\t\tif action.Options.ExecuteSync {\n\t\t\t\t\thasSyncActions = true\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t\tif hasSyncActions {\n\t\t\t\trulesWithSyncActions = append(rulesWithSyncActions, rule)\n\t\t\t} else {\n\t\t\t\trulesAsync = append(rulesAsync, rule)\n\t\t\t}\n\t\t}\n\t}\n\n\tr.RUnlock()\n\n\tparams.sender = params.Name\n\tparams.addUID()\n\tif len(rulesAsync) > 0 {\n\t\tgo executeAsyncRulesActions(rulesAsync, params)\n\t}\n\n\tif len(rulesWithSyncActions) > 0 {\n\t\treturn true, executeSyncRulesActions(rulesWithSyncActions, params)\n\t}\n\treturn false, nil\n}\n\nfunc (r *eventRulesContainer) handleIDPLoginEvent(params EventParams, customFields *map[string]any) (*dataprovider.User,\n\t*dataprovider.Admin, error,\n) {\n\tr.RLock()\n\n\tvar rulesWithSyncActions, rulesAsync []dataprovider.EventRule\n\tfor _, rule := range r.IPDLoginEvents {\n\t\tif r.checkIPDLoginEventMatch(&rule.Conditions, ¶ms) {\n\t\t\tif err := rule.CheckActionsConsistency(\"\"); err != nil {\n\t\t\t\teventManagerLog(logger.LevelWarn, \"rule %q skipped: %v, event %q\",\n\t\t\t\t\trule.Name, err, params.Event)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\thasSyncActions := false\n\t\t\tfor _, action := range rule.Actions {\n\t\t\t\tif action.Options.ExecuteSync {\n\t\t\t\t\thasSyncActions = true\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t\tif hasSyncActions {\n\t\t\t\trulesWithSyncActions = append(rulesWithSyncActions, rule)\n\t\t\t} else {\n\t\t\t\trulesAsync = append(rulesAsync, rule)\n\t\t\t}\n\t\t}\n\t}\n\n\tr.RUnlock()\n\n\tif len(rulesAsync) == 0 && len(rulesWithSyncActions) == 0 {\n\t\treturn nil, nil, nil\n\t}\n\n\tparams.addIDPCustomFields(customFields)\n\tif len(rulesWithSyncActions) > 1 {\n\t\tvar ruleNames []string\n\t\tfor _, r := range rulesWithSyncActions {\n\t\t\truleNames = append(ruleNames, r.Name)\n\t\t}\n\t\treturn nil, nil, fmt.Errorf(\"more than one account check action rules matches: %q\", strings.Join(ruleNames, \",\"))\n\t}\n\n\tparams.addUID()\n\tif len(rulesAsync) > 0 {\n\t\tgo executeAsyncRulesActions(rulesAsync, params)\n\t}\n\n\tif len(rulesWithSyncActions) > 0 {\n\t\treturn executeIDPAccountCheckRule(rulesWithSyncActions[0], params)\n\t}\n\treturn nil, nil, nil\n}\n\n// username is populated for user objects\nfunc (r *eventRulesContainer) handleProviderEvent(params EventParams) {\n\tr.RLock()\n\tdefer r.RUnlock()\n\n\tvar rules []dataprovider.EventRule\n\tfor _, rule := range r.ProviderEvents {\n\t\tif r.checkProviderEventMatch(&rule.Conditions, ¶ms) {\n\t\t\tif err := rule.CheckActionsConsistency(params.ObjectType); err == nil {\n\t\t\t\trules = append(rules, rule)\n\t\t\t} else {\n\t\t\t\teventManagerLog(logger.LevelWarn, \"rule %q skipped: %v, event %q object type %q\",\n\t\t\t\t\trule.Name, err, params.Event, params.ObjectType)\n\t\t\t}\n\t\t}\n\t}\n\n\tif len(rules) > 0 {\n\t\tparams.sender = params.ObjectName\n\t\tgo executeAsyncRulesActions(rules, params)\n\t}\n}\n\nfunc (r *eventRulesContainer) handleIPBlockedEvent(params EventParams) {\n\tr.RLock()\n\tdefer r.RUnlock()\n\n\tif len(r.IPBlockedEvents) == 0 {\n\t\treturn\n\t}\n\tvar rules []dataprovider.EventRule\n\tfor _, rule := range r.IPBlockedEvents {\n\t\tif err := rule.CheckActionsConsistency(\"\"); err == nil {\n\t\t\trules = append(rules, rule)\n\t\t} else {\n\t\t\teventManagerLog(logger.LevelWarn, \"rule %q skipped: %v, event %q\",\n\t\t\t\trule.Name, err, params.Event)\n\t\t}\n\t}\n\n\tif len(rules) > 0 {\n\t\tgo executeAsyncRulesActions(rules, params)\n\t}\n}\n\nfunc (r *eventRulesContainer) handleCertificateEvent(params EventParams) {\n\tr.RLock()\n\tdefer r.RUnlock()\n\n\tif len(r.CertificateEvents) == 0 {\n\t\treturn\n\t}\n\tvar rules []dataprovider.EventRule\n\tfor _, rule := range r.CertificateEvents {\n\t\tif err := rule.CheckActionsConsistency(\"\"); err == nil {\n\t\t\trules = append(rules, rule)\n\t\t} else {\n\t\t\teventManagerLog(logger.LevelWarn, \"rule %q skipped: %v, event %q\",\n\t\t\t\trule.Name, err, params.Event)\n\t\t}\n\t}\n\n\tif len(rules) > 0 {\n\t\tgo executeAsyncRulesActions(rules, params)\n\t}\n}\n\ntype executedRetentionCheck struct {\n\tUsername string\n\tActionName string\n\tResults []folderRetentionCheckResult\n}\n\n// EventParams defines the supported event parameters\ntype EventParams struct {\n\tName string\n\tGroups []sdk.GroupMapping\n\tEvent string\n\tStatus int\n\tVirtualPath string\n\tFsPath string\n\tVirtualTargetPath string\n\tFsTargetPath string\n\tObjectName string\n\tExtension string\n\tObjectType string\n\tFileSize int64\n\tElapsed int64\n\tProtocol string\n\tIP string\n\tRole string\n\tEmail string\n\tTimestamp time.Time\n\tUID string\n\tIDPCustomFields *map[string]string\n\tObject plugin.Renderer\n\tMetadata map[string]string\n\tsender string\n\tupdateStatusFromError bool\n\terrors []string\n\tretentionChecks []executedRetentionCheck\n}\n\nfunc (p *EventParams) getACopy() *EventParams {\n\tparams := *p\n\tparams.errors = make([]string, len(p.errors))\n\tcopy(params.errors, p.errors)\n\tretentionChecks := make([]executedRetentionCheck, 0, len(p.retentionChecks))\n\tfor _, c := range p.retentionChecks {\n\t\texecutedCheck := executedRetentionCheck{\n\t\t\tUsername: c.Username,\n\t\t\tActionName: c.ActionName,\n\t\t}\n\t\texecutedCheck.Results = make([]folderRetentionCheckResult, len(c.Results))\n\t\tcopy(executedCheck.Results, c.Results)\n\t\tretentionChecks = append(retentionChecks, executedCheck)\n\t}\n\tparams.retentionChecks = retentionChecks\n\tif p.IDPCustomFields != nil {\n\t\tfields := make(map[string]string)\n\t\tfor k, v := range *p.IDPCustomFields {\n\t\t\tfields[k] = v\n\t\t}\n\t\tparams.IDPCustomFields = &fields\n\t}\n\tif len(params.Metadata) > 0 {\n\t\tmetadata := make(map[string]string)\n\t\tfor k, v := range p.Metadata {\n\t\t\tmetadata[k] = v\n\t\t}\n\t\tparams.Metadata = metadata\n\t}\n\n\treturn ¶ms\n}\n\nfunc (p *EventParams) addIDPCustomFields(customFields *map[string]any) {\n\tif customFields == nil || len(*customFields) == 0 {\n\t\treturn\n\t}\n\n\tfields := make(map[string]string)\n\tfor k, v := range *customFields {\n\t\tswitch val := v.(type) {\n\t\tcase string:\n\t\t\tfields[k] = val\n\t\t}\n\t}\n\tp.IDPCustomFields = &fields\n}\n\n// AddError adds a new error to the event params and update the status if needed\nfunc (p *EventParams) AddError(err error) {\n\tif err == nil {\n\t\treturn\n\t}\n\tif p.updateStatusFromError && p.Status == 1 {\n\t\tp.Status = 2\n\t}\n\tp.errors = append(p.errors, err.Error())\n}\n\nfunc (p *EventParams) addUID() {\n\tif p.UID == \"\" {\n\t\tp.UID = util.GenerateUniqueID()\n\t}\n}\n\nfunc (p *EventParams) setBackupParams(backupPath string) {\n\tif p.sender != \"\" {\n\t\treturn\n\t}\n\tp.sender = dataprovider.ActionExecutorSystem\n\tp.FsPath = backupPath\n\tp.ObjectName = filepath.Base(backupPath)\n\tp.VirtualPath = \"/\" + p.ObjectName\n\tp.Timestamp = time.Now()\n\tinfo, err := os.Stat(backupPath)\n\tif err == nil {\n\t\tp.FileSize = info.Size()\n\t}\n}\n\nfunc (p *EventParams) getStatusString() string {\n\tswitch p.Status {\n\tcase 1:\n\t\treturn \"OK\"\n\tdefault:\n\t\treturn \"KO\"\n\t}\n}\n\n// getUsers returns users with group settings not applied\nfunc (p *EventParams) getUsers() ([]dataprovider.User, error) {\n\tif p.sender == \"\" {\n\t\tdump, err := dataprovider.DumpData([]string{dataprovider.DumpScopeUsers})\n\t\tif err != nil {\n\t\t\teventManagerLog(logger.LevelError, \"unable to get users: %+v\", err)\n\t\t\treturn nil, errors.New(\"unable to get users\")\n\t\t}\n\t\treturn dump.Users, nil\n\t}\n\tuser, err := p.getUserFromSender()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn []dataprovider.User{user}, nil\n}\n\nfunc (p *EventParams) getUserFromSender() (dataprovider.User, error) {\n\tif p.sender == dataprovider.ActionExecutorSystem {\n\t\treturn dataprovider.User{\n\t\t\tBaseUser: sdk.BaseUser{\n\t\t\t\tStatus: 1,\n\t\t\t\tUsername: p.sender,\n\t\t\t\tHomeDir: dataprovider.GetBackupsPath(),\n\t\t\t\tPermissions: map[string][]string{\n\t\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t\t},\n\t\t\t},\n\t\t}, nil\n\t}\n\tuser, err := dataprovider.UserExists(p.sender, \"\")\n\tif err != nil {\n\t\teventManagerLog(logger.LevelError, \"unable to get user %q: %+v\", p.sender, err)\n\t\treturn user, fmt.Errorf(\"error getting user %q\", p.sender)\n\t}\n\treturn user, nil\n}\n\nfunc (p *EventParams) getFolders() ([]vfs.BaseVirtualFolder, error) {\n\tif p.sender == \"\" {\n\t\tdump, err := dataprovider.DumpData([]string{dataprovider.DumpScopeFolders})\n\t\treturn dump.Folders, err\n\t}\n\tfolder, err := dataprovider.GetFolderByName(p.sender)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"error getting folder %q: %w\", p.sender, err)\n\t}\n\treturn []vfs.BaseVirtualFolder{folder}, nil\n}\n\nfunc (p *EventParams) getCompressedDataRetentionReport() ([]byte, error) {\n\tif len(p.retentionChecks) == 0 {\n\t\treturn nil, errors.New(\"no data retention report available\")\n\t}\n\tvar b bytes.Buffer\n\tif _, err := p.writeCompressedDataRetentionReports(&b); err != nil {\n\t\treturn nil, err\n\t}\n\treturn b.Bytes(), nil\n}\n\nfunc (p *EventParams) writeCompressedDataRetentionReports(w io.Writer) (int64, error) {\n\tvar n int64\n\twr := zip.NewWriter(w)\n\n\tfor _, check := range p.retentionChecks {\n\t\tdata, err := getCSVRetentionReport(check.Results)\n\t\tif err != nil {\n\t\t\treturn n, fmt.Errorf(\"unable to get CSV report: %w\", err)\n\t\t}\n\t\tdataSize := int64(len(data))\n\t\tn += dataSize\n\t\t// we suppose a 3:1 compression ratio\n\t\tif n > (maxAttachmentsSize * 3) {\n\t\t\teventManagerLog(logger.LevelError, \"unable to get retention report, size too large: %s\",\n\t\t\t\tutil.ByteCountIEC(n))\n\t\t\treturn n, fmt.Errorf(\"unable to get retention report, size too large: %s\", util.ByteCountIEC(n))\n\t\t}\n\n\t\tfh := &zip.FileHeader{\n\t\t\tName: fmt.Sprintf(\"%s-%s.csv\", check.ActionName, check.Username),\n\t\t\tMethod: zip.Deflate,\n\t\t\tModified: time.Now().UTC(),\n\t\t}\n\t\tf, err := wr.CreateHeader(fh)\n\t\tif err != nil {\n\t\t\treturn n, fmt.Errorf(\"unable to create zip header for file %q: %w\", fh.Name, err)\n\t\t}\n\t\t_, err = io.CopyN(f, bytes.NewBuffer(data), dataSize)\n\t\tif err != nil {\n\t\t\treturn n, fmt.Errorf(\"unable to write content to zip file %q: %w\", fh.Name, err)\n\t\t}\n\t}\n\tif err := wr.Close(); err != nil {\n\t\treturn n, fmt.Errorf(\"unable to close zip writer: %w\", err)\n\t}\n\treturn n, nil\n}\n\nfunc (p *EventParams) getRetentionReportsAsMailAttachment() (*mail.File, error) {\n\tif len(p.retentionChecks) == 0 {\n\t\treturn nil, errors.New(\"no data retention report available\")\n\t}\n\treturn &mail.File{\n\t\tName: \"retention-reports.zip\",\n\t\tHeader: make(map[string][]string),\n\t\tWriter: p.writeCompressedDataRetentionReports,\n\t}, nil\n}\n\nfunc (*EventParams) getStringReplacement(val string, escapeMode int) string {\n\tswitch escapeMode {\n\tcase 1:\n\t\treturn util.JSONEscape(val)\n\tcase 2:\n\t\treturn html.EscapeString(val)\n\tdefault:\n\t\treturn val\n\t}\n}\n\nfunc (p *EventParams) getStringReplacements(addObjectData bool, escapeMode int) []string {\n\tvar dateTimeString string\n\tif Config.TZ == \"local\" {\n\t\tdateTimeString = p.Timestamp.Local().Format(dateTimeMillisFormat)\n\t} else {\n\t\tdateTimeString = p.Timestamp.UTC().Format(dateTimeMillisFormat)\n\t}\n\tyear := dateTimeString[0:4]\n\tmonth := dateTimeString[5:7]\n\tday := dateTimeString[8:10]\n\thour := dateTimeString[11:13]\n\tminute := dateTimeString[14:16]\n\n\treplacements := []string{\n\t\t\"{{.Name}}\", p.getStringReplacement(p.Name, escapeMode),\n\t\t\"{{.Event}}\", p.Event,\n\t\t\"{{.Status}}\", fmt.Sprintf(\"%d\", p.Status),\n\t\t\"{{.VirtualPath}}\", p.getStringReplacement(p.VirtualPath, escapeMode),\n\t\t\"{{.EscapedVirtualPath}}\", p.getStringReplacement(url.QueryEscape(p.VirtualPath), escapeMode),\n\t\t\"{{.FsPath}}\", p.getStringReplacement(p.FsPath, escapeMode),\n\t\t\"{{.VirtualTargetPath}}\", p.getStringReplacement(p.VirtualTargetPath, escapeMode),\n\t\t\"{{.FsTargetPath}}\", p.getStringReplacement(p.FsTargetPath, escapeMode),\n\t\t\"{{.ObjectName}}\", p.getStringReplacement(p.ObjectName, escapeMode),\n\t\t\"{{.ObjectBaseName}}\", p.getStringReplacement(strings.TrimSuffix(p.ObjectName, p.Extension), escapeMode),\n\t\t\"{{.ObjectType}}\", p.ObjectType,\n\t\t\"{{.FileSize}}\", strconv.FormatInt(p.FileSize, 10),\n\t\t\"{{.Elapsed}}\", strconv.FormatInt(p.Elapsed, 10),\n\t\t\"{{.Protocol}}\", p.Protocol,\n\t\t\"{{.IP}}\", p.IP,\n\t\t\"{{.Role}}\", p.getStringReplacement(p.Role, escapeMode),\n\t\t\"{{.Email}}\", p.getStringReplacement(p.Email, escapeMode),\n\t\t\"{{.Timestamp}}\", strconv.FormatInt(p.Timestamp.UnixNano(), 10),\n\t\t\"{{.DateTime}}\", dateTimeString,\n\t\t\"{{.Year}}\", year,\n\t\t\"{{.Month}}\", month,\n\t\t\"{{.Day}}\", day,\n\t\t\"{{.Hour}}\", hour,\n\t\t\"{{.Minute}}\", minute,\n\t\t\"{{.StatusString}}\", p.getStatusString(),\n\t\t\"{{.UID}}\", p.getStringReplacement(p.UID, escapeMode),\n\t\t\"{{.Ext}}\", p.getStringReplacement(p.Extension, escapeMode),\n\t}\n\tif p.VirtualPath != \"\" {\n\t\treplacements = append(replacements, \"{{.VirtualDirPath}}\", p.getStringReplacement(path.Dir(p.VirtualPath), escapeMode))\n\t}\n\tif p.VirtualTargetPath != \"\" {\n\t\treplacements = append(replacements, \"{{.VirtualTargetDirPath}}\", p.getStringReplacement(path.Dir(p.VirtualTargetPath), escapeMode))\n\t\treplacements = append(replacements, \"{{.TargetName}}\", p.getStringReplacement(path.Base(p.VirtualTargetPath), escapeMode))\n\t}\n\tif len(p.errors) > 0 {\n\t\treplacements = append(replacements, \"{{.ErrorString}}\", p.getStringReplacement(strings.Join(p.errors, \", \"), escapeMode))\n\t} else {\n\t\treplacements = append(replacements, \"{{.ErrorString}}\", \"\")\n\t}\n\treplacements = append(replacements, objDataPlaceholder, \"{}\")\n\treplacements = append(replacements, objDataPlaceholderString, \"\")\n\tif addObjectData {\n\t\tdata, err := p.Object.RenderAsJSON(p.Event != operationDelete)\n\t\tif err == nil {\n\t\t\tdataString := util.BytesToString(data)\n\t\t\treplacements[len(replacements)-3] = p.getStringReplacement(dataString, 0)\n\t\t\treplacements[len(replacements)-1] = p.getStringReplacement(dataString, 1)\n\t\t}\n\t}\n\tif p.IDPCustomFields != nil {\n\t\tfor k, v := range *p.IDPCustomFields {\n\t\t\treplacements = append(replacements, fmt.Sprintf(\"{{.IDPField%s}}\", k), p.getStringReplacement(v, escapeMode))\n\t\t}\n\t}\n\treplacements = append(replacements, \"{{.Metadata}}\", \"{}\")\n\treplacements = append(replacements, \"{{.MetadataString}}\", \"\")\n\tif len(p.Metadata) > 0 {\n\t\tdata, err := json.Marshal(p.Metadata)\n\t\tif err == nil {\n\t\t\tdataString := util.BytesToString(data)\n\t\t\treplacements[len(replacements)-3] = p.getStringReplacement(dataString, 0)\n\t\t\treplacements[len(replacements)-1] = p.getStringReplacement(dataString, 1)\n\t\t}\n\t}\n\treturn replacements\n}\n\nfunc getCSVRetentionReport(results []folderRetentionCheckResult) ([]byte, error) {\n\tvar b bytes.Buffer\n\tcsvWriter := csv.NewWriter(&b)\n\terr := csvWriter.Write([]string{\"path\", \"retention (hours)\", \"deleted files\", \"deleted size (bytes)\",\n\t\t\"elapsed (ms)\", \"info\", \"error\"})\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tfor _, result := range results {\n\t\terr = csvWriter.Write([]string{result.Path, strconv.Itoa(result.Retention), strconv.Itoa(result.DeletedFiles),\n\t\t\tstrconv.FormatInt(result.DeletedSize, 10), strconv.FormatInt(result.Elapsed.Milliseconds(), 10),\n\t\t\tresult.Info, result.Error})\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t}\n\n\tcsvWriter.Flush()\n\terr = csvWriter.Error()\n\treturn b.Bytes(), err\n}\n\nfunc closeWriterAndUpdateQuota(w io.WriteCloser, conn *BaseConnection, virtualSourcePath, virtualTargetPath string,\n\tnumFiles int, truncatedSize int64, errTransfer error, operation string, startTime time.Time,\n) error {\n\tvar fsDstPath string\n\tvar errDstFs error\n\terrWrite := w.Close()\n\ttargetPath := virtualSourcePath\n\tif virtualTargetPath != \"\" {\n\t\ttargetPath = virtualTargetPath\n\t\tvar fsDst vfs.Fs\n\t\tfsDst, fsDstPath, errDstFs = conn.GetFsAndResolvedPath(virtualTargetPath)\n\t\tif errTransfer != nil && errDstFs == nil {\n\t\t\t// try to remove a partial file on error. If this fails, we can't do anything\n\t\t\terrRemove := fsDst.Remove(fsDstPath, false)\n\t\t\tconn.Log(logger.LevelDebug, \"removing partial file %q after write error, result: %v\", virtualTargetPath, errRemove)\n\t\t}\n\t}\n\tinfo, err := conn.doStatInternal(targetPath, 0, false, false)\n\tif err == nil {\n\t\tupdateUserQuotaAfterFileWrite(conn, targetPath, numFiles, info.Size()-truncatedSize)\n\t\tvar fsSrcPath string\n\t\tvar errSrcFs error\n\t\tif virtualSourcePath != \"\" {\n\t\t\t_, fsSrcPath, errSrcFs = conn.GetFsAndResolvedPath(virtualSourcePath)\n\t\t}\n\t\tif errSrcFs == nil && errDstFs == nil {\n\t\t\telapsed := time.Since(startTime).Nanoseconds() / 1000000\n\t\t\tif errTransfer == nil {\n\t\t\t\terrTransfer = errWrite\n\t\t\t}\n\t\t\tif operation == operationCopy {\n\t\t\t\tlogger.CommandLog(copyLogSender, fsSrcPath, fsDstPath, conn.User.Username, \"\", conn.ID, conn.protocol, -1, -1,\n\t\t\t\t\t\"\", \"\", \"\", info.Size(), conn.localAddr, conn.remoteAddr, elapsed)\n\t\t\t}\n\t\t\tExecuteActionNotification(conn, operation, fsSrcPath, virtualSourcePath, fsDstPath, virtualTargetPath, \"\", info.Size(), errTransfer, elapsed, nil) //nolint:errcheck\n\t\t}\n\t} else {\n\t\teventManagerLog(logger.LevelWarn, \"unable to update quota after writing %q: %v\", targetPath, err)\n\t}\n\tif errTransfer != nil {\n\t\treturn errTransfer\n\t}\n\treturn errWrite\n}\n\nfunc updateUserQuotaAfterFileWrite(conn *BaseConnection, virtualPath string, numFiles int, fileSize int64) {\n\tvfolder, err := conn.User.GetVirtualFolderForPath(path.Dir(virtualPath))\n\tif err != nil {\n\t\tdataprovider.UpdateUserQuota(&conn.User, numFiles, fileSize, false) //nolint:errcheck\n\t\treturn\n\t}\n\tdataprovider.UpdateUserFolderQuota(&vfolder, &conn.User, numFiles, fileSize, false)\n}\n\nfunc checkWriterPermsAndQuota(conn *BaseConnection, virtualPath string, numFiles int, expectedSize, truncatedSize int64) error {\n\tif numFiles == 0 {\n\t\tif !conn.User.HasPerm(dataprovider.PermOverwrite, path.Dir(virtualPath)) {\n\t\t\treturn conn.GetPermissionDeniedError()\n\t\t}\n\t} else {\n\t\tif !conn.User.HasPerm(dataprovider.PermUpload, path.Dir(virtualPath)) {\n\t\t\treturn conn.GetPermissionDeniedError()\n\t\t}\n\t}\n\tq, _ := conn.HasSpace(numFiles > 0, false, virtualPath)\n\tif !q.HasSpace {\n\t\treturn conn.GetQuotaExceededError()\n\t}\n\tif expectedSize != -1 {\n\t\tsizeDiff := expectedSize - truncatedSize\n\t\tif sizeDiff > 0 {\n\t\t\tremainingSize := q.GetRemainingSize()\n\t\t\tif remainingSize > 0 && remainingSize < sizeDiff {\n\t\t\t\treturn conn.GetQuotaExceededError()\n\t\t\t}\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc getFileWriter(conn *BaseConnection, virtualPath string, expectedSize int64) (io.WriteCloser, int, int64, func(), error) {\n\tfs, fsPath, err := conn.GetFsAndResolvedPath(virtualPath)\n\tif err != nil {\n\t\treturn nil, 0, 0, nil, err\n\t}\n\tvar truncatedSize, fileSize int64\n\tnumFiles := 1\n\tisFileOverwrite := false\n\n\tinfo, err := fs.Lstat(fsPath)\n\tif err == nil {\n\t\tfileSize = info.Size()\n\t\tif info.IsDir() {\n\t\t\treturn nil, numFiles, truncatedSize, nil, fmt.Errorf(\"cannot write to a directory: %q\", virtualPath)\n\t\t}\n\t\tif info.Mode().IsRegular() {\n\t\t\tisFileOverwrite = true\n\t\t\ttruncatedSize = fileSize\n\t\t}\n\t\tnumFiles = 0\n\t}\n\tif err != nil && !fs.IsNotExist(err) {\n\t\treturn nil, numFiles, truncatedSize, nil, conn.GetFsError(fs, err)\n\t}\n\tif err := checkWriterPermsAndQuota(conn, virtualPath, numFiles, expectedSize, truncatedSize); err != nil {\n\t\treturn nil, numFiles, truncatedSize, nil, err\n\t}\n\tf, w, cancelFn, err := fs.Create(fsPath, 0, conn.GetCreateChecks(virtualPath, numFiles == 1, false))\n\tif err != nil {\n\t\treturn nil, numFiles, truncatedSize, nil, conn.GetFsError(fs, err)\n\t}\n\tvfs.SetPathPermissions(fs, fsPath, conn.User.GetUID(), conn.User.GetGID())\n\n\tif isFileOverwrite {\n\t\tif vfs.HasTruncateSupport(fs) || vfs.IsCryptOsFs(fs) {\n\t\t\tupdateUserQuotaAfterFileWrite(conn, virtualPath, numFiles, -fileSize)\n\t\t\ttruncatedSize = 0\n\t\t}\n\t}\n\tif cancelFn == nil {\n\t\tcancelFn = func() {}\n\t}\n\tif f != nil {\n\t\treturn f, numFiles, truncatedSize, cancelFn, nil\n\t}\n\treturn w, numFiles, truncatedSize, cancelFn, nil\n}\n\nfunc addZipEntry(wr *zipWriterWrapper, conn *BaseConnection, entryPath, baseDir string, info os.FileInfo, recursion int) error { //nolint:gocyclo\n\tif entryPath == wr.Name {\n\t\t// skip the archive itself\n\t\treturn nil\n\t}\n\tif recursion >= util.MaxRecursion {\n\t\teventManagerLog(logger.LevelError, \"unable to add zip entry %q, recursion too deep: %v\", entryPath, recursion)\n\t\treturn util.ErrRecursionTooDeep\n\t}\n\trecursion++\n\tvar err error\n\tif info == nil {\n\t\tinfo, err = conn.DoStat(entryPath, 1, false)\n\t\tif err != nil {\n\t\t\teventManagerLog(logger.LevelError, \"unable to add zip entry %q, stat error: %v\", entryPath, err)\n\t\t\treturn err\n\t\t}\n\t}\n\tentryName, err := getZipEntryName(entryPath, baseDir)\n\tif err != nil {\n\t\teventManagerLog(logger.LevelError, \"unable to get zip entry name: %v\", err)\n\t\treturn err\n\t}\n\tif _, ok := wr.Entries[entryName]; ok {\n\t\teventManagerLog(logger.LevelInfo, \"skipping duplicate zip entry %q, is dir %t\", entryPath, info.IsDir())\n\t\treturn nil\n\t}\n\twr.Entries[entryName] = true\n\tif info.IsDir() {\n\t\t_, err = wr.Writer.CreateHeader(&zip.FileHeader{\n\t\t\tName: entryName + \"/\",\n\t\t\tMethod: zip.Deflate,\n\t\t\tModified: info.ModTime(),\n\t\t})\n\t\tif err != nil {\n\t\t\teventManagerLog(logger.LevelError, \"unable to create zip entry %q: %v\", entryPath, err)\n\t\t\treturn fmt.Errorf(\"unable to create zip entry %q: %w\", entryPath, err)\n\t\t}\n\t\tlister, err := conn.ListDir(entryPath)\n\t\tif err != nil {\n\t\t\teventManagerLog(logger.LevelError, \"unable to add zip entry %q, get dir lister error: %v\", entryPath, err)\n\t\t\treturn fmt.Errorf(\"unable to add zip entry %q: %w\", entryPath, err)\n\t\t}\n\t\tdefer lister.Close()\n\n\t\tfor {\n\t\t\tcontents, err := lister.Next(vfs.ListerBatchSize)\n\t\t\tfinished := errors.Is(err, io.EOF)\n\t\t\tif err := lister.convertError(err); err != nil {\n\t\t\t\teventManagerLog(logger.LevelError, \"unable to add zip entry %q, read dir error: %v\", entryPath, err)\n\t\t\t\treturn fmt.Errorf(\"unable to add zip entry %q: %w\", entryPath, err)\n\t\t\t}\n\t\t\tfor _, info := range contents {\n\t\t\t\tfullPath := util.CleanPath(path.Join(entryPath, info.Name()))\n\t\t\t\tif err := addZipEntry(wr, conn, fullPath, baseDir, info, recursion); err != nil {\n\t\t\t\t\teventManagerLog(logger.LevelError, \"unable to add zip entry: %v\", err)\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t}\n\t\t\tif finished {\n\t\t\t\treturn nil\n\t\t\t}\n\t\t}\n\t}\n\tif !info.Mode().IsRegular() {\n\t\t// we only allow regular files\n\t\teventManagerLog(logger.LevelInfo, \"skipping zip entry for non regular file %q\", entryPath)\n\t\treturn nil\n\t}\n\n\treturn addFileToZip(wr, conn, entryPath, entryName, info.ModTime())\n}\n\nfunc addFileToZip(wr *zipWriterWrapper, conn *BaseConnection, entryPath, entryName string, modTime time.Time) error {\n\treader, cancelFn, err := getFileReader(conn, entryPath)\n\tif err != nil {\n\t\teventManagerLog(logger.LevelError, \"unable to add zip entry %q, cannot open file: %v\", entryPath, err)\n\t\treturn fmt.Errorf(\"unable to open %q: %w\", entryPath, err)\n\t}\n\tdefer cancelFn()\n\tdefer reader.Close()\n\n\tf, err := wr.Writer.CreateHeader(&zip.FileHeader{\n\t\tName: entryName,\n\t\tMethod: zip.Deflate,\n\t\tModified: modTime,\n\t})\n\tif err != nil {\n\t\teventManagerLog(logger.LevelError, \"unable to create zip entry %q: %v\", entryPath, err)\n\t\treturn fmt.Errorf(\"unable to create zip entry %q: %w\", entryPath, err)\n\t}\n\t_, err = io.Copy(f, reader)\n\treturn err\n}\n\nfunc getZipEntryName(entryPath, baseDir string) (string, error) {\n\tif !strings.HasPrefix(entryPath, baseDir) {\n\t\treturn \"\", fmt.Errorf(\"entry path %q is outside base dir %q\", entryPath, baseDir)\n\t}\n\tentryPath = strings.TrimPrefix(entryPath, baseDir)\n\treturn strings.TrimPrefix(entryPath, \"/\"), nil\n}\n\nfunc getFileReader(conn *BaseConnection, virtualPath string) (io.ReadCloser, func(), error) {\n\tif !conn.User.HasPerm(dataprovider.PermDownload, path.Dir(virtualPath)) {\n\t\treturn nil, nil, conn.GetPermissionDeniedError()\n\t}\n\tfs, fsPath, err := conn.GetFsAndResolvedPath(virtualPath)\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\tf, r, cancelFn, err := fs.Open(fsPath, 0)\n\tif err != nil {\n\t\treturn nil, nil, conn.GetFsError(fs, err)\n\t}\n\tif cancelFn == nil {\n\t\tcancelFn = func() {}\n\t}\n\n\tif f != nil {\n\t\treturn f, cancelFn, nil\n\t}\n\treturn r, cancelFn, nil\n}\n\nfunc writeFileContent(conn *BaseConnection, virtualPath string, w io.Writer) error {\n\treader, cancelFn, err := getFileReader(conn, virtualPath)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tdefer cancelFn()\n\tdefer reader.Close()\n\n\t_, err = io.Copy(w, reader)\n\treturn err\n}\n\nfunc getFileContentFn(conn *BaseConnection, virtualPath string, size int64) func(w io.Writer) (int64, error) {\n\treturn func(w io.Writer) (int64, error) {\n\t\treader, cancelFn, err := getFileReader(conn, virtualPath)\n\t\tif err != nil {\n\t\t\treturn 0, err\n\t\t}\n\n\t\tdefer cancelFn()\n\t\tdefer reader.Close()\n\n\t\treturn io.CopyN(w, reader, size)\n\t}\n}\n\nfunc getMailAttachments(conn *BaseConnection, attachments []string, replacer *strings.Replacer) ([]*mail.File, error) {\n\tvar files []*mail.File\n\ttotalSize := int64(0)\n\n\tfor _, virtualPath := range replacePathsPlaceholders(attachments, replacer) {\n\t\tinfo, err := conn.DoStat(virtualPath, 0, false)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"unable to get info for file %q, user %q: %w\", virtualPath, conn.User.Username, err)\n\t\t}\n\t\tif !info.Mode().IsRegular() {\n\t\t\treturn nil, fmt.Errorf(\"cannot attach non regular file %q\", virtualPath)\n\t\t}\n\t\ttotalSize += info.Size()\n\t\tif totalSize > maxAttachmentsSize {\n\t\t\treturn nil, fmt.Errorf(\"unable to send files as attachment, size too large: %s\", util.ByteCountIEC(totalSize))\n\t\t}\n\t\tfiles = append(files, &mail.File{\n\t\t\tName: path.Base(virtualPath),\n\t\t\tHeader: make(map[string][]string),\n\t\t\tWriter: getFileContentFn(conn, virtualPath, info.Size()),\n\t\t})\n\t}\n\treturn files, nil\n}\n\nfunc replaceWithReplacer(input string, replacer *strings.Replacer) string {\n\tif !strings.Contains(input, \"{{.\") {\n\t\treturn input\n\t}\n\treturn replacer.Replace(input)\n}\n\nfunc checkEventConditionPattern(p dataprovider.ConditionPattern, name string) bool {\n\tvar matched bool\n\tvar err error\n\tif strings.Contains(p.Pattern, \"**\") {\n\t\tmatched, err = doublestar.Match(p.Pattern, name)\n\t} else {\n\t\tmatched, err = path.Match(p.Pattern, name)\n\t}\n\tif err != nil {\n\t\teventManagerLog(logger.LevelError, \"pattern matching error %q, err: %v\", p.Pattern, err)\n\t\treturn false\n\t}\n\tif p.InverseMatch {\n\t\treturn !matched\n\t}\n\treturn matched\n}\n\nfunc checkUserConditionOptions(user *dataprovider.User, conditions *dataprovider.ConditionOptions) bool {\n\tif !checkEventConditionPatterns(user.Username, conditions.Names) {\n\t\treturn false\n\t}\n\tif !checkEventConditionPatterns(user.Role, conditions.RoleNames) {\n\t\treturn false\n\t}\n\tif !checkEventGroupConditionPatterns(user.Groups, conditions.GroupNames) {\n\t\treturn false\n\t}\n\treturn true\n}\n\n// checkEventConditionPatterns returns false if patterns are defined and no match is found\nfunc checkEventConditionPatterns(name string, patterns []dataprovider.ConditionPattern) bool {\n\tif len(patterns) == 0 {\n\t\treturn true\n\t}\n\tmatches := false\n\tfor _, p := range patterns {\n\t\t// assume, that multiple InverseMatches are set\n\t\tif p.InverseMatch {\n\t\t\tif checkEventConditionPattern(p, name) {\n\t\t\t\tmatches = true\n\t\t\t} else {\n\t\t\t\treturn false\n\t\t\t}\n\t\t} else if checkEventConditionPattern(p, name) {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn matches\n}\n\nfunc checkEventGroupConditionPatterns(groups []sdk.GroupMapping, patterns []dataprovider.ConditionPattern) bool {\n\tif len(patterns) == 0 {\n\t\treturn true\n\t}\n\tmatches := false\n\tfor _, group := range groups {\n\t\tfor _, p := range patterns {\n\t\t\t// assume, that multiple InverseMatches are set\n\t\t\tif p.InverseMatch {\n\t\t\t\tif checkEventConditionPattern(p, group.Name) {\n\t\t\t\t\tmatches = true\n\t\t\t\t} else {\n\t\t\t\t\treturn false\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tif checkEventConditionPattern(p, group.Name) {\n\t\t\t\t\treturn true\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\treturn matches\n}\n\nfunc getHTTPRuleActionEndpoint(c *dataprovider.EventActionHTTPConfig, replacer *strings.Replacer) (string, error) {\n\tu, err := url.Parse(c.Endpoint)\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"invalid endpoint: %w\", err)\n\t}\n\tif strings.Contains(u.Path, \"{{.\") {\n\t\tpathComponents := strings.Split(u.Path, \"/\")\n\t\tfor idx := range pathComponents {\n\t\t\tpart := replaceWithReplacer(pathComponents[idx], replacer)\n\t\t\tif part != pathComponents[idx] {\n\t\t\t\tpathComponents[idx] = url.PathEscape(part)\n\t\t\t}\n\t\t}\n\t\tu.Path = \"\"\n\t\tu = u.JoinPath(pathComponents...)\n\t}\n\tif len(c.QueryParameters) > 0 {\n\t\tq := u.Query()\n\n\t\tfor _, keyVal := range c.QueryParameters {\n\t\t\tq.Add(keyVal.Key, replaceWithReplacer(keyVal.Value, replacer))\n\t\t}\n\n\t\tu.RawQuery = q.Encode()\n\t}\n\treturn u.String(), nil\n}\n\nfunc writeHTTPPart(m *multipart.Writer, part dataprovider.HTTPPart, h textproto.MIMEHeader,\n\tconn *BaseConnection, replacer *strings.Replacer, params *EventParams, addObjectData bool,\n) error {\n\tpartWriter, err := m.CreatePart(h)\n\tif err != nil {\n\t\teventManagerLog(logger.LevelError, \"unable to create part %q, err: %v\", part.Name, err)\n\t\treturn err\n\t}\n\tif part.Body != \"\" {\n\t\tcType := h.Get(\"Content-Type\")\n\t\tif strings.Contains(strings.ToLower(cType), \"application/json\") {\n\t\t\treplacements := params.getStringReplacements(addObjectData, 1)\n\t\t\tjsonReplacer := strings.NewReplacer(replacements...)\n\t\t\t_, err = partWriter.Write(util.StringToBytes(replaceWithReplacer(part.Body, jsonReplacer)))\n\t\t} else {\n\t\t\t_, err = partWriter.Write(util.StringToBytes(replaceWithReplacer(part.Body, replacer)))\n\t\t}\n\t\tif err != nil {\n\t\t\teventManagerLog(logger.LevelError, \"unable to write part %q, err: %v\", part.Name, err)\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t}\n\tif part.Filepath == dataprovider.RetentionReportPlaceHolder {\n\t\tdata, err := params.getCompressedDataRetentionReport()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = partWriter.Write(data)\n\t\tif err != nil {\n\t\t\teventManagerLog(logger.LevelError, \"unable to write part %q, err: %v\", part.Name, err)\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t}\n\terr = writeFileContent(conn, util.CleanPath(replacer.Replace(part.Filepath)), partWriter)\n\tif err != nil {\n\t\teventManagerLog(logger.LevelError, \"unable to write file part %q, err: %v\", part.Name, err)\n\t\treturn err\n\t}\n\treturn nil\n}\n\nfunc getHTTPRuleActionBody(c *dataprovider.EventActionHTTPConfig, replacer *strings.Replacer, //nolint:gocyclo\n\tcancel context.CancelFunc, user dataprovider.User, params *EventParams, addObjectData bool,\n) (io.Reader, string, error) {\n\tvar body io.Reader\n\tif c.Method == http.MethodGet {\n\t\treturn body, \"\", nil\n\t}\n\tif c.Body != \"\" {\n\t\tif c.Body == dataprovider.RetentionReportPlaceHolder {\n\t\t\tdata, err := params.getCompressedDataRetentionReport()\n\t\t\tif err != nil {\n\t\t\t\treturn body, \"\", err\n\t\t\t}\n\t\t\treturn bytes.NewBuffer(data), \"\", nil\n\t\t}\n\t\tif c.HasJSONBody() {\n\t\t\treplacements := params.getStringReplacements(addObjectData, 1)\n\t\t\tjsonReplacer := strings.NewReplacer(replacements...)\n\t\t\treturn bytes.NewBufferString(replaceWithReplacer(c.Body, jsonReplacer)), \"\", nil\n\t\t}\n\t\treturn bytes.NewBufferString(replaceWithReplacer(c.Body, replacer)), \"\", nil\n\t}\n\tif len(c.Parts) > 0 {\n\t\tr, w := io.Pipe()\n\t\tm := multipart.NewWriter(w)\n\n\t\tvar conn *BaseConnection\n\t\tif user.Username != \"\" {\n\t\t\tvar err error\n\t\t\tif err := getUserForEventAction(&user); err != nil {\n\t\t\t\treturn body, \"\", err\n\t\t\t}\n\t\t\tconnectionID := fmt.Sprintf(\"%s_%s\", protocolEventAction, xid.New().String())\n\t\t\terr = user.CheckFsRoot(connectionID)\n\t\t\tif err != nil {\n\t\t\t\tuser.CloseFs() //nolint:errcheck\n\t\t\t\treturn body, \"\", fmt.Errorf(\"error getting multipart file/s, unable to check root fs for user %q: %w\",\n\t\t\t\t\tuser.Username, err)\n\t\t\t}\n\t\t\tconn = NewBaseConnection(connectionID, protocolEventAction, \"\", \"\", user)\n\t\t}\n\n\t\tgo func() {\n\t\t\tdefer w.Close()\n\t\t\tdefer user.CloseFs() //nolint:errcheck\n\t\t\tif conn != nil {\n\t\t\t\tdefer conn.CloseFS() //nolint:errcheck\n\t\t\t}\n\n\t\t\tfor _, part := range c.Parts {\n\t\t\t\th := make(textproto.MIMEHeader)\n\t\t\t\tif part.Body != \"\" {\n\t\t\t\t\th.Set(\"Content-Disposition\", fmt.Sprintf(`form-data; name=\"%s\"`, multipartQuoteEscaper.Replace(part.Name)))\n\t\t\t\t} else {\n\t\t\t\t\th.Set(\"Content-Disposition\",\n\t\t\t\t\t\tfmt.Sprintf(`form-data; name=\"%s\"; filename=\"%s\"`,\n\t\t\t\t\t\t\tmultipartQuoteEscaper.Replace(part.Name),\n\t\t\t\t\t\t\tmultipartQuoteEscaper.Replace((path.Base(replaceWithReplacer(part.Filepath, replacer))))))\n\t\t\t\t\tcontentType := mime.TypeByExtension(path.Ext(part.Filepath))\n\t\t\t\t\tif contentType == \"\" {\n\t\t\t\t\t\tcontentType = \"application/octet-stream\"\n\t\t\t\t\t}\n\t\t\t\t\th.Set(\"Content-Type\", contentType)\n\t\t\t\t}\n\t\t\t\tfor _, keyVal := range part.Headers {\n\t\t\t\t\th.Set(keyVal.Key, replaceWithReplacer(keyVal.Value, replacer))\n\t\t\t\t}\n\t\t\t\tif err := writeHTTPPart(m, part, h, conn, replacer, params, addObjectData); err != nil {\n\t\t\t\t\tcancel()\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t}\n\t\t\tm.Close()\n\t\t}()\n\n\t\treturn r, m.FormDataContentType(), nil\n\t}\n\treturn body, \"\", nil\n}\n\nfunc setHTTPReqHeaders(req *http.Request, c *dataprovider.EventActionHTTPConfig, replacer *strings.Replacer,\n\tcontentType string,\n) {\n\tif contentType != \"\" {\n\t\treq.Header.Set(\"Content-Type\", contentType)\n\t}\n\tif c.Username != \"\" || c.Password.GetPayload() != \"\" {\n\t\treq.SetBasicAuth(replaceWithReplacer(c.Username, replacer), c.Password.GetPayload())\n\t}\n\tfor _, keyVal := range c.Headers {\n\t\treq.Header.Set(keyVal.Key, replaceWithReplacer(keyVal.Value, replacer))\n\t}\n}\n\nfunc executeHTTPRuleAction(c dataprovider.EventActionHTTPConfig, params *EventParams) error {\n\tif err := c.TryDecryptPassword(); err != nil {\n\t\treturn err\n\t}\n\taddObjectData := false\n\tif params.Object != nil {\n\t\taddObjectData = c.HasObjectData()\n\t}\n\n\treplacements := params.getStringReplacements(addObjectData, 0)\n\treplacer := strings.NewReplacer(replacements...)\n\tendpoint, err := getHTTPRuleActionEndpoint(&c, replacer)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tctx, cancel := c.GetContext()\n\tdefer cancel()\n\n\tvar user dataprovider.User\n\tif c.HasMultipartFiles() {\n\t\tuser, err = params.getUserFromSender()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tbody, contentType, err := getHTTPRuleActionBody(&c, replacer, cancel, user, params, addObjectData)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif body != nil {\n\t\trc, ok := body.(io.ReadCloser)\n\t\tif ok {\n\t\t\tdefer rc.Close()\n\t\t}\n\t}\n\treq, err := http.NewRequestWithContext(ctx, c.Method, endpoint, body)\n\tif err != nil {\n\t\treturn err\n\t}\n\tsetHTTPReqHeaders(req, &c, replacer, contentType)\n\n\tclient := c.GetHTTPClient()\n\tdefer client.CloseIdleConnections()\n\n\tstartTime := time.Now()\n\tresp, err := client.Do(req)\n\tif err != nil {\n\t\teventManagerLog(logger.LevelDebug, \"unable to send http notification, endpoint: %s, elapsed: %s, err: %v\",\n\t\t\tendpoint, time.Since(startTime), err)\n\t\treturn fmt.Errorf(\"error sending HTTP request: %w\", err)\n\t}\n\tdefer resp.Body.Close()\n\n\teventManagerLog(logger.LevelDebug, \"http notification sent, endpoint: %s, elapsed: %s, status code: %d\",\n\t\tendpoint, time.Since(startTime), resp.StatusCode)\n\tif resp.StatusCode < http.StatusOK || resp.StatusCode > http.StatusNoContent {\n\t\tif rb, err := io.ReadAll(io.LimitReader(resp.Body, 2048)); err == nil {\n\t\t\teventManagerLog(logger.LevelDebug, \"error notification response from endpoint %q: %s\",\n\t\t\t\tendpoint, rb)\n\t\t}\n\t\treturn fmt.Errorf(\"unexpected status code: %d\", resp.StatusCode)\n\t}\n\n\treturn nil\n}\n\nfunc executeCommandRuleAction(c dataprovider.EventActionCommandConfig, params *EventParams) error {\n\tif !dataprovider.IsActionCommandAllowed(c.Cmd) {\n\t\treturn fmt.Errorf(\"command %q is not allowed\", c.Cmd)\n\t}\n\taddObjectData := false\n\tif params.Object != nil {\n\t\tfor _, k := range c.EnvVars {\n\t\t\tif strings.Contains(k.Value, objDataPlaceholder) || strings.Contains(k.Value, objDataPlaceholderString) {\n\t\t\t\taddObjectData = true\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t}\n\treplacements := params.getStringReplacements(addObjectData, 0)\n\treplacer := strings.NewReplacer(replacements...)\n\n\targs := make([]string, 0, len(c.Args))\n\tfor _, arg := range c.Args {\n\t\targs = append(args, replaceWithReplacer(arg, replacer))\n\t}\n\n\tctx, cancel := context.WithTimeout(context.Background(), time.Duration(c.Timeout)*time.Second)\n\tdefer cancel()\n\n\tcmd := exec.CommandContext(ctx, c.Cmd, args...)\n\tcmd.Env = []string{}\n\tfor _, keyVal := range c.EnvVars {\n\t\tif keyVal.Value == \"$\" && !strings.HasPrefix(strings.ToUpper(keyVal.Key), \"SFTPGO_\") {\n\t\t\tval := os.Getenv(keyVal.Key)\n\t\t\tif val == \"\" {\n\t\t\t\teventManagerLog(logger.LevelDebug, \"empty value for environment variable %q\", keyVal.Key)\n\t\t\t}\n\t\t\tcmd.Env = append(cmd.Env, fmt.Sprintf(\"%s=%s\", keyVal.Key, val))\n\t\t} else {\n\t\t\tcmd.Env = append(cmd.Env, fmt.Sprintf(\"%s=%s\", keyVal.Key, replaceWithReplacer(keyVal.Value, replacer)))\n\t\t}\n\t}\n\n\tstartTime := time.Now()\n\terr := cmd.Run()\n\n\teventManagerLog(logger.LevelDebug, \"executed command %q, elapsed: %s, error: %v\",\n\t\tc.Cmd, time.Since(startTime), err)\n\n\treturn err\n}\n\nfunc getEmailAddressesWithReplacer(addrs []string, replacer *strings.Replacer) []string {\n\tif len(addrs) == 0 {\n\t\treturn nil\n\t}\n\trecipients := make([]string, 0, len(addrs))\n\tfor _, recipient := range addrs {\n\t\trcpt := replaceWithReplacer(recipient, replacer)\n\t\tif rcpt != \"\" {\n\t\t\trecipients = append(recipients, rcpt)\n\t\t}\n\t}\n\treturn recipients\n}\n\nfunc executeEmailRuleAction(c dataprovider.EventActionEmailConfig, params *EventParams) error {\n\taddObjectData := false\n\tif params.Object != nil {\n\t\tif strings.Contains(c.Body, objDataPlaceholder) || strings.Contains(c.Body, objDataPlaceholderString) {\n\t\t\taddObjectData = true\n\t\t}\n\t}\n\treplacements := params.getStringReplacements(addObjectData, 0)\n\treplacer := strings.NewReplacer(replacements...)\n\tvar body string\n\tif c.ContentType == 1 {\n\t\treplacements := params.getStringReplacements(addObjectData, 2)\n\t\tbodyReplacer := strings.NewReplacer(replacements...)\n\t\tbody = replaceWithReplacer(c.Body, bodyReplacer)\n\t} else {\n\t\tbody = replaceWithReplacer(c.Body, replacer)\n\t}\n\tsubject := replaceWithReplacer(c.Subject, replacer)\n\trecipients := getEmailAddressesWithReplacer(c.Recipients, replacer)\n\tbcc := getEmailAddressesWithReplacer(c.Bcc, replacer)\n\tstartTime := time.Now()\n\tvar files []*mail.File\n\tfileAttachments := make([]string, 0, len(c.Attachments))\n\tfor _, attachment := range c.Attachments {\n\t\tif attachment == dataprovider.RetentionReportPlaceHolder {\n\t\t\tf, err := params.getRetentionReportsAsMailAttachment()\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tfiles = append(files, f)\n\t\t\tcontinue\n\t\t}\n\t\tfileAttachments = append(fileAttachments, attachment)\n\t}\n\tif len(fileAttachments) > 0 {\n\t\tuser, err := params.getUserFromSender()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err := getUserForEventAction(&user); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tconnectionID := fmt.Sprintf(\"%s_%s\", protocolEventAction, xid.New().String())\n\t\terr = user.CheckFsRoot(connectionID)\n\t\tdefer user.CloseFs() //nolint:errcheck\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"error getting email attachments, unable to check root fs for user %q: %w\", user.Username, err)\n\t\t}\n\t\tconn := NewBaseConnection(connectionID, protocolEventAction, \"\", \"\", user)\n\t\tdefer conn.CloseFS() //nolint:errcheck\n\n\t\tres, err := getMailAttachments(conn, fileAttachments, replacer)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfiles = append(files, res...)\n\t}\n\terr := smtp.SendEmail(recipients, bcc, subject, body, smtp.EmailContentType(c.ContentType), files...)\n\teventManagerLog(logger.LevelDebug, \"executed email notification action, elapsed: %s, error: %v\",\n\t\ttime.Since(startTime), err)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to send email: %w\", err)\n\t}\n\treturn nil\n}\n\nfunc getUserForEventAction(user *dataprovider.User) error {\n\terr := user.LoadAndApplyGroupSettings()\n\tif err != nil {\n\t\teventManagerLog(logger.LevelError, \"unable to get group for user %q: %+v\", user.Username, err)\n\t\treturn fmt.Errorf(\"unable to get groups for user %q\", user.Username)\n\t}\n\tuser.UploadDataTransfer = 0\n\tuser.UploadBandwidth = 0\n\tuser.DownloadBandwidth = 0\n\tuser.Filters.DisableFsChecks = false\n\tuser.Filters.FilePatterns = nil\n\tuser.Filters.BandwidthLimits = nil\n\tfor k := range user.Permissions {\n\t\tuser.Permissions[k] = []string{dataprovider.PermAny}\n\t}\n\treturn nil\n}\n\nfunc replacePathsPlaceholders(paths []string, replacer *strings.Replacer) []string {\n\tresults := make([]string, 0, len(paths))\n\tfor _, p := range paths {\n\t\tresults = append(results, util.CleanPath(replaceWithReplacer(p, replacer)))\n\t}\n\treturn util.RemoveDuplicates(results, false)\n}\n\nfunc executeDeleteFileFsAction(conn *BaseConnection, item string, info os.FileInfo) error {\n\tfs, fsPath, err := conn.GetFsAndResolvedPath(item)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn conn.RemoveFile(fs, fsPath, item, info)\n}\n\nfunc executeDeleteFsActionForUser(deletes []string, replacer *strings.Replacer, user dataprovider.User) error {\n\tif err := getUserForEventAction(&user); err != nil {\n\t\treturn err\n\t}\n\tconnectionID := fmt.Sprintf(\"%s_%s\", protocolEventAction, xid.New().String())\n\terr := user.CheckFsRoot(connectionID)\n\tdefer user.CloseFs() //nolint:errcheck\n\tif err != nil {\n\t\treturn fmt.Errorf(\"delete error, unable to check root fs for user %q: %w\", user.Username, err)\n\t}\n\tconn := NewBaseConnection(connectionID, protocolEventAction, \"\", \"\", user)\n\tdefer conn.CloseFS() //nolint:errcheck\n\n\tfor _, item := range replacePathsPlaceholders(deletes, replacer) {\n\t\tinfo, err := conn.DoStat(item, 0, false)\n\t\tif err != nil {\n\t\t\tif conn.IsNotExistError(err) {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\treturn fmt.Errorf(\"unable to check item to delete %q, user %q: %w\", item, user.Username, err)\n\t\t}\n\t\tif info.IsDir() {\n\t\t\tif err = conn.RemoveDir(item); err != nil {\n\t\t\t\treturn fmt.Errorf(\"unable to remove dir %q, user %q: %w\", item, user.Username, err)\n\t\t\t}\n\t\t} else {\n\t\t\tif err = executeDeleteFileFsAction(conn, item, info); err != nil {\n\t\t\t\treturn fmt.Errorf(\"unable to remove file %q, user %q: %w\", item, user.Username, err)\n\t\t\t}\n\t\t}\n\t\teventManagerLog(logger.LevelDebug, \"item %q removed for user %q\", item, user.Username)\n\t}\n\treturn nil\n}\n\nfunc executeDeleteFsRuleAction(deletes []string, replacer *strings.Replacer,\n\tconditions dataprovider.ConditionOptions, params *EventParams,\n) error {\n\tusers, err := params.getUsers()\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to get users: %w\", err)\n\t}\n\tvar failures []string\n\texecuted := 0\n\tfor _, user := range users {\n\t\t// if sender is set, the conditions have already been evaluated\n\t\tif params.sender == \"\" {\n\t\t\tif !checkUserConditionOptions(&user, &conditions) {\n\t\t\t\teventManagerLog(logger.LevelDebug, \"skipping fs delete for user %s, condition options don't match\",\n\t\t\t\t\tuser.Username)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\t\texecuted++\n\t\tif err = executeDeleteFsActionForUser(deletes, replacer, user); err != nil {\n\t\t\tparams.AddError(err)\n\t\t\tfailures = append(failures, user.Username)\n\t\t}\n\t}\n\tif len(failures) > 0 {\n\t\treturn fmt.Errorf(\"fs delete failed for users: %s\", strings.Join(failures, \", \"))\n\t}\n\tif executed == 0 {\n\t\teventManagerLog(logger.LevelError, \"no delete executed\")\n\t\treturn errors.New(\"no delete executed\")\n\t}\n\treturn nil\n}\n\nfunc executeMkDirsFsActionForUser(dirs []string, replacer *strings.Replacer, user dataprovider.User) error {\n\tif err := getUserForEventAction(&user); err != nil {\n\t\treturn err\n\t}\n\tconnectionID := fmt.Sprintf(\"%s_%s\", protocolEventAction, xid.New().String())\n\terr := user.CheckFsRoot(connectionID)\n\tdefer user.CloseFs() //nolint:errcheck\n\tif err != nil {\n\t\treturn fmt.Errorf(\"mkdir error, unable to check root fs for user %q: %w\", user.Username, err)\n\t}\n\tconn := NewBaseConnection(connectionID, protocolEventAction, \"\", \"\", user)\n\tdefer conn.CloseFS() //nolint:errcheck\n\n\tfor _, item := range replacePathsPlaceholders(dirs, replacer) {\n\t\tif err = conn.CheckParentDirs(path.Dir(item)); err != nil {\n\t\t\treturn fmt.Errorf(\"unable to check parent dirs for %q, user %q: %w\", item, user.Username, err)\n\t\t}\n\t\tif err = conn.createDirIfMissing(item); err != nil {\n\t\t\treturn fmt.Errorf(\"unable to create dir %q, user %q: %w\", item, user.Username, err)\n\t\t}\n\t\teventManagerLog(logger.LevelDebug, \"directory %q created for user %q\", item, user.Username)\n\t}\n\treturn nil\n}\n\nfunc executeMkdirFsRuleAction(dirs []string, replacer *strings.Replacer,\n\tconditions dataprovider.ConditionOptions, params *EventParams,\n) error {\n\tusers, err := params.getUsers()\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to get users: %w\", err)\n\t}\n\tvar failures []string\n\texecuted := 0\n\tfor _, user := range users {\n\t\t// if sender is set, the conditions have already been evaluated\n\t\tif params.sender == \"\" {\n\t\t\tif !checkUserConditionOptions(&user, &conditions) {\n\t\t\t\teventManagerLog(logger.LevelDebug, \"skipping fs mkdir for user %s, condition options don't match\",\n\t\t\t\t\tuser.Username)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\t\texecuted++\n\t\tif err = executeMkDirsFsActionForUser(dirs, replacer, user); err != nil {\n\t\t\tfailures = append(failures, user.Username)\n\t\t}\n\t}\n\tif len(failures) > 0 {\n\t\treturn fmt.Errorf(\"fs mkdir failed for users: %s\", strings.Join(failures, \", \"))\n\t}\n\tif executed == 0 {\n\t\teventManagerLog(logger.LevelError, \"no mkdir executed\")\n\t\treturn errors.New(\"no mkdir executed\")\n\t}\n\treturn nil\n}\n\nfunc executeRenameFsActionForUser(renames []dataprovider.RenameConfig, replacer *strings.Replacer,\n\tuser dataprovider.User,\n) error {\n\tif err := getUserForEventAction(&user); err != nil {\n\t\treturn err\n\t}\n\tconnectionID := fmt.Sprintf(\"%s_%s\", protocolEventAction, xid.New().String())\n\terr := user.CheckFsRoot(connectionID)\n\tdefer user.CloseFs() //nolint:errcheck\n\tif err != nil {\n\t\treturn fmt.Errorf(\"rename error, unable to check root fs for user %q: %w\", user.Username, err)\n\t}\n\tconn := NewBaseConnection(connectionID, protocolEventAction, \"\", \"\", user)\n\tdefer conn.CloseFS() //nolint:errcheck\n\n\tfor _, item := range renames {\n\t\tsource := util.CleanPath(replaceWithReplacer(item.Key, replacer))\n\t\ttarget := util.CleanPath(replaceWithReplacer(item.Value, replacer))\n\t\tchecks := 0\n\t\tif item.UpdateModTime {\n\t\t\tchecks += vfs.CheckUpdateModTime\n\t\t}\n\t\tif err = conn.renameInternal(source, target, true, checks); err != nil {\n\t\t\treturn fmt.Errorf(\"unable to rename %q->%q, user %q: %w\", source, target, user.Username, err)\n\t\t}\n\t\teventManagerLog(logger.LevelDebug, \"rename %q->%q ok, user %q\", source, target, user.Username)\n\t}\n\treturn nil\n}\n\nfunc executeCopyFsActionForUser(keyVals []dataprovider.KeyValue, replacer *strings.Replacer,\n\tuser dataprovider.User,\n) error {\n\tif err := getUserForEventAction(&user); err != nil {\n\t\treturn err\n\t}\n\tconnectionID := fmt.Sprintf(\"%s_%s\", protocolEventAction, xid.New().String())\n\terr := user.CheckFsRoot(connectionID)\n\tdefer user.CloseFs() //nolint:errcheck\n\tif err != nil {\n\t\treturn fmt.Errorf(\"copy error, unable to check root fs for user %q: %w\", user.Username, err)\n\t}\n\tconn := NewBaseConnection(connectionID, protocolEventAction, \"\", \"\", user)\n\tdefer conn.CloseFS() //nolint:errcheck\n\n\tfor _, item := range keyVals {\n\t\tsource := util.CleanPath(replaceWithReplacer(item.Key, replacer))\n\t\ttarget := util.CleanPath(replaceWithReplacer(item.Value, replacer))\n\t\tif strings.HasSuffix(item.Key, \"/\") {\n\t\t\tsource += \"/\"\n\t\t}\n\t\tif strings.HasSuffix(item.Value, \"/\") {\n\t\t\ttarget += \"/\"\n\t\t}\n\t\tif err = conn.Copy(source, target); err != nil {\n\t\t\treturn fmt.Errorf(\"unable to copy %q->%q, user %q: %w\", source, target, user.Username, err)\n\t\t}\n\t\teventManagerLog(logger.LevelDebug, \"copy %q->%q ok, user %q\", source, target, user.Username)\n\t}\n\treturn nil\n}\n\nfunc executeExistFsActionForUser(exist []string, replacer *strings.Replacer,\n\tuser dataprovider.User,\n) error {\n\tif err := getUserForEventAction(&user); err != nil {\n\t\treturn err\n\t}\n\tconnectionID := fmt.Sprintf(\"%s_%s\", protocolEventAction, xid.New().String())\n\terr := user.CheckFsRoot(connectionID)\n\tdefer user.CloseFs() //nolint:errcheck\n\tif err != nil {\n\t\treturn fmt.Errorf(\"existence check error, unable to check root fs for user %q: %w\", user.Username, err)\n\t}\n\tconn := NewBaseConnection(connectionID, protocolEventAction, \"\", \"\", user)\n\tdefer conn.CloseFS() //nolint:errcheck\n\n\tfor _, item := range replacePathsPlaceholders(exist, replacer) {\n\t\tif _, err = conn.DoStat(item, 0, false); err != nil {\n\t\t\treturn fmt.Errorf(\"error checking existence for path %q, user %q: %w\", item, user.Username, err)\n\t\t}\n\t\teventManagerLog(logger.LevelDebug, \"path %q exists for user %q\", item, user.Username)\n\t}\n\treturn nil\n}\n\nfunc executeRenameFsRuleAction(renames []dataprovider.RenameConfig, replacer *strings.Replacer,\n\tconditions dataprovider.ConditionOptions, params *EventParams,\n) error {\n\tusers, err := params.getUsers()\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to get users: %w\", err)\n\t}\n\tvar failures []string\n\texecuted := 0\n\tfor _, user := range users {\n\t\t// if sender is set, the conditions have already been evaluated\n\t\tif params.sender == \"\" {\n\t\t\tif !checkUserConditionOptions(&user, &conditions) {\n\t\t\t\teventManagerLog(logger.LevelDebug, \"skipping fs rename for user %s, condition options don't match\",\n\t\t\t\t\tuser.Username)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\t\texecuted++\n\t\tif err = executeRenameFsActionForUser(renames, replacer, user); err != nil {\n\t\t\tfailures = append(failures, user.Username)\n\t\t\tparams.AddError(err)\n\t\t}\n\t}\n\tif len(failures) > 0 {\n\t\treturn fmt.Errorf(\"fs rename failed for users: %s\", strings.Join(failures, \", \"))\n\t}\n\tif executed == 0 {\n\t\teventManagerLog(logger.LevelError, \"no rename executed\")\n\t\treturn errors.New(\"no rename executed\")\n\t}\n\treturn nil\n}\n\nfunc executeCopyFsRuleAction(keyVals []dataprovider.KeyValue, replacer *strings.Replacer,\n\tconditions dataprovider.ConditionOptions, params *EventParams,\n) error {\n\tusers, err := params.getUsers()\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to get users: %w\", err)\n\t}\n\tvar failures []string\n\tvar executed int\n\tfor _, user := range users {\n\t\t// if sender is set, the conditions have already been evaluated\n\t\tif params.sender == \"\" {\n\t\t\tif !checkUserConditionOptions(&user, &conditions) {\n\t\t\t\teventManagerLog(logger.LevelDebug, \"skipping fs copy for user %s, condition options don't match\",\n\t\t\t\t\tuser.Username)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\t\texecuted++\n\t\tif err = executeCopyFsActionForUser(keyVals, replacer, user); err != nil {\n\t\t\tfailures = append(failures, user.Username)\n\t\t\tparams.AddError(err)\n\t\t}\n\t}\n\tif len(failures) > 0 {\n\t\treturn fmt.Errorf(\"fs copy failed for users: %s\", strings.Join(failures, \", \"))\n\t}\n\tif executed == 0 {\n\t\teventManagerLog(logger.LevelError, \"no copy executed\")\n\t\treturn errors.New(\"no copy executed\")\n\t}\n\treturn nil\n}\n\nfunc getArchiveBaseDir(paths []string) string {\n\tvar parentDirs []string\n\tfor _, p := range paths {\n\t\tparentDirs = append(parentDirs, path.Dir(p))\n\t}\n\tparentDirs = util.RemoveDuplicates(parentDirs, false)\n\tbaseDir := \"/\"\n\tif len(parentDirs) == 1 {\n\t\tbaseDir = parentDirs[0]\n\t}\n\treturn baseDir\n}\n\nfunc getSizeForPath(conn *BaseConnection, p string, info os.FileInfo) (int64, error) {\n\tif info.IsDir() {\n\t\tvar dirSize int64\n\t\tlister, err := conn.ListDir(p)\n\t\tif err != nil {\n\t\t\treturn 0, err\n\t\t}\n\t\tdefer lister.Close()\n\t\tfor {\n\t\t\tentries, err := lister.Next(vfs.ListerBatchSize)\n\t\t\tfinished := errors.Is(err, io.EOF)\n\t\t\tif err != nil && !finished {\n\t\t\t\treturn 0, err\n\t\t\t}\n\t\t\tfor _, entry := range entries {\n\t\t\t\tsize, err := getSizeForPath(conn, path.Join(p, entry.Name()), entry)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn 0, err\n\t\t\t\t}\n\t\t\t\tdirSize += size\n\t\t\t}\n\t\t\tif finished {\n\t\t\t\treturn dirSize, nil\n\t\t\t}\n\t\t}\n\t}\n\tif info.Mode().IsRegular() {\n\t\treturn info.Size(), nil\n\t}\n\treturn 0, nil\n}\n\nfunc estimateZipSize(conn *BaseConnection, zipPath string, paths []string) (int64, error) {\n\tq, _ := conn.HasSpace(false, false, zipPath)\n\tif q.HasSpace && q.GetRemainingSize() > 0 {\n\t\tvar size int64\n\t\tfor _, item := range paths {\n\t\t\tinfo, err := conn.DoStat(item, 1, false)\n\t\t\tif err != nil {\n\t\t\t\treturn size, err\n\t\t\t}\n\t\t\titemSize, err := getSizeForPath(conn, item, info)\n\t\t\tif err != nil {\n\t\t\t\treturn size, err\n\t\t\t}\n\t\t\tsize += itemSize\n\t\t}\n\t\teventManagerLog(logger.LevelDebug, \"archive paths %v, archive name %q, size: %d\", paths, zipPath, size)\n\t\t// we assume the zip size will be half of the real size\n\t\treturn size / 2, nil\n\t}\n\treturn -1, nil\n}\n\nfunc executeCompressFsActionForUser(c dataprovider.EventActionFsCompress, replacer *strings.Replacer,\n\tuser dataprovider.User,\n) error {\n\tif err := getUserForEventAction(&user); err != nil {\n\t\treturn err\n\t}\n\tconnectionID := fmt.Sprintf(\"%s_%s\", protocolEventAction, xid.New().String())\n\terr := user.CheckFsRoot(connectionID)\n\tdefer user.CloseFs() //nolint:errcheck\n\tif err != nil {\n\t\treturn fmt.Errorf(\"compress error, unable to check root fs for user %q: %w\", user.Username, err)\n\t}\n\tconn := NewBaseConnection(connectionID, protocolEventAction, \"\", \"\", user)\n\tdefer conn.CloseFS() //nolint:errcheck\n\n\tname := util.CleanPath(replaceWithReplacer(c.Name, replacer))\n\tconn.CheckParentDirs(path.Dir(name)) //nolint:errcheck\n\tpaths := make([]string, 0, len(c.Paths))\n\tfor idx := range c.Paths {\n\t\tp := util.CleanPath(replaceWithReplacer(c.Paths[idx], replacer))\n\t\tif p == name {\n\t\t\treturn fmt.Errorf(\"cannot compress the archive to create: %q\", name)\n\t\t}\n\t\tpaths = append(paths, p)\n\t}\n\tpaths = util.RemoveDuplicates(paths, false)\n\testimatedSize, err := estimateZipSize(conn, name, paths)\n\tif err != nil {\n\t\teventManagerLog(logger.LevelError, \"unable to estimate size for archive %q: %v\", name, err)\n\t\treturn fmt.Errorf(\"unable to estimate archive size: %w\", err)\n\t}\n\twriter, numFiles, truncatedSize, cancelFn, err := getFileWriter(conn, name, estimatedSize)\n\tif err != nil {\n\t\teventManagerLog(logger.LevelError, \"unable to create archive %q: %v\", name, err)\n\t\treturn fmt.Errorf(\"unable to create archive: %w\", err)\n\t}\n\tdefer cancelFn()\n\n\tbaseDir := getArchiveBaseDir(paths)\n\teventManagerLog(logger.LevelDebug, \"creating archive %q for paths %+v\", name, paths)\n\n\tzipWriter := &zipWriterWrapper{\n\t\tName: name,\n\t\tWriter: zip.NewWriter(writer),\n\t\tEntries: make(map[string]bool),\n\t}\n\tstartTime := time.Now()\n\tfor _, item := range paths {\n\t\tif err := addZipEntry(zipWriter, conn, item, baseDir, nil, 0); err != nil {\n\t\t\tcloseWriterAndUpdateQuota(writer, conn, name, \"\", numFiles, truncatedSize, err, operationUpload, startTime) //nolint:errcheck\n\t\t\treturn err\n\t\t}\n\t}\n\tif err := zipWriter.Writer.Close(); err != nil {\n\t\teventManagerLog(logger.LevelError, \"unable to close zip file %q: %v\", name, err)\n\t\tcloseWriterAndUpdateQuota(writer, conn, name, \"\", numFiles, truncatedSize, err, operationUpload, startTime) //nolint:errcheck\n\t\treturn fmt.Errorf(\"unable to close zip file %q: %w\", name, err)\n\t}\n\treturn closeWriterAndUpdateQuota(writer, conn, name, \"\", numFiles, truncatedSize, err, operationUpload, startTime)\n}\n\nfunc executeExistFsRuleAction(exist []string, replacer *strings.Replacer, conditions dataprovider.ConditionOptions,\n\tparams *EventParams,\n) error {\n\tusers, err := params.getUsers()\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to get users: %w\", err)\n\t}\n\tvar failures []string\n\texecuted := 0\n\tfor _, user := range users {\n\t\t// if sender is set, the conditions have already been evaluated\n\t\tif params.sender == \"\" {\n\t\t\tif !checkUserConditionOptions(&user, &conditions) {\n\t\t\t\teventManagerLog(logger.LevelDebug, \"skipping fs exist for user %s, condition options don't match\",\n\t\t\t\t\tuser.Username)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\t\texecuted++\n\t\tif err = executeExistFsActionForUser(exist, replacer, user); err != nil {\n\t\t\tfailures = append(failures, user.Username)\n\t\t\tparams.AddError(err)\n\t\t}\n\t}\n\tif len(failures) > 0 {\n\t\treturn fmt.Errorf(\"fs existence check failed for users: %s\", strings.Join(failures, \", \"))\n\t}\n\tif executed == 0 {\n\t\teventManagerLog(logger.LevelError, \"no existence check executed\")\n\t\treturn errors.New(\"no existence check executed\")\n\t}\n\treturn nil\n}\n\nfunc executeCompressFsRuleAction(c dataprovider.EventActionFsCompress, replacer *strings.Replacer,\n\tconditions dataprovider.ConditionOptions, params *EventParams,\n) error {\n\tusers, err := params.getUsers()\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to get users: %w\", err)\n\t}\n\tvar failures []string\n\texecuted := 0\n\tfor _, user := range users {\n\t\t// if sender is set, the conditions have already been evaluated\n\t\tif params.sender == \"\" {\n\t\t\tif !checkUserConditionOptions(&user, &conditions) {\n\t\t\t\teventManagerLog(logger.LevelDebug, \"skipping fs compress for user %s, condition options don't match\",\n\t\t\t\t\tuser.Username)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\t\texecuted++\n\t\tif err = executeCompressFsActionForUser(c, replacer, user); err != nil {\n\t\t\tfailures = append(failures, user.Username)\n\t\t\tparams.AddError(err)\n\t\t}\n\t}\n\tif len(failures) > 0 {\n\t\treturn fmt.Errorf(\"fs compress failed for users: %s\", strings.Join(failures, \",\"))\n\t}\n\tif executed == 0 {\n\t\teventManagerLog(logger.LevelError, \"no file/folder compressed\")\n\t\treturn errors.New(\"no file/folder compressed\")\n\t}\n\treturn nil\n}\n\nfunc executeFsRuleAction(c dataprovider.EventActionFilesystemConfig, conditions dataprovider.ConditionOptions,\n\tparams *EventParams,\n) error {\n\taddObjectData := false\n\treplacements := params.getStringReplacements(addObjectData, 0)\n\treplacer := strings.NewReplacer(replacements...)\n\tswitch c.Type {\n\tcase dataprovider.FilesystemActionRename:\n\t\treturn executeRenameFsRuleAction(c.Renames, replacer, conditions, params)\n\tcase dataprovider.FilesystemActionDelete:\n\t\treturn executeDeleteFsRuleAction(c.Deletes, replacer, conditions, params)\n\tcase dataprovider.FilesystemActionMkdirs:\n\t\treturn executeMkdirFsRuleAction(c.MkDirs, replacer, conditions, params)\n\tcase dataprovider.FilesystemActionExist:\n\t\treturn executeExistFsRuleAction(c.Exist, replacer, conditions, params)\n\tcase dataprovider.FilesystemActionCompress:\n\t\treturn executeCompressFsRuleAction(c.Compress, replacer, conditions, params)\n\tcase dataprovider.FilesystemActionCopy:\n\t\treturn executeCopyFsRuleAction(c.Copy, replacer, conditions, params)\n\tdefault:\n\t\treturn fmt.Errorf(\"unsupported filesystem action %d\", c.Type)\n\t}\n}\n\nfunc executeQuotaResetForUser(user *dataprovider.User) error {\n\tif err := user.LoadAndApplyGroupSettings(); err != nil {\n\t\teventManagerLog(logger.LevelError, \"skipping scheduled quota reset for user %s, cannot apply group settings: %v\",\n\t\t\tuser.Username, err)\n\t\treturn err\n\t}\n\tif !QuotaScans.AddUserQuotaScan(user.Username, user.Role) {\n\t\teventManagerLog(logger.LevelError, \"another quota scan is already in progress for user %q\", user.Username)\n\t\treturn fmt.Errorf(\"another quota scan is in progress for user %q\", user.Username)\n\t}\n\tdefer QuotaScans.RemoveUserQuotaScan(user.Username)\n\n\tnumFiles, size, err := user.ScanQuota()\n\tif err != nil {\n\t\teventManagerLog(logger.LevelError, \"error scanning quota for user %q: %v\", user.Username, err)\n\t\treturn fmt.Errorf(\"error scanning quota for user %q: %w\", user.Username, err)\n\t}\n\terr = dataprovider.UpdateUserQuota(user, numFiles, size, true)\n\tif err != nil {\n\t\teventManagerLog(logger.LevelError, \"error updating quota for user %q: %v\", user.Username, err)\n\t\treturn fmt.Errorf(\"error updating quota for user %q: %w\", user.Username, err)\n\t}\n\treturn nil\n}\n\nfunc executeUsersQuotaResetRuleAction(conditions dataprovider.ConditionOptions, params *EventParams) error {\n\tusers, err := params.getUsers()\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to get users: %w\", err)\n\t}\n\tvar failures []string\n\texecuted := 0\n\tfor _, user := range users {\n\t\t// if sender is set, the conditions have already been evaluated\n\t\tif params.sender == \"\" {\n\t\t\tif !checkUserConditionOptions(&user, &conditions) {\n\t\t\t\teventManagerLog(logger.LevelDebug, \"skipping quota reset for user %q, condition options don't match\",\n\t\t\t\t\tuser.Username)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\t\texecuted++\n\t\tif err = executeQuotaResetForUser(&user); err != nil {\n\t\t\tparams.AddError(err)\n\t\t\tfailures = append(failures, user.Username)\n\t\t}\n\t}\n\tif len(failures) > 0 {\n\t\treturn fmt.Errorf(\"quota reset failed for users: %s\", strings.Join(failures, \", \"))\n\t}\n\tif executed == 0 {\n\t\teventManagerLog(logger.LevelError, \"no user quota reset executed\")\n\t\treturn errors.New(\"no user quota reset executed\")\n\t}\n\treturn nil\n}\n\nfunc executeFoldersQuotaResetRuleAction(conditions dataprovider.ConditionOptions, params *EventParams) error {\n\tfolders, err := params.getFolders()\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to get folders: %w\", err)\n\t}\n\tvar failures []string\n\texecuted := 0\n\tfor _, folder := range folders {\n\t\t// if sender is set, the conditions have already been evaluated\n\t\tif params.sender == \"\" && !checkEventConditionPatterns(folder.Name, conditions.Names) {\n\t\t\teventManagerLog(logger.LevelDebug, \"skipping scheduled quota reset for folder %s, name conditions don't match\",\n\t\t\t\tfolder.Name)\n\t\t\tcontinue\n\t\t}\n\t\tif !QuotaScans.AddVFolderQuotaScan(folder.Name) {\n\t\t\teventManagerLog(logger.LevelError, \"another quota scan is already in progress for folder %q\", folder.Name)\n\t\t\tparams.AddError(fmt.Errorf(\"another quota scan is already in progress for folder %q\", folder.Name))\n\t\t\tfailures = append(failures, folder.Name)\n\t\t\tcontinue\n\t\t}\n\t\texecuted++\n\t\tf := vfs.VirtualFolder{\n\t\t\tBaseVirtualFolder: folder,\n\t\t\tVirtualPath: \"/\",\n\t\t}\n\t\tnumFiles, size, err := f.ScanQuota()\n\t\tQuotaScans.RemoveVFolderQuotaScan(folder.Name)\n\t\tif err != nil {\n\t\t\teventManagerLog(logger.LevelError, \"error scanning quota for folder %q: %v\", folder.Name, err)\n\t\t\tparams.AddError(fmt.Errorf(\"error scanning quota for folder %q: %w\", folder.Name, err))\n\t\t\tfailures = append(failures, folder.Name)\n\t\t\tcontinue\n\t\t}\n\t\terr = dataprovider.UpdateVirtualFolderQuota(&folder, numFiles, size, true)\n\t\tif err != nil {\n\t\t\teventManagerLog(logger.LevelError, \"error updating quota for folder %q: %v\", folder.Name, err)\n\t\t\tparams.AddError(fmt.Errorf(\"error updating quota for folder %q: %w\", folder.Name, err))\n\t\t\tfailures = append(failures, folder.Name)\n\t\t}\n\t}\n\tif len(failures) > 0 {\n\t\treturn fmt.Errorf(\"quota reset failed for folders: %s\", strings.Join(failures, \", \"))\n\t}\n\tif executed == 0 {\n\t\teventManagerLog(logger.LevelError, \"no folder quota reset executed\")\n\t\treturn errors.New(\"no folder quota reset executed\")\n\t}\n\treturn nil\n}\n\nfunc executeTransferQuotaResetRuleAction(conditions dataprovider.ConditionOptions, params *EventParams) error {\n\tusers, err := params.getUsers()\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to get users: %w\", err)\n\t}\n\tvar failures []string\n\texecuted := 0\n\tfor _, user := range users {\n\t\t// if sender is set, the conditions have already been evaluated\n\t\tif params.sender == \"\" {\n\t\t\tif !checkUserConditionOptions(&user, &conditions) {\n\t\t\t\teventManagerLog(logger.LevelDebug, \"skipping scheduled transfer quota reset for user %s, condition options don't match\",\n\t\t\t\t\tuser.Username)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\t\texecuted++\n\t\terr = dataprovider.UpdateUserTransferQuota(&user, 0, 0, true)\n\t\tif err != nil {\n\t\t\teventManagerLog(logger.LevelError, \"error updating transfer quota for user %q: %v\", user.Username, err)\n\t\t\tparams.AddError(fmt.Errorf(\"error updating transfer quota for user %q: %w\", user.Username, err))\n\t\t\tfailures = append(failures, user.Username)\n\t\t}\n\t}\n\tif len(failures) > 0 {\n\t\treturn fmt.Errorf(\"transfer quota reset failed for users: %s\", strings.Join(failures, \", \"))\n\t}\n\tif executed == 0 {\n\t\teventManagerLog(logger.LevelError, \"no transfer quota reset executed\")\n\t\treturn errors.New(\"no transfer quota reset executed\")\n\t}\n\treturn nil\n}\n\nfunc executeDataRetentionCheckForUser(user dataprovider.User, folders []dataprovider.FolderRetention,\n\tparams *EventParams, actionName string,\n) error {\n\tif err := user.LoadAndApplyGroupSettings(); err != nil {\n\t\teventManagerLog(logger.LevelError, \"skipping scheduled retention check for user %s, cannot apply group settings: %v\",\n\t\t\tuser.Username, err)\n\t\treturn err\n\t}\n\tcheck := RetentionCheck{\n\t\tFolders: folders,\n\t}\n\tc := RetentionChecks.Add(check, &user)\n\tif c == nil {\n\t\teventManagerLog(logger.LevelError, \"another retention check is already in progress for user %q\", user.Username)\n\t\treturn fmt.Errorf(\"another retention check is in progress for user %q\", user.Username)\n\t}\n\tdefer func() {\n\t\tparams.retentionChecks = append(params.retentionChecks, executedRetentionCheck{\n\t\t\tUsername: user.Username,\n\t\t\tActionName: actionName,\n\t\t\tResults: c.results,\n\t\t})\n\t}()\n\tif err := c.Start(); err != nil {\n\t\teventManagerLog(logger.LevelError, \"error checking retention for user %q: %v\", user.Username, err)\n\t\treturn fmt.Errorf(\"error checking retention for user %q: %w\", user.Username, err)\n\t}\n\treturn nil\n}\n\nfunc executeDataRetentionCheckRuleAction(config dataprovider.EventActionDataRetentionConfig,\n\tconditions dataprovider.ConditionOptions, params *EventParams, actionName string,\n) error {\n\tusers, err := params.getUsers()\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to get users: %w\", err)\n\t}\n\tvar failures []string\n\texecuted := 0\n\tfor _, user := range users {\n\t\t// if sender is set, the conditions have already been evaluated\n\t\tif params.sender == \"\" {\n\t\t\tif !checkUserConditionOptions(&user, &conditions) {\n\t\t\t\teventManagerLog(logger.LevelDebug, \"skipping scheduled retention check for user %s, condition options don't match\",\n\t\t\t\t\tuser.Username)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\t\texecuted++\n\t\tif err = executeDataRetentionCheckForUser(user, config.Folders, params, actionName); err != nil {\n\t\t\tfailures = append(failures, user.Username)\n\t\t\tparams.AddError(err)\n\t\t}\n\t}\n\tif len(failures) > 0 {\n\t\treturn fmt.Errorf(\"retention check failed for users: %s\", strings.Join(failures, \", \"))\n\t}\n\tif executed == 0 {\n\t\teventManagerLog(logger.LevelError, \"no retention check executed\")\n\t\treturn errors.New(\"no retention check executed\")\n\t}\n\treturn nil\n}\n\nfunc executeUserExpirationCheckRuleAction(conditions dataprovider.ConditionOptions, params *EventParams) error {\n\tusers, err := params.getUsers()\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to get users: %w\", err)\n\t}\n\tvar failures []string\n\tvar executed int\n\tfor _, user := range users {\n\t\t// if sender is set, the conditions have already been evaluated\n\t\tif params.sender == \"\" {\n\t\t\tif !checkUserConditionOptions(&user, &conditions) {\n\t\t\t\teventManagerLog(logger.LevelDebug, \"skipping expiration check for user %q, condition options don't match\",\n\t\t\t\t\tuser.Username)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\t\texecuted++\n\t\tif user.ExpirationDate > 0 {\n\t\t\texpDate := util.GetTimeFromMsecSinceEpoch(user.ExpirationDate)\n\t\t\tif expDate.Before(time.Now()) {\n\t\t\t\tfailures = append(failures, user.Username)\n\t\t\t}\n\t\t}\n\t}\n\tif len(failures) > 0 {\n\t\treturn fmt.Errorf(\"expired users: %s\", strings.Join(failures, \", \"))\n\t}\n\tif executed == 0 {\n\t\teventManagerLog(logger.LevelError, \"no user expiration check executed\")\n\t\treturn errors.New(\"no user expiration check executed\")\n\t}\n\treturn nil\n}\n\nfunc executeInactivityCheckForUser(user *dataprovider.User, config dataprovider.EventActionUserInactivity, when time.Time) error {\n\tif config.DeleteThreshold > 0 && (user.Status == 0 || config.DisableThreshold == 0) {\n\t\tif inactivityDays := user.InactivityDays(when); inactivityDays > config.DeleteThreshold {\n\t\t\terr := dataprovider.DeleteUser(user.Username, dataprovider.ActionExecutorSystem, \"\", \"\")\n\t\t\teventManagerLog(logger.LevelInfo, \"deleting inactive user %q, days of inactivity: %d/%d, err: %v\",\n\t\t\t\tuser.Username, inactivityDays, config.DeleteThreshold, err)\n\t\t\tif err != nil {\n\t\t\t\treturn fmt.Errorf(\"unable to delete inactive user %q\", user.Username)\n\t\t\t}\n\t\t\treturn fmt.Errorf(\"inactive user %q deleted. Number of days of inactivity: %d\", user.Username, inactivityDays)\n\t\t}\n\t}\n\tif config.DisableThreshold > 0 && user.Status > 0 {\n\t\tif inactivityDays := user.InactivityDays(when); inactivityDays > config.DisableThreshold {\n\t\t\tuser.Status = 0\n\t\t\terr := dataprovider.UpdateUser(user, dataprovider.ActionExecutorSystem, \"\", \"\")\n\t\t\teventManagerLog(logger.LevelInfo, \"disabling inactive user %q, days of inactivity: %d/%d, err: %v\",\n\t\t\t\tuser.Username, inactivityDays, config.DisableThreshold, err)\n\t\t\tif err != nil {\n\t\t\t\treturn fmt.Errorf(\"unable to disable inactive user %q\", user.Username)\n\t\t\t}\n\t\t\treturn fmt.Errorf(\"inactive user %q disabled. Number of days of inactivity: %d\", user.Username, inactivityDays)\n\t\t}\n\t}\n\n\treturn nil\n}\n\nfunc executeUserInactivityCheckRuleAction(config dataprovider.EventActionUserInactivity,\n\tconditions dataprovider.ConditionOptions,\n\tparams *EventParams,\n\twhen time.Time,\n) error {\n\tusers, err := params.getUsers()\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to get users: %w\", err)\n\t}\n\tvar failures []string\n\tfor _, user := range users {\n\t\t// if sender is set, the conditions have already been evaluated\n\t\tif params.sender == \"\" {\n\t\t\tif !checkUserConditionOptions(&user, &conditions) {\n\t\t\t\teventManagerLog(logger.LevelDebug, \"skipping inactivity check for user %q, condition options don't match\",\n\t\t\t\t\tuser.Username)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\t\tif err = executeInactivityCheckForUser(&user, config, when); err != nil {\n\t\t\tparams.AddError(err)\n\t\t\tfailures = append(failures, user.Username)\n\t\t}\n\t}\n\tif len(failures) > 0 {\n\t\treturn fmt.Errorf(\"executed inactivity check actions for users: %s\", strings.Join(failures, \", \"))\n\t}\n\n\treturn nil\n}\n\nfunc executePwdExpirationCheckForUser(user *dataprovider.User, config dataprovider.EventActionPasswordExpiration) error {\n\tif err := user.LoadAndApplyGroupSettings(); err != nil {\n\t\teventManagerLog(logger.LevelError, \"skipping password expiration check for user %q, cannot apply group settings: %v\",\n\t\t\tuser.Username, err)\n\t\treturn err\n\t}\n\tif user.ExpirationDate > 0 {\n\t\tif expDate := util.GetTimeFromMsecSinceEpoch(user.ExpirationDate); expDate.Before(time.Now()) {\n\t\t\teventManagerLog(logger.LevelDebug, \"skipping password expiration check for expired user %q, expiration date: %s\",\n\t\t\t\tuser.Username, expDate)\n\t\t\treturn nil\n\t\t}\n\t}\n\tif user.Filters.PasswordExpiration == 0 {\n\t\teventManagerLog(logger.LevelDebug, \"password expiration not set for user %q skipping check\", user.Username)\n\t\treturn nil\n\t}\n\tdays := user.PasswordExpiresIn()\n\tif days > config.Threshold {\n\t\teventManagerLog(logger.LevelDebug, \"password for user %q expires in %d days, threshold %d, no need to notify\",\n\t\t\tuser.Username, days, config.Threshold)\n\t\treturn nil\n\t}\n\tbody := new(bytes.Buffer)\n\tdata := make(map[string]any)\n\tdata[\"Username\"] = user.Username\n\tdata[\"Days\"] = days\n\tif err := smtp.RenderPasswordExpirationTemplate(body, data); err != nil {\n\t\teventManagerLog(logger.LevelError, \"unable to notify password expiration for user %s: %v\",\n\t\t\tuser.Username, err)\n\t\treturn err\n\t}\n\tsubject := \"SFTPGo password expiration notification\"\n\tstartTime := time.Now()\n\tif err := smtp.SendEmail(user.GetEmailAddresses(), nil, subject, body.String(), smtp.EmailContentTypeTextHTML); err != nil {\n\t\teventManagerLog(logger.LevelError, \"unable to notify password expiration for user %s: %v, elapsed: %s\",\n\t\t\tuser.Username, err, time.Since(startTime))\n\t\treturn err\n\t}\n\teventManagerLog(logger.LevelDebug, \"password expiration email sent to user %s, days: %d, elapsed: %s\",\n\t\tuser.Username, days, time.Since(startTime))\n\treturn nil\n}\n\nfunc executePwdExpirationCheckRuleAction(config dataprovider.EventActionPasswordExpiration, conditions dataprovider.ConditionOptions,\n\tparams *EventParams) error {\n\tusers, err := params.getUsers()\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to get users: %w\", err)\n\t}\n\tvar failures []string\n\tfor _, user := range users {\n\t\t// if sender is set, the conditions have already been evaluated\n\t\tif params.sender == \"\" {\n\t\t\tif !checkUserConditionOptions(&user, &conditions) {\n\t\t\t\teventManagerLog(logger.LevelDebug, \"skipping password check for user %q, condition options don't match\",\n\t\t\t\t\tuser.Username)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\t\tif err = executePwdExpirationCheckForUser(&user, config); err != nil {\n\t\t\tparams.AddError(err)\n\t\t\tfailures = append(failures, user.Username)\n\t\t}\n\t}\n\tif len(failures) > 0 {\n\t\treturn fmt.Errorf(\"password expiration check failed for users: %s\", strings.Join(failures, \", \"))\n\t}\n\n\treturn nil\n}\n\nfunc executeAdminCheckAction(c *dataprovider.EventActionIDPAccountCheck, params *EventParams) (*dataprovider.Admin, error) {\n\tadmin, err := dataprovider.AdminExists(params.Name)\n\texists := err == nil\n\tif exists && c.Mode == 1 {\n\t\treturn &admin, nil\n\t}\n\tif err != nil && !errors.Is(err, util.ErrNotFound) {\n\t\treturn nil, err\n\t}\n\n\treplacements := params.getStringReplacements(false, 1)\n\treplacer := strings.NewReplacer(replacements...)\n\tdata := replaceWithReplacer(c.TemplateAdmin, replacer)\n\n\tvar newAdmin dataprovider.Admin\n\terr = json.Unmarshal(util.StringToBytes(data), &newAdmin)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif exists {\n\t\teventManagerLog(logger.LevelDebug, \"updating admin %q after IDP login\", params.Name)\n\t\t// Not sure if this makes sense, but it shouldn't hurt.\n\t\tif newAdmin.Password == \"\" {\n\t\t\tnewAdmin.Password = admin.Password\n\t\t}\n\t\tnewAdmin.Filters.TOTPConfig = admin.Filters.TOTPConfig\n\t\tnewAdmin.Filters.RecoveryCodes = admin.Filters.RecoveryCodes\n\t\terr = dataprovider.UpdateAdmin(&newAdmin, dataprovider.ActionExecutorSystem, \"\", \"\")\n\t} else {\n\t\teventManagerLog(logger.LevelDebug, \"creating admin %q after IDP login\", params.Name)\n\t\tif newAdmin.Password == \"\" {\n\t\t\tnewAdmin.Password = util.GenerateUniqueID()\n\t\t}\n\t\terr = dataprovider.AddAdmin(&newAdmin, dataprovider.ActionExecutorSystem, \"\", \"\")\n\t}\n\treturn &newAdmin, err\n}\n\nfunc preserveUserProfile(user, newUser *dataprovider.User) {\n\tif newUser.CanChangePassword() && user.Password != \"\" {\n\t\tnewUser.Password = user.Password\n\t}\n\tif newUser.CanManagePublicKeys() && len(user.PublicKeys) > 0 {\n\t\tnewUser.PublicKeys = user.PublicKeys\n\t}\n\tif newUser.CanManageTLSCerts() {\n\t\tif len(user.Filters.TLSCerts) > 0 {\n\t\t\tnewUser.Filters.TLSCerts = user.Filters.TLSCerts\n\t\t}\n\t}\n\tif newUser.CanChangeInfo() {\n\t\tif user.Description != \"\" {\n\t\t\tnewUser.Description = user.Description\n\t\t}\n\t\tif user.Email != \"\" {\n\t\t\tnewUser.Email = user.Email\n\t\t}\n\t\tif len(user.Filters.AdditionalEmails) > 0 {\n\t\t\tnewUser.Filters.AdditionalEmails = user.Filters.AdditionalEmails\n\t\t}\n\t}\n\tif newUser.CanChangeAPIKeyAuth() {\n\t\tnewUser.Filters.AllowAPIKeyAuth = user.Filters.AllowAPIKeyAuth\n\t}\n\tnewUser.Filters.RecoveryCodes = user.Filters.RecoveryCodes\n\tnewUser.Filters.TOTPConfig = user.Filters.TOTPConfig\n\tnewUser.LastPasswordChange = user.LastPasswordChange\n\tnewUser.SetEmptySecretsIfNil()\n}\n\nfunc executeUserCheckAction(c *dataprovider.EventActionIDPAccountCheck, params *EventParams) (*dataprovider.User, error) {\n\tuser, err := dataprovider.UserExists(params.Name, \"\")\n\texists := err == nil\n\tif exists && c.Mode == 1 {\n\t\terr = user.LoadAndApplyGroupSettings()\n\t\treturn &user, err\n\t}\n\tif err != nil && !errors.Is(err, util.ErrNotFound) {\n\t\treturn nil, err\n\t}\n\treplacements := params.getStringReplacements(false, 1)\n\treplacer := strings.NewReplacer(replacements...)\n\tdata := replaceWithReplacer(c.TemplateUser, replacer)\n\n\tvar newUser dataprovider.User\n\terr = json.Unmarshal(util.StringToBytes(data), &newUser)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif exists {\n\t\teventManagerLog(logger.LevelDebug, \"updating user %q after IDP login\", params.Name)\n\t\tpreserveUserProfile(&user, &newUser)\n\t\terr = dataprovider.UpdateUser(&newUser, dataprovider.ActionExecutorSystem, \"\", \"\")\n\t} else {\n\t\teventManagerLog(logger.LevelDebug, \"creating user %q after IDP login\", params.Name)\n\t\terr = dataprovider.AddUser(&newUser, dataprovider.ActionExecutorSystem, \"\", \"\")\n\t}\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tu, err := dataprovider.GetUserWithGroupSettings(params.Name, \"\")\n\treturn &u, err\n}\n\nfunc executeRuleAction(action dataprovider.BaseEventAction, params *EventParams, //nolint:gocyclo\n\tconditions dataprovider.ConditionOptions,\n) error {\n\tif len(conditions.EventStatuses) > 0 && !slices.Contains(conditions.EventStatuses, params.Status) {\n\t\teventManagerLog(logger.LevelDebug, \"skipping action %s, event status %d does not match: %v\",\n\t\t\taction.Name, params.Status, conditions.EventStatuses)\n\t\treturn nil\n\t}\n\tvar err error\n\n\tswitch action.Type {\n\tcase dataprovider.ActionTypeHTTP:\n\t\terr = executeHTTPRuleAction(action.Options.HTTPConfig, params)\n\tcase dataprovider.ActionTypeCommand:\n\t\terr = executeCommandRuleAction(action.Options.CmdConfig, params)\n\tcase dataprovider.ActionTypeEmail:\n\t\terr = executeEmailRuleAction(action.Options.EmailConfig, params)\n\tcase dataprovider.ActionTypeBackup:\n\t\tvar backupPath string\n\t\tbackupPath, err = dataprovider.ExecuteBackup()\n\t\tif err == nil {\n\t\t\tparams.setBackupParams(backupPath)\n\t\t}\n\tcase dataprovider.ActionTypeUserQuotaReset:\n\t\terr = executeUsersQuotaResetRuleAction(conditions, params)\n\tcase dataprovider.ActionTypeFolderQuotaReset:\n\t\terr = executeFoldersQuotaResetRuleAction(conditions, params)\n\tcase dataprovider.ActionTypeTransferQuotaReset:\n\t\terr = executeTransferQuotaResetRuleAction(conditions, params)\n\tcase dataprovider.ActionTypeDataRetentionCheck:\n\t\terr = executeDataRetentionCheckRuleAction(action.Options.RetentionConfig, conditions, params, action.Name)\n\tcase dataprovider.ActionTypeFilesystem:\n\t\terr = executeFsRuleAction(action.Options.FsConfig, conditions, params)\n\tcase dataprovider.ActionTypePasswordExpirationCheck:\n\t\terr = executePwdExpirationCheckRuleAction(action.Options.PwdExpirationConfig, conditions, params)\n\tcase dataprovider.ActionTypeUserExpirationCheck:\n\t\terr = executeUserExpirationCheckRuleAction(conditions, params)\n\tcase dataprovider.ActionTypeUserInactivityCheck:\n\t\terr = executeUserInactivityCheckRuleAction(action.Options.UserInactivityConfig, conditions, params, time.Now())\n\tcase dataprovider.ActionTypeRotateLogs:\n\t\terr = logger.RotateLogFile()\n\tdefault:\n\t\terr = fmt.Errorf(\"unsupported action type: %d\", action.Type)\n\t}\n\n\tif err != nil {\n\t\terr = fmt.Errorf(\"action %q failed: %w\", action.Name, err)\n\t}\n\tparams.AddError(err)\n\treturn err\n}\n\nfunc executeIDPAccountCheckRule(rule dataprovider.EventRule, params EventParams) (*dataprovider.User,\n\t*dataprovider.Admin, error,\n) {\n\tfor _, action := range rule.Actions {\n\t\tif action.Type == dataprovider.ActionTypeIDPAccountCheck {\n\t\t\tstartTime := time.Now()\n\t\t\tvar user *dataprovider.User\n\t\t\tvar admin *dataprovider.Admin\n\t\t\tvar err error\n\t\t\tvar failedActions []string\n\t\t\tparamsCopy := params.getACopy()\n\n\t\t\tswitch params.Event {\n\t\t\tcase IDPLoginAdmin:\n\t\t\t\tadmin, err = executeAdminCheckAction(&action.BaseEventAction.Options.IDPConfig, paramsCopy)\n\t\t\tcase IDPLoginUser:\n\t\t\t\tuser, err = executeUserCheckAction(&action.BaseEventAction.Options.IDPConfig, paramsCopy)\n\t\t\tdefault:\n\t\t\t\terr = fmt.Errorf(\"unsupported IDP login event: %q\", params.Event)\n\t\t\t}\n\t\t\tif err != nil {\n\t\t\t\tparamsCopy.AddError(fmt.Errorf(\"unable to handle %q: %w\", params.Event, err))\n\t\t\t\teventManagerLog(logger.LevelError, \"unable to handle IDP login event %q, err: %v\", params.Event, err)\n\t\t\t\tfailedActions = append(failedActions, action.Name)\n\t\t\t} else {\n\t\t\t\teventManagerLog(logger.LevelDebug, \"executed action %q for rule %q, elapsed %s\",\n\t\t\t\t\taction.Name, rule.Name, time.Since(startTime))\n\t\t\t}\n\t\t\t// execute async actions if any, including failure actions\n\t\t\tgo executeRuleAsyncActions(rule, paramsCopy, failedActions)\n\t\t\treturn user, admin, err\n\t\t}\n\t}\n\teventManagerLog(logger.LevelError, \"no action executed for IDP login event %q, event rule: %q\", params.Event, rule.Name)\n\treturn nil, nil, errors.New(\"no action executed\")\n}\n\nfunc executeSyncRulesActions(rules []dataprovider.EventRule, params EventParams) error {\n\tvar errRes error\n\n\tfor _, rule := range rules {\n\t\tvar failedActions []string\n\t\tparamsCopy := params.getACopy()\n\t\tfor _, action := range rule.Actions {\n\t\t\tif !action.Options.IsFailureAction && action.Options.ExecuteSync {\n\t\t\t\tstartTime := time.Now()\n\t\t\t\tif err := executeRuleAction(action.BaseEventAction, paramsCopy, rule.Conditions.Options); err != nil {\n\t\t\t\t\teventManagerLog(logger.LevelError, \"unable to execute sync action %q for rule %q, elapsed %s, err: %v\",\n\t\t\t\t\t\taction.Name, rule.Name, time.Since(startTime), err)\n\t\t\t\t\tfailedActions = append(failedActions, action.Name)\n\t\t\t\t\t// we return the last error, it is ok for now\n\t\t\t\t\terrRes = err\n\t\t\t\t\tif action.Options.StopOnFailure {\n\t\t\t\t\t\tbreak\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\teventManagerLog(logger.LevelDebug, \"executed sync action %q for rule %q, elapsed: %s\",\n\t\t\t\t\t\taction.Name, rule.Name, time.Since(startTime))\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\t// execute async actions if any, including failure actions\n\t\tgo executeRuleAsyncActions(rule, paramsCopy, failedActions)\n\t}\n\n\treturn errRes\n}\n\nfunc executeAsyncRulesActions(rules []dataprovider.EventRule, params EventParams) {\n\teventManager.addAsyncTask()\n\tdefer eventManager.removeAsyncTask()\n\n\tparams.addUID()\n\tfor _, rule := range rules {\n\t\texecuteRuleAsyncActions(rule, params.getACopy(), nil)\n\t}\n}\n\nfunc executeRuleAsyncActions(rule dataprovider.EventRule, params *EventParams, failedActions []string) {\n\tfor _, action := range rule.Actions {\n\t\tif !action.Options.IsFailureAction && !action.Options.ExecuteSync {\n\t\t\tstartTime := time.Now()\n\t\t\tif err := executeRuleAction(action.BaseEventAction, params, rule.Conditions.Options); err != nil {\n\t\t\t\teventManagerLog(logger.LevelError, \"unable to execute action %q for rule %q, elapsed %s, err: %v\",\n\t\t\t\t\taction.Name, rule.Name, time.Since(startTime), err)\n\t\t\t\tfailedActions = append(failedActions, action.Name)\n\t\t\t\tif action.Options.StopOnFailure {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\teventManagerLog(logger.LevelDebug, \"executed action %q for rule %q, elapsed %s\",\n\t\t\t\t\taction.Name, rule.Name, time.Since(startTime))\n\t\t\t}\n\t\t}\n\t}\n\tif len(failedActions) > 0 {\n\t\tparams.updateStatusFromError = false\n\t\t// execute failure actions\n\t\tfor _, action := range rule.Actions {\n\t\t\tif action.Options.IsFailureAction {\n\t\t\t\tstartTime := time.Now()\n\t\t\t\tif err := executeRuleAction(action.BaseEventAction, params, rule.Conditions.Options); err != nil {\n\t\t\t\t\teventManagerLog(logger.LevelError, \"unable to execute failure action %q for rule %q, elapsed %s, err: %v\",\n\t\t\t\t\t\taction.Name, rule.Name, time.Since(startTime), err)\n\t\t\t\t\tif action.Options.StopOnFailure {\n\t\t\t\t\t\tbreak\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\teventManagerLog(logger.LevelDebug, \"executed failure action %q for rule %q, elapsed: %s\",\n\t\t\t\t\t\taction.Name, rule.Name, time.Since(startTime))\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n}\n\ntype eventCronJob struct {\n\truleName string\n}\n\nfunc (j *eventCronJob) getTask(rule *dataprovider.EventRule) (dataprovider.Task, error) {\n\tif rule.GuardFromConcurrentExecution() {\n\t\ttask, err := dataprovider.GetTaskByName(rule.Name)\n\t\tif err != nil {\n\t\t\tif errors.Is(err, util.ErrNotFound) {\n\t\t\t\teventManagerLog(logger.LevelDebug, \"adding task for rule %q\", rule.Name)\n\t\t\t\ttask = dataprovider.Task{\n\t\t\t\t\tName: rule.Name,\n\t\t\t\t\tUpdateAt: 0,\n\t\t\t\t\tVersion: 0,\n\t\t\t\t}\n\t\t\t\terr = dataprovider.AddTask(rule.Name)\n\t\t\t\tif err != nil {\n\t\t\t\t\teventManagerLog(logger.LevelWarn, \"unable to add task for rule %q: %v\", rule.Name, err)\n\t\t\t\t\treturn task, err\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\teventManagerLog(logger.LevelWarn, \"unable to get task for rule %q: %v\", rule.Name, err)\n\t\t\t}\n\t\t}\n\t\treturn task, err\n\t}\n\n\treturn dataprovider.Task{}, nil\n}\n\nfunc (j *eventCronJob) getEventParams() EventParams {\n\treturn EventParams{\n\t\tEvent: \"Schedule\",\n\t\tName: j.ruleName,\n\t\tStatus: 1,\n\t\tTimestamp: time.Now(),\n\t\tupdateStatusFromError: true,\n\t}\n}\n\nfunc (j *eventCronJob) Run() {\n\teventManagerLog(logger.LevelDebug, \"executing scheduled rule %q\", j.ruleName)\n\trule, err := dataprovider.EventRuleExists(j.ruleName)\n\tif err != nil {\n\t\teventManagerLog(logger.LevelError, \"unable to load rule with name %q\", j.ruleName)\n\t\treturn\n\t}\n\tif err := rule.CheckActionsConsistency(\"\"); err != nil {\n\t\teventManagerLog(logger.LevelWarn, \"scheduled rule %q skipped: %v\", rule.Name, err)\n\t\treturn\n\t}\n\ttask, err := j.getTask(&rule)\n\tif err != nil {\n\t\treturn\n\t}\n\tif task.Name != \"\" {\n\t\tupdateInterval := 5 * time.Minute\n\t\tupdatedAt := util.GetTimeFromMsecSinceEpoch(task.UpdateAt)\n\t\tif updatedAt.Add(updateInterval*2 + 1).After(time.Now()) {\n\t\t\teventManagerLog(logger.LevelDebug, \"task for rule %q too recent: %s, skip execution\", rule.Name, updatedAt)\n\t\t\treturn\n\t\t}\n\t\terr = dataprovider.UpdateTask(rule.Name, task.Version)\n\t\tif err != nil {\n\t\t\teventManagerLog(logger.LevelInfo, \"unable to update task timestamp for rule %q, skip execution, err: %v\",\n\t\t\t\trule.Name, err)\n\t\t\treturn\n\t\t}\n\t\tticker := time.NewTicker(updateInterval)\n\t\tdone := make(chan bool)\n\n\t\tdefer func() {\n\t\t\tdone <- true\n\t\t\tticker.Stop()\n\t\t}()\n\n\t\tgo func(taskName string) {\n\t\t\teventManagerLog(logger.LevelDebug, \"update task %q timestamp worker started\", taskName)\n\t\t\tfor {\n\t\t\t\tselect {\n\t\t\t\tcase <-done:\n\t\t\t\t\teventManagerLog(logger.LevelDebug, \"update task %q timestamp worker finished\", taskName)\n\t\t\t\t\treturn\n\t\t\t\tcase <-ticker.C:\n\t\t\t\t\terr := dataprovider.UpdateTaskTimestamp(taskName)\n\t\t\t\t\teventManagerLog(logger.LevelInfo, \"updated timestamp for task %q, err: %v\", taskName, err)\n\t\t\t\t}\n\t\t\t}\n\t\t}(task.Name)\n\n\t\texecuteAsyncRulesActions([]dataprovider.EventRule{rule}, j.getEventParams())\n\t} else {\n\t\texecuteAsyncRulesActions([]dataprovider.EventRule{rule}, j.getEventParams())\n\t}\n\teventManagerLog(logger.LevelDebug, \"execution for scheduled rule %q finished\", j.ruleName)\n}\n\n// RunOnDemandRule executes actions for a rule with on-demand trigger\nfunc RunOnDemandRule(name string) error {\n\teventManagerLog(logger.LevelDebug, \"executing on demand rule %q\", name)\n\trule, err := dataprovider.EventRuleExists(name)\n\tif err != nil {\n\t\teventManagerLog(logger.LevelDebug, \"unable to load rule with name %q\", name)\n\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"rule %q does not exist\", name))\n\t}\n\tif rule.Trigger != dataprovider.EventTriggerOnDemand {\n\t\teventManagerLog(logger.LevelDebug, \"cannot run rule %q as on demand, trigger: %d\", name, rule.Trigger)\n\t\treturn util.NewValidationError(fmt.Sprintf(\"rule %q is not defined as on-demand\", name))\n\t}\n\tif rule.Status != 1 {\n\t\teventManagerLog(logger.LevelDebug, \"on-demand rule %q is inactive\", name)\n\t\treturn util.NewValidationError(fmt.Sprintf(\"rule %q is inactive\", name))\n\t}\n\tif err := rule.CheckActionsConsistency(\"\"); err != nil {\n\t\teventManagerLog(logger.LevelError, \"on-demand rule %q has incompatible actions: %v\", name, err)\n\t\treturn util.NewValidationError(fmt.Sprintf(\"rule %q has incosistent actions\", name))\n\t}\n\teventManagerLog(logger.LevelDebug, \"on-demand rule %q started\", name)\n\tgo executeAsyncRulesActions([]dataprovider.EventRule{rule}, EventParams{Status: 1, updateStatusFromError: true})\n\treturn nil\n}\n\ntype zipWriterWrapper struct {\n\tName string\n\tEntries map[string]bool\n\tWriter *zip.Writer\n}\n\nfunc eventManagerLog(level logger.LogLevel, format string, v ...any) {\n\tlogger.Log(level, \"eventmanager\", \"\", format, v...)\n}\n" }, { "path": "internal/common/eventmanager_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"bytes\"\n\t\"crypto/rand\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"mime/multipart\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/klauspost/compress/zip\"\n\t\"github.com/rs/xid\"\n\t\"github.com/sftpgo/sdk\"\n\tsdkkms \"github.com/sftpgo/sdk/kms\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nfunc TestEventRuleMatch(t *testing.T) {\n\trole := \"role1\"\n\tconditions := &dataprovider.EventConditions{\n\t\tProviderEvents: []string{\"add\", \"update\"},\n\t\tOptions: dataprovider.ConditionOptions{\n\t\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t\t{\n\t\t\t\t\tPattern: \"user1\",\n\t\t\t\t\tInverseMatch: true,\n\t\t\t\t},\n\t\t\t},\n\t\t\tRoleNames: []dataprovider.ConditionPattern{\n\t\t\t\t{\n\t\t\t\t\tPattern: role,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\tres := eventManager.checkProviderEventMatch(conditions, &EventParams{\n\t\tName: \"user1\",\n\t\tRole: role,\n\t\tEvent: \"add\",\n\t})\n\tassert.False(t, res)\n\tres = eventManager.checkProviderEventMatch(conditions, &EventParams{\n\t\tName: \"user2\",\n\t\tRole: role,\n\t\tEvent: \"update\",\n\t})\n\tassert.True(t, res)\n\tres = eventManager.checkProviderEventMatch(conditions, &EventParams{\n\t\tName: \"user2\",\n\t\tRole: role,\n\t\tEvent: \"delete\",\n\t})\n\tassert.False(t, res)\n\tconditions.Options.ProviderObjects = []string{\"api_key\"}\n\tres = eventManager.checkProviderEventMatch(conditions, &EventParams{\n\t\tName: \"user2\",\n\t\tEvent: \"update\",\n\t\tRole: role,\n\t\tObjectType: \"share\",\n\t})\n\tassert.False(t, res)\n\tres = eventManager.checkProviderEventMatch(conditions, &EventParams{\n\t\tName: \"user2\",\n\t\tEvent: \"update\",\n\t\tRole: role,\n\t\tObjectType: \"api_key\",\n\t})\n\tassert.True(t, res)\n\tres = eventManager.checkProviderEventMatch(conditions, &EventParams{\n\t\tName: \"user2\",\n\t\tEvent: \"update\",\n\t\tRole: role + \"1\",\n\t\tObjectType: \"api_key\",\n\t})\n\tassert.False(t, res)\n\t// now test fs events\n\tconditions = &dataprovider.EventConditions{\n\t\tFsEvents: []string{operationUpload, operationDownload},\n\t\tOptions: dataprovider.ConditionOptions{\n\t\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t\t{\n\t\t\t\t\tPattern: \"user*\",\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tPattern: \"tester*\",\n\t\t\t\t},\n\t\t\t},\n\t\t\tRoleNames: []dataprovider.ConditionPattern{\n\t\t\t\t{\n\t\t\t\t\tPattern: role,\n\t\t\t\t\tInverseMatch: true,\n\t\t\t\t},\n\t\t\t},\n\t\t\tFsPaths: []dataprovider.ConditionPattern{\n\t\t\t\t{\n\t\t\t\t\tPattern: \"/**/*.txt\",\n\t\t\t\t},\n\t\t\t},\n\t\t\tProtocols: []string{ProtocolSFTP},\n\t\t\tMinFileSize: 10,\n\t\t\tMaxFileSize: 30,\n\t\t},\n\t}\n\tparams := EventParams{\n\t\tName: \"tester4\",\n\t\tEvent: operationDelete,\n\t\tVirtualPath: \"/path.txt\",\n\t\tProtocol: ProtocolSFTP,\n\t\tObjectName: \"path.txt\",\n\t\tFileSize: 20,\n\t}\n\tres = eventManager.checkFsEventMatch(conditions, ¶ms)\n\tassert.False(t, res)\n\tparams.Event = operationDownload\n\tres = eventManager.checkFsEventMatch(conditions, ¶ms)\n\tassert.True(t, res)\n\tparams.Role = role\n\tres = eventManager.checkFsEventMatch(conditions, ¶ms)\n\tassert.False(t, res)\n\tparams.Role = \"\"\n\tparams.Name = \"name\"\n\tres = eventManager.checkFsEventMatch(conditions, ¶ms)\n\tassert.False(t, res)\n\tparams.Name = \"user5\"\n\tres = eventManager.checkFsEventMatch(conditions, ¶ms)\n\tassert.True(t, res)\n\tparams.VirtualPath = \"/sub/f.jpg\"\n\tparams.ObjectName = path.Base(params.VirtualPath)\n\tres = eventManager.checkFsEventMatch(conditions, ¶ms)\n\tassert.False(t, res)\n\tparams.VirtualPath = \"/sub/f.txt\"\n\tparams.ObjectName = path.Base(params.VirtualPath)\n\tres = eventManager.checkFsEventMatch(conditions, ¶ms)\n\tassert.True(t, res)\n\tparams.Protocol = ProtocolHTTP\n\tres = eventManager.checkFsEventMatch(conditions, ¶ms)\n\tassert.False(t, res)\n\tparams.Protocol = ProtocolSFTP\n\tparams.FileSize = 5\n\tres = eventManager.checkFsEventMatch(conditions, ¶ms)\n\tassert.False(t, res)\n\tparams.FileSize = 50\n\tres = eventManager.checkFsEventMatch(conditions, ¶ms)\n\tassert.False(t, res)\n\tparams.FileSize = 25\n\tres = eventManager.checkFsEventMatch(conditions, ¶ms)\n\tassert.True(t, res)\n\t// bad pattern\n\tconditions.Options.Names = []dataprovider.ConditionPattern{\n\t\t{\n\t\t\tPattern: \"[-]\",\n\t\t},\n\t}\n\tres = eventManager.checkFsEventMatch(conditions, ¶ms)\n\tassert.False(t, res)\n\t// check fs events with group name filters\n\tconditions = &dataprovider.EventConditions{\n\t\tFsEvents: []string{operationUpload, operationDownload},\n\t\tOptions: dataprovider.ConditionOptions{\n\t\t\tGroupNames: []dataprovider.ConditionPattern{\n\t\t\t\t{\n\t\t\t\t\tPattern: \"group*\",\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tPattern: \"testgroup*\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\tparams = EventParams{\n\t\tName: \"user1\",\n\t\tEvent: operationUpload,\n\t}\n\tres = eventManager.checkFsEventMatch(conditions, ¶ms)\n\tassert.False(t, res)\n\tparams.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: \"g1\",\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t\t{\n\t\t\tName: \"g2\",\n\t\t\tType: sdk.GroupTypeSecondary,\n\t\t},\n\t}\n\tres = eventManager.checkFsEventMatch(conditions, ¶ms)\n\tassert.False(t, res)\n\tparams.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: \"testgroup2\",\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t\t{\n\t\t\tName: \"g2\",\n\t\t\tType: sdk.GroupTypeSecondary,\n\t\t},\n\t}\n\tres = eventManager.checkFsEventMatch(conditions, ¶ms)\n\tassert.True(t, res)\n\t// check user conditions\n\tuser := dataprovider.User{}\n\tuser.Username = \"u1\"\n\tres = checkUserConditionOptions(&user, &dataprovider.ConditionOptions{})\n\tassert.True(t, res)\n\tres = checkUserConditionOptions(&user, &dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: \"user\",\n\t\t\t},\n\t\t},\n\t})\n\tassert.False(t, res)\n\tres = checkUserConditionOptions(&user, &dataprovider.ConditionOptions{\n\t\tRoleNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: role,\n\t\t\t},\n\t\t},\n\t})\n\tassert.False(t, res)\n\tuser.Role = role\n\tres = checkUserConditionOptions(&user, &dataprovider.ConditionOptions{\n\t\tRoleNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: role,\n\t\t\t},\n\t\t},\n\t})\n\tassert.True(t, res)\n\tres = checkUserConditionOptions(&user, &dataprovider.ConditionOptions{\n\t\tGroupNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: \"group\",\n\t\t\t},\n\t\t},\n\t\tRoleNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: role,\n\t\t\t},\n\t\t},\n\t})\n\tassert.False(t, res)\n\tres = eventManager.checkIPDLoginEventMatch(&dataprovider.EventConditions{\n\t\tIDPLoginEvent: 0,\n\t}, &EventParams{\n\t\tEvent: IDPLoginAdmin,\n\t})\n\tassert.True(t, res)\n\tres = eventManager.checkIPDLoginEventMatch(&dataprovider.EventConditions{\n\t\tIDPLoginEvent: 2,\n\t}, &EventParams{\n\t\tEvent: IDPLoginAdmin,\n\t})\n\tassert.True(t, res)\n\tres = eventManager.checkIPDLoginEventMatch(&dataprovider.EventConditions{\n\t\tIDPLoginEvent: 1,\n\t}, &EventParams{\n\t\tEvent: IDPLoginAdmin,\n\t})\n\tassert.False(t, res)\n\tres = eventManager.checkIPDLoginEventMatch(&dataprovider.EventConditions{\n\t\tIDPLoginEvent: 1,\n\t}, &EventParams{\n\t\tEvent: IDPLoginUser,\n\t})\n\tassert.True(t, res)\n\tres = eventManager.checkIPDLoginEventMatch(&dataprovider.EventConditions{\n\t\tIDPLoginEvent: 1,\n\t}, &EventParams{\n\t\tName: \"user\",\n\t\tEvent: IDPLoginUser,\n\t})\n\tassert.True(t, res)\n\tres = eventManager.checkIPDLoginEventMatch(&dataprovider.EventConditions{\n\t\tIDPLoginEvent: 1,\n\t\tOptions: dataprovider.ConditionOptions{\n\t\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t\t{\n\t\t\t\t\tPattern: \"abc\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, &EventParams{\n\t\tName: \"user\",\n\t\tEvent: IDPLoginUser,\n\t})\n\tassert.False(t, res)\n\tres = eventManager.checkIPDLoginEventMatch(&dataprovider.EventConditions{\n\t\tIDPLoginEvent: 2,\n\t}, &EventParams{\n\t\tName: \"user\",\n\t\tEvent: IDPLoginUser,\n\t})\n\tassert.False(t, res)\n}\n\nfunc TestDoubleStarMatching(t *testing.T) {\n\tc := dataprovider.ConditionPattern{\n\t\tPattern: \"/mydir/**\",\n\t}\n\tres := checkEventConditionPattern(c, \"/mydir\")\n\tassert.True(t, res)\n\tres = checkEventConditionPattern(c, \"/mydirname\")\n\tassert.False(t, res)\n\tres = checkEventConditionPattern(c, \"/mydir/sub\")\n\tassert.True(t, res)\n\tres = checkEventConditionPattern(c, \"/mydir/sub/dir\")\n\tassert.True(t, res)\n\n\tc.Pattern = \"/**/*\"\n\tres = checkEventConditionPattern(c, \"/mydir\")\n\tassert.True(t, res)\n\tres = checkEventConditionPattern(c, \"/mydirname\")\n\tassert.True(t, res)\n\tres = checkEventConditionPattern(c, \"/mydir/sub/dir/file.txt\")\n\tassert.True(t, res)\n\n\tc.Pattern = \"/**/*.filepart\"\n\tres = checkEventConditionPattern(c, \"/file.filepart\")\n\tassert.True(t, res)\n\tres = checkEventConditionPattern(c, \"/mydir/sub/file.filepart\")\n\tassert.True(t, res)\n\tres = checkEventConditionPattern(c, \"/file.txt\")\n\tassert.False(t, res)\n\tres = checkEventConditionPattern(c, \"/mydir/file.txt\")\n\tassert.False(t, res)\n\n\tc.Pattern = \"/mydir/**/*.txt\"\n\tres = checkEventConditionPattern(c, \"/mydir\")\n\tassert.False(t, res)\n\tres = checkEventConditionPattern(c, \"/mydirname/f.txt\")\n\tassert.False(t, res)\n\tres = checkEventConditionPattern(c, \"/mydir/sub\")\n\tassert.False(t, res)\n\tres = checkEventConditionPattern(c, \"/mydir/sub/dir\")\n\tassert.False(t, res)\n\tres = checkEventConditionPattern(c, \"/mydir/sub/dir/a.txt\")\n\tassert.True(t, res)\n\n\tc.InverseMatch = true\n\tassert.True(t, checkEventConditionPattern(c, \"/mydir\"))\n\tassert.True(t, checkEventConditionPattern(c, \"/mydirname/f.txt\"))\n\tassert.True(t, checkEventConditionPattern(c, \"/mydir/sub\"))\n\tassert.True(t, checkEventConditionPattern(c, \"/mydir/sub/dir\"))\n\tassert.False(t, checkEventConditionPattern(c, \"/mydir/sub/dir/a.txt\"))\n}\n\nfunc TestMutlipleDoubleStarMatching(t *testing.T) {\n\tpatterns := []dataprovider.ConditionPattern{\n\t\t{\n\t\t\tPattern: \"/**/*.txt\",\n\t\t\tInverseMatch: false,\n\t\t},\n\t\t{\n\t\t\tPattern: \"/**/*.tmp\",\n\t\t\tInverseMatch: false,\n\t\t},\n\t}\n\tassert.False(t, checkEventConditionPatterns(\"/mydir\", patterns))\n\tassert.True(t, checkEventConditionPatterns(\"/mydir/test.tmp\", patterns))\n\tassert.True(t, checkEventConditionPatterns(\"/mydir/test.txt\", patterns))\n\tassert.False(t, checkEventConditionPatterns(\"/mydir/test.csv\", patterns))\n\tassert.False(t, checkEventConditionPatterns(\"/mydir/sub\", patterns))\n\tassert.True(t, checkEventConditionPatterns(\"/mydir/sub/test.tmp\", patterns))\n\tassert.True(t, checkEventConditionPatterns(\"/mydir/sub/test.txt\", patterns))\n\tassert.False(t, checkEventConditionPatterns(\"/mydir/sub/test.csv\", patterns))\n}\n\nfunc TestMultipleDoubleStarMatchingInverse(t *testing.T) {\n\tpatterns := []dataprovider.ConditionPattern{\n\t\t{\n\t\t\tPattern: \"/**/*.txt\",\n\t\t\tInverseMatch: true,\n\t\t},\n\t\t{\n\t\t\tPattern: \"/**/*.tmp\",\n\t\t\tInverseMatch: true,\n\t\t},\n\t}\n\tassert.True(t, checkEventConditionPatterns(\"/mydir\", patterns))\n\tassert.False(t, checkEventConditionPatterns(\"/mydir/test.tmp\", patterns))\n\tassert.False(t, checkEventConditionPatterns(\"/mydir/test.txt\", patterns))\n\tassert.True(t, checkEventConditionPatterns(\"/mydir/test.csv\", patterns))\n\tassert.True(t, checkEventConditionPatterns(\"/mydir/sub\", patterns))\n\tassert.False(t, checkEventConditionPatterns(\"/mydir/sub/test.tmp\", patterns))\n\tassert.False(t, checkEventConditionPatterns(\"/mydir/sub/test.txt\", patterns))\n\tassert.True(t, checkEventConditionPatterns(\"/mydir/sub/test.csv\", patterns))\n}\n\nfunc TestGroupConditionPatterns(t *testing.T) {\n\tgroup1 := \"group1\"\n\tgroup2 := \"group2\"\n\tpatterns := []dataprovider.ConditionPattern{\n\t\t{\n\t\t\tPattern: group1,\n\t\t},\n\t\t{\n\t\t\tPattern: group2,\n\t\t},\n\t}\n\tinversePatterns := []dataprovider.ConditionPattern{\n\t\t{\n\t\t\tPattern: group1,\n\t\t\tInverseMatch: true,\n\t\t},\n\t\t{\n\t\t\tPattern: group2,\n\t\t\tInverseMatch: true,\n\t\t},\n\t}\n\tgroups := []sdk.GroupMapping{\n\t\t{\n\t\t\tName: \"group3\",\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t}\n\tassert.False(t, checkEventGroupConditionPatterns(groups, patterns))\n\tassert.True(t, checkEventGroupConditionPatterns(groups, inversePatterns))\n\n\tgroups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: group1,\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t\t{\n\t\t\tName: \"group4\",\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t}\n\tassert.True(t, checkEventGroupConditionPatterns(groups, patterns))\n\tassert.False(t, checkEventGroupConditionPatterns(groups, inversePatterns))\n\tgroups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: group1,\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t}\n\tassert.True(t, checkEventGroupConditionPatterns(groups, patterns))\n\tassert.False(t, checkEventGroupConditionPatterns(groups, inversePatterns))\n\tgroups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: \"group11\",\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t}\n\tassert.False(t, checkEventGroupConditionPatterns(groups, patterns))\n\tassert.True(t, checkEventGroupConditionPatterns(groups, inversePatterns))\n}\n\nfunc TestEventManager(t *testing.T) {\n\tstartEventScheduler()\n\taction := &dataprovider.BaseEventAction{\n\t\tName: \"test_action\",\n\t\tType: dataprovider.ActionTypeHTTP,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tHTTPConfig: dataprovider.EventActionHTTPConfig{\n\t\t\t\tEndpoint: \"http://localhost\",\n\t\t\t\tTimeout: 20,\n\t\t\t\tMethod: http.MethodGet,\n\t\t\t},\n\t\t},\n\t}\n\terr := dataprovider.AddEventAction(action, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\trule := &dataprovider.EventRule{\n\t\tName: \"rule\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{operationUpload},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t},\n\t}\n\n\terr = dataprovider.AddEventRule(rule, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\teventManager.RLock()\n\tassert.Len(t, eventManager.FsEvents, 1)\n\tassert.Len(t, eventManager.ProviderEvents, 0)\n\tassert.Len(t, eventManager.Schedules, 0)\n\tassert.Len(t, eventManager.schedulesMapping, 0)\n\teventManager.RUnlock()\n\n\trule.Trigger = dataprovider.EventTriggerProviderEvent\n\trule.Conditions = dataprovider.EventConditions{\n\t\tProviderEvents: []string{\"add\"},\n\t}\n\terr = dataprovider.UpdateEventRule(rule, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\teventManager.RLock()\n\tassert.Len(t, eventManager.FsEvents, 0)\n\tassert.Len(t, eventManager.ProviderEvents, 1)\n\tassert.Len(t, eventManager.Schedules, 0)\n\tassert.Len(t, eventManager.schedulesMapping, 0)\n\teventManager.RUnlock()\n\n\trule.Trigger = dataprovider.EventTriggerSchedule\n\trule.Conditions = dataprovider.EventConditions{\n\t\tSchedules: []dataprovider.Schedule{\n\t\t\t{\n\t\t\t\tHours: \"0\",\n\t\t\t\tDayOfWeek: \"*\",\n\t\t\t\tDayOfMonth: \"*\",\n\t\t\t\tMonth: \"*\",\n\t\t\t},\n\t\t},\n\t}\n\trule.DeletedAt = util.GetTimeAsMsSinceEpoch(time.Now().Add(-12 * time.Hour))\n\teventManager.addUpdateRuleInternal(*rule)\n\n\teventManager.RLock()\n\tassert.Len(t, eventManager.FsEvents, 0)\n\tassert.Len(t, eventManager.ProviderEvents, 0)\n\tassert.Len(t, eventManager.Schedules, 0)\n\tassert.Len(t, eventManager.schedulesMapping, 0)\n\teventManager.RUnlock()\n\n\tassert.Eventually(t, func() bool {\n\t\t_, err = dataprovider.EventRuleExists(rule.Name)\n\t\tok := errors.Is(err, util.ErrNotFound)\n\t\treturn ok\n\t}, 2*time.Second, 100*time.Millisecond)\n\n\trule.DeletedAt = 0\n\terr = dataprovider.AddEventRule(rule, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\teventManager.RLock()\n\tassert.Len(t, eventManager.FsEvents, 0)\n\tassert.Len(t, eventManager.ProviderEvents, 0)\n\tassert.Len(t, eventManager.Schedules, 1)\n\tassert.Len(t, eventManager.schedulesMapping, 1)\n\teventManager.RUnlock()\n\n\terr = dataprovider.DeleteEventRule(rule.Name, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\teventManager.RLock()\n\tassert.Len(t, eventManager.FsEvents, 0)\n\tassert.Len(t, eventManager.ProviderEvents, 0)\n\tassert.Len(t, eventManager.Schedules, 0)\n\tassert.Len(t, eventManager.schedulesMapping, 0)\n\teventManager.RUnlock()\n\n\terr = dataprovider.DeleteEventAction(action.Name, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tstopEventScheduler()\n}\n\nfunc TestEventManagerErrors(t *testing.T) {\n\tstartEventScheduler()\n\tproviderConf := dataprovider.GetProviderConfig()\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\n\tparams := EventParams{\n\t\tsender: \"sender\",\n\t}\n\t_, err = params.getUsers()\n\tassert.Error(t, err)\n\t_, err = params.getFolders()\n\tassert.Error(t, err)\n\n\terr = executeUsersQuotaResetRuleAction(dataprovider.ConditionOptions{}, &EventParams{})\n\tassert.Error(t, err)\n\terr = executeFoldersQuotaResetRuleAction(dataprovider.ConditionOptions{}, &EventParams{})\n\tassert.Error(t, err)\n\terr = executeTransferQuotaResetRuleAction(dataprovider.ConditionOptions{}, &EventParams{})\n\tassert.Error(t, err)\n\terr = executeUserExpirationCheckRuleAction(dataprovider.ConditionOptions{}, &EventParams{})\n\tassert.Error(t, err)\n\terr = executeUserInactivityCheckRuleAction(dataprovider.EventActionUserInactivity{},\n\t\tdataprovider.ConditionOptions{}, &EventParams{}, time.Time{})\n\tassert.Error(t, err)\n\terr = executeDeleteFsRuleAction(nil, nil, dataprovider.ConditionOptions{}, &EventParams{})\n\tassert.Error(t, err)\n\terr = executeMkdirFsRuleAction(nil, nil, dataprovider.ConditionOptions{}, &EventParams{})\n\tassert.Error(t, err)\n\terr = executeRenameFsRuleAction(nil, nil, dataprovider.ConditionOptions{}, &EventParams{})\n\tassert.Error(t, err)\n\terr = executeExistFsRuleAction(nil, nil, dataprovider.ConditionOptions{}, &EventParams{})\n\tassert.Error(t, err)\n\terr = executeCopyFsRuleAction(nil, nil, dataprovider.ConditionOptions{}, &EventParams{})\n\tassert.Error(t, err)\n\terr = executeCompressFsRuleAction(dataprovider.EventActionFsCompress{}, nil, dataprovider.ConditionOptions{}, &EventParams{})\n\tassert.Error(t, err)\n\terr = executePwdExpirationCheckRuleAction(dataprovider.EventActionPasswordExpiration{},\n\t\tdataprovider.ConditionOptions{}, &EventParams{})\n\tassert.Error(t, err)\n\t_, err = executeAdminCheckAction(&dataprovider.EventActionIDPAccountCheck{}, &EventParams{})\n\tassert.Error(t, err)\n\t_, err = executeUserCheckAction(&dataprovider.EventActionIDPAccountCheck{}, &EventParams{})\n\tassert.Error(t, err)\n\n\tgroupName := \"agroup\"\n\terr = executeQuotaResetForUser(&dataprovider.User{\n\t\tGroups: []sdk.GroupMapping{\n\t\t\t{\n\t\t\t\tName: groupName,\n\t\t\t\tType: sdk.GroupTypePrimary,\n\t\t\t},\n\t\t},\n\t})\n\tassert.Error(t, err)\n\terr = executeDataRetentionCheckForUser(dataprovider.User{\n\t\tGroups: []sdk.GroupMapping{\n\t\t\t{\n\t\t\t\tName: groupName,\n\t\t\t\tType: sdk.GroupTypePrimary,\n\t\t\t},\n\t\t},\n\t}, nil, &EventParams{}, \"\")\n\tassert.Error(t, err)\n\terr = executeDeleteFsActionForUser(nil, nil, dataprovider.User{\n\t\tGroups: []sdk.GroupMapping{\n\t\t\t{\n\t\t\t\tName: groupName,\n\t\t\t\tType: sdk.GroupTypePrimary,\n\t\t\t},\n\t\t},\n\t})\n\tassert.Error(t, err)\n\terr = executeMkDirsFsActionForUser(nil, nil, dataprovider.User{\n\t\tGroups: []sdk.GroupMapping{\n\t\t\t{\n\t\t\t\tName: groupName,\n\t\t\t\tType: sdk.GroupTypePrimary,\n\t\t\t},\n\t\t},\n\t})\n\tassert.Error(t, err)\n\terr = executeRenameFsActionForUser(nil, nil, dataprovider.User{\n\t\tGroups: []sdk.GroupMapping{\n\t\t\t{\n\t\t\t\tName: groupName,\n\t\t\t\tType: sdk.GroupTypePrimary,\n\t\t\t},\n\t\t},\n\t})\n\tassert.Error(t, err)\n\terr = executeExistFsActionForUser(nil, nil, dataprovider.User{\n\t\tGroups: []sdk.GroupMapping{\n\t\t\t{\n\t\t\t\tName: groupName,\n\t\t\t\tType: sdk.GroupTypePrimary,\n\t\t\t},\n\t\t},\n\t})\n\tassert.Error(t, err)\n\terr = executeCopyFsActionForUser(nil, nil, dataprovider.User{\n\t\tGroups: []sdk.GroupMapping{\n\t\t\t{\n\t\t\t\tName: groupName,\n\t\t\t\tType: sdk.GroupTypePrimary,\n\t\t\t},\n\t\t},\n\t})\n\tassert.Error(t, err)\n\terr = executeCompressFsActionForUser(dataprovider.EventActionFsCompress{}, nil, dataprovider.User{\n\t\tGroups: []sdk.GroupMapping{\n\t\t\t{\n\t\t\t\tName: groupName,\n\t\t\t\tType: sdk.GroupTypePrimary,\n\t\t\t},\n\t\t},\n\t})\n\tassert.Error(t, err)\n\terr = executePwdExpirationCheckForUser(&dataprovider.User{\n\t\tGroups: []sdk.GroupMapping{\n\t\t\t{\n\t\t\t\tName: groupName,\n\t\t\t\tType: sdk.GroupTypePrimary,\n\t\t\t},\n\t\t}}, dataprovider.EventActionPasswordExpiration{})\n\tassert.Error(t, err)\n\n\t_, _, err = getHTTPRuleActionBody(&dataprovider.EventActionHTTPConfig{\n\t\tMethod: http.MethodPost,\n\t\tParts: []dataprovider.HTTPPart{\n\t\t\t{\n\t\t\t\tName: \"p1\",\n\t\t\t},\n\t\t},\n\t}, nil, nil, dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"u\",\n\t\t},\n\t\tGroups: []sdk.GroupMapping{\n\t\t\t{\n\t\t\t\tName: groupName,\n\t\t\t\tType: sdk.GroupTypePrimary,\n\t\t\t},\n\t\t},\n\t}, &EventParams{}, false)\n\tassert.Error(t, err)\n\n\tdataRetentionAction := dataprovider.BaseEventAction{\n\t\tType: dataprovider.ActionTypeDataRetentionCheck,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tRetentionConfig: dataprovider.EventActionDataRetentionConfig{\n\t\t\t\tFolders: []dataprovider.FolderRetention{\n\t\t\t\t\t{\n\t\t\t\t\t\tPath: \"/\",\n\t\t\t\t\t\tRetention: 24,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\terr = executeRuleAction(dataRetentionAction, &EventParams{}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: \"username1\",\n\t\t\t},\n\t\t},\n\t})\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unable to get users\")\n\t}\n\n\teventManager.loadRules()\n\n\teventManager.RLock()\n\tassert.Len(t, eventManager.FsEvents, 0)\n\tassert.Len(t, eventManager.ProviderEvents, 0)\n\tassert.Len(t, eventManager.Schedules, 0)\n\teventManager.RUnlock()\n\n\t// rule with invalid trigger\n\teventManager.addUpdateRuleInternal(dataprovider.EventRule{\n\t\tName: \"test rule\",\n\t\tStatus: 1,\n\t\tTrigger: -1,\n\t})\n\n\teventManager.RLock()\n\tassert.Len(t, eventManager.FsEvents, 0)\n\tassert.Len(t, eventManager.ProviderEvents, 0)\n\tassert.Len(t, eventManager.Schedules, 0)\n\teventManager.RUnlock()\n\t// rule with invalid cronspec\n\teventManager.addUpdateRuleInternal(dataprovider.EventRule{\n\t\tName: \"test rule\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerSchedule,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tSchedules: []dataprovider.Schedule{\n\t\t\t\t{\n\t\t\t\t\tHours: \"1000\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t})\n\teventManager.RLock()\n\tassert.Len(t, eventManager.FsEvents, 0)\n\tassert.Len(t, eventManager.ProviderEvents, 0)\n\tassert.Len(t, eventManager.Schedules, 0)\n\teventManager.RUnlock()\n\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\tstopEventScheduler()\n}\n\nfunc TestDateTimePlaceholder(t *testing.T) {\n\toldTZ := Config.TZ\n\n\tConfig.TZ = \"\"\n\tdateTime := time.Now()\n\tparams := EventParams{\n\t\tTimestamp: dateTime,\n\t}\n\treplacements := params.getStringReplacements(false, 0)\n\tr := strings.NewReplacer(replacements...)\n\tres := r.Replace(\"{{.DateTime}}\")\n\tassert.Equal(t, dateTime.UTC().Format(dateTimeMillisFormat), res)\n\tres = r.Replace(\"{{.Year}}-{{.Month}}-{{.Day}}T{{.Hour}}:{{.Minute}}\")\n\tassert.Equal(t, dateTime.UTC().Format(dateTimeMillisFormat)[:16], res)\n\n\tConfig.TZ = \"local\"\n\treplacements = params.getStringReplacements(false, 0)\n\tr = strings.NewReplacer(replacements...)\n\tres = r.Replace(\"{{.DateTime}}\")\n\tassert.Equal(t, dateTime.Local().Format(dateTimeMillisFormat), res)\n\tres = r.Replace(\"{{.Year}}-{{.Month}}-{{.Day}}T{{.Hour}}:{{.Minute}}\")\n\tassert.Equal(t, dateTime.Local().Format(dateTimeMillisFormat)[:16], res)\n\n\tConfig.TZ = oldTZ\n}\n\nfunc TestEventRuleActions(t *testing.T) {\n\tactionName := \"test rule action\"\n\taction := dataprovider.BaseEventAction{\n\t\tName: actionName,\n\t\tType: dataprovider.ActionTypeBackup,\n\t}\n\terr := executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{})\n\tassert.NoError(t, err)\n\taction.Type = -1\n\terr = executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{})\n\tassert.Error(t, err)\n\n\taction = dataprovider.BaseEventAction{\n\t\tName: actionName,\n\t\tType: dataprovider.ActionTypeHTTP,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tHTTPConfig: dataprovider.EventActionHTTPConfig{\n\t\t\t\tEndpoint: \"http://foo\\x7f.com/\", // invalid URL\n\t\t\t\tSkipTLSVerify: true,\n\t\t\t\tBody: `\"data\": \"{{.ObjectDataString}}\"`,\n\t\t\t\tMethod: http.MethodPost,\n\t\t\t\tQueryParameters: []dataprovider.KeyValue{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"param\",\n\t\t\t\t\t\tValue: \"value\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tTimeout: 5,\n\t\t\t\tHeaders: []dataprovider.KeyValue{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"Content-Type\",\n\t\t\t\t\t\tValue: \"application/json\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tUsername: \"httpuser\",\n\t\t\t},\n\t\t},\n\t}\n\taction.Options.SetEmptySecretsIfNil()\n\terr = executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{})\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"invalid endpoint\")\n\t}\n\taction.Options.HTTPConfig.Endpoint = fmt.Sprintf(\"http://%v\", httpAddr)\n\tparams := &EventParams{\n\t\tName: \"a\",\n\t\tObject: &dataprovider.User{\n\t\t\tBaseUser: sdk.BaseUser{\n\t\t\t\tUsername: \"test user\",\n\t\t\t},\n\t\t},\n\t}\n\terr = executeRuleAction(action, params, dataprovider.ConditionOptions{})\n\tassert.NoError(t, err)\n\taction.Options.HTTPConfig.Method = http.MethodGet\n\terr = executeRuleAction(action, params, dataprovider.ConditionOptions{})\n\tassert.NoError(t, err)\n\taction.Options.HTTPConfig.Endpoint = fmt.Sprintf(\"http://%v/404\", httpAddr)\n\terr = executeRuleAction(action, params, dataprovider.ConditionOptions{})\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unexpected status code: 404\")\n\t}\n\taction.Options.HTTPConfig.Endpoint = \"http://invalid:1234\"\n\terr = executeRuleAction(action, params, dataprovider.ConditionOptions{})\n\tassert.Error(t, err)\n\taction.Options.HTTPConfig.QueryParameters = nil\n\taction.Options.HTTPConfig.Endpoint = \"http://bar\\x7f.com/\"\n\terr = executeRuleAction(action, params, dataprovider.ConditionOptions{})\n\tassert.Error(t, err)\n\taction.Options.HTTPConfig.Password = kms.NewSecret(sdkkms.SecretStatusSecretBox, \"payload\", \"key\", \"data\")\n\terr = executeRuleAction(action, params, dataprovider.ConditionOptions{})\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unable to decrypt HTTP password\")\n\t}\n\taction.Options.HTTPConfig.Endpoint = fmt.Sprintf(\"http://%v\", httpAddr)\n\taction.Options.HTTPConfig.Password = kms.NewEmptySecret()\n\taction.Options.HTTPConfig.Body = \"\"\n\taction.Options.HTTPConfig.Parts = []dataprovider.HTTPPart{\n\t\t{\n\t\t\tName: \"p1\",\n\t\t\tFilepath: \"path\",\n\t\t},\n\t}\n\terr = executeRuleAction(action, params, dataprovider.ConditionOptions{})\n\tassert.Contains(t, getErrorString(err), \"error getting user\")\n\n\taction.Options.HTTPConfig.Parts = nil\n\taction.Options.HTTPConfig.Body = \"{{.ObjectData}}\"\n\t// test disk and transfer quota reset\n\tusername1 := \"user1\"\n\tusername2 := \"user2\"\n\tuser1 := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username1,\n\t\t\tHomeDir: filepath.Join(os.TempDir(), username1),\n\t\t\tStatus: 1,\n\t\t\tPermissions: map[string][]string{\n\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t},\n\t\t},\n\t}\n\tuser2 := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username2,\n\t\t\tHomeDir: filepath.Join(os.TempDir(), username2),\n\t\t\tStatus: 1,\n\t\t\tPermissions: map[string][]string{\n\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t},\n\t\t},\n\t}\n\tuser2.Filters.PasswordExpiration = 10\n\terr = dataprovider.AddUser(&user1, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = dataprovider.AddUser(&user2, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\terr = executePwdExpirationCheckRuleAction(dataprovider.EventActionPasswordExpiration{\n\t\tThreshold: 20,\n\t}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: user2.Username,\n\t\t\t},\n\t\t},\n\t}, &EventParams{})\n\t// smtp not configured\n\tassert.Error(t, err)\n\n\taction = dataprovider.BaseEventAction{\n\t\tType: dataprovider.ActionTypeUserQuotaReset,\n\t}\n\terr = executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: username1,\n\t\t\t},\n\t\t},\n\t})\n\tassert.Error(t, err) // no home dir\n\t// create the home dir\n\terr = os.MkdirAll(user1.GetHomeDir(), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(filepath.Join(user1.GetHomeDir(), \"file.txt\"), []byte(\"user\"), 0666)\n\tassert.NoError(t, err)\n\terr = executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: username1,\n\t\t\t},\n\t\t},\n\t})\n\tassert.NoError(t, err)\n\tuserGet, err := dataprovider.UserExists(username1, \"\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, 1, userGet.UsedQuotaFiles)\n\tassert.Equal(t, int64(4), userGet.UsedQuotaSize)\n\t// simulate another quota scan in progress\n\tassert.True(t, QuotaScans.AddUserQuotaScan(username1, \"\"))\n\terr = executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: username1,\n\t\t\t},\n\t\t},\n\t})\n\tassert.Error(t, err)\n\tassert.True(t, QuotaScans.RemoveUserQuotaScan(username1))\n\t// non matching pattern\n\terr = executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: \"don't match\",\n\t\t\t},\n\t\t},\n\t})\n\tassert.Error(t, err)\n\tassert.Contains(t, getErrorString(err), \"no user quota reset executed\")\n\n\taction = dataprovider.BaseEventAction{\n\t\tType: dataprovider.ActionTypeUserExpirationCheck,\n\t}\n\n\terr = executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: \"don't match\",\n\t\t\t},\n\t\t},\n\t})\n\tassert.Error(t, err)\n\tassert.Contains(t, getErrorString(err), \"no user expiration check executed\")\n\n\terr = executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: username1,\n\t\t\t},\n\t\t},\n\t})\n\tassert.NoError(t, err)\n\n\tdataRetentionAction := dataprovider.BaseEventAction{\n\t\tType: dataprovider.ActionTypeDataRetentionCheck,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tRetentionConfig: dataprovider.EventActionDataRetentionConfig{\n\t\t\t\tFolders: []dataprovider.FolderRetention{\n\t\t\t\t\t{\n\t\t\t\t\t\tPath: \"\",\n\t\t\t\t\t\tRetention: 24,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\terr = executeRuleAction(dataRetentionAction, &EventParams{}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: username1,\n\t\t\t},\n\t\t},\n\t})\n\tassert.Error(t, err) // invalid config, no folder path specified\n\tretentionDir := \"testretention\"\n\tdataRetentionAction = dataprovider.BaseEventAction{\n\t\tType: dataprovider.ActionTypeDataRetentionCheck,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tRetentionConfig: dataprovider.EventActionDataRetentionConfig{\n\t\t\t\tFolders: []dataprovider.FolderRetention{\n\t\t\t\t\t{\n\t\t\t\t\t\tPath: path.Join(\"/\", retentionDir),\n\t\t\t\t\t\tRetention: 24,\n\t\t\t\t\t\tDeleteEmptyDirs: true,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\t// create some test files\n\tfile1 := filepath.Join(user1.GetHomeDir(), \"file1.txt\")\n\tfile2 := filepath.Join(user1.GetHomeDir(), retentionDir, \"file2.txt\")\n\tfile3 := filepath.Join(user1.GetHomeDir(), retentionDir, \"file3.txt\")\n\tfile4 := filepath.Join(user1.GetHomeDir(), retentionDir, \"sub\", \"file4.txt\")\n\n\terr = os.MkdirAll(filepath.Dir(file4), os.ModePerm)\n\tassert.NoError(t, err)\n\n\tfor _, f := range []string{file1, file2, file3, file4} {\n\t\terr = os.WriteFile(f, []byte(\"\"), 0666)\n\t\tassert.NoError(t, err)\n\t}\n\ttimeBeforeRetention := time.Now().Add(-48 * time.Hour)\n\terr = os.Chtimes(file1, timeBeforeRetention, timeBeforeRetention)\n\tassert.NoError(t, err)\n\terr = os.Chtimes(file2, timeBeforeRetention, timeBeforeRetention)\n\tassert.NoError(t, err)\n\terr = os.Chtimes(file4, timeBeforeRetention, timeBeforeRetention)\n\tassert.NoError(t, err)\n\n\terr = executeRuleAction(dataRetentionAction, &EventParams{}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: username1,\n\t\t\t},\n\t\t},\n\t})\n\tassert.NoError(t, err)\n\tassert.FileExists(t, file1)\n\tassert.NoFileExists(t, file2)\n\tassert.FileExists(t, file3)\n\tassert.NoDirExists(t, filepath.Dir(file4))\n\t// simulate another check in progress\n\tc := RetentionChecks.Add(RetentionCheck{}, &user1)\n\tassert.NotNil(t, c)\n\terr = executeRuleAction(dataRetentionAction, &EventParams{}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: username1,\n\t\t\t},\n\t\t},\n\t})\n\tassert.Error(t, err)\n\tRetentionChecks.remove(user1.Username)\n\n\terr = executeRuleAction(dataRetentionAction, &EventParams{}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: \"no match\",\n\t\t\t},\n\t\t},\n\t})\n\tassert.Error(t, err)\n\tassert.Contains(t, getErrorString(err), \"no retention check executed\")\n\n\t// test file exists action\n\taction = dataprovider.BaseEventAction{\n\t\tType: dataprovider.ActionTypeFilesystem,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tFsConfig: dataprovider.EventActionFilesystemConfig{\n\t\t\t\tType: dataprovider.FilesystemActionExist,\n\t\t\t\tExist: []string{\"/file1.txt\", path.Join(\"/\", retentionDir, \"file3.txt\")},\n\t\t\t},\n\t\t},\n\t}\n\terr = executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: \"no match\",\n\t\t\t},\n\t\t},\n\t})\n\tassert.Error(t, err)\n\tassert.Contains(t, getErrorString(err), \"no existence check executed\")\n\n\terr = executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: username1,\n\t\t\t},\n\t\t},\n\t})\n\tassert.NoError(t, err)\n\taction.Options.FsConfig.Exist = []string{\"/file1.txt\", path.Join(\"/\", retentionDir, \"file2.txt\")}\n\terr = executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: username1,\n\t\t\t},\n\t\t},\n\t})\n\tassert.Error(t, err)\n\n\terr = os.RemoveAll(user1.GetHomeDir())\n\tassert.NoError(t, err)\n\n\terr = dataprovider.UpdateUserTransferQuota(&user1, 100, 100, true)\n\tassert.NoError(t, err)\n\n\taction.Type = dataprovider.ActionTypeTransferQuotaReset\n\terr = executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: username1,\n\t\t\t},\n\t\t},\n\t})\n\tassert.NoError(t, err)\n\tuserGet, err = dataprovider.UserExists(username1, \"\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(0), userGet.UsedDownloadDataTransfer)\n\tassert.Equal(t, int64(0), userGet.UsedUploadDataTransfer)\n\n\terr = executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: \"no match\",\n\t\t\t},\n\t\t},\n\t})\n\tassert.Error(t, err)\n\tassert.Contains(t, getErrorString(err), \"no transfer quota reset executed\")\n\n\taction.Type = dataprovider.ActionTypeFilesystem\n\taction.Options = dataprovider.BaseEventActionOptions{\n\t\tFsConfig: dataprovider.EventActionFilesystemConfig{\n\t\t\tType: dataprovider.FilesystemActionRename,\n\t\t\tRenames: []dataprovider.RenameConfig{\n\t\t\t\t{\n\t\t\t\t\tKeyValue: dataprovider.KeyValue{\n\t\t\t\t\t\tKey: \"/source\",\n\t\t\t\t\t\tValue: \"/target\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\terr = executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: \"no match\",\n\t\t\t},\n\t\t},\n\t})\n\tassert.Error(t, err)\n\tassert.Contains(t, getErrorString(err), \"no rename executed\")\n\n\taction.Options = dataprovider.BaseEventActionOptions{\n\t\tFsConfig: dataprovider.EventActionFilesystemConfig{\n\t\t\tType: dataprovider.FilesystemActionDelete,\n\t\t\tDeletes: []string{\"/dir1\"},\n\t\t},\n\t}\n\terr = executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: \"no match\",\n\t\t\t},\n\t\t},\n\t})\n\tassert.Error(t, err)\n\tassert.Contains(t, getErrorString(err), \"no delete executed\")\n\n\taction.Options = dataprovider.BaseEventActionOptions{\n\t\tFsConfig: dataprovider.EventActionFilesystemConfig{\n\t\t\tType: dataprovider.FilesystemActionMkdirs,\n\t\t\tDeletes: []string{\"/dir1\"},\n\t\t},\n\t}\n\terr = executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: \"no match\",\n\t\t\t},\n\t\t},\n\t})\n\tassert.Error(t, err)\n\tassert.Contains(t, getErrorString(err), \"no mkdir executed\")\n\n\taction.Options = dataprovider.BaseEventActionOptions{\n\t\tFsConfig: dataprovider.EventActionFilesystemConfig{\n\t\t\tType: dataprovider.FilesystemActionCompress,\n\t\t\tCompress: dataprovider.EventActionFsCompress{\n\t\t\t\tName: \"test.zip\",\n\t\t\t\tPaths: []string{\"/{{.VirtualPath}}\"},\n\t\t\t},\n\t\t},\n\t}\n\terr = executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: \"no match\",\n\t\t\t},\n\t\t},\n\t})\n\tassert.Error(t, err)\n\tassert.Contains(t, getErrorString(err), \"no file/folder compressed\")\n\n\terr = executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{\n\t\tGroupNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: \"no match\",\n\t\t\t},\n\t\t},\n\t})\n\tassert.Error(t, err)\n\tassert.Contains(t, getErrorString(err), \"no file/folder compressed\")\n\n\terr = dataprovider.DeleteUser(username1, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = dataprovider.DeleteUser(username2, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\t// test folder quota reset\n\tfoldername1 := \"f1\"\n\tfoldername2 := \"f2\"\n\tfolder1 := vfs.BaseVirtualFolder{\n\t\tName: foldername1,\n\t\tMappedPath: filepath.Join(os.TempDir(), foldername1),\n\t}\n\tfolder2 := vfs.BaseVirtualFolder{\n\t\tName: foldername2,\n\t\tMappedPath: filepath.Join(os.TempDir(), foldername2),\n\t}\n\terr = dataprovider.AddFolder(&folder1, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = dataprovider.AddFolder(&folder2, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\taction = dataprovider.BaseEventAction{\n\t\tType: dataprovider.ActionTypeFolderQuotaReset,\n\t}\n\terr = executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: foldername1,\n\t\t\t},\n\t\t},\n\t})\n\tassert.Error(t, err) // no home dir\n\terr = os.MkdirAll(folder1.MappedPath, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(filepath.Join(folder1.MappedPath, \"file.txt\"), []byte(\"folder\"), 0666)\n\tassert.NoError(t, err)\n\terr = executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: foldername1,\n\t\t\t},\n\t\t},\n\t})\n\tassert.NoError(t, err)\n\tfolderGet, err := dataprovider.GetFolderByName(foldername1)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 1, folderGet.UsedQuotaFiles)\n\tassert.Equal(t, int64(6), folderGet.UsedQuotaSize)\n\t// simulate another quota scan in progress\n\tassert.True(t, QuotaScans.AddVFolderQuotaScan(foldername1))\n\terr = executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: foldername1,\n\t\t\t},\n\t\t},\n\t})\n\tassert.Error(t, err)\n\tassert.True(t, QuotaScans.RemoveVFolderQuotaScan(foldername1))\n\n\terr = executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: \"no folder match\",\n\t\t\t},\n\t\t},\n\t})\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"no folder quota reset executed\")\n\t}\n\n\tbody, _, err := getHTTPRuleActionBody(&dataprovider.EventActionHTTPConfig{\n\t\tMethod: http.MethodPost,\n\t}, nil, nil, dataprovider.User{}, &EventParams{}, true)\n\tassert.NoError(t, err)\n\tassert.Nil(t, body)\n\tbody, _, err = getHTTPRuleActionBody(&dataprovider.EventActionHTTPConfig{\n\t\tMethod: http.MethodPost,\n\t\tBody: \"test body\",\n\t}, nil, nil, dataprovider.User{}, &EventParams{}, false)\n\tassert.NoError(t, err)\n\tassert.NotNil(t, body)\n\n\terr = os.RemoveAll(folder1.MappedPath)\n\tassert.NoError(t, err)\n\terr = dataprovider.DeleteFolder(foldername1, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = dataprovider.DeleteFolder(foldername2, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n}\n\nfunc TestIDPAccountCheckRule(t *testing.T) {\n\t_, _, err := executeIDPAccountCheckRule(dataprovider.EventRule{}, EventParams{})\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"no action executed\")\n\t}\n\t_, _, err = executeIDPAccountCheckRule(dataprovider.EventRule{\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: \"n\",\n\t\t\t\t\tType: dataprovider.ActionTypeIDPAccountCheck,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, EventParams{Event: \"invalid\"})\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unsupported IDP login event\")\n\t}\n\t// invalid json\n\t_, err = executeAdminCheckAction(&dataprovider.EventActionIDPAccountCheck{TemplateAdmin: \"{\"}, &EventParams{Name: \"missing admin\"})\n\tassert.Error(t, err)\n\t_, err = executeUserCheckAction(&dataprovider.EventActionIDPAccountCheck{TemplateUser: \"[\"}, &EventParams{Name: \"missing user\"})\n\tassert.Error(t, err)\n\t_, err = executeUserCheckAction(&dataprovider.EventActionIDPAccountCheck{TemplateUser: \"{}\"}, &EventParams{Name: \"invalid user template\"})\n\tassert.ErrorIs(t, err, util.ErrValidation)\n\tusername := \"u\"\n\tc := &dataprovider.EventActionIDPAccountCheck{\n\t\tMode: 1,\n\t\tTemplateUser: `{\"username\":\"` + username + `\",\"status\":1,\"home_dir\":\"` + util.JSONEscape(filepath.Join(os.TempDir())) + `\",\"permissions\":{\"/\":[\"*\"]}}`,\n\t}\n\tparams := &EventParams{\n\t\tName: username,\n\t\tEvent: IDPLoginUser,\n\t}\n\tuser, err := executeUserCheckAction(c, params)\n\tassert.NoError(t, err)\n\tassert.Equal(t, username, user.Username)\n\tassert.Equal(t, 1, user.Status)\n\tuser.Status = 0\n\terr = dataprovider.UpdateUser(user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\t// the user is not changed\n\tuser, err = executeUserCheckAction(c, params)\n\tassert.NoError(t, err)\n\tassert.Equal(t, username, user.Username)\n\tassert.Equal(t, 0, user.Status)\n\t// change the mode, the user is now updated\n\tc.Mode = 0\n\tuser, err = executeUserCheckAction(c, params)\n\tassert.NoError(t, err)\n\tassert.Equal(t, username, user.Username)\n\tassert.Equal(t, 1, user.Status)\n\tassert.Empty(t, user.Password)\n\tassert.Len(t, user.PublicKeys, 0)\n\tassert.Len(t, user.Filters.TLSCerts, 0)\n\tassert.Empty(t, user.Email)\n\tassert.Empty(t, user.Description)\n\t// Update the profile attribute and make sure they are preserved\n\tuser.Password = \"secret\"\n\tuser.Email = \"example@example.com\"\n\tuser.Filters.AdditionalEmails = []string{\"alias@example.com\"}\n\tuser.Description = \"some desc\"\n\tuser.Filters.TLSCerts = []string{serverCert}\n\tuser.PublicKeys = []string{\"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC03jj0D+djk7pxIf/0OhrxrchJTRZklofJ1NoIu4752Sq02mdXmarMVsqJ1cAjV5LBVy3D1F5U6XW4rppkXeVtd04Pxb09ehtH0pRRPaoHHlALiJt8CoMpbKYMA8b3KXPPriGxgGomvtU2T2RMURSwOZbMtpsugfjYSWenyYX+VORYhylWnSXL961LTyC21ehd6d6QnW9G7E5hYMITMY9TuQZz3bROYzXiTsgN0+g6Hn7exFQp50p45StUMfV/SftCMdCxlxuyGny2CrN/vfjO7xxOo2uv7q1qm10Q46KPWJQv+pgZ/OfL+EDjy07n5QVSKHlbx+2nT4Q0EgOSQaCTYwn3YjtABfIxWwgAFdyj6YlPulCL22qU4MYhDcA6PSBwDdf8hvxBfvsiHdM+JcSHvv8/VeJhk6CmnZxGY0fxBupov27z3yEO8nAg8k+6PaUiW1MSUfuGMF/ktB8LOstXsEPXSszuyXiOv4DaryOXUiSn7bmRqKcEFlJusO6aZP0= nicola@p1\"}\n\terr = dataprovider.UpdateUser(user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tuser, err = executeUserCheckAction(c, params)\n\tassert.NoError(t, err)\n\tassert.Equal(t, username, user.Username)\n\tassert.Equal(t, 1, user.Status)\n\tassert.NotEmpty(t, user.Password)\n\tassert.Len(t, user.PublicKeys, 1)\n\tassert.Len(t, user.Filters.TLSCerts, 1)\n\tassert.NotEmpty(t, user.Email)\n\tassert.Len(t, user.Filters.AdditionalEmails, 1)\n\tassert.NotEmpty(t, user.Description)\n\n\terr = dataprovider.DeleteUser(username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\t// check rule consistency\n\tr := dataprovider.EventRule{\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tType: dataprovider.ActionTypeIDPAccountCheck,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t},\n\t}\n\terr = r.CheckActionsConsistency(\"\")\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"IDP account check action is only supported for IDP login trigger\")\n\t}\n\tr.Trigger = dataprovider.EventTriggerIDPLogin\n\terr = r.CheckActionsConsistency(\"\")\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"IDP account check must be a sync action\")\n\t}\n\tr.Actions[0].Options.ExecuteSync = true\n\terr = r.CheckActionsConsistency(\"\")\n\tassert.NoError(t, err)\n\tr.Actions = append(r.Actions, dataprovider.EventAction{\n\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\tType: dataprovider.ActionTypeCommand,\n\t\t},\n\t\tOptions: dataprovider.EventActionOptions{\n\t\t\tExecuteSync: true,\n\t\t},\n\t\tOrder: 2,\n\t})\n\terr = r.CheckActionsConsistency(\"\")\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"IDP account check must be the only sync action\")\n\t}\n}\n\nfunc TestUserExpirationCheck(t *testing.T) {\n\tusername := \"test_user_expiration_check\"\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username,\n\t\t\tPermissions: map[string][]string{\n\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t},\n\t\t\tHomeDir: filepath.Join(os.TempDir(), username),\n\t\t\tExpirationDate: util.GetTimeAsMsSinceEpoch(time.Now().Add(-24 * time.Hour)),\n\t\t},\n\t}\n\tuser.Filters.PasswordExpiration = 5\n\terr := dataprovider.AddUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tconditions := dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: username,\n\t\t\t},\n\t\t},\n\t}\n\terr = executeUserExpirationCheckRuleAction(conditions, &EventParams{})\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"expired users\")\n\t}\n\t// the check will be skipped, the user is expired\n\terr = executePwdExpirationCheckRuleAction(dataprovider.EventActionPasswordExpiration{Threshold: 10}, conditions, &EventParams{})\n\tassert.NoError(t, err)\n\n\terr = dataprovider.DeleteUser(username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestEventRuleActionsNoGroupMatching(t *testing.T) {\n\tusername := \"test_user_action_group_matching\"\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username,\n\t\t\tPermissions: map[string][]string{\n\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t},\n\t\t\tHomeDir: filepath.Join(os.TempDir(), username),\n\t\t},\n\t}\n\terr := dataprovider.AddUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tconditions := dataprovider.ConditionOptions{\n\t\tGroupNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: \"agroup\",\n\t\t\t},\n\t\t},\n\t}\n\terr = executeDeleteFsRuleAction(nil, nil, conditions, &EventParams{})\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"no delete executed\")\n\t}\n\terr = executeMkdirFsRuleAction(nil, nil, conditions, &EventParams{})\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"no mkdir executed\")\n\t}\n\terr = executeRenameFsRuleAction(nil, nil, conditions, &EventParams{})\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"no rename executed\")\n\t}\n\terr = executeExistFsRuleAction(nil, nil, conditions, &EventParams{})\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"no existence check executed\")\n\t}\n\terr = executeCopyFsRuleAction(nil, nil, conditions, &EventParams{})\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"no copy executed\")\n\t}\n\terr = executeUsersQuotaResetRuleAction(conditions, &EventParams{})\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"no user quota reset executed\")\n\t}\n\terr = executeTransferQuotaResetRuleAction(conditions, &EventParams{})\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"no transfer quota reset executed\")\n\t}\n\terr = executeDataRetentionCheckRuleAction(dataprovider.EventActionDataRetentionConfig{}, conditions, &EventParams{}, \"\")\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"no retention check executed\")\n\t}\n\n\terr = dataprovider.DeleteUser(username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestGetFileContent(t *testing.T) {\n\tusername := \"test_user_get_file_content\"\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username,\n\t\t\tPermissions: map[string][]string{\n\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t},\n\t\t\tHomeDir: filepath.Join(os.TempDir(), username),\n\t\t},\n\t}\n\terr := dataprovider.AddUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(user.GetHomeDir(), os.ModePerm)\n\tassert.NoError(t, err)\n\tfileContent := []byte(\"test file content\")\n\terr = os.WriteFile(filepath.Join(user.GetHomeDir(), \"file.txt\"), fileContent, 0666)\n\tassert.NoError(t, err)\n\tconn := NewBaseConnection(xid.New().String(), protocolEventAction, \"\", \"\", user)\n\treplacer := strings.NewReplacer(\"old\", \"new\")\n\tfiles, err := getMailAttachments(conn, []string{\"/file.txt\"}, replacer)\n\tassert.NoError(t, err)\n\tif assert.Len(t, files, 1) {\n\t\tvar b bytes.Buffer\n\t\t_, err = files[0].Writer(&b)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, fileContent, b.Bytes())\n\t}\n\t// missing file\n\t_, err = getMailAttachments(conn, []string{\"/file1.txt\"}, replacer)\n\tassert.Error(t, err)\n\t// directory\n\t_, err = getMailAttachments(conn, []string{\"/\"}, replacer)\n\tassert.Error(t, err)\n\t// files too large\n\tcontent := make([]byte, maxAttachmentsSize/2+1)\n\t_, err = rand.Read(content)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(filepath.Join(user.GetHomeDir(), \"file1.txt\"), content, 0666)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(filepath.Join(user.GetHomeDir(), \"file2.txt\"), content, 0666)\n\tassert.NoError(t, err)\n\tfiles, err = getMailAttachments(conn, []string{\"/file1.txt\"}, replacer)\n\tassert.NoError(t, err)\n\tif assert.Len(t, files, 1) {\n\t\tvar b bytes.Buffer\n\t\t_, err = files[0].Writer(&b)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, content, b.Bytes())\n\t}\n\t_, err = getMailAttachments(conn, []string{\"/file1.txt\", \"/file2.txt\"}, replacer)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"size too large\")\n\t}\n\t// change the filesystem provider\n\tuser.FsConfig.Provider = sdk.CryptedFilesystemProvider\n\tuser.FsConfig.CryptConfig.Passphrase = kms.NewPlainSecret(\"pwd\")\n\terr = dataprovider.UpdateUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tconn = NewBaseConnection(xid.New().String(), protocolEventAction, \"\", \"\", user)\n\t// the file is not encrypted so reading the encryption header will fail\n\tfiles, err = getMailAttachments(conn, []string{\"/file.txt\"}, replacer)\n\tassert.NoError(t, err)\n\tif assert.Len(t, files, 1) {\n\t\tvar b bytes.Buffer\n\t\t_, err = files[0].Writer(&b)\n\t\tassert.Error(t, err)\n\t}\n\n\terr = dataprovider.DeleteUser(username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestFilesystemActionErrors(t *testing.T) {\n\terr := executeFsRuleAction(dataprovider.EventActionFilesystemConfig{}, dataprovider.ConditionOptions{}, &EventParams{})\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unsupported filesystem action\")\n\t}\n\tusername := \"test_user_for_actions\"\n\ttestReplacer := strings.NewReplacer(\"old\", \"new\")\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username,\n\t\t\tPermissions: map[string][]string{\n\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t},\n\t\t\tHomeDir: filepath.Join(os.TempDir(), username),\n\t\t},\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.SFTPFilesystemProvider,\n\t\t\tSFTPConfig: vfs.SFTPFsConfig{\n\t\t\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\t\t\tEndpoint: \"127.0.0.1:4022\",\n\t\t\t\t\tUsername: username,\n\t\t\t\t},\n\t\t\t\tPassword: kms.NewPlainSecret(\"pwd\"),\n\t\t\t},\n\t\t},\n\t}\n\terr = executeEmailRuleAction(dataprovider.EventActionEmailConfig{\n\t\tRecipients: []string{\"test@example.net\"},\n\t\tSubject: \"subject\",\n\t\tBody: \"body\",\n\t\tAttachments: []string{\"/file.txt\"},\n\t}, &EventParams{\n\t\tsender: username,\n\t})\n\tassert.Error(t, err)\n\tconn := NewBaseConnection(\"\", protocolEventAction, \"\", \"\", user)\n\terr = executeDeleteFileFsAction(conn, \"\", nil)\n\tassert.Error(t, err)\n\terr = dataprovider.AddUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\t// check root fs fails\n\terr = executeDeleteFsActionForUser(nil, testReplacer, user)\n\tassert.Error(t, err)\n\terr = executeMkDirsFsActionForUser(nil, testReplacer, user)\n\tassert.Error(t, err)\n\terr = executeRenameFsActionForUser(nil, testReplacer, user)\n\tassert.Error(t, err)\n\terr = executeExistFsActionForUser(nil, testReplacer, user)\n\tassert.Error(t, err)\n\terr = executeCopyFsActionForUser(nil, testReplacer, user)\n\tassert.Error(t, err)\n\terr = executeCompressFsActionForUser(dataprovider.EventActionFsCompress{}, testReplacer, user)\n\tassert.Error(t, err)\n\t_, _, _, _, err = getFileWriter(conn, \"/path.txt\", -1) //nolint:dogsled\n\tassert.Error(t, err)\n\terr = executeEmailRuleAction(dataprovider.EventActionEmailConfig{\n\t\tRecipients: []string{\"test@example.net\"},\n\t\tSubject: \"subject\",\n\t\tBody: \"body\",\n\t\tAttachments: []string{\"/file1.txt\"},\n\t}, &EventParams{\n\t\tsender: username,\n\t})\n\tassert.Error(t, err)\n\tfn := getFileContentFn(NewBaseConnection(\"\", protocolEventAction, \"\", \"\", user), \"/f.txt\", 1234)\n\tvar b bytes.Buffer\n\t_, err = fn(&b)\n\tassert.Error(t, err)\n\terr = executeHTTPRuleAction(dataprovider.EventActionHTTPConfig{\n\t\tEndpoint: \"http://127.0.0.1:9999/\",\n\t\tMethod: http.MethodPost,\n\t\tParts: []dataprovider.HTTPPart{\n\t\t\t{\n\t\t\t\tName: \"p1\",\n\t\t\t\tFilepath: \"/filepath\",\n\t\t\t},\n\t\t},\n\t}, &EventParams{\n\t\tsender: username,\n\t})\n\tassert.Error(t, err)\n\tuser.FsConfig.Provider = sdk.LocalFilesystemProvider\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermUpload}\n\terr = dataprovider.DeleteUser(username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = dataprovider.AddUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = executeRenameFsActionForUser([]dataprovider.RenameConfig{\n\t\t{\n\t\t\tKeyValue: dataprovider.KeyValue{\n\t\t\t\tKey: \"/p1\",\n\t\t\t\tValue: \"/p1\",\n\t\t\t},\n\t\t},\n\t}, testReplacer, user)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"the rename source and target cannot be the same\")\n\t}\n\terr = executeRuleAction(dataprovider.BaseEventAction{\n\t\tType: dataprovider.ActionTypeFilesystem,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tFsConfig: dataprovider.EventActionFilesystemConfig{\n\t\t\t\tType: dataprovider.FilesystemActionRename,\n\t\t\t\tRenames: []dataprovider.RenameConfig{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyValue: dataprovider.KeyValue{\n\t\t\t\t\t\t\tKey: \"/p2\",\n\t\t\t\t\t\t\tValue: \"/p2\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, &EventParams{}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: username,\n\t\t\t},\n\t\t},\n\t})\n\tassert.Error(t, err)\n\n\tif runtime.GOOS != osWindows {\n\t\tdirPath := filepath.Join(user.HomeDir, \"adir\", \"sub\")\n\t\terr := os.MkdirAll(dirPath, os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\tfilePath := filepath.Join(dirPath, \"f.dat\")\n\t\terr = os.WriteFile(filePath, []byte(\"test file content\"), 0666)\n\t\tassert.NoError(t, err)\n\t\terr = os.Chmod(dirPath, 0001)\n\t\tassert.NoError(t, err)\n\n\t\terr = executeDeleteFsActionForUser([]string{\"/adir/sub\"}, testReplacer, user)\n\t\tassert.Error(t, err)\n\t\terr = executeDeleteFsActionForUser([]string{\"/adir/sub/f.dat\"}, testReplacer, user)\n\t\tassert.Error(t, err)\n\t\terr = os.Chmod(dirPath, 0555)\n\t\tassert.NoError(t, err)\n\t\terr = executeDeleteFsActionForUser([]string{\"/adir/sub/f.dat\"}, testReplacer, user)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"unable to remove file\")\n\t\t}\n\t\terr = executeRuleAction(dataprovider.BaseEventAction{\n\t\t\tType: dataprovider.ActionTypeFilesystem,\n\t\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\t\tFsConfig: dataprovider.EventActionFilesystemConfig{\n\t\t\t\t\tType: dataprovider.FilesystemActionDelete,\n\t\t\t\t\tDeletes: []string{\"/adir/sub/f.dat\"},\n\t\t\t\t},\n\t\t\t},\n\t\t}, &EventParams{}, dataprovider.ConditionOptions{\n\t\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t\t{\n\t\t\t\t\tPattern: username,\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tassert.Error(t, err)\n\n\t\terr = executeMkDirsFsActionForUser([]string{\"/adir/sub/sub\"}, testReplacer, user)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"unable to create dir\")\n\t\t}\n\t\terr = executeMkDirsFsActionForUser([]string{\"/adir/sub/sub/sub\"}, testReplacer, user)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"unable to check parent dirs\")\n\t\t}\n\n\t\terr = executeRuleAction(dataprovider.BaseEventAction{\n\t\t\tType: dataprovider.ActionTypeFilesystem,\n\t\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\t\tFsConfig: dataprovider.EventActionFilesystemConfig{\n\t\t\t\t\tType: dataprovider.FilesystemActionMkdirs,\n\t\t\t\t\tMkDirs: []string{\"/adir/sub/sub1\"},\n\t\t\t\t},\n\t\t\t},\n\t\t}, &EventParams{}, dataprovider.ConditionOptions{\n\t\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t\t{\n\t\t\t\t\tPattern: username,\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tassert.Error(t, err)\n\n\t\terr = os.Chmod(dirPath, os.ModePerm)\n\t\tassert.NoError(t, err)\n\n\t\tconn = NewBaseConnection(\"\", protocolEventAction, \"\", \"\", user)\n\t\twr := &zipWriterWrapper{\n\t\t\tName: \"test.zip\",\n\t\t\tWriter: zip.NewWriter(bytes.NewBuffer(nil)),\n\t\t\tEntries: map[string]bool{},\n\t\t}\n\t\terr = addZipEntry(wr, conn, \"/adir/sub/f.dat\", \"/adir/sub/sub\", nil, 0)\n\t\tassert.Error(t, err)\n\t\tassert.Contains(t, getErrorString(err), \"is outside base dir\")\n\t}\n\n\twr := &zipWriterWrapper{\n\t\tName: xid.New().String() + \".zip\",\n\t\tWriter: zip.NewWriter(bytes.NewBuffer(nil)),\n\t\tEntries: map[string]bool{},\n\t}\n\terr = addZipEntry(wr, conn, \"/p1\", \"/\", nil, 2000)\n\tassert.ErrorIs(t, err, util.ErrRecursionTooDeep)\n\n\terr = dataprovider.DeleteUser(username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestQuotaActionsWithQuotaTrackDisabled(t *testing.T) {\n\toldProviderConf := dataprovider.GetProviderConfig()\n\tproviderConf := dataprovider.GetProviderConfig()\n\tproviderConf.TrackQuota = 0\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\tusername := \"u1\"\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username,\n\t\t\tHomeDir: filepath.Join(os.TempDir(), username),\n\t\t\tStatus: 1,\n\t\t\tPermissions: map[string][]string{\n\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t},\n\t\t},\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.LocalFilesystemProvider,\n\t\t},\n\t}\n\terr = dataprovider.AddUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\terr = os.MkdirAll(user.GetHomeDir(), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = executeRuleAction(dataprovider.BaseEventAction{Type: dataprovider.ActionTypeUserQuotaReset},\n\t\t&EventParams{}, dataprovider.ConditionOptions{\n\t\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t\t{\n\t\t\t\t\tPattern: username,\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\tassert.Error(t, err)\n\n\terr = executeRuleAction(dataprovider.BaseEventAction{Type: dataprovider.ActionTypeTransferQuotaReset},\n\t\t&EventParams{}, dataprovider.ConditionOptions{\n\t\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t\t{\n\t\t\t\t\tPattern: username,\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\tassert.Error(t, err)\n\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = dataprovider.DeleteUser(username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tfoldername := \"f1\"\n\tfolder := vfs.BaseVirtualFolder{\n\t\tName: foldername,\n\t\tMappedPath: filepath.Join(os.TempDir(), foldername),\n\t}\n\terr = dataprovider.AddFolder(&folder, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(folder.MappedPath, os.ModePerm)\n\tassert.NoError(t, err)\n\n\terr = executeRuleAction(dataprovider.BaseEventAction{Type: dataprovider.ActionTypeFolderQuotaReset},\n\t\t&EventParams{}, dataprovider.ConditionOptions{\n\t\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t\t{\n\t\t\t\t\tPattern: foldername,\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\tassert.Error(t, err)\n\n\terr = os.RemoveAll(folder.MappedPath)\n\tassert.NoError(t, err)\n\terr = dataprovider.DeleteFolder(foldername, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = dataprovider.Initialize(oldProviderConf, configDir, true)\n\tassert.NoError(t, err)\n}\n\nfunc TestScheduledActions(t *testing.T) {\n\tstartEventScheduler()\n\tbackupsPath := filepath.Join(os.TempDir(), \"backups\")\n\terr := os.RemoveAll(backupsPath)\n\tassert.NoError(t, err)\n\tnow := time.Now().UTC().Format(dateTimeMillisFormat)\n\t// The backup action sets the home directory to the backup path.\n\texpectedDirPath := filepath.Join(backupsPath, fmt.Sprintf(\"%s_%s_%s\", now[0:4], now[5:7], now[8:10]))\n\n\taction1 := &dataprovider.BaseEventAction{\n\t\tName: \"action1\",\n\t\tType: dataprovider.ActionTypeBackup,\n\t}\n\terr = dataprovider.AddEventAction(action1, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\taction2 := &dataprovider.BaseEventAction{\n\t\tName: \"action2\",\n\t\tType: dataprovider.ActionTypeFilesystem,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tFsConfig: dataprovider.EventActionFilesystemConfig{\n\t\t\t\tType: dataprovider.FilesystemActionMkdirs,\n\t\t\t\tMkDirs: []string{\"{{.Year}}_{{.Month}}_{{.Day}}\"},\n\t\t\t},\n\t\t},\n\t}\n\terr = dataprovider.AddEventAction(action2, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\trule := &dataprovider.EventRule{\n\t\tName: \"rule\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerSchedule,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tSchedules: []dataprovider.Schedule{\n\t\t\t\t{\n\t\t\t\t\tHours: \"11\",\n\t\t\t\t\tDayOfWeek: \"*\",\n\t\t\t\t\tDayOfMonth: \"*\",\n\t\t\t\t\tMonth: \"*\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action2.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 2,\n\t\t\t},\n\t\t},\n\t}\n\n\tjob := eventCronJob{\n\t\truleName: rule.Name,\n\t}\n\tjob.Run() // rule not found\n\tassert.NoDirExists(t, backupsPath)\n\n\terr = dataprovider.AddEventRule(rule, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tjob.Run()\n\tassert.DirExists(t, backupsPath)\n\tassert.DirExists(t, expectedDirPath)\n\n\taction1.Type = dataprovider.ActionTypeEmail\n\taction1.Options = dataprovider.BaseEventActionOptions{\n\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\tRecipients: []string{\"example@example.com\"},\n\t\t\tSubject: \"test with attachments\",\n\t\t\tBody: \"body\",\n\t\t\tAttachments: []string{\"/file1.txt\"},\n\t\t},\n\t}\n\terr = dataprovider.UpdateEventAction(action1, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tjob.Run() // action is not compatible with a scheduled rule\n\n\terr = dataprovider.DeleteEventRule(rule.Name, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = dataprovider.DeleteEventAction(action1.Name, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = dataprovider.DeleteEventAction(action2.Name, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(backupsPath)\n\tassert.NoError(t, err)\n\n\tstopEventScheduler()\n}\n\nfunc TestEventParamsCopy(t *testing.T) {\n\tparams := EventParams{\n\t\tName: \"name\",\n\t\tEvent: \"event\",\n\t\tExtension: \"ext\",\n\t\tStatus: 1,\n\t\terrors: []string{\"error1\"},\n\t\tretentionChecks: []executedRetentionCheck{},\n\t}\n\tparamsCopy := params.getACopy()\n\tassert.Equal(t, params, *paramsCopy)\n\tparams.Name = \"name mod\"\n\tparamsCopy.Event = \"event mod\"\n\tparamsCopy.Status = 2\n\tparams.errors = append(params.errors, \"error2\")\n\tparamsCopy.errors = append(paramsCopy.errors, \"error3\")\n\tassert.Equal(t, []string{\"error1\", \"error3\"}, paramsCopy.errors)\n\tassert.Equal(t, []string{\"error1\", \"error2\"}, params.errors)\n\tassert.Equal(t, \"name mod\", params.Name)\n\tassert.Equal(t, \"name\", paramsCopy.Name)\n\tassert.Equal(t, \"event\", params.Event)\n\tassert.Equal(t, \"event mod\", paramsCopy.Event)\n\tassert.Equal(t, 1, params.Status)\n\tassert.Equal(t, 2, paramsCopy.Status)\n\tparams = EventParams{\n\t\tretentionChecks: []executedRetentionCheck{\n\t\t\t{\n\t\t\t\tUsername: \"u\",\n\t\t\t\tActionName: \"a\",\n\t\t\t\tResults: []folderRetentionCheckResult{\n\t\t\t\t\t{\n\t\t\t\t\t\tPath: \"p\",\n\t\t\t\t\t\tRetention: 1,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\tparamsCopy = params.getACopy()\n\trequire.Len(t, paramsCopy.retentionChecks, 1)\n\tparamsCopy.retentionChecks[0].Username = \"u_copy\"\n\tparamsCopy.retentionChecks[0].ActionName = \"a_copy\"\n\trequire.Len(t, paramsCopy.retentionChecks[0].Results, 1)\n\tparamsCopy.retentionChecks[0].Results[0].Path = \"p_copy\"\n\tparamsCopy.retentionChecks[0].Results[0].Retention = 2\n\tassert.Equal(t, \"u\", params.retentionChecks[0].Username)\n\tassert.Equal(t, \"a\", params.retentionChecks[0].ActionName)\n\tassert.Equal(t, \"p\", params.retentionChecks[0].Results[0].Path)\n\tassert.Equal(t, 1, params.retentionChecks[0].Results[0].Retention)\n\tassert.Equal(t, \"u_copy\", paramsCopy.retentionChecks[0].Username)\n\tassert.Equal(t, \"a_copy\", paramsCopy.retentionChecks[0].ActionName)\n\tassert.Equal(t, \"p_copy\", paramsCopy.retentionChecks[0].Results[0].Path)\n\tassert.Equal(t, 2, paramsCopy.retentionChecks[0].Results[0].Retention)\n\tassert.Nil(t, params.IDPCustomFields)\n\tparams.addIDPCustomFields(nil)\n\tassert.Nil(t, params.IDPCustomFields)\n\tparams.IDPCustomFields = &map[string]string{\n\t\t\"field1\": \"val1\",\n\t}\n\tparamsCopy = params.getACopy()\n\tfor k, v := range *paramsCopy.IDPCustomFields {\n\t\tassert.Equal(t, \"field1\", k)\n\t\tassert.Equal(t, \"val1\", v)\n\t}\n\tassert.Equal(t, params.IDPCustomFields, paramsCopy.IDPCustomFields)\n\t(*paramsCopy.IDPCustomFields)[\"field1\"] = \"val2\"\n\tassert.NotEqual(t, params.IDPCustomFields, paramsCopy.IDPCustomFields)\n\tparams.Metadata = map[string]string{\"key\": \"value\"}\n\tparamsCopy = params.getACopy()\n\tparams.Metadata[\"key1\"] = \"value1\"\n\trequire.Equal(t, map[string]string{\"key\": \"value\"}, paramsCopy.Metadata)\n}\n\nfunc TestEventParamsStatusFromError(t *testing.T) {\n\tparams := EventParams{Status: 1}\n\tparams.AddError(os.ErrNotExist)\n\tassert.Equal(t, 1, params.Status)\n\n\tparams = EventParams{Status: 1, updateStatusFromError: true}\n\tparams.AddError(os.ErrNotExist)\n\tassert.Equal(t, 2, params.Status)\n}\n\ntype testWriter struct {\n\terrTest error\n\tsentinel string\n}\n\nfunc (w *testWriter) Write(p []byte) (int, error) {\n\tif w.errTest != nil {\n\t\treturn 0, w.errTest\n\t}\n\tif w.sentinel == string(p) {\n\t\treturn 0, io.ErrUnexpectedEOF\n\t}\n\treturn len(p), nil\n}\n\nfunc TestWriteHTTPPartsError(t *testing.T) {\n\tm := multipart.NewWriter(&testWriter{\n\t\terrTest: io.ErrShortWrite,\n\t})\n\n\terr := writeHTTPPart(m, dataprovider.HTTPPart{}, nil, nil, nil, &EventParams{}, false)\n\tassert.ErrorIs(t, err, io.ErrShortWrite)\n\n\tbody := \"test body\"\n\tm = multipart.NewWriter(&testWriter{sentinel: body})\n\terr = writeHTTPPart(m, dataprovider.HTTPPart{\n\t\tBody: body,\n\t}, nil, nil, nil, &EventParams{}, false)\n\tassert.ErrorIs(t, err, io.ErrUnexpectedEOF)\n}\n\nfunc TestReplacePathsPlaceholders(t *testing.T) {\n\treplacer := strings.NewReplacer(\"{{.VirtualPath}}\", \"/path1\")\n\tpaths := []string{\"{{.VirtualPath}}\", \"/path1\"}\n\tpaths = replacePathsPlaceholders(paths, replacer)\n\tassert.Equal(t, []string{\"/path1\"}, paths)\n\tpaths = []string{\"{{.VirtualPath}}\", \"/path2\"}\n\tpaths = replacePathsPlaceholders(paths, replacer)\n\tassert.Equal(t, []string{\"/path1\", \"/path2\"}, paths)\n}\n\nfunc TestEstimateZipSizeErrors(t *testing.T) {\n\tu := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"u\",\n\t\t\tHomeDir: filepath.Join(os.TempDir(), \"u\"),\n\t\t\tStatus: 1,\n\t\t\tPermissions: map[string][]string{\n\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t},\n\t\t\tQuotaSize: 1000,\n\t\t},\n\t}\n\terr := dataprovider.AddUser(&u, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(u.GetHomeDir(), os.ModePerm)\n\tassert.NoError(t, err)\n\tconn := NewBaseConnection(\"\", ProtocolFTP, \"\", \"\", u)\n\t_, _, _, _, err = getFileWriter(conn, \"/missing/path/file.txt\", -1) //nolint:dogsled\n\tassert.Error(t, err)\n\t_, err = getSizeForPath(conn, \"/missing\", vfs.NewFileInfo(\"missing\", true, 0, time.Now(), false))\n\tassert.True(t, conn.IsNotExistError(err))\n\tif runtime.GOOS != osWindows {\n\t\terr = os.MkdirAll(filepath.Join(u.HomeDir, \"d1\", \"d2\", \"sub\"), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\terr = os.WriteFile(filepath.Join(u.HomeDir, \"d1\", \"d2\", \"sub\", \"file.txt\"), []byte(\"data\"), 0666)\n\t\tassert.NoError(t, err)\n\t\terr = os.Chmod(filepath.Join(u.HomeDir, \"d1\", \"d2\"), 0001)\n\t\tassert.NoError(t, err)\n\t\tsize, err := estimateZipSize(conn, \"/archive.zip\", []string{\"/d1\"})\n\t\tassert.Error(t, err, \"size %d\", size)\n\t\terr = os.Chmod(filepath.Join(u.HomeDir, \"d1\", \"d2\"), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t}\n\terr = dataprovider.DeleteUser(u.Username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(u.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestOnDemandRule(t *testing.T) {\n\ta := &dataprovider.BaseEventAction{\n\t\tName: \"a\",\n\t\tType: dataprovider.ActionTypeBackup,\n\t\tOptions: dataprovider.BaseEventActionOptions{},\n\t}\n\terr := dataprovider.AddEventAction(a, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tr := &dataprovider.EventRule{\n\t\tName: \"test on demand rule\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerOnDemand,\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: a.Name,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\terr = dataprovider.AddEventRule(r, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\terr = RunOnDemandRule(r.Name)\n\tassert.NoError(t, err)\n\n\tr.Status = 0\n\terr = dataprovider.UpdateEventRule(r, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = RunOnDemandRule(r.Name)\n\tassert.ErrorIs(t, err, util.ErrValidation)\n\tassert.Contains(t, err.Error(), \"is inactive\")\n\n\tr.Status = 1\n\tr.Trigger = dataprovider.EventTriggerCertificate\n\terr = dataprovider.UpdateEventRule(r, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = RunOnDemandRule(r.Name)\n\tassert.ErrorIs(t, err, util.ErrValidation)\n\tassert.Contains(t, err.Error(), \"is not defined as on-demand\")\n\n\ta1 := &dataprovider.BaseEventAction{\n\t\tName: \"a1\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"example@example.org\"},\n\t\t\t\tSubject: \"subject\",\n\t\t\t\tBody: \"body\",\n\t\t\t\tAttachments: []string{\"/{{.VirtualPath}}\"},\n\t\t\t},\n\t\t},\n\t}\n\terr = dataprovider.AddEventAction(a1, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tr.Trigger = dataprovider.EventTriggerOnDemand\n\tr.Actions = []dataprovider.EventAction{\n\t\t{\n\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\tName: a1.Name,\n\t\t\t},\n\t\t},\n\t}\n\terr = dataprovider.UpdateEventRule(r, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = RunOnDemandRule(r.Name)\n\tassert.ErrorIs(t, err, util.ErrValidation)\n\tassert.Contains(t, err.Error(), \"incosistent actions\")\n\n\terr = dataprovider.DeleteEventRule(r.Name, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = dataprovider.DeleteEventAction(a.Name, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = dataprovider.DeleteEventAction(a1.Name, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\terr = RunOnDemandRule(r.Name)\n\tassert.ErrorIs(t, err, util.ErrNotFound)\n}\n\nfunc getErrorString(err error) string {\n\tif err == nil {\n\t\treturn \"\"\n\t}\n\treturn err.Error()\n}\n\nfunc TestHTTPEndpointWithPlaceholders(t *testing.T) {\n\tc := dataprovider.EventActionHTTPConfig{\n\t\tEndpoint: \"http://127.0.0.1:8080/base/url/{{.Name}}/{{.VirtualPath}}/upload\",\n\t\tQueryParameters: []dataprovider.KeyValue{\n\t\t\t{\n\t\t\t\tKey: \"u\",\n\t\t\t\tValue: \"{{.Name}}\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tKey: \"p\",\n\t\t\t\tValue: \"{{.VirtualPath}}\",\n\t\t\t},\n\t\t},\n\t}\n\tname := \"uname\"\n\tvPath := \"/a dir/@ file.txt\"\n\treplacer := strings.NewReplacer(\"{{.Name}}\", name, \"{{.VirtualPath}}\", vPath)\n\tu, err := getHTTPRuleActionEndpoint(&c, replacer)\n\tassert.NoError(t, err)\n\texpected := \"http://127.0.0.1:8080/base/url/\" + url.PathEscape(name) + \"/\" + url.PathEscape(vPath) +\n\t\t\"/upload?\" + \"p=\" + url.QueryEscape(vPath) + \"&u=\" + url.QueryEscape(name)\n\tassert.Equal(t, expected, u)\n\n\tc.Endpoint = \"http://127.0.0.1/upload\"\n\tu, err = getHTTPRuleActionEndpoint(&c, replacer)\n\tassert.NoError(t, err)\n\texpected = c.Endpoint + \"?p=\" + url.QueryEscape(vPath) + \"&u=\" + url.QueryEscape(name)\n\tassert.Equal(t, expected, u)\n}\n\nfunc TestMetadataReplacement(t *testing.T) {\n\tparams := &EventParams{\n\t\tMetadata: map[string]string{\n\t\t\t\"key\": \"value\",\n\t\t},\n\t}\n\treplacements := params.getStringReplacements(false, 0)\n\treplacer := strings.NewReplacer(replacements...)\n\treader, _, err := getHTTPRuleActionBody(&dataprovider.EventActionHTTPConfig{Body: \"{{.Metadata}} {{.MetadataString}}\"}, replacer, nil, dataprovider.User{}, params, false)\n\trequire.NoError(t, err)\n\tdata, err := io.ReadAll(reader)\n\trequire.NoError(t, err)\n\tassert.Equal(t, `{\"key\":\"value\"} {\\\"key\\\":\\\"value\\\"}`, string(data))\n}\n\nfunc TestUserInactivityCheck(t *testing.T) {\n\tusername1 := \"user1\"\n\tusername2 := \"user2\"\n\tuser1 := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username1,\n\t\t\tHomeDir: filepath.Join(os.TempDir(), username1),\n\t\t\tStatus: 1,\n\t\t\tPermissions: map[string][]string{\n\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t},\n\t\t},\n\t}\n\tuser2 := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username2,\n\t\t\tHomeDir: filepath.Join(os.TempDir(), username2),\n\t\t\tStatus: 1,\n\t\t\tPermissions: map[string][]string{\n\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t},\n\t\t},\n\t}\n\tdays := user1.InactivityDays(time.Now().Add(10*24*time.Hour + 5*time.Second))\n\tassert.Equal(t, 0, days)\n\n\tuser2.LastLogin = util.GetTimeAsMsSinceEpoch(time.Now())\n\terr := executeInactivityCheckForUser(&user2, dataprovider.EventActionUserInactivity{\n\t\tDisableThreshold: 10,\n\t}, time.Now().Add(12*24*time.Hour))\n\tassert.Error(t, err)\n\tuser2.LastLogin = util.GetTimeAsMsSinceEpoch(time.Now())\n\terr = executeInactivityCheckForUser(&user2, dataprovider.EventActionUserInactivity{\n\t\tDeleteThreshold: 10,\n\t}, time.Now().Add(12*24*time.Hour))\n\tassert.Error(t, err)\n\n\terr = dataprovider.AddUser(&user1, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = dataprovider.AddUser(&user2, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tuser1, err = dataprovider.UserExists(username1, \"\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, 1, user1.Status)\n\tdays = user1.InactivityDays(time.Now().Add(10*24*time.Hour + 5*time.Second))\n\tassert.Equal(t, 10, days)\n\tdays = user1.InactivityDays(time.Now().Add(-10*24*time.Hour + 5*time.Second))\n\tassert.Equal(t, -9, days)\n\n\terr = executeUserInactivityCheckRuleAction(dataprovider.EventActionUserInactivity{\n\t\tDisableThreshold: 10,\n\t}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: \"not matching\",\n\t\t\t},\n\t\t},\n\t}, &EventParams{}, time.Now().Add(12*24*time.Hour))\n\tassert.NoError(t, err)\n\n\terr = executeUserInactivityCheckRuleAction(dataprovider.EventActionUserInactivity{\n\t\tDisableThreshold: 10,\n\t}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: user1.Username,\n\t\t\t},\n\t\t},\n\t}, &EventParams{}, time.Now())\n\tassert.NoError(t, err) // no action\n\n\terr = executeUserInactivityCheckRuleAction(dataprovider.EventActionUserInactivity{\n\t\tDisableThreshold: 10,\n\t}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: user1.Username,\n\t\t\t},\n\t\t},\n\t}, &EventParams{}, time.Now().Add(-12*24*time.Hour))\n\tassert.NoError(t, err) // no action\n\n\terr = executeUserInactivityCheckRuleAction(dataprovider.EventActionUserInactivity{\n\t\tDisableThreshold: 10,\n\t\tDeleteThreshold: 20,\n\t}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: user1.Username,\n\t\t\t},\n\t\t},\n\t}, &EventParams{}, time.Now().Add(30*24*time.Hour))\n\t// both thresholds exceeded, the user will be disabled\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"executed inactivity check actions for users\")\n\t}\n\tuser1, err = dataprovider.UserExists(username1, \"\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, user1.Status)\n\n\terr = executeUserInactivityCheckRuleAction(dataprovider.EventActionUserInactivity{\n\t\tDisableThreshold: 10,\n\t}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: user1.Username,\n\t\t\t},\n\t\t},\n\t}, &EventParams{}, time.Now().Add(30*24*time.Hour))\n\tassert.NoError(t, err) // already disabled, no action\n\n\terr = executeUserInactivityCheckRuleAction(dataprovider.EventActionUserInactivity{\n\t\tDisableThreshold: 10,\n\t\tDeleteThreshold: 20,\n\t}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: user1.Username,\n\t\t\t},\n\t\t},\n\t}, &EventParams{}, time.Now().Add(-30*24*time.Hour))\n\tassert.NoError(t, err)\n\terr = executeUserInactivityCheckRuleAction(dataprovider.EventActionUserInactivity{\n\t\tDisableThreshold: 10,\n\t\tDeleteThreshold: 20,\n\t}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: user1.Username,\n\t\t\t},\n\t\t},\n\t}, &EventParams{}, time.Now())\n\tassert.NoError(t, err)\n\tuser1, err = dataprovider.UserExists(username1, \"\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, user1.Status)\n\n\terr = executeUserInactivityCheckRuleAction(dataprovider.EventActionUserInactivity{\n\t\tDisableThreshold: 10,\n\t\tDeleteThreshold: 20,\n\t}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: user1.Username,\n\t\t\t},\n\t\t},\n\t}, &EventParams{}, time.Now().Add(30*24*time.Hour)) // the user is disabled, will be now deleted\n\tassert.Error(t, err)\n\t_, err = dataprovider.UserExists(username1, \"\")\n\tassert.ErrorIs(t, err, util.ErrNotFound)\n\n\terr = executeUserInactivityCheckRuleAction(dataprovider.EventActionUserInactivity{\n\t\tDeleteThreshold: 20,\n\t}, dataprovider.ConditionOptions{\n\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: user2.Username,\n\t\t\t},\n\t\t},\n\t}, &EventParams{}, time.Now().Add(30*24*time.Hour)) // no disable threshold, user deleted\n\tassert.Error(t, err)\n\t_, err = dataprovider.UserExists(username2, \"\")\n\tassert.ErrorIs(t, err, util.ErrNotFound)\n\n\terr = dataprovider.DeleteUser(username1, \"\", \"\", \"\")\n\tassert.Error(t, err)\n\terr = dataprovider.DeleteUser(username2, \"\", \"\", \"\")\n\tassert.Error(t, err)\n}\n" }, { "path": "internal/common/eventscheduler.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"time\"\n\n\t\"github.com/robfig/cron/v3\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nvar (\n\teventScheduler *cron.Cron\n)\n\nfunc stopEventScheduler() {\n\tif eventScheduler != nil {\n\t\teventScheduler.Stop()\n\t\teventScheduler = nil\n\t}\n}\n\nfunc startEventScheduler() {\n\tstopEventScheduler()\n\n\toptions := []cron.Option{\n\t\tcron.WithLogger(cron.DiscardLogger),\n\t}\n\tif !dataprovider.UseLocalTime() {\n\t\teventManagerLog(logger.LevelDebug, \"use UTC time for the scheduler\")\n\t\toptions = append(options, cron.WithLocation(time.UTC))\n\t}\n\n\teventScheduler = cron.New(options...)\n\teventManager.loadRules()\n\t_, err := eventScheduler.AddFunc(\"@every 10m\", eventManager.loadRules)\n\tutil.PanicOnError(err)\n\teventScheduler.Start()\n}\n" }, { "path": "internal/common/httpauth.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"encoding/csv\"\n\t\"os\"\n\t\"strings\"\n\t\"sync\"\n\n\t\"github.com/GehirnInc/crypt/apr1_crypt\"\n\t\"github.com/GehirnInc/crypt/md5_crypt\"\n\t\"golang.org/x/crypto/bcrypt\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nconst (\n\t// HTTPAuthenticationHeader defines the HTTP authentication\n\tHTTPAuthenticationHeader = \"WWW-Authenticate\"\n\tmd5CryptPwdPrefix = \"$1$\"\n\tapr1CryptPwdPrefix = \"$apr1$\"\n)\n\nvar (\n\tbcryptPwdPrefixes = []string{\"$2a$\", \"$2$\", \"$2x$\", \"$2y$\", \"$2b$\"}\n)\n\n// HTTPAuthProvider defines the interface for HTTP auth providers\ntype HTTPAuthProvider interface {\n\tValidateCredentials(username, password string) bool\n\tIsEnabled() bool\n}\n\ntype basicAuthProvider struct {\n\tPath string\n\tsync.RWMutex\n\tInfo os.FileInfo\n\tUsers map[string]string\n}\n\n// NewBasicAuthProvider returns an HTTPAuthProvider implementing Basic Auth\nfunc NewBasicAuthProvider(authUserFile string) (HTTPAuthProvider, error) {\n\tbasicAuthProvider := basicAuthProvider{\n\t\tPath: authUserFile,\n\t\tInfo: nil,\n\t\tUsers: make(map[string]string),\n\t}\n\treturn &basicAuthProvider, basicAuthProvider.loadUsers()\n}\n\nfunc (p *basicAuthProvider) IsEnabled() bool {\n\treturn p.Path != \"\"\n}\n\nfunc (p *basicAuthProvider) isReloadNeeded(info os.FileInfo) bool {\n\tp.RLock()\n\tdefer p.RUnlock()\n\n\treturn p.Info == nil || p.Info.ModTime() != info.ModTime() || p.Info.Size() != info.Size()\n}\n\nfunc (p *basicAuthProvider) loadUsers() error {\n\tif !p.IsEnabled() {\n\t\treturn nil\n\t}\n\tinfo, err := os.Stat(p.Path)\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"unable to stat basic auth users file: %v\", err)\n\t\treturn err\n\t}\n\tif p.isReloadNeeded(info) {\n\t\tr, err := os.Open(p.Path)\n\t\tif err != nil {\n\t\t\tlogger.Debug(logSender, \"\", \"unable to open basic auth users file: %v\", err)\n\t\t\treturn err\n\t\t}\n\t\tdefer r.Close()\n\t\treader := csv.NewReader(r)\n\t\treader.Comma = ':'\n\t\treader.Comment = '#'\n\t\treader.TrimLeadingSpace = true\n\t\trecords, err := reader.ReadAll()\n\t\tif err != nil {\n\t\t\tlogger.Debug(logSender, \"\", \"unable to parse basic auth users file: %v\", err)\n\t\t\treturn err\n\t\t}\n\t\tp.Lock()\n\t\tdefer p.Unlock()\n\n\t\tp.Users = make(map[string]string)\n\t\tfor _, record := range records {\n\t\t\tif len(record) == 2 {\n\t\t\t\tp.Users[record[0]] = record[1]\n\t\t\t}\n\t\t}\n\t\tlogger.Debug(logSender, \"\", \"number of users loaded for httpd basic auth: %v\", len(p.Users))\n\t\tp.Info = info\n\t}\n\treturn nil\n}\n\nfunc (p *basicAuthProvider) getHashedPassword(username string) (string, bool) {\n\terr := p.loadUsers()\n\tif err != nil {\n\t\treturn \"\", false\n\t}\n\tp.RLock()\n\tdefer p.RUnlock()\n\n\tpwd, ok := p.Users[username]\n\treturn pwd, ok\n}\n\n// ValidateCredentials returns true if the credentials are valid\nfunc (p *basicAuthProvider) ValidateCredentials(username, password string) bool {\n\tif hashedPwd, ok := p.getHashedPassword(username); ok {\n\t\tif util.IsStringPrefixInSlice(hashedPwd, bcryptPwdPrefixes) {\n\t\t\terr := bcrypt.CompareHashAndPassword([]byte(hashedPwd), []byte(password))\n\t\t\treturn err == nil\n\t\t}\n\t\tif strings.HasPrefix(hashedPwd, md5CryptPwdPrefix) {\n\t\t\tcrypter := md5_crypt.New()\n\t\t\terr := crypter.Verify(hashedPwd, []byte(password))\n\t\t\treturn err == nil\n\t\t}\n\t\tif strings.HasPrefix(hashedPwd, apr1CryptPwdPrefix) {\n\t\t\tcrypter := apr1_crypt.New()\n\t\t\terr := crypter.Verify(hashedPwd, []byte(password))\n\t\t\treturn err == nil\n\t\t}\n\t}\n\n\treturn false\n}\n" }, { "path": "internal/common/httpauth_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"os\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/require\"\n)\n\nfunc TestBasicAuth(t *testing.T) {\n\thttpAuth, err := NewBasicAuthProvider(\"\")\n\trequire.NoError(t, err)\n\trequire.False(t, httpAuth.IsEnabled())\n\n\t_, err = NewBasicAuthProvider(\"missing path\")\n\trequire.Error(t, err)\n\n\tauthUserFile := filepath.Join(os.TempDir(), \"http_users.txt\")\n\tauthUserData := []byte(\"test1:$2y$05$bcHSED7aO1cfLto6ZdDBOOKzlwftslVhtpIkRhAtSa4GuLmk5mola\\n\")\n\terr = os.WriteFile(authUserFile, authUserData, os.ModePerm)\n\trequire.NoError(t, err)\n\n\thttpAuth, err = NewBasicAuthProvider(authUserFile)\n\trequire.NoError(t, err)\n\trequire.True(t, httpAuth.IsEnabled())\n\trequire.False(t, httpAuth.ValidateCredentials(\"test1\", \"wrong1\"))\n\trequire.False(t, httpAuth.ValidateCredentials(\"test2\", \"password2\"))\n\trequire.True(t, httpAuth.ValidateCredentials(\"test1\", \"password1\"))\n\n\tauthUserData = append(authUserData, []byte(\"test2:$1$OtSSTL8b$bmaCqEksI1e7rnZSjsIDR1\\n\")...)\n\terr = os.WriteFile(authUserFile, authUserData, os.ModePerm)\n\trequire.NoError(t, err)\n\trequire.False(t, httpAuth.ValidateCredentials(\"test2\", \"wrong2\"))\n\trequire.True(t, httpAuth.ValidateCredentials(\"test2\", \"password2\"))\n\n\tauthUserData = append(authUserData, []byte(\"test2:$apr1$gLnIkRIf$Xr/6aJfmIrihP4b2N2tcs/\\n\")...)\n\terr = os.WriteFile(authUserFile, authUserData, os.ModePerm)\n\trequire.NoError(t, err)\n\trequire.False(t, httpAuth.ValidateCredentials(\"test2\", \"wrong2\"))\n\trequire.True(t, httpAuth.ValidateCredentials(\"test2\", \"password2\"))\n\n\tauthUserData = append(authUserData, []byte(\"test3:$apr1$gLnIkRIf$Xr/6aJfmIrihP4b2N2tcs/\\n\")...)\n\terr = os.WriteFile(authUserFile, authUserData, os.ModePerm)\n\trequire.NoError(t, err)\n\trequire.False(t, httpAuth.ValidateCredentials(\"test3\", \"password3\"))\n\n\tauthUserData = append(authUserData, []byte(\"test4:$invalid$gLnIkRIf$Xr/6$aJfmIr$ihP4b2N2tcs/\\n\")...)\n\terr = os.WriteFile(authUserFile, authUserData, os.ModePerm)\n\trequire.NoError(t, err)\n\trequire.False(t, httpAuth.ValidateCredentials(\"test4\", \"password3\"))\n\n\tif runtime.GOOS != \"windows\" {\n\t\tauthUserData = append(authUserData, []byte(\"test5:$apr1$gLnIkRIf$Xr/6aJfmIrihP4b2N2tcs/\\n\")...)\n\t\terr = os.WriteFile(authUserFile, authUserData, os.ModePerm)\n\t\trequire.NoError(t, err)\n\t\terr = os.Chmod(authUserFile, 0001)\n\t\trequire.NoError(t, err)\n\t\trequire.False(t, httpAuth.ValidateCredentials(\"test5\", \"password2\"))\n\t\terr = os.Chmod(authUserFile, os.ModePerm)\n\t\trequire.NoError(t, err)\n\t}\n\tauthUserData = append(authUserData, []byte(\"\\\"foo\\\"bar\\\"\\r\\n\")...)\n\terr = os.WriteFile(authUserFile, authUserData, os.ModePerm)\n\trequire.NoError(t, err)\n\trequire.False(t, httpAuth.ValidateCredentials(\"test2\", \"password2\"))\n\n\terr = os.Remove(authUserFile)\n\trequire.NoError(t, err)\n}\n" }, { "path": "internal/common/protocol_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common_test\n\nimport (\n\t\"bufio\"\n\t\"bytes\"\n\t\"crypto/rand\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"io/fs\"\n\t\"math\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"slices\"\n\t\"strings\"\n\t\"sync\"\n\t\"testing\"\n\t\"time\"\n\n\t_ \"github.com/go-sql-driver/mysql\"\n\t_ \"github.com/jackc/pgx/v5/stdlib\"\n\t_ \"github.com/mattn/go-sqlite3\"\n\t\"github.com/mhale/smtpd\"\n\t\"github.com/minio/sio\"\n\t\"github.com/pkg/sftp\"\n\t\"github.com/pquerna/otp\"\n\t\"github.com/pquerna/otp/totp\"\n\t\"github.com/rs/xid\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/sftpgo/sdk\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\t\"github.com/studio-b12/gowebdav\"\n\t\"golang.org/x/crypto/ssh\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/config\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpclient\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpdtest\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/mfa\"\n\t\"github.com/drakkan/sftpgo/v2/internal/sftpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/smtp\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n\t\"github.com/drakkan/sftpgo/v2/internal/webdavd\"\n)\n\nconst (\n\thttpAddr = \"127.0.0.1:9999\"\n\thttpProxyAddr = \"127.0.0.1:7777\"\n\tsftpServerAddr = \"127.0.0.1:4022\"\n\tsmtpServerAddr = \"127.0.0.1:2525\"\n\twebDavServerPort = 9191\n\thttpFsPort = 34567\n\tdefaultUsername = \"test_common_sftp\"\n\tdefaultPassword = \"test_password\"\n\tdefaultSFTPUsername = \"test_common_sftpfs_user\"\n\tdefaultHTTPFsUsername = \"httpfs_ftp_user\"\n\thttpFsWellKnowDir = \"/wellknow\"\n\tosWindows = \"windows\"\n\ttestFileName = \"test_file_common_sftp.dat\"\n\ttestDir = \"test_dir_common\"\n\ttestPubKey = \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC03jj0D+djk7pxIf/0OhrxrchJTRZklofJ1NoIu4752Sq02mdXmarMVsqJ1cAjV5LBVy3D1F5U6XW4rppkXeVtd04Pxb09ehtH0pRRPaoHHlALiJt8CoMpbKYMA8b3KXPPriGxgGomvtU2T2RMURSwOZbMtpsugfjYSWenyYX+VORYhylWnSXL961LTyC21ehd6d6QnW9G7E5hYMITMY9TuQZz3bROYzXiTsgN0+g6Hn7exFQp50p45StUMfV/SftCMdCxlxuyGny2CrN/vfjO7xxOo2uv7q1qm10Q46KPWJQv+pgZ/OfL+EDjy07n5QVSKHlbx+2nT4Q0EgOSQaCTYwn3YjtABfIxWwgAFdyj6YlPulCL22qU4MYhDcA6PSBwDdf8hvxBfvsiHdM+JcSHvv8/VeJhk6CmnZxGY0fxBupov27z3yEO8nAg8k+6PaUiW1MSUfuGMF/ktB8LOstXsEPXSszuyXiOv4DaryOXUiSn7bmRqKcEFlJusO6aZP0= nicola@p1\"\n\ttestPrivateKey = `-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAYEAtN449A/nY5O6cSH/9Doa8a3ISU0WZJaHydTaCLuO+dkqtNpnV5mq\nzFbKidXAI1eSwVctw9ReVOl1uK6aZF3lbXdOD8W9PXobR9KUUT2qBx5QC4ibfAqDKWymDA\nPG9ylzz64hsYBqJr7VNk9kTFEUsDmWzLabLoH42Elnp8mF/lTkWIcpVp0ly/etS08gttXo\nXenekJ1vRuxOYWDCEzGPU7kGc920TmM14k7IDdPoOh5+3sRUKedKeOUrVDH1f0n7QjHQsZ\ncbshp8tgqzf734zu8cTqNrr+6taptdEOOij1iUL/qYGfzny/hA48tO5+UFUih5W8ftp0+E\nNBIDkkGgk2MJ92I7QAXyMVsIABXco+mJT7pQi9tqlODGIQ3AOj0gcA3X/Ib8QX77Ih3TPi\nXEh77/P1XiYZOgpp2cRmNH8QbqaL9u898hDvJwIPJPuj2lIltTElH7hjBf5LQfCzrLV7BD\n10rM7sl4jr+A2q8jl1Ikp+25kainBBZSbrDummT9AAAFgDU/VLk1P1S5AAAAB3NzaC1yc2\nEAAAGBALTeOPQP52OTunEh//Q6GvGtyElNFmSWh8nU2gi7jvnZKrTaZ1eZqsxWyonVwCNX\nksFXLcPUXlTpdbiummRd5W13Tg/FvT16G0fSlFE9qgceUAuIm3wKgylspgwDxvcpc8+uIb\nGAaia+1TZPZExRFLA5lsy2my6B+NhJZ6fJhf5U5FiHKVadJcv3rUtPILbV6F3p3pCdb0bs\nTmFgwhMxj1O5BnPdtE5jNeJOyA3T6Doeft7EVCnnSnjlK1Qx9X9J+0Ix0LGXG7IafLYKs3\n+9+M7vHE6ja6/urWqbXRDjoo9YlC/6mBn858v4QOPLTuflBVIoeVvH7adPhDQSA5JBoJNj\nCfdiO0AF8jFbCAAV3KPpiU+6UIvbapTgxiENwDo9IHAN1/yG/EF++yId0z4lxIe+/z9V4m\nGToKadnEZjR/EG6mi/bvPfIQ7ycCDyT7o9pSJbUxJR+4YwX+S0Hws6y1ewQ9dKzO7JeI6/\ngNqvI5dSJKftuZGopwQWUm6w7ppk/QAAAAMBAAEAAAGAHKnC+Nq0XtGAkIFE4N18e6SAwy\n0WSWaZqmCzFQM0S2AhJnweOIG/0ZZHjsRzKKauOTmppQk40dgVsejpytIek9R+aH172gxJ\n2n4Cx0UwduRU5x8FFQlNc/kl722B0JWfJuB/snOZXv6LJ4o5aObIkozt2w9tVFeAqjYn2S\n1UsNOfRHBXGsTYwpRDwFWP56nKo2d2wBBTHDhCy6fb2dLW1fvSi/YspueOGIlHpvlYKi2/\nCWqvs9xVrwcScMtiDoQYq0khhO0efLCxvg/o+W9CLMVM2ms4G1zoSUQKN0oYWWQJyW4+VI\nYneWO8UpN0J3ElXKi7bhgAat7dBaM1g9IrAzk153DiEFZNsPxGOgL/+YdQN7zUBx/z7EkI\njyv80RV7fpUXvcq2p+qNl6UVig3VSzRrnsaJkUWu/A0u59ha7ocv6NxDIXjxpIDJme16GF\nquiGVBQNnYJymS/vFEbGf6bgf7iRmMCRUMG4nqLA6fPYP9uAtch+CmDfVLZC/fIdC5AAAA\nwQCDissV4zH6bfqgxJSuYNk8Vbb+19cF3b7gH1rVlB3zxpCAgcRgMHC+dP1z2NRx7UW9MR\nnye6kjpkzZZ0OigLqo7TtEq8uTglD9o6W7mRXqhy5A/ySOmqPL3ernHHQhGuoNODYAHkOU\nu2Rh8HXi+VLwKZcLInPOYJvcuLG4DxN8WfeVvlMHwhAOaTNNOtL4XZDHQeIPc4qHmJymmv\nsV7GuyQ6yW5C10uoGdxRPd90Bh4z4h2bKfZFjvEBbSBVkqrlAAAADBAN/zNtNayd/dX7Cr\nNb4sZuzCh+CW4BH8GOePZWNCATwBbNXBVb5cR+dmuTqYm+Ekz0VxVQRA1TvKncluJOQpoa\nXj8r0xdIgqkehnfDPMKtYVor06B9Fl1jrXtXU0Vrr6QcBWruSVyK1ZxqcmcNK/+KolVepe\nA6vcl/iKaG4U7su166nxLST06M2EgcSVsFJHpKn5+WAXC+X0Gx8kNjWIIb3GpiChdc0xZD\nmq02xZthVJrTCVw/e7gfDoB2QRsNV8HwAAAMEAzsCghZVp+0YsYg9oOrw4tEqcbEXEMhwY\n0jW8JNL8Spr1Ibp5Dw6bRSk5azARjmJtnMJhJ3oeHfF0eoISqcNuQXGndGQbVM9YzzAzc1\nNbbCNsVroqKlChT5wyPNGS+phi2bPARBno7WSDvshTZ7dAVEP2c9MJW0XwoSevwKlhgSdt\nRLFFQ/5nclJSdzPBOmQouC0OBcMFSrYtMeknJ4VvueVvve5HcHFaEsaMc7ABAGaLYaBQOm\niixITGvaNZh/tjAAAACW5pY29sYUBwMQE=\n-----END OPENSSH PRIVATE KEY-----`\n)\n\nvar (\n\tconfigDir = filepath.Join(\".\", \"..\", \"..\")\n\tallPerms = []string{dataprovider.PermAny}\n\thomeBasePath string\n\tlogFilePath string\n\tbackupsPath string\n\ttestFileContent = []byte(\"test data\")\n\tlastReceivedEmail receivedEmail\n)\n\nfunc TestMain(m *testing.M) {\n\thomeBasePath = os.TempDir()\n\tlogFilePath = filepath.Join(configDir, \"common_test.log\")\n\tbackupsPath = filepath.Join(os.TempDir(), \"backups\")\n\tlogger.InitLogger(logFilePath, 5, 1, 28, false, false, zerolog.DebugLevel)\n\n\tos.Setenv(\"SFTPGO_DATA_PROVIDER__CREATE_DEFAULT_ADMIN\", \"1\")\n\tos.Setenv(\"SFTPGO_COMMON__ALLOW_SELF_CONNECTIONS\", \"1\")\n\tos.Setenv(\"SFTPGO_DEFAULT_ADMIN_USERNAME\", \"admin\")\n\tos.Setenv(\"SFTPGO_DEFAULT_ADMIN_PASSWORD\", \"password\")\n\terr := config.LoadConfig(configDir, \"\")\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error loading configuration: %v\", err)\n\t\tos.Exit(1)\n\t}\n\tproviderConf := config.GetProviderConf()\n\tproviderConf.BackupsPath = backupsPath\n\tlogger.InfoToConsole(\"Starting COMMON tests, provider: %v\", providerConf.Driver)\n\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error initializing data provider: %v\", err)\n\t\tos.Exit(1)\n\t}\n\n\terr = common.Initialize(config.GetCommonConfig(), 0)\n\tif err != nil {\n\t\tlogger.WarnToConsole(\"error initializing common: %v\", err)\n\t\tos.Exit(1)\n\t}\n\n\thttpConfig := config.GetHTTPConfig()\n\thttpConfig.Timeout = 5\n\thttpConfig.RetryMax = 0\n\thttpConfig.Initialize(configDir) //nolint:errcheck\n\tkmsConfig := config.GetKMSConfig()\n\terr = kmsConfig.Initialize()\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error initializing kms: %v\", err)\n\t\tos.Exit(1)\n\t}\n\tmfaConfig := config.GetMFAConfig()\n\terr = mfaConfig.Initialize()\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error initializing MFA: %v\", err)\n\t\tos.Exit(1)\n\t}\n\n\tsftpdConf := config.GetSFTPDConfig()\n\tsftpdConf.Bindings[0].Port = 4022\n\tsftpdConf.EnabledSSHCommands = []string{\"*\"}\n\tsftpdConf.Bindings = append(sftpdConf.Bindings, sftpd.Binding{\n\t\tPort: 4024,\n\t})\n\tsftpdConf.KeyboardInteractiveAuthentication = true\n\n\thttpdConf := config.GetHTTPDConfig()\n\thttpdConf.Bindings[0].Port = 4080\n\thttpdtest.SetBaseURL(\"http://127.0.0.1:4080\")\n\n\twebDavConf := config.GetWebDAVDConfig()\n\twebDavConf.Bindings = []webdavd.Binding{\n\t\t{\n\t\t\tPort: webDavServerPort,\n\t\t},\n\t}\n\n\tgo func() {\n\t\tif err := sftpdConf.Initialize(configDir); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start SFTP server: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}()\n\n\tgo func() {\n\t\tif err := httpdConf.Initialize(configDir, 0); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start HTTP server: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}()\n\n\tgo func() {\n\t\tif err := webDavConf.Initialize(configDir); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start WebDAV server: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}()\n\n\twaitTCPListening(sftpdConf.Bindings[0].GetAddress())\n\twaitTCPListening(httpdConf.Bindings[0].GetAddress())\n\twaitTCPListening(webDavConf.Bindings[0].GetAddress())\n\tstartHTTPFs()\n\n\tgo func() {\n\t\t// start a test HTTP server to receive action notifications\n\t\thttp.HandleFunc(\"/\", func(w http.ResponseWriter, _ *http.Request) {\n\t\t\tfmt.Fprintf(w, \"OK\\n\")\n\t\t})\n\t\thttp.HandleFunc(\"/404\", func(w http.ResponseWriter, _ *http.Request) {\n\t\t\tw.WriteHeader(http.StatusNotFound)\n\t\t\tfmt.Fprintf(w, \"Not found\\n\")\n\t\t})\n\t\thttp.HandleFunc(\"/multipart\", func(w http.ResponseWriter, r *http.Request) {\n\t\t\terr := r.ParseMultipartForm(1048576)\n\t\t\tif err != nil {\n\t\t\t\tw.WriteHeader(http.StatusInternalServerError)\n\t\t\t\tfmt.Fprintf(w, \"KO\\n\")\n\t\t\t\treturn\n\t\t\t}\n\t\t\tdefer r.MultipartForm.RemoveAll() //nolint:errcheck\n\t\t\tfmt.Fprintf(w, \"OK\\n\")\n\t\t})\n\t\tif err := http.ListenAndServe(httpAddr, nil); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start HTTP notification server: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}()\n\n\tgo func() {\n\t\tcommon.Config.ProxyProtocol = 2\n\t\tlistener, err := net.Listen(\"tcp\", httpProxyAddr)\n\t\tif err != nil {\n\t\t\tlogger.ErrorToConsole(\"error creating listener for proxy protocol server: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t\tproxyListener, err := common.Config.GetProxyListener(listener)\n\t\tif err != nil {\n\t\t\tlogger.ErrorToConsole(\"error creating proxy protocol listener: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t\tcommon.Config.ProxyProtocol = 0\n\n\t\ts := &http.Server{}\n\t\tif err := s.Serve(proxyListener); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start HTTP proxy protocol server: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}()\n\n\tgo func() {\n\t\tif err := smtpd.ListenAndServe(smtpServerAddr, func(_ net.Addr, from string, to []string, data []byte) error {\n\t\t\tlastReceivedEmail.set(from, to, data)\n\t\t\treturn nil\n\t\t}, \"SFTPGo test\", \"localhost\"); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start SMTP server: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}()\n\n\twaitTCPListening(httpAddr)\n\twaitTCPListening(httpProxyAddr)\n\twaitTCPListening(smtpServerAddr)\n\n\texitCode := m.Run()\n\tos.Remove(logFilePath)\n\tos.RemoveAll(backupsPath)\n\tos.Exit(exitCode)\n}\n\nfunc TestBaseConnection(t *testing.T) {\n\tu := getTestUser()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t\t_, err = client.ReadDir(testDir)\n\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t\terr = client.RemoveDirectory(testDir)\n\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t\terr = client.Mkdir(testDir)\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(testDir)\n\t\tassert.Error(t, err)\n\t\tinfo, err := client.Stat(testDir)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.True(t, info.IsDir())\n\t\t}\n\t\terr = client.Rename(testDir, testDir)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"the rename source and target cannot be the same\")\n\t\t}\n\t\terr = client.Rename(testDir, path.Join(testDir, \"sub\"))\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_OP_UNSUPPORTED\")\n\t\t}\n\t\terr = client.RemoveDirectory(testDir)\n\t\tassert.NoError(t, err)\n\t\terr = client.Remove(testFileName)\n\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t\tf, err := client.Create(testFileName)\n\t\tassert.NoError(t, err)\n\t\t_, err = f.Write(testFileContent)\n\t\tassert.NoError(t, err)\n\t\terr = f.Close()\n\t\tassert.NoError(t, err)\n\t\tlinkName := testFileName + \".link\" //nolint:goconst\n\t\terr = client.Rename(testFileName, testFileName)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"the rename source and target cannot be the same\")\n\t\t}\n\t\terr = client.Symlink(testFileName, linkName)\n\t\tassert.NoError(t, err)\n\t\terr = client.Symlink(testFileName, testFileName)\n\t\tassert.Error(t, err)\n\t\tinfo, err = client.Stat(testFileName)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, int64(len(testFileContent)), info.Size())\n\t\t\tassert.False(t, info.IsDir())\n\t\t}\n\t\tinfo, err = client.Lstat(linkName)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.NotEqual(t, int64(7), info.Size())\n\t\t\tassert.True(t, info.Mode()&os.ModeSymlink != 0)\n\t\t\tassert.False(t, info.IsDir())\n\t\t}\n\t\terr = client.RemoveDirectory(linkName)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_FAILURE\")\n\t\t}\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t\terr = client.Remove(linkName)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(testFileName, \"test\")\n\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t\tf, err = client.Create(testFileName)\n\t\tassert.NoError(t, err)\n\t\terr = f.Close()\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(testFileName, testFileName+\"1\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Remove(testFileName + \"1\")\n\t\tassert.NoError(t, err)\n\t\terr = client.RemoveDirectory(\"missing\")\n\t\tassert.Error(t, err)\n\t} else {\n\t\tprintLatestLogs(10)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestRemoveAll(t *testing.T) {\n\tu := getTestUser()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\twebDavClient := getWebDavClient(user)\n\terr = webDavClient.RemoveAll(\"/\")\n\tif assert.Error(t, err) {\n\t\tassert.True(t, gowebdav.IsErrCode(err, http.StatusForbidden))\n\t}\n\n\ttestDir := \"baseDir\"\n\terr = webDavClient.RemoveAll(testDir)\n\tassert.NoError(t, err)\n\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr = client.Mkdir(testDir)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(testDir, testFileName), 1234, client)\n\t\tassert.NoError(t, err)\n\n\t\terr = webDavClient.RemoveAll(path.Join(testDir, testFileName))\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Stat(path.Join(testDir, testFileName))\n\t\tassert.Error(t, err)\n\n\t\terr = writeSFTPFile(path.Join(testDir, testFileName), 1234, client)\n\t\tassert.NoError(t, err)\n\t\terr = webDavClient.RemoveAll(testDir)\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Stat(testDir)\n\t\tassert.Error(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestRelativeSymlinks(t *testing.T) {\n\tu := getTestUser()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tlinkName := testFileName + \"_link\" //nolint:goconst\n\t\terr = client.Symlink(\"non-existent-file\", linkName)\n\t\tassert.NoError(t, err)\n\t\terr = client.Remove(linkName)\n\t\tassert.NoError(t, err)\n\t\ttestDir := \"sub\"\n\t\terr = client.Mkdir(testDir)\n\t\tassert.NoError(t, err)\n\t\tf, err := client.Create(path.Join(testDir, testFileName))\n\t\tassert.NoError(t, err)\n\t\t_, err = f.Write(testFileContent)\n\t\tassert.NoError(t, err)\n\t\terr = f.Close()\n\t\tassert.NoError(t, err)\n\t\terr = client.Symlink(path.Join(testDir, testFileName), linkName)\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Stat(linkName)\n\t\tassert.NoError(t, err)\n\t\tp, err := client.ReadLink(linkName)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, path.Join(\"/\", testDir, testFileName), p)\n\t\terr = client.Remove(linkName)\n\t\tassert.NoError(t, err)\n\n\t\terr = client.Symlink(testFileName, path.Join(testDir, linkName))\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Stat(path.Join(testDir, linkName))\n\t\tassert.NoError(t, err)\n\t\tp, err = client.ReadLink(path.Join(testDir, linkName))\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, path.Join(\"/\", testDir, testFileName), p)\n\n\t\tf, err = client.Create(testFileName)\n\t\tassert.NoError(t, err)\n\t\t_, err = f.Write(testFileContent)\n\t\tassert.NoError(t, err)\n\t\terr = f.Close()\n\t\tassert.NoError(t, err)\n\n\t\terr = client.Symlink(testFileName, linkName)\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Stat(linkName)\n\t\tassert.NoError(t, err)\n\t\tp, err = client.ReadLink(linkName)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, path.Join(\"/\", testFileName), p)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestCheckFsAfterUpdate(t *testing.T) {\n\tu := getTestUser()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t}\n\t// remove the home dir, it will not be re-created\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = checkBasicSFTP(client)\n\t\tassert.Error(t, err)\n\t} else {\n\t\tprintLatestLogs(10)\n\t}\n\t// update the user and login again, this time the home dir will be created\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginAccessTime(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.AccessTime = []sdk.TimePeriod{\n\t\t{\n\t\t\tDayOfWeek: int(time.Now().Add(-25 * time.Hour).UTC().Weekday()),\n\t\t\tFrom: \"00:00\",\n\t\t\tTo: \"23:59\",\n\t\t},\n\t}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\t_, _, err = getSftpClient(user)\n\tassert.Error(t, err)\n\n\tuser.Filters.AccessTime = []sdk.TimePeriod{\n\t\t{\n\t\t\tDayOfWeek: int(time.Now().UTC().Weekday()),\n\t\t\tFrom: \"00:00\",\n\t\t\tTo: \"23:59\",\n\t\t},\n\t}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr := checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSetStat(t *testing.T) {\n\tu := getTestUser()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tf, err := client.Create(testFileName)\n\t\tassert.NoError(t, err)\n\t\t_, err = f.Write(testFileContent)\n\t\tassert.NoError(t, err)\n\t\terr = f.Close()\n\t\tassert.NoError(t, err)\n\t\tacmodTime := time.Now().Add(36 * time.Hour)\n\t\terr = client.Chtimes(testFileName, acmodTime, acmodTime)\n\t\tassert.NoError(t, err)\n\t\tnewFi, err := client.Lstat(testFileName)\n\t\tassert.NoError(t, err)\n\t\tdiff := math.Abs(newFi.ModTime().Sub(acmodTime).Seconds())\n\t\tassert.LessOrEqual(t, diff, float64(1))\n\t\tif runtime.GOOS != osWindows {\n\t\t\terr = client.Chown(testFileName, os.Getuid(), os.Getgid())\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t\tnewPerm := os.FileMode(0666)\n\t\terr = client.Chmod(testFileName, newPerm)\n\t\tassert.NoError(t, err)\n\t\tnewFi, err = client.Lstat(testFileName)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, newPerm, newFi.Mode().Perm())\n\t\t}\n\t\terr = client.Truncate(testFileName, 2)\n\t\tassert.NoError(t, err)\n\t\tinfo, err := client.Stat(testFileName)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, int64(2), info.Size())\n\t\t}\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\n\t\terr = client.Truncate(testFileName, 0)\n\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t\terr = client.Chtimes(testFileName, acmodTime, acmodTime)\n\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t\tif runtime.GOOS != osWindows {\n\t\t\terr = client.Chown(testFileName, os.Getuid(), os.Getgid())\n\t\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t\t}\n\t\terr = client.Chmod(testFileName, newPerm)\n\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestCryptFsUserUploadErrorOverwrite(t *testing.T) {\n\tu := getCryptFsUser()\n\tu.QuotaSize = 6000\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tvar buf []byte\n\tfor i := 0; i < 4000; i++ {\n\t\tbuf = append(buf, []byte(\"a\")...)\n\t}\n\tbufSize := int64(len(buf))\n\treader := bytes.NewReader(buf)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tf, err := client.Create(testFileName + \"_big\")\n\t\tassert.NoError(t, err)\n\t\tn, err := io.Copy(f, reader)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, bufSize, n)\n\t\terr = f.Close()\n\t\tassert.NoError(t, err)\n\t\tencryptedSize, err := getEncryptedFileSize(bufSize)\n\t\tassert.NoError(t, err)\n\t\texpectedSize := encryptedSize\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, expectedSize, user.UsedQuotaSize)\n\t\t// now write a small file\n\t\tf, err = client.Create(testFileName)\n\t\tassert.NoError(t, err)\n\t\t_, err = f.Write(testFileContent)\n\t\tassert.NoError(t, err)\n\t\terr = f.Close()\n\t\tassert.NoError(t, err)\n\t\tencryptedSize, err = getEncryptedFileSize(int64(len(testFileContent)))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\t\tassert.Equal(t, expectedSize+encryptedSize, user.UsedQuotaSize)\n\t\t// try to overwrite this file with a big one, this cause an overquota error\n\t\t// the partial file is deleted and the quota updated\n\t\t_, err = reader.Seek(0, io.SeekStart)\n\t\tassert.NoError(t, err)\n\t\tf, err = client.Create(testFileName)\n\t\tassert.NoError(t, err)\n\t\t_, err = io.Copy(f, reader)\n\t\tassert.Error(t, err)\n\t\terr = f.Close()\n\t\tassert.Error(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, expectedSize, user.UsedQuotaSize)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestChtimesOpenHandle(t *testing.T) {\n\tlocalUser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tsftpUser, _, err := httpdtest.AddUser(getTestSFTPUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tu := getCryptFsUser()\n\tcryptFsUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tfor _, user := range []dataprovider.User{localUser, sftpUser, cryptFsUser} {\n\t\tconn, client, err := getSftpClient(user)\n\t\tif assert.NoError(t, err) {\n\t\t\tdefer conn.Close()\n\t\t\tdefer client.Close()\n\n\t\t\tf, err := client.Create(testFileName)\n\t\t\tassert.NoError(t, err, \"user %v\", user.Username)\n\t\t\tf1, err := client.Create(testFileName + \"1\")\n\t\t\tassert.NoError(t, err, \"user %v\", user.Username)\n\t\t\tacmodTime := time.Now().Add(36 * time.Hour)\n\t\t\terr = client.Chtimes(testFileName, acmodTime, acmodTime)\n\t\t\tassert.NoError(t, err, \"user %v\", user.Username)\n\t\t\t_, err = f.Write(testFileContent)\n\t\t\tassert.NoError(t, err, \"user %v\", user.Username)\n\t\t\terr = f.Close()\n\t\t\tassert.NoError(t, err, \"user %v\", user.Username)\n\t\t\terr = f1.Close()\n\t\t\tassert.NoError(t, err, \"user %v\", user.Username)\n\t\t\tinfo, err := client.Lstat(testFileName)\n\t\t\tassert.NoError(t, err, \"user %v\", user.Username)\n\t\t\tdiff := math.Abs(info.ModTime().Sub(acmodTime).Seconds())\n\t\t\tassert.LessOrEqual(t, diff, float64(1), \"user %v\", user.Username)\n\t\t\tinfo1, err := client.Lstat(testFileName + \"1\")\n\t\t\tassert.NoError(t, err, \"user %v\", user.Username)\n\t\t\tdiff = math.Abs(info1.ModTime().Sub(acmodTime).Seconds())\n\t\t\tassert.Greater(t, diff, float64(86400), \"user %v\", user.Username)\n\t\t}\n\t}\n\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(cryptFsUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(cryptFsUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestWaitForConnections(t *testing.T) {\n\tu := getTestUser()\n\tu.UploadBandwidth = 128\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ttestFileSize := int64(524288)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr = common.CheckClosing()\n\t\tassert.NoError(t, err)\n\n\t\tvar wg sync.WaitGroup\n\t\twg.Add(1)\n\t\tgo func() {\n\t\t\tdefer wg.Done()\n\n\t\t\ttime.Sleep(1 * time.Second)\n\t\t\tcommon.WaitForTransfers(10)\n\t\t\tcommon.WaitForTransfers(0)\n\t\t\tcommon.WaitForTransfers(10)\n\t\t}()\n\n\t\terr = writeSFTPFileNoCheck(testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\twg.Wait()\n\n\t\terr = common.CheckClosing()\n\t\tassert.EqualError(t, err, common.ErrShuttingDown.Error())\n\n\t\t_, err = client.Stat(testFileName)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), common.ErrShuttingDown.Error())\n\t\t}\n\t}\n\n\t_, _, err = getSftpClient(user)\n\tassert.Error(t, err)\n\n\terr = common.Initialize(common.Config, 0)\n\tassert.NoError(t, err)\n\n\tconn, client, err = getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tinfo, err := client.Stat(testFileName)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, testFileSize, info.Size())\n\t\t}\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\n\t\tvar wg sync.WaitGroup\n\t\twg.Add(1)\n\t\tgo func() {\n\t\t\tdefer wg.Done()\n\n\t\t\ttime.Sleep(1 * time.Second)\n\t\t\tcommon.WaitForTransfers(1)\n\t\t}()\n\n\t\terr = writeSFTPFileNoCheck(testFileName, testFileSize, client)\n\t\t// we don't have an error here because the service won't really stop\n\t\tassert.NoError(t, err)\n\t\twg.Wait()\n\t}\n\n\terr = common.Initialize(common.Config, 0)\n\tassert.NoError(t, err)\n\n\tcommon.WaitForTransfers(1)\n\n\terr = common.Initialize(common.Config, 0)\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestCheckParentDirs(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ttestDir := \"/path/to/sub/dir\"\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\t_, err = client.Stat(testDir)\n\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t\tc := common.NewBaseConnection(xid.New().String(), common.ProtocolSFTP, \"\", \"\", user)\n\t\terr = c.CheckParentDirs(testDir)\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Stat(testDir)\n\t\tassert.NoError(t, err)\n\t\terr = c.CheckParentDirs(testDir)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tu := getTestUser()\n\tu.Permissions[\"/\"] = []string{dataprovider.PermUpload, dataprovider.PermListItems, dataprovider.PermDownload}\n\tuser, _, err = httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tc := common.NewBaseConnection(xid.New().String(), common.ProtocolSFTP, \"\", \"\", user)\n\t\terr = c.CheckParentDirs(testDir)\n\t\tassert.ErrorIs(t, err, sftp.ErrSSHFxPermissionDenied)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestPermissionErrors(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tu := getTestSFTPUser()\n\tsubDir := \"/sub\"\n\tu.Permissions[subDir] = nil\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = client.MkdirAll(path.Join(subDir, subDir))\n\t\tassert.NoError(t, err)\n\t\tf, err := client.Create(path.Join(subDir, subDir, testFileName))\n\t\tif assert.NoError(t, err) {\n\t\t\t_, err = f.Write(testFileContent)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = f.Close()\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t}\n\tconn, client, err = getSftpClient(sftpUser)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t\t_, err = client.ReadDir(subDir)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Mkdir(path.Join(subDir, subDir))\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.RemoveDirectory(path.Join(subDir, subDir))\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Symlink(\"test\", path.Join(subDir, subDir))\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Chmod(path.Join(subDir, subDir), os.ModePerm)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Chown(path.Join(subDir, subDir), os.Getuid(), os.Getgid())\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Chtimes(path.Join(subDir, subDir), time.Now(), time.Now())\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Truncate(path.Join(subDir, subDir), 0)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Remove(path.Join(subDir, subDir, testFileName))\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestHiddenPatternFilter(t *testing.T) {\n\tdeniedDir := \"/denied_hidden\"\n\tu := getTestUser()\n\tu.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: deniedDir,\n\t\t\tDeniedPatterns: []string{\"*.txt\", \"beta*\"},\n\t\t\tDenyPolicy: sdk.DenyPolicyHide,\n\t\t},\n\t}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tdirName := \"beta\"\n\tsubDirName := \"testDir\"\n\ttestFile := filepath.Join(u.GetHomeDir(), deniedDir, \"file.txt\")\n\ttestFile1 := filepath.Join(u.GetHomeDir(), deniedDir, \"beta.txt\")\n\ttestHiddenFile := filepath.Join(u.GetHomeDir(), deniedDir, dirName, subDirName, \"hidden.jpg\")\n\terr = os.MkdirAll(filepath.Join(u.GetHomeDir(), deniedDir), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(testFile, testFileContent, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(testFile1, testFileContent, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(filepath.Join(u.GetHomeDir(), deniedDir, dirName, subDirName), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(testHiddenFile, testFileContent, os.ModePerm)\n\tassert.NoError(t, err)\n\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tfiles, err := client.ReadDir(deniedDir)\n\t\tassert.NoError(t, err)\n\t\tassert.Len(t, files, 0)\n\t\terr = client.Remove(path.Join(deniedDir, filepath.Base(testFile)))\n\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t\terr = client.Chtimes(path.Join(deniedDir, filepath.Base(testFile)), time.Now(), time.Now())\n\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t\t_, err = client.Stat(path.Join(deniedDir, filepath.Base(testFile1)))\n\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t\terr = client.RemoveDirectory(path.Join(deniedDir, dirName))\n\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t\terr = client.Rename(path.Join(deniedDir, dirName), path.Join(deniedDir, \"newname\"))\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Mkdir(path.Join(deniedDir, \"beta1\"))\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = writeSFTPFile(path.Join(deniedDir, \"afile.txt\"), 1024, client)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = writeSFTPFile(path.Join(deniedDir, dirName, subDirName, \"afile.jpg\"), 1024, client)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\t_, err = client.Open(path.Join(deniedDir, dirName, subDirName, filepath.Base(testHiddenFile)))\n\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t\terr = client.Symlink(path.Join(deniedDir, dirName), dirName)\n\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t\terr = writeSFTPFile(path.Join(deniedDir, testFileName), 1024, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Symlink(path.Join(deniedDir, testFileName), path.Join(deniedDir, \"symlink.txt\"))\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\tfiles, err = client.ReadDir(deniedDir)\n\t\tassert.NoError(t, err)\n\t\tassert.Len(t, files, 1)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\tu.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: deniedDir,\n\t\t\tDeniedPatterns: []string{\"*.txt\", \"beta*\"},\n\t\t\tDenyPolicy: sdk.DenyPolicyDefault,\n\t\t},\n\t}\n\tuser, _, err = httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tfiles, err := client.ReadDir(deniedDir)\n\t\tassert.NoError(t, err)\n\t\tassert.Len(t, files, 4)\n\t\t_, err = client.Stat(path.Join(deniedDir, filepath.Base(testFile)))\n\t\tassert.NoError(t, err)\n\t\terr = client.Chtimes(path.Join(deniedDir, filepath.Base(testFile)), time.Now(), time.Now())\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Mkdir(path.Join(deniedDir, \"beta2\"))\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = writeSFTPFile(path.Join(deniedDir, \"afile2.txt\"), 1024, client)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Symlink(path.Join(deniedDir, testFileName), path.Join(deniedDir, \"link.txt\"))\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = writeSFTPFile(path.Join(deniedDir, dirName, subDirName, \"afile.jpg\"), 1024, client)\n\t\tassert.NoError(t, err)\n\t\tf, err := client.Open(path.Join(deniedDir, dirName, subDirName, filepath.Base(testHiddenFile)))\n\t\tassert.NoError(t, err)\n\t\terr = f.Close()\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestHiddenRoot(t *testing.T) {\n\t// only the \"/ftp\" directory is allowed and visibile in the \"/\" path\n\t// within /ftp any file/directory is allowed and visibile\n\tu := getTestUser()\n\tu.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: \"/\",\n\t\t\tAllowedPatterns: []string{\"ftp\"},\n\t\t\tDenyPolicy: sdk.DenyPolicyHide,\n\t\t},\n\t\t{\n\t\t\tPath: \"/ftp\",\n\t\t\tAllowedPatterns: []string{\"*\"},\n\t\t},\n\t}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tfor i := 0; i < 10; i++ {\n\t\terr = os.MkdirAll(filepath.Join(user.HomeDir, fmt.Sprintf(\"ftp%d\", i)), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t}\n\terr = os.WriteFile(filepath.Join(user.HomeDir, testFileName), []byte(\"\"), 0666)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(filepath.Join(user.HomeDir, \"ftp.txt\"), []byte(\"\"), 0666)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr = client.Mkdir(\"ftp\")\n\t\tassert.NoError(t, err)\n\t\tentries, err := client.ReadDir(\"/\")\n\t\tassert.NoError(t, err)\n\t\tif assert.Len(t, entries, 1) {\n\t\t\tassert.Equal(t, \"ftp\", entries[0].Name())\n\t\t}\n\t\t_, err = client.Stat(\".\")\n\t\tassert.NoError(t, err)\n\t\tfor _, name := range []string{testFileName, \"ftp.txt\"} {\n\t\t\t_, err = client.Stat(name)\n\t\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t\t}\n\t\tfor i := 0; i < 10; i++ {\n\t\t\t_, err = client.Stat(fmt.Sprintf(\"ftp%d\", i))\n\t\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t\t}\n\t\terr = writeSFTPFile(testFileName, 4096, client)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = writeSFTPFile(\"ftp123\", 4096, client)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Rename(testFileName, testFileName+\"_rename\") //nolint:goconst\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = writeSFTPFile(path.Join(\"/ftp\", testFileName), 4096, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(\"/ftp/dir\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(path.Join(\"/ftp\", testFileName), path.Join(\"/ftp/dir\", testFileName))\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestFileNotAllowedErrors(t *testing.T) {\n\tdeniedDir := \"/denied\"\n\tu := getTestUser()\n\tu.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: deniedDir,\n\t\t\tDeniedPatterns: []string{\"*.txt\"},\n\t\t},\n\t}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFile := filepath.Join(u.GetHomeDir(), deniedDir, \"file.txt\")\n\t\terr = os.MkdirAll(filepath.Join(u.GetHomeDir(), deniedDir), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\terr = os.WriteFile(testFile, testFileContent, os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\terr = client.Remove(path.Join(deniedDir, \"file.txt\"))\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Rename(path.Join(deniedDir, \"file.txt\"), path.Join(deniedDir, \"file1.txt\"))\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestRootDirVirtualFolder(t *testing.T) {\n\tmappedPath1 := filepath.Join(os.TempDir(), \"mapped1\")\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: filepath.Base(mappedPath1),\n\t\tMappedPath: mappedPath1,\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.CryptedFilesystemProvider,\n\t\t\tCryptConfig: vfs.CryptFsConfig{\n\t\t\t\tPassphrase: kms.NewPlainSecret(\"cryptsecret\"),\n\t\t\t},\n\t\t},\n\t}\n\tmappedPath2 := filepath.Join(os.TempDir(), \"mapped2\")\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: filepath.Base(mappedPath2),\n\t\tMappedPath: mappedPath2,\n\t}\n\tfolder1, _, err := httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tfolder2, _, err := httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tu := getTestUser()\n\tu.QuotaFiles = 1000\n\tu.UploadDataTransfer = 1000\n\tu.DownloadDataTransfer = 5000\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folder1.Name,\n\t\t},\n\t\tVirtualPath: \"/\",\n\t\tQuotaFiles: 1000,\n\t})\n\tvdirPath2 := \"/vmapped\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folder2.Name,\n\t\t},\n\t\tVirtualPath: vdirPath2,\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf, err := user.GetVirtualFolderForPath(\"/\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"/\", f.VirtualPath)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t\tf, err := client.Create(testFileName)\n\t\tif assert.NoError(t, err) {\n\t\t\t_, err = f.Write(testFileContent)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = f.Close()\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t\tassert.NoFileExists(t, filepath.Join(user.HomeDir, testFileName))\n\t\tassert.FileExists(t, filepath.Join(mappedPath1, testFileName))\n\t\tentries, err := client.ReadDir(\".\")\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Len(t, entries, 2)\n\t\t}\n\n\t\tuser, _, err := httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 0, user.UsedQuotaFiles)\n\t\tfolder, _, err := httpdtest.GetFolderByName(folder1.Name, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, folder.UsedQuotaFiles)\n\n\t\tf, err = client.Create(path.Join(vdirPath2, testFileName))\n\t\tif assert.NoError(t, err) {\n\t\t\t_, err = f.Write(testFileContent)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = f.Close()\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\tfolder, _, err = httpdtest.GetFolderByName(folder1.Name, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, folder.UsedQuotaFiles)\n\n\t\terr = client.Rename(testFileName, path.Join(vdirPath2, testFileName+\"_rename\"))\n\t\tassert.Error(t, err)\n\t\terr = client.Rename(path.Join(vdirPath2, testFileName), testFileName+\"_rename\")\n\t\tassert.Error(t, err)\n\t\terr = client.Rename(testFileName, testFileName+\"_rename\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(path.Join(vdirPath2, testFileName), path.Join(vdirPath2, testFileName+\"_rename\"))\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folder1.Name}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath1)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folder2.Name}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath2)\n\tassert.NoError(t, err)\n}\n\nfunc TestTruncateQuotaLimits(t *testing.T) {\n\tmappedPath1 := filepath.Join(os.TempDir(), \"mapped1\")\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: filepath.Base(mappedPath1),\n\t\tMappedPath: mappedPath1,\n\t}\n\tfolder1, _, err := httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tmappedPath2 := filepath.Join(os.TempDir(), \"mapped2\")\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: filepath.Base(mappedPath2),\n\t\tMappedPath: mappedPath2,\n\t}\n\tfolder2, _, err := httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu := getTestUser()\n\tu.QuotaSize = 20\n\tu.UploadDataTransfer = 1000\n\tu.DownloadDataTransfer = 5000\n\tvdirPath1 := \"/vmapped1\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folder1.Name,\n\t\t},\n\t\tVirtualPath: vdirPath1,\n\t\tQuotaFiles: 10,\n\t})\n\tvdirPath2 := \"/vmapped2\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folder2.Name,\n\t\t},\n\t\tVirtualPath: vdirPath2,\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser()\n\tu.QuotaSize = 20\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\tconn, client, err := getSftpClient(user)\n\t\tif assert.NoError(t, err) {\n\t\t\tdefer conn.Close()\n\t\t\tdefer client.Close()\n\t\t\tf, err := client.OpenFile(testFileName, os.O_WRONLY|os.O_CREATE)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\tn, err := f.Write(testFileContent)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, len(testFileContent), n)\n\t\t\t\terr = f.Truncate(2)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\texpectedQuotaFiles := 0\n\t\t\t\texpectedQuotaSize := int64(2)\n\t\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\t\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\t\t\t_, err = f.Seek(expectedQuotaSize, io.SeekStart)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tn, err = f.Write(testFileContent)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, len(testFileContent), n)\n\t\t\t\terr = f.Truncate(5)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\texpectedQuotaSize = int64(5)\n\t\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\t\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\t\t\t_, err = f.Seek(expectedQuotaSize, io.SeekStart)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tn, err = f.Write(testFileContent)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, len(testFileContent), n)\n\t\t\t\terr = f.Close()\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\texpectedQuotaFiles = 1\n\t\t\t\texpectedQuotaSize = int64(5) + int64(len(testFileContent))\n\t\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\t\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\t\t}\n\t\t\t// now truncate by path\n\t\t\terr = client.Truncate(testFileName, 5)\n\t\t\tassert.NoError(t, err)\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\t\tassert.Equal(t, int64(5), user.UsedQuotaSize)\n\t\t\t// now open an existing file without truncate it, quota should not change\n\t\t\tf, err = client.OpenFile(testFileName, os.O_WRONLY)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\terr = f.Close()\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\t\t\tassert.Equal(t, int64(5), user.UsedQuotaSize)\n\t\t\t}\n\t\t\t// open the file truncating it\n\t\t\tf, err = client.OpenFile(testFileName, os.O_WRONLY|os.O_TRUNC)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\terr = f.Close()\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\t\t\tassert.Equal(t, int64(0), user.UsedQuotaSize)\n\t\t\t}\n\t\t\t// now test max write size\n\t\t\tf, err = client.OpenFile(testFileName, os.O_WRONLY)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\tn, err := f.Write(testFileContent)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, len(testFileContent), n)\n\t\t\t\terr = f.Truncate(11)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\t\t\tassert.Equal(t, int64(11), user.UsedQuotaSize)\n\t\t\t\t_, err = f.Seek(int64(11), io.SeekStart)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tn, err = f.Write(testFileContent)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, len(testFileContent), n)\n\t\t\t\terr = f.Truncate(5)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\t\t\tassert.Equal(t, int64(5), user.UsedQuotaSize)\n\t\t\t\t_, err = f.Seek(int64(5), io.SeekStart)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tn, err = f.Write(testFileContent)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, len(testFileContent), n)\n\t\t\t\terr = f.Truncate(12)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\t\t\tassert.Equal(t, int64(12), user.UsedQuotaSize)\n\t\t\t\t_, err = f.Seek(int64(12), io.SeekStart)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\t_, err = f.Write(testFileContent)\n\t\t\t\tif assert.Error(t, err) {\n\t\t\t\t\tassert.Contains(t, err.Error(), common.ErrQuotaExceeded.Error())\n\t\t\t\t}\n\t\t\t\terr = f.Close()\n\t\t\t\tassert.Error(t, err)\n\t\t\t\t// the file is deleted\n\t\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, 0, user.UsedQuotaFiles)\n\t\t\t\tassert.Equal(t, int64(0), user.UsedQuotaSize)\n\t\t\t}\n\n\t\t\tif user.Username == defaultUsername {\n\t\t\t\t// basic test inside a virtual folder\n\t\t\t\tvfileName1 := path.Join(vdirPath1, testFileName)\n\t\t\t\tf, err = client.OpenFile(vfileName1, os.O_WRONLY|os.O_CREATE)\n\t\t\t\tif assert.NoError(t, err) {\n\t\t\t\t\tn, err := f.Write(testFileContent)\n\t\t\t\t\tassert.NoError(t, err)\n\t\t\t\t\tassert.Equal(t, len(testFileContent), n)\n\t\t\t\t\terr = f.Truncate(2)\n\t\t\t\t\tassert.NoError(t, err)\n\t\t\t\t\texpectedQuotaFiles := 0\n\t\t\t\t\texpectedQuotaSize := int64(2)\n\t\t\t\t\tfold, _, err := httpdtest.GetFolderByName(folder1.Name, http.StatusOK)\n\t\t\t\t\tassert.NoError(t, err)\n\t\t\t\t\tassert.Equal(t, expectedQuotaSize, fold.UsedQuotaSize)\n\t\t\t\t\tassert.Equal(t, expectedQuotaFiles, fold.UsedQuotaFiles)\n\t\t\t\t\terr = f.Close()\n\t\t\t\t\tassert.NoError(t, err)\n\t\t\t\t\texpectedQuotaFiles = 1\n\t\t\t\t\tfold, _, err = httpdtest.GetFolderByName(folder1.Name, http.StatusOK)\n\t\t\t\t\tassert.NoError(t, err)\n\t\t\t\t\tassert.Equal(t, expectedQuotaSize, fold.UsedQuotaSize)\n\t\t\t\t\tassert.Equal(t, expectedQuotaFiles, fold.UsedQuotaFiles)\n\t\t\t\t}\n\t\t\t\terr = client.Truncate(vfileName1, 1)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tfold, _, err := httpdtest.GetFolderByName(folder1.Name, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, int64(1), fold.UsedQuotaSize)\n\t\t\t\tassert.Equal(t, 1, fold.UsedQuotaFiles)\n\t\t\t\t// now test on vdirPath2, the folder quota is included in the user's quota\n\t\t\t\tvfileName2 := path.Join(vdirPath2, testFileName)\n\t\t\t\tf, err = client.OpenFile(vfileName2, os.O_WRONLY|os.O_CREATE)\n\t\t\t\tif assert.NoError(t, err) {\n\t\t\t\t\tn, err := f.Write(testFileContent)\n\t\t\t\t\tassert.NoError(t, err)\n\t\t\t\t\tassert.Equal(t, len(testFileContent), n)\n\t\t\t\t\terr = f.Truncate(3)\n\t\t\t\t\tassert.NoError(t, err)\n\t\t\t\t\texpectedQuotaFiles := 0\n\t\t\t\t\texpectedQuotaSize := int64(3)\n\t\t\t\t\tfold, _, err := httpdtest.GetFolderByName(folder2.Name, http.StatusOK)\n\t\t\t\t\tassert.NoError(t, err)\n\t\t\t\t\tassert.Equal(t, int64(0), fold.UsedQuotaSize)\n\t\t\t\t\tassert.Equal(t, 0, fold.UsedQuotaFiles)\n\t\t\t\t\terr = f.Close()\n\t\t\t\t\tassert.NoError(t, err)\n\t\t\t\t\texpectedQuotaFiles = 1\n\t\t\t\t\tfold, _, err = httpdtest.GetFolderByName(folder2.Name, http.StatusOK)\n\t\t\t\t\tassert.NoError(t, err)\n\t\t\t\t\tassert.Equal(t, int64(0), fold.UsedQuotaSize)\n\t\t\t\t\tassert.Equal(t, 0, fold.UsedQuotaFiles)\n\t\t\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\t\t\tassert.NoError(t, err)\n\t\t\t\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\t\t\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\t\t\t}\n\n\t\t\t\t// cleanup\n\t\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tif user.Username == defaultUsername {\n\t\t\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\t\t\tassert.NoError(t, err)\n\t\t\t\t\tuser.Password = defaultPassword\n\t\t\t\t\tuser.QuotaSize = 0\n\t\t\t\t\tuser.ID = 0\n\t\t\t\t\tuser.CreatedAt = 0\n\t\t\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\t\t\tassert.NoError(t, err, string(resp))\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(folder1, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath1)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(folder2, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath2)\n\tassert.NoError(t, err)\n}\n\nfunc TestVirtualFoldersQuotaRenameOverwrite(t *testing.T) {\n\ttestFileSize := int64(131072)\n\ttestFileSize1 := int64(65537)\n\ttestFileName1 := \"test_file1.dat\" //nolint:goconst\n\tu := getTestUser()\n\tu.QuotaFiles = 0\n\tu.QuotaSize = 0\n\tmappedPath1 := filepath.Join(os.TempDir(), \"vdir1\")\n\tfolderName1 := filepath.Base(mappedPath1)\n\tvdirPath1 := \"/vdir1\" //nolint:goconst\n\tmappedPath2 := filepath.Join(os.TempDir(), \"vdir2\")\n\tfolderName2 := filepath.Base(mappedPath2)\n\tvdirPath2 := \"/vdir2\" //nolint:goconst\n\tmappedPath3 := filepath.Join(os.TempDir(), \"vdir3\")\n\tfolderName3 := filepath.Base(mappedPath3)\n\tvdirPath3 := \"/vdir3\"\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderName1,\n\t\tMappedPath: mappedPath1,\n\t}\n\t_, _, err := httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName2,\n\t\tMappedPath: mappedPath2,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf3 := vfs.BaseVirtualFolder{\n\t\tName: folderName3,\n\t\tMappedPath: mappedPath3,\n\t}\n\t_, _, err = httpdtest.AddFolder(f3, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: vdirPath1,\n\t\tQuotaFiles: 2,\n\t\tQuotaSize: 0,\n\t})\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t},\n\t\tVirtualPath: vdirPath2,\n\t\tQuotaFiles: 0,\n\t\tQuotaSize: testFileSize + testFileSize1 + 1,\n\t})\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName3,\n\t\t},\n\t\tVirtualPath: vdirPath3,\n\t\tQuotaFiles: 2,\n\t\tQuotaSize: testFileSize * 2,\n\t})\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = writeSFTPFile(path.Join(vdirPath1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tf, err := client.Open(path.Join(vdirPath1, testFileName))\n\t\tassert.NoError(t, err)\n\t\tcontents, err := io.ReadAll(f)\n\t\tassert.NoError(t, err)\n\t\terr = f.Close()\n\t\tassert.NoError(t, err)\n\t\tassert.Len(t, contents, int(testFileSize))\n\t\terr = writeSFTPFile(path.Join(vdirPath2, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath1, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath2, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(testFileName1, testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath3, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath3, testFileName+\"1\"), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(testFileName, path.Join(vdirPath1, testFileName+\".rename\")) //nolint:goconst\n\t\tassert.Error(t, err)\n\t\t// we overwrite an existing file and we have unlimited size\n\t\terr = client.Rename(testFileName, path.Join(vdirPath1, testFileName))\n\t\tassert.NoError(t, err)\n\t\t// we have no space and we try to overwrite a bigger file with a smaller one, this should succeed\n\t\terr = client.Rename(testFileName1, path.Join(vdirPath2, testFileName))\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath2, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\t// we have no space and we try to overwrite a smaller file with a bigger one, this should fail\n\t\terr = client.Rename(testFileName, path.Join(vdirPath2, testFileName1))\n\t\tassert.Error(t, err)\n\t\tfi, err := client.Stat(path.Join(vdirPath1, testFileName1))\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, testFileSize1, fi.Size())\n\t\t}\n\t\t// we are overquota inside vdir3 size 2/2 and size 262144/262144\n\t\terr = client.Rename(path.Join(vdirPath1, testFileName1), path.Join(vdirPath3, testFileName1+\".rename\"))\n\t\tassert.Error(t, err)\n\t\t// we overwrite an existing file and we have enough size\n\t\terr = client.Rename(path.Join(vdirPath1, testFileName1), path.Join(vdirPath3, testFileName))\n\t\tassert.NoError(t, err)\n\t\ttestFileName2 := \"test_file2.dat\"\n\t\terr = writeSFTPFile(testFileName2, testFileSize+testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\t// we overwrite an existing file and we haven't enough size\n\t\terr = client.Rename(testFileName2, path.Join(vdirPath3, testFileName))\n\t\tassert.Error(t, err)\n\t\t// now remove a file from vdir3, create a dir with 2 files and try to rename it in vdir3\n\t\t// this will fail since the rename will result in 3 files inside vdir3 and quota limits only\n\t\t// allow 2 total files there\n\t\terr = client.Remove(path.Join(vdirPath3, testFileName+\"1\"))\n\t\tassert.NoError(t, err)\n\t\taDir := \"a dir\"\n\t\terr = client.Mkdir(aDir)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(aDir, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(aDir, testFileName1+\"1\"), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(aDir, path.Join(vdirPath3, aDir))\n\t\tassert.Error(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName1}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName2}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName3}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath1)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath2)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath3)\n\tassert.NoError(t, err)\n}\n\nfunc TestQuotaRenameOverwrite(t *testing.T) {\n\tu := getTestUser()\n\tu.QuotaFiles = 100\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFileSize := int64(131072)\n\t\ttestFileSize1 := int64(65537)\n\t\ttestFileName1 := \"test_file1.dat\"\n\t\terr = writeSFTPFile(testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tf, err := client.Open(testFileName)\n\t\tassert.NoError(t, err)\n\t\tcontents := make([]byte, testFileSize)\n\t\tn, err := io.ReadFull(f, contents)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int(testFileSize), n)\n\t\terr = f.Close()\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(testFileName1, testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), user.UsedDownloadDataTransfer)\n\t\tassert.Equal(t, int64(0), user.UsedUploadDataTransfer)\n\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize+testFileSize1, user.UsedQuotaSize)\n\t\terr = client.Rename(testFileName, testFileName1)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), user.UsedDownloadDataTransfer)\n\t\tassert.Equal(t, int64(0), user.UsedUploadDataTransfer)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize, user.UsedQuotaSize)\n\t\terr = client.Remove(testFileName1)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(testFileName1, testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(testFileName1, testFileName)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize1, user.UsedQuotaSize)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestVirtualFoldersQuotaValues(t *testing.T) {\n\tu := getTestUser()\n\tu.QuotaFiles = 100\n\tmappedPath1 := filepath.Join(os.TempDir(), \"vdir1\")\n\tvdirPath1 := \"/vdir1\"\n\tfolderName1 := filepath.Base(mappedPath1)\n\tmappedPath2 := filepath.Join(os.TempDir(), \"vdir2\")\n\tvdirPath2 := \"/vdir2\"\n\tfolderName2 := filepath.Base(mappedPath2)\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderName1,\n\t\tMappedPath: mappedPath1,\n\t}\n\t_, _, err := httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName2,\n\t\tMappedPath: mappedPath2,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: vdirPath1,\n\t\t// quota is included in the user's one\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t},\n\t\tVirtualPath: vdirPath2,\n\t\t// quota is unlimited and excluded from user's one\n\t\tQuotaFiles: 0,\n\t\tQuotaSize: 0,\n\t})\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFileSize := int64(131072)\n\t\terr = writeSFTPFile(testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\t// we copy the same file two times to test quota update on file overwrite\n\t\terr = writeSFTPFile(path.Join(vdirPath1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath2, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath2, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\texpectedQuotaFiles := 2\n\t\texpectedQuotaSize := testFileSize * 2\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\tf, _, err := httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize, f.UsedQuotaSize)\n\t\tassert.Equal(t, 1, f.UsedQuotaFiles)\n\n\t\terr = client.Remove(path.Join(vdirPath1, testFileName))\n\t\tassert.NoError(t, err)\n\t\terr = client.Remove(path.Join(vdirPath2, testFileName))\n\t\tassert.NoError(t, err)\n\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName1}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName2}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath1)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath2)\n\tassert.NoError(t, err)\n}\n\nfunc TestQuotaRenameInsideSameVirtualFolder(t *testing.T) {\n\tu := getTestUser()\n\tu.QuotaFiles = 100\n\tmappedPath1 := filepath.Join(os.TempDir(), \"vdir1\")\n\tvdirPath1 := \"/vdir1\"\n\tfolderName1 := filepath.Base(mappedPath1)\n\tmappedPath2 := filepath.Join(os.TempDir(), \"vdir2\")\n\tvdirPath2 := \"/vdir2\"\n\tfolderName2 := filepath.Base(mappedPath2)\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderName1,\n\t\tMappedPath: mappedPath1,\n\t}\n\t_, _, err := httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName2,\n\t\tMappedPath: mappedPath2,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: vdirPath1,\n\t\t// quota is included in the user's one\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t},\n\t\tVirtualPath: vdirPath2,\n\t\t// quota is unlimited and excluded from user's one\n\t\tQuotaFiles: 0,\n\t\tQuotaSize: 0,\n\t})\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFileName1 := \"test_file1.dat\"\n\t\ttestFileSize := int64(131072)\n\t\ttestFileSize1 := int64(65535)\n\t\tdir1 := \"dir1\" //nolint:goconst\n\t\tdir2 := \"dir2\" //nolint:goconst\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath1, dir1))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath1, dir2))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath2, dir1))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath2, dir2))\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath1, dir1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath1, dir2, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath2, dir1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath2, dir2, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize+testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err := httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize+testFileSize1, f.UsedQuotaSize)\n\t\tassert.Equal(t, 2, f.UsedQuotaFiles)\n\t\t// initial files:\n\t\t// - vdir1/dir1/testFileName\n\t\t// - vdir1/dir2/testFileName1\n\t\t// - vdir2/dir1/testFileName\n\t\t// - vdir2/dir2/testFileName1\n\t\t//\n\t\t// rename a file inside vdir1 it is included inside user quota, so we have:\n\t\t// - vdir1/dir1/testFileName.rename\n\t\t// - vdir1/dir2/testFileName1\n\t\t// - vdir2/dir1/testFileName\n\t\t// - vdir2/dir2/testFileName1\n\t\terr = client.Rename(path.Join(vdirPath1, dir1, testFileName), path.Join(vdirPath1, dir1, testFileName+\".rename\"))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize+testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\t// rename a file inside vdir2, it isn't included inside user quota, so we have:\n\t\t// - vdir1/dir1/testFileName.rename\n\t\t// - vdir1/dir2/testFileName1\n\t\t// - vdir2/dir1/testFileName.rename\n\t\t// - vdir2/dir2/testFileName1\n\t\terr = client.Rename(path.Join(vdirPath2, dir1, testFileName), path.Join(vdirPath2, dir1, testFileName+\".rename\"))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize+testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize+testFileSize1, f.UsedQuotaSize)\n\t\tassert.Equal(t, 2, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\t// rename a file inside vdir2 overwriting an existing, we now have:\n\t\t// - vdir1/dir1/testFileName.rename\n\t\t// - vdir1/dir2/testFileName1\n\t\t// - vdir2/dir1/testFileName.rename (initial testFileName1)\n\t\terr = client.Rename(path.Join(vdirPath2, dir2, testFileName1), path.Join(vdirPath2, dir1, testFileName+\".rename\"))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize+testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize1, f.UsedQuotaSize)\n\t\tassert.Equal(t, 1, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\t// rename a file inside vdir1 overwriting an existing, we now have:\n\t\t// - vdir1/dir1/testFileName.rename (initial testFileName1)\n\t\t// - vdir2/dir1/testFileName.rename (initial testFileName1)\n\t\terr = client.Rename(path.Join(vdirPath1, dir2, testFileName1), path.Join(vdirPath1, dir1, testFileName+\".rename\"))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize1, f.UsedQuotaSize)\n\t\tassert.Equal(t, 1, f.UsedQuotaFiles)\n\t\t// rename a directory inside the same virtual folder, quota should not change\n\t\terr = client.RemoveDirectory(path.Join(vdirPath1, dir2))\n\t\tassert.NoError(t, err)\n\t\terr = client.RemoveDirectory(path.Join(vdirPath2, dir2))\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(path.Join(vdirPath1, dir1), path.Join(vdirPath1, dir2))\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(path.Join(vdirPath2, dir1), path.Join(vdirPath2, dir2))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize1, f.UsedQuotaSize)\n\t\tassert.Equal(t, 1, f.UsedQuotaFiles)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName1}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName2}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath1)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath2)\n\tassert.NoError(t, err)\n}\n\nfunc TestQuotaRenameBetweenVirtualFolder(t *testing.T) {\n\tu := getTestUser()\n\tu.QuotaFiles = 100\n\tmappedPath1 := filepath.Join(os.TempDir(), \"vdir1\")\n\tfolderName1 := filepath.Base(mappedPath1)\n\tvdirPath1 := \"/vdir1\"\n\tmappedPath2 := filepath.Join(os.TempDir(), \"vdir2\")\n\tfolderName2 := filepath.Base(mappedPath2)\n\tvdirPath2 := \"/vdir2\"\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderName1,\n\t\tMappedPath: mappedPath1,\n\t}\n\t_, _, err := httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName2,\n\t\tMappedPath: mappedPath2,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: vdirPath1,\n\t\t// quota is included in the user's one\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t},\n\t\tVirtualPath: vdirPath2,\n\t\t// quota is unlimited and excluded from user's one\n\t\tQuotaFiles: 0,\n\t\tQuotaSize: 0,\n\t})\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFileName1 := \"test_file1.dat\"\n\t\ttestFileSize := int64(131072)\n\t\ttestFileSize1 := int64(65535)\n\t\tdir1 := \"dir1\"\n\t\tdir2 := \"dir2\"\n\t\terr = client.Mkdir(path.Join(vdirPath1, dir1))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath1, dir2))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath2, dir1))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath2, dir2))\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath1, dir1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath1, dir2, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath2, dir1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath2, dir2, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\t// initial files:\n\t\t// - vdir1/dir1/testFileName\n\t\t// - vdir1/dir2/testFileName1\n\t\t// - vdir2/dir1/testFileName\n\t\t// - vdir2/dir2/testFileName1\n\t\t//\n\t\t// rename a file from vdir1 to vdir2, vdir1 is included inside user quota, so we have:\n\t\t// - vdir1/dir1/testFileName\n\t\t// - vdir2/dir1/testFileName\n\t\t// - vdir2/dir2/testFileName1\n\t\t// - vdir2/dir1/testFileName1.rename\n\t\terr = client.Rename(path.Join(vdirPath1, dir2, testFileName1), path.Join(vdirPath2, dir1, testFileName1+\".rename\"))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize, user.UsedQuotaSize)\n\t\tf, _, err := httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize+testFileSize1+testFileSize1, f.UsedQuotaSize)\n\t\tassert.Equal(t, 3, f.UsedQuotaFiles)\n\t\t// rename a file from vdir2 to vdir1, vdir2 is not included inside user quota, so we have:\n\t\t// - vdir1/dir1/testFileName\n\t\t// - vdir1/dir2/testFileName.rename\n\t\t// - vdir2/dir2/testFileName1\n\t\t// - vdir2/dir1/testFileName1.rename\n\t\terr = client.Rename(path.Join(vdirPath2, dir1, testFileName), path.Join(vdirPath1, dir2, testFileName+\".rename\"))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize*2, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize1*2, f.UsedQuotaSize)\n\t\tassert.Equal(t, 2, f.UsedQuotaFiles)\n\t\t// rename a file from vdir1 to vdir2 overwriting an existing file, vdir1 is included inside user quota, so we have:\n\t\t// - vdir1/dir2/testFileName.rename\n\t\t// - vdir2/dir2/testFileName1 (is the initial testFileName)\n\t\t// - vdir2/dir1/testFileName1.rename\n\t\terr = client.Rename(path.Join(vdirPath1, dir1, testFileName), path.Join(vdirPath2, dir2, testFileName1))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize1+testFileSize, f.UsedQuotaSize)\n\t\tassert.Equal(t, 2, f.UsedQuotaFiles)\n\t\t// rename a file from vdir2 to vdir1 overwriting an existing file, vdir2 is not included inside user quota, so we have:\n\t\t// - vdir1/dir2/testFileName.rename (is the initial testFileName1)\n\t\t// - vdir2/dir2/testFileName1 (is the initial testFileName)\n\t\terr = client.Rename(path.Join(vdirPath2, dir1, testFileName1+\".rename\"), path.Join(vdirPath1, dir2, testFileName+\".rename\"))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize, f.UsedQuotaSize)\n\t\tassert.Equal(t, 1, f.UsedQuotaFiles)\n\n\t\terr = writeSFTPFile(path.Join(vdirPath1, dir2, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath2, dir2, testFileName), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath2, dir2, testFileName+\"1.dupl\"), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.RemoveDirectory(path.Join(vdirPath1, dir1))\n\t\tassert.NoError(t, err)\n\t\terr = client.RemoveDirectory(path.Join(vdirPath2, dir1))\n\t\tassert.NoError(t, err)\n\t\t// - vdir1/dir2/testFileName.rename (initial testFileName1)\n\t\t// - vdir1/dir2/testFileName\n\t\t// - vdir2/dir2/testFileName1 (initial testFileName)\n\t\t// - vdir2/dir2/testFileName (initial testFileName1)\n\t\t// - vdir2/dir2/testFileName1.dupl\n\t\t// rename directories between the two virtual folders\n\t\terr = client.Rename(path.Join(vdirPath2, dir2), path.Join(vdirPath1, dir1))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 5, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize1*3+testFileSize*2, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\t// now move on vpath2\n\t\terr = client.Rename(path.Join(vdirPath1, dir2), path.Join(vdirPath2, dir1))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 3, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize1*2+testFileSize, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize+testFileSize1, f.UsedQuotaSize)\n\t\tassert.Equal(t, 2, f.UsedQuotaFiles)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName1}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName2}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath1)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath2)\n\tassert.NoError(t, err)\n}\n\nfunc TestQuotaRenameFromVirtualFolder(t *testing.T) {\n\tu := getTestUser()\n\tu.QuotaFiles = 100\n\tmappedPath1 := filepath.Join(os.TempDir(), \"vdir1\")\n\tfolderName1 := filepath.Base(mappedPath1)\n\tvdirPath1 := \"/vdir1\"\n\tmappedPath2 := filepath.Join(os.TempDir(), \"vdir2\")\n\tfolderName2 := filepath.Base(mappedPath2)\n\tvdirPath2 := \"/vdir2\"\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderName1,\n\t\tMappedPath: mappedPath1,\n\t}\n\t_, _, err := httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName2,\n\t\tMappedPath: mappedPath2,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: vdirPath1,\n\t\t// quota is included in the user's one\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t},\n\t\tVirtualPath: vdirPath2,\n\t\t// quota is unlimited and excluded from user's one\n\t\tQuotaFiles: 0,\n\t\tQuotaSize: 0,\n\t})\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFileName1 := \"test_file1.dat\"\n\t\ttestFileSize := int64(131072)\n\t\ttestFileSize1 := int64(65535)\n\t\tdir1 := \"dir1\"\n\t\tdir2 := \"dir2\"\n\t\terr = client.Mkdir(path.Join(vdirPath1, dir1))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath1, dir2))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath2, dir1))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath2, dir2))\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath1, dir1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath1, dir2, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath2, dir1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath2, dir2, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\t// initial files:\n\t\t// - vdir1/dir1/testFileName\n\t\t// - vdir1/dir2/testFileName1\n\t\t// - vdir2/dir1/testFileName\n\t\t// - vdir2/dir2/testFileName1\n\t\t//\n\t\t// rename a file from vdir1 to the user home dir, vdir1 is included in user quota so we have:\n\t\t// - testFileName\n\t\t// - vdir1/dir2/testFileName1\n\t\t// - vdir2/dir1/testFileName\n\t\t// - vdir2/dir2/testFileName1\n\t\terr = client.Rename(path.Join(vdirPath1, dir1, testFileName), path.Join(testFileName))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize+testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err := httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize+testFileSize1, f.UsedQuotaSize)\n\t\tassert.Equal(t, 2, f.UsedQuotaFiles)\n\t\t// rename a file from vdir2 to the user home dir, vdir2 is not included in user quota so we have:\n\t\t// - testFileName\n\t\t// - testFileName1\n\t\t// - vdir1/dir2/testFileName1\n\t\t// - vdir2/dir1/testFileName\n\t\terr = client.Rename(path.Join(vdirPath2, dir2, testFileName1), path.Join(testFileName1))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 3, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize+testFileSize1+testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize, f.UsedQuotaSize)\n\t\tassert.Equal(t, 1, f.UsedQuotaFiles)\n\t\t// rename a file from vdir1 to the user home dir overwriting an existing file, vdir1 is included in user quota so we have:\n\t\t// - testFileName (initial testFileName1)\n\t\t// - testFileName1\n\t\t// - vdir2/dir1/testFileName\n\t\terr = client.Rename(path.Join(vdirPath1, dir2, testFileName1), path.Join(testFileName))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize1+testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize, f.UsedQuotaSize)\n\t\tassert.Equal(t, 1, f.UsedQuotaFiles)\n\t\t// rename a file from vdir2 to the user home dir overwriting an existing file, vdir2 is not included in user quota so we have:\n\t\t// - testFileName (initial testFileName1)\n\t\t// - testFileName1 (initial testFileName)\n\t\terr = client.Rename(path.Join(vdirPath2, dir1, testFileName), path.Join(testFileName1))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize+testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\t// dir rename\n\t\terr = writeSFTPFile(path.Join(vdirPath1, dir1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath1, dir1, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath2, dir1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath2, dir1, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\t// - testFileName (initial testFileName1)\n\t\t// - testFileName1 (initial testFileName)\n\t\t// - vdir1/dir1/testFileName\n\t\t// - vdir1/dir1/testFileName1\n\t\t// - dir1/testFileName\n\t\t// - dir1/testFileName1\n\t\terr = client.Rename(path.Join(vdirPath2, dir1), dir1)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 6, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize*3+testFileSize1*3, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\t// - testFileName (initial testFileName1)\n\t\t// - testFileName1 (initial testFileName)\n\t\t// - dir2/testFileName\n\t\t// - dir2/testFileName1\n\t\t// - dir1/testFileName\n\t\t// - dir1/testFileName1\n\t\terr = client.Rename(path.Join(vdirPath1, dir1), dir2)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 6, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize*3+testFileSize1*3, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName1}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName2}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath1)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath2)\n\tassert.NoError(t, err)\n}\n\nfunc TestQuotaRenameToVirtualFolder(t *testing.T) {\n\tu := getTestUser()\n\tu.QuotaFiles = 100\n\tmappedPath1 := filepath.Join(os.TempDir(), \"vdir1\")\n\tfolderName1 := filepath.Base(mappedPath1)\n\tvdirPath1 := \"/vdir1\"\n\tmappedPath2 := filepath.Join(os.TempDir(), \"vdir2\")\n\tfolderName2 := filepath.Base(mappedPath2)\n\tvdirPath2 := \"/vdir2\"\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderName1,\n\t\tMappedPath: mappedPath1,\n\t}\n\t_, _, err := httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName2,\n\t\tMappedPath: mappedPath2,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: vdirPath1,\n\t\t// quota is included in the user's one\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t},\n\t\tVirtualPath: vdirPath2,\n\t\t// quota is unlimited and excluded from user's one\n\t\tQuotaFiles: 0,\n\t\tQuotaSize: 0,\n\t})\n\tu.Permissions[vdirPath1] = []string{dataprovider.PermListItems, dataprovider.PermDownload, dataprovider.PermUpload,\n\t\tdataprovider.PermOverwrite, dataprovider.PermDelete, dataprovider.PermCreateSymlinks, dataprovider.PermCreateDirs,\n\t\tdataprovider.PermRename}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFileName1 := \"test_file1.dat\"\n\t\ttestFileSize := int64(131072)\n\t\ttestFileSize1 := int64(65535)\n\t\tdir1 := \"dir1\"\n\t\tdir2 := \"dir2\"\n\t\terr = client.Mkdir(path.Join(vdirPath1, dir1))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath1, dir2))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath2, dir1))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath2, dir2))\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(testFileName1, testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\t// initial files:\n\t\t// - testFileName\n\t\t// - testFileName1\n\t\t//\n\t\t// rename a file from user home dir to vdir1, vdir1 is included in user quota so we have:\n\t\t// - testFileName\n\t\t// - /vdir1/dir1/testFileName1\n\t\terr = client.Rename(testFileName1, path.Join(vdirPath1, dir1, testFileName1))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize+testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err := httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\t// rename a file from user home dir to vdir2, vdir2 is not included in user quota so we have:\n\t\t// - /vdir2/dir1/testFileName\n\t\t// - /vdir1/dir1/testFileName1\n\t\terr = client.Rename(testFileName, path.Join(vdirPath2, dir1, testFileName))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize, f.UsedQuotaSize)\n\t\tassert.Equal(t, 1, f.UsedQuotaFiles)\n\t\t// upload two new files to the user home dir so we have:\n\t\t// - testFileName\n\t\t// - testFileName1\n\t\t// - /vdir1/dir1/testFileName1\n\t\t// - /vdir2/dir1/testFileName\n\t\terr = writeSFTPFile(testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(testFileName1, testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 3, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize+testFileSize1+testFileSize1, user.UsedQuotaSize)\n\t\t// rename a file from user home dir to vdir1 overwriting an existing file, vdir1 is included in user quota so we have:\n\t\t// - testFileName1\n\t\t// - /vdir1/dir1/testFileName1 (initial testFileName)\n\t\t// - /vdir2/dir1/testFileName\n\t\terr = client.Rename(testFileName, path.Join(vdirPath1, dir1, testFileName1))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize+testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize, f.UsedQuotaSize)\n\t\tassert.Equal(t, 1, f.UsedQuotaFiles)\n\t\t// rename a file from user home dir to vdir2 overwriting an existing file, vdir2 is not included in user quota so we have:\n\t\t// - /vdir1/dir1/testFileName1 (initial testFileName)\n\t\t// - /vdir2/dir1/testFileName (initial testFileName1)\n\t\terr = client.Rename(testFileName1, path.Join(vdirPath2, dir1, testFileName))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize1, f.UsedQuotaSize)\n\t\tassert.Equal(t, 1, f.UsedQuotaFiles)\n\n\t\terr = client.Mkdir(dir1)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(dir1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(dir1, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\t// - /dir1/testFileName\n\t\t// - /dir1/testFileName1\n\t\t// - /vdir1/dir1/testFileName1 (initial testFileName)\n\t\t// - /vdir2/dir1/testFileName (initial testFileName1)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 3, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize*2+testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize1, f.UsedQuotaSize)\n\t\tassert.Equal(t, 1, f.UsedQuotaFiles)\n\t\t// - /vdir1/adir/testFileName\n\t\t// - /vdir1/adir/testFileName1\n\t\t// - /vdir1/dir1/testFileName1 (initial testFileName)\n\t\t// - /vdir2/dir1/testFileName (initial testFileName1)\n\t\terr = client.Rename(dir1, path.Join(vdirPath1, \"adir\"))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 3, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize*2+testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize1, f.UsedQuotaSize)\n\t\tassert.Equal(t, 1, f.UsedQuotaFiles)\n\t\terr = client.Mkdir(dir1)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(dir1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(dir1, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\t// - /vdir1/adir/testFileName\n\t\t// - /vdir1/adir/testFileName1\n\t\t// - /vdir1/dir1/testFileName1 (initial testFileName)\n\t\t// - /vdir2/dir1/testFileName (initial testFileName1)\n\t\t// - /vdir2/adir/testFileName\n\t\t// - /vdir2/adir/testFileName1\n\t\terr = client.Rename(dir1, path.Join(vdirPath2, \"adir\"))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 3, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize*2+testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize1*2+testFileSize, f.UsedQuotaSize)\n\t\tassert.Equal(t, 3, f.UsedQuotaFiles)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName1}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName2}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath1)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath2)\n\tassert.NoError(t, err)\n}\n\nfunc TestTransferQuotaLimits(t *testing.T) {\n\tu := getTestUser()\n\tu.TotalDataTransfer = 1\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\ttestFileSize := int64(524288)\n\t\terr = writeSFTPFile(testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tf, err := client.Open(testFileName)\n\t\tassert.NoError(t, err)\n\t\tcontents := make([]byte, testFileSize)\n\t\tn, err := io.ReadFull(f, contents)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int(testFileSize), n)\n\t\tassert.Len(t, contents, int(testFileSize))\n\t\terr = f.Close()\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Open(testFileName)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_FAILURE\")\n\t\t\tassert.Contains(t, err.Error(), common.ErrReadQuotaExceeded.Error())\n\t\t}\n\t\terr = writeSFTPFile(testFileName, testFileSize, client)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_FAILURE\")\n\t\t\tassert.Contains(t, err.Error(), common.ErrQuotaExceeded.Error())\n\t\t}\n\t}\n\t// test the limit while uploading/downloading\n\tuser.TotalDataTransfer = 0\n\tuser.UploadDataTransfer = 1\n\tuser.DownloadDataTransfer = 1\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\ttestFileSize := int64(450000)\n\t\terr = writeSFTPFile(testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tf, err := client.Open(testFileName)\n\t\tif assert.NoError(t, err) {\n\t\t\t_, err = io.Copy(io.Discard, f)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = f.Close()\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t\tf, err = client.Open(testFileName)\n\t\tif assert.NoError(t, err) {\n\t\t\t_, err = io.Copy(io.Discard, f)\n\t\t\tif assert.Error(t, err) {\n\t\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_FAILURE\")\n\t\t\t\tassert.Contains(t, err.Error(), common.ErrReadQuotaExceeded.Error())\n\t\t\t}\n\t\t\terr = f.Close()\n\t\t\tassert.Error(t, err)\n\t\t}\n\n\t\terr = writeSFTPFile(testFileName, testFileSize, client)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_FAILURE\")\n\t\t\tassert.Contains(t, err.Error(), common.ErrQuotaExceeded.Error())\n\t\t}\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestVirtualFoldersLink(t *testing.T) {\n\tu := getTestUser()\n\tmappedPath1 := filepath.Join(os.TempDir(), \"vdir1\")\n\tfolderName1 := filepath.Base(mappedPath1)\n\tvdirPath1 := \"/vdir1\"\n\tmappedPath2 := filepath.Join(os.TempDir(), \"vdir2\")\n\tfolderName2 := filepath.Base(mappedPath2)\n\tvdirPath2 := \"/vdir2\"\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderName1,\n\t\tMappedPath: mappedPath1,\n\t}\n\t_, _, err := httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName2,\n\t\tMappedPath: mappedPath2,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: vdirPath1,\n\t\t// quota is included in the user's one\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t},\n\t\tVirtualPath: vdirPath2,\n\t\t// quota is unlimited and excluded from user's one\n\t\tQuotaFiles: 0,\n\t\tQuotaSize: 0,\n\t})\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFileSize := int64(131072)\n\t\ttestDir := \"adir\"\n\t\terr = writeSFTPFile(testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath2, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath1, testDir))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath2, testDir))\n\t\tassert.NoError(t, err)\n\t\terr = client.Symlink(testFileName, testFileName+\".link\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Symlink(path.Join(vdirPath1, testFileName), path.Join(vdirPath1, testFileName+\".link\"))\n\t\tassert.NoError(t, err)\n\t\terr = client.Symlink(path.Join(vdirPath1, testFileName), path.Join(vdirPath1, testDir, testFileName+\".link\"))\n\t\tassert.NoError(t, err)\n\t\terr = client.Symlink(path.Join(vdirPath2, testFileName), path.Join(vdirPath2, testFileName+\".link\"))\n\t\tassert.NoError(t, err)\n\t\terr = client.Symlink(path.Join(vdirPath2, testFileName), path.Join(vdirPath2, testDir, testFileName+\".link\"))\n\t\tassert.NoError(t, err)\n\t\terr = client.Symlink(path.Join(\"/\", testFileName), path.Join(vdirPath1, testFileName+\".link1\")) //nolint:goconst\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_OP_UNSUPPORTED\")\n\t\t}\n\t\terr = client.Symlink(path.Join(\"/\", testFileName), path.Join(vdirPath1, testDir, testFileName+\".link1\"))\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_OP_UNSUPPORTED\")\n\t\t}\n\t\terr = client.Symlink(path.Join(\"/\", testFileName), path.Join(vdirPath2, testFileName+\".link1\"))\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_OP_UNSUPPORTED\")\n\t\t}\n\t\terr = client.Symlink(path.Join(\"/\", testFileName), path.Join(vdirPath2, testDir, testFileName+\".link1\"))\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_OP_UNSUPPORTED\")\n\t\t}\n\t\terr = client.Symlink(path.Join(vdirPath1, testFileName), testFileName+\".link1\")\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_OP_UNSUPPORTED\")\n\t\t}\n\t\terr = client.Symlink(path.Join(vdirPath2, testFileName), testFileName+\".link1\")\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_OP_UNSUPPORTED\")\n\t\t}\n\t\terr = client.Symlink(path.Join(vdirPath1, testFileName), path.Join(vdirPath2, testDir, testFileName+\".link1\"))\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_OP_UNSUPPORTED\")\n\t\t}\n\t\terr = client.Symlink(path.Join(vdirPath2, testFileName), path.Join(vdirPath1, testFileName+\".link1\"))\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_OP_UNSUPPORTED\")\n\t\t}\n\t\terr = client.Symlink(\"/\", \"/roolink\")\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Symlink(testFileName, \"/\")\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Symlink(testFileName, vdirPath1)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_OP_UNSUPPORTED\")\n\t\t}\n\t\terr = client.Symlink(vdirPath1, testFileName+\".link2\")\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_OP_UNSUPPORTED\")\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName1}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName2}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath1)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath2)\n\tassert.NoError(t, err)\n}\n\nfunc TestCrossFolderRename(t *testing.T) {\n\tfolder1 := \"folder1\"\n\tfolder2 := \"folder2\"\n\tfolder3 := \"folder3\"\n\tfolder4 := \"folder4\"\n\tfolder5 := \"folder5\"\n\tfolder6 := \"folder6\"\n\tfolder7 := \"folder7\"\n\n\tbaseUser, resp, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folder1,\n\t\tMappedPath: filepath.Join(os.TempDir(), folder1),\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.CryptedFilesystemProvider,\n\t\t\tCryptConfig: vfs.CryptFsConfig{\n\t\t\t\tPassphrase: kms.NewPlainSecret(defaultPassword),\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err = httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folder2,\n\t\tMappedPath: filepath.Join(os.TempDir(), folder2),\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.CryptedFilesystemProvider,\n\t\t\tCryptConfig: vfs.CryptFsConfig{\n\t\t\t\tPassphrase: kms.NewPlainSecret(defaultPassword),\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf3 := vfs.BaseVirtualFolder{\n\t\tName: folder3,\n\t\tMappedPath: filepath.Join(os.TempDir(), folder3),\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.CryptedFilesystemProvider,\n\t\t\tCryptConfig: vfs.CryptFsConfig{\n\t\t\t\tPassphrase: kms.NewPlainSecret(defaultPassword + \"mod\"),\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err = httpdtest.AddFolder(f3, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf4 := vfs.BaseVirtualFolder{\n\t\tName: folder4,\n\t\tMappedPath: filepath.Join(os.TempDir(), folder4),\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.SFTPFilesystemProvider,\n\t\t\tSFTPConfig: vfs.SFTPFsConfig{\n\t\t\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\t\t\tEndpoint: sftpServerAddr,\n\t\t\t\t\tUsername: baseUser.Username,\n\t\t\t\t\tPrefix: path.Join(\"/\", folder4),\n\t\t\t\t},\n\t\t\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err = httpdtest.AddFolder(f4, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf5 := vfs.BaseVirtualFolder{\n\t\tName: folder5,\n\t\tMappedPath: filepath.Join(os.TempDir(), folder5),\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.SFTPFilesystemProvider,\n\t\t\tSFTPConfig: vfs.SFTPFsConfig{\n\t\t\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\t\t\tEndpoint: sftpServerAddr,\n\t\t\t\t\tUsername: baseUser.Username,\n\t\t\t\t\tPrefix: path.Join(\"/\", folder5),\n\t\t\t\t},\n\t\t\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err = httpdtest.AddFolder(f5, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf6 := vfs.BaseVirtualFolder{\n\t\tName: folder6,\n\t\tMappedPath: filepath.Join(os.TempDir(), folder6),\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.SFTPFilesystemProvider,\n\t\t\tSFTPConfig: vfs.SFTPFsConfig{\n\t\t\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\t\t\tEndpoint: \"127.0.0.1:4024\",\n\t\t\t\t\tUsername: baseUser.Username,\n\t\t\t\t\tPrefix: path.Join(\"/\", folder6),\n\t\t\t\t},\n\t\t\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err = httpdtest.AddFolder(f6, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf7 := vfs.BaseVirtualFolder{\n\t\tName: folder7,\n\t\tMappedPath: filepath.Join(os.TempDir(), folder7),\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.SFTPFilesystemProvider,\n\t\t\tSFTPConfig: vfs.SFTPFsConfig{\n\t\t\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\t\t\tEndpoint: sftpServerAddr,\n\t\t\t\t\tUsername: baseUser.Username,\n\t\t\t\t\tPrefix: path.Join(\"/\", folder4),\n\t\t\t\t},\n\t\t\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err = httpdtest.AddFolder(f7, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tu := getCryptFsUser()\n\tu.VirtualFolders = []vfs.VirtualFolder{\n\t\t{\n\t\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\t\tName: folder1,\n\t\t\t},\n\t\t\tVirtualPath: path.Join(\"/\", folder1),\n\t\t\tQuotaSize: -1,\n\t\t\tQuotaFiles: -1,\n\t\t},\n\t\t{\n\t\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\t\tName: folder2,\n\t\t\t},\n\t\t\tVirtualPath: path.Join(\"/\", folder2),\n\t\t\tQuotaSize: -1,\n\t\t\tQuotaFiles: -1,\n\t\t},\n\t\t{\n\t\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\t\tName: folder3,\n\t\t\t},\n\t\t\tVirtualPath: path.Join(\"/\", folder3),\n\t\t\tQuotaSize: -1,\n\t\t\tQuotaFiles: -1,\n\t\t},\n\t\t{\n\t\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\t\tName: folder4,\n\t\t\t},\n\t\t\tVirtualPath: path.Join(\"/\", folder4),\n\t\t\tQuotaSize: -1,\n\t\t\tQuotaFiles: -1,\n\t\t},\n\t\t{\n\t\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\t\tName: folder5,\n\t\t\t},\n\t\t\tVirtualPath: path.Join(\"/\", folder5),\n\t\t\tQuotaSize: -1,\n\t\t\tQuotaFiles: -1,\n\t\t},\n\t\t{\n\t\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\t\tName: folder6,\n\t\t\t},\n\t\t\tVirtualPath: path.Join(\"/\", folder6),\n\t\t\tQuotaSize: -1,\n\t\t\tQuotaFiles: -1,\n\t\t},\n\t\t{\n\t\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\t\tName: folder7,\n\t\t\t},\n\t\t\tVirtualPath: path.Join(\"/\", folder7),\n\t\t\tQuotaSize: -1,\n\t\t\tQuotaFiles: -1,\n\t\t},\n\t}\n\n\tuser, resp, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tsubDir := \"testSubDir\"\n\t\terr = client.Mkdir(subDir)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(subDir, \"afile.bin\"), 64, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(subDir, path.Join(\"/\", folder1, subDir))\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Stat(path.Join(\"/\", folder1, subDir))\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Stat(path.Join(\"/\", folder1, subDir, \"afile.bin\"))\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(path.Join(\"/\", folder1, subDir), path.Join(\"/\", folder2, subDir))\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Stat(path.Join(\"/\", folder2, subDir))\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Stat(path.Join(\"/\", folder2, subDir, \"afile.bin\"))\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(path.Join(\"/\", folder2, subDir), path.Join(\"/\", folder3, subDir))\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = writeSFTPFile(path.Join(\"/\", folder3, \"file.bin\"), 64, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(path.Join(\"/\", folder3, \"file.bin\"), \"/renamed.bin\")\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Rename(path.Join(\"/\", folder3, \"file.bin\"), path.Join(\"/\", folder2, \"/renamed.bin\"))\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Rename(path.Join(\"/\", folder3, \"file.bin\"), path.Join(\"/\", folder3, \"/renamed.bin\"))\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(\"/afile.bin\", 64, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(\"afile.bin\", path.Join(\"/\", folder4, \"afile_renamed.bin\"))\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = writeSFTPFile(path.Join(\"/\", folder4, \"afile.bin\"), 64, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(path.Join(\"/\", folder4, \"afile.bin\"), path.Join(\"/\", folder5, \"afile_renamed.bin\"))\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(path.Join(\"/\", folder5, \"afile_renamed.bin\"), path.Join(\"/\", folder6, \"afile_renamed.bin\"))\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = writeSFTPFile(path.Join(\"/\", folder4, \"afile.bin\"), 64, client)\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Stat(path.Join(\"/\", folder7, \"afile.bin\"))\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(path.Join(\"/\", folder4, \"afile.bin\"), path.Join(\"/\", folder7, \"afile.bin\"))\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(baseUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(baseUser.GetHomeDir())\n\tassert.NoError(t, err)\n\tfor _, folderName := range []string{folder1, folder2, folder3, folder4, folder5, folder6, folder7} {\n\t\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName}, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\terr = os.RemoveAll(filepath.Join(os.TempDir(), folderName))\n\t\tassert.NoError(t, err)\n\t}\n}\n\nfunc TestDirs(t *testing.T) {\n\tu := getTestUser()\n\tmappedPath := filepath.Join(os.TempDir(), \"vdir\")\n\tfolderName := filepath.Base(mappedPath)\n\tvdirPath := \"/path/vdir\"\n\tf := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: mappedPath,\n\t}\n\t_, _, err := httpdtest.AddFolder(f, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: vdirPath,\n\t})\n\tu.Permissions[\"/subdir\"] = []string{dataprovider.PermDownload, dataprovider.PermUpload,\n\t\tdataprovider.PermDelete, dataprovider.PermCreateDirs, dataprovider.PermRename, dataprovider.PermListItems}\n\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tinfo, err := client.ReadDir(\"/\")\n\t\tif assert.NoError(t, err) {\n\t\t\tif assert.Len(t, info, 1) {\n\t\t\t\tassert.Equal(t, \"path\", info[0].Name())\n\t\t\t}\n\t\t}\n\t\tfi, err := client.Stat(path.Dir(vdirPath))\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.True(t, fi.IsDir())\n\t\t}\n\t\terr = client.RemoveDirectory(\"/\")\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.RemoveDirectory(vdirPath)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.RemoveDirectory(path.Dir(vdirPath))\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_OP_UNSUPPORTED\")\n\t\t}\n\t\terr = client.Mkdir(vdirPath)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Mkdir(\"adir\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(\"/adir\", path.Dir(vdirPath))\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_OP_UNSUPPORTED\")\n\t\t}\n\t\terr = client.MkdirAll(\"/subdir/adir\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(\"adir\", \"subdir/adir\")\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_OP_UNSUPPORTED\")\n\t\t}\n\t\terr = writeSFTPFile(\"/subdir/afile.bin\", 64, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(\"/afile.bin\", 32, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(\"afile.bin\", \"subdir/afile.bin\")\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Rename(\"afile.bin\", \"subdir/afile1.bin\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(path.Dir(vdirPath), \"renamed_vdir\")\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_OP_UNSUPPORTED\")\n\t\t}\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestCryptFsStat(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getCryptFsUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFileSize := int64(4096)\n\t\terr = writeSFTPFile(testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tinfo, err := client.Stat(testFileName)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, testFileSize, info.Size())\n\t\t}\n\t\tinfo, err = os.Stat(filepath.Join(user.HomeDir, testFileName))\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Greater(t, info.Size(), testFileSize)\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestFsPermissionErrors(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tuser, _, err := httpdtest.AddUser(getCryptFsUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestDir := \"tDir\"\n\t\terr = client.Mkdir(testDir)\n\t\tassert.NoError(t, err)\n\t\terr = os.Chmod(user.GetHomeDir(), 0111)\n\t\tassert.NoError(t, err)\n\n\t\terr = client.RemoveDirectory(testDir)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Rename(testDir, testDir+\"1\")\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\n\t\terr = os.Chmod(user.GetHomeDir(), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestRenameErrorOutsideHomeDir(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\toldUploadMode := common.Config.UploadMode\n\toldTempPath := common.Config.TempPath\n\n\tcommon.Config.UploadMode = common.UploadModeAtomicWithResume\n\tcommon.Config.TempPath = filepath.Clean(os.TempDir())\n\tvfs.SetTempPath(common.Config.TempPath)\n\n\tu := getTestUser()\n\tu.QuotaFiles = 1000\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr = os.Chmod(user.GetHomeDir(), 0555)\n\t\tassert.NoError(t, err)\n\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t\tf, err := client.Create(testFileName)\n\t\tassert.NoError(t, err)\n\t\t_, err = f.Write(testFileContent)\n\t\tassert.NoError(t, err)\n\t\terr = f.Close()\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 0, user.UsedQuotaFiles)\n\t\tassert.Equal(t, int64(0), user.UsedQuotaSize)\n\n\t\terr = os.Chmod(user.GetHomeDir(), os.ModeDir)\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tcommon.Config.UploadMode = oldUploadMode\n\tcommon.Config.TempPath = oldTempPath\n\tvfs.SetTempPath(oldTempPath)\n}\n\nfunc TestResolvePathError(t *testing.T) {\n\tu := getTestUser()\n\tu.HomeDir = \"relative_path\"\n\tconn := common.NewBaseConnection(\"\", common.ProtocolFTP, \"\", \"\", u)\n\ttestPath := \"apath\"\n\t_, err := conn.ListDir(testPath)\n\tassert.Error(t, err)\n\terr = conn.CreateDir(testPath, true)\n\tassert.Error(t, err)\n\terr = conn.RemoveDir(testPath)\n\tassert.Error(t, err)\n\terr = conn.Rename(testPath, testPath+\"1\")\n\tassert.Error(t, err)\n\terr = conn.CreateSymlink(testPath, testPath+\".sym\")\n\tassert.Error(t, err)\n\t_, err = conn.DoStat(testPath, 0, false)\n\tassert.Error(t, err)\n\terr = conn.RemoveAll(testPath)\n\tassert.Error(t, err)\n\terr = conn.SetStat(testPath, &common.StatAttributes{\n\t\tAtime: time.Now(),\n\t\tMtime: time.Now(),\n\t})\n\tassert.Error(t, err)\n\n\tu = getTestUser()\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tMappedPath: \"relative_mapped_path\",\n\t\t},\n\t\tVirtualPath: \"/vpath\",\n\t})\n\terr = os.MkdirAll(u.HomeDir, os.ModePerm)\n\tassert.NoError(t, err)\n\tconn.User = u\n\terr = conn.Rename(testPath, \"/vpath/subpath\")\n\tassert.Error(t, err)\n\n\toutHomePath := filepath.Join(os.TempDir(), testFileName)\n\terr = os.WriteFile(outHomePath, testFileContent, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.Symlink(outHomePath, filepath.Join(u.HomeDir, testFileName+\".link\"))\n\tassert.NoError(t, err)\n\terr = os.WriteFile(filepath.Join(u.HomeDir, testFileName), testFileContent, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = conn.CreateSymlink(testFileName, testFileName+\".link\")\n\tassert.Error(t, err)\n\n\terr = os.RemoveAll(u.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.Remove(outHomePath)\n\tassert.NoError(t, err)\n}\n\nfunc TestUserPasswordHashing(t *testing.T) {\n\tif config.GetProviderConf().Driver == dataprovider.MemoryDataProviderName {\n\t\tt.Skip(\"this test is not supported with the memory provider\")\n\t}\n\tu := getTestUser()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\tproviderConf.PasswordHashing.Algo = dataprovider.HashingAlgoArgon2ID\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\tcurrentUser, err := dataprovider.UserExists(user.Username, \"\")\n\tassert.NoError(t, err)\n\tassert.True(t, strings.HasPrefix(currentUser.Password, \"$2a$\"))\n\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tu = getTestUser()\n\tuser, _, err = httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tcurrentUser, err = dataprovider.UserExists(user.Username, \"\")\n\tassert.NoError(t, err)\n\tassert.True(t, strings.HasPrefix(currentUser.Password, \"$argon2id$\"))\n\n\tconn, client, err = getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n}\n\nfunc TestAllowList(t *testing.T) {\n\tconfigCopy := common.Config\n\n\tentries := []dataprovider.IPListEntry{\n\t\t{\n\t\t\tIPOrNet: \"172.18.1.1/32\",\n\t\t\tType: dataprovider.IPListTypeAllowList,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t\tProtocols: 0,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"172.18.1.2/32\",\n\t\t\tType: dataprovider.IPListTypeAllowList,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t\tProtocols: 0,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"10.8.7.0/24\",\n\t\t\tType: dataprovider.IPListTypeAllowList,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t\tProtocols: 5,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"0.0.0.0/0\",\n\t\t\tType: dataprovider.IPListTypeAllowList,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t\tProtocols: 8,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"::/0\",\n\t\t\tType: dataprovider.IPListTypeAllowList,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t\tProtocols: 8,\n\t\t},\n\t}\n\n\tfor _, e := range entries {\n\t\t_, resp, err := httpdtest.AddIPListEntry(e, http.StatusCreated)\n\t\tassert.NoError(t, err, string(resp))\n\t}\n\n\tcommon.Config.AllowListStatus = 1\n\terr := common.Initialize(common.Config, 0)\n\tassert.NoError(t, err)\n\tassert.True(t, common.Config.IsAllowListEnabled())\n\n\ttestIP := \"172.18.1.1\"\n\tassert.NoError(t, common.Connections.IsNewConnectionAllowed(testIP, common.ProtocolFTP))\n\tentry := entries[0]\n\tentry.Protocols = 1\n\t_, _, err = httpdtest.UpdateIPListEntry(entry, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Error(t, common.Connections.IsNewConnectionAllowed(testIP, common.ProtocolFTP))\n\tassert.NoError(t, common.Connections.IsNewConnectionAllowed(testIP, common.ProtocolSSH))\n\t_, err = httpdtest.RemoveIPListEntry(entry, http.StatusOK)\n\tassert.NoError(t, err)\n\tentries = entries[1:]\n\tassert.Error(t, common.Connections.IsNewConnectionAllowed(testIP, common.ProtocolSSH))\n\tassert.Error(t, common.Connections.IsNewConnectionAllowed(\"172.18.1.3\", common.ProtocolSSH))\n\tassert.NoError(t, common.Connections.IsNewConnectionAllowed(\"172.18.1.3\", common.ProtocolHTTP))\n\n\tassert.NoError(t, common.Connections.IsNewConnectionAllowed(\"10.8.7.3\", common.ProtocolWebDAV))\n\tassert.NoError(t, common.Connections.IsNewConnectionAllowed(\"10.8.7.4\", common.ProtocolSSH))\n\tassert.Error(t, common.Connections.IsNewConnectionAllowed(\"10.8.7.4\", common.ProtocolFTP))\n\tassert.NoError(t, common.Connections.IsNewConnectionAllowed(\"10.8.7.4\", common.ProtocolHTTP))\n\tassert.NoError(t, common.Connections.IsNewConnectionAllowed(\"2001:0db8::1428:57ab\", common.ProtocolHTTP))\n\tassert.Error(t, common.Connections.IsNewConnectionAllowed(\"2001:0db8::1428:57ab\", common.ProtocolSSH))\n\tassert.Error(t, common.Connections.IsNewConnectionAllowed(\"10.8.8.2\", common.ProtocolWebDAV))\n\tassert.Error(t, common.Connections.IsNewConnectionAllowed(\"invalid IP\", common.ProtocolHTTP))\n\n\tcommon.Config = configCopy\n\terr = common.Initialize(common.Config, 0)\n\tassert.NoError(t, err)\n\tassert.False(t, common.Config.IsAllowListEnabled())\n\n\tfor _, e := range entries {\n\t\t_, err := httpdtest.RemoveIPListEntry(e, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t}\n}\n\nfunc TestDbDefenderErrors(t *testing.T) {\n\tif !isDbDefenderSupported() {\n\t\tt.Skip(\"this test is not supported with the current database provider\")\n\t}\n\tconfigCopy := common.Config\n\tcommon.Config.DefenderConfig.Enabled = true\n\tcommon.Config.DefenderConfig.Driver = common.DefenderDriverProvider\n\terr := common.Initialize(common.Config, 0)\n\tassert.NoError(t, err)\n\n\ttestIP := \"127.1.1.1\"\n\thosts, err := common.GetDefenderHosts()\n\tassert.NoError(t, err)\n\tassert.Len(t, hosts, 0)\n\tcommon.AddDefenderEvent(testIP, common.ProtocolSSH, common.HostEventLimitExceeded)\n\thosts, err = common.GetDefenderHosts()\n\tassert.NoError(t, err)\n\tassert.Len(t, hosts, 1)\n\tscore, err := common.GetDefenderScore(testIP)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 3, score)\n\tbanTime, err := common.GetDefenderBanTime(testIP)\n\tassert.NoError(t, err)\n\tassert.Nil(t, banTime)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\n\tcommon.AddDefenderEvent(testIP, common.ProtocolFTP, common.HostEventLimitExceeded)\n\t_, err = common.GetDefenderHosts()\n\tassert.Error(t, err)\n\t_, err = common.GetDefenderHost(testIP)\n\tassert.Error(t, err)\n\t_, err = common.GetDefenderBanTime(testIP)\n\tassert.Error(t, err)\n\t_, err = common.GetDefenderScore(testIP)\n\tassert.Error(t, err)\n\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\terr = dataprovider.CleanupDefender(util.GetTimeAsMsSinceEpoch(time.Now().Add(1 * time.Hour)))\n\tassert.NoError(t, err)\n\n\tcommon.Config = configCopy\n\terr = common.Initialize(common.Config, 0)\n\tassert.NoError(t, err)\n}\n\nfunc TestDelayedQuotaUpdater(t *testing.T) {\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\tproviderConf.DelayedQuotaUpdate = 120\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\tu := getTestUser()\n\tu.QuotaFiles = 100\n\tu.TotalDataTransfer = 2000\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\terr = dataprovider.UpdateUserQuota(&user, 10, 6000, false)\n\tassert.NoError(t, err)\n\terr = dataprovider.UpdateUserTransferQuota(&user, 100, 200, false)\n\tassert.NoError(t, err)\n\tfiles, size, ulSize, dlSize, err := dataprovider.GetUsedQuota(user.Username)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 10, files)\n\tassert.Equal(t, int64(6000), size)\n\tassert.Equal(t, int64(100), ulSize)\n\tassert.Equal(t, int64(200), dlSize)\n\n\tuserGet, err := dataprovider.UserExists(user.Username, \"\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, userGet.UsedQuotaFiles)\n\tassert.Equal(t, int64(0), userGet.UsedQuotaSize)\n\tassert.Equal(t, int64(0), userGet.UsedUploadDataTransfer)\n\tassert.Equal(t, int64(0), userGet.UsedDownloadDataTransfer)\n\n\terr = dataprovider.UpdateUserQuota(&user, 10, 6000, true)\n\tassert.NoError(t, err)\n\terr = dataprovider.UpdateUserTransferQuota(&user, 100, 200, true)\n\tassert.NoError(t, err)\n\tfiles, size, ulSize, dlSize, err = dataprovider.GetUsedQuota(user.Username)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 10, files)\n\tassert.Equal(t, int64(6000), size)\n\tassert.Equal(t, int64(100), ulSize)\n\tassert.Equal(t, int64(200), dlSize)\n\n\tuserGet, err = dataprovider.UserExists(user.Username, \"\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, 10, userGet.UsedQuotaFiles)\n\tassert.Equal(t, int64(6000), userGet.UsedQuotaSize)\n\tassert.Equal(t, int64(100), userGet.UsedUploadDataTransfer)\n\tassert.Equal(t, int64(200), userGet.UsedDownloadDataTransfer)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tfolder := vfs.BaseVirtualFolder{\n\t\tName: \"folder\",\n\t\tMappedPath: filepath.Join(os.TempDir(), \"p\"),\n\t}\n\terr = dataprovider.AddFolder(&folder, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\terr = dataprovider.UpdateVirtualFolderQuota(&folder, 10, 6000, false)\n\tassert.NoError(t, err)\n\tfiles, size, err = dataprovider.GetUsedVirtualFolderQuota(folder.Name)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 10, files)\n\tassert.Equal(t, int64(6000), size)\n\n\tfolderGet, err := dataprovider.GetFolderByName(folder.Name)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, folderGet.UsedQuotaFiles)\n\tassert.Equal(t, int64(0), folderGet.UsedQuotaSize)\n\n\terr = dataprovider.UpdateVirtualFolderQuota(&folder, 10, 6000, true)\n\tassert.NoError(t, err)\n\tfiles, size, err = dataprovider.GetUsedVirtualFolderQuota(folder.Name)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 10, files)\n\tassert.Equal(t, int64(6000), size)\n\n\tfolderGet, err = dataprovider.GetFolderByName(folder.Name)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 10, folderGet.UsedQuotaFiles)\n\tassert.Equal(t, int64(6000), folderGet.UsedQuotaSize)\n\n\terr = dataprovider.DeleteFolder(folder.Name, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n}\n\nfunc TestPasswordCaching(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tdbUser, err := dataprovider.UserExists(user.Username, \"\")\n\tassert.NoError(t, err)\n\tfound, match := dataprovider.CheckCachedUserPassword(user.Username, defaultPassword, dbUser.Password)\n\tassert.False(t, found)\n\tassert.False(t, match)\n\n\tuser.Password = \"wrong\"\n\t_, _, err = getSftpClient(user)\n\tassert.Error(t, err)\n\tfound, match = dataprovider.CheckCachedUserPassword(user.Username, defaultPassword, dbUser.Password)\n\tassert.False(t, found)\n\tassert.False(t, match)\n\tuser.Password = \"\"\n\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t}\n\tfound, match = dataprovider.CheckCachedUserPassword(user.Username, defaultPassword, dbUser.Password)\n\tassert.True(t, found)\n\tassert.True(t, match)\n\n\tfound, match = dataprovider.CheckCachedUserPassword(user.Username, defaultPassword+\"_\", dbUser.Password)\n\tassert.True(t, found)\n\tassert.False(t, match)\n\n\tfound, match = dataprovider.CheckCachedUserPassword(user.Username+\"_\", defaultPassword, dbUser.Password)\n\tassert.False(t, found)\n\tassert.False(t, match)\n\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\t// the password was not changed\n\tfound, match = dataprovider.CheckCachedUserPassword(user.Username, defaultPassword, dbUser.Password)\n\tassert.True(t, found)\n\tassert.True(t, match)\n\t// the password hash will change\n\tuser.Password = defaultPassword\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tdbUser, err = dataprovider.UserExists(user.Username, \"\")\n\tassert.NoError(t, err)\n\tfound, match = dataprovider.CheckCachedUserPassword(user.Username, defaultPassword, dbUser.Password)\n\tassert.False(t, found)\n\tassert.False(t, match)\n\n\tconn, client, err = getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t}\n\tfound, match = dataprovider.CheckCachedUserPassword(user.Username, defaultPassword, dbUser.Password)\n\tassert.True(t, found)\n\tassert.True(t, match)\n\t//change password\n\tnewPassword := defaultPassword + \"mod\"\n\tuser.Password = newPassword\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tdbUser, err = dataprovider.UserExists(user.Username, \"\")\n\tassert.NoError(t, err)\n\tfound, match = dataprovider.CheckCachedUserPassword(user.Username, newPassword, dbUser.Password)\n\tassert.False(t, found)\n\tassert.False(t, match)\n\n\tconn, client, err = getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t}\n\tfound, match = dataprovider.CheckCachedUserPassword(user.Username, defaultPassword, dbUser.Password)\n\tassert.True(t, found)\n\tassert.False(t, match)\n\tfound, match = dataprovider.CheckCachedUserPassword(user.Username, newPassword, dbUser.Password)\n\tassert.True(t, found)\n\tassert.True(t, match)\n\t// update the password\n\terr = dataprovider.UpdateUserPassword(user.Username, defaultPassword, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tdbUser, err = dataprovider.UserExists(user.Username, \"\")\n\tassert.NoError(t, err)\n\t// the stored hash does not match\n\tfound, match = dataprovider.CheckCachedUserPassword(user.Username, defaultPassword, dbUser.Password)\n\tassert.False(t, found)\n\tassert.False(t, match)\n\n\tuser.Password = defaultPassword\n\tconn, client, err = getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t}\n\tfound, match = dataprovider.CheckCachedUserPassword(user.Username, defaultPassword, dbUser.Password)\n\tassert.True(t, found)\n\tassert.True(t, match)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\tfound, match = dataprovider.CheckCachedUserPassword(user.Username, defaultPassword, dbUser.Password)\n\tassert.False(t, found)\n\tassert.False(t, match)\n}\n\nfunc TestEventRule(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 2525,\n\t\tFrom: \"notification@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr := smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"action1\",\n\t\tType: dataprovider.ActionTypeHTTP,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tHTTPConfig: dataprovider.EventActionHTTPConfig{\n\t\t\t\tEndpoint: \"http://localhost\",\n\t\t\t\tTimeout: 20,\n\t\t\t\tMethod: http.MethodGet,\n\t\t\t},\n\t\t},\n\t}\n\ta2 := dataprovider.BaseEventAction{\n\t\tName: \"action2\",\n\t\tType: dataprovider.ActionTypeBackup,\n\t}\n\ta3 := dataprovider.BaseEventAction{\n\t\tName: \"action3\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"test1@example.com\", \"test2@example.com\"},\n\t\t\t\tBcc: []string{\"test3@example.com\"},\n\t\t\t\tSubject: `New \"{{.Event}}\" from \"{{.Name}}\" status {{.StatusString}}`,\n\t\t\t\tBody: \"Fs path {{.FsPath}}, size: {{.FileSize}}, protocol: {{.Protocol}}, IP: {{.IP}} Data: {{.ObjectData}} {{.ErrorString}}\",\n\t\t\t},\n\t\t},\n\t}\n\ta4 := dataprovider.BaseEventAction{\n\t\tName: \"action4\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"failure@example.com\"},\n\t\t\t\tSubject: `Failed \"{{.Event}}\" from \"{{.Name}}\"`,\n\t\t\t\tBody: \"Fs path {{.FsPath}}, protocol: {{.Protocol}}, IP: {{.IP}} {{.ErrorString}}\",\n\t\t\t},\n\t\t},\n\t}\n\taction1, _, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err)\n\taction2, _, err := httpdtest.AddEventAction(a2, http.StatusCreated)\n\tassert.NoError(t, err)\n\taction3, _, err := httpdtest.AddEventAction(a3, http.StatusCreated)\n\tassert.NoError(t, err)\n\taction4, _, err := httpdtest.AddEventAction(a4, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tr1 := dataprovider.EventRule{\n\t\tName: \"test rule1\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"upload\"},\n\t\t\tOptions: dataprovider.ConditionOptions{\n\t\t\t\tEventStatuses: []int{1},\n\t\t\t\tFsPaths: []dataprovider.ConditionPattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tPattern: \"/subdir/*.dat\",\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tPattern: \"/**/*.txt\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tExecuteSync: true,\n\t\t\t\t\tStopOnFailure: true,\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action2.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 2,\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action3.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 3,\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action4.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 4,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tIsFailureAction: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\trule1, _, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tr2 := dataprovider.EventRule{\n\t\tName: \"test rule2\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"download\"},\n\t\t\tOptions: dataprovider.ConditionOptions{\n\t\t\t\tFsPaths: []dataprovider.ConditionPattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tPattern: \"/**/*.dat\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action3.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action4.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 2,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tIsFailureAction: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\trule2, _, err := httpdtest.AddEventRule(r2, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tr3 := dataprovider.EventRule{\n\t\tName: \"test rule3\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerProviderEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tProviderEvents: []string{\"delete\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action3.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t},\n\t}\n\trule3, _, err := httpdtest.AddEventRule(r3, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tuploadScriptPath := filepath.Join(os.TempDir(), \"upload.sh\")\n\tu := getTestUser()\n\tu.DownloadDataTransfer = 1\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tmovedFileName := \"moved.dat\"\n\tmovedPath := filepath.Join(user.HomeDir, movedFileName)\n\terr = os.WriteFile(uploadScriptPath, getUploadScriptContent(movedPath, \"\", 0), 0755)\n\tassert.NoError(t, err)\n\n\tdataprovider.EnabledActionCommands = []string{uploadScriptPath}\n\tdefer func() {\n\t\tdataprovider.EnabledActionCommands = nil\n\t}()\n\n\taction1.Type = dataprovider.ActionTypeCommand\n\taction1.Options = dataprovider.BaseEventActionOptions{\n\t\tCmdConfig: dataprovider.EventActionCommandConfig{\n\t\t\tCmd: uploadScriptPath,\n\t\t\tTimeout: 10,\n\t\t\tEnvVars: []dataprovider.KeyValue{\n\t\t\t\t{\n\t\t\t\t\tKey: \"SFTPGO_ACTION_PATH\",\n\t\t\t\t\tValue: \"{{.FsPath}}\",\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tKey: \"CUSTOM_ENV_VAR\",\n\t\t\t\t\tValue: \"value\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\taction1, _, err = httpdtest.UpdateEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tdirName := \"subdir\"\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tsize := int64(32768)\n\t\t// rule conditions does not match\n\t\terr = writeSFTPFileNoCheck(testFileName, size, client)\n\t\tassert.NoError(t, err)\n\t\tinfo, err := client.Stat(testFileName)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, size, info.Size())\n\t\t}\n\t\terr = client.Mkdir(dirName)\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(\"subdir1\")\n\t\tassert.NoError(t, err)\n\t\t// rule conditions match\n\t\tlastReceivedEmail.reset()\n\t\terr = writeSFTPFileNoCheck(path.Join(dirName, testFileName), size, client)\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Stat(path.Join(dirName, testFileName))\n\t\tassert.Error(t, err)\n\t\tinfo, err = client.Stat(movedFileName)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, size, info.Size())\n\t\t}\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn lastReceivedEmail.get().From != \"\"\n\t\t}, 3000*time.Millisecond, 100*time.Millisecond)\n\t\temail := lastReceivedEmail.get()\n\t\tassert.Len(t, email.To, 3)\n\t\tassert.True(t, slices.Contains(email.To, \"test1@example.com\"))\n\t\tassert.True(t, slices.Contains(email.To, \"test2@example.com\"))\n\t\tassert.True(t, slices.Contains(email.To, \"test3@example.com\"))\n\t\tassert.Contains(t, email.Data, fmt.Sprintf(`Subject: New \"upload\" from \"%s\" status OK`, user.Username))\n\t\t// test the failure action, we download a file that exceeds the transfer quota limit\n\t\terr = writeSFTPFileNoCheck(path.Join(\"subdir1\", testFileName), 1*1024*1024+65535, client)\n\t\tassert.NoError(t, err)\n\t\tlastReceivedEmail.reset()\n\t\tf, err := client.Open(path.Join(\"subdir1\", testFileName))\n\t\tassert.NoError(t, err)\n\t\t_, err = io.ReadAll(f)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), common.ErrReadQuotaExceeded.Error())\n\t\t}\n\t\terr = f.Close()\n\t\tassert.Error(t, err)\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn lastReceivedEmail.get().From != \"\"\n\t\t}, 3000*time.Millisecond, 100*time.Millisecond)\n\t\temail = lastReceivedEmail.get()\n\t\tassert.Len(t, email.To, 3)\n\t\tassert.True(t, slices.Contains(email.To, \"test1@example.com\"))\n\t\tassert.True(t, slices.Contains(email.To, \"test2@example.com\"))\n\t\tassert.True(t, slices.Contains(email.To, \"test3@example.com\"))\n\t\tassert.Contains(t, email.Data, fmt.Sprintf(`Subject: New \"download\" from \"%s\" status KO`, user.Username))\n\t\tassert.Contains(t, email.Data, `\"download\" failed`)\n\t\tassert.Contains(t, email.Data, common.ErrReadQuotaExceeded.Error())\n\t\t_, err = httpdtest.UpdateTransferQuotaUsage(user, \"\", http.StatusOK)\n\t\tassert.NoError(t, err)\n\n\t\t// remove the upload script to test the failure action\n\t\terr = os.Remove(uploadScriptPath)\n\t\tassert.NoError(t, err)\n\t\tlastReceivedEmail.reset()\n\t\terr = writeSFTPFileNoCheck(path.Join(dirName, testFileName), size, client)\n\t\tassert.Error(t, err)\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn lastReceivedEmail.get().From != \"\"\n\t\t}, 3000*time.Millisecond, 100*time.Millisecond)\n\t\temail = lastReceivedEmail.get()\n\t\tassert.Len(t, email.To, 1)\n\t\tassert.True(t, slices.Contains(email.To, \"failure@example.com\"))\n\t\tassert.Contains(t, email.Data, fmt.Sprintf(`Subject: Failed \"upload\" from \"%s\"`, user.Username))\n\t\tassert.Contains(t, email.Data, fmt.Sprintf(`action %q failed`, action1.Name))\n\t\t// now test the download rule\n\t\tlastReceivedEmail.reset()\n\t\tf, err = client.Open(movedFileName)\n\t\tassert.NoError(t, err)\n\t\tcontents, err := io.ReadAll(f)\n\t\tassert.NoError(t, err)\n\t\terr = f.Close()\n\t\tassert.NoError(t, err)\n\t\tassert.Len(t, contents, int(size))\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn lastReceivedEmail.get().From != \"\"\n\t\t}, 3000*time.Millisecond, 100*time.Millisecond)\n\t\temail = lastReceivedEmail.get()\n\t\tassert.Len(t, email.To, 3)\n\t\tassert.True(t, slices.Contains(email.To, \"test1@example.com\"))\n\t\tassert.True(t, slices.Contains(email.To, \"test2@example.com\"))\n\t\tassert.True(t, slices.Contains(email.To, \"test3@example.com\"))\n\t\tassert.Contains(t, email.Data, fmt.Sprintf(`Subject: New \"download\" from \"%s\"`, user.Username))\n\t}\n\t// test upload action command with arguments\n\taction1.Options.CmdConfig.Args = []string{\"{{.Event}}\", \"{{.VirtualPath}}\", \"custom_arg\"}\n\taction1, _, err = httpdtest.UpdateEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\tuploadLogFilePath := filepath.Join(os.TempDir(), \"upload.log\")\n\terr = os.WriteFile(uploadScriptPath, getUploadScriptContent(movedPath, uploadLogFilePath, 0), 0755)\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr = writeSFTPFileNoCheck(path.Join(dirName, testFileName), 123, client)\n\t\tassert.NoError(t, err)\n\n\t\tlogContent, err := os.ReadFile(uploadLogFilePath)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, fmt.Sprintf(\"upload %s custom_arg\", util.CleanPath(path.Join(dirName, testFileName))),\n\t\t\tstrings.TrimSpace(string(logContent)))\n\n\t\terr = os.Remove(uploadLogFilePath)\n\t\tassert.NoError(t, err)\n\t\tlastReceivedEmail.reset()\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn lastReceivedEmail.get().From != \"\"\n\t\t}, 3000*time.Millisecond, 100*time.Millisecond)\n\t}\n\n\tlastReceivedEmail.reset()\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventRule(rule2, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool {\n\t\treturn lastReceivedEmail.get().From != \"\"\n\t}, 3000*time.Millisecond, 100*time.Millisecond)\n\temail := lastReceivedEmail.get()\n\tassert.Len(t, email.To, 3)\n\tassert.True(t, slices.Contains(email.To, \"test1@example.com\"))\n\tassert.True(t, slices.Contains(email.To, \"test2@example.com\"))\n\tassert.True(t, slices.Contains(email.To, \"test3@example.com\"))\n\tassert.Contains(t, email.Data, `Subject: New \"delete\" from \"admin\"`)\n\t_, err = httpdtest.RemoveEventRule(rule3, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action3, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action4, http.StatusOK)\n\tassert.NoError(t, err)\n\tlastReceivedEmail.reset()\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n}\n\nfunc TestEventRuleStatues(t *testing.T) {\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 2525,\n\t\tFrom: \"notification@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr := smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"a1\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"test6@example.com\"},\n\t\t\t\tSubject: `New \"{{.Event}}\" error`,\n\t\t\t\tBody: \"{{.ErrorString}}\",\n\t\t\t},\n\t\t},\n\t}\n\taction1, _, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tr := dataprovider.EventRule{\n\t\tName: \"rule\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"upload\"},\n\t\t\tOptions: dataprovider.ConditionOptions{\n\t\t\t\tEventStatuses: []int{3},\n\t\t\t},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t},\n\t}\n\trule, resp, err := httpdtest.AddEventRule(r, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\n\tu := getTestUser()\n\tu.UploadDataTransfer = 1\n\tu.DownloadDataTransfer = 1\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\ttestFileSize := int64(999999)\n\t\terr = writeSFTPFile(testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tf, err := client.Open(testFileName)\n\t\tassert.NoError(t, err)\n\t\tcontents := make([]byte, testFileSize)\n\t\tn, err := io.ReadFull(f, contents)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int(testFileSize), n)\n\t\tassert.Len(t, contents, int(testFileSize))\n\t\terr = f.Close()\n\t\tassert.NoError(t, err)\n\n\t\tlastReceivedEmail.reset()\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn lastReceivedEmail.get().From == \"\"\n\t\t}, 600*time.Millisecond, 500*time.Millisecond)\n\n\t\terr = writeSFTPFile(testFileName, testFileSize, client)\n\t\tassert.Error(t, err)\n\t\tlastReceivedEmail.reset()\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn lastReceivedEmail.get().From != \"\"\n\t\t}, 3000*time.Millisecond, 100*time.Millisecond)\n\t\temail := lastReceivedEmail.get()\n\t\tassert.Len(t, email.To, 1)\n\t\tassert.True(t, slices.Contains(email.To, \"test6@example.com\"))\n\t\tassert.Contains(t, email.Data, `Subject: New \"upload\" error`)\n\t\tassert.Contains(t, email.Data, common.ErrQuotaExceeded.Error())\n\t}\n\n\t_, err = httpdtest.RemoveEventRule(rule, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n}\n\nfunc TestEventRuleDisabledCommand(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 2525,\n\t\tFrom: \"notification@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr := smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\tsaveObjectScriptPath := filepath.Join(os.TempDir(), \"provider.sh\")\n\toutPath := filepath.Join(os.TempDir(), \"provider_out.json\")\n\terr = os.WriteFile(saveObjectScriptPath, getSaveProviderObjectScriptContent(outPath, 0), 0755)\n\tassert.NoError(t, err)\n\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"a1\",\n\t\tType: dataprovider.ActionTypeCommand,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tCmdConfig: dataprovider.EventActionCommandConfig{\n\t\t\t\tCmd: saveObjectScriptPath,\n\t\t\t\tTimeout: 10,\n\t\t\t\tEnvVars: []dataprovider.KeyValue{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"SFTPGO_OBJECT_DATA\",\n\t\t\t\t\t\tValue: \"{{.ObjectData}}\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\ta2 := dataprovider.BaseEventAction{\n\t\tName: \"a2\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"test3@example.com\"},\n\t\t\t\tSubject: `New \"{{.Event}}\" from \"{{.Name}}\"`,\n\t\t\t\tBody: \"Object name: {{.ObjectName}} object type: {{.ObjectType}} Data: {{.ObjectData}}\",\n\t\t\t},\n\t\t},\n\t}\n\n\ta3 := dataprovider.BaseEventAction{\n\t\tName: \"a3\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"failure@example.com\"},\n\t\t\t\tSubject: `Failed \"{{.Event}}\" from \"{{.Name}}\"`,\n\t\t\t\tBody: \"Object name: {{.ObjectName}} object type: {{.ObjectType}}, IP: {{.IP}}\",\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err = httpdtest.AddEventAction(a1, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\t// Enable the command to allow saving\n\tdataprovider.EnabledActionCommands = []string{a1.Options.CmdConfig.Cmd}\n\taction1, _, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err)\n\taction2, _, err := httpdtest.AddEventAction(a2, http.StatusCreated)\n\tassert.NoError(t, err)\n\taction3, _, err := httpdtest.AddEventAction(a3, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tr := dataprovider.EventRule{\n\t\tName: \"rule\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerProviderEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tProviderEvents: []string{\"add\"},\n\t\t\tOptions: dataprovider.ConditionOptions{\n\t\t\t\tProviderObjects: []string{\"folder\"},\n\t\t\t},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tStopOnFailure: true,\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action2.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 2,\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action3.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 3,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tIsFailureAction: true,\n\t\t\t\t\tStopOnFailure: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\trule, _, err := httpdtest.AddEventRule(r, http.StatusCreated)\n\tassert.NoError(t, err)\n\t// restrict command execution\n\tdataprovider.EnabledActionCommands = nil\n\n\tlastReceivedEmail.reset()\n\t// create a folder to trigger the rule\n\tfolder := vfs.BaseVirtualFolder{\n\t\tName: \"ftest failed command\",\n\t\tMappedPath: filepath.Join(os.TempDir(), \"p\"),\n\t}\n\tfolder, _, err = httpdtest.AddFolder(folder, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tassert.NoFileExists(t, outPath)\n\tassert.Eventually(t, func() bool {\n\t\treturn lastReceivedEmail.get().From != \"\"\n\t}, 3000*time.Millisecond, 100*time.Millisecond)\n\temail := lastReceivedEmail.get()\n\tassert.Len(t, email.To, 1)\n\tassert.True(t, slices.Contains(email.To, \"failure@example.com\"))\n\tassert.Contains(t, email.Data, `Subject: Failed \"add\" from \"admin\"`)\n\tassert.Contains(t, email.Data, fmt.Sprintf(\"Object name: %s object type: folder\", folder.Name))\n\tlastReceivedEmail.reset()\n\n\t_, err = httpdtest.RemoveFolder(folder, http.StatusOK)\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveEventRule(rule, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action3, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestEventRuleProviderEvents(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 2525,\n\t\tFrom: \"notification@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr := smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\tsaveObjectScriptPath := filepath.Join(os.TempDir(), \"provider.sh\")\n\toutPath := filepath.Join(os.TempDir(), \"provider_out.json\")\n\terr = os.WriteFile(saveObjectScriptPath, getSaveProviderObjectScriptContent(outPath, 0), 0755)\n\tassert.NoError(t, err)\n\n\tdataprovider.EnabledActionCommands = []string{saveObjectScriptPath}\n\tdefer func() {\n\t\tdataprovider.EnabledActionCommands = nil\n\t}()\n\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"a1\",\n\t\tType: dataprovider.ActionTypeCommand,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tCmdConfig: dataprovider.EventActionCommandConfig{\n\t\t\t\tCmd: saveObjectScriptPath,\n\t\t\t\tTimeout: 10,\n\t\t\t\tEnvVars: []dataprovider.KeyValue{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"SFTPGO_OBJECT_DATA\",\n\t\t\t\t\t\tValue: \"{{.ObjectData}}\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\ta2 := dataprovider.BaseEventAction{\n\t\tName: \"a2\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"test3@example.com\"},\n\t\t\t\tSubject: `New \"{{.Event}}\" from \"{{.Name}}\"`,\n\t\t\t\tBody: \"Object name: {{.ObjectName}} object type: {{.ObjectType}} Data: {{.ObjectData}}\",\n\t\t\t},\n\t\t},\n\t}\n\n\ta3 := dataprovider.BaseEventAction{\n\t\tName: \"a3\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"failure@example.com\"},\n\t\t\t\tSubject: `Failed \"{{.Event}}\" from \"{{.Name}}\"`,\n\t\t\t\tBody: \"Object name: {{.ObjectName}} object type: {{.ObjectType}}, IP: {{.IP}}\",\n\t\t\t},\n\t\t},\n\t}\n\taction1, _, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err)\n\taction2, _, err := httpdtest.AddEventAction(a2, http.StatusCreated)\n\tassert.NoError(t, err)\n\taction3, _, err := httpdtest.AddEventAction(a3, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tr := dataprovider.EventRule{\n\t\tName: \"rule\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerProviderEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tProviderEvents: []string{\"update\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tStopOnFailure: true,\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action2.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 2,\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action3.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 3,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tIsFailureAction: true,\n\t\t\t\t\tStopOnFailure: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\trule, _, err := httpdtest.AddEventRule(r, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tlastReceivedEmail.reset()\n\t// create and update a folder to trigger the rule\n\tfolder := vfs.BaseVirtualFolder{\n\t\tName: \"ftest rule\",\n\t\tMappedPath: filepath.Join(os.TempDir(), \"p\"),\n\t}\n\tfolder, _, err = httpdtest.AddFolder(folder, http.StatusCreated)\n\tassert.NoError(t, err)\n\t// no action is triggered on add\n\tassert.NoFileExists(t, outPath)\n\t// update the folder\n\t_, _, err = httpdtest.UpdateFolder(folder, http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Eventually(t, func() bool {\n\t\t_, err := os.Stat(outPath)\n\t\treturn err == nil\n\t}, 2*time.Second, 100*time.Millisecond) {\n\t\tcontent, err := os.ReadFile(outPath)\n\t\tassert.NoError(t, err)\n\t\tvar folderGet vfs.BaseVirtualFolder\n\t\terr = json.Unmarshal(content, &folderGet)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, folder, folderGet)\n\t\terr = os.Remove(outPath)\n\t\tassert.NoError(t, err)\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn lastReceivedEmail.get().From != \"\"\n\t\t}, 3000*time.Millisecond, 100*time.Millisecond)\n\t\temail := lastReceivedEmail.get()\n\t\tassert.Len(t, email.To, 1)\n\t\tassert.True(t, slices.Contains(email.To, \"test3@example.com\"))\n\t\tassert.Contains(t, email.Data, `Subject: New \"update\" from \"admin\"`)\n\t}\n\t// now delete the script to generate an error\n\tlastReceivedEmail.reset()\n\terr = os.Remove(saveObjectScriptPath)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.UpdateFolder(folder, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.NoFileExists(t, outPath)\n\tassert.Eventually(t, func() bool {\n\t\treturn lastReceivedEmail.get().From != \"\"\n\t}, 3000*time.Millisecond, 100*time.Millisecond)\n\temail := lastReceivedEmail.get()\n\tassert.Len(t, email.To, 1)\n\tassert.True(t, slices.Contains(email.To, \"failure@example.com\"))\n\tassert.Contains(t, email.Data, `Subject: Failed \"update\" from \"admin\"`)\n\tassert.Contains(t, email.Data, fmt.Sprintf(\"Object name: %s object type: folder\", folder.Name))\n\tlastReceivedEmail.reset()\n\t// generate an error for the failure action\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\t_, _, err = httpdtest.UpdateFolder(folder, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.NoFileExists(t, outPath)\n\temail = lastReceivedEmail.get()\n\tassert.Len(t, email.To, 0)\n\n\t_, err = httpdtest.RemoveFolder(folder, http.StatusOK)\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveEventRule(rule, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action3, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestEventRuleFsActions(t *testing.T) {\n\tdirsToCreate := []string{\n\t\t\"/basedir/1\",\n\t\t\"/basedir/sub/2\",\n\t\t\"/basedir/3\",\n\t}\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"a1\",\n\t\tType: dataprovider.ActionTypeFilesystem,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tFsConfig: dataprovider.EventActionFilesystemConfig{\n\t\t\t\tType: dataprovider.FilesystemActionMkdirs,\n\t\t\t\tMkDirs: dirsToCreate,\n\t\t\t},\n\t\t},\n\t}\n\ta2 := dataprovider.BaseEventAction{\n\t\tName: \"a2\",\n\t\tType: dataprovider.ActionTypeFilesystem,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tFsConfig: dataprovider.EventActionFilesystemConfig{\n\t\t\t\tType: dataprovider.FilesystemActionRename,\n\t\t\t\tRenames: []dataprovider.RenameConfig{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyValue: dataprovider.KeyValue{\n\t\t\t\t\t\t\tKey: \"/{{.VirtualDirPath}}/{{.ObjectName}}\",\n\t\t\t\t\t\t\tValue: \"/{{.ObjectName}}_renamed\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\ta3 := dataprovider.BaseEventAction{\n\t\tName: \"a3\",\n\t\tType: dataprovider.ActionTypeFilesystem,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tFsConfig: dataprovider.EventActionFilesystemConfig{\n\t\t\t\tType: dataprovider.FilesystemActionDelete,\n\t\t\t\tDeletes: []string{\"/{{.ObjectName}}_renamed\"},\n\t\t\t},\n\t\t},\n\t}\n\ta4 := dataprovider.BaseEventAction{\n\t\tName: \"a4\",\n\t\tType: dataprovider.ActionTypeFolderQuotaReset,\n\t}\n\ta5 := dataprovider.BaseEventAction{\n\t\tName: \"a5\",\n\t\tType: dataprovider.ActionTypeUserQuotaReset,\n\t}\n\ta6 := dataprovider.BaseEventAction{\n\t\tName: \"a6\",\n\t\tType: dataprovider.ActionTypeFilesystem,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tFsConfig: dataprovider.EventActionFilesystemConfig{\n\t\t\t\tType: dataprovider.FilesystemActionExist,\n\t\t\t\tExist: []string{\"/{{.VirtualPath}}\"},\n\t\t\t},\n\t\t},\n\t}\n\taction1, resp, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\taction2, resp, err := httpdtest.AddEventAction(a2, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\taction3, resp, err := httpdtest.AddEventAction(a3, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\taction4, resp, err := httpdtest.AddEventAction(a4, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\taction5, resp, err := httpdtest.AddEventAction(a5, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\taction6, resp, err := httpdtest.AddEventAction(a6, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\n\tr1 := dataprovider.EventRule{\n\t\tName: \"r1\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerProviderEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tProviderEvents: []string{\"add\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t},\n\t}\n\tr2 := dataprovider.EventRule{\n\t\tName: \"r2\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"upload\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action2.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tExecuteSync: true,\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action5.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 2,\n\t\t\t},\n\t\t},\n\t}\n\tr3 := dataprovider.EventRule{\n\t\tName: \"r3\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"mkdir\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action3.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action6.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 2,\n\t\t\t},\n\t\t},\n\t}\n\tr4 := dataprovider.EventRule{\n\t\tName: \"r4\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"rmdir\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action4.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t},\n\t}\n\tr5 := dataprovider.EventRule{\n\t\tName: \"r5\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerProviderEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tProviderEvents: []string{\"add\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action4.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t},\n\t}\n\trule1, _, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err)\n\trule2, _, err := httpdtest.AddEventRule(r2, http.StatusCreated)\n\tassert.NoError(t, err)\n\trule3, _, err := httpdtest.AddEventRule(r3, http.StatusCreated)\n\tassert.NoError(t, err)\n\trule4, _, err := httpdtest.AddEventRule(r4, http.StatusCreated)\n\tassert.NoError(t, err)\n\trule5, _, err := httpdtest.AddEventRule(r5, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tfolderMappedPath := filepath.Join(os.TempDir(), \"folder\")\n\terr = os.MkdirAll(folderMappedPath, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(filepath.Join(folderMappedPath, \"file.txt\"), []byte(\"1\"), 0666)\n\tassert.NoError(t, err)\n\n\tfolder, _, err := httpdtest.AddFolder(vfs.BaseVirtualFolder{\n\t\tName: \"test folder\",\n\t\tMappedPath: folderMappedPath,\n\t}, http.StatusCreated)\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool {\n\t\tfolderGet, _, err := httpdtest.GetFolderByName(folder.Name, http.StatusOK)\n\t\tif err != nil {\n\t\t\treturn false\n\t\t}\n\t\treturn folderGet.UsedQuotaFiles == 1 && folderGet.UsedQuotaSize == 1\n\t}, 2*time.Second, 100*time.Millisecond)\n\n\tu := getTestUser()\n\tu.Filters.DisableFsChecks = true\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\t// check initial directories creation\n\t\tfor _, dir := range dirsToCreate {\n\t\t\tassert.Eventually(t, func() bool {\n\t\t\t\t_, err := client.Stat(dir)\n\t\t\t\treturn err == nil\n\t\t\t}, 2*time.Second, 100*time.Millisecond)\n\t\t}\n\t\t// upload a file and check the sync rename\n\t\tsize := int64(32768)\n\t\terr = writeSFTPFileNoCheck(path.Join(\"basedir\", testFileName), size, client)\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Stat(path.Join(\"basedir\", testFileName))\n\t\tassert.Error(t, err)\n\t\tinfo, err := client.Stat(testFileName + \"_renamed\") //nolint:goconst\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, size, info.Size())\n\t\t}\n\t\tassert.NoError(t, err)\n\t\tassert.Eventually(t, func() bool {\n\t\t\tuserGet, _, err := httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tif err != nil {\n\t\t\t\treturn false\n\t\t\t}\n\t\t\treturn userGet.UsedQuotaFiles == 1 && userGet.UsedQuotaSize == size\n\t\t}, 2*time.Second, 100*time.Millisecond)\n\n\t\tfor i := 0; i < 2; i++ {\n\t\t\terr = client.Mkdir(testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Eventually(t, func() bool {\n\t\t\t\t_, err = client.Stat(testFileName + \"_renamed\")\n\t\t\t\treturn err != nil\n\t\t\t}, 2*time.Second, 100*time.Millisecond)\n\t\t\terr = client.RemoveDirectory(testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t\terr = client.Mkdir(testFileName + \"_renamed\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(testFileName)\n\t\tassert.NoError(t, err)\n\t\tassert.Eventually(t, func() bool {\n\t\t\t_, err = client.Stat(testFileName + \"_renamed\")\n\t\t\treturn err != nil\n\t\t}, 2*time.Second, 100*time.Millisecond)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(folder, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(folderMappedPath)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventRule(rule2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventRule(rule3, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventRule(rule4, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventRule(rule5, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action3, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action4, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action5, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action6, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestEventActionObjectBaseName(t *testing.T) {\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"a1\",\n\t\tType: dataprovider.ActionTypeFilesystem,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tFsConfig: dataprovider.EventActionFilesystemConfig{\n\t\t\t\tType: dataprovider.FilesystemActionRename,\n\t\t\t\tRenames: []dataprovider.RenameConfig{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyValue: dataprovider.KeyValue{\n\t\t\t\t\t\t\tKey: \"/{{.VirtualDirPath}}/{{.ObjectName}}\",\n\t\t\t\t\t\t\tValue: \"/{{.ObjectBaseName}}\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\taction1, resp, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\n\tr1 := dataprovider.EventRule{\n\t\tName: \"r2\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"upload\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tExecuteSync: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\trule1, _, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\ttestDir := \"test dir name\"\n\t\terr = client.Mkdir(testDir)\n\t\tfileSize := int64(32768)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFileNoCheck(path.Join(testDir, testFileName), fileSize, client)\n\t\tassert.NoError(t, err)\n\n\t\t_, err = client.Stat(path.Join(testDir, testFileName))\n\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\n\t\t_, err = client.Stat(strings.TrimSuffix(testFileName, path.Ext(testFileName)))\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestUploadEventRule(t *testing.T) {\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 2525,\n\t\tFrom: \"notification@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr := smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"action1\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"test1@example.com\"},\n\t\t\t\tSubject: `New \"{{.Event}}\" from \"{{.Name}}\" status {{.StatusString}}`,\n\t\t\t\tBody: \"Fs path {{.FsPath}}, size: {{.FileSize}}, protocol: {{.Protocol}}, IP: {{.IP}} Data: {{.ObjectData}} {{.ErrorString}}\",\n\t\t\t},\n\t\t},\n\t}\n\taction1, _, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tr1 := dataprovider.EventRule{\n\t\tName: \"test rule1\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"upload\"},\n\t\t\tOptions: dataprovider.ConditionOptions{\n\t\t\t\tFsPaths: []dataprovider.ConditionPattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tPattern: \"/**/*.filepart\",\n\t\t\t\t\t\tInverseMatch: true,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tExecuteSync: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\trule1, _, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tlastReceivedEmail.reset()\n\t\terr = writeSFTPFileNoCheck(\"/test.filepart\", 32768, client)\n\t\tassert.NoError(t, err)\n\t\temail := lastReceivedEmail.get()\n\t\tassert.Empty(t, email.From)\n\n\t\tlastReceivedEmail.reset()\n\t\terr = writeSFTPFileNoCheck(testFileName, 32768, client)\n\t\tassert.NoError(t, err)\n\t\temail = lastReceivedEmail.get()\n\t\tassert.Len(t, email.To, 1)\n\t\tassert.Contains(t, email.Data, `Subject: New \"upload\"`)\n\t}\n\n\tr2 := dataprovider.EventRule{\n\t\tName: \"test rule2\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"rename\"},\n\t\t\tOptions: dataprovider.ConditionOptions{\n\t\t\t\tFsPaths: []dataprovider.ConditionPattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tPattern: \"/**/*.filepart\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t},\n\t}\n\trule2, _, err := httpdtest.AddEventRule(r2, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tconn, client, err = getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\ttempName := \"file.filepart\"\n\t\tlastReceivedEmail.reset()\n\t\terr = writeSFTPFileNoCheck(tempName, 32768, client)\n\t\tassert.NoError(t, err)\n\t\temail := lastReceivedEmail.get()\n\t\tassert.Empty(t, email.From)\n\n\t\tlastReceivedEmail.reset()\n\t\terr = client.Rename(tempName, testFileName)\n\t\tassert.NoError(t, err)\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn lastReceivedEmail.get().From != \"\"\n\t\t}, 3000*time.Millisecond, 100*time.Millisecond)\n\t\temail = lastReceivedEmail.get()\n\t\tassert.Len(t, email.To, 1)\n\t\tassert.Contains(t, email.Data, `Subject: New \"rename\"`)\n\t}\n\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventRule(rule2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n}\n\nfunc TestEventRulePreDelete(t *testing.T) {\n\tmovePath := \"recycle bin\"\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"a1\",\n\t\tType: dataprovider.ActionTypeFilesystem,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tFsConfig: dataprovider.EventActionFilesystemConfig{\n\t\t\t\tType: dataprovider.FilesystemActionRename,\n\t\t\t\tRenames: []dataprovider.RenameConfig{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyValue: dataprovider.KeyValue{\n\t\t\t\t\t\t\tKey: \"/{{.VirtualPath}}\",\n\t\t\t\t\t\t\tValue: fmt.Sprintf(\"/%s/{{.VirtualPath}}\", movePath),\n\t\t\t\t\t\t},\n\t\t\t\t\t\tUpdateModTime: true,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\taction1, resp, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tr1 := dataprovider.EventRule{\n\t\tName: \"rule1\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"pre-delete\"},\n\t\t\tOptions: dataprovider.ConditionOptions{\n\t\t\t\tFsPaths: []dataprovider.ConditionPattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tPattern: fmt.Sprintf(\"/%s/**\", movePath),\n\t\t\t\t\t\tInverseMatch: true,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tExecuteSync: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\trule1, _, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf := vfs.BaseVirtualFolder{\n\t\tName: movePath,\n\t\tMappedPath: filepath.Join(os.TempDir(), movePath),\n\t}\n\t_, _, err = httpdtest.AddFolder(f, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu := getTestUser()\n\tu.QuotaFiles = 1000\n\tu.VirtualFolders = []vfs.VirtualFolder{\n\t\t{\n\t\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\t\tName: movePath,\n\t\t\t},\n\t\t\tVirtualPath: \"/\" + movePath,\n\t\t\tQuotaFiles: 1000,\n\t\t},\n\t}\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser()\n\tu.QuotaFiles = 1000\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\tconn, client, err := getSftpClient(user)\n\t\tif assert.NoError(t, err) {\n\t\t\tdefer conn.Close()\n\t\t\tdefer client.Close()\n\n\t\t\ttestDir := \"sub dir\"\n\t\t\terr = client.MkdirAll(testDir)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = writeSFTPFile(testFileName, 100, client)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = writeSFTPFile(path.Join(testDir, testFileName), 100, client)\n\t\t\tassert.NoError(t, err)\n\t\t\tmodTime := time.Now().Add(-36 * time.Hour)\n\t\t\terr = client.Chtimes(testFileName, modTime, modTime)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.Remove(testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.Remove(path.Join(testDir, testFileName))\n\t\t\tassert.NoError(t, err)\n\t\t\t// check files\n\t\t\t_, err = client.Stat(testFileName)\n\t\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t\t\t_, err = client.Stat(path.Join(testDir, testFileName))\n\t\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t\t\tinfo, err := client.Stat(path.Join(\"/\", movePath, testFileName))\n\t\t\tassert.NoError(t, err)\n\t\t\tdiff := math.Abs(time.Until(info.ModTime()).Seconds())\n\t\t\tassert.LessOrEqual(t, diff, float64(2))\n\n\t\t\t_, err = client.Stat(path.Join(\"/\", movePath, testDir, testFileName))\n\t\t\tassert.NoError(t, err)\n\t\t\t// check quota\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tif user.Username == localUser.Username {\n\t\t\t\tassert.Equal(t, 0, user.UsedQuotaFiles)\n\t\t\t\tassert.Equal(t, int64(0), user.UsedQuotaSize)\n\t\t\t\tfolder, _, err := httpdtest.GetFolderByName(movePath, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, 2, folder.UsedQuotaFiles)\n\t\t\t\tassert.Equal(t, int64(200), folder.UsedQuotaSize)\n\t\t\t} else {\n\t\t\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\t\t\tassert.Equal(t, int64(100), user.UsedQuotaSize)\n\t\t\t}\n\t\t\t// pre-delete action is not executed in movePath\n\t\t\terr = client.Remove(path.Join(\"/\", movePath, testFileName))\n\t\t\tassert.NoError(t, err)\n\t\t\tif user.Username == localUser.Username {\n\t\t\t\t// check quota\n\t\t\t\tfolder, _, err := httpdtest.GetFolderByName(movePath, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, 1, folder.UsedQuotaFiles)\n\t\t\t\tassert.Equal(t, int64(100), folder.UsedQuotaSize)\n\t\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\t\tassert.NoError(t, err)\n\t\t\t}\n\t\t}\n\t}\n\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: movePath}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(filepath.Join(os.TempDir(), movePath))\n\tassert.NoError(t, err)\n}\n\nfunc TestEventRulePreDownloadUpload(t *testing.T) {\n\ttestDir := \"/d\"\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"a1\",\n\t\tType: dataprovider.ActionTypeFilesystem,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tFsConfig: dataprovider.EventActionFilesystemConfig{\n\t\t\t\tType: dataprovider.FilesystemActionMkdirs,\n\t\t\t\tMkDirs: []string{testDir},\n\t\t\t},\n\t\t},\n\t}\n\taction1, resp, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\ta2 := dataprovider.BaseEventAction{\n\t\tName: \"a2\",\n\t\tType: dataprovider.ActionTypeFilesystem,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tFsConfig: dataprovider.EventActionFilesystemConfig{\n\t\t\t\tType: dataprovider.FilesystemActionRename,\n\t\t\t\tRenames: []dataprovider.RenameConfig{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyValue: dataprovider.KeyValue{\n\t\t\t\t\t\t\tKey: \"/missing source\",\n\t\t\t\t\t\t\tValue: \"/missing target\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\taction2, resp, err := httpdtest.AddEventAction(a2, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tr1 := dataprovider.EventRule{\n\t\tName: \"rule1\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"pre-download\", \"pre-upload\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tExecuteSync: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\trule1, _, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\t// the rule will always succeed, so uploads/downloads will work\n\t\terr = writeSFTPFile(testFileName, 100, client)\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Stat(testDir)\n\t\tassert.NoError(t, err)\n\t\terr = client.RemoveDirectory(testDir)\n\t\tassert.NoError(t, err)\n\t\tf, err := client.Open(testFileName)\n\t\tassert.NoError(t, err)\n\t\tcontents := make([]byte, 100)\n\t\tn, err := io.ReadFull(f, contents)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int(100), n)\n\t\terr = f.Close()\n\t\tassert.NoError(t, err)\n\t\t// disable the rule\n\t\trule1.Status = 0\n\t\t_, _, err = httpdtest.UpdateEventRule(rule1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\terr = client.RemoveDirectory(testDir)\n\t\tassert.NoError(t, err)\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(testFileName, 100, client)\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Stat(testDir)\n\t\tassert.ErrorIs(t, err, fs.ErrNotExist)\n\t\t// now update the rule so that it will always fail\n\t\trule1.Status = 1\n\t\trule1.Actions = []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action2.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tExecuteSync: true,\n\t\t\t\t},\n\t\t\t},\n\t\t}\n\t\t_, _, err = httpdtest.UpdateEventRule(rule1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Open(testFileName)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(testFileName, 100, client)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t}\n\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestEventActionCommandEnvVars(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tenvName := \"MY_ENV\"\n\tuploadScriptPath := filepath.Join(os.TempDir(), \"upload.sh\")\n\n\tdataprovider.EnabledActionCommands = []string{uploadScriptPath}\n\tdefer func() {\n\t\tdataprovider.EnabledActionCommands = nil\n\t}()\n\n\terr := os.WriteFile(uploadScriptPath, getUploadScriptEnvContent(envName), 0755)\n\tassert.NoError(t, err)\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"action1\",\n\t\tType: dataprovider.ActionTypeCommand,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tCmdConfig: dataprovider.EventActionCommandConfig{\n\t\t\t\tCmd: uploadScriptPath,\n\t\t\t\tTimeout: 10,\n\t\t\t\tEnvVars: []dataprovider.KeyValue{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: envName,\n\t\t\t\t\t\tValue: \"$\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\taction1, _, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tr1 := dataprovider.EventRule{\n\t\tName: \"test rule1\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"upload\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tExecuteSync: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\trule1, _, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr = writeSFTPFileNoCheck(testFileName, 100, client)\n\t\tassert.Error(t, err)\n\t}\n\n\tos.Setenv(envName, \"1\")\n\tdefer os.Unsetenv(envName)\n\n\tconn, client, err = getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr = writeSFTPFileNoCheck(testFileName, 100, client)\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.Remove(uploadScriptPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestFsActionCopy(t *testing.T) {\n\tdirCopy := \"/dircopy\"\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"a1\",\n\t\tType: dataprovider.ActionTypeFilesystem,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tFsConfig: dataprovider.EventActionFilesystemConfig{\n\t\t\t\tType: dataprovider.FilesystemActionCopy,\n\t\t\t\tCopy: []dataprovider.KeyValue{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"/{{.VirtualPath}}/\",\n\t\t\t\t\t\tValue: dirCopy + \"/\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\taction1, resp, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\n\tr1 := dataprovider.EventRule{\n\t\tName: \"rule1\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"upload\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tExecuteSync: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\trule1, _, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tg1 := dataprovider.Group{\n\t\tBaseGroup: sdk.BaseGroup{\n\t\t\tName: \"group1\",\n\t\t},\n\t\tUserSettings: dataprovider.GroupUserSettings{\n\t\t\tBaseGroupUserSettings: sdk.BaseGroupUserSettings{\n\t\t\t\tPermissions: map[string][]string{\n\t\t\t\t\t// Restrict permissions in copyPath to check that action\n\t\t\t\t\t// will have full permissions anyway.\n\t\t\t\t\tdirCopy: {dataprovider.PermListItems, dataprovider.PermDelete},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\tgroup1, resp, err := httpdtest.AddGroup(g1, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tu := getTestUser()\n\tu.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: group1.Name,\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr = writeSFTPFile(testFileName, 100, client)\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Stat(path.Join(dirCopy, testFileName))\n\t\tassert.NoError(t, err)\n\n\t\taction1.Options.FsConfig.Copy = []dataprovider.KeyValue{\n\t\t\t{\n\t\t\t\tKey: \"/missing path\",\n\t\t\t\tValue: \"/copied path\",\n\t\t\t},\n\t\t}\n\t\t_, _, err = httpdtest.UpdateEventAction(action1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\t// copy a missing path will fail\n\t\terr = writeSFTPFile(testFileName, 100, client)\n\t\tassert.Error(t, err)\n\t}\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group1, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestEventFsActionsGroupFilters(t *testing.T) {\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 2525,\n\t\tFrom: \"notification@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr := smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"a1\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"example@example.net\"},\n\t\t\t\tSubject: `New \"{{.Event}}\" from \"{{.Name}}\" status {{.StatusString}}`,\n\t\t\t\tBody: \"Fs path {{.FsPath}}, size: {{.FileSize}}, protocol: {{.Protocol}}, IP: {{.IP}} {{.ErrorString}}\",\n\t\t\t},\n\t\t},\n\t}\n\taction1, _, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tr1 := dataprovider.EventRule{\n\t\tName: \"rule1\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"upload\"},\n\t\t\tOptions: dataprovider.ConditionOptions{\n\t\t\t\tGroupNames: []dataprovider.ConditionPattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tPattern: \"group*\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tExecuteSync: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\trule1, _, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\t// the user has no group, so the rule does not match\n\t\tlastReceivedEmail.reset()\n\t\terr = writeSFTPFile(testFileName, 32, client)\n\t\tassert.NoError(t, err)\n\t\tassert.Empty(t, lastReceivedEmail.get().From)\n\t}\n\tg1 := dataprovider.Group{\n\t\tBaseGroup: sdk.BaseGroup{\n\t\t\tName: \"agroup1\",\n\t\t},\n\t}\n\tgroup1, _, err := httpdtest.AddGroup(g1, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tg2 := dataprovider.Group{\n\t\tBaseGroup: sdk.BaseGroup{\n\t\t\tName: \"group2\",\n\t\t},\n\t}\n\tgroup2, _, err := httpdtest.AddGroup(g2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: group1.Name,\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t}\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\t// the group does not match\n\t\tlastReceivedEmail.reset()\n\t\terr = writeSFTPFile(testFileName, 32, client)\n\t\tassert.NoError(t, err)\n\t\tassert.Empty(t, lastReceivedEmail.get().From)\n\t}\n\tuser.Groups = append(user.Groups, sdk.GroupMapping{\n\t\tName: group2.Name,\n\t\tType: sdk.GroupTypeSecondary,\n\t})\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\t// the group matches\n\t\tlastReceivedEmail.reset()\n\t\terr = writeSFTPFile(testFileName, 32, client)\n\t\tassert.NoError(t, err)\n\t\tassert.NotEmpty(t, lastReceivedEmail.get().From)\n\t}\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group2, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n}\n\nfunc TestEventProviderActionGroupFilters(t *testing.T) {\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 2525,\n\t\tFrom: \"notification@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr := smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"a1\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"example@example.net\"},\n\t\t\t\tSubject: `New \"{{.Event}}\" from \"{{.Name}}\"`,\n\t\t\t\tBody: \"IP: {{.IP}}\",\n\t\t\t},\n\t\t},\n\t}\n\taction1, _, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tr1 := dataprovider.EventRule{\n\t\tName: \"rule1\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerProviderEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tProviderEvents: []string{\"add\", \"update\"},\n\t\t\tOptions: dataprovider.ConditionOptions{\n\t\t\t\tGroupNames: []dataprovider.ConditionPattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tPattern: \"group_*\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tProviderObjects: []string{\"user\"},\n\t\t\t},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t},\n\t}\n\trule1, _, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tg1 := dataprovider.Group{\n\t\tBaseGroup: sdk.BaseGroup{\n\t\t\tName: \"agroup_1\",\n\t\t},\n\t}\n\tgroup1, _, err := httpdtest.AddGroup(g1, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tg2 := dataprovider.Group{\n\t\tBaseGroup: sdk.BaseGroup{\n\t\t\tName: \"group_2\",\n\t\t},\n\t}\n\tgroup2, _, err := httpdtest.AddGroup(g2, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tu := getTestUser()\n\tu.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: group2.Name,\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t}\n\n\tlastReceivedEmail.reset()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool {\n\t\treturn lastReceivedEmail.get().From != \"\"\n\t}, 1500*time.Millisecond, 100*time.Millisecond)\n\temail := lastReceivedEmail.get()\n\tassert.Len(t, email.To, 1)\n\n\tuser.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: group1.Name,\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t}\n\n\tlastReceivedEmail.reset()\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\ttime.Sleep(300 * time.Millisecond)\n\temail = lastReceivedEmail.get()\n\tassert.Len(t, email.To, 0)\n\n\tuser.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: group2.Name,\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t}\n\n\tlastReceivedEmail.reset()\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool {\n\t\treturn lastReceivedEmail.get().From != \"\"\n\t}, 1500*time.Millisecond, 100*time.Millisecond)\n\temail = lastReceivedEmail.get()\n\tassert.Len(t, email.To, 1)\n\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group2, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n}\n\nfunc TestBackupAsAttachment(t *testing.T) {\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 2525,\n\t\tFrom: \"notification@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr := smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"a1 with space\",\n\t\tType: dataprovider.ActionTypeBackup,\n\t}\n\ta2 := dataprovider.BaseEventAction{\n\t\tName: \"a2\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"test@example.com\"},\n\t\t\t\tSubject: `\"{{.Event}} {{.StatusString}}\"`,\n\t\t\t\tBody: \"Domain: {{.Name}}\",\n\t\t\t\tAttachments: []string{\"/{{.VirtualPath}}\"},\n\t\t\t},\n\t\t},\n\t}\n\taction1, _, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err)\n\taction2, _, err := httpdtest.AddEventAction(a2, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tr1 := dataprovider.EventRule{\n\t\tName: \"test rule certificate\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerCertificate,\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action2.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 2,\n\t\t\t},\n\t\t},\n\t}\n\trule1, _, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tlastReceivedEmail.reset()\n\trenewalEvent := \"Certificate renewal\"\n\n\tcommon.HandleCertificateEvent(common.EventParams{\n\t\tName: \"example.com\",\n\t\tTimestamp: time.Now(),\n\t\tStatus: 1,\n\t\tEvent: renewalEvent,\n\t})\n\tassert.Eventually(t, func() bool {\n\t\treturn lastReceivedEmail.get().From != \"\"\n\t}, 3000*time.Millisecond, 100*time.Millisecond)\n\temail := lastReceivedEmail.get()\n\tassert.Len(t, email.To, 1)\n\tassert.True(t, slices.Contains(email.To, \"test@example.com\"))\n\tassert.Contains(t, email.Data, fmt.Sprintf(`Subject: \"%s OK\"`, renewalEvent))\n\tassert.Contains(t, email.Data, `Domain: example.com`)\n\tassert.Contains(t, email.Data, \"Content-Type: application/json\")\n\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action2, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n}\n\nfunc TestEventActionHTTPMultipart(t *testing.T) {\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"action1\",\n\t\tType: dataprovider.ActionTypeHTTP,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tHTTPConfig: dataprovider.EventActionHTTPConfig{\n\t\t\t\tEndpoint: fmt.Sprintf(\"http://%s/multipart\", httpAddr),\n\t\t\t\tMethod: http.MethodPut,\n\t\t\t\tParts: []dataprovider.HTTPPart{\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"part1\",\n\t\t\t\t\t\tHeaders: []dataprovider.KeyValue{\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tKey: \"Content-Type\",\n\t\t\t\t\t\t\t\tValue: \"application/json\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\tBody: `{\"FilePath\": \"{{.VirtualPath}}\"}`,\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"file\",\n\t\t\t\t\t\tFilepath: \"/{{.VirtualPath}}\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\taction1, resp, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tr1 := dataprovider.EventRule{\n\t\tName: \"test http multipart\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"upload\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tExecuteSync: true,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t},\n\t}\n\trule1, _, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tf, err := client.Create(testFileName)\n\t\tassert.NoError(t, err)\n\t\t_, err = f.Write(testFileContent)\n\t\tassert.NoError(t, err)\n\t\terr = f.Close()\n\t\tassert.NoError(t, err)\n\t\t// now add an missing file to the http multipart action\n\t\taction1.Options.HTTPConfig.Parts = append(action1.Options.HTTPConfig.Parts, dataprovider.HTTPPart{\n\t\t\tName: \"file1\",\n\t\t\tFilepath: \"/missing\",\n\t\t})\n\t\t_, resp, err = httpdtest.UpdateEventAction(action1, http.StatusOK)\n\t\tassert.NoError(t, err, string(resp))\n\n\t\tf, err = client.Create(\"testfile.txt\")\n\t\tassert.NoError(t, err)\n\t\t_, err = f.Write(testFileContent)\n\t\tassert.NoError(t, err)\n\t\terr = f.Close()\n\t\tassert.Error(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestEventActionCompress(t *testing.T) {\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"action1\",\n\t\tType: dataprovider.ActionTypeFilesystem,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tFsConfig: dataprovider.EventActionFilesystemConfig{\n\t\t\t\tType: dataprovider.FilesystemActionCompress,\n\t\t\t\tCompress: dataprovider.EventActionFsCompress{\n\t\t\t\t\tName: \"/{{.VirtualPath}}.zip\",\n\t\t\t\t\tPaths: []string{\"/{{.VirtualPath}}\"},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\taction1, _, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tr1 := dataprovider.EventRule{\n\t\tName: \"test compress\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"upload\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tExecuteSync: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\trule1, _, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tu := getTestUser()\n\tu.QuotaFiles = 1000\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser()\n\tu.FsConfig.SFTPConfig.BufferSize = 1\n\tu.QuotaFiles = 1000\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getCryptFsUser()\n\tu.QuotaFiles = 1000\n\tcryptFsUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser, cryptFsUser} {\n\t\t// cleanup home dir\n\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\tassert.NoError(t, err)\n\t\trule1.Conditions.Options.Names = []dataprovider.ConditionPattern{\n\t\t\t{\n\t\t\t\tPattern: user.Username,\n\t\t\t},\n\t\t}\n\t\t_, _, err = httpdtest.UpdateEventRule(rule1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\n\t\tconn, client, err := getSftpClient(user)\n\t\tif assert.NoError(t, err) {\n\t\t\tdefer conn.Close()\n\t\t\tdefer client.Close()\n\n\t\t\texpectedQuotaSize := int64(len(testFileContent))\n\t\t\texpectedQuotaFiles := 1\n\t\t\tif user.Username == cryptFsUser.Username {\n\t\t\t\tencryptedFileSize, err := getEncryptedFileSize(expectedQuotaSize)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\texpectedQuotaSize = encryptedFileSize\n\t\t\t}\n\n\t\t\tf, err := client.Create(testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t\t_, err = f.Write(testFileContent)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = f.Close()\n\t\t\tassert.NoError(t, err)\n\t\t\tinfo, err := client.Stat(testFileName + \".zip\") //nolint:goconst\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\tassert.Greater(t, info.Size(), int64(0))\n\t\t\t\t// check quota\n\t\t\t\tarchiveSize := info.Size()\n\t\t\t\tif user.Username == cryptFsUser.Username {\n\t\t\t\t\tencryptedFileSize, err := getEncryptedFileSize(archiveSize)\n\t\t\t\t\tassert.NoError(t, err)\n\t\t\t\t\tarchiveSize = encryptedFileSize\n\t\t\t\t}\n\t\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, expectedQuotaFiles+1, user.UsedQuotaFiles,\n\t\t\t\t\t\"quota file does no match for user %q\", user.Username)\n\t\t\t\tassert.Equal(t, expectedQuotaSize+archiveSize, user.UsedQuotaSize,\n\t\t\t\t\t\"quota size does no match for user %q\", user.Username)\n\t\t\t}\n\t\t\t// now overwrite the same file\n\t\t\tf, err = client.Create(testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t\t_, err = f.Write(testFileContent)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = f.Close()\n\t\t\tassert.NoError(t, err)\n\t\t\tinfo, err = client.Stat(testFileName + \".zip\")\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\tassert.Greater(t, info.Size(), int64(0))\n\t\t\t\tarchiveSize := info.Size()\n\t\t\t\tif user.Username == cryptFsUser.Username {\n\t\t\t\t\tencryptedFileSize, err := getEncryptedFileSize(archiveSize)\n\t\t\t\t\tassert.NoError(t, err)\n\t\t\t\t\tarchiveSize = encryptedFileSize\n\t\t\t\t}\n\t\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, expectedQuotaFiles+1, user.UsedQuotaFiles,\n\t\t\t\t\t\"quota file after overwrite does no match for user %q\", user.Username)\n\t\t\t\tassert.Equal(t, expectedQuotaSize+archiveSize, user.UsedQuotaSize,\n\t\t\t\t\t\"quota size after overwrite does no match for user %q\", user.Username)\n\t\t\t}\n\t\t}\n\t\tif user.Username == localUser.Username {\n\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t}\n\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(cryptFsUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(cryptFsUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestEventActionCompressQuotaErrors(t *testing.T) {\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 2525,\n\t\tFrom: \"notify@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr := smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\ttestDir := \"archiveDir\"\n\tzipPath := \"/archive.zip\"\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"action1\",\n\t\tType: dataprovider.ActionTypeFilesystem,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tFsConfig: dataprovider.EventActionFilesystemConfig{\n\t\t\t\tType: dataprovider.FilesystemActionCompress,\n\t\t\t\tCompress: dataprovider.EventActionFsCompress{\n\t\t\t\t\tName: zipPath,\n\t\t\t\t\tPaths: []string{\"/\" + testDir},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\taction1, _, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err)\n\ta2 := dataprovider.BaseEventAction{\n\t\tName: \"action2\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"test@example.com\"},\n\t\t\t\tSubject: `\"Compress failed\"`,\n\t\t\t\tBody: \"Error: {{.ErrorString}}\",\n\t\t\t},\n\t\t},\n\t}\n\taction2, _, err := httpdtest.AddEventAction(a2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tr1 := dataprovider.EventRule{\n\t\tName: \"test compress\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"rename\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action2.Name,\n\t\t\t\t},\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tIsFailureAction: true,\n\t\t\t\t},\n\t\t\t\tOrder: 2,\n\t\t\t},\n\t\t},\n\t}\n\trule1, _, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tfileSize := int64(100)\n\tu := getTestUser()\n\tu.QuotaSize = 10 * fileSize\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr = client.MkdirAll(path.Join(testDir, \"1\", \"1\"))\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(testDir, \"1\", testFileName), fileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.MkdirAll(path.Join(testDir, \"2\", \"2\"))\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(testDir, \"2\", testFileName), fileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Symlink(path.Join(testDir, \"2\", testFileName), path.Join(testDir, \"2\", testFileName+\"_link\"))\n\t\tassert.NoError(t, err)\n\t\t// trigger the compress action\n\t\terr = client.Mkdir(\"a\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(\"a\", \"b\")\n\t\tassert.NoError(t, err)\n\t\tassert.Eventually(t, func() bool {\n\t\t\t_, err := client.Stat(zipPath)\n\t\t\treturn err == nil\n\t\t}, 3*time.Second, 100*time.Millisecond)\n\t\terr = client.Remove(zipPath)\n\t\tassert.NoError(t, err)\n\t\t// add other 6 file, the compress action should fail with a quota error\n\t\terr = writeSFTPFile(path.Join(testDir, \"1\", \"1\", testFileName), fileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(testDir, \"2\", \"2\", testFileName), fileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(testDir, \"1\", \"1\", testFileName+\"1\"), fileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(testDir, \"2\", \"2\", testFileName+\"2\"), fileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(testDir, \"1\", testFileName+\"1\"), fileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(testDir, \"2\", testFileName+\"2\"), fileSize, client)\n\t\tassert.NoError(t, err)\n\t\tlastReceivedEmail.reset()\n\t\terr = client.Rename(\"b\", \"a\")\n\t\tassert.NoError(t, err)\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn lastReceivedEmail.get().From != \"\"\n\t\t}, 3*time.Second, 100*time.Millisecond)\n\t\temail := lastReceivedEmail.get()\n\t\tassert.Len(t, email.To, 1)\n\t\tassert.True(t, slices.Contains(email.To, \"test@example.com\"))\n\t\tassert.Contains(t, email.Data, `Subject: \"Compress failed\"`)\n\t\tassert.Contains(t, email.Data, common.ErrQuotaExceeded.Error())\n\t\t// update quota size so the user is already overquota\n\t\tuser.QuotaSize = 7 * fileSize\n\t\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\t\tassert.NoError(t, err)\n\t\tlastReceivedEmail.reset()\n\t\terr = client.Rename(\"a\", \"b\")\n\t\tassert.NoError(t, err)\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn lastReceivedEmail.get().From != \"\"\n\t\t}, 3*time.Second, 100*time.Millisecond)\n\t\temail = lastReceivedEmail.get()\n\t\tassert.Len(t, email.To, 1)\n\t\tassert.True(t, slices.Contains(email.To, \"test@example.com\"))\n\t\tassert.Contains(t, email.Data, `Subject: \"Compress failed\"`)\n\t\tassert.Contains(t, email.Data, common.ErrQuotaExceeded.Error())\n\t\t// remove the path to compress to trigger an error for size estimation\n\t\tout, err := runSSHCommand(fmt.Sprintf(\"sftpgo-remove %s\", testDir), user)\n\t\tassert.NoError(t, err, string(out))\n\t\tlastReceivedEmail.reset()\n\t\terr = client.Rename(\"b\", \"a\")\n\t\tassert.NoError(t, err)\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn lastReceivedEmail.get().From != \"\"\n\t\t}, 3*time.Second, 100*time.Millisecond)\n\t\temail = lastReceivedEmail.get()\n\t\tassert.Len(t, email.To, 1)\n\t\tassert.True(t, slices.Contains(email.To, \"test@example.com\"))\n\t\tassert.Contains(t, email.Data, `Subject: \"Compress failed\"`)\n\t\tassert.Contains(t, email.Data, \"unable to estimate archive size\")\n\t}\n\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n}\n\nfunc TestEventActionCompressQuotaFolder(t *testing.T) {\n\ttestDir := \"/folder\"\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"action1\",\n\t\tType: dataprovider.ActionTypeFilesystem,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tFsConfig: dataprovider.EventActionFilesystemConfig{\n\t\t\t\tType: dataprovider.FilesystemActionCompress,\n\t\t\t\tCompress: dataprovider.EventActionFsCompress{\n\t\t\t\t\tName: \"/{{.VirtualPath}}.zip\",\n\t\t\t\t\tPaths: []string{\"/{{.VirtualPath}}\", testDir},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\taction1, _, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tr1 := dataprovider.EventRule{\n\t\tName: \"test compress\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"upload\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tExecuteSync: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\trule1, _, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu := getTestUser()\n\tu.QuotaFiles = 1000\n\tmappedPath := filepath.Join(os.TempDir(), \"virtualpath\")\n\tfolderName := filepath.Base(mappedPath)\n\tvdirPath := \"/virtualpath\"\n\tf := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: mappedPath,\n\t}\n\t_, _, err = httpdtest.AddFolder(f, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: vdirPath,\n\t\tQuotaSize: -1,\n\t\tQuotaFiles: -1,\n\t})\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr = client.Mkdir(testDir)\n\t\tassert.NoError(t, err)\n\t\texpectedQuotaSize := int64(len(testFileContent))\n\t\texpectedQuotaFiles := 1\n\t\terr = client.Symlink(path.Join(testDir, testFileName), path.Join(testDir, testFileName+\"_link\"))\n\t\tassert.NoError(t, err)\n\t\tf, err := client.Create(path.Join(testDir, testFileName))\n\t\tassert.NoError(t, err)\n\t\t_, err = f.Write(testFileContent)\n\t\tassert.NoError(t, err)\n\t\terr = f.Close()\n\t\tassert.NoError(t, err)\n\t\tinfo, err := client.Stat(path.Join(testDir, testFileName) + \".zip\")\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Greater(t, info.Size(), int64(0))\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\texpectedQuotaFiles++\n\t\t\texpectedQuotaSize += info.Size()\n\t\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\t}\n\t\tvfolder, _, err := httpdtest.GetFolderByName(folderName, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 0, vfolder.UsedQuotaFiles)\n\t\tassert.Equal(t, int64(0), vfolder.UsedQuotaSize)\n\t\t// upload in the virtual path\n\t\tf, err = client.Create(path.Join(vdirPath, testFileName))\n\t\tassert.NoError(t, err)\n\t\t_, err = f.Write(testFileContent)\n\t\tassert.NoError(t, err)\n\t\terr = f.Close()\n\t\tassert.NoError(t, err)\n\t\tinfo, err = client.Stat(path.Join(vdirPath, testFileName) + \".zip\")\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Greater(t, info.Size(), int64(0))\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\texpectedQuotaFiles += 2\n\t\t\texpectedQuotaSize += info.Size() + int64(len(testFileContent))\n\t\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\t\tvfolder, _, err := httpdtest.GetFolderByName(folderName, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, 0, vfolder.UsedQuotaFiles)\n\t\t\tassert.Equal(t, int64(0), vfolder.UsedQuotaSize)\n\t\t}\n\t}\n\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestEventActionCompressErrors(t *testing.T) {\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"action1\",\n\t\tType: dataprovider.ActionTypeFilesystem,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tFsConfig: dataprovider.EventActionFilesystemConfig{\n\t\t\t\tType: dataprovider.FilesystemActionCompress,\n\t\t\t\tCompress: dataprovider.EventActionFsCompress{\n\t\t\t\t\tName: \"/{{.VirtualPath}}.zip\",\n\t\t\t\t\tPaths: []string{\"/{{.VirtualPath}}.zip\"}, // cannot compress itself\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\taction1, _, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tr1 := dataprovider.EventRule{\n\t\tName: \"test compress\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"upload\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tExecuteSync: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\trule1, _, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tf, err := client.Create(testFileName)\n\t\tassert.NoError(t, err)\n\t\t_, err = f.Write(testFileContent)\n\t\tassert.NoError(t, err)\n\t\terr = f.Close()\n\t\tassert.Error(t, err)\n\t}\n\t// try to compress a missing file\n\taction1.Options.FsConfig.Compress.Paths = []string{\"/missing file\"}\n\t_, _, err = httpdtest.UpdateEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tf, err := client.Create(testFileName)\n\t\tassert.NoError(t, err)\n\t\t_, err = f.Write(testFileContent)\n\t\tassert.NoError(t, err)\n\t\terr = f.Close()\n\t\tassert.Error(t, err)\n\t}\n\t// try to overwrite a directory\n\ttestDir := \"/adir\"\n\taction1.Options.FsConfig.Compress.Name = testDir\n\taction1.Options.FsConfig.Compress.Paths = []string{\"/{{.VirtualPath}}\"}\n\t_, _, err = httpdtest.UpdateEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr = client.Mkdir(testDir)\n\t\tassert.NoError(t, err)\n\t\tf, err := client.Create(testFileName)\n\t\tassert.NoError(t, err)\n\t\t_, err = f.Write(testFileContent)\n\t\tassert.NoError(t, err)\n\t\terr = f.Close()\n\t\tassert.Error(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestEventActionEmailAttachments(t *testing.T) {\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 2525,\n\t\tFrom: \"notify@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr := smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"action1\",\n\t\tType: dataprovider.ActionTypeFilesystem,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tFsConfig: dataprovider.EventActionFilesystemConfig{\n\t\t\t\tType: dataprovider.FilesystemActionCompress,\n\t\t\t\tCompress: dataprovider.EventActionFsCompress{\n\t\t\t\t\tName: \"/archive/{{.VirtualPath}}.zip\",\n\t\t\t\t\tPaths: []string{\"/{{.VirtualPath}}\"},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\taction1, _, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err)\n\ta2 := dataprovider.BaseEventAction{\n\t\tName: \"action2\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"test@example.com\"},\n\t\t\t\tSubject: `\"{{.Event}}\" from \"{{.Name}}\"`,\n\t\t\t\tBody: \"Fs path {{.FsPath}}, size: {{.FileSize}}, protocol: {{.Protocol}}, IP: {{.IP}} {{.EscapedVirtualPath}}\",\n\t\t\t\tAttachments: []string{\"/archive/{{.VirtualPath}}.zip\"},\n\t\t\t},\n\t\t},\n\t}\n\taction2, _, err := httpdtest.AddEventAction(a2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tr1 := dataprovider.EventRule{\n\t\tName: \"test email with attachment\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"upload\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action2.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 2,\n\t\t\t},\n\t\t},\n\t}\n\trule1, _, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tlocalUser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tu := getTestSFTPUser()\n\tu.FsConfig.SFTPConfig.BufferSize = 1\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tcryptFsUser, _, err := httpdtest.AddUser(getCryptFsUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser, cryptFsUser} {\n\t\tconn, client, err := getSftpClient(user)\n\t\tif assert.NoError(t, err) {\n\t\t\tdefer conn.Close()\n\t\t\tdefer client.Close()\n\n\t\t\tlastReceivedEmail.reset()\n\t\t\tf, err := client.Create(testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t\t_, err = f.Write(testFileContent)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = f.Close()\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Eventually(t, func() bool {\n\t\t\t\treturn lastReceivedEmail.get().From != \"\"\n\t\t\t}, 1500*time.Millisecond, 100*time.Millisecond)\n\t\t\temail := lastReceivedEmail.get()\n\t\t\tassert.Len(t, email.To, 1)\n\t\t\tassert.True(t, slices.Contains(email.To, \"test@example.com\"))\n\t\t\tassert.Contains(t, email.Data, `Subject: \"upload\" from`)\n\t\t\tassert.Contains(t, email.Data, url.QueryEscape(\"/\"+testFileName))\n\t\t\tassert.Contains(t, email.Data, \"Content-Disposition: attachment\")\n\t\t}\n\t}\n\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(cryptFsUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(cryptFsUser.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n}\n\nfunc TestEventActionsRetentionReports(t *testing.T) {\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 2525,\n\t\tFrom: \"notify@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr := smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\ttestDir := \"/d\"\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"action1\",\n\t\tType: dataprovider.ActionTypeDataRetentionCheck,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tRetentionConfig: dataprovider.EventActionDataRetentionConfig{\n\t\t\t\tFolders: []dataprovider.FolderRetention{\n\t\t\t\t\t{\n\t\t\t\t\t\tPath: testDir,\n\t\t\t\t\t\tRetention: 1,\n\t\t\t\t\t\tDeleteEmptyDirs: true,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\taction1, _, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err)\n\ta2 := dataprovider.BaseEventAction{\n\t\tName: \"action2\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"test@example.com\"},\n\t\t\t\tSubject: `\"{{.Event}}\" from \"{{.Name}}\"`,\n\t\t\t\tBody: \"Fs path {{.FsPath}}, size: {{.FileSize}}, protocol: {{.Protocol}}, IP: {{.IP}}\",\n\t\t\t\tAttachments: []string{dataprovider.RetentionReportPlaceHolder},\n\t\t\t},\n\t\t},\n\t}\n\taction2, _, err := httpdtest.AddEventAction(a2, http.StatusCreated)\n\tassert.NoError(t, err)\n\ta3 := dataprovider.BaseEventAction{\n\t\tName: \"action3\",\n\t\tType: dataprovider.ActionTypeHTTP,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tHTTPConfig: dataprovider.EventActionHTTPConfig{\n\t\t\t\tEndpoint: fmt.Sprintf(\"http://%s/\", httpAddr),\n\t\t\t\tTimeout: 20,\n\t\t\t\tMethod: http.MethodPost,\n\t\t\t\tBody: dataprovider.RetentionReportPlaceHolder,\n\t\t\t},\n\t\t},\n\t}\n\taction3, _, err := httpdtest.AddEventAction(a3, http.StatusCreated)\n\tassert.NoError(t, err)\n\ta4 := dataprovider.BaseEventAction{\n\t\tName: \"action4\",\n\t\tType: dataprovider.ActionTypeHTTP,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tHTTPConfig: dataprovider.EventActionHTTPConfig{\n\t\t\t\tEndpoint: fmt.Sprintf(\"http://%s/multipart\", httpAddr),\n\t\t\t\tTimeout: 20,\n\t\t\t\tMethod: http.MethodPost,\n\t\t\t\tParts: []dataprovider.HTTPPart{\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"reports.zip\",\n\t\t\t\t\t\tFilepath: dataprovider.RetentionReportPlaceHolder,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\taction4, _, err := httpdtest.AddEventAction(a4, http.StatusCreated)\n\tassert.NoError(t, err)\n\tr1 := dataprovider.EventRule{\n\t\tName: \"test rule1\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"upload\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tExecuteSync: true,\n\t\t\t\t\tStopOnFailure: true,\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action2.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 2,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tExecuteSync: true,\n\t\t\t\t\tStopOnFailure: true,\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action3.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 3,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tExecuteSync: true,\n\t\t\t\t\tStopOnFailure: true,\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action4.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 4,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tExecuteSync: true,\n\t\t\t\t\tStopOnFailure: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\trule1, _, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tsubdir := path.Join(testDir, \"sub\")\n\t\terr = client.MkdirAll(subdir)\n\t\tassert.NoError(t, err)\n\n\t\tlastReceivedEmail.reset()\n\t\tf, err := client.Create(testFileName)\n\t\tassert.NoError(t, err)\n\t\t_, err = f.Write(testFileContent)\n\t\tassert.NoError(t, err)\n\t\terr = f.Close()\n\t\tassert.NoError(t, err)\n\n\t\temail := lastReceivedEmail.get()\n\t\tassert.Len(t, email.To, 1)\n\t\tassert.True(t, slices.Contains(email.To, \"test@example.com\"))\n\t\tassert.Contains(t, email.Data, fmt.Sprintf(`Subject: \"upload\" from \"%s\"`, user.Username))\n\t\tassert.Contains(t, email.Data, \"Content-Disposition: attachment\")\n\t\t_, err = client.Stat(testDir)\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Stat(subdir)\n\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\n\t\terr = client.Mkdir(subdir)\n\t\tassert.NoError(t, err)\n\t\tnewName := path.Join(testDir, testFileName)\n\t\terr = client.Rename(testFileName, newName)\n\t\tassert.NoError(t, err)\n\t\terr = client.Chtimes(newName, time.Now().Add(-24*time.Hour), time.Now().Add(-24*time.Hour))\n\t\tassert.NoError(t, err)\n\n\t\tlastReceivedEmail.reset()\n\t\tf, err = client.Create(testFileName)\n\t\tassert.NoError(t, err)\n\t\t_, err = f.Write(testFileContent)\n\t\tassert.NoError(t, err)\n\t\terr = f.Close()\n\t\tassert.NoError(t, err)\n\t\temail = lastReceivedEmail.get()\n\t\tassert.Len(t, email.To, 1)\n\t\t_, err = client.Stat(subdir)\n\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t\t_, err = client.Stat(subdir)\n\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t}\n\t// now remove the retention check to test errors\n\trule1.Actions = []dataprovider.EventAction{\n\t\t{\n\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\tName: action2.Name,\n\t\t\t},\n\t\t\tOrder: 2,\n\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\tExecuteSync: true,\n\t\t\t\tStopOnFailure: false,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\tName: action3.Name,\n\t\t\t},\n\t\t\tOrder: 3,\n\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\tExecuteSync: true,\n\t\t\t\tStopOnFailure: false,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\tName: action4.Name,\n\t\t\t},\n\t\t\tOrder: 4,\n\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\tExecuteSync: true,\n\t\t\t\tStopOnFailure: false,\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err = httpdtest.UpdateEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tf, err := client.Create(testFileName)\n\t\tassert.NoError(t, err)\n\t\t_, err = f.Write(testFileContent)\n\t\tassert.NoError(t, err)\n\t\terr = f.Close()\n\t\tassert.Error(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action3, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action4, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n}\n\nfunc TestEventRuleFirstUploadDownloadActions(t *testing.T) {\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 2525,\n\t\tFrom: \"notify@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr := smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"action1\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"test@example.com\"},\n\t\t\t\tSubject: `\"{{.Event}}\" from \"{{.Name}}\"`,\n\t\t\t\tBody: \"Fs path {{.FsPath}}, size: {{.FileSize}}, protocol: {{.Protocol}}, IP: {{.IP}}\",\n\t\t\t},\n\t\t},\n\t}\n\taction1, _, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tr1 := dataprovider.EventRule{\n\t\tName: \"test first upload rule\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"first-upload\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t},\n\t}\n\trule1, _, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tr2 := dataprovider.EventRule{\n\t\tName: \"test first download rule\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"first-download\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t},\n\t}\n\trule2, _, err := httpdtest.AddEventRule(r2, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\ttestFileSize := int64(32768)\n\t\tlastReceivedEmail.reset()\n\t\terr = writeSFTPFileNoCheck(testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn lastReceivedEmail.get().From != \"\"\n\t\t}, 1500*time.Millisecond, 100*time.Millisecond)\n\t\temail := lastReceivedEmail.get()\n\t\tassert.Len(t, email.To, 1)\n\t\tassert.True(t, slices.Contains(email.To, \"test@example.com\"))\n\t\tassert.Contains(t, email.Data, fmt.Sprintf(`Subject: \"first-upload\" from \"%s\"`, user.Username))\n\t\tlastReceivedEmail.reset()\n\t\t// a new upload will not produce a new notification\n\t\terr = writeSFTPFileNoCheck(testFileName+\"_1\", 32768, client)\n\t\tassert.NoError(t, err)\n\t\tassert.Never(t, func() bool {\n\t\t\treturn lastReceivedEmail.get().From != \"\"\n\t\t}, 1000*time.Millisecond, 100*time.Millisecond)\n\t\t// the same for download\n\t\tf, err := client.Open(testFileName)\n\t\tassert.NoError(t, err)\n\t\tcontents := make([]byte, testFileSize)\n\t\tn, err := io.ReadFull(f, contents)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int(testFileSize), n)\n\t\terr = f.Close()\n\t\tassert.NoError(t, err)\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn lastReceivedEmail.get().From != \"\"\n\t\t}, 1500*time.Millisecond, 100*time.Millisecond)\n\t\temail = lastReceivedEmail.get()\n\t\tassert.Len(t, email.To, 1)\n\t\tassert.True(t, slices.Contains(email.To, \"test@example.com\"))\n\t\tassert.Contains(t, email.Data, fmt.Sprintf(`Subject: \"first-download\" from \"%s\"`, user.Username))\n\t\t// download again\n\t\tlastReceivedEmail.reset()\n\t\tf, err = client.Open(testFileName)\n\t\tassert.NoError(t, err)\n\t\tcontents = make([]byte, testFileSize)\n\t\tn, err = io.ReadFull(f, contents)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int(testFileSize), n)\n\t\terr = f.Close()\n\t\tassert.NoError(t, err)\n\t\tassert.Never(t, func() bool {\n\t\t\treturn lastReceivedEmail.get().From != \"\"\n\t\t}, 1000*time.Millisecond, 100*time.Millisecond)\n\t}\n\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventRule(rule2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n}\n\nfunc TestEventRuleRenameEvent(t *testing.T) {\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 2525,\n\t\tFrom: \"notify@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr := smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"action1\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"test@example.com\"},\n\t\t\t\tSubject: `\"{{.Event}}\" from \"{{.Name}}\"`,\n\t\t\t\tContentType: 1,\n\t\t\t\tBody: `

Fs path {{.FsPath}}, Name: {{.Name}}, Target path \"{{.VirtualTargetDirPath}}/{{.TargetName}}\", size: {{.FileSize}}

`,\n\t\t\t},\n\t\t},\n\t}\n\taction1, _, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tr1 := dataprovider.EventRule{\n\t\tName: \"test rename rule\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"rename\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t},\n\t}\n\trule1, _, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tu := getTestUser()\n\tu.Username = \"test & chars\"\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\ttestFileSize := int64(32768)\n\t\tlastReceivedEmail.reset()\n\t\terr = writeSFTPFileNoCheck(testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(\"subdir\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(testFileName, path.Join(\"/subdir\", testFileName))\n\t\tassert.NoError(t, err)\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn lastReceivedEmail.get().From != \"\"\n\t\t}, 1500*time.Millisecond, 100*time.Millisecond)\n\t\temail := lastReceivedEmail.get()\n\t\tassert.Len(t, email.To, 1)\n\t\tassert.True(t, slices.Contains(email.To, \"test@example.com\"))\n\t\tassert.Contains(t, email.Data, fmt.Sprintf(`Subject: \"rename\" from \"%s\"`, user.Username))\n\t\tassert.Contains(t, email.Data, \"Content-Type: text/html\")\n\t\tassert.Contains(t, email.Data, fmt.Sprintf(\"Target path %q\", path.Join(\"/subdir\", testFileName)))\n\t\tassert.Contains(t, email.Data, \"Name: test & chars,\")\n\t}\n\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n}\n\nfunc TestEventRuleIDPLogin(t *testing.T) {\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 2525,\n\t\tFrom: \"notify@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr := smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\tlastReceivedEmail.reset()\n\n\tusername := `test_'idp_'login`\n\tcustom1 := `cust\"oa\"1`\n\tu := map[string]any{\n\t\t\"username\": \"{{.Name}}\",\n\t\t\"status\": 1,\n\t\t\"home_dir\": filepath.Join(os.TempDir(), \"{{.IDPFieldcustom1}}\"),\n\t\t\"permissions\": map[string][]string{\n\t\t\t\"/\": {dataprovider.PermAny},\n\t\t},\n\t}\n\tuserTmpl, err := json.Marshal(u)\n\trequire.NoError(t, err)\n\ta := map[string]any{\n\t\t\"username\": \"{{.Name}}\",\n\t\t\"status\": 1,\n\t\t\"permissions\": []string{dataprovider.PermAdminAny},\n\t}\n\tadminTmpl, err := json.Marshal(a)\n\trequire.NoError(t, err)\n\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"a1\",\n\t\tType: dataprovider.ActionTypeIDPAccountCheck,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tIDPConfig: dataprovider.EventActionIDPAccountCheck{\n\t\t\t\tMode: 1, // create if not exists\n\t\t\t\tTemplateUser: string(userTmpl),\n\t\t\t\tTemplateAdmin: string(adminTmpl),\n\t\t\t},\n\t\t},\n\t}\n\taction1, _, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err)\n\ta2 := dataprovider.BaseEventAction{\n\t\tName: \"a2\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"test@example.com\"},\n\t\t\t\tSubject: `\"{{.Event}} {{.StatusString}}\"`,\n\t\t\t\tBody: \"{{.Name}} Custom field: {{.IDPFieldcustom1}}\",\n\t\t\t},\n\t\t},\n\t}\n\taction2, _, err := httpdtest.AddEventAction(a2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tr1 := dataprovider.EventRule{\n\t\tName: \"test rule IDP login\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerIDPLogin,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tIDPLoginEvent: dataprovider.IDPLoginUser,\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name, // the rule is not sync and will be skipped\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action2.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 2,\n\t\t\t},\n\t\t},\n\t}\n\trule1, resp, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\n\tcustomFields := map[string]any{\n\t\t\"custom1\": custom1,\n\t}\n\tuser, admin, err := common.HandleIDPLoginEvent(common.EventParams{\n\t\tName: username,\n\t\tEvent: common.IDPLoginUser,\n\t\tStatus: 1,\n\t}, &customFields)\n\tassert.Nil(t, user)\n\tassert.Nil(t, admin)\n\tassert.NoError(t, err)\n\n\trule1.Actions[0].Options.ExecuteSync = true\n\trule1, resp, err = httpdtest.UpdateEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err, string(resp))\n\tuser, admin, err = common.HandleIDPLoginEvent(common.EventParams{\n\t\tName: username,\n\t\tEvent: common.IDPLoginUser,\n\t\tStatus: 1,\n\t}, &customFields)\n\tif assert.NotNil(t, user) {\n\t\tassert.Equal(t, filepath.Join(os.TempDir(), custom1), user.GetHomeDir())\n\t\t_, err = httpdtest.RemoveUser(*user, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t}\n\tassert.Nil(t, admin)\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool {\n\t\treturn lastReceivedEmail.get().From != \"\"\n\t}, 3000*time.Millisecond, 100*time.Millisecond)\n\temail := lastReceivedEmail.get()\n\tassert.Len(t, email.To, 1)\n\tassert.True(t, slices.Contains(email.To, \"test@example.com\"))\n\tassert.Contains(t, email.Data, fmt.Sprintf(`Subject: \"%s OK\"`, common.IDPLoginUser))\n\tassert.Contains(t, email.Data, username)\n\tassert.Contains(t, email.Data, custom1)\n\n\tuser, admin, err = common.HandleIDPLoginEvent(common.EventParams{\n\t\tName: username,\n\t\tEvent: common.IDPLoginAdmin,\n\t\tStatus: 1,\n\t}, &customFields)\n\tassert.Nil(t, user)\n\tassert.Nil(t, admin)\n\tassert.NoError(t, err)\n\n\trule1.Conditions.IDPLoginEvent = dataprovider.IDPLoginAny\n\trule1.Actions = []dataprovider.EventAction{\n\t\t{\n\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\tName: action1.Name,\n\t\t\t},\n\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\tExecuteSync: true,\n\t\t\t},\n\t\t\tOrder: 1,\n\t\t},\n\t}\n\trule1, _, err = httpdtest.UpdateEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tr2 := dataprovider.EventRule{\n\t\tName: \"test email on IDP login\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerIDPLogin,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tIDPLoginEvent: dataprovider.IDPLoginAdmin,\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action2.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t},\n\t}\n\trule2, resp, err := httpdtest.AddEventRule(r2, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\n\tlastReceivedEmail.reset()\n\tuser, admin, err = common.HandleIDPLoginEvent(common.EventParams{\n\t\tName: username,\n\t\tEvent: common.IDPLoginAdmin,\n\t\tStatus: 1,\n\t}, &customFields)\n\tassert.Nil(t, user)\n\tif assert.NotNil(t, admin) {\n\t\tassert.Equal(t, 1, admin.Status)\n\t}\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool {\n\t\treturn lastReceivedEmail.get().From != \"\"\n\t}, 3000*time.Millisecond, 100*time.Millisecond)\n\temail = lastReceivedEmail.get()\n\tassert.Len(t, email.To, 1)\n\tassert.True(t, slices.Contains(email.To, \"test@example.com\"))\n\tassert.Contains(t, email.Data, fmt.Sprintf(`Subject: \"%s OK\"`, common.IDPLoginAdmin))\n\tassert.Contains(t, email.Data, username)\n\tassert.Contains(t, email.Data, custom1)\n\tadmin.Status = 0\n\t_, _, err = httpdtest.UpdateAdmin(*admin, http.StatusOK)\n\tassert.NoError(t, err)\n\tuser, admin, err = common.HandleIDPLoginEvent(common.EventParams{\n\t\tName: username,\n\t\tEvent: common.IDPLoginAdmin,\n\t\tStatus: 1,\n\t}, &customFields)\n\tassert.Nil(t, user)\n\tif assert.NotNil(t, admin) {\n\t\tassert.Equal(t, 0, admin.Status)\n\t}\n\tassert.NoError(t, err)\n\taction1.Options.IDPConfig.Mode = 0\n\taction1, _, err = httpdtest.UpdateEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\tuser, admin, err = common.HandleIDPLoginEvent(common.EventParams{\n\t\tName: username,\n\t\tEvent: common.IDPLoginAdmin,\n\t\tStatus: 1,\n\t}, &customFields)\n\tassert.Nil(t, user)\n\tif assert.NotNil(t, admin) {\n\t\tassert.Equal(t, 1, admin.Status)\n\t}\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveAdmin(*admin, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tr3 := dataprovider.EventRule{\n\t\tName: \"test rule2 IDP login\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerIDPLogin,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tIDPLoginEvent: dataprovider.IDPLoginAny,\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tExecuteSync: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\trule3, resp, err := httpdtest.AddEventRule(r3, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tuser, admin, err = common.HandleIDPLoginEvent(common.EventParams{\n\t\tName: username,\n\t\tEvent: common.IDPLoginAdmin,\n\t\tStatus: 1,\n\t}, &customFields)\n\tassert.Nil(t, user)\n\tassert.Nil(t, admin)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"more than one account check action rules matches\")\n\t}\n\n\t_, err = httpdtest.RemoveEventRule(rule3, http.StatusOK)\n\tassert.NoError(t, err)\n\n\taction1.Options.IDPConfig.TemplateAdmin = `{}`\n\taction1, _, err = httpdtest.UpdateEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, _, err = common.HandleIDPLoginEvent(common.EventParams{\n\t\tName: username,\n\t\tEvent: common.IDPLoginAdmin,\n\t\tStatus: 1,\n\t}, &customFields)\n\tassert.ErrorIs(t, err, util.ErrValidation)\n\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tuser, admin, err = common.HandleIDPLoginEvent(common.EventParams{\n\t\tName: username,\n\t\tEvent: common.IDPLoginAdmin,\n\t\tStatus: 1,\n\t}, &customFields)\n\tassert.Nil(t, user)\n\tassert.Nil(t, admin)\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveEventRule(rule2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action2, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n}\n\nfunc TestEventRuleEmailField(t *testing.T) {\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 2525,\n\t\tFrom: \"notify@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr := smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\tlastReceivedEmail.reset()\n\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"action1\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"{{.Email}}\"},\n\t\t\t\tSubject: `\"{{.Event}}\" from \"{{.Name}}\"`,\n\t\t\t\tBody: \"Sample email body\",\n\t\t\t},\n\t\t},\n\t}\n\taction1, _, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err)\n\ta2 := dataprovider.BaseEventAction{\n\t\tName: \"action2\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"failure@example.com\"},\n\t\t\t\tSubject: `\"Failure`,\n\t\t\t\tBody: \"{{.ErrorString}}\",\n\t\t\t},\n\t\t},\n\t}\n\taction2, _, err := httpdtest.AddEventAction(a2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tr1 := dataprovider.EventRule{\n\t\tName: \"r1\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"mkdir\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\tr2 := dataprovider.EventRule{\n\t\tName: \"test rule2\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerProviderEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tProviderEvents: []string{\"add\"},\n\t\t\tOptions: dataprovider.ConditionOptions{\n\t\t\t\tProviderObjects: []string{\"user\"},\n\t\t\t},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action2.Name,\n\t\t\t\t},\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tIsFailureAction: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\trule1, _, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err)\n\trule2, _, err := httpdtest.AddEventRule(r2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu := getTestUser()\n\tu.Email = \"user@example.com\"\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tassert.Eventually(t, func() bool {\n\t\treturn lastReceivedEmail.get().From != \"\"\n\t}, 3000*time.Millisecond, 100*time.Millisecond)\n\temail := lastReceivedEmail.get()\n\tassert.Len(t, email.To, 1)\n\tassert.True(t, slices.Contains(email.To, user.Email))\n\tassert.Contains(t, email.Data, `Subject: \"add\" from \"admin\"`)\n\n\t// if we add a user without email the notification will fail\n\tlastReceivedEmail.reset()\n\tu1 := getTestUser()\n\tu1.Username += \"_1\"\n\tuser1, _, err := httpdtest.AddUser(u1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool {\n\t\treturn lastReceivedEmail.get().From != \"\"\n\t}, 3000*time.Millisecond, 100*time.Millisecond)\n\temail = lastReceivedEmail.get()\n\tassert.Len(t, email.To, 1)\n\tassert.True(t, slices.Contains(email.To, \"failure@example.com\"))\n\tassert.Contains(t, email.Data, `no recipient addresses set`)\n\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tlastReceivedEmail.reset()\n\t\terr = client.Mkdir(testFileName)\n\t\tassert.NoError(t, err)\n\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn lastReceivedEmail.get().From != \"\"\n\t\t}, 3000*time.Millisecond, 100*time.Millisecond)\n\t\temail := lastReceivedEmail.get()\n\t\tassert.Len(t, email.To, 1)\n\t\tassert.True(t, slices.Contains(email.To, user.Email))\n\t\tassert.Contains(t, email.Data, fmt.Sprintf(`Subject: \"mkdir\" from \"%s\"`, user.Username))\n\t}\n\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventRule(rule2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user1, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n}\n\nfunc TestEventRuleCertificate(t *testing.T) {\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 2525,\n\t\tFrom: \"notify@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr := smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\tlastReceivedEmail.reset()\n\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"action1\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"test@example.com\"},\n\t\t\t\tSubject: `\"{{.Event}} {{.StatusString}}\"`,\n\t\t\t\tContentType: 0,\n\t\t\t\tBody: \"Domain: {{.Name}} Timestamp: {{.Timestamp}} {{.ErrorString}} Date time: {{.DateTime}}\",\n\t\t\t},\n\t\t},\n\t}\n\taction1, _, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ta2 := dataprovider.BaseEventAction{\n\t\tName: \"action2\",\n\t\tType: dataprovider.ActionTypeFolderQuotaReset,\n\t}\n\taction2, _, err := httpdtest.AddEventAction(a2, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tr1 := dataprovider.EventRule{\n\t\tName: \"test rule certificate\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerCertificate,\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t},\n\t}\n\trule1, _, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tr2 := dataprovider.EventRule{\n\t\tName: \"test rule 2\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerCertificate,\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action2.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 2,\n\t\t\t},\n\t\t},\n\t}\n\trule2, _, err := httpdtest.AddEventRule(r2, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\trenewalEvent := \"Certificate renewal\"\n\n\tcommon.HandleCertificateEvent(common.EventParams{\n\t\tName: \"example.com\",\n\t\tTimestamp: time.Now(),\n\t\tStatus: 1,\n\t\tEvent: renewalEvent,\n\t})\n\tassert.Eventually(t, func() bool {\n\t\treturn lastReceivedEmail.get().From != \"\"\n\t}, 3000*time.Millisecond, 100*time.Millisecond)\n\temail := lastReceivedEmail.get()\n\tassert.Len(t, email.To, 1)\n\tassert.True(t, slices.Contains(email.To, \"test@example.com\"))\n\tassert.Contains(t, email.Data, fmt.Sprintf(`Subject: \"%s OK\"`, renewalEvent))\n\tassert.Contains(t, email.Data, \"Content-Type: text/plain\")\n\tassert.Contains(t, email.Data, `Domain: example.com Timestamp`)\n\n\tlastReceivedEmail.reset()\n\tdateTime := time.Now()\n\tparams := common.EventParams{\n\t\tName: \"example.com\",\n\t\tTimestamp: dateTime,\n\t\tStatus: 2,\n\t\tEvent: renewalEvent,\n\t}\n\terrRenew := errors.New(\"generic renew error\")\n\tparams.AddError(errRenew)\n\tcommon.HandleCertificateEvent(params)\n\tassert.Eventually(t, func() bool {\n\t\treturn lastReceivedEmail.get().From != \"\"\n\t}, 3000*time.Millisecond, 100*time.Millisecond)\n\temail = lastReceivedEmail.get()\n\tassert.Len(t, email.To, 1)\n\tassert.True(t, slices.Contains(email.To, \"test@example.com\"))\n\tassert.Contains(t, email.Data, fmt.Sprintf(`Subject: \"%s KO\"`, renewalEvent))\n\tassert.Contains(t, email.Data, `Domain: example.com Timestamp`)\n\tassert.Contains(t, email.Data, dateTime.UTC().Format(\"2006-01-02T15:04:05.000\"))\n\tassert.Contains(t, email.Data, errRenew.Error())\n\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventRule(rule2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action2, http.StatusOK)\n\tassert.NoError(t, err)\n\t// ignored no more certificate rules\n\tcommon.HandleCertificateEvent(common.EventParams{\n\t\tName: \"example.com\",\n\t\tTimestamp: time.Now(),\n\t\tStatus: 1,\n\t\tEvent: renewalEvent,\n\t})\n\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n}\n\nfunc TestEventRuleIPBlocked(t *testing.T) {\n\toldConfig := config.GetCommonConfig()\n\n\tcfg := config.GetCommonConfig()\n\tcfg.DefenderConfig.Enabled = true\n\tcfg.DefenderConfig.Threshold = 3\n\tcfg.DefenderConfig.ScoreLimitExceeded = 2\n\n\terr := common.Initialize(cfg, 0)\n\tassert.NoError(t, err)\n\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 2525,\n\t\tFrom: \"notification@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"action1\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"test3@example.com\", \"test4@example.com\"},\n\t\t\t\tSubject: `New \"{{.Event}}\"`,\n\t\t\t\tBody: \"IP: {{.IP}} Timestamp: {{.Timestamp}}\",\n\t\t\t},\n\t\t},\n\t}\n\taction1, _, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ta2 := dataprovider.BaseEventAction{\n\t\tName: \"action2\",\n\t\tType: dataprovider.ActionTypeFolderQuotaReset,\n\t}\n\taction2, _, err := httpdtest.AddEventAction(a2, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tr1 := dataprovider.EventRule{\n\t\tName: \"test rule ip blocked\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerIPBlocked,\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t},\n\t}\n\trule1, _, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tr2 := dataprovider.EventRule{\n\t\tName: \"test rule 2\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerIPBlocked,\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action2.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 2,\n\t\t\t},\n\t\t},\n\t}\n\trule2, _, err := httpdtest.AddEventRule(r2, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tu := getTestUser()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tlastReceivedEmail.reset()\n\ttime.Sleep(300 * time.Millisecond)\n\tassert.Empty(t, lastReceivedEmail.get().From, lastReceivedEmail.get().Data)\n\n\tfor i := 0; i < 3; i++ {\n\t\tuser.Password = \"wrong_pwd\"\n\t\t_, _, err = getSftpClient(user)\n\t\tassert.Error(t, err)\n\t}\n\t// the client is now banned\n\tuser.Password = defaultPassword\n\t_, _, err = getSftpClient(user)\n\tassert.Error(t, err)\n\t// check the email notification\n\tassert.Eventually(t, func() bool {\n\t\treturn lastReceivedEmail.get().From != \"\"\n\t}, 3000*time.Millisecond, 100*time.Millisecond)\n\temail := lastReceivedEmail.get()\n\tassert.Len(t, email.To, 2)\n\tassert.True(t, slices.Contains(email.To, \"test3@example.com\"))\n\tassert.True(t, slices.Contains(email.To, \"test4@example.com\"))\n\tassert.Contains(t, email.Data, `Subject: New \"IP Blocked\"`)\n\n\terr = dataprovider.DeleteEventRule(rule1.Name, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = dataprovider.DeleteEventRule(rule2.Name, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = dataprovider.DeleteEventAction(action1.Name, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = dataprovider.DeleteEventAction(action2.Name, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = dataprovider.DeleteUser(user.Username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\terr = common.Initialize(oldConfig, 0)\n\tassert.NoError(t, err)\n}\n\nfunc TestEventRuleRotateLog(t *testing.T) {\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 2525,\n\t\tFrom: \"notification@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr := smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"a1\",\n\t\tType: dataprovider.ActionTypeRotateLogs,\n\t}\n\taction1, _, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err)\n\ta2 := dataprovider.BaseEventAction{\n\t\tName: \"a2\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"success@example.net\"},\n\t\t\t\tSubject: `OK`,\n\t\t\t\tBody: \"OK action\",\n\t\t\t},\n\t\t},\n\t}\n\taction2, _, err := httpdtest.AddEventAction(a2, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tr1 := dataprovider.EventRule{\n\t\tName: \"rule1\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"mkdir\"},\n\t\t\tOptions: dataprovider.ConditionOptions{\n\t\t\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tPattern: user.Username,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action2.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 2,\n\t\t\t},\n\t\t},\n\t}\n\trule1, resp, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tlastReceivedEmail.reset()\n\t\terr := client.Mkdir(\"just a test dir\")\n\t\tassert.NoError(t, err)\n\t\t// just check that the action is executed\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn lastReceivedEmail.get().From != \"\"\n\t\t}, 1500*time.Millisecond, 100*time.Millisecond)\n\t\temail := lastReceivedEmail.get()\n\t\tassert.Len(t, email.To, 1)\n\t\tassert.Contains(t, email.To, \"success@example.net\")\n\t}\n\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n}\n\nfunc TestEventRuleInactivityCheck(t *testing.T) {\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 2525,\n\t\tFrom: \"notification@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr := smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"a1\",\n\t\tType: dataprovider.ActionTypeUserInactivityCheck,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tUserInactivityConfig: dataprovider.EventActionUserInactivity{\n\t\t\t\tDisableThreshold: 10,\n\t\t\t\tDeleteThreshold: 20,\n\t\t\t},\n\t\t},\n\t}\n\taction1, _, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err)\n\ta2 := dataprovider.BaseEventAction{\n\t\tName: \"a2\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"success@example.net\"},\n\t\t\t\tSubject: `OK`,\n\t\t\t\tBody: \"OK action\",\n\t\t\t},\n\t\t},\n\t}\n\taction2, _, err := httpdtest.AddEventAction(a2, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tr1 := dataprovider.EventRule{\n\t\tName: \"rule1\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"mkdir\"},\n\t\t\tOptions: dataprovider.ConditionOptions{\n\t\t\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tPattern: user.Username,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action2.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 2,\n\t\t\t},\n\t\t},\n\t}\n\trule1, resp, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tlastReceivedEmail.reset()\n\t\terr := client.Mkdir(\"just a test dir\")\n\t\tassert.NoError(t, err)\n\t\t// just check that the action is executed\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn lastReceivedEmail.get().From != \"\"\n\t\t}, 1500*time.Millisecond, 100*time.Millisecond)\n\t\temail := lastReceivedEmail.get()\n\t\tassert.Len(t, email.To, 1)\n\t\tassert.Contains(t, email.To, \"success@example.net\")\n\t}\n\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n}\n\nfunc TestEventRulePasswordExpiration(t *testing.T) {\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 2525,\n\t\tFrom: \"notification@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr := smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"a1\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"failure@example.net\"},\n\t\t\t\tSubject: `Failure`,\n\t\t\t\tBody: \"Failure action\",\n\t\t\t},\n\t\t},\n\t}\n\taction1, _, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err)\n\ta2 := dataprovider.BaseEventAction{\n\t\tName: \"a2\",\n\t\tType: dataprovider.ActionTypePasswordExpirationCheck,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tPwdExpirationConfig: dataprovider.EventActionPasswordExpiration{\n\t\t\t\tThreshold: 10,\n\t\t\t},\n\t\t},\n\t}\n\taction2, _, err := httpdtest.AddEventAction(a2, http.StatusCreated)\n\tassert.NoError(t, err)\n\ta3 := dataprovider.BaseEventAction{\n\t\tName: \"a3\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"success@example.net\"},\n\t\t\t\tSubject: `OK`,\n\t\t\t\tBody: \"OK action\",\n\t\t\t},\n\t\t},\n\t}\n\taction3, _, err := httpdtest.AddEventAction(a3, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tr1 := dataprovider.EventRule{\n\t\tName: \"rule1\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"mkdir\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action2.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action3.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 2,\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tIsFailureAction: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\trule1, resp, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tdirName := \"aTestDir\"\n\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tlastReceivedEmail.reset()\n\t\terr := client.Mkdir(dirName)\n\t\tassert.NoError(t, err)\n\t\t// the user has no password expiration, the check will be skipped and the ok action executed\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn lastReceivedEmail.get().From != \"\"\n\t\t}, 1500*time.Millisecond, 100*time.Millisecond)\n\t\temail := lastReceivedEmail.get()\n\t\tassert.Len(t, email.To, 1)\n\t\tassert.Contains(t, email.To, \"success@example.net\")\n\t\terr = client.RemoveDirectory(dirName)\n\t\tassert.NoError(t, err)\n\t}\n\tuser.Filters.PasswordExpiration = 20\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tlastReceivedEmail.reset()\n\t\terr := client.Mkdir(dirName)\n\t\tassert.NoError(t, err)\n\t\t// the passowrd is not about to expire, the check will be skipped and the ok action executed\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn lastReceivedEmail.get().From != \"\"\n\t\t}, 1500*time.Millisecond, 100*time.Millisecond)\n\t\temail := lastReceivedEmail.get()\n\t\tassert.Len(t, email.To, 1)\n\t\tassert.Contains(t, email.To, \"success@example.net\")\n\t\terr = client.RemoveDirectory(dirName)\n\t\tassert.NoError(t, err)\n\t}\n\tuser.Filters.PasswordExpiration = 5\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tlastReceivedEmail.reset()\n\t\terr := client.Mkdir(dirName)\n\t\tassert.NoError(t, err)\n\t\t// the passowrd is about to expire, the user has no email, the failure action will be executed\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn lastReceivedEmail.get().From != \"\"\n\t\t}, 1500*time.Millisecond, 100*time.Millisecond)\n\t\temail := lastReceivedEmail.get()\n\t\tassert.Len(t, email.To, 1)\n\t\tassert.Contains(t, email.To, \"failure@example.net\")\n\t\terr = client.RemoveDirectory(dirName)\n\t\tassert.NoError(t, err)\n\t}\n\t// remove the success action\n\trule1.Actions = []dataprovider.EventAction{\n\t\t{\n\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\tName: action2.Name,\n\t\t\t},\n\t\t\tOrder: 1,\n\t\t},\n\t\t{\n\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\tName: action1.Name,\n\t\t\t},\n\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\tIsFailureAction: true,\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err = httpdtest.UpdateEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\tuser.Email = \"user@example.net\"\n\tuser.Filters.AdditionalEmails = []string{\"additional@example.net\"}\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tlastReceivedEmail.reset()\n\t\terr := client.Mkdir(dirName)\n\t\tassert.NoError(t, err)\n\t\t// the passowrd expiration will be notified\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn lastReceivedEmail.get().From != \"\"\n\t\t}, 1500*time.Millisecond, 100*time.Millisecond)\n\t\temail := lastReceivedEmail.get()\n\t\tassert.Len(t, email.To, 2)\n\t\tassert.Contains(t, email.To, user.Email)\n\t\tassert.Contains(t, email.To, user.Filters.AdditionalEmails[0])\n\t\tassert.Contains(t, email.Data, \"your SFTPGo password expires in 5 days\")\n\t\terr = client.RemoveDirectory(dirName)\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action3, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n}\n\nfunc TestSyncUploadAction(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tuploadScriptPath := filepath.Join(os.TempDir(), \"upload.sh\")\n\tcommon.Config.Actions.ExecuteOn = []string{\"upload\"}\n\tcommon.Config.Actions.ExecuteSync = []string{\"upload\"}\n\tcommon.Config.Actions.Hook = uploadScriptPath\n\n\tu := getTestUser()\n\tu.QuotaFiles = 1000\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tmovedFileName := \"moved.dat\"\n\tmovedPath := filepath.Join(user.HomeDir, movedFileName)\n\terr = os.WriteFile(uploadScriptPath, getUploadScriptContent(movedPath, \"\", 0), 0755)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tsize := int64(32768)\n\t\terr = writeSFTPFileNoCheck(testFileName, size, client)\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Stat(testFileName)\n\t\tassert.Error(t, err)\n\t\tinfo, err := client.Stat(movedFileName)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, size, info.Size())\n\t\t}\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, size, user.UsedQuotaSize)\n\t\t// test some hook failure\n\t\t// the uploaded file is moved and the hook fails, it will be not removed from the quota\n\t\terr = os.WriteFile(uploadScriptPath, getUploadScriptContent(movedPath, \"\", 1), 0755)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFileNoCheck(testFileName+\"_1\", size, client)\n\t\tassert.Error(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\t\tassert.Equal(t, size*2, user.UsedQuotaSize)\n\n\t\t// the uploaded file is not moved and the hook fails, the uploaded file will be deleted\n\t\t// and removed from the quota\n\t\tmovedPath = filepath.Join(user.HomeDir, \"missing dir\", movedFileName)\n\t\terr = os.WriteFile(uploadScriptPath, getUploadScriptContent(movedPath, \"\", 1), 0755)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFileNoCheck(testFileName+\"_2\", size, client)\n\t\tassert.Error(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\t\tassert.Equal(t, size*2, user.UsedQuotaSize)\n\t\t// overwrite an existing file\n\t\t_, err = client.Stat(movedFileName)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFileNoCheck(movedFileName, size, client)\n\t\tassert.Error(t, err)\n\t\t_, err = client.Stat(movedFileName)\n\t\tassert.Error(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, size, user.UsedQuotaSize)\n\t}\n\n\terr = os.Remove(uploadScriptPath)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tcommon.Config.Actions.ExecuteOn = nil\n\tcommon.Config.Actions.ExecuteSync = nil\n\tcommon.Config.Actions.Hook = uploadScriptPath\n}\n\nfunc TestQuotaTrackDisabled(t *testing.T) {\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\tproviderConf.TrackQuota = 0\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = writeSFTPFile(testFileName, 32, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(testFileName, testFileName+\"1\")\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n}\n\nfunc TestGetQuotaError(t *testing.T) {\n\tif dataprovider.GetProviderStatus().Driver == \"memory\" {\n\t\tt.Skip(\"this test is not available with the memory provider\")\n\t}\n\tu := getTestUser()\n\tu.TotalDataTransfer = 2000\n\tmappedPath := filepath.Join(os.TempDir(), \"vdir\")\n\tfolderName := filepath.Base(mappedPath)\n\tvdirPath := \"/vpath\"\n\tf := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: mappedPath,\n\t}\n\t_, _, err := httpdtest.AddFolder(f, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: vdirPath,\n\t\tQuotaSize: 0,\n\t\tQuotaFiles: 10,\n\t})\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = writeSFTPFile(testFileName, 32, client)\n\t\tassert.NoError(t, err)\n\n\t\terr = dataprovider.Close()\n\t\tassert.NoError(t, err)\n\n\t\terr = client.Rename(testFileName, path.Join(vdirPath, testFileName))\n\t\tassert.Error(t, err)\n\n\t\terr = config.LoadConfig(configDir, \"\")\n\t\tassert.NoError(t, err)\n\t\tproviderConf := config.GetProviderConf()\n\t\terr = dataprovider.Initialize(providerConf, configDir, true)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestRetentionAPI(t *testing.T) {\n\tu := getTestUser()\n\tu.Permissions[\"/\"] = []string{dataprovider.PermListItems, dataprovider.PermUpload,\n\t\tdataprovider.PermOverwrite, dataprovider.PermDownload, dataprovider.PermCreateDirs,\n\t\tdataprovider.PermChtimes}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuploadPath := path.Join(testDir, testFileName)\n\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr = client.Mkdir(testDir)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(uploadPath, 32, client)\n\t\tassert.NoError(t, err)\n\n\t\tfolderRetention := []dataprovider.FolderRetention{\n\t\t\t{\n\t\t\t\tPath: \"/\",\n\t\t\t\tRetention: 24,\n\t\t\t\tDeleteEmptyDirs: true,\n\t\t\t},\n\t\t}\n\t\tcheck := common.RetentionCheck{\n\t\t\tFolders: folderRetention,\n\t\t}\n\t\tc := common.RetentionChecks.Add(check, &user)\n\t\tassert.NotNil(t, c)\n\t\terr = c.Start()\n\t\tassert.NoError(t, err)\n\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn len(common.RetentionChecks.Get(\"\")) == 0\n\t\t}, 1000*time.Millisecond, 50*time.Millisecond)\n\n\t\t_, err = client.Stat(uploadPath)\n\t\tassert.NoError(t, err)\n\n\t\terr = client.Chtimes(uploadPath, time.Now().Add(-48*time.Hour), time.Now().Add(-48*time.Hour))\n\t\tassert.NoError(t, err)\n\n\t\terr = c.Start()\n\t\tassert.NoError(t, err)\n\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn len(common.RetentionChecks.Get(\"\")) == 0\n\t\t}, 1000*time.Millisecond, 50*time.Millisecond)\n\n\t\t_, err = client.Stat(uploadPath)\n\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\n\t\t_, err = client.Stat(testDir)\n\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\n\t\terr = client.Mkdir(testDir)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(uploadPath, 32, client)\n\t\tassert.NoError(t, err)\n\n\t\tcheck.Folders[0].DeleteEmptyDirs = false\n\t\terr = client.Chtimes(uploadPath, time.Now().Add(-48*time.Hour), time.Now().Add(-48*time.Hour))\n\t\tassert.NoError(t, err)\n\n\t\tc = common.RetentionChecks.Add(check, &user)\n\t\tassert.NotNil(t, c)\n\t\terr = c.Start()\n\t\tassert.NoError(t, err)\n\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn len(common.RetentionChecks.Get(\"\")) == 0\n\t\t}, 1000*time.Millisecond, 50*time.Millisecond)\n\n\t\t_, err = client.Stat(uploadPath)\n\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\n\t\t_, err = client.Stat(testDir)\n\t\tassert.NoError(t, err)\n\n\t\terr = writeSFTPFile(uploadPath, 32, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Chtimes(uploadPath, time.Now().Add(-48*time.Hour), time.Now().Add(-48*time.Hour))\n\t\tassert.NoError(t, err)\n\t\tconn.Close()\n\t\tclient.Close()\n\t}\n\n\t// remove delete permissions to the user, it will be automatically granted\n\tuser.Permissions[\"/\"+testDir] = []string{dataprovider.PermListItems, dataprovider.PermUpload,\n\t\tdataprovider.PermCreateDirs, dataprovider.PermChtimes}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\tconn, client, err = getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tinnerUploadFilePath := path.Join(\"/\"+testDir, testDir, testFileName)\n\t\terr = client.Mkdir(path.Join(testDir, testDir))\n\t\tassert.NoError(t, err)\n\n\t\terr = writeSFTPFile(innerUploadFilePath, 32, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Chtimes(innerUploadFilePath, time.Now().Add(-48*time.Hour), time.Now().Add(-48*time.Hour))\n\t\tassert.NoError(t, err)\n\n\t\tfolderRetention := []dataprovider.FolderRetention{\n\t\t\t{\n\t\t\t\tPath: \"/missing\",\n\t\t\t\tRetention: 24,\n\t\t\t},\n\t\t\t{\n\t\t\t\tPath: \"/\" + testDir,\n\t\t\t\tRetention: 24,\n\t\t\t\tDeleteEmptyDirs: true,\n\t\t\t},\n\t\t\t{\n\t\t\t\tPath: path.Dir(innerUploadFilePath),\n\t\t\t\tRetention: 0,\n\t\t\t},\n\t\t}\n\t\tcheck := common.RetentionCheck{\n\t\t\tFolders: folderRetention,\n\t\t}\n\t\tc := common.RetentionChecks.Add(check, &user)\n\t\tassert.NotNil(t, c)\n\t\terr = c.Start()\n\t\tassert.NoError(t, err)\n\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn len(common.RetentionChecks.Get(\"\")) == 0\n\t\t}, 1000*time.Millisecond, 50*time.Millisecond)\n\n\t\t_, err = client.Stat(uploadPath)\n\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t\t_, err = client.Stat(innerUploadFilePath)\n\t\tassert.NoError(t, err)\n\n\t\tfolderRetention = []dataprovider.FolderRetention{\n\n\t\t\t{\n\t\t\t\tPath: \"/\" + testDir,\n\t\t\t\tRetention: 24,\n\t\t\t\tDeleteEmptyDirs: true,\n\t\t\t},\n\t\t}\n\n\t\tcheck = common.RetentionCheck{\n\t\t\tFolders: folderRetention,\n\t\t}\n\t\tc = common.RetentionChecks.Add(check, &user)\n\t\tassert.NotNil(t, c)\n\t\terr = c.Start()\n\t\tassert.NoError(t, err)\n\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn len(common.RetentionChecks.Get(\"\")) == 0\n\t\t}, 1000*time.Millisecond, 50*time.Millisecond)\n\n\t\t_, err = client.Stat(innerUploadFilePath)\n\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t\tconn.Close()\n\t\tclient.Close()\n\t}\n\t// finally test some errors removing files or folders\n\tif runtime.GOOS != osWindows {\n\t\tdirPath := filepath.Join(user.HomeDir, \"adir\", \"sub\")\n\t\terr := os.MkdirAll(dirPath, os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\tfilePath := filepath.Join(dirPath, \"f.dat\")\n\t\terr = os.WriteFile(filePath, nil, os.ModePerm)\n\t\tassert.NoError(t, err)\n\n\t\terr = os.Chtimes(filePath, time.Now().Add(-72*time.Hour), time.Now().Add(-72*time.Hour))\n\t\tassert.NoError(t, err)\n\n\t\terr = os.Chmod(dirPath, 0001)\n\t\tassert.NoError(t, err)\n\n\t\tfolderRetention := []dataprovider.FolderRetention{\n\n\t\t\t{\n\t\t\t\tPath: \"/adir\",\n\t\t\t\tRetention: 24,\n\t\t\t\tDeleteEmptyDirs: true,\n\t\t\t},\n\t\t}\n\n\t\tcheck := common.RetentionCheck{\n\t\t\tFolders: folderRetention,\n\t\t}\n\t\tc := common.RetentionChecks.Add(check, &user)\n\t\tassert.NotNil(t, c)\n\t\terr = c.Start()\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn len(common.RetentionChecks.Get(\"\")) == 0\n\t\t}, 1000*time.Millisecond, 50*time.Millisecond)\n\n\t\terr = os.Chmod(dirPath, 0555)\n\t\tassert.NoError(t, err)\n\n\t\tc = common.RetentionChecks.Add(check, &user)\n\t\tassert.NotNil(t, c)\n\t\terr = c.Start()\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn len(common.RetentionChecks.Get(\"\")) == 0\n\t\t}, 1000*time.Millisecond, 50*time.Millisecond)\n\n\t\terr = os.Chmod(dirPath, os.ModePerm)\n\t\tassert.NoError(t, err)\n\n\t\tcheck = common.RetentionCheck{\n\t\t\tFolders: folderRetention,\n\t\t}\n\t\tc = common.RetentionChecks.Add(check, &user)\n\t\tassert.NotNil(t, c)\n\t\terr = c.Start()\n\t\tassert.NoError(t, err)\n\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn len(common.RetentionChecks.Get(\"\")) == 0\n\t\t}, 1000*time.Millisecond, 50*time.Millisecond)\n\n\t\tassert.NoDirExists(t, dirPath)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tassert.Eventually(t, func() bool {\n\t\treturn common.Connections.GetClientConnections() == 0\n\t}, 1*time.Second, 50*time.Millisecond)\n}\n\nfunc TestPerUserTransferLimits(t *testing.T) {\n\toldMaxPerHostConns := common.Config.MaxPerHostConnections\n\n\tcommon.Config.MaxPerHostConnections = 2\n\n\tu := getTestUser()\n\tu.UploadBandwidth = 32\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tif !assert.NoError(t, err) {\n\t\tprintLatestLogs(20)\n\t}\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tvar wg sync.WaitGroup\n\t\tnumErrors := 0\n\t\tfor i := 0; i <= 2; i++ {\n\t\t\twg.Add(1)\n\t\t\tgo func(counter int) {\n\t\t\t\tdefer wg.Done()\n\n\t\t\t\ttime.Sleep(20 * time.Millisecond)\n\t\t\t\terr := writeSFTPFile(fmt.Sprintf(\"%s_%d\", testFileName, counter), 64*1024, client)\n\t\t\t\tif err != nil {\n\t\t\t\t\tnumErrors++\n\t\t\t\t}\n\t\t\t}(i)\n\t\t}\n\t\twg.Wait()\n\n\t\tassert.Equal(t, 1, numErrors)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tcommon.Config.MaxPerHostConnections = oldMaxPerHostConns\n}\n\nfunc TestMaxSessionsSameConnection(t *testing.T) {\n\tu := getTestUser()\n\tu.UploadBandwidth = 32\n\tu.MaxSessions = 2\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tvar wg sync.WaitGroup\n\t\tnumErrors := 0\n\t\tfor i := 0; i <= 2; i++ {\n\t\t\twg.Add(1)\n\t\t\tgo func(counter int) {\n\t\t\t\tdefer wg.Done()\n\n\t\t\t\tvar err error\n\t\t\t\tif counter < 2 {\n\t\t\t\t\terr = writeSFTPFile(fmt.Sprintf(\"%s_%d\", testFileName, counter), 64*1024, client)\n\t\t\t\t} else {\n\t\t\t\t\t// wait for the transfers to start\n\t\t\t\t\ttime.Sleep(50 * time.Millisecond)\n\t\t\t\t\t_, _, err = getSftpClient(user)\n\t\t\t\t}\n\t\t\t\tif err != nil {\n\t\t\t\t\tnumErrors++\n\t\t\t\t}\n\t\t\t}(i)\n\t\t}\n\n\t\twg.Wait()\n\t\tassert.Equal(t, 1, numErrors)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestRenameDir(t *testing.T) {\n\tu := getTestUser()\n\ttestDir := \"/dir-to-rename\"\n\tu.Permissions[testDir] = []string{dataprovider.PermListItems, dataprovider.PermUpload}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = client.Mkdir(testDir)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(testDir, testFileName), 32, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(testDir, testDir+\"_rename\")\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestBuiltinKeyboardInteractiveAuthentication(t *testing.T) {\n\tu := getTestUser()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tauthMethods := []ssh.AuthMethod{\n\t\tssh.KeyboardInteractive(func(_, _ string, _ []string, _ []bool) ([]string, error) {\n\t\t\treturn []string{defaultPassword}, nil\n\t\t}),\n\t}\n\tconn, client, err := getCustomAuthSftpClient(user, authMethods)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t\terr = writeSFTPFile(testFileName, 4096, client)\n\t\tassert.NoError(t, err)\n\t}\n\t// add multi-factor authentication\n\tconfigName, key, _, err := mfa.GenerateTOTPSecret(mfa.GetAvailableTOTPConfigNames()[0], user.Username)\n\tassert.NoError(t, err)\n\tuser.Password = defaultPassword\n\tuser.Filters.TOTPConfig = dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: kms.NewPlainSecret(key.Secret()),\n\t\tProtocols: []string{common.ProtocolSSH},\n\t}\n\terr = dataprovider.UpdateUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tpasscode, err := generateTOTPPasscode(key.Secret(), otp.AlgorithmSHA1)\n\tassert.NoError(t, err)\n\tpasswordAsked := false\n\tpasscodeAsked := false\n\tauthMethods = []ssh.AuthMethod{\n\t\tssh.KeyboardInteractive(func(_, _ string, questions []string, _ []bool) ([]string, error) {\n\t\t\tvar answers []string\n\t\t\tif strings.HasPrefix(questions[0], \"Password\") {\n\t\t\t\tanswers = append(answers, defaultPassword)\n\t\t\t\tpasswordAsked = true\n\t\t\t} else {\n\t\t\t\tanswers = append(answers, passcode)\n\t\t\t\tpasscodeAsked = true\n\t\t\t}\n\t\t\treturn answers, nil\n\t\t}),\n\t}\n\tconn, client, err = getCustomAuthSftpClient(user, authMethods)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t\terr = writeSFTPFile(testFileName, 4096, client)\n\t\tassert.NoError(t, err)\n\t}\n\tassert.True(t, passwordAsked)\n\tassert.True(t, passcodeAsked)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestMultiStepBuiltinKeyboardAuth(t *testing.T) {\n\tu := getTestUser()\n\tu.PublicKeys = []string{testPubKey}\n\tu.Filters.DeniedLoginMethods = []string{\n\t\tdataprovider.SSHLoginMethodPublicKey,\n\t\tdataprovider.LoginMethodPassword,\n\t\tdataprovider.SSHLoginMethodKeyboardInteractive,\n\t}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tsigner, err := ssh.ParsePrivateKey([]byte(testPrivateKey))\n\tassert.NoError(t, err)\n\t// public key + password\n\tauthMethods := []ssh.AuthMethod{\n\t\tssh.PublicKeys(signer),\n\t\tssh.KeyboardInteractive(func(_, _ string, _ []string, _ []bool) ([]string, error) {\n\t\t\treturn []string{defaultPassword}, nil\n\t\t}),\n\t}\n\tconn, client, err := getCustomAuthSftpClient(user, authMethods)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t\terr = writeSFTPFile(testFileName, 4096, client)\n\t\tassert.NoError(t, err)\n\t}\n\t// add multi-factor authentication\n\tconfigName, key, _, err := mfa.GenerateTOTPSecret(mfa.GetAvailableTOTPConfigNames()[0], user.Username)\n\tassert.NoError(t, err)\n\tuser.Password = defaultPassword\n\tuser.Filters.TOTPConfig = dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: kms.NewPlainSecret(key.Secret()),\n\t\tProtocols: []string{common.ProtocolSSH},\n\t}\n\terr = dataprovider.UpdateUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tpasscode, err := generateTOTPPasscode(key.Secret(), otp.AlgorithmSHA1)\n\tassert.NoError(t, err)\n\t// public key + passcode\n\tauthMethods = []ssh.AuthMethod{\n\t\tssh.PublicKeys(signer),\n\t\tssh.KeyboardInteractive(func(_, _ string, _ []string, _ []bool) ([]string, error) {\n\t\t\treturn []string{passcode}, nil\n\t\t}),\n\t}\n\tconn, client, err = getCustomAuthSftpClient(user, authMethods)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t\terr = writeSFTPFile(testFileName, 4096, client)\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestRenameSymlink(t *testing.T) {\n\tu := getTestUser()\n\ttestDir := \"/dir-no-create-links\"\n\totherDir := \"otherdir\"\n\tu.Permissions[testDir] = []string{dataprovider.PermListItems, dataprovider.PermUpload, dataprovider.PermDelete,\n\t\tdataprovider.PermCreateDirs}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = client.Mkdir(otherDir)\n\t\tassert.NoError(t, err)\n\t\terr = client.Symlink(otherDir, otherDir+\".link\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(otherDir+\".link\", path.Join(testDir, \"symlink\"))\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Rename(otherDir+\".link\", \"allowed_link\")\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSplittedDeletePerms(t *testing.T) {\n\tu := getTestUser()\n\tu.Permissions[\"/\"] = []string{dataprovider.PermListItems, dataprovider.PermUpload, dataprovider.PermDeleteDirs,\n\t\tdataprovider.PermCreateDirs}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = writeSFTPFile(testFileName, 4096, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Remove(testFileName)\n\t\tassert.Error(t, err)\n\t\terr = client.Mkdir(testDir)\n\t\tassert.NoError(t, err)\n\t\terr = client.RemoveDirectory(testDir)\n\t\tassert.NoError(t, err)\n\t}\n\tu.Permissions[\"/\"] = []string{dataprovider.PermListItems, dataprovider.PermUpload, dataprovider.PermDeleteFiles,\n\t\tdataprovider.PermCreateDirs, dataprovider.PermOverwrite}\n\t_, _, err = httpdtest.UpdateUser(u, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\tconn, client, err = getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = writeSFTPFile(testFileName, 4096, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(testDir)\n\t\tassert.NoError(t, err)\n\t\terr = client.RemoveDirectory(testDir)\n\t\tassert.Error(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSplittedRenamePerms(t *testing.T) {\n\tu := getTestUser()\n\tu.Permissions[\"/\"] = []string{dataprovider.PermListItems, dataprovider.PermUpload, dataprovider.PermRenameDirs,\n\t\tdataprovider.PermCreateDirs}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = writeSFTPFile(testFileName, 4096, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(testDir)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(testFileName, testFileName+\"_renamed\")\n\t\tassert.Error(t, err)\n\t\terr = client.Rename(testDir, testDir+\"_renamed\")\n\t\tassert.NoError(t, err)\n\t}\n\tu.Permissions[\"/\"] = []string{dataprovider.PermListItems, dataprovider.PermUpload, dataprovider.PermRenameFiles,\n\t\tdataprovider.PermCreateDirs, dataprovider.PermOverwrite}\n\t_, _, err = httpdtest.UpdateUser(u, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\tconn, client, err = getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = writeSFTPFile(testFileName, 4096, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(testDir)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(testFileName, testFileName+\"_renamed\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(testDir, testDir+\"_renamed\")\n\t\tassert.Error(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSFTPLoopError(t *testing.T) {\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 2525,\n\t\tFrom: \"notification@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr := smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\tuser1 := getTestUser()\n\tuser2 := getTestUser()\n\tuser1.Username += \"1\"\n\tuser2.Username += \"2\"\n\t// user1 is a local account with a virtual SFTP folder to user2\n\t// user2 has user1 as SFTP fs\n\tf := vfs.BaseVirtualFolder{\n\t\tName: \"sftp\",\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.SFTPFilesystemProvider,\n\t\t\tSFTPConfig: vfs.SFTPFsConfig{\n\t\t\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\t\t\tEndpoint: sftpServerAddr,\n\t\t\t\t\tUsername: user2.Username,\n\t\t\t\t},\n\t\t\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t\t\t},\n\t\t},\n\t}\n\tfolder, _, err := httpdtest.AddFolder(f, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser1.VirtualFolders = append(user1.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folder.Name,\n\t\t},\n\t\tVirtualPath: \"/vdir\",\n\t})\n\n\tuser2.FsConfig.Provider = sdk.SFTPFilesystemProvider\n\tuser2.FsConfig.SFTPConfig = vfs.SFTPFsConfig{\n\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\tEndpoint: sftpServerAddr,\n\t\t\tUsername: user1.Username,\n\t\t},\n\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t}\n\n\tuser1, resp, err := httpdtest.AddUser(user1, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tuser2, resp, err = httpdtest.AddUser(user2, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"a1\",\n\t\tType: dataprovider.ActionTypeUserQuotaReset,\n\t}\n\taction1, _, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err)\n\ta2 := dataprovider.BaseEventAction{\n\t\tName: \"a2\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"failure@example.com\"},\n\t\t\t\tSubject: `Failed action\"`,\n\t\t\t\tBody: \"Test body\",\n\t\t\t},\n\t\t},\n\t}\n\taction2, _, err := httpdtest.AddEventAction(a2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tr1 := dataprovider.EventRule{\n\t\tName: \"rule1\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerProviderEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tProviderEvents: []string{\"update\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action2.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 2,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tIsFailureAction: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\trule1, _, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tlastReceivedEmail.reset()\n\t_, _, err = httpdtest.UpdateUser(user2, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool {\n\t\treturn lastReceivedEmail.get().From != \"\"\n\t}, 3000*time.Millisecond, 100*time.Millisecond)\n\temail := lastReceivedEmail.get()\n\tassert.Len(t, email.To, 1)\n\tassert.True(t, slices.Contains(email.To, \"failure@example.com\"))\n\tassert.Contains(t, email.Data, `Subject: Failed action`)\n\n\tuser1.VirtualFolders[0].FsConfig.SFTPConfig.Password = kms.NewPlainSecret(defaultPassword)\n\tuser2.FsConfig.SFTPConfig.Password = kms.NewPlainSecret(defaultPassword)\n\n\tconn := common.NewBaseConnection(\"\", common.ProtocolWebDAV, \"\", \"\", user1)\n\t_, _, err = conn.GetFsAndResolvedPath(user1.VirtualFolders[0].VirtualPath)\n\tassert.ErrorIs(t, err, os.ErrPermission)\n\n\tconn = common.NewBaseConnection(\"\", common.ProtocolSFTP, \"\", \"\", user1)\n\t_, _, err = conn.GetFsAndResolvedPath(user1.VirtualFolders[0].VirtualPath)\n\tassert.Error(t, err)\n\tconn = common.NewBaseConnection(\"\", common.ProtocolFTP, \"\", \"\", user1)\n\t_, _, err = conn.GetFsAndResolvedPath(user1.VirtualFolders[0].VirtualPath)\n\tassert.Error(t, err)\n\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user1, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user1.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user2, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user2.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(folder, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n}\n\nfunc TestNonLocalCrossRename(t *testing.T) {\n\tbaseUser, resp, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tu := getTestUser()\n\tu.HomeDir += \"_folders\"\n\tu.Username += \"_folders\"\n\tmappedPathSFTP := filepath.Join(os.TempDir(), \"sftp\")\n\tfolderNameSFTP := filepath.Base(mappedPathSFTP)\n\tvdirSFTPPath := \"/vdir/sftp\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderNameSFTP,\n\t\t},\n\t\tVirtualPath: vdirSFTPPath,\n\t})\n\tmappedPathCrypt := filepath.Join(os.TempDir(), \"crypt\")\n\tfolderNameCrypt := filepath.Base(mappedPathCrypt)\n\tvdirCryptPath := \"/vdir/crypt\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderNameCrypt,\n\t\t},\n\t\tVirtualPath: vdirCryptPath,\n\t})\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderNameSFTP,\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.SFTPFilesystemProvider,\n\t\t\tSFTPConfig: vfs.SFTPFsConfig{\n\t\t\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\t\t\tEndpoint: sftpServerAddr,\n\t\t\t\t\tUsername: baseUser.Username,\n\t\t\t\t},\n\t\t\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err = httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderNameCrypt,\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.CryptedFilesystemProvider,\n\t\t\tCryptConfig: vfs.CryptFsConfig{\n\t\t\t\tPassphrase: kms.NewPlainSecret(defaultPassword),\n\t\t\t},\n\t\t},\n\t\tMappedPath: mappedPathCrypt,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tuser, resp, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t\terr = writeSFTPFile(testFileName, 4096, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirSFTPPath, testFileName), 8192, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirCryptPath, testFileName), 16384, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(path.Join(vdirSFTPPath, testFileName), path.Join(vdirCryptPath, testFileName+\".rename\"))\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Rename(path.Join(vdirCryptPath, testFileName), path.Join(vdirSFTPPath, testFileName+\".rename\"))\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Rename(testFileName, path.Join(vdirCryptPath, testFileName+\".rename\"))\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Rename(testFileName, path.Join(vdirSFTPPath, testFileName+\".rename\"))\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Rename(path.Join(vdirSFTPPath, testFileName), testFileName+\".rename\")\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Rename(path.Join(vdirCryptPath, testFileName), testFileName+\".rename\")\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\t// rename on local fs or on the same folder must work\n\t\terr = client.Rename(testFileName, testFileName+\".rename\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(path.Join(vdirSFTPPath, testFileName), path.Join(vdirSFTPPath, testFileName+\"_rename\"))\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(path.Join(vdirCryptPath, testFileName), path.Join(vdirCryptPath, testFileName+\"_rename\"))\n\t\tassert.NoError(t, err)\n\t\t// renaming a virtual folder is not allowed\n\t\terr = client.Rename(vdirSFTPPath, vdirSFTPPath+\"_rename\")\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Rename(vdirCryptPath, vdirCryptPath+\"_rename\")\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Rename(vdirCryptPath, path.Join(vdirCryptPath, \"rename\"))\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Mkdir(path.Join(vdirCryptPath, \"subcryptdir\"))\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(path.Join(vdirCryptPath, \"subcryptdir\"), vdirCryptPath)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\t// renaming root folder is not allowed\n\t\terr = client.Rename(\"/\", \"new_name\")\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\t// renaming a path to a virtual folder is not allowed\n\t\terr = client.Rename(\"/vdir\", \"new_vdir\")\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_OP_UNSUPPORTED\")\n\t\t}\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderNameCrypt}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderNameSFTP}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(baseUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(baseUser.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPathCrypt)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPathSFTP)\n\tassert.NoError(t, err)\n}\n\nfunc TestNonLocalCrossRenameNonLocalBaseUser(t *testing.T) {\n\tbaseUser, resp, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tu := getTestSFTPUser()\n\tmappedPathLocal := filepath.Join(os.TempDir(), \"local\")\n\tfolderNameLocal := filepath.Base(mappedPathLocal)\n\tvdirLocalPath := \"/vdir/local\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderNameLocal,\n\t\t},\n\t\tVirtualPath: vdirLocalPath,\n\t})\n\tmappedPathCrypt := filepath.Join(os.TempDir(), \"crypt\")\n\tfolderNameCrypt := filepath.Base(mappedPathCrypt)\n\tvdirCryptPath := \"/vdir/crypt\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderNameCrypt,\n\t\t},\n\t\tVirtualPath: vdirCryptPath,\n\t})\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderNameLocal,\n\t\tMappedPath: mappedPathLocal,\n\t}\n\t_, _, err = httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderNameCrypt,\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.CryptedFilesystemProvider,\n\t\t\tCryptConfig: vfs.CryptFsConfig{\n\t\t\t\tPassphrase: kms.NewPlainSecret(defaultPassword),\n\t\t\t},\n\t\t},\n\t\tMappedPath: mappedPathCrypt,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tuser, resp, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t\terr = writeSFTPFile(testFileName, 4096, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirLocalPath, testFileName), 8192, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirCryptPath, testFileName), 16384, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(path.Join(vdirLocalPath, testFileName), path.Join(vdirCryptPath, testFileName+\".rename\"))\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Rename(path.Join(vdirCryptPath, testFileName), path.Join(vdirLocalPath, testFileName+\".rename\"))\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Rename(testFileName, path.Join(vdirCryptPath, testFileName+\".rename\"))\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Rename(testFileName, path.Join(vdirLocalPath, testFileName+\".rename\"))\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Rename(path.Join(vdirLocalPath, testFileName), testFileName+\".rename\")\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Rename(path.Join(vdirCryptPath, testFileName), testFileName+\".rename\")\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\t// rename on local fs or on the same folder must work\n\t\terr = client.Rename(testFileName, testFileName+\".rename\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(path.Join(vdirLocalPath, testFileName), path.Join(vdirLocalPath, testFileName+\"_rename\"))\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(path.Join(vdirCryptPath, testFileName), path.Join(vdirCryptPath, testFileName+\"_rename\"))\n\t\tassert.NoError(t, err)\n\t\t// renaming a virtual folder is not allowed\n\t\terr = client.Rename(vdirLocalPath, vdirLocalPath+\"_rename\")\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Rename(vdirCryptPath, vdirCryptPath+\"_rename\")\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\t// renaming root folder is not allowed\n\t\terr = client.Rename(\"/\", \"new_name\")\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\t// renaming a path to a virtual folder is not allowed\n\t\terr = client.Rename(\"/vdir\", \"new_vdir\")\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_OP_UNSUPPORTED\")\n\t\t}\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderNameCrypt}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderNameLocal}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(baseUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(baseUser.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPathCrypt)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPathLocal)\n\tassert.NoError(t, err)\n}\n\nfunc TestCopyAndRemoveSSHCommands(t *testing.T) {\n\tu := getTestUser()\n\tu.QuotaFiles = 1000\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tfileSize := int64(32)\n\t\terr = writeSFTPFile(testFileName, fileSize, client)\n\t\tassert.NoError(t, err)\n\n\t\ttestFileNameCopy := testFileName + \"_copy\"\n\t\tout, err := runSSHCommand(fmt.Sprintf(\"sftpgo-copy %s %s\", testFileName, testFileNameCopy), user)\n\t\tassert.NoError(t, err, string(out))\n\t\t// the resolved destination path match the source path\n\t\tout, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %s %s\", testFileName, path.Dir(testFileName)), user)\n\t\tassert.Error(t, err, string(out))\n\n\t\tinfo, err := client.Stat(testFileNameCopy)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, fileSize, info.Size())\n\t\t}\n\n\t\ttestDir := \"test dir\"\n\t\terr = client.Mkdir(testDir)\n\t\tassert.NoError(t, err)\n\t\tout, err = runSSHCommand(fmt.Sprintf(`sftpgo-copy %s '%s'`, testFileName, testDir), user)\n\t\tassert.NoError(t, err, string(out))\n\t\tinfo, err = client.Stat(path.Join(testDir, testFileName))\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, fileSize, info.Size())\n\t\t}\n\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 3*fileSize, user.UsedQuotaSize)\n\t\tassert.Equal(t, 3, user.UsedQuotaFiles)\n\n\t\tout, err = runSSHCommand(fmt.Sprintf(\"sftpgo-remove %s\", testFileNameCopy), user)\n\t\tassert.NoError(t, err, string(out))\n\t\tout, err = runSSHCommand(fmt.Sprintf(`sftpgo-remove '%s'`, testDir), user)\n\t\tassert.NoError(t, err, string(out))\n\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, fileSize, user.UsedQuotaSize)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\n\t\t_, err = client.Stat(testFileNameCopy)\n\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t\t// create a dir tree\n\t\tdir1 := \"dir1\"\n\t\tdir2 := \"dir 2\"\n\t\terr = client.MkdirAll(path.Join(dir1, dir2))\n\t\tassert.NoError(t, err)\n\t\ttoCreate := []string{\n\t\t\tpath.Join(dir1, testFileName),\n\t\t\tpath.Join(dir1, dir2, testFileName),\n\t\t}\n\t\tfor _, p := range toCreate {\n\t\t\terr = writeSFTPFile(p, fileSize, client)\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t\t// create a symlink, copying a symlink is not supported\n\t\terr = client.Symlink(path.Join(\"/\", dir1, testFileName), path.Join(\"/\", dir1, testFileName+\"_link\"))\n\t\tassert.NoError(t, err)\n\t\tout, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %s %s\", path.Join(\"/\", dir1, testFileName+\"_link\"),\n\t\t\tpath.Join(\"/\", testFileName+\"_link\")), user)\n\t\tassert.Error(t, err, string(out))\n\t\t// copying a dir inside itself should fail\n\t\tout, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %s %s\", path.Join(\"/\", dir1),\n\t\t\tpath.Join(\"/\", dir1, \"sub\")), user)\n\t\tassert.Error(t, err, string(out))\n\t\t// copy source and dest must differ\n\t\tout, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %s %s\", path.Join(\"/\", dir1),\n\t\t\tpath.Join(\"/\", dir1)), user)\n\t\tassert.Error(t, err, string(out))\n\t\t// copy a missing file/dir should fail\n\t\tout, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %s %s\", path.Join(\"/\", \"missing_entry\"),\n\t\t\tpath.Join(\"/\", dir1)), user)\n\t\tassert.Error(t, err, string(out))\n\t\t// try to overwrite a file with a dir\n\t\tout, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %s %s\", path.Join(\"/\", dir1), testFileName), user)\n\t\tassert.Error(t, err, string(out))\n\n\t\tout, err = runSSHCommand(fmt.Sprintf(`sftpgo-copy %s \"%s\"`, dir1, dir2), user)\n\t\tassert.NoError(t, err, string(out))\n\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 5*fileSize, user.UsedQuotaSize)\n\t\tassert.Equal(t, 5, user.UsedQuotaFiles)\n\n\t\t// copy again, quota must remain unchanged\n\t\tout, err = runSSHCommand(fmt.Sprintf(`sftpgo-copy %s/ \"%s\"`, dir1, dir2), user)\n\t\tassert.NoError(t, err, string(out))\n\t\t_, err = client.Stat(dir2)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 5*fileSize, user.UsedQuotaSize)\n\t\tassert.Equal(t, 5, user.UsedQuotaFiles)\n\t\t// now copy inside target\n\t\tout, err = runSSHCommand(fmt.Sprintf(`sftpgo-copy %s \"%s\"`, dir1, dir2), user)\n\t\tassert.NoError(t, err, string(out))\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 7*fileSize, user.UsedQuotaSize)\n\t\tassert.Equal(t, 7, user.UsedQuotaFiles)\n\n\t\tfor _, p := range []string{dir1, dir2} {\n\t\t\tout, err = runSSHCommand(fmt.Sprintf(`sftpgo-remove \"%s\"`, p), user)\n\t\t\tassert.NoError(t, err, string(out))\n\t\t\t_, err = client.Stat(p)\n\t\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t\t}\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, fileSize, user.UsedQuotaSize)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\t// test quota errors\n\t\tuser.QuotaFiles = 1\n\t\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\t\tassert.NoError(t, err)\n\t\t// quota files exceeded\n\t\tout, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %s %s\", testFileName, testFileNameCopy), user)\n\t\tassert.Error(t, err, string(out))\n\t\tuser.QuotaFiles = 1000\n\t\tuser.QuotaSize = fileSize + 1\n\t\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\t\tassert.NoError(t, err)\n\t\t// quota size exceeded after the copy\n\t\tout, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %s %s\", testFileName, testFileNameCopy), user)\n\t\tassert.Error(t, err, string(out))\n\t\tuser.QuotaSize = fileSize - 1\n\t\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\t\tassert.NoError(t, err)\n\t\t// quota size exceeded\n\t\tout, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %s %s\", testFileName, testFileNameCopy), user)\n\t\tassert.Error(t, err, string(out))\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestCopyAndRemovePermissions(t *testing.T) {\n\tu := getTestUser()\n\trestrictedPath := \"/dir/path\"\n\tpatternFilterPath := \"/patterns\"\n\tu.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: patternFilterPath,\n\t\t\tDeniedPatterns: []string{\"*.dat\"},\n\t\t},\n\t}\n\tu.Permissions[restrictedPath] = []string{}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr = client.MkdirAll(restrictedPath)\n\t\tassert.NoError(t, err)\n\t\terr = client.MkdirAll(patternFilterPath)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(testFileName, 100, client)\n\t\tassert.NoError(t, err)\n\t\t// getting file writer will fail\n\t\tout, err := runSSHCommand(fmt.Sprintf(`sftpgo-copy %s %s`, testFileName, restrictedPath), user)\n\t\tassert.Error(t, err, string(out))\n\t\t// file pattern not allowed\n\t\tout, err = runSSHCommand(fmt.Sprintf(`sftpgo-copy %s %s`, testFileName, patternFilterPath), user)\n\t\tassert.Error(t, err, string(out))\n\n\t\ttestDir := path.Join(\"/\", path.Base(restrictedPath))\n\t\terr = client.Mkdir(testDir)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(testDir, testFileName), 100, client)\n\t\tassert.NoError(t, err)\n\t\t// creating target dir will fail\n\t\tout, err = runSSHCommand(fmt.Sprintf(`sftpgo-copy %s %s/`, testDir, restrictedPath), user)\n\t\tassert.Error(t, err, string(out))\n\t\t// get dir contents will fail\n\t\tout, err = runSSHCommand(fmt.Sprintf(`sftpgo-copy %s /`, restrictedPath), user)\n\t\tassert.Error(t, err, string(out))\n\t\t// get dir contents will fail\n\t\tout, err = runSSHCommand(fmt.Sprintf(`sftpgo-remove %s`, restrictedPath), user)\n\t\tassert.Error(t, err, string(out))\n\t\t// give list dir permissions and retry, now delete will fail\n\t\tuser.Permissions[restrictedPath] = []string{dataprovider.PermListItems, dataprovider.PermUpload}\n\t\tuser.Permissions[testDir] = []string{dataprovider.PermListItems}\n\t\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\t\tassert.NoError(t, err)\n\t\t// no copy permission\n\t\tout, err = runSSHCommand(fmt.Sprintf(`sftpgo-copy %s %s`, testFileName, restrictedPath), user)\n\t\tassert.Error(t, err, string(out))\n\t\tuser.Permissions[restrictedPath] = []string{dataprovider.PermListItems, dataprovider.PermUpload, dataprovider.PermCopy}\n\t\tuser.Permissions[testDir] = []string{dataprovider.PermListItems, dataprovider.PermCopy}\n\t\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\t\tassert.NoError(t, err)\n\t\tout, err = runSSHCommand(fmt.Sprintf(`sftpgo-copy %s %s`, testFileName, restrictedPath), user)\n\t\tassert.NoError(t, err, string(out))\n\t\t// overwrite will fail, no permission\n\t\tout, err = runSSHCommand(fmt.Sprintf(`sftpgo-copy %s %s`, testFileName, restrictedPath), user)\n\t\tassert.Error(t, err, string(out))\n\t\tout, err = runSSHCommand(fmt.Sprintf(`sftpgo-remove %s`, restrictedPath), user)\n\t\tassert.Error(t, err, string(out))\n\t\t// try to copy a file from testDir, we have only list permissions so getFileReader will fail\n\t\tout, err = runSSHCommand(fmt.Sprintf(`sftpgo-copy %s %s`, path.Join(testDir, testFileName), testFileName+\".copy\"), user)\n\t\tassert.Error(t, err, string(out))\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestCrossFoldersCopy(t *testing.T) {\n\tbaseUser, resp, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\n\tu := getTestUser()\n\tu.Username += \"_1\"\n\tu.HomeDir = filepath.Join(os.TempDir(), u.Username)\n\tu.QuotaFiles = 1000\n\tmappedPath1 := filepath.Join(os.TempDir(), \"mapped1\")\n\tfolderName1 := filepath.Base(mappedPath1)\n\tvpath1 := \"/vdirs/vdir1\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: vpath1,\n\t\tQuotaSize: -1,\n\t\tQuotaFiles: -1,\n\t})\n\tmappedPath2 := filepath.Join(os.TempDir(), \"mapped1\", \"dir\", \"mapped2\")\n\tfolderName2 := filepath.Base(mappedPath2)\n\tvpath2 := \"/vdirs/vdir2\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t},\n\t\tVirtualPath: vpath2,\n\t\tQuotaSize: -1,\n\t\tQuotaFiles: -1,\n\t})\n\tmappedPath3 := filepath.Join(os.TempDir(), \"mapped3\")\n\tfolderName3 := filepath.Base(mappedPath3)\n\tvpath3 := \"/vdirs/vdir3\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName3,\n\t\t},\n\t\tVirtualPath: vpath3,\n\t\tQuotaSize: -1,\n\t\tQuotaFiles: -1,\n\t})\n\tmappedPath4 := filepath.Join(os.TempDir(), \"mapped4\")\n\tfolderName4 := filepath.Base(mappedPath4)\n\tvpath4 := \"/vdirs/vdir4\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName4,\n\t\t},\n\t\tVirtualPath: vpath4,\n\t\tQuotaSize: -1,\n\t\tQuotaFiles: -1,\n\t})\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderName1,\n\t\tMappedPath: mappedPath1,\n\t}\n\t_, _, err = httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName2,\n\t\tMappedPath: mappedPath2,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf3 := vfs.BaseVirtualFolder{\n\t\tName: folderName3,\n\t\tMappedPath: mappedPath3,\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.CryptedFilesystemProvider,\n\t\t\tCryptConfig: vfs.CryptFsConfig{\n\t\t\t\tPassphrase: kms.NewPlainSecret(defaultPassword),\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err = httpdtest.AddFolder(f3, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf4 := vfs.BaseVirtualFolder{\n\t\tName: folderName4,\n\t\tMappedPath: mappedPath4,\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.SFTPFilesystemProvider,\n\t\t\tSFTPConfig: vfs.SFTPFsConfig{\n\t\t\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\t\t\tEndpoint: sftpServerAddr,\n\t\t\t\t\tUsername: baseUser.Username,\n\t\t\t\t},\n\t\t\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err = httpdtest.AddFolder(f4, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tuser, resp, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tconn, client, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tbaseFileSize := int64(100)\n\t\terr = writeSFTPFile(path.Join(vpath1, testFileName), baseFileSize+1, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vpath2, testFileName), baseFileSize+2, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vpath3, testFileName), baseFileSize+3, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vpath4, testFileName), baseFileSize+4, client)\n\t\tassert.NoError(t, err)\n\t\t// cannot remove a directory with virtual folders inside\n\t\tout, err := runSSHCommand(fmt.Sprintf(`sftpgo-remove %s`, path.Dir(vpath1)), user)\n\t\tassert.Error(t, err, string(out))\n\t\t// copy across virtual folders\n\t\tcopyDir := \"/copy\"\n\t\tout, err = runSSHCommand(fmt.Sprintf(`sftpgo-copy %s %s/`, path.Dir(vpath1), copyDir), user)\n\t\tassert.NoError(t, err, string(out))\n\t\t// check the copy\n\t\tinfo, err := client.Stat(path.Join(copyDir, vpath1, testFileName))\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, baseFileSize+1, info.Size())\n\t\t}\n\t\tinfo, err = client.Stat(path.Join(copyDir, vpath2, testFileName))\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, baseFileSize+2, info.Size())\n\t\t}\n\t\tinfo, err = client.Stat(path.Join(copyDir, vpath3, testFileName))\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, baseFileSize+3, info.Size())\n\t\t}\n\t\tinfo, err = client.Stat(path.Join(copyDir, vpath4, testFileName))\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, baseFileSize+4, info.Size())\n\t\t}\n\t\t// nested fs paths\n\t\tout, err = runSSHCommand(fmt.Sprintf(`sftpgo-copy %s %s`, vpath1, vpath2), user)\n\t\tassert.Error(t, err, string(out))\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(baseUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(baseUser.GetHomeDir())\n\tassert.NoError(t, err)\n\tfor _, folderName := range []string{folderName1, folderName2, folderName3, folderName4} {\n\t\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName}, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\terr = os.RemoveAll(filepath.Join(os.TempDir(), folderName))\n\t\tassert.NoError(t, err)\n\t}\n}\n\nfunc TestHTTPFs(t *testing.T) {\n\tu := getTestUserWithHTTPFs()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\terr = os.MkdirAll(user.GetHomeDir(), os.ModePerm)\n\tassert.NoError(t, err)\n\n\tconn := common.NewBaseConnection(xid.New().String(), common.ProtocolFTP, \"\", \"\", user)\n\terr = conn.CreateDir(httpFsWellKnowDir, false)\n\tassert.NoError(t, err)\n\n\terr = os.WriteFile(filepath.Join(os.TempDir(), \"httpfs\", defaultHTTPFsUsername, httpFsWellKnowDir, \"file.txt\"), []byte(\"data\"), 0666)\n\tassert.NoError(t, err)\n\n\terr = conn.Copy(httpFsWellKnowDir, httpFsWellKnowDir+\"_copy\")\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestProxyProtocol(t *testing.T) {\n\tresp, err := httpclient.Get(fmt.Sprintf(\"http://%v\", httpProxyAddr))\n\tif !assert.Error(t, err) {\n\t\tresp.Body.Close()\n\t}\n}\n\nfunc TestSetProtocol(t *testing.T) {\n\tconn := common.NewBaseConnection(\"id\", \"sshd_exec\", \"\", \"\", dataprovider.User{BaseUser: sdk.BaseUser{HomeDir: os.TempDir()}})\n\tconn.SetProtocol(common.ProtocolSCP)\n\trequire.Equal(t, \"SCP_id\", conn.GetID())\n}\n\nfunc TestGetFsError(t *testing.T) {\n\tu := getTestUser()\n\tu.FsConfig.Provider = sdk.GCSFilesystemProvider\n\tu.FsConfig.GCSConfig.Bucket = \"test\"\n\tu.FsConfig.GCSConfig.Credentials = kms.NewPlainSecret(\"invalid JSON for credentials\")\n\tconn := common.NewBaseConnection(\"\", common.ProtocolFTP, \"\", \"\", u)\n\t_, _, err := conn.GetFsAndResolvedPath(\"/vpath\")\n\tassert.Error(t, err)\n}\n\nfunc waitTCPListening(address string) {\n\tfor {\n\t\tconn, err := net.Dial(\"tcp\", address)\n\t\tif err != nil {\n\t\t\tlogger.WarnToConsole(\"tcp server %v not listening: %v\", address, err)\n\t\t\ttime.Sleep(100 * time.Millisecond)\n\t\t\tcontinue\n\t\t}\n\t\tlogger.InfoToConsole(\"tcp server %v now listening\", address)\n\t\tconn.Close()\n\t\tbreak\n\t}\n}\n\nfunc checkBasicSFTP(client *sftp.Client) error {\n\t_, err := client.Getwd()\n\tif err != nil {\n\t\treturn err\n\t}\n\t_, err = client.ReadDir(\".\")\n\treturn err\n}\n\nfunc getCustomAuthSftpClient(user dataprovider.User, authMethods []ssh.AuthMethod) (*ssh.Client, *sftp.Client, error) {\n\tvar sftpClient *sftp.Client\n\tconfig := &ssh.ClientConfig{\n\t\tUser: user.Username,\n\t\tHostKeyCallback: ssh.InsecureIgnoreHostKey(),\n\t\tAuth: authMethods,\n\t\tTimeout: 5 * time.Second,\n\t}\n\tconn, err := ssh.Dial(\"tcp\", sftpServerAddr, config)\n\tif err != nil {\n\t\treturn conn, sftpClient, err\n\t}\n\tsftpClient, err = sftp.NewClient(conn)\n\tif err != nil {\n\t\tconn.Close()\n\t}\n\treturn conn, sftpClient, err\n}\n\nfunc getSftpClient(user dataprovider.User) (*ssh.Client, *sftp.Client, error) {\n\tvar sftpClient *sftp.Client\n\tconfig := &ssh.ClientConfig{\n\t\tUser: user.Username,\n\t\tHostKeyCallback: ssh.InsecureIgnoreHostKey(),\n\t\tTimeout: 5 * time.Second,\n\t}\n\tif user.Password != \"\" {\n\t\tconfig.Auth = []ssh.AuthMethod{ssh.Password(user.Password)}\n\t} else {\n\t\tconfig.Auth = []ssh.AuthMethod{ssh.Password(defaultPassword)}\n\t}\n\n\tconn, err := ssh.Dial(\"tcp\", sftpServerAddr, config)\n\tif err != nil {\n\t\treturn conn, sftpClient, err\n\t}\n\tsftpClient, err = sftp.NewClient(conn)\n\tif err != nil {\n\t\tconn.Close()\n\t}\n\treturn conn, sftpClient, err\n}\n\nfunc runSSHCommand(command string, user dataprovider.User) ([]byte, error) {\n\tvar sshSession *ssh.Session\n\tvar output []byte\n\tconfig := &ssh.ClientConfig{\n\t\tUser: user.Username,\n\t\tHostKeyCallback: ssh.InsecureIgnoreHostKey(),\n\t\tTimeout: 5 * time.Second,\n\t}\n\tif user.Password != \"\" {\n\t\tconfig.Auth = []ssh.AuthMethod{ssh.Password(user.Password)}\n\t} else {\n\t\tconfig.Auth = []ssh.AuthMethod{ssh.Password(defaultPassword)}\n\t}\n\n\tconn, err := ssh.Dial(\"tcp\", sftpServerAddr, config)\n\tif err != nil {\n\t\treturn output, err\n\t}\n\tdefer conn.Close()\n\tsshSession, err = conn.NewSession()\n\tif err != nil {\n\t\treturn output, err\n\t}\n\tvar stdout, stderr bytes.Buffer\n\tsshSession.Stdout = &stdout\n\tsshSession.Stderr = &stderr\n\terr = sshSession.Run(command)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to run command %v: %v\", command, stderr.Bytes())\n\t}\n\treturn stdout.Bytes(), err\n}\n\nfunc getWebDavClient(user dataprovider.User) *gowebdav.Client {\n\trootPath := fmt.Sprintf(\"http://localhost:%d/\", webDavServerPort)\n\tpwd := defaultPassword\n\tif user.Password != \"\" {\n\t\tpwd = user.Password\n\t}\n\tclient := gowebdav.NewClient(rootPath, user.Username, pwd)\n\tclient.SetTimeout(10 * time.Second)\n\treturn client\n}\n\nfunc getTestUser() dataprovider.User {\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: defaultUsername,\n\t\t\tPassword: defaultPassword,\n\t\t\tHomeDir: filepath.Join(homeBasePath, defaultUsername),\n\t\t\tStatus: 1,\n\t\t\tExpirationDate: 0,\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = allPerms\n\treturn user\n}\n\nfunc getTestSFTPUser() dataprovider.User {\n\tu := getTestUser()\n\tu.Username = defaultSFTPUsername\n\tu.FsConfig.Provider = sdk.SFTPFilesystemProvider\n\tu.FsConfig.SFTPConfig.Endpoint = sftpServerAddr\n\tu.FsConfig.SFTPConfig.Username = defaultUsername\n\tu.FsConfig.SFTPConfig.Password = kms.NewPlainSecret(defaultPassword)\n\treturn u\n}\n\nfunc getCryptFsUser() dataprovider.User {\n\tu := getTestUser()\n\tu.Username += \"_crypt\"\n\tu.FsConfig.Provider = sdk.CryptedFilesystemProvider\n\tu.FsConfig.CryptConfig.Passphrase = kms.NewPlainSecret(defaultPassword)\n\treturn u\n}\n\nfunc getTestUserWithHTTPFs() dataprovider.User {\n\tu := getTestUser()\n\tu.FsConfig.Provider = sdk.HTTPFilesystemProvider\n\tu.FsConfig.HTTPConfig = vfs.HTTPFsConfig{\n\t\tBaseHTTPFsConfig: sdk.BaseHTTPFsConfig{\n\t\t\tEndpoint: fmt.Sprintf(\"http://127.0.0.1:%d/api/v1\", httpFsPort),\n\t\t\tUsername: defaultHTTPFsUsername,\n\t\t},\n\t}\n\treturn u\n}\n\nfunc writeSFTPFile(name string, size int64, client *sftp.Client) error {\n\terr := writeSFTPFileNoCheck(name, size, client)\n\tif err != nil {\n\t\treturn err\n\t}\n\tinfo, err := client.Stat(name)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif info.Size() != size {\n\t\treturn fmt.Errorf(\"file size mismatch, wanted %v, actual %v\", size, info.Size())\n\t}\n\treturn nil\n}\n\nfunc writeSFTPFileNoCheck(name string, size int64, client *sftp.Client) error {\n\tcontent := make([]byte, size)\n\t_, err := rand.Read(content)\n\tif err != nil {\n\t\treturn err\n\t}\n\tf, err := client.Create(name)\n\tif err != nil {\n\t\treturn err\n\t}\n\t_, err = io.Copy(f, bytes.NewBuffer(content))\n\tif err != nil {\n\t\tf.Close()\n\t\treturn err\n\t}\n\treturn f.Close()\n}\n\nfunc getUploadScriptEnvContent(envVar string) []byte {\n\tcontent := []byte(\"#!/bin/sh\\n\\n\")\n\tcontent = append(content, []byte(fmt.Sprintf(\"if [ -z \\\"$%s\\\" ]\\n\", envVar))...)\n\tcontent = append(content, []byte(\"then\\n\")...)\n\tcontent = append(content, []byte(\" exit 1\\n\")...)\n\tcontent = append(content, []byte(\"else\\n\")...)\n\tcontent = append(content, []byte(\" exit 0\\n\")...)\n\tcontent = append(content, []byte(\"fi\\n\")...)\n\treturn content\n}\n\nfunc getUploadScriptContent(movedPath, logFilePath string, exitStatus int) []byte {\n\tcontent := []byte(\"#!/bin/sh\\n\\n\")\n\tcontent = append(content, []byte(\"sleep 1\\n\")...)\n\tif logFilePath != \"\" {\n\t\tcontent = append(content, []byte(fmt.Sprintf(\"echo $@ > %v\\n\", logFilePath))...)\n\t}\n\tcontent = append(content, []byte(fmt.Sprintf(\"mv ${SFTPGO_ACTION_PATH} %v\\n\", movedPath))...)\n\tcontent = append(content, []byte(fmt.Sprintf(\"exit %d\", exitStatus))...)\n\treturn content\n}\n\nfunc getSaveProviderObjectScriptContent(outFilePath string, exitStatus int) []byte {\n\tcontent := []byte(\"#!/bin/sh\\n\\n\")\n\tcontent = append(content, []byte(fmt.Sprintf(\"echo ${SFTPGO_OBJECT_DATA} > %v\\n\", outFilePath))...)\n\tcontent = append(content, []byte(fmt.Sprintf(\"exit %d\", exitStatus))...)\n\treturn content\n}\n\nfunc generateTOTPPasscode(secret string, algo otp.Algorithm) (string, error) {\n\treturn totp.GenerateCodeCustom(secret, time.Now(), totp.ValidateOpts{\n\t\tPeriod: 30,\n\t\tSkew: 1,\n\t\tDigits: otp.DigitsSix,\n\t\tAlgorithm: algo,\n\t})\n}\n\nfunc isDbDefenderSupported() bool {\n\t// SQLite shares the implementation with other SQL-based provider but it makes no sense\n\t// to use it outside test cases\n\tswitch dataprovider.GetProviderStatus().Driver {\n\tcase dataprovider.MySQLDataProviderName, dataprovider.PGSQLDataProviderName,\n\t\tdataprovider.CockroachDataProviderName, dataprovider.SQLiteDataProviderName:\n\t\treturn true\n\tdefault:\n\t\treturn false\n\t}\n}\n\nfunc getEncryptedFileSize(size int64) (int64, error) {\n\tencSize, err := sio.EncryptedSize(uint64(size))\n\treturn int64(encSize) + 33, err\n}\n\nfunc printLatestLogs(maxNumberOfLines int) {\n\tvar lines []string\n\tf, err := os.Open(logFilePath)\n\tif err != nil {\n\t\treturn\n\t}\n\tdefer f.Close()\n\tscanner := bufio.NewScanner(f)\n\tfor scanner.Scan() {\n\t\tlines = append(lines, scanner.Text()+\"\\r\\n\")\n\t\tfor len(lines) > maxNumberOfLines {\n\t\t\tlines = lines[1:]\n\t\t}\n\t}\n\tif scanner.Err() != nil {\n\t\tlogger.WarnToConsole(\"Unable to print latest logs: %v\", scanner.Err())\n\t\treturn\n\t}\n\tfor _, line := range lines {\n\t\tlogger.DebugToConsole(\"%s\", line)\n\t}\n}\n\ntype receivedEmail struct {\n\tsync.RWMutex\n\tFrom string\n\tTo []string\n\tData string\n}\n\nfunc (e *receivedEmail) set(from string, to []string, data []byte) {\n\te.Lock()\n\tdefer e.Unlock()\n\n\te.From = from\n\te.To = to\n\te.Data = strings.ReplaceAll(string(data), \"=\\r\\n\", \"\")\n}\n\nfunc (e *receivedEmail) reset() {\n\te.Lock()\n\tdefer e.Unlock()\n\n\te.From = \"\"\n\te.To = nil\n\te.Data = \"\"\n}\n\nfunc (e *receivedEmail) get() receivedEmail {\n\te.RLock()\n\tdefer e.RUnlock()\n\n\treturn receivedEmail{\n\t\tFrom: e.From,\n\t\tTo: e.To,\n\t\tData: e.Data,\n\t}\n}\n\nfunc startHTTPFs() {\n\tgo func() {\n\t\treaddirCallback := func(name string) []os.FileInfo {\n\t\t\tif name == httpFsWellKnowDir {\n\t\t\t\treturn []os.FileInfo{vfs.NewFileInfo(\"ghost.txt\", false, 0, time.Unix(0, 0), false)}\n\t\t\t}\n\t\t\treturn nil\n\t\t}\n\t\tcallbacks := &httpdtest.HTTPFsCallbacks{\n\t\t\tReaddir: readdirCallback,\n\t\t}\n\t\tif err := httpdtest.StartTestHTTPFs(httpFsPort, callbacks); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start HTTPfs test server: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}()\n\twaitTCPListening(fmt.Sprintf(\":%d\", httpFsPort))\n}\n" }, { "path": "internal/common/ratelimiter.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"slices\"\n\t\"sort\"\n\t\"sync\"\n\t\"sync/atomic\"\n\t\"time\"\n\n\t\"golang.org/x/time/rate\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nvar (\n\terrNoBucket = errors.New(\"no bucket found\")\n\terrReserve = errors.New(\"unable to reserve token\")\n\trateLimiterProtocolValues = []string{ProtocolSSH, ProtocolFTP, ProtocolWebDAV, ProtocolHTTP}\n)\n\n// RateLimiterType defines the supported rate limiters types\ntype RateLimiterType int\n\n// Supported rate limiter types\nconst (\n\trateLimiterTypeGlobal RateLimiterType = iota + 1\n\trateLimiterTypeSource\n)\n\n// RateLimiterConfig defines the configuration for a rate limiter\ntype RateLimiterConfig struct {\n\t// Average defines the maximum rate allowed. 0 means disabled\n\tAverage int64 `json:\"average\" mapstructure:\"average\"`\n\t// Period defines the period as milliseconds. Default: 1000 (1 second).\n\t// The rate is actually defined by dividing average by period.\n\t// So for a rate below 1 req/s, one needs to define a period larger than a second.\n\tPeriod int64 `json:\"period\" mapstructure:\"period\"`\n\t// Burst is the maximum number of requests allowed to go through in the\n\t// same arbitrarily small period of time. Default: 1.\n\tBurst int `json:\"burst\" mapstructure:\"burst\"`\n\t// Type defines the rate limiter type:\n\t// - rateLimiterTypeGlobal is a global rate limiter independent from the source\n\t// - rateLimiterTypeSource is a per-source rate limiter\n\tType int `json:\"type\" mapstructure:\"type\"`\n\t// Protocols defines the protocols for this rate limiter.\n\t// Available protocols are: \"SFTP\", \"FTP\", \"DAV\".\n\t// A rate limiter with no protocols defined is disabled\n\tProtocols []string `json:\"protocols\" mapstructure:\"protocols\"`\n\t// If the rate limit is exceeded, the defender is enabled, and this is a per-source limiter,\n\t// a new defender event will be generated\n\tGenerateDefenderEvents bool `json:\"generate_defender_events\" mapstructure:\"generate_defender_events\"`\n\t// The number of per-ip rate limiters kept in memory will vary between the\n\t// soft and hard limit\n\tEntriesSoftLimit int `json:\"entries_soft_limit\" mapstructure:\"entries_soft_limit\"`\n\tEntriesHardLimit int `json:\"entries_hard_limit\" mapstructure:\"entries_hard_limit\"`\n}\n\nfunc (r *RateLimiterConfig) isEnabled() bool {\n\treturn r.Average > 0 && len(r.Protocols) > 0\n}\n\nfunc (r *RateLimiterConfig) validate() error {\n\tif r.Burst < 1 {\n\t\treturn fmt.Errorf(\"invalid burst %v. It must be >= 1\", r.Burst)\n\t}\n\tif r.Period < 100 {\n\t\treturn fmt.Errorf(\"invalid period %v. It must be >= 100\", r.Period)\n\t}\n\tif r.Type != int(rateLimiterTypeGlobal) && r.Type != int(rateLimiterTypeSource) {\n\t\treturn fmt.Errorf(\"invalid type %v\", r.Type)\n\t}\n\tif r.Type != int(rateLimiterTypeGlobal) {\n\t\tif r.EntriesSoftLimit <= 0 {\n\t\t\treturn fmt.Errorf(\"invalid entries_soft_limit %v\", r.EntriesSoftLimit)\n\t\t}\n\t\tif r.EntriesHardLimit <= r.EntriesSoftLimit {\n\t\t\treturn fmt.Errorf(\"invalid entries_hard_limit %v must be > %v\", r.EntriesHardLimit, r.EntriesSoftLimit)\n\t\t}\n\t}\n\tr.Protocols = util.RemoveDuplicates(r.Protocols, true)\n\tfor _, protocol := range r.Protocols {\n\t\tif !slices.Contains(rateLimiterProtocolValues, protocol) {\n\t\t\treturn fmt.Errorf(\"invalid protocol %q\", protocol)\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (r *RateLimiterConfig) getLimiter() *rateLimiter {\n\tlimiter := &rateLimiter{\n\t\tburst: r.Burst,\n\t\tglobalBucket: nil,\n\t\tgenerateDefenderEvents: r.GenerateDefenderEvents,\n\t}\n\tvar maxDelay time.Duration\n\tperiod := time.Duration(r.Period) * time.Millisecond\n\trtl := float64(r.Average*int64(time.Second)) / float64(period)\n\tlimiter.rate = rate.Limit(rtl)\n\tif rtl < 1 {\n\t\tmaxDelay = period / 2\n\t} else {\n\t\tmaxDelay = time.Second / (time.Duration(rtl) * 2)\n\t}\n\tif maxDelay > 10*time.Second {\n\t\tmaxDelay = 10 * time.Second\n\t}\n\tlimiter.maxDelay = maxDelay\n\tlimiter.buckets = sourceBuckets{\n\t\tbuckets: make(map[string]sourceRateLimiter),\n\t\thardLimit: r.EntriesHardLimit,\n\t\tsoftLimit: r.EntriesSoftLimit,\n\t}\n\tif r.Type != int(rateLimiterTypeSource) {\n\t\tlimiter.globalBucket = rate.NewLimiter(limiter.rate, limiter.burst)\n\t}\n\treturn limiter\n}\n\n// RateLimiter defines a rate limiter\ntype rateLimiter struct {\n\trate rate.Limit\n\tburst int\n\tmaxDelay time.Duration\n\tglobalBucket *rate.Limiter\n\tbuckets sourceBuckets\n\tgenerateDefenderEvents bool\n}\n\n// Wait blocks until the limit allows one event to happen\n// or returns an error if the time to wait exceeds the max\n// allowed delay\nfunc (rl *rateLimiter) Wait(source, protocol string) (time.Duration, error) {\n\tvar res *rate.Reservation\n\tif rl.globalBucket != nil {\n\t\tres = rl.globalBucket.Reserve()\n\t} else {\n\t\tvar err error\n\t\tres, err = rl.buckets.reserve(source)\n\t\tif err != nil {\n\t\t\trateLimiter := rate.NewLimiter(rl.rate, rl.burst)\n\t\t\tres = rl.buckets.addAndReserve(rateLimiter, source)\n\t\t}\n\t}\n\tif !res.OK() {\n\t\treturn 0, errReserve\n\t}\n\tdelay := res.Delay()\n\tif delay > rl.maxDelay {\n\t\tres.Cancel()\n\t\tif rl.generateDefenderEvents && rl.globalBucket == nil {\n\t\t\tAddDefenderEvent(source, protocol, HostEventLimitExceeded)\n\t\t}\n\t\treturn delay, fmt.Errorf(\"rate limit exceed, wait time to respect rate %v, max wait time allowed %v\", delay, rl.maxDelay)\n\t}\n\ttime.Sleep(delay)\n\treturn 0, nil\n}\n\ntype sourceRateLimiter struct {\n\tlastActivity *atomic.Int64\n\tbucket *rate.Limiter\n}\n\nfunc (s *sourceRateLimiter) updateLastActivity() {\n\ts.lastActivity.Store(time.Now().UnixNano())\n}\n\nfunc (s *sourceRateLimiter) getLastActivity() int64 {\n\treturn s.lastActivity.Load()\n}\n\ntype sourceBuckets struct {\n\tsync.RWMutex\n\tbuckets map[string]sourceRateLimiter\n\thardLimit int\n\tsoftLimit int\n}\n\nfunc (b *sourceBuckets) reserve(source string) (*rate.Reservation, error) {\n\tb.RLock()\n\tdefer b.RUnlock()\n\n\tif src, ok := b.buckets[source]; ok {\n\t\tsrc.updateLastActivity()\n\t\treturn src.bucket.Reserve(), nil\n\t}\n\n\treturn nil, errNoBucket\n}\n\nfunc (b *sourceBuckets) addAndReserve(r *rate.Limiter, source string) *rate.Reservation {\n\tb.Lock()\n\tdefer b.Unlock()\n\n\tb.cleanup()\n\n\tsrc := sourceRateLimiter{\n\t\tlastActivity: new(atomic.Int64),\n\t\tbucket: r,\n\t}\n\tsrc.updateLastActivity()\n\tb.buckets[source] = src\n\treturn src.bucket.Reserve()\n}\n\nfunc (b *sourceBuckets) cleanup() {\n\tif len(b.buckets) >= b.hardLimit {\n\t\tnumToRemove := len(b.buckets) - b.softLimit\n\n\t\tkvList := make(kvList, 0, len(b.buckets))\n\n\t\tfor k, v := range b.buckets {\n\t\t\tkvList = append(kvList, kv{\n\t\t\t\tKey: k,\n\t\t\t\tValue: v.getLastActivity(),\n\t\t\t})\n\t\t}\n\n\t\tsort.Sort(kvList)\n\n\t\tfor idx, kv := range kvList {\n\t\t\tif idx >= numToRemove {\n\t\t\t\tbreak\n\t\t\t}\n\n\t\t\tdelete(b.buckets, kv.Key)\n\t\t}\n\t}\n}\n" }, { "path": "internal/common/ratelimiter_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n)\n\nfunc TestRateLimiterConfig(t *testing.T) {\n\tconfig := RateLimiterConfig{}\n\terr := config.validate()\n\trequire.Error(t, err)\n\tconfig.Burst = 1\n\tconfig.Period = 10\n\terr = config.validate()\n\trequire.Error(t, err)\n\tconfig.Period = 1000\n\tconfig.Type = 100\n\terr = config.validate()\n\trequire.Error(t, err)\n\tconfig.Type = int(rateLimiterTypeSource)\n\tconfig.EntriesSoftLimit = 0\n\terr = config.validate()\n\trequire.Error(t, err)\n\tconfig.EntriesSoftLimit = 150\n\tconfig.EntriesHardLimit = 0\n\terr = config.validate()\n\trequire.Error(t, err)\n\tconfig.EntriesHardLimit = 200\n\tconfig.Protocols = []string{\"unsupported protocol\"}\n\terr = config.validate()\n\trequire.Error(t, err)\n\tconfig.Protocols = rateLimiterProtocolValues\n\terr = config.validate()\n\trequire.NoError(t, err)\n\n\tlimiter := config.getLimiter()\n\trequire.Equal(t, 500*time.Millisecond, limiter.maxDelay)\n\trequire.Nil(t, limiter.globalBucket)\n\tconfig.Type = int(rateLimiterTypeGlobal)\n\tconfig.Average = 1\n\tconfig.Period = 10000\n\tlimiter = config.getLimiter()\n\trequire.Equal(t, 5*time.Second, limiter.maxDelay)\n\trequire.NotNil(t, limiter.globalBucket)\n\tconfig.Period = 100000\n\tlimiter = config.getLimiter()\n\trequire.Equal(t, 10*time.Second, limiter.maxDelay)\n\tconfig.Period = 500\n\tconfig.Average = 1\n\tlimiter = config.getLimiter()\n\trequire.Equal(t, 250*time.Millisecond, limiter.maxDelay)\n}\n\nfunc TestRateLimiter(t *testing.T) {\n\tconfig := RateLimiterConfig{\n\t\tAverage: 1,\n\t\tPeriod: 1000,\n\t\tBurst: 1,\n\t\tType: int(rateLimiterTypeGlobal),\n\t\tProtocols: rateLimiterProtocolValues,\n\t}\n\tlimiter := config.getLimiter()\n\t_, err := limiter.Wait(\"\", ProtocolFTP)\n\trequire.NoError(t, err)\n\t_, err = limiter.Wait(\"\", ProtocolSSH)\n\trequire.Error(t, err)\n\n\tconfig.Type = int(rateLimiterTypeSource)\n\tconfig.GenerateDefenderEvents = true\n\tconfig.EntriesSoftLimit = 5\n\tconfig.EntriesHardLimit = 10\n\tlimiter = config.getLimiter()\n\n\tsource := \"192.168.1.2\"\n\t_, err = limiter.Wait(source, ProtocolSSH)\n\trequire.NoError(t, err)\n\t_, err = limiter.Wait(source, ProtocolSSH)\n\trequire.Error(t, err)\n\t// a different source should work\n\t_, err = limiter.Wait(source+\"1\", ProtocolSSH)\n\trequire.NoError(t, err)\n\n\tconfig.Burst = 0\n\tlimiter = config.getLimiter()\n\t_, err = limiter.Wait(source, ProtocolSSH)\n\trequire.ErrorIs(t, err, errReserve)\n}\n\nfunc TestLimiterCleanup(t *testing.T) {\n\tconfig := RateLimiterConfig{\n\t\tAverage: 100,\n\t\tPeriod: 1000,\n\t\tBurst: 1,\n\t\tType: int(rateLimiterTypeSource),\n\t\tProtocols: rateLimiterProtocolValues,\n\t\tEntriesSoftLimit: 1,\n\t\tEntriesHardLimit: 3,\n\t}\n\tlimiter := config.getLimiter()\n\tsource1 := \"10.8.0.1\"\n\tsource2 := \"10.8.0.2\"\n\tsource3 := \"10.8.0.3\"\n\tsource4 := \"10.8.0.4\"\n\t_, err := limiter.Wait(source1, ProtocolSSH)\n\tassert.NoError(t, err)\n\ttime.Sleep(20 * time.Millisecond)\n\t_, err = limiter.Wait(source2, ProtocolSSH)\n\tassert.NoError(t, err)\n\ttime.Sleep(20 * time.Millisecond)\n\tassert.Len(t, limiter.buckets.buckets, 2)\n\t_, ok := limiter.buckets.buckets[source1]\n\tassert.True(t, ok)\n\t_, ok = limiter.buckets.buckets[source2]\n\tassert.True(t, ok)\n\t_, err = limiter.Wait(source3, ProtocolSSH)\n\tassert.NoError(t, err)\n\tassert.Len(t, limiter.buckets.buckets, 3)\n\t_, ok = limiter.buckets.buckets[source1]\n\tassert.True(t, ok)\n\t_, ok = limiter.buckets.buckets[source2]\n\tassert.True(t, ok)\n\t_, ok = limiter.buckets.buckets[source3]\n\tassert.True(t, ok)\n\ttime.Sleep(20 * time.Millisecond)\n\t_, err = limiter.Wait(source4, ProtocolSSH)\n\tassert.NoError(t, err)\n\tassert.Len(t, limiter.buckets.buckets, 2)\n\t_, ok = limiter.buckets.buckets[source3]\n\tassert.True(t, ok)\n\t_, ok = limiter.buckets.buckets[source4]\n\tassert.True(t, ok)\n}\n" }, { "path": "internal/common/tlsutils.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"bytes\"\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"encoding/pem\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io/fs\"\n\t\"math/rand\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"slices\"\n\t\"sync\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nconst (\n\t// DefaultTLSKeyPaidID defines the id to use for non-binding specific key pairs\n\tDefaultTLSKeyPaidID = \"default\"\n\tpemCRLType = \"X509 CRL\"\n)\n\nvar (\n\tpemCRLPrefix = []byte(\"-----BEGIN X509 CRL\")\n)\n\n// TLSKeyPair defines the paths and the unique identifier for a TLS key pair\ntype TLSKeyPair struct {\n\tCert string\n\tKey string\n\tID string\n}\n\n// CertManager defines a TLS certificate manager\ntype CertManager struct {\n\tkeyPairs []TLSKeyPair\n\tconfigDir string\n\tlogSender string\n\tsync.RWMutex\n\tcaCertificates []string\n\tcaRevocationLists []string\n\tmonitorList []string\n\tcerts map[string]*tls.Certificate\n\tcertsInfo map[string]fs.FileInfo\n\trootCAs *x509.CertPool\n\tcrls []*x509.RevocationList\n}\n\n// Reload tries to reload certificate and CRLs\nfunc (m *CertManager) Reload() error {\n\terrCrt := m.loadCertificates()\n\terrCRLs := m.LoadCRLs()\n\n\tif errCrt != nil {\n\t\treturn errCrt\n\t}\n\treturn errCRLs\n}\n\n// LoadCertificates tries to load the configured x509 key pairs\nfunc (m *CertManager) loadCertificates() error {\n\tif len(m.keyPairs) == 0 {\n\t\treturn errors.New(\"no key pairs defined\")\n\t}\n\tcerts := make(map[string]*tls.Certificate)\n\tfor _, keyPair := range m.keyPairs {\n\t\tif keyPair.ID == \"\" {\n\t\t\treturn errors.New(\"TLS certificate without ID\")\n\t\t}\n\t\tnewCert, err := tls.LoadX509KeyPair(keyPair.Cert, keyPair.Key)\n\t\tif err != nil {\n\t\t\tlogger.Error(m.logSender, \"\", \"unable to load X509 key pair, cert file %q key file %q error: %v\",\n\t\t\t\tkeyPair.Cert, keyPair.Key, err)\n\t\t\treturn err\n\t\t}\n\t\tif _, ok := certs[keyPair.ID]; ok {\n\t\t\tlogger.Error(m.logSender, \"\", \"TLS certificate with id %q is duplicated\", keyPair.ID)\n\t\t\treturn fmt.Errorf(\"TLS certificate with id %q is duplicated\", keyPair.ID)\n\t\t}\n\t\tlogger.Debug(m.logSender, \"\", \"TLS certificate %q successfully loaded, id %v\", keyPair.Cert, keyPair.ID)\n\t\tcerts[keyPair.ID] = &newCert\n\t\tif !slices.Contains(m.monitorList, keyPair.Cert) {\n\t\t\tm.monitorList = append(m.monitorList, keyPair.Cert)\n\t\t}\n\t}\n\n\tm.Lock()\n\tdefer m.Unlock()\n\n\tm.certs = certs\n\treturn nil\n}\n\n// HasCertificate returns true if there is a certificate for the specified certID\nfunc (m *CertManager) HasCertificate(certID string) bool {\n\tm.RLock()\n\tdefer m.RUnlock()\n\n\t_, ok := m.certs[certID]\n\treturn ok\n}\n\n// GetCertificateFunc returns the loaded certificate\nfunc (m *CertManager) GetCertificateFunc(certID string) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {\n\treturn func(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {\n\t\tm.RLock()\n\t\tdefer m.RUnlock()\n\n\t\tval, ok := m.certs[certID]\n\t\tif !ok {\n\t\t\tlogger.Error(m.logSender, \"\", \"no certificate for id %s\", certID)\n\t\t\treturn nil, fmt.Errorf(\"no certificate for id %s\", certID)\n\t\t}\n\n\t\treturn val, nil\n\t}\n}\n\n// IsRevoked returns true if the specified certificate has been revoked\nfunc (m *CertManager) IsRevoked(crt *x509.Certificate, caCrt *x509.Certificate) bool {\n\tm.RLock()\n\tdefer m.RUnlock()\n\n\tif crt == nil || caCrt == nil {\n\t\tlogger.Error(m.logSender, \"\", \"unable to verify crt %v, ca crt %v\", crt, caCrt)\n\t\treturn len(m.crls) > 0\n\t}\n\n\tfor _, crl := range m.crls {\n\t\tif crl.CheckSignatureFrom(caCrt) == nil {\n\t\t\tfor _, rc := range crl.RevokedCertificateEntries {\n\t\t\t\tif rc.SerialNumber.Cmp(crt.SerialNumber) == 0 {\n\t\t\t\t\treturn true\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\treturn false\n}\n\n// LoadCRLs tries to load certificate revocation lists from the given paths\nfunc (m *CertManager) LoadCRLs() error {\n\tif len(m.caRevocationLists) == 0 {\n\t\treturn nil\n\t}\n\n\tvar crls []*x509.RevocationList\n\n\tfor _, revocationList := range m.caRevocationLists {\n\t\tif !util.IsFileInputValid(revocationList) {\n\t\t\treturn fmt.Errorf(\"invalid root CA revocation list %q\", revocationList)\n\t\t}\n\t\tif revocationList != \"\" && !filepath.IsAbs(revocationList) {\n\t\t\trevocationList = filepath.Join(m.configDir, revocationList)\n\t\t}\n\t\tcrlBytes, err := os.ReadFile(revocationList)\n\t\tif err != nil {\n\t\t\tlogger.Error(m.logSender, \"\", \"unable to read revocation list %q\", revocationList)\n\t\t\treturn err\n\t\t}\n\t\tif bytes.HasPrefix(crlBytes, pemCRLPrefix) {\n\t\t\tblock, _ := pem.Decode(crlBytes)\n\t\t\tif block != nil && block.Type == pemCRLType {\n\t\t\t\tcrlBytes = block.Bytes\n\t\t\t}\n\t\t}\n\t\tcrl, err := x509.ParseRevocationList(crlBytes)\n\t\tif err != nil {\n\t\t\tlogger.Error(m.logSender, \"\", \"unable to parse revocation list %q\", revocationList)\n\t\t\treturn err\n\t\t}\n\n\t\tlogger.Debug(m.logSender, \"\", \"CRL %q successfully loaded\", revocationList)\n\t\tcrls = append(crls, crl)\n\t\tif !slices.Contains(m.monitorList, revocationList) {\n\t\t\tm.monitorList = append(m.monitorList, revocationList)\n\t\t}\n\t}\n\n\tm.Lock()\n\tdefer m.Unlock()\n\n\tm.crls = crls\n\n\treturn nil\n}\n\n// GetRootCAs returns the set of root certificate authorities that servers\n// use if required to verify a client certificate\nfunc (m *CertManager) GetRootCAs() *x509.CertPool {\n\tm.RLock()\n\tdefer m.RUnlock()\n\n\treturn m.rootCAs\n}\n\n// LoadRootCAs tries to load root CA certificate authorities from the given paths\nfunc (m *CertManager) LoadRootCAs() error {\n\tif len(m.caCertificates) == 0 {\n\t\treturn nil\n\t}\n\n\trootCAs := x509.NewCertPool()\n\n\tfor _, rootCA := range m.caCertificates {\n\t\tif !util.IsFileInputValid(rootCA) {\n\t\t\treturn fmt.Errorf(\"invalid root CA certificate %q\", rootCA)\n\t\t}\n\t\tif rootCA != \"\" && !filepath.IsAbs(rootCA) {\n\t\t\trootCA = filepath.Join(m.configDir, rootCA)\n\t\t}\n\t\tcrt, err := os.ReadFile(rootCA)\n\t\tif err != nil {\n\t\t\tlogger.Error(m.logSender, \"\", \"unable to read root CA from file %q: %v\", rootCA, err)\n\t\t\treturn err\n\t\t}\n\t\tif rootCAs.AppendCertsFromPEM(crt) {\n\t\t\tlogger.Debug(m.logSender, \"\", \"TLS certificate authority %q successfully loaded\", rootCA)\n\t\t} else {\n\t\t\terr := fmt.Errorf(\"unable to load TLS certificate authority %q\", rootCA)\n\t\t\tlogger.Error(m.logSender, \"\", \"%v\", err)\n\t\t\treturn err\n\t\t}\n\t}\n\n\tm.Lock()\n\tdefer m.Unlock()\n\n\tm.rootCAs = rootCAs\n\treturn nil\n}\n\n// SetCACertificates sets the root CA authorities file paths.\n// This should not be changed at runtime\nfunc (m *CertManager) SetCACertificates(caCertificates []string) {\n\tm.caCertificates = util.RemoveDuplicates(caCertificates, true)\n}\n\n// SetCARevocationLists sets the CA revocation lists file paths.\n// This should not be changed at runtime\nfunc (m *CertManager) SetCARevocationLists(caRevocationLists []string) {\n\tm.caRevocationLists = util.RemoveDuplicates(caRevocationLists, true)\n}\n\nfunc (m *CertManager) monitor() {\n\tcertsInfo := make(map[string]fs.FileInfo)\n\n\tfor _, crt := range m.monitorList {\n\t\tinfo, err := os.Stat(crt)\n\t\tif err != nil {\n\t\t\tlogger.Warn(m.logSender, \"\", \"unable to stat certificate to monitor %q: %v\", crt, err)\n\t\t\treturn\n\t\t}\n\t\tcertsInfo[crt] = info\n\t}\n\n\tm.Lock()\n\n\tisChanged := false\n\tfor k, oldInfo := range m.certsInfo {\n\t\tnewInfo, ok := certsInfo[k]\n\t\tif ok {\n\t\t\tif newInfo.Size() != oldInfo.Size() || newInfo.ModTime() != oldInfo.ModTime() {\n\t\t\t\tlogger.Debug(m.logSender, \"\", \"change detected for certificate %q, reload required\", k)\n\t\t\t\tisChanged = true\n\t\t\t}\n\t\t}\n\t}\n\tm.certsInfo = certsInfo\n\n\tm.Unlock()\n\n\tif isChanged {\n\t\tm.Reload() //nolint:errcheck\n\t}\n}\n\n// NewCertManager creates a new certificate manager\nfunc NewCertManager(keyPairs []TLSKeyPair, configDir, logSender string) (*CertManager, error) {\n\tmanager := &CertManager{\n\t\tkeyPairs: keyPairs,\n\t\tconfigDir: configDir,\n\t\tlogSender: logSender,\n\t\tcerts: make(map[string]*tls.Certificate),\n\t\tcertsInfo: make(map[string]fs.FileInfo),\n\t}\n\terr := manager.loadCertificates()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\trandSecs := rand.Intn(59)\n\tmanager.monitor()\n\tif eventScheduler != nil {\n\t\t_, err = eventScheduler.AddFunc(fmt.Sprintf(\"@every 8h0m%ds\", randSecs), manager.monitor)\n\t}\n\treturn manager, err\n}\n" }, { "path": "internal/common/tlsutils_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n)\n\nconst (\n\tserverCert = `-----BEGIN CERTIFICATE-----\nMIIEIjCCAgqgAwIBAgIQfxHX0pnvRtkmtfLklgrcNzANBgkqhkiG9w0BAQsFADAT\nMREwDwYDVQQDEwhDZXJ0QXV0aDAeFw0yMzAxMDMxMDIyMDdaFw0zMzAxMDMxMDMw\nNDVaMBQxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEP\nADCCAQoCggEBAKbMWjMhyjMnDsq/19J9D44Y13uPSMN26NFOCfjVgV23zcqvI8W1\ncsosYj89gSmIRxpcL2FtX7NjIT4vaqXob/en1lYy8hstacOs2cy2LcVZHfxu/hv3\n6hEKLY28tOD41L1CYZesBt3yV8vGcYIOnnAdIiG52SChnduTafBVE9Pq5P7qJ1gZ\nd4uBYxe8/Za0metKDvMN6FTK+THq56eD830iRwFOdSw3Z4NS/nQNeVW263E4CC4u\nBVxgwIHu6giqEfIoV6oVTY64y8X2YlwqvbVN/OtWNIJBLu+mN2EhR2ygpZdAyc82\n1yrk/X2/Dd3OiKSrrvXL1fOuNGlLNGD+3vUCAwEAAaNxMG8wDgYDVR0PAQH/BAQD\nAgO4MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUabrE\n6ATHRqEf/CDQiNWI+0e/nhIwHwYDVR0jBBgwFoAUKPyWZxHuWgH3MA/996i3V4gd\naYgwDQYJKoZIhvcNAQELBQADggIBAHFtnPXxCCeeGw4RiIai3bavGtyK5qooZUia\nhN8abJp9VJKYthLwF75c0wn8W0ZMTY8z9xgmFK9afWHCBNyK+0KCpd/LdDUfwvIn\n3RwR4HRFjNG+n1UZBA4l1W6X6kCq9/x7YaKLrek9aBHfxwMnoMrOeMUybm6D+B5E\nlSkAyJRq5VHVatM7UGmdux2MXK5IMpzlIBzz1pXddnzF3f9nfS54xt6ilWst9bMi\n6mBxisJmqc51L/Fyb2SoCJoO/6kv+3V5HnRNBcZuVE8G5/Uc+WRnyy9dh996W83b\njNvSJ9UpspqMtKx7DKU4fC/3xYDjRimZvZ3akfIdkf3j5GVWMtVbx+QVSZ8aKBSM\nZx35p8aF0zppTjp2JvBpiQlGIXKfPkmmH4bLpU7Z7qLXFFnp+fs3CjcIng19gGgi\nXQldgHVsl8FtIebxgW6wc5jb2y/fXjgx9c0SKEeeA3Pp6fExH8PdQdyHHmkHKQzO\nozon1tZhQbcjkNz8kXFp3x3X/0i4TsR6vsUigSFHXT7DgusBK8eAiRVOLSpbfIyp\n7Ul/9DjhtYxcZjNI/xNJcECPGazNDdKh4TdLh35pnQHOsRXDWB873rr5xkJIUXbU\nubo+q0VpmF7OtfPO9PrPilWAUhVDRx7CCTW3YUsWrYJkr8d6F/n6y7QPKMtB9Y2P\njRJ4LDqX\n-----END CERTIFICATE-----`\n\tserverKey = `-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEApsxaMyHKMycOyr/X0n0PjhjXe49Iw3bo0U4J+NWBXbfNyq8j\nxbVyyixiPz2BKYhHGlwvYW1fs2MhPi9qpehv96fWVjLyGy1pw6zZzLYtxVkd/G7+\nG/fqEQotjby04PjUvUJhl6wG3fJXy8Zxgg6ecB0iIbnZIKGd25Np8FUT0+rk/uon\nWBl3i4FjF7z9lrSZ60oO8w3oVMr5Mernp4PzfSJHAU51LDdng1L+dA15VbbrcTgI\nLi4FXGDAge7qCKoR8ihXqhVNjrjLxfZiXCq9tU3861Y0gkEu76Y3YSFHbKCll0DJ\nzzbXKuT9fb8N3c6IpKuu9cvV8640aUs0YP7e9QIDAQABAoIBADbD9gG/4HH3KwYr\nAyPbaBYR1f59xzhWfI7sfp2zDGzHAsy/wJETyILVG9UDzrriQeZHyk7E6J0vuSR/\n0RZ0QP8hnmBjDdcajBVxVXm/fzvCzPOrRcfNGI9LtjVJdmI/kSoq93wjQYXyIh2I\nJJC9WAwbpK9KJB5wsjH8LtZ4OLBlcdeB8jcvO6FzGij6HwyxqyPctxetlvpcmc/w\nzNJhps6t+TJ8PpNtEmTpOOmx85V6HMb3QJexwmUYygRaOoiQKBKZSNaOnGoC8w1d\nWahyyXJk4B3OUllqG1TLUgabFGqq2PeJSP8RvYFH8DUj+fdxD78qDHAygrL8ELLZ\n2O3Wi0ECgYEAyREnS/kylyIcAsyKczsKEDMIDUF9rGvm2B+QG7cLKHTu24oiNg5B\nIk5nkaYmSSrC3O2/s4v47mYzMtWbLxlogiNK6ljLPpdU5/JaeHncZC+18seBoePQ\n9nOW3AvY2A6ihzy8sKRMfl3FUx/1rcXLdNwkMQo0FWR7nqVPUme9QkkCgYEA1F5n\nlhfDptiHekagKMTf9SGw4B2UiG6SLjMWhcG2AEFeXpZlsk7Qubnuzk0krjYp+JAI\nbrlzMOkmBXBQywKLe3SG0s0McbRGWVFbEA1SA+WZV5rwJe5PO7W6ndCF2+slyZ5T\ndPwOY1RybV6R07EvjtfnE8Wtdyko4X22sTkyd00CgYA5MYnuEHqVhvxUx33yfS7F\noN5/dsuayi6l94R0fcLMxUZUaJyGp9NbQNYxFgP5+BHp6i8HkZ9DoQqbQSudYCrc\nKdHbi1p0+XMLb2LQtkk8rl2hK6LyO+1qzUJyYWRTQQZ2VY6O6I1hvKaumH636XWQ\nTjZ1RKPAGg8X94nytNOfEQKBgQC/+TL0iDjyGyykyTFAiW/WXQVSIwtBJYr5Pm9u\nrESFCJJxOM1nmT2vlrecQDoXTZk1O6aTyQqrPSeEpRoz2fISwKyb5IYKRyeM2DFU\nWmY4ZZXvjnzmHP39APNYc8Z9nZzEHF5fEvdCrXTfDy0Ny08tdlhKFFkRreBprkW3\nAPhwxQKBgDBdionnjdB9jdGbYHrsPaweMGdQNXkrTTCFfBA47F+qZswfon12yu4A\n+cBKCnQe2dQHl8AV3IeUKpmNghu4iICOASQEO9dS6OWZI5vBxZMePBm6+bjTOuf6\nozecw3yR55tKpPImt87rhrWlwp35uWuhOr9GHYBdFSwgrEkVMw++\n-----END RSA PRIVATE KEY-----`\n\tcaCRT = `-----BEGIN CERTIFICATE-----\nMIIE5jCCAs6gAwIBAgIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhDZXJ0\nQXV0aDAeFw0yNDAxMTAxODEyMDRaFw0zNDAxMTAxODIxNTRaMBMxETAPBgNVBAMT\nCENlcnRBdXRoMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA7WHW216m\nfi4uF8cx6HWf8wvAxaEWgCHTOi2MwFIzOrOtuT7xb64rkpdzx1aWetSiCrEyc3D1\nv03k0Akvlz1gtnDtO64+MA8bqlTnCydZJY4cCTvDOBUYZgtMqHZzpE6xRrqQ84zh\nyzjKQ5bR0st+XGfIkuhjSuf2n/ZPS37fge9j6AKzn/2uEVt33qmO85WtN3RzbSqL\nCdOJ6cQ216j3la1C5+NWvzIKC7t6NE1bBGI4+tRj7B5P5MeamkkogwbExUjdHp3U\n4yasvoGcCHUQDoa4Dej1faywz6JlwB6rTV4ys4aZDe67V/Q8iB2May1k7zBz1Ztb\nKF5Em3xewP1LqPEowF1uc4KtPGcP4bxdaIpSpmObcn8AIfH6smLQrn0C3cs7CYfo\nNlFuTbwzENUhjz0X6EsoM4w4c87lO+dRNR7YpHLqR/BJTbbyXUB0imne1u00fuzb\nS7OtweiA9w7DRCkr2gU4lmHe7l0T+SA9pxIeVLb78x7ivdyXSF5LVQJ1JvhhWu6i\nM6GQdLHat/0fpRFUbEe34RQSDJ2eOBifMJqvsvpBP8d2jcRZVUVrSXGc2mAGuGOY\n/tmnCJGW8Fd+sgpCVAqM0pxCM+apqrvJYUqqQZ2ZxugCXULtRWJ9p4C9zUl40HEy\nOQ+AaiiwFll/doXELglcJdNg8AZPGhugfxMCAwEAAaNFMEMwDgYDVR0PAQH/BAQD\nAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFNoJhIvDZQrEf/VQbWuu\nXgNnt2m5MA0GCSqGSIb3DQEBCwUAA4ICAQCYhT5SRqk19hGrQ09hVSZOzynXAa5F\nsYkEWJzFyLg9azhnTPE1bFM18FScnkd+dal6mt+bQiJvdh24NaVkDghVB7GkmXki\npAiZwEDHMqtbhiPxY8LtSeCBAz5JqXVU2Q0TpAgNSH4W7FbGWNThhxcJVOoIrXKE\njbzhwl1Etcaf0DBKWliUbdlxQQs65DLy+rNBYtOeK0pzhzn1vpehUlJ4eTFzP9KX\ny2Mksuq9AspPbqnqpWW645MdTxMb5T57MCrY3GDKw63z5z3kz88LWJF3nOxZmgQy\nWFUhbLmZm7x6N5eiu6Wk8/B4yJ/n5UArD4cEP1i7nqu+mbbM/SZlq1wnGpg/sbRV\noUF+a7pRcSbfxEttle4pLFhS+ErKatjGcNEab2OlU3bX5UoBs+TYodnCWGKOuBKV\nL/CYc65QyeYZ+JiwYn9wC8YkzOnnVIQjiCEkLgSL30h9dxpnTZDLrdAA8ItelDn5\nDvjuQq58CGDsaVqpSobiSC1DMXYWot4Ets1wwovUNEq1l0MERB+2olE+JU/8E23E\neL1/aA7Kw/JibkWz1IyzClpFDKXf6kR2onJyxerdwUL+is7tqYFLysiHxZDL1bli\nSXbW8hMa5gvo0IilFP9Rznn8PplIfCsvBDVv6xsRr5nTAFtwKaMBVgznE2ghs69w\nkK8u1YiiVenmoQ==\n-----END CERTIFICATE-----`\n\tcaKey = `-----BEGIN RSA PRIVATE KEY-----\nMIIJKgIBAAKCAgEA7WHW216mfi4uF8cx6HWf8wvAxaEWgCHTOi2MwFIzOrOtuT7x\nb64rkpdzx1aWetSiCrEyc3D1v03k0Akvlz1gtnDtO64+MA8bqlTnCydZJY4cCTvD\nOBUYZgtMqHZzpE6xRrqQ84zhyzjKQ5bR0st+XGfIkuhjSuf2n/ZPS37fge9j6AKz\nn/2uEVt33qmO85WtN3RzbSqLCdOJ6cQ216j3la1C5+NWvzIKC7t6NE1bBGI4+tRj\n7B5P5MeamkkogwbExUjdHp3U4yasvoGcCHUQDoa4Dej1faywz6JlwB6rTV4ys4aZ\nDe67V/Q8iB2May1k7zBz1ZtbKF5Em3xewP1LqPEowF1uc4KtPGcP4bxdaIpSpmOb\ncn8AIfH6smLQrn0C3cs7CYfoNlFuTbwzENUhjz0X6EsoM4w4c87lO+dRNR7YpHLq\nR/BJTbbyXUB0imne1u00fuzbS7OtweiA9w7DRCkr2gU4lmHe7l0T+SA9pxIeVLb7\n8x7ivdyXSF5LVQJ1JvhhWu6iM6GQdLHat/0fpRFUbEe34RQSDJ2eOBifMJqvsvpB\nP8d2jcRZVUVrSXGc2mAGuGOY/tmnCJGW8Fd+sgpCVAqM0pxCM+apqrvJYUqqQZ2Z\nxugCXULtRWJ9p4C9zUl40HEyOQ+AaiiwFll/doXELglcJdNg8AZPGhugfxMCAwEA\nAQKCAgEA4x0OoceG54ZrVxifqVaQd8qw3uRmUKUMIMdfuMlsdideeLO97ynmSlRY\n00kGo/I4Lp6mNEjI9gUie9+uBrcUhri4YLcujHCH+YlNnCBDbGjwbe0ds9SLCWaa\nKztZHMSlW5Q4Bqytgu+MpOnxSgqjlOk+vz9TcGFKVnUkHIkAcqKFJX8gOFxPZA/t\nOb1kJaz4kuv5W2Kur/ISKvQtvFvOtQeV0aJyZm8LqXnvS4cPI7yN4329NDU0HyDR\ny/deqS2aqV4zII3FFqbz8zix/m1xtVQzWCugZGMKrz0iuJMfNeCABb8rRGc6GsZz\n+465v/kobqgeyyneJ1s5rMFrLp2o+dwmnIVMNsFDUiN1lIZDHLvlgonaUO3IdTZc\n9asamFWKFKUMgWqM4zB1vmUO12CKowLNIIKb0L+kf1ixaLLDRGf/f9vLtSHE+oyx\nlATiS18VNA8+CGsHF6uXMRwf2auZdRI9+s6AAeyRISSbO1khyWKHo+bpOvmPAkDR\nnknTjbYgkoZOV+mrsU5oxV8s6vMkuvA3rwFhT2gie8pokuACFcCRrZi9MVs4LmUQ\nu0GYTHvp2WJUjMWBm6XX7Hk3g2HV842qpk/mdtTjNsXws81djtJPn4I/soIXSgXz\npY3SvKTuOckP9OZVF0yqKGeZXKpD288PKpC+MAg3GvEJaednagECggEBAPsfLwuP\nL1kiDjXyMcRoKlrQ6Q/zBGyBmJbZ5uVGa02+XtYtDAzLoVupPESXL0E7+r8ZpZ39\n0dV4CEJKpbVS/BBtTEkPpTK5kz778Ib04TAyj+YLhsZjsnuja3T5bIBZXFDeDVDM\n0ZaoFoKpIjTu2aO6pzngsgXs6EYbo2MTuJD3h0nkGZsICL7xvT9Mw0P1p2Ftt/hN\n+jKk3vN220wTWUsq43AePi45VwK+PNP12ZXv9HpWDxlPo3j0nXtgYXittYNAT92u\nBZbFAzldEIX9WKKZgsWtIzLaASjVRntpxDCTby/nlzQ5dw3DHU1DV3PIqxZS2+Oe\nKV+7XFWgZ44YjYECggEBAPH+VDu3QSrqSahkZLkgBtGRkiZPkZFXYvU6kL8qf5wO\nZ/uXMeqHtznAupLea8I4YZLfQim/NfC0v1cAcFa9Ckt9g3GwTSirVcN0AC1iOyv3\n/hMZCA1zIyIcuUplNr8qewoX71uPOvCNH0dix77423mKFkJmNwzy4Q+rV+qkRdLn\nv+AAgh7g5N91pxNd6LQJjoyfi1Ka6rRP2yGXM5v7QOwD16eN4JmExUxX1YQ7uNuX\npVS+HRxnBquA+3/DB1LtBX6pa2cUa+LRUmE/NCPHMvJcyuNkYpJKlNTd9vnbfo0H\nRNSJSWm+aGxDFMjuPjV3JLj2OdKMPwpnXdh2vBZCPpMCggEAM+yTvrEhmi2HgLIO\nhkz/jP2rYyfdn04ArhhqPLgd0dpuI5z24+Jq/9fzZT9ZfwSW6VK1QwDLlXcXRhXH\nQ8Hf6smev3CjuORURO61IkKaGWwrAucZPAY7ToNQ4cP9ImDXzMTNPgrLv3oMBYJR\nV16X09nxX+9NABqnQG/QjdjzDc6Qw7+NZ9f2bvzvI5qMuY2eyW91XbtJ45ThoLfP\nymAp03gPxQwL0WT7z85kJ3OrROxzwaPvxU0JQSZbNbqNDPXmFTiECxNDhpRAAWlz\n1DC5Vg2l05fkMkyPdtD6nOQWs/CYSfB5/EtxiX/xnBszhvZUIe6KFvuKFIhaJD5h\niykagQKCAQEAoBRm8k3KbTIo4ZzvyEq4V/+dF3zBRczx6FkCkYLygXBCNvsQiR2Y\nBjtI8Ijz7bnQShEoOmeDriRTAqGGrspEuiVgQ1+l2wZkKHRe/aaij/Zv+4AuhH8q\nuZEYvW7w5Uqbs9SbgQzhp2kjTNy6V8lVnjPLf8cQGZ+9Y9krwktC6T5m/i435WdN\n38h7amNP4XEE/F86Eb3rDrZYtgLIoCF4E+iCyxMehU+AGH1uABhls9XAB6vvo+8/\nSUp8lEqWWLP0U5KNOtYWfCeOAEiIHDbUq+DYUc4BKtbtV1cx3pzlPTOWw6XBi5Lq\njttdL4HyYvnasAQpwe8GcMJqIRyCVZMiwwKCAQEAhQTTS3CC8PwcoYrpBdTjW1ck\nvVFeF1YbfqPZfYxASCOtdx6wRnnEJ+bjqntagns9e88muxj9UhxSL6q9XaXQBD8+\n2AmKUxphCZQiYFZcTucjQEQEI2nN+nAKgRrUSMMGiR8Ekc2iFrcxBU0dnSohw+aB\nPbMKVypQCREu9PcDFIp9rXQTeElbaNsIg1C1w/SQjODbmN/QFHTVbRODYqLeX1J/\nVcGsykSIq7hv6bjn7JGkr2JTdANbjk9LnMjMdJFsKRYxPKkOQfYred6Hiojp5Sor\nPW5am8ejnNSPhIfqQp3uV3KhwPDKIeIpzvrB4uPfTjQWhekHCb8cKSWux3flqw==\n-----END RSA PRIVATE KEY-----`\n\tcaCRL = `-----BEGIN X509 CRL-----\nMIICpzCBkAIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhDZXJ0QXV0aBcN\nMjQwMTEwMTgyMjU4WhcNMjYwMTA5MTgyMjU4WjAkMCICEQDOaeHbjY4pEj8WBmqg\nZuRRFw0yNDAxMTAxODIyNThaoCMwITAfBgNVHSMEGDAWgBTaCYSLw2UKxH/1UG1r\nrl4DZ7dpuTANBgkqhkiG9w0BAQsFAAOCAgEAZzZ4aBqCcAJigR9e/mqKpJa4B6FV\n+jZmnWXolGeUuVkjdiG9w614x7mB2S768iioJyALejjCZjqsp6ydxtn0epQw4199\nXSfPIxA9lxc7w79GLe0v3ztojvxDPh5V1+lwPzGf9i8AsGqb2BrcBqgxDeatndnE\njF+18bY1saXOBpukNLjtRScUXzy5YcSuO6mwz4548v+1ebpF7W4Yh+yh0zldJKcF\nDouuirZWujJwTwxxfJ+2+yP7GAuefXUOhYs/1y9ylvUgvKFqSyokv6OaVgTooKYD\nMSADzmNcbRvwyAC5oL2yJTVVoTFeP6fXl/BdFH3sO/hlKXGy4Wh1AjcVE6T0CSJ4\niYFX3gLFh6dbP9IQWMlIM5DKtAKSjmgOywEaWii3e4M0NFSf/Cy17p2E5/jXSLlE\nypDileK0aALkx2twGWwogh6sY1dQ6R3GpKSRPD2muQxVOG6wXvuJce0E9WLx1Ud4\nhVUdUEMlKUvm77/15U5awarH2cCJQxzS/GMeIintQiG7hUlgRzRdmWVe3vOOvt94\ncp8+ZUH/QSDOo41ATTHpFeC/XqF5E2G/ahXqra+O5my52V/FP0bSJnkorJ8apy67\nsn6DFbkqX9khTXGtacczh2PcqVjcQjBniYl2sPO3qIrrrY3tic96tMnM/u3JRdcn\nw7bXJGfJcIMrrKs=\n-----END X509 CRL-----`\n\tclient1Crt = `-----BEGIN CERTIFICATE-----\nMIIEITCCAgmgAwIBAgIRAJr32nHRlhyPiS7IfZ/ZWYowDQYJKoZIhvcNAQELBQAw\nEzERMA8GA1UEAxMIQ2VydEF1dGgwHhcNMjQwMTEwMTgxMjM3WhcNMzQwMTEwMTgy\nMTUzWjASMRAwDgYDVQQDEwdjbGllbnQxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\nMIIBCgKCAQEAtuQFiqvdjd8WLxP0FgPDyDEJ1/uJ+Aoj6QllNV7svWxwW+kiJ3X6\nHUVNWhhCsNfly4pGW4erF4fZzmesElGx1PoWgQCWZKsa/N08bznelWgdmkyi85xE\nOkTj6e/cTWHFSOBURNJaXkGHZ0ROSh7qu0Ld+eqNo3k9W+NqZaqYvs2K7MLWeYl7\nQie8Ctuq5Qaz/jm0XwR2PFBROVQSaCPCukancPQ21ftqHPhAbjxoxvvN5QP4ZdRf\nXlH/LDLhlFnJzPZdHnVy9xisSPPRfFApJiwyfjRYdtslpJOcNgP6oPlpX/dybbhO\nc9FEUgj/Q90Je8EfioBYFYsqVD6/dFv9SwIDAQABo3EwbzAOBgNVHQ8BAf8EBAMC\nA7gwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBRUh5Xo\nGzjh6iReaPSOgGatqOw9bDAfBgNVHSMEGDAWgBTaCYSLw2UKxH/1UG1rrl4DZ7dp\nuTANBgkqhkiG9w0BAQsFAAOCAgEAyAK7cOTWqjyLgFM0kyyx1fNPvm2GwKep3MuU\nOrSnLuWjoxzb7WcbKNVMlnvnmSUAWuErxsY0PUJNfcuqWiGmEp4d/SWfWPigG6DC\nsDej35BlSfX8FCufYrfC74VNk4yBS2LVYmIqcpqUrfay0I2oZA8+ToLEpdUvEv2I\nl59eOhJO2jsC3JbOyZZmK2Kv7d94fR+1tg2Rq1Wbnmc9AZKq7KDReAlIJh4u2KHb\nBbtF79idusMwZyP777tqSQ4THBMa+VAEc2UrzdZqTIAwqlKQOvO2fRz2P+ARR+Tz\nMYJMdCdmPZ9qAc8U1OcFBG6qDDltO8wf/Nu/PsSI5LGCIhIuPPIuKfm0rRfTqCG7\nQPQPWjRoXtGGhwjdIuWbX9fIB+c+NpAEKHgLtV+Rxj8s5IVxqG9a5TtU9VkfVXJz\nJ20naoz/G+vDsVINpd3kH0ziNvdrKfGRM5UgtnUOPCXB22fVmkIsMH2knI10CKK+\noffI56NTkLRu00xvg98/wdukhkwIAxg6PQI/BHY5mdvoacEHHHdOhMq+GSAh7DDX\nG8+HdbABM1ExkPnZLat15q706ztiuUpQv1C2DI8YviUVkMqCslj4cD4F8EFPo4kr\nkvme0Cuc9Qlf7N5rjdV3cjwavhFx44dyXj9aesft2Q1okPiIqbGNpcjHcIRlj4Au\nMU3Bo0A=\n-----END CERTIFICATE-----`\n\tclient1Key = `-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAtuQFiqvdjd8WLxP0FgPDyDEJ1/uJ+Aoj6QllNV7svWxwW+ki\nJ3X6HUVNWhhCsNfly4pGW4erF4fZzmesElGx1PoWgQCWZKsa/N08bznelWgdmkyi\n85xEOkTj6e/cTWHFSOBURNJaXkGHZ0ROSh7qu0Ld+eqNo3k9W+NqZaqYvs2K7MLW\neYl7Qie8Ctuq5Qaz/jm0XwR2PFBROVQSaCPCukancPQ21ftqHPhAbjxoxvvN5QP4\nZdRfXlH/LDLhlFnJzPZdHnVy9xisSPPRfFApJiwyfjRYdtslpJOcNgP6oPlpX/dy\nbbhOc9FEUgj/Q90Je8EfioBYFYsqVD6/dFv9SwIDAQABAoIBAFjSHK7gENVZxphO\nhHg8k9ShnDo8eyDvK8l9Op3U3/yOsXKxolivvyx//7UFmz3vXDahjNHe7YScAXdw\neezbqBXa7xrvghqZzp2HhFYwMJ0210mcdncBKVFzK4ztZHxgQ0PFTqet0R19jZjl\nX3A325/eNZeuBeOied4qb/24AD6JGc6A0J55f5/QUQtdwYwrL15iC/KZXDL90PPJ\nCFJyrSzcXvOMEvOfXIFxhDVKRCppyIYXG7c80gtNC37I6rxxMNQ4mxjwUI2IVhxL\nj+nZDu0JgRZ4NaGjOq2e79QxUVm/GG3z25XgmBFBrXkEVV+sCZE1VDyj6kQfv9FU\nNhOrwGECgYEAzq47r/HwXifuGYBV/mvInFw3BNLrKry+iUZrJ4ms4g+LfOi0BAgf\nsXsWXulpBo2YgYjFdO8G66f69GlB4B7iLscpABXbRtpDZEnchQpaF36/+4g3i8gB\nZ29XHNDB8+7t4wbXvlSnLv1tZWey2fS4hPosc2YlvS87DMmnJMJqhs8CgYEA4oiB\nLGQP6VNdX0Uigmh5fL1g1k95eC8GP1ylczCcIwsb2OkAq0MT7SHRXOlg3leEq4+g\nmCHk1NdjkSYxDL2ZeTKTS/gy4p1jlcDa6Ilwi4pVvatNvu4o80EYWxRNNb1mAn67\nT8TN9lzc6mEi+LepQM3nYJ3F+ZWTKgxH8uoJwMUCgYEArpumE1vbjUBAuEyi2eGn\nRunlFW83fBCfDAxw5KM8anNlja5uvuU6GU/6s06QCxg+2lh5MPPrLdXpfukZ3UVa\nItjg+5B7gx1MSALaiY8YU7cibFdFThM3lHIM72wyH2ogkWcrh0GvSFSUQlJcWCSW\nasmMGiYXBgBL697FFZomMyMCgYEAkAnp0JcDQwHd4gDsk2zoqnckBsDb5J5J46n+\nDYNAFEww9bgZ08u/9MzG+cPu8xFE621U2MbcYLVfuuBE2ewIlPaij/COMmeO9Z59\n0tPpOuDH6eTtd1SptxqR6P+8pEn8feOlKHBj4Z1kXqdK/EiTlwAVeep4Al2oCFls\nujkz4F0CgYAe8vHnVFHlWi16zAqZx4ZZZhNuqPtgFkvPg9LfyNTA4dz7F9xgtUaY\nnXBPyCe/8NtgBfT79HkPiG3TM0xRZY9UZgsJKFtqAu5u4ManuWDnsZI9RK2QTLHe\nyEbH5r3Dg3n9k/3GbjXFIWdU9UaYsdnSKHHtMw9ZODc14LaAogEQug==\n-----END RSA PRIVATE KEY-----`\n\t// client 2 crt is revoked\n\tclient2Crt = `-----BEGIN CERTIFICATE-----\nMIIEITCCAgmgAwIBAgIRAM5p4duNjikSPxYGaqBm5FEwDQYJKoZIhvcNAQELBQAw\nEzERMA8GA1UEAxMIQ2VydEF1dGgwHhcNMjQwMTEwMTgxMjUyWhcNMzQwMTEwMTgy\nMTUzWjASMRAwDgYDVQQDEwdjbGllbnQyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\nMIIBCgKCAQEApNYpNZVmXZtAObpRRIuP2o/7z04H2E161vKZvJ3LSLlUTImVjm/b\nQe6DTNCUVLnzQuanmUlu2rUnN3lDSfYoBcJWbvC3y1OCPRkCjDV6KiYMA9TPkZua\neq6y3+bFFfEmyumsVEe0bSuzNHXCOIBT7PqYMdovECcwBh/RZCA5mqO5omEKh4LQ\ncr6+sVVkvD3nsyx0Alz/kTLFqc0mVflmpJq+0BpdetHRg4n5vy/I/08jZ81PQAmT\nA0kyl0Jh132JBGFdA8eyugPPP8n5edU4f3HXV/nR7XLwBrpSt8KgEg8cwfAu4Ic0\n6tGzB0CH8lSGtU0tH2/cOlDuguDD7VvokQIDAQABo3EwbzAOBgNVHQ8BAf8EBAMC\nA7gwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBR5mf0f\nZjf8ZCGXqU2+45th7VkkLDAfBgNVHSMEGDAWgBTaCYSLw2UKxH/1UG1rrl4DZ7dp\nuTANBgkqhkiG9w0BAQsFAAOCAgEARhFxNAouwbpEfN1M90+ao5rwyxEewerSoCCz\nPQzeUZ66MA/FkS/tFUGgGGG+wERN+WLbe1cN6q/XFr0FSMLuUxLXDNV02oUL/FnY\nxcyNLaZUZ0pP7sA+Hmx2AdTA6baIwQbyIY9RLAaz6hzo1YbI8yeis645F1bxgL2D\nEP5kXa3Obv0tqWByMZtrmJPv3p0W5GJKXVDn51GR/E5KI7pliZX2e0LmMX9mxfPB\n4sXFUggMHXxWMMSAmXPVsxC2KX6gMnajO7JUraTwuGm+6V371FzEX+UKXHI+xSvO\n78TseTIYsBGLjeiA8UjkKlD3T9qsQm2mb2PlKyqjvIm4i2ilM0E2w4JZmd45b925\n7q/QLV3NZ/zZMi6AMyULu28DWKfAx3RLKwnHWSFcR4lVkxQrbDhEUMhAhLAX+2+e\nqc7qZm3dTabi7ZJiiOvYK/yNgFHa/XtZp5uKPB5tigPIa+34hbZF7s2/ty5X3O1N\nf5Ardz7KNsxJjZIt6HvB28E/PPOvBqCKJc1Y08J9JbZi8p6QS1uarGoR7l7rT1Hv\n/ZXkNTw2bw1VpcWdzDBLLVHYNnJmS14189LVk11PcJJpSmubwCqg+ZZULdgtVr3S\nANas2dgMPVwXhnAalgkcc+lb2QqaEz06axfbRGBsgnyqR5/koKCg1Hr0+vThHSsR\nE0+r2+4=\n-----END CERTIFICATE-----`\n\tclient2Key = `-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEApNYpNZVmXZtAObpRRIuP2o/7z04H2E161vKZvJ3LSLlUTImV\njm/bQe6DTNCUVLnzQuanmUlu2rUnN3lDSfYoBcJWbvC3y1OCPRkCjDV6KiYMA9TP\nkZuaeq6y3+bFFfEmyumsVEe0bSuzNHXCOIBT7PqYMdovECcwBh/RZCA5mqO5omEK\nh4LQcr6+sVVkvD3nsyx0Alz/kTLFqc0mVflmpJq+0BpdetHRg4n5vy/I/08jZ81P\nQAmTA0kyl0Jh132JBGFdA8eyugPPP8n5edU4f3HXV/nR7XLwBrpSt8KgEg8cwfAu\n4Ic06tGzB0CH8lSGtU0tH2/cOlDuguDD7VvokQIDAQABAoIBAQCMnEeg9uXQmdvq\nop4qi6bV+ZcDWvvkLwvHikFMnYpIaheYBpF2ZMKzdmO4xgCSWeFCQ4Hah8KxfHCM\nqLuWvw2bBBE5J8yQ/JaPyeLbec7RX41GQ2YhPoxDdP0PdErREdpWo4imiFhH/Ewt\nRvq7ufRdpdLoS8dzzwnvX3r+H2MkHoC/QANW2AOuVoZK5qyCH5N8yEAAbWKaQaeL\nVBhAYEVKbAkWEtXw7bYXzxRR7WIM3f45v3ncRusDIG+Hf75ZjatoH0lF1gHQNofO\nqkCVZVzjkLFuzDic2KZqsNORglNs4J6t5Dahb9v3hnoK963YMnVSUjFvqQ+/RZZy\nVILFShilAoGBANucwZU61eJ0tLKBYEwmRY/K7Gu1MvvcYJIOoX8/BL3zNmNO0CLl\nNiABtNt9WOVwZxDsxJXdo1zvMtAegNqS6W11R1VAZbL6mQ/krScbLDE6JKA5DmA7\n4nNi1gJOW1ziAfdBAfhe4cLbQOb94xkOK5xM1YpO0xgDJLwrZbehDMmPAoGBAMAl\n/owPDAvcXz7JFynT0ieYVc64MSFiwGYJcsmxSAnbEgQ+TR5FtkHYe91OSqauZcCd\naoKXQNyrYKIhyounRPFTdYQrlx6KtEs7LU9wOxuphhpJtGjRnhmA7IqvX703wNvu\nkhrEavn86G5boH8R80371SrN0Rh9UeAlQGuNBdvfAoGAEAmokW9Ug08miwqrr6Pz\n3IZjMZJwALidTM1IufQuMnj6ddIhnQrEIx48yPKkdUz6GeBQkuk2rujA+zXfDxc/\neMDhzrX/N0zZtLFse7ieR5IJbrH7/MciyG5lVpHGVkgjAJ18uVikgAhm+vd7iC7i\nvG1YAtuyysQgAKXircBTIL0CgYAHeTLWVbt9NpwJwB6DhPaWjalAug9HIiUjktiB\nGcEYiQnBWn77X3DATOA8clAa/Yt9m2HKJIHkU1IV3ESZe+8Fh955PozJJlHu3yVb\nAp157PUHTriSnxyMF2Sb3EhX/rQkmbnbCqqygHC14iBy8MrKzLG00X6BelZV5n0D\n8d85dwKBgGWY2nsaemPH/TiTVF6kW1IKSQoIyJChkngc+Xj/2aCCkkmAEn8eqncl\nRKjnkiEZeG4+G91Xu7+HmcBLwV86k5I+tXK9O1Okomr6Zry8oqVcxU5TB6VRS+rA\nubwF00Drdvk2+kDZfxIM137nBiy7wgCJi2Ksm5ihN3dUF6Q0oNPl\n-----END RSA PRIVATE KEY-----`\n)\n\nfunc TestLoadCertificate(t *testing.T) {\n\tstartEventScheduler()\n\tcaCrtPath := filepath.Join(os.TempDir(), \"testca.crt\")\n\tcaCrlPath := filepath.Join(os.TempDir(), \"testcrl.crt\")\n\tcertPath := filepath.Join(os.TempDir(), \"test.crt\")\n\tkeyPath := filepath.Join(os.TempDir(), \"test.key\")\n\terr := os.WriteFile(caCrtPath, []byte(caCRT), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(caCrlPath, []byte(caCRL), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(certPath, []byte(serverCert), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(keyPath, []byte(serverKey), os.ModePerm)\n\tassert.NoError(t, err)\n\tkeyPairs := []TLSKeyPair{\n\t\t{\n\t\t\tCert: certPath,\n\t\t\tKey: keyPath,\n\t\t\tID: DefaultTLSKeyPaidID,\n\t\t},\n\t\t{\n\t\t\tCert: certPath,\n\t\t\tKey: keyPath,\n\t\t\tID: DefaultTLSKeyPaidID,\n\t\t},\n\t}\n\tcertManager, err := NewCertManager(keyPairs, configDir, logSenderTest)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"is duplicated\")\n\t}\n\tassert.Nil(t, certManager)\n\n\tkeyPairs = []TLSKeyPair{\n\t\t{\n\t\t\tCert: certPath,\n\t\t\tKey: keyPath,\n\t\t\tID: DefaultTLSKeyPaidID,\n\t\t},\n\t}\n\n\tcertManager, err = NewCertManager(keyPairs, configDir, logSenderTest)\n\tassert.NoError(t, err)\n\tassert.True(t, certManager.HasCertificate(DefaultTLSKeyPaidID))\n\tassert.False(t, certManager.HasCertificate(\"unknownID\"))\n\tcertFunc := certManager.GetCertificateFunc(DefaultTLSKeyPaidID)\n\tif assert.NotNil(t, certFunc) {\n\t\thello := &tls.ClientHelloInfo{\n\t\t\tServerName: \"localhost\",\n\t\t\tCipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305},\n\t\t}\n\t\tcert, err := certFunc(hello)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, certManager.certs[DefaultTLSKeyPaidID], cert)\n\t}\n\tcertFunc = certManager.GetCertificateFunc(\"unknownID\")\n\tif assert.NotNil(t, certFunc) {\n\t\thello := &tls.ClientHelloInfo{\n\t\t\tServerName: \"localhost\",\n\t\t\tCipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305},\n\t\t}\n\t\t_, err = certFunc(hello)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"no certificate for id unknownID\")\n\t\t}\n\t}\n\tcertManager.SetCACertificates(nil)\n\terr = certManager.LoadRootCAs()\n\tassert.NoError(t, err)\n\n\tcertManager.SetCACertificates([]string{\"\"})\n\terr = certManager.LoadRootCAs()\n\tassert.Error(t, err)\n\n\tcertManager.SetCACertificates([]string{\"invalid\"})\n\terr = certManager.LoadRootCAs()\n\tassert.Error(t, err)\n\n\t// laoding the key as root CA must fail\n\tcertManager.SetCACertificates([]string{keyPath})\n\terr = certManager.LoadRootCAs()\n\tassert.Error(t, err)\n\n\tcertManager.SetCACertificates([]string{certPath})\n\terr = certManager.LoadRootCAs()\n\tassert.NoError(t, err)\n\n\trootCa := certManager.GetRootCAs()\n\tassert.NotNil(t, rootCa)\n\n\terr = certManager.Reload()\n\tassert.NoError(t, err)\n\n\tcertManager.SetCARevocationLists(nil)\n\terr = certManager.LoadCRLs()\n\tassert.NoError(t, err)\n\n\tcertManager.SetCARevocationLists([]string{\"\"})\n\terr = certManager.LoadCRLs()\n\tassert.Error(t, err)\n\n\tcertManager.SetCARevocationLists([]string{\"invalid crl\"})\n\terr = certManager.LoadCRLs()\n\tassert.Error(t, err)\n\n\t// this is not a crl and must fail\n\tcertManager.SetCARevocationLists([]string{caCrtPath})\n\terr = certManager.LoadCRLs()\n\tassert.Error(t, err)\n\n\tcertManager.SetCARevocationLists([]string{caCrlPath})\n\terr = certManager.LoadCRLs()\n\tassert.NoError(t, err)\n\n\tcrt, err := tls.X509KeyPair([]byte(caCRT), []byte(caKey))\n\tassert.NoError(t, err)\n\n\tx509CAcrt, err := x509.ParseCertificate(crt.Certificate[0])\n\tassert.NoError(t, err)\n\n\tcrt, err = tls.X509KeyPair([]byte(client1Crt), []byte(client1Key))\n\tassert.NoError(t, err)\n\tx509crt, err := x509.ParseCertificate(crt.Certificate[0])\n\tif assert.NoError(t, err) {\n\t\tassert.False(t, certManager.IsRevoked(x509crt, x509CAcrt))\n\t}\n\n\tcrt, err = tls.X509KeyPair([]byte(client2Crt), []byte(client2Key))\n\tassert.NoError(t, err)\n\tx509crt, err = x509.ParseCertificate(crt.Certificate[0])\n\tif assert.NoError(t, err) {\n\t\tassert.True(t, certManager.IsRevoked(x509crt, x509CAcrt))\n\t}\n\n\tassert.True(t, certManager.IsRevoked(nil, nil))\n\n\terr = os.Remove(caCrlPath)\n\tassert.NoError(t, err)\n\terr = certManager.Reload()\n\tassert.Error(t, err)\n\n\terr = os.Remove(certPath)\n\tassert.NoError(t, err)\n\terr = os.Remove(keyPath)\n\tassert.NoError(t, err)\n\terr = certManager.Reload()\n\tassert.Error(t, err)\n\n\terr = os.Remove(caCrtPath)\n\tassert.NoError(t, err)\n\tstopEventScheduler()\n}\n\nfunc TestLoadInvalidCert(t *testing.T) {\n\tstartEventScheduler()\n\tcertManager, err := NewCertManager(nil, configDir, logSenderTest)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"no key pairs defined\")\n\t}\n\tassert.Nil(t, certManager)\n\n\tkeyPairs := []TLSKeyPair{\n\t\t{\n\t\t\tCert: \"test.crt\",\n\t\t\tKey: \"test.key\",\n\t\t\tID: DefaultTLSKeyPaidID,\n\t\t},\n\t}\n\tcertManager, err = NewCertManager(keyPairs, configDir, logSenderTest)\n\tassert.Error(t, err)\n\tassert.Nil(t, certManager)\n\n\tkeyPairs = []TLSKeyPair{\n\t\t{\n\t\t\tCert: \"test.crt\",\n\t\t\tKey: \"test.key\",\n\t\t},\n\t}\n\tcertManager, err = NewCertManager(keyPairs, configDir, logSenderTest)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"TLS certificate without ID\")\n\t}\n\tassert.Nil(t, certManager)\n\tstopEventScheduler()\n}\n\nfunc TestCertificateMonitor(t *testing.T) {\n\tstartEventScheduler()\n\tdefer stopEventScheduler()\n\n\tcertPath := filepath.Join(os.TempDir(), \"test.crt\")\n\tkeyPath := filepath.Join(os.TempDir(), \"test.key\")\n\tcaCrlPath := filepath.Join(os.TempDir(), \"testcrl.crt\")\n\terr := os.WriteFile(certPath, []byte(serverCert), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(keyPath, []byte(serverKey), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(caCrlPath, []byte(caCRL), os.ModePerm)\n\tassert.NoError(t, err)\n\n\tkeyPairs := []TLSKeyPair{\n\t\t{\n\t\t\tCert: certPath,\n\t\t\tKey: keyPath,\n\t\t\tID: DefaultTLSKeyPaidID,\n\t\t},\n\t}\n\tcertManager, err := NewCertManager(keyPairs, configDir, logSenderTest)\n\tassert.NoError(t, err)\n\tassert.Len(t, certManager.monitorList, 1)\n\trequire.Len(t, certManager.certsInfo, 1)\n\tinfo := certManager.certsInfo[certPath]\n\trequire.NotNil(t, info)\n\tcertManager.SetCARevocationLists([]string{caCrlPath})\n\terr = certManager.LoadCRLs()\n\tassert.NoError(t, err)\n\tassert.Len(t, certManager.monitorList, 2)\n\tcertManager.monitor()\n\trequire.Len(t, certManager.certsInfo, 2)\n\n\terr = os.Remove(certPath)\n\tassert.NoError(t, err)\n\tcertManager.monitor()\n\n\ttime.Sleep(100 * time.Millisecond)\n\terr = os.WriteFile(certPath, []byte(serverCert), os.ModePerm)\n\tassert.NoError(t, err)\n\tcertManager.monitor()\n\trequire.Len(t, certManager.certsInfo, 2)\n\tnewInfo := certManager.certsInfo[certPath]\n\trequire.NotNil(t, newInfo)\n\tassert.Equal(t, info.Size(), newInfo.Size())\n\tassert.NotEqual(t, info.ModTime(), newInfo.ModTime())\n\n\terr = os.Remove(caCrlPath)\n\tassert.NoError(t, err)\n\n\terr = os.Remove(certPath)\n\tassert.NoError(t, err)\n\terr = os.Remove(keyPath)\n\tassert.NoError(t, err)\n}\n" }, { "path": "internal/common/transfer.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"io/fs\"\n\t\"path\"\n\t\"sync\"\n\t\"sync/atomic\"\n\t\"time\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/metric\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nvar (\n\t// ErrTransferClosed defines the error returned for a closed transfer\n\tErrTransferClosed = errors.New(\"transfer already closed\")\n)\n\n// BaseTransfer contains protocols common transfer details for an upload or a download.\ntype BaseTransfer struct {\n\tID int64\n\tBytesSent atomic.Int64\n\tBytesReceived atomic.Int64\n\tFs vfs.Fs\n\tFile vfs.File\n\tConnection *BaseConnection\n\tcancelFn func()\n\tfsPath string\n\teffectiveFsPath string\n\trequestPath string\n\tftpMode string\n\tstart time.Time\n\tMaxWriteSize int64\n\tMinWriteOffset int64\n\tInitialSize int64\n\ttruncatedSize int64\n\tisNewFile bool\n\ttransferType int\n\tAbortTransfer atomic.Bool\n\taTime time.Time\n\tmTime time.Time\n\ttransferQuota dataprovider.TransferQuota\n\tmetadata map[string]string\n\tsync.Mutex\n\terrAbort error\n\tErrTransfer error\n}\n\n// NewBaseTransfer returns a new BaseTransfer and adds it to the given connection\nfunc NewBaseTransfer(file vfs.File, conn *BaseConnection, cancelFn func(), fsPath, effectiveFsPath, requestPath string,\n\ttransferType int, minWriteOffset, initialSize, maxWriteSize, truncatedSize int64, isNewFile bool, fs vfs.Fs,\n\ttransferQuota dataprovider.TransferQuota,\n) *BaseTransfer {\n\tt := &BaseTransfer{\n\t\tID: conn.GetTransferID(),\n\t\tFile: file,\n\t\tConnection: conn,\n\t\tcancelFn: cancelFn,\n\t\tfsPath: fsPath,\n\t\teffectiveFsPath: effectiveFsPath,\n\t\tstart: time.Now(),\n\t\ttransferType: transferType,\n\t\tMinWriteOffset: minWriteOffset,\n\t\tInitialSize: initialSize,\n\t\tisNewFile: isNewFile,\n\t\trequestPath: requestPath,\n\t\tMaxWriteSize: maxWriteSize,\n\t\ttruncatedSize: truncatedSize,\n\t\ttransferQuota: transferQuota,\n\t\tFs: fs,\n\t}\n\tt.AbortTransfer.Store(false)\n\tt.BytesSent.Store(0)\n\tt.BytesReceived.Store(0)\n\n\tconn.AddTransfer(t)\n\treturn t\n}\n\n// GetTransferQuota returns data transfer quota limits\nfunc (t *BaseTransfer) GetTransferQuota() dataprovider.TransferQuota {\n\treturn t.transferQuota\n}\n\n// SetFtpMode sets the FTP mode for the current transfer\nfunc (t *BaseTransfer) SetFtpMode(mode string) {\n\tt.ftpMode = mode\n}\n\n// GetID returns the transfer ID\nfunc (t *BaseTransfer) GetID() int64 {\n\treturn t.ID\n}\n\n// GetType returns the transfer type\nfunc (t *BaseTransfer) GetType() int {\n\treturn t.transferType\n}\n\n// GetSize returns the transferred size\nfunc (t *BaseTransfer) GetSize() int64 {\n\tif t.transferType == TransferDownload {\n\t\treturn t.BytesSent.Load()\n\t}\n\treturn t.BytesReceived.Load()\n}\n\n// GetDownloadedSize returns the transferred size\nfunc (t *BaseTransfer) GetDownloadedSize() int64 {\n\treturn t.BytesSent.Load()\n}\n\n// GetUploadedSize returns the transferred size\nfunc (t *BaseTransfer) GetUploadedSize() int64 {\n\treturn t.BytesReceived.Load()\n}\n\n// GetStartTime returns the start time\nfunc (t *BaseTransfer) GetStartTime() time.Time {\n\treturn t.start\n}\n\n// GetAbortError returns the error to send to the client if the transfer was aborted\nfunc (t *BaseTransfer) GetAbortError() error {\n\tt.Lock()\n\tdefer t.Unlock()\n\n\tif t.errAbort != nil {\n\t\treturn t.errAbort\n\t}\n\treturn getQuotaExceededError(t.Connection.protocol)\n}\n\n// SignalClose signals that the transfer should be closed after the next read/write.\n// The optional error argument allow to send a specific error, otherwise a generic\n// transfer aborted error is sent\nfunc (t *BaseTransfer) SignalClose(err error) {\n\tt.Lock()\n\tt.errAbort = err\n\tt.Unlock()\n\tt.AbortTransfer.Store(true)\n}\n\n// GetTruncatedSize returns the truncated sized if this is an upload overwriting\n// an existing file\nfunc (t *BaseTransfer) GetTruncatedSize() int64 {\n\treturn t.truncatedSize\n}\n\n// HasSizeLimit returns true if there is an upload or download size limit\nfunc (t *BaseTransfer) HasSizeLimit() bool {\n\tif t.MaxWriteSize > 0 {\n\t\treturn true\n\t}\n\tif t.transferQuota.HasSizeLimits() {\n\t\treturn true\n\t}\n\n\treturn false\n}\n\n// GetVirtualPath returns the transfer virtual path\nfunc (t *BaseTransfer) GetVirtualPath() string {\n\treturn t.requestPath\n}\n\n// GetFsPath returns the transfer filesystem path\nfunc (t *BaseTransfer) GetFsPath() string {\n\treturn t.fsPath\n}\n\n// SetTimes stores access and modification times if fsPath matches the current file\nfunc (t *BaseTransfer) SetTimes(fsPath string, atime time.Time, mtime time.Time) bool {\n\tif fsPath == t.GetFsPath() {\n\t\tt.aTime = atime\n\t\tt.mTime = mtime\n\t\treturn true\n\t}\n\treturn false\n}\n\n// GetRealFsPath returns the real transfer filesystem path.\n// If atomic uploads are enabled this differ from fsPath\nfunc (t *BaseTransfer) GetRealFsPath(fsPath string) string {\n\tif fsPath == t.GetFsPath() {\n\t\tif t.File != nil || vfs.IsLocalOsFs(t.Fs) {\n\t\t\treturn t.effectiveFsPath\n\t\t}\n\t\treturn t.fsPath\n\t}\n\treturn \"\"\n}\n\n// SetMetadata sets the metadata for the file\nfunc (t *BaseTransfer) SetMetadata(val map[string]string) {\n\tt.metadata = val\n}\n\n// SetCancelFn sets the cancel function for the transfer\nfunc (t *BaseTransfer) SetCancelFn(cancelFn func()) {\n\tt.cancelFn = cancelFn\n}\n\n// ConvertError accepts an error that occurs during a read or write and\n// converts it into a more understandable form for the client if it is a\n// well-known type of error\nfunc (t *BaseTransfer) ConvertError(err error) error {\n\tvar pathError *fs.PathError\n\tif errors.As(err, &pathError) {\n\t\treturn fmt.Errorf(\"%s %s: %s\", pathError.Op, t.GetVirtualPath(), pathError.Err.Error())\n\t}\n\treturn t.Connection.GetFsError(t.Fs, err)\n}\n\n// CheckRead returns an error if read if not allowed\nfunc (t *BaseTransfer) CheckRead() error {\n\tif t.transferQuota.AllowedDLSize == 0 && t.transferQuota.AllowedTotalSize == 0 {\n\t\treturn nil\n\t}\n\tif t.transferQuota.AllowedTotalSize > 0 {\n\t\tif t.BytesSent.Load()+t.BytesReceived.Load() > t.transferQuota.AllowedTotalSize {\n\t\t\treturn t.Connection.GetReadQuotaExceededError()\n\t\t}\n\t} else if t.transferQuota.AllowedDLSize > 0 {\n\t\tif t.BytesSent.Load() > t.transferQuota.AllowedDLSize {\n\t\t\treturn t.Connection.GetReadQuotaExceededError()\n\t\t}\n\t}\n\treturn nil\n}\n\n// CheckWrite returns an error if write if not allowed\nfunc (t *BaseTransfer) CheckWrite() error {\n\tif t.MaxWriteSize > 0 && t.BytesReceived.Load() > t.MaxWriteSize {\n\t\treturn t.Connection.GetQuotaExceededError()\n\t}\n\tif t.transferQuota.AllowedULSize == 0 && t.transferQuota.AllowedTotalSize == 0 {\n\t\treturn nil\n\t}\n\tif t.transferQuota.AllowedTotalSize > 0 {\n\t\tif t.BytesSent.Load()+t.BytesReceived.Load() > t.transferQuota.AllowedTotalSize {\n\t\t\treturn t.Connection.GetQuotaExceededError()\n\t\t}\n\t} else if t.transferQuota.AllowedULSize > 0 {\n\t\tif t.BytesReceived.Load() > t.transferQuota.AllowedULSize {\n\t\t\treturn t.Connection.GetQuotaExceededError()\n\t\t}\n\t}\n\treturn nil\n}\n\n// Truncate changes the size of the opened file.\n// Supported for local fs only\nfunc (t *BaseTransfer) Truncate(fsPath string, size int64) (int64, error) {\n\tif fsPath == t.GetFsPath() {\n\t\tif t.File != nil {\n\t\t\tinitialSize := t.InitialSize\n\t\t\terr := t.File.Truncate(size)\n\t\t\tif err == nil {\n\t\t\t\tt.Lock()\n\t\t\t\tt.InitialSize = size\n\t\t\t\tif t.MaxWriteSize > 0 {\n\t\t\t\t\tsizeDiff := initialSize - size\n\t\t\t\t\tt.MaxWriteSize += sizeDiff\n\t\t\t\t\tmetric.TransferCompleted(t.BytesSent.Load(), t.BytesReceived.Load(),\n\t\t\t\t\t\tt.transferType, t.ErrTransfer, vfs.IsSFTPFs(t.Fs))\n\t\t\t\t\tif t.transferQuota.HasSizeLimits() {\n\t\t\t\t\t\tgo func(ulSize, dlSize int64, user dataprovider.User) {\n\t\t\t\t\t\t\tdataprovider.UpdateUserTransferQuota(&user, ulSize, dlSize, false) //nolint:errcheck\n\t\t\t\t\t\t}(t.BytesReceived.Load(), t.BytesSent.Load(), t.Connection.User)\n\t\t\t\t\t}\n\t\t\t\t\tt.BytesReceived.Store(0)\n\t\t\t\t}\n\t\t\t\tt.Unlock()\n\t\t\t}\n\t\t\tt.Connection.Log(logger.LevelDebug, \"file %q truncated to size %v max write size %v new initial size %v err: %v\",\n\t\t\t\tfsPath, size, t.MaxWriteSize, t.InitialSize, err)\n\t\t\treturn initialSize, err\n\t\t}\n\t\tif size == 0 && t.BytesSent.Load() == 0 {\n\t\t\t// for cloud providers the file is always truncated to zero, we don't support append/resume for uploads.\n\t\t\t// For buffered SFTP and local fs we can have buffered bytes so we returns an error\n\t\t\tif !vfs.IsBufferedLocalOrSFTPFs(t.Fs) {\n\t\t\t\treturn 0, nil\n\t\t\t}\n\t\t}\n\t\treturn 0, vfs.ErrVfsUnsupported\n\t}\n\treturn 0, errTransferMismatch\n}\n\n// TransferError is called if there is an unexpected error.\n// For example network or client issues\nfunc (t *BaseTransfer) TransferError(err error) {\n\tt.Lock()\n\tdefer t.Unlock()\n\tif t.ErrTransfer != nil {\n\t\treturn\n\t}\n\tt.ErrTransfer = err\n\tif t.cancelFn != nil {\n\t\tt.cancelFn()\n\t}\n\telapsed := time.Since(t.start).Nanoseconds() / 1000000\n\tt.Connection.Log(logger.LevelError, \"Unexpected error for transfer, path: %q, error: \\\"%v\\\" bytes sent: %v, \"+\n\t\t\"bytes received: %v transfer running since %v ms\", t.fsPath, t.ErrTransfer, t.BytesSent.Load(),\n\t\tt.BytesReceived.Load(), elapsed)\n}\n\nfunc (t *BaseTransfer) getUploadFileSize() (int64, int, error) {\n\tvar fileSize int64\n\tvar deletedFiles int\n\n\tswitch dataprovider.GetQuotaTracking() {\n\tcase 0:\n\t\treturn fileSize, deletedFiles, errors.New(\"quota tracking disabled\")\n\tcase 2:\n\t\tif !t.Connection.User.HasQuotaRestrictions() {\n\t\t\tvfolder, err := t.Connection.User.GetVirtualFolderForPath(path.Dir(t.requestPath))\n\t\t\tif err != nil {\n\t\t\t\treturn fileSize, deletedFiles, errors.New(\"quota tracking disabled for this user\")\n\t\t\t}\n\t\t\tif vfolder.IsIncludedInUserQuota() {\n\t\t\t\treturn fileSize, deletedFiles, errors.New(\"quota tracking disabled for this user and folder included in user quota\")\n\t\t\t}\n\t\t}\n\t}\n\n\tinfo, err := t.Fs.Stat(t.fsPath)\n\tif err == nil {\n\t\tfileSize = info.Size()\n\t}\n\tif t.ErrTransfer != nil && vfs.IsCryptOsFs(t.Fs) {\n\t\terrDelete := t.Fs.Remove(t.fsPath, false)\n\t\tif errDelete != nil {\n\t\t\tt.Connection.Log(logger.LevelWarn, \"error removing partial crypto file %q: %v\", t.fsPath, errDelete)\n\t\t} else {\n\t\t\tfileSize = 0\n\t\t\tdeletedFiles = 1\n\t\t\tt.BytesReceived.Store(0)\n\t\t\tt.MinWriteOffset = 0\n\t\t}\n\t}\n\treturn fileSize, deletedFiles, err\n}\n\n// return 1 if the file is outside the user home dir\nfunc (t *BaseTransfer) checkUploadOutsideHomeDir(err error) int {\n\tif err == nil {\n\t\treturn 0\n\t}\n\tif t.ErrTransfer == nil {\n\t\tt.ErrTransfer = err\n\t}\n\tif Config.TempPath == \"\" {\n\t\treturn 0\n\t}\n\terr = t.Fs.Remove(t.effectiveFsPath, false)\n\tt.Connection.Log(logger.LevelWarn, \"upload in temp path cannot be renamed, delete temporary file: %q, deletion error: %v\",\n\t\tt.effectiveFsPath, err)\n\t// the file is outside the home dir so don't update the quota\n\tt.BytesReceived.Store(0)\n\tt.MinWriteOffset = 0\n\treturn 1\n}\n\n// Close it is called when the transfer is completed.\n// It logs the transfer info, updates the user quota (for uploads)\n// and executes any defined action.\n// If there is an error no action will be executed and, in atomic mode,\n// we try to delete the temporary file\nfunc (t *BaseTransfer) Close() error {\n\tdefer t.Connection.RemoveTransfer(t)\n\n\tvar err error\n\tnumFiles := t.getUploadedFiles()\n\tmetric.TransferCompleted(t.BytesSent.Load(), t.BytesReceived.Load(),\n\t\tt.transferType, t.ErrTransfer, vfs.IsSFTPFs(t.Fs))\n\tif t.transferQuota.HasSizeLimits() {\n\t\tdataprovider.UpdateUserTransferQuota(&t.Connection.User, t.BytesReceived.Load(), //nolint:errcheck\n\t\t\tt.BytesSent.Load(), false)\n\t}\n\tif (t.File != nil || vfs.IsLocalOsFs(t.Fs)) && t.Connection.IsQuotaExceededError(t.ErrTransfer) {\n\t\t// if quota is exceeded we try to remove the partial file for uploads to local filesystem\n\t\terr = t.Fs.Remove(t.effectiveFsPath, false)\n\t\tif err == nil {\n\t\t\tt.BytesReceived.Store(0)\n\t\t\tt.MinWriteOffset = 0\n\t\t}\n\t\tt.Connection.Log(logger.LevelWarn, \"upload denied due to space limit, delete temporary file: %q, deletion error: %v\",\n\t\t\tt.effectiveFsPath, err)\n\t} else if t.isAtomicUpload() {\n\t\tif t.ErrTransfer == nil || Config.UploadMode&UploadModeAtomicWithResume != 0 {\n\t\t\t_, _, err = t.Fs.Rename(t.effectiveFsPath, t.fsPath, 0)\n\t\t\tt.Connection.Log(logger.LevelDebug, \"atomic upload completed, rename: %q -> %q, error: %v\",\n\t\t\t\tt.effectiveFsPath, t.fsPath, err)\n\t\t\t// the file must be removed if it is uploaded to a path outside the home dir and cannot be renamed\n\t\t\tt.checkUploadOutsideHomeDir(err)\n\t\t} else {\n\t\t\terr = t.Fs.Remove(t.effectiveFsPath, false)\n\t\t\tt.Connection.Log(logger.LevelWarn, \"atomic upload completed with error: \\\"%v\\\", delete temporary file: %q, deletion error: %v\",\n\t\t\t\tt.ErrTransfer, t.effectiveFsPath, err)\n\t\t\tif err == nil {\n\t\t\t\tt.BytesReceived.Store(0)\n\t\t\t\tt.MinWriteOffset = 0\n\t\t\t}\n\t\t}\n\t}\n\telapsed := time.Since(t.start).Nanoseconds() / 1000000\n\tvar uploadFileSize int64\n\tif t.transferType == TransferDownload {\n\t\tlogger.TransferLog(downloadLogSender, t.fsPath, elapsed, t.BytesSent.Load(), t.Connection.User.Username,\n\t\t\tt.Connection.ID, t.Connection.protocol, t.Connection.localAddr, t.Connection.remoteAddr, t.ftpMode,\n\t\t\tt.ErrTransfer)\n\t\tExecuteActionNotification(t.Connection, operationDownload, t.fsPath, t.requestPath, \"\", \"\", \"\", //nolint:errcheck\n\t\t\tt.BytesSent.Load(), t.ErrTransfer, elapsed, t.metadata)\n\t} else {\n\t\tstatSize, deletedFiles, errStat := t.getUploadFileSize()\n\t\tif errStat == nil {\n\t\t\tuploadFileSize = statSize\n\t\t} else {\n\t\t\tuploadFileSize = t.BytesReceived.Load() + t.MinWriteOffset\n\t\t\tif t.Fs.IsNotExist(errStat) {\n\t\t\t\tuploadFileSize = 0\n\t\t\t\tnumFiles--\n\t\t\t}\n\t\t}\n\t\tnumFiles -= deletedFiles\n\t\tt.Connection.Log(logger.LevelDebug, \"upload file size %d, num files %d, deleted files %d, fs path %q\",\n\t\t\tuploadFileSize, numFiles, deletedFiles, t.fsPath)\n\t\tnumFiles, uploadFileSize = t.executeUploadHook(numFiles, uploadFileSize, elapsed)\n\t\tt.updateQuota(numFiles, uploadFileSize)\n\t\tt.updateTimes()\n\t\tlogger.TransferLog(uploadLogSender, t.fsPath, elapsed, t.BytesReceived.Load(), t.Connection.User.Username,\n\t\t\tt.Connection.ID, t.Connection.protocol, t.Connection.localAddr, t.Connection.remoteAddr, t.ftpMode,\n\t\t\tt.ErrTransfer)\n\t}\n\tif t.ErrTransfer != nil {\n\t\tt.Connection.Log(logger.LevelError, \"transfer error: %v, path: %q\", t.ErrTransfer, t.fsPath)\n\t\tif err == nil {\n\t\t\terr = t.ErrTransfer\n\t\t}\n\t}\n\tt.updateTransferTimestamps(uploadFileSize, elapsed)\n\treturn err\n}\n\nfunc (t *BaseTransfer) isAtomicUpload() bool {\n\treturn t.transferType == TransferUpload && t.effectiveFsPath != t.fsPath\n}\n\nfunc (t *BaseTransfer) updateTransferTimestamps(uploadFileSize, elapsed int64) {\n\tif t.ErrTransfer != nil {\n\t\treturn\n\t}\n\tif t.transferType == TransferUpload {\n\t\tif t.Connection.User.FirstUpload == 0 && !t.Connection.uploadDone.Load() {\n\t\t\tif err := dataprovider.UpdateUserTransferTimestamps(t.Connection.User.Username, true); err == nil {\n\t\t\t\tt.Connection.uploadDone.Store(true)\n\t\t\t\tExecuteActionNotification(t.Connection, operationFirstUpload, t.fsPath, t.requestPath, \"\", //nolint:errcheck\n\t\t\t\t\t\"\", \"\", uploadFileSize, t.ErrTransfer, elapsed, t.metadata)\n\t\t\t}\n\t\t}\n\t\treturn\n\t}\n\tif t.Connection.User.FirstDownload == 0 && !t.Connection.downloadDone.Load() && t.BytesSent.Load() > 0 {\n\t\tif err := dataprovider.UpdateUserTransferTimestamps(t.Connection.User.Username, false); err == nil {\n\t\t\tt.Connection.downloadDone.Store(true)\n\t\t\tExecuteActionNotification(t.Connection, operationFirstDownload, t.fsPath, t.requestPath, \"\", //nolint:errcheck\n\t\t\t\t\"\", \"\", t.BytesSent.Load(), t.ErrTransfer, elapsed, t.metadata)\n\t\t}\n\t}\n}\n\nfunc (t *BaseTransfer) executeUploadHook(numFiles int, fileSize, elapsed int64) (int, int64) {\n\terr := ExecuteActionNotification(t.Connection, operationUpload, t.fsPath, t.requestPath, \"\", \"\", \"\",\n\t\tfileSize, t.ErrTransfer, elapsed, t.metadata)\n\tif err != nil {\n\t\tif t.ErrTransfer == nil {\n\t\t\tt.ErrTransfer = err\n\t\t}\n\t\t// try to remove the uploaded file\n\t\terr = t.Fs.Remove(t.fsPath, false)\n\t\tif err == nil {\n\t\t\tnumFiles--\n\t\t\tfileSize = 0\n\t\t\tt.BytesReceived.Store(0)\n\t\t\tt.MinWriteOffset = 0\n\t\t} else {\n\t\t\tt.Connection.Log(logger.LevelWarn, \"unable to remove path %q after upload hook failure: %v\", t.fsPath, err)\n\t\t}\n\t}\n\treturn numFiles, fileSize\n}\n\nfunc (t *BaseTransfer) getUploadedFiles() int {\n\tnumFiles := 0\n\tif t.isNewFile {\n\t\tnumFiles = 1\n\t}\n\treturn numFiles\n}\n\nfunc (t *BaseTransfer) updateTimes() {\n\tif !t.aTime.IsZero() && !t.mTime.IsZero() {\n\t\terr := t.Fs.Chtimes(t.fsPath, t.aTime, t.mTime, false)\n\t\tt.Connection.Log(logger.LevelDebug, \"set times for file %q, atime: %v, mtime: %v, err: %v\",\n\t\t\tt.fsPath, t.aTime, t.mTime, err)\n\t}\n}\n\nfunc (t *BaseTransfer) updateQuota(numFiles int, fileSize int64) bool {\n\t// Uploads on some filesystem (S3 and similar) are atomic, if there is an error nothing is uploaded\n\tif t.File == nil && t.ErrTransfer != nil && vfs.HasImplicitAtomicUploads(t.Fs) {\n\t\treturn false\n\t}\n\tsizeDiff := fileSize - t.InitialSize\n\tif t.transferType == TransferUpload && (numFiles != 0 || sizeDiff != 0) {\n\t\tvfolder, err := t.Connection.User.GetVirtualFolderForPath(path.Dir(t.requestPath))\n\t\tif err == nil {\n\t\t\tdataprovider.UpdateUserFolderQuota(&vfolder, &t.Connection.User, numFiles,\n\t\t\t\tsizeDiff, false)\n\t\t} else {\n\t\t\tdataprovider.UpdateUserQuota(&t.Connection.User, numFiles, sizeDiff, false) //nolint:errcheck\n\t\t}\n\t\treturn true\n\t}\n\treturn false\n}\n\n// HandleThrottle manage bandwidth throttling\nfunc (t *BaseTransfer) HandleThrottle() {\n\tvar wantedBandwidth int64\n\tvar trasferredBytes int64\n\tif t.transferType == TransferDownload {\n\t\twantedBandwidth = t.Connection.User.DownloadBandwidth\n\t\ttrasferredBytes = t.BytesSent.Load()\n\t} else {\n\t\twantedBandwidth = t.Connection.User.UploadBandwidth\n\t\ttrasferredBytes = t.BytesReceived.Load()\n\t}\n\tif wantedBandwidth > 0 {\n\t\t// real and wanted elapsed as milliseconds, bytes as kilobytes\n\t\trealElapsed := time.Since(t.start).Nanoseconds() / 1000000\n\t\t// trasferredBytes / 1024 = KB/s, we multiply for 1000 to get milliseconds\n\t\twantedElapsed := 1000 * (trasferredBytes / 1024) / wantedBandwidth\n\t\tif wantedElapsed > realElapsed {\n\t\t\ttoSleep := time.Duration(wantedElapsed - realElapsed)\n\t\t\ttime.Sleep(toSleep * time.Millisecond)\n\t\t}\n\t}\n}\n" }, { "path": "internal/common/transfer_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/pkg/sftp\"\n\t\"github.com/sftpgo/sdk\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nfunc TestTransferUpdateQuota(t *testing.T) {\n\tconn := NewBaseConnection(\"\", ProtocolSFTP, \"\", \"\", dataprovider.User{})\n\ttransfer := BaseTransfer{\n\t\tConnection: conn,\n\t\ttransferType: TransferUpload,\n\t\tFs: vfs.NewOsFs(\"\", os.TempDir(), \"\", nil),\n\t}\n\ttransfer.BytesReceived.Store(123)\n\terrFake := errors.New(\"fake error\")\n\ttransfer.TransferError(errFake)\n\terr := transfer.Close()\n\tif assert.Error(t, err) {\n\t\tassert.EqualError(t, err, errFake.Error())\n\t}\n\tmappedPath := filepath.Join(os.TempDir(), \"vdir\")\n\tvdirPath := \"/vdir\"\n\tconn.User.VirtualFolders = append(conn.User.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tMappedPath: mappedPath,\n\t\t},\n\t\tVirtualPath: vdirPath,\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\ttransfer.ErrTransfer = nil\n\ttransfer.BytesReceived.Store(1)\n\ttransfer.requestPath = \"/vdir/file\"\n\tassert.True(t, transfer.updateQuota(1, 0))\n\terr = transfer.Close()\n\tassert.NoError(t, err)\n\n\ttransfer.ErrTransfer = errFake\n\ttransfer.Fs = newMockOsFs(true, \"\", \"\", \"S3Fs fake\", nil)\n\tassert.False(t, transfer.updateQuota(1, 0))\n}\n\nfunc TestTransferThrottling(t *testing.T) {\n\tu := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"test\",\n\t\t\tUploadBandwidth: 50,\n\t\t\tDownloadBandwidth: 40,\n\t\t},\n\t}\n\tfs := vfs.NewOsFs(\"\", os.TempDir(), \"\", nil)\n\ttestFileSize := int64(131072)\n\twantedUploadElapsed := 1000 * (testFileSize / 1024) / u.UploadBandwidth\n\twantedDownloadElapsed := 1000 * (testFileSize / 1024) / u.DownloadBandwidth\n\t// some tolerance\n\twantedUploadElapsed -= wantedDownloadElapsed / 10\n\twantedDownloadElapsed -= wantedDownloadElapsed / 10\n\tconn := NewBaseConnection(\"id\", ProtocolSCP, \"\", \"\", u)\n\ttransfer := NewBaseTransfer(nil, conn, nil, \"\", \"\", \"\", TransferUpload, 0, 0, 0, 0, true, fs, dataprovider.TransferQuota{})\n\ttransfer.BytesReceived.Store(testFileSize)\n\ttransfer.Connection.UpdateLastActivity()\n\tstartTime := transfer.Connection.GetLastActivity()\n\ttransfer.HandleThrottle()\n\telapsed := time.Since(startTime).Nanoseconds() / 1000000\n\tassert.GreaterOrEqual(t, elapsed, wantedUploadElapsed, \"upload bandwidth throttling not respected\")\n\terr := transfer.Close()\n\tassert.NoError(t, err)\n\n\ttransfer = NewBaseTransfer(nil, conn, nil, \"\", \"\", \"\", TransferDownload, 0, 0, 0, 0, true, fs, dataprovider.TransferQuota{})\n\ttransfer.BytesSent.Store(testFileSize)\n\ttransfer.Connection.UpdateLastActivity()\n\tstartTime = transfer.Connection.GetLastActivity()\n\n\ttransfer.HandleThrottle()\n\telapsed = time.Since(startTime).Nanoseconds() / 1000000\n\tassert.GreaterOrEqual(t, elapsed, wantedDownloadElapsed, \"download bandwidth throttling not respected\")\n\terr = transfer.Close()\n\tassert.NoError(t, err)\n}\n\nfunc TestRealPath(t *testing.T) {\n\ttestFile := filepath.Join(os.TempDir(), \"afile.txt\")\n\tfs := vfs.NewOsFs(\"123\", os.TempDir(), \"\", nil)\n\tu := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"user\",\n\t\t\tHomeDir: os.TempDir(),\n\t\t},\n\t}\n\tu.Permissions = make(map[string][]string)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tfile, err := os.Create(testFile)\n\trequire.NoError(t, err)\n\tconn := NewBaseConnection(fs.ConnectionID(), ProtocolSFTP, \"\", \"\", u)\n\ttransfer := NewBaseTransfer(file, conn, nil, testFile, testFile, \"/transfer_test_file\",\n\t\tTransferUpload, 0, 0, 0, 0, true, fs, dataprovider.TransferQuota{})\n\trPath := transfer.GetRealFsPath(testFile)\n\tassert.Equal(t, testFile, rPath)\n\trPath = conn.getRealFsPath(testFile)\n\tassert.Equal(t, testFile, rPath)\n\terr = transfer.Close()\n\tassert.NoError(t, err)\n\terr = file.Close()\n\tassert.NoError(t, err)\n\ttransfer.File = nil\n\trPath = transfer.GetRealFsPath(testFile)\n\tassert.Equal(t, testFile, rPath)\n\trPath = transfer.GetRealFsPath(\"\")\n\tassert.Empty(t, rPath)\n\terr = os.Remove(testFile)\n\tassert.NoError(t, err)\n\tassert.Len(t, conn.GetTransfers(), 0)\n}\n\nfunc TestTruncate(t *testing.T) {\n\ttestFile := filepath.Join(os.TempDir(), \"transfer_test_file\")\n\tfs := vfs.NewOsFs(\"123\", os.TempDir(), \"\", nil)\n\tu := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"user\",\n\t\t\tHomeDir: os.TempDir(),\n\t\t},\n\t}\n\tu.Permissions = make(map[string][]string)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tfile, err := os.Create(testFile)\n\tif !assert.NoError(t, err) {\n\t\tassert.FailNow(t, \"unable to open test file\")\n\t}\n\t_, err = file.Write([]byte(\"hello\"))\n\tassert.NoError(t, err)\n\tconn := NewBaseConnection(fs.ConnectionID(), ProtocolSFTP, \"\", \"\", u)\n\ttransfer := NewBaseTransfer(file, conn, nil, testFile, testFile, \"/transfer_test_file\", TransferUpload, 0, 5,\n\t\t100, 0, false, fs, dataprovider.TransferQuota{})\n\n\terr = conn.SetStat(\"/transfer_test_file\", &StatAttributes{\n\t\tSize: 2,\n\t\tFlags: StatAttrSize,\n\t})\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(103), transfer.MaxWriteSize)\n\terr = transfer.Close()\n\tassert.NoError(t, err)\n\terr = file.Close()\n\tassert.NoError(t, err)\n\tfi, err := os.Stat(testFile)\n\tif assert.NoError(t, err) {\n\t\tassert.Equal(t, int64(2), fi.Size())\n\t}\n\n\ttransfer = NewBaseTransfer(file, conn, nil, testFile, testFile, \"/transfer_test_file\", TransferUpload, 0, 0,\n\t\t100, 0, true, fs, dataprovider.TransferQuota{})\n\t// file.Stat will fail on a closed file\n\terr = conn.SetStat(\"/transfer_test_file\", &StatAttributes{\n\t\tSize: 2,\n\t\tFlags: StatAttrSize,\n\t})\n\tassert.Error(t, err)\n\terr = transfer.Close()\n\tassert.NoError(t, err)\n\n\ttransfer = NewBaseTransfer(nil, conn, nil, testFile, testFile, \"\", TransferUpload, 0, 0, 0, 0, true,\n\t\tfs, dataprovider.TransferQuota{})\n\t_, err = transfer.Truncate(\"mismatch\", 0)\n\tassert.EqualError(t, err, errTransferMismatch.Error())\n\t_, err = transfer.Truncate(testFile, 0)\n\tassert.NoError(t, err)\n\t_, err = transfer.Truncate(testFile, 1)\n\tassert.EqualError(t, err, vfs.ErrVfsUnsupported.Error())\n\n\terr = transfer.Close()\n\tassert.NoError(t, err)\n\n\terr = os.Remove(testFile)\n\tassert.NoError(t, err)\n\n\tassert.Len(t, conn.GetTransfers(), 0)\n}\n\nfunc TestTransferErrors(t *testing.T) {\n\tisCancelled := false\n\tcancelFn := func() {\n\t\tisCancelled = true\n\t}\n\ttestFile := filepath.Join(os.TempDir(), \"transfer_test_file\")\n\tfs := vfs.NewOsFs(\"id\", os.TempDir(), \"\", nil)\n\tu := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"test\",\n\t\t\tHomeDir: os.TempDir(),\n\t\t},\n\t}\n\terr := os.WriteFile(testFile, []byte(\"test data\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tfile, err := os.Open(testFile)\n\tif !assert.NoError(t, err) {\n\t\tassert.FailNow(t, \"unable to open test file\")\n\t}\n\tconn := NewBaseConnection(\"id\", ProtocolSFTP, \"\", \"\", u)\n\ttransfer := NewBaseTransfer(file, conn, nil, testFile, testFile, \"/transfer_test_file\", TransferUpload,\n\t\t0, 0, 0, 0, true, fs, dataprovider.TransferQuota{})\n\tpathError := &os.PathError{\n\t\tOp: \"test\",\n\t\tPath: testFile,\n\t\tErr: os.ErrInvalid,\n\t}\n\terr = transfer.ConvertError(pathError)\n\tassert.EqualError(t, err, fmt.Sprintf(\"%s %s: %s\", pathError.Op, \"/transfer_test_file\", pathError.Err.Error()))\n\terr = transfer.ConvertError(os.ErrNotExist)\n\tassert.ErrorIs(t, err, sftp.ErrSSHFxNoSuchFile)\n\terr = transfer.ConvertError(os.ErrPermission)\n\tassert.ErrorIs(t, err, sftp.ErrSSHFxPermissionDenied)\n\tassert.Nil(t, transfer.cancelFn)\n\tassert.Equal(t, testFile, transfer.GetFsPath())\n\ttransfer.SetMetadata(map[string]string{\"key\": \"val\"})\n\ttransfer.SetCancelFn(cancelFn)\n\terrFake := errors.New(\"err fake\")\n\ttransfer.BytesReceived.Store(9)\n\ttransfer.TransferError(ErrQuotaExceeded)\n\tassert.True(t, isCancelled)\n\ttransfer.TransferError(errFake)\n\tassert.Error(t, transfer.ErrTransfer, ErrQuotaExceeded.Error())\n\t// the file is closed from the embedding struct before to call close\n\terr = file.Close()\n\tassert.NoError(t, err)\n\terr = transfer.Close()\n\tif assert.Error(t, err) {\n\t\tassert.Error(t, err, ErrQuotaExceeded.Error())\n\t}\n\tassert.NoFileExists(t, testFile)\n\n\terr = os.WriteFile(testFile, []byte(\"test data\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tfile, err = os.Open(testFile)\n\tif !assert.NoError(t, err) {\n\t\tassert.FailNow(t, \"unable to open test file\")\n\t}\n\tfsPath := filepath.Join(os.TempDir(), \"test_file\")\n\ttransfer = NewBaseTransfer(file, conn, nil, fsPath, file.Name(), \"/test_file\", TransferUpload, 0, 0, 0, 0, true,\n\t\tfs, dataprovider.TransferQuota{})\n\ttransfer.BytesReceived.Store(9)\n\ttransfer.TransferError(errFake)\n\tassert.Error(t, transfer.ErrTransfer, errFake.Error())\n\t// the file is closed from the embedding struct before to call close\n\terr = file.Close()\n\tassert.NoError(t, err)\n\terr = transfer.Close()\n\tif assert.Error(t, err) {\n\t\tassert.Error(t, err, errFake.Error())\n\t}\n\tassert.NoFileExists(t, testFile)\n\n\terr = os.WriteFile(testFile, []byte(\"test data\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tfile, err = os.Open(testFile)\n\tif !assert.NoError(t, err) {\n\t\tassert.FailNow(t, \"unable to open test file\")\n\t}\n\ttransfer = NewBaseTransfer(file, conn, nil, fsPath, file.Name(), \"/test_file\", TransferUpload, 0, 0, 0, 0, true,\n\t\tfs, dataprovider.TransferQuota{})\n\ttransfer.BytesReceived.Store(9)\n\t// the file is closed from the embedding struct before to call close\n\terr = file.Close()\n\tassert.NoError(t, err)\n\terr = transfer.Close()\n\tassert.NoError(t, err)\n\tassert.NoFileExists(t, testFile)\n\tassert.FileExists(t, fsPath)\n\terr = os.Remove(fsPath)\n\tassert.NoError(t, err)\n\n\tassert.Len(t, conn.GetTransfers(), 0)\n}\n\nfunc TestRemovePartialCryptoFile(t *testing.T) {\n\ttestFile := filepath.Join(os.TempDir(), \"transfer_test_file\")\n\tfs, err := vfs.NewCryptFs(\"id\", os.TempDir(), \"\", vfs.CryptFsConfig{Passphrase: kms.NewPlainSecret(\"secret\")})\n\trequire.NoError(t, err)\n\tu := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"test\",\n\t\t\tHomeDir: os.TempDir(),\n\t\t\tQuotaFiles: 1000000,\n\t\t},\n\t}\n\tconn := NewBaseConnection(fs.ConnectionID(), ProtocolSFTP, \"\", \"\", u)\n\ttransfer := NewBaseTransfer(nil, conn, nil, testFile, testFile, \"/transfer_test_file\", TransferUpload,\n\t\t0, 0, 0, 0, true, fs, dataprovider.TransferQuota{})\n\ttransfer.ErrTransfer = errors.New(\"test error\")\n\t_, _, err = transfer.getUploadFileSize()\n\tassert.Error(t, err)\n\terr = os.WriteFile(testFile, []byte(\"test data\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tsize, deletedFiles, err := transfer.getUploadFileSize()\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(0), size)\n\tassert.Equal(t, 1, deletedFiles)\n\tassert.NoFileExists(t, testFile)\n\terr = transfer.Close()\n\tassert.Error(t, err)\n\tassert.Len(t, conn.GetTransfers(), 0)\n}\n\nfunc TestFTPMode(t *testing.T) {\n\tconn := NewBaseConnection(\"\", ProtocolFTP, \"\", \"\", dataprovider.User{})\n\ttransfer := BaseTransfer{\n\t\tConnection: conn,\n\t\ttransferType: TransferUpload,\n\t\tFs: vfs.NewOsFs(\"\", os.TempDir(), \"\", nil),\n\t}\n\ttransfer.BytesReceived.Store(123)\n\tassert.Empty(t, transfer.ftpMode)\n\ttransfer.SetFtpMode(\"active\")\n\tassert.Equal(t, \"active\", transfer.ftpMode)\n}\n\nfunc TestTransferQuota(t *testing.T) {\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tTotalDataTransfer: 3,\n\t\t\tUploadDataTransfer: 2,\n\t\t\tDownloadDataTransfer: 1,\n\t\t},\n\t}\n\tul, dl, total := user.GetDataTransferLimits()\n\tassert.Equal(t, int64(2*1048576), ul)\n\tassert.Equal(t, int64(1*1048576), dl)\n\tassert.Equal(t, int64(3*1048576), total)\n\tuser.TotalDataTransfer = -1\n\tuser.UploadDataTransfer = -1\n\tuser.DownloadDataTransfer = -1\n\tul, dl, total = user.GetDataTransferLimits()\n\tassert.Equal(t, int64(0), ul)\n\tassert.Equal(t, int64(0), dl)\n\tassert.Equal(t, int64(0), total)\n\ttransferQuota := dataprovider.TransferQuota{}\n\tassert.True(t, transferQuota.HasDownloadSpace())\n\tassert.True(t, transferQuota.HasUploadSpace())\n\ttransferQuota.TotalSize = -1\n\ttransferQuota.ULSize = -1\n\ttransferQuota.DLSize = -1\n\tassert.True(t, transferQuota.HasDownloadSpace())\n\tassert.True(t, transferQuota.HasUploadSpace())\n\ttransferQuota.TotalSize = 100\n\ttransferQuota.AllowedTotalSize = 10\n\tassert.True(t, transferQuota.HasDownloadSpace())\n\tassert.True(t, transferQuota.HasUploadSpace())\n\ttransferQuota.AllowedTotalSize = 0\n\tassert.False(t, transferQuota.HasDownloadSpace())\n\tassert.False(t, transferQuota.HasUploadSpace())\n\ttransferQuota.TotalSize = 0\n\ttransferQuota.DLSize = 100\n\ttransferQuota.ULSize = 50\n\ttransferQuota.AllowedTotalSize = 0\n\tassert.False(t, transferQuota.HasDownloadSpace())\n\tassert.False(t, transferQuota.HasUploadSpace())\n\ttransferQuota.AllowedDLSize = 1\n\ttransferQuota.AllowedULSize = 1\n\tassert.True(t, transferQuota.HasDownloadSpace())\n\tassert.True(t, transferQuota.HasUploadSpace())\n\ttransferQuota.AllowedDLSize = -10\n\ttransferQuota.AllowedULSize = -1\n\tassert.False(t, transferQuota.HasDownloadSpace())\n\tassert.False(t, transferQuota.HasUploadSpace())\n\n\tconn := NewBaseConnection(\"\", ProtocolSFTP, \"\", \"\", user)\n\ttransfer := NewBaseTransfer(nil, conn, nil, \"file.txt\", \"file.txt\", \"/transfer_test_file\", TransferUpload,\n\t\t0, 0, 0, 0, true, vfs.NewOsFs(\"\", os.TempDir(), \"\", nil), dataprovider.TransferQuota{})\n\terr := transfer.CheckRead()\n\tassert.NoError(t, err)\n\terr = transfer.CheckWrite()\n\tassert.NoError(t, err)\n\n\ttransfer.transferQuota = dataprovider.TransferQuota{\n\t\tAllowedTotalSize: 10,\n\t}\n\ttransfer.BytesReceived.Store(5)\n\ttransfer.BytesSent.Store(4)\n\terr = transfer.CheckRead()\n\tassert.NoError(t, err)\n\terr = transfer.CheckWrite()\n\tassert.NoError(t, err)\n\n\ttransfer.BytesSent.Store(6)\n\terr = transfer.CheckRead()\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), ErrReadQuotaExceeded.Error())\n\t}\n\terr = transfer.CheckWrite()\n\tassert.True(t, conn.IsQuotaExceededError(err))\n\n\ttransferQuota = dataprovider.TransferQuota{\n\t\tAllowedTotalSize: 0,\n\t\tAllowedULSize: 10,\n\t\tAllowedDLSize: 5,\n\t}\n\ttransfer.transferQuota = transferQuota\n\tassert.Equal(t, transferQuota, transfer.GetTransferQuota())\n\terr = transfer.CheckRead()\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), ErrReadQuotaExceeded.Error())\n\t}\n\terr = transfer.CheckWrite()\n\tassert.NoError(t, err)\n\n\ttransfer.BytesReceived.Store(11)\n\terr = transfer.CheckRead()\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), ErrReadQuotaExceeded.Error())\n\t}\n\terr = transfer.CheckWrite()\n\tassert.True(t, conn.IsQuotaExceededError(err))\n\n\terr = transfer.Close()\n\tassert.NoError(t, err)\n\tassert.Len(t, conn.GetTransfers(), 0)\n\tassert.Equal(t, int32(0), Connections.GetTotalTransfers())\n}\n\nfunc TestUploadOutsideHomeRenameError(t *testing.T) {\n\toldTempPath := Config.TempPath\n\n\tconn := NewBaseConnection(\"\", ProtocolSFTP, \"\", \"\", dataprovider.User{})\n\ttransfer := BaseTransfer{\n\t\tConnection: conn,\n\t\ttransferType: TransferUpload,\n\t\tFs: vfs.NewOsFs(\"\", filepath.Join(os.TempDir(), \"home\"), \"\", nil),\n\t}\n\ttransfer.BytesReceived.Store(123)\n\n\tfileName := filepath.Join(os.TempDir(), \"_temp\")\n\terr := os.WriteFile(fileName, []byte(`data`), 0644)\n\tassert.NoError(t, err)\n\n\ttransfer.effectiveFsPath = fileName\n\tres := transfer.checkUploadOutsideHomeDir(os.ErrPermission)\n\tassert.Equal(t, 0, res)\n\n\tConfig.TempPath = filepath.Clean(os.TempDir())\n\tres = transfer.checkUploadOutsideHomeDir(nil)\n\tassert.Equal(t, 0, res)\n\tassert.Greater(t, transfer.BytesReceived.Load(), int64(0))\n\tres = transfer.checkUploadOutsideHomeDir(os.ErrPermission)\n\tassert.Equal(t, 1, res)\n\tassert.Equal(t, int64(0), transfer.BytesReceived.Load())\n\tassert.NoFileExists(t, fileName)\n\n\tConfig.TempPath = oldTempPath\n}\n" }, { "path": "internal/common/transferschecker.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"errors\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\ntype overquotaTransfer struct {\n\tConnID string\n\tTransferID int64\n\tTransferType int\n}\n\ntype uploadAggregationKey struct {\n\tUsername string\n\tFolderName string\n}\n\n// TransfersChecker defines the interface that transfer checkers must implement.\n// A transfer checker ensure that multiple concurrent transfers does not exceeded\n// the remaining user quota\ntype TransfersChecker interface {\n\tAddTransfer(transfer dataprovider.ActiveTransfer)\n\tRemoveTransfer(ID int64, connectionID string)\n\tUpdateTransferCurrentSizes(ulSize, dlSize, ID int64, connectionID string)\n\tGetOverquotaTransfers() []overquotaTransfer\n}\n\nfunc getTransfersChecker(isShared int) TransfersChecker {\n\tif isShared == 1 {\n\t\tlogger.Info(logSender, \"\", \"using provider transfer checker\")\n\t\treturn &transfersCheckerDB{}\n\t}\n\tlogger.Info(logSender, \"\", \"using memory transfer checker\")\n\treturn &transfersCheckerMem{}\n}\n\ntype baseTransferChecker struct {\n\ttransfers []dataprovider.ActiveTransfer\n}\n\nfunc (t *baseTransferChecker) isDataTransferExceeded(user dataprovider.User, transfer dataprovider.ActiveTransfer, ulSize,\n\tdlSize int64,\n) bool {\n\tulQuota, dlQuota, totalQuota := user.GetDataTransferLimits()\n\tif totalQuota > 0 {\n\t\tallowedSize := totalQuota - (user.UsedUploadDataTransfer + user.UsedDownloadDataTransfer)\n\t\tif ulSize+dlSize > allowedSize {\n\t\t\treturn transfer.CurrentDLSize > 0 || transfer.CurrentULSize > 0\n\t\t}\n\t}\n\tif dlQuota > 0 {\n\t\tallowedSize := dlQuota - user.UsedDownloadDataTransfer\n\t\tif dlSize > allowedSize {\n\t\t\treturn transfer.CurrentDLSize > 0\n\t\t}\n\t}\n\tif ulQuota > 0 {\n\t\tallowedSize := ulQuota - user.UsedUploadDataTransfer\n\t\tif ulSize > allowedSize {\n\t\t\treturn transfer.CurrentULSize > 0\n\t\t}\n\t}\n\treturn false\n}\n\nfunc (t *baseTransferChecker) getRemainingDiskQuota(user dataprovider.User, folderName string) (int64, error) {\n\tvar result int64\n\n\tif folderName != \"\" {\n\t\tfor _, folder := range user.VirtualFolders {\n\t\t\tif folder.Name == folderName {\n\t\t\t\tif folder.QuotaSize > 0 {\n\t\t\t\t\treturn folder.QuotaSize - folder.UsedQuotaSize, nil\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t} else {\n\t\tif user.QuotaSize > 0 {\n\t\t\treturn user.QuotaSize - user.UsedQuotaSize, nil\n\t\t}\n\t}\n\n\treturn result, errors.New(\"no quota limit defined\")\n}\n\nfunc (t *baseTransferChecker) aggregateTransfersByUser(usersToFetch map[string]bool,\n) (map[string]bool, map[string][]dataprovider.ActiveTransfer) {\n\taggregations := make(map[string][]dataprovider.ActiveTransfer)\n\tfor _, transfer := range t.transfers {\n\t\taggregations[transfer.Username] = append(aggregations[transfer.Username], transfer)\n\t\tif len(aggregations[transfer.Username]) > 1 {\n\t\t\tif _, ok := usersToFetch[transfer.Username]; !ok {\n\t\t\t\tusersToFetch[transfer.Username] = false\n\t\t\t}\n\t\t}\n\t}\n\n\treturn usersToFetch, aggregations\n}\n\nfunc (t *baseTransferChecker) aggregateUploadTransfers() (map[string]bool, map[int][]dataprovider.ActiveTransfer) {\n\tusersToFetch := make(map[string]bool)\n\taggregations := make(map[int][]dataprovider.ActiveTransfer)\n\tvar keys []uploadAggregationKey\n\n\tfor _, transfer := range t.transfers {\n\t\tif transfer.Type != TransferUpload {\n\t\t\tcontinue\n\t\t}\n\t\tkey := -1\n\t\tfor idx, k := range keys {\n\t\t\tif k.Username == transfer.Username && k.FolderName == transfer.FolderName {\n\t\t\t\tkey = idx\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif key == -1 {\n\t\t\tkey = len(keys)\n\t\t}\n\t\tkeys = append(keys, uploadAggregationKey{\n\t\t\tUsername: transfer.Username,\n\t\t\tFolderName: transfer.FolderName,\n\t\t})\n\n\t\taggregations[key] = append(aggregations[key], transfer)\n\t\tif len(aggregations[key]) > 1 {\n\t\t\tif transfer.FolderName != \"\" {\n\t\t\t\tusersToFetch[transfer.Username] = true\n\t\t\t} else {\n\t\t\t\tif _, ok := usersToFetch[transfer.Username]; !ok {\n\t\t\t\t\tusersToFetch[transfer.Username] = false\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\treturn usersToFetch, aggregations\n}\n\nfunc (t *baseTransferChecker) getUsersToCheck(usersToFetch map[string]bool) (map[string]dataprovider.User, error) {\n\tusers, err := dataprovider.GetUsersForQuotaCheck(usersToFetch)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tusersMap := make(map[string]dataprovider.User)\n\n\tfor _, user := range users {\n\t\tusersMap[user.Username] = user\n\t}\n\n\treturn usersMap, nil\n}\n\nfunc (t *baseTransferChecker) getOverquotaTransfers(usersToFetch map[string]bool,\n\tuploadAggregations map[int][]dataprovider.ActiveTransfer,\n\tuserAggregations map[string][]dataprovider.ActiveTransfer,\n) []overquotaTransfer {\n\tif len(usersToFetch) == 0 {\n\t\treturn nil\n\t}\n\tusersMap, err := t.getUsersToCheck(usersToFetch)\n\tif err != nil {\n\t\tlogger.Warn(logSender, \"\", \"unable to check transfers, error getting users quota: %v\", err)\n\t\treturn nil\n\t}\n\n\tvar overquotaTransfers []overquotaTransfer\n\n\tfor _, transfers := range uploadAggregations {\n\t\tusername := transfers[0].Username\n\t\tfolderName := transfers[0].FolderName\n\t\tremaningDiskQuota, err := t.getRemainingDiskQuota(usersMap[username], folderName)\n\t\tif err != nil {\n\t\t\tcontinue\n\t\t}\n\t\tvar usedDiskQuota int64\n\t\tfor _, tr := range transfers {\n\t\t\t// We optimistically assume that a cloud transfer that replaces an existing\n\t\t\t// file will be successful\n\t\t\tusedDiskQuota += tr.CurrentULSize - tr.TruncatedSize\n\t\t}\n\t\tlogger.Debug(logSender, \"\", \"username %q, folder %q, concurrent transfers: %v, remaining disk quota (bytes): %v, disk quota used in ongoing transfers (bytes): %v\",\n\t\t\tusername, folderName, len(transfers), remaningDiskQuota, usedDiskQuota)\n\t\tif usedDiskQuota > remaningDiskQuota {\n\t\t\tfor _, tr := range transfers {\n\t\t\t\tif tr.CurrentULSize > tr.TruncatedSize {\n\t\t\t\t\toverquotaTransfers = append(overquotaTransfers, overquotaTransfer{\n\t\t\t\t\t\tConnID: tr.ConnID,\n\t\t\t\t\t\tTransferID: tr.ID,\n\t\t\t\t\t\tTransferType: tr.Type,\n\t\t\t\t\t})\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\tfor username, transfers := range userAggregations {\n\t\tvar ulSize, dlSize int64\n\t\tfor _, tr := range transfers {\n\t\t\tulSize += tr.CurrentULSize\n\t\t\tdlSize += tr.CurrentDLSize\n\t\t}\n\t\tlogger.Debug(logSender, \"\", \"username %q, concurrent transfers: %v, quota (bytes) used in ongoing transfers, ul: %v, dl: %v\",\n\t\t\tusername, len(transfers), ulSize, dlSize)\n\t\tfor _, tr := range transfers {\n\t\t\tif t.isDataTransferExceeded(usersMap[username], tr, ulSize, dlSize) {\n\t\t\t\toverquotaTransfers = append(overquotaTransfers, overquotaTransfer{\n\t\t\t\t\tConnID: tr.ConnID,\n\t\t\t\t\tTransferID: tr.ID,\n\t\t\t\t\tTransferType: tr.Type,\n\t\t\t\t})\n\t\t\t}\n\t\t}\n\t}\n\n\treturn overquotaTransfers\n}\n\ntype transfersCheckerMem struct {\n\tsync.RWMutex\n\tbaseTransferChecker\n}\n\nfunc (t *transfersCheckerMem) AddTransfer(transfer dataprovider.ActiveTransfer) {\n\tt.Lock()\n\tdefer t.Unlock()\n\n\tt.transfers = append(t.transfers, transfer)\n}\n\nfunc (t *transfersCheckerMem) RemoveTransfer(ID int64, connectionID string) {\n\tt.Lock()\n\tdefer t.Unlock()\n\n\tfor idx, transfer := range t.transfers {\n\t\tif transfer.ID == ID && transfer.ConnID == connectionID {\n\t\t\tlastIdx := len(t.transfers) - 1\n\t\t\tt.transfers[idx] = t.transfers[lastIdx]\n\t\t\tt.transfers = t.transfers[:lastIdx]\n\t\t\treturn\n\t\t}\n\t}\n}\n\nfunc (t *transfersCheckerMem) UpdateTransferCurrentSizes(ulSize, dlSize, ID int64, connectionID string) {\n\tt.Lock()\n\tdefer t.Unlock()\n\n\tfor idx := range t.transfers {\n\t\tif t.transfers[idx].ID == ID && t.transfers[idx].ConnID == connectionID {\n\t\t\tt.transfers[idx].CurrentDLSize = dlSize\n\t\t\tt.transfers[idx].CurrentULSize = ulSize\n\t\t\tt.transfers[idx].UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\t\treturn\n\t\t}\n\t}\n}\n\nfunc (t *transfersCheckerMem) GetOverquotaTransfers() []overquotaTransfer {\n\tt.RLock()\n\n\tusersToFetch, uploadAggregations := t.aggregateUploadTransfers()\n\tusersToFetch, userAggregations := t.aggregateTransfersByUser(usersToFetch)\n\n\tt.RUnlock()\n\n\treturn t.getOverquotaTransfers(usersToFetch, uploadAggregations, userAggregations)\n}\n\ntype transfersCheckerDB struct {\n\tbaseTransferChecker\n\tlastCleanup time.Time\n}\n\nfunc (t *transfersCheckerDB) AddTransfer(transfer dataprovider.ActiveTransfer) {\n\tdataprovider.AddActiveTransfer(transfer)\n}\n\nfunc (t *transfersCheckerDB) RemoveTransfer(ID int64, connectionID string) {\n\tdataprovider.RemoveActiveTransfer(ID, connectionID)\n}\n\nfunc (t *transfersCheckerDB) UpdateTransferCurrentSizes(ulSize, dlSize, ID int64, connectionID string) {\n\tdataprovider.UpdateActiveTransferSizes(ulSize, dlSize, ID, connectionID)\n}\n\nfunc (t *transfersCheckerDB) GetOverquotaTransfers() []overquotaTransfer {\n\tif t.lastCleanup.IsZero() || t.lastCleanup.Add(periodicTimeoutCheckInterval*15).Before(time.Now()) {\n\t\tbefore := time.Now().Add(-periodicTimeoutCheckInterval * 5)\n\t\terr := dataprovider.CleanupActiveTransfers(before)\n\t\tlogger.Debug(logSender, \"\", \"cleanup active transfers completed, err: %v\", err)\n\t\tif err == nil {\n\t\t\tt.lastCleanup = time.Now()\n\t\t}\n\t}\n\tvar err error\n\tfrom := time.Now().Add(-periodicTimeoutCheckInterval * 2)\n\tt.transfers, err = dataprovider.GetActiveTransfers(from)\n\tif err != nil {\n\t\tlogger.Error(logSender, \"\", \"unable to check overquota transfers, error getting active transfers: %v\", err)\n\t\treturn nil\n\t}\n\n\tusersToFetch, uploadAggregations := t.aggregateUploadTransfers()\n\tusersToFetch, userAggregations := t.aggregateTransfersByUser(usersToFetch)\n\n\treturn t.getOverquotaTransfers(usersToFetch, uploadAggregations, userAggregations)\n}\n" }, { "path": "internal/common/transferschecker_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage common\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"strconv\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/rs/xid\"\n\t\"github.com/sftpgo/sdk\"\n\t\"github.com/stretchr/testify/assert\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nfunc TestTransfersCheckerDiskQuota(t *testing.T) {\n\tusername := \"transfers_check_username\"\n\tfolderName := \"test_transfers_folder\"\n\tgroupName := \"test_transfers_group\"\n\tvdirPath := \"/vdir\"\n\tgroup := dataprovider.Group{\n\t\tBaseGroup: sdk.BaseGroup{\n\t\t\tName: groupName,\n\t\t},\n\t\tUserSettings: dataprovider.GroupUserSettings{\n\t\t\tBaseGroupUserSettings: sdk.BaseGroupUserSettings{\n\t\t\t\tQuotaSize: 120,\n\t\t\t},\n\t\t},\n\t}\n\tfolder := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: filepath.Join(os.TempDir(), folderName),\n\t}\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username,\n\t\t\tPassword: \"testpwd\",\n\t\t\tHomeDir: filepath.Join(os.TempDir(), username),\n\t\t\tStatus: 1,\n\t\t\tQuotaSize: 0, // the quota size defined for the group is used\n\t\t\tPermissions: map[string][]string{\n\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t},\n\t\t},\n\t\tVirtualFolders: []vfs.VirtualFolder{\n\t\t\t{\n\t\t\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\t\t\tName: folderName,\n\t\t\t\t},\n\t\t\t\tVirtualPath: vdirPath,\n\t\t\t\tQuotaSize: 100,\n\t\t\t},\n\t\t},\n\t\tGroups: []sdk.GroupMapping{\n\t\t\t{\n\t\t\t\tName: groupName,\n\t\t\t\tType: sdk.GroupTypePrimary,\n\t\t\t},\n\t\t},\n\t}\n\terr := dataprovider.AddGroup(&group, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tgroup, err = dataprovider.GroupExists(groupName)\n\tassert.NoError(t, err)\n\terr = dataprovider.AddFolder(&folder, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(120), group.UserSettings.QuotaSize)\n\terr = dataprovider.AddUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tuser, err = dataprovider.GetUserWithGroupSettings(username, \"\")\n\tassert.NoError(t, err)\n\n\tconnID1 := xid.New().String()\n\tfsUser, err := user.GetFilesystemForPath(\"/file1\", connID1)\n\tassert.NoError(t, err)\n\tconn1 := NewBaseConnection(connID1, ProtocolSFTP, \"\", \"\", user)\n\tfakeConn1 := &fakeConnection{\n\t\tBaseConnection: conn1,\n\t}\n\ttransfer1 := NewBaseTransfer(nil, conn1, nil, filepath.Join(user.HomeDir, \"file1\"), filepath.Join(user.HomeDir, \"file1\"),\n\t\t\"/file1\", TransferUpload, 0, 0, 120, 0, true, fsUser, dataprovider.TransferQuota{})\n\ttransfer1.BytesReceived.Store(150)\n\terr = Connections.Add(fakeConn1)\n\tassert.NoError(t, err)\n\t// the transferschecker will do nothing if there is only one ongoing transfer\n\tConnections.checkTransfers()\n\tassert.Nil(t, transfer1.errAbort)\n\n\tconnID2 := xid.New().String()\n\tconn2 := NewBaseConnection(connID2, ProtocolSFTP, \"\", \"\", user)\n\tfakeConn2 := &fakeConnection{\n\t\tBaseConnection: conn2,\n\t}\n\ttransfer2 := NewBaseTransfer(nil, conn2, nil, filepath.Join(user.HomeDir, \"file2\"), filepath.Join(user.HomeDir, \"file2\"),\n\t\t\"/file2\", TransferUpload, 0, 0, 120, 40, true, fsUser, dataprovider.TransferQuota{})\n\ttransfer1.BytesReceived.Store(50)\n\ttransfer2.BytesReceived.Store(60)\n\terr = Connections.Add(fakeConn2)\n\tassert.NoError(t, err)\n\n\tconnID3 := xid.New().String()\n\tconn3 := NewBaseConnection(connID3, ProtocolSFTP, \"\", \"\", user)\n\tfakeConn3 := &fakeConnection{\n\t\tBaseConnection: conn3,\n\t}\n\ttransfer3 := NewBaseTransfer(nil, conn3, nil, filepath.Join(user.HomeDir, \"file3\"), filepath.Join(user.HomeDir, \"file3\"),\n\t\t\"/file3\", TransferDownload, 0, 0, 120, 0, true, fsUser, dataprovider.TransferQuota{})\n\ttransfer3.BytesReceived.Store(60) // this value will be ignored, this is a download\n\terr = Connections.Add(fakeConn3)\n\tassert.NoError(t, err)\n\n\t// the transfers are not overquota\n\tConnections.checkTransfers()\n\tassert.Nil(t, transfer1.errAbort)\n\tassert.Nil(t, transfer2.errAbort)\n\tassert.Nil(t, transfer3.errAbort)\n\n\ttransfer1.BytesReceived.Store(80) // truncated size will be subtracted, we are not overquota\n\tConnections.checkTransfers()\n\tassert.Nil(t, transfer1.errAbort)\n\tassert.Nil(t, transfer2.errAbort)\n\tassert.Nil(t, transfer3.errAbort)\n\ttransfer1.BytesReceived.Store(120)\n\t// we are now overquota\n\t// if another check is in progress nothing is done\n\tConnections.transfersCheckStatus.Store(true)\n\tConnections.checkTransfers()\n\tassert.Nil(t, transfer1.errAbort)\n\tassert.Nil(t, transfer2.errAbort)\n\tassert.Nil(t, transfer3.errAbort)\n\tConnections.transfersCheckStatus.Store(false)\n\n\tConnections.checkTransfers()\n\tassert.True(t, conn1.IsQuotaExceededError(transfer1.errAbort), transfer1.errAbort)\n\tassert.True(t, conn2.IsQuotaExceededError(transfer2.errAbort), transfer2.errAbort)\n\tassert.True(t, conn1.IsQuotaExceededError(transfer1.GetAbortError()))\n\tassert.Nil(t, transfer3.errAbort)\n\tassert.True(t, conn3.IsQuotaExceededError(transfer3.GetAbortError()))\n\t// update the user quota size\n\tgroup.UserSettings.QuotaSize = 1000\n\terr = dataprovider.UpdateGroup(&group, []string{username}, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\ttransfer1.errAbort = nil\n\ttransfer2.errAbort = nil\n\tConnections.checkTransfers()\n\tassert.Nil(t, transfer1.errAbort)\n\tassert.Nil(t, transfer2.errAbort)\n\tassert.Nil(t, transfer3.errAbort)\n\n\tgroup.UserSettings.QuotaSize = 0\n\terr = dataprovider.UpdateGroup(&group, []string{username}, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tConnections.checkTransfers()\n\tassert.Nil(t, transfer1.errAbort)\n\tassert.Nil(t, transfer2.errAbort)\n\tassert.Nil(t, transfer3.errAbort)\n\t// now check a public folder\n\ttransfer1.BytesReceived.Store(0)\n\ttransfer2.BytesReceived.Store(0)\n\tconnID4 := xid.New().String()\n\tfsFolder, err := user.GetFilesystemForPath(path.Join(vdirPath, \"/file1\"), connID4)\n\tassert.NoError(t, err)\n\tconn4 := NewBaseConnection(connID4, ProtocolSFTP, \"\", \"\", user)\n\tfakeConn4 := &fakeConnection{\n\t\tBaseConnection: conn4,\n\t}\n\ttransfer4 := NewBaseTransfer(nil, conn4, nil, filepath.Join(os.TempDir(), folderName, \"file1\"),\n\t\tfilepath.Join(os.TempDir(), folderName, \"file1\"), path.Join(vdirPath, \"/file1\"), TransferUpload, 0, 0,\n\t\t100, 0, true, fsFolder, dataprovider.TransferQuota{})\n\terr = Connections.Add(fakeConn4)\n\tassert.NoError(t, err)\n\tconnID5 := xid.New().String()\n\tconn5 := NewBaseConnection(connID5, ProtocolSFTP, \"\", \"\", user)\n\tfakeConn5 := &fakeConnection{\n\t\tBaseConnection: conn5,\n\t}\n\ttransfer5 := NewBaseTransfer(nil, conn5, nil, filepath.Join(os.TempDir(), folderName, \"file2\"),\n\t\tfilepath.Join(os.TempDir(), folderName, \"file2\"), path.Join(vdirPath, \"/file2\"), TransferUpload, 0, 0,\n\t\t100, 0, true, fsFolder, dataprovider.TransferQuota{})\n\n\terr = Connections.Add(fakeConn5)\n\tassert.NoError(t, err)\n\ttransfer4.BytesReceived.Store(50)\n\ttransfer5.BytesReceived.Store(40)\n\tConnections.checkTransfers()\n\tassert.Nil(t, transfer4.errAbort)\n\tassert.Nil(t, transfer5.errAbort)\n\ttransfer5.BytesReceived.Store(60)\n\tConnections.checkTransfers()\n\tassert.Nil(t, transfer1.errAbort)\n\tassert.Nil(t, transfer2.errAbort)\n\tassert.Nil(t, transfer3.errAbort)\n\tassert.True(t, conn1.IsQuotaExceededError(transfer4.errAbort))\n\tassert.True(t, conn2.IsQuotaExceededError(transfer5.errAbort))\n\n\tif dataprovider.GetProviderStatus().Driver != dataprovider.MemoryDataProviderName {\n\t\tproviderConf := dataprovider.GetProviderConfig()\n\t\terr = dataprovider.Close()\n\t\tassert.NoError(t, err)\n\n\t\ttransfer4.errAbort = nil\n\t\ttransfer5.errAbort = nil\n\t\tConnections.checkTransfers()\n\t\tassert.Nil(t, transfer1.errAbort)\n\t\tassert.Nil(t, transfer2.errAbort)\n\t\tassert.Nil(t, transfer3.errAbort)\n\t\tassert.Nil(t, transfer4.errAbort)\n\t\tassert.Nil(t, transfer5.errAbort)\n\n\t\terr = dataprovider.Initialize(providerConf, configDir, true)\n\t\tassert.NoError(t, err)\n\t}\n\n\terr = transfer1.Close()\n\tassert.NoError(t, err)\n\terr = transfer2.Close()\n\tassert.NoError(t, err)\n\terr = transfer3.Close()\n\tassert.NoError(t, err)\n\terr = transfer4.Close()\n\tassert.NoError(t, err)\n\terr = transfer5.Close()\n\tassert.NoError(t, err)\n\n\tConnections.Remove(fakeConn1.GetID())\n\tConnections.Remove(fakeConn2.GetID())\n\tConnections.Remove(fakeConn3.GetID())\n\tConnections.Remove(fakeConn4.GetID())\n\tConnections.Remove(fakeConn5.GetID())\n\tstats := Connections.GetStats(\"\")\n\tassert.Len(t, stats, 0)\n\tassert.Equal(t, int32(0), Connections.GetTotalTransfers())\n\n\terr = dataprovider.DeleteUser(user.Username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\terr = dataprovider.DeleteFolder(folderName, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(filepath.Join(os.TempDir(), folderName))\n\tassert.NoError(t, err)\n\terr = dataprovider.DeleteGroup(groupName, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n}\n\nfunc TestTransferCheckerTransferQuota(t *testing.T) {\n\tusername := \"transfers_check_username\"\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username,\n\t\t\tPassword: \"test_pwd\",\n\t\t\tHomeDir: filepath.Join(os.TempDir(), username),\n\t\t\tStatus: 1,\n\t\t\tTotalDataTransfer: 1,\n\t\t\tPermissions: map[string][]string{\n\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t},\n\t\t},\n\t}\n\terr := dataprovider.AddUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tconnID1 := xid.New().String()\n\tfsUser, err := user.GetFilesystemForPath(\"/file1\", connID1)\n\tassert.NoError(t, err)\n\tconn1 := NewBaseConnection(connID1, ProtocolSFTP, \"\", \"192.168.1.1\", user)\n\tfakeConn1 := &fakeConnection{\n\t\tBaseConnection: conn1,\n\t}\n\ttransfer1 := NewBaseTransfer(nil, conn1, nil, filepath.Join(user.HomeDir, \"file1\"), filepath.Join(user.HomeDir, \"file1\"),\n\t\t\"/file1\", TransferUpload, 0, 0, 0, 0, true, fsUser, dataprovider.TransferQuota{AllowedTotalSize: 100})\n\ttransfer1.BytesReceived.Store(150)\n\terr = Connections.Add(fakeConn1)\n\tassert.NoError(t, err)\n\t// the transferschecker will do nothing if there is only one ongoing transfer\n\tConnections.checkTransfers()\n\tassert.Nil(t, transfer1.errAbort)\n\n\tconnID2 := xid.New().String()\n\tconn2 := NewBaseConnection(connID2, ProtocolSFTP, \"\", \"127.0.0.1\", user)\n\tfakeConn2 := &fakeConnection{\n\t\tBaseConnection: conn2,\n\t}\n\ttransfer2 := NewBaseTransfer(nil, conn2, nil, filepath.Join(user.HomeDir, \"file2\"), filepath.Join(user.HomeDir, \"file2\"),\n\t\t\"/file2\", TransferUpload, 0, 0, 0, 0, true, fsUser, dataprovider.TransferQuota{AllowedTotalSize: 100})\n\ttransfer2.BytesReceived.Store(150)\n\terr = Connections.Add(fakeConn2)\n\tassert.NoError(t, err)\n\tConnections.checkTransfers()\n\tassert.Nil(t, transfer1.errAbort)\n\tassert.Nil(t, transfer2.errAbort)\n\t// now test overquota\n\ttransfer1.BytesReceived.Store(1024*1024 + 1)\n\ttransfer2.BytesReceived.Store(0)\n\tConnections.checkTransfers()\n\tassert.True(t, conn1.IsQuotaExceededError(transfer1.errAbort), transfer1.errAbort)\n\tassert.Nil(t, transfer2.errAbort)\n\ttransfer1.errAbort = nil\n\ttransfer1.BytesReceived.Store(1024*1024 + 1)\n\ttransfer2.BytesReceived.Store(1024)\n\tConnections.checkTransfers()\n\tassert.True(t, conn1.IsQuotaExceededError(transfer1.errAbort))\n\tassert.True(t, conn2.IsQuotaExceededError(transfer2.errAbort))\n\ttransfer1.BytesReceived.Store(0)\n\ttransfer2.BytesReceived.Store(0)\n\ttransfer1.errAbort = nil\n\ttransfer2.errAbort = nil\n\n\terr = transfer1.Close()\n\tassert.NoError(t, err)\n\terr = transfer2.Close()\n\tassert.NoError(t, err)\n\tConnections.Remove(fakeConn1.GetID())\n\tConnections.Remove(fakeConn2.GetID())\n\n\tconnID3 := xid.New().String()\n\tconn3 := NewBaseConnection(connID3, ProtocolSFTP, \"\", \"\", user)\n\tfakeConn3 := &fakeConnection{\n\t\tBaseConnection: conn3,\n\t}\n\ttransfer3 := NewBaseTransfer(nil, conn3, nil, filepath.Join(user.HomeDir, \"file1\"), filepath.Join(user.HomeDir, \"file1\"),\n\t\t\"/file1\", TransferDownload, 0, 0, 0, 0, true, fsUser, dataprovider.TransferQuota{AllowedDLSize: 100})\n\ttransfer3.BytesSent.Store(150)\n\terr = Connections.Add(fakeConn3)\n\tassert.NoError(t, err)\n\n\tconnID4 := xid.New().String()\n\tconn4 := NewBaseConnection(connID4, ProtocolSFTP, \"\", \"\", user)\n\tfakeConn4 := &fakeConnection{\n\t\tBaseConnection: conn4,\n\t}\n\ttransfer4 := NewBaseTransfer(nil, conn4, nil, filepath.Join(user.HomeDir, \"file2\"), filepath.Join(user.HomeDir, \"file2\"),\n\t\t\"/file2\", TransferDownload, 0, 0, 0, 0, true, fsUser, dataprovider.TransferQuota{AllowedDLSize: 100})\n\ttransfer4.BytesSent.Store(150)\n\terr = Connections.Add(fakeConn4)\n\tassert.NoError(t, err)\n\tConnections.checkTransfers()\n\tassert.Nil(t, transfer3.errAbort)\n\tassert.Nil(t, transfer4.errAbort)\n\n\ttransfer3.BytesSent.Store(512 * 1024)\n\ttransfer4.BytesSent.Store(512*1024 + 1)\n\tConnections.checkTransfers()\n\tif assert.Error(t, transfer3.errAbort) {\n\t\tassert.Contains(t, transfer3.errAbort.Error(), ErrReadQuotaExceeded.Error())\n\t}\n\tif assert.Error(t, transfer4.errAbort) {\n\t\tassert.Contains(t, transfer4.errAbort.Error(), ErrReadQuotaExceeded.Error())\n\t}\n\terr = transfer3.Close()\n\tassert.NoError(t, err)\n\terr = transfer4.Close()\n\tassert.NoError(t, err)\n\n\tConnections.Remove(fakeConn3.GetID())\n\tConnections.Remove(fakeConn4.GetID())\n\tstats := Connections.GetStats(\"\")\n\tassert.Len(t, stats, 0)\n\tassert.Equal(t, int32(0), Connections.GetTotalTransfers())\n\n\terr = dataprovider.DeleteUser(user.Username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestAggregateTransfers(t *testing.T) {\n\tchecker := transfersCheckerMem{}\n\tchecker.AddTransfer(dataprovider.ActiveTransfer{\n\t\tID: 1,\n\t\tType: TransferUpload,\n\t\tConnID: \"1\",\n\t\tUsername: \"user\",\n\t\tFolderName: \"\",\n\t\tTruncatedSize: 0,\n\t\tCurrentULSize: 100,\n\t\tCurrentDLSize: 0,\n\t\tCreatedAt: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\tUpdatedAt: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t})\n\tusersToFetch, aggregations := checker.aggregateUploadTransfers()\n\tassert.Len(t, usersToFetch, 0)\n\tassert.Len(t, aggregations, 1)\n\n\tchecker.AddTransfer(dataprovider.ActiveTransfer{\n\t\tID: 1,\n\t\tType: TransferDownload,\n\t\tConnID: \"2\",\n\t\tUsername: \"user\",\n\t\tFolderName: \"\",\n\t\tTruncatedSize: 0,\n\t\tCurrentULSize: 0,\n\t\tCurrentDLSize: 100,\n\t\tCreatedAt: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\tUpdatedAt: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t})\n\n\tusersToFetch, aggregations = checker.aggregateUploadTransfers()\n\tassert.Len(t, usersToFetch, 0)\n\tassert.Len(t, aggregations, 1)\n\n\tchecker.AddTransfer(dataprovider.ActiveTransfer{\n\t\tID: 1,\n\t\tType: TransferUpload,\n\t\tConnID: \"3\",\n\t\tUsername: \"user\",\n\t\tFolderName: \"folder\",\n\t\tTruncatedSize: 0,\n\t\tCurrentULSize: 10,\n\t\tCurrentDLSize: 0,\n\t\tCreatedAt: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\tUpdatedAt: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t})\n\n\tusersToFetch, aggregations = checker.aggregateUploadTransfers()\n\tassert.Len(t, usersToFetch, 0)\n\tassert.Len(t, aggregations, 2)\n\n\tchecker.AddTransfer(dataprovider.ActiveTransfer{\n\t\tID: 1,\n\t\tType: TransferUpload,\n\t\tConnID: \"4\",\n\t\tUsername: \"user1\",\n\t\tFolderName: \"\",\n\t\tTruncatedSize: 0,\n\t\tCurrentULSize: 100,\n\t\tCurrentDLSize: 0,\n\t\tCreatedAt: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\tUpdatedAt: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t})\n\n\tusersToFetch, aggregations = checker.aggregateUploadTransfers()\n\tassert.Len(t, usersToFetch, 0)\n\tassert.Len(t, aggregations, 3)\n\n\tchecker.AddTransfer(dataprovider.ActiveTransfer{\n\t\tID: 1,\n\t\tType: TransferUpload,\n\t\tConnID: \"5\",\n\t\tUsername: \"user\",\n\t\tFolderName: \"\",\n\t\tTruncatedSize: 0,\n\t\tCurrentULSize: 100,\n\t\tCurrentDLSize: 0,\n\t\tCreatedAt: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\tUpdatedAt: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t})\n\n\tusersToFetch, aggregations = checker.aggregateUploadTransfers()\n\tassert.Len(t, usersToFetch, 1)\n\tval, ok := usersToFetch[\"user\"]\n\tassert.True(t, ok)\n\tassert.False(t, val)\n\tassert.Len(t, aggregations, 3)\n\taggregate, ok := aggregations[0]\n\tassert.True(t, ok)\n\tassert.Len(t, aggregate, 2)\n\n\tchecker.AddTransfer(dataprovider.ActiveTransfer{\n\t\tID: 1,\n\t\tType: TransferUpload,\n\t\tConnID: \"6\",\n\t\tUsername: \"user\",\n\t\tFolderName: \"\",\n\t\tTruncatedSize: 0,\n\t\tCurrentULSize: 100,\n\t\tCurrentDLSize: 0,\n\t\tCreatedAt: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\tUpdatedAt: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t})\n\n\tusersToFetch, aggregations = checker.aggregateUploadTransfers()\n\tassert.Len(t, usersToFetch, 1)\n\tval, ok = usersToFetch[\"user\"]\n\tassert.True(t, ok)\n\tassert.False(t, val)\n\tassert.Len(t, aggregations, 3)\n\taggregate, ok = aggregations[0]\n\tassert.True(t, ok)\n\tassert.Len(t, aggregate, 3)\n\n\tchecker.AddTransfer(dataprovider.ActiveTransfer{\n\t\tID: 1,\n\t\tType: TransferUpload,\n\t\tConnID: \"7\",\n\t\tUsername: \"user\",\n\t\tFolderName: \"folder\",\n\t\tTruncatedSize: 0,\n\t\tCurrentULSize: 10,\n\t\tCurrentDLSize: 0,\n\t\tCreatedAt: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\tUpdatedAt: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t})\n\n\tusersToFetch, aggregations = checker.aggregateUploadTransfers()\n\tassert.Len(t, usersToFetch, 1)\n\tval, ok = usersToFetch[\"user\"]\n\tassert.True(t, ok)\n\tassert.True(t, val)\n\tassert.Len(t, aggregations, 3)\n\taggregate, ok = aggregations[0]\n\tassert.True(t, ok)\n\tassert.Len(t, aggregate, 3)\n\taggregate, ok = aggregations[1]\n\tassert.True(t, ok)\n\tassert.Len(t, aggregate, 2)\n\n\tchecker.AddTransfer(dataprovider.ActiveTransfer{\n\t\tID: 1,\n\t\tType: TransferUpload,\n\t\tConnID: \"8\",\n\t\tUsername: \"user\",\n\t\tFolderName: \"\",\n\t\tTruncatedSize: 0,\n\t\tCurrentULSize: 100,\n\t\tCurrentDLSize: 0,\n\t\tCreatedAt: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\tUpdatedAt: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t})\n\n\tusersToFetch, aggregations = checker.aggregateUploadTransfers()\n\tassert.Len(t, usersToFetch, 1)\n\tval, ok = usersToFetch[\"user\"]\n\tassert.True(t, ok)\n\tassert.True(t, val)\n\tassert.Len(t, aggregations, 3)\n\taggregate, ok = aggregations[0]\n\tassert.True(t, ok)\n\tassert.Len(t, aggregate, 4)\n\taggregate, ok = aggregations[1]\n\tassert.True(t, ok)\n\tassert.Len(t, aggregate, 2)\n}\n\nfunc TestDataTransferExceeded(t *testing.T) {\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tTotalDataTransfer: 1,\n\t\t},\n\t}\n\ttransfer := dataprovider.ActiveTransfer{\n\t\tCurrentULSize: 0,\n\t\tCurrentDLSize: 0,\n\t}\n\tuser.UsedDownloadDataTransfer = 1024 * 1024\n\tuser.UsedUploadDataTransfer = 512 * 1024\n\tchecker := transfersCheckerMem{}\n\tres := checker.isDataTransferExceeded(user, transfer, 100, 100)\n\tassert.False(t, res)\n\ttransfer.CurrentULSize = 1\n\tres = checker.isDataTransferExceeded(user, transfer, 100, 100)\n\tassert.True(t, res)\n\tuser.UsedDownloadDataTransfer = 512*1024 - 100\n\tuser.UsedUploadDataTransfer = 512*1024 - 100\n\tres = checker.isDataTransferExceeded(user, transfer, 100, 100)\n\tassert.False(t, res)\n\tres = checker.isDataTransferExceeded(user, transfer, 101, 100)\n\tassert.True(t, res)\n\n\tuser.TotalDataTransfer = 0\n\tuser.DownloadDataTransfer = 1\n\tuser.UsedDownloadDataTransfer = 512 * 1024\n\ttransfer.CurrentULSize = 0\n\ttransfer.CurrentDLSize = 100\n\tres = checker.isDataTransferExceeded(user, transfer, 0, 512*1024)\n\tassert.False(t, res)\n\tres = checker.isDataTransferExceeded(user, transfer, 0, 512*1024+1)\n\tassert.True(t, res)\n\n\tuser.DownloadDataTransfer = 0\n\tuser.UploadDataTransfer = 1\n\tuser.UsedUploadDataTransfer = 512 * 1024\n\ttransfer.CurrentULSize = 0\n\ttransfer.CurrentDLSize = 0\n\tres = checker.isDataTransferExceeded(user, transfer, 512*1024+1, 0)\n\tassert.False(t, res)\n\ttransfer.CurrentULSize = 1\n\tres = checker.isDataTransferExceeded(user, transfer, 512*1024+1, 0)\n\tassert.True(t, res)\n}\n\nfunc TestGetUsersForQuotaCheck(t *testing.T) {\n\tusersToFetch := make(map[string]bool)\n\tfor i := 0; i < 70; i++ {\n\t\tusersToFetch[fmt.Sprintf(\"user%v\", i)] = i%2 == 0\n\t}\n\n\tusers, err := dataprovider.GetUsersForQuotaCheck(usersToFetch)\n\tassert.NoError(t, err)\n\tassert.Len(t, users, 0)\n\n\tfor i := 0; i < 60; i++ {\n\t\tfolder := vfs.BaseVirtualFolder{\n\t\t\tName: fmt.Sprintf(\"f%v\", i),\n\t\t\tMappedPath: filepath.Join(os.TempDir(), fmt.Sprintf(\"f%v\", i)),\n\t\t}\n\t\tuser := dataprovider.User{\n\t\t\tBaseUser: sdk.BaseUser{\n\t\t\t\tUsername: fmt.Sprintf(\"user%v\", i),\n\t\t\t\tPassword: \"pwd\",\n\t\t\t\tHomeDir: filepath.Join(os.TempDir(), fmt.Sprintf(\"user%v\", i)),\n\t\t\t\tStatus: 1,\n\t\t\t\tQuotaSize: 120,\n\t\t\t\tPermissions: map[string][]string{\n\t\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t\t},\n\t\t\t},\n\t\t\tVirtualFolders: []vfs.VirtualFolder{\n\t\t\t\t{\n\t\t\t\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\t\t\t\tName: folder.Name,\n\t\t\t\t\t},\n\t\t\t\t\tVirtualPath: \"/vfolder\",\n\t\t\t\t\tQuotaSize: 100,\n\t\t\t\t},\n\t\t\t},\n\t\t}\n\t\terr = dataprovider.AddFolder(&folder, \"\", \"\", \"\")\n\t\tassert.NoError(t, err)\n\t\terr = dataprovider.AddUser(&user, \"\", \"\", \"\")\n\t\tassert.NoError(t, err)\n\t\terr = dataprovider.UpdateVirtualFolderQuota(&vfs.BaseVirtualFolder{Name: fmt.Sprintf(\"f%v\", i)}, 1, 50, false)\n\t\tassert.NoError(t, err)\n\t}\n\n\tusers, err = dataprovider.GetUsersForQuotaCheck(usersToFetch)\n\tassert.NoError(t, err)\n\tassert.Len(t, users, 60)\n\n\tfor _, user := range users {\n\t\tuserIdxStr := strings.Replace(user.Username, \"user\", \"\", 1)\n\t\tuserIdx, err := strconv.Atoi(userIdxStr)\n\t\tassert.NoError(t, err)\n\t\tif userIdx%2 == 0 {\n\t\t\tif assert.Len(t, user.VirtualFolders, 1, user.Username) {\n\t\t\t\tassert.Equal(t, int64(100), user.VirtualFolders[0].QuotaSize)\n\t\t\t\tassert.Equal(t, int64(50), user.VirtualFolders[0].UsedQuotaSize)\n\t\t\t}\n\t\t} else {\n\t\t\tswitch dataprovider.GetProviderStatus().Driver {\n\t\t\tcase dataprovider.MySQLDataProviderName, dataprovider.PGSQLDataProviderName,\n\t\t\t\tdataprovider.CockroachDataProviderName, dataprovider.SQLiteDataProviderName:\n\t\t\t\tassert.Len(t, user.VirtualFolders, 0, user.Username)\n\t\t\t}\n\t\t}\n\t\tul, dl, total := user.GetDataTransferLimits()\n\t\tassert.Equal(t, int64(0), ul)\n\t\tassert.Equal(t, int64(0), dl)\n\t\tassert.Equal(t, int64(0), total)\n\t}\n\n\tfor i := 0; i < 60; i++ {\n\t\terr = dataprovider.DeleteUser(fmt.Sprintf(\"user%v\", i), \"\", \"\", \"\")\n\t\tassert.NoError(t, err)\n\t\terr = dataprovider.DeleteFolder(fmt.Sprintf(\"f%v\", i), \"\", \"\", \"\")\n\t\tassert.NoError(t, err)\n\t}\n\n\tusers, err = dataprovider.GetUsersForQuotaCheck(usersToFetch)\n\tassert.NoError(t, err)\n\tassert.Len(t, users, 0)\n}\n\nfunc TestDBTransferChecker(t *testing.T) {\n\tif !isDbTransferCheckerSupported() {\n\t\tt.Skip(\"this test is not supported with the current database provider\")\n\t}\n\tproviderConf := dataprovider.GetProviderConfig()\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\tproviderConf.IsShared = 1\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\tc := getTransfersChecker(1)\n\tchecker, ok := c.(*transfersCheckerDB)\n\tassert.True(t, ok)\n\tassert.True(t, checker.lastCleanup.IsZero())\n\ttransfer1 := dataprovider.ActiveTransfer{\n\t\tID: 1,\n\t\tType: TransferDownload,\n\t\tConnID: xid.New().String(),\n\t\tUsername: \"user1\",\n\t\tFolderName: \"folder1\",\n\t\tIP: \"127.0.0.1\",\n\t}\n\tchecker.AddTransfer(transfer1)\n\ttransfers, err := dataprovider.GetActiveTransfers(time.Now().Add(24 * time.Hour))\n\tassert.NoError(t, err)\n\tassert.Len(t, transfers, 0)\n\ttransfers, err = dataprovider.GetActiveTransfers(time.Now().Add(-periodicTimeoutCheckInterval * 2))\n\tassert.NoError(t, err)\n\tvar createdAt, updatedAt int64\n\tif assert.Len(t, transfers, 1) {\n\t\ttransfer := transfers[0]\n\t\tassert.Equal(t, transfer1.ID, transfer.ID)\n\t\tassert.Equal(t, transfer1.Type, transfer.Type)\n\t\tassert.Equal(t, transfer1.ConnID, transfer.ConnID)\n\t\tassert.Equal(t, transfer1.Username, transfer.Username)\n\t\tassert.Equal(t, transfer1.IP, transfer.IP)\n\t\tassert.Equal(t, transfer1.FolderName, transfer.FolderName)\n\t\tassert.Greater(t, transfer.CreatedAt, int64(0))\n\t\tassert.Greater(t, transfer.UpdatedAt, int64(0))\n\t\tassert.Equal(t, int64(0), transfer.CurrentDLSize)\n\t\tassert.Equal(t, int64(0), transfer.CurrentULSize)\n\t\tcreatedAt = transfer.CreatedAt\n\t\tupdatedAt = transfer.UpdatedAt\n\t}\n\ttime.Sleep(100 * time.Millisecond)\n\tchecker.UpdateTransferCurrentSizes(100, 150, transfer1.ID, transfer1.ConnID)\n\ttransfers, err = dataprovider.GetActiveTransfers(time.Now().Add(-periodicTimeoutCheckInterval * 2))\n\tassert.NoError(t, err)\n\tif assert.Len(t, transfers, 1) {\n\t\ttransfer := transfers[0]\n\t\tassert.Equal(t, int64(150), transfer.CurrentDLSize)\n\t\tassert.Equal(t, int64(100), transfer.CurrentULSize)\n\t\tassert.Equal(t, createdAt, transfer.CreatedAt)\n\t\tassert.Greater(t, transfer.UpdatedAt, updatedAt)\n\t}\n\tres := checker.GetOverquotaTransfers()\n\tassert.Len(t, res, 0)\n\n\tchecker.RemoveTransfer(transfer1.ID, transfer1.ConnID)\n\ttransfers, err = dataprovider.GetActiveTransfers(time.Now().Add(-periodicTimeoutCheckInterval * 2))\n\tassert.NoError(t, err)\n\tassert.Len(t, transfers, 0)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\tres = checker.GetOverquotaTransfers()\n\tassert.Len(t, res, 0)\n\tproviderConf.IsShared = 0\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n}\n\nfunc isDbTransferCheckerSupported() bool {\n\t// SQLite shares the implementation with other SQL-based provider but it makes no sense\n\t// to use it outside test cases\n\tswitch dataprovider.GetProviderStatus().Driver {\n\tcase dataprovider.MySQLDataProviderName, dataprovider.PGSQLDataProviderName,\n\t\tdataprovider.CockroachDataProviderName, dataprovider.SQLiteDataProviderName:\n\t\treturn true\n\tdefault:\n\t\treturn false\n\t}\n}\n" }, { "path": "internal/config/config.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n// Package config manages the configuration\npackage config\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"slices\"\n\t\"strconv\"\n\t\"strings\"\n\n\tkmsplugin \"github.com/sftpgo/sdk/plugin/kms\"\n\t\"github.com/spf13/viper\"\n\t\"github.com/subosito/gotenv\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/acme\"\n\t\"github.com/drakkan/sftpgo/v2/internal/command\"\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/ftpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpclient\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/mfa\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n\t\"github.com/drakkan/sftpgo/v2/internal/sftpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/smtp\"\n\t\"github.com/drakkan/sftpgo/v2/internal/telemetry\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/webdavd\"\n)\n\nconst (\n\tlogSender = \"config\"\n\t// configName defines the name for config file.\n\t// This name does not include the extension, viper will search for files\n\t// with supported extensions such as \"sftpgo.json\", \"sftpgo.yaml\" and so on\n\tconfigName = \"sftpgo\"\n\t// ConfigEnvPrefix defines a prefix that environment variables will use\n\tconfigEnvPrefix = \"sftpgo\"\n\tenvFileMaxSize = 1048576\n)\n\nvar (\n\tglobalConf globalConfig\n\tdefaultInstallCodeHint = \"Installation code\"\n\tdefaultSFTPDBinding = sftpd.Binding{\n\t\tAddress: \"\",\n\t\tPort: 2022,\n\t\tApplyProxyConfig: true,\n\t}\n\tdefaultFTPDBinding = ftpd.Binding{\n\t\tAddress: \"\",\n\t\tPort: 0,\n\t\tApplyProxyConfig: true,\n\t\tTLSMode: 0,\n\t\tCertificateFile: \"\",\n\t\tCertificateKeyFile: \"\",\n\t\tMinTLSVersion: 12,\n\t\tForcePassiveIP: \"\",\n\t\tPassiveIPOverrides: nil,\n\t\tPassiveHost: \"\",\n\t\tClientAuthType: 0,\n\t\tTLSCipherSuites: nil,\n\t\tPassiveConnectionsSecurity: 0,\n\t\tActiveConnectionsSecurity: 0,\n\t\tDebug: false,\n\t}\n\tdefaultWebDAVDBinding = webdavd.Binding{\n\t\tAddress: \"\",\n\t\tPort: 0,\n\t\tEnableHTTPS: false,\n\t\tCertificateFile: \"\",\n\t\tCertificateKeyFile: \"\",\n\t\tMinTLSVersion: 12,\n\t\tClientAuthType: 0,\n\t\tTLSCipherSuites: nil,\n\t\tProtocols: nil,\n\t\tPrefix: \"\",\n\t\tProxyMode: 0,\n\t\tProxyAllowed: nil,\n\t\tClientIPProxyHeader: \"\",\n\t\tClientIPHeaderDepth: 0,\n\t\tDisableWWWAuthHeader: false,\n\t}\n\tdefaultHTTPDBinding = httpd.Binding{\n\t\tAddress: \"\",\n\t\tPort: 8080,\n\t\tEnableWebAdmin: true,\n\t\tEnableWebClient: true,\n\t\tEnableRESTAPI: true,\n\t\tEnabledLoginMethods: 0,\n\t\tDisabledLoginMethods: 0,\n\t\tEnableHTTPS: false,\n\t\tCertificateFile: \"\",\n\t\tCertificateKeyFile: \"\",\n\t\tMinTLSVersion: 12,\n\t\tClientAuthType: 0,\n\t\tTLSCipherSuites: nil,\n\t\tProtocols: nil,\n\t\tProxyMode: 0,\n\t\tProxyAllowed: nil,\n\t\tClientIPProxyHeader: \"\",\n\t\tClientIPHeaderDepth: 0,\n\t\tHideLoginURL: 0,\n\t\tRenderOpenAPI: true,\n\t\tBaseURL: \"\",\n\t\tLanguages: []string{\"en\"},\n\t\tOIDC: httpd.OIDC{\n\t\t\tClientID: \"\",\n\t\t\tClientSecret: \"\",\n\t\t\tClientSecretFile: \"\",\n\t\t\tConfigURL: \"\",\n\t\t\tRedirectBaseURL: \"\",\n\t\t\tUsernameField: \"\",\n\t\t\tRoleField: \"\",\n\t\t\tImplicitRoles: false,\n\t\t\tScopes: []string{\"openid\", \"profile\", \"email\"},\n\t\t\tCustomFields: []string{},\n\t\t\tInsecureSkipSignatureCheck: false,\n\t\t\tDebug: false,\n\t\t},\n\t\tSecurity: httpd.SecurityConf{\n\t\t\tEnabled: false,\n\t\t\tAllowedHosts: nil,\n\t\t\tAllowedHostsAreRegex: false,\n\t\t\tHostsProxyHeaders: nil,\n\t\t\tHTTPSRedirect: false,\n\t\t\tHTTPSHost: \"\",\n\t\t\tHTTPSProxyHeaders: nil,\n\t\t\tSTSSeconds: 0,\n\t\t\tSTSIncludeSubdomains: false,\n\t\t\tSTSPreload: false,\n\t\t\tContentTypeNosniff: false,\n\t\t\tContentSecurityPolicy: \"\",\n\t\t\tPermissionsPolicy: \"\",\n\t\t\tCrossOriginOpenerPolicy: \"\",\n\t\t\tCrossOriginResourcePolicy: \"\",\n\t\t\tCrossOriginEmbedderPolicy: \"\",\n\t\t\tCacheControl: \"\",\n\t\t},\n\t\tBranding: httpd.Branding{},\n\t}\n\tdefaultRateLimiter = common.RateLimiterConfig{\n\t\tAverage: 0,\n\t\tPeriod: 1000,\n\t\tBurst: 1,\n\t\tType: 2,\n\t\tProtocols: []string{common.ProtocolSSH, common.ProtocolFTP, common.ProtocolWebDAV, common.ProtocolHTTP},\n\t\tGenerateDefenderEvents: false,\n\t\tEntriesSoftLimit: 100,\n\t\tEntriesHardLimit: 150,\n\t}\n\tdefaultTOTP = mfa.TOTPConfig{\n\t\tName: \"Default\",\n\t\tIssuer: \"SFTPGo\",\n\t\tAlgo: mfa.TOTPAlgoSHA1,\n\t}\n)\n\ntype globalConfig struct {\n\tCommon common.Configuration `json:\"common\" mapstructure:\"common\"`\n\tACME acme.Configuration `json:\"acme\" mapstructure:\"acme\"`\n\tSFTPD sftpd.Configuration `json:\"sftpd\" mapstructure:\"sftpd\"`\n\tFTPD ftpd.Configuration `json:\"ftpd\" mapstructure:\"ftpd\"`\n\tWebDAVD webdavd.Configuration `json:\"webdavd\" mapstructure:\"webdavd\"`\n\tProviderConf dataprovider.Config `json:\"data_provider\" mapstructure:\"data_provider\"`\n\tHTTPDConfig httpd.Conf `json:\"httpd\" mapstructure:\"httpd\"`\n\tHTTPConfig httpclient.Config `json:\"http\" mapstructure:\"http\"`\n\tCommandConfig command.Config `json:\"command\" mapstructure:\"command\"`\n\tKMSConfig kms.Configuration `json:\"kms\" mapstructure:\"kms\"`\n\tMFAConfig mfa.Config `json:\"mfa\" mapstructure:\"mfa\"`\n\tTelemetryConfig telemetry.Conf `json:\"telemetry\" mapstructure:\"telemetry\"`\n\tPluginsConfig []plugin.Config `json:\"plugins\" mapstructure:\"plugins\"`\n\tSMTPConfig smtp.Config `json:\"smtp\" mapstructure:\"smtp\"`\n}\n\nfunc init() {\n\tInit()\n}\n\n// Init initializes the global configuration.\n// It is not supposed to be called outside of this package.\n// It is exported to minimize refactoring efforts. Will eventually disappear.\nfunc Init() {\n\t// create a default configuration to use if no config file is provided\n\tglobalConf = globalConfig{\n\t\tCommon: common.Configuration{\n\t\t\tIdleTimeout: 15,\n\t\t\tUploadMode: 0,\n\t\t\tActions: common.ProtocolActions{\n\t\t\t\tExecuteOn: []string{},\n\t\t\t\tExecuteSync: []string{},\n\t\t\t\tHook: \"\",\n\t\t\t},\n\t\t\tSetstatMode: 0,\n\t\t\tRenameMode: 0,\n\t\t\tResumeMaxSize: 0,\n\t\t\tTempPath: \"\",\n\t\t\tProxyProtocol: 0,\n\t\t\tProxyAllowed: []string{},\n\t\t\tProxySkipped: []string{},\n\t\t\tPostConnectHook: \"\",\n\t\t\tPostDisconnectHook: \"\",\n\t\t\tMaxTotalConnections: 0,\n\t\t\tMaxPerHostConnections: 20,\n\t\t\tAllowListStatus: 0,\n\t\t\tAllowSelfConnections: 0,\n\t\t\tDefenderConfig: common.DefenderConfig{\n\t\t\t\tEnabled: false,\n\t\t\t\tDriver: common.DefenderDriverMemory,\n\t\t\t\tBanTime: 30,\n\t\t\t\tBanTimeIncrement: 50,\n\t\t\t\tThreshold: 15,\n\t\t\t\tScoreInvalid: 2,\n\t\t\t\tScoreValid: 1,\n\t\t\t\tScoreLimitExceeded: 3,\n\t\t\t\tScoreNoAuth: 0,\n\t\t\t\tObservationTime: 30,\n\t\t\t\tEntriesSoftLimit: 100,\n\t\t\t\tEntriesHardLimit: 150,\n\t\t\t\tLoginDelay: common.LoginDelay{\n\t\t\t\t\tSuccess: 0,\n\t\t\t\t\tPasswordFailed: 1000,\n\t\t\t\t},\n\t\t\t},\n\t\t\tRateLimitersConfig: []common.RateLimiterConfig{defaultRateLimiter},\n\t\t\tUmask: \"\",\n\t\t\tServerVersion: \"\",\n\t\t\tTZ: \"\",\n\t\t\tMetadata: common.MetadataConfig{\n\t\t\t\tRead: 0,\n\t\t\t},\n\t\t\tEventManager: common.EventManagerConfig{\n\t\t\t\tEnabledCommands: []string{},\n\t\t\t},\n\t\t},\n\t\tACME: acme.Configuration{\n\t\t\tEmail: \"\",\n\t\t\tKeyType: \"4096\",\n\t\t\tCertsPath: \"certs\",\n\t\t\tCAEndpoint: \"https://acme-v02.api.letsencrypt.org/directory\",\n\t\t\tDomains: []string{},\n\t\t\tRenewDays: 30,\n\t\t\tHTTP01Challenge: acme.HTTP01Challenge{\n\t\t\t\tPort: 80,\n\t\t\t\tWebRoot: \"\",\n\t\t\t\tProxyHeader: \"\",\n\t\t\t},\n\t\t\tTLSALPN01Challenge: acme.TLSALPN01Challenge{\n\t\t\t\tPort: 0,\n\t\t\t},\n\t\t},\n\t\tSFTPD: sftpd.Configuration{\n\t\t\tBindings: []sftpd.Binding{defaultSFTPDBinding},\n\t\t\tMaxAuthTries: 0,\n\t\t\tHostKeys: []string{},\n\t\t\tHostCertificates: []string{},\n\t\t\tHostKeyAlgorithms: []string{},\n\t\t\tKexAlgorithms: []string{},\n\t\t\tCiphers: []string{},\n\t\t\tMACs: []string{},\n\t\t\tPublicKeyAlgorithms: []string{},\n\t\t\tTrustedUserCAKeys: []string{},\n\t\t\tRevokedUserCertsFile: \"\",\n\t\t\tOPKSSHPath: \"\",\n\t\t\tOPKSSHChecksum: \"\",\n\t\t\tLoginBannerFile: \"\",\n\t\t\tEnabledSSHCommands: []string{},\n\t\t\tKeyboardInteractiveAuthentication: true,\n\t\t\tKeyboardInteractiveHook: \"\",\n\t\t\tPasswordAuthentication: true,\n\t\t},\n\t\tFTPD: ftpd.Configuration{\n\t\t\tBindings: []ftpd.Binding{defaultFTPDBinding},\n\t\t\tBannerFile: \"\",\n\t\t\tActiveTransfersPortNon20: true,\n\t\t\tPassivePortRange: ftpd.PortRange{\n\t\t\t\tStart: 50000,\n\t\t\t\tEnd: 50100,\n\t\t\t},\n\t\t\tDisableActiveMode: false,\n\t\t\tEnableSite: false,\n\t\t\tHASHSupport: 0,\n\t\t\tCombineSupport: 0,\n\t\t\tCertificateFile: \"\",\n\t\t\tCertificateKeyFile: \"\",\n\t\t\tCACertificates: []string{},\n\t\t\tCARevocationLists: []string{},\n\t\t},\n\t\tWebDAVD: webdavd.Configuration{\n\t\t\tBindings: []webdavd.Binding{defaultWebDAVDBinding},\n\t\t\tCertificateFile: \"\",\n\t\t\tCertificateKeyFile: \"\",\n\t\t\tCACertificates: []string{},\n\t\t\tCARevocationLists: []string{},\n\t\t\tCors: webdavd.CorsConfig{\n\t\t\t\tEnabled: false,\n\t\t\t\tAllowedOrigins: []string{},\n\t\t\t\tAllowedMethods: []string{},\n\t\t\t\tAllowedHeaders: []string{},\n\t\t\t\tExposedHeaders: []string{},\n\t\t\t\tAllowCredentials: false,\n\t\t\t\tMaxAge: 0,\n\t\t\t\tOptionsPassthrough: false,\n\t\t\t\tOptionsSuccessStatus: 0,\n\t\t\t\tAllowPrivateNetwork: false,\n\t\t\t},\n\t\t\tCache: webdavd.Cache{\n\t\t\t\tUsers: webdavd.UsersCacheConfig{\n\t\t\t\t\tExpirationTime: 0,\n\t\t\t\t\tMaxSize: 50,\n\t\t\t\t},\n\t\t\t\tMimeTypes: webdavd.MimeCacheConfig{\n\t\t\t\t\tEnabled: true,\n\t\t\t\t\tMaxSize: 1000,\n\t\t\t\t\tCustomMappings: nil,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tProviderConf: dataprovider.Config{\n\t\t\tDriver: \"sqlite\",\n\t\t\tName: \"sftpgo.db\",\n\t\t\tHost: \"\",\n\t\t\tPort: 0,\n\t\t\tUsername: \"\",\n\t\t\tPassword: \"\",\n\t\t\tConnectionString: \"\",\n\t\t\tSQLTablesPrefix: \"\",\n\t\t\tSSLMode: 0,\n\t\t\tDisableSNI: false,\n\t\t\tTargetSessionAttrs: \"\",\n\t\t\tRootCert: \"\",\n\t\t\tClientCert: \"\",\n\t\t\tClientKey: \"\",\n\t\t\tTrackQuota: 2,\n\t\t\tPoolSize: 0,\n\t\t\tUsersBaseDir: \"\",\n\t\t\tActions: dataprovider.ObjectsActions{\n\t\t\t\tExecuteOn: []string{},\n\t\t\t\tExecuteFor: []string{},\n\t\t\t\tHook: \"\",\n\t\t\t},\n\t\t\tExternalAuthHook: \"\",\n\t\t\tExternalAuthScope: 0,\n\t\t\tPreLoginHook: \"\",\n\t\t\tPostLoginHook: \"\",\n\t\t\tPostLoginScope: 0,\n\t\t\tCheckPasswordHook: \"\",\n\t\t\tCheckPasswordScope: 0,\n\t\t\tPasswordHashing: dataprovider.PasswordHashing{\n\t\t\t\tArgon2Options: dataprovider.Argon2Options{\n\t\t\t\t\tMemory: 65536,\n\t\t\t\t\tIterations: 1,\n\t\t\t\t\tParallelism: 2,\n\t\t\t\t},\n\t\t\t\tBcryptOptions: dataprovider.BcryptOptions{\n\t\t\t\t\tCost: 10,\n\t\t\t\t},\n\t\t\t\tAlgo: dataprovider.HashingAlgoBcrypt,\n\t\t\t},\n\t\t\tPasswordValidation: dataprovider.PasswordValidation{\n\t\t\t\tAdmins: dataprovider.PasswordValidationRules{\n\t\t\t\t\tMinEntropy: 0,\n\t\t\t\t},\n\t\t\t\tUsers: dataprovider.PasswordValidationRules{\n\t\t\t\t\tMinEntropy: 0,\n\t\t\t\t},\n\t\t\t},\n\t\t\tPasswordCaching: true,\n\t\t\tUpdateMode: 0,\n\t\t\tDelayedQuotaUpdate: 0,\n\t\t\tCreateDefaultAdmin: false,\n\t\t\tNamingRules: 1,\n\t\t\tIsShared: 0,\n\t\t\tNode: dataprovider.NodeConfig{\n\t\t\t\tHost: \"\",\n\t\t\t\tPort: 0,\n\t\t\t\tProto: \"http\",\n\t\t\t},\n\t\t\tBackupsPath: \"backups\",\n\t\t},\n\t\tHTTPDConfig: httpd.Conf{\n\t\t\tBindings: []httpd.Binding{defaultHTTPDBinding},\n\t\t\tTemplatesPath: \"templates\",\n\t\t\tStaticFilesPath: \"static\",\n\t\t\tOpenAPIPath: \"openapi\",\n\t\t\tWebRoot: \"\",\n\t\t\tCertificateFile: \"\",\n\t\t\tCertificateKeyFile: \"\",\n\t\t\tCACertificates: nil,\n\t\t\tCARevocationLists: nil,\n\t\t\tSigningPassphrase: \"\",\n\t\t\tSigningPassphraseFile: \"\",\n\t\t\tTokenValidation: 0,\n\t\t\tCookieLifetime: 20,\n\t\t\tShareCookieLifetime: 120,\n\t\t\tJWTLifetime: 20,\n\t\t\tMaxUploadFileSize: 0,\n\t\t\tCors: httpd.CorsConfig{\n\t\t\t\tEnabled: false,\n\t\t\t\tAllowedOrigins: []string{},\n\t\t\t\tAllowedMethods: []string{},\n\t\t\t\tAllowedHeaders: []string{},\n\t\t\t\tExposedHeaders: []string{},\n\t\t\t\tAllowCredentials: false,\n\t\t\t\tMaxAge: 0,\n\t\t\t\tOptionsPassthrough: false,\n\t\t\t\tOptionsSuccessStatus: 0,\n\t\t\t\tAllowPrivateNetwork: false,\n\t\t\t},\n\t\t\tSetup: httpd.SetupConfig{\n\t\t\t\tInstallationCode: \"\",\n\t\t\t\tInstallationCodeHint: defaultInstallCodeHint,\n\t\t\t},\n\t\t\tHideSupportLink: false,\n\t\t},\n\t\tHTTPConfig: httpclient.Config{\n\t\t\tTimeout: 20,\n\t\t\tRetryWaitMin: 2,\n\t\t\tRetryWaitMax: 30,\n\t\t\tRetryMax: 3,\n\t\t\tCACertificates: nil,\n\t\t\tCertificates: nil,\n\t\t\tSkipTLSVerify: false,\n\t\t\tHeaders: nil,\n\t\t},\n\t\tCommandConfig: command.Config{\n\t\t\tTimeout: 30,\n\t\t\tEnv: nil,\n\t\t\tCommands: nil,\n\t\t},\n\t\tKMSConfig: kms.Configuration{\n\t\t\tSecrets: kms.Secrets{\n\t\t\t\tURL: \"\",\n\t\t\t\tMasterKeyString: \"\",\n\t\t\t\tMasterKeyPath: \"\",\n\t\t\t},\n\t\t},\n\t\tMFAConfig: mfa.Config{\n\t\t\tTOTP: []mfa.TOTPConfig{defaultTOTP},\n\t\t},\n\t\tTelemetryConfig: telemetry.Conf{\n\t\t\tBindPort: 0,\n\t\t\tBindAddress: \"127.0.0.1\",\n\t\t\tEnableProfiler: false,\n\t\t\tAuthUserFile: \"\",\n\t\t\tCertificateFile: \"\",\n\t\t\tCertificateKeyFile: \"\",\n\t\t\tMinTLSVersion: 12,\n\t\t\tTLSCipherSuites: nil,\n\t\t\tProtocols: nil,\n\t\t},\n\t\tSMTPConfig: smtp.Config{\n\t\t\tHost: \"\",\n\t\t\tPort: 587,\n\t\t\tFrom: \"\",\n\t\t\tUser: \"\",\n\t\t\tPassword: \"\",\n\t\t\tAuthType: 0,\n\t\t\tEncryption: 0,\n\t\t\tDomain: \"\",\n\t\t\tTemplatesPath: \"templates\",\n\t\t},\n\t\tPluginsConfig: nil,\n\t}\n\n\tviper.SetEnvPrefix(configEnvPrefix)\n\treplacer := strings.NewReplacer(\".\", \"__\")\n\tviper.SetEnvKeyReplacer(replacer)\n\tviper.SetConfigName(configName)\n\tsetViperDefaults()\n\tviper.AutomaticEnv()\n\tviper.AllowEmptyEnv(true)\n}\n\n// GetCommonConfig returns the common protocols configuration\nfunc GetCommonConfig() common.Configuration {\n\treturn globalConf.Common\n}\n\n// SetCommonConfig sets the common protocols configuration\nfunc SetCommonConfig(config common.Configuration) {\n\tglobalConf.Common = config\n}\n\n// GetSFTPDConfig returns the configuration for the SFTP server\nfunc GetSFTPDConfig() sftpd.Configuration {\n\treturn globalConf.SFTPD\n}\n\n// SetSFTPDConfig sets the configuration for the SFTP server\nfunc SetSFTPDConfig(config sftpd.Configuration) {\n\tglobalConf.SFTPD = config\n}\n\n// GetFTPDConfig returns the configuration for the FTP server\nfunc GetFTPDConfig() ftpd.Configuration {\n\treturn globalConf.FTPD\n}\n\n// SetFTPDConfig sets the configuration for the FTP server\nfunc SetFTPDConfig(config ftpd.Configuration) {\n\tglobalConf.FTPD = config\n}\n\n// GetWebDAVDConfig returns the configuration for the WebDAV server\nfunc GetWebDAVDConfig() webdavd.Configuration {\n\treturn globalConf.WebDAVD\n}\n\n// SetWebDAVDConfig sets the configuration for the WebDAV server\nfunc SetWebDAVDConfig(config webdavd.Configuration) {\n\tglobalConf.WebDAVD = config\n}\n\n// GetHTTPDConfig returns the configuration for the HTTP server\nfunc GetHTTPDConfig() httpd.Conf {\n\treturn globalConf.HTTPDConfig\n}\n\n// SetHTTPDConfig sets the configuration for the HTTP server\nfunc SetHTTPDConfig(config httpd.Conf) {\n\tglobalConf.HTTPDConfig = config\n}\n\n// GetProviderConf returns the configuration for the data provider\nfunc GetProviderConf() dataprovider.Config {\n\treturn globalConf.ProviderConf\n}\n\n// SetProviderConf sets the configuration for the data provider\nfunc SetProviderConf(config dataprovider.Config) {\n\tglobalConf.ProviderConf = config\n}\n\n// GetHTTPConfig returns the configuration for HTTP clients\nfunc GetHTTPConfig() httpclient.Config {\n\treturn globalConf.HTTPConfig\n}\n\n// GetCommandConfig returns the configuration for external commands\nfunc GetCommandConfig() command.Config {\n\treturn globalConf.CommandConfig\n}\n\n// GetKMSConfig returns the KMS configuration\nfunc GetKMSConfig() kms.Configuration {\n\treturn globalConf.KMSConfig\n}\n\n// SetKMSConfig sets the kms configuration\nfunc SetKMSConfig(config kms.Configuration) {\n\tglobalConf.KMSConfig = config\n}\n\n// GetTelemetryConfig returns the telemetry configuration\nfunc GetTelemetryConfig() telemetry.Conf {\n\treturn globalConf.TelemetryConfig\n}\n\n// SetTelemetryConfig sets the telemetry configuration\nfunc SetTelemetryConfig(config telemetry.Conf) {\n\tglobalConf.TelemetryConfig = config\n}\n\n// GetPluginsConfig returns the plugins configuration\nfunc GetPluginsConfig() []plugin.Config {\n\treturn globalConf.PluginsConfig\n}\n\n// SetPluginsConfig sets the plugin configuration\nfunc SetPluginsConfig(config []plugin.Config) {\n\tglobalConf.PluginsConfig = config\n}\n\n// HasKMSPlugin returns true if at least one KMS plugin is configured.\nfunc HasKMSPlugin() bool {\n\tfor _, c := range globalConf.PluginsConfig {\n\t\tif c.Type == kmsplugin.PluginName {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// GetMFAConfig returns multi-factor authentication config\nfunc GetMFAConfig() mfa.Config {\n\treturn globalConf.MFAConfig\n}\n\n// GetSMTPConfig returns the SMTP configuration\nfunc GetSMTPConfig() smtp.Config {\n\treturn globalConf.SMTPConfig\n}\n\n// GetACMEConfig returns the ACME configuration\nfunc GetACMEConfig() acme.Configuration {\n\treturn globalConf.ACME\n}\n\n// HasServicesToStart returns true if the config defines at least a service to start.\n// Supported services are SFTP, FTP and WebDAV\nfunc HasServicesToStart() bool {\n\tif globalConf.SFTPD.ShouldBind() {\n\t\treturn true\n\t}\n\tif globalConf.FTPD.ShouldBind() {\n\t\treturn true\n\t}\n\tif globalConf.WebDAVD.ShouldBind() {\n\t\treturn true\n\t}\n\tif globalConf.HTTPDConfig.ShouldBind() {\n\t\treturn true\n\t}\n\treturn false\n}\n\nfunc getRedactedPassword(value string) string {\n\tif value == \"\" {\n\t\treturn value\n\t}\n\treturn \"[redacted]\"\n}\n\nfunc getRedactedGlobalConf() globalConfig {\n\tconf := globalConf\n\tconf.Common.Actions.Hook = util.GetRedactedURL(conf.Common.Actions.Hook)\n\tconf.Common.StartupHook = util.GetRedactedURL(conf.Common.StartupHook)\n\tconf.Common.PostConnectHook = util.GetRedactedURL(conf.Common.PostConnectHook)\n\tconf.Common.PostDisconnectHook = util.GetRedactedURL(conf.Common.PostDisconnectHook)\n\tconf.SFTPD.KeyboardInteractiveHook = util.GetRedactedURL(conf.SFTPD.KeyboardInteractiveHook)\n\tconf.HTTPDConfig.SigningPassphrase = getRedactedPassword(conf.HTTPDConfig.SigningPassphrase)\n\tconf.HTTPDConfig.Setup.InstallationCode = getRedactedPassword(conf.HTTPDConfig.Setup.InstallationCode)\n\tconf.ProviderConf.Password = getRedactedPassword(conf.ProviderConf.Password)\n\tconf.ProviderConf.Actions.Hook = util.GetRedactedURL(conf.ProviderConf.Actions.Hook)\n\tconf.ProviderConf.ExternalAuthHook = util.GetRedactedURL(conf.ProviderConf.ExternalAuthHook)\n\tconf.ProviderConf.PreLoginHook = util.GetRedactedURL(conf.ProviderConf.PreLoginHook)\n\tconf.ProviderConf.PostLoginHook = util.GetRedactedURL(conf.ProviderConf.PostLoginHook)\n\tconf.ProviderConf.CheckPasswordHook = util.GetRedactedURL(conf.ProviderConf.CheckPasswordHook)\n\tconf.SMTPConfig.Password = getRedactedPassword(conf.SMTPConfig.Password)\n\tconf.HTTPDConfig.Bindings = nil\n\tfor _, binding := range globalConf.HTTPDConfig.Bindings {\n\t\tbinding.OIDC.ClientID = getRedactedPassword(binding.OIDC.ClientID)\n\t\tbinding.OIDC.ClientSecret = getRedactedPassword(binding.OIDC.ClientSecret)\n\t\tconf.HTTPDConfig.Bindings = append(conf.HTTPDConfig.Bindings, binding)\n\t}\n\tconf.KMSConfig.Secrets.MasterKeyString = getRedactedPassword(conf.KMSConfig.Secrets.MasterKeyString)\n\tconf.PluginsConfig = nil\n\tfor _, plugin := range globalConf.PluginsConfig {\n\t\tvar args []string\n\t\tfor _, arg := range plugin.Args {\n\t\t\targs = append(args, getRedactedPassword(arg))\n\t\t}\n\t\tplugin.Args = args\n\t\tconf.PluginsConfig = append(conf.PluginsConfig, plugin)\n\t}\n\treturn conf\n}\n\nfunc setConfigFile(configDir, configFile string) {\n\tif configFile == \"\" {\n\t\treturn\n\t}\n\tif !filepath.IsAbs(configFile) && util.IsFileInputValid(configFile) {\n\t\tconfigFile = filepath.Join(configDir, configFile)\n\t}\n\tviper.SetConfigFile(configFile)\n}\n\n// readEnvFiles reads files inside the \"env.d\" directory relative to configDir\n// and then export the valid variables into environment variables if they do\n// not exist\nfunc readEnvFiles(configDir string) {\n\tenvd := filepath.Join(configDir, \"env.d\")\n\tentries, err := os.ReadDir(envd)\n\tif err != nil {\n\t\tlogger.Info(logSender, \"\", \"unable to read env files from %q: %v\", envd, err)\n\t\treturn\n\t}\n\tfor _, entry := range entries {\n\t\tinfo, err := entry.Info()\n\t\tif err == nil && info.Mode().IsRegular() {\n\t\t\tenvFile := filepath.Join(envd, entry.Name())\n\t\t\tif info.Size() > envFileMaxSize {\n\t\t\t\tlogger.Info(logSender, \"\", \"env file %q too big: %s, skipping\", entry.Name(), util.ByteCountIEC(info.Size()))\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\terr = gotenv.Load(envFile)\n\t\t\tif err != nil {\n\t\t\t\tlogger.Error(logSender, \"\", \"unable to load env vars from file %q, err: %v\", envFile, err)\n\t\t\t} else {\n\t\t\t\tlogger.Info(logSender, \"\", \"set env vars from file %q\", envFile)\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc checkOverrideDefaultSettings() {\n\t// for slices we need to set the defaults to nil if the key is set in the config file,\n\t// otherwise the values are merged and not replaced as expected\n\trateLimiters := viper.Get(\"common.rate_limiters\")\n\tif val, ok := rateLimiters.([]any); ok {\n\t\tif len(val) > 0 {\n\t\t\tif rl, ok := val[0].(map[string]any); ok {\n\t\t\t\tif _, ok := rl[\"protocols\"]; ok {\n\t\t\t\t\tglobalConf.Common.RateLimitersConfig[0].Protocols = nil\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\thttpdBindings := viper.Get(\"httpd.bindings\")\n\tif val, ok := httpdBindings.([]any); ok {\n\t\tif len(val) > 0 {\n\t\t\tif binding, ok := val[0].(map[string]any); ok {\n\t\t\t\tif val, ok := binding[\"oidc\"]; ok {\n\t\t\t\t\tif oidc, ok := val.(map[string]any); ok {\n\t\t\t\t\t\tif _, ok := oidc[\"scopes\"]; ok {\n\t\t\t\t\t\t\tglobalConf.HTTPDConfig.Bindings[0].OIDC.Scopes = nil\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\tif slices.Contains(viper.AllKeys(), \"mfa.totp\") {\n\t\tglobalConf.MFAConfig.TOTP = nil\n\t}\n}\n\n// LoadConfig loads the configuration\n// configDir will be added to the configuration search paths.\n// The search path contains by default the current directory and on linux it contains\n// $HOME/.config/sftpgo and /etc/sftpgo too.\n// configFile is an absolute or relative path (to the config dir) to the configuration file.\nfunc LoadConfig(configDir, configFile string) error {\n\tvar err error\n\treadEnvFiles(configDir)\n\tviper.AddConfigPath(configDir)\n\tsetViperAdditionalConfigPaths()\n\tviper.AddConfigPath(\".\")\n\tsetConfigFile(configDir, configFile)\n\tif err = viper.ReadInConfig(); err != nil {\n\t\t// if the user specify a configuration file we get os.ErrNotExist.\n\t\t// viper.ConfigFileNotFoundError is returned if viper is unable\n\t\t// to find sftpgo.{json,yaml, etc..} in any of the search paths\n\t\tif errors.As(err, &viper.ConfigFileNotFoundError{}) {\n\t\t\tlogger.Debug(logSender, \"\", \"no configuration file found\")\n\t\t} else {\n\t\t\tlogger.Warn(logSender, \"\", \"error loading configuration file: %v\", err)\n\t\t\tlogger.WarnToConsole(\"error loading configuration file: %v\", err)\n\t\t\treturn err\n\t\t}\n\t}\n\tcheckOverrideDefaultSettings()\n\terr = viper.Unmarshal(&globalConf)\n\tif err != nil {\n\t\tlogger.Warn(logSender, \"\", \"error parsing configuration file: %v\", err)\n\t\tlogger.WarnToConsole(\"error parsing configuration file: %v\", err)\n\t\treturn err\n\t}\n\t// viper only supports slice of strings from env vars, so we use our custom method\n\tloadBindingsFromEnv()\n\tloadWebDAVCacheMappingsFromEnv()\n\tresetInvalidConfigs()\n\tlogger.Debug(logSender, \"\", \"config file used: '%q', config loaded: %+v\", viper.ConfigFileUsed(), getRedactedGlobalConf())\n\treturn nil\n}\n\nfunc isProxyProtocolValid() bool {\n\treturn globalConf.Common.ProxyProtocol >= 0 && globalConf.Common.ProxyProtocol <= 2\n}\n\nfunc isExternalAuthScopeValid() bool {\n\treturn globalConf.ProviderConf.ExternalAuthScope >= 0 && globalConf.ProviderConf.ExternalAuthScope <= 15\n}\n\nfunc resetInvalidConfigs() {\n\tif strings.TrimSpace(globalConf.HTTPDConfig.Setup.InstallationCodeHint) == \"\" {\n\t\tglobalConf.HTTPDConfig.Setup.InstallationCodeHint = defaultInstallCodeHint\n\t}\n\tif globalConf.ProviderConf.UsersBaseDir != \"\" && !util.IsFileInputValid(globalConf.ProviderConf.UsersBaseDir) {\n\t\twarn := fmt.Sprintf(\"invalid users base dir %q will be ignored\", globalConf.ProviderConf.UsersBaseDir)\n\t\tglobalConf.ProviderConf.UsersBaseDir = \"\"\n\t\tlogger.Warn(logSender, \"\", \"Non-fatal configuration error: %v\", warn)\n\t\tlogger.WarnToConsole(\"Non-fatal configuration error: %v\", warn)\n\t}\n\tif !isProxyProtocolValid() {\n\t\twarn := fmt.Sprintf(\"invalid proxy_protocol 0, 1 and 2 are supported, configured: %v reset proxy_protocol to 0\",\n\t\t\tglobalConf.Common.ProxyProtocol)\n\t\tglobalConf.Common.ProxyProtocol = 0\n\t\tlogger.Warn(logSender, \"\", \"Non-fatal configuration error: %v\", warn)\n\t\tlogger.WarnToConsole(\"Non-fatal configuration error: %v\", warn)\n\t}\n\tif !isExternalAuthScopeValid() {\n\t\twarn := fmt.Sprintf(\"invalid external_auth_scope: %v reset to 0\", globalConf.ProviderConf.ExternalAuthScope)\n\t\tglobalConf.ProviderConf.ExternalAuthScope = 0\n\t\tlogger.Warn(logSender, \"\", \"Non-fatal configuration error: %v\", warn)\n\t\tlogger.WarnToConsole(\"Non-fatal configuration error: %v\", warn)\n\t}\n\tif globalConf.Common.DefenderConfig.Enabled && globalConf.Common.DefenderConfig.Driver == common.DefenderDriverProvider {\n\t\tif !globalConf.ProviderConf.IsDefenderSupported() {\n\t\t\twarn := fmt.Sprintf(\"provider based defender is not supported with data provider %q, \"+\n\t\t\t\t\"the memory defender implementation will be used. If you want to use the provider defender \"+\n\t\t\t\t\"implementation please switch to a shared/distributed data provider\",\n\t\t\t\tglobalConf.ProviderConf.Driver)\n\t\t\tglobalConf.Common.DefenderConfig.Driver = common.DefenderDriverMemory\n\t\t\tlogger.Warn(logSender, \"\", \"Non-fatal configuration error: %v\", warn)\n\t\t\tlogger.WarnToConsole(\"Non-fatal configuration error: %v\", warn)\n\t\t}\n\t}\n\tif globalConf.Common.RenameMode < 0 || globalConf.Common.RenameMode > 1 {\n\t\twarn := fmt.Sprintf(\"invalid rename mode %d, reset to 0\", globalConf.Common.RenameMode)\n\t\tglobalConf.Common.RenameMode = 0\n\t\tlogger.Warn(logSender, \"\", \"Non-fatal configuration error: %v\", warn)\n\t\tlogger.WarnToConsole(\"Non-fatal configuration error: %v\", warn)\n\t}\n}\n\nfunc loadBindingsFromEnv() {\n\tfor idx := 0; idx < 10; idx++ {\n\t\tgetTOTPFromEnv(idx)\n\t\tgetRateLimitersFromEnv(idx)\n\t\tgetPluginsFromEnv(idx)\n\t\tgetSFTPDBindindFromEnv(idx)\n\t\tgetFTPDBindingFromEnv(idx)\n\t\tgetWebDAVDBindingFromEnv(idx)\n\t\tgetHTTPDBindingFromEnv(idx)\n\t\tgetHTTPClientCertificatesFromEnv(idx)\n\t\tgetHTTPClientHeadersFromEnv(idx)\n\t\tgetCommandConfigsFromEnv(idx)\n\t}\n}\n\nfunc getTOTPFromEnv(idx int) {\n\ttotpConfig := defaultTOTP\n\tif len(globalConf.MFAConfig.TOTP) > idx {\n\t\ttotpConfig = globalConf.MFAConfig.TOTP[idx]\n\t}\n\n\tisSet := false\n\n\tname, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_MFA__TOTP__%v__NAME\", idx))\n\tif ok {\n\t\ttotpConfig.Name = name\n\t\tisSet = true\n\t}\n\n\tissuer, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_MFA__TOTP__%v__ISSUER\", idx))\n\tif ok {\n\t\ttotpConfig.Issuer = issuer\n\t\tisSet = true\n\t}\n\n\talgo, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_MFA__TOTP__%v__ALGO\", idx))\n\tif ok {\n\t\ttotpConfig.Algo = algo\n\t\tisSet = true\n\t}\n\n\tif isSet {\n\t\tif len(globalConf.MFAConfig.TOTP) > idx {\n\t\t\tglobalConf.MFAConfig.TOTP[idx] = totpConfig\n\t\t} else {\n\t\t\tglobalConf.MFAConfig.TOTP = append(globalConf.MFAConfig.TOTP, totpConfig)\n\t\t}\n\t}\n}\n\nfunc getRateLimitersFromEnv(idx int) {\n\trtlConfig := defaultRateLimiter\n\tif len(globalConf.Common.RateLimitersConfig) > idx {\n\t\trtlConfig = globalConf.Common.RateLimitersConfig[idx]\n\t}\n\n\tisSet := false\n\n\taverage, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_COMMON__RATE_LIMITERS__%v__AVERAGE\", idx), 64)\n\tif ok {\n\t\trtlConfig.Average = average\n\t\tisSet = true\n\t}\n\n\tperiod, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_COMMON__RATE_LIMITERS__%v__PERIOD\", idx), 64)\n\tif ok {\n\t\trtlConfig.Period = period\n\t\tisSet = true\n\t}\n\n\tburst, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_COMMON__RATE_LIMITERS__%v__BURST\", idx), 32)\n\tif ok {\n\t\trtlConfig.Burst = int(burst)\n\t\tisSet = true\n\t}\n\n\trtlType, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_COMMON__RATE_LIMITERS__%v__TYPE\", idx), 32)\n\tif ok {\n\t\trtlConfig.Type = int(rtlType)\n\t\tisSet = true\n\t}\n\n\tprotocols, ok := lookupStringListFromEnv(fmt.Sprintf(\"SFTPGO_COMMON__RATE_LIMITERS__%v__PROTOCOLS\", idx))\n\tif ok {\n\t\trtlConfig.Protocols = protocols\n\t\tisSet = true\n\t}\n\n\tgenerateEvents, ok := lookupBoolFromEnv(fmt.Sprintf(\"SFTPGO_COMMON__RATE_LIMITERS__%v__GENERATE_DEFENDER_EVENTS\", idx))\n\tif ok {\n\t\trtlConfig.GenerateDefenderEvents = generateEvents\n\t\tisSet = true\n\t}\n\n\tsoftLimit, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_COMMON__RATE_LIMITERS__%v__ENTRIES_SOFT_LIMIT\", idx), 32)\n\tif ok {\n\t\trtlConfig.EntriesSoftLimit = int(softLimit)\n\t\tisSet = true\n\t}\n\n\thardLimit, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_COMMON__RATE_LIMITERS__%v__ENTRIES_HARD_LIMIT\", idx), 32)\n\tif ok {\n\t\trtlConfig.EntriesHardLimit = int(hardLimit)\n\t\tisSet = true\n\t}\n\n\tif isSet {\n\t\tif len(globalConf.Common.RateLimitersConfig) > idx {\n\t\t\tglobalConf.Common.RateLimitersConfig[idx] = rtlConfig\n\t\t} else {\n\t\t\tglobalConf.Common.RateLimitersConfig = append(globalConf.Common.RateLimitersConfig, rtlConfig)\n\t\t}\n\t}\n}\n\nfunc getKMSPluginFromEnv(idx int, pluginConfig *plugin.Config) bool {\n\tisSet := false\n\n\tkmsScheme, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_PLUGINS__%v__KMS_OPTIONS__SCHEME\", idx))\n\tif ok {\n\t\tpluginConfig.KMSOptions.Scheme = kmsScheme\n\t\tisSet = true\n\t}\n\n\tkmsEncStatus, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_PLUGINS__%v__KMS_OPTIONS__ENCRYPTED_STATUS\", idx))\n\tif ok {\n\t\tpluginConfig.KMSOptions.EncryptedStatus = kmsEncStatus\n\t\tisSet = true\n\t}\n\n\treturn isSet\n}\n\nfunc getAuthPluginFromEnv(idx int, pluginConfig *plugin.Config) bool {\n\tisSet := false\n\n\tauthScope, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_PLUGINS__%v__AUTH_OPTIONS__SCOPE\", idx), 32)\n\tif ok {\n\t\tpluginConfig.AuthOptions.Scope = int(authScope)\n\t\tisSet = true\n\t}\n\n\treturn isSet\n}\n\nfunc getNotifierPluginFromEnv(idx int, pluginConfig *plugin.Config) bool {\n\tisSet := false\n\n\tnotifierFsEvents, ok := lookupStringListFromEnv(fmt.Sprintf(\"SFTPGO_PLUGINS__%v__NOTIFIER_OPTIONS__FS_EVENTS\", idx))\n\tif ok {\n\t\tpluginConfig.NotifierOptions.FsEvents = notifierFsEvents\n\t\tisSet = true\n\t}\n\n\tnotifierProviderEvents, ok := lookupStringListFromEnv(fmt.Sprintf(\"SFTPGO_PLUGINS__%v__NOTIFIER_OPTIONS__PROVIDER_EVENTS\", idx))\n\tif ok {\n\t\tpluginConfig.NotifierOptions.ProviderEvents = notifierProviderEvents\n\t\tisSet = true\n\t}\n\n\tnotifierProviderObjects, ok := lookupStringListFromEnv(fmt.Sprintf(\"SFTPGO_PLUGINS__%v__NOTIFIER_OPTIONS__PROVIDER_OBJECTS\", idx))\n\tif ok {\n\t\tpluginConfig.NotifierOptions.ProviderObjects = notifierProviderObjects\n\t\tisSet = true\n\t}\n\n\tnotifierLogEventsString, ok := lookupStringListFromEnv(fmt.Sprintf(\"SFTPGO_PLUGINS__%v__NOTIFIER_OPTIONS__LOG_EVENTS\", idx))\n\tif ok {\n\t\tvar notifierLogEvents []int\n\t\tfor _, e := range notifierLogEventsString {\n\t\t\tev, err := strconv.Atoi(e)\n\t\t\tif err == nil {\n\t\t\t\tnotifierLogEvents = append(notifierLogEvents, ev)\n\t\t\t}\n\t\t}\n\t\tif len(notifierLogEvents) > 0 {\n\t\t\tpluginConfig.NotifierOptions.LogEvents = notifierLogEvents\n\t\t\tisSet = true\n\t\t}\n\t}\n\n\tnotifierRetryMaxTime, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_PLUGINS__%v__NOTIFIER_OPTIONS__RETRY_MAX_TIME\", idx), 32)\n\tif ok {\n\t\tpluginConfig.NotifierOptions.RetryMaxTime = int(notifierRetryMaxTime)\n\t\tisSet = true\n\t}\n\n\tnotifierRetryQueueMaxSize, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_PLUGINS__%v__NOTIFIER_OPTIONS__RETRY_QUEUE_MAX_SIZE\", idx), 32)\n\tif ok {\n\t\tpluginConfig.NotifierOptions.RetryQueueMaxSize = int(notifierRetryQueueMaxSize)\n\t\tisSet = true\n\t}\n\n\treturn isSet\n}\n\nfunc getPluginsFromEnv(idx int) {\n\tpluginConfig := plugin.Config{}\n\tif len(globalConf.PluginsConfig) > idx {\n\t\tpluginConfig = globalConf.PluginsConfig[idx]\n\t}\n\n\tisSet := false\n\n\tpluginType, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_PLUGINS__%v__TYPE\", idx))\n\tif ok {\n\t\tpluginConfig.Type = pluginType\n\t\tisSet = true\n\t}\n\n\tif getNotifierPluginFromEnv(idx, &pluginConfig) {\n\t\tisSet = true\n\t}\n\n\tif getKMSPluginFromEnv(idx, &pluginConfig) {\n\t\tisSet = true\n\t}\n\n\tif getAuthPluginFromEnv(idx, &pluginConfig) {\n\t\tisSet = true\n\t}\n\n\tcmd, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_PLUGINS__%v__CMD\", idx))\n\tif ok {\n\t\tpluginConfig.Cmd = cmd\n\t\tisSet = true\n\t}\n\n\tcmdArgs, ok := lookupStringListFromEnv(fmt.Sprintf(\"SFTPGO_PLUGINS__%v__ARGS\", idx))\n\tif ok {\n\t\tpluginConfig.Args = cmdArgs\n\t\tisSet = true\n\t}\n\n\tpluginHash, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_PLUGINS__%v__SHA256SUM\", idx))\n\tif ok {\n\t\tpluginConfig.SHA256Sum = pluginHash\n\t\tisSet = true\n\t}\n\n\tautoMTLS, ok := lookupBoolFromEnv(fmt.Sprintf(\"SFTPGO_PLUGINS__%v__AUTO_MTLS\", idx))\n\tif ok {\n\t\tpluginConfig.AutoMTLS = autoMTLS\n\t\tisSet = true\n\t}\n\n\tenvPrefix, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_PLUGINS__%v__ENV_PREFIX\", idx))\n\tif ok {\n\t\tpluginConfig.EnvPrefix = envPrefix\n\t\tisSet = true\n\t}\n\n\tenvVars, ok := lookupStringListFromEnv(fmt.Sprintf(\"SFTPGO_PLUGINS__%v__ENV_VARS\", idx))\n\tif ok {\n\t\tpluginConfig.EnvVars = envVars\n\t\tisSet = true\n\t}\n\n\tif isSet {\n\t\tif len(globalConf.PluginsConfig) > idx {\n\t\t\tglobalConf.PluginsConfig[idx] = pluginConfig\n\t\t} else {\n\t\t\tglobalConf.PluginsConfig = append(globalConf.PluginsConfig, pluginConfig)\n\t\t}\n\t}\n}\n\nfunc getSFTPDBindindFromEnv(idx int) {\n\tbinding := defaultSFTPDBinding\n\tif len(globalConf.SFTPD.Bindings) > idx {\n\t\tbinding = globalConf.SFTPD.Bindings[idx]\n\t}\n\n\tisSet := false\n\n\tport, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_SFTPD__BINDINGS__%v__PORT\", idx), 32)\n\tif ok {\n\t\tbinding.Port = int(port)\n\t\tisSet = true\n\t}\n\n\taddress, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_SFTPD__BINDINGS__%v__ADDRESS\", idx))\n\tif ok {\n\t\tbinding.Address = address\n\t\tisSet = true\n\t}\n\n\tapplyProxyConfig, ok := lookupBoolFromEnv(fmt.Sprintf(\"SFTPGO_SFTPD__BINDINGS__%v__APPLY_PROXY_CONFIG\", idx))\n\tif ok {\n\t\tbinding.ApplyProxyConfig = applyProxyConfig\n\t\tisSet = true\n\t}\n\n\tif isSet {\n\t\tif len(globalConf.SFTPD.Bindings) > idx {\n\t\t\tglobalConf.SFTPD.Bindings[idx] = binding\n\t\t} else {\n\t\t\tglobalConf.SFTPD.Bindings = append(globalConf.SFTPD.Bindings, binding)\n\t\t}\n\t}\n}\n\nfunc getFTPDPassiveIPOverridesFromEnv(idx int) []ftpd.PassiveIPOverride {\n\tvar overrides []ftpd.PassiveIPOverride\n\tif len(globalConf.FTPD.Bindings) > idx {\n\t\toverrides = globalConf.FTPD.Bindings[idx].PassiveIPOverrides\n\t}\n\n\tfor subIdx := 0; subIdx < 10; subIdx++ {\n\t\tvar override ftpd.PassiveIPOverride\n\t\tvar replace bool\n\t\tif len(globalConf.FTPD.Bindings) > idx && len(globalConf.FTPD.Bindings[idx].PassiveIPOverrides) > subIdx {\n\t\t\toverride = globalConf.FTPD.Bindings[idx].PassiveIPOverrides[subIdx]\n\t\t\treplace = true\n\t\t}\n\n\t\tip, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_FTPD__BINDINGS__%v__PASSIVE_IP_OVERRIDES__%v__IP\", idx, subIdx))\n\t\tif ok {\n\t\t\toverride.IP = ip\n\t\t}\n\n\t\tnetworks, ok := lookupStringListFromEnv(fmt.Sprintf(\"SFTPGO_FTPD__BINDINGS__%v__PASSIVE_IP_OVERRIDES__%v__NETWORKS\",\n\t\t\tidx, subIdx))\n\t\tif ok {\n\t\t\toverride.Networks = networks\n\t\t}\n\n\t\tif len(override.Networks) > 0 {\n\t\t\tif replace {\n\t\t\t\toverrides[subIdx] = override\n\t\t\t} else {\n\t\t\t\toverrides = append(overrides, override)\n\t\t\t}\n\t\t}\n\t}\n\n\treturn overrides\n}\n\nfunc getDefaultFTPDBinding(idx int) ftpd.Binding {\n\tbinding := defaultFTPDBinding\n\tif len(globalConf.FTPD.Bindings) > idx {\n\t\tbinding = globalConf.FTPD.Bindings[idx]\n\t}\n\treturn binding\n}\n\nfunc getFTPDBindingSecurityFromEnv(idx int, binding *ftpd.Binding) bool {\n\tisSet := false\n\n\tcertificateFile, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_FTPD__BINDINGS__%v__CERTIFICATE_FILE\", idx))\n\tif ok {\n\t\tbinding.CertificateFile = certificateFile\n\t\tisSet = true\n\t}\n\n\tcertificateKeyFile, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_FTPD__BINDINGS__%v__CERTIFICATE_KEY_FILE\", idx))\n\tif ok {\n\t\tbinding.CertificateKeyFile = certificateKeyFile\n\t\tisSet = true\n\t}\n\n\ttlsMode, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_FTPD__BINDINGS__%v__TLS_MODE\", idx), 32)\n\tif ok {\n\t\tbinding.TLSMode = int(tlsMode)\n\t\tisSet = true\n\t}\n\n\ttlsVer, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_FTPD__BINDINGS__%v__MIN_TLS_VERSION\", idx), 32)\n\tif ok {\n\t\tbinding.MinTLSVersion = int(tlsVer)\n\t\tisSet = true\n\t}\n\n\ttlsCiphers, ok := lookupStringListFromEnv(fmt.Sprintf(\"SFTPGO_FTPD__BINDINGS__%v__TLS_CIPHER_SUITES\", idx))\n\tif ok {\n\t\tbinding.TLSCipherSuites = tlsCiphers\n\t\tisSet = true\n\t}\n\n\tclientAuthType, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_FTPD__BINDINGS__%v__CLIENT_AUTH_TYPE\", idx), 32)\n\tif ok {\n\t\tbinding.ClientAuthType = int(clientAuthType)\n\t\tisSet = true\n\t}\n\n\tpasvSecurity, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_FTPD__BINDINGS__%v__PASSIVE_CONNECTIONS_SECURITY\", idx), 32)\n\tif ok {\n\t\tbinding.PassiveConnectionsSecurity = int(pasvSecurity)\n\t\tisSet = true\n\t}\n\n\tactiveSecurity, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_FTPD__BINDINGS__%v__ACTIVE_CONNECTIONS_SECURITY\", idx), 32)\n\tif ok {\n\t\tbinding.ActiveConnectionsSecurity = int(activeSecurity)\n\t\tisSet = true\n\t}\n\n\treturn isSet\n}\n\nfunc getFTPDBindingFromEnv(idx int) {\n\tbinding := getDefaultFTPDBinding(idx)\n\tisSet := false\n\n\tport, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_FTPD__BINDINGS__%v__PORT\", idx), 32)\n\tif ok {\n\t\tbinding.Port = int(port)\n\t\tisSet = true\n\t}\n\n\taddress, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_FTPD__BINDINGS__%v__ADDRESS\", idx))\n\tif ok {\n\t\tbinding.Address = address\n\t\tisSet = true\n\t}\n\n\tapplyProxyConfig, ok := lookupBoolFromEnv(fmt.Sprintf(\"SFTPGO_FTPD__BINDINGS__%v__APPLY_PROXY_CONFIG\", idx))\n\tif ok {\n\t\tbinding.ApplyProxyConfig = applyProxyConfig\n\t\tisSet = true\n\t}\n\n\tpassiveIP, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_FTPD__BINDINGS__%v__FORCE_PASSIVE_IP\", idx))\n\tif ok {\n\t\tbinding.ForcePassiveIP = passiveIP\n\t\tisSet = true\n\t}\n\n\tpassiveIPOverrides := getFTPDPassiveIPOverridesFromEnv(idx)\n\tif len(passiveIPOverrides) > 0 {\n\t\tbinding.PassiveIPOverrides = passiveIPOverrides\n\t\tisSet = true\n\t}\n\n\tpassiveHost, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_FTPD__BINDINGS__%v__PASSIVE_HOST\", idx))\n\tif ok {\n\t\tbinding.PassiveHost = passiveHost\n\t\tisSet = true\n\t}\n\n\tdebug, ok := lookupBoolFromEnv(fmt.Sprintf(\"SFTPGO_FTPD__BINDINGS__%v__DEBUG\", idx))\n\tif ok {\n\t\tbinding.Debug = debug\n\t\tisSet = true\n\t}\n\n\tif getFTPDBindingSecurityFromEnv(idx, &binding) {\n\t\tisSet = true\n\t}\n\n\tapplyFTPDBindingFromEnv(idx, isSet, binding)\n}\n\nfunc applyFTPDBindingFromEnv(idx int, isSet bool, binding ftpd.Binding) {\n\tif isSet {\n\t\tif len(globalConf.FTPD.Bindings) > idx {\n\t\t\tglobalConf.FTPD.Bindings[idx] = binding\n\t\t} else {\n\t\t\tglobalConf.FTPD.Bindings = append(globalConf.FTPD.Bindings, binding)\n\t\t}\n\t}\n}\n\nfunc getWebDAVBindingHTTPSConfigsFromEnv(idx int, binding *webdavd.Binding) bool {\n\tisSet := false\n\n\tenableHTTPS, ok := lookupBoolFromEnv(fmt.Sprintf(\"SFTPGO_WEBDAVD__BINDINGS__%v__ENABLE_HTTPS\", idx))\n\tif ok {\n\t\tbinding.EnableHTTPS = enableHTTPS\n\t\tisSet = true\n\t}\n\n\tcertificateFile, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_WEBDAVD__BINDINGS__%v__CERTIFICATE_FILE\", idx))\n\tif ok {\n\t\tbinding.CertificateFile = certificateFile\n\t\tisSet = true\n\t}\n\n\tcertificateKeyFile, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_WEBDAVD__BINDINGS__%v__CERTIFICATE_KEY_FILE\", idx))\n\tif ok {\n\t\tbinding.CertificateKeyFile = certificateKeyFile\n\t\tisSet = true\n\t}\n\n\ttlsVer, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_WEBDAVD__BINDINGS__%v__MIN_TLS_VERSION\", idx), 32)\n\tif ok {\n\t\tbinding.MinTLSVersion = int(tlsVer)\n\t\tisSet = true\n\t}\n\n\tclientAuthType, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_WEBDAVD__BINDINGS__%v__CLIENT_AUTH_TYPE\", idx), 32)\n\tif ok {\n\t\tbinding.ClientAuthType = int(clientAuthType)\n\t\tisSet = true\n\t}\n\n\ttlsCiphers, ok := lookupStringListFromEnv(fmt.Sprintf(\"SFTPGO_WEBDAVD__BINDINGS__%v__TLS_CIPHER_SUITES\", idx))\n\tif ok {\n\t\tbinding.TLSCipherSuites = tlsCiphers\n\t\tisSet = true\n\t}\n\n\tprotocols, ok := lookupStringListFromEnv(fmt.Sprintf(\"SFTPGO_WEBDAVD__BINDINGS__%d__TLS_PROTOCOLS\", idx))\n\tif ok {\n\t\tbinding.Protocols = protocols\n\t\tisSet = true\n\t}\n\n\treturn isSet\n}\n\nfunc getWebDAVDBindingProxyConfigsFromEnv(idx int, binding *webdavd.Binding) bool {\n\tisSet := false\n\n\tproxyMode, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_WEBDAVD__BINDINGS__%v__PROXY_MODE\", idx), 32)\n\tif ok {\n\t\tbinding.ProxyMode = int(proxyMode)\n\t\tisSet = true\n\t}\n\n\tproxyAllowed, ok := lookupStringListFromEnv(fmt.Sprintf(\"SFTPGO_WEBDAVD__BINDINGS__%v__PROXY_ALLOWED\", idx))\n\tif ok {\n\t\tbinding.ProxyAllowed = proxyAllowed\n\t\tisSet = true\n\t}\n\n\tclientIPProxyHeader, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_WEBDAVD__BINDINGS__%v__CLIENT_IP_PROXY_HEADER\", idx))\n\tif ok {\n\t\tbinding.ClientIPProxyHeader = clientIPProxyHeader\n\t\tisSet = true\n\t}\n\n\tclientIPHeaderDepth, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_WEBDAVD__BINDINGS__%v__CLIENT_IP_HEADER_DEPTH\", idx), 32)\n\tif ok {\n\t\tbinding.ClientIPHeaderDepth = int(clientIPHeaderDepth)\n\t\tisSet = true\n\t}\n\n\treturn isSet\n}\n\nfunc loadWebDAVCacheMappingsFromEnv() []webdavd.CustomMimeMapping {\n\tfor idx := 0; idx < 30; idx++ {\n\t\text, extOK := os.LookupEnv(fmt.Sprintf(\"SFTPGO_WEBDAVD__CACHE__MIME_TYPES__CUSTOM_MAPPINGS__%d__EXT\", idx))\n\t\tmime, mimeOK := os.LookupEnv(fmt.Sprintf(\"SFTPGO_WEBDAVD__CACHE__MIME_TYPES__CUSTOM_MAPPINGS__%d__MIME\", idx))\n\t\tif extOK && mimeOK {\n\t\t\tif len(globalConf.WebDAVD.Cache.MimeTypes.CustomMappings) > idx {\n\t\t\t\tglobalConf.WebDAVD.Cache.MimeTypes.CustomMappings[idx].Ext = ext\n\t\t\t\tglobalConf.WebDAVD.Cache.MimeTypes.CustomMappings[idx].Mime = mime\n\t\t\t} else {\n\t\t\t\tglobalConf.WebDAVD.Cache.MimeTypes.CustomMappings = append(globalConf.WebDAVD.Cache.MimeTypes.CustomMappings,\n\t\t\t\t\twebdavd.CustomMimeMapping{\n\t\t\t\t\t\tExt: ext,\n\t\t\t\t\t\tMime: mime,\n\t\t\t\t\t})\n\t\t\t}\n\t\t}\n\t}\n\n\treturn globalConf.WebDAVD.Cache.MimeTypes.CustomMappings\n}\n\nfunc getWebDAVDBindingFromEnv(idx int) {\n\tbinding := defaultWebDAVDBinding\n\tif len(globalConf.WebDAVD.Bindings) > idx {\n\t\tbinding = globalConf.WebDAVD.Bindings[idx]\n\t}\n\n\tisSet := false\n\n\tport, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_WEBDAVD__BINDINGS__%v__PORT\", idx), 32)\n\tif ok {\n\t\tbinding.Port = int(port)\n\t\tisSet = true\n\t}\n\n\taddress, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_WEBDAVD__BINDINGS__%v__ADDRESS\", idx))\n\tif ok {\n\t\tbinding.Address = address\n\t\tisSet = true\n\t}\n\n\tif getWebDAVBindingHTTPSConfigsFromEnv(idx, &binding) {\n\t\tisSet = true\n\t}\n\n\tprefix, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_WEBDAVD__BINDINGS__%v__PREFIX\", idx))\n\tif ok {\n\t\tbinding.Prefix = prefix\n\t\tisSet = true\n\t}\n\n\tif getWebDAVDBindingProxyConfigsFromEnv(idx, &binding) {\n\t\tisSet = true\n\t}\n\n\tdisableWWWAuth, ok := lookupBoolFromEnv(fmt.Sprintf(\"SFTPGO_WEBDAVD__BINDINGS__%v__DISABLE_WWW_AUTH_HEADER\", idx))\n\tif ok {\n\t\tbinding.DisableWWWAuthHeader = disableWWWAuth\n\t\tisSet = true\n\t}\n\n\tif isSet {\n\t\tif len(globalConf.WebDAVD.Bindings) > idx {\n\t\t\tglobalConf.WebDAVD.Bindings[idx] = binding\n\t\t} else {\n\t\t\tglobalConf.WebDAVD.Bindings = append(globalConf.WebDAVD.Bindings, binding)\n\t\t}\n\t}\n}\n\nfunc getHTTPDSecurityProxyHeadersFromEnv(idx int) []httpd.HTTPSProxyHeader {\n\tvar httpsProxyHeaders []httpd.HTTPSProxyHeader\n\tif len(globalConf.HTTPDConfig.Bindings) > idx {\n\t\thttpsProxyHeaders = globalConf.HTTPDConfig.Bindings[idx].Security.HTTPSProxyHeaders\n\t}\n\n\tfor subIdx := 0; subIdx < 10; subIdx++ {\n\t\tvar httpsProxyHeader httpd.HTTPSProxyHeader\n\t\tvar replace bool\n\t\tif len(globalConf.HTTPDConfig.Bindings) > idx &&\n\t\t\tlen(globalConf.HTTPDConfig.Bindings[idx].Security.HTTPSProxyHeaders) > subIdx {\n\t\t\thttpsProxyHeader = httpsProxyHeaders[subIdx]\n\t\t\treplace = true\n\t\t}\n\t\tproxyKey, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__SECURITY__HTTPS_PROXY_HEADERS__%v__KEY\",\n\t\t\tidx, subIdx))\n\t\tif ok {\n\t\t\thttpsProxyHeader.Key = proxyKey\n\t\t}\n\t\tproxyVal, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__SECURITY__HTTPS_PROXY_HEADERS__%v__VALUE\",\n\t\t\tidx, subIdx))\n\t\tif ok {\n\t\t\thttpsProxyHeader.Value = proxyVal\n\t\t}\n\t\tif httpsProxyHeader.Key != \"\" && httpsProxyHeader.Value != \"\" {\n\t\t\tif replace {\n\t\t\t\thttpsProxyHeaders[subIdx] = httpsProxyHeader\n\t\t\t} else {\n\t\t\t\thttpsProxyHeaders = append(httpsProxyHeaders, httpsProxyHeader)\n\t\t\t}\n\t\t}\n\t}\n\treturn httpsProxyHeaders\n}\n\nfunc getHTTPDSecurityConfFromEnv(idx int) (httpd.SecurityConf, bool) { //nolint:gocyclo\n\tresult := defaultHTTPDBinding.Security\n\tif len(globalConf.HTTPDConfig.Bindings) > idx {\n\t\tresult = globalConf.HTTPDConfig.Bindings[idx].Security\n\t}\n\tisSet := false\n\n\tenabled, ok := lookupBoolFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__SECURITY__ENABLED\", idx))\n\tif ok {\n\t\tresult.Enabled = enabled\n\t\tisSet = true\n\t}\n\n\tallowedHosts, ok := lookupStringListFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__SECURITY__ALLOWED_HOSTS\", idx))\n\tif ok {\n\t\tresult.AllowedHosts = allowedHosts\n\t\tisSet = true\n\t}\n\n\tallowedHostsAreRegex, ok := lookupBoolFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__SECURITY__ALLOWED_HOSTS_ARE_REGEX\", idx))\n\tif ok {\n\t\tresult.AllowedHostsAreRegex = allowedHostsAreRegex\n\t\tisSet = true\n\t}\n\n\thostsProxyHeaders, ok := lookupStringListFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__SECURITY__HOSTS_PROXY_HEADERS\", idx))\n\tif ok {\n\t\tresult.HostsProxyHeaders = hostsProxyHeaders\n\t\tisSet = true\n\t}\n\n\thttpsRedirect, ok := lookupBoolFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__SECURITY__HTTPS_REDIRECT\", idx))\n\tif ok {\n\t\tresult.HTTPSRedirect = httpsRedirect\n\t\tisSet = true\n\t}\n\n\thttpsHost, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__SECURITY__HTTPS_HOST\", idx))\n\tif ok {\n\t\tresult.HTTPSHost = httpsHost\n\t\tisSet = true\n\t}\n\n\thttpsProxyHeaders := getHTTPDSecurityProxyHeadersFromEnv(idx)\n\tif len(httpsProxyHeaders) > 0 {\n\t\tresult.HTTPSProxyHeaders = httpsProxyHeaders\n\t\tisSet = true\n\t}\n\n\tstsSeconds, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__SECURITY__STS_SECONDS\", idx), 64)\n\tif ok {\n\t\tresult.STSSeconds = stsSeconds\n\t\tisSet = true\n\t}\n\n\tstsIncludeSubDomains, ok := lookupBoolFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__SECURITY__STS_INCLUDE_SUBDOMAINS\", idx))\n\tif ok {\n\t\tresult.STSIncludeSubdomains = stsIncludeSubDomains\n\t\tisSet = true\n\t}\n\n\tstsPreload, ok := lookupBoolFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__SECURITY__STS_PRELOAD\", idx))\n\tif ok {\n\t\tresult.STSPreload = stsPreload\n\t\tisSet = true\n\t}\n\n\tcontentTypeNosniff, ok := lookupBoolFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__SECURITY__CONTENT_TYPE_NOSNIFF\", idx))\n\tif ok {\n\t\tresult.ContentTypeNosniff = contentTypeNosniff\n\t\tisSet = true\n\t}\n\n\tcontentSecurityPolicy, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__SECURITY__CONTENT_SECURITY_POLICY\", idx))\n\tif ok {\n\t\tresult.ContentSecurityPolicy = contentSecurityPolicy\n\t\tisSet = true\n\t}\n\n\tpermissionsPolicy, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__SECURITY__PERMISSIONS_POLICY\", idx))\n\tif ok {\n\t\tresult.PermissionsPolicy = permissionsPolicy\n\t\tisSet = true\n\t}\n\n\tcrossOriginOpenerPolicy, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__SECURITY__CROSS_ORIGIN_OPENER_POLICY\", idx))\n\tif ok {\n\t\tresult.CrossOriginOpenerPolicy = crossOriginOpenerPolicy\n\t\tisSet = true\n\t}\n\n\tcrossOriginResourcePolicy, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__SECURITY__CROSS_ORIGIN_RESOURCE_POLICY\", idx))\n\tif ok {\n\t\tresult.CrossOriginResourcePolicy = crossOriginResourcePolicy\n\t\tisSet = true\n\t}\n\n\tcrossOriginEmbedderPolicy, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__SECURITY__CROSS_ORIGIN_EMBEDDER_POLICY\", idx))\n\tif ok {\n\t\tresult.CrossOriginEmbedderPolicy = crossOriginEmbedderPolicy\n\t\tisSet = true\n\t}\n\n\treferredPolicy, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__SECURITY__REFERRER_POLICY\", idx))\n\tif ok {\n\t\tresult.ReferrerPolicy = referredPolicy\n\t\tisSet = true\n\t}\n\n\tcacheControl, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__SECURITY__CACHE_CONTROL\", idx))\n\tif ok {\n\t\tresult.CacheControl = cacheControl\n\t\tisSet = true\n\t}\n\n\treturn result, isSet\n}\n\nfunc getHTTPDOIDCFromEnv(idx int) (httpd.OIDC, bool) {\n\tresult := defaultHTTPDBinding.OIDC\n\tif len(globalConf.HTTPDConfig.Bindings) > idx {\n\t\tresult = globalConf.HTTPDConfig.Bindings[idx].OIDC\n\t}\n\tisSet := false\n\n\tclientID, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__OIDC__CLIENT_ID\", idx))\n\tif ok {\n\t\tresult.ClientID = clientID\n\t\tisSet = true\n\t}\n\n\tclientSecret, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__OIDC__CLIENT_SECRET\", idx))\n\tif ok {\n\t\tresult.ClientSecret = clientSecret\n\t\tisSet = true\n\t}\n\n\tclientSecretFile, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__OIDC__CLIENT_SECRET_FILE\", idx))\n\tif ok {\n\t\tresult.ClientSecretFile = clientSecretFile\n\t\tisSet = true\n\t}\n\n\tconfigURL, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__OIDC__CONFIG_URL\", idx))\n\tif ok {\n\t\tresult.ConfigURL = configURL\n\t\tisSet = true\n\t}\n\n\tredirectBaseURL, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__OIDC__REDIRECT_BASE_URL\", idx))\n\tif ok {\n\t\tresult.RedirectBaseURL = redirectBaseURL\n\t\tisSet = true\n\t}\n\n\tusernameField, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__OIDC__USERNAME_FIELD\", idx))\n\tif ok {\n\t\tresult.UsernameField = usernameField\n\t\tisSet = true\n\t}\n\n\tscopes, ok := lookupStringListFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__OIDC__SCOPES\", idx))\n\tif ok {\n\t\tresult.Scopes = scopes\n\t\tisSet = true\n\t}\n\n\troleField, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__OIDC__ROLE_FIELD\", idx))\n\tif ok {\n\t\tresult.RoleField = roleField\n\t\tisSet = true\n\t}\n\n\timplicitRoles, ok := lookupBoolFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__OIDC__IMPLICIT_ROLES\", idx))\n\tif ok {\n\t\tresult.ImplicitRoles = implicitRoles\n\t\tisSet = true\n\t}\n\n\tcustomFields, ok := lookupStringListFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__OIDC__CUSTOM_FIELDS\", idx))\n\tif ok {\n\t\tresult.CustomFields = customFields\n\t\tisSet = true\n\t}\n\n\tskipSignatureCheck, ok := lookupBoolFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__OIDC__INSECURE_SKIP_SIGNATURE_CHECK\", idx))\n\tif ok {\n\t\tresult.InsecureSkipSignatureCheck = skipSignatureCheck\n\t\tisSet = true\n\t}\n\n\tdebug, ok := lookupBoolFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__OIDC__DEBUG\", idx))\n\tif ok {\n\t\tresult.Debug = debug\n\t\tisSet = true\n\t}\n\n\treturn result, isSet\n}\n\nfunc getHTTPDUIBrandingFromEnv(prefix string, branding httpd.UIBranding) (httpd.UIBranding, bool) {\n\tisSet := false\n\n\tname, ok := os.LookupEnv(fmt.Sprintf(\"%s__NAME\", prefix))\n\tif ok {\n\t\tbranding.Name = name\n\t\tisSet = true\n\t}\n\n\tshortName, ok := os.LookupEnv(fmt.Sprintf(\"%s__SHORT_NAME\", prefix))\n\tif ok {\n\t\tbranding.ShortName = shortName\n\t\tisSet = true\n\t}\n\n\tfaviconPath, ok := os.LookupEnv(fmt.Sprintf(\"%s__FAVICON_PATH\", prefix))\n\tif ok {\n\t\tbranding.FaviconPath = faviconPath\n\t\tisSet = true\n\t}\n\n\tlogoPath, ok := os.LookupEnv(fmt.Sprintf(\"%s__LOGO_PATH\", prefix))\n\tif ok {\n\t\tbranding.LogoPath = logoPath\n\t\tisSet = true\n\t}\n\n\tdisclaimerName, ok := os.LookupEnv(fmt.Sprintf(\"%s__DISCLAIMER_NAME\", prefix))\n\tif ok {\n\t\tbranding.DisclaimerName = disclaimerName\n\t\tisSet = true\n\t}\n\n\tdisclaimerPath, ok := os.LookupEnv(fmt.Sprintf(\"%s__DISCLAIMER_PATH\", prefix))\n\tif ok {\n\t\tbranding.DisclaimerPath = disclaimerPath\n\t\tisSet = true\n\t}\n\n\tdefaultCSSPath, ok := lookupStringListFromEnv(fmt.Sprintf(\"%s__DEFAULT_CSS\", prefix))\n\tif ok {\n\t\tbranding.DefaultCSS = defaultCSSPath\n\t\tisSet = true\n\t}\n\n\textraCSS, ok := lookupStringListFromEnv(fmt.Sprintf(\"%s__EXTRA_CSS\", prefix))\n\tif ok {\n\t\tbranding.ExtraCSS = extraCSS\n\t\tisSet = true\n\t}\n\n\treturn branding, isSet\n}\n\nfunc getHTTPDBrandingFromEnv(idx int) (httpd.Branding, bool) {\n\tresult := defaultHTTPDBinding.Branding\n\tif len(globalConf.HTTPDConfig.Bindings) > idx {\n\t\tresult = globalConf.HTTPDConfig.Bindings[idx].Branding\n\t}\n\tisSet := false\n\n\twebAdmin, ok := getHTTPDUIBrandingFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__BRANDING__WEB_ADMIN\", idx),\n\t\tresult.WebAdmin)\n\tif ok {\n\t\tresult.WebAdmin = webAdmin\n\t\tisSet = true\n\t}\n\n\twebClient, ok := getHTTPDUIBrandingFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__BRANDING__WEB_CLIENT\", idx),\n\t\tresult.WebClient)\n\tif ok {\n\t\tresult.WebClient = webClient\n\t\tisSet = true\n\t}\n\n\treturn result, isSet\n}\n\nfunc getDefaultHTTPBinding(idx int) httpd.Binding {\n\tbinding := defaultHTTPDBinding\n\tif len(globalConf.HTTPDConfig.Bindings) > idx {\n\t\tbinding = globalConf.HTTPDConfig.Bindings[idx]\n\t}\n\treturn binding\n}\n\nfunc getHTTPDNestedObjectsFromEnv(idx int, binding *httpd.Binding) bool {\n\tisSet := false\n\n\toidc, ok := getHTTPDOIDCFromEnv(idx)\n\tif ok {\n\t\tbinding.OIDC = oidc\n\t\tisSet = true\n\t}\n\n\tsecurityConf, ok := getHTTPDSecurityConfFromEnv(idx)\n\tif ok {\n\t\tbinding.Security = securityConf\n\t\tisSet = true\n\t}\n\n\tbrandingConf, ok := getHTTPDBrandingFromEnv(idx)\n\tif ok {\n\t\tbinding.Branding = brandingConf\n\t\tisSet = true\n\t}\n\n\treturn isSet\n}\n\nfunc getHTTPDBindingProxyConfigsFromEnv(idx int, binding *httpd.Binding) bool {\n\tisSet := false\n\n\tproxyMode, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__PROXY_MODE\", idx), 32)\n\tif ok {\n\t\tbinding.ProxyMode = int(proxyMode)\n\t\tisSet = true\n\t}\n\n\tproxyAllowed, ok := lookupStringListFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__PROXY_ALLOWED\", idx))\n\tif ok {\n\t\tbinding.ProxyAllowed = proxyAllowed\n\t\tisSet = true\n\t}\n\n\tclientIPProxyHeader, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__CLIENT_IP_PROXY_HEADER\", idx))\n\tif ok {\n\t\tbinding.ClientIPProxyHeader = clientIPProxyHeader\n\t\tisSet = true\n\t}\n\n\tclientIPHeaderDepth, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__CLIENT_IP_HEADER_DEPTH\", idx), 32)\n\tif ok {\n\t\tbinding.ClientIPHeaderDepth = int(clientIPHeaderDepth)\n\t\tisSet = true\n\t}\n\n\treturn isSet\n}\n\nfunc getHTTPDBindingFromEnv(idx int) { //nolint:gocyclo\n\tbinding := getDefaultHTTPBinding(idx)\n\tisSet := false\n\n\tport, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__PORT\", idx), 32)\n\tif ok {\n\t\tbinding.Port = int(port)\n\t\tisSet = true\n\t}\n\n\taddress, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__ADDRESS\", idx))\n\tif ok {\n\t\tbinding.Address = address\n\t\tisSet = true\n\t}\n\n\tcertificateFile, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__CERTIFICATE_FILE\", idx))\n\tif ok {\n\t\tbinding.CertificateFile = certificateFile\n\t\tisSet = true\n\t}\n\n\tcertificateKeyFile, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__CERTIFICATE_KEY_FILE\", idx))\n\tif ok {\n\t\tbinding.CertificateKeyFile = certificateKeyFile\n\t\tisSet = true\n\t}\n\n\tenableWebAdmin, ok := lookupBoolFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__ENABLE_WEB_ADMIN\", idx))\n\tif ok {\n\t\tbinding.EnableWebAdmin = enableWebAdmin\n\t\tisSet = true\n\t}\n\n\tenableWebClient, ok := lookupBoolFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__ENABLE_WEB_CLIENT\", idx))\n\tif ok {\n\t\tbinding.EnableWebClient = enableWebClient\n\t\tisSet = true\n\t}\n\n\tenableRESTAPI, ok := lookupBoolFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__ENABLE_REST_API\", idx))\n\tif ok {\n\t\tbinding.EnableRESTAPI = enableRESTAPI\n\t\tisSet = true\n\t}\n\n\tenabledLoginMethods, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__ENABLED_LOGIN_METHODS\", idx), 32)\n\tif ok {\n\t\tbinding.EnabledLoginMethods = int(enabledLoginMethods)\n\t\tisSet = true\n\t}\n\n\tdisabledLoginMethods, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__DISABLED_LOGIN_METHODS\", idx), 32)\n\tif ok {\n\t\tbinding.DisabledLoginMethods = int(disabledLoginMethods)\n\t\tisSet = true\n\t}\n\n\trenderOpenAPI, ok := lookupBoolFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__RENDER_OPENAPI\", idx))\n\tif ok {\n\t\tbinding.RenderOpenAPI = renderOpenAPI\n\t\tisSet = true\n\t}\n\n\tbaseURL, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%d__BASE_URL\", idx))\n\tif ok {\n\t\tbinding.BaseURL = baseURL\n\t\tisSet = true\n\t}\n\n\tlanguages, ok := lookupStringListFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%d__LANGUAGES\", idx))\n\tif ok {\n\t\tbinding.Languages = languages\n\t\tisSet = true\n\t}\n\n\tenableHTTPS, ok := lookupBoolFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__ENABLE_HTTPS\", idx))\n\tif ok {\n\t\tbinding.EnableHTTPS = enableHTTPS\n\t\tisSet = true\n\t}\n\n\ttlsVer, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__MIN_TLS_VERSION\", idx), 32)\n\tif ok {\n\t\tbinding.MinTLSVersion = int(tlsVer)\n\t\tisSet = true\n\t}\n\n\tclientAuthType, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__CLIENT_AUTH_TYPE\", idx), 32)\n\tif ok {\n\t\tbinding.ClientAuthType = int(clientAuthType)\n\t\tisSet = true\n\t}\n\n\ttlsCiphers, ok := lookupStringListFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__TLS_CIPHER_SUITES\", idx))\n\tif ok {\n\t\tbinding.TLSCipherSuites = tlsCiphers\n\t\tisSet = true\n\t}\n\n\tprotocols, ok := lookupStringListFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%d__TLS_PROTOCOLS\", idx))\n\tif ok {\n\t\tbinding.Protocols = protocols\n\t\tisSet = true\n\t}\n\n\tif getHTTPDBindingProxyConfigsFromEnv(idx, &binding) {\n\t\tisSet = true\n\t}\n\n\thideLoginURL, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_HTTPD__BINDINGS__%v__HIDE_LOGIN_URL\", idx), 32)\n\tif ok {\n\t\tbinding.HideLoginURL = int(hideLoginURL)\n\t\tisSet = true\n\t}\n\n\tif getHTTPDNestedObjectsFromEnv(idx, &binding) {\n\t\tisSet = true\n\t}\n\n\tsetHTTPDBinding(isSet, binding, idx)\n}\n\nfunc setHTTPDBinding(isSet bool, binding httpd.Binding, idx int) {\n\tif isSet {\n\t\tif len(globalConf.HTTPDConfig.Bindings) > idx {\n\t\t\tglobalConf.HTTPDConfig.Bindings[idx] = binding\n\t\t} else {\n\t\t\tglobalConf.HTTPDConfig.Bindings = append(globalConf.HTTPDConfig.Bindings, binding)\n\t\t}\n\t}\n}\n\nfunc getHTTPClientCertificatesFromEnv(idx int) {\n\ttlsCert := httpclient.TLSKeyPair{}\n\tif len(globalConf.HTTPConfig.Certificates) > idx {\n\t\ttlsCert = globalConf.HTTPConfig.Certificates[idx]\n\t}\n\n\tcert, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTP__CERTIFICATES__%v__CERT\", idx))\n\tif ok {\n\t\ttlsCert.Cert = cert\n\t}\n\n\tkey, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTP__CERTIFICATES__%v__KEY\", idx))\n\tif ok {\n\t\ttlsCert.Key = key\n\t}\n\n\tif tlsCert.Cert != \"\" && tlsCert.Key != \"\" {\n\t\tif len(globalConf.HTTPConfig.Certificates) > idx {\n\t\t\tglobalConf.HTTPConfig.Certificates[idx] = tlsCert\n\t\t} else {\n\t\t\tglobalConf.HTTPConfig.Certificates = append(globalConf.HTTPConfig.Certificates, tlsCert)\n\t\t}\n\t}\n}\n\nfunc getHTTPClientHeadersFromEnv(idx int) {\n\theader := httpclient.Header{}\n\tif len(globalConf.HTTPConfig.Headers) > idx {\n\t\theader = globalConf.HTTPConfig.Headers[idx]\n\t}\n\n\tkey, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTP__HEADERS__%v__KEY\", idx))\n\tif ok {\n\t\theader.Key = key\n\t}\n\n\tvalue, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTP__HEADERS__%v__VALUE\", idx))\n\tif ok {\n\t\theader.Value = value\n\t}\n\n\turl, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_HTTP__HEADERS__%v__URL\", idx))\n\tif ok {\n\t\theader.URL = url\n\t}\n\n\tif header.Key != \"\" && header.Value != \"\" {\n\t\tif len(globalConf.HTTPConfig.Headers) > idx {\n\t\t\tglobalConf.HTTPConfig.Headers[idx] = header\n\t\t} else {\n\t\t\tglobalConf.HTTPConfig.Headers = append(globalConf.HTTPConfig.Headers, header)\n\t\t}\n\t}\n}\n\nfunc getCommandConfigsFromEnv(idx int) {\n\tcfg := command.Command{}\n\tif len(globalConf.CommandConfig.Commands) > idx {\n\t\tcfg = globalConf.CommandConfig.Commands[idx]\n\t}\n\n\tpath, ok := os.LookupEnv(fmt.Sprintf(\"SFTPGO_COMMAND__COMMANDS__%v__PATH\", idx))\n\tif ok {\n\t\tcfg.Path = path\n\t}\n\n\ttimeout, ok := lookupIntFromEnv(fmt.Sprintf(\"SFTPGO_COMMAND__COMMANDS__%v__TIMEOUT\", idx), 32)\n\tif ok {\n\t\tcfg.Timeout = int(timeout)\n\t}\n\n\tenv, ok := lookupStringListFromEnv(fmt.Sprintf(\"SFTPGO_COMMAND__COMMANDS__%v__ENV\", idx))\n\tif ok {\n\t\tcfg.Env = env\n\t}\n\n\targs, ok := lookupStringListFromEnv(fmt.Sprintf(\"SFTPGO_COMMAND__COMMANDS__%v__ARGS\", idx))\n\tif ok {\n\t\tcfg.Args = args\n\t}\n\n\tif cfg.Path != \"\" {\n\t\tif len(globalConf.CommandConfig.Commands) > idx {\n\t\t\tglobalConf.CommandConfig.Commands[idx] = cfg\n\t\t} else {\n\t\t\tglobalConf.CommandConfig.Commands = append(globalConf.CommandConfig.Commands, cfg)\n\t\t}\n\t}\n}\n\nfunc setViperDefaults() {\n\tviper.SetDefault(\"common.idle_timeout\", globalConf.Common.IdleTimeout)\n\tviper.SetDefault(\"common.upload_mode\", globalConf.Common.UploadMode)\n\tviper.SetDefault(\"common.actions.execute_on\", globalConf.Common.Actions.ExecuteOn)\n\tviper.SetDefault(\"common.actions.execute_sync\", globalConf.Common.Actions.ExecuteSync)\n\tviper.SetDefault(\"common.actions.hook\", globalConf.Common.Actions.Hook)\n\tviper.SetDefault(\"common.setstat_mode\", globalConf.Common.SetstatMode)\n\tviper.SetDefault(\"common.rename_mode\", globalConf.Common.RenameMode)\n\tviper.SetDefault(\"common.resume_max_size\", globalConf.Common.ResumeMaxSize)\n\tviper.SetDefault(\"common.temp_path\", globalConf.Common.TempPath)\n\tviper.SetDefault(\"common.proxy_protocol\", globalConf.Common.ProxyProtocol)\n\tviper.SetDefault(\"common.proxy_allowed\", globalConf.Common.ProxyAllowed)\n\tviper.SetDefault(\"common.proxy_skipped\", globalConf.Common.ProxySkipped)\n\tviper.SetDefault(\"common.post_connect_hook\", globalConf.Common.PostConnectHook)\n\tviper.SetDefault(\"common.post_disconnect_hook\", globalConf.Common.PostDisconnectHook)\n\tviper.SetDefault(\"common.max_total_connections\", globalConf.Common.MaxTotalConnections)\n\tviper.SetDefault(\"common.max_per_host_connections\", globalConf.Common.MaxPerHostConnections)\n\tviper.SetDefault(\"common.allowlist_status\", globalConf.Common.AllowListStatus)\n\tviper.SetDefault(\"common.allow_self_connections\", globalConf.Common.AllowSelfConnections)\n\tviper.SetDefault(\"common.defender.enabled\", globalConf.Common.DefenderConfig.Enabled)\n\tviper.SetDefault(\"common.defender.driver\", globalConf.Common.DefenderConfig.Driver)\n\tviper.SetDefault(\"common.defender.ban_time\", globalConf.Common.DefenderConfig.BanTime)\n\tviper.SetDefault(\"common.defender.ban_time_increment\", globalConf.Common.DefenderConfig.BanTimeIncrement)\n\tviper.SetDefault(\"common.defender.threshold\", globalConf.Common.DefenderConfig.Threshold)\n\tviper.SetDefault(\"common.defender.score_invalid\", globalConf.Common.DefenderConfig.ScoreInvalid)\n\tviper.SetDefault(\"common.defender.score_valid\", globalConf.Common.DefenderConfig.ScoreValid)\n\tviper.SetDefault(\"common.defender.score_limit_exceeded\", globalConf.Common.DefenderConfig.ScoreLimitExceeded)\n\tviper.SetDefault(\"common.defender.score_no_auth\", globalConf.Common.DefenderConfig.ScoreNoAuth)\n\tviper.SetDefault(\"common.defender.observation_time\", globalConf.Common.DefenderConfig.ObservationTime)\n\tviper.SetDefault(\"common.defender.entries_soft_limit\", globalConf.Common.DefenderConfig.EntriesSoftLimit)\n\tviper.SetDefault(\"common.defender.entries_hard_limit\", globalConf.Common.DefenderConfig.EntriesHardLimit)\n\tviper.SetDefault(\"common.defender.login_delay.success\", globalConf.Common.DefenderConfig.LoginDelay.Success)\n\tviper.SetDefault(\"common.defender.login_delay.password_failed\", globalConf.Common.DefenderConfig.LoginDelay.PasswordFailed)\n\tviper.SetDefault(\"common.umask\", globalConf.Common.Umask)\n\tviper.SetDefault(\"common.server_version\", globalConf.Common.ServerVersion)\n\tviper.SetDefault(\"common.tz\", globalConf.Common.TZ)\n\tviper.SetDefault(\"common.metadata.read\", globalConf.Common.Metadata.Read)\n\tviper.SetDefault(\"common.event_manager.enabled_commands\", globalConf.Common.EventManager.EnabledCommands)\n\tviper.SetDefault(\"acme.email\", globalConf.ACME.Email)\n\tviper.SetDefault(\"acme.key_type\", globalConf.ACME.KeyType)\n\tviper.SetDefault(\"acme.certs_path\", globalConf.ACME.CertsPath)\n\tviper.SetDefault(\"acme.ca_endpoint\", globalConf.ACME.CAEndpoint)\n\tviper.SetDefault(\"acme.domains\", globalConf.ACME.Domains)\n\tviper.SetDefault(\"acme.renew_days\", globalConf.ACME.RenewDays)\n\tviper.SetDefault(\"acme.http01_challenge.port\", globalConf.ACME.HTTP01Challenge.Port)\n\tviper.SetDefault(\"acme.http01_challenge.webroot\", globalConf.ACME.HTTP01Challenge.WebRoot)\n\tviper.SetDefault(\"acme.http01_challenge.proxy_header\", globalConf.ACME.HTTP01Challenge.ProxyHeader)\n\tviper.SetDefault(\"acme.tls_alpn01_challenge.port\", globalConf.ACME.TLSALPN01Challenge.Port)\n\tviper.SetDefault(\"sftpd.max_auth_tries\", globalConf.SFTPD.MaxAuthTries)\n\tviper.SetDefault(\"sftpd.host_keys\", globalConf.SFTPD.HostKeys)\n\tviper.SetDefault(\"sftpd.host_certificates\", globalConf.SFTPD.HostCertificates)\n\tviper.SetDefault(\"sftpd.host_key_algorithms\", globalConf.SFTPD.HostKeyAlgorithms)\n\tviper.SetDefault(\"sftpd.kex_algorithms\", globalConf.SFTPD.KexAlgorithms)\n\tviper.SetDefault(\"sftpd.ciphers\", globalConf.SFTPD.Ciphers)\n\tviper.SetDefault(\"sftpd.macs\", globalConf.SFTPD.MACs)\n\tviper.SetDefault(\"sftpd.public_key_algorithms\", globalConf.SFTPD.PublicKeyAlgorithms)\n\tviper.SetDefault(\"sftpd.trusted_user_ca_keys\", globalConf.SFTPD.TrustedUserCAKeys)\n\tviper.SetDefault(\"sftpd.revoked_user_certs_file\", globalConf.SFTPD.RevokedUserCertsFile)\n\tviper.SetDefault(\"sftpd.opkssh_path\", globalConf.SFTPD.OPKSSHPath)\n\tviper.SetDefault(\"sftpd.opkssh_checksum\", globalConf.SFTPD.OPKSSHChecksum)\n\tviper.SetDefault(\"sftpd.login_banner_file\", globalConf.SFTPD.LoginBannerFile)\n\tviper.SetDefault(\"sftpd.enabled_ssh_commands\", sftpd.GetDefaultSSHCommands())\n\tviper.SetDefault(\"sftpd.keyboard_interactive_authentication\", globalConf.SFTPD.KeyboardInteractiveAuthentication)\n\tviper.SetDefault(\"sftpd.keyboard_interactive_auth_hook\", globalConf.SFTPD.KeyboardInteractiveHook)\n\tviper.SetDefault(\"sftpd.password_authentication\", globalConf.SFTPD.PasswordAuthentication)\n\tviper.SetDefault(\"ftpd.banner_file\", globalConf.FTPD.BannerFile)\n\tviper.SetDefault(\"ftpd.active_transfers_port_non_20\", globalConf.FTPD.ActiveTransfersPortNon20)\n\tviper.SetDefault(\"ftpd.passive_port_range.start\", globalConf.FTPD.PassivePortRange.Start)\n\tviper.SetDefault(\"ftpd.passive_port_range.end\", globalConf.FTPD.PassivePortRange.End)\n\tviper.SetDefault(\"ftpd.disable_active_mode\", globalConf.FTPD.DisableActiveMode)\n\tviper.SetDefault(\"ftpd.enable_site\", globalConf.FTPD.EnableSite)\n\tviper.SetDefault(\"ftpd.hash_support\", globalConf.FTPD.HASHSupport)\n\tviper.SetDefault(\"ftpd.combine_support\", globalConf.FTPD.CombineSupport)\n\tviper.SetDefault(\"ftpd.certificate_file\", globalConf.FTPD.CertificateFile)\n\tviper.SetDefault(\"ftpd.certificate_key_file\", globalConf.FTPD.CertificateKeyFile)\n\tviper.SetDefault(\"ftpd.ca_certificates\", globalConf.FTPD.CACertificates)\n\tviper.SetDefault(\"ftpd.ca_revocation_lists\", globalConf.FTPD.CARevocationLists)\n\tviper.SetDefault(\"webdavd.certificate_file\", globalConf.WebDAVD.CertificateFile)\n\tviper.SetDefault(\"webdavd.certificate_key_file\", globalConf.WebDAVD.CertificateKeyFile)\n\tviper.SetDefault(\"webdavd.ca_certificates\", globalConf.WebDAVD.CACertificates)\n\tviper.SetDefault(\"webdavd.ca_revocation_lists\", globalConf.WebDAVD.CARevocationLists)\n\tviper.SetDefault(\"webdavd.cors.enabled\", globalConf.WebDAVD.Cors.Enabled)\n\tviper.SetDefault(\"webdavd.cors.allowed_origins\", globalConf.WebDAVD.Cors.AllowedOrigins)\n\tviper.SetDefault(\"webdavd.cors.allowed_methods\", globalConf.WebDAVD.Cors.AllowedMethods)\n\tviper.SetDefault(\"webdavd.cors.allowed_headers\", globalConf.WebDAVD.Cors.AllowedHeaders)\n\tviper.SetDefault(\"webdavd.cors.exposed_headers\", globalConf.WebDAVD.Cors.ExposedHeaders)\n\tviper.SetDefault(\"webdavd.cors.allow_credentials\", globalConf.WebDAVD.Cors.AllowCredentials)\n\tviper.SetDefault(\"webdavd.cors.options_passthrough\", globalConf.WebDAVD.Cors.OptionsPassthrough)\n\tviper.SetDefault(\"webdavd.cors.options_success_status\", globalConf.WebDAVD.Cors.OptionsSuccessStatus)\n\tviper.SetDefault(\"webdavd.cors.allow_private_network\", globalConf.WebDAVD.Cors.AllowPrivateNetwork)\n\tviper.SetDefault(\"webdavd.cors.max_age\", globalConf.WebDAVD.Cors.MaxAge)\n\tviper.SetDefault(\"webdavd.cache.users.expiration_time\", globalConf.WebDAVD.Cache.Users.ExpirationTime)\n\tviper.SetDefault(\"webdavd.cache.users.max_size\", globalConf.WebDAVD.Cache.Users.MaxSize)\n\tviper.SetDefault(\"webdavd.cache.mime_types.enabled\", globalConf.WebDAVD.Cache.MimeTypes.Enabled)\n\tviper.SetDefault(\"webdavd.cache.mime_types.max_size\", globalConf.WebDAVD.Cache.MimeTypes.MaxSize)\n\tviper.SetDefault(\"webdavd.cache.mime_types.custom_mappings\", globalConf.WebDAVD.Cache.MimeTypes.CustomMappings)\n\tviper.SetDefault(\"data_provider.driver\", globalConf.ProviderConf.Driver)\n\tviper.SetDefault(\"data_provider.name\", globalConf.ProviderConf.Name)\n\tviper.SetDefault(\"data_provider.host\", globalConf.ProviderConf.Host)\n\tviper.SetDefault(\"data_provider.port\", globalConf.ProviderConf.Port)\n\tviper.SetDefault(\"data_provider.username\", globalConf.ProviderConf.Username)\n\tviper.SetDefault(\"data_provider.password\", globalConf.ProviderConf.Password)\n\tviper.SetDefault(\"data_provider.sslmode\", globalConf.ProviderConf.SSLMode)\n\tviper.SetDefault(\"data_provider.disable_sni\", globalConf.ProviderConf.DisableSNI)\n\tviper.SetDefault(\"data_provider.target_session_attrs\", globalConf.ProviderConf.TargetSessionAttrs)\n\tviper.SetDefault(\"data_provider.root_cert\", globalConf.ProviderConf.RootCert)\n\tviper.SetDefault(\"data_provider.client_cert\", globalConf.ProviderConf.ClientCert)\n\tviper.SetDefault(\"data_provider.client_key\", globalConf.ProviderConf.ClientKey)\n\tviper.SetDefault(\"data_provider.connection_string\", globalConf.ProviderConf.ConnectionString)\n\tviper.SetDefault(\"data_provider.sql_tables_prefix\", globalConf.ProviderConf.SQLTablesPrefix)\n\tviper.SetDefault(\"data_provider.track_quota\", globalConf.ProviderConf.TrackQuota)\n\tviper.SetDefault(\"data_provider.pool_size\", globalConf.ProviderConf.PoolSize)\n\tviper.SetDefault(\"data_provider.users_base_dir\", globalConf.ProviderConf.UsersBaseDir)\n\tviper.SetDefault(\"data_provider.actions.execute_on\", globalConf.ProviderConf.Actions.ExecuteOn)\n\tviper.SetDefault(\"data_provider.actions.execute_for\", globalConf.ProviderConf.Actions.ExecuteFor)\n\tviper.SetDefault(\"data_provider.actions.hook\", globalConf.ProviderConf.Actions.Hook)\n\tviper.SetDefault(\"data_provider.external_auth_hook\", globalConf.ProviderConf.ExternalAuthHook)\n\tviper.SetDefault(\"data_provider.external_auth_scope\", globalConf.ProviderConf.ExternalAuthScope)\n\tviper.SetDefault(\"data_provider.pre_login_hook\", globalConf.ProviderConf.PreLoginHook)\n\tviper.SetDefault(\"data_provider.post_login_hook\", globalConf.ProviderConf.PostLoginHook)\n\tviper.SetDefault(\"data_provider.post_login_scope\", globalConf.ProviderConf.PostLoginScope)\n\tviper.SetDefault(\"data_provider.check_password_hook\", globalConf.ProviderConf.CheckPasswordHook)\n\tviper.SetDefault(\"data_provider.check_password_scope\", globalConf.ProviderConf.CheckPasswordScope)\n\tviper.SetDefault(\"data_provider.password_hashing.bcrypt_options.cost\", globalConf.ProviderConf.PasswordHashing.BcryptOptions.Cost)\n\tviper.SetDefault(\"data_provider.password_hashing.argon2_options.memory\", globalConf.ProviderConf.PasswordHashing.Argon2Options.Memory)\n\tviper.SetDefault(\"data_provider.password_hashing.argon2_options.iterations\", globalConf.ProviderConf.PasswordHashing.Argon2Options.Iterations)\n\tviper.SetDefault(\"data_provider.password_hashing.argon2_options.parallelism\", globalConf.ProviderConf.PasswordHashing.Argon2Options.Parallelism)\n\tviper.SetDefault(\"data_provider.password_hashing.algo\", globalConf.ProviderConf.PasswordHashing.Algo)\n\tviper.SetDefault(\"data_provider.password_validation.admins.min_entropy\", globalConf.ProviderConf.PasswordValidation.Admins.MinEntropy)\n\tviper.SetDefault(\"data_provider.password_validation.users.min_entropy\", globalConf.ProviderConf.PasswordValidation.Users.MinEntropy)\n\tviper.SetDefault(\"data_provider.password_caching\", globalConf.ProviderConf.PasswordCaching)\n\tviper.SetDefault(\"data_provider.update_mode\", globalConf.ProviderConf.UpdateMode)\n\tviper.SetDefault(\"data_provider.delayed_quota_update\", globalConf.ProviderConf.DelayedQuotaUpdate)\n\tviper.SetDefault(\"data_provider.create_default_admin\", globalConf.ProviderConf.CreateDefaultAdmin)\n\tviper.SetDefault(\"data_provider.naming_rules\", globalConf.ProviderConf.NamingRules)\n\tviper.SetDefault(\"data_provider.is_shared\", globalConf.ProviderConf.IsShared)\n\tviper.SetDefault(\"data_provider.node.host\", globalConf.ProviderConf.Node.Host)\n\tviper.SetDefault(\"data_provider.node.port\", globalConf.ProviderConf.Node.Port)\n\tviper.SetDefault(\"data_provider.node.proto\", globalConf.ProviderConf.Node.Proto)\n\tviper.SetDefault(\"data_provider.backups_path\", globalConf.ProviderConf.BackupsPath)\n\tviper.SetDefault(\"httpd.templates_path\", globalConf.HTTPDConfig.TemplatesPath)\n\tviper.SetDefault(\"httpd.static_files_path\", globalConf.HTTPDConfig.StaticFilesPath)\n\tviper.SetDefault(\"httpd.openapi_path\", globalConf.HTTPDConfig.OpenAPIPath)\n\tviper.SetDefault(\"httpd.web_root\", globalConf.HTTPDConfig.WebRoot)\n\tviper.SetDefault(\"httpd.certificate_file\", globalConf.HTTPDConfig.CertificateFile)\n\tviper.SetDefault(\"httpd.certificate_key_file\", globalConf.HTTPDConfig.CertificateKeyFile)\n\tviper.SetDefault(\"httpd.ca_certificates\", globalConf.HTTPDConfig.CACertificates)\n\tviper.SetDefault(\"httpd.ca_revocation_lists\", globalConf.HTTPDConfig.CARevocationLists)\n\tviper.SetDefault(\"httpd.signing_passphrase\", globalConf.HTTPDConfig.SigningPassphrase)\n\tviper.SetDefault(\"httpd.signing_passphrase_file\", globalConf.HTTPDConfig.SigningPassphraseFile)\n\tviper.SetDefault(\"httpd.token_validation\", globalConf.HTTPDConfig.TokenValidation)\n\tviper.SetDefault(\"httpd.cookie_lifetime\", globalConf.HTTPDConfig.CookieLifetime)\n\tviper.SetDefault(\"httpd.share_cookie_lifetime\", globalConf.HTTPDConfig.ShareCookieLifetime)\n\tviper.SetDefault(\"httpd.jwt_lifetime\", globalConf.HTTPDConfig.JWTLifetime)\n\tviper.SetDefault(\"httpd.max_upload_file_size\", globalConf.HTTPDConfig.MaxUploadFileSize)\n\tviper.SetDefault(\"httpd.cors.enabled\", globalConf.HTTPDConfig.Cors.Enabled)\n\tviper.SetDefault(\"httpd.cors.allowed_origins\", globalConf.HTTPDConfig.Cors.AllowedOrigins)\n\tviper.SetDefault(\"httpd.cors.allowed_methods\", globalConf.HTTPDConfig.Cors.AllowedMethods)\n\tviper.SetDefault(\"httpd.cors.allowed_headers\", globalConf.HTTPDConfig.Cors.AllowedHeaders)\n\tviper.SetDefault(\"httpd.cors.exposed_headers\", globalConf.HTTPDConfig.Cors.ExposedHeaders)\n\tviper.SetDefault(\"httpd.cors.allow_credentials\", globalConf.HTTPDConfig.Cors.AllowCredentials)\n\tviper.SetDefault(\"httpd.cors.max_age\", globalConf.HTTPDConfig.Cors.MaxAge)\n\tviper.SetDefault(\"httpd.cors.options_passthrough\", globalConf.HTTPDConfig.Cors.OptionsPassthrough)\n\tviper.SetDefault(\"httpd.cors.options_success_status\", globalConf.HTTPDConfig.Cors.OptionsSuccessStatus)\n\tviper.SetDefault(\"httpd.cors.allow_private_network\", globalConf.HTTPDConfig.Cors.AllowPrivateNetwork)\n\tviper.SetDefault(\"httpd.setup.installation_code\", globalConf.HTTPDConfig.Setup.InstallationCode)\n\tviper.SetDefault(\"httpd.setup.installation_code_hint\", globalConf.HTTPDConfig.Setup.InstallationCodeHint)\n\tviper.SetDefault(\"httpd.hide_support_link\", globalConf.HTTPDConfig.HideSupportLink)\n\tviper.SetDefault(\"http.timeout\", globalConf.HTTPConfig.Timeout)\n\tviper.SetDefault(\"http.retry_wait_min\", globalConf.HTTPConfig.RetryWaitMin)\n\tviper.SetDefault(\"http.retry_wait_max\", globalConf.HTTPConfig.RetryWaitMax)\n\tviper.SetDefault(\"http.retry_max\", globalConf.HTTPConfig.RetryMax)\n\tviper.SetDefault(\"http.ca_certificates\", globalConf.HTTPConfig.CACertificates)\n\tviper.SetDefault(\"http.skip_tls_verify\", globalConf.HTTPConfig.SkipTLSVerify)\n\tviper.SetDefault(\"command.timeout\", globalConf.CommandConfig.Timeout)\n\tviper.SetDefault(\"command.env\", globalConf.CommandConfig.Env)\n\tviper.SetDefault(\"kms.secrets.url\", globalConf.KMSConfig.Secrets.URL)\n\tviper.SetDefault(\"kms.secrets.master_key\", globalConf.KMSConfig.Secrets.MasterKeyString)\n\tviper.SetDefault(\"kms.secrets.master_key_path\", globalConf.KMSConfig.Secrets.MasterKeyPath)\n\tviper.SetDefault(\"telemetry.bind_port\", globalConf.TelemetryConfig.BindPort)\n\tviper.SetDefault(\"telemetry.bind_address\", globalConf.TelemetryConfig.BindAddress)\n\tviper.SetDefault(\"telemetry.enable_profiler\", globalConf.TelemetryConfig.EnableProfiler)\n\tviper.SetDefault(\"telemetry.auth_user_file\", globalConf.TelemetryConfig.AuthUserFile)\n\tviper.SetDefault(\"telemetry.certificate_file\", globalConf.TelemetryConfig.CertificateFile)\n\tviper.SetDefault(\"telemetry.certificate_key_file\", globalConf.TelemetryConfig.CertificateKeyFile)\n\tviper.SetDefault(\"telemetry.min_tls_version\", globalConf.TelemetryConfig.MinTLSVersion)\n\tviper.SetDefault(\"telemetry.tls_cipher_suites\", globalConf.TelemetryConfig.TLSCipherSuites)\n\tviper.SetDefault(\"telemetry.tls_protocols\", globalConf.TelemetryConfig.Protocols)\n\tviper.SetDefault(\"smtp.host\", globalConf.SMTPConfig.Host)\n\tviper.SetDefault(\"smtp.port\", globalConf.SMTPConfig.Port)\n\tviper.SetDefault(\"smtp.from\", globalConf.SMTPConfig.From)\n\tviper.SetDefault(\"smtp.user\", globalConf.SMTPConfig.User)\n\tviper.SetDefault(\"smtp.password\", globalConf.SMTPConfig.Password)\n\tviper.SetDefault(\"smtp.auth_type\", globalConf.SMTPConfig.AuthType)\n\tviper.SetDefault(\"smtp.encryption\", globalConf.SMTPConfig.Encryption)\n\tviper.SetDefault(\"smtp.domain\", globalConf.SMTPConfig.Domain)\n\tviper.SetDefault(\"smtp.templates_path\", globalConf.SMTPConfig.TemplatesPath)\n}\n\nfunc lookupBoolFromEnv(envName string) (bool, bool) {\n\tvalue, ok := os.LookupEnv(envName)\n\tif ok {\n\t\tconverted, err := strconv.ParseBool(strings.TrimSpace(value))\n\t\tif err == nil {\n\t\t\treturn converted, ok\n\t\t}\n\t}\n\n\treturn false, false\n}\n\nfunc lookupIntFromEnv(envName string, bitSize int) (int64, bool) {\n\tvalue, ok := os.LookupEnv(envName)\n\tif ok {\n\t\tconverted, err := strconv.ParseInt(strings.TrimSpace(value), 10, bitSize)\n\t\tif err == nil {\n\t\t\treturn converted, ok\n\t\t}\n\t}\n\n\treturn 0, false\n}\n\nfunc lookupStringListFromEnv(envName string) ([]string, bool) {\n\tvalue, ok := os.LookupEnv(envName)\n\tif ok {\n\t\tvar result []string\n\t\tfor v := range strings.SplitSeq(value, \",\") {\n\t\t\tval := strings.TrimSpace(v)\n\t\t\tif val != \"\" {\n\t\t\t\tresult = append(result, val)\n\t\t\t}\n\t\t}\n\t\treturn result, true\n\t}\n\treturn nil, false\n}\n" }, { "path": "internal/config/config_darwin.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build darwin\n\npackage config\n\nimport \"github.com/spf13/viper\"\n\n// macOS specific config search path\nfunc setViperAdditionalConfigPaths() {\n\tviper.AddConfigPath(\"/usr/local/etc/sftpgo\")\n}\n" }, { "path": "internal/config/config_fallback.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build !linux && !darwin\n\npackage config\n\nfunc setViperAdditionalConfigPaths() {}\n" }, { "path": "internal/config/config_linux.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build linux\n\npackage config\n\nimport \"github.com/spf13/viper\"\n\n// linux specific config search path\nfunc setViperAdditionalConfigPaths() {\n\tviper.AddConfigPath(\"$HOME/.config/sftpgo\")\n\tviper.AddConfigPath(\"/etc/sftpgo\")\n\tviper.AddConfigPath(\"/usr/local/etc/sftpgo\")\n}\n" }, { "path": "internal/config/config_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage config_test\n\nimport (\n\t\"crypto/rand\"\n\t\"encoding/json\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"slices\"\n\t\"testing\"\n\n\t\"github.com/sftpgo/sdk/kms\"\n\t\"github.com/spf13/viper\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/command\"\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/config\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpclient\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/mfa\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n\t\"github.com/drakkan/sftpgo/v2/internal/sftpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/smtp\"\n\t\"github.com/drakkan/sftpgo/v2/internal/webdavd\"\n)\n\nconst (\n\ttempConfigName = \"temp\"\n)\n\nvar (\n\tconfigDir = filepath.Join(\".\", \"..\", \"..\")\n)\n\nfunc reset() {\n\tviper.Reset()\n\tconfig.Init()\n}\n\nfunc TestLoadConfigTest(t *testing.T) {\n\treset()\n\n\terr := config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tassert.NotEqual(t, httpd.Conf{}, config.GetHTTPConfig())\n\tassert.NotEqual(t, dataprovider.Config{}, config.GetProviderConf())\n\tassert.NotEqual(t, sftpd.Configuration{}, config.GetSFTPDConfig())\n\tassert.NotEqual(t, httpclient.Config{}, config.GetHTTPConfig())\n\tassert.NotEqual(t, smtp.Config{}, config.GetSMTPConfig())\n\tconfName := tempConfigName + \".json\" //nolint:goconst\n\tconfigFilePath := filepath.Join(configDir, confName)\n\terr = config.LoadConfig(configDir, confName)\n\tassert.Error(t, err)\n\terr = os.WriteFile(configFilePath, []byte(\"{invalid json}\"), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, confName)\n\tassert.Error(t, err)\n\terr = os.WriteFile(configFilePath, []byte(`{\"sftpd\": {\"max_auth_tries\": \"a\"}}`), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, confName)\n\tassert.Error(t, err)\n\terr = os.Remove(configFilePath)\n\tassert.NoError(t, err)\n}\n\nfunc TestLoadConfigFileNotFound(t *testing.T) {\n\treset()\n\n\tviper.SetConfigName(\"configfile\")\n\terr := config.LoadConfig(os.TempDir(), \"\")\n\trequire.NoError(t, err)\n\tmfaConf := config.GetMFAConfig()\n\trequire.Len(t, mfaConf.TOTP, 1)\n\trequire.Len(t, config.GetCommonConfig().RateLimitersConfig, 1)\n\trequire.Len(t, config.GetCommonConfig().RateLimitersConfig[0].Protocols, 4)\n\trequire.Len(t, config.GetHTTPDConfig().Bindings, 1)\n\trequire.Len(t, config.GetHTTPDConfig().Bindings[0].OIDC.Scopes, 3)\n}\n\nfunc TestReadEnvFiles(t *testing.T) {\n\treset()\n\n\tenvd := filepath.Join(configDir, \"env.d\")\n\terr := os.Mkdir(envd, os.ModePerm)\n\tassert.NoError(t, err)\n\n\tcontent := make([]byte, 1048576+1)\n\t_, err = rand.Read(content)\n\tassert.NoError(t, err)\n\n\terr = os.WriteFile(filepath.Join(envd, \"env1\"), []byte(\"SFTPGO_SFTPD__MAX_AUTH_TRIES = 10\"), 0666)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(filepath.Join(envd, \"env2\"), []byte(`{\"invalid env\": \"value\"}`), 0666)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(filepath.Join(envd, \"env3\"), content, 0666)\n\tassert.NoError(t, err)\n\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, 10, config.GetSFTPDConfig().MaxAuthTries)\n\n\t_, ok := os.LookupEnv(\"SFTPGO_SFTPD__MAX_AUTH_TRIES\")\n\tassert.True(t, ok)\n\terr = os.Unsetenv(\"SFTPGO_SFTPD__MAX_AUTH_TRIES\")\n\tassert.NoError(t, err)\n\tos.RemoveAll(envd)\n}\n\nfunc TestEnabledSSHCommands(t *testing.T) {\n\treset()\n\n\tconfName := tempConfigName + \".json\"\n\tconfigFilePath := filepath.Join(configDir, confName)\n\terr := config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\n\treset()\n\n\tsftpdConf := config.GetSFTPDConfig()\n\tsftpdConf.EnabledSSHCommands = []string{\"scp\"}\n\tc := make(map[string]sftpd.Configuration)\n\tc[\"sftpd\"] = sftpdConf\n\tjsonConf, err := json.Marshal(c)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(configFilePath, jsonConf, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, confName)\n\tassert.NoError(t, err)\n\tsftpdConf = config.GetSFTPDConfig()\n\tif assert.Len(t, sftpdConf.EnabledSSHCommands, 1) {\n\t\tassert.Equal(t, \"scp\", sftpdConf.EnabledSSHCommands[0])\n\t}\n\terr = os.Remove(configFilePath)\n\tassert.NoError(t, err)\n}\n\nfunc TestInvalidExternalAuthScope(t *testing.T) {\n\treset()\n\n\tconfName := tempConfigName + \".json\"\n\tconfigFilePath := filepath.Join(configDir, confName)\n\terr := config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\tproviderConf.ExternalAuthScope = 100\n\tc := make(map[string]dataprovider.Config)\n\tc[\"data_provider\"] = providerConf\n\tjsonConf, err := json.Marshal(c)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(configFilePath, jsonConf, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, confName)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, config.GetProviderConf().ExternalAuthScope)\n\terr = os.Remove(configFilePath)\n\tassert.NoError(t, err)\n}\n\nfunc TestInvalidProxyProtocol(t *testing.T) {\n\treset()\n\n\tconfName := tempConfigName + \".json\"\n\tconfigFilePath := filepath.Join(configDir, confName)\n\terr := config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tcommonConf := config.GetCommonConfig()\n\tcommonConf.ProxyProtocol = 10\n\tc := make(map[string]common.Configuration)\n\tc[\"common\"] = commonConf\n\tjsonConf, err := json.Marshal(c)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(configFilePath, jsonConf, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, confName)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, config.GetCommonConfig().ProxyProtocol)\n\terr = os.Remove(configFilePath)\n\tassert.NoError(t, err)\n}\n\nfunc TestInvalidUsersBaseDir(t *testing.T) {\n\treset()\n\n\tconfName := tempConfigName + \".json\"\n\tconfigFilePath := filepath.Join(configDir, confName)\n\terr := config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\tproviderConf.UsersBaseDir = \".\"\n\tc := make(map[string]dataprovider.Config)\n\tc[\"data_provider\"] = providerConf\n\tjsonConf, err := json.Marshal(c)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(configFilePath, jsonConf, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, confName)\n\tassert.NoError(t, err)\n\tassert.Empty(t, config.GetProviderConf().UsersBaseDir)\n\terr = os.Remove(configFilePath)\n\tassert.NoError(t, err)\n}\n\nfunc TestInvalidInstallationHint(t *testing.T) {\n\treset()\n\n\tconfName := tempConfigName + \".json\"\n\tconfigFilePath := filepath.Join(configDir, confName)\n\terr := config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\thttpdConfig := config.GetHTTPDConfig()\n\thttpdConfig.Setup = httpd.SetupConfig{\n\t\tInstallationCode: \"abc\",\n\t\tInstallationCodeHint: \" \",\n\t}\n\tc := make(map[string]httpd.Conf)\n\tc[\"httpd\"] = httpdConfig\n\tjsonConf, err := json.Marshal(c)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(configFilePath, jsonConf, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, confName)\n\tassert.NoError(t, err)\n\thttpdConfig = config.GetHTTPDConfig()\n\tassert.Equal(t, \"abc\", httpdConfig.Setup.InstallationCode)\n\tassert.Equal(t, \"Installation code\", httpdConfig.Setup.InstallationCodeHint)\n\terr = os.Remove(configFilePath)\n\tassert.NoError(t, err)\n}\n\nfunc TestInvalidRenameMode(t *testing.T) {\n\treset()\n\n\tconfName := tempConfigName + \".json\"\n\tconfigFilePath := filepath.Join(configDir, confName)\n\tcommonConfig := config.GetCommonConfig()\n\tcommonConfig.RenameMode = 10\n\tc := make(map[string]any)\n\tc[\"common\"] = commonConfig\n\tjsonConf, err := json.Marshal(c)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(configFilePath, jsonConf, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, confName)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, config.GetCommonConfig().RenameMode)\n\terr = os.Remove(configFilePath)\n\tassert.NoError(t, err)\n}\n\nfunc TestDefenderProviderDriver(t *testing.T) {\n\tif config.GetProviderConf().Driver != dataprovider.SQLiteDataProviderName {\n\t\tt.Skip(\"this test is not supported with the current database provider\")\n\t}\n\treset()\n\n\tconfName := tempConfigName + \".json\"\n\tconfigFilePath := filepath.Join(configDir, confName)\n\tproviderConf := config.GetProviderConf()\n\tproviderConf.Driver = dataprovider.BoltDataProviderName\n\tcommonConfig := config.GetCommonConfig()\n\tcommonConfig.DefenderConfig.Enabled = true\n\tcommonConfig.DefenderConfig.Driver = common.DefenderDriverProvider\n\tc := make(map[string]any)\n\tc[\"common\"] = commonConfig\n\tc[\"data_provider\"] = providerConf\n\tjsonConf, err := json.Marshal(c)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(configFilePath, jsonConf, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, confName)\n\tassert.NoError(t, err)\n\tassert.Equal(t, dataprovider.BoltDataProviderName, config.GetProviderConf().Driver)\n\tassert.Equal(t, common.DefenderDriverMemory, config.GetCommonConfig().DefenderConfig.Driver)\n\terr = os.Remove(configFilePath)\n\tassert.NoError(t, err)\n}\n\nfunc TestSetGetConfig(t *testing.T) {\n\treset()\n\n\tsftpdConf := config.GetSFTPDConfig()\n\tsftpdConf.MaxAuthTries = 10\n\tconfig.SetSFTPDConfig(sftpdConf)\n\tassert.Equal(t, sftpdConf.MaxAuthTries, config.GetSFTPDConfig().MaxAuthTries)\n\tdataProviderConf := config.GetProviderConf()\n\tdataProviderConf.Host = \"test host\"\n\tconfig.SetProviderConf(dataProviderConf)\n\tassert.Equal(t, dataProviderConf.Host, config.GetProviderConf().Host)\n\thttpdConf := config.GetHTTPDConfig()\n\thttpdConf.Bindings = append(httpdConf.Bindings, httpd.Binding{Address: \"0.0.0.0\"})\n\tconfig.SetHTTPDConfig(httpdConf)\n\tassert.Equal(t, httpdConf.Bindings[0].Address, config.GetHTTPDConfig().Bindings[0].Address)\n\tcommonConf := config.GetCommonConfig()\n\tcommonConf.IdleTimeout = 10\n\tconfig.SetCommonConfig(commonConf)\n\tassert.Equal(t, commonConf.IdleTimeout, config.GetCommonConfig().IdleTimeout)\n\tftpdConf := config.GetFTPDConfig()\n\tftpdConf.CertificateFile = \"cert\"\n\tftpdConf.CertificateKeyFile = \"key\"\n\tconfig.SetFTPDConfig(ftpdConf)\n\tassert.Equal(t, ftpdConf.CertificateFile, config.GetFTPDConfig().CertificateFile)\n\tassert.Equal(t, ftpdConf.CertificateKeyFile, config.GetFTPDConfig().CertificateKeyFile)\n\twebDavConf := config.GetWebDAVDConfig()\n\twebDavConf.CertificateFile = \"dav_cert\"\n\twebDavConf.CertificateKeyFile = \"dav_key\"\n\tconfig.SetWebDAVDConfig(webDavConf)\n\tassert.Equal(t, webDavConf.CertificateFile, config.GetWebDAVDConfig().CertificateFile)\n\tassert.Equal(t, webDavConf.CertificateKeyFile, config.GetWebDAVDConfig().CertificateKeyFile)\n\tkmsConf := config.GetKMSConfig()\n\tkmsConf.Secrets.MasterKeyPath = \"apath\"\n\tkmsConf.Secrets.URL = \"aurl\"\n\tconfig.SetKMSConfig(kmsConf)\n\tassert.Equal(t, kmsConf.Secrets.MasterKeyPath, config.GetKMSConfig().Secrets.MasterKeyPath)\n\tassert.Equal(t, kmsConf.Secrets.URL, config.GetKMSConfig().Secrets.URL)\n\ttelemetryConf := config.GetTelemetryConfig()\n\ttelemetryConf.BindPort = 10001\n\ttelemetryConf.BindAddress = \"0.0.0.0\"\n\tconfig.SetTelemetryConfig(telemetryConf)\n\tassert.Equal(t, telemetryConf.BindPort, config.GetTelemetryConfig().BindPort)\n\tassert.Equal(t, telemetryConf.BindAddress, config.GetTelemetryConfig().BindAddress)\n\tpluginConf := []plugin.Config{\n\t\t{\n\t\t\tType: \"eventsearcher\",\n\t\t},\n\t}\n\tconfig.SetPluginsConfig(pluginConf)\n\tif assert.Len(t, config.GetPluginsConfig(), 1) {\n\t\tassert.Equal(t, pluginConf[0].Type, config.GetPluginsConfig()[0].Type)\n\t}\n\tassert.False(t, config.HasKMSPlugin())\n\tpluginConf = []plugin.Config{\n\t\t{\n\t\t\tType: \"notifier\",\n\t\t},\n\t\t{\n\t\t\tType: \"kms\",\n\t\t},\n\t}\n\tconfig.SetPluginsConfig(pluginConf)\n\tassert.Len(t, config.GetPluginsConfig(), 2)\n\tassert.True(t, config.HasKMSPlugin())\n}\n\nfunc TestServiceToStart(t *testing.T) {\n\treset()\n\n\terr := config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tassert.True(t, config.HasServicesToStart())\n\tsftpdConf := config.GetSFTPDConfig()\n\tsftpdConf.Bindings[0].Port = 0\n\tconfig.SetSFTPDConfig(sftpdConf)\n\t// httpd service is enabled\n\tassert.True(t, config.HasServicesToStart())\n\thttpdConf := config.GetHTTPDConfig()\n\thttpdConf.Bindings[0].Port = 0\n\tassert.False(t, config.HasServicesToStart())\n\tftpdConf := config.GetFTPDConfig()\n\tftpdConf.Bindings[0].Port = 2121\n\tconfig.SetFTPDConfig(ftpdConf)\n\tassert.True(t, config.HasServicesToStart())\n\tftpdConf.Bindings[0].Port = 0\n\tconfig.SetFTPDConfig(ftpdConf)\n\twebdavdConf := config.GetWebDAVDConfig()\n\twebdavdConf.Bindings[0].Port = 9000\n\tconfig.SetWebDAVDConfig(webdavdConf)\n\tassert.True(t, config.HasServicesToStart())\n\twebdavdConf.Bindings[0].Port = 0\n\tconfig.SetWebDAVDConfig(webdavdConf)\n\tassert.False(t, config.HasServicesToStart())\n\tsftpdConf.Bindings[0].Port = 2022\n\tconfig.SetSFTPDConfig(sftpdConf)\n\tassert.True(t, config.HasServicesToStart())\n}\n\nfunc TestSSHCommandsFromEnv(t *testing.T) {\n\treset()\n\n\tos.Setenv(\"SFTPGO_SFTPD__ENABLED_SSH_COMMANDS\", \"cd,scp\")\n\tt.Cleanup(func() {\n\t\tos.Unsetenv(\"SFTPGO_SFTPD__ENABLED_SSH_COMMANDS\")\n\t})\n\n\terr := config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\n\tsftpdConf := config.GetSFTPDConfig()\n\tif assert.Len(t, sftpdConf.EnabledSSHCommands, 2) {\n\t\tassert.Equal(t, \"cd\", sftpdConf.EnabledSSHCommands[0])\n\t\tassert.Equal(t, \"scp\", sftpdConf.EnabledSSHCommands[1])\n\t}\n}\n\nfunc TestSMTPFromEnv(t *testing.T) {\n\treset()\n\n\tos.Setenv(\"SFTPGO_SMTP__HOST\", \"smtp.example.com\")\n\tos.Setenv(\"SFTPGO_SMTP__PORT\", \"587\")\n\tt.Cleanup(func() {\n\t\tos.Unsetenv(\"SFTPGO_SMTP__HOST\")\n\t\tos.Unsetenv(\"SFTPGO_SMTP__PORT\")\n\t})\n\n\terr := config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tsmtpConfig := config.GetSMTPConfig()\n\tassert.Equal(t, \"smtp.example.com\", smtpConfig.Host)\n\tassert.Equal(t, 587, smtpConfig.Port)\n}\n\nfunc TestMFAFromEnv(t *testing.T) {\n\treset()\n\n\tos.Setenv(\"SFTPGO_MFA__TOTP__0__NAME\", \"main\")\n\tos.Setenv(\"SFTPGO_MFA__TOTP__1__NAME\", \"additional_name\")\n\tos.Setenv(\"SFTPGO_MFA__TOTP__1__ISSUER\", \"additional_issuer\")\n\tos.Setenv(\"SFTPGO_MFA__TOTP__1__ALGO\", \"sha256\")\n\tt.Cleanup(func() {\n\t\tos.Unsetenv(\"SFTPGO_MFA__TOTP__0__NAME\")\n\t\tos.Unsetenv(\"SFTPGO_MFA__TOTP__1__NAME\")\n\t\tos.Unsetenv(\"SFTPGO_MFA__TOTP__1__ISSUER\")\n\t\tos.Unsetenv(\"SFTPGO_MFA__TOTP__1__ALGO\")\n\t})\n\n\terr := config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tmfaConf := config.GetMFAConfig()\n\trequire.Len(t, mfaConf.TOTP, 2)\n\trequire.Equal(t, \"main\", mfaConf.TOTP[0].Name)\n\trequire.Equal(t, \"SFTPGo\", mfaConf.TOTP[0].Issuer)\n\trequire.Equal(t, \"sha1\", mfaConf.TOTP[0].Algo)\n\trequire.Equal(t, \"additional_name\", mfaConf.TOTP[1].Name)\n\trequire.Equal(t, \"additional_issuer\", mfaConf.TOTP[1].Issuer)\n\trequire.Equal(t, \"sha256\", mfaConf.TOTP[1].Algo)\n}\n\nfunc TestDisabledMFAConfig(t *testing.T) {\n\treset()\n\n\tconfName := tempConfigName + \".json\"\n\tconfigFilePath := filepath.Join(configDir, confName)\n\n\terr := config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tmfaConf := config.GetMFAConfig()\n\tassert.Len(t, mfaConf.TOTP, 1)\n\n\treset()\n\n\tc := make(map[string]mfa.Config)\n\tc[\"mfa\"] = mfa.Config{}\n\tjsonConf, err := json.Marshal(c)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(configFilePath, jsonConf, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, confName)\n\tassert.NoError(t, err)\n\tmfaConf = config.GetMFAConfig()\n\tassert.Len(t, mfaConf.TOTP, 0)\n\terr = os.Remove(configFilePath)\n\tassert.NoError(t, err)\n}\n\nfunc TestOverrideSliceValues(t *testing.T) {\n\treset()\n\n\tconfName := tempConfigName + \".json\"\n\tconfigFilePath := filepath.Join(configDir, confName)\n\tc := make(map[string]any)\n\tc[\"common\"] = common.Configuration{\n\t\tRateLimitersConfig: []common.RateLimiterConfig{\n\t\t\t{\n\t\t\t\tType: 1,\n\t\t\t\tProtocols: []string{\"HTTP\"},\n\t\t\t},\n\t\t},\n\t}\n\tjsonConf, err := json.Marshal(c)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(configFilePath, jsonConf, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, confName)\n\tassert.NoError(t, err)\n\trequire.Len(t, config.GetCommonConfig().RateLimitersConfig, 1)\n\trequire.Equal(t, []string{\"HTTP\"}, config.GetCommonConfig().RateLimitersConfig[0].Protocols)\n\n\treset()\n\n\t// empty ratelimiters, default value should be used\n\tc[\"common\"] = common.Configuration{}\n\tjsonConf, err = json.Marshal(c)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(configFilePath, jsonConf, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, confName)\n\tassert.NoError(t, err)\n\trequire.Len(t, config.GetCommonConfig().RateLimitersConfig, 1)\n\trl := config.GetCommonConfig().RateLimitersConfig[0]\n\trequire.Equal(t, []string{\"SSH\", \"FTP\", \"DAV\", \"HTTP\"}, rl.Protocols)\n\trequire.Equal(t, int64(1000), rl.Period)\n\n\treset()\n\n\tc = make(map[string]any)\n\tc[\"httpd\"] = httpd.Conf{\n\t\tBindings: []httpd.Binding{\n\t\t\t{\n\t\t\t\tOIDC: httpd.OIDC{\n\t\t\t\t\tScopes: []string{\"scope1\"},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\tjsonConf, err = json.Marshal(c)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(configFilePath, jsonConf, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, confName)\n\tassert.NoError(t, err)\n\trequire.Len(t, config.GetHTTPDConfig().Bindings, 1)\n\trequire.Equal(t, []string{\"scope1\"}, config.GetHTTPDConfig().Bindings[0].OIDC.Scopes)\n\n\treset()\n\n\tc = make(map[string]any)\n\tc[\"httpd\"] = httpd.Conf{\n\t\tBindings: nil,\n\t}\n\tjsonConf, err = json.Marshal(c)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(configFilePath, jsonConf, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, confName)\n\tassert.NoError(t, err)\n\trequire.Len(t, config.GetHTTPDConfig().Bindings, 1)\n\trequire.Equal(t, []string{\"openid\", \"profile\", \"email\"}, config.GetHTTPDConfig().Bindings[0].OIDC.Scopes)\n}\n\nfunc TestFTPDOverridesFromEnv(t *testing.T) {\n\treset()\n\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__0__PASSIVE_IP_OVERRIDES__0__IP\", \"192.168.1.1\")\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__0__PASSIVE_IP_OVERRIDES__0__NETWORKS\", \"192.168.1.0/24, 192.168.3.0/25\")\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__0__PASSIVE_IP_OVERRIDES__1__IP\", \"192.168.2.1\")\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__0__PASSIVE_IP_OVERRIDES__1__NETWORKS\", \"192.168.2.0/24\")\n\tcleanup := func() {\n\t\tos.Unsetenv(\"SFTPGO_FTPD__BINDINGS__0__PASSIVE_IP_OVERRIDES__0__IP\")\n\t\tos.Unsetenv(\"SFTPGO_FTPD__BINDINGS__0__PASSIVE_IP_OVERRIDES__0__NETWORKS\")\n\t\tos.Unsetenv(\"SFTPGO_FTPD__BINDINGS__0__PASSIVE_IP_OVERRIDES__1__IP\")\n\t\tos.Unsetenv(\"SFTPGO_FTPD__BINDINGS__0__PASSIVE_IP_OVERRIDES__1__NETWORKS\")\n\t}\n\tt.Cleanup(cleanup)\n\n\terr := config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tftpdConf := config.GetFTPDConfig()\n\trequire.Len(t, ftpdConf.Bindings, 1)\n\trequire.Len(t, ftpdConf.Bindings[0].PassiveIPOverrides, 2)\n\trequire.Equal(t, \"192.168.1.1\", ftpdConf.Bindings[0].PassiveIPOverrides[0].IP)\n\trequire.Len(t, ftpdConf.Bindings[0].PassiveIPOverrides[0].Networks, 2)\n\trequire.Equal(t, \"192.168.2.1\", ftpdConf.Bindings[0].PassiveIPOverrides[1].IP)\n\trequire.Len(t, ftpdConf.Bindings[0].PassiveIPOverrides[1].Networks, 1)\n\n\tcleanup()\n\tcfg := make(map[string]any)\n\tcfg[\"ftpd\"] = ftpdConf\n\tconfigAsJSON, err := json.Marshal(cfg)\n\trequire.NoError(t, err)\n\tconfName := tempConfigName + \".json\"\n\tconfigFilePath := filepath.Join(configDir, confName)\n\terr = os.WriteFile(configFilePath, configAsJSON, os.ModePerm)\n\tassert.NoError(t, err)\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__0__PASSIVE_IP_OVERRIDES__0__IP\", \"192.168.1.2\")\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__0__PASSIVE_IP_OVERRIDES__1__NETWORKS\", \"192.168.2.0/24,192.168.4.0/25\")\n\terr = config.LoadConfig(configDir, confName)\n\tassert.NoError(t, err)\n\tftpdConf = config.GetFTPDConfig()\n\trequire.Len(t, ftpdConf.Bindings, 1)\n\trequire.Len(t, ftpdConf.Bindings[0].PassiveIPOverrides, 2)\n\trequire.Equal(t, \"192.168.1.2\", ftpdConf.Bindings[0].PassiveIPOverrides[0].IP)\n\trequire.Len(t, ftpdConf.Bindings[0].PassiveIPOverrides[0].Networks, 2)\n\trequire.Equal(t, \"192.168.2.1\", ftpdConf.Bindings[0].PassiveIPOverrides[1].IP)\n\trequire.Len(t, ftpdConf.Bindings[0].PassiveIPOverrides[1].Networks, 2)\n\n\terr = os.Remove(configFilePath)\n\tassert.NoError(t, err)\n}\n\nfunc TestHTTPDSubObjectsFromEnv(t *testing.T) {\n\treset()\n\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__0__SECURITY__HTTPS_PROXY_HEADERS__0__KEY\", \"X-Forwarded-Proto\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__0__SECURITY__HTTPS_PROXY_HEADERS__0__VALUE\", \"https\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__0__OIDC__CLIENT_ID\", \"client_id\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__0__OIDC__CLIENT_SECRET\", \"client_secret\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__0__OIDC__CLIENT_SECRET_FILE\", \"client_secret_file\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__0__OIDC__CONFIG_URL\", \"config_url\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__0__OIDC__REDIRECT_BASE_URL\", \"redirect_base_url\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__0__OIDC__USERNAME_FIELD\", \"email\")\n\tcleanup := func() {\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__0__SECURITY__HTTPS_PROXY_HEADERS__0__KEY\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__0__SECURITY__HTTPS_PROXY_HEADERS__0__VALUE\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__0__OIDC__CLIENT_ID\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__0__OIDC__CLIENT_SECRET\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__0__OIDC__CLIENT_SECRET_FILE\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__0__OIDC__CONFIG_URL\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__0__OIDC__REDIRECT_BASE_URL\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__0__OIDC__USERNAME_FIELD\")\n\t}\n\tt.Cleanup(cleanup)\n\n\terr := config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\thttpdConf := config.GetHTTPDConfig()\n\trequire.Len(t, httpdConf.Bindings, 1)\n\trequire.Len(t, httpdConf.Bindings[0].Security.HTTPSProxyHeaders, 1)\n\trequire.Equal(t, \"client_id\", httpdConf.Bindings[0].OIDC.ClientID)\n\trequire.Equal(t, \"client_secret\", httpdConf.Bindings[0].OIDC.ClientSecret)\n\trequire.Equal(t, \"client_secret_file\", httpdConf.Bindings[0].OIDC.ClientSecretFile)\n\trequire.Equal(t, \"config_url\", httpdConf.Bindings[0].OIDC.ConfigURL)\n\trequire.Equal(t, \"redirect_base_url\", httpdConf.Bindings[0].OIDC.RedirectBaseURL)\n\trequire.Equal(t, \"email\", httpdConf.Bindings[0].OIDC.UsernameField)\n\n\tcleanup()\n\tcfg := make(map[string]any)\n\tcfg[\"httpd\"] = httpdConf\n\tconfigAsJSON, err := json.Marshal(cfg)\n\trequire.NoError(t, err)\n\tconfName := tempConfigName + \".json\"\n\tconfigFilePath := filepath.Join(configDir, confName)\n\terr = os.WriteFile(configFilePath, configAsJSON, os.ModePerm)\n\tassert.NoError(t, err)\n\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__0__SECURITY__HTTPS_PROXY_HEADERS__0__VALUE\", \"http\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__0__OIDC__CLIENT_SECRET\", \"new_client_secret\")\n\terr = config.LoadConfig(configDir, confName)\n\tassert.NoError(t, err)\n\thttpdConf = config.GetHTTPDConfig()\n\trequire.Len(t, httpdConf.Bindings, 1)\n\trequire.Len(t, httpdConf.Bindings[0].Security.HTTPSProxyHeaders, 1)\n\trequire.Equal(t, \"http\", httpdConf.Bindings[0].Security.HTTPSProxyHeaders[0].Value)\n\trequire.Equal(t, \"client_id\", httpdConf.Bindings[0].OIDC.ClientID)\n\trequire.Equal(t, \"new_client_secret\", httpdConf.Bindings[0].OIDC.ClientSecret)\n\trequire.Equal(t, \"config_url\", httpdConf.Bindings[0].OIDC.ConfigURL)\n\trequire.Equal(t, \"redirect_base_url\", httpdConf.Bindings[0].OIDC.RedirectBaseURL)\n\trequire.Equal(t, \"email\", httpdConf.Bindings[0].OIDC.UsernameField)\n\n\terr = os.Remove(configFilePath)\n\tassert.NoError(t, err)\n}\n\nfunc TestPluginsFromEnv(t *testing.T) {\n\treset()\n\n\tos.Setenv(\"SFTPGO_PLUGINS__0__TYPE\", \"notifier\")\n\tos.Setenv(\"SFTPGO_PLUGINS__0__NOTIFIER_OPTIONS__FS_EVENTS\", \"upload,download\")\n\tos.Setenv(\"SFTPGO_PLUGINS__0__NOTIFIER_OPTIONS__PROVIDER_EVENTS\", \"add,update\")\n\tos.Setenv(\"SFTPGO_PLUGINS__0__NOTIFIER_OPTIONS__PROVIDER_OBJECTS\", \"user,admin\")\n\tos.Setenv(\"SFTPGO_PLUGINS__0__NOTIFIER_OPTIONS__LOG_EVENTS\", \"a,1,2\")\n\tos.Setenv(\"SFTPGO_PLUGINS__0__NOTIFIER_OPTIONS__RETRY_MAX_TIME\", \"2\")\n\tos.Setenv(\"SFTPGO_PLUGINS__0__NOTIFIER_OPTIONS__RETRY_QUEUE_MAX_SIZE\", \"1000\")\n\tos.Setenv(\"SFTPGO_PLUGINS__0__CMD\", \"plugin_start_cmd\")\n\tos.Setenv(\"SFTPGO_PLUGINS__0__ARGS\", \"arg1,arg2\")\n\tos.Setenv(\"SFTPGO_PLUGINS__0__SHA256SUM\", \"0a71ded61fccd59c4f3695b51c1b3d180da8d2d77ea09ccee20dac242675c193\")\n\tos.Setenv(\"SFTPGO_PLUGINS__0__AUTO_MTLS\", \"1\")\n\tos.Setenv(\"SFTPGO_PLUGINS__0__KMS_OPTIONS__SCHEME\", kms.SchemeAWS)\n\tos.Setenv(\"SFTPGO_PLUGINS__0__KMS_OPTIONS__ENCRYPTED_STATUS\", kms.SecretStatusAWS)\n\tos.Setenv(\"SFTPGO_PLUGINS__0__AUTH_OPTIONS__SCOPE\", \"14\")\n\tos.Setenv(\"SFTPGO_PLUGINS__0__ENV_PREFIX\", \"prefix_\")\n\tos.Setenv(\"SFTPGO_PLUGINS__0__ENV_VARS\", \"a, b\")\n\n\tt.Cleanup(func() {\n\t\tos.Unsetenv(\"SFTPGO_PLUGINS__0__TYPE\")\n\t\tos.Unsetenv(\"SFTPGO_PLUGINS__0__NOTIFIER_OPTIONS__FS_EVENTS\")\n\t\tos.Unsetenv(\"SFTPGO_PLUGINS__0__NOTIFIER_OPTIONS__PROVIDER_EVENTS\")\n\t\tos.Unsetenv(\"SFTPGO_PLUGINS__0__NOTIFIER_OPTIONS__PROVIDER_OBJECTS\")\n\t\tos.Unsetenv(\"SFTPGO_PLUGINS__0__NOTIFIER_OPTIONS__LOG_EVENTS\")\n\t\tos.Unsetenv(\"SFTPGO_PLUGINS__0__NOTIFIER_OPTIONS__RETRY_MAX_TIME\")\n\t\tos.Unsetenv(\"SFTPGO_PLUGINS__0__NOTIFIER_OPTIONS__RETRY_QUEUE_MAX_SIZE\")\n\t\tos.Unsetenv(\"SFTPGO_PLUGINS__0__CMD\")\n\t\tos.Unsetenv(\"SFTPGO_PLUGINS__0__ARGS\")\n\t\tos.Unsetenv(\"SFTPGO_PLUGINS__0__SHA256SUM\")\n\t\tos.Unsetenv(\"SFTPGO_PLUGINS__0__AUTO_MTLS\")\n\t\tos.Unsetenv(\"SFTPGO_PLUGINS__0__KMS_OPTIONS__SCHEME\")\n\t\tos.Unsetenv(\"SFTPGO_PLUGINS__0__KMS_OPTIONS__ENCRYPTED_STATUS\")\n\t\tos.Unsetenv(\"SFTPGO_PLUGINS__0__AUTH_OPTIONS__SCOPE\")\n\t\tos.Unsetenv(\"SFTPGO_PLUGINS__0__ENV_PREFIX\")\n\t\tos.Unsetenv(\"SFTPGO_PLUGINS__0__ENV_VARS\")\n\t})\n\n\terr := config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tpluginsConf := config.GetPluginsConfig()\n\trequire.Len(t, pluginsConf, 1)\n\tpluginConf := pluginsConf[0]\n\trequire.Equal(t, \"notifier\", pluginConf.Type)\n\trequire.Len(t, pluginConf.NotifierOptions.FsEvents, 2)\n\trequire.True(t, slices.Contains(pluginConf.NotifierOptions.FsEvents, \"upload\"))\n\trequire.True(t, slices.Contains(pluginConf.NotifierOptions.FsEvents, \"download\"))\n\trequire.Len(t, pluginConf.NotifierOptions.ProviderEvents, 2)\n\trequire.Equal(t, \"add\", pluginConf.NotifierOptions.ProviderEvents[0])\n\trequire.Equal(t, \"update\", pluginConf.NotifierOptions.ProviderEvents[1])\n\trequire.Len(t, pluginConf.NotifierOptions.ProviderObjects, 2)\n\trequire.Equal(t, \"user\", pluginConf.NotifierOptions.ProviderObjects[0])\n\trequire.Equal(t, \"admin\", pluginConf.NotifierOptions.ProviderObjects[1])\n\trequire.Len(t, pluginConf.NotifierOptions.LogEvents, 2)\n\trequire.Equal(t, 1, pluginConf.NotifierOptions.LogEvents[0])\n\trequire.Equal(t, 2, pluginConf.NotifierOptions.LogEvents[1])\n\trequire.Equal(t, 2, pluginConf.NotifierOptions.RetryMaxTime)\n\trequire.Equal(t, 1000, pluginConf.NotifierOptions.RetryQueueMaxSize)\n\trequire.Equal(t, \"plugin_start_cmd\", pluginConf.Cmd)\n\trequire.Len(t, pluginConf.Args, 2)\n\trequire.Equal(t, \"arg1\", pluginConf.Args[0])\n\trequire.Equal(t, \"arg2\", pluginConf.Args[1])\n\trequire.Equal(t, \"0a71ded61fccd59c4f3695b51c1b3d180da8d2d77ea09ccee20dac242675c193\", pluginConf.SHA256Sum)\n\trequire.True(t, pluginConf.AutoMTLS)\n\trequire.Equal(t, kms.SchemeAWS, pluginConf.KMSOptions.Scheme)\n\trequire.Equal(t, kms.SecretStatusAWS, pluginConf.KMSOptions.EncryptedStatus)\n\trequire.Equal(t, 14, pluginConf.AuthOptions.Scope)\n\trequire.Equal(t, \"prefix_\", pluginConf.EnvPrefix)\n\trequire.Len(t, pluginConf.EnvVars, 2)\n\tassert.Equal(t, \"a\", pluginConf.EnvVars[0])\n\tassert.Equal(t, \"b\", pluginConf.EnvVars[1])\n\n\tcfg := make(map[string]any)\n\tcfg[\"plugins\"] = pluginConf\n\tconfigAsJSON, err := json.Marshal(cfg)\n\trequire.NoError(t, err)\n\tconfName := tempConfigName + \".json\"\n\tconfigFilePath := filepath.Join(configDir, confName)\n\terr = os.WriteFile(configFilePath, configAsJSON, os.ModePerm)\n\tassert.NoError(t, err)\n\n\tos.Setenv(\"SFTPGO_PLUGINS__0__CMD\", \"plugin_start_cmd1\")\n\tos.Setenv(\"SFTPGO_PLUGINS__0__ARGS\", \"\")\n\tos.Setenv(\"SFTPGO_PLUGINS__0__AUTO_MTLS\", \"0\")\n\tos.Setenv(\"SFTPGO_PLUGINS__0__KMS_OPTIONS__SCHEME\", kms.SchemeVaultTransit)\n\tos.Setenv(\"SFTPGO_PLUGINS__0__KMS_OPTIONS__ENCRYPTED_STATUS\", kms.SecretStatusVaultTransit)\n\tos.Setenv(\"SFTPGO_PLUGINS__0__ENV_PREFIX\", \"\")\n\tos.Setenv(\"SFTPGO_PLUGINS__0__ENV_VARS\", \"\")\n\terr = config.LoadConfig(configDir, confName)\n\tassert.NoError(t, err)\n\tpluginsConf = config.GetPluginsConfig()\n\trequire.Len(t, pluginsConf, 1)\n\tpluginConf = pluginsConf[0]\n\trequire.Equal(t, \"notifier\", pluginConf.Type)\n\trequire.Len(t, pluginConf.NotifierOptions.FsEvents, 2)\n\trequire.True(t, slices.Contains(pluginConf.NotifierOptions.FsEvents, \"upload\"))\n\trequire.True(t, slices.Contains(pluginConf.NotifierOptions.FsEvents, \"download\"))\n\trequire.Len(t, pluginConf.NotifierOptions.ProviderEvents, 2)\n\trequire.Equal(t, \"add\", pluginConf.NotifierOptions.ProviderEvents[0])\n\trequire.Equal(t, \"update\", pluginConf.NotifierOptions.ProviderEvents[1])\n\trequire.Len(t, pluginConf.NotifierOptions.ProviderObjects, 2)\n\trequire.Equal(t, \"user\", pluginConf.NotifierOptions.ProviderObjects[0])\n\trequire.Equal(t, \"admin\", pluginConf.NotifierOptions.ProviderObjects[1])\n\trequire.Equal(t, 2, pluginConf.NotifierOptions.RetryMaxTime)\n\trequire.Equal(t, 1000, pluginConf.NotifierOptions.RetryQueueMaxSize)\n\trequire.Equal(t, \"plugin_start_cmd1\", pluginConf.Cmd)\n\trequire.Len(t, pluginConf.Args, 0)\n\trequire.Equal(t, \"0a71ded61fccd59c4f3695b51c1b3d180da8d2d77ea09ccee20dac242675c193\", pluginConf.SHA256Sum)\n\trequire.False(t, pluginConf.AutoMTLS)\n\trequire.Equal(t, kms.SchemeVaultTransit, pluginConf.KMSOptions.Scheme)\n\trequire.Equal(t, kms.SecretStatusVaultTransit, pluginConf.KMSOptions.EncryptedStatus)\n\trequire.Equal(t, 14, pluginConf.AuthOptions.Scope)\n\tassert.Empty(t, pluginConf.EnvPrefix)\n\tassert.Len(t, pluginConf.EnvVars, 0)\n\n\terr = os.Remove(configFilePath)\n\tassert.NoError(t, err)\n}\n\nfunc TestRateLimitersFromEnv(t *testing.T) {\n\treset()\n\n\tos.Setenv(\"SFTPGO_COMMON__RATE_LIMITERS__0__AVERAGE\", \"100\")\n\tos.Setenv(\"SFTPGO_COMMON__RATE_LIMITERS__0__PERIOD\", \"2000\")\n\tos.Setenv(\"SFTPGO_COMMON__RATE_LIMITERS__0__BURST\", \"10\")\n\tos.Setenv(\"SFTPGO_COMMON__RATE_LIMITERS__0__TYPE\", \"2\")\n\tos.Setenv(\"SFTPGO_COMMON__RATE_LIMITERS__0__PROTOCOLS\", \"SSH, FTP\")\n\tos.Setenv(\"SFTPGO_COMMON__RATE_LIMITERS__0__GENERATE_DEFENDER_EVENTS\", \"1\")\n\tos.Setenv(\"SFTPGO_COMMON__RATE_LIMITERS__0__ENTRIES_SOFT_LIMIT\", \"50\")\n\tos.Setenv(\"SFTPGO_COMMON__RATE_LIMITERS__0__ENTRIES_HARD_LIMIT\", \"100\")\n\tos.Setenv(\"SFTPGO_COMMON__RATE_LIMITERS__8__AVERAGE\", \"50\")\n\tt.Cleanup(func() {\n\t\tos.Unsetenv(\"SFTPGO_COMMON__RATE_LIMITERS__0__AVERAGE\")\n\t\tos.Unsetenv(\"SFTPGO_COMMON__RATE_LIMITERS__0__PERIOD\")\n\t\tos.Unsetenv(\"SFTPGO_COMMON__RATE_LIMITERS__0__BURST\")\n\t\tos.Unsetenv(\"SFTPGO_COMMON__RATE_LIMITERS__0__TYPE\")\n\t\tos.Unsetenv(\"SFTPGO_COMMON__RATE_LIMITERS__0__PROTOCOLS\")\n\t\tos.Unsetenv(\"SFTPGO_COMMON__RATE_LIMITERS__0__GENERATE_DEFENDER_EVENTS\")\n\t\tos.Unsetenv(\"SFTPGO_COMMON__RATE_LIMITERS__0__ENTRIES_SOFT_LIMIT\")\n\t\tos.Unsetenv(\"SFTPGO_COMMON__RATE_LIMITERS__0__ENTRIES_HARD_LIMIT\")\n\t\tos.Unsetenv(\"SFTPGO_COMMON__RATE_LIMITERS__8__AVERAGE\")\n\t})\n\n\terr := config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tlimiters := config.GetCommonConfig().RateLimitersConfig\n\trequire.Len(t, limiters, 2)\n\trequire.Equal(t, int64(100), limiters[0].Average)\n\trequire.Equal(t, int64(2000), limiters[0].Period)\n\trequire.Equal(t, 10, limiters[0].Burst)\n\trequire.Equal(t, 2, limiters[0].Type)\n\tprotocols := limiters[0].Protocols\n\trequire.Len(t, protocols, 2)\n\trequire.True(t, slices.Contains(protocols, common.ProtocolFTP))\n\trequire.True(t, slices.Contains(protocols, common.ProtocolSSH))\n\trequire.True(t, limiters[0].GenerateDefenderEvents)\n\trequire.Equal(t, 50, limiters[0].EntriesSoftLimit)\n\trequire.Equal(t, 100, limiters[0].EntriesHardLimit)\n\trequire.Equal(t, int64(50), limiters[1].Average)\n\t// we check the default values here\n\trequire.Equal(t, int64(1000), limiters[1].Period)\n\trequire.Equal(t, 1, limiters[1].Burst)\n\trequire.Equal(t, 2, limiters[1].Type)\n\tprotocols = limiters[1].Protocols\n\trequire.Len(t, protocols, 4)\n\trequire.True(t, slices.Contains(protocols, common.ProtocolFTP))\n\trequire.True(t, slices.Contains(protocols, common.ProtocolSSH))\n\trequire.True(t, slices.Contains(protocols, common.ProtocolWebDAV))\n\trequire.True(t, slices.Contains(protocols, common.ProtocolHTTP))\n\trequire.False(t, limiters[1].GenerateDefenderEvents)\n\trequire.Equal(t, 100, limiters[1].EntriesSoftLimit)\n\trequire.Equal(t, 150, limiters[1].EntriesHardLimit)\n}\n\nfunc TestSFTPDBindingsFromEnv(t *testing.T) {\n\treset()\n\n\tos.Setenv(\"SFTPGO_SFTPD__BINDINGS__0__ADDRESS\", \"127.0.0.1\")\n\tos.Setenv(\"SFTPGO_SFTPD__BINDINGS__0__PORT\", \"2200\")\n\tos.Setenv(\"SFTPGO_SFTPD__BINDINGS__0__APPLY_PROXY_CONFIG\", \"false\")\n\tos.Setenv(\"SFTPGO_SFTPD__BINDINGS__3__ADDRESS\", \"127.0.1.1\")\n\tos.Setenv(\"SFTPGO_SFTPD__BINDINGS__3__PORT\", \"2203\")\n\tt.Cleanup(func() {\n\t\tos.Unsetenv(\"SFTPGO_SFTPD__BINDINGS__0__ADDRESS\")\n\t\tos.Unsetenv(\"SFTPGO_SFTPD__BINDINGS__0__PORT\")\n\t\tos.Unsetenv(\"SFTPGO_SFTPD__BINDINGS__0__APPLY_PROXY_CONFIG\")\n\t\tos.Unsetenv(\"SFTPGO_SFTPD__BINDINGS__3__ADDRESS\")\n\t\tos.Unsetenv(\"SFTPGO_SFTPD__BINDINGS__3__PORT\")\n\t})\n\n\terr := config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tbindings := config.GetSFTPDConfig().Bindings\n\trequire.Len(t, bindings, 2)\n\trequire.Equal(t, 2200, bindings[0].Port)\n\trequire.Equal(t, \"127.0.0.1\", bindings[0].Address)\n\trequire.False(t, bindings[0].ApplyProxyConfig)\n\trequire.Equal(t, 2203, bindings[1].Port)\n\trequire.Equal(t, \"127.0.1.1\", bindings[1].Address)\n\trequire.True(t, bindings[1].ApplyProxyConfig) // default value\n}\n\nfunc TestCommandsFromEnv(t *testing.T) {\n\treset()\n\n\tconfName := tempConfigName + \".json\"\n\tconfigFilePath := filepath.Join(configDir, confName)\n\terr := config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tcommandConfig := config.GetCommandConfig()\n\tcommandConfig.Commands = append(commandConfig.Commands, command.Command{\n\t\tPath: \"cmd\",\n\t\tTimeout: 10,\n\t\tEnv: []string{\"a=a\"},\n\t})\n\tc := make(map[string]command.Config)\n\tc[\"command\"] = commandConfig\n\tjsonConf, err := json.Marshal(c)\n\trequire.NoError(t, err)\n\terr = os.WriteFile(configFilePath, jsonConf, os.ModePerm)\n\trequire.NoError(t, err)\n\terr = config.LoadConfig(configDir, confName)\n\trequire.NoError(t, err)\n\tcommandConfig = config.GetCommandConfig()\n\trequire.Equal(t, 30, commandConfig.Timeout)\n\trequire.Len(t, commandConfig.Env, 0)\n\trequire.Len(t, commandConfig.Commands, 1)\n\trequire.Equal(t, \"cmd\", commandConfig.Commands[0].Path)\n\trequire.Equal(t, 10, commandConfig.Commands[0].Timeout)\n\trequire.Equal(t, []string{\"a=a\"}, commandConfig.Commands[0].Env)\n\n\tos.Setenv(\"SFTPGO_COMMAND__TIMEOUT\", \"25\")\n\tos.Setenv(\"SFTPGO_COMMAND__ENV\", \"a=b,c=d\")\n\tos.Setenv(\"SFTPGO_COMMAND__COMMANDS__0__PATH\", \"cmd1\")\n\tos.Setenv(\"SFTPGO_COMMAND__COMMANDS__0__TIMEOUT\", \"11\")\n\tos.Setenv(\"SFTPGO_COMMAND__COMMANDS__1__PATH\", \"cmd2\")\n\tos.Setenv(\"SFTPGO_COMMAND__COMMANDS__1__TIMEOUT\", \"20\")\n\tos.Setenv(\"SFTPGO_COMMAND__COMMANDS__1__ENV\", \"e=f\")\n\tos.Setenv(\"SFTPGO_COMMAND__COMMANDS__1__ARGS\", \"arg1, arg2\")\n\n\tt.Cleanup(func() {\n\t\tos.Unsetenv(\"SFTPGO_COMMAND__TIMEOUT\")\n\t\tos.Unsetenv(\"SFTPGO_COMMAND__ENV\")\n\t\tos.Unsetenv(\"SFTPGO_COMMAND__COMMANDS__0__PATH\")\n\t\tos.Unsetenv(\"SFTPGO_COMMAND__COMMANDS__0__TIMEOUT\")\n\t\tos.Unsetenv(\"SFTPGO_COMMAND__COMMANDS__1__PATH\")\n\t\tos.Unsetenv(\"SFTPGO_COMMAND__COMMANDS__1__TIMEOUT\")\n\t\tos.Unsetenv(\"SFTPGO_COMMAND__COMMANDS__1__ENV\")\n\t\tos.Unsetenv(\"SFTPGO_COMMAND__COMMANDS__1__ARGS\")\n\t})\n\n\terr = config.LoadConfig(configDir, confName)\n\tassert.NoError(t, err)\n\tcommandConfig = config.GetCommandConfig()\n\trequire.Equal(t, 25, commandConfig.Timeout)\n\trequire.Equal(t, []string{\"a=b\", \"c=d\"}, commandConfig.Env)\n\trequire.Len(t, commandConfig.Commands, 2)\n\trequire.Equal(t, \"cmd1\", commandConfig.Commands[0].Path)\n\trequire.Equal(t, 11, commandConfig.Commands[0].Timeout)\n\trequire.Equal(t, []string{\"a=a\"}, commandConfig.Commands[0].Env)\n\trequire.Equal(t, \"cmd2\", commandConfig.Commands[1].Path)\n\trequire.Equal(t, 20, commandConfig.Commands[1].Timeout)\n\trequire.Equal(t, []string{\"e=f\"}, commandConfig.Commands[1].Env)\n\trequire.Equal(t, []string{\"arg1\", \"arg2\"}, commandConfig.Commands[1].Args)\n\n\terr = os.Remove(configFilePath)\n\tassert.NoError(t, err)\n}\n\nfunc TestFTPDBindingsFromEnv(t *testing.T) {\n\treset()\n\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__0__ADDRESS\", \"127.0.0.1\")\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__0__PORT\", \"2200\")\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__0__APPLY_PROXY_CONFIG\", \"f\")\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__0__TLS_MODE\", \"2\")\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__0__FORCE_PASSIVE_IP\", \"127.0.1.2\")\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__0__PASSIVE_IP_OVERRIDES__0__IP\", \"172.16.1.1\")\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__0__PASSIVE_HOST\", \"127.0.1.3\")\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__0__TLS_CIPHER_SUITES\", \"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\")\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__0__PASSIVE_CONNECTIONS_SECURITY\", \"1\")\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__9__ADDRESS\", \"127.0.1.1\")\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__9__PORT\", \"2203\")\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__9__TLS_MODE\", \"1\")\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__9__MIN_TLS_VERSION\", \"13\")\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__9__FORCE_PASSIVE_IP\", \"127.0.1.1\")\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__9__PASSIVE_IP_OVERRIDES__3__IP\", \"192.168.1.1\")\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__9__PASSIVE_IP_OVERRIDES__3__NETWORKS\", \"192.168.1.0/24, 192.168.3.0/25\")\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__9__CLIENT_AUTH_TYPE\", \"2\")\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__9__DEBUG\", \"1\")\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__9__ACTIVE_CONNECTIONS_SECURITY\", \"1\")\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__9__IGNORE_ASCII_TRANSFER_TYPE\", \"1\")\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__9__CERTIFICATE_FILE\", \"cert.crt\")\n\tos.Setenv(\"SFTPGO_FTPD__BINDINGS__9__CERTIFICATE_KEY_FILE\", \"cert.key\")\n\n\tt.Cleanup(func() {\n\t\tos.Unsetenv(\"SFTPGO_FTPD__BINDINGS__0__ADDRESS\")\n\t\tos.Unsetenv(\"SFTPGO_FTPD__BINDINGS__0__PORT\")\n\t\tos.Unsetenv(\"SFTPGO_FTPD__BINDINGS__0__APPLY_PROXY_CONFIG\")\n\t\tos.Unsetenv(\"SFTPGO_FTPD__BINDINGS__0__TLS_MODE\")\n\t\tos.Unsetenv(\"SFTPGO_FTPD__BINDINGS__0__FORCE_PASSIVE_IP\")\n\t\tos.Unsetenv(\"SFTPGO_FTPD__BINDINGS__0__PASSIVE_IP_OVERRIDES__0__IP\")\n\t\tos.Unsetenv(\"SFTPGO_FTPD__BINDINGS__0__PASSIVE_HOST\")\n\t\tos.Unsetenv(\"SFTPGO_FTPD__BINDINGS__0__TLS_CIPHER_SUITES\")\n\t\tos.Unsetenv(\"SFTPGO_FTPD__BINDINGS__0__ACTIVE_CONNECTIONS_SECURITY\")\n\t\tos.Unsetenv(\"SFTPGO_FTPD__BINDINGS__9__ADDRESS\")\n\t\tos.Unsetenv(\"SFTPGO_FTPD__BINDINGS__9__PORT\")\n\t\tos.Unsetenv(\"SFTPGO_FTPD__BINDINGS__9__TLS_MODE\")\n\t\tos.Unsetenv(\"SFTPGO_FTPD__BINDINGS__9__MIN_TLS_VERSION\")\n\t\tos.Unsetenv(\"SFTPGO_FTPD__BINDINGS__9__FORCE_PASSIVE_IP\")\n\t\tos.Unsetenv(\"SFTPGO_FTPD__BINDINGS__9__PASSIVE_IP_OVERRIDES__3__IP\")\n\t\tos.Unsetenv(\"SFTPGO_FTPD__BINDINGS__9__PASSIVE_IP_OVERRIDES__3__NETWORKS\")\n\t\tos.Unsetenv(\"SFTPGO_FTPD__BINDINGS__9__CLIENT_AUTH_TYPE\")\n\t\tos.Unsetenv(\"SFTPGO_FTPD__BINDINGS__9__DEBUG\")\n\t\tos.Unsetenv(\"SFTPGO_FTPD__BINDINGS__9__ACTIVE_CONNECTIONS_SECURITY\")\n\t\tos.Unsetenv(\"SFTPGO_FTPD__BINDINGS__9__IGNORE_ASCII_TRANSFER_TYPE\")\n\t\tos.Unsetenv(\"SFTPGO_FTPD__BINDINGS__9__CERTIFICATE_FILE\")\n\t\tos.Unsetenv(\"SFTPGO_FTPD__BINDINGS__9__CERTIFICATE_KEY_FILE\")\n\t})\n\n\terr := config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tbindings := config.GetFTPDConfig().Bindings\n\trequire.Len(t, bindings, 2)\n\trequire.Equal(t, 2200, bindings[0].Port)\n\trequire.Equal(t, \"127.0.0.1\", bindings[0].Address)\n\trequire.False(t, bindings[0].ApplyProxyConfig)\n\trequire.Equal(t, 2, bindings[0].TLSMode)\n\trequire.Equal(t, 12, bindings[0].MinTLSVersion)\n\trequire.Equal(t, \"127.0.1.2\", bindings[0].ForcePassiveIP)\n\trequire.Len(t, bindings[0].PassiveIPOverrides, 0)\n\trequire.Equal(t, \"127.0.1.3\", bindings[0].PassiveHost)\n\trequire.Equal(t, 0, bindings[0].ClientAuthType)\n\trequire.Len(t, bindings[0].TLSCipherSuites, 2)\n\trequire.Equal(t, \"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\", bindings[0].TLSCipherSuites[0])\n\trequire.Equal(t, \"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\", bindings[0].TLSCipherSuites[1])\n\trequire.False(t, bindings[0].Debug)\n\trequire.Equal(t, 1, bindings[0].PassiveConnectionsSecurity)\n\trequire.Equal(t, 0, bindings[0].ActiveConnectionsSecurity)\n\trequire.Equal(t, 2203, bindings[1].Port)\n\trequire.Equal(t, \"127.0.1.1\", bindings[1].Address)\n\trequire.True(t, bindings[1].ApplyProxyConfig) // default value\n\trequire.Equal(t, 1, bindings[1].TLSMode)\n\trequire.Equal(t, 13, bindings[1].MinTLSVersion)\n\trequire.Equal(t, \"127.0.1.1\", bindings[1].ForcePassiveIP)\n\trequire.Empty(t, bindings[1].PassiveHost)\n\trequire.Len(t, bindings[1].PassiveIPOverrides, 1)\n\trequire.Equal(t, \"192.168.1.1\", bindings[1].PassiveIPOverrides[0].IP)\n\trequire.Len(t, bindings[1].PassiveIPOverrides[0].Networks, 2)\n\trequire.Equal(t, \"192.168.1.0/24\", bindings[1].PassiveIPOverrides[0].Networks[0])\n\trequire.Equal(t, \"192.168.3.0/25\", bindings[1].PassiveIPOverrides[0].Networks[1])\n\trequire.Equal(t, 2, bindings[1].ClientAuthType)\n\trequire.Nil(t, bindings[1].TLSCipherSuites)\n\trequire.Equal(t, 0, bindings[1].PassiveConnectionsSecurity)\n\trequire.Equal(t, 1, bindings[1].ActiveConnectionsSecurity)\n\trequire.True(t, bindings[1].Debug)\n\trequire.Equal(t, \"cert.crt\", bindings[1].CertificateFile)\n\trequire.Equal(t, \"cert.key\", bindings[1].CertificateKeyFile)\n}\n\nfunc TestWebDAVMimeCache(t *testing.T) {\n\treset()\n\n\terr := config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\twebdavdConf := config.GetWebDAVDConfig()\n\twebdavdConf.Cache.MimeTypes.CustomMappings = []webdavd.CustomMimeMapping{\n\t\t{\n\t\t\tExt: \".custom\",\n\t\t\tMime: \"application/custom\",\n\t\t},\n\t}\n\tcfg := map[string]any{\n\t\t\"webdavd\": webdavdConf,\n\t}\n\tdata, err := json.Marshal(cfg)\n\tassert.NoError(t, err)\n\tconfName := tempConfigName + \".json\"\n\tconfigFilePath := filepath.Join(configDir, confName)\n\terr = os.WriteFile(configFilePath, data, 0666)\n\tassert.NoError(t, err)\n\n\treset()\n\terr = config.LoadConfig(configDir, confName)\n\tassert.NoError(t, err)\n\tmappings := config.GetWebDAVDConfig().Cache.MimeTypes.CustomMappings\n\tif assert.Len(t, mappings, 1) {\n\t\tassert.Equal(t, \".custom\", mappings[0].Ext)\n\t\tassert.Equal(t, \"application/custom\", mappings[0].Mime)\n\t}\n\t// now add from env\n\tos.Setenv(\"SFTPGO_WEBDAVD__CACHE__MIME_TYPES__CUSTOM_MAPPINGS__1__EXT\", \".custom1\")\n\tos.Setenv(\"SFTPGO_WEBDAVD__CACHE__MIME_TYPES__CUSTOM_MAPPINGS__1__MIME\", \"application/custom1\")\n\tt.Cleanup(func() {\n\t\tos.Unsetenv(\"SFTPGO_WEBDAVD__CACHE__MIME_TYPES__CUSTOM_MAPPINGS__0__EXT\")\n\t\tos.Unsetenv(\"SFTPGO_WEBDAVD__CACHE__MIME_TYPES__CUSTOM_MAPPINGS__0__MIME\")\n\t\tos.Unsetenv(\"SFTPGO_WEBDAVD__CACHE__MIME_TYPES__CUSTOM_MAPPINGS__1__EXT\")\n\t\tos.Unsetenv(\"SFTPGO_WEBDAVD__CACHE__MIME_TYPES__CUSTOM_MAPPINGS__1__MIME\")\n\t})\n\treset()\n\terr = config.LoadConfig(configDir, confName)\n\tassert.NoError(t, err)\n\tmappings = config.GetWebDAVDConfig().Cache.MimeTypes.CustomMappings\n\tif assert.Len(t, mappings, 2) {\n\t\tassert.Equal(t, \".custom\", mappings[0].Ext)\n\t\tassert.Equal(t, \"application/custom\", mappings[0].Mime)\n\t\tassert.Equal(t, \".custom1\", mappings[1].Ext)\n\t\tassert.Equal(t, \"application/custom1\", mappings[1].Mime)\n\t}\n\t// override from env\n\tos.Setenv(\"SFTPGO_WEBDAVD__CACHE__MIME_TYPES__CUSTOM_MAPPINGS__0__EXT\", \".custom0\")\n\tos.Setenv(\"SFTPGO_WEBDAVD__CACHE__MIME_TYPES__CUSTOM_MAPPINGS__0__MIME\", \"application/custom0\")\n\treset()\n\terr = config.LoadConfig(configDir, confName)\n\tassert.NoError(t, err)\n\tmappings = config.GetWebDAVDConfig().Cache.MimeTypes.CustomMappings\n\tif assert.Len(t, mappings, 2) {\n\t\tassert.Equal(t, \".custom0\", mappings[0].Ext)\n\t\tassert.Equal(t, \"application/custom0\", mappings[0].Mime)\n\t\tassert.Equal(t, \".custom1\", mappings[1].Ext)\n\t\tassert.Equal(t, \"application/custom1\", mappings[1].Mime)\n\t}\n\terr = os.Remove(configFilePath)\n\tassert.NoError(t, err)\n}\n\nfunc TestWebDAVBindingsFromEnv(t *testing.T) {\n\treset()\n\n\tos.Setenv(\"SFTPGO_WEBDAVD__BINDINGS__1__ADDRESS\", \"127.0.0.1\")\n\tos.Setenv(\"SFTPGO_WEBDAVD__BINDINGS__1__PORT\", \"8000\")\n\tos.Setenv(\"SFTPGO_WEBDAVD__BINDINGS__1__ENABLE_HTTPS\", \"0\")\n\tos.Setenv(\"SFTPGO_WEBDAVD__BINDINGS__1__TLS_CIPHER_SUITES\", \"TLS_RSA_WITH_AES_128_CBC_SHA \")\n\tos.Setenv(\"SFTPGO_WEBDAVD__BINDINGS__1__TLS_PROTOCOLS\", \"http/1.1 \")\n\tos.Setenv(\"SFTPGO_WEBDAVD__BINDINGS__1__PROXY_MODE\", \"1\")\n\tos.Setenv(\"SFTPGO_WEBDAVD__BINDINGS__1__PROXY_ALLOWED\", \"192.168.10.1\")\n\tos.Setenv(\"SFTPGO_WEBDAVD__BINDINGS__1__CLIENT_IP_PROXY_HEADER\", \"X-Forwarded-For\")\n\tos.Setenv(\"SFTPGO_WEBDAVD__BINDINGS__1__CLIENT_IP_HEADER_DEPTH\", \"2\")\n\tos.Setenv(\"SFTPGO_WEBDAVD__BINDINGS__2__ADDRESS\", \"127.0.1.1\")\n\tos.Setenv(\"SFTPGO_WEBDAVD__BINDINGS__2__PORT\", \"9000\")\n\tos.Setenv(\"SFTPGO_WEBDAVD__BINDINGS__2__ENABLE_HTTPS\", \"1\")\n\tos.Setenv(\"SFTPGO_WEBDAVD__BINDINGS__2__MIN_TLS_VERSION\", \"13\")\n\tos.Setenv(\"SFTPGO_WEBDAVD__BINDINGS__2__CLIENT_AUTH_TYPE\", \"1\")\n\tos.Setenv(\"SFTPGO_WEBDAVD__BINDINGS__2__PREFIX\", \"/dav2\")\n\tos.Setenv(\"SFTPGO_WEBDAVD__BINDINGS__2__CERTIFICATE_FILE\", \"webdav.crt\")\n\tos.Setenv(\"SFTPGO_WEBDAVD__BINDINGS__2__CERTIFICATE_KEY_FILE\", \"webdav.key\")\n\tos.Setenv(\"SFTPGO_WEBDAVD__BINDINGS__2__DISABLE_WWW_AUTH_HEADER\", \"1\")\n\n\tt.Cleanup(func() {\n\t\tos.Unsetenv(\"SFTPGO_WEBDAVD__BINDINGS__1__ADDRESS\")\n\t\tos.Unsetenv(\"SFTPGO_WEBDAVD__BINDINGS__1__PORT\")\n\t\tos.Unsetenv(\"SFTPGO_WEBDAVD__BINDINGS__1__ENABLE_HTTPS\")\n\t\tos.Unsetenv(\"SFTPGO_WEBDAVD__BINDINGS__1__TLS_CIPHER_SUITES\")\n\t\tos.Unsetenv(\"SFTPGO_WEBDAVD__BINDINGS__1__TLS_PROTOCOLS\")\n\t\tos.Unsetenv(\"SFTPGO_WEBDAVD__BINDINGS__1__PROXY_MODE\")\n\t\tos.Unsetenv(\"SFTPGO_WEBDAVD__BINDINGS__1__PROXY_ALLOWED\")\n\t\tos.Unsetenv(\"SFTPGO_WEBDAVD__BINDINGS__1__CLIENT_IP_PROXY_HEADER\")\n\t\tos.Unsetenv(\"SFTPGO_WEBDAVD__BINDINGS__1__CLIENT_IP_HEADER_DEPTH\")\n\t\tos.Unsetenv(\"SFTPGO_WEBDAVD__BINDINGS__2__ADDRESS\")\n\t\tos.Unsetenv(\"SFTPGO_WEBDAVD__BINDINGS__2__PORT\")\n\t\tos.Unsetenv(\"SFTPGO_WEBDAVD__BINDINGS__2__ENABLE_HTTPS\")\n\t\tos.Unsetenv(\"SFTPGO_WEBDAVD__BINDINGS__2__MIN_TLS_VERSION\")\n\t\tos.Unsetenv(\"SFTPGO_WEBDAVD__BINDINGS__2__CLIENT_AUTH_TYPE\")\n\t\tos.Unsetenv(\"SFTPGO_WEBDAVD__BINDINGS__2__PREFIX\")\n\t\tos.Unsetenv(\"SFTPGO_WEBDAVD__BINDINGS__2__CERTIFICATE_FILE\")\n\t\tos.Unsetenv(\"SFTPGO_WEBDAVD__BINDINGS__2__CERTIFICATE_KEY_FILE\")\n\t\tos.Unsetenv(\"SFTPGO_WEBDAVD__BINDINGS__2__DISABLE_WWW_AUTH_HEADER\")\n\t})\n\n\terr := config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tbindings := config.GetWebDAVDConfig().Bindings\n\trequire.Len(t, bindings, 3)\n\trequire.Equal(t, 0, bindings[0].Port)\n\trequire.Empty(t, bindings[0].Address)\n\trequire.False(t, bindings[0].EnableHTTPS)\n\trequire.Equal(t, 12, bindings[0].MinTLSVersion)\n\trequire.Len(t, bindings[0].TLSCipherSuites, 0)\n\trequire.Len(t, bindings[0].Protocols, 0)\n\trequire.Equal(t, 0, bindings[0].ProxyMode)\n\trequire.Empty(t, bindings[0].Prefix)\n\trequire.Equal(t, 0, bindings[0].ClientIPHeaderDepth)\n\trequire.False(t, bindings[0].DisableWWWAuthHeader)\n\trequire.Equal(t, 8000, bindings[1].Port)\n\trequire.Equal(t, \"127.0.0.1\", bindings[1].Address)\n\trequire.False(t, bindings[1].EnableHTTPS)\n\trequire.Equal(t, 12, bindings[1].MinTLSVersion)\n\trequire.Equal(t, 0, bindings[1].ClientAuthType)\n\trequire.Len(t, bindings[1].TLSCipherSuites, 1)\n\trequire.Equal(t, \"TLS_RSA_WITH_AES_128_CBC_SHA\", bindings[1].TLSCipherSuites[0])\n\trequire.Len(t, bindings[1].Protocols, 1)\n\tassert.Equal(t, \"http/1.1\", bindings[1].Protocols[0])\n\trequire.Equal(t, 1, bindings[1].ProxyMode)\n\trequire.Equal(t, \"192.168.10.1\", bindings[1].ProxyAllowed[0])\n\trequire.Equal(t, \"X-Forwarded-For\", bindings[1].ClientIPProxyHeader)\n\trequire.Equal(t, 2, bindings[1].ClientIPHeaderDepth)\n\trequire.Empty(t, bindings[1].Prefix)\n\trequire.False(t, bindings[1].DisableWWWAuthHeader)\n\trequire.Equal(t, 9000, bindings[2].Port)\n\trequire.Equal(t, \"127.0.1.1\", bindings[2].Address)\n\trequire.True(t, bindings[2].EnableHTTPS)\n\trequire.Equal(t, 13, bindings[2].MinTLSVersion)\n\trequire.Equal(t, 1, bindings[2].ClientAuthType)\n\trequire.Equal(t, 0, bindings[2].ProxyMode)\n\trequire.Nil(t, bindings[2].TLSCipherSuites)\n\trequire.Equal(t, \"/dav2\", bindings[2].Prefix)\n\trequire.Equal(t, \"webdav.crt\", bindings[2].CertificateFile)\n\trequire.Equal(t, \"webdav.key\", bindings[2].CertificateKeyFile)\n\trequire.Equal(t, 0, bindings[2].ClientIPHeaderDepth)\n\trequire.True(t, bindings[2].DisableWWWAuthHeader)\n}\n\nfunc TestHTTPDBindingsFromEnv(t *testing.T) {\n\treset()\n\n\tsockPath := filepath.Clean(os.TempDir())\n\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__0__ADDRESS\", sockPath)\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__0__PORT\", \"0\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__0__TLS_CIPHER_SUITES\", \" TLS_AES_128_GCM_SHA256\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__1__ADDRESS\", \"127.0.0.1\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__1__PORT\", \"8000\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__1__ENABLE_HTTPS\", \"0\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__1__HIDE_LOGIN_URL\", \" 1\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__1__BRANDING__WEB_ADMIN__NAME\", \"Web Admin\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__1__BRANDING__WEB_CLIENT__SHORT_NAME\", \"WebClient\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__ADDRESS\", \"127.0.1.1\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__PORT\", \"9000\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__ENABLE_WEB_ADMIN\", \"0\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__ENABLE_WEB_CLIENT\", \"0\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__ENABLE_REST_API\", \"0\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__ENABLED_LOGIN_METHODS\", \"3\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__DISABLED_LOGIN_METHODS\", \"12\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__RENDER_OPENAPI\", \"0\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__BASE_URL\", \"https://example.com\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__LANGUAGES\", \"en,es\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__ENABLE_HTTPS\", \"1 \")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__MIN_TLS_VERSION\", \"13\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__CLIENT_AUTH_TYPE\", \"1\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__TLS_CIPHER_SUITES\", \" TLS_AES_256_GCM_SHA384 , TLS_CHACHA20_POLY1305_SHA256\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__TLS_PROTOCOLS\", \"h2, http/1.1\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__PROXY_MODE\", \"1\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__PROXY_ALLOWED\", \" 192.168.9.1 , 172.16.25.0/24\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__CLIENT_IP_PROXY_HEADER\", \"X-Real-IP\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__CLIENT_IP_HEADER_DEPTH\", \"2\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__HIDE_LOGIN_URL\", \"3\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__OIDC__CLIENT_ID\", \"client id\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__OIDC__CLIENT_SECRET\", \"client secret\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__OIDC__CONFIG_URL\", \"config url\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__OIDC__REDIRECT_BASE_URL\", \"redirect base url\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__OIDC__USERNAME_FIELD\", \"preferred_username\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__OIDC__ROLE_FIELD\", \"sftpgo_role\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__OIDC__SCOPES\", \"openid\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__OIDC__IMPLICIT_ROLES\", \"1\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__OIDC__CUSTOM_FIELDS\", \"field1,field2\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__OIDC__INSECURE_SKIP_SIGNATURE_CHECK\", \"1\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__OIDC__DEBUG\", \"1\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__ENABLED\", \"true\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__ALLOWED_HOSTS\", \"*.example.com,*.example.net\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__ALLOWED_HOSTS_ARE_REGEX\", \"1\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__HOSTS_PROXY_HEADERS\", \"X-Forwarded-Host\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__HTTPS_REDIRECT\", \"1\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__HTTPS_HOST\", \"www.example.com\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__HTTPS_PROXY_HEADERS__1__KEY\", \"X-Forwarded-Proto\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__HTTPS_PROXY_HEADERS__1__VALUE\", \"https\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__STS_SECONDS\", \"31536000\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__STS_INCLUDE_SUBDOMAINS\", \"false\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__STS_PRELOAD\", \"0\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__CONTENT_TYPE_NOSNIFF\", \"t\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__CONTENT_SECURITY_POLICY\", \"script-src $NONCE\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__PERMISSIONS_POLICY\", \"fullscreen=(), geolocation=()\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__CROSS_ORIGIN_OPENER_POLICY\", \"same-origin\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__CROSS_ORIGIN_RESOURCE_POLICY\", \"same-site\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__CROSS_ORIGIN_EMBEDDER_POLICY\", \"require-corp\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__CACHE_CONTROL\", \"private\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__REFERRER_POLICY\", \"no-referrer\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__EXTRA_CSS__0__PATH\", \"path1\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__EXTRA_CSS__1__PATH\", \"path2\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__BRANDING__WEB_ADMIN__FAVICON_PATH\", \"favicon.ico\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__BRANDING__WEB_CLIENT__LOGO_PATH\", \"logo.png\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__BRANDING__WEB_CLIENT__DISCLAIMER_NAME\", \"disclaimer\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__BRANDING__WEB_ADMIN__DISCLAIMER_PATH\", \"disclaimer.html\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__BRANDING__WEB_CLIENT__DEFAULT_CSS\", \"default.css\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__BRANDING__WEB_CLIENT__EXTRA_CSS\", \"1.css,2.css\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__CERTIFICATE_FILE\", \"httpd.crt\")\n\tos.Setenv(\"SFTPGO_HTTPD__BINDINGS__2__CERTIFICATE_KEY_FILE\", \"httpd.key\")\n\n\tt.Cleanup(func() {\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__0__ADDRESS\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__0__PORT\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__0__TLS_CIPHER_SUITES\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__1__ADDRESS\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__1__PORT\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__1__ENABLE_HTTPS\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__1__HIDE_LOGIN_URL\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__1__BRANDING__WEB_ADMIN__NAME\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__1__BRANDING__WEB_CLIENT__SHORT_NAME\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__1__EXTRA_CSS__0__PATH\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__ADDRESS\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__PORT\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__ENABLE_HTTPS\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__MIN_TLS_VERSION\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__ENABLE_WEB_ADMIN\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__ENABLE_WEB_CLIENT\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__ENABLE_REST_API\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__ENABLED_LOGIN_METHODS\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__DISABLED_LOGIN_METHODS\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__RENDER_OPENAPI\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__BASE_URL\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__LANGUAGES\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__CLIENT_AUTH_TYPE\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__TLS_CIPHER_SUITES\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__TLS_PROTOCOLS\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__PROXY_MODE\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__PROXY_ALLOWED\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__CLIENT_IP_PROXY_HEADER\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__CLIENT_IP_HEADER_DEPTH\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__HIDE_LOGIN_URL\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__OIDC__CLIENT_ID\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__OIDC__CLIENT_SECRET\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__OIDC__CONFIG_URL\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__OIDC__REDIRECT_BASE_URL\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__OIDC__USERNAME_FIELD\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__OIDC__ROLE_FIELD\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__OIDC__SCOPES\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__OIDC__IMPLICIT_ROLES\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__OIDC__CUSTOM_FIELDS\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__OIDC__INSECURE_SKIP_SIGNATURE_CHECK\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__OIDC__DEBUG\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__ENABLED\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__ALLOWED_HOSTS\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__ALLOWED_HOSTS_ARE_REGEX\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__HOSTS_PROXY_HEADERS\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__HTTPS_REDIRECT\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__HTTPS_HOST\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__HTTPS_PROXY_HEADERS__1__KEY\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__HTTPS_PROXY_HEADERS__1__VALUE\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__STS_SECONDS\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__STS_INCLUDE_SUBDOMAINS\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__STS_PRELOAD\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__CONTENT_TYPE_NOSNIFF\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__CONTENT_SECURITY_POLICY\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__PERMISSIONS_POLICY\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__CROSS_ORIGIN_OPENER_POLICY\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__CROSS_ORIGIN_RESOURCE_POLICY\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__CROSS_ORIGIN_EMBEDDER_POLICY\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__CACHE_CONTROL\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__SECURITY__REFERRER_POLICY\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__EXTRA_CSS__0__PATH\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__EXTRA_CSS__1__PATH\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__BRANDING__WEB_ADMIN__FAVICON_PATH\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__BRANDING__WEB_CLIENT__LOGO_PATH\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__BRANDING__WEB_CLIENT__DISCLAIMER_NAME\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__BRANDING__WEB_ADMIN__DISCLAIMER_PATH\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__BRANDING__WEB_CLIENT__DEFAULT_CSS\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__BRANDING__WEB_CLIENT__EXTRA_CSS\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__CERTIFICATE_FILE\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__BINDINGS__2__CERTIFICATE_KEY_FILE\")\n\t})\n\n\terr := config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tbindings := config.GetHTTPDConfig().Bindings\n\trequire.Len(t, bindings, 3)\n\trequire.Equal(t, 0, bindings[0].Port)\n\trequire.Equal(t, sockPath, bindings[0].Address)\n\trequire.False(t, bindings[0].EnableHTTPS)\n\trequire.Len(t, bindings[0].Protocols, 0)\n\trequire.Equal(t, 12, bindings[0].MinTLSVersion)\n\trequire.True(t, bindings[0].EnableWebAdmin)\n\trequire.True(t, bindings[0].EnableWebClient)\n\trequire.True(t, bindings[0].EnableRESTAPI)\n\trequire.Equal(t, 0, bindings[0].EnabledLoginMethods)\n\trequire.Equal(t, 0, bindings[0].DisabledLoginMethods)\n\trequire.True(t, bindings[0].RenderOpenAPI)\n\trequire.Empty(t, bindings[0].BaseURL)\n\trequire.Len(t, bindings[0].Languages, 1)\n\tassert.Contains(t, bindings[0].Languages, \"en\")\n\trequire.Len(t, bindings[0].TLSCipherSuites, 1)\n\trequire.Equal(t, 0, bindings[0].ProxyMode)\n\trequire.Empty(t, bindings[0].OIDC.ConfigURL)\n\trequire.Equal(t, \"TLS_AES_128_GCM_SHA256\", bindings[0].TLSCipherSuites[0])\n\trequire.Equal(t, 0, bindings[0].HideLoginURL)\n\trequire.False(t, bindings[0].Security.Enabled)\n\trequire.Equal(t, 0, bindings[0].ClientIPHeaderDepth)\n\trequire.Len(t, bindings[0].OIDC.Scopes, 3)\n\trequire.False(t, bindings[0].OIDC.InsecureSkipSignatureCheck)\n\trequire.False(t, bindings[0].OIDC.Debug)\n\trequire.Empty(t, bindings[0].Security.ReferrerPolicy)\n\trequire.Equal(t, 8000, bindings[1].Port)\n\trequire.Equal(t, \"127.0.0.1\", bindings[1].Address)\n\trequire.False(t, bindings[1].EnableHTTPS)\n\trequire.Equal(t, 12, bindings[0].MinTLSVersion)\n\trequire.True(t, bindings[1].EnableWebAdmin)\n\trequire.True(t, bindings[1].EnableWebClient)\n\trequire.True(t, bindings[1].EnableRESTAPI)\n\trequire.Equal(t, 0, bindings[1].EnabledLoginMethods)\n\trequire.Equal(t, 0, bindings[1].DisabledLoginMethods)\n\trequire.True(t, bindings[1].RenderOpenAPI)\n\trequire.Empty(t, bindings[1].BaseURL)\n\trequire.Len(t, bindings[1].Languages, 1)\n\tassert.Contains(t, bindings[1].Languages, \"en\")\n\trequire.Nil(t, bindings[1].TLSCipherSuites)\n\trequire.Equal(t, 1, bindings[1].HideLoginURL)\n\trequire.Empty(t, bindings[1].OIDC.ClientID)\n\trequire.Len(t, bindings[1].OIDC.Scopes, 3)\n\trequire.False(t, bindings[1].OIDC.InsecureSkipSignatureCheck)\n\trequire.False(t, bindings[1].OIDC.Debug)\n\trequire.False(t, bindings[1].Security.Enabled)\n\trequire.Equal(t, \"Web Admin\", bindings[1].Branding.WebAdmin.Name)\n\trequire.Equal(t, \"WebClient\", bindings[1].Branding.WebClient.ShortName)\n\trequire.Equal(t, 0, bindings[1].ProxyMode)\n\trequire.Equal(t, 0, bindings[1].ClientIPHeaderDepth)\n\trequire.Equal(t, 9000, bindings[2].Port)\n\trequire.Equal(t, \"127.0.1.1\", bindings[2].Address)\n\trequire.True(t, bindings[2].EnableHTTPS)\n\trequire.Equal(t, 13, bindings[2].MinTLSVersion)\n\trequire.False(t, bindings[2].EnableWebAdmin)\n\trequire.False(t, bindings[2].EnableWebClient)\n\trequire.False(t, bindings[2].EnableRESTAPI)\n\trequire.Equal(t, 3, bindings[2].EnabledLoginMethods)\n\trequire.Equal(t, 12, bindings[2].DisabledLoginMethods)\n\trequire.False(t, bindings[2].RenderOpenAPI)\n\trequire.Equal(t, \"https://example.com\", bindings[2].BaseURL)\n\trequire.Len(t, bindings[2].Languages, 2)\n\tassert.Contains(t, bindings[2].Languages, \"en\")\n\tassert.Contains(t, bindings[2].Languages, \"es\")\n\trequire.Equal(t, 1, bindings[2].ClientAuthType)\n\trequire.Len(t, bindings[2].TLSCipherSuites, 2)\n\trequire.Equal(t, \"TLS_AES_256_GCM_SHA384\", bindings[2].TLSCipherSuites[0])\n\trequire.Equal(t, \"TLS_CHACHA20_POLY1305_SHA256\", bindings[2].TLSCipherSuites[1])\n\trequire.Len(t, bindings[2].Protocols, 2)\n\trequire.Equal(t, \"h2\", bindings[2].Protocols[0])\n\trequire.Equal(t, \"http/1.1\", bindings[2].Protocols[1])\n\trequire.Equal(t, 1, bindings[2].ProxyMode)\n\trequire.Len(t, bindings[2].ProxyAllowed, 2)\n\trequire.Equal(t, \"192.168.9.1\", bindings[2].ProxyAllowed[0])\n\trequire.Equal(t, \"172.16.25.0/24\", bindings[2].ProxyAllowed[1])\n\trequire.Equal(t, \"X-Real-IP\", bindings[2].ClientIPProxyHeader)\n\trequire.Equal(t, 2, bindings[2].ClientIPHeaderDepth)\n\trequire.Equal(t, 3, bindings[2].HideLoginURL)\n\trequire.Equal(t, \"client id\", bindings[2].OIDC.ClientID)\n\trequire.Equal(t, \"client secret\", bindings[2].OIDC.ClientSecret)\n\trequire.Equal(t, \"config url\", bindings[2].OIDC.ConfigURL)\n\trequire.Equal(t, \"redirect base url\", bindings[2].OIDC.RedirectBaseURL)\n\trequire.Equal(t, \"preferred_username\", bindings[2].OIDC.UsernameField)\n\trequire.Equal(t, \"sftpgo_role\", bindings[2].OIDC.RoleField)\n\trequire.Len(t, bindings[2].OIDC.Scopes, 1)\n\trequire.Equal(t, \"openid\", bindings[2].OIDC.Scopes[0])\n\trequire.True(t, bindings[2].OIDC.ImplicitRoles)\n\trequire.Len(t, bindings[2].OIDC.CustomFields, 2)\n\trequire.Equal(t, \"field1\", bindings[2].OIDC.CustomFields[0])\n\trequire.Equal(t, \"field2\", bindings[2].OIDC.CustomFields[1])\n\trequire.True(t, bindings[2].OIDC.InsecureSkipSignatureCheck)\n\trequire.True(t, bindings[2].OIDC.Debug)\n\trequire.True(t, bindings[2].Security.Enabled)\n\trequire.Len(t, bindings[2].Security.AllowedHosts, 2)\n\trequire.Equal(t, \"*.example.com\", bindings[2].Security.AllowedHosts[0])\n\trequire.Equal(t, \"*.example.net\", bindings[2].Security.AllowedHosts[1])\n\trequire.True(t, bindings[2].Security.AllowedHostsAreRegex)\n\trequire.Len(t, bindings[2].Security.HostsProxyHeaders, 1)\n\trequire.Equal(t, \"X-Forwarded-Host\", bindings[2].Security.HostsProxyHeaders[0])\n\trequire.True(t, bindings[2].Security.HTTPSRedirect)\n\trequire.Equal(t, \"www.example.com\", bindings[2].Security.HTTPSHost)\n\trequire.Len(t, bindings[2].Security.HTTPSProxyHeaders, 1)\n\trequire.Equal(t, \"X-Forwarded-Proto\", bindings[2].Security.HTTPSProxyHeaders[0].Key)\n\trequire.Equal(t, \"https\", bindings[2].Security.HTTPSProxyHeaders[0].Value)\n\trequire.Equal(t, int64(31536000), bindings[2].Security.STSSeconds)\n\trequire.False(t, bindings[2].Security.STSIncludeSubdomains)\n\trequire.False(t, bindings[2].Security.STSPreload)\n\trequire.True(t, bindings[2].Security.ContentTypeNosniff)\n\trequire.Equal(t, \"script-src $NONCE\", bindings[2].Security.ContentSecurityPolicy)\n\trequire.Equal(t, \"fullscreen=(), geolocation=()\", bindings[2].Security.PermissionsPolicy)\n\trequire.Equal(t, \"same-origin\", bindings[2].Security.CrossOriginOpenerPolicy)\n\trequire.Equal(t, \"same-site\", bindings[2].Security.CrossOriginResourcePolicy)\n\trequire.Equal(t, \"require-corp\", bindings[2].Security.CrossOriginEmbedderPolicy)\n\trequire.Equal(t, \"private\", bindings[2].Security.CacheControl)\n\trequire.Equal(t, \"no-referrer\", bindings[2].Security.ReferrerPolicy)\n\trequire.Equal(t, \"favicon.ico\", bindings[2].Branding.WebAdmin.FaviconPath)\n\trequire.Equal(t, \"logo.png\", bindings[2].Branding.WebClient.LogoPath)\n\trequire.Equal(t, \"disclaimer\", bindings[2].Branding.WebClient.DisclaimerName)\n\trequire.Equal(t, \"disclaimer.html\", bindings[2].Branding.WebAdmin.DisclaimerPath)\n\trequire.Equal(t, []string{\"default.css\"}, bindings[2].Branding.WebClient.DefaultCSS)\n\trequire.Len(t, bindings[2].Branding.WebClient.ExtraCSS, 2)\n\trequire.Equal(t, \"1.css\", bindings[2].Branding.WebClient.ExtraCSS[0])\n\trequire.Equal(t, \"2.css\", bindings[2].Branding.WebClient.ExtraCSS[1])\n\trequire.Equal(t, \"httpd.crt\", bindings[2].CertificateFile)\n\trequire.Equal(t, \"httpd.key\", bindings[2].CertificateKeyFile)\n}\n\nfunc TestHTTPClientCertificatesFromEnv(t *testing.T) {\n\treset()\n\n\tconfName := tempConfigName + \".json\"\n\tconfigFilePath := filepath.Join(configDir, confName)\n\terr := config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\thttpConf := config.GetHTTPConfig()\n\thttpConf.Certificates = append(httpConf.Certificates, httpclient.TLSKeyPair{\n\t\tCert: \"cert\",\n\t\tKey: \"key\",\n\t})\n\tc := make(map[string]httpclient.Config)\n\tc[\"http\"] = httpConf\n\tjsonConf, err := json.Marshal(c)\n\trequire.NoError(t, err)\n\terr = os.WriteFile(configFilePath, jsonConf, os.ModePerm)\n\trequire.NoError(t, err)\n\terr = config.LoadConfig(configDir, confName)\n\trequire.NoError(t, err)\n\trequire.Len(t, config.GetHTTPConfig().Certificates, 1)\n\trequire.Equal(t, \"cert\", config.GetHTTPConfig().Certificates[0].Cert)\n\trequire.Equal(t, \"key\", config.GetHTTPConfig().Certificates[0].Key)\n\n\tos.Setenv(\"SFTPGO_HTTP__CERTIFICATES__0__CERT\", \"cert0\")\n\tos.Setenv(\"SFTPGO_HTTP__CERTIFICATES__0__KEY\", \"key0\")\n\tos.Setenv(\"SFTPGO_HTTP__CERTIFICATES__8__CERT\", \"cert8\")\n\tos.Setenv(\"SFTPGO_HTTP__CERTIFICATES__9__CERT\", \"cert9\")\n\tos.Setenv(\"SFTPGO_HTTP__CERTIFICATES__9__KEY\", \"key9\")\n\n\tt.Cleanup(func() {\n\t\tos.Unsetenv(\"SFTPGO_HTTP__CERTIFICATES__0__CERT\")\n\t\tos.Unsetenv(\"SFTPGO_HTTP__CERTIFICATES__0__KEY\")\n\t\tos.Unsetenv(\"SFTPGO_HTTP__CERTIFICATES__8__CERT\")\n\t\tos.Unsetenv(\"SFTPGO_HTTP__CERTIFICATES__9__CERT\")\n\t\tos.Unsetenv(\"SFTPGO_HTTP__CERTIFICATES__9__KEY\")\n\t})\n\n\terr = config.LoadConfig(configDir, confName)\n\trequire.NoError(t, err)\n\trequire.Len(t, config.GetHTTPConfig().Certificates, 2)\n\trequire.Equal(t, \"cert0\", config.GetHTTPConfig().Certificates[0].Cert)\n\trequire.Equal(t, \"key0\", config.GetHTTPConfig().Certificates[0].Key)\n\trequire.Equal(t, \"cert9\", config.GetHTTPConfig().Certificates[1].Cert)\n\trequire.Equal(t, \"key9\", config.GetHTTPConfig().Certificates[1].Key)\n\n\terr = os.Remove(configFilePath)\n\tassert.NoError(t, err)\n\n\tconfig.Init()\n\n\terr = config.LoadConfig(configDir, \"\")\n\trequire.NoError(t, err)\n\trequire.Len(t, config.GetHTTPConfig().Certificates, 2)\n\trequire.Equal(t, \"cert0\", config.GetHTTPConfig().Certificates[0].Cert)\n\trequire.Equal(t, \"key0\", config.GetHTTPConfig().Certificates[0].Key)\n\trequire.Equal(t, \"cert9\", config.GetHTTPConfig().Certificates[1].Cert)\n\trequire.Equal(t, \"key9\", config.GetHTTPConfig().Certificates[1].Key)\n}\n\nfunc TestHTTPClientHeadersFromEnv(t *testing.T) {\n\treset()\n\n\tconfName := tempConfigName + \".json\"\n\tconfigFilePath := filepath.Join(configDir, confName)\n\terr := config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\thttpConf := config.GetHTTPConfig()\n\thttpConf.Headers = append(httpConf.Headers, httpclient.Header{\n\t\tKey: \"key\",\n\t\tValue: \"value\",\n\t\tURL: \"url\",\n\t})\n\tc := make(map[string]httpclient.Config)\n\tc[\"http\"] = httpConf\n\tjsonConf, err := json.Marshal(c)\n\trequire.NoError(t, err)\n\terr = os.WriteFile(configFilePath, jsonConf, os.ModePerm)\n\trequire.NoError(t, err)\n\terr = config.LoadConfig(configDir, confName)\n\trequire.NoError(t, err)\n\trequire.Len(t, config.GetHTTPConfig().Headers, 1)\n\trequire.Equal(t, \"key\", config.GetHTTPConfig().Headers[0].Key)\n\trequire.Equal(t, \"value\", config.GetHTTPConfig().Headers[0].Value)\n\trequire.Equal(t, \"url\", config.GetHTTPConfig().Headers[0].URL)\n\n\tos.Setenv(\"SFTPGO_HTTP__HEADERS__0__KEY\", \"key0\")\n\tos.Setenv(\"SFTPGO_HTTP__HEADERS__0__VALUE\", \"value0\")\n\tos.Setenv(\"SFTPGO_HTTP__HEADERS__0__URL\", \"url0\")\n\tos.Setenv(\"SFTPGO_HTTP__HEADERS__8__KEY\", \"key8\")\n\tos.Setenv(\"SFTPGO_HTTP__HEADERS__9__KEY\", \"key9\")\n\tos.Setenv(\"SFTPGO_HTTP__HEADERS__9__VALUE\", \"value9\")\n\tos.Setenv(\"SFTPGO_HTTP__HEADERS__9__URL\", \"url9\")\n\n\tt.Cleanup(func() {\n\t\tos.Unsetenv(\"SFTPGO_HTTP__HEADERS__0__KEY\")\n\t\tos.Unsetenv(\"SFTPGO_HTTP__HEADERS__0__VALUE\")\n\t\tos.Unsetenv(\"SFTPGO_HTTP__HEADERS__0__URL\")\n\t\tos.Unsetenv(\"SFTPGO_HTTP__HEADERS__8__KEY\")\n\t\tos.Unsetenv(\"SFTPGO_HTTP__HEADERS__9__KEY\")\n\t\tos.Unsetenv(\"SFTPGO_HTTP__HEADERS__9__VALUE\")\n\t\tos.Unsetenv(\"SFTPGO_HTTP__HEADERS__9__URL\")\n\t})\n\n\terr = config.LoadConfig(configDir, confName)\n\trequire.NoError(t, err)\n\trequire.Len(t, config.GetHTTPConfig().Headers, 2)\n\trequire.Equal(t, \"key0\", config.GetHTTPConfig().Headers[0].Key)\n\trequire.Equal(t, \"value0\", config.GetHTTPConfig().Headers[0].Value)\n\trequire.Equal(t, \"url0\", config.GetHTTPConfig().Headers[0].URL)\n\trequire.Equal(t, \"key9\", config.GetHTTPConfig().Headers[1].Key)\n\trequire.Equal(t, \"value9\", config.GetHTTPConfig().Headers[1].Value)\n\trequire.Equal(t, \"url9\", config.GetHTTPConfig().Headers[1].URL)\n\n\terr = os.Remove(configFilePath)\n\tassert.NoError(t, err)\n\n\tconfig.Init()\n\n\terr = config.LoadConfig(configDir, \"\")\n\trequire.NoError(t, err)\n\trequire.Len(t, config.GetHTTPConfig().Headers, 2)\n\trequire.Equal(t, \"key0\", config.GetHTTPConfig().Headers[0].Key)\n\trequire.Equal(t, \"value0\", config.GetHTTPConfig().Headers[0].Value)\n\trequire.Equal(t, \"url0\", config.GetHTTPConfig().Headers[0].URL)\n\trequire.Equal(t, \"key9\", config.GetHTTPConfig().Headers[1].Key)\n\trequire.Equal(t, \"value9\", config.GetHTTPConfig().Headers[1].Value)\n\trequire.Equal(t, \"url9\", config.GetHTTPConfig().Headers[1].URL)\n}\n\nfunc TestConfigFromEnv(t *testing.T) {\n\treset()\n\n\tos.Setenv(\"SFTPGO_SFTPD__BINDINGS__0__ADDRESS\", \"127.0.0.1\")\n\tos.Setenv(\"SFTPGO_WEBDAVD__BINDINGS__0__PORT\", \"12000\")\n\tos.Setenv(\"SFTPGO_DATA_PROVIDER__PASSWORD_HASHING__ARGON2_OPTIONS__ITERATIONS\", \"41\")\n\tos.Setenv(\"SFTPGO_DATA_PROVIDER__POOL_SIZE\", \"10\")\n\tos.Setenv(\"SFTPGO_DATA_PROVIDER__IS_SHARED\", \"1\")\n\tos.Setenv(\"SFTPGO_DATA_PROVIDER__ACTIONS__EXECUTE_ON\", \"add\")\n\tos.Setenv(\"SFTPGO_KMS__SECRETS__URL\", \"local\")\n\tos.Setenv(\"SFTPGO_KMS__SECRETS__MASTER_KEY_PATH\", \"path\")\n\tos.Setenv(\"SFTPGO_TELEMETRY__TLS_CIPHER_SUITES\", \"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\")\n\tos.Setenv(\"SFTPGO_TELEMETRY__TLS_PROTOCOLS\", \"h2\")\n\tos.Setenv(\"SFTPGO_HTTPD__SETUP__INSTALLATION_CODE\", \"123\")\n\tos.Setenv(\"SFTPGO_ACME__HTTP01_CHALLENGE__PORT\", \"5002\")\n\tt.Cleanup(func() {\n\t\tos.Unsetenv(\"SFTPGO_SFTPD__BINDINGS__0__ADDRESS\")\n\t\tos.Unsetenv(\"SFTPGO_WEBDAVD__BINDINGS__0__PORT\")\n\t\tos.Unsetenv(\"SFTPGO_DATA_PROVIDER__PASSWORD_HASHING__ARGON2_OPTIONS__ITERATIONS\")\n\t\tos.Unsetenv(\"SFTPGO_DATA_PROVIDER__POOL_SIZE\")\n\t\tos.Unsetenv(\"SFTPGO_DATA_PROVIDER__IS_SHARED\")\n\t\tos.Unsetenv(\"SFTPGO_DATA_PROVIDER__ACTIONS__EXECUTE_ON\")\n\t\tos.Unsetenv(\"SFTPGO_KMS__SECRETS__URL\")\n\t\tos.Unsetenv(\"SFTPGO_KMS__SECRETS__MASTER_KEY_PATH\")\n\t\tos.Unsetenv(\"SFTPGO_TELEMETRY__TLS_CIPHER_SUITES\")\n\t\tos.Unsetenv(\"SFTPGO_TELEMETRY__TLS_PROTOCOLS\")\n\t\tos.Unsetenv(\"SFTPGO_HTTPD__SETUP__INSTALLATION_CODE\")\n\t\tos.Unsetenv(\"SFTPGO_ACME__HTTP01_CHALLENGE_PORT\")\n\t})\n\terr := config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tsftpdConfig := config.GetSFTPDConfig()\n\tassert.Equal(t, \"127.0.0.1\", sftpdConfig.Bindings[0].Address)\n\tassert.Equal(t, 12000, config.GetWebDAVDConfig().Bindings[0].Port)\n\tdataProviderConf := config.GetProviderConf()\n\tassert.Equal(t, uint32(41), dataProviderConf.PasswordHashing.Argon2Options.Iterations)\n\tassert.Equal(t, 10, dataProviderConf.PoolSize)\n\tassert.Equal(t, 1, dataProviderConf.IsShared)\n\tassert.Len(t, dataProviderConf.Actions.ExecuteOn, 1)\n\tassert.Contains(t, dataProviderConf.Actions.ExecuteOn, \"add\")\n\tkmsConfig := config.GetKMSConfig()\n\tassert.Equal(t, \"local\", kmsConfig.Secrets.URL)\n\tassert.Equal(t, \"path\", kmsConfig.Secrets.MasterKeyPath)\n\ttelemetryConfig := config.GetTelemetryConfig()\n\trequire.Len(t, telemetryConfig.TLSCipherSuites, 2)\n\tassert.Equal(t, \"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\", telemetryConfig.TLSCipherSuites[0])\n\tassert.Equal(t, \"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\", telemetryConfig.TLSCipherSuites[1])\n\trequire.Len(t, telemetryConfig.Protocols, 1)\n\tassert.Equal(t, \"h2\", telemetryConfig.Protocols[0])\n\tassert.Equal(t, \"123\", config.GetHTTPDConfig().Setup.InstallationCode)\n\tacmeConfig := config.GetACMEConfig()\n\tassert.Equal(t, 5002, acmeConfig.HTTP01Challenge.Port)\n}\n" }, { "path": "internal/dataprovider/actions.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage dataprovider\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"fmt\"\n\t\"net/url\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"slices\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/sftpgo/sdk/plugin/notifier\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/command\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpclient\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nconst (\n\t// ActionExecutorSelf is used as username for self action, for example a user/admin that updates itself\n\tActionExecutorSelf = \"__self__\"\n\t// ActionExecutorSystem is used as username for actions with no explicit executor associated, for example\n\t// adding/updating a user/admin by loading initial data\n\tActionExecutorSystem = \"__system__\"\n)\n\nconst (\n\tactionObjectUser = \"user\"\n\tactionObjectFolder = \"folder\"\n\tactionObjectGroup = \"group\"\n\tactionObjectAdmin = \"admin\"\n\tactionObjectAPIKey = \"api_key\"\n\tactionObjectShare = \"share\"\n\tactionObjectEventAction = \"event_action\"\n\tactionObjectEventRule = \"event_rule\"\n\tactionObjectRole = \"role\"\n\tactionObjectIPListEntry = \"ip_list_entry\"\n\tactionObjectConfigs = \"configs\"\n)\n\nvar (\n\tactionsConcurrencyGuard = make(chan struct{}, 100)\n\treservedUsers = []string{ActionExecutorSelf, ActionExecutorSystem}\n)\n\nfunc executeAction(operation, executor, ip, objectType, objectName, role string, object plugin.Renderer) {\n\tif plugin.Handler.HasNotifiers() {\n\t\tplugin.Handler.NotifyProviderEvent(¬ifier.ProviderEvent{\n\t\t\tAction: operation,\n\t\t\tUsername: executor,\n\t\t\tObjectType: objectType,\n\t\t\tObjectName: objectName,\n\t\t\tIP: ip,\n\t\t\tRole: role,\n\t\t\tTimestamp: time.Now().UnixNano(),\n\t\t}, object)\n\t}\n\tif fnHandleRuleForProviderEvent != nil {\n\t\tfnHandleRuleForProviderEvent(operation, executor, ip, objectType, objectName, role, object)\n\t}\n\tif config.Actions.Hook == \"\" {\n\t\treturn\n\t}\n\tif !slices.Contains(config.Actions.ExecuteOn, operation) ||\n\t\t!slices.Contains(config.Actions.ExecuteFor, objectType) {\n\t\treturn\n\t}\n\n\tgo func() {\n\t\tactionsConcurrencyGuard <- struct{}{}\n\t\tdefer func() {\n\t\t\t<-actionsConcurrencyGuard\n\t\t}()\n\n\t\tdataAsJSON, err := object.RenderAsJSON(operation != operationDelete)\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelError, \"unable to serialize user as JSON for operation %q: %v\", operation, err)\n\t\t\treturn\n\t\t}\n\t\tif strings.HasPrefix(config.Actions.Hook, \"http\") {\n\t\t\tvar url *url.URL\n\t\t\turl, err := url.Parse(config.Actions.Hook)\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelError, \"Invalid http_notification_url %q for operation %q: %v\",\n\t\t\t\t\tconfig.Actions.Hook, operation, err)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tq := url.Query()\n\t\t\tq.Add(\"action\", operation)\n\t\t\tq.Add(\"username\", executor)\n\t\t\tq.Add(\"ip\", ip)\n\t\t\tq.Add(\"object_type\", objectType)\n\t\t\tq.Add(\"object_name\", objectName)\n\t\t\tif role != \"\" {\n\t\t\t\tq.Add(\"role\", role)\n\t\t\t}\n\t\t\tq.Add(\"timestamp\", fmt.Sprintf(\"%d\", time.Now().UnixNano()))\n\t\t\turl.RawQuery = q.Encode()\n\t\t\tstartTime := time.Now()\n\t\t\tresp, err := httpclient.RetryablePost(url.String(), \"application/json\", bytes.NewBuffer(dataAsJSON))\n\t\t\trespCode := 0\n\t\t\tif err == nil {\n\t\t\t\trespCode = resp.StatusCode\n\t\t\t\tresp.Body.Close()\n\t\t\t}\n\t\t\tproviderLog(logger.LevelDebug, \"notified operation %q to URL: %s status code: %d, elapsed: %s err: %v\",\n\t\t\t\toperation, url.Redacted(), respCode, time.Since(startTime), err)\n\t\t\treturn\n\t\t}\n\t\texecuteNotificationCommand(operation, executor, ip, objectType, objectName, role, dataAsJSON) //nolint:errcheck // the error is used in test cases only\n\t}()\n}\n\nfunc executeNotificationCommand(operation, executor, ip, objectType, objectName, role string, objectAsJSON []byte) error {\n\tif !filepath.IsAbs(config.Actions.Hook) {\n\t\terr := fmt.Errorf(\"invalid notification command %q\", config.Actions.Hook)\n\t\tlogger.Warn(logSender, \"\", \"unable to execute notification command: %v\", err)\n\t\treturn err\n\t}\n\n\ttimeout, env, args := command.GetConfig(config.Actions.Hook, command.HookProviderActions)\n\tctx, cancel := context.WithTimeout(context.Background(), timeout)\n\tdefer cancel()\n\n\tcmd := exec.CommandContext(ctx, config.Actions.Hook, args...)\n\tcmd.Env = append(env,\n\t\tfmt.Sprintf(\"SFTPGO_PROVIDER_ACTION=%s\", operation),\n\t\tfmt.Sprintf(\"SFTPGO_PROVIDER_OBJECT_TYPE=%s\", objectType),\n\t\tfmt.Sprintf(\"SFTPGO_PROVIDER_OBJECT_NAME=%s\", objectName),\n\t\tfmt.Sprintf(\"SFTPGO_PROVIDER_USERNAME=%s\", executor),\n\t\tfmt.Sprintf(\"SFTPGO_PROVIDER_IP=%s\", ip),\n\t\tfmt.Sprintf(\"SFTPGO_PROVIDER_ROLE=%s\", role),\n\t\tfmt.Sprintf(\"SFTPGO_PROVIDER_TIMESTAMP=%d\", util.GetTimeAsMsSinceEpoch(time.Now())),\n\t\tfmt.Sprintf(\"SFTPGO_PROVIDER_OBJECT=%s\", objectAsJSON))\n\n\tstartTime := time.Now()\n\terr := cmd.Run()\n\tproviderLog(logger.LevelDebug, \"executed command %q, elapsed: %s, error: %v\", config.Actions.Hook,\n\t\ttime.Since(startTime), err)\n\treturn err\n}\n" }, { "path": "internal/dataprovider/admin.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage dataprovider\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net\"\n\t\"os\"\n\t\"slices\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"github.com/alexedwards/argon2id\"\n\t\"github.com/sftpgo/sdk\"\n\tpasswordvalidator \"github.com/wagslane/go-password-validator\"\n\t\"golang.org/x/crypto/bcrypt\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/mfa\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\n// Available permissions for SFTPGo admins\nconst (\n\tPermAdminAny = \"*\"\n\tPermAdminAddUsers = \"add_users\"\n\tPermAdminChangeUsers = \"edit_users\"\n\tPermAdminDeleteUsers = \"del_users\"\n\tPermAdminViewUsers = \"view_users\"\n\tPermAdminViewConnections = \"view_conns\"\n\tPermAdminCloseConnections = \"close_conns\"\n\tPermAdminViewServerStatus = \"view_status\"\n\tPermAdminManageGroups = \"manage_groups\"\n\tPermAdminManageFolders = \"manage_folders\"\n\tPermAdminQuotaScans = \"quota_scans\"\n\tPermAdminManageDefender = \"manage_defender\"\n\tPermAdminViewDefender = \"view_defender\"\n\tPermAdminViewEvents = \"view_events\"\n\tPermAdminDisableMFA = \"disable_mfa\"\n)\n\nconst (\n\t// GroupAddToUsersAsMembership defines that the admin's group will be added as membership group for new users\n\tGroupAddToUsersAsMembership = iota\n\t// GroupAddToUsersAsPrimary defines that the admin's group will be added as primary group for new users\n\tGroupAddToUsersAsPrimary\n\t// GroupAddToUsersAsSecondary defines that the admin's group will be added as secondary group for new users\n\tGroupAddToUsersAsSecondary\n)\n\nvar (\n\tvalidAdminPerms = []string{PermAdminAny, PermAdminAddUsers, PermAdminChangeUsers, PermAdminDeleteUsers,\n\t\tPermAdminViewUsers, PermAdminManageFolders, PermAdminManageGroups, PermAdminViewConnections,\n\t\tPermAdminCloseConnections, PermAdminViewServerStatus, PermAdminQuotaScans,\n\t\tPermAdminManageDefender, PermAdminViewDefender, PermAdminViewEvents, PermAdminDisableMFA}\n\tforbiddenPermsForRoleAdmins = []string{PermAdminAny}\n)\n\n// AdminTOTPConfig defines the time-based one time password configuration\ntype AdminTOTPConfig struct {\n\tEnabled bool `json:\"enabled,omitempty\"`\n\tConfigName string `json:\"config_name,omitempty\"`\n\tSecret *kms.Secret `json:\"secret,omitempty\"`\n}\n\nfunc (c *AdminTOTPConfig) validate(username string) error {\n\tif !c.Enabled {\n\t\tc.ConfigName = \"\"\n\t\tc.Secret = kms.NewEmptySecret()\n\t\treturn nil\n\t}\n\tif c.ConfigName == \"\" {\n\t\treturn util.NewValidationError(\"totp: config name is mandatory\")\n\t}\n\tif !slices.Contains(mfa.GetAvailableTOTPConfigNames(), c.ConfigName) {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"totp: config name %q not found\", c.ConfigName))\n\t}\n\tif c.Secret.IsEmpty() {\n\t\treturn util.NewValidationError(\"totp: secret is mandatory\")\n\t}\n\tif c.Secret.IsPlain() {\n\t\tc.Secret.SetAdditionalData(username)\n\t\tif err := c.Secret.Encrypt(); err != nil {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"totp: unable to encrypt secret: %v\", err))\n\t\t}\n\t}\n\treturn nil\n}\n\n// AdminPreferences defines the admin preferences\ntype AdminPreferences struct {\n\t// Allow to hide some sections from the user page.\n\t// These are not security settings and are not enforced server side\n\t// in any way. They are only intended to simplify the user page in\n\t// the WebAdmin UI.\n\t//\n\t// 1 means hide groups section\n\t// 2 means hide filesystem section, \"users_base_dir\" must be set in the config file otherwise this setting is ignored\n\t// 4 means hide virtual folders section\n\t// 8 means hide profile section\n\t// 16 means hide ACLs section\n\t// 32 means hide disk and bandwidth quota limits section\n\t// 64 means hide advanced settings section\n\t//\n\t// The settings can be combined\n\tHideUserPageSections int `json:\"hide_user_page_sections,omitempty\"`\n\t// Defines the default expiration for newly created users as number of days.\n\t// 0 means no expiration\n\tDefaultUsersExpiration int `json:\"default_users_expiration,omitempty\"`\n}\n\n// HideGroups returns true if the groups section should be hidden\nfunc (p *AdminPreferences) HideGroups() bool {\n\treturn p.HideUserPageSections&1 != 0\n}\n\n// HideFilesystem returns true if the filesystem section should be hidden\nfunc (p *AdminPreferences) HideFilesystem() bool {\n\treturn config.UsersBaseDir != \"\" && p.HideUserPageSections&2 != 0\n}\n\n// HideVirtualFolders returns true if the virtual folder section should be hidden\nfunc (p *AdminPreferences) HideVirtualFolders() bool {\n\treturn p.HideUserPageSections&4 != 0\n}\n\n// HideProfile returns true if the profile section should be hidden\nfunc (p *AdminPreferences) HideProfile() bool {\n\treturn p.HideUserPageSections&8 != 0\n}\n\n// HideACLs returns true if the ACLs section should be hidden\nfunc (p *AdminPreferences) HideACLs() bool {\n\treturn p.HideUserPageSections&16 != 0\n}\n\n// HideDiskQuotaAndBandwidthLimits returns true if the disk quota and bandwidth limits\n// section should be hidden\nfunc (p *AdminPreferences) HideDiskQuotaAndBandwidthLimits() bool {\n\treturn p.HideUserPageSections&32 != 0\n}\n\n// HideAdvancedSettings returns true if the advanced settings section should be hidden\nfunc (p *AdminPreferences) HideAdvancedSettings() bool {\n\treturn p.HideUserPageSections&64 != 0\n}\n\n// VisibleUserPageSections returns the number of visible sections\n// in the user page\nfunc (p *AdminPreferences) VisibleUserPageSections() int {\n\tvar result int\n\n\tif !p.HideProfile() {\n\t\tresult++\n\t}\n\tif !p.HideACLs() {\n\t\tresult++\n\t}\n\tif !p.HideDiskQuotaAndBandwidthLimits() {\n\t\tresult++\n\t}\n\tif !p.HideAdvancedSettings() {\n\t\tresult++\n\t}\n\n\treturn result\n}\n\n// AdminFilters defines additional restrictions for SFTPGo admins\n// TODO: rename to AdminOptions in v3\ntype AdminFilters struct {\n\t// only clients connecting from these IP/Mask are allowed.\n\t// IP/Mask must be in CIDR notation as defined in RFC 4632 and RFC 4291\n\t// for example \"192.0.2.0/24\" or \"2001:db8::/32\"\n\tAllowList []string `json:\"allow_list,omitempty\"`\n\t// API key auth allows to impersonate this administrator with an API key\n\tAllowAPIKeyAuth bool `json:\"allow_api_key_auth,omitempty\"`\n\t// A password change is required at the next login\n\tRequirePasswordChange bool `json:\"require_password_change,omitempty\"`\n\t// Require two factor authentication\n\tRequireTwoFactor bool `json:\"require_two_factor\"`\n\t// Time-based one time passwords configuration\n\tTOTPConfig AdminTOTPConfig `json:\"totp_config,omitempty\"`\n\t// Recovery codes to use if the user loses access to their second factor auth device.\n\t// Each code can only be used once, you should use these codes to login and disable or\n\t// reset 2FA for your account\n\tRecoveryCodes []RecoveryCode `json:\"recovery_codes,omitempty\"`\n\tPreferences AdminPreferences `json:\"preferences\"`\n}\n\n// AdminGroupMappingOptions defines the options for admin/group mapping\ntype AdminGroupMappingOptions struct {\n\tAddToUsersAs int `json:\"add_to_users_as,omitempty\"`\n}\n\nfunc (o *AdminGroupMappingOptions) validate() error {\n\tif o.AddToUsersAs < GroupAddToUsersAsMembership || o.AddToUsersAs > GroupAddToUsersAsSecondary {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"Invalid mode to add groups to new users: %d\", o.AddToUsersAs))\n\t}\n\treturn nil\n}\n\n// GetUserGroupType returns the type for the matching user group\nfunc (o *AdminGroupMappingOptions) GetUserGroupType() int {\n\tswitch o.AddToUsersAs {\n\tcase GroupAddToUsersAsPrimary:\n\t\treturn sdk.GroupTypePrimary\n\tcase GroupAddToUsersAsSecondary:\n\t\treturn sdk.GroupTypeSecondary\n\tdefault:\n\t\treturn sdk.GroupTypeMembership\n\t}\n}\n\n// AdminGroupMapping defines the mapping between an SFTPGo admin and a group\ntype AdminGroupMapping struct {\n\tName string `json:\"name\"`\n\tOptions AdminGroupMappingOptions `json:\"options\"`\n}\n\n// Admin defines a SFTPGo admin\ntype Admin struct {\n\t// Database unique identifier\n\tID int64 `json:\"id\"`\n\t// 1 enabled, 0 disabled (login is not allowed)\n\tStatus int `json:\"status\"`\n\t// Username\n\tUsername string `json:\"username\"`\n\tPassword string `json:\"password,omitempty\"`\n\tEmail string `json:\"email,omitempty\"`\n\tPermissions []string `json:\"permissions\"`\n\tFilters AdminFilters `json:\"filters,omitempty\"`\n\tDescription string `json:\"description,omitempty\"`\n\tAdditionalInfo string `json:\"additional_info,omitempty\"`\n\t// Groups membership\n\tGroups []AdminGroupMapping `json:\"groups,omitempty\"`\n\t// Creation time as unix timestamp in milliseconds. It will be 0 for admins created before v2.2.0\n\tCreatedAt int64 `json:\"created_at\"`\n\t// last update time as unix timestamp in milliseconds\n\tUpdatedAt int64 `json:\"updated_at\"`\n\t// Last login as unix timestamp in milliseconds\n\tLastLogin int64 `json:\"last_login\"`\n\t// Role name. If set the admin can only administer users with the same role.\n\t// Role admins cannot be super administrators\n\tRole string `json:\"role,omitempty\"`\n}\n\n// CountUnusedRecoveryCodes returns the number of unused recovery codes\nfunc (a *Admin) CountUnusedRecoveryCodes() int {\n\tunused := 0\n\tfor _, code := range a.Filters.RecoveryCodes {\n\t\tif !code.Used {\n\t\t\tunused++\n\t\t}\n\t}\n\treturn unused\n}\n\nfunc (a *Admin) hashPassword() error {\n\tif a.Password != \"\" && !util.IsStringPrefixInSlice(a.Password, internalHashPwdPrefixes) {\n\t\tif config.PasswordValidation.Admins.MinEntropy > 0 {\n\t\t\tif err := passwordvalidator.Validate(a.Password, config.PasswordValidation.Admins.MinEntropy); err != nil {\n\t\t\t\treturn util.NewI18nError(util.NewValidationError(err.Error()), util.I18nErrorPasswordComplexity)\n\t\t\t}\n\t\t}\n\t\tif config.PasswordHashing.Algo == HashingAlgoBcrypt {\n\t\t\tpwd, err := bcrypt.GenerateFromPassword([]byte(a.Password), config.PasswordHashing.BcryptOptions.Cost)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\ta.Password = util.BytesToString(pwd)\n\t\t} else {\n\t\t\tpwd, err := argon2id.CreateHash(a.Password, argon2Params)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\ta.Password = pwd\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (a *Admin) hasRedactedSecret() bool {\n\treturn a.Filters.TOTPConfig.Secret.IsRedacted()\n}\n\nfunc (a *Admin) validateRecoveryCodes() error {\n\tfor i := 0; i < len(a.Filters.RecoveryCodes); i++ {\n\t\tcode := &a.Filters.RecoveryCodes[i]\n\t\tif code.Secret.IsEmpty() {\n\t\t\treturn util.NewValidationError(\"mfa: recovery code cannot be empty\")\n\t\t}\n\t\tif code.Secret.IsPlain() {\n\t\t\tcode.Secret.SetAdditionalData(a.Username)\n\t\t\tif err := code.Secret.Encrypt(); err != nil {\n\t\t\t\treturn util.NewValidationError(fmt.Sprintf(\"mfa: unable to encrypt recovery code: %v\", err))\n\t\t\t}\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (a *Admin) validatePermissions() error {\n\ta.Permissions = util.RemoveDuplicates(a.Permissions, false)\n\tif len(a.Permissions) == 0 {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"please grant some permissions to this admin\"),\n\t\t\tutil.I18nErrorPermissionsRequired,\n\t\t)\n\t}\n\tif slices.Contains(a.Permissions, PermAdminAny) {\n\t\ta.Permissions = []string{PermAdminAny}\n\t}\n\tfor _, perm := range a.Permissions {\n\t\tif !slices.Contains(validAdminPerms, perm) {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid permission: %q\", perm))\n\t\t}\n\t\tif a.Role != \"\" {\n\t\t\tif slices.Contains(forbiddenPermsForRoleAdmins, perm) {\n\t\t\t\treturn util.NewI18nError(\n\t\t\t\t\tutil.NewValidationError(\"a role admin cannot be a super admin\"),\n\t\t\t\t\tutil.I18nErrorRoleAdminPerms,\n\t\t\t\t)\n\t\t\t}\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (a *Admin) validateGroups() error {\n\thasPrimary := false\n\tfor _, g := range a.Groups {\n\t\tif g.Name == \"\" {\n\t\t\treturn util.NewValidationError(\"group name is mandatory\")\n\t\t}\n\t\tif err := g.Options.validate(); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif g.Options.AddToUsersAs == GroupAddToUsersAsPrimary {\n\t\t\tif hasPrimary {\n\t\t\t\treturn util.NewI18nError(\n\t\t\t\t\tutil.NewValidationError(\"only one primary group is allowed\"),\n\t\t\t\t\tutil.I18nErrorPrimaryGroup,\n\t\t\t\t)\n\t\t\t}\n\t\t\thasPrimary = true\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (a *Admin) applyNamingRules() {\n\ta.Username = config.convertName(a.Username)\n\ta.Role = config.convertName(a.Role)\n\tfor idx := range a.Groups {\n\t\ta.Groups[idx].Name = config.convertName(a.Groups[idx].Name)\n\t}\n}\n\nfunc (a *Admin) validate() error { //nolint:gocyclo\n\ta.SetEmptySecretsIfNil()\n\ta.applyNamingRules()\n\ta.Password = strings.TrimSpace(a.Password)\n\tif a.Username == \"\" {\n\t\treturn util.NewI18nError(util.NewValidationError(\"username is mandatory\"), util.I18nErrorUsernameRequired)\n\t}\n\tif !util.IsNameValid(a.Username) {\n\t\treturn util.NewI18nError(errInvalidInput, util.I18nErrorInvalidInput)\n\t}\n\tif err := checkReservedUsernames(a.Username); err != nil {\n\t\treturn util.NewI18nError(err, util.I18nErrorReservedUsername)\n\t}\n\tif a.Password == \"\" {\n\t\treturn util.NewI18nError(util.NewValidationError(\"please set a password\"), util.I18nErrorPasswordRequired)\n\t}\n\tif a.hasRedactedSecret() {\n\t\treturn util.NewValidationError(\"cannot save an admin with a redacted secret\")\n\t}\n\tif err := a.Filters.TOTPConfig.validate(a.Username); err != nil {\n\t\treturn util.NewI18nError(err, util.I18nError2FAInvalid)\n\t}\n\tif err := a.validateRecoveryCodes(); err != nil {\n\t\treturn util.NewI18nError(err, util.I18nErrorRecoveryCodesInvalid)\n\t}\n\tif config.NamingRules&1 == 0 && !usernameRegex.MatchString(a.Username) {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(fmt.Sprintf(\"username %q is not valid, the following characters are allowed: a-zA-Z0-9-_.~\", a.Username)),\n\t\t\tutil.I18nErrorInvalidUser,\n\t\t)\n\t}\n\tif err := a.hashPassword(); err != nil {\n\t\treturn err\n\t}\n\tif err := a.validatePermissions(); err != nil {\n\t\treturn err\n\t}\n\tif a.Email != \"\" && !util.IsEmailValid(a.Email) {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(fmt.Sprintf(\"email %q is not valid\", a.Email)),\n\t\t\tutil.I18nErrorInvalidEmail,\n\t\t)\n\t}\n\ta.Filters.AllowList = util.RemoveDuplicates(a.Filters.AllowList, false)\n\tfor _, IPMask := range a.Filters.AllowList {\n\t\t_, _, err := net.ParseCIDR(IPMask)\n\t\tif err != nil {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"could not parse allow list entry %q : %v\", IPMask, err)),\n\t\t\t\tutil.I18nErrorInvalidIPMask,\n\t\t\t)\n\t\t}\n\t}\n\n\treturn a.validateGroups()\n}\n\n// CheckPassword verifies the admin password\nfunc (a *Admin) CheckPassword(password string) (bool, error) {\n\tif config.PasswordCaching {\n\t\tfound, match := cachedAdminPasswords.Check(a.Username, password, a.Password)\n\t\tif found {\n\t\t\tif !match {\n\t\t\t\treturn false, ErrInvalidCredentials\n\t\t\t}\n\t\t\treturn match, nil\n\t\t}\n\t}\n\tif strings.HasPrefix(a.Password, bcryptPwdPrefix) {\n\t\tif err := bcrypt.CompareHashAndPassword([]byte(a.Password), []byte(password)); err != nil {\n\t\t\treturn false, ErrInvalidCredentials\n\t\t}\n\t\tcachedAdminPasswords.Add(a.Username, password, a.Password)\n\t\treturn true, nil\n\t}\n\tmatch, err := argon2id.ComparePasswordAndHash(password, a.Password)\n\tif !match || err != nil {\n\t\treturn false, ErrInvalidCredentials\n\t}\n\tif match {\n\t\tcachedAdminPasswords.Add(a.Username, password, a.Password)\n\t}\n\treturn match, err\n}\n\n// CanLoginFromIP returns true if login from the given IP is allowed\nfunc (a *Admin) CanLoginFromIP(ip string) bool {\n\tif len(a.Filters.AllowList) == 0 {\n\t\treturn true\n\t}\n\tparsedIP := net.ParseIP(ip)\n\tif parsedIP == nil {\n\t\treturn len(a.Filters.AllowList) == 0\n\t}\n\n\tfor _, ipMask := range a.Filters.AllowList {\n\t\t_, network, err := net.ParseCIDR(ipMask)\n\t\tif err != nil {\n\t\t\tcontinue\n\t\t}\n\t\tif network.Contains(parsedIP) {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// CanLogin returns an error if the login is not allowed\nfunc (a *Admin) CanLogin(ip string) error {\n\tif a.Status != 1 {\n\t\treturn fmt.Errorf(\"admin %q is disabled\", a.Username)\n\t}\n\tif !a.CanLoginFromIP(ip) {\n\t\treturn fmt.Errorf(\"login from IP %v not allowed\", ip)\n\t}\n\treturn nil\n}\n\nfunc (a *Admin) checkUserAndPass(password, ip string) error {\n\tif err := a.CanLogin(ip); err != nil {\n\t\treturn err\n\t}\n\tif a.Password == \"\" || strings.TrimSpace(password) == \"\" {\n\t\treturn errors.New(\"credentials cannot be null or empty\")\n\t}\n\tmatch, err := a.CheckPassword(password)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif !match {\n\t\treturn ErrInvalidCredentials\n\t}\n\treturn nil\n}\n\n// RenderAsJSON implements the renderer interface used within plugins\nfunc (a *Admin) RenderAsJSON(reload bool) ([]byte, error) {\n\tif reload {\n\t\tadmin, err := provider.adminExists(a.Username)\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelError, \"unable to reload admin before rendering as json: %v\", err)\n\t\t\treturn nil, err\n\t\t}\n\t\tadmin.HideConfidentialData()\n\t\treturn json.Marshal(admin)\n\t}\n\ta.HideConfidentialData()\n\treturn json.Marshal(a)\n}\n\n// HideConfidentialData hides admin confidential data\nfunc (a *Admin) HideConfidentialData() {\n\ta.Password = \"\"\n\tif a.Filters.TOTPConfig.Secret != nil {\n\t\ta.Filters.TOTPConfig.Secret.Hide()\n\t}\n\tfor _, code := range a.Filters.RecoveryCodes {\n\t\tif code.Secret != nil {\n\t\t\tcode.Secret.Hide()\n\t\t}\n\t}\n\ta.SetNilSecretsIfEmpty()\n}\n\n// SetEmptySecretsIfNil sets the secrets to empty if nil\nfunc (a *Admin) SetEmptySecretsIfNil() {\n\tif a.Filters.TOTPConfig.Secret == nil {\n\t\ta.Filters.TOTPConfig.Secret = kms.NewEmptySecret()\n\t}\n}\n\n// SetNilSecretsIfEmpty set the secrets to nil if empty.\n// This is useful before rendering as JSON so the empty fields\n// will not be serialized.\nfunc (a *Admin) SetNilSecretsIfEmpty() {\n\tif a.Filters.TOTPConfig.Secret != nil && a.Filters.TOTPConfig.Secret.IsEmpty() {\n\t\ta.Filters.TOTPConfig.Secret = nil\n\t}\n}\n\n// HasPermission returns true if the admin has the specified permission\nfunc (a *Admin) HasPermission(perm string) bool {\n\tif slices.Contains(a.Permissions, PermAdminAny) {\n\t\treturn true\n\t}\n\treturn slices.Contains(a.Permissions, perm)\n}\n\n// HasPermissions returns true if the admin has all the specified permissions\nfunc (a *Admin) HasPermissions(perms ...string) bool {\n\tfor _, perm := range perms {\n\t\tif !a.HasPermission(perm) {\n\t\t\treturn false\n\t\t}\n\t}\n\treturn len(perms) > 0\n}\n\n// GetAllowedIPAsString returns the allowed IP as comma separated string\nfunc (a *Admin) GetAllowedIPAsString() string {\n\treturn strings.Join(a.Filters.AllowList, \",\")\n}\n\n// GetValidPerms returns the allowed admin permissions\nfunc (a *Admin) GetValidPerms() []string {\n\treturn validAdminPerms\n}\n\n// CanManageMFA returns true if the admin can add a multi-factor authentication configuration\nfunc (a *Admin) CanManageMFA() bool {\n\treturn len(mfa.GetAvailableTOTPConfigs()) > 0\n}\n\n// GetSignature returns a signature for this admin.\n// It will change after an update\nfunc (a *Admin) GetSignature() string {\n\treturn strconv.FormatInt(a.UpdatedAt, 10)\n}\n\nfunc (a *Admin) getACopy() Admin {\n\ta.SetEmptySecretsIfNil()\n\tpermissions := make([]string, len(a.Permissions))\n\tcopy(permissions, a.Permissions)\n\tfilters := AdminFilters{}\n\tfilters.AllowList = make([]string, len(a.Filters.AllowList))\n\tfilters.AllowAPIKeyAuth = a.Filters.AllowAPIKeyAuth\n\tfilters.RequirePasswordChange = a.Filters.RequirePasswordChange\n\tfilters.RequireTwoFactor = a.Filters.RequireTwoFactor\n\tfilters.TOTPConfig.Enabled = a.Filters.TOTPConfig.Enabled\n\tfilters.TOTPConfig.ConfigName = a.Filters.TOTPConfig.ConfigName\n\tfilters.TOTPConfig.Secret = a.Filters.TOTPConfig.Secret.Clone()\n\tcopy(filters.AllowList, a.Filters.AllowList)\n\tfilters.RecoveryCodes = make([]RecoveryCode, 0)\n\tfor _, code := range a.Filters.RecoveryCodes {\n\t\tif code.Secret == nil {\n\t\t\tcode.Secret = kms.NewEmptySecret()\n\t\t}\n\t\tfilters.RecoveryCodes = append(filters.RecoveryCodes, RecoveryCode{\n\t\t\tSecret: code.Secret.Clone(),\n\t\t\tUsed: code.Used,\n\t\t})\n\t}\n\tfilters.Preferences = AdminPreferences{\n\t\tHideUserPageSections: a.Filters.Preferences.HideUserPageSections,\n\t\tDefaultUsersExpiration: a.Filters.Preferences.DefaultUsersExpiration,\n\t}\n\tgroups := make([]AdminGroupMapping, 0, len(a.Groups))\n\tfor _, g := range a.Groups {\n\t\tgroups = append(groups, AdminGroupMapping{\n\t\t\tName: g.Name,\n\t\t\tOptions: AdminGroupMappingOptions{\n\t\t\t\tAddToUsersAs: g.Options.AddToUsersAs,\n\t\t\t},\n\t\t})\n\t}\n\n\treturn Admin{\n\t\tID: a.ID,\n\t\tStatus: a.Status,\n\t\tUsername: a.Username,\n\t\tPassword: a.Password,\n\t\tEmail: a.Email,\n\t\tPermissions: permissions,\n\t\tGroups: groups,\n\t\tFilters: filters,\n\t\tAdditionalInfo: a.AdditionalInfo,\n\t\tDescription: a.Description,\n\t\tLastLogin: a.LastLogin,\n\t\tCreatedAt: a.CreatedAt,\n\t\tUpdatedAt: a.UpdatedAt,\n\t\tRole: a.Role,\n\t}\n}\n\nfunc (a *Admin) setFromEnv() error {\n\tenvUsername := strings.TrimSpace(os.Getenv(\"SFTPGO_DEFAULT_ADMIN_USERNAME\"))\n\tenvPassword := strings.TrimSpace(os.Getenv(\"SFTPGO_DEFAULT_ADMIN_PASSWORD\"))\n\tif envUsername == \"\" || envPassword == \"\" {\n\t\treturn errors.New(`to create the default admin you need to set the env vars \"SFTPGO_DEFAULT_ADMIN_USERNAME\" and \"SFTPGO_DEFAULT_ADMIN_PASSWORD\"`)\n\t}\n\ta.Username = envUsername\n\ta.Password = envPassword\n\ta.Status = 1\n\ta.Permissions = []string{PermAdminAny}\n\treturn nil\n}\n" }, { "path": "internal/dataprovider/apikey.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage dataprovider\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/alexedwards/argon2id\"\n\t\"golang.org/x/crypto/bcrypt\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\n// APIKeyScope defines the supported API key scopes\ntype APIKeyScope int\n\n// Supported API key scopes\nconst (\n\t// the API key will be used for an admin\n\tAPIKeyScopeAdmin APIKeyScope = iota + 1\n\t// the API key will be used for a user\n\tAPIKeyScopeUser\n)\n\n// APIKey defines a SFTPGo API key.\n// API keys can be used as authentication alternative to short lived tokens\n// for REST API\ntype APIKey struct {\n\t// Database unique identifier\n\tID int64 `json:\"-\"`\n\t// Unique key identifier, used for key lookups.\n\t// The generated key is in the format `KeyID.hash(Key)` so we can split\n\t// and lookup by KeyID and then verify if the key matches the recorded hash\n\tKeyID string `json:\"id\"`\n\t// User friendly key name\n\tName string `json:\"name\"`\n\t// we store the hash of the key, this is just like a password\n\tKey string `json:\"key,omitempty\"`\n\tScope APIKeyScope `json:\"scope\"`\n\tCreatedAt int64 `json:\"created_at\"`\n\tUpdatedAt int64 `json:\"updated_at\"`\n\t// 0 means never used\n\tLastUseAt int64 `json:\"last_use_at,omitempty\"`\n\t// 0 means never expire\n\tExpiresAt int64 `json:\"expires_at,omitempty\"`\n\tDescription string `json:\"description,omitempty\"`\n\t// Username associated with this API key.\n\t// If empty and the scope is APIKeyScopeUser the key is valid for any user\n\tUser string `json:\"user,omitempty\"`\n\t// Admin username associated with this API key.\n\t// If empty and the scope is APIKeyScopeAdmin the key is valid for any admin\n\tAdmin string `json:\"admin,omitempty\"`\n\t// these fields are for internal use\n\tuserID int64\n\tadminID int64\n\tplainKey string\n}\n\nfunc (k *APIKey) getACopy() APIKey {\n\treturn APIKey{\n\t\tID: k.ID,\n\t\tKeyID: k.KeyID,\n\t\tName: k.Name,\n\t\tKey: k.Key,\n\t\tScope: k.Scope,\n\t\tCreatedAt: k.CreatedAt,\n\t\tUpdatedAt: k.UpdatedAt,\n\t\tLastUseAt: k.LastUseAt,\n\t\tExpiresAt: k.ExpiresAt,\n\t\tDescription: k.Description,\n\t\tUser: k.User,\n\t\tAdmin: k.Admin,\n\t\tuserID: k.userID,\n\t\tadminID: k.adminID,\n\t}\n}\n\n// RenderAsJSON implements the renderer interface used within plugins\nfunc (k *APIKey) RenderAsJSON(reload bool) ([]byte, error) {\n\tif reload {\n\t\tapiKey, err := provider.apiKeyExists(k.KeyID)\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelError, \"unable to reload api key before rendering as json: %v\", err)\n\t\t\treturn nil, err\n\t\t}\n\t\tapiKey.HideConfidentialData()\n\t\treturn json.Marshal(apiKey)\n\t}\n\tk.HideConfidentialData()\n\treturn json.Marshal(k)\n}\n\n// HideConfidentialData hides API key confidential data\nfunc (k *APIKey) HideConfidentialData() {\n\tk.Key = \"\"\n}\n\nfunc (k *APIKey) hashKey() error {\n\tif k.Key != \"\" && !util.IsStringPrefixInSlice(k.Key, internalHashPwdPrefixes) {\n\t\tif config.PasswordHashing.Algo == HashingAlgoBcrypt {\n\t\t\thashed, err := bcrypt.GenerateFromPassword([]byte(k.Key), config.PasswordHashing.BcryptOptions.Cost)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tk.Key = util.BytesToString(hashed)\n\t\t} else {\n\t\t\thashed, err := argon2id.CreateHash(k.Key, argon2Params)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tk.Key = hashed\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (k *APIKey) generateKey() {\n\tif k.KeyID != \"\" || k.Key != \"\" {\n\t\treturn\n\t}\n\tk.KeyID = util.GenerateUniqueID()\n\tk.Key = util.GenerateUniqueID()\n\tk.plainKey = k.Key\n}\n\n// DisplayKey returns the key to show to the user\nfunc (k *APIKey) DisplayKey() string {\n\treturn fmt.Sprintf(\"%v.%v\", k.KeyID, k.plainKey)\n}\n\nfunc (k *APIKey) validate() error {\n\tif k.Name == \"\" {\n\t\treturn util.NewValidationError(\"name is mandatory\")\n\t}\n\tif !util.IsNameValid(k.Name) {\n\t\treturn util.NewI18nError(errInvalidInput, util.I18nErrorInvalidInput)\n\t}\n\tif k.Scope != APIKeyScopeAdmin && k.Scope != APIKeyScopeUser {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid scope: %v\", k.Scope))\n\t}\n\tk.generateKey()\n\tif err := k.hashKey(); err != nil {\n\t\treturn err\n\t}\n\tif k.User != \"\" && k.Admin != \"\" {\n\t\treturn util.NewValidationError(\"an API key can be related to a user or an admin, not both\")\n\t}\n\tif k.Scope == APIKeyScopeAdmin {\n\t\tk.User = \"\"\n\t}\n\tif k.Scope == APIKeyScopeUser {\n\t\tk.Admin = \"\"\n\t}\n\tif k.User != \"\" {\n\t\t_, err := provider.userExists(k.User, \"\")\n\t\tif err != nil {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"unable to check API key user %v: %v\", k.User, err))\n\t\t}\n\t}\n\tif k.Admin != \"\" {\n\t\t_, err := provider.adminExists(k.Admin)\n\t\tif err != nil {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"unable to check API key admin %v: %v\", k.Admin, err))\n\t\t}\n\t}\n\treturn nil\n}\n\n// Authenticate tries to authenticate the provided plain key\nfunc (k *APIKey) Authenticate(plainKey string) error {\n\tif k.ExpiresAt > 0 && k.ExpiresAt < util.GetTimeAsMsSinceEpoch(time.Now()) {\n\t\treturn fmt.Errorf(\"API key %q is expired, expiration timestamp: %v current timestamp: %v\", k.KeyID,\n\t\t\tk.ExpiresAt, util.GetTimeAsMsSinceEpoch(time.Now()))\n\t}\n\tif config.PasswordCaching {\n\t\tfound, match := cachedAPIKeys.Check(k.KeyID, plainKey, k.Key)\n\t\tif found {\n\t\t\tif !match {\n\t\t\t\treturn ErrInvalidCredentials\n\t\t\t}\n\t\t\treturn nil\n\t\t}\n\t}\n\tif strings.HasPrefix(k.Key, bcryptPwdPrefix) {\n\t\tif err := bcrypt.CompareHashAndPassword([]byte(k.Key), []byte(plainKey)); err != nil {\n\t\t\treturn ErrInvalidCredentials\n\t\t}\n\t} else if strings.HasPrefix(k.Key, argonPwdPrefix) {\n\t\tmatch, err := argon2id.ComparePasswordAndHash(plainKey, k.Key)\n\t\tif err != nil || !match {\n\t\t\treturn ErrInvalidCredentials\n\t\t}\n\t}\n\n\tcachedAPIKeys.Add(k.KeyID, plainKey, k.Key)\n\treturn nil\n}\n" }, { "path": "internal/dataprovider/bolt.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build !nobolt\n\npackage dataprovider\n\nimport (\n\t\"bytes\"\n\t\"crypto/x509\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net/netip\"\n\t\"path/filepath\"\n\t\"slices\"\n\t\"sort\"\n\t\"strconv\"\n\t\"time\"\n\n\tbolt \"go.etcd.io/bbolt\"\n\tbolterrors \"go.etcd.io/bbolt/errors\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nconst (\n\tboltDatabaseVersion = 34\n)\n\nvar (\n\tusersBucket = []byte(\"users\")\n\tgroupsBucket = []byte(\"groups\")\n\tfoldersBucket = []byte(\"folders\")\n\tadminsBucket = []byte(\"admins\")\n\tapiKeysBucket = []byte(\"api_keys\")\n\tsharesBucket = []byte(\"shares\")\n\tactionsBucket = []byte(\"events_actions\")\n\trulesBucket = []byte(\"events_rules\")\n\trolesBucket = []byte(\"roles\")\n\tipListsBucket = []byte(\"ip_lists\")\n\tconfigsBucket = []byte(\"configs\")\n\tdbVersionBucket = []byte(\"db_version\")\n\tdbVersionKey = []byte(\"version\")\n\tconfigsKey = []byte(\"configs\")\n\tboltBuckets = [][]byte{usersBucket, groupsBucket, foldersBucket, adminsBucket, apiKeysBucket,\n\t\tsharesBucket, actionsBucket, rulesBucket, rolesBucket, ipListsBucket, configsBucket, dbVersionBucket}\n)\n\n// BoltProvider defines the auth provider for bolt key/value store\ntype BoltProvider struct {\n\tdbHandle *bolt.DB\n}\n\nfunc init() {\n\tversion.AddFeature(\"+bolt\")\n}\n\nfunc initializeBoltProvider(basePath string) error {\n\tvar err error\n\n\tdbPath := config.Name\n\tif !util.IsFileInputValid(dbPath) {\n\t\treturn fmt.Errorf(\"invalid database path: %q\", dbPath)\n\t}\n\tif !filepath.IsAbs(dbPath) {\n\t\tdbPath = filepath.Join(basePath, dbPath)\n\t}\n\tdbHandle, err := bolt.Open(dbPath, 0600, &bolt.Options{\n\t\tNoGrowSync: false,\n\t\tFreelistType: bolt.FreelistArrayType,\n\t\tTimeout: 5 * time.Second})\n\tif err == nil {\n\t\tproviderLog(logger.LevelDebug, \"bolt key store handle created\")\n\n\t\tfor _, bucket := range boltBuckets {\n\t\t\tif err := dbHandle.Update(func(tx *bolt.Tx) error {\n\t\t\t\t_, e := tx.CreateBucketIfNotExists(bucket)\n\t\t\t\treturn e\n\t\t\t}); err != nil {\n\t\t\t\tproviderLog(logger.LevelError, \"error creating bucket %q: %v\", string(bucket), err)\n\t\t\t}\n\t\t}\n\n\t\tprovider = &BoltProvider{dbHandle: dbHandle}\n\t} else {\n\t\tproviderLog(logger.LevelError, \"error creating bolt key/value store handler: %v\", err)\n\t}\n\treturn err\n}\n\nfunc (p *BoltProvider) checkAvailability() error {\n\t_, err := getBoltDatabaseVersion(p.dbHandle)\n\treturn err\n}\n\nfunc (p *BoltProvider) validateUserAndTLSCert(username, protocol string, tlsCert *x509.Certificate) (User, error) {\n\tvar user User\n\tif tlsCert == nil {\n\t\treturn user, errors.New(\"TLS certificate cannot be null or empty\")\n\t}\n\tuser, err := p.userExists(username, \"\")\n\tif err != nil {\n\t\tproviderLog(logger.LevelWarn, \"error authenticating user %q: %v\", username, err)\n\t\treturn user, err\n\t}\n\treturn checkUserAndTLSCertificate(&user, protocol, tlsCert)\n}\n\nfunc (p *BoltProvider) validateUserAndPass(username, password, ip, protocol string) (User, error) {\n\tuser, err := p.userExists(username, \"\")\n\tif err != nil {\n\t\tproviderLog(logger.LevelWarn, \"error authenticating user %q: %v\", username, err)\n\t\treturn user, err\n\t}\n\treturn checkUserAndPass(&user, password, ip, protocol)\n}\n\nfunc (p *BoltProvider) validateAdminAndPass(username, password, ip string) (Admin, error) {\n\tadmin, err := p.adminExists(username)\n\tif err != nil {\n\t\tproviderLog(logger.LevelWarn, \"error authenticating admin %q: %v\", username, err)\n\t\treturn admin, err\n\t}\n\terr = admin.checkUserAndPass(password, ip)\n\treturn admin, err\n}\n\nfunc (p *BoltProvider) validateUserAndPubKey(username string, pubKey []byte, isSSHCert bool) (User, string, error) {\n\tvar user User\n\tif len(pubKey) == 0 {\n\t\treturn user, \"\", errors.New(\"credentials cannot be null or empty\")\n\t}\n\tuser, err := p.userExists(username, \"\")\n\tif err != nil {\n\t\tproviderLog(logger.LevelWarn, \"error authenticating user %q: %v\", username, err)\n\t\treturn user, \"\", err\n\t}\n\treturn checkUserAndPubKey(&user, pubKey, isSSHCert)\n}\n\nfunc (p *BoltProvider) updateAPIKeyLastUse(keyID string) error {\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getAPIKeysBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar u []byte\n\t\tif u = bucket.Get([]byte(keyID)); u == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"key %q does not exist, unable to update last use\", keyID))\n\t\t}\n\t\tvar apiKey APIKey\n\t\terr = json.Unmarshal(u, &apiKey)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tapiKey.LastUseAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tbuf, err := json.Marshal(apiKey)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\terr = bucket.Put([]byte(keyID), buf)\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelWarn, \"error updating last use for key %q: %v\", keyID, err)\n\t\t\treturn err\n\t\t}\n\t\tproviderLog(logger.LevelDebug, \"last use updated for key %q\", keyID)\n\t\treturn nil\n\t})\n}\n\nfunc (p *BoltProvider) getAdminSignature(username string) (string, error) {\n\tvar updatedAt int64\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getAdminsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tu := bucket.Get([]byte(username))\n\t\tvar admin Admin\n\t\terr = json.Unmarshal(u, &admin)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tupdatedAt = admin.UpdatedAt\n\t\treturn nil\n\t})\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn strconv.FormatInt(updatedAt, 10), nil\n}\n\nfunc (p *BoltProvider) getUserSignature(username string) (string, error) {\n\tvar updatedAt int64\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getUsersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tu := bucket.Get([]byte(username))\n\t\tvar user User\n\t\terr = json.Unmarshal(u, &user)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tupdatedAt = user.UpdatedAt\n\t\treturn nil\n\t})\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn strconv.FormatInt(updatedAt, 10), nil\n}\n\nfunc (p *BoltProvider) setUpdatedAt(username string) {\n\tp.dbHandle.Update(func(tx *bolt.Tx) error { //nolint:errcheck\n\t\tbucket, err := p.getUsersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar u []byte\n\t\tif u = bucket.Get([]byte(username)); u == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"username %q does not exist, unable to update updated at\", username))\n\t\t}\n\t\tvar user User\n\t\terr = json.Unmarshal(u, &user)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tuser.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tbuf, err := json.Marshal(user)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\terr = bucket.Put([]byte(username), buf)\n\t\tif err == nil {\n\t\t\tproviderLog(logger.LevelDebug, \"updated at set for user %q\", username)\n\t\t\tsetLastUserUpdate()\n\t\t} else {\n\t\t\tproviderLog(logger.LevelWarn, \"error setting updated_at for user %q: %v\", username, err)\n\t\t}\n\t\treturn err\n\t})\n}\n\nfunc (p *BoltProvider) updateLastLogin(username string) error {\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getUsersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar u []byte\n\t\tif u = bucket.Get([]byte(username)); u == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"username %q does not exist, unable to update last login\", username))\n\t\t}\n\t\tvar user User\n\t\terr = json.Unmarshal(u, &user)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tuser.LastLogin = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tbuf, err := json.Marshal(user)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\terr = bucket.Put([]byte(username), buf)\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelWarn, \"error updating last login for user %q: %v\", username, err)\n\t\t} else {\n\t\t\tproviderLog(logger.LevelDebug, \"last login updated for user %q\", username)\n\t\t}\n\t\treturn err\n\t})\n}\n\nfunc (p *BoltProvider) updateAdminLastLogin(username string) error {\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getAdminsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar a []byte\n\t\tif a = bucket.Get([]byte(username)); a == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"admin %q does not exist, unable to update last login\", username))\n\t\t}\n\t\tvar admin Admin\n\t\terr = json.Unmarshal(a, &admin)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tadmin.LastLogin = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tbuf, err := json.Marshal(admin)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\terr = bucket.Put([]byte(username), buf)\n\t\tif err == nil {\n\t\t\tproviderLog(logger.LevelDebug, \"last login updated for admin %q\", username)\n\t\t\treturn err\n\t\t}\n\t\tproviderLog(logger.LevelWarn, \"error updating last login for admin %q: %v\", username, err)\n\t\treturn err\n\t})\n}\n\nfunc (p *BoltProvider) updateTransferQuota(username string, uploadSize, downloadSize int64, reset bool) error {\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getUsersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar u []byte\n\t\tif u = bucket.Get([]byte(username)); u == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"username %q does not exist, unable to update transfer quota\",\n\t\t\t\tusername))\n\t\t}\n\t\tvar user User\n\t\terr = json.Unmarshal(u, &user)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif !reset {\n\t\t\tuser.UsedUploadDataTransfer += uploadSize\n\t\t\tuser.UsedDownloadDataTransfer += downloadSize\n\t\t} else {\n\t\t\tuser.UsedUploadDataTransfer = uploadSize\n\t\t\tuser.UsedDownloadDataTransfer = downloadSize\n\t\t}\n\t\tuser.LastQuotaUpdate = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tbuf, err := json.Marshal(user)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\terr = bucket.Put([]byte(username), buf)\n\t\tproviderLog(logger.LevelDebug, \"transfer quota updated for user %q, ul increment: %v dl increment: %v is reset? %v\",\n\t\t\tusername, uploadSize, downloadSize, reset)\n\t\treturn err\n\t})\n}\n\nfunc (p *BoltProvider) updateQuota(username string, filesAdd int, sizeAdd int64, reset bool) error {\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getUsersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar u []byte\n\t\tif u = bucket.Get([]byte(username)); u == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"username %q does not exist, unable to update quota\", username))\n\t\t}\n\t\tvar user User\n\t\terr = json.Unmarshal(u, &user)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif reset {\n\t\t\tuser.UsedQuotaSize = sizeAdd\n\t\t\tuser.UsedQuotaFiles = filesAdd\n\t\t} else {\n\t\t\tuser.UsedQuotaSize += sizeAdd\n\t\t\tuser.UsedQuotaFiles += filesAdd\n\t\t}\n\t\tuser.LastQuotaUpdate = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tbuf, err := json.Marshal(user)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\terr = bucket.Put([]byte(username), buf)\n\t\tproviderLog(logger.LevelDebug, \"quota updated for user %q, files increment: %v size increment: %v is reset? %v\",\n\t\t\tusername, filesAdd, sizeAdd, reset)\n\t\treturn err\n\t})\n}\n\nfunc (p *BoltProvider) getUsedQuota(username string) (int, int64, int64, int64, error) {\n\tuser, err := p.userExists(username, \"\")\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to get quota for user %v error: %v\", username, err)\n\t\treturn 0, 0, 0, 0, err\n\t}\n\treturn user.UsedQuotaFiles, user.UsedQuotaSize, user.UsedUploadDataTransfer, user.UsedDownloadDataTransfer, err\n}\n\nfunc (p *BoltProvider) adminExists(username string) (Admin, error) {\n\tvar admin Admin\n\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getAdminsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ta := bucket.Get([]byte(username))\n\t\tif a == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"admin %v does not exist\", username))\n\t\t}\n\t\treturn json.Unmarshal(a, &admin)\n\t})\n\n\treturn admin, err\n}\n\nfunc (p *BoltProvider) addAdmin(admin *Admin) error {\n\terr := admin.validate()\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getAdminsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tgroupBucket, err := p.getGroupsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trolesBucket, err := p.getRolesBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif a := bucket.Get([]byte(admin.Username)); a != nil {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tfmt.Errorf(\"%w: admin %q already exists\", ErrDuplicatedKey, admin.Username),\n\t\t\t\tutil.I18nErrorDuplicatedUsername,\n\t\t\t)\n\t\t}\n\t\tid, err := bucket.NextSequence()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tadmin.ID = int64(id)\n\t\tadmin.LastLogin = 0\n\t\tadmin.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tadmin.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tfor idx := range admin.Groups {\n\t\t\terr = p.addAdminToGroupMapping(admin.Username, admin.Groups[idx].Name, groupBucket)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\tif err = p.addAdminToRole(admin.Username, admin.Role, rolesBucket); err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\tbuf, err := json.Marshal(admin)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(admin.Username), buf)\n\t})\n}\n\nfunc (p *BoltProvider) updateAdmin(admin *Admin) error {\n\terr := admin.validate()\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getAdminsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tgroupBucket, err := p.getGroupsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trolesBucket, err := p.getRolesBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar a []byte\n\t\tif a = bucket.Get([]byte(admin.Username)); a == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"admin %v does not exist\", admin.Username))\n\t\t}\n\t\tvar oldAdmin Admin\n\t\terr = json.Unmarshal(a, &oldAdmin)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\tif err = p.removeAdminFromRole(oldAdmin.Username, oldAdmin.Role, rolesBucket); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfor idx := range oldAdmin.Groups {\n\t\t\terr = p.removeAdminFromGroupMapping(oldAdmin.Username, oldAdmin.Groups[idx].Name, groupBucket)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\tif err = p.addAdminToRole(admin.Username, admin.Role, rolesBucket); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfor idx := range admin.Groups {\n\t\t\terr = p.addAdminToGroupMapping(admin.Username, admin.Groups[idx].Name, groupBucket)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\tadmin.ID = oldAdmin.ID\n\t\tadmin.CreatedAt = oldAdmin.CreatedAt\n\t\tadmin.LastLogin = oldAdmin.LastLogin\n\t\tadmin.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tbuf, err := json.Marshal(admin)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(admin.Username), buf)\n\t})\n}\n\nfunc (p *BoltProvider) deleteAdmin(admin Admin) error {\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getAdminsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\tvar a []byte\n\t\tif a = bucket.Get([]byte(admin.Username)); a == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"admin %v does not exist\", admin.Username))\n\t\t}\n\t\tvar oldAdmin Admin\n\t\terr = json.Unmarshal(a, &oldAdmin)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif len(oldAdmin.Groups) > 0 {\n\t\t\tgroupBucket, err := p.getGroupsBucket(tx)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tfor idx := range oldAdmin.Groups {\n\t\t\t\terr = p.removeAdminFromGroupMapping(oldAdmin.Username, oldAdmin.Groups[idx].Name, groupBucket)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif oldAdmin.Role != \"\" {\n\t\t\trolesBucket, err := p.getRolesBucket(tx)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tif err = p.removeAdminFromRole(oldAdmin.Username, oldAdmin.Role, rolesBucket); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\n\t\tif err := p.deleteRelatedAPIKey(tx, admin.Username, APIKeyScopeAdmin); err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\treturn bucket.Delete([]byte(admin.Username))\n\t})\n}\n\nfunc (p *BoltProvider) getAdmins(limit int, offset int, order string) ([]Admin, error) {\n\tadmins := make([]Admin, 0, limit)\n\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getAdminsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tcursor := bucket.Cursor()\n\t\titNum := 0\n\t\tif order == OrderASC {\n\t\t\tfor k, v := cursor.First(); k != nil; k, v = cursor.Next() {\n\t\t\t\titNum++\n\t\t\t\tif itNum <= offset {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tvar admin Admin\n\t\t\t\terr = json.Unmarshal(v, &admin)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tadmin.HideConfidentialData()\n\t\t\t\tadmins = append(admins, admin)\n\t\t\t\tif len(admins) >= limit {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t} else {\n\t\t\tfor k, v := cursor.Last(); k != nil; k, v = cursor.Prev() {\n\t\t\t\titNum++\n\t\t\t\tif itNum <= offset {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tvar admin Admin\n\t\t\t\terr = json.Unmarshal(v, &admin)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tadmin.HideConfidentialData()\n\t\t\t\tadmins = append(admins, admin)\n\t\t\t\tif len(admins) >= limit {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\treturn err\n\t})\n\n\treturn admins, err\n}\n\nfunc (p *BoltProvider) dumpAdmins() ([]Admin, error) {\n\tadmins := make([]Admin, 0, 30)\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getAdminsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\tcursor := bucket.Cursor()\n\t\tfor k, v := cursor.First(); k != nil; k, v = cursor.Next() {\n\t\t\tvar admin Admin\n\t\t\terr = json.Unmarshal(v, &admin)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tadmins = append(admins, admin)\n\t\t}\n\t\treturn err\n\t})\n\n\treturn admins, err\n}\n\nfunc (p *BoltProvider) userExists(username, role string) (User, error) {\n\tvar user User\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getUsersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tu := bucket.Get([]byte(username))\n\t\tif u == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"username %q does not exist\", username))\n\t\t}\n\t\tfoldersBucket, err := p.getFoldersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tuser, err = p.joinUserAndFolders(u, foldersBucket)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif !user.hasRole(role) {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"username %q does not exist\", username))\n\t\t}\n\t\treturn nil\n\t})\n\treturn user, err\n}\n\nfunc (p *BoltProvider) addUser(user *User) error {\n\terr := ValidateUser(user)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getUsersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfoldersBucket, err := p.getFoldersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tgroupBucket, err := p.getGroupsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trolesBucket, err := p.getRolesBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif u := bucket.Get([]byte(user.Username)); u != nil {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tfmt.Errorf(\"%w: username %v already exists\", ErrDuplicatedKey, user.Username),\n\t\t\t\tutil.I18nErrorDuplicatedUsername,\n\t\t\t)\n\t\t}\n\t\tid, err := bucket.NextSequence()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tuser.ID = int64(id)\n\t\tuser.LastQuotaUpdate = 0\n\t\tuser.UsedQuotaSize = 0\n\t\tuser.UsedQuotaFiles = 0\n\t\tuser.UsedUploadDataTransfer = 0\n\t\tuser.UsedDownloadDataTransfer = 0\n\t\tuser.LastLogin = 0\n\t\tuser.FirstDownload = 0\n\t\tuser.FirstUpload = 0\n\t\tuser.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tuser.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tif err := p.addUserToRole(user.Username, user.Role, rolesBucket); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfor idx := range user.VirtualFolders {\n\t\t\terr = p.addRelationToFolderMapping(user.VirtualFolders[idx].Name, user, nil, foldersBucket)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\tfor idx := range user.Groups {\n\t\t\terr = p.addUserToGroupMapping(user.Username, user.Groups[idx].Name, groupBucket)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\tbuf, err := json.Marshal(user)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(user.Username), buf)\n\t})\n}\n\nfunc (p *BoltProvider) updateUser(user *User) error {\n\terr := ValidateUser(user)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getUsersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar u []byte\n\t\tif u = bucket.Get([]byte(user.Username)); u == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"username %q does not exist\", user.Username))\n\t\t}\n\t\tvar oldUser User\n\t\terr = json.Unmarshal(u, &oldUser)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err = p.updateUserRelations(tx, user, oldUser); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tuser.ID = oldUser.ID\n\t\tuser.LastQuotaUpdate = oldUser.LastQuotaUpdate\n\t\tuser.UsedQuotaSize = oldUser.UsedQuotaSize\n\t\tuser.UsedQuotaFiles = oldUser.UsedQuotaFiles\n\t\tuser.UsedUploadDataTransfer = oldUser.UsedUploadDataTransfer\n\t\tuser.UsedDownloadDataTransfer = oldUser.UsedDownloadDataTransfer\n\t\tuser.LastLogin = oldUser.LastLogin\n\t\tuser.FirstDownload = oldUser.FirstDownload\n\t\tuser.FirstUpload = oldUser.FirstUpload\n\t\tuser.CreatedAt = oldUser.CreatedAt\n\t\tuser.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tbuf, err := json.Marshal(user)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\terr = bucket.Put([]byte(user.Username), buf)\n\t\tif err == nil {\n\t\t\tsetLastUserUpdate()\n\t\t}\n\t\treturn err\n\t})\n}\n\nfunc (p *BoltProvider) deleteUser(user User, _ bool) error {\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getUsersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfoldersBucket, err := p.getFoldersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tgroupBucket, err := p.getGroupsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trolesBucket, err := p.getRolesBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar u []byte\n\t\tif u = bucket.Get([]byte(user.Username)); u == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"username %q does not exist\", user.Username))\n\t\t}\n\t\tvar oldUser User\n\t\terr = json.Unmarshal(u, &oldUser)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err := p.removeUserFromRole(oldUser.Username, oldUser.Role, rolesBucket); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfor idx := range oldUser.VirtualFolders {\n\t\t\terr = p.removeRelationFromFolderMapping(oldUser.VirtualFolders[idx], oldUser.Username, \"\", foldersBucket)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\tfor idx := range oldUser.Groups {\n\t\t\terr = p.removeUserFromGroupMapping(oldUser.Username, oldUser.Groups[idx].Name, groupBucket)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\tif err := p.deleteRelatedAPIKey(tx, user.Username, APIKeyScopeUser); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err := p.deleteRelatedShares(tx, user.Username); err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Delete([]byte(user.Username))\n\t})\n}\n\nfunc (p *BoltProvider) updateUserPassword(username, password string) error {\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getUsersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar u []byte\n\t\tif u = bucket.Get([]byte(username)); u == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"username %q does not exist\", username))\n\t\t}\n\t\tvar user User\n\t\terr = json.Unmarshal(u, &user)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tuser.Password = password\n\t\tuser.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tbuf, err := json.Marshal(user)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(username), buf)\n\t})\n}\n\nfunc (p *BoltProvider) dumpUsers() ([]User, error) {\n\tusers := make([]User, 0, 100)\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getUsersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfoldersBucket, err := p.getFoldersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tcursor := bucket.Cursor()\n\t\tfor k, v := cursor.First(); k != nil; k, v = cursor.Next() {\n\t\t\tuser, err := p.joinUserAndFolders(v, foldersBucket)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tusers = append(users, user)\n\t\t}\n\t\treturn err\n\t})\n\treturn users, err\n}\n\nfunc (p *BoltProvider) getRecentlyUpdatedUsers(after int64) ([]User, error) {\n\tif getLastUserUpdate() < after {\n\t\treturn nil, nil\n\t}\n\tusers := make([]User, 0, 10)\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getUsersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfoldersBucket, err := p.getFoldersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tgroupsBucket, err := p.getGroupsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tcursor := bucket.Cursor()\n\t\tfor k, v := cursor.First(); k != nil; k, v = cursor.Next() {\n\t\t\tvar user User\n\t\t\terr := json.Unmarshal(v, &user)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tif user.UpdatedAt < after {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tif len(user.VirtualFolders) > 0 {\n\t\t\t\tvar folders []vfs.VirtualFolder\n\t\t\t\tfor idx := range user.VirtualFolders {\n\t\t\t\t\tfolder := &user.VirtualFolders[idx]\n\t\t\t\t\tbaseFolder, err := p.folderExistsInternal(folder.Name, foldersBucket)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\tcontinue\n\t\t\t\t\t}\n\t\t\t\t\tfolder.BaseVirtualFolder = baseFolder\n\t\t\t\t\tfolders = append(folders, *folder)\n\t\t\t\t}\n\t\t\t\tuser.VirtualFolders = folders\n\t\t\t}\n\t\t\tif len(user.Groups) > 0 {\n\t\t\t\tgroupMapping := make(map[string]Group)\n\t\t\t\tfor idx := range user.Groups {\n\t\t\t\t\tgroup, err := p.groupExistsInternal(user.Groups[idx].Name, groupsBucket)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\tcontinue\n\t\t\t\t\t}\n\t\t\t\t\tgroupMapping[group.Name] = group\n\t\t\t\t}\n\t\t\t\tuser.applyGroupSettings(groupMapping)\n\t\t\t}\n\t\t\tuser.SetEmptySecretsIfNil()\n\t\t\tusers = append(users, user)\n\t\t}\n\t\treturn err\n\t})\n\treturn users, err\n}\n\nfunc (p *BoltProvider) getUsersForQuotaCheck(toFetch map[string]bool) ([]User, error) {\n\tusers := make([]User, 0, 10)\n\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getUsersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfoldersBucket, err := p.getFoldersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tgroupsBucket, err := p.getGroupsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tcursor := bucket.Cursor()\n\t\tfor k, v := cursor.First(); k != nil; k, v = cursor.Next() {\n\t\t\tvar user User\n\t\t\terr := json.Unmarshal(v, &user)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tif needFolders, ok := toFetch[user.Username]; ok {\n\t\t\t\tif needFolders && len(user.VirtualFolders) > 0 {\n\t\t\t\t\tvar folders []vfs.VirtualFolder\n\t\t\t\t\tfor idx := range user.VirtualFolders {\n\t\t\t\t\t\tfolder := &user.VirtualFolders[idx]\n\t\t\t\t\t\tbaseFolder, err := p.folderExistsInternal(folder.Name, foldersBucket)\n\t\t\t\t\t\tif err != nil {\n\t\t\t\t\t\t\tcontinue\n\t\t\t\t\t\t}\n\t\t\t\t\t\tfolder.BaseVirtualFolder = baseFolder\n\t\t\t\t\t\tfolders = append(folders, *folder)\n\t\t\t\t\t}\n\t\t\t\t\tuser.VirtualFolders = folders\n\t\t\t\t}\n\t\t\t\tif len(user.Groups) > 0 {\n\t\t\t\t\tgroupMapping := make(map[string]Group)\n\t\t\t\t\tfor idx := range user.Groups {\n\t\t\t\t\t\tgroup, err := p.groupExistsInternal(user.Groups[idx].Name, groupsBucket)\n\t\t\t\t\t\tif err != nil {\n\t\t\t\t\t\t\tcontinue\n\t\t\t\t\t\t}\n\t\t\t\t\t\tgroupMapping[group.Name] = group\n\t\t\t\t\t}\n\t\t\t\t\tuser.applyGroupSettings(groupMapping)\n\t\t\t\t}\n\n\t\t\t\tuser.SetEmptySecretsIfNil()\n\t\t\t\tuser.PrepareForRendering()\n\t\t\t\tusers = append(users, user)\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t})\n\n\treturn users, err\n}\n\nfunc (p *BoltProvider) getUsers(limit int, offset int, order, role string) ([]User, error) {\n\tusers := make([]User, 0, limit)\n\tvar err error\n\tif limit <= 0 {\n\t\treturn users, err\n\t}\n\terr = p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getUsersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfoldersBucket, err := p.getFoldersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tcursor := bucket.Cursor()\n\t\titNum := 0\n\t\tif order == OrderASC {\n\t\t\tfor k, v := cursor.First(); k != nil; k, v = cursor.Next() {\n\t\t\t\titNum++\n\t\t\t\tif itNum <= offset {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tuser, err := p.joinUserAndFolders(v, foldersBucket)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tif !user.hasRole(role) {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tuser.PrepareForRendering()\n\t\t\t\tusers = append(users, user)\n\t\t\t\tif len(users) >= limit {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t} else {\n\t\t\tfor k, v := cursor.Last(); k != nil; k, v = cursor.Prev() {\n\t\t\t\titNum++\n\t\t\t\tif itNum <= offset {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tuser, err := p.joinUserAndFolders(v, foldersBucket)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tif !user.hasRole(role) {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tuser.PrepareForRendering()\n\t\t\t\tusers = append(users, user)\n\t\t\t\tif len(users) >= limit {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\treturn err\n\t})\n\treturn users, err\n}\n\nfunc (p *BoltProvider) dumpFolders() ([]vfs.BaseVirtualFolder, error) {\n\tfolders := make([]vfs.BaseVirtualFolder, 0, 50)\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getFoldersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tcursor := bucket.Cursor()\n\t\tfor k, v := cursor.First(); k != nil; k, v = cursor.Next() {\n\t\t\tvar folder vfs.BaseVirtualFolder\n\t\t\terr = json.Unmarshal(v, &folder)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tfolders = append(folders, folder)\n\t\t}\n\t\treturn err\n\t})\n\treturn folders, err\n}\n\nfunc (p *BoltProvider) getFolders(limit, offset int, order string, _ bool) ([]vfs.BaseVirtualFolder, error) {\n\tfolders := make([]vfs.BaseVirtualFolder, 0, limit)\n\tvar err error\n\tif limit <= 0 {\n\t\treturn folders, err\n\t}\n\terr = p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getFoldersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tcursor := bucket.Cursor()\n\t\titNum := 0\n\t\tif order == OrderASC {\n\t\t\tfor k, v := cursor.First(); k != nil; k, v = cursor.Next() {\n\t\t\t\titNum++\n\t\t\t\tif itNum <= offset {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tvar folder vfs.BaseVirtualFolder\n\t\t\t\terr = json.Unmarshal(v, &folder)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tfolder.PrepareForRendering()\n\t\t\t\tfolders = append(folders, folder)\n\t\t\t\tif len(folders) >= limit {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t} else {\n\t\t\tfor k, v := cursor.Last(); k != nil; k, v = cursor.Prev() {\n\t\t\t\titNum++\n\t\t\t\tif itNum <= offset {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tvar folder vfs.BaseVirtualFolder\n\t\t\t\terr = json.Unmarshal(v, &folder)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tfolder.PrepareForRendering()\n\t\t\t\tfolders = append(folders, folder)\n\t\t\t\tif len(folders) >= limit {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\treturn err\n\t})\n\treturn folders, err\n}\n\nfunc (p *BoltProvider) getFolderByName(name string) (vfs.BaseVirtualFolder, error) {\n\tvar folder vfs.BaseVirtualFolder\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getFoldersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfolder, err = p.folderExistsInternal(name, bucket)\n\t\treturn err\n\t})\n\treturn folder, err\n}\n\nfunc (p *BoltProvider) addFolder(folder *vfs.BaseVirtualFolder) error {\n\terr := ValidateFolder(folder)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getFoldersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif f := bucket.Get([]byte(folder.Name)); f != nil {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tfmt.Errorf(\"%w: folder %q already exists\", ErrDuplicatedKey, folder.Name),\n\t\t\t\tutil.I18nErrorDuplicatedUsername,\n\t\t\t)\n\t\t}\n\t\tfolder.Users = nil\n\t\tfolder.Groups = nil\n\t\treturn p.addFolderInternal(*folder, bucket)\n\t})\n}\n\nfunc (p *BoltProvider) updateFolder(folder *vfs.BaseVirtualFolder) error {\n\terr := ValidateFolder(folder)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getFoldersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar f []byte\n\n\t\tif f = bucket.Get([]byte(folder.Name)); f == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"folder %v does not exist\", folder.Name))\n\t\t}\n\t\tvar oldFolder vfs.BaseVirtualFolder\n\t\terr = json.Unmarshal(f, &oldFolder)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\tfolder.ID = oldFolder.ID\n\t\tfolder.LastQuotaUpdate = oldFolder.LastQuotaUpdate\n\t\tfolder.UsedQuotaFiles = oldFolder.UsedQuotaFiles\n\t\tfolder.UsedQuotaSize = oldFolder.UsedQuotaSize\n\t\tfolder.Users = oldFolder.Users\n\t\tfolder.Groups = oldFolder.Groups\n\t\tbuf, err := json.Marshal(folder)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(folder.Name), buf)\n\t})\n}\n\nfunc (p *BoltProvider) deleteFolderMappings(folder vfs.BaseVirtualFolder, usersBucket, groupsBucket *bolt.Bucket) error {\n\tfor _, username := range folder.Users {\n\t\tvar u []byte\n\t\tif u = usersBucket.Get([]byte(username)); u == nil {\n\t\t\tcontinue\n\t\t}\n\t\tvar user User\n\t\terr := json.Unmarshal(u, &user)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar folders []vfs.VirtualFolder\n\t\tfor _, userFolder := range user.VirtualFolders {\n\t\t\tif folder.Name != userFolder.Name {\n\t\t\t\tfolders = append(folders, userFolder)\n\t\t\t}\n\t\t}\n\t\tuser.VirtualFolders = folders\n\t\tbuf, err := json.Marshal(user)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\terr = usersBucket.Put([]byte(user.Username), buf)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tfor _, groupname := range folder.Groups {\n\t\tvar u []byte\n\t\tif u = groupsBucket.Get([]byte(groupname)); u == nil {\n\t\t\tcontinue\n\t\t}\n\t\tvar group Group\n\t\terr := json.Unmarshal(u, &group)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar folders []vfs.VirtualFolder\n\t\tfor _, groupFolder := range group.VirtualFolders {\n\t\t\tif folder.Name != groupFolder.Name {\n\t\t\t\tfolders = append(folders, groupFolder)\n\t\t\t}\n\t\t}\n\t\tgroup.VirtualFolders = folders\n\t\tbuf, err := json.Marshal(group)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\terr = groupsBucket.Put([]byte(group.Name), buf)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (p *BoltProvider) deleteFolder(baseFolder vfs.BaseVirtualFolder) error {\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getFoldersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tusersBucket, err := p.getUsersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tgroupsBucket, err := p.getGroupsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\tvar f []byte\n\t\tif f = bucket.Get([]byte(baseFolder.Name)); f == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"folder %v does not exist\", baseFolder.Name))\n\t\t}\n\t\tvar folder vfs.BaseVirtualFolder\n\t\terr = json.Unmarshal(f, &folder)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err = p.deleteFolderMappings(folder, usersBucket, groupsBucket); err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\treturn bucket.Delete([]byte(folder.Name))\n\t})\n}\n\nfunc (p *BoltProvider) updateFolderQuota(name string, filesAdd int, sizeAdd int64, reset bool) error {\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getFoldersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar f []byte\n\t\tif f = bucket.Get([]byte(name)); f == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"folder %q does not exist, unable to update quota\", name))\n\t\t}\n\t\tvar folder vfs.BaseVirtualFolder\n\t\terr = json.Unmarshal(f, &folder)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif reset {\n\t\t\tfolder.UsedQuotaSize = sizeAdd\n\t\t\tfolder.UsedQuotaFiles = filesAdd\n\t\t} else {\n\t\t\tfolder.UsedQuotaSize += sizeAdd\n\t\t\tfolder.UsedQuotaFiles += filesAdd\n\t\t}\n\t\tfolder.LastQuotaUpdate = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tbuf, err := json.Marshal(folder)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(folder.Name), buf)\n\t})\n}\n\nfunc (p *BoltProvider) getUsedFolderQuota(name string) (int, int64, error) {\n\tfolder, err := p.getFolderByName(name)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to get quota for folder %q error: %v\", name, err)\n\t\treturn 0, 0, err\n\t}\n\treturn folder.UsedQuotaFiles, folder.UsedQuotaSize, err\n}\n\nfunc (p *BoltProvider) getGroups(limit, offset int, order string, _ bool) ([]Group, error) {\n\tgroups := make([]Group, 0, limit)\n\tvar err error\n\tif limit <= 0 {\n\t\treturn groups, err\n\t}\n\terr = p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getGroupsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfoldersBucket, err := p.getFoldersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tcursor := bucket.Cursor()\n\t\titNum := 0\n\t\tif order == OrderASC {\n\t\t\tfor k, v := cursor.First(); k != nil; k, v = cursor.Next() {\n\t\t\t\titNum++\n\t\t\t\tif itNum <= offset {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tvar group Group\n\t\t\t\tgroup, err = p.joinGroupAndFolders(v, foldersBucket)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tgroup.PrepareForRendering()\n\t\t\t\tgroups = append(groups, group)\n\t\t\t\tif len(groups) >= limit {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t} else {\n\t\t\tfor k, v := cursor.Last(); k != nil; k, v = cursor.Prev() {\n\t\t\t\titNum++\n\t\t\t\tif itNum <= offset {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tvar group Group\n\t\t\t\tgroup, err = p.joinGroupAndFolders(v, foldersBucket)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tgroup.PrepareForRendering()\n\t\t\t\tgroups = append(groups, group)\n\t\t\t\tif len(groups) >= limit {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\treturn err\n\t})\n\treturn groups, err\n}\n\nfunc (p *BoltProvider) getGroupsWithNames(names []string) ([]Group, error) {\n\tvar groups []Group\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getGroupsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfoldersBucket, err := p.getFoldersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfor _, name := range names {\n\t\t\tg := bucket.Get([]byte(name))\n\t\t\tif g == nil {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tgroup, err := p.joinGroupAndFolders(g, foldersBucket)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tgroups = append(groups, group)\n\t\t}\n\t\treturn nil\n\t})\n\treturn groups, err\n}\n\nfunc (p *BoltProvider) getUsersInGroups(names []string) ([]string, error) {\n\tvar usernames []string\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getGroupsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfor _, name := range names {\n\t\t\tg := bucket.Get([]byte(name))\n\t\t\tif g == nil {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tvar group Group\n\t\t\terr := json.Unmarshal(g, &group)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tusernames = append(usernames, group.Users...)\n\t\t}\n\t\treturn nil\n\t})\n\treturn usernames, err\n}\n\nfunc (p *BoltProvider) groupExists(name string) (Group, error) {\n\tvar group Group\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getGroupsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tg := bucket.Get([]byte(name))\n\t\tif g == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"group %q does not exist\", name))\n\t\t}\n\t\tfoldersBucket, err := p.getFoldersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tgroup, err = p.joinGroupAndFolders(g, foldersBucket)\n\t\treturn err\n\t})\n\treturn group, err\n}\n\nfunc (p *BoltProvider) addGroup(group *Group) error {\n\tif err := group.validate(); err != nil {\n\t\treturn err\n\t}\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getGroupsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfoldersBucket, err := p.getFoldersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif u := bucket.Get([]byte(group.Name)); u != nil {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tfmt.Errorf(\"%w: group %q already exists\", ErrDuplicatedKey, group.Name),\n\t\t\t\tutil.I18nErrorDuplicatedUsername,\n\t\t\t)\n\t\t}\n\t\tid, err := bucket.NextSequence()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tgroup.ID = int64(id)\n\t\tgroup.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tgroup.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tgroup.Users = nil\n\t\tgroup.Admins = nil\n\t\tfor idx := range group.VirtualFolders {\n\t\t\terr = p.addRelationToFolderMapping(group.VirtualFolders[idx].Name, nil, group, foldersBucket)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\tbuf, err := json.Marshal(group)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(group.Name), buf)\n\t})\n}\n\nfunc (p *BoltProvider) updateGroup(group *Group) error {\n\tif err := group.validate(); err != nil {\n\t\treturn err\n\t}\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getGroupsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfoldersBucket, err := p.getFoldersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar g []byte\n\t\tif g = bucket.Get([]byte(group.Name)); g == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"group %q does not exist\", group.Name))\n\t\t}\n\t\tvar oldGroup Group\n\t\terr = json.Unmarshal(g, &oldGroup)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfor idx := range oldGroup.VirtualFolders {\n\t\t\terr = p.removeRelationFromFolderMapping(oldGroup.VirtualFolders[idx], \"\", oldGroup.Name, foldersBucket)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\tfor idx := range group.VirtualFolders {\n\t\t\terr = p.addRelationToFolderMapping(group.VirtualFolders[idx].Name, nil, group, foldersBucket)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\tgroup.ID = oldGroup.ID\n\t\tgroup.CreatedAt = oldGroup.CreatedAt\n\t\tgroup.Users = oldGroup.Users\n\t\tgroup.Admins = oldGroup.Admins\n\t\tgroup.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tbuf, err := json.Marshal(group)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(group.Name), buf)\n\t})\n}\n\nfunc (p *BoltProvider) deleteGroup(group Group) error {\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getGroupsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar g []byte\n\t\tif g = bucket.Get([]byte(group.Name)); g == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"group %q does not exist\", group.Name))\n\t\t}\n\t\tvar oldGroup Group\n\t\terr = json.Unmarshal(g, &oldGroup)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif len(oldGroup.Users) > 0 {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"the group %q is referenced, it cannot be removed\", oldGroup.Name))\n\t\t}\n\t\tif len(oldGroup.VirtualFolders) > 0 {\n\t\t\tfoldersBucket, err := p.getFoldersBucket(tx)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tfor idx := range oldGroup.VirtualFolders {\n\t\t\t\terr = p.removeRelationFromFolderMapping(oldGroup.VirtualFolders[idx], \"\", oldGroup.Name, foldersBucket)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif len(oldGroup.Admins) > 0 {\n\t\t\tadminsBucket, err := p.getAdminsBucket(tx)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tfor idx := range oldGroup.Admins {\n\t\t\t\terr = p.removeGroupFromAdminMapping(oldGroup.Name, oldGroup.Admins[idx], adminsBucket)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\treturn bucket.Delete([]byte(group.Name))\n\t})\n}\n\nfunc (p *BoltProvider) dumpGroups() ([]Group, error) {\n\tgroups := make([]Group, 0, 50)\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getGroupsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfoldersBucket, err := p.getFoldersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tcursor := bucket.Cursor()\n\t\tfor k, v := cursor.First(); k != nil; k, v = cursor.Next() {\n\t\t\tgroup, err := p.joinGroupAndFolders(v, foldersBucket)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tgroups = append(groups, group)\n\t\t}\n\t\treturn err\n\t})\n\treturn groups, err\n}\n\nfunc (p *BoltProvider) apiKeyExists(keyID string) (APIKey, error) {\n\tvar apiKey APIKey\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getAPIKeysBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\tk := bucket.Get([]byte(keyID))\n\t\tif k == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"API key %v does not exist\", keyID))\n\t\t}\n\t\treturn json.Unmarshal(k, &apiKey)\n\t})\n\treturn apiKey, err\n}\n\nfunc (p *BoltProvider) addAPIKey(apiKey *APIKey) error {\n\terr := apiKey.validate()\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getAPIKeysBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif a := bucket.Get([]byte(apiKey.KeyID)); a != nil {\n\t\t\treturn fmt.Errorf(\"API key %v already exists\", apiKey.KeyID)\n\t\t}\n\t\tid, err := bucket.NextSequence()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tapiKey.ID = int64(id)\n\t\tapiKey.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tapiKey.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tapiKey.LastUseAt = 0\n\t\tif apiKey.User != \"\" {\n\t\t\tif err := p.userExistsInternal(tx, apiKey.User); err != nil {\n\t\t\t\treturn fmt.Errorf(\"%w: related user %q does not exists\", ErrForeignKeyViolated, apiKey.User)\n\t\t\t}\n\t\t}\n\t\tif apiKey.Admin != \"\" {\n\t\t\tif err := p.adminExistsInternal(tx, apiKey.Admin); err != nil {\n\t\t\t\treturn fmt.Errorf(\"%w: related admin %q does not exists\", ErrForeignKeyViolated, apiKey.Admin)\n\t\t\t}\n\t\t}\n\t\tbuf, err := json.Marshal(apiKey)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(apiKey.KeyID), buf)\n\t})\n}\n\nfunc (p *BoltProvider) updateAPIKey(apiKey *APIKey) error {\n\terr := apiKey.validate()\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getAPIKeysBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar a []byte\n\n\t\tif a = bucket.Get([]byte(apiKey.KeyID)); a == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"API key %v does not exist\", apiKey.KeyID))\n\t\t}\n\t\tvar oldAPIKey APIKey\n\t\terr = json.Unmarshal(a, &oldAPIKey)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\tapiKey.ID = oldAPIKey.ID\n\t\tapiKey.KeyID = oldAPIKey.KeyID\n\t\tapiKey.Key = oldAPIKey.Key\n\t\tapiKey.CreatedAt = oldAPIKey.CreatedAt\n\t\tapiKey.LastUseAt = oldAPIKey.LastUseAt\n\t\tapiKey.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tif apiKey.User != \"\" {\n\t\t\tif err := p.userExistsInternal(tx, apiKey.User); err != nil {\n\t\t\t\treturn fmt.Errorf(\"%w: related user %q does not exists\", ErrForeignKeyViolated, apiKey.User)\n\t\t\t}\n\t\t}\n\t\tif apiKey.Admin != \"\" {\n\t\t\tif err := p.adminExistsInternal(tx, apiKey.Admin); err != nil {\n\t\t\t\treturn fmt.Errorf(\"%w: related admin %q does not exists\", ErrForeignKeyViolated, apiKey.Admin)\n\t\t\t}\n\t\t}\n\t\tbuf, err := json.Marshal(apiKey)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(apiKey.KeyID), buf)\n\t})\n}\n\nfunc (p *BoltProvider) deleteAPIKey(apiKey APIKey) error {\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getAPIKeysBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\tif bucket.Get([]byte(apiKey.KeyID)) == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"API key %v does not exist\", apiKey.KeyID))\n\t\t}\n\n\t\treturn bucket.Delete([]byte(apiKey.KeyID))\n\t})\n}\n\nfunc (p *BoltProvider) getAPIKeys(limit int, offset int, order string) ([]APIKey, error) {\n\tapiKeys := make([]APIKey, 0, limit)\n\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getAPIKeysBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tcursor := bucket.Cursor()\n\t\titNum := 0\n\t\tif order == OrderASC {\n\t\t\tfor k, v := cursor.First(); k != nil; k, v = cursor.Next() {\n\t\t\t\titNum++\n\t\t\t\tif itNum <= offset {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tvar apiKey APIKey\n\t\t\t\terr = json.Unmarshal(v, &apiKey)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tapiKey.HideConfidentialData()\n\t\t\t\tapiKeys = append(apiKeys, apiKey)\n\t\t\t\tif len(apiKeys) >= limit {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn nil\n\t\t}\n\t\tfor k, v := cursor.Last(); k != nil; k, v = cursor.Prev() {\n\t\t\titNum++\n\t\t\tif itNum <= offset {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tvar apiKey APIKey\n\t\t\terr = json.Unmarshal(v, &apiKey)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tapiKey.HideConfidentialData()\n\t\t\tapiKeys = append(apiKeys, apiKey)\n\t\t\tif len(apiKeys) >= limit {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t})\n\n\treturn apiKeys, err\n}\n\nfunc (p *BoltProvider) dumpAPIKeys() ([]APIKey, error) {\n\tapiKeys := make([]APIKey, 0, 30)\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getAPIKeysBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\tcursor := bucket.Cursor()\n\t\tfor k, v := cursor.First(); k != nil; k, v = cursor.Next() {\n\t\t\tvar apiKey APIKey\n\t\t\terr = json.Unmarshal(v, &apiKey)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tapiKeys = append(apiKeys, apiKey)\n\t\t}\n\t\treturn err\n\t})\n\n\treturn apiKeys, err\n}\n\nfunc (p *BoltProvider) shareExists(shareID, username string) (Share, error) {\n\tvar share Share\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getSharesBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\ts := bucket.Get([]byte(shareID))\n\t\tif s == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"Share %v does not exist\", shareID))\n\t\t}\n\t\tif err := json.Unmarshal(s, &share); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif username != \"\" && share.Username != username {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"Share %v does not exist\", shareID))\n\t\t}\n\t\treturn nil\n\t})\n\treturn share, err\n}\n\nfunc (p *BoltProvider) addShare(share *Share) error {\n\terr := share.validate()\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getSharesBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif a := bucket.Get([]byte(share.ShareID)); a != nil {\n\t\t\treturn fmt.Errorf(\"share %q already exists\", share.ShareID)\n\t\t}\n\t\tid, err := bucket.NextSequence()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tshare.ID = int64(id)\n\t\tif !share.IsRestore {\n\t\t\tshare.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\t\tshare.UpdatedAt = share.CreatedAt\n\t\t\tshare.LastUseAt = 0\n\t\t\tshare.UsedTokens = 0\n\t\t}\n\t\tif share.CreatedAt == 0 {\n\t\t\tshare.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\t}\n\t\tif share.UpdatedAt == 0 {\n\t\t\tshare.UpdatedAt = share.CreatedAt\n\t\t}\n\t\tif err := p.userExistsInternal(tx, share.Username); err != nil {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"related user %q does not exists\", share.Username))\n\t\t}\n\t\tbuf, err := json.Marshal(share)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(share.ShareID), buf)\n\t})\n}\n\nfunc (p *BoltProvider) updateShare(share *Share) error {\n\tif err := share.validate(); err != nil {\n\t\treturn err\n\t}\n\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getSharesBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar s []byte\n\n\t\tif s = bucket.Get([]byte(share.ShareID)); s == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"Share %v does not exist\", share.ShareID))\n\t\t}\n\t\tvar oldObject Share\n\t\tif err = json.Unmarshal(s, &oldObject); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif oldObject.Username != share.Username {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"Share %v does not exist\", share.ShareID))\n\t\t}\n\n\t\tshare.ID = oldObject.ID\n\t\tshare.ShareID = oldObject.ShareID\n\t\tif !share.IsRestore {\n\t\t\tshare.UsedTokens = oldObject.UsedTokens\n\t\t\tshare.CreatedAt = oldObject.CreatedAt\n\t\t\tshare.LastUseAt = oldObject.LastUseAt\n\t\t\tshare.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\t}\n\t\tif share.CreatedAt == 0 {\n\t\t\tshare.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\t}\n\t\tif share.UpdatedAt == 0 {\n\t\t\tshare.UpdatedAt = share.CreatedAt\n\t\t}\n\t\tif err := p.userExistsInternal(tx, share.Username); err != nil {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"related user %q does not exists\", share.Username))\n\t\t}\n\t\tbuf, err := json.Marshal(share)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(share.ShareID), buf)\n\t})\n}\n\nfunc (p *BoltProvider) deleteShare(share Share) error {\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getSharesBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\tvar s []byte\n\n\t\tif s = bucket.Get([]byte(share.ShareID)); s == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"Share %v does not exist\", share.ShareID))\n\t\t}\n\t\tvar oldObject Share\n\t\tif err = json.Unmarshal(s, &oldObject); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif oldObject.Username != share.Username {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"Share %v does not exist\", share.ShareID))\n\t\t}\n\n\t\treturn bucket.Delete([]byte(share.ShareID))\n\t})\n}\n\nfunc (p *BoltProvider) getShares(limit int, offset int, order, username string) ([]Share, error) {\n\tshares := make([]Share, 0, limit)\n\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getSharesBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tcursor := bucket.Cursor()\n\t\titNum := 0\n\t\tif order == OrderASC {\n\t\t\tfor k, v := cursor.First(); k != nil; k, v = cursor.Next() {\n\t\t\t\tvar share Share\n\t\t\t\tif err := json.Unmarshal(v, &share); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tif share.Username != username {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\titNum++\n\t\t\t\tif itNum <= offset {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tshare.HideConfidentialData()\n\t\t\t\tshares = append(shares, share)\n\t\t\t\tif len(shares) >= limit {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn nil\n\t\t}\n\t\tfor k, v := cursor.Last(); k != nil; k, v = cursor.Prev() {\n\t\t\tvar share Share\n\t\t\terr = json.Unmarshal(v, &share)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tif share.Username != username {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\titNum++\n\t\t\tif itNum <= offset {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tshare.HideConfidentialData()\n\t\t\tshares = append(shares, share)\n\t\t\tif len(shares) >= limit {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t})\n\n\treturn shares, err\n}\n\nfunc (p *BoltProvider) dumpShares() ([]Share, error) {\n\tshares := make([]Share, 0, 30)\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getSharesBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\tcursor := bucket.Cursor()\n\t\tfor k, v := cursor.First(); k != nil; k, v = cursor.Next() {\n\t\t\tvar share Share\n\t\t\terr = json.Unmarshal(v, &share)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tshares = append(shares, share)\n\t\t}\n\t\treturn err\n\t})\n\n\treturn shares, err\n}\n\nfunc (p *BoltProvider) updateShareLastUse(shareID string, numTokens int) error {\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getSharesBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar u []byte\n\t\tif u = bucket.Get([]byte(shareID)); u == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"share %q does not exist, unable to update last use\", shareID))\n\t\t}\n\t\tvar share Share\n\t\terr = json.Unmarshal(u, &share)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tshare.LastUseAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tshare.UsedTokens += numTokens\n\t\tbuf, err := json.Marshal(share)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\terr = bucket.Put([]byte(shareID), buf)\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelWarn, \"error updating last use for share %q: %v\", shareID, err)\n\t\t\treturn err\n\t\t}\n\t\tproviderLog(logger.LevelDebug, \"last use updated for share %q\", shareID)\n\t\treturn nil\n\t})\n}\n\nfunc (p *BoltProvider) getDefenderHosts(_ int64, _ int) ([]DefenderEntry, error) {\n\treturn nil, ErrNotImplemented\n}\n\nfunc (p *BoltProvider) getDefenderHostByIP(_ string, _ int64) (DefenderEntry, error) {\n\treturn DefenderEntry{}, ErrNotImplemented\n}\n\nfunc (p *BoltProvider) isDefenderHostBanned(_ string) (DefenderEntry, error) {\n\treturn DefenderEntry{}, ErrNotImplemented\n}\n\nfunc (p *BoltProvider) updateDefenderBanTime(_ string, _ int) error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *BoltProvider) deleteDefenderHost(_ string) error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *BoltProvider) addDefenderEvent(_ string, _ int) error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *BoltProvider) setDefenderBanTime(_ string, _ int64) error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *BoltProvider) cleanupDefender(_ int64) error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *BoltProvider) addActiveTransfer(_ ActiveTransfer) error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *BoltProvider) updateActiveTransferSizes(_, _, _ int64, _ string) error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *BoltProvider) removeActiveTransfer(_ int64, _ string) error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *BoltProvider) cleanupActiveTransfers(_ time.Time) error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *BoltProvider) getActiveTransfers(_ time.Time) ([]ActiveTransfer, error) {\n\treturn nil, ErrNotImplemented\n}\n\nfunc (p *BoltProvider) addSharedSession(_ Session) error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *BoltProvider) deleteSharedSession(_ string, _ SessionType) error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *BoltProvider) getSharedSession(_ string, _ SessionType) (Session, error) {\n\treturn Session{}, ErrNotImplemented\n}\n\nfunc (p *BoltProvider) cleanupSharedSessions(_ SessionType, _ int64) error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *BoltProvider) getEventActions(limit, offset int, order string, _ bool) ([]BaseEventAction, error) {\n\tif limit <= 0 {\n\t\treturn nil, nil\n\t}\n\tactions := make([]BaseEventAction, 0, limit)\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getActionsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\titNum := 0\n\t\tcursor := bucket.Cursor()\n\t\tif order == OrderASC {\n\t\t\tfor k, v := cursor.First(); k != nil; k, v = cursor.Next() {\n\t\t\t\titNum++\n\t\t\t\tif itNum <= offset {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tvar action BaseEventAction\n\t\t\t\terr = json.Unmarshal(v, &action)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\taction.PrepareForRendering()\n\t\t\t\tactions = append(actions, action)\n\t\t\t\tif len(actions) >= limit {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t} else {\n\t\t\tfor k, v := cursor.Last(); k != nil; k, v = cursor.Prev() {\n\t\t\t\titNum++\n\t\t\t\tif itNum <= offset {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tvar action BaseEventAction\n\t\t\t\terr = json.Unmarshal(v, &action)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\taction.PrepareForRendering()\n\t\t\t\tactions = append(actions, action)\n\t\t\t\tif len(actions) >= limit {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t})\n\treturn actions, err\n}\n\nfunc (p *BoltProvider) dumpEventActions() ([]BaseEventAction, error) {\n\tactions := make([]BaseEventAction, 0, 50)\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getActionsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tcursor := bucket.Cursor()\n\t\tfor k, v := cursor.First(); k != nil; k, v = cursor.Next() {\n\t\t\tvar action BaseEventAction\n\t\t\terr = json.Unmarshal(v, &action)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tactions = append(actions, action)\n\t\t}\n\t\treturn nil\n\t})\n\treturn actions, err\n}\n\nfunc (p *BoltProvider) eventActionExists(name string) (BaseEventAction, error) {\n\tvar action BaseEventAction\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getActionsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tk := bucket.Get([]byte(name))\n\t\tif k == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"action %q does not exist\", name))\n\t\t}\n\t\treturn json.Unmarshal(k, &action)\n\t})\n\treturn action, err\n}\n\nfunc (p *BoltProvider) addEventAction(action *BaseEventAction) error {\n\terr := action.validate()\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getActionsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif a := bucket.Get([]byte(action.Name)); a != nil {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tfmt.Errorf(\"%w: event action %q already exists\", ErrDuplicatedKey, action.Name),\n\t\t\t\tutil.I18nErrorDuplicatedName,\n\t\t\t)\n\t\t}\n\t\tid, err := bucket.NextSequence()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\taction.ID = int64(id)\n\t\taction.Rules = nil\n\t\tbuf, err := json.Marshal(action)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(action.Name), buf)\n\t})\n}\n\nfunc (p *BoltProvider) updateEventAction(action *BaseEventAction) error {\n\terr := action.validate()\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getActionsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar a []byte\n\n\t\tif a = bucket.Get([]byte(action.Name)); a == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"event action %s does not exist\", action.Name))\n\t\t}\n\t\tvar oldAction BaseEventAction\n\t\terr = json.Unmarshal(a, &oldAction)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\taction.ID = oldAction.ID\n\t\taction.Name = oldAction.Name\n\t\taction.Rules = nil\n\t\tif len(oldAction.Rules) > 0 {\n\t\t\trulesBucket, err := p.getRulesBucket(tx)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tvar relatedRules []string\n\t\t\tfor _, ruleName := range oldAction.Rules {\n\t\t\t\tr := rulesBucket.Get([]byte(ruleName))\n\t\t\t\tif r != nil {\n\t\t\t\t\trelatedRules = append(relatedRules, ruleName)\n\t\t\t\t\tvar rule EventRule\n\t\t\t\t\terr := json.Unmarshal(r, &rule)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\treturn err\n\t\t\t\t\t}\n\t\t\t\t\trule.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\t\t\t\tbuf, err := json.Marshal(rule)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\treturn err\n\t\t\t\t\t}\n\t\t\t\t\tif err = rulesBucket.Put([]byte(rule.Name), buf); err != nil {\n\t\t\t\t\t\treturn err\n\t\t\t\t\t}\n\t\t\t\t\tsetLastRuleUpdate()\n\t\t\t\t}\n\t\t\t}\n\t\t\taction.Rules = relatedRules\n\t\t}\n\t\tbuf, err := json.Marshal(action)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(action.Name), buf)\n\t})\n}\n\nfunc (p *BoltProvider) deleteEventAction(action BaseEventAction) error {\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getActionsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar a []byte\n\n\t\tif a = bucket.Get([]byte(action.Name)); a == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"action %s does not exist\", action.Name))\n\t\t}\n\t\tvar oldAction BaseEventAction\n\t\terr = json.Unmarshal(a, &oldAction)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif len(oldAction.Rules) > 0 {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"action %s is referenced, it cannot be removed\", oldAction.Name))\n\t\t}\n\t\treturn bucket.Delete([]byte(action.Name))\n\t})\n}\n\nfunc (p *BoltProvider) getEventRules(limit, offset int, order string) ([]EventRule, error) {\n\tif limit <= 0 {\n\t\treturn nil, nil\n\t}\n\trules := make([]EventRule, 0, limit)\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getRulesBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tactionsBucket, err := p.getActionsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\titNum := 0\n\t\tcursor := bucket.Cursor()\n\t\tif order == OrderASC {\n\t\t\tfor k, v := cursor.First(); k != nil; k, v = cursor.Next() {\n\t\t\t\titNum++\n\t\t\t\tif itNum <= offset {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tvar rule EventRule\n\t\t\t\trule, err = p.joinRuleAndActions(v, actionsBucket)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\trule.PrepareForRendering()\n\t\t\t\trules = append(rules, rule)\n\t\t\t\tif len(rules) >= limit {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t} else {\n\t\t\tfor k, v := cursor.Last(); k != nil; k, v = cursor.Prev() {\n\t\t\t\titNum++\n\t\t\t\tif itNum <= offset {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tvar rule EventRule\n\t\t\t\trule, err = p.joinRuleAndActions(v, actionsBucket)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\trule.PrepareForRendering()\n\t\t\t\trules = append(rules, rule)\n\t\t\t\tif len(rules) >= limit {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\treturn err\n\t})\n\treturn rules, err\n}\n\nfunc (p *BoltProvider) dumpEventRules() ([]EventRule, error) {\n\trules := make([]EventRule, 0, 50)\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getRulesBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tactionsBucket, err := p.getActionsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tcursor := bucket.Cursor()\n\t\tfor k, v := cursor.First(); k != nil; k, v = cursor.Next() {\n\t\t\trule, err := p.joinRuleAndActions(v, actionsBucket)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\trules = append(rules, rule)\n\t\t}\n\t\treturn nil\n\t})\n\treturn rules, err\n}\n\nfunc (p *BoltProvider) getRecentlyUpdatedRules(after int64) ([]EventRule, error) {\n\tif getLastRuleUpdate() < after {\n\t\treturn nil, nil\n\t}\n\trules := make([]EventRule, 0, 10)\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getRulesBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tactionsBucket, err := p.getActionsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tcursor := bucket.Cursor()\n\t\tfor k, v := cursor.First(); k != nil; k, v = cursor.Next() {\n\t\t\tvar rule EventRule\n\t\t\terr := json.Unmarshal(v, &rule)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tif rule.UpdatedAt < after {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tvar actions []EventAction\n\t\t\tfor idx := range rule.Actions {\n\t\t\t\taction := &rule.Actions[idx]\n\t\t\t\tvar baseAction BaseEventAction\n\t\t\t\tk := actionsBucket.Get([]byte(action.Name))\n\t\t\t\tif k == nil {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\terr = json.Unmarshal(k, &baseAction)\n\t\t\t\tif err != nil {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tbaseAction.Options.SetEmptySecretsIfNil()\n\t\t\t\taction.BaseEventAction = baseAction\n\t\t\t\tactions = append(actions, *action)\n\t\t\t}\n\t\t\trule.Actions = actions\n\t\t\trules = append(rules, rule)\n\t\t}\n\t\treturn nil\n\t})\n\treturn rules, err\n}\n\nfunc (p *BoltProvider) eventRuleExists(name string) (EventRule, error) {\n\tvar rule EventRule\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getRulesBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tr := bucket.Get([]byte(name))\n\t\tif r == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"event rule %q does not exist\", name))\n\t\t}\n\t\tactionsBucket, err := p.getActionsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trule, err = p.joinRuleAndActions(r, actionsBucket)\n\t\treturn err\n\t})\n\treturn rule, err\n}\n\nfunc (p *BoltProvider) addEventRule(rule *EventRule) error {\n\tif err := rule.validate(); err != nil {\n\t\treturn err\n\t}\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getRulesBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tactionsBucket, err := p.getActionsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif r := bucket.Get([]byte(rule.Name)); r != nil {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tfmt.Errorf(\"%w: event rule %q already exists\", ErrDuplicatedKey, rule.Name),\n\t\t\t\tutil.I18nErrorDuplicatedName,\n\t\t\t)\n\t\t}\n\t\tid, err := bucket.NextSequence()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trule.ID = int64(id)\n\t\trule.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\trule.UpdatedAt = rule.CreatedAt\n\t\tfor idx := range rule.Actions {\n\t\t\tif err = p.addRuleToActionMapping(rule.Name, rule.Actions[idx].Name, actionsBucket); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\tsort.Slice(rule.Actions, func(i, j int) bool {\n\t\t\treturn rule.Actions[i].Order < rule.Actions[j].Order\n\t\t})\n\t\tbuf, err := json.Marshal(rule)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\terr = bucket.Put([]byte(rule.Name), buf)\n\t\tif err == nil {\n\t\t\tsetLastRuleUpdate()\n\t\t}\n\t\treturn err\n\t})\n}\n\nfunc (p *BoltProvider) updateEventRule(rule *EventRule) error {\n\tif err := rule.validate(); err != nil {\n\t\treturn err\n\t}\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getRulesBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tactionsBucket, err := p.getActionsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar r []byte\n\t\tif r = bucket.Get([]byte(rule.Name)); r == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"event rule %q does not exist\", rule.Name))\n\t\t}\n\t\tvar oldRule EventRule\n\t\tif err = json.Unmarshal(r, &oldRule); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfor idx := range oldRule.Actions {\n\t\t\tif err = p.removeRuleFromActionMapping(rule.Name, oldRule.Actions[idx].Name, actionsBucket); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\tfor idx := range rule.Actions {\n\t\t\tif err = p.addRuleToActionMapping(rule.Name, rule.Actions[idx].Name, actionsBucket); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\trule.ID = oldRule.ID\n\t\trule.CreatedAt = oldRule.CreatedAt\n\t\trule.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tbuf, err := json.Marshal(rule)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tsort.Slice(rule.Actions, func(i, j int) bool {\n\t\t\treturn rule.Actions[i].Order < rule.Actions[j].Order\n\t\t})\n\t\terr = bucket.Put([]byte(rule.Name), buf)\n\t\tif err == nil {\n\t\t\tsetLastRuleUpdate()\n\t\t}\n\t\treturn err\n\t})\n}\n\nfunc (p *BoltProvider) deleteEventRule(rule EventRule, _ bool) error {\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getRulesBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar r []byte\n\t\tif r = bucket.Get([]byte(rule.Name)); r == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"event rule %q does not exist\", rule.Name))\n\t\t}\n\t\tvar oldRule EventRule\n\t\tif err = json.Unmarshal(r, &oldRule); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif len(oldRule.Actions) > 0 {\n\t\t\tactionsBucket, err := p.getActionsBucket(tx)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tfor idx := range oldRule.Actions {\n\t\t\t\tif err = p.removeRuleFromActionMapping(rule.Name, oldRule.Actions[idx].Name, actionsBucket); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\treturn bucket.Delete([]byte(rule.Name))\n\t})\n}\n\nfunc (*BoltProvider) getTaskByName(_ string) (Task, error) {\n\treturn Task{}, ErrNotImplemented\n}\n\nfunc (*BoltProvider) addTask(_ string) error {\n\treturn ErrNotImplemented\n}\n\nfunc (*BoltProvider) updateTask(_ string, _ int64) error {\n\treturn ErrNotImplemented\n}\n\nfunc (*BoltProvider) updateTaskTimestamp(_ string) error {\n\treturn ErrNotImplemented\n}\n\nfunc (*BoltProvider) addNode() error {\n\treturn ErrNotImplemented\n}\n\nfunc (*BoltProvider) getNodeByName(_ string) (Node, error) {\n\treturn Node{}, ErrNotImplemented\n}\n\nfunc (*BoltProvider) getNodes() ([]Node, error) {\n\treturn nil, ErrNotImplemented\n}\n\nfunc (*BoltProvider) updateNodeTimestamp() error {\n\treturn ErrNotImplemented\n}\n\nfunc (*BoltProvider) cleanupNodes() error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *BoltProvider) roleExists(name string) (Role, error) {\n\tvar role Role\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getRolesBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tr := bucket.Get([]byte(name))\n\t\tif r == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"role %q does not exist\", name))\n\t\t}\n\t\treturn json.Unmarshal(r, &role)\n\t})\n\treturn role, err\n}\n\nfunc (p *BoltProvider) addRole(role *Role) error {\n\tif err := role.validate(); err != nil {\n\t\treturn err\n\t}\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getRolesBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif r := bucket.Get([]byte(role.Name)); r != nil {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tfmt.Errorf(\"%w: role %q already exists\", ErrDuplicatedKey, role.Name),\n\t\t\t\tutil.I18nErrorDuplicatedName,\n\t\t\t)\n\t\t}\n\t\tid, err := bucket.NextSequence()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trole.ID = int64(id)\n\t\trole.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\trole.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\trole.Users = nil\n\t\trole.Admins = nil\n\t\tbuf, err := json.Marshal(role)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(role.Name), buf)\n\t})\n}\n\nfunc (p *BoltProvider) updateRole(role *Role) error {\n\tif err := role.validate(); err != nil {\n\t\treturn err\n\t}\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getRolesBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar r []byte\n\t\tif r = bucket.Get([]byte(role.Name)); r == nil {\n\t\t\treturn fmt.Errorf(\"role %q does not exist\", role.Name)\n\t\t}\n\t\tvar oldRole Role\n\t\terr = json.Unmarshal(r, &oldRole)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trole.ID = oldRole.ID\n\t\trole.CreatedAt = oldRole.CreatedAt\n\t\trole.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\trole.Users = oldRole.Users\n\t\trole.Admins = oldRole.Admins\n\t\tbuf, err := json.Marshal(role)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(role.Name), buf)\n\t})\n}\n\nfunc (p *BoltProvider) deleteRole(role Role) error {\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getRolesBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar r []byte\n\t\tif r = bucket.Get([]byte(role.Name)); r == nil {\n\t\t\treturn fmt.Errorf(\"role %q does not exist\", role.Name)\n\t\t}\n\t\tvar oldRole Role\n\t\terr = json.Unmarshal(r, &oldRole)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif len(oldRole.Admins) > 0 {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"the role %q is referenced, it cannot be removed\", oldRole.Name))\n\t\t}\n\t\tif len(oldRole.Users) > 0 {\n\t\t\tbucket, err := p.getUsersBucket(tx)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tfor _, username := range oldRole.Users {\n\t\t\t\tif err := p.removeRoleFromUser(username, oldRole.Name, bucket); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\treturn bucket.Delete([]byte(role.Name))\n\t})\n}\n\nfunc (p *BoltProvider) getRoles(limit int, offset int, order string, _ bool) ([]Role, error) {\n\troles := make([]Role, 0, limit)\n\tif limit <= 0 {\n\t\treturn roles, nil\n\t}\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getRolesBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tcursor := bucket.Cursor()\n\t\titNum := 0\n\t\tif order == OrderASC {\n\t\t\tfor k, v := cursor.First(); k != nil; k, v = cursor.Next() {\n\t\t\t\titNum++\n\t\t\t\tif itNum <= offset {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tvar role Role\n\t\t\t\terr = json.Unmarshal(v, &role)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\troles = append(roles, role)\n\t\t\t\tif len(roles) >= limit {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t} else {\n\t\t\tfor k, v := cursor.Last(); k != nil; k, v = cursor.Prev() {\n\t\t\t\titNum++\n\t\t\t\tif itNum <= offset {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tvar role Role\n\t\t\t\terr = json.Unmarshal(v, &role)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\troles = append(roles, role)\n\t\t\t\tif len(roles) >= limit {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t})\n\treturn roles, err\n}\n\nfunc (p *BoltProvider) dumpRoles() ([]Role, error) {\n\troles := make([]Role, 0, 10)\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getRolesBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tcursor := bucket.Cursor()\n\t\tfor k, v := cursor.First(); k != nil; k, v = cursor.Next() {\n\t\t\tvar role Role\n\t\t\terr = json.Unmarshal(v, &role)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\troles = append(roles, role)\n\t\t}\n\t\treturn err\n\t})\n\treturn roles, err\n}\n\nfunc (p *BoltProvider) ipListEntryExists(ipOrNet string, listType IPListType) (IPListEntry, error) {\n\tentry := IPListEntry{\n\t\tIPOrNet: ipOrNet,\n\t\tType: listType,\n\t}\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getIPListsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\te := bucket.Get([]byte(entry.getKey()))\n\t\tif e == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"entry %q does not exist\", entry.IPOrNet))\n\t\t}\n\t\terr = json.Unmarshal(e, &entry)\n\t\tif err == nil {\n\t\t\tentry.PrepareForRendering()\n\t\t}\n\t\treturn err\n\t})\n\treturn entry, err\n}\n\nfunc (p *BoltProvider) addIPListEntry(entry *IPListEntry) error {\n\tif err := entry.validate(); err != nil {\n\t\treturn err\n\t}\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getIPListsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif e := bucket.Get([]byte(entry.getKey())); e != nil {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tfmt.Errorf(\"%w: entry %q already exists\", ErrDuplicatedKey, entry.IPOrNet),\n\t\t\t\tutil.I18nErrorDuplicatedIPNet,\n\t\t\t)\n\t\t}\n\t\tentry.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tentry.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tbuf, err := json.Marshal(entry)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(entry.getKey()), buf)\n\t})\n}\n\nfunc (p *BoltProvider) updateIPListEntry(entry *IPListEntry) error {\n\tif err := entry.validate(); err != nil {\n\t\treturn err\n\t}\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getIPListsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar e []byte\n\t\tif e = bucket.Get([]byte(entry.getKey())); e == nil {\n\t\t\treturn fmt.Errorf(\"entry %q does not exist\", entry.IPOrNet)\n\t\t}\n\t\tvar oldEntry IPListEntry\n\t\terr = json.Unmarshal(e, &oldEntry)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tentry.CreatedAt = oldEntry.CreatedAt\n\t\tentry.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tbuf, err := json.Marshal(entry)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(entry.getKey()), buf)\n\t})\n}\n\nfunc (p *BoltProvider) deleteIPListEntry(entry IPListEntry, _ bool) error {\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getIPListsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif e := bucket.Get([]byte(entry.getKey())); e == nil {\n\t\t\treturn fmt.Errorf(\"entry %q does not exist\", entry.IPOrNet)\n\t\t}\n\t\treturn bucket.Delete([]byte(entry.getKey()))\n\t})\n}\n\nfunc (p *BoltProvider) getIPListEntries(listType IPListType, filter, from, order string, limit int) ([]IPListEntry, error) {\n\tentries := make([]IPListEntry, 0, 15)\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getIPListsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tprefix := []byte(fmt.Sprintf(\"%d_\", listType))\n\t\tacceptKey := func(k []byte) bool {\n\t\t\treturn k != nil && bytes.HasPrefix(k, prefix)\n\t\t}\n\t\tcursor := bucket.Cursor()\n\t\tif order == OrderASC {\n\t\t\tfor k, v := cursor.Seek(prefix); acceptKey(k); k, v = cursor.Next() {\n\t\t\t\tvar entry IPListEntry\n\t\t\t\terr = json.Unmarshal(v, &entry)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tif entry.satisfySearchConstraints(filter, from, order) {\n\t\t\t\t\tentry.PrepareForRendering()\n\t\t\t\t\tentries = append(entries, entry)\n\t\t\t\t\tif limit > 0 && len(entries) >= limit {\n\t\t\t\t\t\tbreak\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t} else {\n\t\t\tfor k, v := cursor.Last(); acceptKey(k); k, v = cursor.Prev() {\n\t\t\t\tvar entry IPListEntry\n\t\t\t\terr = json.Unmarshal(v, &entry)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tif entry.satisfySearchConstraints(filter, from, order) {\n\t\t\t\t\tentry.PrepareForRendering()\n\t\t\t\t\tentries = append(entries, entry)\n\t\t\t\t\tif limit > 0 && len(entries) >= limit {\n\t\t\t\t\t\tbreak\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t})\n\treturn entries, err\n}\n\nfunc (p *BoltProvider) getRecentlyUpdatedIPListEntries(_ int64) ([]IPListEntry, error) {\n\treturn nil, ErrNotImplemented\n}\n\nfunc (p *BoltProvider) dumpIPListEntries() ([]IPListEntry, error) {\n\tentries := make([]IPListEntry, 0, 10)\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getIPListsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif count := bucket.Stats().KeyN; count > ipListMemoryLimit {\n\t\t\tproviderLog(logger.LevelInfo, \"IP lists excluded from dump, too many entries: %d\", count)\n\t\t\treturn nil\n\t\t}\n\t\tcursor := bucket.Cursor()\n\t\tfor k, v := cursor.First(); k != nil; k, v = cursor.Next() {\n\t\t\tvar entry IPListEntry\n\t\t\terr = json.Unmarshal(v, &entry)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tentry.PrepareForRendering()\n\t\t\tentries = append(entries, entry)\n\t\t}\n\t\treturn nil\n\t})\n\treturn entries, err\n}\n\nfunc (p *BoltProvider) countIPListEntries(listType IPListType) (int64, error) {\n\tvar count int64\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getIPListsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif listType == 0 {\n\t\t\tcount = int64(bucket.Stats().KeyN)\n\t\t\treturn nil\n\t\t}\n\t\tprefix := []byte(fmt.Sprintf(\"%d_\", listType))\n\t\tcursor := bucket.Cursor()\n\t\tfor k, _ := cursor.Seek(prefix); k != nil && bytes.HasPrefix(k, prefix); k, _ = cursor.Next() {\n\t\t\tcount++\n\t\t}\n\t\treturn nil\n\t})\n\treturn count, err\n}\n\nfunc (p *BoltProvider) getListEntriesForIP(ip string, listType IPListType) ([]IPListEntry, error) {\n\tentries := make([]IPListEntry, 0, 3)\n\tipAddr, err := netip.ParseAddr(ip)\n\tif err != nil {\n\t\treturn entries, fmt.Errorf(\"invalid ip address %s\", ip)\n\t}\n\tvar netType int\n\tvar ipBytes []byte\n\tif ipAddr.Is4() || ipAddr.Is4In6() {\n\t\tnetType = ipTypeV4\n\t\tas4 := ipAddr.As4()\n\t\tipBytes = as4[:]\n\t} else {\n\t\tnetType = ipTypeV6\n\t\tas16 := ipAddr.As16()\n\t\tipBytes = as16[:]\n\t}\n\terr = p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getIPListsBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tprefix := []byte(fmt.Sprintf(\"%d_\", listType))\n\t\tcursor := bucket.Cursor()\n\t\tfor k, v := cursor.Seek(prefix); k != nil && bytes.HasPrefix(k, prefix); k, v = cursor.Next() {\n\t\t\tvar entry IPListEntry\n\t\t\terr = json.Unmarshal(v, &entry)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tif entry.IPType == netType && bytes.Compare(ipBytes, entry.First) >= 0 && bytes.Compare(ipBytes, entry.Last) <= 0 {\n\t\t\t\tentry.PrepareForRendering()\n\t\t\t\tentries = append(entries, entry)\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t})\n\treturn entries, err\n}\n\nfunc (p *BoltProvider) getConfigs() (Configs, error) {\n\tvar configs Configs\n\terr := p.dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket := tx.Bucket(configsBucket)\n\t\tif bucket == nil {\n\t\t\treturn fmt.Errorf(\"unable to find configs bucket\")\n\t\t}\n\t\tdata := bucket.Get(configsKey)\n\t\tif data != nil {\n\t\t\treturn json.Unmarshal(data, &configs)\n\t\t}\n\t\treturn nil\n\t})\n\treturn configs, err\n}\n\nfunc (p *BoltProvider) setConfigs(configs *Configs) error {\n\tif err := configs.validate(); err != nil {\n\t\treturn err\n\t}\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket := tx.Bucket(configsBucket)\n\t\tif bucket == nil {\n\t\t\treturn fmt.Errorf(\"unable to find configs bucket\")\n\t\t}\n\t\tbuf, err := json.Marshal(configs)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put(configsKey, buf)\n\t})\n}\n\nfunc (p *BoltProvider) setFirstDownloadTimestamp(username string) error {\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getUsersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar u []byte\n\t\tif u = bucket.Get([]byte(username)); u == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"username %q does not exist, unable to set download timestamp\",\n\t\t\t\tusername))\n\t\t}\n\t\tvar user User\n\t\terr = json.Unmarshal(u, &user)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif user.FirstDownload > 0 {\n\t\t\treturn util.NewGenericError(fmt.Sprintf(\"first download already set to %v\",\n\t\t\t\tutil.GetTimeFromMsecSinceEpoch(user.FirstDownload)))\n\t\t}\n\t\tuser.FirstDownload = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tbuf, err := json.Marshal(user)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(username), buf)\n\t})\n}\n\nfunc (p *BoltProvider) setFirstUploadTimestamp(username string) error {\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket, err := p.getUsersBucket(tx)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar u []byte\n\t\tif u = bucket.Get([]byte(username)); u == nil {\n\t\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"username %q does not exist, unable to set upload timestamp\",\n\t\t\t\tusername))\n\t\t}\n\t\tvar user User\n\t\tif err = json.Unmarshal(u, &user); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif user.FirstUpload > 0 {\n\t\t\treturn util.NewGenericError(fmt.Sprintf(\"first upload already set to %v\",\n\t\t\t\tutil.GetTimeFromMsecSinceEpoch(user.FirstUpload)))\n\t\t}\n\t\tuser.FirstUpload = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tbuf, err := json.Marshal(user)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(username), buf)\n\t})\n}\n\nfunc (p *BoltProvider) close() error {\n\treturn p.dbHandle.Close()\n}\n\nfunc (p *BoltProvider) reloadConfig() error {\n\treturn nil\n}\n\n// initializeDatabase does nothing, no initilization is needed for bolt provider\nfunc (p *BoltProvider) initializeDatabase() error {\n\treturn ErrNoInitRequired\n}\n\nfunc (p *BoltProvider) migrateDatabase() error {\n\tdbVersion, err := getBoltDatabaseVersion(p.dbHandle)\n\tif err != nil {\n\t\treturn err\n\t}\n\tswitch version := dbVersion.Version; {\n\tcase version == boltDatabaseVersion:\n\t\tproviderLog(logger.LevelDebug, \"bolt database is up to date, current version: %d\", version)\n\t\treturn ErrNoInitRequired\n\tcase version < 33:\n\t\terr = errSchemaVersionTooOld(version)\n\t\tproviderLog(logger.LevelError, \"%v\", err)\n\t\tlogger.ErrorToConsole(\"%v\", err)\n\t\treturn err\n\tcase version == 33:\n\t\tlogger.InfoToConsole(\"updating database schema version: %d -> 34\", version)\n\t\tproviderLog(logger.LevelInfo, \"updating database schema version: %d -> 34\", version)\n\t\treturn updateBoltDatabaseVersion(p.dbHandle, 34)\n\n\tdefault:\n\t\tif version > boltDatabaseVersion {\n\t\t\tproviderLog(logger.LevelError, \"database schema version %d is newer than the supported one: %d\", version,\n\t\t\t\tboltDatabaseVersion)\n\t\t\tlogger.WarnToConsole(\"database schema version %d is newer than the supported one: %d\", version,\n\t\t\t\tboltDatabaseVersion)\n\t\t\treturn nil\n\t\t}\n\t\treturn fmt.Errorf(\"database schema version not handled: %d\", version)\n\t}\n}\n\nfunc (p *BoltProvider) revertDatabase(targetVersion int) error {\n\tdbVersion, err := getBoltDatabaseVersion(p.dbHandle)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif dbVersion.Version == targetVersion {\n\t\treturn errors.New(\"current version match target version, nothing to do\")\n\t}\n\tswitch dbVersion.Version {\n\tcase 34:\n\t\tlogger.InfoToConsole(\"downgrading database schema version: %d -> 33\", dbVersion.Version)\n\t\tproviderLog(logger.LevelInfo, \"downgrading database schema version: %d -> 33\", dbVersion.Version)\n\t\treturn updateBoltDatabaseVersion(p.dbHandle, 33)\n\n\tdefault:\n\t\treturn fmt.Errorf(\"database schema version not handled: %v\", dbVersion.Version)\n\t}\n}\n\nfunc (p *BoltProvider) resetDatabase() error {\n\treturn p.dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tfor _, bucketName := range boltBuckets {\n\t\t\terr := tx.DeleteBucket(bucketName)\n\t\t\tif err != nil && !errors.Is(err, bolterrors.ErrBucketNotFound) {\n\t\t\t\treturn fmt.Errorf(\"unable to remove bucket %v: %w\", bucketName, err)\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t})\n}\n\nfunc (p *BoltProvider) joinRuleAndActions(r []byte, actionsBucket *bolt.Bucket) (EventRule, error) {\n\tvar rule EventRule\n\terr := json.Unmarshal(r, &rule)\n\tif err != nil {\n\t\treturn rule, err\n\t}\n\tvar actions []EventAction\n\tfor idx := range rule.Actions {\n\t\taction := &rule.Actions[idx]\n\t\tvar baseAction BaseEventAction\n\t\tk := actionsBucket.Get([]byte(action.Name))\n\t\tif k == nil {\n\t\t\tcontinue\n\t\t}\n\t\terr = json.Unmarshal(k, &baseAction)\n\t\tif err != nil {\n\t\t\tcontinue\n\t\t}\n\t\tbaseAction.Options.SetEmptySecretsIfNil()\n\t\taction.BaseEventAction = baseAction\n\t\tactions = append(actions, *action)\n\t}\n\trule.Actions = actions\n\treturn rule, nil\n}\n\nfunc (p *BoltProvider) joinGroupAndFolders(g []byte, foldersBucket *bolt.Bucket) (Group, error) {\n\tvar group Group\n\terr := json.Unmarshal(g, &group)\n\tif err != nil {\n\t\treturn group, err\n\t}\n\tif len(group.VirtualFolders) > 0 {\n\t\tvar folders []vfs.VirtualFolder\n\t\tfor idx := range group.VirtualFolders {\n\t\t\tfolder := &group.VirtualFolders[idx]\n\t\t\tbaseFolder, err := p.folderExistsInternal(folder.Name, foldersBucket)\n\t\t\tif err != nil {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tfolder.BaseVirtualFolder = baseFolder\n\t\t\tfolders = append(folders, *folder)\n\t\t}\n\t\tgroup.VirtualFolders = folders\n\t}\n\tgroup.SetEmptySecretsIfNil()\n\treturn group, err\n}\n\nfunc (p *BoltProvider) joinUserAndFolders(u []byte, foldersBucket *bolt.Bucket) (User, error) {\n\tvar user User\n\terr := json.Unmarshal(u, &user)\n\tif err != nil {\n\t\treturn user, err\n\t}\n\tif len(user.VirtualFolders) > 0 {\n\t\tvar folders []vfs.VirtualFolder\n\t\tfor idx := range user.VirtualFolders {\n\t\t\tfolder := &user.VirtualFolders[idx]\n\t\t\tbaseFolder, err := p.folderExistsInternal(folder.Name, foldersBucket)\n\t\t\tif err != nil {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tfolder.BaseVirtualFolder = baseFolder\n\t\t\tfolders = append(folders, *folder)\n\t\t}\n\t\tuser.VirtualFolders = folders\n\t}\n\tuser.SetEmptySecretsIfNil()\n\treturn user, err\n}\n\nfunc (p *BoltProvider) groupExistsInternal(name string, bucket *bolt.Bucket) (Group, error) {\n\tvar group Group\n\tg := bucket.Get([]byte(name))\n\tif g == nil {\n\t\terr := util.NewRecordNotFoundError(fmt.Sprintf(\"group %q does not exist\", name))\n\t\treturn group, err\n\t}\n\terr := json.Unmarshal(g, &group)\n\treturn group, err\n}\n\nfunc (p *BoltProvider) folderExistsInternal(name string, bucket *bolt.Bucket) (vfs.BaseVirtualFolder, error) {\n\tvar folder vfs.BaseVirtualFolder\n\tf := bucket.Get([]byte(name))\n\tif f == nil {\n\t\terr := util.NewRecordNotFoundError(fmt.Sprintf(\"folder %q does not exist\", name))\n\t\treturn folder, err\n\t}\n\terr := json.Unmarshal(f, &folder)\n\treturn folder, err\n}\n\nfunc (p *BoltProvider) addFolderInternal(folder vfs.BaseVirtualFolder, bucket *bolt.Bucket) error {\n\tid, err := bucket.NextSequence()\n\tif err != nil {\n\t\treturn err\n\t}\n\tfolder.ID = int64(id)\n\tbuf, err := json.Marshal(folder)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn bucket.Put([]byte(folder.Name), buf)\n}\n\nfunc (p *BoltProvider) removeRoleFromUser(username, role string, bucket *bolt.Bucket) error {\n\tu := bucket.Get([]byte(username))\n\tif u == nil {\n\t\tproviderLog(logger.LevelWarn, \"user %q does not exist, cannot remove role %q\", username, role)\n\t\treturn nil\n\t}\n\tvar user User\n\terr := json.Unmarshal(u, &user)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif user.Role == role {\n\t\tuser.Role = \"\"\n\t\tbuf, err := json.Marshal(user)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(user.Username), buf)\n\t}\n\tproviderLog(logger.LevelError, \"user %q does not have the expected role %q, actual %q\", username, role, user.Role)\n\treturn nil\n}\n\nfunc (p *BoltProvider) addAdminToRole(username, roleName string, bucket *bolt.Bucket) error {\n\tif roleName == \"\" {\n\t\treturn nil\n\t}\n\tr := bucket.Get([]byte(roleName))\n\tif r == nil {\n\t\treturn fmt.Errorf(\"%w: role %q does not exist\", ErrForeignKeyViolated, roleName)\n\t}\n\tvar role Role\n\terr := json.Unmarshal(r, &role)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif !slices.Contains(role.Admins, username) {\n\t\trole.Admins = append(role.Admins, username)\n\t\tbuf, err := json.Marshal(role)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(role.Name), buf)\n\t}\n\treturn nil\n}\n\nfunc (p *BoltProvider) removeAdminFromRole(username, roleName string, bucket *bolt.Bucket) error {\n\tif roleName == \"\" {\n\t\treturn nil\n\t}\n\tr := bucket.Get([]byte(roleName))\n\tif r == nil {\n\t\tproviderLog(logger.LevelWarn, \"role %q does not exist, cannot remove admin %q\", roleName, username)\n\t\treturn nil\n\t}\n\tvar role Role\n\terr := json.Unmarshal(r, &role)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif slices.Contains(role.Admins, username) {\n\t\tvar admins []string\n\t\tfor _, admin := range role.Admins {\n\t\t\tif admin != username {\n\t\t\t\tadmins = append(admins, admin)\n\t\t\t}\n\t\t}\n\t\trole.Admins = util.RemoveDuplicates(admins, false)\n\t\tbuf, err := json.Marshal(role)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(role.Name), buf)\n\t}\n\treturn nil\n}\n\nfunc (p *BoltProvider) addUserToRole(username, roleName string, bucket *bolt.Bucket) error {\n\tif roleName == \"\" {\n\t\treturn nil\n\t}\n\tr := bucket.Get([]byte(roleName))\n\tif r == nil {\n\t\treturn fmt.Errorf(\"%w: role %q does not exist\", ErrForeignKeyViolated, roleName)\n\t}\n\tvar role Role\n\terr := json.Unmarshal(r, &role)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif !slices.Contains(role.Users, username) {\n\t\trole.Users = append(role.Users, username)\n\t\tbuf, err := json.Marshal(role)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(role.Name), buf)\n\t}\n\treturn nil\n}\n\nfunc (p *BoltProvider) removeUserFromRole(username, roleName string, bucket *bolt.Bucket) error {\n\tif roleName == \"\" {\n\t\treturn nil\n\t}\n\tr := bucket.Get([]byte(roleName))\n\tif r == nil {\n\t\tproviderLog(logger.LevelWarn, \"role %q does not exist, cannot remove admin %q\", roleName, username)\n\t\treturn nil\n\t}\n\tvar role Role\n\terr := json.Unmarshal(r, &role)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif slices.Contains(role.Users, username) {\n\t\tvar users []string\n\t\tfor _, user := range role.Users {\n\t\t\tif user != username {\n\t\t\t\tusers = append(users, user)\n\t\t\t}\n\t\t}\n\t\tusers = util.RemoveDuplicates(users, false)\n\t\trole.Users = users\n\t\tbuf, err := json.Marshal(role)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(role.Name), buf)\n\t}\n\treturn nil\n}\n\nfunc (p *BoltProvider) addRuleToActionMapping(ruleName, actionName string, bucket *bolt.Bucket) error {\n\ta := bucket.Get([]byte(actionName))\n\tif a == nil {\n\t\treturn util.NewGenericError(fmt.Sprintf(\"action %q does not exist\", actionName))\n\t}\n\tvar action BaseEventAction\n\terr := json.Unmarshal(a, &action)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif !slices.Contains(action.Rules, ruleName) {\n\t\taction.Rules = append(action.Rules, ruleName)\n\t\tbuf, err := json.Marshal(action)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(action.Name), buf)\n\t}\n\treturn nil\n}\n\nfunc (p *BoltProvider) removeRuleFromActionMapping(ruleName, actionName string, bucket *bolt.Bucket) error {\n\ta := bucket.Get([]byte(actionName))\n\tif a == nil {\n\t\tproviderLog(logger.LevelWarn, \"action %q does not exist, cannot remove from mapping\", actionName)\n\t\treturn nil\n\t}\n\tvar action BaseEventAction\n\terr := json.Unmarshal(a, &action)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif slices.Contains(action.Rules, ruleName) {\n\t\tvar rules []string\n\t\tfor _, r := range action.Rules {\n\t\t\tif r != ruleName {\n\t\t\t\trules = append(rules, r)\n\t\t\t}\n\t\t}\n\t\taction.Rules = util.RemoveDuplicates(rules, false)\n\t\tbuf, err := json.Marshal(action)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(action.Name), buf)\n\t}\n\treturn nil\n}\n\nfunc (p *BoltProvider) addUserToGroupMapping(username, groupname string, bucket *bolt.Bucket) error {\n\tg := bucket.Get([]byte(groupname))\n\tif g == nil {\n\t\treturn util.NewGenericError(fmt.Sprintf(\"group %q does not exist\", groupname))\n\t}\n\tvar group Group\n\terr := json.Unmarshal(g, &group)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif !slices.Contains(group.Users, username) {\n\t\tgroup.Users = append(group.Users, username)\n\t\tbuf, err := json.Marshal(group)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(group.Name), buf)\n\t}\n\treturn nil\n}\n\nfunc (p *BoltProvider) removeUserFromGroupMapping(username, groupname string, bucket *bolt.Bucket) error {\n\tg := bucket.Get([]byte(groupname))\n\tif g == nil {\n\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"group %q does not exist\", groupname))\n\t}\n\tvar group Group\n\terr := json.Unmarshal(g, &group)\n\tif err != nil {\n\t\treturn err\n\t}\n\tvar users []string\n\tfor _, u := range group.Users {\n\t\tif u != username {\n\t\t\tusers = append(users, u)\n\t\t}\n\t}\n\tgroup.Users = util.RemoveDuplicates(users, false)\n\tbuf, err := json.Marshal(group)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn bucket.Put([]byte(group.Name), buf)\n}\n\nfunc (p *BoltProvider) addAdminToGroupMapping(username, groupname string, bucket *bolt.Bucket) error {\n\tg := bucket.Get([]byte(groupname))\n\tif g == nil {\n\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"group %q does not exist\", groupname))\n\t}\n\tvar group Group\n\terr := json.Unmarshal(g, &group)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif !slices.Contains(group.Admins, username) {\n\t\tgroup.Admins = append(group.Admins, username)\n\t\tbuf, err := json.Marshal(group)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put([]byte(group.Name), buf)\n\t}\n\treturn nil\n}\n\nfunc (p *BoltProvider) removeAdminFromGroupMapping(username, groupname string, bucket *bolt.Bucket) error {\n\tg := bucket.Get([]byte(groupname))\n\tif g == nil {\n\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"group %q does not exist\", groupname))\n\t}\n\tvar group Group\n\terr := json.Unmarshal(g, &group)\n\tif err != nil {\n\t\treturn err\n\t}\n\tvar admins []string\n\tfor _, a := range group.Admins {\n\t\tif a != username {\n\t\t\tadmins = append(admins, a)\n\t\t}\n\t}\n\tgroup.Admins = util.RemoveDuplicates(admins, false)\n\tbuf, err := json.Marshal(group)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn bucket.Put([]byte(group.Name), buf)\n}\n\nfunc (p *BoltProvider) removeGroupFromAdminMapping(groupName, adminName string, bucket *bolt.Bucket) error {\n\tvar a []byte\n\tif a = bucket.Get([]byte(adminName)); a == nil {\n\t\t// the admin does not exist so there is no associated group\n\t\treturn nil\n\t}\n\tvar admin Admin\n\terr := json.Unmarshal(a, &admin)\n\tif err != nil {\n\t\treturn err\n\t}\n\tvar newGroups []AdminGroupMapping\n\tfor _, g := range admin.Groups {\n\t\tif g.Name != groupName {\n\t\t\tnewGroups = append(newGroups, g)\n\t\t}\n\t}\n\tadmin.Groups = newGroups\n\tbuf, err := json.Marshal(admin)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn bucket.Put([]byte(adminName), buf)\n}\n\nfunc (p *BoltProvider) addRelationToFolderMapping(folderName string, user *User, group *Group, bucket *bolt.Bucket) error {\n\tf := bucket.Get([]byte(folderName))\n\tif f == nil {\n\t\treturn util.NewGenericError(fmt.Sprintf(\"folder %q does not exist\", folderName))\n\t}\n\tvar folder vfs.BaseVirtualFolder\n\terr := json.Unmarshal(f, &folder)\n\tif err != nil {\n\t\treturn err\n\t}\n\tupdated := false\n\tif user != nil && !slices.Contains(folder.Users, user.Username) {\n\t\tfolder.Users = append(folder.Users, user.Username)\n\t\tupdated = true\n\t}\n\tif group != nil && !slices.Contains(folder.Groups, group.Name) {\n\t\tfolder.Groups = append(folder.Groups, group.Name)\n\t\tupdated = true\n\t}\n\tif !updated {\n\t\treturn nil\n\t}\n\tbuf, err := json.Marshal(folder)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn bucket.Put([]byte(folder.Name), buf)\n}\n\nfunc (p *BoltProvider) removeRelationFromFolderMapping(folder vfs.VirtualFolder, username, groupname string,\n\tbucket *bolt.Bucket,\n) error {\n\tvar f []byte\n\tif f = bucket.Get([]byte(folder.Name)); f == nil {\n\t\t// the folder does not exist so there is no associated user/group\n\t\treturn nil\n\t}\n\tvar baseFolder vfs.BaseVirtualFolder\n\terr := json.Unmarshal(f, &baseFolder)\n\tif err != nil {\n\t\treturn err\n\t}\n\tfound := false\n\tif username != \"\" {\n\t\tfound = true\n\t\tvar newUserMapping []string\n\t\tfor _, u := range baseFolder.Users {\n\t\t\tif u != username {\n\t\t\t\tnewUserMapping = append(newUserMapping, u)\n\t\t\t}\n\t\t}\n\t\tbaseFolder.Users = newUserMapping\n\t}\n\tif groupname != \"\" {\n\t\tfound = true\n\t\tvar newGroupMapping []string\n\t\tfor _, g := range baseFolder.Groups {\n\t\t\tif g != groupname {\n\t\t\t\tnewGroupMapping = append(newGroupMapping, g)\n\t\t\t}\n\t\t}\n\t\tbaseFolder.Groups = newGroupMapping\n\t}\n\tif !found {\n\t\treturn nil\n\t}\n\tbuf, err := json.Marshal(baseFolder)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn bucket.Put([]byte(folder.Name), buf)\n}\n\nfunc (p *BoltProvider) updateUserRelations(tx *bolt.Tx, user *User, oldUser User) error {\n\tfoldersBucket, err := p.getFoldersBucket(tx)\n\tif err != nil {\n\t\treturn err\n\t}\n\tgroupsBucket, err := p.getGroupsBucket(tx)\n\tif err != nil {\n\t\treturn err\n\t}\n\trolesBucket, err := p.getRolesBucket(tx)\n\tif err != nil {\n\t\treturn err\n\t}\n\tfor idx := range oldUser.VirtualFolders {\n\t\terr = p.removeRelationFromFolderMapping(oldUser.VirtualFolders[idx], oldUser.Username, \"\", foldersBucket)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tfor idx := range oldUser.Groups {\n\t\terr = p.removeUserFromGroupMapping(user.Username, oldUser.Groups[idx].Name, groupsBucket)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tif err = p.removeUserFromRole(oldUser.Username, oldUser.Role, rolesBucket); err != nil {\n\t\treturn err\n\t}\n\tfor idx := range user.VirtualFolders {\n\t\terr = p.addRelationToFolderMapping(user.VirtualFolders[idx].Name, user, nil, foldersBucket)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tfor idx := range user.Groups {\n\t\terr = p.addUserToGroupMapping(user.Username, user.Groups[idx].Name, groupsBucket)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\treturn p.addUserToRole(user.Username, user.Role, rolesBucket)\n}\n\nfunc (p *BoltProvider) adminExistsInternal(tx *bolt.Tx, username string) error {\n\tbucket, err := p.getAdminsBucket(tx)\n\tif err != nil {\n\t\treturn err\n\t}\n\ta := bucket.Get([]byte(username))\n\tif a == nil {\n\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"admin %v does not exist\", username))\n\t}\n\treturn nil\n}\n\nfunc (p *BoltProvider) userExistsInternal(tx *bolt.Tx, username string) error {\n\tbucket, err := p.getUsersBucket(tx)\n\tif err != nil {\n\t\treturn err\n\t}\n\tu := bucket.Get([]byte(username))\n\tif u == nil {\n\t\treturn util.NewRecordNotFoundError(fmt.Sprintf(\"username %q does not exist\", username))\n\t}\n\treturn nil\n}\n\nfunc (p *BoltProvider) deleteRelatedShares(tx *bolt.Tx, username string) error {\n\tbucket, err := p.getSharesBucket(tx)\n\tif err != nil {\n\t\treturn err\n\t}\n\tvar toRemove []string\n\tcursor := bucket.Cursor()\n\tfor k, v := cursor.First(); k != nil; k, v = cursor.Next() {\n\t\tvar share Share\n\t\terr = json.Unmarshal(v, &share)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif share.Username == username {\n\t\t\ttoRemove = append(toRemove, share.ShareID)\n\t\t}\n\t}\n\n\tfor _, k := range toRemove {\n\t\tif err := bucket.Delete([]byte(k)); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\treturn nil\n}\n\nfunc (p *BoltProvider) deleteRelatedAPIKey(tx *bolt.Tx, username string, scope APIKeyScope) error {\n\tbucket, err := p.getAPIKeysBucket(tx)\n\tif err != nil {\n\t\treturn err\n\t}\n\tvar toRemove []string\n\tcursor := bucket.Cursor()\n\tfor k, v := cursor.First(); k != nil; k, v = cursor.Next() {\n\t\tvar apiKey APIKey\n\t\terr = json.Unmarshal(v, &apiKey)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif scope == APIKeyScopeUser {\n\t\t\tif apiKey.User == username {\n\t\t\t\ttoRemove = append(toRemove, apiKey.KeyID)\n\t\t\t}\n\t\t} else {\n\t\t\tif apiKey.Admin == username {\n\t\t\t\ttoRemove = append(toRemove, apiKey.KeyID)\n\t\t\t}\n\t\t}\n\t}\n\n\tfor _, k := range toRemove {\n\t\tif err := bucket.Delete([]byte(k)); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\treturn nil\n}\n\nfunc (p *BoltProvider) getSharesBucket(tx *bolt.Tx) (*bolt.Bucket, error) {\n\tvar err error\n\n\tbucket := tx.Bucket(sharesBucket)\n\tif bucket == nil {\n\t\terr = errors.New(\"unable to find shares bucket, bolt database structure not correcly defined\")\n\t}\n\treturn bucket, err\n}\n\nfunc (p *BoltProvider) getAPIKeysBucket(tx *bolt.Tx) (*bolt.Bucket, error) {\n\tvar err error\n\n\tbucket := tx.Bucket(apiKeysBucket)\n\tif bucket == nil {\n\t\terr = errors.New(\"unable to find api keys bucket, bolt database structure not correcly defined\")\n\t}\n\treturn bucket, err\n}\n\nfunc (p *BoltProvider) getAdminsBucket(tx *bolt.Tx) (*bolt.Bucket, error) {\n\tvar err error\n\n\tbucket := tx.Bucket(adminsBucket)\n\tif bucket == nil {\n\t\terr = errors.New(\"unable to find admins bucket, bolt database structure not correcly defined\")\n\t}\n\treturn bucket, err\n}\n\nfunc (p *BoltProvider) getUsersBucket(tx *bolt.Tx) (*bolt.Bucket, error) {\n\tvar err error\n\tbucket := tx.Bucket(usersBucket)\n\tif bucket == nil {\n\t\terr = errors.New(\"unable to find users bucket, bolt database structure not correcly defined\")\n\t}\n\treturn bucket, err\n}\n\nfunc (p *BoltProvider) getGroupsBucket(tx *bolt.Tx) (*bolt.Bucket, error) {\n\tvar err error\n\tbucket := tx.Bucket(groupsBucket)\n\tif bucket == nil {\n\t\terr = fmt.Errorf(\"unable to find groups bucket, bolt database structure not correcly defined\")\n\t}\n\treturn bucket, err\n}\n\nfunc (p *BoltProvider) getRolesBucket(tx *bolt.Tx) (*bolt.Bucket, error) {\n\tvar err error\n\tbucket := tx.Bucket(rolesBucket)\n\tif bucket == nil {\n\t\terr = fmt.Errorf(\"unable to find roles bucket, bolt database structure not correcly defined\")\n\t}\n\treturn bucket, err\n}\n\nfunc (p *BoltProvider) getIPListsBucket(tx *bolt.Tx) (*bolt.Bucket, error) {\n\tvar err error\n\tbucket := tx.Bucket(rolesBucket)\n\tif bucket == nil {\n\t\terr = fmt.Errorf(\"unable to find IP lists bucket, bolt database structure not correcly defined\")\n\t}\n\treturn bucket, err\n}\n\nfunc (p *BoltProvider) getFoldersBucket(tx *bolt.Tx) (*bolt.Bucket, error) {\n\tvar err error\n\tbucket := tx.Bucket(foldersBucket)\n\tif bucket == nil {\n\t\terr = fmt.Errorf(\"unable to find folders bucket, bolt database structure not correcly defined\")\n\t}\n\treturn bucket, err\n}\n\nfunc (p *BoltProvider) getActionsBucket(tx *bolt.Tx) (*bolt.Bucket, error) {\n\tvar err error\n\tbucket := tx.Bucket(actionsBucket)\n\tif bucket == nil {\n\t\terr = fmt.Errorf(\"unable to find event actions bucket, bolt database structure not correcly defined\")\n\t}\n\treturn bucket, err\n}\n\nfunc (p *BoltProvider) getRulesBucket(tx *bolt.Tx) (*bolt.Bucket, error) {\n\tvar err error\n\tbucket := tx.Bucket(rulesBucket)\n\tif bucket == nil {\n\t\terr = fmt.Errorf(\"unable to find event rules bucket, bolt database structure not correcly defined\")\n\t}\n\treturn bucket, err\n}\n\nfunc getBoltDatabaseVersion(dbHandle *bolt.DB) (schemaVersion, error) {\n\tvar dbVersion schemaVersion\n\terr := dbHandle.View(func(tx *bolt.Tx) error {\n\t\tbucket := tx.Bucket(dbVersionBucket)\n\t\tif bucket == nil {\n\t\t\treturn fmt.Errorf(\"unable to find database schema version bucket\")\n\t\t}\n\t\tv := bucket.Get(dbVersionKey)\n\t\tif v == nil {\n\t\t\tdbVersion = schemaVersion{\n\t\t\t\tVersion: 33,\n\t\t\t}\n\t\t\treturn nil\n\t\t}\n\t\treturn json.Unmarshal(v, &dbVersion)\n\t})\n\treturn dbVersion, err\n}\n\nfunc updateBoltDatabaseVersion(dbHandle *bolt.DB, version int) error {\n\terr := dbHandle.Update(func(tx *bolt.Tx) error {\n\t\tbucket := tx.Bucket(dbVersionBucket)\n\t\tif bucket == nil {\n\t\t\treturn fmt.Errorf(\"unable to find database schema version bucket\")\n\t\t}\n\t\tnewDbVersion := schemaVersion{\n\t\t\tVersion: version,\n\t\t}\n\t\tbuf, err := json.Marshal(newDbVersion)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn bucket.Put(dbVersionKey, buf)\n\t})\n\treturn err\n}\n" }, { "path": "internal/dataprovider/bolt_disabled.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build nobolt\n\npackage dataprovider\n\nimport (\n\t\"errors\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n)\n\nfunc init() {\n\tversion.AddFeature(\"-bolt\")\n}\n\nfunc initializeBoltProvider(_ string) error {\n\treturn errors.New(\"bolt disabled at build time\")\n}\n" }, { "path": "internal/dataprovider/cachedpassword.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage dataprovider\n\nimport (\n\t\"sort\"\n\t\"sync\"\n\t\"sync/atomic\"\n\t\"time\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nvar (\n\tcachedUserPasswords credentialsCache\n\tcachedAdminPasswords credentialsCache\n\tcachedAPIKeys credentialsCache\n)\n\nfunc init() {\n\tcachedUserPasswords = credentialsCache{\n\t\tname: \"users\",\n\t\tsizeLimit: 500,\n\t\tcache: make(map[string]credentialObject),\n\t}\n\tcachedAdminPasswords = credentialsCache{\n\t\tname: \"admins\",\n\t\tsizeLimit: 100,\n\t\tcache: make(map[string]credentialObject),\n\t}\n\tcachedAPIKeys = credentialsCache{\n\t\tname: \"API keys\",\n\t\tsizeLimit: 500,\n\t\tcache: make(map[string]credentialObject),\n\t}\n}\n\n// CheckCachedUserPassword is an utility method used only in test cases\nfunc CheckCachedUserPassword(username, password, hash string) (bool, bool) {\n\treturn cachedUserPasswords.Check(username, password, hash)\n}\n\ntype credentialObject struct {\n\tkey string\n\thash string\n\tpassword string\n\tusedAt *atomic.Int64\n}\n\ntype credentialsCache struct {\n\tname string\n\tsizeLimit int\n\tsync.RWMutex\n\tcache map[string]credentialObject\n}\n\nfunc (c *credentialsCache) Add(username, password, hash string) {\n\tif !config.PasswordCaching || username == \"\" || password == \"\" || hash == \"\" {\n\t\treturn\n\t}\n\n\tc.Lock()\n\tdefer c.Unlock()\n\n\tobj := credentialObject{\n\t\tkey: username,\n\t\thash: hash,\n\t\tpassword: password,\n\t\tusedAt: &atomic.Int64{},\n\t}\n\tobj.usedAt.Store(util.GetTimeAsMsSinceEpoch(time.Now()))\n\n\tc.cache[username] = obj\n}\n\nfunc (c *credentialsCache) Remove(username string) {\n\tif !config.PasswordCaching {\n\t\treturn\n\t}\n\n\tc.Lock()\n\tdefer c.Unlock()\n\n\tdelete(c.cache, username)\n}\n\n// Check returns if the username is found and if the password match\nfunc (c *credentialsCache) Check(username, password, hash string) (bool, bool) {\n\tif username == \"\" || password == \"\" || hash == \"\" {\n\t\treturn false, false\n\t}\n\n\tc.RLock()\n\tdefer c.RUnlock()\n\n\tcreds, ok := c.cache[username]\n\tif !ok {\n\t\treturn false, false\n\t}\n\tif creds.hash != hash {\n\t\tcreds.usedAt.Store(0)\n\t\treturn false, false\n\t}\n\tmatch := creds.password == password\n\tif match {\n\t\tcreds.usedAt.Store(util.GetTimeAsMsSinceEpoch(time.Now()))\n\t}\n\treturn true, match\n}\n\nfunc (c *credentialsCache) count() int {\n\tc.RLock()\n\tdefer c.RUnlock()\n\n\treturn len(c.cache)\n}\n\nfunc (c *credentialsCache) cleanup() {\n\tif !config.PasswordCaching {\n\t\treturn\n\t}\n\tif c.count() <= c.sizeLimit {\n\t\treturn\n\t}\n\n\tc.Lock()\n\tdefer c.Unlock()\n\n\tfor k, v := range c.cache {\n\t\tif v.usedAt.Load() < util.GetTimeAsMsSinceEpoch(time.Now().Add(-60*time.Minute)) {\n\t\t\tdelete(c.cache, k)\n\t\t}\n\t}\n\tproviderLog(logger.LevelDebug, \"size for credentials %q after cleanup: %d\", c.name, len(c.cache))\n\n\tif len(c.cache) < c.sizeLimit*5 {\n\t\treturn\n\t}\n\tnumToRemove := len(c.cache) - c.sizeLimit\n\tproviderLog(logger.LevelDebug, \"additional item to remove from credentials %q: %d\", c.name, numToRemove)\n\tcredentials := make([]credentialObject, 0, len(c.cache))\n\tfor _, v := range c.cache {\n\t\tcredentials = append(credentials, v)\n\t}\n\tsort.Slice(credentials, func(i, j int) bool {\n\t\treturn credentials[i].usedAt.Load() < credentials[j].usedAt.Load()\n\t})\n\n\tfor idx := range credentials {\n\t\tif idx >= numToRemove {\n\t\t\tbreak\n\t\t}\n\t\tdelete(c.cache, credentials[idx].key)\n\t}\n\tproviderLog(logger.LevelDebug, \"size for credentials %q after additional cleanup: %d\", c.name, len(c.cache))\n}\n" }, { "path": "internal/dataprovider/cacheduser.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage dataprovider\n\nimport (\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/drakkan/webdav\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nvar (\n\twebDAVUsersCache *usersCache\n)\n\nfunc init() {\n\twebDAVUsersCache = &usersCache{\n\t\tusers: map[string]CachedUser{},\n\t}\n}\n\n// InitializeWebDAVUserCache initializes the cache for webdav users\nfunc InitializeWebDAVUserCache(maxSize int) {\n\twebDAVUsersCache = &usersCache{\n\t\tusers: map[string]CachedUser{},\n\t\tmaxSize: maxSize,\n\t}\n}\n\n// CachedUser adds fields useful for caching to a SFTPGo user\ntype CachedUser struct {\n\tUser User\n\tExpiration time.Time\n\tPassword string\n\tLockSystem webdav.LockSystem\n}\n\n// IsExpired returns true if the cached user is expired\nfunc (c *CachedUser) IsExpired() bool {\n\tif c.Expiration.IsZero() {\n\t\treturn false\n\t}\n\treturn c.Expiration.Before(time.Now())\n}\n\ntype usersCache struct {\n\tsync.RWMutex\n\tusers map[string]CachedUser\n\tmaxSize int\n}\n\nfunc (cache *usersCache) updateLastLogin(username string) {\n\tcache.Lock()\n\tdefer cache.Unlock()\n\n\tif cachedUser, ok := cache.users[username]; ok {\n\t\tcachedUser.User.LastLogin = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tcache.users[username] = cachedUser\n\t}\n}\n\n// swapWebDAVUser updates an existing cached user with the specified one\n// preserving the lock fs if possible\n// FIXME: this could be racy in rare cases\nfunc (cache *usersCache) swap(userRef *User, plainPassword string) {\n\tuser := userRef.getACopy()\n\terr := user.LoadAndApplyGroupSettings()\n\n\tcache.Lock()\n\tdefer cache.Unlock()\n\n\tif cachedUser, ok := cache.users[user.Username]; ok {\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelDebug, \"unable to load group settings, for user %q, removing from cache, err :%v\",\n\t\t\t\tuser.Username, err)\n\t\t\tdelete(cache.users, user.Username)\n\t\t\treturn\n\t\t}\n\t\tif plainPassword != \"\" {\n\t\t\tcachedUser.Password = plainPassword\n\t\t} else {\n\t\t\tif cachedUser.User.Password != user.Password {\n\t\t\t\tproviderLog(logger.LevelDebug, \"current password different from the cached one for user %q, removing from cache\",\n\t\t\t\t\tuser.Username)\n\t\t\t\t// the password changed, the cached user is no longer valid\n\t\t\t\tdelete(cache.users, user.Username)\n\t\t\t\treturn\n\t\t\t}\n\t\t}\n\t\tif cachedUser.User.isFsEqual(&user) {\n\t\t\t// the updated user has the same fs as the cached one, we can preserve the lock filesystem\n\t\t\tproviderLog(logger.LevelDebug, \"current password and fs unchanged for for user %q, swap cached one\",\n\t\t\t\tuser.Username)\n\t\t\tcachedUser.User = user\n\t\t\tcache.users[user.Username] = cachedUser\n\t\t} else {\n\t\t\t// filesystem changed, the cached user is no longer valid\n\t\t\tproviderLog(logger.LevelDebug, \"current fs different from the cached one for user %q, removing from cache\",\n\t\t\t\tuser.Username)\n\t\t\tdelete(cache.users, user.Username)\n\t\t}\n\t}\n}\n\nfunc (cache *usersCache) add(cachedUser *CachedUser) {\n\tcache.Lock()\n\tdefer cache.Unlock()\n\n\tif cache.maxSize > 0 && len(cache.users) >= cache.maxSize {\n\t\tvar userToRemove string\n\t\tvar expirationTime time.Time\n\n\t\tfor k, v := range cache.users {\n\t\t\tif userToRemove == \"\" {\n\t\t\t\tuserToRemove = k\n\t\t\t\texpirationTime = v.Expiration\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\texpireTime := v.Expiration\n\t\t\tif !expireTime.IsZero() && expireTime.Before(expirationTime) {\n\t\t\t\tuserToRemove = k\n\t\t\t\texpirationTime = expireTime\n\t\t\t}\n\t\t}\n\n\t\tdelete(cache.users, userToRemove)\n\t}\n\n\tif cachedUser.User.Username != \"\" {\n\t\tcache.users[cachedUser.User.Username] = *cachedUser\n\t}\n}\n\nfunc (cache *usersCache) remove(username string) {\n\tcache.Lock()\n\tdefer cache.Unlock()\n\n\tdelete(cache.users, username)\n}\n\nfunc (cache *usersCache) get(username string) (*CachedUser, bool) {\n\tcache.RLock()\n\tdefer cache.RUnlock()\n\n\tcachedUser, ok := cache.users[username]\n\tif !ok {\n\t\treturn nil, false\n\t}\n\treturn &cachedUser, true\n}\n\n// CacheWebDAVUser add a user to the WebDAV cache\nfunc CacheWebDAVUser(cachedUser *CachedUser) {\n\twebDAVUsersCache.add(cachedUser)\n}\n\n// GetCachedWebDAVUser returns a previously cached WebDAV user\nfunc GetCachedWebDAVUser(username string) (*CachedUser, bool) {\n\treturn webDAVUsersCache.get(username)\n}\n\n// RemoveCachedWebDAVUser removes a cached WebDAV user\nfunc RemoveCachedWebDAVUser(username string) {\n\twebDAVUsersCache.remove(username)\n}\n" }, { "path": "internal/dataprovider/configs.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage dataprovider\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"image/png\"\n\t\"net/url\"\n\t\"slices\"\n\n\t\"golang.org/x/crypto/ssh\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\n// Supported values for host keys, KEXs, ciphers, MACs\nvar (\n\tsupportedHostKeyAlgos = []string{ssh.KeyAlgoRSA}\n\tsupportedPublicKeyAlgos = []string{ssh.KeyAlgoRSA, ssh.InsecureKeyAlgoDSA} //nolint:staticcheck\n\tsupportedKexAlgos = []string{\n\t\tssh.KeyExchangeDH16SHA512, ssh.InsecureKeyExchangeDH14SHA1, ssh.InsecureKeyExchangeDH1SHA1,\n\t\tssh.InsecureKeyExchangeDHGEXSHA1,\n\t}\n\tsupportedCiphers = []string{\n\t\tssh.InsecureCipherAES128CBC,\n\t\tssh.InsecureCipherTripleDESCBC,\n\t}\n\tsupportedMACs = []string{\n\t\tssh.HMACSHA512ETM, ssh.HMACSHA512,\n\t\tssh.HMACSHA1, ssh.InsecureHMACSHA196,\n\t}\n)\n\n// SFTPDConfigs defines configurations for SFTPD\ntype SFTPDConfigs struct {\n\tHostKeyAlgos []string `json:\"host_key_algos,omitempty\"`\n\tPublicKeyAlgos []string `json:\"public_key_algos,omitempty\"`\n\tKexAlgorithms []string `json:\"kex_algorithms,omitempty\"`\n\tCiphers []string `json:\"ciphers,omitempty\"`\n\tMACs []string `json:\"macs,omitempty\"`\n}\n\nfunc (c *SFTPDConfigs) isEmpty() bool {\n\tif len(c.HostKeyAlgos) > 0 {\n\t\treturn false\n\t}\n\tif len(c.PublicKeyAlgos) > 0 {\n\t\treturn false\n\t}\n\tif len(c.KexAlgorithms) > 0 {\n\t\treturn false\n\t}\n\tif len(c.Ciphers) > 0 {\n\t\treturn false\n\t}\n\tif len(c.MACs) > 0 {\n\t\treturn false\n\t}\n\treturn true\n}\n\n// GetSupportedHostKeyAlgos returns the supported legacy host key algos\nfunc (*SFTPDConfigs) GetSupportedHostKeyAlgos() []string {\n\treturn supportedHostKeyAlgos\n}\n\n// GetSupportedPublicKeyAlgos returns the supported legacy public key algos\nfunc (*SFTPDConfigs) GetSupportedPublicKeyAlgos() []string {\n\treturn supportedPublicKeyAlgos\n}\n\n// GetSupportedKEXAlgos returns the supported KEX algos\nfunc (*SFTPDConfigs) GetSupportedKEXAlgos() []string {\n\treturn supportedKexAlgos\n}\n\n// GetSupportedCiphers returns the supported ciphers\nfunc (*SFTPDConfigs) GetSupportedCiphers() []string {\n\treturn supportedCiphers\n}\n\n// GetSupportedMACs returns the supported MACs algos\nfunc (*SFTPDConfigs) GetSupportedMACs() []string {\n\treturn supportedMACs\n}\n\nfunc (c *SFTPDConfigs) validate() error {\n\tvar hostKeyAlgos []string\n\tfor _, algo := range c.HostKeyAlgos {\n\t\tif algo == ssh.CertAlgoRSAv01 {\n\t\t\tcontinue\n\t\t}\n\t\tif !slices.Contains(supportedHostKeyAlgos, algo) {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"unsupported host key algorithm %q\", algo))\n\t\t}\n\t\thostKeyAlgos = append(hostKeyAlgos, algo)\n\t}\n\tc.HostKeyAlgos = hostKeyAlgos\n\tvar kexAlgos []string\n\tfor _, algo := range c.KexAlgorithms {\n\t\tif algo == \"diffie-hellman-group18-sha512\" || algo == ssh.KeyExchangeDHGEXSHA256 {\n\t\t\tcontinue\n\t\t}\n\t\tif !slices.Contains(supportedKexAlgos, algo) {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"unsupported KEX algorithm %q\", algo))\n\t\t}\n\t\tkexAlgos = append(kexAlgos, algo)\n\t}\n\tc.KexAlgorithms = kexAlgos\n\tfor _, cipher := range c.Ciphers {\n\t\tif slices.Contains([]string{\"aes192-cbc\", \"aes256-cbc\"}, cipher) {\n\t\t\tcontinue\n\t\t}\n\t\tif !slices.Contains(supportedCiphers, cipher) {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"unsupported cipher %q\", cipher))\n\t\t}\n\t}\n\tfor _, mac := range c.MACs {\n\t\tif !slices.Contains(supportedMACs, mac) {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"unsupported MAC algorithm %q\", mac))\n\t\t}\n\t}\n\tfor _, algo := range c.PublicKeyAlgos {\n\t\tif !slices.Contains(supportedPublicKeyAlgos, algo) {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"unsupported public key algorithm %q\", algo))\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (c *SFTPDConfigs) getACopy() *SFTPDConfigs {\n\thostKeys := make([]string, len(c.HostKeyAlgos))\n\tcopy(hostKeys, c.HostKeyAlgos)\n\tpublicKeys := make([]string, len(c.PublicKeyAlgos))\n\tcopy(publicKeys, c.PublicKeyAlgos)\n\tkexs := make([]string, len(c.KexAlgorithms))\n\tcopy(kexs, c.KexAlgorithms)\n\tciphers := make([]string, len(c.Ciphers))\n\tcopy(ciphers, c.Ciphers)\n\tmacs := make([]string, len(c.MACs))\n\tcopy(macs, c.MACs)\n\n\treturn &SFTPDConfigs{\n\t\tHostKeyAlgos: hostKeys,\n\t\tPublicKeyAlgos: publicKeys,\n\t\tKexAlgorithms: kexs,\n\t\tCiphers: ciphers,\n\t\tMACs: macs,\n\t}\n}\n\nfunc validateSMTPSecret(secret *kms.Secret, name string) error {\n\tif secret.IsRedacted() {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"cannot save a redacted smtp %s\", name))\n\t}\n\tif secret.IsEncrypted() && !secret.IsValid() {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid encrypted smtp %s\", name))\n\t}\n\tif !secret.IsEmpty() && !secret.IsValidInput() {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid smtp %s\", name))\n\t}\n\tif secret.IsPlain() {\n\t\tsecret.SetAdditionalData(\"smtp\")\n\t\tif err := secret.Encrypt(); err != nil {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"could not encrypt smtp %s: %v\", name, err))\n\t\t}\n\t}\n\treturn nil\n}\n\n// SMTPOAuth2 defines the SMTP related OAuth2 configurations\ntype SMTPOAuth2 struct {\n\tProvider int `json:\"provider,omitempty\"`\n\tTenant string `json:\"tenant,omitempty\"`\n\tClientID string `json:\"client_id,omitempty\"`\n\tClientSecret *kms.Secret `json:\"client_secret,omitempty\"`\n\tRefreshToken *kms.Secret `json:\"refresh_token,omitempty\"`\n}\n\nfunc (c *SMTPOAuth2) validate() error {\n\tif c.Provider < 0 || c.Provider > 1 {\n\t\treturn util.NewValidationError(\"smtp oauth2: unsupported provider\")\n\t}\n\tif c.ClientID == \"\" {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"smtp oauth2: client id is required\"),\n\t\t\tutil.I18nErrorClientIDRequired,\n\t\t)\n\t}\n\tif c.ClientSecret == nil || c.ClientSecret.IsEmpty() {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"smtp oauth2: client secret is required\"),\n\t\t\tutil.I18nErrorClientSecretRequired,\n\t\t)\n\t}\n\tif c.RefreshToken == nil || c.RefreshToken.IsEmpty() {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"smtp oauth2: refresh token is required\"),\n\t\t\tutil.I18nErrorRefreshTokenRequired,\n\t\t)\n\t}\n\tif err := validateSMTPSecret(c.ClientSecret, \"oauth2 client secret\"); err != nil {\n\t\treturn err\n\t}\n\treturn validateSMTPSecret(c.RefreshToken, \"oauth2 refresh token\")\n}\n\nfunc (c *SMTPOAuth2) getACopy() SMTPOAuth2 {\n\tvar clientSecret, refreshToken *kms.Secret\n\tif c.ClientSecret != nil {\n\t\tclientSecret = c.ClientSecret.Clone()\n\t}\n\tif c.RefreshToken != nil {\n\t\trefreshToken = c.RefreshToken.Clone()\n\t}\n\treturn SMTPOAuth2{\n\t\tProvider: c.Provider,\n\t\tTenant: c.Tenant,\n\t\tClientID: c.ClientID,\n\t\tClientSecret: clientSecret,\n\t\tRefreshToken: refreshToken,\n\t}\n}\n\n// SMTPConfigs defines configuration for SMTP\ntype SMTPConfigs struct {\n\tHost string `json:\"host,omitempty\"`\n\tPort int `json:\"port,omitempty\"`\n\tFrom string `json:\"from,omitempty\"`\n\tUser string `json:\"user,omitempty\"`\n\tPassword *kms.Secret `json:\"password,omitempty\"`\n\tAuthType int `json:\"auth_type,omitempty\"`\n\tEncryption int `json:\"encryption,omitempty\"`\n\tDomain string `json:\"domain,omitempty\"`\n\tDebug int `json:\"debug,omitempty\"`\n\tOAuth2 SMTPOAuth2 `json:\"oauth2\"`\n}\n\n// IsEmpty returns true if the configuration is empty\nfunc (c *SMTPConfigs) IsEmpty() bool {\n\treturn c.Host == \"\"\n}\n\nfunc (c *SMTPConfigs) validate() error {\n\tif c.IsEmpty() {\n\t\treturn nil\n\t}\n\tif c.Port <= 0 || c.Port > 65535 {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"smtp: invalid port %d\", c.Port))\n\t}\n\tif c.Password != nil && c.AuthType != 3 {\n\t\tif err := validateSMTPSecret(c.Password, \"password\"); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tif c.User == \"\" && c.From == \"\" {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"smtp: from address and user cannot both be empty\"),\n\t\t\tutil.I18nErrorSMTPRequiredFields,\n\t\t)\n\t}\n\tif c.AuthType < 0 || c.AuthType > 3 {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"smtp: invalid auth type %d\", c.AuthType))\n\t}\n\tif c.Encryption < 0 || c.Encryption > 2 {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"smtp: invalid encryption %d\", c.Encryption))\n\t}\n\tif c.AuthType == 3 {\n\t\tc.Password = kms.NewEmptySecret()\n\t\treturn c.OAuth2.validate()\n\t}\n\tc.OAuth2 = SMTPOAuth2{}\n\treturn nil\n}\n\n// TryDecrypt tries to decrypt the encrypted secrets\nfunc (c *SMTPConfigs) TryDecrypt() error {\n\tif c.Password == nil {\n\t\tc.Password = kms.NewEmptySecret()\n\t}\n\tif c.OAuth2.ClientSecret == nil {\n\t\tc.OAuth2.ClientSecret = kms.NewEmptySecret()\n\t}\n\tif c.OAuth2.RefreshToken == nil {\n\t\tc.OAuth2.RefreshToken = kms.NewEmptySecret()\n\t}\n\tif err := c.Password.TryDecrypt(); err != nil {\n\t\treturn fmt.Errorf(\"unable to decrypt smtp password: %w\", err)\n\t}\n\tif err := c.OAuth2.ClientSecret.TryDecrypt(); err != nil {\n\t\treturn fmt.Errorf(\"unable to decrypt smtp oauth2 client secret: %w\", err)\n\t}\n\tif err := c.OAuth2.RefreshToken.TryDecrypt(); err != nil {\n\t\treturn fmt.Errorf(\"unable to decrypt smtp oauth2 refresh token: %w\", err)\n\t}\n\treturn nil\n}\n\nfunc (c *SMTPConfigs) prepareForRendering() {\n\tif c.Password != nil {\n\t\tc.Password.Hide()\n\t\tif c.Password.IsEmpty() {\n\t\t\tc.Password = nil\n\t\t}\n\t}\n\tif c.OAuth2.ClientSecret != nil {\n\t\tc.OAuth2.ClientSecret.Hide()\n\t\tif c.OAuth2.ClientSecret.IsEmpty() {\n\t\t\tc.OAuth2.ClientSecret = nil\n\t\t}\n\t}\n\tif c.OAuth2.RefreshToken != nil {\n\t\tc.OAuth2.RefreshToken.Hide()\n\t\tif c.OAuth2.RefreshToken.IsEmpty() {\n\t\t\tc.OAuth2.RefreshToken = nil\n\t\t}\n\t}\n}\n\nfunc (c *SMTPConfigs) getACopy() *SMTPConfigs {\n\tvar password *kms.Secret\n\tif c.Password != nil {\n\t\tpassword = c.Password.Clone()\n\t}\n\treturn &SMTPConfigs{\n\t\tHost: c.Host,\n\t\tPort: c.Port,\n\t\tFrom: c.From,\n\t\tUser: c.User,\n\t\tPassword: password,\n\t\tAuthType: c.AuthType,\n\t\tEncryption: c.Encryption,\n\t\tDomain: c.Domain,\n\t\tDebug: c.Debug,\n\t\tOAuth2: c.OAuth2.getACopy(),\n\t}\n}\n\n// ACMEHTTP01Challenge defines the configuration for HTTP-01 challenge type\ntype ACMEHTTP01Challenge struct {\n\tPort int `json:\"port\"`\n}\n\n// ACMEConfigs defines ACME related configuration\ntype ACMEConfigs struct {\n\tDomain string `json:\"domain\"`\n\tEmail string `json:\"email\"`\n\tHTTP01Challenge ACMEHTTP01Challenge `json:\"http01_challenge\"`\n\t// apply the certificate for the specified protocols:\n\t//\n\t// 1 means HTTP\n\t// 2 means FTP\n\t// 4 means WebDAV\n\t//\n\t// Protocols can be combined\n\tProtocols int `json:\"protocols\"`\n}\n\nfunc (c *ACMEConfigs) isEmpty() bool {\n\treturn c.Domain == \"\"\n}\n\nfunc (c *ACMEConfigs) validate() error {\n\tif c.Domain == \"\" {\n\t\treturn nil\n\t}\n\tif c.Email == \"\" && !util.IsEmailValid(c.Email) {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(fmt.Sprintf(\"acme: invalid email %q\", c.Email)),\n\t\t\tutil.I18nErrorInvalidEmail,\n\t\t)\n\t}\n\tif c.HTTP01Challenge.Port <= 0 || c.HTTP01Challenge.Port > 65535 {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"acme: invalid HTTP-01 challenge port %d\", c.HTTP01Challenge.Port))\n\t}\n\treturn nil\n}\n\n// HasProtocol returns true if the ACME certificate must be used for the specified protocol\nfunc (c *ACMEConfigs) HasProtocol(protocol string) bool {\n\tswitch protocol {\n\tcase protocolHTTP:\n\t\treturn c.Protocols&1 != 0\n\tcase protocolFTP:\n\t\treturn c.Protocols&2 != 0\n\tcase protocolWebDAV:\n\t\treturn c.Protocols&4 != 0\n\tdefault:\n\t\treturn false\n\t}\n}\n\nfunc (c *ACMEConfigs) getACopy() *ACMEConfigs {\n\treturn &ACMEConfigs{\n\t\tEmail: c.Email,\n\t\tDomain: c.Domain,\n\t\tHTTP01Challenge: ACMEHTTP01Challenge{Port: c.HTTP01Challenge.Port},\n\t\tProtocols: c.Protocols,\n\t}\n}\n\n// BrandingConfig defines the branding configuration\ntype BrandingConfig struct {\n\tName string `json:\"name\"`\n\tShortName string `json:\"short_name\"`\n\tLogo []byte `json:\"logo\"`\n\tFavicon []byte `json:\"favicon\"`\n\tDisclaimerName string `json:\"disclaimer_name\"`\n\tDisclaimerURL string `json:\"disclaimer_url\"`\n}\n\nfunc (c *BrandingConfig) isEmpty() bool {\n\tif c.Name != \"\" {\n\t\treturn false\n\t}\n\tif c.ShortName != \"\" {\n\t\treturn false\n\t}\n\tif len(c.Logo) > 0 {\n\t\treturn false\n\t}\n\tif len(c.Favicon) > 0 {\n\t\treturn false\n\t}\n\tif c.DisclaimerName != \"\" && c.DisclaimerURL != \"\" {\n\t\treturn false\n\t}\n\treturn true\n}\n\nfunc (*BrandingConfig) validatePNG(b []byte, maxWidth, maxHeight int) error {\n\tif len(b) == 0 {\n\t\treturn nil\n\t}\n\t// DecodeConfig is more efficient, but I'm not sure if this would lead to\n\t// accepting invalid images in some edge cases and performance does not\n\t// matter here.\n\timg, err := png.Decode(bytes.NewBuffer(b))\n\tif err != nil {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"invalid PNG image\"),\n\t\t\tutil.I18nErrorInvalidPNG,\n\t\t)\n\t}\n\tbounds := img.Bounds()\n\tif bounds.Dx() > maxWidth || bounds.Dy() > maxHeight {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"invalid PNG image size\"),\n\t\t\tutil.I18nErrorInvalidPNGSize,\n\t\t)\n\t}\n\treturn nil\n}\n\nfunc (c *BrandingConfig) validateDisclaimerURL() error {\n\tif c.DisclaimerURL == \"\" {\n\t\treturn nil\n\t}\n\tu, err := url.Parse(c.DisclaimerURL)\n\tif err != nil {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"invalid disclaimer URL\"),\n\t\t\tutil.I18nErrorInvalidDisclaimerURL,\n\t\t)\n\t}\n\tif u.Scheme != \"http\" && u.Scheme != \"https\" {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"invalid disclaimer URL scheme\"),\n\t\t\tutil.I18nErrorInvalidDisclaimerURL,\n\t\t)\n\t}\n\treturn nil\n}\n\nfunc (c *BrandingConfig) validate() error {\n\tif err := c.validateDisclaimerURL(); err != nil {\n\t\treturn err\n\t}\n\tif err := c.validatePNG(c.Logo, 512, 512); err != nil {\n\t\treturn err\n\t}\n\treturn c.validatePNG(c.Favicon, 256, 256)\n}\n\nfunc (c *BrandingConfig) getACopy() BrandingConfig {\n\tlogo := make([]byte, len(c.Logo))\n\tcopy(logo, c.Logo)\n\tfavicon := make([]byte, len(c.Favicon))\n\tcopy(favicon, c.Favicon)\n\n\treturn BrandingConfig{\n\t\tName: c.Name,\n\t\tShortName: c.ShortName,\n\t\tLogo: logo,\n\t\tFavicon: favicon,\n\t\tDisclaimerName: c.DisclaimerName,\n\t\tDisclaimerURL: c.DisclaimerURL,\n\t}\n}\n\n// BrandingConfigs defines the branding configuration for WebAdmin and WebClient UI\ntype BrandingConfigs struct {\n\tWebAdmin BrandingConfig\n\tWebClient BrandingConfig\n}\n\nfunc (c *BrandingConfigs) isEmpty() bool {\n\treturn c.WebAdmin.isEmpty() && c.WebClient.isEmpty()\n}\n\nfunc (c *BrandingConfigs) validate() error {\n\tif err := c.WebAdmin.validate(); err != nil {\n\t\treturn err\n\t}\n\treturn c.WebClient.validate()\n}\n\nfunc (c *BrandingConfigs) getACopy() *BrandingConfigs {\n\treturn &BrandingConfigs{\n\t\tWebAdmin: c.WebAdmin.getACopy(),\n\t\tWebClient: c.WebClient.getACopy(),\n\t}\n}\n\n// Configs allows to set configuration keys disabled by default without\n// modifying the config file or setting env vars\ntype Configs struct {\n\tSFTPD *SFTPDConfigs `json:\"sftpd,omitempty\"`\n\tSMTP *SMTPConfigs `json:\"smtp,omitempty\"`\n\tACME *ACMEConfigs `json:\"acme,omitempty\"`\n\tBranding *BrandingConfigs `json:\"branding,omitempty\"`\n\tUpdatedAt int64 `json:\"updated_at,omitempty\"`\n}\n\nfunc (c *Configs) validate() error {\n\tif c.SFTPD != nil {\n\t\tif err := c.SFTPD.validate(); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tif c.SMTP != nil {\n\t\tif err := c.SMTP.validate(); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tif c.ACME != nil {\n\t\tif err := c.ACME.validate(); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tif c.Branding != nil {\n\t\tif err := c.Branding.validate(); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\treturn nil\n}\n\n// PrepareForRendering prepares configs for rendering.\n// It hides confidential data and set to nil the empty structs/secrets\n// so they are not serialized\nfunc (c *Configs) PrepareForRendering() {\n\tif c.SFTPD != nil && c.SFTPD.isEmpty() {\n\t\tc.SFTPD = nil\n\t}\n\tif c.SMTP != nil && c.SMTP.IsEmpty() {\n\t\tc.SMTP = nil\n\t}\n\tif c.ACME != nil && c.ACME.isEmpty() {\n\t\tc.ACME = nil\n\t}\n\tif c.Branding != nil && c.Branding.isEmpty() {\n\t\tc.Branding = nil\n\t}\n\tif c.SMTP != nil {\n\t\tc.SMTP.prepareForRendering()\n\t}\n}\n\n// SetNilsToEmpty sets nil fields to empty\nfunc (c *Configs) SetNilsToEmpty() {\n\tif c.SFTPD == nil {\n\t\tc.SFTPD = &SFTPDConfigs{}\n\t}\n\tif c.SMTP == nil {\n\t\tc.SMTP = &SMTPConfigs{}\n\t}\n\tif c.SMTP.Password == nil {\n\t\tc.SMTP.Password = kms.NewEmptySecret()\n\t}\n\tif c.SMTP.OAuth2.ClientSecret == nil {\n\t\tc.SMTP.OAuth2.ClientSecret = kms.NewEmptySecret()\n\t}\n\tif c.SMTP.OAuth2.RefreshToken == nil {\n\t\tc.SMTP.OAuth2.RefreshToken = kms.NewEmptySecret()\n\t}\n\tif c.ACME == nil {\n\t\tc.ACME = &ACMEConfigs{}\n\t}\n\tif c.Branding == nil {\n\t\tc.Branding = &BrandingConfigs{}\n\t}\n}\n\n// RenderAsJSON implements the renderer interface used within plugins\nfunc (c *Configs) RenderAsJSON(reload bool) ([]byte, error) {\n\tif reload {\n\t\tconfig, err := provider.getConfigs()\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelError, \"unable to reload config overrides before rendering as json: %v\", err)\n\t\t\treturn nil, err\n\t\t}\n\t\tconfig.PrepareForRendering()\n\t\treturn json.Marshal(config)\n\t}\n\tc.PrepareForRendering()\n\treturn json.Marshal(c)\n}\n\nfunc (c *Configs) getACopy() Configs {\n\tvar result Configs\n\tif c.SFTPD != nil {\n\t\tresult.SFTPD = c.SFTPD.getACopy()\n\t}\n\tif c.SMTP != nil {\n\t\tresult.SMTP = c.SMTP.getACopy()\n\t}\n\tif c.ACME != nil {\n\t\tresult.ACME = c.ACME.getACopy()\n\t}\n\tif c.Branding != nil {\n\t\tresult.Branding = c.Branding.getACopy()\n\t}\n\tresult.UpdatedAt = c.UpdatedAt\n\treturn result\n}\n" }, { "path": "internal/dataprovider/dataprovider.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n// Package dataprovider provides data access.\n// It abstracts different data providers using a common API.\npackage dataprovider\n\nimport (\n\t\"bufio\"\n\t\"bytes\"\n\t\"context\"\n\t\"crypto/md5\"\n\t\"crypto/rsa\"\n\t\"crypto/sha1\"\n\t\"crypto/sha256\"\n\t\"crypto/sha512\"\n\t\"crypto/subtle\"\n\t\"crypto/x509\"\n\t\"encoding/base64\"\n\t\"encoding/hex\"\n\t\"encoding/json\"\n\t\"encoding/pem\"\n\t\"errors\"\n\t\"fmt\"\n\t\"hash\"\n\t\"io\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"regexp\"\n\t\"runtime\"\n\t\"slices\"\n\t\"strconv\"\n\t\"strings\"\n\t\"sync\"\n\t\"sync/atomic\"\n\t\"time\"\n\n\t\"github.com/GehirnInc/crypt\"\n\t\"github.com/GehirnInc/crypt/apr1_crypt\"\n\t\"github.com/GehirnInc/crypt/md5_crypt\"\n\t\"github.com/GehirnInc/crypt/sha256_crypt\"\n\t\"github.com/GehirnInc/crypt/sha512_crypt\"\n\t\"github.com/alexedwards/argon2id\"\n\t\"github.com/go-chi/render\"\n\t\"github.com/rs/xid\"\n\t\"github.com/sftpgo/sdk\"\n\tpasswordvalidator \"github.com/wagslane/go-password-validator\"\n\t\"golang.org/x/crypto/bcrypt\"\n\t\"golang.org/x/crypto/pbkdf2\"\n\t\"golang.org/x/crypto/ssh\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/command\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpclient\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/mfa\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nconst (\n\t// SQLiteDataProviderName defines the name for SQLite database provider\n\tSQLiteDataProviderName = \"sqlite\"\n\t// PGSQLDataProviderName defines the name for PostgreSQL database provider\n\tPGSQLDataProviderName = \"postgresql\"\n\t// MySQLDataProviderName defines the name for MySQL database provider\n\tMySQLDataProviderName = \"mysql\"\n\t// BoltDataProviderName defines the name for bbolt key/value store provider\n\tBoltDataProviderName = \"bolt\"\n\t// MemoryDataProviderName defines the name for memory provider\n\tMemoryDataProviderName = \"memory\"\n\t// CockroachDataProviderName defines the for CockroachDB provider\n\tCockroachDataProviderName = \"cockroachdb\"\n\t// DumpVersion defines the version for the dump.\n\t// For restore/load we support the current version and the previous one\n\tDumpVersion = 17\n\n\targonPwdPrefix = \"$argon2id$\"\n\tbcryptPwdPrefix = \"$2a$\"\n\tpbkdf2SHA1Prefix = \"$pbkdf2-sha1$\"\n\tpbkdf2SHA256Prefix = \"$pbkdf2-sha256$\"\n\tpbkdf2SHA512Prefix = \"$pbkdf2-sha512$\"\n\tpbkdf2SHA256B64SaltPrefix = \"$pbkdf2-b64salt-sha256$\"\n\tmd5cryptPwdPrefix = \"$1$\"\n\tmd5cryptApr1PwdPrefix = \"$apr1$\"\n\tsha256cryptPwdPrefix = \"$5$\"\n\tsha512cryptPwdPrefix = \"$6$\"\n\tyescryptPwdPrefix = \"$y$\"\n\tmd5DigestPwdPrefix = \"{MD5}\"\n\tsha256DigestPwdPrefix = \"{SHA256}\"\n\tsha512DigestPwdPrefix = \"{SHA512}\"\n\ttrackQuotaDisabledError = \"please enable track_quota in your configuration to use this method\"\n\toperationAdd = \"add\"\n\toperationUpdate = \"update\"\n\toperationDelete = \"delete\"\n\tsqlPrefixValidChars = \"abcdefghijklmnopqrstuvwxyz_0123456789\"\n\tmaxHookResponseSize = 1048576 // 1MB\n)\n\n// Supported algorithms for hashing passwords.\n// These algorithms can be used when SFTPGo hashes a plain text password\nconst (\n\tHashingAlgoBcrypt = \"bcrypt\"\n\tHashingAlgoArgon2ID = \"argon2id\"\n)\n\n// ordering constants\nconst (\n\tOrderASC = \"ASC\"\n\tOrderDESC = \"DESC\"\n)\n\nconst (\n\tprotocolSSH = \"SSH\"\n\tprotocolFTP = \"FTP\"\n\tprotocolWebDAV = \"DAV\"\n\tprotocolHTTP = \"HTTP\"\n)\n\n// Dump scopes\nconst (\n\tDumpScopeUsers = \"users\"\n\tDumpScopeFolders = \"folders\"\n\tDumpScopeGroups = \"groups\"\n\tDumpScopeAdmins = \"admins\"\n\tDumpScopeAPIKeys = \"api_keys\"\n\tDumpScopeShares = \"shares\"\n\tDumpScopeActions = \"actions\"\n\tDumpScopeRules = \"rules\"\n\tDumpScopeRoles = \"roles\"\n\tDumpScopeIPLists = \"ip_lists\"\n\tDumpScopeConfigs = \"configs\"\n)\n\nconst (\n\tfieldUsername = 1\n\tfieldName = 2\n\tfieldIPNet = 3\n)\n\nvar (\n\t// SupportedProviders defines the supported data providers\n\tSupportedProviders = []string{SQLiteDataProviderName, PGSQLDataProviderName, MySQLDataProviderName,\n\t\tBoltDataProviderName, MemoryDataProviderName, CockroachDataProviderName}\n\t// ValidPerms defines all the valid permissions for a user\n\tValidPerms = []string{PermAny, PermListItems, PermDownload, PermUpload, PermOverwrite, PermCreateDirs, PermRename,\n\t\tPermRenameFiles, PermRenameDirs, PermDelete, PermDeleteFiles, PermDeleteDirs, PermCopy, PermCreateSymlinks,\n\t\tPermChmod, PermChown, PermChtimes}\n\t// ValidLoginMethods defines all the valid login methods\n\tValidLoginMethods = []string{SSHLoginMethodPublicKey, LoginMethodPassword, SSHLoginMethodPassword,\n\t\tSSHLoginMethodKeyboardInteractive, SSHLoginMethodKeyAndPassword, SSHLoginMethodKeyAndKeyboardInt,\n\t\tLoginMethodTLSCertificate, LoginMethodTLSCertificateAndPwd}\n\t// SSHMultiStepsLoginMethods defines the supported Multi-Step Authentications\n\tSSHMultiStepsLoginMethods = []string{SSHLoginMethodKeyAndPassword, SSHLoginMethodKeyAndKeyboardInt}\n\t// ErrNoAuthTried defines the error for connection closed before authentication\n\tErrNoAuthTried = errors.New(\"no auth tried\")\n\t// ErrNotImplemented defines the error for features not supported for a particular data provider\n\tErrNotImplemented = errors.New(\"feature not supported with the configured data provider\")\n\t// ValidProtocols defines all the valid protcols\n\tValidProtocols = []string{protocolSSH, protocolFTP, protocolWebDAV, protocolHTTP}\n\t// MFAProtocols defines the supported protocols for multi-factor authentication\n\tMFAProtocols = []string{protocolHTTP, protocolSSH, protocolFTP}\n\t// ErrNoInitRequired defines the error returned by InitProvider if no inizialization/update is required\n\tErrNoInitRequired = errors.New(\"the data provider is up to date\")\n\t// ErrInvalidCredentials defines the error to return if the supplied credentials are invalid\n\tErrInvalidCredentials = errors.New(\"invalid credentials\")\n\t// ErrLoginNotAllowedFromIP defines the error to return if login is denied from the current IP\n\tErrLoginNotAllowedFromIP = errors.New(\"login is not allowed from this IP\")\n\t// ErrDuplicatedKey occurs when there is a unique key constraint violation\n\tErrDuplicatedKey = errors.New(\"duplicated key not allowed\")\n\t// ErrForeignKeyViolated occurs when there is a foreign key constraint violation\n\tErrForeignKeyViolated = errors.New(\"violates foreign key constraint\")\n\terrInvalidInput = util.NewValidationError(\"Invalid input. Slashes (/ ), colons (:), control characters, and reserved system names are not allowed\")\n\ttz = \"\"\n\tisAdminCreated atomic.Bool\n\tvalidTLSUsernames = []string{string(sdk.TLSUsernameNone), string(sdk.TLSUsernameCN)}\n\tconfig Config\n\tprovider Provider\n\tsqlPlaceholders []string\n\tinternalHashPwdPrefixes = []string{argonPwdPrefix, bcryptPwdPrefix}\n\thashPwdPrefixes = []string{argonPwdPrefix, bcryptPwdPrefix, pbkdf2SHA1Prefix, pbkdf2SHA256Prefix,\n\t\tpbkdf2SHA512Prefix, pbkdf2SHA256B64SaltPrefix, md5cryptPwdPrefix, md5cryptApr1PwdPrefix, md5DigestPwdPrefix,\n\t\tsha256DigestPwdPrefix, sha512DigestPwdPrefix, sha256cryptPwdPrefix, sha512cryptPwdPrefix, yescryptPwdPrefix}\n\tpbkdfPwdPrefixes = []string{pbkdf2SHA1Prefix, pbkdf2SHA256Prefix, pbkdf2SHA512Prefix, pbkdf2SHA256B64SaltPrefix}\n\tpbkdfPwdB64SaltPrefixes = []string{pbkdf2SHA256B64SaltPrefix}\n\tunixPwdPrefixes = []string{md5cryptPwdPrefix, md5cryptApr1PwdPrefix, sha256cryptPwdPrefix, sha512cryptPwdPrefix,\n\t\tyescryptPwdPrefix}\n\tdigestPwdPrefixes = []string{md5DigestPwdPrefix, sha256DigestPwdPrefix, sha512DigestPwdPrefix}\n\tsharedProviders = []string{PGSQLDataProviderName, MySQLDataProviderName, CockroachDataProviderName}\n\tlogSender = \"dataprovider\"\n\tsqlTableUsers string\n\tsqlTableFolders string\n\tsqlTableUsersFoldersMapping string\n\tsqlTableAdmins string\n\tsqlTableAPIKeys string\n\tsqlTableShares string\n\tsqlTableSharesGroupsMapping string\n\tsqlTableDefenderHosts string\n\tsqlTableDefenderEvents string\n\tsqlTableActiveTransfers string\n\tsqlTableGroups string\n\tsqlTableUsersGroupsMapping string\n\tsqlTableAdminsGroupsMapping string\n\tsqlTableGroupsFoldersMapping string\n\tsqlTableSharedSessions string\n\tsqlTableEventsActions string\n\tsqlTableEventsRules string\n\tsqlTableRulesActionsMapping string\n\tsqlTableTasks string\n\tsqlTableNodes string\n\tsqlTableRoles string\n\tsqlTableIPLists string\n\tsqlTableConfigs string\n\tsqlTableSchemaVersion string\n\targon2Params *argon2id.Params\n\tlastLoginMinDelay = 10 * time.Minute\n\tusernameRegex = regexp.MustCompile(\"^[a-zA-Z0-9-_.~]+$\")\n\ttempPath string\n\tallowSelfConnections int\n\tfnReloadRules FnReloadRules\n\tfnRemoveRule FnRemoveRule\n\tfnHandleRuleForProviderEvent FnHandleRuleForProviderEvent\n)\n\nfunc initSQLTables() {\n\tsqlTableUsers = \"users\"\n\tsqlTableFolders = \"folders\"\n\tsqlTableUsersFoldersMapping = \"users_folders_mapping\"\n\tsqlTableAdmins = \"admins\"\n\tsqlTableAPIKeys = \"api_keys\"\n\tsqlTableShares = \"shares\"\n\tsqlTableSharesGroupsMapping = \"shares_groups_mapping\"\n\tsqlTableDefenderHosts = \"defender_hosts\"\n\tsqlTableDefenderEvents = \"defender_events\"\n\tsqlTableActiveTransfers = \"active_transfers\"\n\tsqlTableGroups = \"groups\"\n\tsqlTableUsersGroupsMapping = \"users_groups_mapping\"\n\tsqlTableGroupsFoldersMapping = \"groups_folders_mapping\"\n\tsqlTableAdminsGroupsMapping = \"admins_groups_mapping\"\n\tsqlTableSharedSessions = \"shared_sessions\"\n\tsqlTableEventsActions = \"events_actions\"\n\tsqlTableEventsRules = \"events_rules\"\n\tsqlTableRulesActionsMapping = \"rules_actions_mapping\"\n\tsqlTableTasks = \"tasks\"\n\tsqlTableNodes = \"nodes\"\n\tsqlTableRoles = \"roles\"\n\tsqlTableIPLists = \"ip_lists\"\n\tsqlTableConfigs = \"configurations\"\n\tsqlTableSchemaVersion = \"schema_version\"\n}\n\n// FnReloadRules defined the callback to reload event rules\ntype FnReloadRules func()\n\n// FnRemoveRule defines the callback to remove an event rule\ntype FnRemoveRule func(name string)\n\n// FnHandleRuleForProviderEvent define the callback to handle event rules for provider events\ntype FnHandleRuleForProviderEvent func(operation, executor, ip, objectType, objectName, role string, object plugin.Renderer)\n\n// SetEventRulesCallbacks sets the event rules callbacks\nfunc SetEventRulesCallbacks(reload FnReloadRules, remove FnRemoveRule, handle FnHandleRuleForProviderEvent) {\n\tfnReloadRules = reload\n\tfnRemoveRule = remove\n\tfnHandleRuleForProviderEvent = handle\n}\n\ntype schemaVersion struct {\n\tVersion int\n}\n\n// BcryptOptions defines the options for bcrypt password hashing\ntype BcryptOptions struct {\n\tCost int `json:\"cost\" mapstructure:\"cost\"`\n}\n\n// Argon2Options defines the options for argon2 password hashing\ntype Argon2Options struct {\n\tMemory uint32 `json:\"memory\" mapstructure:\"memory\"`\n\tIterations uint32 `json:\"iterations\" mapstructure:\"iterations\"`\n\tParallelism uint8 `json:\"parallelism\" mapstructure:\"parallelism\"`\n}\n\n// PasswordHashing defines the configuration for password hashing\ntype PasswordHashing struct {\n\tBcryptOptions BcryptOptions `json:\"bcrypt_options\" mapstructure:\"bcrypt_options\"`\n\tArgon2Options Argon2Options `json:\"argon2_options\" mapstructure:\"argon2_options\"`\n\t// Algorithm to use for hashing passwords. Available algorithms: argon2id, bcrypt. Default: bcrypt\n\tAlgo string `json:\"algo\" mapstructure:\"algo\"`\n}\n\n// PasswordValidationRules defines the password validation rules\ntype PasswordValidationRules struct {\n\t// MinEntropy defines the minimum password entropy.\n\t// 0 means disabled, any password will be accepted.\n\t// Take a look at the following link for more details\n\t// https://github.com/wagslane/go-password-validator#what-entropy-value-should-i-use\n\tMinEntropy float64 `json:\"min_entropy\" mapstructure:\"min_entropy\"`\n}\n\n// PasswordValidation defines the password validation rules for admins and protocol users\ntype PasswordValidation struct {\n\t// Password validation rules for SFTPGo admin users\n\tAdmins PasswordValidationRules `json:\"admins\" mapstructure:\"admins\"`\n\t// Password validation rules for SFTPGo protocol users\n\tUsers PasswordValidationRules `json:\"users\" mapstructure:\"users\"`\n}\n\ntype wrappedFolder struct {\n\tFolder vfs.BaseVirtualFolder\n}\n\nfunc (w *wrappedFolder) RenderAsJSON(reload bool) ([]byte, error) {\n\tif reload {\n\t\tfolder, err := provider.getFolderByName(w.Folder.Name)\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelError, \"unable to reload folder before rendering as json: %v\", err)\n\t\t\treturn nil, err\n\t\t}\n\t\tfolder.PrepareForRendering()\n\t\treturn json.Marshal(folder)\n\t}\n\tw.Folder.PrepareForRendering()\n\treturn json.Marshal(w.Folder)\n}\n\n// ObjectsActions defines the action to execute on user create, update, delete for the specified objects\ntype ObjectsActions struct {\n\t// Valid values are add, update, delete. Empty slice to disable\n\tExecuteOn []string `json:\"execute_on\" mapstructure:\"execute_on\"`\n\t// Valid values are user, admin, api_key\n\tExecuteFor []string `json:\"execute_for\" mapstructure:\"execute_for\"`\n\t// Absolute path to an external program or an HTTP URL\n\tHook string `json:\"hook\" mapstructure:\"hook\"`\n}\n\n// ProviderStatus defines the provider status\ntype ProviderStatus struct {\n\tDriver string `json:\"driver\"`\n\tIsActive bool `json:\"is_active\"`\n\tError string `json:\"error\"`\n}\n\n// Config defines the provider configuration\ntype Config struct {\n\t// Driver name, must be one of the SupportedProviders\n\tDriver string `json:\"driver\" mapstructure:\"driver\"`\n\t// Database name. For driver sqlite this can be the database name relative to the config dir\n\t// or the absolute path to the SQLite database.\n\tName string `json:\"name\" mapstructure:\"name\"`\n\t// Database host. For postgresql and cockroachdb driver you can specify multiple hosts separated by commas\n\tHost string `json:\"host\" mapstructure:\"host\"`\n\t// Database port\n\tPort int `json:\"port\" mapstructure:\"port\"`\n\t// Database username\n\tUsername string `json:\"username\" mapstructure:\"username\"`\n\t// Database password\n\tPassword string `json:\"password\" mapstructure:\"password\"`\n\t// Used for drivers mysql and postgresql.\n\t// 0 disable SSL/TLS connections.\n\t// 1 require ssl.\n\t// 2 set ssl mode to verify-ca for driver postgresql and skip-verify for driver mysql.\n\t// 3 set ssl mode to verify-full for driver postgresql and preferred for driver mysql.\n\tSSLMode int `json:\"sslmode\" mapstructure:\"sslmode\"`\n\t// Used for drivers mysql, postgresql and cockroachdb. Set to true to disable SNI\n\tDisableSNI bool `json:\"disable_sni\" mapstructure:\"disable_sni\"`\n\t// TargetSessionAttrs is a postgresql and cockroachdb specific option.\n\t// It determines whether the session must have certain properties to be acceptable.\n\t// It's typically used in combination with multiple host names to select the first\n\t// acceptable alternative among several hosts\n\tTargetSessionAttrs string `json:\"target_session_attrs\" mapstructure:\"target_session_attrs\"`\n\t// Path to the root certificate authority used to verify that the server certificate was signed by a trusted CA\n\tRootCert string `json:\"root_cert\" mapstructure:\"root_cert\"`\n\t// Path to the client certificate for two-way TLS authentication\n\tClientCert string `json:\"client_cert\" mapstructure:\"client_cert\"`\n\t// Path to the client key for two-way TLS authentication\n\tClientKey string `json:\"client_key\" mapstructure:\"client_key\"`\n\t// Custom database connection string.\n\t// If not empty this connection string will be used instead of build one using the previous parameters\n\tConnectionString string `json:\"connection_string\" mapstructure:\"connection_string\"`\n\t// prefix for SQL tables\n\tSQLTablesPrefix string `json:\"sql_tables_prefix\" mapstructure:\"sql_tables_prefix\"`\n\t// Set the preferred way to track users quota between the following choices:\n\t// 0, disable quota tracking. REST API to scan user dir and update quota will do nothing\n\t// 1, quota is updated each time a user upload or delete a file even if the user has no quota restrictions\n\t// 2, quota is updated each time a user upload or delete a file but only for users with quota restrictions\n\t// and for virtual folders.\n\t// With this configuration the \"quota scan\" REST API can still be used to periodically update space usage\n\t// for users without quota restrictions\n\tTrackQuota int `json:\"track_quota\" mapstructure:\"track_quota\"`\n\t// Sets the maximum number of open connections for mysql and postgresql driver.\n\t// Default 0 (unlimited)\n\tPoolSize int `json:\"pool_size\" mapstructure:\"pool_size\"`\n\t// Users default base directory.\n\t// If no home dir is defined while adding a new user, and this value is\n\t// a valid absolute path, then the user home dir will be automatically\n\t// defined as the path obtained joining the base dir and the username\n\tUsersBaseDir string `json:\"users_base_dir\" mapstructure:\"users_base_dir\"`\n\t// Actions to execute on objects add, update, delete.\n\t// The supported objects are user, admin, api_key.\n\t// Update action will not be fired for internal updates such as the last login or the user quota fields.\n\tActions ObjectsActions `json:\"actions\" mapstructure:\"actions\"`\n\t// Absolute path to an external program or an HTTP URL to invoke for users authentication.\n\t// Leave empty to use builtin authentication.\n\t// If the authentication succeed the user will be automatically added/updated inside the defined data provider.\n\t// Actions defined for user added/updated will not be executed in this case.\n\t// This method is slower than built-in authentication methods, but it's very flexible as anyone can\n\t// easily write his own authentication hooks.\n\tExternalAuthHook string `json:\"external_auth_hook\" mapstructure:\"external_auth_hook\"`\n\t// ExternalAuthScope defines the scope for the external authentication hook.\n\t// - 0 means all supported authentication scopes, the external hook will be executed for password,\n\t// public key, keyboard interactive authentication and TLS certificates\n\t// - 1 means passwords only\n\t// - 2 means public keys only\n\t// - 4 means keyboard interactive only\n\t// - 8 means TLS certificates only\n\t// you can combine the scopes, for example 3 means password and public key, 5 password and keyboard\n\t// interactive and so on\n\tExternalAuthScope int `json:\"external_auth_scope\" mapstructure:\"external_auth_scope\"`\n\t// Absolute path to an external program or an HTTP URL to invoke just before the user login.\n\t// This program/URL allows to modify or create the user trying to login.\n\t// It is useful if you have users with dynamic fields to update just before the login.\n\t// Please note that if you want to create a new user, the pre-login hook response must\n\t// include all the mandatory user fields.\n\t//\n\t// The pre-login hook must finish within 30 seconds.\n\t//\n\t// If an error happens while executing the \"PreLoginHook\" then login will be denied.\n\t// PreLoginHook and ExternalAuthHook are mutally exclusive.\n\t// Leave empty to disable.\n\tPreLoginHook string `json:\"pre_login_hook\" mapstructure:\"pre_login_hook\"`\n\t// Absolute path to an external program or an HTTP URL to invoke after the user login.\n\t// Based on the configured scope you can choose if notify failed or successful logins\n\t// or both\n\tPostLoginHook string `json:\"post_login_hook\" mapstructure:\"post_login_hook\"`\n\t// PostLoginScope defines the scope for the post-login hook.\n\t// - 0 means notify both failed and successful logins\n\t// - 1 means notify failed logins\n\t// - 2 means notify successful logins\n\tPostLoginScope int `json:\"post_login_scope\" mapstructure:\"post_login_scope\"`\n\t// Absolute path to an external program or an HTTP URL to invoke just before password\n\t// authentication. This hook allows you to externally check the provided password,\n\t// its main use case is to allow to easily support things like password+OTP for protocols\n\t// without keyboard interactive support such as FTP and WebDAV. You can ask your users\n\t// to login using a string consisting of a fixed password and a One Time Token, you\n\t// can verify the token inside the hook and ask to SFTPGo to verify the fixed part.\n\tCheckPasswordHook string `json:\"check_password_hook\" mapstructure:\"check_password_hook\"`\n\t// CheckPasswordScope defines the scope for the check password hook.\n\t// - 0 means all protocols\n\t// - 1 means SSH\n\t// - 2 means FTP\n\t// - 4 means WebDAV\n\t// you can combine the scopes, for example 6 means FTP and WebDAV\n\tCheckPasswordScope int `json:\"check_password_scope\" mapstructure:\"check_password_scope\"`\n\t// Defines how the database will be initialized/updated:\n\t// - 0 means automatically\n\t// - 1 means manually using the initprovider sub-command\n\tUpdateMode int `json:\"update_mode\" mapstructure:\"update_mode\"`\n\t// PasswordHashing defines the configuration for password hashing\n\tPasswordHashing PasswordHashing `json:\"password_hashing\" mapstructure:\"password_hashing\"`\n\t// PasswordValidation defines the password validation rules\n\tPasswordValidation PasswordValidation `json:\"password_validation\" mapstructure:\"password_validation\"`\n\t// Verifying argon2 passwords has a high memory and computational cost,\n\t// by enabling, in memory, password caching you reduce this cost.\n\tPasswordCaching bool `json:\"password_caching\" mapstructure:\"password_caching\"`\n\t// DelayedQuotaUpdate defines the number of seconds to accumulate quota updates.\n\t// If there are a lot of close uploads, accumulating quota updates can save you many\n\t// queries to the data provider.\n\t// If you want to track quotas, a scheduled quota update is recommended in any case, the stored\n\t// quota size may be incorrect for several reasons, such as an unexpected shutdown, temporary provider\n\t// failures, file copied outside of SFTPGo, and so on.\n\t// 0 means immediate quota update.\n\tDelayedQuotaUpdate int `json:\"delayed_quota_update\" mapstructure:\"delayed_quota_update\"`\n\t// If enabled, a default admin user with username \"admin\" and password \"password\" will be created\n\t// on first start.\n\t// You can also create the first admin user by using the web interface or by loading initial data.\n\tCreateDefaultAdmin bool `json:\"create_default_admin\" mapstructure:\"create_default_admin\"`\n\t// Rules for usernames and folder names:\n\t// - 0 means no rules\n\t// - 1 means you can use any UTF-8 character. The names are used in URIs for REST API and Web admin.\n\t// By default only unreserved URI characters are allowed: ALPHA / DIGIT / \"-\" / \".\" / \"_\" / \"~\".\n\t// - 2 means names are converted to lowercase before saving/matching and so case\n\t// insensitive matching is possible\n\t// - 4 means trimming trailing and leading white spaces before saving/matching\n\t// Rules can be combined, for example 3 means both converting to lowercase and allowing any UTF-8 character.\n\t// Enabling these options for existing installations could be backward incompatible, some users\n\t// could be unable to login, for example existing users with mixed cases in their usernames.\n\t// You have to ensure that all existing users respect the defined rules.\n\tNamingRules int `json:\"naming_rules\" mapstructure:\"naming_rules\"`\n\t// If the data provider is shared across multiple SFTPGo instances, set this parameter to 1.\n\t// MySQL, PostgreSQL and CockroachDB can be shared, this setting is ignored for other data\n\t// providers. For shared data providers, SFTPGo periodically reloads the latest updated users,\n\t// based on the \"updated_at\" field, and updates its internal caches if users are updated from\n\t// a different instance. This check, if enabled, is executed every 10 minutes.\n\t// For shared data providers, active transfers are persisted in the database and thus\n\t// quota checks between ongoing transfers will work cross multiple instances\n\tIsShared int `json:\"is_shared\" mapstructure:\"is_shared\"`\n\t// Node defines the configuration for this cluster node.\n\t// Ignored if the provider is not shared/shareable\n\tNode NodeConfig `json:\"node\" mapstructure:\"node\"`\n\t// Path to the backup directory. This can be an absolute path or a path relative to the config dir\n\tBackupsPath string `json:\"backups_path\" mapstructure:\"backups_path\"`\n}\n\n// GetShared returns the provider share mode.\n// This method is called before the provider is initialized\nfunc (c *Config) GetShared() int {\n\tif !slices.Contains(sharedProviders, c.Driver) {\n\t\treturn 0\n\t}\n\treturn c.IsShared\n}\n\nfunc (c *Config) convertName(name string) string {\n\tif c.NamingRules <= 1 {\n\t\treturn name\n\t}\n\tif c.NamingRules&2 != 0 {\n\t\tname = strings.ToLower(name)\n\t}\n\tif c.NamingRules&4 != 0 {\n\t\tname = strings.TrimSpace(name)\n\t}\n\n\treturn name\n}\n\n// IsDefenderSupported returns true if the configured provider supports the defender\nfunc (c *Config) IsDefenderSupported() bool {\n\tswitch c.Driver {\n\tcase MySQLDataProviderName, PGSQLDataProviderName, CockroachDataProviderName:\n\t\treturn true\n\tdefault:\n\t\treturn false\n\t}\n}\n\nfunc (c *Config) requireCustomTLSForMySQL() bool {\n\tif config.DisableSNI {\n\t\treturn config.SSLMode != 0\n\t}\n\tif config.RootCert != \"\" && util.IsFileInputValid(config.RootCert) {\n\t\treturn config.SSLMode != 0\n\t}\n\tif config.ClientCert != \"\" && config.ClientKey != \"\" && util.IsFileInputValid(config.ClientCert) &&\n\t\tutil.IsFileInputValid(config.ClientKey) {\n\t\treturn config.SSLMode != 0\n\t}\n\treturn false\n}\n\nfunc (c *Config) doBackup() (string, error) {\n\tnow := time.Now().UTC()\n\toutputFile := filepath.Join(c.BackupsPath, fmt.Sprintf(\"backup_%s_%d.json\", now.Weekday(), now.Hour()))\n\tproviderLog(logger.LevelDebug, \"starting backup to file %q\", outputFile)\n\terr := os.MkdirAll(filepath.Dir(outputFile), 0700)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to create backup dir %q: %v\", outputFile, err)\n\t\treturn outputFile, fmt.Errorf(\"unable to create backup dir: %w\", err)\n\t}\n\tbackup, err := DumpData(nil)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to execute backup: %v\", err)\n\t\treturn outputFile, fmt.Errorf(\"unable to dump backup data: %w\", err)\n\t}\n\tdump, err := json.Marshal(backup)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to marshal backup as JSON: %v\", err)\n\t\treturn outputFile, fmt.Errorf(\"unable to marshal backup data as JSON: %w\", err)\n\t}\n\terr = os.WriteFile(outputFile, dump, 0600)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to save backup: %v\", err)\n\t\treturn outputFile, fmt.Errorf(\"unable to save backup: %w\", err)\n\t}\n\tproviderLog(logger.LevelDebug, \"backup saved to %q\", outputFile)\n\treturn outputFile, nil\n}\n\n// SetTZ sets the configured timezone.\nfunc SetTZ(val string) {\n\ttz = val\n}\n\n// UseLocalTime returns true if local time should be used instead of UTC.\nfunc UseLocalTime() bool {\n\treturn tz == \"local\"\n}\n\n// ExecuteBackup executes a backup\nfunc ExecuteBackup() (string, error) {\n\treturn config.doBackup()\n}\n\n// ConvertName converts the given name based on the configured rules\nfunc ConvertName(name string) string {\n\treturn config.convertName(name)\n}\n\n// ActiveTransfer defines an active protocol transfer\ntype ActiveTransfer struct {\n\tID int64\n\tType int\n\tConnID string\n\tUsername string\n\tFolderName string\n\tIP string\n\tTruncatedSize int64\n\tCurrentULSize int64\n\tCurrentDLSize int64\n\tCreatedAt int64\n\tUpdatedAt int64\n}\n\n// TransferQuota stores the allowed transfer quota fields\ntype TransferQuota struct {\n\tULSize int64\n\tDLSize int64\n\tTotalSize int64\n\tAllowedULSize int64\n\tAllowedDLSize int64\n\tAllowedTotalSize int64\n}\n\n// HasSizeLimits returns true if any size limit is set\nfunc (q *TransferQuota) HasSizeLimits() bool {\n\treturn q.AllowedDLSize > 0 || q.AllowedULSize > 0 || q.AllowedTotalSize > 0\n}\n\n// HasUploadSpace returns true if there is transfer upload space available\nfunc (q *TransferQuota) HasUploadSpace() bool {\n\tif q.TotalSize <= 0 && q.ULSize <= 0 {\n\t\treturn true\n\t}\n\tif q.TotalSize > 0 {\n\t\treturn q.AllowedTotalSize > 0\n\t}\n\treturn q.AllowedULSize > 0\n}\n\n// HasDownloadSpace returns true if there is transfer download space available\nfunc (q *TransferQuota) HasDownloadSpace() bool {\n\tif q.TotalSize <= 0 && q.DLSize <= 0 {\n\t\treturn true\n\t}\n\tif q.TotalSize > 0 {\n\t\treturn q.AllowedTotalSize > 0\n\t}\n\treturn q.AllowedDLSize > 0\n}\n\n// DefenderEntry defines a defender entry\ntype DefenderEntry struct {\n\tID int64 `json:\"-\"`\n\tIP string `json:\"ip\"`\n\tScore int `json:\"score,omitempty\"`\n\tBanTime time.Time `json:\"ban_time,omitempty\"`\n}\n\n// GetID returns an unique ID for a defender entry\nfunc (d *DefenderEntry) GetID() string {\n\treturn hex.EncodeToString([]byte(d.IP))\n}\n\n// GetBanTime returns the ban time for a defender entry as string\nfunc (d *DefenderEntry) GetBanTime() string {\n\tif d.BanTime.IsZero() {\n\t\treturn \"\"\n\t}\n\treturn d.BanTime.UTC().Format(time.RFC3339)\n}\n\n// MarshalJSON returns the JSON encoding of a DefenderEntry.\nfunc (d *DefenderEntry) MarshalJSON() ([]byte, error) {\n\treturn json.Marshal(&struct {\n\t\tID string `json:\"id\"`\n\t\tIP string `json:\"ip\"`\n\t\tScore int `json:\"score,omitempty\"`\n\t\tBanTime string `json:\"ban_time,omitempty\"`\n\t}{\n\t\tID: d.GetID(),\n\t\tIP: d.IP,\n\t\tScore: d.Score,\n\t\tBanTime: d.GetBanTime(),\n\t})\n}\n\n// BackupData defines the structure for the backup/restore files\ntype BackupData struct {\n\tUsers []User `json:\"users\"`\n\tGroups []Group `json:\"groups\"`\n\tFolders []vfs.BaseVirtualFolder `json:\"folders\"`\n\tAdmins []Admin `json:\"admins\"`\n\tAPIKeys []APIKey `json:\"api_keys\"`\n\tShares []Share `json:\"shares\"`\n\tEventActions []BaseEventAction `json:\"event_actions\"`\n\tEventRules []EventRule `json:\"event_rules\"`\n\tRoles []Role `json:\"roles\"`\n\tIPLists []IPListEntry `json:\"ip_lists\"`\n\tConfigs *Configs `json:\"configs\"`\n\tVersion int `json:\"version\"`\n}\n\n// HasFolder returns true if the folder with the given name is included\nfunc (d *BackupData) HasFolder(name string) bool {\n\tfor _, folder := range d.Folders {\n\t\tif folder.Name == name {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\ntype checkPasswordRequest struct {\n\tUsername string `json:\"username\"`\n\tIP string `json:\"ip\"`\n\tPassword string `json:\"password\"`\n\tProtocol string `json:\"protocol\"`\n}\n\ntype checkPasswordResponse struct {\n\t// 0 KO, 1 OK, 2 partial success, -1 not executed\n\tStatus int `json:\"status\"`\n\t// for status = 2 this is the password to check against the one stored\n\t// inside the SFTPGo data provider\n\tToVerify string `json:\"to_verify\"`\n}\n\n// GetQuotaTracking returns the configured mode for user's quota tracking\nfunc GetQuotaTracking() int {\n\treturn config.TrackQuota\n}\n\n// HasUsersBaseDir returns true if users base dir is set\nfunc HasUsersBaseDir() bool {\n\treturn config.UsersBaseDir != \"\"\n}\n\n// Provider defines the interface that data providers must implement.\ntype Provider interface {\n\tvalidateUserAndPass(username, password, ip, protocol string) (User, error)\n\tvalidateUserAndPubKey(username string, pubKey []byte, isSSHCert bool) (User, string, error)\n\tvalidateUserAndTLSCert(username, protocol string, tlsCert *x509.Certificate) (User, error)\n\tupdateQuota(username string, filesAdd int, sizeAdd int64, reset bool) error\n\tupdateTransferQuota(username string, uploadSize, downloadSize int64, reset bool) error\n\tgetUsedQuota(username string) (int, int64, int64, int64, error)\n\tuserExists(username, role string) (User, error)\n\taddUser(user *User) error\n\tupdateUser(user *User) error\n\tdeleteUser(user User, softDelete bool) error\n\tupdateUserPassword(username, password string) error // used internally when converting passwords from other hash\n\tgetUsers(limit int, offset int, order, role string) ([]User, error)\n\tdumpUsers() ([]User, error)\n\tgetRecentlyUpdatedUsers(after int64) ([]User, error)\n\tgetUsersForQuotaCheck(toFetch map[string]bool) ([]User, error)\n\tupdateLastLogin(username string) error\n\tupdateAdminLastLogin(username string) error\n\tsetUpdatedAt(username string)\n\tgetAdminSignature(username string) (string, error)\n\tgetUserSignature(username string) (string, error)\n\tgetFolders(limit, offset int, order string, minimal bool) ([]vfs.BaseVirtualFolder, error)\n\tgetFolderByName(name string) (vfs.BaseVirtualFolder, error)\n\taddFolder(folder *vfs.BaseVirtualFolder) error\n\tupdateFolder(folder *vfs.BaseVirtualFolder) error\n\tdeleteFolder(folder vfs.BaseVirtualFolder) error\n\tupdateFolderQuota(name string, filesAdd int, sizeAdd int64, reset bool) error\n\tgetUsedFolderQuota(name string) (int, int64, error)\n\tdumpFolders() ([]vfs.BaseVirtualFolder, error)\n\tgetGroups(limit, offset int, order string, minimal bool) ([]Group, error)\n\tgetGroupsWithNames(names []string) ([]Group, error)\n\tgetUsersInGroups(names []string) ([]string, error)\n\tgroupExists(name string) (Group, error)\n\taddGroup(group *Group) error\n\tupdateGroup(group *Group) error\n\tdeleteGroup(group Group) error\n\tdumpGroups() ([]Group, error)\n\tadminExists(username string) (Admin, error)\n\taddAdmin(admin *Admin) error\n\tupdateAdmin(admin *Admin) error\n\tdeleteAdmin(admin Admin) error\n\tgetAdmins(limit int, offset int, order string) ([]Admin, error)\n\tdumpAdmins() ([]Admin, error)\n\tvalidateAdminAndPass(username, password, ip string) (Admin, error)\n\tapiKeyExists(keyID string) (APIKey, error)\n\taddAPIKey(apiKey *APIKey) error\n\tupdateAPIKey(apiKey *APIKey) error\n\tdeleteAPIKey(apiKey APIKey) error\n\tgetAPIKeys(limit int, offset int, order string) ([]APIKey, error)\n\tdumpAPIKeys() ([]APIKey, error)\n\tupdateAPIKeyLastUse(keyID string) error\n\tshareExists(shareID, username string) (Share, error)\n\taddShare(share *Share) error\n\tupdateShare(share *Share) error\n\tdeleteShare(share Share) error\n\tgetShares(limit int, offset int, order, username string) ([]Share, error)\n\tdumpShares() ([]Share, error)\n\tupdateShareLastUse(shareID string, numTokens int) error\n\tgetDefenderHosts(from int64, limit int) ([]DefenderEntry, error)\n\tgetDefenderHostByIP(ip string, from int64) (DefenderEntry, error)\n\tisDefenderHostBanned(ip string) (DefenderEntry, error)\n\tupdateDefenderBanTime(ip string, minutes int) error\n\tdeleteDefenderHost(ip string) error\n\taddDefenderEvent(ip string, score int) error\n\tsetDefenderBanTime(ip string, banTime int64) error\n\tcleanupDefender(from int64) error\n\taddActiveTransfer(transfer ActiveTransfer) error\n\tupdateActiveTransferSizes(ulSize, dlSize, transferID int64, connectionID string) error\n\tremoveActiveTransfer(transferID int64, connectionID string) error\n\tcleanupActiveTransfers(before time.Time) error\n\tgetActiveTransfers(from time.Time) ([]ActiveTransfer, error)\n\taddSharedSession(session Session) error\n\tdeleteSharedSession(key string, sessionType SessionType) error\n\tgetSharedSession(key string, sessionType SessionType) (Session, error)\n\tcleanupSharedSessions(sessionType SessionType, before int64) error\n\tgetEventActions(limit, offset int, order string, minimal bool) ([]BaseEventAction, error)\n\tdumpEventActions() ([]BaseEventAction, error)\n\teventActionExists(name string) (BaseEventAction, error)\n\taddEventAction(action *BaseEventAction) error\n\tupdateEventAction(action *BaseEventAction) error\n\tdeleteEventAction(action BaseEventAction) error\n\tgetEventRules(limit, offset int, order string) ([]EventRule, error)\n\tdumpEventRules() ([]EventRule, error)\n\tgetRecentlyUpdatedRules(after int64) ([]EventRule, error)\n\teventRuleExists(name string) (EventRule, error)\n\taddEventRule(rule *EventRule) error\n\tupdateEventRule(rule *EventRule) error\n\tdeleteEventRule(rule EventRule, softDelete bool) error\n\tgetTaskByName(name string) (Task, error)\n\taddTask(name string) error\n\tupdateTask(name string, version int64) error\n\tupdateTaskTimestamp(name string) error\n\tsetFirstDownloadTimestamp(username string) error\n\tsetFirstUploadTimestamp(username string) error\n\taddNode() error\n\tgetNodeByName(name string) (Node, error)\n\tgetNodes() ([]Node, error)\n\tupdateNodeTimestamp() error\n\tcleanupNodes() error\n\troleExists(name string) (Role, error)\n\taddRole(role *Role) error\n\tupdateRole(role *Role) error\n\tdeleteRole(role Role) error\n\tgetRoles(limit int, offset int, order string, minimal bool) ([]Role, error)\n\tdumpRoles() ([]Role, error)\n\tipListEntryExists(ipOrNet string, listType IPListType) (IPListEntry, error)\n\taddIPListEntry(entry *IPListEntry) error\n\tupdateIPListEntry(entry *IPListEntry) error\n\tdeleteIPListEntry(entry IPListEntry, softDelete bool) error\n\tgetIPListEntries(listType IPListType, filter, from, order string, limit int) ([]IPListEntry, error)\n\tgetRecentlyUpdatedIPListEntries(after int64) ([]IPListEntry, error)\n\tdumpIPListEntries() ([]IPListEntry, error)\n\tcountIPListEntries(listType IPListType) (int64, error)\n\tgetListEntriesForIP(ip string, listType IPListType) ([]IPListEntry, error)\n\tgetConfigs() (Configs, error)\n\tsetConfigs(configs *Configs) error\n\tcheckAvailability() error\n\tclose() error\n\treloadConfig() error\n\tinitializeDatabase() error\n\tmigrateDatabase() error\n\trevertDatabase(targetVersion int) error\n\tresetDatabase() error\n}\n\n// SetAllowSelfConnections sets the desired behaviour for self connections\nfunc SetAllowSelfConnections(value int) {\n\tallowSelfConnections = value\n}\n\n// SetTempPath sets the path for temporary files\nfunc SetTempPath(fsPath string) {\n\ttempPath = fsPath\n}\n\nfunc checkSharedMode() {\n\tif !slices.Contains(sharedProviders, config.Driver) {\n\t\tconfig.IsShared = 0\n\t}\n}\n\n// Initialize the data provider.\n// An error is returned if the configured driver is invalid or if the data provider cannot be initialized\nfunc Initialize(cnf Config, basePath string, checkAdmins bool) error {\n\tconfig = cnf\n\tcheckSharedMode()\n\tconfig.Actions.ExecuteOn = util.RemoveDuplicates(config.Actions.ExecuteOn, true)\n\tconfig.Actions.ExecuteFor = util.RemoveDuplicates(config.Actions.ExecuteFor, true)\n\n\tcnf.BackupsPath = getConfigPath(cnf.BackupsPath, basePath)\n\tif cnf.BackupsPath == \"\" {\n\t\treturn fmt.Errorf(\"required directory is invalid, backup path %q\", cnf.BackupsPath)\n\t}\n\tabsoluteBackupPath, err := util.GetAbsolutePath(cnf.BackupsPath)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to get absolute backup path: %w\", err)\n\t}\n\tconfig.BackupsPath = absoluteBackupPath\n\n\tif err := initializeHashingAlgo(&cnf); err != nil {\n\t\treturn err\n\t}\n\tif err := validateHooks(); err != nil {\n\t\treturn err\n\t}\n\tif err := createProvider(basePath); err != nil {\n\t\treturn err\n\t}\n\tif err := checkDatabase(checkAdmins); err != nil {\n\t\treturn err\n\t}\n\tadmins, err := provider.getAdmins(1, 0, OrderASC)\n\tif err != nil {\n\t\treturn err\n\t}\n\tisAdminCreated.Store(len(admins) > 0)\n\tif err := config.Node.validate(); err != nil {\n\t\treturn err\n\t}\n\tdelayedQuotaUpdater.start()\n\tif currentNode != nil {\n\t\tconfig.BackupsPath = filepath.Join(config.BackupsPath, currentNode.Name)\n\t}\n\tproviderLog(logger.LevelDebug, \"absolute backup path %q\", config.BackupsPath)\n\treturn startScheduler()\n}\n\nfunc checkDatabase(checkAdmins bool) error {\n\tif config.UpdateMode == 0 {\n\t\terr := provider.initializeDatabase()\n\t\tif err != nil && err != ErrNoInitRequired {\n\t\t\tlogger.WarnToConsole(\"unable to initialize data provider: %v\", err)\n\t\t\tproviderLog(logger.LevelError, \"unable to initialize data provider: %v\", err)\n\t\t\treturn err\n\t\t}\n\t\tif err == nil {\n\t\t\tlogger.DebugToConsole(\"data provider successfully initialized\")\n\t\t\tproviderLog(logger.LevelInfo, \"data provider successfully initialized\")\n\t\t}\n\t\terr = provider.migrateDatabase()\n\t\tif err != nil && err != ErrNoInitRequired {\n\t\t\tproviderLog(logger.LevelError, \"database migration error: %v\", err)\n\t\t\treturn err\n\t\t}\n\t\tif checkAdmins && config.CreateDefaultAdmin {\n\t\t\terr = checkDefaultAdmin()\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelError, \"erro checking the default admin: %v\", err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t} else {\n\t\tproviderLog(logger.LevelInfo, \"database initialization/migration skipped, manual mode is configured\")\n\t}\n\treturn nil\n}\n\nfunc validateHooks() error {\n\tvar hooks []string\n\tif config.PreLoginHook != \"\" && !strings.HasPrefix(config.PreLoginHook, \"http\") {\n\t\thooks = append(hooks, config.PreLoginHook)\n\t}\n\tif config.ExternalAuthHook != \"\" && !strings.HasPrefix(config.ExternalAuthHook, \"http\") {\n\t\thooks = append(hooks, config.ExternalAuthHook)\n\t}\n\tif config.PostLoginHook != \"\" && !strings.HasPrefix(config.PostLoginHook, \"http\") {\n\t\thooks = append(hooks, config.PostLoginHook)\n\t}\n\tif config.CheckPasswordHook != \"\" && !strings.HasPrefix(config.CheckPasswordHook, \"http\") {\n\t\thooks = append(hooks, config.CheckPasswordHook)\n\t}\n\n\tfor _, hook := range hooks {\n\t\tif !filepath.IsAbs(hook) {\n\t\t\treturn fmt.Errorf(\"invalid hook: %q must be an absolute path\", hook)\n\t\t}\n\t\t_, err := os.Stat(hook)\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelError, \"invalid hook: %v\", err)\n\t\t\treturn err\n\t\t}\n\t}\n\n\treturn nil\n}\n\n// GetBackupsPath returns the normalized backups path\nfunc GetBackupsPath() string {\n\treturn config.BackupsPath\n}\n\n// GetProviderFromValue returns the FilesystemProvider matching the specified value.\n// If no match is found LocalFilesystemProvider is returned.\nfunc GetProviderFromValue(value string) sdk.FilesystemProvider {\n\tval, err := strconv.Atoi(value)\n\tif err != nil {\n\t\treturn sdk.LocalFilesystemProvider\n\t}\n\tresult := sdk.FilesystemProvider(val)\n\tif sdk.IsProviderSupported(result) {\n\t\treturn result\n\t}\n\treturn sdk.LocalFilesystemProvider\n}\n\nfunc initializeHashingAlgo(cnf *Config) error {\n\tparallelism := cnf.PasswordHashing.Argon2Options.Parallelism\n\tif parallelism == 0 {\n\t\tparallelism = uint8(runtime.NumCPU())\n\t}\n\targon2Params = &argon2id.Params{\n\t\tMemory: cnf.PasswordHashing.Argon2Options.Memory,\n\t\tIterations: cnf.PasswordHashing.Argon2Options.Iterations,\n\t\tParallelism: parallelism,\n\t\tSaltLength: 16,\n\t\tKeyLength: 32,\n\t}\n\n\tif config.PasswordHashing.Algo == HashingAlgoBcrypt {\n\t\tif config.PasswordHashing.BcryptOptions.Cost > bcrypt.MaxCost {\n\t\t\terr := fmt.Errorf(\"invalid bcrypt cost %v, max allowed %v\", config.PasswordHashing.BcryptOptions.Cost, bcrypt.MaxCost)\n\t\t\tlogger.WarnToConsole(\"Unable to initialize data provider: %v\", err)\n\t\t\tproviderLog(logger.LevelError, \"Unable to initialize data provider: %v\", err)\n\t\t\treturn err\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc validateSQLTablesPrefix() error {\n\tinitSQLTables()\n\tif config.SQLTablesPrefix != \"\" {\n\t\tfor _, char := range config.SQLTablesPrefix {\n\t\t\tif !strings.Contains(sqlPrefixValidChars, strings.ToLower(string(char))) {\n\t\t\t\treturn errors.New(\"invalid sql_tables_prefix only chars in range 'a..z', 'A..Z', '0-9' and '_' are allowed\")\n\t\t\t}\n\t\t}\n\t\tsqlTableUsers = config.SQLTablesPrefix + sqlTableUsers\n\t\tsqlTableFolders = config.SQLTablesPrefix + sqlTableFolders\n\t\tsqlTableUsersFoldersMapping = config.SQLTablesPrefix + sqlTableUsersFoldersMapping\n\t\tsqlTableAdmins = config.SQLTablesPrefix + sqlTableAdmins\n\t\tsqlTableAPIKeys = config.SQLTablesPrefix + sqlTableAPIKeys\n\t\tsqlTableShares = config.SQLTablesPrefix + sqlTableShares\n\t\tsqlTableSharesGroupsMapping = config.SQLTablesPrefix + sqlTableSharesGroupsMapping\n\t\tsqlTableDefenderEvents = config.SQLTablesPrefix + sqlTableDefenderEvents\n\t\tsqlTableDefenderHosts = config.SQLTablesPrefix + sqlTableDefenderHosts\n\t\tsqlTableActiveTransfers = config.SQLTablesPrefix + sqlTableActiveTransfers\n\t\tsqlTableGroups = config.SQLTablesPrefix + sqlTableGroups\n\t\tsqlTableUsersGroupsMapping = config.SQLTablesPrefix + sqlTableUsersGroupsMapping\n\t\tsqlTableAdminsGroupsMapping = config.SQLTablesPrefix + sqlTableAdminsGroupsMapping\n\t\tsqlTableGroupsFoldersMapping = config.SQLTablesPrefix + sqlTableGroupsFoldersMapping\n\t\tsqlTableSharedSessions = config.SQLTablesPrefix + sqlTableSharedSessions\n\t\tsqlTableEventsActions = config.SQLTablesPrefix + sqlTableEventsActions\n\t\tsqlTableEventsRules = config.SQLTablesPrefix + sqlTableEventsRules\n\t\tsqlTableRulesActionsMapping = config.SQLTablesPrefix + sqlTableRulesActionsMapping\n\t\tsqlTableTasks = config.SQLTablesPrefix + sqlTableTasks\n\t\tsqlTableNodes = config.SQLTablesPrefix + sqlTableNodes\n\t\tsqlTableRoles = config.SQLTablesPrefix + sqlTableRoles\n\t\tsqlTableIPLists = config.SQLTablesPrefix + sqlTableIPLists\n\t\tsqlTableConfigs = config.SQLTablesPrefix + sqlTableConfigs\n\t\tsqlTableSchemaVersion = config.SQLTablesPrefix + sqlTableSchemaVersion\n\t\tproviderLog(logger.LevelDebug, \"sql table for users %q, folders %q users folders mapping %q admins %q \"+\n\t\t\t\"api keys %q shares %q defender hosts %q defender events %q transfers %q groups %q \"+\n\t\t\t\"users groups mapping %q admins groups mapping %q groups folders mapping %q shared sessions %q \"+\n\t\t\t\"schema version %q events actions %q events rules %q rules actions mapping %q tasks %q nodes %q roles %q\"+\n\t\t\t\"ip lists %q share groups mapping %q configs %q\",\n\t\t\tsqlTableUsers, sqlTableFolders, sqlTableUsersFoldersMapping, sqlTableAdmins, sqlTableAPIKeys,\n\t\t\tsqlTableShares, sqlTableDefenderHosts, sqlTableDefenderEvents, sqlTableActiveTransfers, sqlTableGroups,\n\t\t\tsqlTableUsersGroupsMapping, sqlTableAdminsGroupsMapping, sqlTableGroupsFoldersMapping, sqlTableSharedSessions,\n\t\t\tsqlTableSchemaVersion, sqlTableEventsActions, sqlTableEventsRules, sqlTableRulesActionsMapping,\n\t\t\tsqlTableTasks, sqlTableNodes, sqlTableRoles, sqlTableIPLists, sqlTableSharesGroupsMapping, sqlTableConfigs)\n\t}\n\treturn nil\n}\n\nfunc checkDefaultAdmin() error {\n\tadmins, err := provider.getAdmins(1, 0, OrderASC)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif len(admins) > 0 {\n\t\treturn nil\n\t}\n\tlogger.Debug(logSender, \"\", \"no admins found, try to create the default one\")\n\t// we need to create the default admin\n\tadmin := &Admin{}\n\tif err := admin.setFromEnv(); err != nil {\n\t\treturn err\n\t}\n\treturn provider.addAdmin(admin)\n}\n\n// InitializeDatabase creates the initial database structure\nfunc InitializeDatabase(cnf Config, basePath string) error {\n\tconfig = cnf\n\n\tif err := initializeHashingAlgo(&cnf); err != nil {\n\t\treturn err\n\t}\n\n\terr := createProvider(basePath)\n\tif err != nil {\n\t\treturn err\n\t}\n\terr = provider.initializeDatabase()\n\tif err != nil && err != ErrNoInitRequired {\n\t\treturn err\n\t}\n\treturn provider.migrateDatabase()\n}\n\n// RevertDatabase restores schema and/or data to a previous version\nfunc RevertDatabase(cnf Config, basePath string, targetVersion int) error {\n\tconfig = cnf\n\n\terr := createProvider(basePath)\n\tif err != nil {\n\t\treturn err\n\t}\n\terr = provider.initializeDatabase()\n\tif err != nil && err != ErrNoInitRequired {\n\t\treturn err\n\t}\n\treturn provider.revertDatabase(targetVersion)\n}\n\n// ResetDatabase restores schema and/or data to a previous version\nfunc ResetDatabase(cnf Config, basePath string) error {\n\tconfig = cnf\n\n\tif err := createProvider(basePath); err != nil {\n\t\treturn err\n\t}\n\treturn provider.resetDatabase()\n}\n\n// CheckAdminAndPass validates the given admin and password connecting from ip\nfunc CheckAdminAndPass(username, password, ip string) (Admin, error) {\n\tusername = config.convertName(username)\n\treturn provider.validateAdminAndPass(username, password, ip)\n}\n\n// CheckCachedUserCredentials checks the credentials for a cached user\nfunc CheckCachedUserCredentials(user *CachedUser, password, ip, loginMethod, protocol string, tlsCert *x509.Certificate) (*CachedUser, *User, error) {\n\tif !user.User.skipExternalAuth() && isExternalAuthConfigured(loginMethod) {\n\t\tu, _, err := CheckCompositeCredentials(user.User.Username, password, ip, loginMethod, protocol, tlsCert)\n\t\tif err != nil {\n\t\t\treturn nil, nil, err\n\t\t}\n\t\twebDAVUsersCache.swap(&u, password)\n\t\tcu, _ := webDAVUsersCache.get(u.Username)\n\t\treturn cu, &u, nil\n\t}\n\tif err := user.User.CheckLoginConditions(); err != nil {\n\t\treturn user, nil, err\n\t}\n\tif loginMethod == LoginMethodPassword && user.User.Filters.IsAnonymous {\n\t\treturn user, nil, nil\n\t}\n\tif loginMethod != LoginMethodPassword {\n\t\t_, err := checkUserAndTLSCertificate(&user.User, protocol, tlsCert)\n\t\tif err != nil {\n\t\t\treturn user, nil, err\n\t\t}\n\t\tif loginMethod == LoginMethodTLSCertificate {\n\t\t\tif !user.User.IsLoginMethodAllowed(LoginMethodTLSCertificate, protocol) {\n\t\t\t\treturn user, nil, fmt.Errorf(\"certificate login method is not allowed for user %q\", user.User.Username)\n\t\t\t}\n\t\t\treturn user, nil, nil\n\t\t}\n\t}\n\tif password == \"\" {\n\t\treturn user, nil, ErrInvalidCredentials\n\t}\n\tif user.Password != \"\" {\n\t\tif password == user.Password {\n\t\t\treturn user, nil, nil\n\t\t}\n\t} else {\n\t\tif ok, _ := isPasswordOK(&user.User, password); ok {\n\t\t\treturn user, nil, nil\n\t\t}\n\t}\n\treturn user, nil, ErrInvalidCredentials\n}\n\n// CheckCompositeCredentials checks multiple credentials.\n// WebDAV users can send both a password and a TLS certificate within the same request\nfunc CheckCompositeCredentials(username, password, ip, loginMethod, protocol string, tlsCert *x509.Certificate) (User, string, error) {\n\tusername = config.convertName(username)\n\tif loginMethod == LoginMethodPassword {\n\t\tuser, err := CheckUserAndPass(username, password, ip, protocol)\n\t\treturn user, loginMethod, err\n\t}\n\tuser, err := CheckUserBeforeTLSAuth(username, ip, protocol, tlsCert)\n\tif err != nil {\n\t\treturn user, loginMethod, err\n\t}\n\tif !user.IsTLSVerificationEnabled() {\n\t\t// for backward compatibility with 2.0.x we only check the password and change the login method here\n\t\t// in future updates we have to return an error\n\t\tuser, err := CheckUserAndPass(username, password, ip, protocol)\n\t\treturn user, LoginMethodPassword, err\n\t}\n\tuser, err = checkUserAndTLSCertificate(&user, protocol, tlsCert)\n\tif err != nil {\n\t\treturn user, loginMethod, err\n\t}\n\tif loginMethod == LoginMethodTLSCertificate && !user.IsLoginMethodAllowed(LoginMethodTLSCertificate, protocol) {\n\t\treturn user, loginMethod, fmt.Errorf(\"certificate login method is not allowed for user %q\", user.Username)\n\t}\n\tif loginMethod == LoginMethodTLSCertificateAndPwd {\n\t\tif plugin.Handler.HasAuthScope(plugin.AuthScopePassword) {\n\t\t\tuser, err = doPluginAuth(username, password, nil, ip, protocol, nil, plugin.AuthScopePassword)\n\t\t} else if config.ExternalAuthHook != \"\" && (config.ExternalAuthScope == 0 || config.ExternalAuthScope&1 != 0) {\n\t\t\tuser, err = doExternalAuth(username, password, nil, \"\", ip, protocol, nil)\n\t\t} else if config.PreLoginHook != \"\" {\n\t\t\tuser, err = executePreLoginHook(username, LoginMethodPassword, ip, protocol, nil)\n\t\t}\n\t\tif err != nil {\n\t\t\treturn user, loginMethod, err\n\t\t}\n\t\tuser, err = checkUserAndPass(&user, password, ip, protocol)\n\t}\n\treturn user, loginMethod, err\n}\n\n// CheckUserBeforeTLSAuth checks if a user exits before trying mutual TLS\nfunc CheckUserBeforeTLSAuth(username, ip, protocol string, tlsCert *x509.Certificate) (User, error) {\n\tusername = config.convertName(username)\n\tif plugin.Handler.HasAuthScope(plugin.AuthScopeTLSCertificate) {\n\t\tuser, err := doPluginAuth(username, \"\", nil, ip, protocol, tlsCert, plugin.AuthScopeTLSCertificate)\n\t\tif err != nil {\n\t\t\treturn user, err\n\t\t}\n\t\terr = user.LoadAndApplyGroupSettings()\n\t\treturn user, err\n\t}\n\tif config.ExternalAuthHook != \"\" && (config.ExternalAuthScope == 0 || config.ExternalAuthScope&8 != 0) {\n\t\tuser, err := doExternalAuth(username, \"\", nil, \"\", ip, protocol, tlsCert)\n\t\tif err != nil {\n\t\t\treturn user, err\n\t\t}\n\t\terr = user.LoadAndApplyGroupSettings()\n\t\treturn user, err\n\t}\n\tif config.PreLoginHook != \"\" {\n\t\tuser, err := executePreLoginHook(username, LoginMethodTLSCertificate, ip, protocol, nil)\n\t\tif err != nil {\n\t\t\treturn user, err\n\t\t}\n\t\terr = user.LoadAndApplyGroupSettings()\n\t\treturn user, err\n\t}\n\tuser, err := UserExists(username, \"\")\n\tif err != nil {\n\t\treturn user, err\n\t}\n\terr = user.LoadAndApplyGroupSettings()\n\treturn user, err\n}\n\n// CheckUserAndTLSCert returns the SFTPGo user with the given username and check if the\n// given TLS certificate allow authentication without password\nfunc CheckUserAndTLSCert(username, ip, protocol string, tlsCert *x509.Certificate) (User, error) {\n\tusername = config.convertName(username)\n\tif plugin.Handler.HasAuthScope(plugin.AuthScopeTLSCertificate) {\n\t\tuser, err := doPluginAuth(username, \"\", nil, ip, protocol, tlsCert, plugin.AuthScopeTLSCertificate)\n\t\tif err != nil {\n\t\t\treturn user, err\n\t\t}\n\t\treturn checkUserAndTLSCertificate(&user, protocol, tlsCert)\n\t}\n\tif config.ExternalAuthHook != \"\" && (config.ExternalAuthScope == 0 || config.ExternalAuthScope&8 != 0) {\n\t\tuser, err := doExternalAuth(username, \"\", nil, \"\", ip, protocol, tlsCert)\n\t\tif err != nil {\n\t\t\treturn user, err\n\t\t}\n\t\treturn checkUserAndTLSCertificate(&user, protocol, tlsCert)\n\t}\n\tif config.PreLoginHook != \"\" {\n\t\tuser, err := executePreLoginHook(username, LoginMethodTLSCertificate, ip, protocol, nil)\n\t\tif err != nil {\n\t\t\treturn user, err\n\t\t}\n\t\treturn checkUserAndTLSCertificate(&user, protocol, tlsCert)\n\t}\n\treturn provider.validateUserAndTLSCert(username, protocol, tlsCert)\n}\n\n// CheckUserAndPass retrieves the SFTPGo user with the given username and password if a match is found or an error\nfunc CheckUserAndPass(username, password, ip, protocol string) (User, error) {\n\tusername = config.convertName(username)\n\tif plugin.Handler.HasAuthScope(plugin.AuthScopePassword) {\n\t\tuser, err := doPluginAuth(username, password, nil, ip, protocol, nil, plugin.AuthScopePassword)\n\t\tif err != nil {\n\t\t\treturn user, err\n\t\t}\n\t\treturn checkUserAndPass(&user, password, ip, protocol)\n\t}\n\tif config.ExternalAuthHook != \"\" && (config.ExternalAuthScope == 0 || config.ExternalAuthScope&1 != 0) {\n\t\tuser, err := doExternalAuth(username, password, nil, \"\", ip, protocol, nil)\n\t\tif err != nil {\n\t\t\treturn user, err\n\t\t}\n\t\treturn checkUserAndPass(&user, password, ip, protocol)\n\t}\n\tif config.PreLoginHook != \"\" {\n\t\tuser, err := executePreLoginHook(username, LoginMethodPassword, ip, protocol, nil)\n\t\tif err != nil {\n\t\t\treturn user, err\n\t\t}\n\t\treturn checkUserAndPass(&user, password, ip, protocol)\n\t}\n\treturn provider.validateUserAndPass(username, password, ip, protocol)\n}\n\n// CheckUserAndPubKey retrieves the SFTP user with the given username and public key if a match is found or an error\nfunc CheckUserAndPubKey(username string, pubKey []byte, ip, protocol string, isSSHCert bool) (User, string, error) {\n\tusername = config.convertName(username)\n\tif plugin.Handler.HasAuthScope(plugin.AuthScopePublicKey) {\n\t\tuser, err := doPluginAuth(username, \"\", pubKey, ip, protocol, nil, plugin.AuthScopePublicKey)\n\t\tif err != nil {\n\t\t\treturn user, \"\", err\n\t\t}\n\t\treturn checkUserAndPubKey(&user, pubKey, isSSHCert)\n\t}\n\tif config.ExternalAuthHook != \"\" && (config.ExternalAuthScope == 0 || config.ExternalAuthScope&2 != 0) {\n\t\tuser, err := doExternalAuth(username, \"\", pubKey, \"\", ip, protocol, nil)\n\t\tif err != nil {\n\t\t\treturn user, \"\", err\n\t\t}\n\t\treturn checkUserAndPubKey(&user, pubKey, isSSHCert)\n\t}\n\tif config.PreLoginHook != \"\" {\n\t\tuser, err := executePreLoginHook(username, SSHLoginMethodPublicKey, ip, protocol, nil)\n\t\tif err != nil {\n\t\t\treturn user, \"\", err\n\t\t}\n\t\treturn checkUserAndPubKey(&user, pubKey, isSSHCert)\n\t}\n\treturn provider.validateUserAndPubKey(username, pubKey, isSSHCert)\n}\n\n// CheckKeyboardInteractiveAuth checks the keyboard interactive authentication and returns\n// the authenticated user or an error\nfunc CheckKeyboardInteractiveAuth(username, authHook string, client ssh.KeyboardInteractiveChallenge,\n\tip, protocol string, isPartialAuth bool,\n) (User, error) {\n\tvar user User\n\tvar err error\n\tusername = config.convertName(username)\n\tif plugin.Handler.HasAuthScope(plugin.AuthScopeKeyboardInteractive) {\n\t\tuser, err = doPluginAuth(username, \"\", nil, ip, protocol, nil, plugin.AuthScopeKeyboardInteractive)\n\t} else if config.ExternalAuthHook != \"\" && (config.ExternalAuthScope == 0 || config.ExternalAuthScope&4 != 0) {\n\t\tuser, err = doExternalAuth(username, \"\", nil, \"1\", ip, protocol, nil)\n\t} else if config.PreLoginHook != \"\" {\n\t\tuser, err = executePreLoginHook(username, SSHLoginMethodKeyboardInteractive, ip, protocol, nil)\n\t} else {\n\t\tuser, err = provider.userExists(username, \"\")\n\t}\n\tif err != nil {\n\t\treturn user, err\n\t}\n\treturn doKeyboardInteractiveAuth(&user, authHook, client, ip, protocol, isPartialAuth)\n}\n\n// GetFTPPreAuthUser returns the SFTPGo user with the specified username\n// after receiving the FTP \"USER\" command.\n// If a pre-login hook is defined it will be executed so the SFTPGo user\n// can be created if it does not exist\nfunc GetFTPPreAuthUser(username, ip string) (User, error) {\n\tvar user User\n\tvar err error\n\tif config.PreLoginHook != \"\" {\n\t\tuser, err = executePreLoginHook(username, \"\", ip, protocolFTP, nil)\n\t} else {\n\t\tuser, err = UserExists(username, \"\")\n\t}\n\tif err != nil {\n\t\treturn user, err\n\t}\n\terr = user.LoadAndApplyGroupSettings()\n\treturn user, err\n}\n\n// GetUserAfterIDPAuth returns the SFTPGo user with the specified username\n// after a successful authentication with an external identity provider.\n// If a pre-login hook is defined it will be executed so the SFTPGo user\n// can be created if it does not exist\nfunc GetUserAfterIDPAuth(username, ip, protocol string, oidcTokenFields *map[string]any) (User, error) {\n\tvar user User\n\tvar err error\n\tif config.PreLoginHook != \"\" {\n\t\tuser, err = executePreLoginHook(username, LoginMethodIDP, ip, protocol, oidcTokenFields)\n\t\tuser.Filters.RequirePasswordChange = false\n\t} else {\n\t\tuser, err = UserExists(username, \"\")\n\t}\n\tif err != nil {\n\t\treturn user, err\n\t}\n\terr = user.LoadAndApplyGroupSettings()\n\treturn user, err\n}\n\n// GetDefenderHosts returns hosts that are banned or for which some violations have been detected\nfunc GetDefenderHosts(from int64, limit int) ([]DefenderEntry, error) {\n\treturn provider.getDefenderHosts(from, limit)\n}\n\n// GetDefenderHostByIP returns a defender host by ip, if any\nfunc GetDefenderHostByIP(ip string, from int64) (DefenderEntry, error) {\n\treturn provider.getDefenderHostByIP(ip, from)\n}\n\n// IsDefenderHostBanned returns a defender entry and no error if the specified host is banned\nfunc IsDefenderHostBanned(ip string) (DefenderEntry, error) {\n\treturn provider.isDefenderHostBanned(ip)\n}\n\n// UpdateDefenderBanTime increments ban time for the specified ip\nfunc UpdateDefenderBanTime(ip string, minutes int) error {\n\treturn provider.updateDefenderBanTime(ip, minutes)\n}\n\n// DeleteDefenderHost removes the specified IP from the defender lists\nfunc DeleteDefenderHost(ip string) error {\n\treturn provider.deleteDefenderHost(ip)\n}\n\n// AddDefenderEvent adds an event for the given IP with the given score\n// and returns the host with the updated score\nfunc AddDefenderEvent(ip string, score int, from int64) (DefenderEntry, error) {\n\tif err := provider.addDefenderEvent(ip, score); err != nil {\n\t\treturn DefenderEntry{}, err\n\t}\n\treturn provider.getDefenderHostByIP(ip, from)\n}\n\n// SetDefenderBanTime sets the ban time for the specified IP\nfunc SetDefenderBanTime(ip string, banTime int64) error {\n\treturn provider.setDefenderBanTime(ip, banTime)\n}\n\n// CleanupDefender removes events and hosts older than \"from\" from the data provider\nfunc CleanupDefender(from int64) error {\n\treturn provider.cleanupDefender(from)\n}\n\n// UpdateShareLastUse updates the LastUseAt and UsedTokens for the given share\nfunc UpdateShareLastUse(share *Share, numTokens int) error {\n\treturn provider.updateShareLastUse(share.ShareID, numTokens)\n}\n\n// UpdateAPIKeyLastUse updates the LastUseAt field for the given API key\nfunc UpdateAPIKeyLastUse(apiKey *APIKey) error {\n\tlastUse := util.GetTimeFromMsecSinceEpoch(apiKey.LastUseAt)\n\tdiff := -time.Until(lastUse)\n\tif diff < 0 || diff > lastLoginMinDelay {\n\t\treturn provider.updateAPIKeyLastUse(apiKey.KeyID)\n\t}\n\treturn nil\n}\n\n// UpdateLastLogin updates the last login field for the given SFTPGo user\nfunc UpdateLastLogin(user *User) {\n\tdelay := lastLoginMinDelay\n\tif user.Filters.ExternalAuthCacheTime > 0 {\n\t\tdelay = time.Duration(user.Filters.ExternalAuthCacheTime) * time.Second\n\t}\n\tif user.LastLogin <= user.UpdatedAt || !isLastActivityRecent(user.LastLogin, delay) {\n\t\terr := provider.updateLastLogin(user.Username)\n\t\tif err == nil {\n\t\t\twebDAVUsersCache.updateLastLogin(user.Username)\n\t\t}\n\t}\n}\n\n// UpdateAdminLastLogin updates the last login field for the given SFTPGo admin\nfunc UpdateAdminLastLogin(admin *Admin) {\n\tif !isLastActivityRecent(admin.LastLogin, lastLoginMinDelay) {\n\t\tprovider.updateAdminLastLogin(admin.Username) //nolint:errcheck\n\t}\n}\n\n// UpdateUserQuota updates the quota for the given SFTPGo user adding filesAdd and sizeAdd.\n// If reset is true filesAdd and sizeAdd indicates the total files and the total size instead of the difference.\nfunc UpdateUserQuota(user *User, filesAdd int, sizeAdd int64, reset bool) error {\n\tif config.TrackQuota == 0 {\n\t\treturn util.NewMethodDisabledError(trackQuotaDisabledError)\n\t} else if config.TrackQuota == 2 && !reset && !user.HasQuotaRestrictions() {\n\t\treturn nil\n\t}\n\tif filesAdd == 0 && sizeAdd == 0 && !reset {\n\t\treturn nil\n\t}\n\tif config.DelayedQuotaUpdate == 0 || reset {\n\t\tif reset {\n\t\t\tdelayedQuotaUpdater.resetUserQuota(user.Username)\n\t\t}\n\t\treturn provider.updateQuota(user.Username, filesAdd, sizeAdd, reset)\n\t}\n\tdelayedQuotaUpdater.updateUserQuota(user.Username, filesAdd, sizeAdd)\n\treturn nil\n}\n\n// UpdateUserFolderQuota updates the quota for the given user and virtual folder.\nfunc UpdateUserFolderQuota(folder *vfs.VirtualFolder, user *User, filesAdd int, sizeAdd int64, reset bool) {\n\tif folder.IsIncludedInUserQuota() {\n\t\tUpdateUserQuota(user, filesAdd, sizeAdd, reset) //nolint:errcheck\n\t\treturn\n\t}\n\tUpdateVirtualFolderQuota(&folder.BaseVirtualFolder, filesAdd, sizeAdd, reset) //nolint:errcheck\n}\n\n// UpdateVirtualFolderQuota updates the quota for the given virtual folder adding filesAdd and sizeAdd.\n// If reset is true filesAdd and sizeAdd indicates the total files and the total size instead of the difference.\nfunc UpdateVirtualFolderQuota(vfolder *vfs.BaseVirtualFolder, filesAdd int, sizeAdd int64, reset bool) error {\n\tif config.TrackQuota == 0 {\n\t\treturn util.NewMethodDisabledError(trackQuotaDisabledError)\n\t}\n\tif filesAdd == 0 && sizeAdd == 0 && !reset {\n\t\treturn nil\n\t}\n\tif config.DelayedQuotaUpdate == 0 || reset {\n\t\tif reset {\n\t\t\tdelayedQuotaUpdater.resetFolderQuota(vfolder.Name)\n\t\t}\n\t\treturn provider.updateFolderQuota(vfolder.Name, filesAdd, sizeAdd, reset)\n\t}\n\tdelayedQuotaUpdater.updateFolderQuota(vfolder.Name, filesAdd, sizeAdd)\n\treturn nil\n}\n\n// UpdateUserTransferQuota updates the transfer quota for the given SFTPGo user.\n// If reset is true uploadSize and downloadSize indicates the actual sizes instead of the difference.\nfunc UpdateUserTransferQuota(user *User, uploadSize, downloadSize int64, reset bool) error {\n\tif config.TrackQuota == 0 {\n\t\treturn util.NewMethodDisabledError(trackQuotaDisabledError)\n\t} else if config.TrackQuota == 2 && !reset && !user.HasTransferQuotaRestrictions() {\n\t\treturn nil\n\t}\n\tif downloadSize == 0 && uploadSize == 0 && !reset {\n\t\treturn nil\n\t}\n\tif config.DelayedQuotaUpdate == 0 || reset {\n\t\tif reset {\n\t\t\tdelayedQuotaUpdater.resetUserTransferQuota(user.Username)\n\t\t}\n\t\treturn provider.updateTransferQuota(user.Username, uploadSize, downloadSize, reset)\n\t}\n\tdelayedQuotaUpdater.updateUserTransferQuota(user.Username, uploadSize, downloadSize)\n\treturn nil\n}\n\n// UpdateUserTransferTimestamps updates the first download/upload fields if unset\nfunc UpdateUserTransferTimestamps(username string, isUpload bool) error {\n\tif isUpload {\n\t\terr := provider.setFirstUploadTimestamp(username)\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelWarn, \"unable to set first upload: %v\", err)\n\t\t}\n\t\treturn err\n\t}\n\terr := provider.setFirstDownloadTimestamp(username)\n\tif err != nil {\n\t\tproviderLog(logger.LevelWarn, \"unable to set first download: %v\", err)\n\t}\n\treturn err\n}\n\n// GetUsedQuota returns the used quota for the given SFTPGo user.\nfunc GetUsedQuota(username string) (int, int64, int64, int64, error) {\n\tif config.TrackQuota == 0 {\n\t\treturn 0, 0, 0, 0, util.NewMethodDisabledError(trackQuotaDisabledError)\n\t}\n\tfiles, size, ulTransferSize, dlTransferSize, err := provider.getUsedQuota(username)\n\tif err != nil {\n\t\treturn files, size, ulTransferSize, dlTransferSize, err\n\t}\n\tdelayedFiles, delayedSize := delayedQuotaUpdater.getUserPendingQuota(username)\n\tdelayedUlTransferSize, delayedDLTransferSize := delayedQuotaUpdater.getUserPendingTransferQuota(username)\n\n\treturn files + delayedFiles, size + delayedSize, ulTransferSize + delayedUlTransferSize,\n\t\tdlTransferSize + delayedDLTransferSize, err\n}\n\n// GetUsedVirtualFolderQuota returns the used quota for the given virtual folder.\nfunc GetUsedVirtualFolderQuota(name string) (int, int64, error) {\n\tif config.TrackQuota == 0 {\n\t\treturn 0, 0, util.NewMethodDisabledError(trackQuotaDisabledError)\n\t}\n\tfiles, size, err := provider.getUsedFolderQuota(name)\n\tif err != nil {\n\t\treturn files, size, err\n\t}\n\tdelayedFiles, delayedSize := delayedQuotaUpdater.getFolderPendingQuota(name)\n\treturn files + delayedFiles, size + delayedSize, err\n}\n\n// GetConfigs returns the configurations\nfunc GetConfigs() (Configs, error) {\n\treturn provider.getConfigs()\n}\n\n// UpdateConfigs updates configurations\nfunc UpdateConfigs(configs *Configs, executor, ipAddress, role string) error {\n\tif configs == nil {\n\t\tconfigs = &Configs{}\n\t} else {\n\t\tconfigs.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t}\n\terr := provider.setConfigs(configs)\n\tif err == nil {\n\t\texecuteAction(operationUpdate, executor, ipAddress, actionObjectConfigs, \"configs\", role, configs)\n\t}\n\treturn err\n}\n\n// AddShare adds a new share\nfunc AddShare(share *Share, executor, ipAddress, role string) error {\n\terr := provider.addShare(share)\n\tif err == nil {\n\t\texecuteAction(operationAdd, executor, ipAddress, actionObjectShare, share.ShareID, role, share)\n\t}\n\treturn err\n}\n\n// UpdateShare updates an existing share\nfunc UpdateShare(share *Share, executor, ipAddress, role string) error {\n\terr := provider.updateShare(share)\n\tif err == nil {\n\t\texecuteAction(operationUpdate, executor, ipAddress, actionObjectShare, share.ShareID, role, share)\n\t}\n\treturn err\n}\n\n// DeleteShare deletes an existing share\nfunc DeleteShare(shareID string, executor, ipAddress, role string) error {\n\tshare, err := provider.shareExists(shareID, executor)\n\tif err != nil {\n\t\treturn err\n\t}\n\terr = provider.deleteShare(share)\n\tif err == nil {\n\t\texecuteAction(operationDelete, executor, ipAddress, actionObjectShare, shareID, role, &share)\n\t}\n\treturn err\n}\n\n// ShareExists returns the share with the given ID if it exists\nfunc ShareExists(shareID, username string) (Share, error) {\n\tif shareID == \"\" {\n\t\treturn Share{}, util.NewRecordNotFoundError(fmt.Sprintf(\"Share %q does not exist\", shareID))\n\t}\n\treturn provider.shareExists(shareID, username)\n}\n\n// AddIPListEntry adds a new IP list entry\nfunc AddIPListEntry(entry *IPListEntry, executor, ipAddress, executorRole string) error {\n\terr := provider.addIPListEntry(entry)\n\tif err == nil {\n\t\texecuteAction(operationAdd, executor, ipAddress, actionObjectIPListEntry, entry.getName(), executorRole, entry)\n\t\tfor _, l := range inMemoryLists {\n\t\t\tl.addEntry(entry)\n\t\t}\n\t}\n\treturn err\n}\n\n// UpdateIPListEntry updates an existing IP list entry\nfunc UpdateIPListEntry(entry *IPListEntry, executor, ipAddress, executorRole string) error {\n\terr := provider.updateIPListEntry(entry)\n\tif err == nil {\n\t\texecuteAction(operationUpdate, executor, ipAddress, actionObjectIPListEntry, entry.getName(), executorRole, entry)\n\t\tfor _, l := range inMemoryLists {\n\t\t\tl.updateEntry(entry)\n\t\t}\n\t}\n\treturn err\n}\n\n// DeleteIPListEntry deletes an existing IP list entry\nfunc DeleteIPListEntry(ipOrNet string, listType IPListType, executor, ipAddress, executorRole string) error {\n\tentry, err := provider.ipListEntryExists(ipOrNet, listType)\n\tif err != nil {\n\t\treturn err\n\t}\n\terr = provider.deleteIPListEntry(entry, config.IsShared == 1)\n\tif err == nil {\n\t\texecuteAction(operationDelete, executor, ipAddress, actionObjectIPListEntry, entry.getName(), executorRole, &entry)\n\t\tfor _, l := range inMemoryLists {\n\t\t\tl.removeEntry(&entry)\n\t\t}\n\t}\n\treturn err\n}\n\n// IPListEntryExists returns the IP list entry with the given IP/net and type if it exists\nfunc IPListEntryExists(ipOrNet string, listType IPListType) (IPListEntry, error) {\n\treturn provider.ipListEntryExists(ipOrNet, listType)\n}\n\n// GetIPListEntries returns the IP list entries applying the specified criteria and search limit\nfunc GetIPListEntries(listType IPListType, filter, from, order string, limit int) ([]IPListEntry, error) {\n\tif !slices.Contains(supportedIPListType, listType) {\n\t\treturn nil, util.NewValidationError(fmt.Sprintf(\"invalid list type %d\", listType))\n\t}\n\treturn provider.getIPListEntries(listType, filter, from, order, limit)\n}\n\n// AddRole adds a new role\nfunc AddRole(role *Role, executor, ipAddress, executorRole string) error {\n\trole.Name = config.convertName(role.Name)\n\terr := provider.addRole(role)\n\tif err == nil {\n\t\texecuteAction(operationAdd, executor, ipAddress, actionObjectRole, role.Name, executorRole, role)\n\t}\n\treturn err\n}\n\n// UpdateRole updates an existing Role\nfunc UpdateRole(role *Role, executor, ipAddress, executorRole string) error {\n\terr := provider.updateRole(role)\n\tif err == nil {\n\t\texecuteAction(operationUpdate, executor, ipAddress, actionObjectRole, role.Name, executorRole, role)\n\t}\n\treturn err\n}\n\n// DeleteRole deletes an existing Role\nfunc DeleteRole(name string, executor, ipAddress, executorRole string) error {\n\tname = config.convertName(name)\n\trole, err := provider.roleExists(name)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif len(role.Admins) > 0 {\n\t\terrorString := fmt.Sprintf(\"the role %q is referenced, it cannot be removed\", role.Name)\n\t\treturn util.NewValidationError(errorString)\n\t}\n\terr = provider.deleteRole(role)\n\tif err == nil {\n\t\texecuteAction(operationDelete, executor, ipAddress, actionObjectRole, role.Name, executorRole, &role)\n\t\tfor _, user := range role.Users {\n\t\t\tprovider.setUpdatedAt(user)\n\t\t\tu, err := provider.userExists(user, \"\")\n\t\t\tif err == nil {\n\t\t\t\twebDAVUsersCache.swap(&u, \"\")\n\t\t\t\texecuteAction(operationUpdate, executor, ipAddress, actionObjectUser, u.Username, u.Role, &u)\n\t\t\t}\n\t\t}\n\t}\n\treturn err\n}\n\n// RoleExists returns the Role with the given name if it exists\nfunc RoleExists(name string) (Role, error) {\n\tname = config.convertName(name)\n\treturn provider.roleExists(name)\n}\n\n// AddGroup adds a new group\nfunc AddGroup(group *Group, executor, ipAddress, role string) error {\n\tgroup.Name = config.convertName(group.Name)\n\terr := provider.addGroup(group)\n\tif err == nil {\n\t\texecuteAction(operationAdd, executor, ipAddress, actionObjectGroup, group.Name, role, group)\n\t}\n\treturn err\n}\n\n// UpdateGroup updates an existing Group\nfunc UpdateGroup(group *Group, users []string, executor, ipAddress, role string) error {\n\terr := provider.updateGroup(group)\n\tif err == nil {\n\t\tfor _, user := range users {\n\t\t\tprovider.setUpdatedAt(user)\n\t\t\tu, err := provider.userExists(user, \"\")\n\t\t\tif err == nil {\n\t\t\t\twebDAVUsersCache.swap(&u, \"\")\n\t\t\t} else {\n\t\t\t\tRemoveCachedWebDAVUser(user)\n\t\t\t}\n\t\t}\n\t\texecuteAction(operationUpdate, executor, ipAddress, actionObjectGroup, group.Name, role, group)\n\t}\n\treturn err\n}\n\n// DeleteGroup deletes an existing Group\nfunc DeleteGroup(name string, executor, ipAddress, role string) error {\n\tname = config.convertName(name)\n\tgroup, err := provider.groupExists(name)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif len(group.Users) > 0 {\n\t\terrorString := fmt.Sprintf(\"the group %q is referenced, it cannot be removed\", group.Name)\n\t\treturn util.NewValidationError(errorString)\n\t}\n\terr = provider.deleteGroup(group)\n\tif err == nil {\n\t\tfor _, user := range group.Users {\n\t\t\tprovider.setUpdatedAt(user)\n\t\t\tu, err := provider.userExists(user, \"\")\n\t\t\tif err == nil {\n\t\t\t\texecuteAction(operationUpdate, executor, ipAddress, actionObjectUser, u.Username, u.Role, &u)\n\t\t\t}\n\t\t\tRemoveCachedWebDAVUser(user)\n\t\t}\n\t\texecuteAction(operationDelete, executor, ipAddress, actionObjectGroup, group.Name, role, &group)\n\t}\n\treturn err\n}\n\n// GroupExists returns the Group with the given name if it exists\nfunc GroupExists(name string) (Group, error) {\n\tname = config.convertName(name)\n\treturn provider.groupExists(name)\n}\n\n// AddAPIKey adds a new API key\nfunc AddAPIKey(apiKey *APIKey, executor, ipAddress, role string) error {\n\terr := provider.addAPIKey(apiKey)\n\tif err == nil {\n\t\texecuteAction(operationAdd, executor, ipAddress, actionObjectAPIKey, apiKey.KeyID, role, apiKey)\n\t}\n\treturn err\n}\n\n// UpdateAPIKey updates an existing API key\nfunc UpdateAPIKey(apiKey *APIKey, executor, ipAddress, role string) error {\n\terr := provider.updateAPIKey(apiKey)\n\tif err == nil {\n\t\texecuteAction(operationUpdate, executor, ipAddress, actionObjectAPIKey, apiKey.KeyID, role, apiKey)\n\t}\n\treturn err\n}\n\n// DeleteAPIKey deletes an existing API key\nfunc DeleteAPIKey(keyID string, executor, ipAddress, role string) error {\n\tapiKey, err := provider.apiKeyExists(keyID)\n\tif err != nil {\n\t\treturn err\n\t}\n\terr = provider.deleteAPIKey(apiKey)\n\tif err == nil {\n\t\texecuteAction(operationDelete, executor, ipAddress, actionObjectAPIKey, apiKey.KeyID, role, &apiKey)\n\t\tcachedAPIKeys.Remove(keyID)\n\t}\n\treturn err\n}\n\n// APIKeyExists returns the API key with the given ID if it exists\nfunc APIKeyExists(keyID string) (APIKey, error) {\n\tif keyID == \"\" {\n\t\treturn APIKey{}, util.NewRecordNotFoundError(fmt.Sprintf(\"API key %q does not exist\", keyID))\n\t}\n\treturn provider.apiKeyExists(keyID)\n}\n\n// GetEventActions returns an array of event actions respecting limit and offset\nfunc GetEventActions(limit, offset int, order string, minimal bool) ([]BaseEventAction, error) {\n\treturn provider.getEventActions(limit, offset, order, minimal)\n}\n\n// EventActionExists returns the event action with the given name if it exists\nfunc EventActionExists(name string) (BaseEventAction, error) {\n\tname = config.convertName(name)\n\treturn provider.eventActionExists(name)\n}\n\n// AddEventAction adds a new event action\nfunc AddEventAction(action *BaseEventAction, executor, ipAddress, role string) error {\n\taction.Name = config.convertName(action.Name)\n\terr := provider.addEventAction(action)\n\tif err == nil {\n\t\texecuteAction(operationAdd, executor, ipAddress, actionObjectEventAction, action.Name, role, action)\n\t}\n\treturn err\n}\n\n// UpdateEventAction updates an existing event action\nfunc UpdateEventAction(action *BaseEventAction, executor, ipAddress, role string) error {\n\terr := provider.updateEventAction(action)\n\tif err == nil {\n\t\tif fnReloadRules != nil {\n\t\t\tfnReloadRules()\n\t\t}\n\t\texecuteAction(operationUpdate, executor, ipAddress, actionObjectEventAction, action.Name, role, action)\n\t}\n\treturn err\n}\n\n// DeleteEventAction deletes an existing event action\nfunc DeleteEventAction(name string, executor, ipAddress, role string) error {\n\tname = config.convertName(name)\n\taction, err := provider.eventActionExists(name)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif len(action.Rules) > 0 {\n\t\terrorString := fmt.Sprintf(\"the event action %#q is referenced, it cannot be removed\", action.Name)\n\t\treturn util.NewValidationError(errorString)\n\t}\n\terr = provider.deleteEventAction(action)\n\tif err == nil {\n\t\texecuteAction(operationDelete, executor, ipAddress, actionObjectEventAction, action.Name, role, &action)\n\t}\n\treturn err\n}\n\n// GetEventRules returns an array of event rules respecting limit and offset\nfunc GetEventRules(limit, offset int, order string) ([]EventRule, error) {\n\treturn provider.getEventRules(limit, offset, order)\n}\n\n// GetRecentlyUpdatedRules returns the event rules updated after the specified time\nfunc GetRecentlyUpdatedRules(after int64) ([]EventRule, error) {\n\treturn provider.getRecentlyUpdatedRules(after)\n}\n\n// EventRuleExists returns the event rule with the given name if it exists\nfunc EventRuleExists(name string) (EventRule, error) {\n\tname = config.convertName(name)\n\treturn provider.eventRuleExists(name)\n}\n\n// AddEventRule adds a new event rule\nfunc AddEventRule(rule *EventRule, executor, ipAddress, role string) error {\n\trule.Name = config.convertName(rule.Name)\n\terr := provider.addEventRule(rule)\n\tif err == nil {\n\t\tif fnReloadRules != nil {\n\t\t\tfnReloadRules()\n\t\t}\n\t\texecuteAction(operationAdd, executor, ipAddress, actionObjectEventRule, rule.Name, role, rule)\n\t}\n\treturn err\n}\n\n// UpdateEventRule updates an existing event rule\nfunc UpdateEventRule(rule *EventRule, executor, ipAddress, role string) error {\n\terr := provider.updateEventRule(rule)\n\tif err == nil {\n\t\tif fnReloadRules != nil {\n\t\t\tfnReloadRules()\n\t\t}\n\t\texecuteAction(operationUpdate, executor, ipAddress, actionObjectEventRule, rule.Name, role, rule)\n\t}\n\treturn err\n}\n\n// DeleteEventRule deletes an existing event rule\nfunc DeleteEventRule(name string, executor, ipAddress, role string) error {\n\tname = config.convertName(name)\n\trule, err := provider.eventRuleExists(name)\n\tif err != nil {\n\t\treturn err\n\t}\n\terr = provider.deleteEventRule(rule, config.IsShared == 1)\n\tif err == nil {\n\t\tif fnRemoveRule != nil {\n\t\t\tfnRemoveRule(rule.Name)\n\t\t}\n\t\texecuteAction(operationDelete, executor, ipAddress, actionObjectEventRule, rule.Name, role, &rule)\n\t}\n\treturn err\n}\n\n// RemoveEventRule delets an existing event rule without marking it as deleted\nfunc RemoveEventRule(rule EventRule) error {\n\treturn provider.deleteEventRule(rule, false)\n}\n\n// GetTaskByName returns the task with the specified name\nfunc GetTaskByName(name string) (Task, error) {\n\treturn provider.getTaskByName(name)\n}\n\n// AddTask add a task with the specified name\nfunc AddTask(name string) error {\n\treturn provider.addTask(name)\n}\n\n// UpdateTask updates the task with the specified name and version\nfunc UpdateTask(name string, version int64) error {\n\treturn provider.updateTask(name, version)\n}\n\n// UpdateTaskTimestamp updates the timestamp for the task with the specified name\nfunc UpdateTaskTimestamp(name string) error {\n\treturn provider.updateTaskTimestamp(name)\n}\n\n// GetNodes returns the other cluster nodes\nfunc GetNodes() ([]Node, error) {\n\tif currentNode == nil {\n\t\treturn nil, nil\n\t}\n\tnodes, err := provider.getNodes()\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to get other cluster nodes %v\", err)\n\t}\n\treturn nodes, err\n}\n\n// GetNodeByName returns a node, different from the current one, by name\nfunc GetNodeByName(name string) (Node, error) {\n\tif currentNode == nil {\n\t\treturn Node{}, util.NewRecordNotFoundError(errNoClusterNodes.Error())\n\t}\n\tif name == currentNode.Name {\n\t\treturn Node{}, util.NewValidationError(fmt.Sprintf(\"%s is the current node, it must refer to other nodes\", name))\n\t}\n\treturn provider.getNodeByName(name)\n}\n\n// HasAdmin returns true if the first admin has been created\n// and so SFTPGo is ready to be used\nfunc HasAdmin() bool {\n\treturn isAdminCreated.Load()\n}\n\n// AddAdmin adds a new SFTPGo admin\nfunc AddAdmin(admin *Admin, executor, ipAddress, role string) error {\n\tadmin.Filters.RecoveryCodes = nil\n\tadmin.Filters.TOTPConfig = AdminTOTPConfig{\n\t\tEnabled: false,\n\t}\n\tadmin.Username = config.convertName(admin.Username)\n\terr := provider.addAdmin(admin)\n\tif err == nil {\n\t\tisAdminCreated.Store(true)\n\t\texecuteAction(operationAdd, executor, ipAddress, actionObjectAdmin, admin.Username, role, admin)\n\t}\n\treturn err\n}\n\n// UpdateAdmin updates an existing SFTPGo admin\nfunc UpdateAdmin(admin *Admin, executor, ipAddress, role string) error {\n\terr := provider.updateAdmin(admin)\n\tif err == nil {\n\t\texecuteAction(operationUpdate, executor, ipAddress, actionObjectAdmin, admin.Username, role, admin)\n\t}\n\treturn err\n}\n\n// DeleteAdmin deletes an existing SFTPGo admin\nfunc DeleteAdmin(username, executor, ipAddress, role string) error {\n\tusername = config.convertName(username)\n\tadmin, err := provider.adminExists(username)\n\tif err != nil {\n\t\treturn err\n\t}\n\terr = provider.deleteAdmin(admin)\n\tif err == nil {\n\t\texecuteAction(operationDelete, executor, ipAddress, actionObjectAdmin, admin.Username, role, &admin)\n\t\tcachedAdminPasswords.Remove(username)\n\t}\n\treturn err\n}\n\n// AdminExists returns the admin with the given username if it exists\nfunc AdminExists(username string) (Admin, error) {\n\tusername = config.convertName(username)\n\treturn provider.adminExists(username)\n}\n\n// UserExists checks if the given SFTPGo username exists, returns an error if no match is found\nfunc UserExists(username, role string) (User, error) {\n\tusername = config.convertName(username)\n\treturn provider.userExists(username, role)\n}\n\n// GetAdminSignature returns the signature for the admin with the specified\n// username.\nfunc GetAdminSignature(username string) (string, error) {\n\tusername = config.convertName(username)\n\treturn provider.getAdminSignature(username)\n}\n\n// GetUserSignature returns the signature for the user with the specified\n// username.\nfunc GetUserSignature(username string) (string, error) {\n\tusername = config.convertName(username)\n\treturn provider.getUserSignature(username)\n}\n\n// GetUserWithGroupSettings tries to return the user with the specified username\n// loading also the group settings\nfunc GetUserWithGroupSettings(username, role string) (User, error) {\n\tusername = config.convertName(username)\n\tuser, err := provider.userExists(username, role)\n\tif err != nil {\n\t\treturn user, err\n\t}\n\terr = user.LoadAndApplyGroupSettings()\n\treturn user, err\n}\n\n// GetUserVariants tries to return the user with the specified username with and without\n// group settings applied\nfunc GetUserVariants(username, role string) (User, User, error) {\n\tusername = config.convertName(username)\n\tuser, err := provider.userExists(username, role)\n\tif err != nil {\n\t\treturn user, User{}, err\n\t}\n\tuserWithGroupSettings := user.getACopy()\n\terr = userWithGroupSettings.LoadAndApplyGroupSettings()\n\treturn user, userWithGroupSettings, err\n}\n\n// AddUser adds a new SFTPGo user.\nfunc AddUser(user *User, executor, ipAddress, role string) error {\n\tuser.Username = config.convertName(user.Username)\n\terr := provider.addUser(user)\n\tif err == nil {\n\t\texecuteAction(operationAdd, executor, ipAddress, actionObjectUser, user.Username, role, user)\n\t}\n\treturn err\n}\n\n// UpdateUserPassword updates the user password\nfunc UpdateUserPassword(username, plainPwd, executor, ipAddress, role string) error {\n\tuser, err := provider.userExists(username, role)\n\tif err != nil {\n\t\treturn err\n\t}\n\tuserCopy := user.getACopy()\n\tuserCopy.Password = plainPwd\n\tif err := createUserPasswordHash(&userCopy); err != nil {\n\t\treturn err\n\t}\n\tuser.LastPasswordChange = userCopy.LastPasswordChange\n\tuser.Password = userCopy.Password\n\tuser.Filters.RequirePasswordChange = false\n\t// the last password change is set when validating the user\n\tif err := provider.updateUser(&user); err != nil {\n\t\treturn err\n\t}\n\twebDAVUsersCache.swap(&user, plainPwd)\n\texecuteAction(operationUpdate, executor, ipAddress, actionObjectUser, username, role, &user)\n\treturn nil\n}\n\n// UpdateUser updates an existing SFTPGo user.\nfunc UpdateUser(user *User, executor, ipAddress, role string) error {\n\tif user.groupSettingsApplied {\n\t\treturn errors.New(\"cannot save a user with group settings applied\")\n\t}\n\terr := provider.updateUser(user)\n\tif err == nil {\n\t\twebDAVUsersCache.swap(user, \"\")\n\t\texecuteAction(operationUpdate, executor, ipAddress, actionObjectUser, user.Username, role, user)\n\t}\n\treturn err\n}\n\n// DeleteUser deletes an existing SFTPGo user.\nfunc DeleteUser(username, executor, ipAddress, role string) error {\n\tusername = config.convertName(username)\n\tuser, err := provider.userExists(username, role)\n\tif err != nil {\n\t\treturn err\n\t}\n\terr = provider.deleteUser(user, config.IsShared == 1)\n\tif err == nil {\n\t\tRemoveCachedWebDAVUser(user.Username)\n\t\tdelayedQuotaUpdater.resetUserQuota(user.Username)\n\t\tcachedUserPasswords.Remove(username)\n\t\texecuteAction(operationDelete, executor, ipAddress, actionObjectUser, user.Username, role, &user)\n\t}\n\treturn err\n}\n\n// AddActiveTransfer stores the specified transfer\nfunc AddActiveTransfer(transfer ActiveTransfer) {\n\tif err := provider.addActiveTransfer(transfer); err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to add transfer id %v, connection id %v: %v\",\n\t\t\ttransfer.ID, transfer.ConnID, err)\n\t}\n}\n\n// UpdateActiveTransferSizes updates the current upload and download sizes for the specified transfer\nfunc UpdateActiveTransferSizes(ulSize, dlSize, transferID int64, connectionID string) {\n\tif err := provider.updateActiveTransferSizes(ulSize, dlSize, transferID, connectionID); err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to update sizes for transfer id %v, connection id %v: %v\",\n\t\t\ttransferID, connectionID, err)\n\t}\n}\n\n// RemoveActiveTransfer removes the specified transfer\nfunc RemoveActiveTransfer(transferID int64, connectionID string) {\n\tif err := provider.removeActiveTransfer(transferID, connectionID); err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to delete transfer id %v, connection id %v: %v\",\n\t\t\ttransferID, connectionID, err)\n\t}\n}\n\n// CleanupActiveTransfers removes the transfer before the specified time\nfunc CleanupActiveTransfers(before time.Time) error {\n\terr := provider.cleanupActiveTransfers(before)\n\tif err == nil {\n\t\tproviderLog(logger.LevelDebug, \"deleted active transfers updated before: %v\", before)\n\t} else {\n\t\tproviderLog(logger.LevelError, \"error deleting active transfers updated before %v: %v\", before, err)\n\t}\n\treturn err\n}\n\n// GetActiveTransfers retrieves the active transfers with an update time after the specified value\nfunc GetActiveTransfers(from time.Time) ([]ActiveTransfer, error) {\n\treturn provider.getActiveTransfers(from)\n}\n\n// AddSharedSession stores a new session within the data provider\nfunc AddSharedSession(session Session) error {\n\terr := provider.addSharedSession(session)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to add shared session, key %q, type: %v, err: %v\",\n\t\t\tsession.Key, session.Type, err)\n\t}\n\treturn err\n}\n\n// DeleteSharedSession deletes the session with the specified key\nfunc DeleteSharedSession(key string, sessionType SessionType) error {\n\terr := provider.deleteSharedSession(key, sessionType)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to add shared session, key %q, err: %v\", key, err)\n\t}\n\treturn err\n}\n\n// GetSharedSession retrieves the session with the specified key\nfunc GetSharedSession(key string, sessionType SessionType) (Session, error) {\n\treturn provider.getSharedSession(key, sessionType)\n}\n\n// CleanupSharedSessions removes the shared session with the specified type and\n// before the specified time\nfunc CleanupSharedSessions(sessionType SessionType, before time.Time) error {\n\terr := provider.cleanupSharedSessions(sessionType, util.GetTimeAsMsSinceEpoch(before))\n\tif err == nil {\n\t\tproviderLog(logger.LevelDebug, \"deleted shared sessions before: %v, type: %v\", before, sessionType)\n\t} else {\n\t\tproviderLog(logger.LevelError, \"error deleting shared session before %v, type %v: %v\", before, sessionType, err)\n\t}\n\treturn err\n}\n\n// ReloadConfig reloads provider configuration.\n// Currently only implemented for memory provider, allows to reload the users\n// from the configured file, if defined\nfunc ReloadConfig() error {\n\treturn provider.reloadConfig()\n}\n\n// GetShares returns an array of shares respecting limit and offset\nfunc GetShares(limit, offset int, order, username string) ([]Share, error) {\n\treturn provider.getShares(limit, offset, order, username)\n}\n\n// GetAPIKeys returns an array of API keys respecting limit and offset\nfunc GetAPIKeys(limit, offset int, order string) ([]APIKey, error) {\n\treturn provider.getAPIKeys(limit, offset, order)\n}\n\n// GetAdmins returns an array of admins respecting limit and offset\nfunc GetAdmins(limit, offset int, order string) ([]Admin, error) {\n\treturn provider.getAdmins(limit, offset, order)\n}\n\n// GetRoles returns an array of roles respecting limit and offset\nfunc GetRoles(limit, offset int, order string, minimal bool) ([]Role, error) {\n\treturn provider.getRoles(limit, offset, order, minimal)\n}\n\n// GetGroups returns an array of groups respecting limit and offset\nfunc GetGroups(limit, offset int, order string, minimal bool) ([]Group, error) {\n\treturn provider.getGroups(limit, offset, order, minimal)\n}\n\n// GetUsers returns an array of users respecting limit and offset\nfunc GetUsers(limit, offset int, order, role string) ([]User, error) {\n\treturn provider.getUsers(limit, offset, order, role)\n}\n\n// GetUsersForQuotaCheck returns the users with the fields required for a quota check\nfunc GetUsersForQuotaCheck(toFetch map[string]bool) ([]User, error) {\n\treturn provider.getUsersForQuotaCheck(toFetch)\n}\n\n// AddFolder adds a new virtual folder.\nfunc AddFolder(folder *vfs.BaseVirtualFolder, executor, ipAddress, role string) error {\n\tfolder.Name = config.convertName(folder.Name)\n\terr := provider.addFolder(folder)\n\tif err == nil {\n\t\texecuteAction(operationAdd, executor, ipAddress, actionObjectFolder, folder.Name, role, &wrappedFolder{Folder: *folder})\n\t}\n\treturn err\n}\n\n// UpdateFolder updates the specified virtual folder\nfunc UpdateFolder(folder *vfs.BaseVirtualFolder, users []string, groups []string, executor, ipAddress, role string) error {\n\terr := provider.updateFolder(folder)\n\tif err == nil {\n\t\texecuteAction(operationUpdate, executor, ipAddress, actionObjectFolder, folder.Name, role, &wrappedFolder{Folder: *folder})\n\t\tusersInGroups, errGrp := provider.getUsersInGroups(groups)\n\t\tif errGrp == nil {\n\t\t\tusers = append(users, usersInGroups...)\n\t\t\tusers = util.RemoveDuplicates(users, false)\n\t\t} else {\n\t\t\tproviderLog(logger.LevelWarn, \"unable to get users in groups %+v: %v\", groups, errGrp)\n\t\t}\n\t\tfor _, user := range users {\n\t\t\tprovider.setUpdatedAt(user)\n\t\t\tu, err := provider.userExists(user, \"\")\n\t\t\tif err == nil {\n\t\t\t\twebDAVUsersCache.swap(&u, \"\")\n\t\t\t\texecuteAction(operationUpdate, executor, ipAddress, actionObjectUser, u.Username, u.Role, &u)\n\t\t\t} else {\n\t\t\t\tRemoveCachedWebDAVUser(user)\n\t\t\t}\n\t\t}\n\t}\n\treturn err\n}\n\n// DeleteFolder deletes an existing folder.\nfunc DeleteFolder(folderName, executor, ipAddress, role string) error {\n\tfolderName = config.convertName(folderName)\n\tfolder, err := provider.getFolderByName(folderName)\n\tif err != nil {\n\t\treturn err\n\t}\n\terr = provider.deleteFolder(folder)\n\tif err == nil {\n\t\texecuteAction(operationDelete, executor, ipAddress, actionObjectFolder, folder.Name, role, &wrappedFolder{Folder: folder})\n\t\tusers := folder.Users\n\t\tusersInGroups, errGrp := provider.getUsersInGroups(folder.Groups)\n\t\tif errGrp == nil {\n\t\t\tusers = append(users, usersInGroups...)\n\t\t\tusers = util.RemoveDuplicates(users, false)\n\t\t} else {\n\t\t\tproviderLog(logger.LevelWarn, \"unable to get users in groups %+v: %v\", folder.Groups, errGrp)\n\t\t}\n\t\tfor _, user := range users {\n\t\t\tprovider.setUpdatedAt(user)\n\t\t\tu, err := provider.userExists(user, \"\")\n\t\t\tif err == nil {\n\t\t\t\texecuteAction(operationUpdate, executor, ipAddress, actionObjectUser, u.Username, u.Role, &u)\n\t\t\t}\n\t\t\tRemoveCachedWebDAVUser(user)\n\t\t}\n\t\tdelayedQuotaUpdater.resetFolderQuota(folderName)\n\t}\n\treturn err\n}\n\n// GetFolderByName returns the folder with the specified name if any\nfunc GetFolderByName(name string) (vfs.BaseVirtualFolder, error) {\n\tname = config.convertName(name)\n\treturn provider.getFolderByName(name)\n}\n\n// GetFolders returns an array of folders respecting limit and offset\nfunc GetFolders(limit, offset int, order string, minimal bool) ([]vfs.BaseVirtualFolder, error) {\n\treturn provider.getFolders(limit, offset, order, minimal)\n}\n\nfunc dumpUsers(data *BackupData, scopes []string) error {\n\tif len(scopes) == 0 || slices.Contains(scopes, DumpScopeUsers) {\n\t\tusers, err := provider.dumpUsers()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tdata.Users = users\n\t}\n\treturn nil\n}\n\nfunc dumpFolders(data *BackupData, scopes []string) error {\n\tif len(scopes) == 0 || slices.Contains(scopes, DumpScopeFolders) {\n\t\tfolders, err := provider.dumpFolders()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tdata.Folders = folders\n\t}\n\treturn nil\n}\n\nfunc dumpGroups(data *BackupData, scopes []string) error {\n\tif len(scopes) == 0 || slices.Contains(scopes, DumpScopeGroups) {\n\t\tgroups, err := provider.dumpGroups()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tdata.Groups = groups\n\t}\n\treturn nil\n}\n\nfunc dumpAdmins(data *BackupData, scopes []string) error {\n\tif len(scopes) == 0 || slices.Contains(scopes, DumpScopeAdmins) {\n\t\tadmins, err := provider.dumpAdmins()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tdata.Admins = admins\n\t}\n\treturn nil\n}\n\nfunc dumpAPIKeys(data *BackupData, scopes []string) error {\n\tif len(scopes) == 0 || slices.Contains(scopes, DumpScopeAPIKeys) {\n\t\tapiKeys, err := provider.dumpAPIKeys()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tdata.APIKeys = apiKeys\n\t}\n\treturn nil\n}\n\nfunc dumpShares(data *BackupData, scopes []string) error {\n\tif len(scopes) == 0 || slices.Contains(scopes, DumpScopeShares) {\n\t\tshares, err := provider.dumpShares()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tdata.Shares = shares\n\t}\n\treturn nil\n}\n\nfunc dumpActions(data *BackupData, scopes []string) error {\n\tif len(scopes) == 0 || slices.Contains(scopes, DumpScopeActions) {\n\t\tactions, err := provider.dumpEventActions()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tdata.EventActions = actions\n\t}\n\treturn nil\n}\n\nfunc dumpRules(data *BackupData, scopes []string) error {\n\tif len(scopes) == 0 || slices.Contains(scopes, DumpScopeRules) {\n\t\trules, err := provider.dumpEventRules()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tdata.EventRules = rules\n\t}\n\treturn nil\n}\n\nfunc dumpRoles(data *BackupData, scopes []string) error {\n\tif len(scopes) == 0 || slices.Contains(scopes, DumpScopeRoles) {\n\t\troles, err := provider.dumpRoles()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tdata.Roles = roles\n\t}\n\treturn nil\n}\n\nfunc dumpIPLists(data *BackupData, scopes []string) error {\n\tif len(scopes) == 0 || slices.Contains(scopes, DumpScopeIPLists) {\n\t\tipLists, err := provider.dumpIPListEntries()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tdata.IPLists = ipLists\n\t}\n\treturn nil\n}\n\nfunc dumpConfigs(data *BackupData, scopes []string) error {\n\tif len(scopes) == 0 || slices.Contains(scopes, DumpScopeConfigs) {\n\t\tconfigs, err := provider.getConfigs()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tdata.Configs = &configs\n\t}\n\treturn nil\n}\n\n// DumpData returns a dump containing the requested scopes.\n// Empty scopes means all\nfunc DumpData(scopes []string) (BackupData, error) {\n\tdata := BackupData{\n\t\tVersion: DumpVersion,\n\t}\n\tif err := dumpGroups(&data, scopes); err != nil {\n\t\treturn data, err\n\t}\n\tif err := dumpUsers(&data, scopes); err != nil {\n\t\treturn data, err\n\t}\n\tif err := dumpFolders(&data, scopes); err != nil {\n\t\treturn data, err\n\t}\n\tif err := dumpAdmins(&data, scopes); err != nil {\n\t\treturn data, err\n\t}\n\tif err := dumpAPIKeys(&data, scopes); err != nil {\n\t\treturn data, err\n\t}\n\tif err := dumpShares(&data, scopes); err != nil {\n\t\treturn data, err\n\t}\n\tif err := dumpActions(&data, scopes); err != nil {\n\t\treturn data, err\n\t}\n\tif err := dumpRules(&data, scopes); err != nil {\n\t\treturn data, err\n\t}\n\tif err := dumpRoles(&data, scopes); err != nil {\n\t\treturn data, err\n\t}\n\tif err := dumpIPLists(&data, scopes); err != nil {\n\t\treturn data, err\n\t}\n\tif err := dumpConfigs(&data, scopes); err != nil {\n\t\treturn data, err\n\t}\n\n\treturn data, nil\n}\n\n// ParseDumpData tries to parse data as BackupData\nfunc ParseDumpData(data []byte) (BackupData, error) {\n\tvar dump BackupData\n\terr := json.Unmarshal(data, &dump)\n\tif err != nil {\n\t\treturn dump, err\n\t}\n\tif dump.Version < 17 {\n\t\tproviderLog(logger.LevelInfo, \"updating placeholders for actions restored from dump version %d\", dump.Version)\n\t\teventActions, err := updateEventActionPlaceholders(dump.EventActions)\n\t\tif err != nil {\n\t\t\treturn dump, fmt.Errorf(\"unable to update event action placeholders for dump version %d: %w\", dump.Version, err)\n\t\t}\n\t\tdump.EventActions = eventActions\n\t}\n\treturn dump, err\n}\n\n// GetProviderConfig returns the current provider configuration\nfunc GetProviderConfig() Config {\n\treturn config\n}\n\n// GetProviderStatus returns an error if the provider is not available\nfunc GetProviderStatus() ProviderStatus {\n\terr := provider.checkAvailability()\n\tstatus := ProviderStatus{\n\t\tDriver: config.Driver,\n\t}\n\tif err == nil {\n\t\tstatus.IsActive = true\n\t} else {\n\t\tstatus.IsActive = false\n\t\tstatus.Error = err.Error()\n\t}\n\treturn status\n}\n\n// Close releases all provider resources.\n// This method is used in test cases.\n// Closing an uninitialized provider is not supported\nfunc Close() error {\n\tstopScheduler()\n\treturn provider.close()\n}\n\nfunc createProvider(basePath string) error {\n\tsqlPlaceholders = getSQLPlaceholders()\n\tif err := validateSQLTablesPrefix(); err != nil {\n\t\treturn err\n\t}\n\tlogSender = fmt.Sprintf(\"dataprovider_%v\", config.Driver)\n\n\tswitch config.Driver {\n\tcase SQLiteDataProviderName:\n\t\treturn initializeSQLiteProvider(basePath)\n\tcase PGSQLDataProviderName, CockroachDataProviderName:\n\t\treturn initializePGSQLProvider()\n\tcase MySQLDataProviderName:\n\t\treturn initializeMySQLProvider()\n\tcase BoltDataProviderName:\n\t\treturn initializeBoltProvider(basePath)\n\tcase MemoryDataProviderName:\n\t\tif err := initializeMemoryProvider(basePath); err != nil {\n\t\t\tlogger.Warn(logSender, \"\", \"provider initialized but data loading failed: %v\", err)\n\t\t\tlogger.WarnToConsole(\"provider initialized but data loading failed: %v\", err)\n\t\t}\n\t\treturn nil\n\tdefault:\n\t\treturn fmt.Errorf(\"unsupported data provider: %v\", config.Driver)\n\t}\n}\n\nfunc copyBaseUserFilters(in sdk.BaseUserFilters) sdk.BaseUserFilters {\n\tfilters := sdk.BaseUserFilters{}\n\tfilters.MaxUploadFileSize = in.MaxUploadFileSize\n\tfilters.TLSUsername = in.TLSUsername\n\tfilters.UserType = in.UserType\n\tfilters.AllowedIP = make([]string, len(in.AllowedIP))\n\tcopy(filters.AllowedIP, in.AllowedIP)\n\tfilters.DeniedIP = make([]string, len(in.DeniedIP))\n\tcopy(filters.DeniedIP, in.DeniedIP)\n\tfilters.DeniedLoginMethods = make([]string, len(in.DeniedLoginMethods))\n\tcopy(filters.DeniedLoginMethods, in.DeniedLoginMethods)\n\tfilters.FilePatterns = make([]sdk.PatternsFilter, len(in.FilePatterns))\n\tcopy(filters.FilePatterns, in.FilePatterns)\n\tfilters.DeniedProtocols = make([]string, len(in.DeniedProtocols))\n\tcopy(filters.DeniedProtocols, in.DeniedProtocols)\n\tfilters.TwoFactorAuthProtocols = make([]string, len(in.TwoFactorAuthProtocols))\n\tcopy(filters.TwoFactorAuthProtocols, in.TwoFactorAuthProtocols)\n\tfilters.Hooks.ExternalAuthDisabled = in.Hooks.ExternalAuthDisabled\n\tfilters.Hooks.PreLoginDisabled = in.Hooks.PreLoginDisabled\n\tfilters.Hooks.CheckPasswordDisabled = in.Hooks.CheckPasswordDisabled\n\tfilters.DisableFsChecks = in.DisableFsChecks\n\tfilters.StartDirectory = in.StartDirectory\n\tfilters.FTPSecurity = in.FTPSecurity\n\tfilters.IsAnonymous = in.IsAnonymous\n\tfilters.AllowAPIKeyAuth = in.AllowAPIKeyAuth\n\tfilters.ExternalAuthCacheTime = in.ExternalAuthCacheTime\n\tfilters.DefaultSharesExpiration = in.DefaultSharesExpiration\n\tfilters.MaxSharesExpiration = in.MaxSharesExpiration\n\tfilters.PasswordExpiration = in.PasswordExpiration\n\tfilters.PasswordStrength = in.PasswordStrength\n\tfilters.WebClient = make([]string, len(in.WebClient))\n\tcopy(filters.WebClient, in.WebClient)\n\tfilters.TLSCerts = make([]string, len(in.TLSCerts))\n\tcopy(filters.TLSCerts, in.TLSCerts)\n\tfilters.BandwidthLimits = make([]sdk.BandwidthLimit, 0, len(in.BandwidthLimits))\n\tfor _, limit := range in.BandwidthLimits {\n\t\tbwLimit := sdk.BandwidthLimit{\n\t\t\tUploadBandwidth: limit.UploadBandwidth,\n\t\t\tDownloadBandwidth: limit.DownloadBandwidth,\n\t\t\tSources: make([]string, 0, len(limit.Sources)),\n\t\t}\n\t\tbwLimit.Sources = make([]string, len(limit.Sources))\n\t\tcopy(bwLimit.Sources, limit.Sources)\n\t\tfilters.BandwidthLimits = append(filters.BandwidthLimits, bwLimit)\n\t}\n\tfilters.AccessTime = make([]sdk.TimePeriod, 0, len(in.AccessTime))\n\tfor _, period := range in.AccessTime {\n\t\tfilters.AccessTime = append(filters.AccessTime, sdk.TimePeriod{\n\t\t\tDayOfWeek: period.DayOfWeek,\n\t\t\tFrom: period.From,\n\t\t\tTo: period.To,\n\t\t})\n\t}\n\treturn filters\n}\n\nfunc buildUserHomeDir(user *User) {\n\tif user.HomeDir == \"\" {\n\t\tif config.UsersBaseDir != \"\" {\n\t\t\tuser.HomeDir = filepath.Join(config.UsersBaseDir, user.Username)\n\t\t\treturn\n\t\t}\n\t\tswitch user.FsConfig.Provider {\n\t\tcase sdk.SFTPFilesystemProvider, sdk.S3FilesystemProvider, sdk.AzureBlobFilesystemProvider, sdk.GCSFilesystemProvider, sdk.HTTPFilesystemProvider:\n\t\t\tif tempPath != \"\" {\n\t\t\t\tuser.HomeDir = filepath.Join(tempPath, user.Username)\n\t\t\t} else {\n\t\t\t\tuser.HomeDir = filepath.Join(os.TempDir(), user.Username)\n\t\t\t}\n\t\t}\n\t} else {\n\t\tuser.HomeDir = filepath.Clean(user.HomeDir)\n\t}\n}\n\nfunc validateFolderQuotaLimits(folder vfs.VirtualFolder) error {\n\tif folder.QuotaSize < -1 {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(fmt.Sprintf(\"invalid quota_size: %v folder path %q\", folder.QuotaSize, folder.MappedPath)),\n\t\t\tutil.I18nErrorFolderQuotaSizeInvalid,\n\t\t)\n\t}\n\tif folder.QuotaFiles < -1 {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(fmt.Sprintf(\"invalid quota_file: %v folder path %q\", folder.QuotaFiles, folder.MappedPath)),\n\t\t\tutil.I18nErrorFolderQuotaFileInvalid,\n\t\t)\n\t}\n\tif (folder.QuotaSize == -1 && folder.QuotaFiles != -1) || (folder.QuotaFiles == -1 && folder.QuotaSize != -1) {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(fmt.Sprintf(\"virtual folder quota_size and quota_files must be both -1 or >= 0, quota_size: %v quota_files: %v\",\n\t\t\t\tfolder.QuotaFiles, folder.QuotaSize)),\n\t\t\tutil.I18nErrorFolderQuotaInvalid,\n\t\t)\n\t}\n\treturn nil\n}\n\nfunc validateUserGroups(user *User) error {\n\tif len(user.Groups) == 0 {\n\t\treturn nil\n\t}\n\thasPrimary := false\n\tgroupNames := make(map[string]bool)\n\n\tfor _, g := range user.Groups {\n\t\tif g.Type < sdk.GroupTypePrimary || g.Type > sdk.GroupTypeMembership {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid group type: %v\", g.Type))\n\t\t}\n\t\tif g.Type == sdk.GroupTypePrimary {\n\t\t\tif hasPrimary {\n\t\t\t\treturn util.NewI18nError(\n\t\t\t\t\tutil.NewValidationError(\"only one primary group is allowed\"),\n\t\t\t\t\tutil.I18nErrorPrimaryGroup,\n\t\t\t\t)\n\t\t\t}\n\t\t\thasPrimary = true\n\t\t}\n\t\tif groupNames[g.Name] {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"the group %q is duplicated\", g.Name)),\n\t\t\t\tutil.I18nErrorDuplicateGroup,\n\t\t\t)\n\t\t}\n\t\tgroupNames[g.Name] = true\n\t}\n\treturn nil\n}\n\nfunc validateAssociatedVirtualFolders(vfolders []vfs.VirtualFolder) ([]vfs.VirtualFolder, error) {\n\tif len(vfolders) == 0 {\n\t\treturn []vfs.VirtualFolder{}, nil\n\t}\n\tvar virtualFolders []vfs.VirtualFolder\n\tfolderNames := make(map[string]bool)\n\n\tfor _, v := range vfolders {\n\t\tv.Name = config.convertName(v.Name)\n\t\tif v.VirtualPath == \"\" {\n\t\t\treturn nil, util.NewI18nError(\n\t\t\t\tutil.NewValidationError(\"mount/virtual path is mandatory\"),\n\t\t\t\tutil.I18nErrorFolderMountPathRequired,\n\t\t\t)\n\t\t}\n\t\tcleanedVPath := util.CleanPath(v.VirtualPath)\n\t\tif err := validateFolderQuotaLimits(v); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tif v.Name == \"\" {\n\t\t\treturn nil, util.NewI18nError(util.NewValidationError(\"folder name is mandatory\"), util.I18nErrorFolderNameRequired)\n\t\t}\n\t\tif folderNames[v.Name] {\n\t\t\treturn nil, util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"the folder %q is duplicated\", v.Name)),\n\t\t\t\tutil.I18nErrorDuplicatedFolders,\n\t\t\t)\n\t\t}\n\t\tfor _, vFolder := range virtualFolders {\n\t\t\tif util.IsDirOverlapped(vFolder.VirtualPath, cleanedVPath, false, \"/\") {\n\t\t\t\treturn nil, util.NewI18nError(\n\t\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"invalid virtual folder %q, it overlaps with virtual folder %q\",\n\t\t\t\t\t\tv.VirtualPath, vFolder.VirtualPath)),\n\t\t\t\t\tutil.I18nErrorOverlappedFolders,\n\t\t\t\t)\n\t\t\t}\n\t\t}\n\t\tvirtualFolders = append(virtualFolders, vfs.VirtualFolder{\n\t\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\t\tName: v.Name,\n\t\t\t},\n\t\t\tVirtualPath: cleanedVPath,\n\t\t\tQuotaSize: v.QuotaSize,\n\t\t\tQuotaFiles: v.QuotaFiles,\n\t\t})\n\t\tfolderNames[v.Name] = true\n\t}\n\treturn virtualFolders, nil\n}\n\nfunc validateUserTOTPConfig(c *UserTOTPConfig, username string) error {\n\tif !c.Enabled {\n\t\tc.ConfigName = \"\"\n\t\tc.Secret = kms.NewEmptySecret()\n\t\tc.Protocols = nil\n\t\treturn nil\n\t}\n\tif c.ConfigName == \"\" {\n\t\treturn util.NewValidationError(\"totp: config name is mandatory\")\n\t}\n\tif !slices.Contains(mfa.GetAvailableTOTPConfigNames(), c.ConfigName) {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"totp: config name %q not found\", c.ConfigName))\n\t}\n\tif c.Secret.IsEmpty() {\n\t\treturn util.NewValidationError(\"totp: secret is mandatory\")\n\t}\n\tif c.Secret.IsPlain() {\n\t\tc.Secret.SetAdditionalData(username)\n\t\tif err := c.Secret.Encrypt(); err != nil {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"totp: unable to encrypt secret: %v\", err))\n\t\t}\n\t}\n\tif len(c.Protocols) == 0 {\n\t\treturn util.NewValidationError(\"totp: specify at least one protocol\")\n\t}\n\tfor _, protocol := range c.Protocols {\n\t\tif !slices.Contains(MFAProtocols, protocol) {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"totp: invalid protocol %q\", protocol))\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc validateUserRecoveryCodes(user *User) error {\n\tfor i := 0; i < len(user.Filters.RecoveryCodes); i++ {\n\t\tcode := &user.Filters.RecoveryCodes[i]\n\t\tif code.Secret.IsEmpty() {\n\t\t\treturn util.NewValidationError(\"mfa: recovery code cannot be empty\")\n\t\t}\n\t\tif code.Secret.IsPlain() {\n\t\t\tcode.Secret.SetAdditionalData(user.Username)\n\t\t\tif err := code.Secret.Encrypt(); err != nil {\n\t\t\t\treturn util.NewValidationError(fmt.Sprintf(\"mfa: unable to encrypt recovery code: %v\", err))\n\t\t\t}\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc validateUserPermissions(permsToCheck map[string][]string) (map[string][]string, error) {\n\tpermissions := make(map[string][]string)\n\tfor dir, perms := range permsToCheck {\n\t\tif len(perms) == 0 && dir == \"/\" {\n\t\t\treturn permissions, util.NewValidationError(fmt.Sprintf(\"no permissions granted for the directory: %q\", dir))\n\t\t}\n\t\tif len(perms) > len(ValidPerms) {\n\t\t\treturn permissions, util.NewValidationError(\"invalid permissions\")\n\t\t}\n\t\tfor _, p := range perms {\n\t\t\tif !slices.Contains(ValidPerms, p) {\n\t\t\t\treturn permissions, util.NewValidationError(fmt.Sprintf(\"invalid permission: %q\", p))\n\t\t\t}\n\t\t}\n\t\tcleanedDir := filepath.ToSlash(path.Clean(dir))\n\t\tif cleanedDir != \"/\" {\n\t\t\tcleanedDir = strings.TrimSuffix(cleanedDir, \"/\")\n\t\t}\n\t\tif !path.IsAbs(cleanedDir) {\n\t\t\treturn permissions, util.NewValidationError(fmt.Sprintf(\"cannot set permissions for non absolute path: %q\", dir))\n\t\t}\n\t\tif dir != cleanedDir && cleanedDir == \"/\" {\n\t\t\treturn permissions, util.NewValidationError(fmt.Sprintf(\"cannot set permissions for invalid subdirectory: %q is an alias for \\\"/\\\"\", dir))\n\t\t}\n\t\tif slices.Contains(perms, PermAny) {\n\t\t\tpermissions[cleanedDir] = []string{PermAny}\n\t\t} else {\n\t\t\tpermissions[cleanedDir] = util.RemoveDuplicates(perms, false)\n\t\t}\n\t}\n\n\treturn permissions, nil\n}\n\nfunc validatePermissions(user *User) error {\n\tif len(user.Permissions) == 0 {\n\t\treturn util.NewI18nError(util.NewValidationError(\"please grant some permissions to this user\"), util.I18nErrorNoPermission)\n\t}\n\tif _, ok := user.Permissions[\"/\"]; !ok {\n\t\treturn util.NewI18nError(util.NewValidationError(\"permissions for the root dir \\\"/\\\" must be set\"), util.I18nErrorNoRootPermission)\n\t}\n\tpermissions, err := validateUserPermissions(user.Permissions)\n\tif err != nil {\n\t\treturn util.NewI18nError(err, util.I18nErrorGenericPermission)\n\t}\n\tuser.Permissions = permissions\n\treturn nil\n}\n\nfunc validatePublicKeys(user *User) error {\n\tif len(user.PublicKeys) == 0 {\n\t\tuser.PublicKeys = []string{}\n\t}\n\tvar validatedKeys []string\n\tfor idx, key := range user.PublicKeys {\n\t\tif key == \"\" {\n\t\t\tcontinue\n\t\t}\n\t\tout, _, _, _, err := ssh.ParseAuthorizedKey([]byte(key))\n\t\tif err != nil {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"error parsing public key at position %d: %v\", idx, err)),\n\t\t\t\tutil.I18nErrorPubKeyInvalid,\n\t\t\t)\n\t\t}\n\t\tif out.Type() == ssh.InsecureKeyAlgoDSA { //nolint:staticcheck\n\t\t\tproviderLog(logger.LevelError, \"dsa public key not accepted, position: %d\", idx)\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"DSA key format is insecure and it is not allowed for key at position %d\", idx)),\n\t\t\t\tutil.I18nErrorKeyInsecure,\n\t\t\t)\n\t\t}\n\t\tif k, ok := out.(ssh.CryptoPublicKey); ok {\n\t\t\tcryptoKey := k.CryptoPublicKey()\n\t\t\tif rsaKey, ok := cryptoKey.(*rsa.PublicKey); ok {\n\t\t\t\tif size := rsaKey.N.BitLen(); size < 2048 {\n\t\t\t\t\tproviderLog(logger.LevelError, \"rsa key with size %d at position %d not accepted, minimum 2048\", size, idx)\n\t\t\t\t\treturn util.NewI18nError(\n\t\t\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"invalid size %d for rsa key at position %d, minimum 2048\",\n\t\t\t\t\t\t\tsize, idx)),\n\t\t\t\t\t\tutil.I18nErrorKeySizeInvalid,\n\t\t\t\t\t)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tvalidatedKeys = append(validatedKeys, key)\n\t}\n\tuser.PublicKeys = util.RemoveDuplicates(validatedKeys, false)\n\treturn nil\n}\n\nfunc validateFiltersPatternExtensions(baseFilters *sdk.BaseUserFilters) error {\n\tif len(baseFilters.FilePatterns) == 0 {\n\t\tbaseFilters.FilePatterns = []sdk.PatternsFilter{}\n\t\treturn nil\n\t}\n\tfilteredPaths := []string{}\n\tvar filters []sdk.PatternsFilter\n\tfor _, f := range baseFilters.FilePatterns {\n\t\tcleanedPath := filepath.ToSlash(path.Clean(f.Path))\n\t\tif !path.IsAbs(cleanedPath) {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"invalid path %q for file patterns filter\", f.Path)),\n\t\t\t\tutil.I18nErrorFilePatternPathInvalid,\n\t\t\t)\n\t\t}\n\t\tif slices.Contains(filteredPaths, cleanedPath) {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"duplicate file patterns filter for path %q\", f.Path)),\n\t\t\t\tutil.I18nErrorFilePatternDuplicated,\n\t\t\t)\n\t\t}\n\t\tif len(f.AllowedPatterns) == 0 && len(f.DeniedPatterns) == 0 {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"empty file patterns filter for path %q\", f.Path))\n\t\t}\n\t\tif f.DenyPolicy < sdk.DenyPolicyDefault || f.DenyPolicy > sdk.DenyPolicyHide {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid deny policy %v for path %q\", f.DenyPolicy, f.Path))\n\t\t}\n\t\tf.Path = cleanedPath\n\t\tallowed := make([]string, 0, len(f.AllowedPatterns))\n\t\tdenied := make([]string, 0, len(f.DeniedPatterns))\n\t\tfor _, pattern := range f.AllowedPatterns {\n\t\t\t_, err := path.Match(pattern, \"abc\")\n\t\t\tif err != nil {\n\t\t\t\treturn util.NewI18nError(\n\t\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"invalid file pattern filter %q\", pattern)),\n\t\t\t\t\tutil.I18nErrorFilePatternInvalid,\n\t\t\t\t)\n\t\t\t}\n\t\t\tallowed = append(allowed, strings.ToLower(pattern))\n\t\t}\n\t\tfor _, pattern := range f.DeniedPatterns {\n\t\t\t_, err := path.Match(pattern, \"abc\")\n\t\t\tif err != nil {\n\t\t\t\treturn util.NewI18nError(\n\t\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"invalid file pattern filter %q\", pattern)),\n\t\t\t\t\tutil.I18nErrorFilePatternInvalid,\n\t\t\t\t)\n\t\t\t}\n\t\t\tdenied = append(denied, strings.ToLower(pattern))\n\t\t}\n\t\tf.AllowedPatterns = util.RemoveDuplicates(allowed, false)\n\t\tf.DeniedPatterns = util.RemoveDuplicates(denied, false)\n\t\tfilters = append(filters, f)\n\t\tfilteredPaths = append(filteredPaths, cleanedPath)\n\t}\n\tbaseFilters.FilePatterns = filters\n\treturn nil\n}\n\nfunc checkEmptyFiltersStruct(filters *sdk.BaseUserFilters) {\n\tif len(filters.AllowedIP) == 0 {\n\t\tfilters.AllowedIP = []string{}\n\t}\n\tif len(filters.DeniedIP) == 0 {\n\t\tfilters.DeniedIP = []string{}\n\t}\n\tif len(filters.DeniedLoginMethods) == 0 {\n\t\tfilters.DeniedLoginMethods = []string{}\n\t}\n\tif len(filters.DeniedProtocols) == 0 {\n\t\tfilters.DeniedProtocols = []string{}\n\t}\n}\n\nfunc validateIPFilters(filters *sdk.BaseUserFilters) error {\n\tfilters.DeniedIP = util.RemoveDuplicates(filters.DeniedIP, false)\n\tfor _, IPMask := range filters.DeniedIP {\n\t\t_, _, err := net.ParseCIDR(IPMask)\n\t\tif err != nil {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"could not parse denied IP/Mask %q: %v\", IPMask, err))\n\t\t}\n\t}\n\tfilters.AllowedIP = util.RemoveDuplicates(filters.AllowedIP, false)\n\tfor _, IPMask := range filters.AllowedIP {\n\t\t_, _, err := net.ParseCIDR(IPMask)\n\t\tif err != nil {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"could not parse allowed IP/Mask %q: %v\", IPMask, err))\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc validateBandwidthLimit(bl sdk.BandwidthLimit) error {\n\tif len(bl.Sources) == 0 {\n\t\treturn util.NewValidationError(\"no bandwidth limit source specified\")\n\t}\n\tfor _, source := range bl.Sources {\n\t\t_, _, err := net.ParseCIDR(source)\n\t\tif err != nil {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"could not parse bandwidth limit source %q: %v\", source, err))\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc validateBandwidthLimitsFilter(filters *sdk.BaseUserFilters) error {\n\tfor idx, bandwidthLimit := range filters.BandwidthLimits {\n\t\tif err := validateBandwidthLimit(bandwidthLimit); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif bandwidthLimit.DownloadBandwidth < 0 {\n\t\t\tfilters.BandwidthLimits[idx].DownloadBandwidth = 0\n\t\t}\n\t\tif bandwidthLimit.UploadBandwidth < 0 {\n\t\t\tfilters.BandwidthLimits[idx].UploadBandwidth = 0\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc updateFiltersValues(filters *sdk.BaseUserFilters) {\n\tif filters.StartDirectory != \"\" {\n\t\tfilters.StartDirectory = util.CleanPath(filters.StartDirectory)\n\t\tif filters.StartDirectory == \"/\" {\n\t\t\tfilters.StartDirectory = \"\"\n\t\t}\n\t}\n}\n\nfunc validateFilterProtocols(filters *sdk.BaseUserFilters) error {\n\tif len(filters.DeniedProtocols) >= len(ValidProtocols) {\n\t\treturn util.NewValidationError(\"invalid denied_protocols\")\n\t}\n\tfor _, p := range filters.DeniedProtocols {\n\t\tif !slices.Contains(ValidProtocols, p) {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid denied protocol %q\", p))\n\t\t}\n\t}\n\n\tfor _, p := range filters.TwoFactorAuthProtocols {\n\t\tif !slices.Contains(MFAProtocols, p) {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid two factor protocol %q\", p))\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc validateTLSCerts(certs []string) ([]string, error) {\n\tvar validateCerts []string\n\tfor idx, cert := range certs {\n\t\tif cert == \"\" {\n\t\t\tcontinue\n\t\t}\n\t\tderBlock, _ := pem.Decode([]byte(cert))\n\t\tif derBlock == nil {\n\t\t\treturn nil, util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"invalid TLS certificate %d\", idx)),\n\t\t\t\tutil.I18nErrorInvalidTLSCert,\n\t\t\t)\n\t\t}\n\t\tcrt, err := x509.ParseCertificate(derBlock.Bytes)\n\t\tif err != nil {\n\t\t\treturn nil, util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"error parsing TLS certificate %d\", idx)),\n\t\t\t\tutil.I18nErrorInvalidTLSCert,\n\t\t\t)\n\t\t}\n\t\tif crt.PublicKeyAlgorithm == x509.RSA {\n\t\t\tif rsaCert, ok := crt.PublicKey.(*rsa.PublicKey); ok {\n\t\t\t\tif size := rsaCert.N.BitLen(); size < 2048 {\n\t\t\t\t\tproviderLog(logger.LevelError, \"rsa cert with size %d not accepted, minimum 2048\", size)\n\t\t\t\t\treturn nil, util.NewI18nError(\n\t\t\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"invalid size %d for rsa cert at position %d, minimum 2048\",\n\t\t\t\t\t\t\tsize, idx)),\n\t\t\t\t\t\tutil.I18nErrorKeySizeInvalid,\n\t\t\t\t\t)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tvalidateCerts = append(validateCerts, cert)\n\t}\n\treturn validateCerts, nil\n}\n\nfunc validateBaseFilters(filters *sdk.BaseUserFilters) error {\n\tcheckEmptyFiltersStruct(filters)\n\tif err := validateIPFilters(filters); err != nil {\n\t\treturn util.NewI18nError(err, util.I18nErrorIPFiltersInvalid)\n\t}\n\tif err := validateBandwidthLimitsFilter(filters); err != nil {\n\t\treturn util.NewI18nError(err, util.I18nErrorSourceBWLimitInvalid)\n\t}\n\tif len(filters.DeniedLoginMethods) >= len(ValidLoginMethods) {\n\t\treturn util.NewValidationError(\"invalid denied_login_methods\")\n\t}\n\tfor _, loginMethod := range filters.DeniedLoginMethods {\n\t\tif !slices.Contains(ValidLoginMethods, loginMethod) {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid login method: %q\", loginMethod))\n\t\t}\n\t}\n\tif err := validateFilterProtocols(filters); err != nil {\n\t\treturn err\n\t}\n\tif filters.TLSUsername != \"\" {\n\t\tif !slices.Contains(validTLSUsernames, string(filters.TLSUsername)) {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid TLS username: %q\", filters.TLSUsername))\n\t\t}\n\t}\n\tcerts, err := validateTLSCerts(filters.TLSCerts)\n\tif err != nil {\n\t\treturn err\n\t}\n\tfilters.TLSCerts = certs\n\tfor _, opts := range filters.WebClient {\n\t\tif !slices.Contains(sdk.WebClientOptions, opts) {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid web client options %q\", opts))\n\t\t}\n\t}\n\tif filters.MaxSharesExpiration > 0 && filters.MaxSharesExpiration < filters.DefaultSharesExpiration {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(fmt.Sprintf(\"default shares expiration: %d must be less than or equal to max shares expiration: %d\",\n\t\t\t\tfilters.DefaultSharesExpiration, filters.MaxSharesExpiration)),\n\t\t\tutil.I18nErrorShareExpirationInvalid,\n\t\t)\n\t}\n\tupdateFiltersValues(filters)\n\n\tif err := validateAccessTimeFilters(filters); err != nil {\n\t\treturn err\n\t}\n\n\treturn validateFiltersPatternExtensions(filters)\n}\n\nfunc isTimeOfDayValid(value string) bool {\n\tif len(value) != 5 {\n\t\treturn false\n\t}\n\tparts := strings.Split(value, \":\")\n\tif len(parts) != 2 {\n\t\treturn false\n\t}\n\thour, err := strconv.Atoi(parts[0])\n\tif err != nil {\n\t\treturn false\n\t}\n\tif hour < 0 || hour > 23 {\n\t\treturn false\n\t}\n\tminute, err := strconv.Atoi(parts[1])\n\tif err != nil {\n\t\treturn false\n\t}\n\tif minute < 0 || minute > 59 {\n\t\treturn false\n\t}\n\treturn true\n}\n\nfunc validateAccessTimeFilters(filters *sdk.BaseUserFilters) error {\n\tfor _, period := range filters.AccessTime {\n\t\tif period.DayOfWeek < int(time.Sunday) || period.DayOfWeek > int(time.Saturday) {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid day of week: %d\", period.DayOfWeek))\n\t\t}\n\t\tif !isTimeOfDayValid(period.From) || !isTimeOfDayValid(period.To) {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(\"invalid time of day. Supported format: HH:MM\"),\n\t\t\t\tutil.I18nErrorTimeOfDayInvalid,\n\t\t\t)\n\t\t}\n\t\tif period.To <= period.From {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(\"invalid time of day. The end time cannot be earlier than the start time\"),\n\t\t\t\tutil.I18nErrorTimeOfDayConflict,\n\t\t\t)\n\t\t}\n\t}\n\n\treturn nil\n}\n\nfunc validateCombinedUserFilters(user *User) error {\n\tif user.Filters.TOTPConfig.Enabled && slices.Contains(user.Filters.WebClient, sdk.WebClientMFADisabled) {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"two-factor authentication cannot be disabled for a user with an active configuration\"),\n\t\t\tutil.I18nErrorDisableActive2FA,\n\t\t)\n\t}\n\tif user.Filters.RequirePasswordChange && slices.Contains(user.Filters.WebClient, sdk.WebClientPasswordChangeDisabled) {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"you cannot require password change and at the same time disallow it\"),\n\t\t\tutil.I18nErrorPwdChangeConflict,\n\t\t)\n\t}\n\tif len(user.Filters.TwoFactorAuthProtocols) > 0 && slices.Contains(user.Filters.WebClient, sdk.WebClientMFADisabled) {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"you cannot require two-factor authentication and at the same time disallow it\"),\n\t\t\tutil.I18nError2FAConflict,\n\t\t)\n\t}\n\treturn nil\n}\n\nfunc validateEmails(user *User) error {\n\tif user.Email != \"\" && !util.IsEmailValid(user.Email) {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(fmt.Sprintf(\"email %q is not valid\", user.Email)),\n\t\t\tutil.I18nErrorInvalidEmail,\n\t\t)\n\t}\n\tfor _, email := range user.Filters.AdditionalEmails {\n\t\tif !util.IsEmailValid(email) {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"email %q is not valid\", email)),\n\t\t\t\tutil.I18nErrorInvalidEmail,\n\t\t\t)\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc validateBaseParams(user *User) error {\n\tif user.Username == \"\" {\n\t\treturn util.NewI18nError(util.NewValidationError(\"username is mandatory\"), util.I18nErrorUsernameRequired)\n\t}\n\tif !util.IsNameValid(user.Username) {\n\t\treturn util.NewI18nError(errInvalidInput, util.I18nErrorInvalidInput)\n\t}\n\tif err := checkReservedUsernames(user.Username); err != nil {\n\t\treturn util.NewI18nError(err, util.I18nErrorReservedUsername)\n\t}\n\tif err := validateEmails(user); err != nil {\n\t\treturn err\n\t}\n\tif config.NamingRules&1 == 0 && !usernameRegex.MatchString(user.Username) {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(fmt.Sprintf(\"username %q is not valid, the following characters are allowed: a-zA-Z0-9-_.~\", user.Username)),\n\t\t\tutil.I18nErrorInvalidUser,\n\t\t)\n\t}\n\tif user.hasRedactedSecret() {\n\t\treturn util.NewValidationError(\"cannot save a user with a redacted secret\")\n\t}\n\tif user.HomeDir == \"\" {\n\t\treturn util.NewI18nError(util.NewValidationError(\"home_dir is mandatory\"), util.I18nErrorHomeRequired)\n\t}\n\t// we can have users with no passwords and public keys, they can authenticate via SSH user certs or OIDC\n\t/*if user.Password == \"\" && len(user.PublicKeys) == 0 {\n\t\treturn util.NewValidationError(\"please set a password or at least a public_key\")\n\t}*/\n\tif !filepath.IsAbs(user.HomeDir) {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(fmt.Sprintf(\"home_dir must be an absolute path, actual value: %v\", user.HomeDir)),\n\t\t\tutil.I18nErrorHomeInvalid,\n\t\t)\n\t}\n\tif user.DownloadBandwidth < 0 {\n\t\tuser.DownloadBandwidth = 0\n\t}\n\tif user.UploadBandwidth < 0 {\n\t\tuser.UploadBandwidth = 0\n\t}\n\tif user.TotalDataTransfer > 0 {\n\t\t// if a total data transfer is defined we reset the separate upload and download limits\n\t\tuser.UploadDataTransfer = 0\n\t\tuser.DownloadDataTransfer = 0\n\t}\n\tif user.Filters.IsAnonymous {\n\t\tuser.setAnonymousSettings()\n\t}\n\terr := user.FsConfig.Validate(user.GetEncryptionAdditionalData())\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn nil\n}\n\nfunc hashPlainPassword(plainPwd string) (string, error) {\n\tif config.PasswordHashing.Algo == HashingAlgoBcrypt {\n\t\tpwd, err := bcrypt.GenerateFromPassword([]byte(plainPwd), config.PasswordHashing.BcryptOptions.Cost)\n\t\tif err != nil {\n\t\t\treturn \"\", fmt.Errorf(\"bcrypt hashing error: %w\", err)\n\t\t}\n\t\treturn util.BytesToString(pwd), nil\n\t}\n\tpwd, err := argon2id.CreateHash(plainPwd, argon2Params)\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"argon2ID hashing error: %w\", err)\n\t}\n\treturn pwd, nil\n}\n\nfunc createUserPasswordHash(user *User) error {\n\tif user.Password != \"\" && !user.IsPasswordHashed() {\n\t\tfor _, g := range user.Groups {\n\t\t\tif g.Type == sdk.GroupTypePrimary {\n\t\t\t\tgroup, err := GroupExists(g.Name)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn errors.New(\"unable to load group password policies\")\n\t\t\t\t}\n\t\t\t\tif minEntropy := group.UserSettings.Filters.PasswordStrength; minEntropy > 0 {\n\t\t\t\t\tif err := passwordvalidator.Validate(user.Password, float64(minEntropy)); err != nil {\n\t\t\t\t\t\treturn util.NewI18nError(util.NewValidationError(err.Error()), util.I18nErrorPasswordComplexity)\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif minEntropy := user.getMinPasswordEntropy(); minEntropy > 0 {\n\t\t\tif err := passwordvalidator.Validate(user.Password, minEntropy); err != nil {\n\t\t\t\treturn util.NewI18nError(util.NewValidationError(err.Error()), util.I18nErrorPasswordComplexity)\n\t\t\t}\n\t\t}\n\t\thashedPwd, err := hashPlainPassword(user.Password)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tuser.Password = hashedPwd\n\t\tuser.LastPasswordChange = util.GetTimeAsMsSinceEpoch(time.Now())\n\t}\n\treturn nil\n}\n\n// ValidateFolder returns an error if the folder is not valid\n// FIXME: this should be defined as Folder struct method\nfunc ValidateFolder(folder *vfs.BaseVirtualFolder) error {\n\tfolder.FsConfig.SetEmptySecretsIfNil()\n\tif folder.Name == \"\" {\n\t\treturn util.NewI18nError(util.NewValidationError(\"folder name is mandatory\"), util.I18nErrorNameRequired)\n\t}\n\tif !util.IsNameValid(folder.Name) {\n\t\treturn util.NewI18nError(errInvalidInput, util.I18nErrorInvalidInput)\n\t}\n\tif config.NamingRules&1 == 0 && !usernameRegex.MatchString(folder.Name) {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(fmt.Sprintf(\"folder name %q is not valid, the following characters are allowed: a-zA-Z0-9-_.~\", folder.Name)),\n\t\t\tutil.I18nErrorInvalidName,\n\t\t)\n\t}\n\tif folder.FsConfig.Provider == sdk.LocalFilesystemProvider || folder.FsConfig.Provider == sdk.CryptedFilesystemProvider ||\n\t\tfolder.MappedPath != \"\" {\n\t\tcleanedMPath := filepath.Clean(folder.MappedPath)\n\t\tif !filepath.IsAbs(cleanedMPath) {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"invalid folder mapped path %q\", folder.MappedPath)),\n\t\t\t\tutil.I18nErrorInvalidHomeDir,\n\t\t\t)\n\t\t}\n\t\tfolder.MappedPath = cleanedMPath\n\t}\n\tif folder.HasRedactedSecret() {\n\t\treturn errors.New(\"cannot save a folder with a redacted secret\")\n\t}\n\treturn folder.FsConfig.Validate(folder.GetEncryptionAdditionalData())\n}\n\n// ValidateUser returns an error if the user is not valid\n// FIXME: this should be defined as User struct method\nfunc ValidateUser(user *User) error {\n\tuser.OIDCCustomFields = nil\n\tuser.HasPassword = false\n\tuser.SetEmptySecretsIfNil()\n\tuser.applyNamingRules()\n\tbuildUserHomeDir(user)\n\tif err := validateBaseParams(user); err != nil {\n\t\treturn err\n\t}\n\tif err := validateUserGroups(user); err != nil {\n\t\treturn err\n\t}\n\tif err := validatePermissions(user); err != nil {\n\t\treturn err\n\t}\n\tif err := validateUserTOTPConfig(&user.Filters.TOTPConfig, user.Username); err != nil {\n\t\treturn util.NewI18nError(err, util.I18nError2FAInvalid)\n\t}\n\tif err := validateUserRecoveryCodes(user); err != nil {\n\t\treturn util.NewI18nError(err, util.I18nErrorRecoveryCodesInvalid)\n\t}\n\tvfolders, err := validateAssociatedVirtualFolders(user.VirtualFolders)\n\tif err != nil {\n\t\treturn err\n\t}\n\tuser.VirtualFolders = vfolders\n\tif user.Status < 0 || user.Status > 1 {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid user status: %v\", user.Status))\n\t}\n\tif err := createUserPasswordHash(user); err != nil {\n\t\treturn err\n\t}\n\tif err := validatePublicKeys(user); err != nil {\n\t\treturn err\n\t}\n\tif err := validateBaseFilters(&user.Filters.BaseUserFilters); err != nil {\n\t\treturn err\n\t}\n\tif !user.HasExternalAuth() {\n\t\tuser.Filters.ExternalAuthCacheTime = 0\n\t}\n\treturn validateCombinedUserFilters(user)\n}\n\nfunc isPasswordOK(user *User, password string) (bool, error) {\n\tif config.PasswordCaching {\n\t\tfound, match := cachedUserPasswords.Check(user.Username, password, user.Password)\n\t\tif found {\n\t\t\treturn match, nil\n\t\t}\n\t}\n\n\tmatch := false\n\tupdatePwd := true\n\tvar err error\n\n\tswitch {\n\tcase strings.HasPrefix(user.Password, bcryptPwdPrefix):\n\t\tif err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password)); err != nil {\n\t\t\treturn match, ErrInvalidCredentials\n\t\t}\n\t\tmatch = true\n\t\tupdatePwd = config.PasswordHashing.Algo != HashingAlgoBcrypt\n\tcase strings.HasPrefix(user.Password, argonPwdPrefix):\n\t\tmatch, err = argon2id.ComparePasswordAndHash(password, user.Password)\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelError, \"error comparing password with argon hash: %v\", err)\n\t\t\treturn match, err\n\t\t}\n\t\tupdatePwd = config.PasswordHashing.Algo != HashingAlgoArgon2ID\n\tcase util.IsStringPrefixInSlice(user.Password, unixPwdPrefixes):\n\t\tmatch, err = compareUnixPasswordAndHash(user, password)\n\t\tif err != nil {\n\t\t\treturn match, err\n\t\t}\n\tcase util.IsStringPrefixInSlice(user.Password, pbkdfPwdPrefixes):\n\t\tmatch, err = comparePbkdf2PasswordAndHash(password, user.Password)\n\t\tif err != nil {\n\t\t\treturn match, err\n\t\t}\n\tcase util.IsStringPrefixInSlice(user.Password, digestPwdPrefixes):\n\t\tmatch = compareDigestPasswordAndHash(user, password)\n\t}\n\n\tif err == nil && match {\n\t\tcachedUserPasswords.Add(user.Username, password, user.Password)\n\t\tif updatePwd {\n\t\t\tconvertUserPassword(user.Username, password)\n\t\t}\n\t}\n\treturn match, err\n}\n\nfunc convertUserPassword(username, plainPwd string) {\n\thashedPwd, err := hashPlainPassword(plainPwd)\n\tif err == nil {\n\t\terr = provider.updateUserPassword(username, hashedPwd)\n\t}\n\tif err != nil {\n\t\tproviderLog(logger.LevelWarn, \"unable to convert password for user %s: %v\", username, err)\n\t} else {\n\t\tproviderLog(logger.LevelDebug, \"password converted for user %s\", username)\n\t}\n}\n\nfunc checkUserAndTLSCertificate(user *User, protocol string, tlsCert *x509.Certificate) (User, error) {\n\terr := user.LoadAndApplyGroupSettings()\n\tif err != nil {\n\t\treturn *user, err\n\t}\n\terr = user.CheckLoginConditions()\n\tif err != nil {\n\t\treturn *user, err\n\t}\n\tswitch protocol {\n\tcase protocolFTP, protocolWebDAV:\n\t\tfor _, cert := range user.Filters.TLSCerts {\n\t\t\tderBlock, _ := pem.Decode(util.StringToBytes(cert))\n\t\t\tif derBlock != nil && bytes.Equal(derBlock.Bytes, tlsCert.Raw) {\n\t\t\t\treturn *user, nil\n\t\t\t}\n\t\t}\n\t\tif user.Filters.TLSUsername == sdk.TLSUsernameCN {\n\t\t\tif user.Username == tlsCert.Subject.CommonName {\n\t\t\t\treturn *user, nil\n\t\t\t}\n\t\t\treturn *user, fmt.Errorf(\"CN %q does not match username %q\", tlsCert.Subject.CommonName, user.Username)\n\t\t}\n\t\treturn *user, errors.New(\"TLS certificate is not valid\")\n\tdefault:\n\t\treturn *user, fmt.Errorf(\"certificate authentication is not supported for protocol %v\", protocol)\n\t}\n}\n\nfunc checkUserAndPass(user *User, password, ip, protocol string) (User, error) {\n\terr := user.LoadAndApplyGroupSettings()\n\tif err != nil {\n\t\treturn *user, err\n\t}\n\terr = user.CheckLoginConditions()\n\tif err != nil {\n\t\treturn *user, err\n\t}\n\tif protocol != protocolHTTP && user.MustChangePassword() {\n\t\treturn *user, errors.New(\"login not allowed, password change required\")\n\t}\n\tif user.Filters.IsAnonymous {\n\t\tuser.setAnonymousSettings()\n\t\treturn *user, nil\n\t}\n\tpassword, err = checkUserPasscode(user, password, protocol)\n\tif err != nil {\n\t\treturn *user, ErrInvalidCredentials\n\t}\n\tif user.Password == \"\" || strings.TrimSpace(password) == \"\" {\n\t\treturn *user, errors.New(\"credentials cannot be null or empty\")\n\t}\n\tif !user.Filters.Hooks.CheckPasswordDisabled {\n\t\thookResponse, err := executeCheckPasswordHook(user.Username, password, ip, protocol)\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelDebug, \"error executing check password hook for user %q, ip %v, protocol %v: %v\",\n\t\t\t\tuser.Username, ip, protocol, err)\n\t\t\treturn *user, errors.New(\"unable to check credentials\")\n\t\t}\n\t\tswitch hookResponse.Status {\n\t\tcase -1:\n\t\t\t// no hook configured\n\t\tcase 1:\n\t\t\tproviderLog(logger.LevelDebug, \"password accepted by check password hook for user %q, ip %v, protocol %v\",\n\t\t\t\tuser.Username, ip, protocol)\n\t\t\treturn *user, nil\n\t\tcase 2:\n\t\t\tproviderLog(logger.LevelDebug, \"partial success from check password hook for user %q, ip %v, protocol %v\",\n\t\t\t\tuser.Username, ip, protocol)\n\t\t\tpassword = hookResponse.ToVerify\n\t\tdefault:\n\t\t\tproviderLog(logger.LevelDebug, \"password rejected by check password hook for user %q, ip %v, protocol %v, status: %v\",\n\t\t\t\tuser.Username, ip, protocol, hookResponse.Status)\n\t\t\treturn *user, ErrInvalidCredentials\n\t\t}\n\t}\n\n\tmatch, err := isPasswordOK(user, password)\n\tif !match {\n\t\terr = ErrInvalidCredentials\n\t}\n\treturn *user, err\n}\n\nfunc checkUserPasscode(user *User, password, protocol string) (string, error) {\n\tif user.Filters.TOTPConfig.Enabled {\n\t\tswitch protocol {\n\t\tcase protocolFTP:\n\t\t\tif slices.Contains(user.Filters.TOTPConfig.Protocols, protocol) {\n\t\t\t\t// the TOTP passcode has six digits\n\t\t\t\tpwdLen := len(password)\n\t\t\t\tif pwdLen < 7 {\n\t\t\t\t\tproviderLog(logger.LevelDebug, \"password len %v is too short to contain a passcode, user %q, protocol %v\",\n\t\t\t\t\t\tpwdLen, user.Username, protocol)\n\t\t\t\t\treturn \"\", util.NewValidationError(\"password too short, cannot contain the passcode\")\n\t\t\t\t}\n\t\t\t\terr := user.Filters.TOTPConfig.Secret.TryDecrypt()\n\t\t\t\tif err != nil {\n\t\t\t\t\tproviderLog(logger.LevelError, \"unable to decrypt TOTP secret for user %q, protocol %v, err: %v\",\n\t\t\t\t\t\tuser.Username, protocol, err)\n\t\t\t\t\treturn \"\", err\n\t\t\t\t}\n\t\t\t\tpwd := password[0:(pwdLen - 6)]\n\t\t\t\tpasscode := password[(pwdLen - 6):]\n\t\t\t\tmatch, err := mfa.ValidateTOTPPasscode(user.Filters.TOTPConfig.ConfigName, passcode,\n\t\t\t\t\tuser.Filters.TOTPConfig.Secret.GetPayload())\n\t\t\t\tif !match || err != nil {\n\t\t\t\t\tproviderLog(logger.LevelWarn, \"invalid passcode for user %q, protocol %v, err: %v\",\n\t\t\t\t\t\tuser.Username, protocol, err)\n\t\t\t\t\treturn \"\", util.NewValidationError(\"invalid passcode\")\n\t\t\t\t}\n\t\t\t\treturn pwd, nil\n\t\t\t}\n\t\t}\n\t}\n\treturn password, nil\n}\n\nfunc checkUserAndPubKey(user *User, pubKey []byte, isSSHCert bool) (User, string, error) {\n\terr := user.LoadAndApplyGroupSettings()\n\tif err != nil {\n\t\treturn *user, \"\", err\n\t}\n\terr = user.CheckLoginConditions()\n\tif err != nil {\n\t\treturn *user, \"\", err\n\t}\n\tif isSSHCert {\n\t\treturn *user, \"\", nil\n\t}\n\tif len(user.PublicKeys) == 0 {\n\t\treturn *user, \"\", ErrInvalidCredentials\n\t}\n\tfor idx, key := range user.PublicKeys {\n\t\tstoredKey, comment, _, _, err := ssh.ParseAuthorizedKey(util.StringToBytes(key))\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelError, \"error parsing stored public key %d for user %s: %v\", idx, user.Username, err)\n\t\t\treturn *user, \"\", err\n\t\t}\n\t\tif bytes.Equal(storedKey.Marshal(), pubKey) {\n\t\t\treturn *user, fmt.Sprintf(\"%s:%s\", ssh.FingerprintSHA256(storedKey), comment), nil\n\t\t}\n\t}\n\treturn *user, \"\", ErrInvalidCredentials\n}\n\nfunc compareDigestPasswordAndHash(user *User, password string) bool {\n\tif strings.HasPrefix(user.Password, md5DigestPwdPrefix) {\n\t\th := md5.New()\n\t\th.Write([]byte(password))\n\t\treturn fmt.Sprintf(\"%s%x\", md5DigestPwdPrefix, h.Sum(nil)) == user.Password\n\t}\n\tif strings.HasPrefix(user.Password, sha256DigestPwdPrefix) {\n\t\th := sha256.New()\n\t\th.Write([]byte(password))\n\t\treturn fmt.Sprintf(\"%s%x\", sha256DigestPwdPrefix, h.Sum(nil)) == user.Password\n\t}\n\tif strings.HasPrefix(user.Password, sha512DigestPwdPrefix) {\n\t\th := sha512.New()\n\t\th.Write([]byte(password))\n\t\treturn fmt.Sprintf(\"%s%x\", sha512DigestPwdPrefix, h.Sum(nil)) == user.Password\n\t}\n\treturn false\n}\n\nfunc compareUnixPasswordAndHash(user *User, password string) (bool, error) {\n\tif strings.HasPrefix(user.Password, yescryptPwdPrefix) {\n\t\treturn compareYescryptPassword(user.Password, password)\n\t}\n\tvar crypter crypt.Crypter\n\tif strings.HasPrefix(user.Password, sha512cryptPwdPrefix) {\n\t\tcrypter = sha512_crypt.New()\n\t} else if strings.HasPrefix(user.Password, sha256cryptPwdPrefix) {\n\t\tcrypter = sha256_crypt.New()\n\t} else if strings.HasPrefix(user.Password, md5cryptPwdPrefix) {\n\t\tcrypter = md5_crypt.New()\n\t} else if strings.HasPrefix(user.Password, md5cryptApr1PwdPrefix) {\n\t\tcrypter = apr1_crypt.New()\n\t} else {\n\t\treturn false, errors.New(\"unix crypt: invalid or unsupported hash format\")\n\t}\n\tif err := crypter.Verify(user.Password, []byte(password)); err != nil {\n\t\treturn false, err\n\t}\n\treturn true, nil\n}\n\nfunc comparePbkdf2PasswordAndHash(password, hashedPassword string) (bool, error) {\n\tvals := strings.Split(hashedPassword, \"$\")\n\tif len(vals) != 5 {\n\t\treturn false, fmt.Errorf(\"pbkdf2: hash is not in the correct format\")\n\t}\n\titerations, err := strconv.Atoi(vals[2])\n\tif err != nil {\n\t\treturn false, err\n\t}\n\texpected, err := base64.StdEncoding.DecodeString(vals[4])\n\tif err != nil {\n\t\treturn false, err\n\t}\n\tvar salt []byte\n\tif util.IsStringPrefixInSlice(hashedPassword, pbkdfPwdB64SaltPrefixes) {\n\t\tsalt, err = base64.StdEncoding.DecodeString(vals[3])\n\t\tif err != nil {\n\t\t\treturn false, err\n\t\t}\n\t} else {\n\t\tsalt = []byte(vals[3])\n\t}\n\tvar hashFunc func() hash.Hash\n\tif strings.HasPrefix(hashedPassword, pbkdf2SHA256Prefix) || strings.HasPrefix(hashedPassword, pbkdf2SHA256B64SaltPrefix) {\n\t\thashFunc = sha256.New\n\t} else if strings.HasPrefix(hashedPassword, pbkdf2SHA512Prefix) {\n\t\thashFunc = sha512.New\n\t} else if strings.HasPrefix(hashedPassword, pbkdf2SHA1Prefix) {\n\t\thashFunc = sha1.New\n\t} else {\n\t\treturn false, fmt.Errorf(\"pbkdf2: invalid or unsupported hash format %v\", vals[1])\n\t}\n\tdf := pbkdf2.Key([]byte(password), salt, iterations, len(expected), hashFunc)\n\treturn subtle.ConstantTimeCompare(df, expected) == 1, nil\n}\n\nfunc getSSLMode() string {\n\tswitch config.Driver {\n\tcase PGSQLDataProviderName, CockroachDataProviderName:\n\t\tswitch config.SSLMode {\n\t\tcase 0:\n\t\t\treturn \"disable\"\n\t\tcase 1:\n\t\t\treturn \"require\"\n\t\tcase 2:\n\t\t\treturn \"verify-ca\"\n\t\tcase 3:\n\t\t\treturn \"verify-full\"\n\t\tcase 4:\n\t\t\treturn \"prefer\"\n\t\tcase 5:\n\t\t\treturn \"allow\"\n\t\t}\n\tcase MySQLDataProviderName:\n\t\tif config.requireCustomTLSForMySQL() {\n\t\t\treturn \"custom\"\n\t\t}\n\t\tswitch config.SSLMode {\n\t\tcase 0:\n\t\t\treturn \"false\"\n\t\tcase 1:\n\t\t\treturn \"true\"\n\t\tcase 2:\n\t\t\treturn \"skip-verify\"\n\t\tcase 3:\n\t\t\treturn \"preferred\"\n\t\t}\n\t}\n\treturn \"\"\n}\n\nfunc terminateInteractiveAuthProgram(cmd *exec.Cmd, isFinished bool) {\n\tif isFinished {\n\t\treturn\n\t}\n\tproviderLog(logger.LevelInfo, \"kill interactive auth program after an unexpected error\")\n\terr := cmd.Process.Kill()\n\tif err != nil {\n\t\tproviderLog(logger.LevelDebug, \"error killing interactive auth program: %v\", err)\n\t}\n}\n\nfunc sendKeyboardAuthHTTPReq(url string, request *plugin.KeyboardAuthRequest) (*plugin.KeyboardAuthResponse, error) {\n\treqAsJSON, err := json.Marshal(request)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"error serializing keyboard interactive auth request: %v\", err)\n\t\treturn nil, err\n\t}\n\tresp, err := httpclient.Post(url, \"application/json\", bytes.NewBuffer(reqAsJSON))\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"error getting keyboard interactive auth hook HTTP response: %v\", err)\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\tif resp.StatusCode != http.StatusOK {\n\t\treturn nil, fmt.Errorf(\"wrong keyboard interactive auth http status code: %v, expected 200\", resp.StatusCode)\n\t}\n\tvar response plugin.KeyboardAuthResponse\n\terr = render.DecodeJSON(resp.Body, &response)\n\treturn &response, err\n}\n\nfunc doBuiltinKeyboardInteractiveAuth(user *User, client ssh.KeyboardInteractiveChallenge,\n\tip, protocol string, isPartialAuth bool,\n) (int, error) {\n\tif err := user.LoadAndApplyGroupSettings(); err != nil {\n\t\treturn 0, err\n\t}\n\thasSecondFactor := user.Filters.TOTPConfig.Enabled && slices.Contains(user.Filters.TOTPConfig.Protocols, protocolSSH)\n\tif !isPartialAuth || !hasSecondFactor {\n\t\tanswers, err := client(\"\", \"\", []string{\"Password: \"}, []bool{false})\n\t\tif err != nil {\n\t\t\treturn 0, err\n\t\t}\n\t\tif len(answers) != 1 {\n\t\t\treturn 0, fmt.Errorf(\"unexpected number of answers: %d\", len(answers))\n\t\t}\n\t\t_, err = checkUserAndPass(user, answers[0], ip, protocol)\n\t\tif err != nil {\n\t\t\treturn 0, err\n\t\t}\n\t}\n\treturn checkKeyboardInteractiveSecondFactor(user, client, protocol)\n}\n\nfunc checkKeyboardInteractiveSecondFactor(user *User, client ssh.KeyboardInteractiveChallenge, protocol string) (int, error) {\n\tif !user.Filters.TOTPConfig.Enabled || !slices.Contains(user.Filters.TOTPConfig.Protocols, protocolSSH) {\n\t\treturn 1, nil\n\t}\n\terr := user.Filters.TOTPConfig.Secret.TryDecrypt()\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to decrypt TOTP secret for user %q, protocol %v, err: %v\",\n\t\t\tuser.Username, protocol, err)\n\t\treturn 0, err\n\t}\n\tanswers, err := client(\"\", \"\", []string{\"Authentication code: \"}, []bool{false})\n\tif err != nil {\n\t\treturn 0, err\n\t}\n\tif len(answers) != 1 {\n\t\treturn 0, fmt.Errorf(\"unexpected number of answers: %v\", len(answers))\n\t}\n\tmatch, err := mfa.ValidateTOTPPasscode(user.Filters.TOTPConfig.ConfigName, answers[0],\n\t\tuser.Filters.TOTPConfig.Secret.GetPayload())\n\tif !match || err != nil {\n\t\tproviderLog(logger.LevelWarn, \"invalid passcode for user %q, protocol %v, err: %v\",\n\t\t\tuser.Username, protocol, err)\n\t\treturn 0, util.NewValidationError(\"invalid passcode\")\n\t}\n\treturn 1, nil\n}\n\nfunc executeKeyboardInteractivePlugin(user *User, client ssh.KeyboardInteractiveChallenge, ip, protocol string) (int, error) {\n\tauthResult := 0\n\trequestID := xid.New().String()\n\tauthStep := 1\n\treq := &plugin.KeyboardAuthRequest{\n\t\tUsername: user.Username,\n\t\tIP: ip,\n\t\tPassword: user.Password,\n\t\tRequestID: requestID,\n\t\tStep: authStep,\n\t}\n\tvar response *plugin.KeyboardAuthResponse\n\tvar err error\n\tfor {\n\t\tresponse, err = plugin.Handler.ExecuteKeyboardInteractiveStep(req)\n\t\tif err != nil {\n\t\t\treturn authResult, err\n\t\t}\n\t\tif response.AuthResult != 0 {\n\t\t\treturn response.AuthResult, err\n\t\t}\n\t\tif err = response.Validate(); err != nil {\n\t\t\tproviderLog(logger.LevelInfo, \"invalid response from keyboard interactive plugin: %v\", err)\n\t\t\treturn authResult, err\n\t\t}\n\t\tanswers, err := getKeyboardInteractiveAnswers(client, response, user, ip, protocol)\n\t\tif err != nil {\n\t\t\treturn authResult, err\n\t\t}\n\t\tauthStep++\n\t\treq = &plugin.KeyboardAuthRequest{\n\t\t\tRequestID: requestID,\n\t\t\tStep: authStep,\n\t\t\tUsername: user.Username,\n\t\t\tPassword: user.Password,\n\t\t\tAnswers: answers,\n\t\t\tQuestions: response.Questions,\n\t\t}\n\t}\n}\n\nfunc executeKeyboardInteractiveHTTPHook(user *User, authHook string, client ssh.KeyboardInteractiveChallenge, ip, protocol string) (int, error) {\n\tauthResult := 0\n\trequestID := xid.New().String()\n\tauthStep := 1\n\treq := &plugin.KeyboardAuthRequest{\n\t\tUsername: user.Username,\n\t\tIP: ip,\n\t\tPassword: user.Password,\n\t\tRequestID: requestID,\n\t\tStep: authStep,\n\t}\n\tvar response *plugin.KeyboardAuthResponse\n\tvar err error\n\tfor {\n\t\tresponse, err = sendKeyboardAuthHTTPReq(authHook, req)\n\t\tif err != nil {\n\t\t\treturn authResult, err\n\t\t}\n\t\tif response.AuthResult != 0 {\n\t\t\treturn response.AuthResult, err\n\t\t}\n\t\tif err = response.Validate(); err != nil {\n\t\t\tproviderLog(logger.LevelInfo, \"invalid response from keyboard interactive http hook: %v\", err)\n\t\t\treturn authResult, err\n\t\t}\n\t\tanswers, err := getKeyboardInteractiveAnswers(client, response, user, ip, protocol)\n\t\tif err != nil {\n\t\t\treturn authResult, err\n\t\t}\n\t\tauthStep++\n\t\treq = &plugin.KeyboardAuthRequest{\n\t\t\tRequestID: requestID,\n\t\t\tStep: authStep,\n\t\t\tUsername: user.Username,\n\t\t\tPassword: user.Password,\n\t\t\tAnswers: answers,\n\t\t\tQuestions: response.Questions,\n\t\t}\n\t}\n}\n\nfunc getKeyboardInteractiveAnswers(client ssh.KeyboardInteractiveChallenge, response *plugin.KeyboardAuthResponse,\n\tuser *User, ip, protocol string,\n) ([]string, error) {\n\tquestions := response.Questions\n\tanswers, err := client(\"\", response.Instruction, questions, response.Echos)\n\tif err != nil {\n\t\tproviderLog(logger.LevelInfo, \"error getting interactive auth client response: %v\", err)\n\t\treturn answers, err\n\t}\n\tif len(answers) != len(questions) {\n\t\terr = fmt.Errorf(\"client answers does not match questions, expected: %v actual: %v\", questions, answers)\n\t\tproviderLog(logger.LevelInfo, \"keyboard interactive auth error: %v\", err)\n\t\treturn answers, err\n\t}\n\tif len(answers) == 1 && response.CheckPwd > 0 {\n\t\tif response.CheckPwd == 2 {\n\t\t\tif !user.Filters.TOTPConfig.Enabled || !slices.Contains(user.Filters.TOTPConfig.Protocols, protocolSSH) {\n\t\t\t\tproviderLog(logger.LevelInfo, \"keyboard interactive auth error: unable to check TOTP passcode, TOTP is not enabled for user %q\",\n\t\t\t\t\tuser.Username)\n\t\t\t\treturn answers, errors.New(\"TOTP not enabled for SSH protocol\")\n\t\t\t}\n\t\t\terr := user.Filters.TOTPConfig.Secret.TryDecrypt()\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelError, \"unable to decrypt TOTP secret for user %q, protocol %v, err: %v\",\n\t\t\t\t\tuser.Username, protocol, err)\n\t\t\t\treturn answers, fmt.Errorf(\"unable to decrypt TOTP secret: %w\", err)\n\t\t\t}\n\t\t\tmatch, err := mfa.ValidateTOTPPasscode(user.Filters.TOTPConfig.ConfigName, answers[0],\n\t\t\t\tuser.Filters.TOTPConfig.Secret.GetPayload())\n\t\t\tif !match || err != nil {\n\t\t\t\tproviderLog(logger.LevelInfo, \"keyboard interactive auth error: unable to validate passcode for user %q, match? %v, err: %v\",\n\t\t\t\t\tuser.Username, match, err)\n\t\t\t\treturn answers, errors.New(\"unable to validate TOTP passcode\")\n\t\t\t}\n\t\t} else {\n\t\t\t_, err = checkUserAndPass(user, answers[0], ip, protocol)\n\t\t\tproviderLog(logger.LevelInfo, \"interactive auth hook requested password validation for user %q, validation error: %v\",\n\t\t\t\tuser.Username, err)\n\t\t\tif err != nil {\n\t\t\t\treturn answers, err\n\t\t\t}\n\t\t}\n\t\tanswers[0] = \"OK\"\n\t}\n\treturn answers, err\n}\n\nfunc handleProgramInteractiveQuestions(client ssh.KeyboardInteractiveChallenge, response *plugin.KeyboardAuthResponse,\n\tuser *User, stdin io.WriteCloser, ip, protocol string,\n) error {\n\tanswers, err := getKeyboardInteractiveAnswers(client, response, user, ip, protocol)\n\tif err != nil {\n\t\treturn err\n\t}\n\tfor _, answer := range answers {\n\t\tif runtime.GOOS == \"windows\" {\n\t\t\tanswer += \"\\r\"\n\t\t}\n\t\tanswer += \"\\n\"\n\t\t_, err = stdin.Write([]byte(answer))\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelError, \"unable to write client answer to keyboard interactive program: %v\", err)\n\t\t\treturn err\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc executeKeyboardInteractiveProgram(user *User, authHook string, client ssh.KeyboardInteractiveChallenge, ip, protocol string) (int, error) {\n\tauthResult := 0\n\ttimeout, env, args := command.GetConfig(authHook, command.HookKeyboardInteractive)\n\tctx, cancel := context.WithTimeout(context.Background(), timeout)\n\tdefer cancel()\n\n\tcmd := exec.CommandContext(ctx, authHook, args...)\n\tcmd.Env = append(env,\n\t\tfmt.Sprintf(\"SFTPGO_AUTHD_USERNAME=%s\", user.Username),\n\t\tfmt.Sprintf(\"SFTPGO_AUTHD_IP=%s\", ip),\n\t\tfmt.Sprintf(\"SFTPGO_AUTHD_PASSWORD=%s\", user.Password))\n\tstdout, err := cmd.StdoutPipe()\n\tif err != nil {\n\t\treturn authResult, err\n\t}\n\tstdin, err := cmd.StdinPipe()\n\tif err != nil {\n\t\treturn authResult, err\n\t}\n\terr = cmd.Start()\n\tif err != nil {\n\t\treturn authResult, err\n\t}\n\tvar once sync.Once\n\tscanner := bufio.NewScanner(stdout)\n\tfor scanner.Scan() {\n\t\tvar response plugin.KeyboardAuthResponse\n\t\terr = json.Unmarshal(scanner.Bytes(), &response)\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelInfo, \"interactive auth error parsing response: %v\", err)\n\t\t\tonce.Do(func() { terminateInteractiveAuthProgram(cmd, false) })\n\t\t\tbreak\n\t\t}\n\t\tif response.AuthResult != 0 {\n\t\t\tauthResult = response.AuthResult\n\t\t\tbreak\n\t\t}\n\t\tif err = response.Validate(); err != nil {\n\t\t\tproviderLog(logger.LevelInfo, \"invalid response from keyboard interactive program: %v\", err)\n\t\t\tonce.Do(func() { terminateInteractiveAuthProgram(cmd, false) })\n\t\t\tbreak\n\t\t}\n\t\tgo func() {\n\t\t\terr := handleProgramInteractiveQuestions(client, &response, user, stdin, ip, protocol)\n\t\t\tif err != nil {\n\t\t\t\tonce.Do(func() { terminateInteractiveAuthProgram(cmd, false) })\n\t\t\t}\n\t\t}()\n\t}\n\tstdin.Close()\n\tonce.Do(func() { terminateInteractiveAuthProgram(cmd, true) })\n\tgo func() {\n\t\t_, err := cmd.Process.Wait()\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelWarn, \"error waiting for %q process to exit: %v\", authHook, err)\n\t\t}\n\t}()\n\n\treturn authResult, err\n}\n\nfunc doKeyboardInteractiveAuth(user *User, authHook string, client ssh.KeyboardInteractiveChallenge,\n\tip, protocol string, isPartialAuth bool,\n) (User, error) {\n\tif err := user.LoadAndApplyGroupSettings(); err != nil {\n\t\treturn *user, err\n\t}\n\tvar authResult int\n\tvar err error\n\tif !user.Filters.Hooks.ExternalAuthDisabled {\n\t\tif plugin.Handler.HasAuthScope(plugin.AuthScopeKeyboardInteractive) {\n\t\t\tauthResult, err = executeKeyboardInteractivePlugin(user, client, ip, protocol)\n\t\t\tif authResult == 1 && err == nil {\n\t\t\t\tauthResult, err = checkKeyboardInteractiveSecondFactor(user, client, protocol)\n\t\t\t}\n\t\t} else if authHook != \"\" {\n\t\t\tif strings.HasPrefix(authHook, \"http\") {\n\t\t\t\tauthResult, err = executeKeyboardInteractiveHTTPHook(user, authHook, client, ip, protocol)\n\t\t\t} else {\n\t\t\t\tauthResult, err = executeKeyboardInteractiveProgram(user, authHook, client, ip, protocol)\n\t\t\t}\n\t\t} else {\n\t\t\tauthResult, err = doBuiltinKeyboardInteractiveAuth(user, client, ip, protocol, isPartialAuth)\n\t\t}\n\t} else {\n\t\tauthResult, err = doBuiltinKeyboardInteractiveAuth(user, client, ip, protocol, isPartialAuth)\n\t}\n\tif err != nil {\n\t\treturn *user, err\n\t}\n\tif authResult != 1 {\n\t\treturn *user, fmt.Errorf(\"keyboard interactive auth failed, result: %v\", authResult)\n\t}\n\terr = user.CheckLoginConditions()\n\tif err != nil {\n\t\treturn *user, err\n\t}\n\treturn *user, nil\n}\n\nfunc isCheckPasswordHookDefined(protocol string) bool {\n\tif config.CheckPasswordHook == \"\" {\n\t\treturn false\n\t}\n\tif config.CheckPasswordScope == 0 {\n\t\treturn true\n\t}\n\tswitch protocol {\n\tcase protocolSSH:\n\t\treturn config.CheckPasswordScope&1 != 0\n\tcase protocolFTP:\n\t\treturn config.CheckPasswordScope&2 != 0\n\tcase protocolWebDAV:\n\t\treturn config.CheckPasswordScope&4 != 0\n\tdefault:\n\t\treturn false\n\t}\n}\n\nfunc getPasswordHookResponse(username, password, ip, protocol string) ([]byte, error) {\n\tif strings.HasPrefix(config.CheckPasswordHook, \"http\") {\n\t\tvar result []byte\n\t\treq := checkPasswordRequest{\n\t\t\tUsername: username,\n\t\t\tPassword: password,\n\t\t\tIP: ip,\n\t\t\tProtocol: protocol,\n\t\t}\n\t\treqAsJSON, err := json.Marshal(req)\n\t\tif err != nil {\n\t\t\treturn result, err\n\t\t}\n\t\tresp, err := httpclient.Post(config.CheckPasswordHook, \"application/json\", bytes.NewBuffer(reqAsJSON))\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelError, \"error getting check password hook response: %v\", err)\n\t\t\treturn result, err\n\t\t}\n\t\tdefer resp.Body.Close()\n\t\tif resp.StatusCode != http.StatusOK {\n\t\t\treturn result, fmt.Errorf(\"wrong http status code from chek password hook: %v, expected 200\", resp.StatusCode)\n\t\t}\n\t\treturn io.ReadAll(io.LimitReader(resp.Body, maxHookResponseSize))\n\t}\n\ttimeout, env, args := command.GetConfig(config.CheckPasswordHook, command.HookCheckPassword)\n\tctx, cancel := context.WithTimeout(context.Background(), timeout)\n\tdefer cancel()\n\n\tcmd := exec.CommandContext(ctx, config.CheckPasswordHook, args...)\n\tcmd.Env = append(env,\n\t\tfmt.Sprintf(\"SFTPGO_AUTHD_USERNAME=%s\", username),\n\t\tfmt.Sprintf(\"SFTPGO_AUTHD_PASSWORD=%s\", password),\n\t\tfmt.Sprintf(\"SFTPGO_AUTHD_IP=%s\", ip),\n\t\tfmt.Sprintf(\"SFTPGO_AUTHD_PROTOCOL=%s\", protocol),\n\t)\n\treturn getCmdOutput(cmd, \"check_password_hook\")\n}\n\nfunc executeCheckPasswordHook(username, password, ip, protocol string) (checkPasswordResponse, error) {\n\tvar response checkPasswordResponse\n\n\tif !isCheckPasswordHookDefined(protocol) {\n\t\tresponse.Status = -1\n\t\treturn response, nil\n\t}\n\n\tstartTime := time.Now()\n\tout, err := getPasswordHookResponse(username, password, ip, protocol)\n\tproviderLog(logger.LevelDebug, \"check password hook executed, error: %v, elapsed: %v\", err, time.Since(startTime))\n\tif err != nil {\n\t\treturn response, err\n\t}\n\terr = json.Unmarshal(out, &response)\n\treturn response, err\n}\n\nfunc getPreLoginHookResponse(loginMethod, ip, protocol string, userAsJSON []byte) ([]byte, error) {\n\tif strings.HasPrefix(config.PreLoginHook, \"http\") {\n\t\tvar url *url.URL\n\t\tvar result []byte\n\t\turl, err := url.Parse(config.PreLoginHook)\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelError, \"invalid url for pre-login hook %q, error: %v\", config.PreLoginHook, err)\n\t\t\treturn result, err\n\t\t}\n\t\tq := url.Query()\n\t\tq.Add(\"login_method\", loginMethod)\n\t\tq.Add(\"ip\", ip)\n\t\tq.Add(\"protocol\", protocol)\n\t\turl.RawQuery = q.Encode()\n\n\t\tresp, err := httpclient.Post(url.String(), \"application/json\", bytes.NewBuffer(userAsJSON))\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelWarn, \"error getting pre-login hook response: %v\", err)\n\t\t\treturn result, err\n\t\t}\n\t\tdefer resp.Body.Close()\n\t\tif resp.StatusCode == http.StatusNoContent {\n\t\t\treturn result, nil\n\t\t}\n\t\tif resp.StatusCode != http.StatusOK {\n\t\t\treturn result, fmt.Errorf(\"wrong pre-login hook http status code: %v, expected 200\", resp.StatusCode)\n\t\t}\n\t\treturn io.ReadAll(io.LimitReader(resp.Body, maxHookResponseSize))\n\t}\n\ttimeout, env, args := command.GetConfig(config.PreLoginHook, command.HookPreLogin)\n\tctx, cancel := context.WithTimeout(context.Background(), timeout)\n\tdefer cancel()\n\n\tcmd := exec.CommandContext(ctx, config.PreLoginHook, args...)\n\tcmd.Env = append(env,\n\t\tfmt.Sprintf(\"SFTPGO_LOGIND_USER=%s\", userAsJSON),\n\t\tfmt.Sprintf(\"SFTPGO_LOGIND_METHOD=%s\", loginMethod),\n\t\tfmt.Sprintf(\"SFTPGO_LOGIND_IP=%s\", ip),\n\t\tfmt.Sprintf(\"SFTPGO_LOGIND_PROTOCOL=%s\", protocol),\n\t)\n\treturn getCmdOutput(cmd, \"pre_login_hook\")\n}\n\nfunc executePreLoginHook(username, loginMethod, ip, protocol string, oidcTokenFields *map[string]any) (User, error) {\n\tvar user User\n\n\tu, mergedUser, userAsJSON, err := getUserAndJSONForHook(username, oidcTokenFields)\n\tif err != nil {\n\t\treturn u, err\n\t}\n\tif mergedUser.Filters.Hooks.PreLoginDisabled {\n\t\treturn u, nil\n\t}\n\tstartTime := time.Now()\n\tout, err := getPreLoginHookResponse(loginMethod, ip, protocol, userAsJSON)\n\tif err != nil {\n\t\treturn u, fmt.Errorf(\"pre-login hook error: %v, username %q, ip %v, protocol %v elapsed %v\",\n\t\t\terr, username, ip, protocol, time.Since(startTime))\n\t}\n\tproviderLog(logger.LevelDebug, \"pre-login hook completed, elapsed: %s\", time.Since(startTime))\n\tif util.IsByteArrayEmpty(out) {\n\t\tproviderLog(logger.LevelDebug, \"empty response from pre-login hook, no modification requested for user %q id: %d\",\n\t\t\tusername, u.ID)\n\t\tif u.ID == 0 {\n\t\t\treturn u, util.NewRecordNotFoundError(fmt.Sprintf(\"username %q does not exist\", username))\n\t\t}\n\t\treturn u, nil\n\t}\n\terr = json.Unmarshal(out, &user)\n\tif err != nil {\n\t\treturn u, fmt.Errorf(\"invalid pre-login hook response %q, error: %v\", out, err)\n\t}\n\tif u.ID > 0 {\n\t\tuser.ID = u.ID\n\t\tuser.UsedQuotaSize = u.UsedQuotaSize\n\t\tuser.UsedQuotaFiles = u.UsedQuotaFiles\n\t\tuser.UsedUploadDataTransfer = u.UsedUploadDataTransfer\n\t\tuser.UsedDownloadDataTransfer = u.UsedDownloadDataTransfer\n\t\tuser.LastQuotaUpdate = u.LastQuotaUpdate\n\t\tuser.LastLogin = u.LastLogin\n\t\tuser.LastPasswordChange = u.LastPasswordChange\n\t\tuser.FirstDownload = u.FirstDownload\n\t\tuser.FirstUpload = u.FirstUpload\n\t\t// preserve TOTP config and recovery codes\n\t\tuser.Filters.TOTPConfig = u.Filters.TOTPConfig\n\t\tuser.Filters.RecoveryCodes = u.Filters.RecoveryCodes\n\t\tif err := provider.updateUser(&user); err != nil {\n\t\t\treturn u, err\n\t\t}\n\t} else {\n\t\tif err := provider.addUser(&user); err != nil {\n\t\t\treturn u, err\n\t\t}\n\t}\n\tuser, err = provider.userExists(user.Username, \"\")\n\tif err != nil {\n\t\treturn u, err\n\t}\n\tproviderLog(logger.LevelDebug, \"user %q added/updated from pre-login hook response, id: %d\", username, u.ID)\n\tif u.ID > 0 {\n\t\twebDAVUsersCache.swap(&user, \"\")\n\t}\n\treturn user, nil\n}\n\n// ExecutePostLoginHook executes the post login hook if defined\nfunc ExecutePostLoginHook(user *User, loginMethod, ip, protocol string, err error) {\n\tif config.PostLoginHook == \"\" {\n\t\treturn\n\t}\n\tif config.PostLoginScope == 1 && err == nil {\n\t\treturn\n\t}\n\tif config.PostLoginScope == 2 && err != nil {\n\t\treturn\n\t}\n\n\tgo func() {\n\t\tactionsConcurrencyGuard <- struct{}{}\n\t\tdefer func() {\n\t\t\t<-actionsConcurrencyGuard\n\t\t}()\n\n\t\tstatus := \"0\"\n\t\tif err == nil {\n\t\t\tstatus = \"1\"\n\t\t}\n\n\t\tuser.PrepareForRendering()\n\t\tuserAsJSON, err := json.Marshal(user)\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelError, \"error serializing user in post login hook: %v\", err)\n\t\t\treturn\n\t\t}\n\t\tif strings.HasPrefix(config.PostLoginHook, \"http\") {\n\t\t\tvar url *url.URL\n\t\t\turl, err := url.Parse(config.PostLoginHook)\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelDebug, \"Invalid post-login hook %q\", config.PostLoginHook)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tq := url.Query()\n\t\t\tq.Add(\"login_method\", loginMethod)\n\t\t\tq.Add(\"ip\", ip)\n\t\t\tq.Add(\"protocol\", protocol)\n\t\t\tq.Add(\"status\", status)\n\t\t\turl.RawQuery = q.Encode()\n\n\t\t\tstartTime := time.Now()\n\t\t\trespCode := 0\n\t\t\tresp, err := httpclient.RetryablePost(url.String(), \"application/json\", bytes.NewBuffer(userAsJSON))\n\t\t\tif err == nil {\n\t\t\t\trespCode = resp.StatusCode\n\t\t\t\tresp.Body.Close()\n\t\t\t}\n\t\t\tproviderLog(logger.LevelDebug, \"post login hook executed for user %q, ip %v, protocol %v, response code: %v, elapsed: %v err: %v\",\n\t\t\t\tuser.Username, ip, protocol, respCode, time.Since(startTime), err)\n\t\t\treturn\n\t\t}\n\t\ttimeout, env, args := command.GetConfig(config.PostLoginHook, command.HookPostLogin)\n\t\tctx, cancel := context.WithTimeout(context.Background(), timeout)\n\t\tdefer cancel()\n\n\t\tcmd := exec.CommandContext(ctx, config.PostLoginHook, args...)\n\t\tcmd.Env = append(env,\n\t\t\tfmt.Sprintf(\"SFTPGO_LOGIND_USER=%s\", userAsJSON),\n\t\t\tfmt.Sprintf(\"SFTPGO_LOGIND_IP=%s\", ip),\n\t\t\tfmt.Sprintf(\"SFTPGO_LOGIND_METHOD=%s\", loginMethod),\n\t\t\tfmt.Sprintf(\"SFTPGO_LOGIND_STATUS=%s\", status),\n\t\t\tfmt.Sprintf(\"SFTPGO_LOGIND_PROTOCOL=%s\", protocol))\n\t\tstartTime := time.Now()\n\t\terr = cmd.Run()\n\t\tproviderLog(logger.LevelDebug, \"post login hook executed for user %q, ip %v, protocol %v, elapsed %v err: %v\",\n\t\t\tuser.Username, ip, protocol, time.Since(startTime), err)\n\t}()\n}\n\nfunc getExternalAuthResponse(username, password, pkey, keyboardInteractive, ip, protocol string, cert *x509.Certificate,\n\tuser User,\n) ([]byte, error) {\n\tvar tlsCert string\n\tif cert != nil {\n\t\tvar err error\n\t\ttlsCert, err = util.EncodeTLSCertToPem(cert)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t}\n\tif strings.HasPrefix(config.ExternalAuthHook, \"http\") {\n\t\tvar result []byte\n\t\tauthRequest := make(map[string]any)\n\t\tauthRequest[\"username\"] = username\n\t\tauthRequest[\"ip\"] = ip\n\t\tauthRequest[\"password\"] = password\n\t\tauthRequest[\"public_key\"] = pkey\n\t\tauthRequest[\"protocol\"] = protocol\n\t\tauthRequest[\"keyboard_interactive\"] = keyboardInteractive\n\t\tauthRequest[\"tls_cert\"] = tlsCert\n\t\tif user.ID > 0 {\n\t\t\tauthRequest[\"user\"] = user\n\t\t}\n\t\tauthRequestAsJSON, err := json.Marshal(authRequest)\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelError, \"error serializing external auth request: %v\", err)\n\t\t\treturn result, err\n\t\t}\n\t\tresp, err := httpclient.Post(config.ExternalAuthHook, \"application/json\", bytes.NewBuffer(authRequestAsJSON))\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelWarn, \"error getting external auth hook HTTP response: %v\", err)\n\t\t\treturn result, err\n\t\t}\n\t\tdefer resp.Body.Close()\n\t\tproviderLog(logger.LevelDebug, \"external auth hook executed, response code: %v\", resp.StatusCode)\n\t\tif resp.StatusCode != http.StatusOK {\n\t\t\treturn result, fmt.Errorf(\"wrong external auth http status code: %v, expected 200\", resp.StatusCode)\n\t\t}\n\n\t\treturn io.ReadAll(io.LimitReader(resp.Body, maxHookResponseSize))\n\t}\n\tvar userAsJSON []byte\n\tvar err error\n\tif user.ID > 0 {\n\t\tuserAsJSON, err = json.Marshal(user)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"unable to serialize user as JSON: %w\", err)\n\t\t}\n\t}\n\ttimeout, env, args := command.GetConfig(config.ExternalAuthHook, command.HookExternalAuth)\n\tctx, cancel := context.WithTimeout(context.Background(), timeout)\n\tdefer cancel()\n\n\tcmd := exec.CommandContext(ctx, config.ExternalAuthHook, args...)\n\tcmd.Env = append(env,\n\t\tfmt.Sprintf(\"SFTPGO_AUTHD_USERNAME=%s\", username),\n\t\tfmt.Sprintf(\"SFTPGO_AUTHD_USER=%s\", userAsJSON),\n\t\tfmt.Sprintf(\"SFTPGO_AUTHD_IP=%s\", ip),\n\t\tfmt.Sprintf(\"SFTPGO_AUTHD_PASSWORD=%s\", password),\n\t\tfmt.Sprintf(\"SFTPGO_AUTHD_PUBLIC_KEY=%s\", pkey),\n\t\tfmt.Sprintf(\"SFTPGO_AUTHD_PROTOCOL=%s\", protocol),\n\t\tfmt.Sprintf(\"SFTPGO_AUTHD_TLS_CERT=%s\", strings.ReplaceAll(tlsCert, \"\\n\", \"\\\\n\")),\n\t\tfmt.Sprintf(\"SFTPGO_AUTHD_KEYBOARD_INTERACTIVE=%v\", keyboardInteractive))\n\n\treturn getCmdOutput(cmd, \"external_auth_hook\")\n}\n\nfunc updateUserFromExtAuthResponse(user *User, password, pkey string) {\n\tif password != \"\" {\n\t\tuser.Password = password\n\t}\n\tif pkey != \"\" && !util.IsStringPrefixInSlice(pkey, user.PublicKeys) {\n\t\tuser.PublicKeys = append(user.PublicKeys, pkey)\n\t}\n\tuser.LastPasswordChange = 0\n}\n\nfunc checkPasswordAfterEmptyExtAuthResponse(user *User, plainPwd, protocol string) error {\n\tif plainPwd == \"\" {\n\t\treturn nil\n\t}\n\tmatch, err := isPasswordOK(user, plainPwd)\n\tif match && err == nil {\n\t\treturn nil\n\t}\n\n\thashedPwd, err := hashPlainPassword(plainPwd)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to hash password for user %q after empty external response: %v\",\n\t\t\tuser.Username, err)\n\t\treturn err\n\t}\n\terr = provider.updateUserPassword(user.Username, hashedPwd)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to update password for user %q after empty external response: %v\",\n\t\t\tuser.Username, err)\n\t}\n\tuser.Password = hashedPwd\n\tcachedUserPasswords.Add(user.Username, plainPwd, user.Password)\n\tif protocol != protocolWebDAV {\n\t\twebDAVUsersCache.swap(user, plainPwd)\n\t}\n\tproviderLog(logger.LevelDebug, \"updated password for user %q after empty external auth response\", user.Username)\n\treturn nil\n}\n\nfunc doExternalAuth(username, password string, pubKey []byte, keyboardInteractive, ip, protocol string,\n\ttlsCert *x509.Certificate,\n) (User, error) {\n\tvar user User\n\n\tu, mergedUser, err := getUserForHook(username, nil)\n\tif err != nil {\n\t\treturn user, err\n\t}\n\n\tif mergedUser.skipExternalAuth() {\n\t\treturn u, nil\n\t}\n\n\tpkey, err := util.GetSSHPublicKeyAsString(pubKey)\n\tif err != nil {\n\t\treturn user, err\n\t}\n\n\tstartTime := time.Now()\n\tout, err := getExternalAuthResponse(username, password, pkey, keyboardInteractive, ip, protocol, tlsCert, u)\n\tif err != nil {\n\t\treturn user, fmt.Errorf(\"external auth error for user %q, elapsed: %s: %w\", username, time.Since(startTime), err)\n\t}\n\tproviderLog(logger.LevelDebug, \"external auth completed for user %q, elapsed: %s\", username, time.Since(startTime))\n\tif util.IsByteArrayEmpty(out) {\n\t\tproviderLog(logger.LevelDebug, \"empty response from external hook, no modification requested for user %q, id: %d\",\n\t\t\tusername, u.ID)\n\t\tif u.ID == 0 {\n\t\t\treturn u, util.NewRecordNotFoundError(fmt.Sprintf(\"username %q does not exist\", username))\n\t\t}\n\t\terr = checkPasswordAfterEmptyExtAuthResponse(&u, password, protocol)\n\t\treturn u, err\n\t}\n\terr = json.Unmarshal(out, &user)\n\tif err != nil {\n\t\treturn user, fmt.Errorf(\"invalid external auth response: %v\", err)\n\t}\n\t// an empty username means authentication failure\n\tif user.Username == \"\" {\n\t\treturn user, ErrInvalidCredentials\n\t}\n\tupdateUserFromExtAuthResponse(&user, password, pkey)\n\t// some users want to map multiple login usernames with a single SFTPGo account\n\t// for example an SFTP user logins using \"user1\" or \"user2\" and the external auth\n\t// returns \"user\" in both cases, so we use the username returned from\n\t// external auth and not the one used to login\n\tif user.Username != username {\n\t\tu, err = provider.userExists(user.Username, \"\")\n\t}\n\tif u.ID > 0 && err == nil {\n\t\tuser.ID = u.ID\n\t\tuser.UsedQuotaSize = u.UsedQuotaSize\n\t\tuser.UsedQuotaFiles = u.UsedQuotaFiles\n\t\tuser.UsedUploadDataTransfer = u.UsedUploadDataTransfer\n\t\tuser.UsedDownloadDataTransfer = u.UsedDownloadDataTransfer\n\t\tuser.LastQuotaUpdate = u.LastQuotaUpdate\n\t\tuser.LastLogin = u.LastLogin\n\t\tuser.LastPasswordChange = u.LastPasswordChange\n\t\tuser.FirstDownload = u.FirstDownload\n\t\tuser.FirstUpload = u.FirstUpload\n\t\tuser.CreatedAt = u.CreatedAt\n\t\tuser.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\t// preserve TOTP config and recovery codes\n\t\tuser.Filters.TOTPConfig = u.Filters.TOTPConfig\n\t\tuser.Filters.RecoveryCodes = u.Filters.RecoveryCodes\n\t\tuser, err = updateUserAfterExternalAuth(&user)\n\t\tif err == nil {\n\t\t\tif protocol != protocolWebDAV {\n\t\t\t\twebDAVUsersCache.swap(&user, password)\n\t\t\t}\n\t\t\tcachedUserPasswords.Add(user.Username, password, user.Password)\n\t\t}\n\t\treturn user, err\n\t}\n\terr = provider.addUser(&user)\n\tif err != nil {\n\t\treturn user, err\n\t}\n\treturn provider.userExists(user.Username, \"\")\n}\n\nfunc doPluginAuth(username, password string, pubKey []byte, ip, protocol string,\n\ttlsCert *x509.Certificate, authScope int,\n) (User, error) {\n\tvar user User\n\n\tu, mergedUser, userAsJSON, err := getUserAndJSONForHook(username, nil)\n\tif err != nil {\n\t\treturn user, err\n\t}\n\n\tif mergedUser.skipExternalAuth() {\n\t\treturn u, nil\n\t}\n\n\tpkey, err := util.GetSSHPublicKeyAsString(pubKey)\n\tif err != nil {\n\t\treturn user, err\n\t}\n\n\tstartTime := time.Now()\n\n\tout, err := plugin.Handler.Authenticate(username, password, ip, protocol, pkey, tlsCert, authScope, userAsJSON)\n\tif err != nil {\n\t\treturn user, fmt.Errorf(\"plugin auth error for user %q: %v, elapsed: %v, auth scope: %d\",\n\t\t\tusername, err, time.Since(startTime), authScope)\n\t}\n\tproviderLog(logger.LevelDebug, \"plugin auth completed for user %q, elapsed: %v, auth scope: %d\",\n\t\tusername, time.Since(startTime), authScope)\n\tif util.IsByteArrayEmpty(out) {\n\t\tproviderLog(logger.LevelDebug, \"empty response from plugin auth, no modification requested for user %q id: %d, auth scope: %d\",\n\t\t\tusername, u.ID, authScope)\n\t\tif u.ID == 0 {\n\t\t\treturn u, util.NewRecordNotFoundError(fmt.Sprintf(\"username %q does not exist\", username))\n\t\t}\n\t\terr = checkPasswordAfterEmptyExtAuthResponse(&u, password, protocol)\n\t\treturn u, err\n\t}\n\terr = json.Unmarshal(out, &user)\n\tif err != nil {\n\t\treturn user, fmt.Errorf(\"invalid plugin auth response: %v\", err)\n\t}\n\tupdateUserFromExtAuthResponse(&user, password, pkey)\n\tif u.ID > 0 {\n\t\tuser.ID = u.ID\n\t\tuser.UsedQuotaSize = u.UsedQuotaSize\n\t\tuser.UsedQuotaFiles = u.UsedQuotaFiles\n\t\tuser.UsedUploadDataTransfer = u.UsedUploadDataTransfer\n\t\tuser.UsedDownloadDataTransfer = u.UsedDownloadDataTransfer\n\t\tuser.LastQuotaUpdate = u.LastQuotaUpdate\n\t\tuser.LastLogin = u.LastLogin\n\t\tuser.LastPasswordChange = u.LastPasswordChange\n\t\tuser.FirstDownload = u.FirstDownload\n\t\tuser.FirstUpload = u.FirstUpload\n\t\t// preserve TOTP config and recovery codes\n\t\tuser.Filters.TOTPConfig = u.Filters.TOTPConfig\n\t\tuser.Filters.RecoveryCodes = u.Filters.RecoveryCodes\n\t\tuser, err = updateUserAfterExternalAuth(&user)\n\t\tif err == nil {\n\t\t\tif protocol != protocolWebDAV {\n\t\t\t\twebDAVUsersCache.swap(&user, password)\n\t\t\t}\n\t\t\tcachedUserPasswords.Add(user.Username, password, user.Password)\n\t\t}\n\t\treturn user, err\n\t}\n\terr = provider.addUser(&user)\n\tif err != nil {\n\t\treturn user, err\n\t}\n\treturn provider.userExists(user.Username, \"\")\n}\n\nfunc updateUserAfterExternalAuth(user *User) (User, error) {\n\tif err := provider.updateUser(user); err != nil {\n\t\treturn *user, err\n\t}\n\treturn provider.userExists(user.Username, \"\")\n}\n\nfunc getUserForHook(username string, oidcTokenFields *map[string]any) (User, User, error) {\n\tu, err := provider.userExists(username, \"\")\n\tif err != nil {\n\t\tif !errors.Is(err, util.ErrNotFound) {\n\t\t\treturn u, u, err\n\t\t}\n\t\tu = User{\n\t\t\tBaseUser: sdk.BaseUser{\n\t\t\t\tID: 0,\n\t\t\t\tUsername: username,\n\t\t\t},\n\t\t}\n\t}\n\tmergedUser := u.getACopy()\n\terr = mergedUser.LoadAndApplyGroupSettings()\n\tif err != nil {\n\t\treturn u, mergedUser, err\n\t}\n\n\tu.OIDCCustomFields = oidcTokenFields\n\treturn u, mergedUser, err\n}\n\nfunc getUserAndJSONForHook(username string, oidcTokenFields *map[string]any) (User, User, []byte, error) {\n\tu, mergedUser, err := getUserForHook(username, oidcTokenFields)\n\tif err != nil {\n\t\treturn u, mergedUser, nil, err\n\t}\n\tuserAsJSON, err := json.Marshal(u)\n\tif err != nil {\n\t\treturn u, mergedUser, userAsJSON, err\n\t}\n\treturn u, mergedUser, userAsJSON, err\n}\n\nfunc isLastActivityRecent(lastActivity int64, minDelay time.Duration) bool {\n\tlastActivityTime := util.GetTimeFromMsecSinceEpoch(lastActivity)\n\tdiff := -time.Until(lastActivityTime)\n\tif diff < -10*time.Second {\n\t\treturn false\n\t}\n\treturn diff < minDelay\n}\n\nfunc isExternalAuthConfigured(loginMethod string) bool {\n\tif config.ExternalAuthHook != \"\" {\n\t\tif config.ExternalAuthScope == 0 {\n\t\t\treturn true\n\t\t}\n\t\tswitch loginMethod {\n\t\tcase LoginMethodPassword:\n\t\t\treturn config.ExternalAuthScope&1 != 0\n\t\tcase LoginMethodTLSCertificate:\n\t\t\treturn config.ExternalAuthScope&8 != 0\n\t\tcase LoginMethodTLSCertificateAndPwd:\n\t\t\treturn config.ExternalAuthScope&1 != 0 || config.ExternalAuthScope&8 != 0\n\t\t}\n\t}\n\tswitch loginMethod {\n\tcase LoginMethodPassword:\n\t\treturn plugin.Handler.HasAuthScope(plugin.AuthScopePassword)\n\tcase LoginMethodTLSCertificate:\n\t\treturn plugin.Handler.HasAuthScope(plugin.AuthScopeTLSCertificate)\n\tcase LoginMethodTLSCertificateAndPwd:\n\t\treturn plugin.Handler.HasAuthScope(plugin.AuthScopePassword) ||\n\t\t\tplugin.Handler.HasAuthScope(plugin.AuthScopeTLSCertificate)\n\tdefault:\n\t\treturn false\n\t}\n}\n\nfunc replaceTemplateVars(input string) string {\n\tvar result strings.Builder\n\ti := 0\n\tfor i < len(input) {\n\t\tif i+2 <= len(input) && input[i:i+2] == \"{{\" {\n\t\t\tif i+2 < len(input) {\n\t\t\t\tnextChar := input[i+2]\n\t\t\t\tif nextChar == ' ' || nextChar == '.' || nextChar == '-' {\n\t\t\t\t\t// Don't replace if followed by space, dot or minus.\n\t\t\t\t\tresult.WriteString(\"{{\")\n\t\t\t\t\ti += 2\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Find the closing \"}}\"\n\t\t\tclosing := strings.Index(input[i:], \"}}\")\n\t\t\tif closing != -1 {\n\t\t\t\t// Replace with {{. only if it's a proper template variable.\n\t\t\t\tresult.WriteString(\"{{.\")\n\t\t\t\tresult.WriteString(input[i+2 : i+closing])\n\t\t\t\tresult.WriteString(\"}}\")\n\t\t\t\ti += closing + 2\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\t\tresult.WriteByte(input[i])\n\t\ti++\n\t}\n\treturn result.String()\n}\n\nfunc updateEventActionPlaceholders(actions []BaseEventAction) ([]BaseEventAction, error) {\n\tvar result []BaseEventAction\n\n\tfor _, action := range actions {\n\t\toptions, err := json.Marshal(action.Options)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tconvertedOptions := replaceTemplateVars(string(options))\n\t\tvar opts BaseEventActionOptions\n\t\terr = json.Unmarshal([]byte(convertedOptions), &opts)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\taction.Options = opts\n\t\tresult = append(result, action)\n\t}\n\n\treturn result, nil\n}\n\nfunc getConfigPath(name, configDir string) string {\n\tif !util.IsFileInputValid(name) {\n\t\treturn \"\"\n\t}\n\tif name != \"\" && !filepath.IsAbs(name) {\n\t\treturn filepath.Join(configDir, name)\n\t}\n\treturn name\n}\n\nfunc checkReservedUsernames(username string) error {\n\tif slices.Contains(reservedUsers, username) {\n\t\treturn util.NewValidationError(\"this username is reserved\")\n\t}\n\treturn nil\n}\n\nfunc errSchemaVersionTooOld(version int) error {\n\treturn fmt.Errorf(\"database schema version %d is too old, please see the upgrading docs: https://docs.sftpgo.com/latest/data-provider/#upgrading\", version)\n}\n\nfunc getCmdOutput(cmd *exec.Cmd, sender string) ([]byte, error) {\n\tvar stdout bytes.Buffer\n\tcmd.Stdout = &stdout\n\n\tstderr, err := cmd.StderrPipe()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\terr = cmd.Start()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tscanner := bufio.NewScanner(stderr)\n\n\tgo func() {\n\t\tfor scanner.Scan() {\n\t\t\tif out := scanner.Text(); out != \"\" {\n\t\t\t\tlogger.Log(logger.LevelWarn, sender, \"\", \"%s\", out)\n\t\t\t}\n\t\t}\n\t\tif err := scanner.Err(); err != nil {\n\t\t\tlogger.Log(logger.LevelError, sender, \"\", \"error reading stderr: %v\", err)\n\t\t}\n\t}()\n\n\terr = cmd.Wait()\n\treturn stdout.Bytes(), err\n}\n\nfunc providerLog(level logger.LogLevel, format string, v ...any) {\n\tlogger.Log(level, logSender, \"\", format, v...)\n}\n" }, { "path": "internal/dataprovider/eventrule.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage dataprovider\n\nimport (\n\t\"context\"\n\t\"crypto/tls\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"slices\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/robfig/cron/v3\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\n// Supported event actions\nconst (\n\tActionTypeHTTP = iota + 1\n\tActionTypeCommand\n\tActionTypeEmail\n\tActionTypeBackup\n\tActionTypeUserQuotaReset\n\tActionTypeFolderQuotaReset\n\tActionTypeTransferQuotaReset\n\tActionTypeDataRetentionCheck\n\tActionTypeFilesystem\n\tactionTypeReserved\n\tActionTypePasswordExpirationCheck\n\tActionTypeUserExpirationCheck\n\tActionTypeIDPAccountCheck\n\tActionTypeUserInactivityCheck\n\tActionTypeRotateLogs\n)\n\nvar (\n\tsupportedEventActions = []int{ActionTypeHTTP, ActionTypeCommand, ActionTypeEmail, ActionTypeFilesystem,\n\t\tActionTypeBackup, ActionTypeUserQuotaReset, ActionTypeFolderQuotaReset, ActionTypeTransferQuotaReset,\n\t\tActionTypeDataRetentionCheck, ActionTypePasswordExpirationCheck, ActionTypeUserExpirationCheck,\n\t\tActionTypeUserInactivityCheck, ActionTypeIDPAccountCheck, ActionTypeRotateLogs}\n\t// EnabledActionCommands defines the system commands that can be executed via EventManager,\n\t// an empty list means that no command is allowed to be executed.\n\tEnabledActionCommands []string\n)\n\nfunc isActionTypeValid(action int) bool {\n\treturn slices.Contains(supportedEventActions, action)\n}\n\nfunc getActionTypeAsString(action int) string {\n\tswitch action {\n\tcase ActionTypeHTTP:\n\t\treturn util.I18nActionTypeHTTP\n\tcase ActionTypeEmail:\n\t\treturn util.I18nActionTypeEmail\n\tcase ActionTypeBackup:\n\t\treturn util.I18nActionTypeBackup\n\tcase ActionTypeUserQuotaReset:\n\t\treturn util.I18nActionTypeUserQuotaReset\n\tcase ActionTypeFolderQuotaReset:\n\t\treturn util.I18nActionTypeFolderQuotaReset\n\tcase ActionTypeTransferQuotaReset:\n\t\treturn util.I18nActionTypeTransferQuotaReset\n\tcase ActionTypeDataRetentionCheck:\n\t\treturn util.I18nActionTypeDataRetentionCheck\n\tcase ActionTypeFilesystem:\n\t\treturn util.I18nActionTypeFilesystem\n\tcase ActionTypePasswordExpirationCheck:\n\t\treturn util.I18nActionTypePwdExpirationCheck\n\tcase ActionTypeUserExpirationCheck:\n\t\treturn util.I18nActionTypeUserExpirationCheck\n\tcase ActionTypeUserInactivityCheck:\n\t\treturn util.I18nActionTypeUserInactivityCheck\n\tcase ActionTypeIDPAccountCheck:\n\t\treturn util.I18nActionTypeIDPCheck\n\tcase ActionTypeRotateLogs:\n\t\treturn util.I18nActionTypeRotateLogs\n\tdefault:\n\t\treturn util.I18nActionTypeCommand\n\t}\n}\n\n// Supported event triggers\nconst (\n\t// Filesystem events such as upload, download, mkdir ...\n\tEventTriggerFsEvent = iota + 1\n\t// Provider events such as add, update, delete\n\tEventTriggerProviderEvent\n\tEventTriggerSchedule\n\tEventTriggerIPBlocked\n\tEventTriggerCertificate\n\tEventTriggerOnDemand\n\tEventTriggerIDPLogin\n)\n\nvar (\n\tsupportedEventTriggers = []int{EventTriggerFsEvent, EventTriggerProviderEvent, EventTriggerSchedule,\n\t\tEventTriggerIPBlocked, EventTriggerCertificate, EventTriggerIDPLogin, EventTriggerOnDemand}\n)\n\nfunc isEventTriggerValid(trigger int) bool {\n\treturn slices.Contains(supportedEventTriggers, trigger)\n}\n\nfunc getTriggerTypeAsString(trigger int) string {\n\tswitch trigger {\n\tcase EventTriggerFsEvent:\n\t\treturn util.I18nTriggerFsEvent\n\tcase EventTriggerProviderEvent:\n\t\treturn util.I18nTriggerProviderEvent\n\tcase EventTriggerIPBlocked:\n\t\treturn util.I18nTriggerIPBlockedEvent\n\tcase EventTriggerCertificate:\n\t\treturn util.I18nTriggerCertificateRenewEvent\n\tcase EventTriggerOnDemand:\n\t\treturn util.I18nTriggerOnDemandEvent\n\tcase EventTriggerIDPLogin:\n\t\treturn util.I18nTriggerIDPLoginEvent\n\tdefault:\n\t\treturn util.I18nTriggerScheduleEvent\n\t}\n}\n\n// Supported IDP login events\nconst (\n\tIDPLoginAny = iota\n\tIDPLoginUser\n\tIDPLoginAdmin\n)\n\nvar (\n\tsupportedIDPLoginEvents = []int{IDPLoginAny, IDPLoginUser, IDPLoginAdmin}\n)\n\n// Supported filesystem actions\nconst (\n\tFilesystemActionRename = iota + 1\n\tFilesystemActionDelete\n\tFilesystemActionMkdirs\n\tFilesystemActionExist\n\tFilesystemActionCompress\n\tFilesystemActionCopy\n)\n\nconst (\n\t// RetentionReportPlaceHolder defines the placeholder for data retention reports\n\tRetentionReportPlaceHolder = \"{{RetentionReports}}\"\n)\n\nvar (\n\tsupportedFsActions = []int{FilesystemActionRename, FilesystemActionDelete, FilesystemActionMkdirs,\n\t\tFilesystemActionCopy, FilesystemActionCompress, FilesystemActionExist}\n)\n\nfunc isFilesystemActionValid(value int) bool {\n\treturn slices.Contains(supportedFsActions, value)\n}\n\nfunc getFsActionTypeAsString(value int) string {\n\tswitch value {\n\tcase FilesystemActionRename:\n\t\treturn util.I18nActionFsTypeRename\n\tcase FilesystemActionDelete:\n\t\treturn util.I18nActionFsTypeDelete\n\tcase FilesystemActionExist:\n\t\treturn util.I18nActionFsTypePathExists\n\tcase FilesystemActionCompress:\n\t\treturn util.I18nActionFsTypeCompress\n\tcase FilesystemActionCopy:\n\t\treturn util.I18nActionFsTypeCopy\n\tdefault:\n\t\treturn util.I18nActionFsTypeCreateDirs\n\t}\n}\n\n// TODO: replace the copied strings with shared constants\nvar (\n\t// SupportedFsEvents defines the supported filesystem events\n\tSupportedFsEvents = []string{\"upload\", \"pre-upload\", \"first-upload\", \"download\", \"pre-download\",\n\t\t\"first-download\", \"delete\", \"pre-delete\", \"rename\", \"mkdir\", \"rmdir\", \"copy\", \"ssh_cmd\"}\n\t// SupportedProviderEvents defines the supported provider events\n\tSupportedProviderEvents = []string{operationAdd, operationUpdate, operationDelete}\n\t// SupportedRuleConditionProtocols defines the supported protcols for rule conditions\n\tSupportedRuleConditionProtocols = []string{\"SFTP\", \"SCP\", \"SSH\", \"FTP\", \"DAV\", \"HTTP\", \"HTTPShare\",\n\t\t\"OIDC\"}\n\t// SupporteRuleConditionProviderObjects defines the supported provider objects for rule conditions\n\tSupporteRuleConditionProviderObjects = []string{actionObjectUser, actionObjectFolder, actionObjectGroup,\n\t\tactionObjectAdmin, actionObjectAPIKey, actionObjectShare, actionObjectEventRule, actionObjectEventAction}\n\t// SupportedHTTPActionMethods defines the supported methods for HTTP actions\n\tSupportedHTTPActionMethods = []string{http.MethodPost, http.MethodGet, http.MethodPut, http.MethodDelete}\n\tallowedSyncFsEvents = []string{\"upload\", \"pre-upload\", \"pre-download\", \"pre-delete\"}\n\tmandatorySyncFsEvents = []string{\"pre-upload\", \"pre-download\", \"pre-delete\"}\n)\n\n// enum mappings\nvar (\n\tEventActionTypes []EnumMapping\n\tEventTriggerTypes []EnumMapping\n\tFsActionTypes []EnumMapping\n)\n\nfunc init() {\n\tfor _, t := range supportedEventActions {\n\t\tEventActionTypes = append(EventActionTypes, EnumMapping{\n\t\t\tValue: t,\n\t\t\tName: getActionTypeAsString(t),\n\t\t})\n\t}\n\tfor _, t := range supportedEventTriggers {\n\t\tEventTriggerTypes = append(EventTriggerTypes, EnumMapping{\n\t\t\tValue: t,\n\t\t\tName: getTriggerTypeAsString(t),\n\t\t})\n\t}\n\tfor _, t := range supportedFsActions {\n\t\tFsActionTypes = append(FsActionTypes, EnumMapping{\n\t\t\tValue: t,\n\t\t\tName: getFsActionTypeAsString(t),\n\t\t})\n\t}\n}\n\n// EnumMapping defines a mapping between enum values and names\ntype EnumMapping struct {\n\tName string\n\tValue int\n}\n\n// KeyValue defines a key/value pair\ntype KeyValue struct {\n\tKey string `json:\"key\"`\n\tValue string `json:\"value\"`\n}\n\nfunc (k *KeyValue) isNotValid() bool {\n\treturn k.Key == \"\" || k.Value == \"\"\n}\n\n// HTTPPart defines a part for HTTP multipart requests\ntype HTTPPart struct {\n\tName string `json:\"name,omitempty\"`\n\tFilepath string `json:\"filepath,omitempty\"`\n\tHeaders []KeyValue `json:\"headers,omitempty\"`\n\tBody string `json:\"body,omitempty\"`\n\tOrder int `json:\"-\"`\n}\n\nfunc (p *HTTPPart) validate() error {\n\tif p.Name == \"\" {\n\t\treturn util.NewI18nError(util.NewValidationError(\"HTTP part name is required\"), util.I18nErrorHTTPPartNameRequired)\n\t}\n\tfor _, kv := range p.Headers {\n\t\tif kv.isNotValid() {\n\t\t\treturn util.NewValidationError(\"invalid HTTP part headers\")\n\t\t}\n\t}\n\tif p.Filepath == \"\" {\n\t\tif p.Body == \"\" {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(\"HTTP part body is required if no file path is provided\"),\n\t\t\t\tutil.I18nErrorHTTPPartBodyRequired,\n\t\t\t)\n\t\t}\n\t} else {\n\t\tp.Body = \"\"\n\t\tif p.Filepath != RetentionReportPlaceHolder {\n\t\t\tp.Filepath = util.CleanPath(p.Filepath)\n\t\t}\n\t}\n\treturn nil\n}\n\n// EventActionHTTPConfig defines the configuration for an HTTP event target\ntype EventActionHTTPConfig struct {\n\tEndpoint string `json:\"endpoint,omitempty\"`\n\tUsername string `json:\"username,omitempty\"`\n\tPassword *kms.Secret `json:\"password,omitempty\"`\n\tHeaders []KeyValue `json:\"headers,omitempty\"`\n\tTimeout int `json:\"timeout,omitempty\"`\n\tSkipTLSVerify bool `json:\"skip_tls_verify,omitempty\"`\n\tMethod string `json:\"method,omitempty\"`\n\tQueryParameters []KeyValue `json:\"query_parameters,omitempty\"`\n\tBody string `json:\"body,omitempty\"`\n\tParts []HTTPPart `json:\"parts,omitempty\"`\n}\n\n// HasJSONBody returns true if the content type header indicates a JSON body\nfunc (c *EventActionHTTPConfig) HasJSONBody() bool {\n\tfor _, h := range c.Headers {\n\t\tif http.CanonicalHeaderKey(h.Key) == \"Content-Type\" {\n\t\t\treturn strings.Contains(strings.ToLower(h.Value), \"application/json\")\n\t\t}\n\t}\n\treturn false\n}\n\nfunc (c *EventActionHTTPConfig) isTimeoutNotValid() bool {\n\tif c.HasMultipartFiles() {\n\t\treturn false\n\t}\n\treturn c.Timeout < 1 || c.Timeout > 180\n}\n\nfunc (c *EventActionHTTPConfig) validateMultiparts() error {\n\tfilePaths := make(map[string]bool)\n\tfor idx := range c.Parts {\n\t\tif err := c.Parts[idx].validate(); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif filePath := c.Parts[idx].Filepath; filePath != \"\" {\n\t\t\tif filePaths[filePath] {\n\t\t\t\treturn util.NewI18nError(fmt.Errorf(\"filepath %q is duplicated\", filePath), util.I18nErrorPathDuplicated)\n\t\t\t}\n\t\t\tfilePaths[filePath] = true\n\t\t}\n\t}\n\tif len(c.Parts) > 0 {\n\t\tif c.Body != \"\" {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(\"multipart requests require no body. The request body is build from the specified parts\"),\n\t\t\t\tutil.I18nErrorMultipartBody,\n\t\t\t)\n\t\t}\n\t\tfor _, k := range c.Headers {\n\t\t\tif strings.EqualFold(k.Key, \"content-type\") {\n\t\t\t\treturn util.NewI18nError(\n\t\t\t\t\tutil.NewValidationError(\"content type is automatically set for multipart requests\"),\n\t\t\t\t\tutil.I18nErrorMultipartCType,\n\t\t\t\t)\n\t\t\t}\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (c *EventActionHTTPConfig) validate(additionalData string) error {\n\tif c.Endpoint == \"\" {\n\t\treturn util.NewI18nError(util.NewValidationError(\"HTTP endpoint is required\"), util.I18nErrorURLRequired)\n\t}\n\tif !util.IsStringPrefixInSlice(c.Endpoint, []string{\"http://\", \"https://\"}) {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"invalid HTTP endpoint schema: http and https are supported\"),\n\t\t\tutil.I18nErrorURLInvalid,\n\t\t)\n\t}\n\tif c.isTimeoutNotValid() {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid HTTP timeout %d\", c.Timeout))\n\t}\n\tfor _, kv := range c.Headers {\n\t\tif kv.isNotValid() {\n\t\t\treturn util.NewValidationError(\"invalid HTTP headers\")\n\t\t}\n\t}\n\tif err := c.validateMultiparts(); err != nil {\n\t\treturn err\n\t}\n\tif c.Password.IsRedacted() {\n\t\treturn util.NewValidationError(\"cannot save HTTP configuration with a redacted secret\")\n\t}\n\tif c.Password.IsPlain() {\n\t\tc.Password.SetAdditionalData(additionalData)\n\t\terr := c.Password.Encrypt()\n\t\tif err != nil {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"could not encrypt HTTP password: %v\", err))\n\t\t}\n\t}\n\tif !slices.Contains(SupportedHTTPActionMethods, c.Method) {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"unsupported HTTP method: %s\", c.Method))\n\t}\n\tfor _, kv := range c.QueryParameters {\n\t\tif kv.isNotValid() {\n\t\t\treturn util.NewValidationError(\"invalid HTTP query parameters\")\n\t\t}\n\t}\n\treturn nil\n}\n\n// GetContext returns the context and the cancel func to use for the HTTP request\nfunc (c *EventActionHTTPConfig) GetContext() (context.Context, context.CancelFunc) {\n\tif c.HasMultipartFiles() {\n\t\treturn context.WithCancel(context.Background())\n\t}\n\treturn context.WithTimeout(context.Background(), time.Duration(c.Timeout)*time.Second)\n}\n\n// HasObjectData returns true if the {{ObjectData}} placeholder is defined\nfunc (c *EventActionHTTPConfig) HasObjectData() bool {\n\tif strings.Contains(c.Body, \"{{ObjectData}}\") || strings.Contains(c.Body, \"{{ObjectDataString}}\") {\n\t\treturn true\n\t}\n\tfor _, part := range c.Parts {\n\t\tif strings.Contains(part.Body, \"{{ObjectData}}\") || strings.Contains(part.Body, \"{{ObjectDataString}}\") {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// HasMultipartFiles returns true if at least a file must be uploaded via a multipart request\nfunc (c *EventActionHTTPConfig) HasMultipartFiles() bool {\n\tfor _, part := range c.Parts {\n\t\tif part.Filepath != \"\" && part.Filepath != RetentionReportPlaceHolder {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// TryDecryptPassword decrypts the password if encryptet\nfunc (c *EventActionHTTPConfig) TryDecryptPassword() error {\n\tif c.Password != nil && !c.Password.IsEmpty() {\n\t\tif err := c.Password.TryDecrypt(); err != nil {\n\t\t\treturn fmt.Errorf(\"unable to decrypt HTTP password: %w\", err)\n\t\t}\n\t}\n\treturn nil\n}\n\n// GetHTTPClient returns an HTTP client based on the config\nfunc (c *EventActionHTTPConfig) GetHTTPClient() *http.Client {\n\tclient := &http.Client{}\n\tif c.SkipTLSVerify {\n\t\ttransport := http.DefaultTransport.(*http.Transport).Clone()\n\t\tif transport.TLSClientConfig != nil {\n\t\t\ttransport.TLSClientConfig.InsecureSkipVerify = true\n\t\t} else {\n\t\t\ttransport.TLSClientConfig = &tls.Config{\n\t\t\t\tInsecureSkipVerify: true,\n\t\t\t}\n\t\t}\n\t\tclient.Transport = transport\n\t}\n\treturn client\n}\n\n// IsActionCommandAllowed returns true if the specified command is allowed\nfunc IsActionCommandAllowed(cmd string) bool {\n\treturn slices.Contains(EnabledActionCommands, cmd)\n}\n\n// EventActionCommandConfig defines the configuration for a command event target\ntype EventActionCommandConfig struct {\n\tCmd string `json:\"cmd,omitempty\"`\n\tArgs []string `json:\"args,omitempty\"`\n\tTimeout int `json:\"timeout,omitempty\"`\n\tEnvVars []KeyValue `json:\"env_vars,omitempty\"`\n}\n\nfunc (c *EventActionCommandConfig) validate() error {\n\tif c.Cmd == \"\" {\n\t\treturn util.NewI18nError(util.NewValidationError(\"command is required\"), util.I18nErrorCommandRequired)\n\t}\n\tif !IsActionCommandAllowed(c.Cmd) {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"command %q is not allowed\", c.Cmd))\n\t}\n\tif !filepath.IsAbs(c.Cmd) {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"invalid command, it must be an absolute path\"),\n\t\t\tutil.I18nErrorCommandInvalid,\n\t\t)\n\t}\n\tif c.Timeout < 1 || c.Timeout > 120 {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid command action timeout %d\", c.Timeout))\n\t}\n\tfor _, kv := range c.EnvVars {\n\t\tif kv.isNotValid() {\n\t\t\treturn util.NewValidationError(\"invalid command env vars\")\n\t\t}\n\t}\n\tc.Args = util.RemoveDuplicates(c.Args, true)\n\tfor _, arg := range c.Args {\n\t\tif arg == \"\" {\n\t\t\treturn util.NewValidationError(\"invalid command args\")\n\t\t}\n\t}\n\treturn nil\n}\n\n// GetArgumentsAsString returns the list of command arguments as comma separated string\nfunc (c EventActionCommandConfig) GetArgumentsAsString() string {\n\treturn strings.Join(c.Args, \",\")\n}\n\n// EventActionEmailConfig defines the configuration options for SMTP event actions\ntype EventActionEmailConfig struct {\n\tRecipients []string `json:\"recipients,omitempty\"`\n\tBcc []string `json:\"bcc,omitempty\"`\n\tSubject string `json:\"subject,omitempty\"`\n\tBody string `json:\"body,omitempty\"`\n\tAttachments []string `json:\"attachments,omitempty\"`\n\tContentType int `json:\"content_type,omitempty\"`\n}\n\n// GetRecipientsAsString returns the list of recipients as comma separated string\nfunc (c EventActionEmailConfig) GetRecipientsAsString() string {\n\treturn strings.Join(c.Recipients, \",\")\n}\n\n// GetBccAsString returns the list of bcc as comma separated string\nfunc (c EventActionEmailConfig) GetBccAsString() string {\n\treturn strings.Join(c.Bcc, \",\")\n}\n\n// GetAttachmentsAsString returns the list of attachments as comma separated string\nfunc (c EventActionEmailConfig) GetAttachmentsAsString() string {\n\treturn strings.Join(c.Attachments, \",\")\n}\n\nfunc (c *EventActionEmailConfig) hasFilesAttachments() bool {\n\tfor _, a := range c.Attachments {\n\t\tif a != RetentionReportPlaceHolder {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\nfunc (c *EventActionEmailConfig) validate() error {\n\tif len(c.Recipients) == 0 {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"at least one email recipient is required\"),\n\t\t\tutil.I18nErrorEmailRecipientRequired,\n\t\t)\n\t}\n\tc.Recipients = util.RemoveDuplicates(c.Recipients, false)\n\tfor _, r := range c.Recipients {\n\t\tif r == \"\" {\n\t\t\treturn util.NewValidationError(\"invalid email recipients\")\n\t\t}\n\t}\n\tc.Bcc = util.RemoveDuplicates(c.Bcc, false)\n\tfor _, r := range c.Bcc {\n\t\tif r == \"\" {\n\t\t\treturn util.NewValidationError(\"invalid email bcc\")\n\t\t}\n\t}\n\tif c.Subject == \"\" {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"email subject is required\"),\n\t\t\tutil.I18nErrorEmailSubjectRequired,\n\t\t)\n\t}\n\tif c.Body == \"\" {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"email body is required\"),\n\t\t\tutil.I18nErrorEmailBodyRequired,\n\t\t)\n\t}\n\tif c.ContentType < 0 || c.ContentType > 1 {\n\t\treturn util.NewValidationError(\"invalid email content type\")\n\t}\n\tfor idx, val := range c.Attachments {\n\t\tval = strings.TrimSpace(val)\n\t\tif val == \"\" {\n\t\t\treturn util.NewValidationError(\"invalid path to attach\")\n\t\t}\n\t\tif val == RetentionReportPlaceHolder {\n\t\t\tc.Attachments[idx] = val\n\t\t} else {\n\t\t\tc.Attachments[idx] = util.CleanPath(val)\n\t\t}\n\t}\n\tc.Attachments = util.RemoveDuplicates(c.Attachments, false)\n\treturn nil\n}\n\n// FolderRetention defines a folder retention configuration\ntype FolderRetention struct {\n\t// Path is the virtual directory path, if no other specific retention is defined,\n\t// the retention applies for sub directories too. For example if retention is defined\n\t// for the paths \"/\" and \"/sub\" then the retention for \"/\" is applied for any file outside\n\t// the \"/sub\" directory\n\tPath string `json:\"path\"`\n\t// Retention time in hours. 0 means exclude this path\n\tRetention int `json:\"retention\"`\n\t// DeleteEmptyDirs defines if empty directories will be deleted.\n\t// The user need the delete permission\n\tDeleteEmptyDirs bool `json:\"delete_empty_dirs,omitempty\"`\n}\n\n// Validate returns an error if the configuration is not valid\nfunc (f *FolderRetention) Validate() error {\n\tf.Path = util.CleanPath(f.Path)\n\tif f.Retention < 0 {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid folder retention %v, it must be greater or equal to zero\",\n\t\t\tf.Retention))\n\t}\n\treturn nil\n}\n\n// EventActionDataRetentionConfig defines the configuration for a data retention check\ntype EventActionDataRetentionConfig struct {\n\tFolders []FolderRetention `json:\"folders,omitempty\"`\n}\n\nfunc (c *EventActionDataRetentionConfig) validate() error {\n\tfolderPaths := make(map[string]bool)\n\tnothingToDo := true\n\tfor idx := range c.Folders {\n\t\tf := &c.Folders[idx]\n\t\tif err := f.Validate(); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif f.Retention > 0 {\n\t\t\tnothingToDo = false\n\t\t}\n\t\tif _, ok := folderPaths[f.Path]; ok {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"duplicated folder path %q\", f.Path)),\n\t\t\t\tutil.I18nErrorPathDuplicated,\n\t\t\t)\n\t\t}\n\t\tfolderPaths[f.Path] = true\n\t}\n\tif nothingToDo {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"nothing to delete!\"),\n\t\t\tutil.I18nErrorRetentionDirRequired,\n\t\t)\n\t}\n\treturn nil\n}\n\n// EventActionFsCompress defines the configuration for the compress filesystem action\ntype EventActionFsCompress struct {\n\t// Archive path\n\tName string `json:\"name,omitempty\"`\n\t// Paths to compress\n\tPaths []string `json:\"paths,omitempty\"`\n}\n\nfunc (c *EventActionFsCompress) validate() error {\n\tif c.Name == \"\" {\n\t\treturn util.NewI18nError(util.NewValidationError(\"archive name is mandatory\"), util.I18nErrorArchiveNameRequired)\n\t}\n\tc.Name = util.CleanPath(strings.TrimSpace(c.Name))\n\tif c.Name == \"/\" {\n\t\treturn util.NewI18nError(util.NewValidationError(\"invalid archive name\"), util.I18nErrorRootNotAllowed)\n\t}\n\tif len(c.Paths) == 0 {\n\t\treturn util.NewI18nError(util.NewValidationError(\"no path to compress specified\"), util.I18nErrorPathRequired)\n\t}\n\tfor idx, val := range c.Paths {\n\t\tval = strings.TrimSpace(val)\n\t\tif val == \"\" {\n\t\t\treturn util.NewValidationError(\"invalid path to compress\")\n\t\t}\n\t\tc.Paths[idx] = util.CleanPath(val)\n\t}\n\tc.Paths = util.RemoveDuplicates(c.Paths, false)\n\treturn nil\n}\n\n// RenameConfig defines the configuration for a filesystem rename\ntype RenameConfig struct {\n\t// key is the source and target the value\n\tKeyValue\n\t// This setting only applies to storage providers that support\n\t// changing modification times.\n\tUpdateModTime bool `json:\"update_modtime,omitempty\"`\n}\n\n// EventActionFilesystemConfig defines the configuration for filesystem actions\ntype EventActionFilesystemConfig struct {\n\t// Filesystem actions, see the above enum\n\tType int `json:\"type,omitempty\"`\n\t// files/dirs to rename\n\tRenames []RenameConfig `json:\"renames,omitempty\"`\n\t// directories to create\n\tMkDirs []string `json:\"mkdirs,omitempty\"`\n\t// files/dirs to delete\n\tDeletes []string `json:\"deletes,omitempty\"`\n\t// file/dirs to check for existence\n\tExist []string `json:\"exist,omitempty\"`\n\t// files/dirs to copy, key is the source and target the value\n\tCopy []KeyValue `json:\"copy,omitempty\"`\n\t// paths to compress and archive name\n\tCompress EventActionFsCompress `json:\"compress\"`\n}\n\n// GetDeletesAsString returns the list of items to delete as comma separated string.\n// Using a pointer receiver will not work in web templates\nfunc (c EventActionFilesystemConfig) GetDeletesAsString() string {\n\treturn strings.Join(c.Deletes, \",\")\n}\n\n// GetMkDirsAsString returns the list of directories to create as comma separated string.\n// Using a pointer receiver will not work in web templates\nfunc (c EventActionFilesystemConfig) GetMkDirsAsString() string {\n\treturn strings.Join(c.MkDirs, \",\")\n}\n\n// GetExistAsString returns the list of items to check for existence as comma separated string.\n// Using a pointer receiver will not work in web templates\nfunc (c EventActionFilesystemConfig) GetExistAsString() string {\n\treturn strings.Join(c.Exist, \",\")\n}\n\n// GetCompressPathsAsString returns the list of items to compress as comma separated string.\n// Using a pointer receiver will not work in web templates\nfunc (c EventActionFilesystemConfig) GetCompressPathsAsString() string {\n\treturn strings.Join(c.Compress.Paths, \",\")\n}\n\nfunc (c *EventActionFilesystemConfig) validateRenames() error {\n\tif len(c.Renames) == 0 {\n\t\treturn util.NewI18nError(util.NewValidationError(\"no path to rename specified\"), util.I18nErrorPathRequired)\n\t}\n\tfor idx, cfg := range c.Renames {\n\t\tkey := strings.TrimSpace(cfg.Key)\n\t\tvalue := strings.TrimSpace(cfg.Value)\n\t\tif key == \"\" || value == \"\" {\n\t\t\treturn util.NewValidationError(\"invalid paths to rename\")\n\t\t}\n\t\tkey = util.CleanPath(key)\n\t\tvalue = util.CleanPath(value)\n\t\tif key == value {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(\"rename source and target cannot be equal\"),\n\t\t\t\tutil.I18nErrorSourceDestMatch,\n\t\t\t)\n\t\t}\n\t\tif key == \"/\" || value == \"/\" {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(\"renaming the root directory is not allowed\"),\n\t\t\t\tutil.I18nErrorRootNotAllowed,\n\t\t\t)\n\t\t}\n\t\tc.Renames[idx] = RenameConfig{\n\t\t\tKeyValue: KeyValue{\n\t\t\t\tKey: key,\n\t\t\t\tValue: value,\n\t\t\t},\n\t\t\tUpdateModTime: cfg.UpdateModTime,\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (c *EventActionFilesystemConfig) validateCopy() error {\n\tif len(c.Copy) == 0 {\n\t\treturn util.NewI18nError(util.NewValidationError(\"no path to copy specified\"), util.I18nErrorPathRequired)\n\t}\n\tfor idx, kv := range c.Copy {\n\t\tkey := strings.TrimSpace(kv.Key)\n\t\tvalue := strings.TrimSpace(kv.Value)\n\t\tif key == \"\" || value == \"\" {\n\t\t\treturn util.NewValidationError(\"invalid paths to copy\")\n\t\t}\n\t\tkey = util.CleanPath(key)\n\t\tvalue = util.CleanPath(value)\n\t\tif key == value {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(\"copy source and target cannot be equal\"),\n\t\t\t\tutil.I18nErrorSourceDestMatch,\n\t\t\t)\n\t\t}\n\t\tif key == \"/\" || value == \"/\" {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(\"copying the root directory is not allowed\"),\n\t\t\t\tutil.I18nErrorRootNotAllowed,\n\t\t\t)\n\t\t}\n\t\tif strings.HasSuffix(c.Copy[idx].Key, \"/\") {\n\t\t\tkey += \"/\"\n\t\t}\n\t\tif strings.HasSuffix(c.Copy[idx].Value, \"/\") {\n\t\t\tvalue += \"/\"\n\t\t}\n\t\tc.Copy[idx] = KeyValue{\n\t\t\tKey: key,\n\t\t\tValue: value,\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (c *EventActionFilesystemConfig) validateDeletes() error {\n\tif len(c.Deletes) == 0 {\n\t\treturn util.NewI18nError(util.NewValidationError(\"no path to delete specified\"), util.I18nErrorPathRequired)\n\t}\n\tfor idx, val := range c.Deletes {\n\t\tval = strings.TrimSpace(val)\n\t\tif val == \"\" {\n\t\t\treturn util.NewValidationError(\"invalid path to delete\")\n\t\t}\n\t\tc.Deletes[idx] = util.CleanPath(val)\n\t}\n\tc.Deletes = util.RemoveDuplicates(c.Deletes, false)\n\treturn nil\n}\n\nfunc (c *EventActionFilesystemConfig) validateMkdirs() error {\n\tif len(c.MkDirs) == 0 {\n\t\treturn util.NewI18nError(util.NewValidationError(\"no directory to create specified\"), util.I18nErrorPathRequired)\n\t}\n\tfor idx, val := range c.MkDirs {\n\t\tval = strings.TrimSpace(val)\n\t\tif val == \"\" {\n\t\t\treturn util.NewValidationError(\"invalid directory to create\")\n\t\t}\n\t\tc.MkDirs[idx] = util.CleanPath(val)\n\t}\n\tc.MkDirs = util.RemoveDuplicates(c.MkDirs, false)\n\treturn nil\n}\n\nfunc (c *EventActionFilesystemConfig) validateExist() error {\n\tif len(c.Exist) == 0 {\n\t\treturn util.NewI18nError(util.NewValidationError(\"no path to check for existence specified\"), util.I18nErrorPathRequired)\n\t}\n\tfor idx, val := range c.Exist {\n\t\tval = strings.TrimSpace(val)\n\t\tif val == \"\" {\n\t\t\treturn util.NewValidationError(\"invalid path to check for existence\")\n\t\t}\n\t\tc.Exist[idx] = util.CleanPath(val)\n\t}\n\tc.Exist = util.RemoveDuplicates(c.Exist, false)\n\treturn nil\n}\n\nfunc (c *EventActionFilesystemConfig) validate() error {\n\tif !isFilesystemActionValid(c.Type) {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid filesystem action type: %d\", c.Type))\n\t}\n\tswitch c.Type {\n\tcase FilesystemActionRename:\n\t\tc.MkDirs = nil\n\t\tc.Deletes = nil\n\t\tc.Exist = nil\n\t\tc.Copy = nil\n\t\tc.Compress = EventActionFsCompress{}\n\t\tif err := c.validateRenames(); err != nil {\n\t\t\treturn err\n\t\t}\n\tcase FilesystemActionDelete:\n\t\tc.Renames = nil\n\t\tc.MkDirs = nil\n\t\tc.Exist = nil\n\t\tc.Copy = nil\n\t\tc.Compress = EventActionFsCompress{}\n\t\tif err := c.validateDeletes(); err != nil {\n\t\t\treturn err\n\t\t}\n\tcase FilesystemActionMkdirs:\n\t\tc.Renames = nil\n\t\tc.Deletes = nil\n\t\tc.Exist = nil\n\t\tc.Copy = nil\n\t\tc.Compress = EventActionFsCompress{}\n\t\tif err := c.validateMkdirs(); err != nil {\n\t\t\treturn err\n\t\t}\n\tcase FilesystemActionExist:\n\t\tc.Renames = nil\n\t\tc.Deletes = nil\n\t\tc.MkDirs = nil\n\t\tc.Copy = nil\n\t\tc.Compress = EventActionFsCompress{}\n\t\tif err := c.validateExist(); err != nil {\n\t\t\treturn err\n\t\t}\n\tcase FilesystemActionCompress:\n\t\tc.Renames = nil\n\t\tc.MkDirs = nil\n\t\tc.Deletes = nil\n\t\tc.Exist = nil\n\t\tc.Copy = nil\n\t\tif err := c.Compress.validate(); err != nil {\n\t\t\treturn err\n\t\t}\n\tcase FilesystemActionCopy:\n\t\tc.Renames = nil\n\t\tc.Deletes = nil\n\t\tc.MkDirs = nil\n\t\tc.Exist = nil\n\t\tc.Compress = EventActionFsCompress{}\n\t\tif err := c.validateCopy(); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (c *EventActionFilesystemConfig) getACopy() EventActionFilesystemConfig {\n\tmkdirs := make([]string, len(c.MkDirs))\n\tcopy(mkdirs, c.MkDirs)\n\tdeletes := make([]string, len(c.Deletes))\n\tcopy(deletes, c.Deletes)\n\texist := make([]string, len(c.Exist))\n\tcopy(exist, c.Exist)\n\tcompressPaths := make([]string, len(c.Compress.Paths))\n\tcopy(compressPaths, c.Compress.Paths)\n\n\treturn EventActionFilesystemConfig{\n\t\tType: c.Type,\n\t\tRenames: cloneRenameConfigs(c.Renames),\n\t\tMkDirs: mkdirs,\n\t\tDeletes: deletes,\n\t\tExist: exist,\n\t\tCopy: cloneKeyValues(c.Copy),\n\t\tCompress: EventActionFsCompress{\n\t\t\tPaths: compressPaths,\n\t\t\tName: c.Compress.Name,\n\t\t},\n\t}\n}\n\n// EventActionPasswordExpiration defines the configuration for password expiration actions\ntype EventActionPasswordExpiration struct {\n\t// An email notification will be generated for users whose password expires in a number\n\t// of days less than or equal to this threshold\n\tThreshold int `json:\"threshold,omitempty\"`\n}\n\nfunc (c *EventActionPasswordExpiration) validate() error {\n\tif c.Threshold <= 0 {\n\t\treturn util.NewValidationError(\"threshold must be greater than 0\")\n\t}\n\treturn nil\n}\n\n// EventActionUserInactivity defines the configuration for user inactivity checks.\ntype EventActionUserInactivity struct {\n\t// DisableThreshold defines inactivity in days, since the last login before disabling the account\n\tDisableThreshold int `json:\"disable_threshold,omitempty\"`\n\t// DeleteThreshold defines inactivity in days, since the last login before deleting the account\n\tDeleteThreshold int `json:\"delete_threshold,omitempty\"`\n}\n\nfunc (c *EventActionUserInactivity) validate() error {\n\tif c.DeleteThreshold < 0 {\n\t\tc.DeleteThreshold = 0\n\t}\n\tif c.DisableThreshold < 0 {\n\t\tc.DisableThreshold = 0\n\t}\n\tif c.DisableThreshold == 0 && c.DeleteThreshold == 0 {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"at least a threshold must be defined\"),\n\t\t\tutil.I18nActionThresholdRequired,\n\t\t)\n\t}\n\tif c.DeleteThreshold > 0 && c.DisableThreshold > 0 {\n\t\tif c.DeleteThreshold <= c.DisableThreshold {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"deletion threshold %d must be greater than deactivation threshold: %d\", c.DeleteThreshold, c.DisableThreshold)),\n\t\t\t\tutil.I18nActionThresholdsInvalid,\n\t\t\t)\n\t\t}\n\t}\n\treturn nil\n}\n\n// EventActionIDPAccountCheck defines the check to execute after a successful IDP login\ntype EventActionIDPAccountCheck struct {\n\t// 0 create/update, 1 create the account if it doesn't exist\n\tMode int `json:\"mode,omitempty\"`\n\tTemplateUser string `json:\"template_user,omitempty\"`\n\tTemplateAdmin string `json:\"template_admin,omitempty\"`\n}\n\nfunc (c *EventActionIDPAccountCheck) validate() error {\n\tif c.TemplateAdmin == \"\" && c.TemplateUser == \"\" {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"at least a template must be set\"),\n\t\t\tutil.I18nErrorIDPTemplateRequired,\n\t\t)\n\t}\n\tif c.Mode < 0 || c.Mode > 1 {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid account check mode: %d\", c.Mode))\n\t}\n\treturn nil\n}\n\n// BaseEventActionOptions defines the supported configuration options for a base event actions\ntype BaseEventActionOptions struct {\n\tHTTPConfig EventActionHTTPConfig `json:\"http_config\"`\n\tCmdConfig EventActionCommandConfig `json:\"cmd_config\"`\n\tEmailConfig EventActionEmailConfig `json:\"email_config\"`\n\tRetentionConfig EventActionDataRetentionConfig `json:\"retention_config\"`\n\tFsConfig EventActionFilesystemConfig `json:\"fs_config\"`\n\tPwdExpirationConfig EventActionPasswordExpiration `json:\"pwd_expiration_config\"`\n\tUserInactivityConfig EventActionUserInactivity `json:\"user_inactivity_config\"`\n\tIDPConfig EventActionIDPAccountCheck `json:\"idp_config\"`\n}\n\nfunc (o *BaseEventActionOptions) getACopy() BaseEventActionOptions {\n\to.SetEmptySecretsIfNil()\n\temailRecipients := make([]string, len(o.EmailConfig.Recipients))\n\tcopy(emailRecipients, o.EmailConfig.Recipients)\n\temailBcc := make([]string, len(o.EmailConfig.Bcc))\n\tcopy(emailBcc, o.EmailConfig.Bcc)\n\temailAttachments := make([]string, len(o.EmailConfig.Attachments))\n\tcopy(emailAttachments, o.EmailConfig.Attachments)\n\tcmdArgs := make([]string, len(o.CmdConfig.Args))\n\tcopy(cmdArgs, o.CmdConfig.Args)\n\tfolders := make([]FolderRetention, 0, len(o.RetentionConfig.Folders))\n\tfor _, folder := range o.RetentionConfig.Folders {\n\t\tfolders = append(folders, FolderRetention{\n\t\t\tPath: folder.Path,\n\t\t\tRetention: folder.Retention,\n\t\t\tDeleteEmptyDirs: folder.DeleteEmptyDirs,\n\t\t})\n\t}\n\thttpParts := make([]HTTPPart, 0, len(o.HTTPConfig.Parts))\n\tfor _, part := range o.HTTPConfig.Parts {\n\t\thttpParts = append(httpParts, HTTPPart{\n\t\t\tName: part.Name,\n\t\t\tFilepath: part.Filepath,\n\t\t\tHeaders: cloneKeyValues(part.Headers),\n\t\t\tBody: part.Body,\n\t\t})\n\t}\n\n\treturn BaseEventActionOptions{\n\t\tHTTPConfig: EventActionHTTPConfig{\n\t\t\tEndpoint: o.HTTPConfig.Endpoint,\n\t\t\tUsername: o.HTTPConfig.Username,\n\t\t\tPassword: o.HTTPConfig.Password.Clone(),\n\t\t\tHeaders: cloneKeyValues(o.HTTPConfig.Headers),\n\t\t\tTimeout: o.HTTPConfig.Timeout,\n\t\t\tSkipTLSVerify: o.HTTPConfig.SkipTLSVerify,\n\t\t\tMethod: o.HTTPConfig.Method,\n\t\t\tQueryParameters: cloneKeyValues(o.HTTPConfig.QueryParameters),\n\t\t\tBody: o.HTTPConfig.Body,\n\t\t\tParts: httpParts,\n\t\t},\n\t\tCmdConfig: EventActionCommandConfig{\n\t\t\tCmd: o.CmdConfig.Cmd,\n\t\t\tArgs: cmdArgs,\n\t\t\tTimeout: o.CmdConfig.Timeout,\n\t\t\tEnvVars: cloneKeyValues(o.CmdConfig.EnvVars),\n\t\t},\n\t\tEmailConfig: EventActionEmailConfig{\n\t\t\tRecipients: emailRecipients,\n\t\t\tBcc: emailBcc,\n\t\t\tSubject: o.EmailConfig.Subject,\n\t\t\tContentType: o.EmailConfig.ContentType,\n\t\t\tBody: o.EmailConfig.Body,\n\t\t\tAttachments: emailAttachments,\n\t\t},\n\t\tRetentionConfig: EventActionDataRetentionConfig{\n\t\t\tFolders: folders,\n\t\t},\n\t\tPwdExpirationConfig: EventActionPasswordExpiration{\n\t\t\tThreshold: o.PwdExpirationConfig.Threshold,\n\t\t},\n\t\tUserInactivityConfig: EventActionUserInactivity{\n\t\t\tDisableThreshold: o.UserInactivityConfig.DisableThreshold,\n\t\t\tDeleteThreshold: o.UserInactivityConfig.DeleteThreshold,\n\t\t},\n\t\tIDPConfig: EventActionIDPAccountCheck{\n\t\t\tMode: o.IDPConfig.Mode,\n\t\t\tTemplateUser: o.IDPConfig.TemplateUser,\n\t\t\tTemplateAdmin: o.IDPConfig.TemplateAdmin,\n\t\t},\n\t\tFsConfig: o.FsConfig.getACopy(),\n\t}\n}\n\n// SetEmptySecretsIfNil sets the secrets to empty if nil\nfunc (o *BaseEventActionOptions) SetEmptySecretsIfNil() {\n\tif o.HTTPConfig.Password == nil {\n\t\to.HTTPConfig.Password = kms.NewEmptySecret()\n\t}\n}\n\nfunc (o *BaseEventActionOptions) setNilSecretsIfEmpty() {\n\tif o.HTTPConfig.Password != nil && o.HTTPConfig.Password.IsEmpty() {\n\t\to.HTTPConfig.Password = nil\n\t}\n}\n\nfunc (o *BaseEventActionOptions) hideConfidentialData() {\n\tif o.HTTPConfig.Password != nil {\n\t\to.HTTPConfig.Password.Hide()\n\t}\n}\n\nfunc (o *BaseEventActionOptions) validate(action int, name string) error {\n\to.SetEmptySecretsIfNil()\n\tswitch action {\n\tcase ActionTypeHTTP:\n\t\to.CmdConfig = EventActionCommandConfig{}\n\t\to.EmailConfig = EventActionEmailConfig{}\n\t\to.RetentionConfig = EventActionDataRetentionConfig{}\n\t\to.FsConfig = EventActionFilesystemConfig{}\n\t\to.PwdExpirationConfig = EventActionPasswordExpiration{}\n\t\to.IDPConfig = EventActionIDPAccountCheck{}\n\t\to.UserInactivityConfig = EventActionUserInactivity{}\n\t\treturn o.HTTPConfig.validate(name)\n\tcase ActionTypeCommand:\n\t\to.HTTPConfig = EventActionHTTPConfig{}\n\t\to.EmailConfig = EventActionEmailConfig{}\n\t\to.RetentionConfig = EventActionDataRetentionConfig{}\n\t\to.FsConfig = EventActionFilesystemConfig{}\n\t\to.PwdExpirationConfig = EventActionPasswordExpiration{}\n\t\to.IDPConfig = EventActionIDPAccountCheck{}\n\t\to.UserInactivityConfig = EventActionUserInactivity{}\n\t\treturn o.CmdConfig.validate()\n\tcase ActionTypeEmail:\n\t\to.HTTPConfig = EventActionHTTPConfig{}\n\t\to.CmdConfig = EventActionCommandConfig{}\n\t\to.RetentionConfig = EventActionDataRetentionConfig{}\n\t\to.FsConfig = EventActionFilesystemConfig{}\n\t\to.PwdExpirationConfig = EventActionPasswordExpiration{}\n\t\to.IDPConfig = EventActionIDPAccountCheck{}\n\t\to.UserInactivityConfig = EventActionUserInactivity{}\n\t\treturn o.EmailConfig.validate()\n\tcase ActionTypeDataRetentionCheck:\n\t\to.HTTPConfig = EventActionHTTPConfig{}\n\t\to.CmdConfig = EventActionCommandConfig{}\n\t\to.EmailConfig = EventActionEmailConfig{}\n\t\to.FsConfig = EventActionFilesystemConfig{}\n\t\to.PwdExpirationConfig = EventActionPasswordExpiration{}\n\t\to.IDPConfig = EventActionIDPAccountCheck{}\n\t\to.UserInactivityConfig = EventActionUserInactivity{}\n\t\treturn o.RetentionConfig.validate()\n\tcase ActionTypeFilesystem:\n\t\to.HTTPConfig = EventActionHTTPConfig{}\n\t\to.CmdConfig = EventActionCommandConfig{}\n\t\to.EmailConfig = EventActionEmailConfig{}\n\t\to.RetentionConfig = EventActionDataRetentionConfig{}\n\t\to.PwdExpirationConfig = EventActionPasswordExpiration{}\n\t\to.IDPConfig = EventActionIDPAccountCheck{}\n\t\to.UserInactivityConfig = EventActionUserInactivity{}\n\t\treturn o.FsConfig.validate()\n\tcase ActionTypePasswordExpirationCheck:\n\t\to.HTTPConfig = EventActionHTTPConfig{}\n\t\to.CmdConfig = EventActionCommandConfig{}\n\t\to.EmailConfig = EventActionEmailConfig{}\n\t\to.RetentionConfig = EventActionDataRetentionConfig{}\n\t\to.FsConfig = EventActionFilesystemConfig{}\n\t\to.IDPConfig = EventActionIDPAccountCheck{}\n\t\to.UserInactivityConfig = EventActionUserInactivity{}\n\t\treturn o.PwdExpirationConfig.validate()\n\tcase ActionTypeUserInactivityCheck:\n\t\to.HTTPConfig = EventActionHTTPConfig{}\n\t\to.CmdConfig = EventActionCommandConfig{}\n\t\to.EmailConfig = EventActionEmailConfig{}\n\t\to.RetentionConfig = EventActionDataRetentionConfig{}\n\t\to.FsConfig = EventActionFilesystemConfig{}\n\t\to.IDPConfig = EventActionIDPAccountCheck{}\n\t\to.PwdExpirationConfig = EventActionPasswordExpiration{}\n\t\treturn o.UserInactivityConfig.validate()\n\tcase ActionTypeIDPAccountCheck:\n\t\to.HTTPConfig = EventActionHTTPConfig{}\n\t\to.CmdConfig = EventActionCommandConfig{}\n\t\to.EmailConfig = EventActionEmailConfig{}\n\t\to.RetentionConfig = EventActionDataRetentionConfig{}\n\t\to.FsConfig = EventActionFilesystemConfig{}\n\t\to.PwdExpirationConfig = EventActionPasswordExpiration{}\n\t\to.UserInactivityConfig = EventActionUserInactivity{}\n\t\treturn o.IDPConfig.validate()\n\tdefault:\n\t\to.HTTPConfig = EventActionHTTPConfig{}\n\t\to.CmdConfig = EventActionCommandConfig{}\n\t\to.EmailConfig = EventActionEmailConfig{}\n\t\to.RetentionConfig = EventActionDataRetentionConfig{}\n\t\to.FsConfig = EventActionFilesystemConfig{}\n\t\to.PwdExpirationConfig = EventActionPasswordExpiration{}\n\t\to.IDPConfig = EventActionIDPAccountCheck{}\n\t\to.UserInactivityConfig = EventActionUserInactivity{}\n\t}\n\treturn nil\n}\n\n// BaseEventAction defines the common fields for an event action\ntype BaseEventAction struct {\n\t// Data provider unique identifier\n\tID int64 `json:\"id\"`\n\t// Action name\n\tName string `json:\"name\"`\n\t// optional description\n\tDescription string `json:\"description,omitempty\"`\n\t// ActionType, see the above enum\n\tType int `json:\"type\"`\n\t// Configuration options specific for the action type\n\tOptions BaseEventActionOptions `json:\"options\"`\n\t// list of rule names associated with this event action\n\tRules []string `json:\"rules,omitempty\"`\n}\n\nfunc (a *BaseEventAction) getACopy() BaseEventAction {\n\trules := make([]string, len(a.Rules))\n\tcopy(rules, a.Rules)\n\treturn BaseEventAction{\n\t\tID: a.ID,\n\t\tName: a.Name,\n\t\tDescription: a.Description,\n\t\tType: a.Type,\n\t\tOptions: a.Options.getACopy(),\n\t\tRules: rules,\n\t}\n}\n\n// GetTypeAsString returns the action type as string\nfunc (a *BaseEventAction) GetTypeAsString() string {\n\treturn getActionTypeAsString(a.Type)\n}\n\n// GetRulesAsString returns the list of rules as comma separated string\nfunc (a *BaseEventAction) GetRulesAsString() string {\n\treturn strings.Join(a.Rules, \",\")\n}\n\n// PrepareForRendering prepares a BaseEventAction for rendering.\n// It hides confidential data and set to nil the empty secrets\n// so they are not serialized\nfunc (a *BaseEventAction) PrepareForRendering() {\n\ta.Options.setNilSecretsIfEmpty()\n\ta.Options.hideConfidentialData()\n}\n\n// RenderAsJSON implements the renderer interface used within plugins\nfunc (a *BaseEventAction) RenderAsJSON(reload bool) ([]byte, error) {\n\tif reload {\n\t\taction, err := provider.eventActionExists(a.Name)\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelError, \"unable to reload event action before rendering as json: %v\", err)\n\t\t\treturn nil, err\n\t\t}\n\t\taction.PrepareForRendering()\n\t\treturn json.Marshal(action)\n\t}\n\ta.PrepareForRendering()\n\treturn json.Marshal(a)\n}\n\nfunc (a *BaseEventAction) validate() error {\n\tif a.Name == \"\" {\n\t\treturn util.NewI18nError(util.NewValidationError(\"name is mandatory\"), util.I18nErrorNameRequired)\n\t}\n\tif !util.IsNameValid(a.Name) {\n\t\treturn util.NewI18nError(errInvalidInput, util.I18nErrorInvalidInput)\n\t}\n\tif config.NamingRules&1 == 0 && !usernameRegex.MatchString(a.Name) {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(fmt.Sprintf(\"name %q is not valid, the following characters are allowed: a-zA-Z0-9-_.~\", a.Name)),\n\t\t\tutil.I18nErrorInvalidUser,\n\t\t)\n\t}\n\tif !isActionTypeValid(a.Type) {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid action type: %d\", a.Type))\n\t}\n\treturn a.Options.validate(a.Type, a.Name)\n}\n\n// EventActionOptions defines the supported configuration options for an event action\ntype EventActionOptions struct {\n\tIsFailureAction bool `json:\"is_failure_action\"`\n\tStopOnFailure bool `json:\"stop_on_failure\"`\n\tExecuteSync bool `json:\"execute_sync\"`\n}\n\n// EventAction defines an event action\ntype EventAction struct {\n\tBaseEventAction\n\t// Order defines the execution order\n\tOrder int `json:\"order,omitempty\"`\n\tOptions EventActionOptions `json:\"relation_options\"`\n}\n\nfunc (a *EventAction) getACopy() EventAction {\n\treturn EventAction{\n\t\tBaseEventAction: a.BaseEventAction.getACopy(),\n\t\tOrder: a.Order,\n\t\tOptions: EventActionOptions{\n\t\t\tIsFailureAction: a.Options.IsFailureAction,\n\t\t\tStopOnFailure: a.Options.StopOnFailure,\n\t\t\tExecuteSync: a.Options.ExecuteSync,\n\t\t},\n\t}\n}\n\nfunc (a *EventAction) validateAssociation(trigger int, fsEvents []string) error {\n\tif a.Options.IsFailureAction {\n\t\tif a.Options.ExecuteSync {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(\"sync execution is not supported for failure actions\"),\n\t\t\t\tutil.I18nErrorEvSyncFailureActions,\n\t\t\t)\n\t\t}\n\t}\n\tif a.Options.ExecuteSync {\n\t\tif trigger != EventTriggerFsEvent && trigger != EventTriggerIDPLogin {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(\"sync execution is only supported for some filesystem events and Identity Provider logins\"),\n\t\t\t\tutil.I18nErrorEvSyncUnsupported,\n\t\t\t)\n\t\t}\n\t\tif trigger == EventTriggerFsEvent {\n\t\t\tfor _, ev := range fsEvents {\n\t\t\t\tif !slices.Contains(allowedSyncFsEvents, ev) {\n\t\t\t\t\treturn util.NewI18nError(\n\t\t\t\t\t\tutil.NewValidationError(\"sync execution is only supported for upload and pre-* events\"),\n\t\t\t\t\t\tutil.I18nErrorEvSyncUnsupportedFs,\n\t\t\t\t\t)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\treturn nil\n}\n\n// ConditionPattern defines a pattern for condition filters\ntype ConditionPattern struct {\n\tPattern string `json:\"pattern,omitempty\"`\n\tInverseMatch bool `json:\"inverse_match,omitempty\"`\n}\n\nfunc (p *ConditionPattern) validate() error {\n\tif p.Pattern == \"\" {\n\t\treturn util.NewValidationError(\"empty condition pattern not allowed\")\n\t}\n\t_, err := path.Match(p.Pattern, \"abc\")\n\tif err != nil {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid condition pattern %q\", p.Pattern))\n\t}\n\treturn nil\n}\n\n// ConditionOptions defines options for event conditions\ntype ConditionOptions struct {\n\t// Usernames or folder names\n\tNames []ConditionPattern `json:\"names,omitempty\"`\n\t// Group names\n\tGroupNames []ConditionPattern `json:\"group_names,omitempty\"`\n\t// Role names\n\tRoleNames []ConditionPattern `json:\"role_names,omitempty\"`\n\t// Virtual paths\n\tFsPaths []ConditionPattern `json:\"fs_paths,omitempty\"`\n\tProtocols []string `json:\"protocols,omitempty\"`\n\tProviderObjects []string `json:\"provider_objects,omitempty\"`\n\tMinFileSize int64 `json:\"min_size,omitempty\"`\n\tMaxFileSize int64 `json:\"max_size,omitempty\"`\n\tEventStatuses []int `json:\"event_statuses,omitempty\"`\n\t// allow to execute scheduled tasks concurrently from multiple instances\n\tConcurrentExecution bool `json:\"concurrent_execution,omitempty\"`\n}\n\nfunc (f *ConditionOptions) getACopy() ConditionOptions {\n\tprotocols := make([]string, len(f.Protocols))\n\tcopy(protocols, f.Protocols)\n\tproviderObjects := make([]string, len(f.ProviderObjects))\n\tcopy(providerObjects, f.ProviderObjects)\n\tstatuses := make([]int, len(f.EventStatuses))\n\tcopy(statuses, f.EventStatuses)\n\n\treturn ConditionOptions{\n\t\tNames: cloneConditionPatterns(f.Names),\n\t\tGroupNames: cloneConditionPatterns(f.GroupNames),\n\t\tRoleNames: cloneConditionPatterns(f.RoleNames),\n\t\tFsPaths: cloneConditionPatterns(f.FsPaths),\n\t\tProtocols: protocols,\n\t\tProviderObjects: providerObjects,\n\t\tMinFileSize: f.MinFileSize,\n\t\tMaxFileSize: f.MaxFileSize,\n\t\tEventStatuses: statuses,\n\t\tConcurrentExecution: f.ConcurrentExecution,\n\t}\n}\n\nfunc (f *ConditionOptions) validateStatuses() error {\n\tfor _, status := range f.EventStatuses {\n\t\tif status < 0 || status > 3 {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid event_status %d\", status))\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (f *ConditionOptions) validate() error {\n\tif err := validateConditionPatterns(f.Names); err != nil {\n\t\treturn err\n\t}\n\tif err := validateConditionPatterns(f.GroupNames); err != nil {\n\t\treturn err\n\t}\n\tif err := validateConditionPatterns(f.RoleNames); err != nil {\n\t\treturn err\n\t}\n\tif err := validateConditionPatterns(f.FsPaths); err != nil {\n\t\treturn err\n\t}\n\n\tfor _, p := range f.Protocols {\n\t\tif !slices.Contains(SupportedRuleConditionProtocols, p) {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"unsupported rule condition protocol: %q\", p))\n\t\t}\n\t}\n\tfor _, p := range f.ProviderObjects {\n\t\tif !slices.Contains(SupporteRuleConditionProviderObjects, p) {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"unsupported provider object: %q\", p))\n\t\t}\n\t}\n\tif f.MinFileSize > 0 && f.MaxFileSize > 0 {\n\t\tif f.MaxFileSize <= f.MinFileSize {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid max file size %s, it is lesser or equal than min file size %s\",\n\t\t\t\tutil.ByteCountSI(f.MaxFileSize), util.ByteCountSI(f.MinFileSize)))\n\t\t}\n\t}\n\tif err := f.validateStatuses(); err != nil {\n\t\treturn err\n\t}\n\tif config.IsShared == 0 {\n\t\tf.ConcurrentExecution = false\n\t}\n\treturn nil\n}\n\n// Schedule defines an event schedule\ntype Schedule struct {\n\tHours string `json:\"hour\"`\n\tDayOfWeek string `json:\"day_of_week\"`\n\tDayOfMonth string `json:\"day_of_month\"`\n\tMonth string `json:\"month\"`\n}\n\n// GetCronSpec returns the cron compatible schedule string\nfunc (s *Schedule) GetCronSpec() string {\n\treturn fmt.Sprintf(\"0 %s %s %s %s\", s.Hours, s.DayOfMonth, s.Month, s.DayOfWeek)\n}\n\nfunc (s *Schedule) validate() error {\n\t_, err := cron.ParseStandard(s.GetCronSpec())\n\tif err != nil {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid schedule, hour: %q, day of month: %q, month: %q, day of week: %q\",\n\t\t\ts.Hours, s.DayOfMonth, s.Month, s.DayOfWeek))\n\t}\n\treturn nil\n}\n\n// EventConditions defines the conditions for an event rule\ntype EventConditions struct {\n\t// Only one between FsEvents, ProviderEvents and Schedule is allowed\n\tFsEvents []string `json:\"fs_events,omitempty\"`\n\tProviderEvents []string `json:\"provider_events,omitempty\"`\n\tSchedules []Schedule `json:\"schedules,omitempty\"`\n\t// 0 any, 1 user, 2 admin\n\tIDPLoginEvent int `json:\"idp_login_event,omitempty\"`\n\tOptions ConditionOptions `json:\"options\"`\n}\n\nfunc (c *EventConditions) getACopy() EventConditions {\n\tfsEvents := make([]string, len(c.FsEvents))\n\tcopy(fsEvents, c.FsEvents)\n\tproviderEvents := make([]string, len(c.ProviderEvents))\n\tcopy(providerEvents, c.ProviderEvents)\n\tschedules := make([]Schedule, 0, len(c.Schedules))\n\tfor _, schedule := range c.Schedules {\n\t\tschedules = append(schedules, Schedule{\n\t\t\tHours: schedule.Hours,\n\t\t\tDayOfWeek: schedule.DayOfWeek,\n\t\t\tDayOfMonth: schedule.DayOfMonth,\n\t\t\tMonth: schedule.Month,\n\t\t})\n\t}\n\n\treturn EventConditions{\n\t\tFsEvents: fsEvents,\n\t\tProviderEvents: providerEvents,\n\t\tSchedules: schedules,\n\t\tIDPLoginEvent: c.IDPLoginEvent,\n\t\tOptions: c.Options.getACopy(),\n\t}\n}\n\nfunc (c *EventConditions) validateSchedules() error {\n\tif len(c.Schedules) == 0 {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"at least one schedule is required\"),\n\t\t\tutil.I18nErrorRuleScheduleRequired,\n\t\t)\n\t}\n\tfor _, schedule := range c.Schedules {\n\t\tif err := schedule.validate(); err != nil {\n\t\t\treturn util.NewI18nError(err, util.I18nErrorRuleScheduleInvalid)\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (c *EventConditions) validate(trigger int) error {\n\tswitch trigger {\n\tcase EventTriggerFsEvent:\n\t\tc.ProviderEvents = nil\n\t\tc.Schedules = nil\n\t\tc.Options.ProviderObjects = nil\n\t\tc.IDPLoginEvent = 0\n\t\tif len(c.FsEvents) == 0 {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(\"at least one filesystem event is required\"),\n\t\t\t\tutil.I18nErrorRuleFsEventRequired,\n\t\t\t)\n\t\t}\n\t\tfor _, ev := range c.FsEvents {\n\t\t\tif !slices.Contains(SupportedFsEvents, ev) {\n\t\t\t\treturn util.NewValidationError(fmt.Sprintf(\"unsupported fs event: %q\", ev))\n\t\t\t}\n\t\t}\n\tcase EventTriggerProviderEvent:\n\t\tc.FsEvents = nil\n\t\tc.Schedules = nil\n\t\tc.Options.FsPaths = nil\n\t\tc.Options.Protocols = nil\n\t\tc.Options.EventStatuses = nil\n\t\tc.Options.MinFileSize = 0\n\t\tc.Options.MaxFileSize = 0\n\t\tc.IDPLoginEvent = 0\n\t\tif len(c.ProviderEvents) == 0 {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(\"at least one provider event is required\"),\n\t\t\t\tutil.I18nErrorRuleProviderEventRequired,\n\t\t\t)\n\t\t}\n\t\tfor _, ev := range c.ProviderEvents {\n\t\t\tif !slices.Contains(SupportedProviderEvents, ev) {\n\t\t\t\treturn util.NewValidationError(fmt.Sprintf(\"unsupported provider event: %q\", ev))\n\t\t\t}\n\t\t}\n\tcase EventTriggerSchedule:\n\t\tc.FsEvents = nil\n\t\tc.ProviderEvents = nil\n\t\tc.Options.FsPaths = nil\n\t\tc.Options.Protocols = nil\n\t\tc.Options.EventStatuses = nil\n\t\tc.Options.MinFileSize = 0\n\t\tc.Options.MaxFileSize = 0\n\t\tc.Options.ProviderObjects = nil\n\t\tc.IDPLoginEvent = 0\n\t\tif err := c.validateSchedules(); err != nil {\n\t\t\treturn err\n\t\t}\n\tcase EventTriggerIPBlocked, EventTriggerCertificate:\n\t\tc.FsEvents = nil\n\t\tc.ProviderEvents = nil\n\t\tc.Options.Names = nil\n\t\tc.Options.GroupNames = nil\n\t\tc.Options.RoleNames = nil\n\t\tc.Options.FsPaths = nil\n\t\tc.Options.Protocols = nil\n\t\tc.Options.EventStatuses = nil\n\t\tc.Options.MinFileSize = 0\n\t\tc.Options.MaxFileSize = 0\n\t\tc.Schedules = nil\n\t\tc.IDPLoginEvent = 0\n\tcase EventTriggerOnDemand:\n\t\tc.FsEvents = nil\n\t\tc.ProviderEvents = nil\n\t\tc.Options.FsPaths = nil\n\t\tc.Options.Protocols = nil\n\t\tc.Options.EventStatuses = nil\n\t\tc.Options.MinFileSize = 0\n\t\tc.Options.MaxFileSize = 0\n\t\tc.Options.ProviderObjects = nil\n\t\tc.Schedules = nil\n\t\tc.IDPLoginEvent = 0\n\t\tc.Options.ConcurrentExecution = false\n\tcase EventTriggerIDPLogin:\n\t\tc.FsEvents = nil\n\t\tc.ProviderEvents = nil\n\t\tc.Options.GroupNames = nil\n\t\tc.Options.RoleNames = nil\n\t\tc.Options.FsPaths = nil\n\t\tc.Options.Protocols = nil\n\t\tc.Options.EventStatuses = nil\n\t\tc.Options.MinFileSize = 0\n\t\tc.Options.MaxFileSize = 0\n\t\tc.Schedules = nil\n\t\tif !slices.Contains(supportedIDPLoginEvents, c.IDPLoginEvent) {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid Identity Provider login event %d\", c.IDPLoginEvent))\n\t\t}\n\tdefault:\n\t\tc.FsEvents = nil\n\t\tc.ProviderEvents = nil\n\t\tc.Options.GroupNames = nil\n\t\tc.Options.RoleNames = nil\n\t\tc.Options.FsPaths = nil\n\t\tc.Options.Protocols = nil\n\t\tc.Options.EventStatuses = nil\n\t\tc.Options.MinFileSize = 0\n\t\tc.Options.MaxFileSize = 0\n\t\tc.Schedules = nil\n\t\tc.IDPLoginEvent = 0\n\t}\n\n\treturn c.Options.validate()\n}\n\n// EventRule defines the trigger, conditions and actions for an event\ntype EventRule struct {\n\t// Data provider unique identifier\n\tID int64 `json:\"id\"`\n\t// Rule name\n\tName string `json:\"name\"`\n\t// 1 enabled, 0 disabled\n\tStatus int `json:\"status\"`\n\t// optional description\n\tDescription string `json:\"description,omitempty\"`\n\t// Creation time as unix timestamp in milliseconds\n\tCreatedAt int64 `json:\"created_at\"`\n\t// last update time as unix timestamp in milliseconds\n\tUpdatedAt int64 `json:\"updated_at\"`\n\t// Event trigger\n\tTrigger int `json:\"trigger\"`\n\t// Event conditions\n\tConditions EventConditions `json:\"conditions\"`\n\t// actions to execute\n\tActions []EventAction `json:\"actions\"`\n\t// in multi node setups we mark the rule as deleted to be able to update the cache\n\tDeletedAt int64 `json:\"-\"`\n}\n\nfunc (r *EventRule) getACopy() EventRule {\n\tactions := make([]EventAction, 0, len(r.Actions))\n\tfor _, action := range r.Actions {\n\t\tactions = append(actions, action.getACopy())\n\t}\n\n\treturn EventRule{\n\t\tID: r.ID,\n\t\tName: r.Name,\n\t\tStatus: r.Status,\n\t\tDescription: r.Description,\n\t\tCreatedAt: r.CreatedAt,\n\t\tUpdatedAt: r.UpdatedAt,\n\t\tTrigger: r.Trigger,\n\t\tConditions: r.Conditions.getACopy(),\n\t\tActions: actions,\n\t\tDeletedAt: r.DeletedAt,\n\t}\n}\n\n// GuardFromConcurrentExecution returns true if the rule cannot be executed concurrently\n// from multiple instances\nfunc (r *EventRule) GuardFromConcurrentExecution() bool {\n\tif config.IsShared == 0 {\n\t\treturn false\n\t}\n\treturn !r.Conditions.Options.ConcurrentExecution\n}\n\n// GetTriggerAsString returns the rule trigger as string\nfunc (r *EventRule) GetTriggerAsString() string {\n\treturn getTriggerTypeAsString(r.Trigger)\n}\n\n// GetActionsAsString returns the list of action names as comma separated string\nfunc (r *EventRule) GetActionsAsString() string {\n\tactions := make([]string, 0, len(r.Actions))\n\tfor _, action := range r.Actions {\n\t\tactions = append(actions, action.Name)\n\t}\n\treturn strings.Join(actions, \",\")\n}\n\nfunc (r *EventRule) isStatusValid() bool {\n\treturn r.Status >= 0 && r.Status <= 1\n}\n\nfunc (r *EventRule) validate() error { //nolint:gocyclo\n\tif r.Name == \"\" {\n\t\treturn util.NewI18nError(util.NewValidationError(\"name is mandatory\"), util.I18nErrorNameRequired)\n\t}\n\tif !util.IsNameValid(r.Name) {\n\t\treturn util.NewI18nError(errInvalidInput, util.I18nErrorInvalidInput)\n\t}\n\tif config.NamingRules&1 == 0 && !usernameRegex.MatchString(r.Name) {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(fmt.Sprintf(\"name %q is not valid, the following characters are allowed: a-zA-Z0-9-_.~\", r.Name)),\n\t\t\tutil.I18nErrorInvalidUser,\n\t\t)\n\t}\n\tif !r.isStatusValid() {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid event rule status: %d\", r.Status))\n\t}\n\tif !isEventTriggerValid(r.Trigger) {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid event rule trigger: %d\", r.Trigger))\n\t}\n\tif err := r.Conditions.validate(r.Trigger); err != nil {\n\t\treturn err\n\t}\n\tif len(r.Actions) == 0 {\n\t\treturn util.NewI18nError(util.NewValidationError(\"at least one action is required\"), util.I18nErrorRuleActionRequired)\n\t}\n\tactionNames := make(map[string]bool)\n\tactionOrders := make(map[int]bool)\n\tfailureActions := 0\n\thasSyncAction := false\n\tfor idx := range r.Actions {\n\t\tif r.Actions[idx].Name == \"\" {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid action at position %d, name not specified\", idx))\n\t\t}\n\t\tif actionNames[r.Actions[idx].Name] {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"duplicated action %q\", r.Actions[idx].Name)),\n\t\t\t\tutil.I18nErrorRuleDuplicateActions,\n\t\t\t)\n\t\t}\n\t\tif actionOrders[r.Actions[idx].Order] {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"duplicated order %d for action %q\",\n\t\t\t\tr.Actions[idx].Order, r.Actions[idx].Name))\n\t\t}\n\t\tif err := r.Actions[idx].validateAssociation(r.Trigger, r.Conditions.FsEvents); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif r.Actions[idx].Options.IsFailureAction {\n\t\t\tfailureActions++\n\t\t}\n\t\tif r.Actions[idx].Options.ExecuteSync {\n\t\t\thasSyncAction = true\n\t\t}\n\t\tactionNames[r.Actions[idx].Name] = true\n\t\tactionOrders[r.Actions[idx].Order] = true\n\t}\n\tif len(r.Actions) == failureActions {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"at least a non-failure action is required\"),\n\t\t\tutil.I18nErrorRuleFailureActionsOnly,\n\t\t)\n\t}\n\tif !hasSyncAction {\n\t\treturn r.validateMandatorySyncActions()\n\t}\n\treturn nil\n}\n\nfunc (r *EventRule) validateMandatorySyncActions() error {\n\tif r.Trigger != EventTriggerFsEvent {\n\t\treturn nil\n\t}\n\tfor _, ev := range r.Conditions.FsEvents {\n\t\tif slices.Contains(mandatorySyncFsEvents, ev) {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"event %q requires at least a sync action\", ev)),\n\t\t\t\tutil.I18nErrorRuleSyncActionRequired,\n\t\t\t\tutil.I18nErrorArgs(map[string]any{\n\t\t\t\t\t\"val\": ev,\n\t\t\t\t}),\n\t\t\t)\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (r *EventRule) checkIPBlockedAndCertificateActions() error {\n\tunavailableActions := []int{ActionTypeUserQuotaReset, ActionTypeFolderQuotaReset, ActionTypeTransferQuotaReset,\n\t\tActionTypeDataRetentionCheck, ActionTypeFilesystem, ActionTypePasswordExpirationCheck,\n\t\tActionTypeUserExpirationCheck}\n\tfor _, action := range r.Actions {\n\t\tif slices.Contains(unavailableActions, action.Type) {\n\t\t\treturn fmt.Errorf(\"action %q, type %q is not supported for event trigger %q\",\n\t\t\t\taction.Name, getActionTypeAsString(action.Type), getTriggerTypeAsString(r.Trigger))\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (r *EventRule) checkProviderEventActions(providerObjectType string) error {\n\t// user quota reset, transfer quota reset, data retention check and filesystem actions\n\t// can be executed only if we modify a user. They will be executed for the\n\t// affected user. Folder quota reset can be executed only for folders.\n\tuserSpecificActions := []int{ActionTypeUserQuotaReset, ActionTypeTransferQuotaReset,\n\t\tActionTypeDataRetentionCheck, ActionTypeFilesystem,\n\t\tActionTypePasswordExpirationCheck, ActionTypeUserExpirationCheck}\n\tfor _, action := range r.Actions {\n\t\tif slices.Contains(userSpecificActions, action.Type) && providerObjectType != actionObjectUser {\n\t\t\treturn fmt.Errorf(\"action %q, type %q is only supported for provider user events\",\n\t\t\t\taction.Name, getActionTypeAsString(action.Type))\n\t\t}\n\t\tif action.Type == ActionTypeFolderQuotaReset && providerObjectType != actionObjectFolder {\n\t\t\treturn fmt.Errorf(\"action %q, type %q is only supported for provider folder events\",\n\t\t\t\taction.Name, getActionTypeAsString(action.Type))\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (r *EventRule) hasUserAssociated(providerObjectType string) bool {\n\tswitch r.Trigger {\n\tcase EventTriggerProviderEvent:\n\t\treturn providerObjectType == actionObjectUser\n\tcase EventTriggerFsEvent:\n\t\treturn true\n\tdefault:\n\t\tif len(r.Actions) > 0 {\n\t\t\t// should we allow schedules where backup is not the first action?\n\t\t\t// maybe we could pass the action index and check before that index\n\t\t\treturn r.Actions[0].Type == ActionTypeBackup\n\t\t}\n\t}\n\treturn false\n}\n\nfunc (r *EventRule) checkActions(providerObjectType string) error {\n\tnumSyncAction := 0\n\thasIDPAccountCheck := false\n\tfor _, action := range r.Actions {\n\t\tif action.Options.ExecuteSync {\n\t\t\tnumSyncAction++\n\t\t}\n\t\tif action.Type == ActionTypeEmail && action.BaseEventAction.Options.EmailConfig.hasFilesAttachments() {\n\t\t\tif !r.hasUserAssociated(providerObjectType) {\n\t\t\t\treturn errors.New(\"cannot send an email with attachments for a rule with no user associated\")\n\t\t\t}\n\t\t}\n\t\tif action.Type == ActionTypeHTTP && action.BaseEventAction.Options.HTTPConfig.HasMultipartFiles() {\n\t\t\tif !r.hasUserAssociated(providerObjectType) {\n\t\t\t\treturn errors.New(\"cannot upload file/s for a rule with no user associated\")\n\t\t\t}\n\t\t}\n\t\tif action.Type == ActionTypeIDPAccountCheck {\n\t\t\tif r.Trigger != EventTriggerIDPLogin {\n\t\t\t\treturn errors.New(\"IDP account check action is only supported for IDP login trigger\")\n\t\t\t}\n\t\t\tif !action.Options.ExecuteSync {\n\t\t\t\treturn errors.New(\"IDP account check must be a sync action\")\n\t\t\t}\n\t\t\thasIDPAccountCheck = true\n\t\t}\n\t}\n\tif hasIDPAccountCheck && numSyncAction != 1 {\n\t\treturn errors.New(\"IDP account check must be the only sync action\")\n\t}\n\treturn nil\n}\n\n// CheckActionsConsistency returns an error if the actions cannot be executed\nfunc (r *EventRule) CheckActionsConsistency(providerObjectType string) error {\n\tswitch r.Trigger {\n\tcase EventTriggerProviderEvent:\n\t\tif err := r.checkProviderEventActions(providerObjectType); err != nil {\n\t\t\treturn err\n\t\t}\n\tcase EventTriggerFsEvent:\n\t\t// folder quota reset cannot be executed\n\t\tfor _, action := range r.Actions {\n\t\t\tif action.Type == ActionTypeFolderQuotaReset {\n\t\t\t\treturn fmt.Errorf(\"action %q, type %q is not supported for filesystem events\",\n\t\t\t\t\taction.Name, getActionTypeAsString(action.Type))\n\t\t\t}\n\t\t}\n\tcase EventTriggerIPBlocked, EventTriggerCertificate:\n\t\tif err := r.checkIPBlockedAndCertificateActions(); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\treturn r.checkActions(providerObjectType)\n}\n\n// PrepareForRendering prepares an EventRule for rendering.\n// It hides confidential data and set to nil the empty secrets\n// so they are not serialized\nfunc (r *EventRule) PrepareForRendering() {\n\tfor idx := range r.Actions {\n\t\tr.Actions[idx].PrepareForRendering()\n\t}\n}\n\n// RenderAsJSON implements the renderer interface used within plugins\nfunc (r *EventRule) RenderAsJSON(reload bool) ([]byte, error) {\n\tif reload {\n\t\trule, err := provider.eventRuleExists(r.Name)\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelError, \"unable to reload event rule before rendering as json: %v\", err)\n\t\t\treturn nil, err\n\t\t}\n\t\trule.PrepareForRendering()\n\t\treturn json.Marshal(rule)\n\t}\n\tr.PrepareForRendering()\n\treturn json.Marshal(r)\n}\n\nfunc cloneRenameConfigs(renames []RenameConfig) []RenameConfig {\n\tres := make([]RenameConfig, 0, len(renames))\n\tfor _, c := range renames {\n\t\tres = append(res, RenameConfig{\n\t\t\tKeyValue: KeyValue{\n\t\t\t\tKey: c.Key,\n\t\t\t\tValue: c.Value,\n\t\t\t},\n\t\t\tUpdateModTime: c.UpdateModTime,\n\t\t})\n\t}\n\treturn res\n}\n\nfunc cloneKeyValues(keyVals []KeyValue) []KeyValue {\n\tres := make([]KeyValue, 0, len(keyVals))\n\tfor _, kv := range keyVals {\n\t\tres = append(res, KeyValue{\n\t\t\tKey: kv.Key,\n\t\t\tValue: kv.Value,\n\t\t})\n\t}\n\treturn res\n}\n\nfunc cloneConditionPatterns(patterns []ConditionPattern) []ConditionPattern {\n\tres := make([]ConditionPattern, 0, len(patterns))\n\tfor _, p := range patterns {\n\t\tres = append(res, ConditionPattern{\n\t\t\tPattern: p.Pattern,\n\t\t\tInverseMatch: p.InverseMatch,\n\t\t})\n\t}\n\treturn res\n}\n\nfunc validateConditionPatterns(patterns []ConditionPattern) error {\n\tfor _, name := range patterns {\n\t\tif err := name.validate(); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\treturn nil\n}\n\n// Task stores the state for a scheduled task\ntype Task struct {\n\tName string `json:\"name\"`\n\tUpdateAt int64 `json:\"updated_at\"`\n\tVersion int64 `json:\"version\"`\n}\n" }, { "path": "internal/dataprovider/group.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage dataprovider\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"path/filepath\"\n\t\"strings\"\n\n\t\"github.com/sftpgo/sdk\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\n// GroupUserSettings defines the settings to apply to users\ntype GroupUserSettings struct {\n\tsdk.BaseGroupUserSettings\n\t// Filesystem configuration details\n\tFsConfig vfs.Filesystem `json:\"filesystem\"`\n}\n\n// Group defines an SFTPGo group.\n// Groups are used to easily configure similar users\ntype Group struct {\n\tsdk.BaseGroup\n\t// settings to apply to users for whom this is a primary group\n\tUserSettings GroupUserSettings `json:\"user_settings,omitempty\"`\n\t// Mapping between virtual paths and virtual folders\n\tVirtualFolders []vfs.VirtualFolder `json:\"virtual_folders,omitempty\"`\n}\n\n// GetPermissions returns the permissions as list\nfunc (g *Group) GetPermissions() []sdk.DirectoryPermissions {\n\tresult := make([]sdk.DirectoryPermissions, 0, len(g.UserSettings.Permissions))\n\tfor k, v := range g.UserSettings.Permissions {\n\t\tresult = append(result, sdk.DirectoryPermissions{\n\t\t\tPath: k,\n\t\t\tPermissions: v,\n\t\t})\n\t}\n\treturn result\n}\n\n// GetAllowedIPAsString returns the allowed IP as comma separated string\nfunc (g *Group) GetAllowedIPAsString() string {\n\treturn strings.Join(g.UserSettings.Filters.AllowedIP, \",\")\n}\n\n// GetDeniedIPAsString returns the denied IP as comma separated string\nfunc (g *Group) GetDeniedIPAsString() string {\n\treturn strings.Join(g.UserSettings.Filters.DeniedIP, \",\")\n}\n\n// HasExternalAuth returns true if the external authentication is globally enabled\n// and it is not disabled for this group\nfunc (g *Group) HasExternalAuth() bool {\n\tif g.UserSettings.Filters.Hooks.ExternalAuthDisabled {\n\t\treturn false\n\t}\n\tif config.ExternalAuthHook != \"\" {\n\t\treturn true\n\t}\n\treturn plugin.Handler.HasAuthenticators()\n}\n\n// SetEmptySecretsIfNil sets the secrets to empty if nil\nfunc (g *Group) SetEmptySecretsIfNil() {\n\tg.UserSettings.FsConfig.SetEmptySecretsIfNil()\n\tfor idx := range g.VirtualFolders {\n\t\tvfolder := &g.VirtualFolders[idx]\n\t\tvfolder.FsConfig.SetEmptySecretsIfNil()\n\t}\n}\n\n// PrepareForRendering prepares a group for rendering.\n// It hides confidential data and set to nil the empty secrets\n// so they are not serialized\nfunc (g *Group) PrepareForRendering() {\n\tg.UserSettings.FsConfig.HideConfidentialData()\n\tg.UserSettings.FsConfig.SetNilSecretsIfEmpty()\n\tfor idx := range g.VirtualFolders {\n\t\tfolder := &g.VirtualFolders[idx]\n\t\tfolder.PrepareForRendering()\n\t}\n}\n\n// RenderAsJSON implements the renderer interface used within plugins\nfunc (g *Group) RenderAsJSON(reload bool) ([]byte, error) {\n\tif reload {\n\t\tgroup, err := provider.groupExists(g.Name)\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelError, \"unable to reload group before rendering as json: %v\", err)\n\t\t\treturn nil, err\n\t\t}\n\t\tgroup.PrepareForRendering()\n\t\treturn json.Marshal(group)\n\t}\n\tg.PrepareForRendering()\n\treturn json.Marshal(g)\n}\n\n// GetEncryptionAdditionalData returns the additional data to use for AEAD\nfunc (g *Group) GetEncryptionAdditionalData() string {\n\treturn fmt.Sprintf(\"group_%v\", g.Name)\n}\n\n// HasRedactedSecret returns true if the user has a redacted secret\nfunc (g *Group) hasRedactedSecret() bool {\n\tfor idx := range g.VirtualFolders {\n\t\tfolder := &g.VirtualFolders[idx]\n\t\tif folder.HasRedactedSecret() {\n\t\t\treturn true\n\t\t}\n\t}\n\n\treturn g.UserSettings.FsConfig.HasRedactedSecret()\n}\n\nfunc (g *Group) applyNamingRules() {\n\tg.Name = config.convertName(g.Name)\n\tfor idx := range g.VirtualFolders {\n\t\tg.VirtualFolders[idx].Name = config.convertName(g.VirtualFolders[idx].Name)\n\t}\n}\n\nfunc (g *Group) validate() error {\n\tg.SetEmptySecretsIfNil()\n\tg.applyNamingRules()\n\tif g.Name == \"\" {\n\t\treturn util.NewI18nError(util.NewValidationError(\"name is mandatory\"), util.I18nErrorNameRequired)\n\t}\n\tif !util.IsNameValid(g.Name) {\n\t\treturn util.NewI18nError(errInvalidInput, util.I18nErrorInvalidInput)\n\t}\n\tif config.NamingRules&1 == 0 && !usernameRegex.MatchString(g.Name) {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(fmt.Sprintf(\"name %q is not valid, the following characters are allowed: a-zA-Z0-9-_.~\", g.Name)),\n\t\t\tutil.I18nErrorInvalidName,\n\t\t)\n\t}\n\tif g.hasRedactedSecret() {\n\t\treturn util.NewValidationError(\"cannot save a group with a redacted secret\")\n\t}\n\tvfolders, err := validateAssociatedVirtualFolders(g.VirtualFolders)\n\tif err != nil {\n\t\treturn err\n\t}\n\tg.VirtualFolders = vfolders\n\treturn g.validateUserSettings()\n}\n\nfunc (g *Group) validateUserSettings() error {\n\tif g.UserSettings.HomeDir != \"\" {\n\t\tg.UserSettings.HomeDir = filepath.Clean(g.UserSettings.HomeDir)\n\t\tif !filepath.IsAbs(g.UserSettings.HomeDir) {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"home_dir must be an absolute path, actual value: %v\", g.UserSettings.HomeDir)),\n\t\t\t\tutil.I18nErrorInvalidHomeDir,\n\t\t\t)\n\t\t}\n\t}\n\tif err := g.UserSettings.FsConfig.Validate(g.GetEncryptionAdditionalData()); err != nil {\n\t\treturn err\n\t}\n\tif g.UserSettings.TotalDataTransfer > 0 {\n\t\t// if a total data transfer is defined we reset the separate upload and download limits\n\t\tg.UserSettings.UploadDataTransfer = 0\n\t\tg.UserSettings.DownloadDataTransfer = 0\n\t}\n\tif len(g.UserSettings.Permissions) > 0 {\n\t\tpermissions, err := validateUserPermissions(g.UserSettings.Permissions)\n\t\tif err != nil {\n\t\t\treturn util.NewI18nError(err, util.I18nErrorGenericPermission)\n\t\t}\n\t\tg.UserSettings.Permissions = permissions\n\t}\n\tg.UserSettings.Filters.TLSCerts = nil\n\tif err := validateBaseFilters(&g.UserSettings.Filters); err != nil {\n\t\treturn err\n\t}\n\tif !g.HasExternalAuth() {\n\t\tg.UserSettings.Filters.ExternalAuthCacheTime = 0\n\t}\n\tg.UserSettings.Filters.UserType = \"\"\n\treturn nil\n}\n\nfunc (g *Group) getACopy() Group {\n\tusers := make([]string, len(g.Users))\n\tcopy(users, g.Users)\n\tadmins := make([]string, len(g.Admins))\n\tcopy(admins, g.Admins)\n\tvirtualFolders := make([]vfs.VirtualFolder, 0, len(g.VirtualFolders))\n\tfor idx := range g.VirtualFolders {\n\t\tvfolder := g.VirtualFolders[idx].GetACopy()\n\t\tvirtualFolders = append(virtualFolders, vfolder)\n\t}\n\tpermissions := make(map[string][]string)\n\tfor k, v := range g.UserSettings.Permissions {\n\t\tperms := make([]string, len(v))\n\t\tcopy(perms, v)\n\t\tpermissions[k] = perms\n\t}\n\n\treturn Group{\n\t\tBaseGroup: sdk.BaseGroup{\n\t\t\tID: g.ID,\n\t\t\tName: g.Name,\n\t\t\tDescription: g.Description,\n\t\t\tCreatedAt: g.CreatedAt,\n\t\t\tUpdatedAt: g.UpdatedAt,\n\t\t\tUsers: users,\n\t\t\tAdmins: admins,\n\t\t},\n\t\tUserSettings: GroupUserSettings{\n\t\t\tBaseGroupUserSettings: sdk.BaseGroupUserSettings{\n\t\t\t\tHomeDir: g.UserSettings.HomeDir,\n\t\t\t\tMaxSessions: g.UserSettings.MaxSessions,\n\t\t\t\tQuotaSize: g.UserSettings.QuotaSize,\n\t\t\t\tQuotaFiles: g.UserSettings.QuotaFiles,\n\t\t\t\tPermissions: permissions,\n\t\t\t\tUploadBandwidth: g.UserSettings.UploadBandwidth,\n\t\t\t\tDownloadBandwidth: g.UserSettings.DownloadBandwidth,\n\t\t\t\tUploadDataTransfer: g.UserSettings.UploadDataTransfer,\n\t\t\t\tDownloadDataTransfer: g.UserSettings.DownloadDataTransfer,\n\t\t\t\tTotalDataTransfer: g.UserSettings.TotalDataTransfer,\n\t\t\t\tExpiresIn: g.UserSettings.ExpiresIn,\n\t\t\t\tFilters: copyBaseUserFilters(g.UserSettings.Filters),\n\t\t\t},\n\t\t\tFsConfig: g.UserSettings.FsConfig.GetACopy(),\n\t\t},\n\t\tVirtualFolders: virtualFolders,\n\t}\n}\n" }, { "path": "internal/dataprovider/iplist.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage dataprovider\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"net\"\n\t\"net/netip\"\n\t\"slices\"\n\t\"strings\"\n\t\"sync\"\n\t\"sync/atomic\"\n\n\t\"github.com/yl2chen/cidranger\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nconst (\n\t// maximum number of entries to match in memory\n\t// if the list contains more elements than this limit a\n\t// database query will be executed\n\tipListMemoryLimit = 15000\n)\n\nvar (\n\tinMemoryLists map[IPListType]*IPList\n)\n\nfunc init() {\n\tinMemoryLists = map[IPListType]*IPList{}\n}\n\n// IPListType is the enumerable for the supported IP list types\ntype IPListType int\n\n// AsString returns the string representation for the list type\nfunc (t IPListType) AsString() string {\n\tswitch t {\n\tcase IPListTypeAllowList:\n\t\treturn \"Allow list\"\n\tcase IPListTypeDefender:\n\t\treturn \"Defender\"\n\tcase IPListTypeRateLimiterSafeList:\n\t\treturn \"Rate limiters safe list\"\n\tdefault:\n\t\treturn \"\"\n\t}\n}\n\n// Supported IP list types\nconst (\n\tIPListTypeAllowList IPListType = iota + 1\n\tIPListTypeDefender\n\tIPListTypeRateLimiterSafeList\n)\n\n// Supported IP list modes\nconst (\n\tListModeAllow = iota + 1\n\tListModeDeny\n)\n\nconst (\n\tipTypeV4 = iota + 1\n\tipTypeV6\n)\n\nvar (\n\tsupportedIPListType = []IPListType{IPListTypeAllowList, IPListTypeDefender, IPListTypeRateLimiterSafeList}\n)\n\n// CheckIPListType returns an error if the provided IP list type is not valid\nfunc CheckIPListType(t IPListType) error {\n\tif !slices.Contains(supportedIPListType, t) {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid list type %d\", t))\n\t}\n\treturn nil\n}\n\n// IPListEntry defines an entry for the IP addresses list\ntype IPListEntry struct {\n\tIPOrNet string `json:\"ipornet\"`\n\tDescription string `json:\"description,omitempty\"`\n\tType IPListType `json:\"type\"`\n\tMode int `json:\"mode\"`\n\t// Defines the protocols the entry applies to\n\t// - 0 all the supported protocols\n\t// - 1 SSH\n\t// - 2 FTP\n\t// - 4 WebDAV\n\t// - 8 HTTP\n\t// Protocols can be combined\n\tProtocols int `json:\"protocols\"`\n\tFirst []byte `json:\"first,omitempty\"`\n\tLast []byte `json:\"last,omitempty\"`\n\tIPType int `json:\"ip_type,omitempty\"`\n\t// Creation time as unix timestamp in milliseconds\n\tCreatedAt int64 `json:\"created_at\"`\n\t// last update time as unix timestamp in milliseconds\n\tUpdatedAt int64 `json:\"updated_at\"`\n\t// in multi node setups we mark the rule as deleted to be able to update the cache\n\tDeletedAt int64 `json:\"-\"`\n}\n\n// PrepareForRendering prepares an IP list entry for rendering.\n// It hides internal fields\nfunc (e *IPListEntry) PrepareForRendering() {\n\te.First = nil\n\te.Last = nil\n\te.IPType = 0\n}\n\n// HasProtocol returns true if the specified protocol is defined\nfunc (e *IPListEntry) HasProtocol(proto string) bool {\n\tswitch proto {\n\tcase protocolSSH:\n\t\treturn e.Protocols&1 != 0\n\tcase protocolFTP:\n\t\treturn e.Protocols&2 != 0\n\tcase protocolWebDAV:\n\t\treturn e.Protocols&4 != 0\n\tcase protocolHTTP:\n\t\treturn e.Protocols&8 != 0\n\tdefault:\n\t\treturn false\n\t}\n}\n\n// RenderAsJSON implements the renderer interface used within plugins\nfunc (e *IPListEntry) RenderAsJSON(reload bool) ([]byte, error) {\n\tif reload {\n\t\tentry, err := provider.ipListEntryExists(e.IPOrNet, e.Type)\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelError, \"unable to reload IP list entry before rendering as json: %v\", err)\n\t\t\treturn nil, err\n\t\t}\n\t\tentry.PrepareForRendering()\n\t\treturn json.Marshal(entry)\n\t}\n\te.PrepareForRendering()\n\treturn json.Marshal(e)\n}\n\nfunc (e *IPListEntry) getKey() string {\n\treturn fmt.Sprintf(\"%d_%s\", e.Type, e.IPOrNet)\n}\n\nfunc (e *IPListEntry) getName() string {\n\treturn e.Type.AsString() + \"-\" + e.IPOrNet\n}\n\nfunc (e *IPListEntry) getFirst() netip.Addr {\n\tif e.IPType == ipTypeV4 {\n\t\tvar a4 [4]byte\n\t\tcopy(a4[:], e.First)\n\t\treturn netip.AddrFrom4(a4)\n\t}\n\tvar a16 [16]byte\n\tcopy(a16[:], e.First)\n\treturn netip.AddrFrom16(a16)\n}\n\nfunc (e *IPListEntry) getLast() netip.Addr {\n\tif e.IPType == ipTypeV4 {\n\t\tvar a4 [4]byte\n\t\tcopy(a4[:], e.Last)\n\t\treturn netip.AddrFrom4(a4)\n\t}\n\tvar a16 [16]byte\n\tcopy(a16[:], e.Last)\n\treturn netip.AddrFrom16(a16)\n}\n\nfunc (e *IPListEntry) checkProtocols() {\n\tfor _, proto := range ValidProtocols {\n\t\tif !e.HasProtocol(proto) {\n\t\t\treturn\n\t\t}\n\t}\n\te.Protocols = 0\n}\n\nfunc (e *IPListEntry) validate() error {\n\tif err := CheckIPListType(e.Type); err != nil {\n\t\treturn err\n\t}\n\te.checkProtocols()\n\tswitch e.Type {\n\tcase IPListTypeDefender:\n\t\tif e.Mode < ListModeAllow || e.Mode > ListModeDeny {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid list mode: %d\", e.Mode))\n\t\t}\n\tdefault:\n\t\tif e.Mode != ListModeAllow {\n\t\t\treturn util.NewValidationError(\"invalid list mode\")\n\t\t}\n\t}\n\te.PrepareForRendering()\n\tif !strings.Contains(e.IPOrNet, \"/\") {\n\t\t// parse as IP\n\t\tparsed, err := netip.ParseAddr(e.IPOrNet)\n\t\tif err != nil {\n\t\t\treturn util.NewI18nError(util.NewValidationError(fmt.Sprintf(\"invalid IP %q\", e.IPOrNet)), util.I18nErrorIPInvalid)\n\t\t}\n\t\tif parsed.Is4() {\n\t\t\te.IPOrNet += \"/32\"\n\t\t} else if parsed.Is4In6() {\n\t\t\te.IPOrNet = netip.AddrFrom4(parsed.As4()).String() + \"/32\"\n\t\t} else {\n\t\t\te.IPOrNet += \"/128\"\n\t\t}\n\t}\n\tprefix, err := netip.ParsePrefix(e.IPOrNet)\n\tif err != nil {\n\t\treturn util.NewI18nError(util.NewValidationError(fmt.Sprintf(\"invalid network %q: %v\", e.IPOrNet, err)), util.I18nErrorNetInvalid)\n\t}\n\tprefix = prefix.Masked()\n\tif prefix.Addr().Is4In6() {\n\t\te.IPOrNet = fmt.Sprintf(\"%s/%d\", netip.AddrFrom4(prefix.Addr().As4()).String(), prefix.Bits()-96)\n\t}\n\t// TODO: to remove when the in memory ranger switch to netip\n\t_, _, err = net.ParseCIDR(e.IPOrNet)\n\tif err != nil {\n\t\treturn util.NewI18nError(util.NewValidationError(fmt.Sprintf(\"invalid network: %v\", err)), util.I18nErrorNetInvalid)\n\t}\n\tif prefix.Addr().Is4() || prefix.Addr().Is4In6() {\n\t\te.IPType = ipTypeV4\n\t\tfirst := prefix.Addr().As4()\n\t\tlast := util.GetLastIPForPrefix(prefix).As4()\n\t\te.First = first[:]\n\t\te.Last = last[:]\n\t} else {\n\t\te.IPType = ipTypeV6\n\t\tfirst := prefix.Addr().As16()\n\t\tlast := util.GetLastIPForPrefix(prefix).As16()\n\t\te.First = first[:]\n\t\te.Last = last[:]\n\t}\n\treturn nil\n}\n\nfunc (e *IPListEntry) getACopy() IPListEntry {\n\tfirst := make([]byte, len(e.First))\n\tcopy(first, e.First)\n\tlast := make([]byte, len(e.Last))\n\tcopy(last, e.Last)\n\n\treturn IPListEntry{\n\t\tIPOrNet: e.IPOrNet,\n\t\tDescription: e.Description,\n\t\tType: e.Type,\n\t\tMode: e.Mode,\n\t\tFirst: first,\n\t\tLast: last,\n\t\tIPType: e.IPType,\n\t\tProtocols: e.Protocols,\n\t\tCreatedAt: e.CreatedAt,\n\t\tUpdatedAt: e.UpdatedAt,\n\t\tDeletedAt: e.DeletedAt,\n\t}\n}\n\n// getAsRangerEntry returns the entry as cidranger.RangerEntry\nfunc (e *IPListEntry) getAsRangerEntry() (cidranger.RangerEntry, error) {\n\t_, network, err := net.ParseCIDR(e.IPOrNet)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tentry := e.getACopy()\n\treturn &rangerEntry{\n\t\tentry: &entry,\n\t\tnetwork: *network,\n\t}, nil\n}\n\nfunc (e IPListEntry) satisfySearchConstraints(filter, from, order string) bool {\n\tif filter != \"\" && !strings.HasPrefix(e.IPOrNet, filter) {\n\t\treturn false\n\t}\n\tif from != \"\" {\n\t\tif order == OrderASC {\n\t\t\treturn e.IPOrNet > from\n\t\t}\n\t\treturn e.IPOrNet < from\n\t}\n\treturn true\n}\n\ntype rangerEntry struct {\n\tentry *IPListEntry\n\tnetwork net.IPNet\n}\n\nfunc (e *rangerEntry) Network() net.IPNet {\n\treturn e.network\n}\n\n// IPList defines an IP list\ntype IPList struct {\n\tisInMemory atomic.Bool\n\tlistType IPListType\n\tmu sync.RWMutex\n\tRanges cidranger.Ranger\n}\n\nfunc (l *IPList) addEntry(e *IPListEntry) {\n\tif l.listType != e.Type {\n\t\treturn\n\t}\n\tif !l.isInMemory.Load() {\n\t\treturn\n\t}\n\tentry, err := e.getAsRangerEntry()\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to get entry to add %q for list type %d, disabling memory mode, err: %v\",\n\t\t\te.IPOrNet, l.listType, err)\n\t\tl.isInMemory.Store(false)\n\t\treturn\n\t}\n\tl.mu.Lock()\n\tdefer l.mu.Unlock()\n\n\tif err := l.Ranges.Insert(entry); err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to add entry %q for list type %d, disabling memory mode, err: %v\",\n\t\t\te.IPOrNet, l.listType, err)\n\t\tl.isInMemory.Store(false)\n\t\treturn\n\t}\n\tif l.Ranges.Len() >= ipListMemoryLimit {\n\t\tproviderLog(logger.LevelError, \"memory limit exceeded for list type %d, disabling memory mode\", l.listType)\n\t\tl.isInMemory.Store(false)\n\t}\n}\n\nfunc (l *IPList) removeEntry(e *IPListEntry) {\n\tif l.listType != e.Type {\n\t\treturn\n\t}\n\tif !l.isInMemory.Load() {\n\t\treturn\n\t}\n\tentry, err := e.getAsRangerEntry()\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to get entry to remove %q for list type %d, disabling memory mode, err: %v\",\n\t\t\te.IPOrNet, l.listType, err)\n\t\tl.isInMemory.Store(false)\n\t\treturn\n\t}\n\tl.mu.Lock()\n\tdefer l.mu.Unlock()\n\n\tif _, err := l.Ranges.Remove(entry.Network()); err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to remove entry %q for list type %d, disabling memory mode, err: %v\",\n\t\t\te.IPOrNet, l.listType, err)\n\t\tl.isInMemory.Store(false)\n\t}\n}\n\nfunc (l *IPList) updateEntry(e *IPListEntry) {\n\tif l.listType != e.Type {\n\t\treturn\n\t}\n\tif !l.isInMemory.Load() {\n\t\treturn\n\t}\n\tentry, err := e.getAsRangerEntry()\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to get entry to update %q for list type %d, disabling memory mode, err: %v\",\n\t\t\te.IPOrNet, l.listType, err)\n\t\tl.isInMemory.Store(false)\n\t\treturn\n\t}\n\tl.mu.Lock()\n\tdefer l.mu.Unlock()\n\n\tif _, err := l.Ranges.Remove(entry.Network()); err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to remove entry to update %q for list type %d, disabling memory mode, err: %v\",\n\t\t\te.IPOrNet, l.listType, err)\n\t\tl.isInMemory.Store(false)\n\t\treturn\n\t}\n\tif err := l.Ranges.Insert(entry); err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to add entry to update %q for list type %d, disabling memory mode, err: %v\",\n\t\t\te.IPOrNet, l.listType, err)\n\t\tl.isInMemory.Store(false)\n\t}\n\tif l.Ranges.Len() >= ipListMemoryLimit {\n\t\tproviderLog(logger.LevelError, \"memory limit exceeded for list type %d, disabling memory mode\", l.listType)\n\t\tl.isInMemory.Store(false)\n\t}\n}\n\n// DisableMemoryMode disables memory mode forcing database queries\nfunc (l *IPList) DisableMemoryMode() {\n\tl.isInMemory.Store(false)\n}\n\n// IsListed checks if there is a match for the specified IP and protocol.\n// If there are multiple matches, the first one is returned, in no particular order,\n// so the behavior is undefined\nfunc (l *IPList) IsListed(ip, protocol string) (bool, int, error) {\n\tif l.isInMemory.Load() {\n\t\tl.mu.RLock()\n\t\tdefer l.mu.RUnlock()\n\n\t\tif l.Ranges.Len() == 0 {\n\t\t\treturn false, 0, nil\n\t\t}\n\n\t\tparsedIP := net.ParseIP(ip)\n\t\tif parsedIP == nil {\n\t\t\treturn false, 0, fmt.Errorf(\"invalid IP %s\", ip)\n\t\t}\n\n\t\tentries, err := l.Ranges.ContainingNetworks(parsedIP)\n\t\tif err != nil {\n\t\t\treturn false, 0, fmt.Errorf(\"unable to find containing networks for ip %q: %w\", ip, err)\n\t\t}\n\t\tfor _, e := range entries {\n\t\t\tentry, ok := e.(*rangerEntry)\n\t\t\tif ok {\n\t\t\t\tif entry.entry.Protocols == 0 || entry.entry.HasProtocol(protocol) {\n\t\t\t\t\treturn true, entry.entry.Mode, nil\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\treturn false, 0, nil\n\t}\n\n\tentries, err := provider.getListEntriesForIP(ip, l.listType)\n\tif err != nil {\n\t\treturn false, 0, err\n\t}\n\tfor _, e := range entries {\n\t\tif e.Protocols == 0 || e.HasProtocol(protocol) {\n\t\t\treturn true, e.Mode, nil\n\t\t}\n\t}\n\n\treturn false, 0, nil\n}\n\n// NewIPList returns a new IP list for the specified type\nfunc NewIPList(listType IPListType) (*IPList, error) {\n\tdelete(inMemoryLists, listType)\n\tcount, err := provider.countIPListEntries(listType)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif count < ipListMemoryLimit {\n\t\tproviderLog(logger.LevelInfo, \"using in-memory matching for list type %d, num entries: %d\", listType, count)\n\t\tentries, err := provider.getIPListEntries(listType, \"\", \"\", OrderASC, 0)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tipList := &IPList{\n\t\t\tlistType: listType,\n\t\t\tRanges: cidranger.NewPCTrieRanger(),\n\t\t}\n\t\tfor idx := range entries {\n\t\t\te := entries[idx]\n\t\t\tentry, err := e.getAsRangerEntry()\n\t\t\tif err != nil {\n\t\t\t\treturn nil, fmt.Errorf(\"unable to get ranger for entry %q: %w\", e.IPOrNet, err)\n\t\t\t}\n\t\t\tif err := ipList.Ranges.Insert(entry); err != nil {\n\t\t\t\treturn nil, fmt.Errorf(\"unable to add ranger for entry %q: %w\", e.IPOrNet, err)\n\t\t\t}\n\t\t}\n\t\tipList.isInMemory.Store(true)\n\t\tinMemoryLists[listType] = ipList\n\n\t\treturn ipList, nil\n\t}\n\tproviderLog(logger.LevelInfo, \"list type %d has %d entries, in-memory matching disabled\", listType, count)\n\tipList := &IPList{\n\t\tlistType: listType,\n\t\tRanges: nil,\n\t}\n\tipList.isInMemory.Store(false)\n\treturn ipList, nil\n}\n" }, { "path": "internal/dataprovider/memory.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage dataprovider\n\nimport (\n\t\"bytes\"\n\t\"crypto/x509\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net/netip\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"slices\"\n\t\"sort\"\n\t\"strconv\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nvar (\n\terrMemoryProviderClosed = errors.New(\"memory provider is closed\")\n)\n\ntype memoryProviderHandle struct {\n\t// configuration file to use for loading users\n\tconfigFile string\n\tsync.Mutex\n\tisClosed bool\n\t// slice with ordered usernames\n\tusernames []string\n\t// map for users, username is the key\n\tusers map[string]User\n\t// slice with ordered group names\n\tgroupnames []string\n\t// map for group, group name is the key\n\tgroups map[string]Group\n\t// map for virtual folders, folder name is the key\n\tvfolders map[string]vfs.BaseVirtualFolder\n\t// slice with ordered folder names\n\tvfoldersNames []string\n\t// map for admins, username is the key\n\tadmins map[string]Admin\n\t// slice with ordered admins\n\tadminsUsernames []string\n\t// map for API keys, keyID is the key\n\tapiKeys map[string]APIKey\n\t// slice with ordered API keys KeyID\n\tapiKeysIDs []string\n\t// map for shares, shareID is the key\n\tshares map[string]Share\n\t// slice with ordered shares shareID\n\tsharesIDs []string\n\t// map for event actions, name is the key\n\tactions map[string]BaseEventAction\n\t// slice with ordered actions\n\tactionsNames []string\n\t// map for event actions, name is the key\n\trules map[string]EventRule\n\t// slice with ordered rules\n\trulesNames []string\n\t// map for roles, name is the key\n\troles map[string]Role\n\t// slice with ordered roles\n\troleNames []string\n\t// map for IP List entry\n\tipListEntries map[string]IPListEntry\n\t// slice with ordered IP list entries\n\tipListEntriesKeys []string\n\t// configurations\n\tconfigs Configs\n}\n\n// MemoryProvider defines the auth provider for a memory store\ntype MemoryProvider struct {\n\tdbHandle *memoryProviderHandle\n}\n\nfunc initializeMemoryProvider(basePath string) error {\n\tconfigFile := \"\"\n\tif util.IsFileInputValid(config.Name) {\n\t\tconfigFile = config.Name\n\t\tif !filepath.IsAbs(configFile) {\n\t\t\tconfigFile = filepath.Join(basePath, configFile)\n\t\t}\n\t}\n\tprovider = &MemoryProvider{\n\t\tdbHandle: &memoryProviderHandle{\n\t\t\tisClosed: false,\n\t\t\tusernames: []string{},\n\t\t\tusers: make(map[string]User),\n\t\t\tgroupnames: []string{},\n\t\t\tgroups: make(map[string]Group),\n\t\t\tvfolders: make(map[string]vfs.BaseVirtualFolder),\n\t\t\tvfoldersNames: []string{},\n\t\t\tadmins: make(map[string]Admin),\n\t\t\tadminsUsernames: []string{},\n\t\t\tapiKeys: make(map[string]APIKey),\n\t\t\tapiKeysIDs: []string{},\n\t\t\tshares: make(map[string]Share),\n\t\t\tsharesIDs: []string{},\n\t\t\tactions: make(map[string]BaseEventAction),\n\t\t\tactionsNames: []string{},\n\t\t\trules: make(map[string]EventRule),\n\t\t\trulesNames: []string{},\n\t\t\troles: map[string]Role{},\n\t\t\troleNames: []string{},\n\t\t\tipListEntries: map[string]IPListEntry{},\n\t\t\tipListEntriesKeys: []string{},\n\t\t\tconfigs: Configs{},\n\t\t\tconfigFile: configFile,\n\t\t},\n\t}\n\treturn provider.reloadConfig()\n}\n\nfunc (p *MemoryProvider) checkAvailability() error {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\treturn nil\n}\n\nfunc (p *MemoryProvider) close() error {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\tp.dbHandle.isClosed = true\n\treturn nil\n}\n\nfunc (p *MemoryProvider) validateUserAndTLSCert(username, protocol string, tlsCert *x509.Certificate) (User, error) {\n\tvar user User\n\tif tlsCert == nil {\n\t\treturn user, errors.New(\"TLS certificate cannot be null or empty\")\n\t}\n\tuser, err := p.userExists(username, \"\")\n\tif err != nil {\n\t\tproviderLog(logger.LevelWarn, \"error authenticating user %q: %v\", username, err)\n\t\treturn user, err\n\t}\n\treturn checkUserAndTLSCertificate(&user, protocol, tlsCert)\n}\n\nfunc (p *MemoryProvider) validateUserAndPass(username, password, ip, protocol string) (User, error) {\n\tuser, err := p.userExists(username, \"\")\n\tif err != nil {\n\t\tproviderLog(logger.LevelWarn, \"error authenticating user %q: %v\", username, err)\n\t\treturn user, err\n\t}\n\treturn checkUserAndPass(&user, password, ip, protocol)\n}\n\nfunc (p *MemoryProvider) validateUserAndPubKey(username string, pubKey []byte, isSSHCert bool) (User, string, error) {\n\tvar user User\n\tif len(pubKey) == 0 {\n\t\treturn user, \"\", errors.New(\"credentials cannot be null or empty\")\n\t}\n\tuser, err := p.userExists(username, \"\")\n\tif err != nil {\n\t\tproviderLog(logger.LevelWarn, \"error authenticating user %q: %v\", username, err)\n\t\treturn user, \"\", err\n\t}\n\treturn checkUserAndPubKey(&user, pubKey, isSSHCert)\n}\n\nfunc (p *MemoryProvider) validateAdminAndPass(username, password, ip string) (Admin, error) {\n\tadmin, err := p.adminExists(username)\n\tif err != nil {\n\t\tproviderLog(logger.LevelWarn, \"error authenticating admin %q: %v\", username, err)\n\t\treturn admin, err\n\t}\n\terr = admin.checkUserAndPass(password, ip)\n\treturn admin, err\n}\n\nfunc (p *MemoryProvider) updateAPIKeyLastUse(keyID string) error {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\tapiKey, err := p.apiKeyExistsInternal(keyID)\n\tif err != nil {\n\t\treturn err\n\t}\n\tapiKey.LastUseAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\tp.dbHandle.apiKeys[apiKey.KeyID] = apiKey\n\treturn nil\n}\n\nfunc (p *MemoryProvider) getAdminSignature(username string) (string, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn \"\", errMemoryProviderClosed\n\t}\n\tadmin, err := p.adminExistsInternal(username)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn strconv.FormatInt(admin.UpdatedAt, 10), nil\n}\n\nfunc (p *MemoryProvider) getUserSignature(username string) (string, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn \"\", errMemoryProviderClosed\n\t}\n\tuser, err := p.userExistsInternal(username)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn strconv.FormatInt(user.UpdatedAt, 10), nil\n}\n\nfunc (p *MemoryProvider) setUpdatedAt(username string) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn\n\t}\n\tuser, err := p.userExistsInternal(username)\n\tif err != nil {\n\t\treturn\n\t}\n\tuser.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\tp.dbHandle.users[user.Username] = user\n\tsetLastUserUpdate()\n}\n\nfunc (p *MemoryProvider) updateLastLogin(username string) error {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\tuser, err := p.userExistsInternal(username)\n\tif err != nil {\n\t\treturn err\n\t}\n\tuser.LastLogin = util.GetTimeAsMsSinceEpoch(time.Now())\n\tp.dbHandle.users[user.Username] = user\n\treturn nil\n}\n\nfunc (p *MemoryProvider) updateAdminLastLogin(username string) error {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\tadmin, err := p.adminExistsInternal(username)\n\tif err != nil {\n\t\treturn err\n\t}\n\tadmin.LastLogin = util.GetTimeAsMsSinceEpoch(time.Now())\n\tp.dbHandle.admins[admin.Username] = admin\n\treturn nil\n}\n\nfunc (p *MemoryProvider) updateTransferQuota(username string, uploadSize, downloadSize int64, reset bool) error {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\tuser, err := p.userExistsInternal(username)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to update transfer quota for user %q error: %v\", username, err)\n\t\treturn err\n\t}\n\tif reset {\n\t\tuser.UsedUploadDataTransfer = uploadSize\n\t\tuser.UsedDownloadDataTransfer = downloadSize\n\t} else {\n\t\tuser.UsedUploadDataTransfer += uploadSize\n\t\tuser.UsedDownloadDataTransfer += downloadSize\n\t}\n\tuser.LastQuotaUpdate = util.GetTimeAsMsSinceEpoch(time.Now())\n\tproviderLog(logger.LevelDebug, \"transfer quota updated for user %q, ul increment: %v dl increment: %v is reset? %v\",\n\t\tusername, uploadSize, downloadSize, reset)\n\tp.dbHandle.users[user.Username] = user\n\treturn nil\n}\n\nfunc (p *MemoryProvider) updateQuota(username string, filesAdd int, sizeAdd int64, reset bool) error {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\tuser, err := p.userExistsInternal(username)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to update quota for user %q error: %v\", username, err)\n\t\treturn err\n\t}\n\tif reset {\n\t\tuser.UsedQuotaSize = sizeAdd\n\t\tuser.UsedQuotaFiles = filesAdd\n\t} else {\n\t\tuser.UsedQuotaSize += sizeAdd\n\t\tuser.UsedQuotaFiles += filesAdd\n\t}\n\tuser.LastQuotaUpdate = util.GetTimeAsMsSinceEpoch(time.Now())\n\tproviderLog(logger.LevelDebug, \"quota updated for user %q, files increment: %v size increment: %v is reset? %v\",\n\t\tusername, filesAdd, sizeAdd, reset)\n\tp.dbHandle.users[user.Username] = user\n\treturn nil\n}\n\nfunc (p *MemoryProvider) getUsedQuota(username string) (int, int64, int64, int64, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn 0, 0, 0, 0, errMemoryProviderClosed\n\t}\n\tuser, err := p.userExistsInternal(username)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to get quota for user %q error: %v\", username, err)\n\t\treturn 0, 0, 0, 0, err\n\t}\n\treturn user.UsedQuotaFiles, user.UsedQuotaSize, user.UsedUploadDataTransfer, user.UsedDownloadDataTransfer, err\n}\n\nfunc (p *MemoryProvider) addUser(user *User) error {\n\terr := ValidateUser(user)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\n\t_, err = p.userExistsInternal(user.Username)\n\tif err == nil {\n\t\treturn util.NewI18nError(\n\t\t\tfmt.Errorf(\"%w: username %v already exists\", ErrDuplicatedKey, user.Username),\n\t\t\tutil.I18nErrorDuplicatedUsername,\n\t\t)\n\t}\n\tuser.ID = p.getNextID()\n\tuser.LastQuotaUpdate = 0\n\tuser.UsedQuotaSize = 0\n\tuser.UsedQuotaFiles = 0\n\tuser.UsedUploadDataTransfer = 0\n\tuser.UsedDownloadDataTransfer = 0\n\tuser.LastLogin = 0\n\tuser.FirstUpload = 0\n\tuser.FirstDownload = 0\n\tuser.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\tuser.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\tif err := p.addUserToRole(user.Username, user.Role); err != nil {\n\t\treturn err\n\t}\n\tvar mappedGroups []string\n\tfor idx := range user.Groups {\n\t\tif err = p.addUserToGroupMapping(user.Username, user.Groups[idx].Name); err != nil {\n\t\t\t// try to remove group mapping\n\t\t\tfor _, g := range mappedGroups {\n\t\t\t\tp.removeUserFromGroupMapping(user.Username, g)\n\t\t\t}\n\t\t\treturn err\n\t\t}\n\t\tmappedGroups = append(mappedGroups, user.Groups[idx].Name)\n\t}\n\tvar mappedFolders []string\n\tfor idx := range user.VirtualFolders {\n\t\tif err = p.addUserToFolderMapping(user.Username, user.VirtualFolders[idx].Name); err != nil {\n\t\t\t// try to remove folder mapping\n\t\t\tfor _, f := range mappedFolders {\n\t\t\t\tp.removeRelationFromFolderMapping(f, user.Username, \"\")\n\t\t\t}\n\t\t\treturn err\n\t\t}\n\t\tmappedFolders = append(mappedFolders, user.VirtualFolders[idx].Name)\n\t}\n\tp.dbHandle.users[user.Username] = user.getACopy()\n\tp.dbHandle.usernames = append(p.dbHandle.usernames, user.Username)\n\tsort.Strings(p.dbHandle.usernames)\n\treturn nil\n}\n\nfunc (p *MemoryProvider) updateUser(user *User) error { //nolint:gocyclo\n\terr := ValidateUser(user)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\n\tu, err := p.userExistsInternal(user.Username)\n\tif err != nil {\n\t\treturn err\n\t}\n\tp.removeUserFromRole(u.Username, u.Role)\n\tif err := p.addUserToRole(user.Username, user.Role); err != nil {\n\t\t// try ro add old role\n\t\tif errRollback := p.addUserToRole(u.Username, u.Role); errRollback != nil {\n\t\t\tproviderLog(logger.LevelError, \"unable to rollback old role %q for user %q, error: %v\",\n\t\t\t\tu.Role, u.Username, errRollback)\n\t\t}\n\t\treturn err\n\t}\n\tfor idx := range u.Groups {\n\t\tp.removeUserFromGroupMapping(u.Username, u.Groups[idx].Name)\n\t}\n\tfor idx := range user.Groups {\n\t\tif err = p.addUserToGroupMapping(user.Username, user.Groups[idx].Name); err != nil {\n\t\t\t// try to add old mapping\n\t\t\tfor _, g := range u.Groups {\n\t\t\t\tif errRollback := p.addUserToGroupMapping(user.Username, g.Name); errRollback != nil {\n\t\t\t\t\tproviderLog(logger.LevelError, \"unable to rollback old group mapping %q for user %q, error: %v\",\n\t\t\t\t\t\tg.Name, user.Username, errRollback)\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn err\n\t\t}\n\t}\n\tfor _, oldFolder := range u.VirtualFolders {\n\t\tp.removeRelationFromFolderMapping(oldFolder.Name, u.Username, \"\")\n\t}\n\tfor idx := range user.VirtualFolders {\n\t\tif err = p.addUserToFolderMapping(user.Username, user.VirtualFolders[idx].Name); err != nil {\n\t\t\t// try to add old mapping\n\t\t\tfor _, f := range u.VirtualFolders {\n\t\t\t\tif errRollback := p.addUserToFolderMapping(user.Username, f.Name); errRollback != nil {\n\t\t\t\t\tproviderLog(logger.LevelError, \"unable to rollback old folder mapping %q for user %q, error: %v\",\n\t\t\t\t\t\tf.Name, user.Username, errRollback)\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn err\n\t\t}\n\t}\n\tuser.LastQuotaUpdate = u.LastQuotaUpdate\n\tuser.UsedQuotaSize = u.UsedQuotaSize\n\tuser.UsedQuotaFiles = u.UsedQuotaFiles\n\tuser.UsedUploadDataTransfer = u.UsedUploadDataTransfer\n\tuser.UsedDownloadDataTransfer = u.UsedDownloadDataTransfer\n\tuser.LastLogin = u.LastLogin\n\tuser.FirstDownload = u.FirstDownload\n\tuser.FirstUpload = u.FirstUpload\n\tuser.CreatedAt = u.CreatedAt\n\tuser.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\tuser.ID = u.ID\n\t// pre-login and external auth hook will use the passed *user so save a copy\n\tp.dbHandle.users[user.Username] = user.getACopy()\n\tsetLastUserUpdate()\n\treturn nil\n}\n\nfunc (p *MemoryProvider) deleteUser(user User, _ bool) error {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\tu, err := p.userExistsInternal(user.Username)\n\tif err != nil {\n\t\treturn err\n\t}\n\tp.removeUserFromRole(u.Username, u.Role)\n\tfor _, oldFolder := range u.VirtualFolders {\n\t\tp.removeRelationFromFolderMapping(oldFolder.Name, u.Username, \"\")\n\t}\n\tfor idx := range u.Groups {\n\t\tp.removeUserFromGroupMapping(u.Username, u.Groups[idx].Name)\n\t}\n\tdelete(p.dbHandle.users, user.Username)\n\t// this could be more efficient\n\tp.dbHandle.usernames = make([]string, 0, len(p.dbHandle.users))\n\tfor username := range p.dbHandle.users {\n\t\tp.dbHandle.usernames = append(p.dbHandle.usernames, username)\n\t}\n\tsort.Strings(p.dbHandle.usernames)\n\tp.deleteAPIKeysWithUser(user.Username)\n\tp.deleteSharesWithUser(user.Username)\n\treturn nil\n}\n\nfunc (p *MemoryProvider) updateUserPassword(username, password string) error {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\n\tuser, err := p.userExistsInternal(username)\n\tif err != nil {\n\t\treturn err\n\t}\n\tuser.Password = password\n\tuser.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\tp.dbHandle.users[username] = user\n\treturn nil\n}\n\nfunc (p *MemoryProvider) dumpUsers() ([]User, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tusers := make([]User, 0, len(p.dbHandle.usernames))\n\tvar err error\n\tif p.dbHandle.isClosed {\n\t\treturn users, errMemoryProviderClosed\n\t}\n\tfor _, username := range p.dbHandle.usernames {\n\t\tu := p.dbHandle.users[username]\n\t\tuser := u.getACopy()\n\t\tp.addVirtualFoldersToUser(&user)\n\t\tusers = append(users, user)\n\t}\n\treturn users, err\n}\n\nfunc (p *MemoryProvider) dumpFolders() ([]vfs.BaseVirtualFolder, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tfolders := make([]vfs.BaseVirtualFolder, 0, len(p.dbHandle.vfoldersNames))\n\tif p.dbHandle.isClosed {\n\t\treturn folders, errMemoryProviderClosed\n\t}\n\tfor _, f := range p.dbHandle.vfolders {\n\t\tfolders = append(folders, f)\n\t}\n\treturn folders, nil\n}\n\nfunc (p *MemoryProvider) getRecentlyUpdatedUsers(after int64) ([]User, error) {\n\tif getLastUserUpdate() < after {\n\t\treturn nil, nil\n\t}\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn nil, errMemoryProviderClosed\n\t}\n\tusers := make([]User, 0, 10)\n\tfor _, username := range p.dbHandle.usernames {\n\t\tu := p.dbHandle.users[username]\n\t\tif u.UpdatedAt < after {\n\t\t\tcontinue\n\t\t}\n\t\tuser := u.getACopy()\n\t\tp.addVirtualFoldersToUser(&user)\n\t\tif len(user.Groups) > 0 {\n\t\t\tgroupMapping := make(map[string]Group)\n\t\t\tfor idx := range user.Groups {\n\t\t\t\tgroup, err := p.groupExistsInternal(user.Groups[idx].Name)\n\t\t\t\tif err != nil {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tgroupMapping[group.Name] = group\n\t\t\t}\n\t\t\tuser.applyGroupSettings(groupMapping)\n\t\t}\n\n\t\tuser.SetEmptySecretsIfNil()\n\t\tusers = append(users, user)\n\t}\n\n\treturn users, nil\n}\n\nfunc (p *MemoryProvider) getUsersForQuotaCheck(toFetch map[string]bool) ([]User, error) {\n\tusers := make([]User, 0, 30)\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn users, errMemoryProviderClosed\n\t}\n\tfor _, username := range p.dbHandle.usernames {\n\t\tif needFolders, ok := toFetch[username]; ok {\n\t\t\tu := p.dbHandle.users[username]\n\t\t\tuser := u.getACopy()\n\t\t\tif needFolders {\n\t\t\t\tp.addVirtualFoldersToUser(&user)\n\t\t\t}\n\t\t\tif len(user.Groups) > 0 {\n\t\t\t\tgroupMapping := make(map[string]Group)\n\t\t\t\tfor idx := range user.Groups {\n\t\t\t\t\tgroup, err := p.groupExistsInternal(user.Groups[idx].Name)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\tcontinue\n\t\t\t\t\t}\n\t\t\t\t\tgroupMapping[group.Name] = group\n\t\t\t\t}\n\t\t\t\tuser.applyGroupSettings(groupMapping)\n\t\t\t}\n\t\t\tuser.SetEmptySecretsIfNil()\n\t\t\tuser.PrepareForRendering()\n\t\t\tusers = append(users, user)\n\t\t}\n\t}\n\n\treturn users, nil\n}\n\nfunc (p *MemoryProvider) getUsers(limit int, offset int, order, role string) ([]User, error) {\n\tusers := make([]User, 0, limit)\n\tvar err error\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn users, errMemoryProviderClosed\n\t}\n\tif limit <= 0 {\n\t\treturn users, err\n\t}\n\titNum := 0\n\tif order == OrderASC {\n\t\tfor _, username := range p.dbHandle.usernames {\n\t\t\titNum++\n\t\t\tif itNum <= offset {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tu := p.dbHandle.users[username]\n\t\t\tuser := u.getACopy()\n\t\t\tif !user.hasRole(role) {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tp.addVirtualFoldersToUser(&user)\n\t\t\tuser.PrepareForRendering()\n\t\t\tusers = append(users, user)\n\t\t\tif len(users) >= limit {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t} else {\n\t\tfor i := len(p.dbHandle.usernames) - 1; i >= 0; i-- {\n\t\t\titNum++\n\t\t\tif itNum <= offset {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tusername := p.dbHandle.usernames[i]\n\t\t\tu := p.dbHandle.users[username]\n\t\t\tuser := u.getACopy()\n\t\t\tif !user.hasRole(role) {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tp.addVirtualFoldersToUser(&user)\n\t\t\tuser.PrepareForRendering()\n\t\t\tusers = append(users, user)\n\t\t\tif len(users) >= limit {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t}\n\treturn users, err\n}\n\nfunc (p *MemoryProvider) userExists(username, role string) (User, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn User{}, errMemoryProviderClosed\n\t}\n\tuser, err := p.userExistsInternal(username)\n\tif err != nil {\n\t\treturn user, err\n\t}\n\tif !user.hasRole(role) {\n\t\treturn User{}, util.NewRecordNotFoundError(fmt.Sprintf(\"username %q does not exist\", username))\n\t}\n\tp.addVirtualFoldersToUser(&user)\n\treturn user, nil\n}\n\nfunc (p *MemoryProvider) userExistsInternal(username string) (User, error) {\n\tif val, ok := p.dbHandle.users[username]; ok {\n\t\treturn val.getACopy(), nil\n\t}\n\treturn User{}, util.NewRecordNotFoundError(fmt.Sprintf(\"username %q does not exist\", username))\n}\n\nfunc (p *MemoryProvider) groupExistsInternal(name string) (Group, error) {\n\tif val, ok := p.dbHandle.groups[name]; ok {\n\t\treturn val.getACopy(), nil\n\t}\n\treturn Group{}, util.NewRecordNotFoundError(fmt.Sprintf(\"group %q does not exist\", name))\n}\n\nfunc (p *MemoryProvider) actionExistsInternal(name string) (BaseEventAction, error) {\n\tif val, ok := p.dbHandle.actions[name]; ok {\n\t\treturn val.getACopy(), nil\n\t}\n\treturn BaseEventAction{}, util.NewRecordNotFoundError(fmt.Sprintf(\"event action %q does not exist\", name))\n}\n\nfunc (p *MemoryProvider) ruleExistsInternal(name string) (EventRule, error) {\n\tif val, ok := p.dbHandle.rules[name]; ok {\n\t\treturn val.getACopy(), nil\n\t}\n\treturn EventRule{}, util.NewRecordNotFoundError(fmt.Sprintf(\"event rule %q does not exist\", name))\n}\n\nfunc (p *MemoryProvider) roleExistsInternal(name string) (Role, error) {\n\tif val, ok := p.dbHandle.roles[name]; ok {\n\t\treturn val.getACopy(), nil\n\t}\n\treturn Role{}, util.NewRecordNotFoundError(fmt.Sprintf(\"role %q does not exist\", name))\n}\n\nfunc (p *MemoryProvider) ipListEntryExistsInternal(entry *IPListEntry) (IPListEntry, error) {\n\tif val, ok := p.dbHandle.ipListEntries[entry.getKey()]; ok {\n\t\treturn val.getACopy(), nil\n\t}\n\treturn IPListEntry{}, util.NewRecordNotFoundError(fmt.Sprintf(\"IP list entry %q does not exist\", entry.getName()))\n}\n\nfunc (p *MemoryProvider) addAdmin(admin *Admin) error {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\terr := admin.validate()\n\tif err != nil {\n\t\treturn err\n\t}\n\t_, err = p.adminExistsInternal(admin.Username)\n\tif err == nil {\n\t\treturn util.NewI18nError(\n\t\t\tfmt.Errorf(\"%w: admin %q already exists\", ErrDuplicatedKey, admin.Username),\n\t\t\tutil.I18nErrorDuplicatedUsername,\n\t\t)\n\t}\n\tadmin.ID = p.getNextAdminID()\n\tadmin.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\tadmin.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\tadmin.LastLogin = 0\n\tif err := p.addAdminToRole(admin.Username, admin.Role); err != nil {\n\t\treturn err\n\t}\n\tvar mappedAdmins []string\n\tfor idx := range admin.Groups {\n\t\tif err = p.addAdminToGroupMapping(admin.Username, admin.Groups[idx].Name); err != nil {\n\t\t\t// try to remove group mapping\n\t\t\tfor _, g := range mappedAdmins {\n\t\t\t\tp.removeAdminFromGroupMapping(admin.Username, g)\n\t\t\t}\n\t\t\treturn err\n\t\t}\n\t\tmappedAdmins = append(mappedAdmins, admin.Groups[idx].Name)\n\t}\n\tp.dbHandle.admins[admin.Username] = admin.getACopy()\n\tp.dbHandle.adminsUsernames = append(p.dbHandle.adminsUsernames, admin.Username)\n\tsort.Strings(p.dbHandle.adminsUsernames)\n\treturn nil\n}\n\nfunc (p *MemoryProvider) updateAdmin(admin *Admin) error {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\terr := admin.validate()\n\tif err != nil {\n\t\treturn err\n\t}\n\ta, err := p.adminExistsInternal(admin.Username)\n\tif err != nil {\n\t\treturn err\n\t}\n\tp.removeAdminFromRole(a.Username, a.Role)\n\tif err := p.addAdminToRole(admin.Username, admin.Role); err != nil {\n\t\t// try ro add old role\n\t\tif errRollback := p.addAdminToRole(a.Username, a.Role); errRollback != nil {\n\t\t\tproviderLog(logger.LevelError, \"unable to rollback old role %q for admin %q, error: %v\",\n\t\t\t\ta.Role, a.Username, errRollback)\n\t\t}\n\t\treturn err\n\t}\n\tfor idx := range a.Groups {\n\t\tp.removeAdminFromGroupMapping(a.Username, a.Groups[idx].Name)\n\t}\n\tfor idx := range admin.Groups {\n\t\tif err = p.addAdminToGroupMapping(admin.Username, admin.Groups[idx].Name); err != nil {\n\t\t\t// try to add old mapping\n\t\t\tfor _, oldGroup := range a.Groups {\n\t\t\t\tif errRollback := p.addAdminToGroupMapping(a.Username, oldGroup.Name); errRollback != nil {\n\t\t\t\t\tproviderLog(logger.LevelError, \"unable to rollback old group mapping %q for admin %q, error: %v\",\n\t\t\t\t\t\toldGroup.Name, a.Username, errRollback)\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn err\n\t\t}\n\t}\n\tadmin.ID = a.ID\n\tadmin.CreatedAt = a.CreatedAt\n\tadmin.LastLogin = a.LastLogin\n\tadmin.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\tp.dbHandle.admins[admin.Username] = admin.getACopy()\n\treturn nil\n}\n\nfunc (p *MemoryProvider) deleteAdmin(admin Admin) error {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\ta, err := p.adminExistsInternal(admin.Username)\n\tif err != nil {\n\t\treturn err\n\t}\n\tp.removeAdminFromRole(a.Username, a.Role)\n\tfor idx := range a.Groups {\n\t\tp.removeAdminFromGroupMapping(a.Username, a.Groups[idx].Name)\n\t}\n\n\tdelete(p.dbHandle.admins, admin.Username)\n\t// this could be more efficient\n\tp.dbHandle.adminsUsernames = make([]string, 0, len(p.dbHandle.admins))\n\tfor username := range p.dbHandle.admins {\n\t\tp.dbHandle.adminsUsernames = append(p.dbHandle.adminsUsernames, username)\n\t}\n\tsort.Strings(p.dbHandle.adminsUsernames)\n\tp.deleteAPIKeysWithAdmin(admin.Username)\n\treturn nil\n}\n\nfunc (p *MemoryProvider) adminExists(username string) (Admin, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn Admin{}, errMemoryProviderClosed\n\t}\n\treturn p.adminExistsInternal(username)\n}\n\nfunc (p *MemoryProvider) adminExistsInternal(username string) (Admin, error) {\n\tif val, ok := p.dbHandle.admins[username]; ok {\n\t\treturn val.getACopy(), nil\n\t}\n\treturn Admin{}, util.NewRecordNotFoundError(fmt.Sprintf(\"admin %q does not exist\", username))\n}\n\nfunc (p *MemoryProvider) dumpAdmins() ([]Admin, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\n\tadmins := make([]Admin, 0, len(p.dbHandle.admins))\n\tif p.dbHandle.isClosed {\n\t\treturn admins, errMemoryProviderClosed\n\t}\n\tfor _, admin := range p.dbHandle.admins {\n\t\tadmins = append(admins, admin)\n\t}\n\treturn admins, nil\n}\n\nfunc (p *MemoryProvider) getAdmins(limit int, offset int, order string) ([]Admin, error) {\n\tadmins := make([]Admin, 0, limit)\n\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\n\tif p.dbHandle.isClosed {\n\t\treturn admins, errMemoryProviderClosed\n\t}\n\tif limit <= 0 {\n\t\treturn admins, nil\n\t}\n\titNum := 0\n\tif order == OrderASC {\n\t\tfor _, username := range p.dbHandle.adminsUsernames {\n\t\t\titNum++\n\t\t\tif itNum <= offset {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\ta := p.dbHandle.admins[username]\n\t\t\tadmin := a.getACopy()\n\t\t\tadmin.HideConfidentialData()\n\t\t\tadmins = append(admins, admin)\n\t\t\tif len(admins) >= limit {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t} else {\n\t\tfor i := len(p.dbHandle.adminsUsernames) - 1; i >= 0; i-- {\n\t\t\titNum++\n\t\t\tif itNum <= offset {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tusername := p.dbHandle.adminsUsernames[i]\n\t\t\ta := p.dbHandle.admins[username]\n\t\t\tadmin := a.getACopy()\n\t\t\tadmin.HideConfidentialData()\n\t\t\tadmins = append(admins, admin)\n\t\t\tif len(admins) >= limit {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t}\n\n\treturn admins, nil\n}\n\nfunc (p *MemoryProvider) updateFolderQuota(name string, filesAdd int, sizeAdd int64, reset bool) error {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\tfolder, err := p.folderExistsInternal(name)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to update quota for folder %q error: %v\", name, err)\n\t\treturn err\n\t}\n\tif reset {\n\t\tfolder.UsedQuotaSize = sizeAdd\n\t\tfolder.UsedQuotaFiles = filesAdd\n\t} else {\n\t\tfolder.UsedQuotaSize += sizeAdd\n\t\tfolder.UsedQuotaFiles += filesAdd\n\t}\n\tfolder.LastQuotaUpdate = util.GetTimeAsMsSinceEpoch(time.Now())\n\tp.dbHandle.vfolders[name] = folder\n\treturn nil\n}\n\nfunc (p *MemoryProvider) getGroups(limit, offset int, order string, _ bool) ([]Group, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn nil, errMemoryProviderClosed\n\t}\n\tif limit <= 0 {\n\t\treturn nil, nil\n\t}\n\tgroups := make([]Group, 0, limit)\n\titNum := 0\n\tif order == OrderASC {\n\t\tfor _, name := range p.dbHandle.groupnames {\n\t\t\titNum++\n\t\t\tif itNum <= offset {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tg := p.dbHandle.groups[name]\n\t\t\tgroup := g.getACopy()\n\t\t\tp.addVirtualFoldersToGroup(&group)\n\t\t\tgroup.PrepareForRendering()\n\t\t\tgroups = append(groups, group)\n\t\t\tif len(groups) >= limit {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t} else {\n\t\tfor i := len(p.dbHandle.groupnames) - 1; i >= 0; i-- {\n\t\t\titNum++\n\t\t\tif itNum <= offset {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tname := p.dbHandle.groupnames[i]\n\t\t\tg := p.dbHandle.groups[name]\n\t\t\tgroup := g.getACopy()\n\t\t\tp.addVirtualFoldersToGroup(&group)\n\t\t\tgroup.PrepareForRendering()\n\t\t\tgroups = append(groups, group)\n\t\t\tif len(groups) >= limit {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t}\n\treturn groups, nil\n}\n\nfunc (p *MemoryProvider) getGroupsWithNames(names []string) ([]Group, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn nil, errMemoryProviderClosed\n\t}\n\tgroups := make([]Group, 0, len(names))\n\tfor _, name := range names {\n\t\tif val, ok := p.dbHandle.groups[name]; ok {\n\t\t\tgroup := val.getACopy()\n\t\t\tp.addVirtualFoldersToGroup(&group)\n\t\t\tgroups = append(groups, group)\n\t\t}\n\t}\n\n\treturn groups, nil\n}\n\nfunc (p *MemoryProvider) getUsersInGroups(names []string) ([]string, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn nil, errMemoryProviderClosed\n\t}\n\tvar users []string\n\tfor _, name := range names {\n\t\tif val, ok := p.dbHandle.groups[name]; ok {\n\t\t\tgroup := val.getACopy()\n\t\t\tusers = append(users, group.Users...)\n\t\t}\n\t}\n\n\treturn users, nil\n}\n\nfunc (p *MemoryProvider) groupExists(name string) (Group, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn Group{}, errMemoryProviderClosed\n\t}\n\tgroup, err := p.groupExistsInternal(name)\n\tif err != nil {\n\t\treturn group, err\n\t}\n\tp.addVirtualFoldersToGroup(&group)\n\treturn group, nil\n}\n\nfunc (p *MemoryProvider) addGroup(group *Group) error {\n\tif err := group.validate(); err != nil {\n\t\treturn err\n\t}\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\n\t_, err := p.groupExistsInternal(group.Name)\n\tif err == nil {\n\t\treturn util.NewI18nError(\n\t\t\tfmt.Errorf(\"%w: group %q already exists\", ErrDuplicatedKey, group.Name),\n\t\t\tutil.I18nErrorDuplicatedUsername,\n\t\t)\n\t}\n\tgroup.ID = p.getNextGroupID()\n\tgroup.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\tgroup.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\tgroup.Users = nil\n\tgroup.Admins = nil\n\tvar mappedFolders []string\n\tfor idx := range group.VirtualFolders {\n\t\tif err = p.addGroupToFolderMapping(group.Name, group.VirtualFolders[idx].Name); err != nil {\n\t\t\t// try to remove folder mapping\n\t\t\tfor _, f := range mappedFolders {\n\t\t\t\tp.removeRelationFromFolderMapping(f, \"\", group.Name)\n\t\t\t}\n\t\t\treturn err\n\t\t}\n\t\tmappedFolders = append(mappedFolders, group.VirtualFolders[idx].Name)\n\t}\n\tp.dbHandle.groups[group.Name] = group.getACopy()\n\tp.dbHandle.groupnames = append(p.dbHandle.groupnames, group.Name)\n\tsort.Strings(p.dbHandle.groupnames)\n\treturn nil\n}\n\nfunc (p *MemoryProvider) updateGroup(group *Group) error {\n\tif err := group.validate(); err != nil {\n\t\treturn err\n\t}\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\tg, err := p.groupExistsInternal(group.Name)\n\tif err != nil {\n\t\treturn err\n\t}\n\tfor _, oldFolder := range g.VirtualFolders {\n\t\tp.removeRelationFromFolderMapping(oldFolder.Name, \"\", g.Name)\n\t}\n\tfor idx := range group.VirtualFolders {\n\t\tif err = p.addGroupToFolderMapping(group.Name, group.VirtualFolders[idx].Name); err != nil {\n\t\t\t// try to add old mapping\n\t\t\tfor _, f := range g.VirtualFolders {\n\t\t\t\tif errRollback := p.addGroupToFolderMapping(group.Name, f.Name); errRollback != nil {\n\t\t\t\t\tproviderLog(logger.LevelError, \"unable to rollback old folder mapping %q for group %q, error: %v\",\n\t\t\t\t\t\tf.Name, group.Name, errRollback)\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn err\n\t\t}\n\t}\n\tgroup.CreatedAt = g.CreatedAt\n\tgroup.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\tgroup.ID = g.ID\n\tgroup.Users = g.Users\n\tgroup.Admins = g.Admins\n\tp.dbHandle.groups[group.Name] = group.getACopy()\n\treturn nil\n}\n\nfunc (p *MemoryProvider) deleteGroup(group Group) error {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\tg, err := p.groupExistsInternal(group.Name)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif len(g.Users) > 0 {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"the group %q is referenced, it cannot be removed\", group.Name))\n\t}\n\tfor _, oldFolder := range g.VirtualFolders {\n\t\tp.removeRelationFromFolderMapping(oldFolder.Name, \"\", g.Name)\n\t}\n\tfor _, a := range g.Admins {\n\t\tp.removeGroupFromAdminMapping(g.Name, a)\n\t}\n\tdelete(p.dbHandle.groups, group.Name)\n\t// this could be more efficient\n\tp.dbHandle.groupnames = make([]string, 0, len(p.dbHandle.groups))\n\tfor name := range p.dbHandle.groups {\n\t\tp.dbHandle.groupnames = append(p.dbHandle.groupnames, name)\n\t}\n\tsort.Strings(p.dbHandle.groupnames)\n\treturn nil\n}\n\nfunc (p *MemoryProvider) dumpGroups() ([]Group, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tgroups := make([]Group, 0, len(p.dbHandle.groups))\n\tvar err error\n\tif p.dbHandle.isClosed {\n\t\treturn groups, errMemoryProviderClosed\n\t}\n\tfor _, name := range p.dbHandle.groupnames {\n\t\tg := p.dbHandle.groups[name]\n\t\tgroup := g.getACopy()\n\t\tp.addVirtualFoldersToGroup(&group)\n\t\tgroups = append(groups, group)\n\t}\n\treturn groups, err\n}\n\nfunc (p *MemoryProvider) getUsedFolderQuota(name string) (int, int64, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn 0, 0, errMemoryProviderClosed\n\t}\n\tfolder, err := p.folderExistsInternal(name)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to get quota for folder %q error: %v\", name, err)\n\t\treturn 0, 0, err\n\t}\n\treturn folder.UsedQuotaFiles, folder.UsedQuotaSize, err\n}\n\nfunc (p *MemoryProvider) addVirtualFoldersToGroup(group *Group) {\n\tif len(group.VirtualFolders) > 0 {\n\t\tvar folders []vfs.VirtualFolder\n\t\tfor idx := range group.VirtualFolders {\n\t\t\tfolder := &group.VirtualFolders[idx]\n\t\t\tbaseFolder, err := p.folderExistsInternal(folder.Name)\n\t\t\tif err != nil {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tfolder.BaseVirtualFolder = baseFolder.GetACopy()\n\t\t\tfolders = append(folders, *folder)\n\t\t}\n\t\tgroup.VirtualFolders = folders\n\t}\n}\n\nfunc (p *MemoryProvider) addActionsToRule(rule *EventRule) {\n\tvar actions []EventAction\n\tfor idx := range rule.Actions {\n\t\taction := &rule.Actions[idx]\n\t\tbaseAction, err := p.actionExistsInternal(action.Name)\n\t\tif err != nil {\n\t\t\tcontinue\n\t\t}\n\t\tbaseAction.Options.SetEmptySecretsIfNil()\n\t\taction.BaseEventAction = baseAction\n\t\tactions = append(actions, *action)\n\t}\n\trule.Actions = actions\n}\n\nfunc (p *MemoryProvider) addRuleToActionMapping(ruleName, actionName string) error {\n\ta, err := p.actionExistsInternal(actionName)\n\tif err != nil {\n\t\treturn util.NewGenericError(fmt.Sprintf(\"action %q does not exist\", actionName))\n\t}\n\tif !slices.Contains(a.Rules, ruleName) {\n\t\ta.Rules = append(a.Rules, ruleName)\n\t\tp.dbHandle.actions[actionName] = a\n\t}\n\treturn nil\n}\n\nfunc (p *MemoryProvider) removeRuleFromActionMapping(ruleName, actionName string) {\n\ta, err := p.actionExistsInternal(actionName)\n\tif err != nil {\n\t\tproviderLog(logger.LevelWarn, \"action %q does not exist, cannot remove from mapping\", actionName)\n\t\treturn\n\t}\n\tif slices.Contains(a.Rules, ruleName) {\n\t\tvar rules []string\n\t\tfor _, r := range a.Rules {\n\t\t\tif r != ruleName {\n\t\t\t\trules = append(rules, r)\n\t\t\t}\n\t\t}\n\t\ta.Rules = rules\n\t\tp.dbHandle.actions[actionName] = a\n\t}\n}\n\nfunc (p *MemoryProvider) addAdminToGroupMapping(username, groupname string) error {\n\tg, err := p.groupExistsInternal(groupname)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif !slices.Contains(g.Admins, username) {\n\t\tg.Admins = append(g.Admins, username)\n\t\tp.dbHandle.groups[groupname] = g\n\t}\n\treturn nil\n}\n\nfunc (p *MemoryProvider) removeAdminFromGroupMapping(username, groupname string) {\n\tg, err := p.groupExistsInternal(groupname)\n\tif err != nil {\n\t\treturn\n\t}\n\tvar admins []string\n\tfor _, a := range g.Admins {\n\t\tif a != username {\n\t\t\tadmins = append(admins, a)\n\t\t}\n\t}\n\tg.Admins = admins\n\tp.dbHandle.groups[groupname] = g\n}\n\nfunc (p *MemoryProvider) removeGroupFromAdminMapping(groupname, username string) {\n\tadmin, err := p.adminExistsInternal(username)\n\tif err != nil {\n\t\t// the admin does not exist so there is no associated group\n\t\treturn\n\t}\n\tvar newGroups []AdminGroupMapping\n\tfor _, g := range admin.Groups {\n\t\tif g.Name != groupname {\n\t\t\tnewGroups = append(newGroups, g)\n\t\t}\n\t}\n\tadmin.Groups = newGroups\n\tp.dbHandle.admins[admin.Username] = admin\n}\n\nfunc (p *MemoryProvider) addUserToGroupMapping(username, groupname string) error {\n\tg, err := p.groupExistsInternal(groupname)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif !slices.Contains(g.Users, username) {\n\t\tg.Users = append(g.Users, username)\n\t\tp.dbHandle.groups[groupname] = g\n\t}\n\treturn nil\n}\n\nfunc (p *MemoryProvider) removeUserFromGroupMapping(username, groupname string) {\n\tg, err := p.groupExistsInternal(groupname)\n\tif err != nil {\n\t\treturn\n\t}\n\tvar users []string\n\tfor _, u := range g.Users {\n\t\tif u != username {\n\t\t\tusers = append(users, u)\n\t\t}\n\t}\n\tg.Users = users\n\tp.dbHandle.groups[groupname] = g\n}\n\nfunc (p *MemoryProvider) addAdminToRole(username, role string) error {\n\tif role == \"\" {\n\t\treturn nil\n\t}\n\tr, err := p.roleExistsInternal(role)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"%w: role %q does not exist\", ErrForeignKeyViolated, role)\n\t}\n\tif !slices.Contains(r.Admins, username) {\n\t\tr.Admins = append(r.Admins, username)\n\t\tp.dbHandle.roles[role] = r\n\t}\n\treturn nil\n}\n\nfunc (p *MemoryProvider) removeAdminFromRole(username, role string) {\n\tif role == \"\" {\n\t\treturn\n\t}\n\tr, err := p.roleExistsInternal(role)\n\tif err != nil {\n\t\tproviderLog(logger.LevelWarn, \"role %q does not exist, cannot remove admin %q\", role, username)\n\t\treturn\n\t}\n\tvar admins []string\n\tfor _, a := range r.Admins {\n\t\tif a != username {\n\t\t\tadmins = append(admins, a)\n\t\t}\n\t}\n\tr.Admins = admins\n\tp.dbHandle.roles[role] = r\n}\n\nfunc (p *MemoryProvider) addUserToRole(username, role string) error {\n\tif role == \"\" {\n\t\treturn nil\n\t}\n\tr, err := p.roleExistsInternal(role)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"%w: role %q does not exist\", ErrForeignKeyViolated, role)\n\t}\n\tif !slices.Contains(r.Users, username) {\n\t\tr.Users = append(r.Users, username)\n\t\tp.dbHandle.roles[role] = r\n\t}\n\treturn nil\n}\n\nfunc (p *MemoryProvider) removeUserFromRole(username, role string) {\n\tif role == \"\" {\n\t\treturn\n\t}\n\tr, err := p.roleExistsInternal(role)\n\tif err != nil {\n\t\tproviderLog(logger.LevelWarn, \"role %q does not exist, cannot remove user %q\", role, username)\n\t\treturn\n\t}\n\tvar users []string\n\tfor _, u := range r.Users {\n\t\tif u != username {\n\t\t\tusers = append(users, u)\n\t\t}\n\t}\n\tr.Users = users\n\tp.dbHandle.roles[role] = r\n}\n\nfunc (p *MemoryProvider) addUserToFolderMapping(username, foldername string) error {\n\tf, err := p.folderExistsInternal(foldername)\n\tif err != nil {\n\t\treturn util.NewGenericError(fmt.Sprintf(\"unable to get folder %q: %v\", foldername, err))\n\t}\n\tif !slices.Contains(f.Users, username) {\n\t\tf.Users = append(f.Users, username)\n\t\tp.dbHandle.vfolders[foldername] = f\n\t}\n\treturn nil\n}\n\nfunc (p *MemoryProvider) addGroupToFolderMapping(name, foldername string) error {\n\tf, err := p.folderExistsInternal(foldername)\n\tif err != nil {\n\t\treturn util.NewGenericError(fmt.Sprintf(\"unable to get folder %q: %v\", foldername, err))\n\t}\n\tif !slices.Contains(f.Groups, name) {\n\t\tf.Groups = append(f.Groups, name)\n\t\tp.dbHandle.vfolders[foldername] = f\n\t}\n\treturn nil\n}\n\nfunc (p *MemoryProvider) addVirtualFoldersToUser(user *User) {\n\tif len(user.VirtualFolders) > 0 {\n\t\tvar folders []vfs.VirtualFolder\n\t\tfor idx := range user.VirtualFolders {\n\t\t\tfolder := &user.VirtualFolders[idx]\n\t\t\tbaseFolder, err := p.folderExistsInternal(folder.Name)\n\t\t\tif err != nil {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tfolder.BaseVirtualFolder = baseFolder.GetACopy()\n\t\t\tfolders = append(folders, *folder)\n\t\t}\n\t\tuser.VirtualFolders = folders\n\t}\n}\n\nfunc (p *MemoryProvider) removeRelationFromFolderMapping(folderName, username, groupname string) {\n\tfolder, err := p.folderExistsInternal(folderName)\n\tif err != nil {\n\t\treturn\n\t}\n\tif username != \"\" {\n\t\tvar usernames []string\n\t\tfor _, user := range folder.Users {\n\t\t\tif user != username {\n\t\t\t\tusernames = append(usernames, user)\n\t\t\t}\n\t\t}\n\t\tfolder.Users = usernames\n\t}\n\tif groupname != \"\" {\n\t\tvar groups []string\n\t\tfor _, group := range folder.Groups {\n\t\t\tif group != groupname {\n\t\t\t\tgroups = append(groups, group)\n\t\t\t}\n\t\t}\n\t\tfolder.Groups = groups\n\t}\n\tp.dbHandle.vfolders[folder.Name] = folder\n}\n\nfunc (p *MemoryProvider) folderExistsInternal(name string) (vfs.BaseVirtualFolder, error) {\n\tif val, ok := p.dbHandle.vfolders[name]; ok {\n\t\treturn val, nil\n\t}\n\treturn vfs.BaseVirtualFolder{}, util.NewRecordNotFoundError(fmt.Sprintf(\"folder %q does not exist\", name))\n}\n\nfunc (p *MemoryProvider) getFolders(limit, offset int, order string, _ bool) ([]vfs.BaseVirtualFolder, error) {\n\tfolders := make([]vfs.BaseVirtualFolder, 0, limit)\n\tvar err error\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn folders, errMemoryProviderClosed\n\t}\n\tif limit <= 0 {\n\t\treturn folders, err\n\t}\n\titNum := 0\n\tif order == OrderASC {\n\t\tfor _, name := range p.dbHandle.vfoldersNames {\n\t\t\titNum++\n\t\t\tif itNum <= offset {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tf := p.dbHandle.vfolders[name]\n\t\t\tfolder := f.GetACopy()\n\t\t\tfolder.PrepareForRendering()\n\t\t\tfolders = append(folders, folder)\n\t\t\tif len(folders) >= limit {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t} else {\n\t\tfor i := len(p.dbHandle.vfoldersNames) - 1; i >= 0; i-- {\n\t\t\titNum++\n\t\t\tif itNum <= offset {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tname := p.dbHandle.vfoldersNames[i]\n\t\t\tf := p.dbHandle.vfolders[name]\n\t\t\tfolder := f.GetACopy()\n\t\t\tfolder.PrepareForRendering()\n\t\t\tfolders = append(folders, folder)\n\t\t\tif len(folders) >= limit {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t}\n\treturn folders, err\n}\n\nfunc (p *MemoryProvider) getFolderByName(name string) (vfs.BaseVirtualFolder, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn vfs.BaseVirtualFolder{}, errMemoryProviderClosed\n\t}\n\tfolder, err := p.folderExistsInternal(name)\n\tif err != nil {\n\t\treturn vfs.BaseVirtualFolder{}, err\n\t}\n\treturn folder.GetACopy(), nil\n}\n\nfunc (p *MemoryProvider) addFolder(folder *vfs.BaseVirtualFolder) error {\n\terr := ValidateFolder(folder)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\n\t_, err = p.folderExistsInternal(folder.Name)\n\tif err == nil {\n\t\treturn util.NewI18nError(\n\t\t\tfmt.Errorf(\"%w: folder %q already exists\", ErrDuplicatedKey, folder.Name),\n\t\t\tutil.I18nErrorDuplicatedUsername,\n\t\t)\n\t}\n\tfolder.ID = p.getNextFolderID()\n\tfolder.Users = nil\n\tfolder.Groups = nil\n\tp.dbHandle.vfolders[folder.Name] = folder.GetACopy()\n\tp.dbHandle.vfoldersNames = append(p.dbHandle.vfoldersNames, folder.Name)\n\tsort.Strings(p.dbHandle.vfoldersNames)\n\treturn nil\n}\n\nfunc (p *MemoryProvider) updateFolder(folder *vfs.BaseVirtualFolder) error {\n\terr := ValidateFolder(folder)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\tf, err := p.folderExistsInternal(folder.Name)\n\tif err != nil {\n\t\treturn err\n\t}\n\tfolder.ID = f.ID\n\tfolder.LastQuotaUpdate = f.LastQuotaUpdate\n\tfolder.UsedQuotaFiles = f.UsedQuotaFiles\n\tfolder.UsedQuotaSize = f.UsedQuotaSize\n\tfolder.Users = f.Users\n\tfolder.Groups = f.Groups\n\tp.dbHandle.vfolders[folder.Name] = folder.GetACopy()\n\t// now update the related users\n\tfor _, username := range folder.Users {\n\t\tuser, err := p.userExistsInternal(username)\n\t\tif err == nil {\n\t\t\tvar folders []vfs.VirtualFolder\n\t\t\tfor idx := range user.VirtualFolders {\n\t\t\t\tuserFolder := &user.VirtualFolders[idx]\n\t\t\t\tif folder.Name == userFolder.Name {\n\t\t\t\t\tuserFolder.BaseVirtualFolder = folder.GetACopy()\n\t\t\t\t}\n\t\t\t\tfolders = append(folders, *userFolder)\n\t\t\t}\n\t\t\tuser.VirtualFolders = folders\n\t\t\tp.dbHandle.users[user.Username] = user\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (p *MemoryProvider) deleteFolder(f vfs.BaseVirtualFolder) error {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\n\tfolder, err := p.folderExistsInternal(f.Name)\n\tif err != nil {\n\t\treturn err\n\t}\n\tfor _, username := range folder.Users {\n\t\tuser, err := p.userExistsInternal(username)\n\t\tif err == nil {\n\t\t\tvar folders []vfs.VirtualFolder\n\t\t\tfor idx := range user.VirtualFolders {\n\t\t\t\tuserFolder := &user.VirtualFolders[idx]\n\t\t\t\tif folder.Name != userFolder.Name {\n\t\t\t\t\tfolders = append(folders, *userFolder)\n\t\t\t\t}\n\t\t\t}\n\t\t\tuser.VirtualFolders = folders\n\t\t\tp.dbHandle.users[user.Username] = user\n\t\t}\n\t}\n\tfor _, groupname := range folder.Groups {\n\t\tgroup, err := p.groupExistsInternal(groupname)\n\t\tif err == nil {\n\t\t\tvar folders []vfs.VirtualFolder\n\t\t\tfor idx := range group.VirtualFolders {\n\t\t\t\tgroupFolder := &group.VirtualFolders[idx]\n\t\t\t\tif folder.Name != groupFolder.Name {\n\t\t\t\t\tfolders = append(folders, *groupFolder)\n\t\t\t\t}\n\t\t\t}\n\t\t\tgroup.VirtualFolders = folders\n\t\t\tp.dbHandle.groups[group.Name] = group\n\t\t}\n\t}\n\tdelete(p.dbHandle.vfolders, folder.Name)\n\tp.dbHandle.vfoldersNames = []string{}\n\tfor name := range p.dbHandle.vfolders {\n\t\tp.dbHandle.vfoldersNames = append(p.dbHandle.vfoldersNames, name)\n\t}\n\tsort.Strings(p.dbHandle.vfoldersNames)\n\treturn nil\n}\n\nfunc (p *MemoryProvider) apiKeyExistsInternal(keyID string) (APIKey, error) {\n\tif val, ok := p.dbHandle.apiKeys[keyID]; ok {\n\t\treturn val.getACopy(), nil\n\t}\n\treturn APIKey{}, util.NewRecordNotFoundError(fmt.Sprintf(\"API key %q does not exist\", keyID))\n}\n\nfunc (p *MemoryProvider) apiKeyExists(keyID string) (APIKey, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn APIKey{}, errMemoryProviderClosed\n\t}\n\treturn p.apiKeyExistsInternal(keyID)\n}\n\nfunc (p *MemoryProvider) addAPIKey(apiKey *APIKey) error {\n\terr := apiKey.validate()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\n\t_, err = p.apiKeyExistsInternal(apiKey.KeyID)\n\tif err == nil {\n\t\treturn fmt.Errorf(\"API key %q already exists\", apiKey.KeyID)\n\t}\n\tif apiKey.User != \"\" {\n\t\tif _, err := p.userExistsInternal(apiKey.User); err != nil {\n\t\t\treturn fmt.Errorf(\"%w: related user %q does not exists\", ErrForeignKeyViolated, apiKey.User)\n\t\t}\n\t}\n\tif apiKey.Admin != \"\" {\n\t\tif _, err := p.adminExistsInternal(apiKey.Admin); err != nil {\n\t\t\treturn fmt.Errorf(\"%w: related admin %q does not exists\", ErrForeignKeyViolated, apiKey.Admin)\n\t\t}\n\t}\n\tapiKey.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\tapiKey.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\tapiKey.LastUseAt = 0\n\tp.dbHandle.apiKeys[apiKey.KeyID] = apiKey.getACopy()\n\tp.dbHandle.apiKeysIDs = append(p.dbHandle.apiKeysIDs, apiKey.KeyID)\n\tsort.Strings(p.dbHandle.apiKeysIDs)\n\treturn nil\n}\n\nfunc (p *MemoryProvider) updateAPIKey(apiKey *APIKey) error {\n\terr := apiKey.validate()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\tk, err := p.apiKeyExistsInternal(apiKey.KeyID)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif apiKey.User != \"\" {\n\t\tif _, err := p.userExistsInternal(apiKey.User); err != nil {\n\t\t\treturn fmt.Errorf(\"%w: related user %q does not exists\", ErrForeignKeyViolated, apiKey.User)\n\t\t}\n\t}\n\tif apiKey.Admin != \"\" {\n\t\tif _, err := p.adminExistsInternal(apiKey.Admin); err != nil {\n\t\t\treturn fmt.Errorf(\"%w: related admin %q does not exists\", ErrForeignKeyViolated, apiKey.Admin)\n\t\t}\n\t}\n\tapiKey.ID = k.ID\n\tapiKey.KeyID = k.KeyID\n\tapiKey.Key = k.Key\n\tapiKey.CreatedAt = k.CreatedAt\n\tapiKey.LastUseAt = k.LastUseAt\n\tapiKey.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\tp.dbHandle.apiKeys[apiKey.KeyID] = apiKey.getACopy()\n\treturn nil\n}\n\nfunc (p *MemoryProvider) deleteAPIKey(apiKey APIKey) error {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\t_, err := p.apiKeyExistsInternal(apiKey.KeyID)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tdelete(p.dbHandle.apiKeys, apiKey.KeyID)\n\tp.updateAPIKeysOrdering()\n\n\treturn nil\n}\n\nfunc (p *MemoryProvider) getAPIKeys(limit int, offset int, order string) ([]APIKey, error) {\n\tapiKeys := make([]APIKey, 0, limit)\n\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\n\tif p.dbHandle.isClosed {\n\t\treturn apiKeys, errMemoryProviderClosed\n\t}\n\tif limit <= 0 {\n\t\treturn apiKeys, nil\n\t}\n\titNum := 0\n\tif order == OrderDESC {\n\t\tfor i := len(p.dbHandle.apiKeysIDs) - 1; i >= 0; i-- {\n\t\t\titNum++\n\t\t\tif itNum <= offset {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tkeyID := p.dbHandle.apiKeysIDs[i]\n\t\t\tk := p.dbHandle.apiKeys[keyID]\n\t\t\tapiKey := k.getACopy()\n\t\t\tapiKey.HideConfidentialData()\n\t\t\tapiKeys = append(apiKeys, apiKey)\n\t\t\tif len(apiKeys) >= limit {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t} else {\n\t\tfor _, keyID := range p.dbHandle.apiKeysIDs {\n\t\t\titNum++\n\t\t\tif itNum <= offset {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tk := p.dbHandle.apiKeys[keyID]\n\t\t\tapiKey := k.getACopy()\n\t\t\tapiKey.HideConfidentialData()\n\t\t\tapiKeys = append(apiKeys, apiKey)\n\t\t\tif len(apiKeys) >= limit {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t}\n\n\treturn apiKeys, nil\n}\n\nfunc (p *MemoryProvider) dumpAPIKeys() ([]APIKey, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\n\tapiKeys := make([]APIKey, 0, len(p.dbHandle.apiKeys))\n\tif p.dbHandle.isClosed {\n\t\treturn apiKeys, errMemoryProviderClosed\n\t}\n\tfor _, k := range p.dbHandle.apiKeys {\n\t\tapiKeys = append(apiKeys, k)\n\t}\n\treturn apiKeys, nil\n}\n\nfunc (p *MemoryProvider) deleteAPIKeysWithUser(username string) {\n\tfound := false\n\tfor k, v := range p.dbHandle.apiKeys {\n\t\tif v.User == username {\n\t\t\tdelete(p.dbHandle.apiKeys, k)\n\t\t\tfound = true\n\t\t}\n\t}\n\tif found {\n\t\tp.updateAPIKeysOrdering()\n\t}\n}\n\nfunc (p *MemoryProvider) deleteAPIKeysWithAdmin(username string) {\n\tfound := false\n\tfor k, v := range p.dbHandle.apiKeys {\n\t\tif v.Admin == username {\n\t\t\tdelete(p.dbHandle.apiKeys, k)\n\t\t\tfound = true\n\t\t}\n\t}\n\tif found {\n\t\tp.updateAPIKeysOrdering()\n\t}\n}\n\nfunc (p *MemoryProvider) deleteSharesWithUser(username string) {\n\tfound := false\n\tfor k, v := range p.dbHandle.shares {\n\t\tif v.Username == username {\n\t\t\tdelete(p.dbHandle.shares, k)\n\t\t\tfound = true\n\t\t}\n\t}\n\tif found {\n\t\tp.updateSharesOrdering()\n\t}\n}\n\nfunc (p *MemoryProvider) updateAPIKeysOrdering() {\n\t// this could be more efficient\n\tp.dbHandle.apiKeysIDs = make([]string, 0, len(p.dbHandle.apiKeys))\n\tfor keyID := range p.dbHandle.apiKeys {\n\t\tp.dbHandle.apiKeysIDs = append(p.dbHandle.apiKeysIDs, keyID)\n\t}\n\tsort.Strings(p.dbHandle.apiKeysIDs)\n}\n\nfunc (p *MemoryProvider) updateSharesOrdering() {\n\t// this could be more efficient\n\tp.dbHandle.sharesIDs = make([]string, 0, len(p.dbHandle.shares))\n\tfor shareID := range p.dbHandle.shares {\n\t\tp.dbHandle.sharesIDs = append(p.dbHandle.sharesIDs, shareID)\n\t}\n\tsort.Strings(p.dbHandle.sharesIDs)\n}\n\nfunc (p *MemoryProvider) shareExistsInternal(shareID, username string) (Share, error) {\n\tif val, ok := p.dbHandle.shares[shareID]; ok {\n\t\tif username != \"\" && val.Username != username {\n\t\t\treturn Share{}, util.NewRecordNotFoundError(fmt.Sprintf(\"Share %q does not exist\", shareID))\n\t\t}\n\t\treturn val.getACopy(), nil\n\t}\n\treturn Share{}, util.NewRecordNotFoundError(fmt.Sprintf(\"Share %q does not exist\", shareID))\n}\n\nfunc (p *MemoryProvider) shareExists(shareID, username string) (Share, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn Share{}, errMemoryProviderClosed\n\t}\n\treturn p.shareExistsInternal(shareID, username)\n}\n\nfunc (p *MemoryProvider) addShare(share *Share) error {\n\terr := share.validate()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\n\t_, err = p.shareExistsInternal(share.ShareID, share.Username)\n\tif err == nil {\n\t\treturn fmt.Errorf(\"share %q already exists\", share.ShareID)\n\t}\n\tif _, err := p.userExistsInternal(share.Username); err != nil {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"related user %q does not exists\", share.Username))\n\t}\n\tif !share.IsRestore {\n\t\tshare.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\tshare.UpdatedAt = share.CreatedAt\n\t\tshare.LastUseAt = 0\n\t\tshare.UsedTokens = 0\n\t}\n\tif share.CreatedAt == 0 {\n\t\tshare.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t}\n\tif share.UpdatedAt == 0 {\n\t\tshare.UpdatedAt = share.CreatedAt\n\t}\n\tp.dbHandle.shares[share.ShareID] = share.getACopy()\n\tp.dbHandle.sharesIDs = append(p.dbHandle.sharesIDs, share.ShareID)\n\tsort.Strings(p.dbHandle.sharesIDs)\n\treturn nil\n}\n\nfunc (p *MemoryProvider) updateShare(share *Share) error {\n\terr := share.validate()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\ts, err := p.shareExistsInternal(share.ShareID, share.Username)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif _, err := p.userExistsInternal(share.Username); err != nil {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"related user %q does not exists\", share.Username))\n\t}\n\tshare.ID = s.ID\n\tshare.ShareID = s.ShareID\n\tif !share.IsRestore {\n\t\tshare.UsedTokens = s.UsedTokens\n\t\tshare.CreatedAt = s.CreatedAt\n\t\tshare.LastUseAt = s.LastUseAt\n\t\tshare.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t}\n\tif share.CreatedAt == 0 {\n\t\tshare.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t}\n\tif share.UpdatedAt == 0 {\n\t\tshare.UpdatedAt = share.CreatedAt\n\t}\n\tp.dbHandle.shares[share.ShareID] = share.getACopy()\n\treturn nil\n}\n\nfunc (p *MemoryProvider) deleteShare(share Share) error {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\t_, err := p.shareExistsInternal(share.ShareID, share.Username)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tdelete(p.dbHandle.shares, share.ShareID)\n\tp.updateSharesOrdering()\n\n\treturn nil\n}\n\nfunc (p *MemoryProvider) getShares(limit int, offset int, order, username string) ([]Share, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\n\tif p.dbHandle.isClosed {\n\t\treturn []Share{}, errMemoryProviderClosed\n\t}\n\tif limit <= 0 {\n\t\treturn []Share{}, nil\n\t}\n\tshares := make([]Share, 0, limit)\n\titNum := 0\n\tif order == OrderDESC {\n\t\tfor i := len(p.dbHandle.sharesIDs) - 1; i >= 0; i-- {\n\t\t\tshareID := p.dbHandle.sharesIDs[i]\n\t\t\ts := p.dbHandle.shares[shareID]\n\t\t\tif s.Username != username {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\titNum++\n\t\t\tif itNum <= offset {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tshare := s.getACopy()\n\t\t\tshare.HideConfidentialData()\n\t\t\tshares = append(shares, share)\n\t\t\tif len(shares) >= limit {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t} else {\n\t\tfor _, shareID := range p.dbHandle.sharesIDs {\n\t\t\ts := p.dbHandle.shares[shareID]\n\t\t\tif s.Username != username {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\titNum++\n\t\t\tif itNum <= offset {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tshare := s.getACopy()\n\t\t\tshare.HideConfidentialData()\n\t\t\tshares = append(shares, share)\n\t\t\tif len(shares) >= limit {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t}\n\n\treturn shares, nil\n}\n\nfunc (p *MemoryProvider) dumpShares() ([]Share, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\n\tshares := make([]Share, 0, len(p.dbHandle.shares))\n\tif p.dbHandle.isClosed {\n\t\treturn shares, errMemoryProviderClosed\n\t}\n\tfor _, s := range p.dbHandle.shares {\n\t\tshares = append(shares, s)\n\t}\n\treturn shares, nil\n}\n\nfunc (p *MemoryProvider) updateShareLastUse(shareID string, numTokens int) error {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\tshare, err := p.shareExistsInternal(shareID, \"\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tshare.LastUseAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\tshare.UsedTokens += numTokens\n\tp.dbHandle.shares[share.ShareID] = share\n\treturn nil\n}\n\nfunc (p *MemoryProvider) getDefenderHosts(_ int64, _ int) ([]DefenderEntry, error) {\n\treturn nil, ErrNotImplemented\n}\n\nfunc (p *MemoryProvider) getDefenderHostByIP(_ string, _ int64) (DefenderEntry, error) {\n\treturn DefenderEntry{}, ErrNotImplemented\n}\n\nfunc (p *MemoryProvider) isDefenderHostBanned(_ string) (DefenderEntry, error) {\n\treturn DefenderEntry{}, ErrNotImplemented\n}\n\nfunc (p *MemoryProvider) updateDefenderBanTime(_ string, _ int) error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *MemoryProvider) deleteDefenderHost(_ string) error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *MemoryProvider) addDefenderEvent(_ string, _ int) error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *MemoryProvider) setDefenderBanTime(_ string, _ int64) error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *MemoryProvider) cleanupDefender(_ int64) error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *MemoryProvider) addActiveTransfer(_ ActiveTransfer) error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *MemoryProvider) updateActiveTransferSizes(_, _, _ int64, _ string) error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *MemoryProvider) removeActiveTransfer(_ int64, _ string) error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *MemoryProvider) cleanupActiveTransfers(_ time.Time) error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *MemoryProvider) getActiveTransfers(_ time.Time) ([]ActiveTransfer, error) {\n\treturn nil, ErrNotImplemented\n}\n\nfunc (p *MemoryProvider) addSharedSession(_ Session) error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *MemoryProvider) deleteSharedSession(_ string, _ SessionType) error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *MemoryProvider) getSharedSession(_ string, _ SessionType) (Session, error) {\n\treturn Session{}, ErrNotImplemented\n}\n\nfunc (p *MemoryProvider) cleanupSharedSessions(_ SessionType, _ int64) error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *MemoryProvider) getEventActions(limit, offset int, order string, _ bool) ([]BaseEventAction, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn nil, errMemoryProviderClosed\n\t}\n\tif limit <= 0 {\n\t\treturn nil, nil\n\t}\n\tactions := make([]BaseEventAction, 0, limit)\n\titNum := 0\n\tif order == OrderASC {\n\t\tfor _, name := range p.dbHandle.actionsNames {\n\t\t\titNum++\n\t\t\tif itNum <= offset {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\ta := p.dbHandle.actions[name]\n\t\t\taction := a.getACopy()\n\t\t\taction.PrepareForRendering()\n\t\t\tactions = append(actions, action)\n\t\t\tif len(actions) >= limit {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t} else {\n\t\tfor i := len(p.dbHandle.actionsNames) - 1; i >= 0; i-- {\n\t\t\titNum++\n\t\t\tif itNum <= offset {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tname := p.dbHandle.actionsNames[i]\n\t\t\ta := p.dbHandle.actions[name]\n\t\t\taction := a.getACopy()\n\t\t\taction.PrepareForRendering()\n\t\t\tactions = append(actions, action)\n\t\t\tif len(actions) >= limit {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t}\n\treturn actions, nil\n}\n\nfunc (p *MemoryProvider) dumpEventActions() ([]BaseEventAction, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn nil, errMemoryProviderClosed\n\t}\n\tactions := make([]BaseEventAction, 0, len(p.dbHandle.actions))\n\tfor _, name := range p.dbHandle.actionsNames {\n\t\ta := p.dbHandle.actions[name]\n\t\taction := a.getACopy()\n\t\tactions = append(actions, action)\n\t}\n\treturn actions, nil\n}\n\nfunc (p *MemoryProvider) eventActionExists(name string) (BaseEventAction, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn BaseEventAction{}, errMemoryProviderClosed\n\t}\n\treturn p.actionExistsInternal(name)\n}\n\nfunc (p *MemoryProvider) addEventAction(action *BaseEventAction) error {\n\terr := action.validate()\n\tif err != nil {\n\t\treturn err\n\t}\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\t_, err = p.actionExistsInternal(action.Name)\n\tif err == nil {\n\t\treturn util.NewI18nError(\n\t\t\tfmt.Errorf(\"%w: event action %q already exists\", ErrDuplicatedKey, action.Name),\n\t\t\tutil.I18nErrorDuplicatedName,\n\t\t)\n\t}\n\taction.ID = p.getNextActionID()\n\taction.Rules = nil\n\tp.dbHandle.actions[action.Name] = action.getACopy()\n\tp.dbHandle.actionsNames = append(p.dbHandle.actionsNames, action.Name)\n\tsort.Strings(p.dbHandle.actionsNames)\n\treturn nil\n}\n\nfunc (p *MemoryProvider) updateEventAction(action *BaseEventAction) error {\n\terr := action.validate()\n\tif err != nil {\n\t\treturn err\n\t}\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\toldAction, err := p.actionExistsInternal(action.Name)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"event action %s does not exist\", action.Name)\n\t}\n\taction.ID = oldAction.ID\n\taction.Name = oldAction.Name\n\taction.Rules = nil\n\tif len(oldAction.Rules) > 0 {\n\t\tvar relatedRules []string\n\t\tfor _, ruleName := range oldAction.Rules {\n\t\t\trule, err := p.ruleExistsInternal(ruleName)\n\t\t\tif err == nil {\n\t\t\t\trelatedRules = append(relatedRules, ruleName)\n\t\t\t\trule.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\t\t\tp.dbHandle.rules[ruleName] = rule\n\t\t\t\tsetLastRuleUpdate()\n\t\t\t}\n\t\t}\n\t\taction.Rules = relatedRules\n\t}\n\tp.dbHandle.actions[action.Name] = action.getACopy()\n\treturn nil\n}\n\nfunc (p *MemoryProvider) deleteEventAction(action BaseEventAction) error {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\toldAction, err := p.actionExistsInternal(action.Name)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"event action %s does not exist\", action.Name)\n\t}\n\tif len(oldAction.Rules) > 0 {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"action %s is referenced, it cannot be removed\", oldAction.Name))\n\t}\n\tdelete(p.dbHandle.actions, action.Name)\n\t// this could be more efficient\n\tp.dbHandle.actionsNames = make([]string, 0, len(p.dbHandle.actions))\n\tfor name := range p.dbHandle.actions {\n\t\tp.dbHandle.actionsNames = append(p.dbHandle.actionsNames, name)\n\t}\n\tsort.Strings(p.dbHandle.actionsNames)\n\treturn nil\n}\n\nfunc (p *MemoryProvider) getEventRules(limit, offset int, order string) ([]EventRule, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn nil, errMemoryProviderClosed\n\t}\n\tif limit <= 0 {\n\t\treturn nil, nil\n\t}\n\titNum := 0\n\trules := make([]EventRule, 0, limit)\n\tif order == OrderASC {\n\t\tfor _, name := range p.dbHandle.rulesNames {\n\t\t\titNum++\n\t\t\tif itNum <= offset {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tr := p.dbHandle.rules[name]\n\t\t\trule := r.getACopy()\n\t\t\tp.addActionsToRule(&rule)\n\t\t\trule.PrepareForRendering()\n\t\t\trules = append(rules, rule)\n\t\t\tif len(rules) >= limit {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t} else {\n\t\tfor i := len(p.dbHandle.rulesNames) - 1; i >= 0; i-- {\n\t\t\titNum++\n\t\t\tif itNum <= offset {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tname := p.dbHandle.rulesNames[i]\n\t\t\tr := p.dbHandle.rules[name]\n\t\t\trule := r.getACopy()\n\t\t\tp.addActionsToRule(&rule)\n\t\t\trule.PrepareForRendering()\n\t\t\trules = append(rules, rule)\n\t\t\tif len(rules) >= limit {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t}\n\treturn rules, nil\n}\n\nfunc (p *MemoryProvider) dumpEventRules() ([]EventRule, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn nil, errMemoryProviderClosed\n\t}\n\trules := make([]EventRule, 0, len(p.dbHandle.rules))\n\tfor _, name := range p.dbHandle.rulesNames {\n\t\tr := p.dbHandle.rules[name]\n\t\trule := r.getACopy()\n\t\tp.addActionsToRule(&rule)\n\t\trules = append(rules, rule)\n\t}\n\treturn rules, nil\n}\n\nfunc (p *MemoryProvider) getRecentlyUpdatedRules(after int64) ([]EventRule, error) {\n\tif getLastRuleUpdate() < after {\n\t\treturn nil, nil\n\t}\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn nil, errMemoryProviderClosed\n\t}\n\trules := make([]EventRule, 0, 10)\n\tfor _, name := range p.dbHandle.rulesNames {\n\t\tr := p.dbHandle.rules[name]\n\t\tif r.UpdatedAt < after {\n\t\t\tcontinue\n\t\t}\n\t\trule := r.getACopy()\n\t\tp.addActionsToRule(&rule)\n\t\trules = append(rules, rule)\n\t}\n\treturn rules, nil\n}\n\nfunc (p *MemoryProvider) eventRuleExists(name string) (EventRule, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn EventRule{}, errMemoryProviderClosed\n\t}\n\trule, err := p.ruleExistsInternal(name)\n\tif err != nil {\n\t\treturn rule, err\n\t}\n\tp.addActionsToRule(&rule)\n\treturn rule, nil\n}\n\nfunc (p *MemoryProvider) addEventRule(rule *EventRule) error {\n\tif err := rule.validate(); err != nil {\n\t\treturn err\n\t}\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\t_, err := p.ruleExistsInternal(rule.Name)\n\tif err == nil {\n\t\treturn util.NewI18nError(\n\t\t\tfmt.Errorf(\"%w: event rule %q already exists\", ErrDuplicatedKey, rule.Name),\n\t\t\tutil.I18nErrorDuplicatedName,\n\t\t)\n\t}\n\trule.ID = p.getNextRuleID()\n\trule.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\trule.UpdatedAt = rule.CreatedAt\n\tvar mappedActions []string\n\tfor idx := range rule.Actions {\n\t\tif err := p.addRuleToActionMapping(rule.Name, rule.Actions[idx].Name); err != nil {\n\t\t\t// try to remove action mapping\n\t\t\tfor _, a := range mappedActions {\n\t\t\t\tp.removeRuleFromActionMapping(rule.Name, a)\n\t\t\t}\n\t\t\treturn err\n\t\t}\n\t\tmappedActions = append(mappedActions, rule.Actions[idx].Name)\n\t}\n\tsort.Slice(rule.Actions, func(i, j int) bool {\n\t\treturn rule.Actions[i].Order < rule.Actions[j].Order\n\t})\n\tp.dbHandle.rules[rule.Name] = rule.getACopy()\n\tp.dbHandle.rulesNames = append(p.dbHandle.rulesNames, rule.Name)\n\tsort.Strings(p.dbHandle.rulesNames)\n\tsetLastRuleUpdate()\n\treturn nil\n}\n\nfunc (p *MemoryProvider) updateEventRule(rule *EventRule) error {\n\tif err := rule.validate(); err != nil {\n\t\treturn err\n\t}\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\toldRule, err := p.ruleExistsInternal(rule.Name)\n\tif err != nil {\n\t\treturn err\n\t}\n\tfor idx := range oldRule.Actions {\n\t\tp.removeRuleFromActionMapping(rule.Name, oldRule.Actions[idx].Name)\n\t}\n\tfor idx := range rule.Actions {\n\t\tif err = p.addRuleToActionMapping(rule.Name, rule.Actions[idx].Name); err != nil {\n\t\t\t// try to add old mapping\n\t\t\tfor _, oldAction := range oldRule.Actions {\n\t\t\t\tif errRollback := p.addRuleToActionMapping(oldRule.Name, oldAction.Name); errRollback != nil {\n\t\t\t\t\tproviderLog(logger.LevelError, \"unable to rollback old action mapping %q for rule %q, error: %v\",\n\t\t\t\t\t\toldAction.Name, oldRule.Name, errRollback)\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn err\n\t\t}\n\t}\n\trule.ID = oldRule.ID\n\trule.CreatedAt = oldRule.CreatedAt\n\trule.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\tsort.Slice(rule.Actions, func(i, j int) bool {\n\t\treturn rule.Actions[i].Order < rule.Actions[j].Order\n\t})\n\tp.dbHandle.rules[rule.Name] = rule.getACopy()\n\tsetLastRuleUpdate()\n\treturn nil\n}\n\nfunc (p *MemoryProvider) deleteEventRule(rule EventRule, _ bool) error {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\toldRule, err := p.ruleExistsInternal(rule.Name)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif len(oldRule.Actions) > 0 {\n\t\tfor idx := range oldRule.Actions {\n\t\t\tp.removeRuleFromActionMapping(rule.Name, oldRule.Actions[idx].Name)\n\t\t}\n\t}\n\tdelete(p.dbHandle.rules, rule.Name)\n\tp.dbHandle.rulesNames = make([]string, 0, len(p.dbHandle.rules))\n\tfor name := range p.dbHandle.rules {\n\t\tp.dbHandle.rulesNames = append(p.dbHandle.rulesNames, name)\n\t}\n\tsort.Strings(p.dbHandle.rulesNames)\n\tsetLastRuleUpdate()\n\treturn nil\n}\n\nfunc (*MemoryProvider) getTaskByName(_ string) (Task, error) {\n\treturn Task{}, ErrNotImplemented\n}\n\nfunc (*MemoryProvider) addTask(_ string) error {\n\treturn ErrNotImplemented\n}\n\nfunc (*MemoryProvider) updateTask(_ string, _ int64) error {\n\treturn ErrNotImplemented\n}\n\nfunc (*MemoryProvider) updateTaskTimestamp(_ string) error {\n\treturn ErrNotImplemented\n}\n\nfunc (*MemoryProvider) addNode() error {\n\treturn ErrNotImplemented\n}\n\nfunc (*MemoryProvider) getNodeByName(_ string) (Node, error) {\n\treturn Node{}, ErrNotImplemented\n}\n\nfunc (*MemoryProvider) getNodes() ([]Node, error) {\n\treturn nil, ErrNotImplemented\n}\n\nfunc (*MemoryProvider) updateNodeTimestamp() error {\n\treturn ErrNotImplemented\n}\n\nfunc (*MemoryProvider) cleanupNodes() error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *MemoryProvider) roleExists(name string) (Role, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn Role{}, errMemoryProviderClosed\n\t}\n\trole, err := p.roleExistsInternal(name)\n\tif err != nil {\n\t\treturn role, err\n\t}\n\treturn role, nil\n}\n\nfunc (p *MemoryProvider) addRole(role *Role) error {\n\tif err := role.validate(); err != nil {\n\t\treturn err\n\t}\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\n\t_, err := p.roleExistsInternal(role.Name)\n\tif err == nil {\n\t\treturn util.NewI18nError(\n\t\t\tfmt.Errorf(\"%w: role %q already exists\", ErrDuplicatedKey, role.Name),\n\t\t\tutil.I18nErrorDuplicatedName,\n\t\t)\n\t}\n\trole.ID = p.getNextRoleID()\n\trole.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\trole.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\trole.Users = nil\n\trole.Admins = nil\n\tp.dbHandle.roles[role.Name] = role.getACopy()\n\tp.dbHandle.roleNames = append(p.dbHandle.roleNames, role.Name)\n\tsort.Strings(p.dbHandle.roleNames)\n\treturn nil\n}\n\nfunc (p *MemoryProvider) updateRole(role *Role) error {\n\tif err := role.validate(); err != nil {\n\t\treturn err\n\t}\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\toldRole, err := p.roleExistsInternal(role.Name)\n\tif err != nil {\n\t\treturn err\n\t}\n\trole.ID = oldRole.ID\n\trole.CreatedAt = oldRole.CreatedAt\n\trole.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\trole.Users = oldRole.Users\n\trole.Admins = oldRole.Admins\n\tp.dbHandle.roles[role.Name] = role.getACopy()\n\treturn nil\n}\n\nfunc (p *MemoryProvider) deleteRole(role Role) error {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\toldRole, err := p.roleExistsInternal(role.Name)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif len(oldRole.Admins) > 0 {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"the role %q is referenced, it cannot be removed\", oldRole.Name))\n\t}\n\tfor _, username := range oldRole.Users {\n\t\tuser, err := p.userExistsInternal(username)\n\t\tif err != nil {\n\t\t\tcontinue\n\t\t}\n\t\tif user.Role == role.Name {\n\t\t\tuser.Role = \"\"\n\t\t\tp.dbHandle.users[username] = user\n\t\t} else {\n\t\t\tproviderLog(logger.LevelError, \"user %q does not have the expected role %q, actual %q\", username, role.Name, user.Role)\n\t\t}\n\t}\n\tdelete(p.dbHandle.roles, role.Name)\n\tp.dbHandle.roleNames = make([]string, 0, len(p.dbHandle.roles))\n\tfor name := range p.dbHandle.roles {\n\t\tp.dbHandle.roleNames = append(p.dbHandle.roleNames, name)\n\t}\n\tsort.Strings(p.dbHandle.roleNames)\n\treturn nil\n}\n\nfunc (p *MemoryProvider) getRoles(limit int, offset int, order string, _ bool) ([]Role, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\n\tif p.dbHandle.isClosed {\n\t\treturn nil, errMemoryProviderClosed\n\t}\n\tif limit <= 0 {\n\t\treturn nil, nil\n\t}\n\troles := make([]Role, 0, 10)\n\titNum := 0\n\tif order == OrderASC {\n\t\tfor _, name := range p.dbHandle.roleNames {\n\t\t\titNum++\n\t\t\tif itNum <= offset {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tr := p.dbHandle.roles[name]\n\t\t\trole := r.getACopy()\n\t\t\troles = append(roles, role)\n\t\t\tif len(roles) >= limit {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t} else {\n\t\tfor i := len(p.dbHandle.roleNames) - 1; i >= 0; i-- {\n\t\t\titNum++\n\t\t\tif itNum <= offset {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tname := p.dbHandle.roleNames[i]\n\t\t\tr := p.dbHandle.roles[name]\n\t\t\trole := r.getACopy()\n\t\t\troles = append(roles, role)\n\t\t\tif len(roles) >= limit {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t}\n\treturn roles, nil\n}\n\nfunc (p *MemoryProvider) dumpRoles() ([]Role, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn nil, errMemoryProviderClosed\n\t}\n\n\troles := make([]Role, 0, len(p.dbHandle.roles))\n\tfor _, name := range p.dbHandle.roleNames {\n\t\tr := p.dbHandle.roles[name]\n\t\troles = append(roles, r.getACopy())\n\t}\n\treturn roles, nil\n}\n\nfunc (p *MemoryProvider) ipListEntryExists(ipOrNet string, listType IPListType) (IPListEntry, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn IPListEntry{}, errMemoryProviderClosed\n\t}\n\tentry, err := p.ipListEntryExistsInternal(&IPListEntry{IPOrNet: ipOrNet, Type: listType})\n\tif err != nil {\n\t\treturn entry, err\n\t}\n\tentry.PrepareForRendering()\n\treturn entry, nil\n}\n\nfunc (p *MemoryProvider) addIPListEntry(entry *IPListEntry) error {\n\tif err := entry.validate(); err != nil {\n\t\treturn err\n\t}\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\t_, err := p.ipListEntryExistsInternal(entry)\n\tif err == nil {\n\t\treturn util.NewI18nError(\n\t\t\tfmt.Errorf(\"%w: entry %q already exists\", ErrDuplicatedKey, entry.IPOrNet),\n\t\t\tutil.I18nErrorDuplicatedIPNet,\n\t\t)\n\t}\n\tentry.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\tentry.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\tp.dbHandle.ipListEntries[entry.getKey()] = entry.getACopy()\n\tp.dbHandle.ipListEntriesKeys = append(p.dbHandle.ipListEntriesKeys, entry.getKey())\n\tsort.Strings(p.dbHandle.ipListEntriesKeys)\n\treturn nil\n}\n\nfunc (p *MemoryProvider) updateIPListEntry(entry *IPListEntry) error {\n\tif err := entry.validate(); err != nil {\n\t\treturn err\n\t}\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\toldEntry, err := p.ipListEntryExistsInternal(entry)\n\tif err != nil {\n\t\treturn err\n\t}\n\tentry.CreatedAt = oldEntry.CreatedAt\n\tentry.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\tp.dbHandle.ipListEntries[entry.getKey()] = entry.getACopy()\n\treturn nil\n}\n\nfunc (p *MemoryProvider) deleteIPListEntry(entry IPListEntry, _ bool) error {\n\tif err := entry.validate(); err != nil {\n\t\treturn err\n\t}\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\t_, err := p.ipListEntryExistsInternal(&entry)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdelete(p.dbHandle.ipListEntries, entry.getKey())\n\tp.dbHandle.ipListEntriesKeys = make([]string, 0, len(p.dbHandle.ipListEntries))\n\tfor k := range p.dbHandle.ipListEntries {\n\t\tp.dbHandle.ipListEntriesKeys = append(p.dbHandle.ipListEntriesKeys, k)\n\t}\n\tsort.Strings(p.dbHandle.ipListEntriesKeys)\n\treturn nil\n}\n\nfunc (p *MemoryProvider) getIPListEntries(listType IPListType, filter, from, order string, limit int) ([]IPListEntry, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\n\tif p.dbHandle.isClosed {\n\t\treturn nil, errMemoryProviderClosed\n\t}\n\tentries := make([]IPListEntry, 0, 15)\n\tif order == OrderASC {\n\t\tfor _, k := range p.dbHandle.ipListEntriesKeys {\n\t\t\te := p.dbHandle.ipListEntries[k]\n\t\t\tif e.Type == listType && e.satisfySearchConstraints(filter, from, order) {\n\t\t\t\tentry := e.getACopy()\n\t\t\t\tentry.PrepareForRendering()\n\t\t\t\tentries = append(entries, entry)\n\t\t\t\tif limit > 0 && len(entries) >= limit {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t} else {\n\t\tfor i := len(p.dbHandle.ipListEntriesKeys) - 1; i >= 0; i-- {\n\t\t\te := p.dbHandle.ipListEntries[p.dbHandle.ipListEntriesKeys[i]]\n\t\t\tif e.Type == listType && e.satisfySearchConstraints(filter, from, order) {\n\t\t\t\tentry := e.getACopy()\n\t\t\t\tentry.PrepareForRendering()\n\t\t\t\tentries = append(entries, entry)\n\t\t\t\tif limit > 0 && len(entries) >= limit {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\treturn entries, nil\n}\n\nfunc (p *MemoryProvider) getRecentlyUpdatedIPListEntries(_ int64) ([]IPListEntry, error) {\n\treturn nil, ErrNotImplemented\n}\n\nfunc (p *MemoryProvider) dumpIPListEntries() ([]IPListEntry, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\n\tif p.dbHandle.isClosed {\n\t\treturn nil, errMemoryProviderClosed\n\t}\n\tif count := len(p.dbHandle.ipListEntriesKeys); count > ipListMemoryLimit {\n\t\tproviderLog(logger.LevelInfo, \"IP lists excluded from dump, too many entries: %d\", count)\n\t\treturn nil, nil\n\t}\n\tentries := make([]IPListEntry, 0, len(p.dbHandle.ipListEntries))\n\tfor _, k := range p.dbHandle.ipListEntriesKeys {\n\t\te := p.dbHandle.ipListEntries[k]\n\t\tentry := e.getACopy()\n\t\tentry.PrepareForRendering()\n\t\tentries = append(entries, entry)\n\t}\n\treturn entries, nil\n}\n\nfunc (p *MemoryProvider) countIPListEntries(listType IPListType) (int64, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\n\tif p.dbHandle.isClosed {\n\t\treturn 0, errMemoryProviderClosed\n\t}\n\tif listType == 0 {\n\t\treturn int64(len(p.dbHandle.ipListEntriesKeys)), nil\n\t}\n\tvar count int64\n\tfor _, k := range p.dbHandle.ipListEntriesKeys {\n\t\te := p.dbHandle.ipListEntries[k]\n\t\tif e.Type == listType {\n\t\t\tcount++\n\t\t}\n\t}\n\treturn count, nil\n}\n\nfunc (p *MemoryProvider) getListEntriesForIP(ip string, listType IPListType) ([]IPListEntry, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\n\tif p.dbHandle.isClosed {\n\t\treturn nil, errMemoryProviderClosed\n\t}\n\tentries := make([]IPListEntry, 0, 3)\n\tipAddr, err := netip.ParseAddr(ip)\n\tif err != nil {\n\t\treturn entries, fmt.Errorf(\"invalid ip address %s\", ip)\n\t}\n\tvar netType int\n\tvar ipBytes []byte\n\tif ipAddr.Is4() || ipAddr.Is4In6() {\n\t\tnetType = ipTypeV4\n\t\tas4 := ipAddr.As4()\n\t\tipBytes = as4[:]\n\t} else {\n\t\tnetType = ipTypeV6\n\t\tas16 := ipAddr.As16()\n\t\tipBytes = as16[:]\n\t}\n\tfor _, k := range p.dbHandle.ipListEntriesKeys {\n\t\te := p.dbHandle.ipListEntries[k]\n\t\tif e.Type == listType && e.IPType == netType && bytes.Compare(ipBytes, e.First) >= 0 && bytes.Compare(ipBytes, e.Last) <= 0 {\n\t\t\tentry := e.getACopy()\n\t\t\tentry.PrepareForRendering()\n\t\t\tentries = append(entries, entry)\n\t\t}\n\t}\n\treturn entries, nil\n}\n\nfunc (p *MemoryProvider) getConfigs() (Configs, error) {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn Configs{}, errMemoryProviderClosed\n\t}\n\treturn p.dbHandle.configs.getACopy(), nil\n}\n\nfunc (p *MemoryProvider) setConfigs(configs *Configs) error {\n\tif err := configs.validate(); err != nil {\n\t\treturn err\n\t}\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\tp.dbHandle.configs = configs.getACopy()\n\treturn nil\n}\n\nfunc (p *MemoryProvider) setFirstDownloadTimestamp(username string) error {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\tuser, err := p.userExistsInternal(username)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif user.FirstDownload > 0 {\n\t\treturn util.NewGenericError(fmt.Sprintf(\"first download already set to %s\",\n\t\t\tutil.GetTimeFromMsecSinceEpoch(user.FirstDownload)))\n\t}\n\tuser.FirstDownload = util.GetTimeAsMsSinceEpoch(time.Now())\n\tp.dbHandle.users[user.Username] = user\n\treturn nil\n}\n\nfunc (p *MemoryProvider) setFirstUploadTimestamp(username string) error {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\tif p.dbHandle.isClosed {\n\t\treturn errMemoryProviderClosed\n\t}\n\tuser, err := p.userExistsInternal(username)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif user.FirstUpload > 0 {\n\t\treturn util.NewGenericError(fmt.Sprintf(\"first upload already set to %s\",\n\t\t\tutil.GetTimeFromMsecSinceEpoch(user.FirstUpload)))\n\t}\n\tuser.FirstUpload = util.GetTimeAsMsSinceEpoch(time.Now())\n\tp.dbHandle.users[user.Username] = user\n\treturn nil\n}\n\nfunc (p *MemoryProvider) getNextID() int64 {\n\tnextID := int64(1)\n\tfor _, v := range p.dbHandle.users {\n\t\tif v.ID >= nextID {\n\t\t\tnextID = v.ID + 1\n\t\t}\n\t}\n\treturn nextID\n}\n\nfunc (p *MemoryProvider) getNextFolderID() int64 {\n\tnextID := int64(1)\n\tfor _, v := range p.dbHandle.vfolders {\n\t\tif v.ID >= nextID {\n\t\t\tnextID = v.ID + 1\n\t\t}\n\t}\n\treturn nextID\n}\n\nfunc (p *MemoryProvider) getNextAdminID() int64 {\n\tnextID := int64(1)\n\tfor _, a := range p.dbHandle.admins {\n\t\tif a.ID >= nextID {\n\t\t\tnextID = a.ID + 1\n\t\t}\n\t}\n\treturn nextID\n}\n\nfunc (p *MemoryProvider) getNextGroupID() int64 {\n\tnextID := int64(1)\n\tfor _, g := range p.dbHandle.groups {\n\t\tif g.ID >= nextID {\n\t\t\tnextID = g.ID + 1\n\t\t}\n\t}\n\treturn nextID\n}\n\nfunc (p *MemoryProvider) getNextActionID() int64 {\n\tnextID := int64(1)\n\tfor _, a := range p.dbHandle.actions {\n\t\tif a.ID >= nextID {\n\t\t\tnextID = a.ID + 1\n\t\t}\n\t}\n\treturn nextID\n}\n\nfunc (p *MemoryProvider) getNextRuleID() int64 {\n\tnextID := int64(1)\n\tfor _, r := range p.dbHandle.rules {\n\t\tif r.ID >= nextID {\n\t\t\tnextID = r.ID + 1\n\t\t}\n\t}\n\treturn nextID\n}\n\nfunc (p *MemoryProvider) getNextRoleID() int64 {\n\tnextID := int64(1)\n\tfor _, r := range p.dbHandle.roles {\n\t\tif r.ID >= nextID {\n\t\t\tnextID = r.ID + 1\n\t\t}\n\t}\n\treturn nextID\n}\n\nfunc (p *MemoryProvider) clear() {\n\tp.dbHandle.Lock()\n\tdefer p.dbHandle.Unlock()\n\n\tp.dbHandle.usernames = []string{}\n\tp.dbHandle.users = make(map[string]User)\n\tp.dbHandle.groupnames = []string{}\n\tp.dbHandle.groups = map[string]Group{}\n\tp.dbHandle.vfoldersNames = []string{}\n\tp.dbHandle.vfolders = make(map[string]vfs.BaseVirtualFolder)\n\tp.dbHandle.admins = make(map[string]Admin)\n\tp.dbHandle.adminsUsernames = []string{}\n\tp.dbHandle.apiKeys = make(map[string]APIKey)\n\tp.dbHandle.apiKeysIDs = []string{}\n\tp.dbHandle.shares = make(map[string]Share)\n\tp.dbHandle.sharesIDs = []string{}\n\tp.dbHandle.actions = map[string]BaseEventAction{}\n\tp.dbHandle.actionsNames = []string{}\n\tp.dbHandle.rules = map[string]EventRule{}\n\tp.dbHandle.rulesNames = []string{}\n\tp.dbHandle.roles = map[string]Role{}\n\tp.dbHandle.roleNames = []string{}\n\tp.dbHandle.ipListEntries = map[string]IPListEntry{}\n\tp.dbHandle.ipListEntriesKeys = []string{}\n\tp.dbHandle.configs = Configs{}\n}\n\nfunc (p *MemoryProvider) reloadConfig() error {\n\tif p.dbHandle.configFile == \"\" {\n\t\tproviderLog(logger.LevelDebug, \"no dump configuration file defined\")\n\t\treturn nil\n\t}\n\tproviderLog(logger.LevelDebug, \"loading dump from file: %q\", p.dbHandle.configFile)\n\tfi, err := os.Stat(p.dbHandle.configFile)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"error loading dump: %v\", err)\n\t\treturn err\n\t}\n\tif fi.Size() == 0 {\n\t\terr = errors.New(\"dump configuration file is invalid, its size must be > 0\")\n\t\tproviderLog(logger.LevelError, \"error loading dump: %v\", err)\n\t\treturn err\n\t}\n\tif fi.Size() > 20971520 {\n\t\terr = errors.New(\"dump configuration file is invalid, its size must be <= 20971520 bytes\")\n\t\tproviderLog(logger.LevelError, \"error loading dump: %v\", err)\n\t\treturn err\n\t}\n\tcontent, err := os.ReadFile(p.dbHandle.configFile)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"error loading dump: %v\", err)\n\t\treturn err\n\t}\n\tdump, err := ParseDumpData(content)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"error loading dump: %v\", err)\n\t\treturn err\n\t}\n\treturn p.restoreDump(&dump)\n}\n\nfunc (p *MemoryProvider) restoreDump(dump *BackupData) error {\n\tp.clear()\n\n\tif err := p.restoreConfigs(dump); err != nil {\n\t\treturn err\n\t}\n\n\tif err := p.restoreIPListEntries(dump); err != nil {\n\t\treturn err\n\t}\n\n\tif err := p.restoreRoles(dump); err != nil {\n\t\treturn err\n\t}\n\n\tif err := p.restoreFolders(dump); err != nil {\n\t\treturn err\n\t}\n\n\tif err := p.restoreGroups(dump); err != nil {\n\t\treturn err\n\t}\n\n\tif err := p.restoreUsers(dump); err != nil {\n\t\treturn err\n\t}\n\n\tif err := p.restoreAdmins(dump); err != nil {\n\t\treturn err\n\t}\n\n\tif err := p.restoreAPIKeys(dump); err != nil {\n\t\treturn err\n\t}\n\n\tif err := p.restoreShares(dump); err != nil {\n\t\treturn err\n\t}\n\n\tif err := p.restoreEventActions(dump); err != nil {\n\t\treturn err\n\t}\n\n\tif err := p.restoreEventRules(dump); err != nil {\n\t\treturn err\n\t}\n\n\tproviderLog(logger.LevelDebug, \"config loaded from file: %q\", p.dbHandle.configFile)\n\treturn nil\n}\n\nfunc (p *MemoryProvider) restoreEventActions(dump *BackupData) error {\n\tfor idx := range dump.EventActions {\n\t\taction := dump.EventActions[idx]\n\t\ta, err := p.eventActionExists(action.Name)\n\t\tif err == nil {\n\t\t\taction.ID = a.ID\n\t\t\terr = UpdateEventAction(&action, ActionExecutorSystem, \"\", \"\")\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelError, \"error updating event action %q: %v\", action.Name, err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t} else {\n\t\t\terr = AddEventAction(&action, ActionExecutorSystem, \"\", \"\")\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelError, \"error adding event action %q: %v\", action.Name, err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (p *MemoryProvider) restoreEventRules(dump *BackupData) error {\n\tfor idx := range dump.EventRules {\n\t\trule := dump.EventRules[idx]\n\t\tr, err := p.eventRuleExists(rule.Name)\n\t\tif dump.Version < 15 {\n\t\t\trule.Status = 1\n\t\t}\n\t\tif err == nil {\n\t\t\trule.ID = r.ID\n\t\t\terr = UpdateEventRule(&rule, ActionExecutorSystem, \"\", \"\")\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelError, \"error updating event rule %q: %v\", rule.Name, err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t} else {\n\t\t\terr = AddEventRule(&rule, ActionExecutorSystem, \"\", \"\")\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelError, \"error adding event rule %q: %v\", rule.Name, err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (p *MemoryProvider) restoreShares(dump *BackupData) error {\n\tfor idx := range dump.Shares {\n\t\tshare := dump.Shares[idx]\n\t\ts, err := p.shareExists(share.ShareID, \"\")\n\t\tshare.IsRestore = true\n\t\tif err == nil {\n\t\t\tshare.ID = s.ID\n\t\t\terr = UpdateShare(&share, ActionExecutorSystem, \"\", \"\")\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelError, \"error updating share %q: %v\", share.ShareID, err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t} else {\n\t\t\terr = AddShare(&share, ActionExecutorSystem, \"\", \"\")\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelError, \"error adding share %q: %v\", share.ShareID, err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (p *MemoryProvider) restoreAPIKeys(dump *BackupData) error {\n\tfor idx := range dump.APIKeys {\n\t\tapiKey := dump.APIKeys[idx]\n\t\tif apiKey.Key == \"\" {\n\t\t\treturn fmt.Errorf(\"cannot restore an empty API key: %+v\", apiKey)\n\t\t}\n\t\tk, err := p.apiKeyExists(apiKey.KeyID)\n\t\tif err == nil {\n\t\t\tapiKey.ID = k.ID\n\t\t\terr = UpdateAPIKey(&apiKey, ActionExecutorSystem, \"\", \"\")\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelError, \"error updating API key %q: %v\", apiKey.KeyID, err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t} else {\n\t\t\terr = AddAPIKey(&apiKey, ActionExecutorSystem, \"\", \"\")\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelError, \"error adding API key %q: %v\", apiKey.KeyID, err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (p *MemoryProvider) restoreAdmins(dump *BackupData) error {\n\tfor idx := range dump.Admins {\n\t\tadmin := dump.Admins[idx]\n\t\tadmin.Username = config.convertName(admin.Username)\n\t\ta, err := p.adminExists(admin.Username)\n\t\tif err == nil {\n\t\t\tadmin.ID = a.ID\n\t\t\terr = UpdateAdmin(&admin, ActionExecutorSystem, \"\", \"\")\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelError, \"error updating admin %q: %v\", admin.Username, err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t} else {\n\t\t\terr = AddAdmin(&admin, ActionExecutorSystem, \"\", \"\")\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelError, \"error adding admin %q: %v\", admin.Username, err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (p *MemoryProvider) restoreConfigs(dump *BackupData) error {\n\tif dump.Configs != nil && dump.Configs.UpdatedAt > 0 {\n\t\treturn UpdateConfigs(dump.Configs, ActionExecutorSystem, \"\", \"\")\n\t}\n\treturn nil\n}\n\nfunc (p *MemoryProvider) restoreIPListEntries(dump *BackupData) error {\n\tfor idx := range dump.IPLists {\n\t\tentry := dump.IPLists[idx]\n\t\t_, err := p.ipListEntryExists(entry.IPOrNet, entry.Type)\n\t\tif err == nil {\n\t\t\terr = UpdateIPListEntry(&entry, ActionExecutorSystem, \"\", \"\")\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelError, \"error updating IP list entry %q: %v\", entry.getName(), err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t} else {\n\t\t\terr = AddIPListEntry(&entry, ActionExecutorSystem, \"\", \"\")\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelError, \"error adding IP list entry %q: %v\", entry.getName(), err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (p *MemoryProvider) restoreRoles(dump *BackupData) error {\n\tfor idx := range dump.Roles {\n\t\trole := dump.Roles[idx]\n\t\trole.Name = config.convertName(role.Name)\n\t\tr, err := p.roleExists(role.Name)\n\t\tif err == nil {\n\t\t\trole.ID = r.ID\n\t\t\terr = UpdateRole(&role, ActionExecutorSystem, \"\", \"\")\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelError, \"error updating role %q: %v\", role.Name, err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t} else {\n\t\t\trole.Admins = nil\n\t\t\trole.Users = nil\n\t\t\terr = AddRole(&role, ActionExecutorSystem, \"\", \"\")\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelError, \"error adding role %q: %v\", role.Name, err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (p *MemoryProvider) restoreGroups(dump *BackupData) error {\n\tfor idx := range dump.Groups {\n\t\tgroup := dump.Groups[idx]\n\t\tgroup.Name = config.convertName(group.Name)\n\t\tg, err := p.groupExists(group.Name)\n\t\tif err == nil {\n\t\t\tgroup.ID = g.ID\n\t\t\terr = UpdateGroup(&group, g.Users, ActionExecutorSystem, \"\", \"\")\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelError, \"error updating group %q: %v\", group.Name, err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t} else {\n\t\t\tgroup.Users = nil\n\t\t\terr = AddGroup(&group, ActionExecutorSystem, \"\", \"\")\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelError, \"error adding group %q: %v\", group.Name, err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (p *MemoryProvider) restoreFolders(dump *BackupData) error {\n\tfor idx := range dump.Folders {\n\t\tfolder := dump.Folders[idx]\n\t\tfolder.Name = config.convertName(folder.Name)\n\t\tf, err := p.getFolderByName(folder.Name)\n\t\tif err == nil {\n\t\t\tfolder.ID = f.ID\n\t\t\terr = UpdateFolder(&folder, f.Users, f.Groups, ActionExecutorSystem, \"\", \"\")\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelError, \"error updating folder %q: %v\", folder.Name, err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t} else {\n\t\t\tfolder.Users = nil\n\t\t\terr = AddFolder(&folder, ActionExecutorSystem, \"\", \"\")\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelError, \"error adding folder %q: %v\", folder.Name, err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (p *MemoryProvider) restoreUsers(dump *BackupData) error {\n\tfor idx := range dump.Users {\n\t\tuser := dump.Users[idx]\n\t\tuser.Username = config.convertName(user.Username)\n\t\tu, err := p.userExists(user.Username, \"\")\n\t\tif err == nil {\n\t\t\tuser.ID = u.ID\n\t\t\terr = UpdateUser(&user, ActionExecutorSystem, \"\", \"\")\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelError, \"error updating user %q: %v\", user.Username, err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t} else {\n\t\t\terr = AddUser(&user, ActionExecutorSystem, \"\", \"\")\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelError, \"error adding user %q: %v\", user.Username, err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t}\n\treturn nil\n}\n\n// initializeDatabase does nothing, no initilization is needed for memory provider\nfunc (p *MemoryProvider) initializeDatabase() error {\n\treturn ErrNoInitRequired\n}\n\nfunc (p *MemoryProvider) migrateDatabase() error {\n\treturn ErrNoInitRequired\n}\n\nfunc (p *MemoryProvider) revertDatabase(_ int) error {\n\treturn errors.New(\"memory provider does not store data, revert not possible\")\n}\n\nfunc (p *MemoryProvider) resetDatabase() error {\n\treturn errors.New(\"memory provider does not store data, reset not possible\")\n}\n" }, { "path": "internal/dataprovider/mysql.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build !nomysql\n\npackage dataprovider\n\nimport (\n\t\"context\"\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"database/sql\"\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/go-sql-driver/mysql\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nconst (\n\tmysqlResetSQL = \"DROP TABLE IF EXISTS `{{api_keys}}` CASCADE;\" +\n\t\t\"DROP TABLE IF EXISTS `{{users_folders_mapping}}` CASCADE;\" +\n\t\t\"DROP TABLE IF EXISTS `{{users_groups_mapping}}` CASCADE;\" +\n\t\t\"DROP TABLE IF EXISTS `{{admins_groups_mapping}}` CASCADE;\" +\n\t\t\"DROP TABLE IF EXISTS `{{groups_folders_mapping}}` CASCADE;\" +\n\t\t\"DROP TABLE IF EXISTS `{{shares_groups_mapping}}` CASCADE;\" +\n\t\t\"DROP TABLE IF EXISTS `{{admins}}` CASCADE;\" +\n\t\t\"DROP TABLE IF EXISTS `{{folders}}` CASCADE;\" +\n\t\t\"DROP TABLE IF EXISTS `{{shares}}` CASCADE;\" +\n\t\t\"DROP TABLE IF EXISTS `{{users}}` CASCADE;\" +\n\t\t\"DROP TABLE IF EXISTS `{{groups}}` CASCADE;\" +\n\t\t\"DROP TABLE IF EXISTS `{{defender_events}}` CASCADE;\" +\n\t\t\"DROP TABLE IF EXISTS `{{defender_hosts}}` CASCADE;\" +\n\t\t\"DROP TABLE IF EXISTS `{{active_transfers}}` CASCADE;\" +\n\t\t\"DROP TABLE IF EXISTS `{{shared_sessions}}` CASCADE;\" +\n\t\t\"DROP TABLE IF EXISTS `{{rules_actions_mapping}}` CASCADE;\" +\n\t\t\"DROP TABLE IF EXISTS `{{events_actions}}` CASCADE;\" +\n\t\t\"DROP TABLE IF EXISTS `{{events_rules}}` CASCADE;\" +\n\t\t\"DROP TABLE IF EXISTS `{{tasks}}` CASCADE;\" +\n\t\t\"DROP TABLE IF EXISTS `{{nodes}}` CASCADE;\" +\n\t\t\"DROP TABLE IF EXISTS `{{roles}}` CASCADE;\" +\n\t\t\"DROP TABLE IF EXISTS `{{ip_lists}}` CASCADE;\" +\n\t\t\"DROP TABLE IF EXISTS `{{configs}}` CASCADE;\" +\n\t\t\"DROP TABLE IF EXISTS `{{schema_version}}` CASCADE;\"\n\tmysqlInitialSQL = \"CREATE TABLE `{{schema_version}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY, `version` integer NOT NULL);\" +\n\t\t\"CREATE TABLE `{{admins}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY, `username` varchar(255) NOT NULL UNIQUE, \" +\n\t\t\"`description` varchar(512) NULL, `password` varchar(255) NOT NULL, `email` varchar(255) NULL, `status` integer NOT NULL, \" +\n\t\t\"`permissions` longtext NOT NULL, `filters` longtext NULL, `additional_info` longtext NULL, `last_login` bigint NOT NULL, \" +\n\t\t\"`role_id` integer NULL, `created_at` bigint NOT NULL, `updated_at` bigint NOT NULL);\" +\n\t\t\"CREATE TABLE `{{active_transfers}}` (`id` bigint AUTO_INCREMENT NOT NULL PRIMARY KEY, \" +\n\t\t\"`connection_id` varchar(100) NOT NULL, `transfer_id` bigint NOT NULL, `transfer_type` integer NOT NULL, \" +\n\t\t\"`username` varchar(255) NOT NULL, `folder_name` varchar(255) NULL, `ip` varchar(50) NOT NULL, \" +\n\t\t\"`truncated_size` bigint NOT NULL, `current_ul_size` bigint NOT NULL, `current_dl_size` bigint NOT NULL, \" +\n\t\t\"`created_at` bigint NOT NULL, `updated_at` bigint NOT NULL);\" +\n\t\t\"CREATE TABLE `{{defender_hosts}}` (`id` bigint AUTO_INCREMENT NOT NULL PRIMARY KEY, \" +\n\t\t\"`ip` varchar(50) NOT NULL UNIQUE, `ban_time` bigint NOT NULL, `updated_at` bigint NOT NULL);\" +\n\t\t\"CREATE TABLE `{{defender_events}}` (`id` bigint AUTO_INCREMENT NOT NULL PRIMARY KEY, \" +\n\t\t\"`date_time` bigint NOT NULL, `score` integer NOT NULL, `host_id` bigint NOT NULL);\" +\n\t\t\"ALTER TABLE `{{defender_events}}` ADD CONSTRAINT `{{prefix}}defender_events_host_id_fk_defender_hosts_id` \" +\n\t\t\"FOREIGN KEY (`host_id`) REFERENCES `{{defender_hosts}}` (`id`) ON DELETE CASCADE;\" +\n\t\t\"CREATE TABLE `{{folders}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY, `name` varchar(255) NOT NULL UNIQUE, \" +\n\t\t\"`description` varchar(512) NULL, `path` longtext NULL, `used_quota_size` bigint NOT NULL, \" +\n\t\t\"`used_quota_files` integer NOT NULL, `last_quota_update` bigint NOT NULL, `filesystem` longtext NULL);\" +\n\t\t\"CREATE TABLE `{{groups}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY, \" +\n\t\t\"`name` varchar(255) NOT NULL UNIQUE, `description` varchar(512) NULL, `created_at` bigint NOT NULL, \" +\n\t\t\"`updated_at` bigint NOT NULL, `user_settings` longtext NULL);\" +\n\t\t\"CREATE TABLE `{{shared_sessions}}` (`key` varchar(128) NOT NULL, `type` integer NOT NULL, `data` longtext NOT NULL, \" +\n\t\t\"`timestamp` bigint NOT NULL, PRIMARY KEY (`key`, `type`));\" +\n\t\t\"CREATE TABLE `{{users}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY, `username` varchar(255) NOT NULL UNIQUE, \" +\n\t\t\"`status` integer NOT NULL, `expiration_date` bigint NOT NULL, `description` varchar(512) NULL, `password` longtext NULL, \" +\n\t\t\"`public_keys` longtext NULL, `home_dir` longtext NOT NULL, `uid` bigint NOT NULL, `gid` bigint NOT NULL, \" +\n\t\t\"`max_sessions` integer NOT NULL, `quota_size` bigint NOT NULL, `quota_files` integer NOT NULL, \" +\n\t\t\"`permissions` longtext NOT NULL, `used_quota_size` bigint NOT NULL, `used_quota_files` integer NOT NULL, \" +\n\t\t\"`last_quota_update` bigint NOT NULL, `upload_bandwidth` integer NOT NULL, `download_bandwidth` integer NOT NULL, \" +\n\t\t\"`last_login` bigint NOT NULL, `filters` longtext NULL, `filesystem` longtext NULL, `additional_info` longtext NULL, \" +\n\t\t\"`created_at` bigint NOT NULL, `updated_at` bigint NOT NULL, `email` varchar(255) NULL, \" +\n\t\t\"`upload_data_transfer` integer NOT NULL, `download_data_transfer` integer NOT NULL, \" +\n\t\t\"`total_data_transfer` integer NOT NULL, `used_upload_data_transfer` bigint NOT NULL, \" +\n\t\t\"`used_download_data_transfer` bigint NOT NULL, `deleted_at` bigint NOT NULL, `first_download` bigint NOT NULL, \" +\n\t\t\"`first_upload` bigint NOT NULL, `last_password_change` bigint NOT NULL, `role_id` integer NULL);\" +\n\t\t\"CREATE TABLE `{{groups_folders_mapping}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY, \" +\n\t\t\"`group_id` integer NOT NULL, `folder_id` integer NOT NULL, \" +\n\t\t\"`virtual_path` longtext NOT NULL, `quota_size` bigint NOT NULL, `quota_files` integer NOT NULL, `sort_order` integer NOT NULL);\" +\n\t\t\"CREATE TABLE `{{users_groups_mapping}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY, \" +\n\t\t\"`user_id` integer NOT NULL, `group_id` integer NOT NULL, `group_type` integer NOT NULL, `sort_order` integer NOT NULL);\" +\n\t\t\"CREATE TABLE `{{users_folders_mapping}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY, `virtual_path` longtext NOT NULL, \" +\n\t\t\"`quota_size` bigint NOT NULL, `quota_files` integer NOT NULL, `folder_id` integer NOT NULL, `user_id` integer NOT NULL, `sort_order` integer NOT NULL);\" +\n\t\t\"ALTER TABLE `{{users_folders_mapping}}` ADD CONSTRAINT `{{prefix}}unique_user_folder_mapping` \" +\n\t\t\"UNIQUE (`user_id`, `folder_id`);\" +\n\t\t\"ALTER TABLE `{{users_folders_mapping}}` ADD CONSTRAINT `{{prefix}}users_folders_mapping_user_id_fk_users_id` \" +\n\t\t\"FOREIGN KEY (`user_id`) REFERENCES `{{users}}` (`id`) ON DELETE CASCADE;\" +\n\t\t\"ALTER TABLE `{{users_folders_mapping}}` ADD CONSTRAINT `{{prefix}}users_folders_mapping_folder_id_fk_folders_id` \" +\n\t\t\"FOREIGN KEY (`folder_id`) REFERENCES `{{folders}}` (`id`) ON DELETE CASCADE;\" +\n\t\t\"CREATE INDEX `{{prefix}}users_folders_mapping_sort_order_idx` ON `{{users_folders_mapping}}` (`sort_order`);\" +\n\t\t\"ALTER TABLE `{{users_groups_mapping}}` ADD CONSTRAINT `{{prefix}}unique_user_group_mapping` UNIQUE (`user_id`, `group_id`);\" +\n\t\t\"ALTER TABLE `{{groups_folders_mapping}}` ADD CONSTRAINT `{{prefix}}unique_group_folder_mapping` UNIQUE (`group_id`, `folder_id`);\" +\n\t\t\"ALTER TABLE `{{users_groups_mapping}}` ADD CONSTRAINT `{{prefix}}users_groups_mapping_group_id_fk_groups_id` \" +\n\t\t\"FOREIGN KEY (`group_id`) REFERENCES `{{groups}}` (`id`) ON DELETE NO ACTION;\" +\n\t\t\"ALTER TABLE `{{users_groups_mapping}}` ADD CONSTRAINT `{{prefix}}users_groups_mapping_user_id_fk_users_id` \" +\n\t\t\"FOREIGN KEY (`user_id`) REFERENCES `{{users}}` (`id`) ON DELETE CASCADE; \" +\n\t\t\"CREATE INDEX `{{prefix}}users_groups_mapping_sort_order_idx` ON `{{users_groups_mapping}}` (`sort_order`);\" +\n\t\t\"ALTER TABLE `{{groups_folders_mapping}}` ADD CONSTRAINT `{{prefix}}groups_folders_mapping_folder_id_fk_folders_id` \" +\n\t\t\"FOREIGN KEY (`folder_id`) REFERENCES `{{folders}}` (`id`) ON DELETE CASCADE;\" +\n\t\t\"ALTER TABLE `{{groups_folders_mapping}}` ADD CONSTRAINT `{{prefix}}groups_folders_mapping_group_id_fk_groups_id` \" +\n\t\t\"FOREIGN KEY (`group_id`) REFERENCES `{{groups}}` (`id`) ON DELETE CASCADE;\" +\n\t\t\"CREATE INDEX `{{prefix}}groups_folders_mapping_sort_order_idx` ON `{{groups_folders_mapping}}` (`sort_order`); \" +\n\t\t\"CREATE TABLE `{{shares}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY, \" +\n\t\t\"`share_id` varchar(60) NOT NULL UNIQUE, `name` varchar(255) NOT NULL, `description` varchar(512) NULL, \" +\n\t\t\"`scope` integer NOT NULL, `paths` longtext NOT NULL, `created_at` bigint NOT NULL, \" +\n\t\t\"`updated_at` bigint NOT NULL, `last_use_at` bigint NOT NULL, `expires_at` bigint NOT NULL, \" +\n\t\t\"`password` longtext NULL, `max_tokens` integer NOT NULL, `used_tokens` integer NOT NULL, \" +\n\t\t\"`allow_from` longtext NULL, `options` longtext NULL, `user_id` integer NOT NULL);\" +\n\t\t\"ALTER TABLE `{{shares}}` ADD CONSTRAINT `{{prefix}}shares_user_id_fk_users_id` \" +\n\t\t\"FOREIGN KEY (`user_id`) REFERENCES `{{users}}` (`id`) ON DELETE CASCADE;\" +\n\t\t\"CREATE TABLE `{{api_keys}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY, `name` varchar(255) NOT NULL, `key_id` varchar(50) NOT NULL UNIQUE,\" +\n\t\t\"`api_key` varchar(255) NOT NULL UNIQUE, `scope` integer NOT NULL, `created_at` bigint NOT NULL, `updated_at` bigint NOT NULL, `last_use_at` bigint NOT NULL, \" +\n\t\t\"`expires_at` bigint NOT NULL, `description` longtext NULL, `admin_id` integer NULL, `user_id` integer NULL);\" +\n\t\t\"ALTER TABLE `{{api_keys}}` ADD CONSTRAINT `{{prefix}}api_keys_admin_id_fk_admins_id` FOREIGN KEY (`admin_id`) REFERENCES `{{admins}}` (`id`) ON DELETE CASCADE;\" +\n\t\t\"ALTER TABLE `{{api_keys}}` ADD CONSTRAINT `{{prefix}}api_keys_user_id_fk_users_id` FOREIGN KEY (`user_id`) REFERENCES `{{users}}` (`id`) ON DELETE CASCADE;\" +\n\t\t\"CREATE TABLE `{{events_rules}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY, \" +\n\t\t\"`name` varchar(255) NOT NULL UNIQUE, `status` integer NOT NULL, `description` varchar(512) NULL, `created_at` bigint NOT NULL, \" +\n\t\t\"`updated_at` bigint NOT NULL, `trigger` integer NOT NULL, `conditions` longtext NOT NULL, `deleted_at` bigint NOT NULL);\" +\n\t\t\"CREATE TABLE `{{events_actions}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY, \" +\n\t\t\"`name` varchar(255) NOT NULL UNIQUE, `description` varchar(512) NULL, `type` integer NOT NULL, \" +\n\t\t\"`options` longtext NOT NULL);\" +\n\t\t\"CREATE TABLE `{{rules_actions_mapping}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY, \" +\n\t\t\"`rule_id` integer NOT NULL, `action_id` integer NOT NULL, `order` integer NOT NULL, `options` longtext NOT NULL);\" +\n\t\t\"CREATE TABLE `{{tasks}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY, `name` varchar(255) NOT NULL UNIQUE, \" +\n\t\t\"`updated_at` bigint NOT NULL, `version` bigint NOT NULL);\" +\n\t\t\"ALTER TABLE `{{rules_actions_mapping}}` ADD CONSTRAINT `{{prefix}}unique_rule_action_mapping` UNIQUE (`rule_id`, `action_id`);\" +\n\t\t\"ALTER TABLE `{{rules_actions_mapping}}` ADD CONSTRAINT `{{prefix}}rules_actions_mapping_rule_id_fk_events_rules_id` \" +\n\t\t\"FOREIGN KEY (`rule_id`) REFERENCES `{{events_rules}}` (`id`) ON DELETE CASCADE;\" +\n\t\t\"ALTER TABLE `{{rules_actions_mapping}}` ADD CONSTRAINT `{{prefix}}rules_actions_mapping_action_id_fk_events_targets_id` \" +\n\t\t\"FOREIGN KEY (`action_id`) REFERENCES `{{events_actions}}` (`id`) ON DELETE NO ACTION;\" +\n\t\t\"CREATE TABLE `{{admins_groups_mapping}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY, \" +\n\t\t\" `admin_id` integer NOT NULL, `group_id` integer NOT NULL, `options` longtext NOT NULL, `sort_order` integer NOT NULL);\" +\n\t\t\"ALTER TABLE `{{admins_groups_mapping}}` ADD CONSTRAINT `{{prefix}}unique_admin_group_mapping` \" +\n\t\t\"UNIQUE (`admin_id`, `group_id`);\" +\n\t\t\"ALTER TABLE `{{admins_groups_mapping}}` ADD CONSTRAINT `{{prefix}}admins_groups_mapping_admin_id_fk_admins_id` \" +\n\t\t\"FOREIGN KEY (`admin_id`) REFERENCES `{{admins}}` (`id`) ON DELETE CASCADE;\" +\n\t\t\"ALTER TABLE `{{admins_groups_mapping}}` ADD CONSTRAINT `{{prefix}}admins_groups_mapping_group_id_fk_groups_id` \" +\n\t\t\"FOREIGN KEY (`group_id`) REFERENCES `{{groups}}` (`id`) ON DELETE CASCADE;\" +\n\t\t\"CREATE INDEX `{{prefix}}admins_groups_mapping_sort_order_idx` ON `{{admins_groups_mapping}}` (`sort_order`); \" +\n\t\t\"CREATE TABLE `{{nodes}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY, \" +\n\t\t\"`name` varchar(255) NOT NULL UNIQUE, `data` longtext NOT NULL, `created_at` bigint NOT NULL, \" +\n\t\t\"`updated_at` bigint NOT NULL);\" +\n\t\t\"CREATE TABLE `{{roles}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY, `name` varchar(255) NOT NULL UNIQUE, \" +\n\t\t\"`description` varchar(512) NULL, `created_at` bigint NOT NULL, `updated_at` bigint NOT NULL);\" +\n\t\t\"ALTER TABLE `{{admins}}` ADD CONSTRAINT `{{prefix}}admins_role_id_fk_roles_id` FOREIGN KEY (`role_id`) \" +\n\t\t\"REFERENCES `{{roles}}`(`id`) ON DELETE NO ACTION;\" +\n\t\t\"ALTER TABLE `{{users}}` ADD CONSTRAINT `{{prefix}}users_role_id_fk_roles_id` FOREIGN KEY (`role_id`) \" +\n\t\t\"REFERENCES `{{roles}}`(`id`) ON DELETE SET NULL;\" +\n\t\t\"CREATE TABLE `{{ip_lists}}` (`id` bigint AUTO_INCREMENT NOT NULL PRIMARY KEY, `type` integer NOT NULL, \" +\n\t\t\"`ipornet` varchar(50) NOT NULL, `mode` integer NOT NULL, `description` varchar(512) NULL, \" +\n\t\t\"`first` VARBINARY(16) NOT NULL, `last` VARBINARY(16) NOT NULL, `ip_type` integer NOT NULL, `protocols` integer NOT NULL, \" +\n\t\t\"`created_at` bigint NOT NULL, `updated_at` bigint NOT NULL, `deleted_at` bigint NOT NULL);\" +\n\t\t\"ALTER TABLE `{{ip_lists}}` ADD CONSTRAINT `{{prefix}}unique_ipornet_type_mapping` UNIQUE (`type`, `ipornet`);\" +\n\t\t\"CREATE TABLE `{{configs}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY, `configs` longtext NOT NULL);\" +\n\t\t\"INSERT INTO {{configs}} (configs) VALUES ('{}');\" +\n\t\t\"CREATE INDEX `{{prefix}}users_updated_at_idx` ON `{{users}}` (`updated_at`);\" +\n\t\t\"CREATE INDEX `{{prefix}}users_deleted_at_idx` ON `{{users}}` (`deleted_at`);\" +\n\t\t\"CREATE INDEX `{{prefix}}defender_hosts_updated_at_idx` ON `{{defender_hosts}}` (`updated_at`);\" +\n\t\t\"CREATE INDEX `{{prefix}}defender_hosts_ban_time_idx` ON `{{defender_hosts}}` (`ban_time`);\" +\n\t\t\"CREATE INDEX `{{prefix}}defender_events_date_time_idx` ON `{{defender_events}}` (`date_time`);\" +\n\t\t\"CREATE INDEX `{{prefix}}active_transfers_connection_id_idx` ON `{{active_transfers}}` (`connection_id`);\" +\n\t\t\"CREATE INDEX `{{prefix}}active_transfers_transfer_id_idx` ON `{{active_transfers}}` (`transfer_id`);\" +\n\t\t\"CREATE INDEX `{{prefix}}active_transfers_updated_at_idx` ON `{{active_transfers}}` (`updated_at`);\" +\n\t\t\"CREATE INDEX `{{prefix}}shared_sessions_type_idx` ON `{{shared_sessions}}` (`type`);\" +\n\t\t\"CREATE INDEX `{{prefix}}shared_sessions_timestamp_idx` ON `{{shared_sessions}}` (`timestamp`);\" +\n\t\t\"CREATE INDEX `{{prefix}}events_rules_updated_at_idx` ON `{{events_rules}}` (`updated_at`);\" +\n\t\t\"CREATE INDEX `{{prefix}}events_rules_deleted_at_idx` ON `{{events_rules}}` (`deleted_at`);\" +\n\t\t\"CREATE INDEX `{{prefix}}events_rules_trigger_idx` ON `{{events_rules}}` (`trigger`);\" +\n\t\t\"CREATE INDEX `{{prefix}}rules_actions_mapping_order_idx` ON `{{rules_actions_mapping}}` (`order`);\" +\n\t\t\"CREATE INDEX `{{prefix}}ip_lists_type_idx` ON `{{ip_lists}}` (`type`);\" +\n\t\t\"CREATE INDEX `{{prefix}}ip_lists_ipornet_idx` ON `{{ip_lists}}` (`ipornet`);\" +\n\t\t\"CREATE INDEX `{{prefix}}ip_lists_ip_type_idx` ON `{{ip_lists}}` (`ip_type`);\" +\n\t\t\"CREATE INDEX `{{prefix}}ip_lists_updated_at_idx` ON `{{ip_lists}}` (`updated_at`);\" +\n\t\t\"CREATE INDEX `{{prefix}}ip_lists_deleted_at_idx` ON `{{ip_lists}}` (`deleted_at`);\" +\n\t\t\"CREATE INDEX `{{prefix}}ip_lists_first_last_idx` ON `{{ip_lists}}` (`first`, `last`);\" +\n\t\t\"INSERT INTO {{schema_version}} (version) VALUES (33);\"\n\tmysqlV34SQL = \"CREATE TABLE `{{shares_groups_mapping}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY,\" +\n\t\t\"`share_id` integer NOT NULL, `group_id` integer NOT NULL, `permissions` integer NOT NULL,\" +\n\t\t\"`sort_order` integer NOT NULL,\" +\n\t\t\"CONSTRAINT `{{prefix}}unique_share_group_mapping` UNIQUE (`share_id`, `group_id`),\" +\n\t\t\"CONSTRAINT `{{prefix}}shares_groups_mapping_share_id_fk` FOREIGN KEY (`share_id`) REFERENCES `{{shares}}` (`id`) ON DELETE CASCADE,\" +\n\t\t\"CONSTRAINT `{{prefix}}shares_groups_mapping_group_id_fk` FOREIGN KEY (`group_id`) REFERENCES `{{groups}}` (`id`) ON DELETE CASCADE); \" +\n\t\t\"CREATE INDEX `{{prefix}}shares_groups_mapping_sort_order_idx` ON `{{shares_groups_mapping}}` (`sort_order`); \" +\n\t\t\"CREATE INDEX `{{prefix}}shares_groups_mapping_share_id_idx` ON `{{shares_groups_mapping}}` (`share_id`); \" +\n\t\t\"CREATE INDEX `{{prefix}}shares_groups_mapping_group_id_idx` ON `{{shares_groups_mapping}}` (`group_id`);\"\n\tmysqlV34DownSQL = \"DROP TABLE IF EXISTS `{{shares_groups_mapping}}`;\"\n)\n\n// MySQLProvider defines the auth provider for MySQL/MariaDB database\ntype MySQLProvider struct {\n\tdbHandle *sql.DB\n}\n\nfunc init() {\n\tversion.AddFeature(\"+mysql\")\n}\n\nfunc initializeMySQLProvider() error {\n\tconnString, err := getMySQLConnectionString(false)\n\tif err != nil {\n\t\treturn err\n\t}\n\tredactedConnString, err := getMySQLConnectionString(true)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdbHandle, err := sql.Open(\"mysql\", connString)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"error creating mysql database handler, connection string: %q, error: %v\",\n\t\t\tredactedConnString, err)\n\t\treturn err\n\t}\n\tproviderLog(logger.LevelDebug, \"mysql database handle created, connection string: %q, pool size: %v\",\n\t\tredactedConnString, config.PoolSize)\n\tdbHandle.SetMaxOpenConns(config.PoolSize)\n\tif config.PoolSize > 0 {\n\t\tdbHandle.SetMaxIdleConns(config.PoolSize)\n\t} else {\n\t\tdbHandle.SetMaxIdleConns(2)\n\t}\n\tdbHandle.SetConnMaxLifetime(240 * time.Second)\n\tdbHandle.SetConnMaxIdleTime(120 * time.Second)\n\tprovider = &MySQLProvider{dbHandle: dbHandle}\n\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\treturn dbHandle.PingContext(ctx)\n}\nfunc getMySQLConnectionString(redactedPwd bool) (string, error) {\n\tvar connectionString string\n\tif config.ConnectionString == \"\" {\n\t\tpassword := config.Password\n\t\tif redactedPwd && password != \"\" {\n\t\t\tpassword = \"[redacted]\"\n\t\t}\n\t\tsslMode := getSSLMode()\n\t\tif sslMode == \"custom\" && !redactedPwd {\n\t\t\tif err := registerMySQLCustomTLSConfig(); err != nil {\n\t\t\t\treturn \"\", err\n\t\t\t}\n\t\t}\n\t\tconnectionString = fmt.Sprintf(\"%s:%s@tcp([%s]:%d)/%s?collation=utf8mb4_unicode_ci&interpolateParams=true&timeout=10s&parseTime=true&clientFoundRows=true&tls=%s&writeTimeout=60s&readTimeout=60s\",\n\t\t\tconfig.Username, password, config.Host, config.Port, config.Name, sslMode)\n\t} else {\n\t\tconnectionString = config.ConnectionString\n\t}\n\treturn connectionString, nil\n}\n\nfunc registerMySQLCustomTLSConfig() error {\n\ttlsConfig := &tls.Config{}\n\tif config.RootCert != \"\" {\n\t\trootCAs, err := x509.SystemCertPool()\n\t\tif err != nil {\n\t\t\trootCAs = x509.NewCertPool()\n\t\t}\n\t\trootCrt, err := os.ReadFile(config.RootCert)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"unable to load root certificate %q: %v\", config.RootCert, err)\n\t\t}\n\t\tif !rootCAs.AppendCertsFromPEM(rootCrt) {\n\t\t\treturn fmt.Errorf(\"unable to parse root certificate %q\", config.RootCert)\n\t\t}\n\t\ttlsConfig.RootCAs = rootCAs\n\t}\n\tif config.ClientCert != \"\" && config.ClientKey != \"\" {\n\t\tclientCert := make([]tls.Certificate, 0, 1)\n\t\ttlsCert, err := tls.LoadX509KeyPair(config.ClientCert, config.ClientKey)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"unable to load key pair %q, %q: %v\", config.ClientCert, config.ClientKey, err)\n\t\t}\n\t\tclientCert = append(clientCert, tlsCert)\n\t\ttlsConfig.Certificates = clientCert\n\t}\n\tif config.SSLMode == 2 || config.SSLMode == 3 {\n\t\ttlsConfig.InsecureSkipVerify = true\n\t}\n\tif !filepath.IsAbs(config.Host) && !config.DisableSNI {\n\t\ttlsConfig.ServerName = config.Host\n\t}\n\tproviderLog(logger.LevelInfo, \"registering custom TLS config, root cert %q, client cert %q, client key %q, disable SNI? %v\",\n\t\tconfig.RootCert, config.ClientCert, config.ClientKey, config.DisableSNI)\n\tif err := mysql.RegisterTLSConfig(\"custom\", tlsConfig); err != nil {\n\t\treturn fmt.Errorf(\"unable to register tls config: %v\", err)\n\t}\n\treturn nil\n}\n\nfunc (p *MySQLProvider) checkAvailability() error {\n\treturn sqlCommonCheckAvailability(p.dbHandle)\n}\n\nfunc (p *MySQLProvider) validateUserAndPass(username, password, ip, protocol string) (User, error) {\n\treturn sqlCommonValidateUserAndPass(username, password, ip, protocol, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) validateUserAndTLSCert(username, protocol string, tlsCert *x509.Certificate) (User, error) {\n\treturn sqlCommonValidateUserAndTLSCertificate(username, protocol, tlsCert, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) validateUserAndPubKey(username string, publicKey []byte, isSSHCert bool) (User, string, error) {\n\treturn sqlCommonValidateUserAndPubKey(username, publicKey, isSSHCert, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) updateTransferQuota(username string, uploadSize, downloadSize int64, reset bool) error {\n\treturn sqlCommonUpdateTransferQuota(username, uploadSize, downloadSize, reset, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) updateQuota(username string, filesAdd int, sizeAdd int64, reset bool) error {\n\treturn sqlCommonUpdateQuota(username, filesAdd, sizeAdd, reset, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getUsedQuota(username string) (int, int64, int64, int64, error) {\n\treturn sqlCommonGetUsedQuota(username, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getAdminSignature(username string) (string, error) {\n\treturn sqlCommonGetAdminSignature(username, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getUserSignature(username string) (string, error) {\n\treturn sqlCommonGetUserSignature(username, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) setUpdatedAt(username string) {\n\tsqlCommonSetUpdatedAt(username, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) updateLastLogin(username string) error {\n\treturn sqlCommonUpdateLastLogin(username, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) updateAdminLastLogin(username string) error {\n\treturn sqlCommonUpdateAdminLastLogin(username, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) userExists(username, role string) (User, error) {\n\treturn sqlCommonGetUserByUsername(username, role, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) addUser(user *User) error {\n\treturn p.normalizeError(sqlCommonAddUser(user, p.dbHandle), fieldUsername)\n}\n\nfunc (p *MySQLProvider) updateUser(user *User) error {\n\treturn p.normalizeError(sqlCommonUpdateUser(user, p.dbHandle), -1)\n}\n\nfunc (p *MySQLProvider) deleteUser(user User, softDelete bool) error {\n\treturn sqlCommonDeleteUser(user, softDelete, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) updateUserPassword(username, password string) error {\n\treturn sqlCommonUpdateUserPassword(username, password, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) dumpUsers() ([]User, error) {\n\treturn sqlCommonDumpUsers(p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getRecentlyUpdatedUsers(after int64) ([]User, error) {\n\treturn sqlCommonGetRecentlyUpdatedUsers(after, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getUsers(limit int, offset int, order, role string) ([]User, error) {\n\treturn sqlCommonGetUsers(limit, offset, order, role, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getUsersForQuotaCheck(toFetch map[string]bool) ([]User, error) {\n\treturn sqlCommonGetUsersForQuotaCheck(toFetch, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) dumpFolders() ([]vfs.BaseVirtualFolder, error) {\n\treturn sqlCommonDumpFolders(p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getFolders(limit, offset int, order string, minimal bool) ([]vfs.BaseVirtualFolder, error) {\n\treturn sqlCommonGetFolders(limit, offset, order, minimal, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getFolderByName(name string) (vfs.BaseVirtualFolder, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\treturn sqlCommonGetFolderByName(ctx, name, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) addFolder(folder *vfs.BaseVirtualFolder) error {\n\treturn p.normalizeError(sqlCommonAddFolder(folder, p.dbHandle), fieldName)\n}\n\nfunc (p *MySQLProvider) updateFolder(folder *vfs.BaseVirtualFolder) error {\n\treturn sqlCommonUpdateFolder(folder, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) deleteFolder(folder vfs.BaseVirtualFolder) error {\n\treturn sqlCommonDeleteFolder(folder, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) updateFolderQuota(name string, filesAdd int, sizeAdd int64, reset bool) error {\n\treturn sqlCommonUpdateFolderQuota(name, filesAdd, sizeAdd, reset, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getUsedFolderQuota(name string) (int, int64, error) {\n\treturn sqlCommonGetFolderUsedQuota(name, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getGroups(limit, offset int, order string, minimal bool) ([]Group, error) {\n\treturn sqlCommonGetGroups(limit, offset, order, minimal, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getGroupsWithNames(names []string) ([]Group, error) {\n\treturn sqlCommonGetGroupsWithNames(names, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getUsersInGroups(names []string) ([]string, error) {\n\treturn sqlCommonGetUsersInGroups(names, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) groupExists(name string) (Group, error) {\n\treturn sqlCommonGetGroupByName(name, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) addGroup(group *Group) error {\n\treturn p.normalizeError(sqlCommonAddGroup(group, p.dbHandle), fieldName)\n}\n\nfunc (p *MySQLProvider) updateGroup(group *Group) error {\n\treturn sqlCommonUpdateGroup(group, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) deleteGroup(group Group) error {\n\treturn sqlCommonDeleteGroup(group, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) dumpGroups() ([]Group, error) {\n\treturn sqlCommonDumpGroups(p.dbHandle)\n}\n\nfunc (p *MySQLProvider) adminExists(username string) (Admin, error) {\n\treturn sqlCommonGetAdminByUsername(username, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) addAdmin(admin *Admin) error {\n\treturn p.normalizeError(sqlCommonAddAdmin(admin, p.dbHandle), fieldUsername)\n}\n\nfunc (p *MySQLProvider) updateAdmin(admin *Admin) error {\n\treturn p.normalizeError(sqlCommonUpdateAdmin(admin, p.dbHandle), -1)\n}\n\nfunc (p *MySQLProvider) deleteAdmin(admin Admin) error {\n\treturn sqlCommonDeleteAdmin(admin, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getAdmins(limit int, offset int, order string) ([]Admin, error) {\n\treturn sqlCommonGetAdmins(limit, offset, order, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) dumpAdmins() ([]Admin, error) {\n\treturn sqlCommonDumpAdmins(p.dbHandle)\n}\n\nfunc (p *MySQLProvider) validateAdminAndPass(username, password, ip string) (Admin, error) {\n\treturn sqlCommonValidateAdminAndPass(username, password, ip, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) apiKeyExists(keyID string) (APIKey, error) {\n\treturn sqlCommonGetAPIKeyByID(keyID, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) addAPIKey(apiKey *APIKey) error {\n\treturn p.normalizeError(sqlCommonAddAPIKey(apiKey, p.dbHandle), -1)\n}\n\nfunc (p *MySQLProvider) updateAPIKey(apiKey *APIKey) error {\n\treturn p.normalizeError(sqlCommonUpdateAPIKey(apiKey, p.dbHandle), -1)\n}\n\nfunc (p *MySQLProvider) deleteAPIKey(apiKey APIKey) error {\n\treturn sqlCommonDeleteAPIKey(apiKey, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getAPIKeys(limit int, offset int, order string) ([]APIKey, error) {\n\treturn sqlCommonGetAPIKeys(limit, offset, order, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) dumpAPIKeys() ([]APIKey, error) {\n\treturn sqlCommonDumpAPIKeys(p.dbHandle)\n}\n\nfunc (p *MySQLProvider) updateAPIKeyLastUse(keyID string) error {\n\treturn sqlCommonUpdateAPIKeyLastUse(keyID, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) shareExists(shareID, username string) (Share, error) {\n\treturn sqlCommonGetShareByID(shareID, username, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) addShare(share *Share) error {\n\treturn p.normalizeError(sqlCommonAddShare(share, p.dbHandle), fieldName)\n}\n\nfunc (p *MySQLProvider) updateShare(share *Share) error {\n\treturn p.normalizeError(sqlCommonUpdateShare(share, p.dbHandle), -1)\n}\n\nfunc (p *MySQLProvider) deleteShare(share Share) error {\n\treturn sqlCommonDeleteShare(share, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getShares(limit int, offset int, order, username string) ([]Share, error) {\n\treturn sqlCommonGetShares(limit, offset, order, username, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) dumpShares() ([]Share, error) {\n\treturn sqlCommonDumpShares(p.dbHandle)\n}\n\nfunc (p *MySQLProvider) updateShareLastUse(shareID string, numTokens int) error {\n\treturn sqlCommonUpdateShareLastUse(shareID, numTokens, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getDefenderHosts(from int64, limit int) ([]DefenderEntry, error) {\n\treturn sqlCommonGetDefenderHosts(from, limit, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getDefenderHostByIP(ip string, from int64) (DefenderEntry, error) {\n\treturn sqlCommonGetDefenderHostByIP(ip, from, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) isDefenderHostBanned(ip string) (DefenderEntry, error) {\n\treturn sqlCommonIsDefenderHostBanned(ip, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) updateDefenderBanTime(ip string, minutes int) error {\n\treturn sqlCommonDefenderIncrementBanTime(ip, minutes, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) deleteDefenderHost(ip string) error {\n\treturn sqlCommonDeleteDefenderHost(ip, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) addDefenderEvent(ip string, score int) error {\n\treturn sqlCommonAddDefenderHostAndEvent(ip, score, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) setDefenderBanTime(ip string, banTime int64) error {\n\treturn sqlCommonSetDefenderBanTime(ip, banTime, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) cleanupDefender(from int64) error {\n\treturn sqlCommonDefenderCleanup(from, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) addActiveTransfer(transfer ActiveTransfer) error {\n\treturn sqlCommonAddActiveTransfer(transfer, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) updateActiveTransferSizes(ulSize, dlSize, transferID int64, connectionID string) error {\n\treturn sqlCommonUpdateActiveTransferSizes(ulSize, dlSize, transferID, connectionID, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) removeActiveTransfer(transferID int64, connectionID string) error {\n\treturn sqlCommonRemoveActiveTransfer(transferID, connectionID, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) cleanupActiveTransfers(before time.Time) error {\n\treturn sqlCommonCleanupActiveTransfers(before, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getActiveTransfers(from time.Time) ([]ActiveTransfer, error) {\n\treturn sqlCommonGetActiveTransfers(from, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) addSharedSession(session Session) error {\n\treturn sqlCommonAddSession(session, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) deleteSharedSession(key string, sessionType SessionType) error {\n\treturn sqlCommonDeleteSession(key, sessionType, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getSharedSession(key string, sessionType SessionType) (Session, error) {\n\treturn sqlCommonGetSession(key, sessionType, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) cleanupSharedSessions(sessionType SessionType, before int64) error {\n\treturn sqlCommonCleanupSessions(sessionType, before, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getEventActions(limit, offset int, order string, minimal bool) ([]BaseEventAction, error) {\n\treturn sqlCommonGetEventActions(limit, offset, order, minimal, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) dumpEventActions() ([]BaseEventAction, error) {\n\treturn sqlCommonDumpEventActions(p.dbHandle)\n}\n\nfunc (p *MySQLProvider) eventActionExists(name string) (BaseEventAction, error) {\n\treturn sqlCommonGetEventActionByName(name, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) addEventAction(action *BaseEventAction) error {\n\treturn p.normalizeError(sqlCommonAddEventAction(action, p.dbHandle), fieldName)\n}\n\nfunc (p *MySQLProvider) updateEventAction(action *BaseEventAction) error {\n\treturn sqlCommonUpdateEventAction(action, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) deleteEventAction(action BaseEventAction) error {\n\treturn sqlCommonDeleteEventAction(action, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getEventRules(limit, offset int, order string) ([]EventRule, error) {\n\treturn sqlCommonGetEventRules(limit, offset, order, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) dumpEventRules() ([]EventRule, error) {\n\treturn sqlCommonDumpEventRules(p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getRecentlyUpdatedRules(after int64) ([]EventRule, error) {\n\treturn sqlCommonGetRecentlyUpdatedRules(after, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) eventRuleExists(name string) (EventRule, error) {\n\treturn sqlCommonGetEventRuleByName(name, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) addEventRule(rule *EventRule) error {\n\treturn p.normalizeError(sqlCommonAddEventRule(rule, p.dbHandle), fieldName)\n}\n\nfunc (p *MySQLProvider) updateEventRule(rule *EventRule) error {\n\treturn sqlCommonUpdateEventRule(rule, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) deleteEventRule(rule EventRule, softDelete bool) error {\n\treturn sqlCommonDeleteEventRule(rule, softDelete, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getTaskByName(name string) (Task, error) {\n\treturn sqlCommonGetTaskByName(name, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) addTask(name string) error {\n\treturn sqlCommonAddTask(name, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) updateTask(name string, version int64) error {\n\treturn sqlCommonUpdateTask(name, version, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) updateTaskTimestamp(name string) error {\n\treturn sqlCommonUpdateTaskTimestamp(name, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) addNode() error {\n\treturn sqlCommonAddNode(p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getNodeByName(name string) (Node, error) {\n\treturn sqlCommonGetNodeByName(name, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getNodes() ([]Node, error) {\n\treturn sqlCommonGetNodes(p.dbHandle)\n}\n\nfunc (p *MySQLProvider) updateNodeTimestamp() error {\n\treturn sqlCommonUpdateNodeTimestamp(p.dbHandle)\n}\n\nfunc (p *MySQLProvider) cleanupNodes() error {\n\treturn sqlCommonCleanupNodes(p.dbHandle)\n}\n\nfunc (p *MySQLProvider) roleExists(name string) (Role, error) {\n\treturn sqlCommonGetRoleByName(name, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) addRole(role *Role) error {\n\treturn p.normalizeError(sqlCommonAddRole(role, p.dbHandle), fieldName)\n}\n\nfunc (p *MySQLProvider) updateRole(role *Role) error {\n\treturn sqlCommonUpdateRole(role, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) deleteRole(role Role) error {\n\treturn sqlCommonDeleteRole(role, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getRoles(limit int, offset int, order string, minimal bool) ([]Role, error) {\n\treturn sqlCommonGetRoles(limit, offset, order, minimal, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) dumpRoles() ([]Role, error) {\n\treturn sqlCommonDumpRoles(p.dbHandle)\n}\n\nfunc (p *MySQLProvider) ipListEntryExists(ipOrNet string, listType IPListType) (IPListEntry, error) {\n\treturn sqlCommonGetIPListEntry(ipOrNet, listType, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) addIPListEntry(entry *IPListEntry) error {\n\treturn p.normalizeError(sqlCommonAddIPListEntry(entry, p.dbHandle), fieldIPNet)\n}\n\nfunc (p *MySQLProvider) updateIPListEntry(entry *IPListEntry) error {\n\treturn sqlCommonUpdateIPListEntry(entry, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) deleteIPListEntry(entry IPListEntry, softDelete bool) error {\n\treturn sqlCommonDeleteIPListEntry(entry, softDelete, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getIPListEntries(listType IPListType, filter, from, order string, limit int) ([]IPListEntry, error) {\n\treturn sqlCommonGetIPListEntries(listType, filter, from, order, limit, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getRecentlyUpdatedIPListEntries(after int64) ([]IPListEntry, error) {\n\treturn sqlCommonGetRecentlyUpdatedIPListEntries(after, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) dumpIPListEntries() ([]IPListEntry, error) {\n\treturn sqlCommonDumpIPListEntries(p.dbHandle)\n}\n\nfunc (p *MySQLProvider) countIPListEntries(listType IPListType) (int64, error) {\n\treturn sqlCommonCountIPListEntries(listType, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getListEntriesForIP(ip string, listType IPListType) ([]IPListEntry, error) {\n\treturn sqlCommonGetListEntriesForIP(ip, listType, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) getConfigs() (Configs, error) {\n\treturn sqlCommonGetConfigs(p.dbHandle)\n}\n\nfunc (p *MySQLProvider) setConfigs(configs *Configs) error {\n\treturn sqlCommonSetConfigs(configs, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) setFirstDownloadTimestamp(username string) error {\n\treturn sqlCommonSetFirstDownloadTimestamp(username, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) setFirstUploadTimestamp(username string) error {\n\treturn sqlCommonSetFirstUploadTimestamp(username, p.dbHandle)\n}\n\nfunc (p *MySQLProvider) close() error {\n\treturn p.dbHandle.Close()\n}\n\nfunc (p *MySQLProvider) reloadConfig() error {\n\treturn nil\n}\n\n// initializeDatabase creates the initial database structure\nfunc (p *MySQLProvider) initializeDatabase() error {\n\tdbVersion, err := sqlCommonGetDatabaseVersion(p.dbHandle, false)\n\tif err == nil && dbVersion.Version > 0 {\n\t\treturn ErrNoInitRequired\n\t}\n\tif errors.Is(err, sql.ErrNoRows) {\n\t\treturn errSchemaVersionEmpty\n\t}\n\tlogger.InfoToConsole(\"creating initial database schema, version 33\")\n\tproviderLog(logger.LevelInfo, \"creating initial database schema, version 33\")\n\tinitialSQL := sqlReplaceAll(mysqlInitialSQL)\n\n\treturn sqlCommonExecSQLAndUpdateDBVersion(p.dbHandle, strings.Split(initialSQL, \";\"), 33, true)\n}\n\nfunc (p *MySQLProvider) migrateDatabase() error {\n\tdbVersion, err := sqlCommonGetDatabaseVersion(p.dbHandle, true)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tswitch version := dbVersion.Version; {\n\tcase version == sqlDatabaseVersion:\n\t\tproviderLog(logger.LevelDebug, \"sql database is up to date, current version: %d\", version)\n\t\treturn ErrNoInitRequired\n\tcase version < 33:\n\t\terr = errSchemaVersionTooOld(version)\n\t\tproviderLog(logger.LevelError, \"%v\", err)\n\t\tlogger.ErrorToConsole(\"%v\", err)\n\t\treturn err\n\tcase version == 33:\n\t\treturn updateMySQLDatabaseFromV33(p.dbHandle)\n\tdefault:\n\t\tif version > sqlDatabaseVersion {\n\t\t\tproviderLog(logger.LevelError, \"database schema version %d is newer than the supported one: %d\", version,\n\t\t\t\tsqlDatabaseVersion)\n\t\t\tlogger.WarnToConsole(\"database schema version %d is newer than the supported one: %d\", version,\n\t\t\t\tsqlDatabaseVersion)\n\t\t\treturn nil\n\t\t}\n\t\treturn fmt.Errorf(\"database schema version not handled: %d\", version)\n\t}\n}\n\nfunc (p *MySQLProvider) revertDatabase(targetVersion int) error {\n\tdbVersion, err := sqlCommonGetDatabaseVersion(p.dbHandle, true)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif dbVersion.Version == targetVersion {\n\t\treturn errors.New(\"current version match target version, nothing to do\")\n\t}\n\n\tswitch dbVersion.Version {\n\tcase 34:\n\t\treturn downgradeMySQLDatabaseFromV34(p.dbHandle)\n\tdefault:\n\t\treturn fmt.Errorf(\"database schema version not handled: %d\", dbVersion.Version)\n\t}\n}\n\nfunc (p *MySQLProvider) resetDatabase() error {\n\tsql := sqlReplaceAll(mysqlResetSQL)\n\treturn sqlCommonExecSQLAndUpdateDBVersion(p.dbHandle, strings.Split(sql, \";\"), 0, false)\n}\n\nfunc (p *MySQLProvider) normalizeError(err error, fieldType int) error {\n\tif err == nil {\n\t\treturn nil\n\t}\n\tvar mysqlErr *mysql.MySQLError\n\tif errors.As(err, &mysqlErr) {\n\t\tswitch mysqlErr.Number {\n\t\tcase 1062:\n\t\t\tvar message string\n\t\t\tswitch fieldType {\n\t\t\tcase fieldUsername:\n\t\t\t\tmessage = util.I18nErrorDuplicatedUsername\n\t\t\tcase fieldIPNet:\n\t\t\t\tmessage = util.I18nErrorDuplicatedIPNet\n\t\t\tdefault:\n\t\t\t\tmessage = util.I18nErrorDuplicatedName\n\t\t\t}\n\t\t\treturn util.NewI18nError(\n\t\t\t\tfmt.Errorf(\"%w: %s\", ErrDuplicatedKey, err.Error()),\n\t\t\t\tmessage,\n\t\t\t)\n\t\tcase 1452:\n\t\t\treturn fmt.Errorf(\"%w: %s\", ErrForeignKeyViolated, err.Error())\n\t\t}\n\t}\n\treturn err\n}\n\nfunc updateMySQLDatabaseFromV33(dbHandle *sql.DB) error {\n\treturn updateMySQLDatabaseFrom33To34(dbHandle)\n}\n\nfunc downgradeMySQLDatabaseFromV34(dbHandle *sql.DB) error {\n\treturn downgradeMySQLDatabaseFrom34To33(dbHandle)\n}\n\nfunc updateMySQLDatabaseFrom33To34(dbHandle *sql.DB) error {\n\tlogger.InfoToConsole(\"updating database schema version: 33 -> 34\")\n\tproviderLog(logger.LevelInfo, \"updating database schema version: 33 -> 34\")\n\n\tsql := strings.ReplaceAll(mysqlV34SQL, \"{{prefix}}\", config.SQLTablesPrefix)\n\tsql = strings.ReplaceAll(sql, \"{{shares}}\", sqlTableShares)\n\tsql = strings.ReplaceAll(sql, \"{{shares_groups_mapping}}\", sqlTableSharesGroupsMapping)\n\tsql = strings.ReplaceAll(sql, \"{{groups}}\", sqlTableGroups)\n\treturn sqlCommonExecSQLAndUpdateDBVersion(dbHandle, strings.Split(sql, \";\"), 34, true)\n}\n\nfunc downgradeMySQLDatabaseFrom34To33(dbHandle *sql.DB) error {\n\tlogger.InfoToConsole(\"downgrading database schema version: 34 -> 33\")\n\tproviderLog(logger.LevelInfo, \"downgrading database schema version: 34 -> 33\")\n\n\tsql := strings.ReplaceAll(mysqlV34DownSQL, \"{{shares_groups_mapping}}\", sqlTableSharesGroupsMapping)\n\treturn sqlCommonExecSQLAndUpdateDBVersion(dbHandle, strings.Split(sql, \";\"), 33, false)\n}\n" }, { "path": "internal/dataprovider/mysql_disabled.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build nomysql\n\npackage dataprovider\n\nimport (\n\t\"errors\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n)\n\nfunc init() {\n\tversion.AddFeature(\"-mysql\")\n}\n\nfunc initializeMySQLProvider() error {\n\treturn errors.New(\"MySQL disabled at build time\")\n}\n" }, { "path": "internal/dataprovider/node.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage dataprovider\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"crypto/sha256\"\n\t\"encoding/hex\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"strconv\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/go-jose/go-jose/v4\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/httpclient\"\n\t\"github.com/drakkan/sftpgo/v2/internal/jwt\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\n// Supported protocols for connecting to other nodes\nconst (\n\tNodeProtoHTTP = \"http\"\n\tNodeProtoHTTPS = \"https\"\n)\n\nconst (\n\t// NodeTokenHeader defines the header to use for the node auth token\n\tNodeTokenHeader = \"X-SFTPGO-Node\"\n\tnodeTokenAudience = \"node\"\n)\n\nvar (\n\t// current node\n\tcurrentNode *Node\n\terrNoClusterNodes = errors.New(\"no cluster node defined\")\n\tactiveNodeTimeDiff = -2 * time.Minute\n\tnodeReqTimeout = 8 * time.Second\n)\n\n// NodeConfig defines the node configuration\ntype NodeConfig struct {\n\tHost string `json:\"host\" mapstructure:\"host\"`\n\tPort int `json:\"port\" mapstructure:\"port\"`\n\tProto string `json:\"proto\" mapstructure:\"proto\"`\n}\n\nfunc (n *NodeConfig) validate() error {\n\tcurrentNode = nil\n\tif config.IsShared != 1 {\n\t\treturn nil\n\t}\n\tif n.Host == \"\" {\n\t\treturn nil\n\t}\n\tcurrentNode = &Node{\n\t\tData: NodeData{\n\t\t\tHost: n.Host,\n\t\t\tPort: n.Port,\n\t\t\tProto: n.Proto,\n\t\t},\n\t}\n\treturn provider.addNode()\n}\n\n// NodeData defines the details to connect to a cluster node\ntype NodeData struct {\n\tHost string `json:\"host\"`\n\tPort int `json:\"port\"`\n\tProto string `json:\"proto\"`\n\tKey *kms.Secret `json:\"api_key\"`\n}\n\nfunc (n *NodeData) validate() error {\n\tif n.Host == \"\" {\n\t\treturn util.NewValidationError(\"node host is mandatory\")\n\t}\n\tif n.Port < 0 || n.Port > 65535 {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid node port: %d\", n.Port))\n\t}\n\tif n.Proto != NodeProtoHTTP && n.Proto != NodeProtoHTTPS {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"invalid node proto: %s\", n.Proto))\n\t}\n\tn.Key = kms.NewPlainSecret(util.GenerateOpaqueString())\n\tn.Key.SetAdditionalData(n.Host)\n\tif err := n.Key.Encrypt(); err != nil {\n\t\treturn fmt.Errorf(\"unable to encrypt node key: %w\", err)\n\t}\n\treturn nil\n}\n\nfunc (n *NodeData) getNodeName() string {\n\th := sha256.New()\n\tvar b bytes.Buffer\n\n\tfmt.Fprintf(&b, \"%s:%d\", n.Host, n.Port)\n\th.Write(b.Bytes())\n\treturn hex.EncodeToString(h.Sum(nil))\n}\n\n// Node defines a cluster node\ntype Node struct {\n\tName string `json:\"name\"`\n\tData NodeData `json:\"data\"`\n\tCreatedAt int64 `json:\"created_at\"`\n\tUpdatedAt int64 `json:\"updated_at\"`\n}\n\nfunc (n *Node) validate() error {\n\tif n.Name == \"\" {\n\t\tn.Name = n.Data.getNodeName()\n\t}\n\treturn n.Data.validate()\n}\n\nfunc (n *Node) authenticate(token string) (*jwt.Claims, error) {\n\tif err := n.Data.Key.TryDecrypt(); err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to decrypt node key: %v\", err)\n\t\treturn nil, err\n\t}\n\tif token == \"\" {\n\t\treturn nil, ErrInvalidCredentials\n\t}\n\tclaims, err := jwt.VerifyTokenWithKey(token, []jose.SignatureAlgorithm{jose.HS256}, []byte(n.Data.Key.GetPayload()))\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to parse and validate token: %v\", err)\n\t}\n\tif claims.Username == \"\" {\n\t\treturn nil, errors.New(\"no admin username associated with node token\")\n\t}\n\tif !claims.Audience.Contains(nodeTokenAudience) {\n\t\treturn nil, errors.New(\"invalid node token audience\")\n\t}\n\n\treturn claims, nil\n}\n\n// getBaseURL returns the base URL for this node\nfunc (n *Node) getBaseURL() string {\n\tvar sb strings.Builder\n\tsb.WriteString(n.Data.Proto)\n\tsb.WriteString(\"://\")\n\tsb.WriteString(n.Data.Host)\n\tif n.Data.Port > 0 {\n\t\tsb.WriteString(\":\")\n\t\tsb.WriteString(strconv.Itoa(n.Data.Port))\n\t}\n\treturn sb.String()\n}\n\n// generateAuthToken generates a new auth token\nfunc (n *Node) generateAuthToken(username, role string, permissions []string) (string, error) {\n\tif err := n.Data.Key.TryDecrypt(); err != nil {\n\t\treturn \"\", fmt.Errorf(\"unable to decrypt node key: %w\", err)\n\t}\n\tsigner, err := jwt.NewSigner(jose.HS256, []byte(n.Data.Key.GetPayload()))\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"unable to create signer: %w\", err)\n\t}\n\tclaims := &jwt.Claims{\n\t\tUsername: username,\n\t\tRole: role,\n\t\tPermissions: permissions,\n\t}\n\tclaims.Audience = []string{nodeTokenAudience}\n\tclaims.SetExpiry(time.Now().Add(1 * time.Minute))\n\tpayload, err := signer.Sign(claims)\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"unable to sign authentication token: %w\", err)\n\t}\n\treturn payload, nil\n}\n\nfunc (n *Node) prepareRequest(ctx context.Context, username, role, relativeURL, method string,\n\tpermissions []string, body io.Reader,\n) (*http.Request, error) {\n\turl := fmt.Sprintf(\"%s%s\", n.getBaseURL(), relativeURL)\n\treq, err := http.NewRequestWithContext(ctx, method, url, body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\ttoken, err := n.generateAuthToken(username, role, permissions)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treq.Header.Set(NodeTokenHeader, fmt.Sprintf(\"Bearer %s\", token))\n\treturn req, nil\n}\n\n// SendGetRequest sends an HTTP GET request to this node.\n// The responseHolder must be a pointer\nfunc (n *Node) SendGetRequest(username, role, relativeURL string, permissions []string, responseHolder any) error {\n\tctx, cancel := context.WithTimeout(context.Background(), nodeReqTimeout)\n\tdefer cancel()\n\n\treq, err := n.prepareRequest(ctx, username, role, relativeURL, http.MethodGet, permissions, nil)\n\tif err != nil {\n\t\treturn err\n\t}\n\tclient := httpclient.GetHTTPClient()\n\tdefer client.CloseIdleConnections()\n\n\tresp, err := client.Do(req)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to send HTTP GET to node %s: %w\", n.Name, err)\n\t}\n\tdefer resp.Body.Close()\n\n\tif resp.StatusCode < http.StatusOK || resp.StatusCode > http.StatusNoContent {\n\t\treturn fmt.Errorf(\"unexpected status code: %d\", resp.StatusCode)\n\t}\n\trespBody, err := io.ReadAll(io.LimitReader(resp.Body, 10485760))\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to read response body: %w\", err)\n\t}\n\terr = json.Unmarshal(respBody, responseHolder)\n\tif err != nil {\n\t\treturn errors.New(\"unable to decode response as json\")\n\t}\n\treturn nil\n}\n\n// SendDeleteRequest sends an HTTP DELETE request to this node\nfunc (n *Node) SendDeleteRequest(username, role, relativeURL string, permissions []string) error {\n\tctx, cancel := context.WithTimeout(context.Background(), nodeReqTimeout)\n\tdefer cancel()\n\n\treq, err := n.prepareRequest(ctx, username, role, relativeURL, http.MethodDelete, permissions, nil)\n\tif err != nil {\n\t\treturn err\n\t}\n\tclient := httpclient.GetHTTPClient()\n\tdefer client.CloseIdleConnections()\n\n\tresp, err := client.Do(req)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to send HTTP DELETE to node %s: %w\", n.Name, err)\n\t}\n\tdefer resp.Body.Close()\n\n\tif resp.StatusCode < http.StatusOK || resp.StatusCode > http.StatusNoContent {\n\t\treturn fmt.Errorf(\"unexpected status code: %d\", resp.StatusCode)\n\t}\n\treturn nil\n}\n\n// AuthenticateNodeToken check the validity of the provided token\nfunc AuthenticateNodeToken(token string) (*jwt.Claims, error) {\n\tif currentNode == nil {\n\t\treturn nil, errNoClusterNodes\n\t}\n\treturn currentNode.authenticate(token)\n}\n\n// GetNodeName returns the node name or an empty string\nfunc GetNodeName() string {\n\tif currentNode == nil {\n\t\treturn \"\"\n\t}\n\treturn currentNode.Name\n}\n" }, { "path": "internal/dataprovider/pgsql.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build !nopgsql\n\npackage dataprovider\n\nimport (\n\t\"context\"\n\t\"crypto/x509\"\n\t\"database/sql\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net\"\n\t\"slices\"\n\t\"strconv\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/jackc/pgx/v5\"\n\t\"github.com/jackc/pgx/v5/pgconn\"\n\t\"github.com/jackc/pgx/v5/stdlib\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nconst (\n\tpgsqlResetSQL = `DROP TABLE IF EXISTS \"{{api_keys}}\" CASCADE;\nDROP TABLE IF EXISTS \"{{users_folders_mapping}}\" CASCADE;\nDROP TABLE IF EXISTS \"{{users_groups_mapping}}\" CASCADE;\nDROP TABLE IF EXISTS \"{{admins_groups_mapping}}\" CASCADE;\nDROP TABLE IF EXISTS \"{{groups_folders_mapping}}\" CASCADE;\nDROP TABLE IF EXISTS \"{{shares_groups_mapping}}\" CASCADE;\nDROP TABLE IF EXISTS \"{{admins}}\" CASCADE;\nDROP TABLE IF EXISTS \"{{folders}}\" CASCADE;\nDROP TABLE IF EXISTS \"{{shares}}\" CASCADE;\nDROP TABLE IF EXISTS \"{{users}}\" CASCADE;\nDROP TABLE IF EXISTS \"{{groups}}\" CASCADE;\nDROP TABLE IF EXISTS \"{{defender_events}}\" CASCADE;\nDROP TABLE IF EXISTS \"{{defender_hosts}}\" CASCADE;\nDROP TABLE IF EXISTS \"{{active_transfers}}\" CASCADE;\nDROP TABLE IF EXISTS \"{{shared_sessions}}\" CASCADE;\nDROP TABLE IF EXISTS \"{{rules_actions_mapping}}\" CASCADE;\nDROP TABLE IF EXISTS \"{{events_actions}}\" CASCADE;\nDROP TABLE IF EXISTS \"{{events_rules}}\" CASCADE;\nDROP TABLE IF EXISTS \"{{tasks}}\" CASCADE;\nDROP TABLE IF EXISTS \"{{nodes}}\" CASCADE;\nDROP TABLE IF EXISTS \"{{roles}}\" CASCADE;\nDROP TABLE IF EXISTS \"{{ip_lists}}\" CASCADE;\nDROP TABLE IF EXISTS \"{{configs}}\" CASCADE;\nDROP TABLE IF EXISTS \"{{schema_version}}\" CASCADE;\n`\n\tpgsqlInitial = `CREATE TABLE \"{{schema_version}}\" (\"id\" integer NOT NULL PRIMARY KEY GENERATED ALWAYS AS IDENTITY, \"version\" integer NOT NULL);\nCREATE TABLE \"{{admins}}\" (\"id\" integer NOT NULL PRIMARY KEY GENERATED ALWAYS AS IDENTITY, \"username\" varchar(255) NOT NULL UNIQUE,\n\"description\" varchar(512) NULL, \"password\" varchar(255) NOT NULL, \"email\" varchar(255) NULL, \"status\" integer NOT NULL,\n\"permissions\" text NOT NULL, \"filters\" text NULL, \"additional_info\" text NULL, \"last_login\" bigint NOT NULL,\n\"role_id\" integer NULL, \"created_at\" bigint NOT NULL, \"updated_at\" bigint NOT NULL);\nCREATE TABLE \"{{active_transfers}}\" (\"id\" bigint NOT NULL PRIMARY KEY GENERATED ALWAYS AS IDENTITY, \"connection_id\" varchar(100) NOT NULL,\n\"transfer_id\" bigint NOT NULL, \"transfer_type\" integer NOT NULL, \"username\" varchar(255) NOT NULL,\n\"folder_name\" varchar(255) NULL, \"ip\" varchar(50) NOT NULL, \"truncated_size\" bigint NOT NULL,\n\"current_ul_size\" bigint NOT NULL, \"current_dl_size\" bigint NOT NULL, \"created_at\" bigint NOT NULL,\n\"updated_at\" bigint NOT NULL);\nCREATE TABLE \"{{defender_hosts}}\" (\"id\" bigint NOT NULL PRIMARY KEY GENERATED ALWAYS AS IDENTITY, \"ip\" varchar(50) NOT NULL UNIQUE,\n\"ban_time\" bigint NOT NULL, \"updated_at\" bigint NOT NULL);\nCREATE TABLE \"{{defender_events}}\" (\"id\" bigint NOT NULL PRIMARY KEY GENERATED ALWAYS AS IDENTITY, \"date_time\" bigint NOT NULL, \"score\" integer NOT NULL,\n\"host_id\" bigint NOT NULL);\nALTER TABLE \"{{defender_events}}\" ADD CONSTRAINT \"{{prefix}}defender_events_host_id_fk_defender_hosts_id\" FOREIGN KEY\n(\"host_id\") REFERENCES \"{{defender_hosts}}\" (\"id\") MATCH SIMPLE ON UPDATE NO ACTION ON DELETE CASCADE;\nCREATE TABLE \"{{folders}}\" (\"id\" integer NOT NULL PRIMARY KEY GENERATED ALWAYS AS IDENTITY, \"name\" varchar(255) NOT NULL UNIQUE, \"description\" varchar(512) NULL,\n\"path\" text NULL, \"used_quota_size\" bigint NOT NULL, \"used_quota_files\" integer NOT NULL, \"last_quota_update\" bigint NOT NULL,\n\"filesystem\" text NULL);\nCREATE TABLE \"{{groups}}\" (\"id\" integer NOT NULL PRIMARY KEY GENERATED ALWAYS AS IDENTITY, \"name\" varchar(255) NOT NULL UNIQUE,\n\"description\" varchar(512) NULL, \"created_at\" bigint NOT NULL, \"updated_at\" bigint NOT NULL, \"user_settings\" text NULL);\nCREATE TABLE \"{{shared_sessions}}\" (\"key\" varchar(128) NOT NULL, \"type\" integer NOT NULL,\n\"data\" text NOT NULL, \"timestamp\" bigint NOT NULL, PRIMARY KEY (\"key\", \"type\"));\nCREATE TABLE \"{{users}}\" (\"id\" integer NOT NULL PRIMARY KEY GENERATED ALWAYS AS IDENTITY, \"username\" varchar(255) NOT NULL UNIQUE, \"status\" integer NOT NULL,\n\"expiration_date\" bigint NOT NULL, \"description\" varchar(512) NULL, \"password\" text NULL, \"public_keys\" text NULL,\n\"home_dir\" text NOT NULL, \"uid\" bigint NOT NULL, \"gid\" bigint NOT NULL, \"max_sessions\" integer NOT NULL,\n\"quota_size\" bigint NOT NULL, \"quota_files\" integer NOT NULL, \"permissions\" text NOT NULL, \"used_quota_size\" bigint NOT NULL,\n\"used_quota_files\" integer NOT NULL, \"last_quota_update\" bigint NOT NULL, \"upload_bandwidth\" integer NOT NULL,\n\"download_bandwidth\" integer NOT NULL, \"last_login\" bigint NOT NULL, \"filters\" text NULL, \"filesystem\" text NULL,\n\"additional_info\" text NULL, \"created_at\" bigint NOT NULL, \"updated_at\" bigint NOT NULL, \"email\" varchar(255) NULL,\n\"upload_data_transfer\" integer NOT NULL, \"download_data_transfer\" integer NOT NULL, \"total_data_transfer\" integer NOT NULL,\n\"used_upload_data_transfer\" bigint NOT NULL, \"used_download_data_transfer\" bigint NOT NULL, \"deleted_at\" bigint NOT NULL,\n\"first_download\" bigint NOT NULL, \"first_upload\" bigint NOT NULL, \"last_password_change\" bigint NOT NULL, \"role_id\" integer NULL);\nCREATE TABLE \"{{groups_folders_mapping}}\" (\"id\" integer NOT NULL PRIMARY KEY GENERATED ALWAYS AS IDENTITY, \"group_id\" integer NOT NULL,\n\"folder_id\" integer NOT NULL, \"virtual_path\" text NOT NULL, \"quota_size\" bigint NOT NULL, \"quota_files\" integer NOT NULL, \"sort_order\" integer NOT NULL);\nCREATE TABLE \"{{users_groups_mapping}}\" (\"id\" integer NOT NULL PRIMARY KEY GENERATED ALWAYS AS IDENTITY, \"user_id\" integer NOT NULL,\n\"group_id\" integer NOT NULL, \"group_type\" integer NOT NULL, \"sort_order\" integer NOT NULL);\nCREATE TABLE \"{{users_folders_mapping}}\" (\"id\" integer NOT NULL PRIMARY KEY GENERATED ALWAYS AS IDENTITY, \"virtual_path\" text NOT NULL,\n\"quota_size\" bigint NOT NULL, \"quota_files\" integer NOT NULL, \"sort_order\" integer NOT NULL, \"folder_id\" integer NOT NULL, \"user_id\" integer NOT NULL);\nALTER TABLE \"{{users_folders_mapping}}\" ADD CONSTRAINT \"{{prefix}}unique_user_folder_mapping\" UNIQUE (\"user_id\", \"folder_id\");\nALTER TABLE \"{{users_folders_mapping}}\" ADD CONSTRAINT \"{{prefix}}users_folders_mapping_folder_id_fk_folders_id\"\nFOREIGN KEY (\"folder_id\") REFERENCES \"{{folders}}\" (\"id\") MATCH SIMPLE ON UPDATE NO ACTION ON DELETE CASCADE;\nALTER TABLE \"{{users_folders_mapping}}\" ADD CONSTRAINT \"{{prefix}}users_folders_mapping_user_id_fk_users_id\"\nFOREIGN KEY (\"user_id\") REFERENCES \"{{users}}\" (\"id\") MATCH SIMPLE ON UPDATE NO ACTION ON DELETE CASCADE;\nCREATE TABLE \"{{shares}}\" (\"id\" integer NOT NULL PRIMARY KEY GENERATED ALWAYS AS IDENTITY,\n\"share_id\" varchar(60) NOT NULL UNIQUE, \"name\" varchar(255) NOT NULL, \"description\" varchar(512) NULL,\n\"scope\" integer NOT NULL, \"paths\" text NOT NULL, \"created_at\" bigint NOT NULL, \"updated_at\" bigint NOT NULL,\n\"last_use_at\" bigint NOT NULL, \"expires_at\" bigint NOT NULL, \"password\" text NULL,\n\"max_tokens\" integer NOT NULL, \"used_tokens\" integer NOT NULL, \"allow_from\" text NULL, \"options\" text NULL,\n\"user_id\" integer NOT NULL);\nALTER TABLE \"{{shares}}\" ADD CONSTRAINT \"{{prefix}}shares_user_id_fk_users_id\" FOREIGN KEY (\"user_id\")\nREFERENCES \"{{users}}\" (\"id\") MATCH SIMPLE ON UPDATE NO ACTION ON DELETE CASCADE;\nCREATE TABLE \"{{api_keys}}\" (\"id\" integer NOT NULL PRIMARY KEY GENERATED ALWAYS AS IDENTITY, \"name\" varchar(255) NOT NULL,\n\"key_id\" varchar(50) NOT NULL UNIQUE, \"api_key\" varchar(255) NOT NULL UNIQUE, \"scope\" integer NOT NULL,\n\"created_at\" bigint NOT NULL, \"updated_at\" bigint NOT NULL, \"last_use_at\" bigint NOT NULL,\"expires_at\" bigint NOT NULL,\n\"description\" text NULL, \"admin_id\" integer NULL, \"user_id\" integer NULL);\nALTER TABLE \"{{api_keys}}\" ADD CONSTRAINT \"{{prefix}}api_keys_admin_id_fk_admins_id\" FOREIGN KEY (\"admin_id\")\nREFERENCES \"{{admins}}\" (\"id\") MATCH SIMPLE ON UPDATE NO ACTION ON DELETE CASCADE;\nALTER TABLE \"{{api_keys}}\" ADD CONSTRAINT \"{{prefix}}api_keys_user_id_fk_users_id\" FOREIGN KEY (\"user_id\")\nREFERENCES \"{{users}}\" (\"id\") MATCH SIMPLE ON UPDATE NO ACTION ON DELETE CASCADE;\nALTER TABLE \"{{users_groups_mapping}}\" ADD CONSTRAINT \"{{prefix}}unique_user_group_mapping\" UNIQUE (\"user_id\", \"group_id\");\nALTER TABLE \"{{groups_folders_mapping}}\" ADD CONSTRAINT \"{{prefix}}unique_group_folder_mapping\" UNIQUE (\"group_id\", \"folder_id\");\nCREATE INDEX \"{{prefix}}users_groups_mapping_group_id_idx\" ON \"{{users_groups_mapping}}\" (\"group_id\");\nALTER TABLE \"{{users_groups_mapping}}\" ADD CONSTRAINT \"{{prefix}}users_groups_mapping_group_id_fk_groups_id\"\nFOREIGN KEY (\"group_id\") REFERENCES \"{{groups}}\" (\"id\") MATCH SIMPLE ON UPDATE NO ACTION ON DELETE NO ACTION;\nCREATE INDEX \"{{prefix}}users_groups_mapping_user_id_idx\" ON \"{{users_groups_mapping}}\" (\"user_id\");\nALTER TABLE \"{{users_groups_mapping}}\" ADD CONSTRAINT \"{{prefix}}users_groups_mapping_user_id_fk_users_id\"\nFOREIGN KEY (\"user_id\") REFERENCES \"{{users}}\" (\"id\") MATCH SIMPLE ON UPDATE NO ACTION ON DELETE CASCADE;\nCREATE INDEX \"{{prefix}}users_groups_mapping_sort_order_idx\" ON \"{{users_groups_mapping}}\" (\"sort_order\");\nCREATE INDEX \"{{prefix}}groups_folders_mapping_folder_id_idx\" ON \"{{groups_folders_mapping}}\" (\"folder_id\");\nALTER TABLE \"{{groups_folders_mapping}}\" ADD CONSTRAINT \"{{prefix}}groups_folders_mapping_folder_id_fk_folders_id\"\nFOREIGN KEY (\"folder_id\") REFERENCES \"{{folders}}\" (\"id\") MATCH SIMPLE ON UPDATE NO ACTION ON DELETE CASCADE;\nCREATE INDEX \"{{prefix}}groups_folders_mapping_group_id_idx\" ON \"{{groups_folders_mapping}}\" (\"group_id\");\nALTER TABLE \"{{groups_folders_mapping}}\" ADD CONSTRAINT \"{{prefix}}groups_folders_mapping_group_id_fk_groups_id\"\nFOREIGN KEY (\"group_id\") REFERENCES \"{{groups}}\" (\"id\") MATCH SIMPLE ON UPDATE NO ACTION ON DELETE CASCADE;\nCREATE INDEX \"{{prefix}}groups_folders_mapping_sort_order_idx\" ON \"{{groups_folders_mapping}}\" (\"sort_order\");\nCREATE TABLE \"{{events_rules}}\" (\"id\" integer NOT NULL PRIMARY KEY GENERATED ALWAYS AS IDENTITY, \"name\" varchar(255) NOT NULL UNIQUE,\n\"status\" integer NOT NULL, \"description\" varchar(512) NULL, \"created_at\" bigint NOT NULL, \"updated_at\" bigint NOT NULL,\n\"trigger\" integer NOT NULL, \"conditions\" text NOT NULL, \"deleted_at\" bigint NOT NULL);\nCREATE TABLE \"{{events_actions}}\" (\"id\" integer NOT NULL PRIMARY KEY GENERATED ALWAYS AS IDENTITY, \"name\" varchar(255) NOT NULL UNIQUE,\n\"description\" varchar(512) NULL, \"type\" integer NOT NULL, \"options\" text NOT NULL);\nCREATE TABLE \"{{rules_actions_mapping}}\" (\"id\" integer NOT NULL PRIMARY KEY GENERATED ALWAYS AS IDENTITY, \"rule_id\" integer NOT NULL,\n\"action_id\" integer NOT NULL, \"order\" integer NOT NULL, \"options\" text NOT NULL);\nCREATE TABLE \"{{tasks}}\" (\"id\" integer NOT NULL PRIMARY KEY GENERATED ALWAYS AS IDENTITY, \"name\" varchar(255) NOT NULL UNIQUE, \"updated_at\" bigint NOT NULL,\n\"version\" bigint NOT NULL);\nALTER TABLE \"{{rules_actions_mapping}}\" ADD CONSTRAINT \"{{prefix}}unique_rule_action_mapping\" UNIQUE (\"rule_id\", \"action_id\");\nALTER TABLE \"{{rules_actions_mapping}}\" ADD CONSTRAINT \"{{prefix}}rules_actions_mapping_rule_id_fk_events_rules_id\"\nFOREIGN KEY (\"rule_id\") REFERENCES \"{{events_rules}}\" (\"id\") MATCH SIMPLE ON UPDATE NO ACTION ON DELETE CASCADE;\nALTER TABLE \"{{rules_actions_mapping}}\" ADD CONSTRAINT \"{{prefix}}rules_actions_mapping_action_id_fk_events_targets_id\"\nFOREIGN KEY (\"action_id\") REFERENCES \"{{events_actions}}\" (\"id\") MATCH SIMPLE ON UPDATE NO ACTION ON DELETE NO ACTION;\nCREATE TABLE \"{{admins_groups_mapping}}\" (\"id\" integer NOT NULL PRIMARY KEY GENERATED ALWAYS AS IDENTITY,\n\"admin_id\" integer NOT NULL, \"group_id\" integer NOT NULL, \"options\" text NOT NULL, \"sort_order\" integer NOT NULL);\nALTER TABLE \"{{admins_groups_mapping}}\" ADD CONSTRAINT \"{{prefix}}unique_admin_group_mapping\" UNIQUE (\"admin_id\", \"group_id\");\nALTER TABLE \"{{admins_groups_mapping}}\" ADD CONSTRAINT \"{{prefix}}admins_groups_mapping_admin_id_fk_admins_id\"\nFOREIGN KEY (\"admin_id\") REFERENCES \"{{admins}}\" (\"id\") MATCH SIMPLE ON UPDATE NO ACTION ON DELETE CASCADE;\nALTER TABLE \"{{admins_groups_mapping}}\" ADD CONSTRAINT \"{{prefix}}admins_groups_mapping_group_id_fk_groups_id\"\nFOREIGN KEY (\"group_id\") REFERENCES \"{{groups}}\" (\"id\") MATCH SIMPLE ON UPDATE NO ACTION ON DELETE CASCADE;\nCREATE TABLE \"{{nodes}}\" (\"id\" integer NOT NULL PRIMARY KEY GENERATED ALWAYS AS IDENTITY, \"name\" varchar(255) NOT NULL UNIQUE,\n\"data\" text NOT NULL, \"created_at\" bigint NOT NULL, \"updated_at\" bigint NOT NULL);\nCREATE TABLE \"{{roles}}\" (\"id\" integer NOT NULL PRIMARY KEY GENERATED ALWAYS AS IDENTITY, \"name\" varchar(255) NOT NULL UNIQUE,\n\"description\" varchar(512) NULL, \"created_at\" bigint NOT NULL, \"updated_at\" bigint NOT NULL);\nALTER TABLE \"{{admins}}\" ADD CONSTRAINT \"{{prefix}}admins_role_id_fk_roles_id\" FOREIGN KEY (\"role_id\")\nREFERENCES \"{{roles}}\" (\"id\") ON DELETE NO ACTION;\nALTER TABLE \"{{users}}\" ADD CONSTRAINT \"{{prefix}}users_role_id_fk_roles_id\" FOREIGN KEY (\"role_id\")\nREFERENCES \"{{roles}}\" (\"id\") ON DELETE SET NULL;\nCREATE TABLE \"{{ip_lists}}\" (\"id\" bigint NOT NULL PRIMARY KEY GENERATED ALWAYS AS IDENTITY, \"type\" integer NOT NULL,\n\"ipornet\" varchar(50) NOT NULL, \"mode\" integer NOT NULL, \"description\" varchar(512) NULL, \"first\" inet NOT NULL,\n\"last\" inet NOT NULL, \"ip_type\" integer NOT NULL, \"protocols\" integer NOT NULL, \"created_at\" bigint NOT NULL,\n\"updated_at\" bigint NOT NULL, \"deleted_at\" bigint NOT NULL);\nALTER TABLE \"{{ip_lists}}\" ADD CONSTRAINT \"{{prefix}}unique_ipornet_type_mapping\" UNIQUE (\"type\", \"ipornet\");\nCREATE TABLE \"{{configs}}\" (\"id\" integer NOT NULL PRIMARY KEY GENERATED ALWAYS AS IDENTITY, \"configs\" text NOT NULL);\nINSERT INTO {{configs}} (configs) VALUES ('{}');\nCREATE INDEX \"{{prefix}}users_folders_mapping_folder_id_idx\" ON \"{{users_folders_mapping}}\" (\"folder_id\");\nCREATE INDEX \"{{prefix}}users_folders_mapping_user_id_idx\" ON \"{{users_folders_mapping}}\" (\"user_id\");\nCREATE INDEX \"{{prefix}}users_folders_mapping_sort_order_idx\" ON \"{{users_folders_mapping}}\" (\"sort_order\");\nCREATE INDEX \"{{prefix}}api_keys_admin_id_idx\" ON \"{{api_keys}}\" (\"admin_id\");\nCREATE INDEX \"{{prefix}}api_keys_user_id_idx\" ON \"{{api_keys}}\" (\"user_id\");\nCREATE INDEX \"{{prefix}}users_updated_at_idx\" ON \"{{users}}\" (\"updated_at\");\nCREATE INDEX \"{{prefix}}users_deleted_at_idx\" ON \"{{users}}\" (\"deleted_at\");\nCREATE INDEX \"{{prefix}}shares_user_id_idx\" ON \"{{shares}}\" (\"user_id\");\nCREATE INDEX \"{{prefix}}defender_hosts_updated_at_idx\" ON \"{{defender_hosts}}\" (\"updated_at\");\nCREATE INDEX \"{{prefix}}defender_hosts_ban_time_idx\" ON \"{{defender_hosts}}\" (\"ban_time\");\nCREATE INDEX \"{{prefix}}defender_events_date_time_idx\" ON \"{{defender_events}}\" (\"date_time\");\nCREATE INDEX \"{{prefix}}defender_events_host_id_idx\" ON \"{{defender_events}}\" (\"host_id\");\nCREATE INDEX \"{{prefix}}active_transfers_connection_id_idx\" ON \"{{active_transfers}}\" (\"connection_id\");\nCREATE INDEX \"{{prefix}}active_transfers_transfer_id_idx\" ON \"{{active_transfers}}\" (\"transfer_id\");\nCREATE INDEX \"{{prefix}}active_transfers_updated_at_idx\" ON \"{{active_transfers}}\" (\"updated_at\");\nCREATE INDEX \"{{prefix}}shared_sessions_type_idx\" ON \"{{shared_sessions}}\" (\"type\");\nCREATE INDEX \"{{prefix}}shared_sessions_timestamp_idx\" ON \"{{shared_sessions}}\" (\"timestamp\");\nCREATE INDEX \"{{prefix}}events_rules_updated_at_idx\" ON \"{{events_rules}}\" (\"updated_at\");\nCREATE INDEX \"{{prefix}}events_rules_deleted_at_idx\" ON \"{{events_rules}}\" (\"deleted_at\");\nCREATE INDEX \"{{prefix}}events_rules_trigger_idx\" ON \"{{events_rules}}\" (\"trigger\");\nCREATE INDEX \"{{prefix}}rules_actions_mapping_rule_id_idx\" ON \"{{rules_actions_mapping}}\" (\"rule_id\");\nCREATE INDEX \"{{prefix}}rules_actions_mapping_action_id_idx\" ON \"{{rules_actions_mapping}}\" (\"action_id\");\nCREATE INDEX \"{{prefix}}rules_actions_mapping_order_idx\" ON \"{{rules_actions_mapping}}\" (\"order\");\nCREATE INDEX \"{{prefix}}admins_groups_mapping_admin_id_idx\" ON \"{{admins_groups_mapping}}\" (\"admin_id\");\nCREATE INDEX \"{{prefix}}admins_groups_mapping_group_id_idx\" ON \"{{admins_groups_mapping}}\" (\"group_id\");\nCREATE INDEX \"{{prefix}}admins_groups_mapping_sort_order_idx\" ON \"{{admins_groups_mapping}}\" (\"sort_order\");\nCREATE INDEX \"{{prefix}}admins_role_id_idx\" ON \"{{admins}}\" (\"role_id\");\nCREATE INDEX \"{{prefix}}users_role_id_idx\" ON \"{{users}}\" (\"role_id\");\nCREATE INDEX \"{{prefix}}ip_lists_type_idx\" ON \"{{ip_lists}}\" (\"type\");\nCREATE INDEX \"{{prefix}}ip_lists_ipornet_idx\" ON \"{{ip_lists}}\" (\"ipornet\");\nCREATE INDEX \"{{prefix}}ip_lists_updated_at_idx\" ON \"{{ip_lists}}\" (\"updated_at\");\nCREATE INDEX \"{{prefix}}ip_lists_deleted_at_idx\" ON \"{{ip_lists}}\" (\"deleted_at\");\nCREATE INDEX \"{{prefix}}ip_lists_first_last_idx\" ON \"{{ip_lists}}\" (\"first\", \"last\");\nINSERT INTO {{schema_version}} (version) VALUES (33);\n`\n\t// not supported in CockroachDB\n\tipListsLikeIndex = `CREATE INDEX \"{{prefix}}ip_lists_ipornet_like_idx\" ON \"{{ip_lists}}\" (\"ipornet\" varchar_pattern_ops);`\n\tpgsqlV34SQL = `CREATE TABLE \"{{shares_groups_mapping}}\" (\n\"id\" integer NOT NULL PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY,\n\"share_id\" integer NOT NULL,\n\"group_id\" integer NOT NULL,\n\"permissions\" integer NOT NULL,\n\"sort_order\" integer NOT NULL,\nCONSTRAINT \"{{prefix}}unique_share_group_mapping\" UNIQUE (\"share_id\", \"group_id\"),\nCONSTRAINT \"{{prefix}}shares_groups_mapping_share_id_fk\" FOREIGN KEY (\"share_id\") REFERENCES \"{{shares}}\"(\"id\") ON DELETE CASCADE,\nCONSTRAINT \"{{prefix}}shares_groups_mapping_group_id_fk\" FOREIGN KEY (\"group_id\") REFERENCES \"{{groups}}\"(\"id\") ON DELETE CASCADE);\nCREATE INDEX \"{{prefix}}shares_groups_mapping_sort_order_idx\" ON \"{{shares_groups_mapping}}\" (\"sort_order\");\nCREATE INDEX \"{{prefix}}shares_groups_mapping_share_id_idx\" ON \"{{shares_groups_mapping}}\" (\"share_id\");\nCREATE INDEX \"{{prefix}}shares_groups_mapping_group_id_idx\" ON \"{{shares_groups_mapping}}\" (\"group_id\");\n`\n\tpgsqlV34DownSQL = `DROP TABLE IF EXISTS \"{{shares_groups_mapping}}\";`\n)\n\nvar (\n\tpgSQLTargetSessionAttrs = []string{\"any\", \"read-write\", \"read-only\", \"primary\", \"standby\", \"prefer-standby\"}\n)\n\n// PGSQLProvider defines the auth provider for PostgreSQL database\ntype PGSQLProvider struct {\n\tdbHandle *sql.DB\n}\n\nfunc init() {\n\tversion.AddFeature(\"+pgsql\")\n}\n\nfunc initializePGSQLProvider() error {\n\tvar dbHandle *sql.DB\n\tif config.TargetSessionAttrs == \"any\" {\n\t\tpgxConfig, err := pgx.ParseConfig(getPGSQLConnectionString(false))\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelError, \"error parsing postgres configuration, connection string: %q, error: %v\",\n\t\t\t\tgetPGSQLConnectionString(true), err)\n\t\t\treturn err\n\t\t}\n\t\tdbHandle = stdlib.OpenDB(*pgxConfig, stdlib.OptionBeforeConnect(stdlib.RandomizeHostOrderFunc))\n\t} else {\n\t\tvar err error\n\t\tdbHandle, err = sql.Open(\"pgx\", getPGSQLConnectionString(false))\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelError, \"error creating postgres database handler, connection string: %q, error: %v\",\n\t\t\t\tgetPGSQLConnectionString(true), err)\n\t\t\treturn err\n\t\t}\n\t}\n\tproviderLog(logger.LevelDebug, \"postgres database handle created, connection string: %q, pool size: %d\",\n\t\tgetPGSQLConnectionString(true), config.PoolSize)\n\tdbHandle.SetMaxOpenConns(config.PoolSize)\n\tif config.PoolSize > 0 {\n\t\tdbHandle.SetMaxIdleConns(config.PoolSize)\n\t} else {\n\t\tdbHandle.SetMaxIdleConns(2)\n\t}\n\tdbHandle.SetConnMaxLifetime(240 * time.Second)\n\tdbHandle.SetConnMaxIdleTime(120 * time.Second)\n\tprovider = &PGSQLProvider{dbHandle: dbHandle}\n\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\treturn dbHandle.PingContext(ctx)\n}\n\nfunc getPGSQLHostsAndPorts(configHost string, configPort int) (string, string) {\n\tvar hosts, ports []string\n\tdefaultPort := strconv.Itoa(configPort)\n\tif defaultPort == \"0\" {\n\t\tdefaultPort = \"5432\"\n\t}\n\n\tfor hostport := range strings.SplitSeq(configHost, \",\") {\n\t\thostport = strings.TrimSpace(hostport)\n\t\tif hostport == \"\" {\n\t\t\tcontinue\n\t\t}\n\t\thost, port, err := net.SplitHostPort(hostport)\n\t\tif err == nil {\n\t\t\thosts = append(hosts, host)\n\t\t\tports = append(ports, port)\n\t\t} else {\n\t\t\thosts = append(hosts, hostport)\n\t\t\tports = append(ports, defaultPort)\n\t\t}\n\t}\n\n\treturn strings.Join(hosts, \",\"), strings.Join(ports, \",\")\n}\n\nfunc getPGSQLConnectionString(redactedPwd bool) string {\n\tvar connectionString string\n\tif config.ConnectionString == \"\" {\n\t\tpassword := config.Password\n\t\tif redactedPwd && password != \"\" {\n\t\t\tpassword = \"[redacted]\"\n\t\t}\n\t\thost, port := getPGSQLHostsAndPorts(config.Host, config.Port)\n\t\tconnectionString = fmt.Sprintf(\"host='%s' port='%s' dbname='%s' user='%s' password='%s' sslmode=%s connect_timeout=10\",\n\t\t\thost, port, config.Name, config.Username, password, getSSLMode())\n\t\tif config.RootCert != \"\" {\n\t\t\tconnectionString += fmt.Sprintf(\" sslrootcert='%s'\", config.RootCert)\n\t\t}\n\t\tif config.ClientCert != \"\" && config.ClientKey != \"\" {\n\t\t\tconnectionString += fmt.Sprintf(\" sslcert='%s' sslkey='%s'\", config.ClientCert, config.ClientKey)\n\t\t}\n\t\tif config.DisableSNI {\n\t\t\tconnectionString += \" sslsni=0\"\n\t\t}\n\t\tif slices.Contains(pgSQLTargetSessionAttrs, config.TargetSessionAttrs) {\n\t\t\tconnectionString += fmt.Sprintf(\" target_session_attrs='%s'\", config.TargetSessionAttrs)\n\t\t}\n\t} else {\n\t\tconnectionString = config.ConnectionString\n\t}\n\treturn connectionString\n}\n\nfunc (p *PGSQLProvider) checkAvailability() error {\n\treturn sqlCommonCheckAvailability(p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) validateUserAndPass(username, password, ip, protocol string) (User, error) {\n\treturn sqlCommonValidateUserAndPass(username, password, ip, protocol, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) validateUserAndTLSCert(username, protocol string, tlsCert *x509.Certificate) (User, error) {\n\treturn sqlCommonValidateUserAndTLSCertificate(username, protocol, tlsCert, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) validateUserAndPubKey(username string, publicKey []byte, isSSHCert bool) (User, string, error) {\n\treturn sqlCommonValidateUserAndPubKey(username, publicKey, isSSHCert, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) updateTransferQuota(username string, uploadSize, downloadSize int64, reset bool) error {\n\treturn sqlCommonUpdateTransferQuota(username, uploadSize, downloadSize, reset, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) updateQuota(username string, filesAdd int, sizeAdd int64, reset bool) error {\n\treturn sqlCommonUpdateQuota(username, filesAdd, sizeAdd, reset, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getUsedQuota(username string) (int, int64, int64, int64, error) {\n\treturn sqlCommonGetUsedQuota(username, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getAdminSignature(username string) (string, error) {\n\treturn sqlCommonGetAdminSignature(username, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getUserSignature(username string) (string, error) {\n\treturn sqlCommonGetUserSignature(username, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) setUpdatedAt(username string) {\n\tsqlCommonSetUpdatedAt(username, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) updateLastLogin(username string) error {\n\treturn sqlCommonUpdateLastLogin(username, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) updateAdminLastLogin(username string) error {\n\treturn sqlCommonUpdateAdminLastLogin(username, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) userExists(username, role string) (User, error) {\n\treturn sqlCommonGetUserByUsername(username, role, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) addUser(user *User) error {\n\treturn p.normalizeError(sqlCommonAddUser(user, p.dbHandle), fieldUsername)\n}\n\nfunc (p *PGSQLProvider) updateUser(user *User) error {\n\treturn p.normalizeError(sqlCommonUpdateUser(user, p.dbHandle), -1)\n}\n\nfunc (p *PGSQLProvider) deleteUser(user User, softDelete bool) error {\n\treturn sqlCommonDeleteUser(user, softDelete, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) updateUserPassword(username, password string) error {\n\treturn sqlCommonUpdateUserPassword(username, password, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) dumpUsers() ([]User, error) {\n\treturn sqlCommonDumpUsers(p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getRecentlyUpdatedUsers(after int64) ([]User, error) {\n\treturn sqlCommonGetRecentlyUpdatedUsers(after, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getUsers(limit int, offset int, order, role string) ([]User, error) {\n\treturn sqlCommonGetUsers(limit, offset, order, role, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getUsersForQuotaCheck(toFetch map[string]bool) ([]User, error) {\n\treturn sqlCommonGetUsersForQuotaCheck(toFetch, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) dumpFolders() ([]vfs.BaseVirtualFolder, error) {\n\treturn sqlCommonDumpFolders(p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getFolders(limit, offset int, order string, minimal bool) ([]vfs.BaseVirtualFolder, error) {\n\treturn sqlCommonGetFolders(limit, offset, order, minimal, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getFolderByName(name string) (vfs.BaseVirtualFolder, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\treturn sqlCommonGetFolderByName(ctx, name, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) addFolder(folder *vfs.BaseVirtualFolder) error {\n\treturn p.normalizeError(sqlCommonAddFolder(folder, p.dbHandle), fieldName)\n}\n\nfunc (p *PGSQLProvider) updateFolder(folder *vfs.BaseVirtualFolder) error {\n\treturn sqlCommonUpdateFolder(folder, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) deleteFolder(folder vfs.BaseVirtualFolder) error {\n\treturn sqlCommonDeleteFolder(folder, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) updateFolderQuota(name string, filesAdd int, sizeAdd int64, reset bool) error {\n\treturn sqlCommonUpdateFolderQuota(name, filesAdd, sizeAdd, reset, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getUsedFolderQuota(name string) (int, int64, error) {\n\treturn sqlCommonGetFolderUsedQuota(name, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getGroups(limit, offset int, order string, minimal bool) ([]Group, error) {\n\treturn sqlCommonGetGroups(limit, offset, order, minimal, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getGroupsWithNames(names []string) ([]Group, error) {\n\treturn sqlCommonGetGroupsWithNames(names, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getUsersInGroups(names []string) ([]string, error) {\n\treturn sqlCommonGetUsersInGroups(names, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) groupExists(name string) (Group, error) {\n\treturn sqlCommonGetGroupByName(name, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) addGroup(group *Group) error {\n\treturn p.normalizeError(sqlCommonAddGroup(group, p.dbHandle), fieldName)\n}\n\nfunc (p *PGSQLProvider) updateGroup(group *Group) error {\n\treturn sqlCommonUpdateGroup(group, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) deleteGroup(group Group) error {\n\treturn sqlCommonDeleteGroup(group, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) dumpGroups() ([]Group, error) {\n\treturn sqlCommonDumpGroups(p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) adminExists(username string) (Admin, error) {\n\treturn sqlCommonGetAdminByUsername(username, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) addAdmin(admin *Admin) error {\n\treturn p.normalizeError(sqlCommonAddAdmin(admin, p.dbHandle), fieldUsername)\n}\n\nfunc (p *PGSQLProvider) updateAdmin(admin *Admin) error {\n\treturn p.normalizeError(sqlCommonUpdateAdmin(admin, p.dbHandle), -1)\n}\n\nfunc (p *PGSQLProvider) deleteAdmin(admin Admin) error {\n\treturn sqlCommonDeleteAdmin(admin, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getAdmins(limit int, offset int, order string) ([]Admin, error) {\n\treturn sqlCommonGetAdmins(limit, offset, order, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) dumpAdmins() ([]Admin, error) {\n\treturn sqlCommonDumpAdmins(p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) validateAdminAndPass(username, password, ip string) (Admin, error) {\n\treturn sqlCommonValidateAdminAndPass(username, password, ip, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) apiKeyExists(keyID string) (APIKey, error) {\n\treturn sqlCommonGetAPIKeyByID(keyID, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) addAPIKey(apiKey *APIKey) error {\n\treturn p.normalizeError(sqlCommonAddAPIKey(apiKey, p.dbHandle), -1)\n}\n\nfunc (p *PGSQLProvider) updateAPIKey(apiKey *APIKey) error {\n\treturn p.normalizeError(sqlCommonUpdateAPIKey(apiKey, p.dbHandle), -1)\n}\n\nfunc (p *PGSQLProvider) deleteAPIKey(apiKey APIKey) error {\n\treturn sqlCommonDeleteAPIKey(apiKey, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getAPIKeys(limit int, offset int, order string) ([]APIKey, error) {\n\treturn sqlCommonGetAPIKeys(limit, offset, order, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) dumpAPIKeys() ([]APIKey, error) {\n\treturn sqlCommonDumpAPIKeys(p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) updateAPIKeyLastUse(keyID string) error {\n\treturn sqlCommonUpdateAPIKeyLastUse(keyID, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) shareExists(shareID, username string) (Share, error) {\n\treturn sqlCommonGetShareByID(shareID, username, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) addShare(share *Share) error {\n\treturn p.normalizeError(sqlCommonAddShare(share, p.dbHandle), fieldName)\n}\n\nfunc (p *PGSQLProvider) updateShare(share *Share) error {\n\treturn p.normalizeError(sqlCommonUpdateShare(share, p.dbHandle), -1)\n}\n\nfunc (p *PGSQLProvider) deleteShare(share Share) error {\n\treturn sqlCommonDeleteShare(share, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getShares(limit int, offset int, order, username string) ([]Share, error) {\n\treturn sqlCommonGetShares(limit, offset, order, username, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) dumpShares() ([]Share, error) {\n\treturn sqlCommonDumpShares(p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) updateShareLastUse(shareID string, numTokens int) error {\n\treturn sqlCommonUpdateShareLastUse(shareID, numTokens, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getDefenderHosts(from int64, limit int) ([]DefenderEntry, error) {\n\treturn sqlCommonGetDefenderHosts(from, limit, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getDefenderHostByIP(ip string, from int64) (DefenderEntry, error) {\n\treturn sqlCommonGetDefenderHostByIP(ip, from, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) isDefenderHostBanned(ip string) (DefenderEntry, error) {\n\treturn sqlCommonIsDefenderHostBanned(ip, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) updateDefenderBanTime(ip string, minutes int) error {\n\treturn sqlCommonDefenderIncrementBanTime(ip, minutes, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) deleteDefenderHost(ip string) error {\n\treturn sqlCommonDeleteDefenderHost(ip, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) addDefenderEvent(ip string, score int) error {\n\treturn sqlCommonAddDefenderHostAndEvent(ip, score, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) setDefenderBanTime(ip string, banTime int64) error {\n\treturn sqlCommonSetDefenderBanTime(ip, banTime, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) cleanupDefender(from int64) error {\n\treturn sqlCommonDefenderCleanup(from, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) addActiveTransfer(transfer ActiveTransfer) error {\n\treturn sqlCommonAddActiveTransfer(transfer, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) updateActiveTransferSizes(ulSize, dlSize, transferID int64, connectionID string) error {\n\treturn sqlCommonUpdateActiveTransferSizes(ulSize, dlSize, transferID, connectionID, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) removeActiveTransfer(transferID int64, connectionID string) error {\n\treturn sqlCommonRemoveActiveTransfer(transferID, connectionID, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) cleanupActiveTransfers(before time.Time) error {\n\treturn sqlCommonCleanupActiveTransfers(before, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getActiveTransfers(from time.Time) ([]ActiveTransfer, error) {\n\treturn sqlCommonGetActiveTransfers(from, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) addSharedSession(session Session) error {\n\treturn sqlCommonAddSession(session, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) deleteSharedSession(key string, sessionType SessionType) error {\n\treturn sqlCommonDeleteSession(key, sessionType, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getSharedSession(key string, sessionType SessionType) (Session, error) {\n\treturn sqlCommonGetSession(key, sessionType, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) cleanupSharedSessions(sessionType SessionType, before int64) error {\n\treturn sqlCommonCleanupSessions(sessionType, before, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getEventActions(limit, offset int, order string, minimal bool) ([]BaseEventAction, error) {\n\treturn sqlCommonGetEventActions(limit, offset, order, minimal, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) dumpEventActions() ([]BaseEventAction, error) {\n\treturn sqlCommonDumpEventActions(p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) eventActionExists(name string) (BaseEventAction, error) {\n\treturn sqlCommonGetEventActionByName(name, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) addEventAction(action *BaseEventAction) error {\n\treturn p.normalizeError(sqlCommonAddEventAction(action, p.dbHandle), fieldName)\n}\n\nfunc (p *PGSQLProvider) updateEventAction(action *BaseEventAction) error {\n\treturn sqlCommonUpdateEventAction(action, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) deleteEventAction(action BaseEventAction) error {\n\treturn sqlCommonDeleteEventAction(action, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getEventRules(limit, offset int, order string) ([]EventRule, error) {\n\treturn sqlCommonGetEventRules(limit, offset, order, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) dumpEventRules() ([]EventRule, error) {\n\treturn sqlCommonDumpEventRules(p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getRecentlyUpdatedRules(after int64) ([]EventRule, error) {\n\treturn sqlCommonGetRecentlyUpdatedRules(after, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) eventRuleExists(name string) (EventRule, error) {\n\treturn sqlCommonGetEventRuleByName(name, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) addEventRule(rule *EventRule) error {\n\treturn p.normalizeError(sqlCommonAddEventRule(rule, p.dbHandle), fieldName)\n}\n\nfunc (p *PGSQLProvider) updateEventRule(rule *EventRule) error {\n\treturn sqlCommonUpdateEventRule(rule, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) deleteEventRule(rule EventRule, softDelete bool) error {\n\treturn sqlCommonDeleteEventRule(rule, softDelete, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getTaskByName(name string) (Task, error) {\n\treturn sqlCommonGetTaskByName(name, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) addTask(name string) error {\n\treturn sqlCommonAddTask(name, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) updateTask(name string, version int64) error {\n\treturn sqlCommonUpdateTask(name, version, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) updateTaskTimestamp(name string) error {\n\treturn sqlCommonUpdateTaskTimestamp(name, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) addNode() error {\n\treturn sqlCommonAddNode(p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getNodeByName(name string) (Node, error) {\n\treturn sqlCommonGetNodeByName(name, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getNodes() ([]Node, error) {\n\treturn sqlCommonGetNodes(p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) updateNodeTimestamp() error {\n\treturn sqlCommonUpdateNodeTimestamp(p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) cleanupNodes() error {\n\treturn sqlCommonCleanupNodes(p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) roleExists(name string) (Role, error) {\n\treturn sqlCommonGetRoleByName(name, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) addRole(role *Role) error {\n\treturn p.normalizeError(sqlCommonAddRole(role, p.dbHandle), fieldName)\n}\n\nfunc (p *PGSQLProvider) updateRole(role *Role) error {\n\treturn sqlCommonUpdateRole(role, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) deleteRole(role Role) error {\n\treturn sqlCommonDeleteRole(role, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getRoles(limit int, offset int, order string, minimal bool) ([]Role, error) {\n\treturn sqlCommonGetRoles(limit, offset, order, minimal, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) dumpRoles() ([]Role, error) {\n\treturn sqlCommonDumpRoles(p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) ipListEntryExists(ipOrNet string, listType IPListType) (IPListEntry, error) {\n\treturn sqlCommonGetIPListEntry(ipOrNet, listType, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) addIPListEntry(entry *IPListEntry) error {\n\treturn p.normalizeError(sqlCommonAddIPListEntry(entry, p.dbHandle), fieldIPNet)\n}\n\nfunc (p *PGSQLProvider) updateIPListEntry(entry *IPListEntry) error {\n\treturn sqlCommonUpdateIPListEntry(entry, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) deleteIPListEntry(entry IPListEntry, softDelete bool) error {\n\treturn sqlCommonDeleteIPListEntry(entry, softDelete, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getIPListEntries(listType IPListType, filter, from, order string, limit int) ([]IPListEntry, error) {\n\treturn sqlCommonGetIPListEntries(listType, filter, from, order, limit, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getRecentlyUpdatedIPListEntries(after int64) ([]IPListEntry, error) {\n\treturn sqlCommonGetRecentlyUpdatedIPListEntries(after, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) dumpIPListEntries() ([]IPListEntry, error) {\n\treturn sqlCommonDumpIPListEntries(p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) countIPListEntries(listType IPListType) (int64, error) {\n\treturn sqlCommonCountIPListEntries(listType, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getListEntriesForIP(ip string, listType IPListType) ([]IPListEntry, error) {\n\treturn sqlCommonGetListEntriesForIP(ip, listType, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) getConfigs() (Configs, error) {\n\treturn sqlCommonGetConfigs(p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) setConfigs(configs *Configs) error {\n\treturn sqlCommonSetConfigs(configs, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) setFirstDownloadTimestamp(username string) error {\n\treturn sqlCommonSetFirstDownloadTimestamp(username, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) setFirstUploadTimestamp(username string) error {\n\treturn sqlCommonSetFirstUploadTimestamp(username, p.dbHandle)\n}\n\nfunc (p *PGSQLProvider) close() error {\n\treturn p.dbHandle.Close()\n}\n\nfunc (p *PGSQLProvider) reloadConfig() error {\n\treturn nil\n}\n\n// initializeDatabase creates the initial database structure\nfunc (p *PGSQLProvider) initializeDatabase() error {\n\tdbVersion, err := sqlCommonGetDatabaseVersion(p.dbHandle, false)\n\tif err == nil && dbVersion.Version > 0 {\n\t\treturn ErrNoInitRequired\n\t}\n\tif errors.Is(err, sql.ErrNoRows) {\n\t\treturn errSchemaVersionEmpty\n\t}\n\tlogger.InfoToConsole(\"creating initial database schema, version 33\")\n\tproviderLog(logger.LevelInfo, \"creating initial database schema, version 33\")\n\tvar initialSQL string\n\tif config.Driver == CockroachDataProviderName {\n\t\tinitialSQL = sqlReplaceAll(pgsqlInitial)\n\t\tinitialSQL = strings.ReplaceAll(initialSQL, \"GENERATED ALWAYS AS IDENTITY\", \"DEFAULT unordered_unique_rowid()\")\n\t} else {\n\t\tinitialSQL = sqlReplaceAll(pgsqlInitial + ipListsLikeIndex)\n\t}\n\n\treturn sqlCommonExecSQLAndUpdateDBVersion(p.dbHandle, []string{initialSQL}, 33, true)\n}\n\nfunc (p *PGSQLProvider) migrateDatabase() error {\n\tdbVersion, err := sqlCommonGetDatabaseVersion(p.dbHandle, true)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tswitch version := dbVersion.Version; {\n\tcase version == sqlDatabaseVersion:\n\t\tproviderLog(logger.LevelDebug, \"sql database is up to date, current version: %d\", version)\n\t\treturn ErrNoInitRequired\n\tcase version < 33:\n\t\terr = errSchemaVersionTooOld(version)\n\t\tproviderLog(logger.LevelError, \"%v\", err)\n\t\tlogger.ErrorToConsole(\"%v\", err)\n\t\treturn err\n\tcase version == 33:\n\t\treturn updatePGSQLDatabaseFromV33(p.dbHandle)\n\tdefault:\n\t\tif version > sqlDatabaseVersion {\n\t\t\tproviderLog(logger.LevelError, \"database schema version %d is newer than the supported one: %d\", version,\n\t\t\t\tsqlDatabaseVersion)\n\t\t\tlogger.WarnToConsole(\"database schema version %d is newer than the supported one: %d\", version,\n\t\t\t\tsqlDatabaseVersion)\n\t\t\treturn nil\n\t\t}\n\t\treturn fmt.Errorf(\"database schema version not handled: %d\", version)\n\t}\n}\n\nfunc (p *PGSQLProvider) revertDatabase(targetVersion int) error {\n\tdbVersion, err := sqlCommonGetDatabaseVersion(p.dbHandle, true)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif dbVersion.Version == targetVersion {\n\t\treturn errors.New(\"current version match target version, nothing to do\")\n\t}\n\n\tswitch dbVersion.Version {\n\tcase 34:\n\t\treturn downgradePGSQLDatabaseFromV34(p.dbHandle)\n\tdefault:\n\t\treturn fmt.Errorf(\"database schema version not handled: %d\", dbVersion.Version)\n\t}\n}\n\nfunc (p *PGSQLProvider) resetDatabase() error {\n\tsql := sqlReplaceAll(pgsqlResetSQL)\n\treturn sqlCommonExecSQLAndUpdateDBVersion(p.dbHandle, []string{sql}, 0, false)\n}\n\nfunc (p *PGSQLProvider) normalizeError(err error, fieldType int) error {\n\tif err == nil {\n\t\treturn nil\n\t}\n\tvar pgsqlErr *pgconn.PgError\n\tif errors.As(err, &pgsqlErr) {\n\t\tswitch pgsqlErr.Code {\n\t\tcase \"23505\":\n\t\t\tvar message string\n\t\t\tswitch fieldType {\n\t\t\tcase fieldUsername:\n\t\t\t\tmessage = util.I18nErrorDuplicatedUsername\n\t\t\tcase fieldIPNet:\n\t\t\t\tmessage = util.I18nErrorDuplicatedIPNet\n\t\t\tdefault:\n\t\t\t\tmessage = util.I18nErrorDuplicatedName\n\t\t\t}\n\t\t\treturn util.NewI18nError(\n\t\t\t\tfmt.Errorf(\"%w: %s\", ErrDuplicatedKey, err.Error()),\n\t\t\t\tmessage,\n\t\t\t)\n\t\tcase \"23503\":\n\t\t\treturn fmt.Errorf(\"%w: %s\", ErrForeignKeyViolated, err.Error())\n\t\t}\n\t}\n\treturn err\n}\n\nfunc updatePGSQLDatabaseFromV33(dbHandle *sql.DB) error {\n\treturn updatePGSQLDatabaseFrom33To34(dbHandle)\n}\n\nfunc downgradePGSQLDatabaseFromV34(dbHandle *sql.DB) error {\n\treturn downgradePGSQLDatabaseFrom34To33(dbHandle)\n}\n\nfunc updatePGSQLDatabaseFrom33To34(dbHandle *sql.DB) error {\n\tlogger.InfoToConsole(\"updating database schema version: 33 -> 34\")\n\tproviderLog(logger.LevelInfo, \"updating database schema version: 33 -> 34\")\n\n\tsql := strings.ReplaceAll(pgsqlV34SQL, \"{{prefix}}\", config.SQLTablesPrefix)\n\tsql = strings.ReplaceAll(sql, \"{{shares}}\", sqlTableShares)\n\tsql = strings.ReplaceAll(sql, \"{{shares_groups_mapping}}\", sqlTableSharesGroupsMapping)\n\tsql = strings.ReplaceAll(sql, \"{{groups}}\", sqlTableGroups)\n\treturn sqlCommonExecSQLAndUpdateDBVersion(dbHandle, []string{sql}, 34, true)\n}\n\nfunc downgradePGSQLDatabaseFrom34To33(dbHandle *sql.DB) error {\n\tlogger.InfoToConsole(\"downgrading database schema version: 34 -> 33\")\n\tproviderLog(logger.LevelInfo, \"downgrading database schema version: 34 -> 33\")\n\n\tsql := strings.ReplaceAll(pgsqlV34DownSQL, \"{{shares_groups_mapping}}\", sqlTableSharesGroupsMapping)\n\treturn sqlCommonExecSQLAndUpdateDBVersion(dbHandle, []string{sql}, 33, false)\n}\n" }, { "path": "internal/dataprovider/pgsql_disabled.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build nopgsql\n\npackage dataprovider\n\nimport (\n\t\"errors\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n)\n\nfunc init() {\n\tversion.AddFeature(\"-pgsql\")\n}\n\nfunc initializePGSQLProvider() error {\n\treturn errors.New(\"PostgreSQL disabled at build time\")\n}\n" }, { "path": "internal/dataprovider/quotaupdater.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage dataprovider\n\nimport (\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n)\n\nvar delayedQuotaUpdater quotaUpdater\n\nfunc init() {\n\tdelayedQuotaUpdater = newQuotaUpdater()\n}\n\ntype quotaObject struct {\n\tsize int64\n\tfiles int\n}\n\ntype transferQuotaObject struct {\n\tulSize int64\n\tdlSize int64\n}\n\ntype quotaUpdater struct {\n\tparamsMutex sync.RWMutex\n\twaitTime time.Duration\n\tsync.RWMutex\n\tpendingUserQuotaUpdates map[string]quotaObject\n\tpendingFolderQuotaUpdates map[string]quotaObject\n\tpendingTransferQuotaUpdates map[string]transferQuotaObject\n}\n\nfunc newQuotaUpdater() quotaUpdater {\n\treturn quotaUpdater{\n\t\tpendingUserQuotaUpdates: make(map[string]quotaObject),\n\t\tpendingFolderQuotaUpdates: make(map[string]quotaObject),\n\t\tpendingTransferQuotaUpdates: make(map[string]transferQuotaObject),\n\t}\n}\n\nfunc (q *quotaUpdater) start() {\n\tq.setWaitTime(config.DelayedQuotaUpdate)\n\n\tgo q.loop()\n}\n\nfunc (q *quotaUpdater) loop() {\n\twaitTime := q.getWaitTime()\n\tproviderLog(logger.LevelDebug, \"delayed quota update loop started, wait time: %v\", waitTime)\n\tfor waitTime > 0 {\n\t\t// We do this with a time.Sleep instead of a time.Ticker because we don't know\n\t\t// how long each quota processing cycle will take, and we want to make\n\t\t// sure we wait the configured seconds between each iteration\n\t\ttime.Sleep(waitTime)\n\t\tproviderLog(logger.LevelDebug, \"delayed quota update check start\")\n\t\tq.storeUsersQuota()\n\t\tq.storeFoldersQuota()\n\t\tq.storeUsersTransferQuota()\n\t\tproviderLog(logger.LevelDebug, \"delayed quota update check end\")\n\t\twaitTime = q.getWaitTime()\n\t}\n\tproviderLog(logger.LevelDebug, \"delayed quota update loop ended, wait time: %v\", waitTime)\n}\n\nfunc (q *quotaUpdater) setWaitTime(secs int) {\n\tq.paramsMutex.Lock()\n\tdefer q.paramsMutex.Unlock()\n\n\tq.waitTime = time.Duration(secs) * time.Second\n}\n\nfunc (q *quotaUpdater) getWaitTime() time.Duration {\n\tq.paramsMutex.RLock()\n\tdefer q.paramsMutex.RUnlock()\n\n\treturn q.waitTime\n}\n\nfunc (q *quotaUpdater) resetUserQuota(username string) {\n\tq.Lock()\n\tdefer q.Unlock()\n\n\tdelete(q.pendingUserQuotaUpdates, username)\n}\n\nfunc (q *quotaUpdater) updateUserQuota(username string, files int, size int64) {\n\tq.Lock()\n\tdefer q.Unlock()\n\n\tobj := q.pendingUserQuotaUpdates[username]\n\tobj.size += size\n\tobj.files += files\n\tif obj.files == 0 && obj.size == 0 {\n\t\tdelete(q.pendingUserQuotaUpdates, username)\n\t\treturn\n\t}\n\tq.pendingUserQuotaUpdates[username] = obj\n}\n\nfunc (q *quotaUpdater) getUserPendingQuota(username string) (int, int64) {\n\tq.RLock()\n\tdefer q.RUnlock()\n\n\tobj := q.pendingUserQuotaUpdates[username]\n\n\treturn obj.files, obj.size\n}\n\nfunc (q *quotaUpdater) resetFolderQuota(name string) {\n\tq.Lock()\n\tdefer q.Unlock()\n\n\tdelete(q.pendingFolderQuotaUpdates, name)\n}\n\nfunc (q *quotaUpdater) updateFolderQuota(name string, files int, size int64) {\n\tq.Lock()\n\tdefer q.Unlock()\n\n\tobj := q.pendingFolderQuotaUpdates[name]\n\tobj.size += size\n\tobj.files += files\n\tif obj.files == 0 && obj.size == 0 {\n\t\tdelete(q.pendingFolderQuotaUpdates, name)\n\t\treturn\n\t}\n\tq.pendingFolderQuotaUpdates[name] = obj\n}\n\nfunc (q *quotaUpdater) getFolderPendingQuota(name string) (int, int64) {\n\tq.RLock()\n\tdefer q.RUnlock()\n\n\tobj := q.pendingFolderQuotaUpdates[name]\n\n\treturn obj.files, obj.size\n}\n\nfunc (q *quotaUpdater) resetUserTransferQuota(username string) {\n\tq.Lock()\n\tdefer q.Unlock()\n\n\tdelete(q.pendingTransferQuotaUpdates, username)\n}\n\nfunc (q *quotaUpdater) updateUserTransferQuota(username string, ulSize, dlSize int64) {\n\tq.Lock()\n\tdefer q.Unlock()\n\n\tobj := q.pendingTransferQuotaUpdates[username]\n\tobj.ulSize += ulSize\n\tobj.dlSize += dlSize\n\tif obj.ulSize == 0 && obj.dlSize == 0 {\n\t\tdelete(q.pendingTransferQuotaUpdates, username)\n\t\treturn\n\t}\n\tq.pendingTransferQuotaUpdates[username] = obj\n}\n\nfunc (q *quotaUpdater) getUserPendingTransferQuota(username string) (int64, int64) {\n\tq.RLock()\n\tdefer q.RUnlock()\n\n\tobj := q.pendingTransferQuotaUpdates[username]\n\n\treturn obj.ulSize, obj.dlSize\n}\n\nfunc (q *quotaUpdater) getUsernames() []string {\n\tq.RLock()\n\tdefer q.RUnlock()\n\n\tresult := make([]string, 0, len(q.pendingUserQuotaUpdates))\n\tfor username := range q.pendingUserQuotaUpdates {\n\t\tresult = append(result, username)\n\t}\n\n\treturn result\n}\n\nfunc (q *quotaUpdater) getFoldernames() []string {\n\tq.RLock()\n\tdefer q.RUnlock()\n\n\tresult := make([]string, 0, len(q.pendingFolderQuotaUpdates))\n\tfor name := range q.pendingFolderQuotaUpdates {\n\t\tresult = append(result, name)\n\t}\n\n\treturn result\n}\n\nfunc (q *quotaUpdater) getTransferQuotaUsernames() []string {\n\tq.RLock()\n\tdefer q.RUnlock()\n\n\tresult := make([]string, 0, len(q.pendingTransferQuotaUpdates))\n\tfor username := range q.pendingTransferQuotaUpdates {\n\t\tresult = append(result, username)\n\t}\n\n\treturn result\n}\n\nfunc (q *quotaUpdater) storeUsersQuota() {\n\tfor _, username := range q.getUsernames() {\n\t\tfiles, size := q.getUserPendingQuota(username)\n\t\tif size != 0 || files != 0 {\n\t\t\terr := provider.updateQuota(username, files, size, false)\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelWarn, \"unable to update quota delayed for user %q: %v\", username, err)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tq.updateUserQuota(username, -files, -size)\n\t\t}\n\t}\n}\n\nfunc (q *quotaUpdater) storeFoldersQuota() {\n\tfor _, name := range q.getFoldernames() {\n\t\tfiles, size := q.getFolderPendingQuota(name)\n\t\tif size != 0 || files != 0 {\n\t\t\terr := provider.updateFolderQuota(name, files, size, false)\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelWarn, \"unable to update quota delayed for folder %q: %v\", name, err)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tq.updateFolderQuota(name, -files, -size)\n\t\t}\n\t}\n}\n\nfunc (q *quotaUpdater) storeUsersTransferQuota() {\n\tfor _, username := range q.getTransferQuotaUsernames() {\n\t\tulSize, dlSize := q.getUserPendingTransferQuota(username)\n\t\tif ulSize != 0 || dlSize != 0 {\n\t\t\terr := provider.updateTransferQuota(username, ulSize, dlSize, false)\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelWarn, \"unable to update transfer quota delayed for user %q: %v\", username, err)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tq.updateUserTransferQuota(username, -ulSize, -dlSize)\n\t\t}\n\t}\n}\n" }, { "path": "internal/dataprovider/role.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage dataprovider\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\n// Role defines an SFTPGo role.\ntype Role struct {\n\t// Data provider unique identifier\n\tID int64 `json:\"id\"`\n\t// Role name\n\tName string `json:\"name\"`\n\t// optional description\n\tDescription string `json:\"description,omitempty\"`\n\t// Creation time as unix timestamp in milliseconds\n\tCreatedAt int64 `json:\"created_at\"`\n\t// last update time as unix timestamp in milliseconds\n\tUpdatedAt int64 `json:\"updated_at\"`\n\t// list of admins associated with this role\n\tAdmins []string `json:\"admins,omitempty\"`\n\t// list of usernames associated with this role\n\tUsers []string `json:\"users,omitempty\"`\n}\n\n// RenderAsJSON implements the renderer interface used within plugins\nfunc (r *Role) RenderAsJSON(reload bool) ([]byte, error) {\n\tif reload {\n\t\trole, err := provider.roleExists(r.Name)\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelError, \"unable to reload role before rendering as json: %v\", err)\n\t\t\treturn nil, err\n\t\t}\n\t\treturn json.Marshal(role)\n\t}\n\treturn json.Marshal(r)\n}\n\nfunc (r *Role) validate() error {\n\tif r.Name == \"\" {\n\t\treturn util.NewI18nError(util.NewValidationError(\"name is mandatory\"), util.I18nErrorNameRequired)\n\t}\n\tif !util.IsNameValid(r.Name) {\n\t\treturn util.NewI18nError(errInvalidInput, util.I18nErrorInvalidInput)\n\t}\n\tif len(r.Name) > 255 {\n\t\treturn util.NewValidationError(\"name is too long, 255 is the maximum length allowed\")\n\t}\n\tif config.NamingRules&1 == 0 && !usernameRegex.MatchString(r.Name) {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(fmt.Sprintf(\"name %q is not valid, the following characters are allowed: a-zA-Z0-9-_.~\", r.Name)),\n\t\t\tutil.I18nErrorInvalidName,\n\t\t)\n\t}\n\treturn nil\n}\n\nfunc (r *Role) getACopy() Role {\n\tusers := make([]string, len(r.Users))\n\tcopy(users, r.Users)\n\tadmins := make([]string, len(r.Admins))\n\tcopy(admins, r.Admins)\n\n\treturn Role{\n\t\tID: r.ID,\n\t\tName: r.Name,\n\t\tDescription: r.Description,\n\t\tCreatedAt: r.CreatedAt,\n\t\tUpdatedAt: r.UpdatedAt,\n\t\tUsers: users,\n\t\tAdmins: admins,\n\t}\n}\n" }, { "path": "internal/dataprovider/scheduler.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage dataprovider\n\nimport (\n\t\"fmt\"\n\t\"sync/atomic\"\n\t\"time\"\n\n\t\"github.com/robfig/cron/v3\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/metric\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nvar (\n\tscheduler *cron.Cron\n\tlastUserCacheUpdate atomic.Int64\n\tlastIPListsCacheUpdate atomic.Int64\n\t// used for bolt and memory providers, so we avoid iterating all users/rules\n\t// to find recently modified ones\n\tlastUserUpdate atomic.Int64\n\tlastRuleUpdate atomic.Int64\n)\n\nfunc stopScheduler() {\n\tif scheduler != nil {\n\t\tscheduler.Stop()\n\t\tscheduler = nil\n\t}\n}\n\nfunc startScheduler() error {\n\tstopScheduler()\n\n\tscheduler = cron.New(cron.WithLocation(time.UTC), cron.WithLogger(cron.DiscardLogger))\n\t_, err := scheduler.AddFunc(\"@every 55s\", checkDataprovider)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to schedule dataprovider availability check: %w\", err)\n\t}\n\terr = addScheduledCacheUpdates()\n\tif err != nil {\n\t\treturn err\n\t}\n\tif currentNode != nil {\n\t\t_, err = scheduler.AddFunc(\"@every 30m\", func() {\n\t\t\terr := provider.cleanupNodes()\n\t\t\tif err != nil {\n\t\t\t\tproviderLog(logger.LevelError, \"unable to cleanup nodes: %v\", err)\n\t\t\t} else {\n\t\t\t\tproviderLog(logger.LevelDebug, \"cleanup nodes ok\")\n\t\t\t}\n\t\t})\n\t}\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to schedule nodes cleanup: %w\", err)\n\t}\n\tscheduler.Start()\n\treturn nil\n}\n\nfunc addScheduledCacheUpdates() error {\n\tlastUserCacheUpdate.Store(util.GetTimeAsMsSinceEpoch(time.Now()))\n\tlastIPListsCacheUpdate.Store(util.GetTimeAsMsSinceEpoch(time.Now()))\n\t_, err := scheduler.AddFunc(\"@every 10m\", checkCacheUpdates)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to schedule cache updates: %w\", err)\n\t}\n\treturn nil\n}\n\nfunc checkDataprovider() {\n\tif currentNode != nil {\n\t\terr := provider.updateNodeTimestamp()\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelError, \"unable to update node timestamp: %v\", err)\n\t\t} else {\n\t\t\tproviderLog(logger.LevelDebug, \"node timestamp updated\")\n\t\t}\n\t\tmetric.UpdateDataProviderAvailability(err)\n\t\treturn\n\t}\n\terr := provider.checkAvailability()\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"check availability error: %v\", err)\n\t}\n\tmetric.UpdateDataProviderAvailability(err)\n}\n\nfunc checkCacheUpdates() {\n\tcheckUserCache()\n\tcheckIPListEntryCache()\n\tcachedUserPasswords.cleanup()\n\tcachedAdminPasswords.cleanup()\n\tcachedAPIKeys.cleanup()\n}\n\nfunc checkUserCache() {\n\tlastCheck := lastUserCacheUpdate.Load()\n\tproviderLog(logger.LevelDebug, \"start user cache check, update time %v\", util.GetTimeFromMsecSinceEpoch(lastCheck))\n\tcheckTime := util.GetTimeAsMsSinceEpoch(time.Now())\n\tif config.IsShared == 1 {\n\t\tlastCheck -= 5000\n\t}\n\tusers, err := provider.getRecentlyUpdatedUsers(lastCheck)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to get recently updated users: %v\", err)\n\t\treturn\n\t}\n\tfor idx := range users {\n\t\tuser := users[idx]\n\t\tproviderLog(logger.LevelDebug, \"invalidate caches for user %q\", user.Username)\n\t\tif user.DeletedAt > 0 {\n\t\t\tdeletedAt := util.GetTimeFromMsecSinceEpoch(user.DeletedAt)\n\t\t\tif deletedAt.Add(30 * time.Minute).Before(time.Now()) {\n\t\t\t\tproviderLog(logger.LevelDebug, \"removing user %q deleted at %s\", user.Username, deletedAt)\n\t\t\t\tgo provider.deleteUser(user, false) //nolint:errcheck\n\t\t\t}\n\t\t\twebDAVUsersCache.remove(user.Username)\n\t\t\tcachedUserPasswords.Remove(user.Username)\n\t\t\tdelayedQuotaUpdater.resetUserQuota(user.Username)\n\t\t} else {\n\t\t\twebDAVUsersCache.swap(&user, \"\")\n\t\t}\n\t}\n\tlastUserCacheUpdate.Store(checkTime)\n\tproviderLog(logger.LevelDebug, \"end user cache check, new update time %v\", util.GetTimeFromMsecSinceEpoch(lastUserCacheUpdate.Load()))\n}\n\nfunc checkIPListEntryCache() {\n\tif config.IsShared != 1 {\n\t\treturn\n\t}\n\thasMemoryLists := false\n\tfor _, l := range inMemoryLists {\n\t\tif l.isInMemory.Load() {\n\t\t\thasMemoryLists = true\n\t\t\tbreak\n\t\t}\n\t}\n\tif !hasMemoryLists {\n\t\treturn\n\t}\n\tproviderLog(logger.LevelDebug, \"start IP list cache check, update time %v\", util.GetTimeFromMsecSinceEpoch(lastIPListsCacheUpdate.Load()))\n\tcheckTime := util.GetTimeAsMsSinceEpoch(time.Now())\n\tentries, err := provider.getRecentlyUpdatedIPListEntries(lastIPListsCacheUpdate.Load() - 5000)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to get recently updated IP list entries: %v\", err)\n\t\treturn\n\t}\n\tfor idx := range entries {\n\t\te := entries[idx]\n\t\tproviderLog(logger.LevelDebug, \"update cache for IP list entry %q\", e.getName())\n\t\tif e.DeletedAt > 0 {\n\t\t\tdeletedAt := util.GetTimeFromMsecSinceEpoch(e.DeletedAt)\n\t\t\tif deletedAt.Add(30 * time.Minute).Before(time.Now()) {\n\t\t\t\tproviderLog(logger.LevelDebug, \"removing IP list entry %q deleted at %s\", e.getName(), deletedAt)\n\t\t\t\tgo provider.deleteIPListEntry(e, false) //nolint:errcheck\n\t\t\t}\n\t\t\tfor _, l := range inMemoryLists {\n\t\t\t\tl.removeEntry(&e)\n\t\t\t}\n\t\t} else {\n\t\t\tfor _, l := range inMemoryLists {\n\t\t\t\tl.updateEntry(&e)\n\t\t\t}\n\t\t}\n\t}\n\tlastIPListsCacheUpdate.Store(checkTime)\n\tproviderLog(logger.LevelDebug, \"end IP list entries cache check, new update time %v\", util.GetTimeFromMsecSinceEpoch(lastIPListsCacheUpdate.Load()))\n}\n\nfunc setLastUserUpdate() {\n\tlastUserUpdate.Store(util.GetTimeAsMsSinceEpoch(time.Now()))\n}\n\nfunc getLastUserUpdate() int64 {\n\treturn lastUserUpdate.Load()\n}\n\nfunc setLastRuleUpdate() {\n\tlastRuleUpdate.Store(util.GetTimeAsMsSinceEpoch(time.Now()))\n}\n\nfunc getLastRuleUpdate() int64 {\n\treturn lastRuleUpdate.Load()\n}\n" }, { "path": "internal/dataprovider/session.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage dataprovider\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n)\n\n// SessionType defines the supported session types\ntype SessionType int\n\n// Supported session types\nconst (\n\tSessionTypeOIDCAuth SessionType = iota + 1\n\tSessionTypeOIDCToken\n\tSessionTypeResetCode\n\tSessionTypeOAuth2Auth\n\tSessionTypeInvalidToken\n\tSessionTypeWebTask\n)\n\n// Session defines a shared session persisted in the data provider\ntype Session struct {\n\tKey string\n\tData any\n\tType SessionType\n\tTimestamp int64\n}\n\nfunc (s *Session) validate() error {\n\tif s.Key == \"\" {\n\t\treturn errors.New(\"unable to save a session with an empty key\")\n\t}\n\tif s.Type < SessionTypeOIDCAuth || s.Type > SessionTypeWebTask {\n\t\treturn fmt.Errorf(\"invalid session type: %v\", s.Type)\n\t}\n\treturn nil\n}\n" }, { "path": "internal/dataprovider/share.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage dataprovider\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"net\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/alexedwards/argon2id\"\n\tpasswordvalidator \"github.com/wagslane/go-password-validator\"\n\t\"golang.org/x/crypto/bcrypt\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\n// ShareScope defines the supported share scopes\ntype ShareScope int\n\n// Supported share scopes\nconst (\n\tShareScopeRead ShareScope = iota + 1\n\tShareScopeWrite\n\tShareScopeReadWrite\n)\n\nconst (\n\tredactedPassword = \"[**redacted**]\"\n)\n\n// Share defines files and or directories shared with external users\ntype Share struct {\n\t// Database unique identifier\n\tID int64 `json:\"-\"`\n\t// Unique ID used to access this object\n\tShareID string `json:\"id\"`\n\tName string `json:\"name\"`\n\tDescription string `json:\"description,omitempty\"`\n\tScope ShareScope `json:\"scope\"`\n\t// Paths to files or directories, for ShareScopeWrite it must be exactly one directory\n\tPaths []string `json:\"paths\"`\n\t// Username who shared this object\n\tUsername string `json:\"username\"`\n\tCreatedAt int64 `json:\"created_at\"`\n\tUpdatedAt int64 `json:\"updated_at\"`\n\t// 0 means never used\n\tLastUseAt int64 `json:\"last_use_at,omitempty\"`\n\t// ExpiresAt expiration date/time as unix timestamp in milliseconds, 0 means no expiration\n\tExpiresAt int64 `json:\"expires_at,omitempty\"`\n\t// Optional password to protect the share\n\tPassword string `json:\"password\"`\n\t// Limit the available access tokens, 0 means no limit\n\tMaxTokens int `json:\"max_tokens,omitempty\"`\n\t// Used tokens\n\tUsedTokens int `json:\"used_tokens,omitempty\"`\n\t// Limit the share availability to these IPs/CIDR networks\n\tAllowFrom []string `json:\"allow_from,omitempty\"`\n\t// set for restores, we don't have to validate the expiration date\n\t// otherwise we fail to restore existing shares and we have to insert\n\t// all the previous values with no modifications\n\tIsRestore bool `json:\"-\"`\n}\n\n// IsExpired returns true if the share is expired\nfunc (s *Share) IsExpired() bool {\n\tif s.ExpiresAt > 0 {\n\t\treturn s.ExpiresAt < util.GetTimeAsMsSinceEpoch(time.Now())\n\t}\n\treturn false\n}\n\n// GetAllowedFromAsString returns the allowed IP as comma separated string\nfunc (s *Share) GetAllowedFromAsString() string {\n\treturn strings.Join(s.AllowFrom, \",\")\n}\n\n// IsPasswordHashed returns true if the password is hashed\nfunc (s *Share) IsPasswordHashed() bool {\n\treturn util.IsStringPrefixInSlice(s.Password, hashPwdPrefixes)\n}\n\nfunc (s *Share) getACopy() Share {\n\tallowFrom := make([]string, len(s.AllowFrom))\n\tcopy(allowFrom, s.AllowFrom)\n\n\treturn Share{\n\t\tID: s.ID,\n\t\tShareID: s.ShareID,\n\t\tName: s.Name,\n\t\tDescription: s.Description,\n\t\tScope: s.Scope,\n\t\tPaths: s.Paths,\n\t\tUsername: s.Username,\n\t\tCreatedAt: s.CreatedAt,\n\t\tUpdatedAt: s.UpdatedAt,\n\t\tLastUseAt: s.LastUseAt,\n\t\tExpiresAt: s.ExpiresAt,\n\t\tPassword: s.Password,\n\t\tMaxTokens: s.MaxTokens,\n\t\tUsedTokens: s.UsedTokens,\n\t\tAllowFrom: allowFrom,\n\t}\n}\n\n// RenderAsJSON implements the renderer interface used within plugins\nfunc (s *Share) RenderAsJSON(reload bool) ([]byte, error) {\n\tif reload {\n\t\tshare, err := provider.shareExists(s.ShareID, s.Username)\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelError, \"unable to reload share before rendering as json: %v\", err)\n\t\t\treturn nil, err\n\t\t}\n\t\tshare.HideConfidentialData()\n\t\treturn json.Marshal(share)\n\t}\n\ts.HideConfidentialData()\n\treturn json.Marshal(s)\n}\n\n// HideConfidentialData hides share confidential data\nfunc (s *Share) HideConfidentialData() {\n\tif s.Password != \"\" {\n\t\ts.Password = redactedPassword\n\t}\n}\n\n// HasRedactedPassword returns true if this share has a redacted password\nfunc (s *Share) HasRedactedPassword() bool {\n\treturn s.Password == redactedPassword\n}\n\nfunc (s *Share) hashPassword() error {\n\tif s.Password != \"\" && !util.IsStringPrefixInSlice(s.Password, internalHashPwdPrefixes) {\n\t\tuser, err := GetUserWithGroupSettings(s.Username, \"\")\n\t\tif err != nil {\n\t\t\treturn util.NewGenericError(fmt.Sprintf(\"unable to validate user: %v\", err))\n\t\t}\n\t\tif minEntropy := user.getMinPasswordEntropy(); minEntropy > 0 {\n\t\t\tif err := passwordvalidator.Validate(s.Password, minEntropy); err != nil {\n\t\t\t\treturn util.NewI18nError(util.NewValidationError(err.Error()), util.I18nErrorPasswordComplexity)\n\t\t\t}\n\t\t}\n\t\tif config.PasswordHashing.Algo == HashingAlgoBcrypt {\n\t\t\thashed, err := bcrypt.GenerateFromPassword([]byte(s.Password), config.PasswordHashing.BcryptOptions.Cost)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\ts.Password = util.BytesToString(hashed)\n\t\t} else {\n\t\t\thashed, err := argon2id.CreateHash(s.Password, argon2Params)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\ts.Password = hashed\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (s *Share) validatePaths() error {\n\tvar paths []string\n\tfor _, p := range s.Paths {\n\t\tif strings.TrimSpace(p) != \"\" {\n\t\t\tpaths = append(paths, p)\n\t\t}\n\t}\n\ts.Paths = paths\n\tif len(s.Paths) == 0 {\n\t\treturn util.NewI18nError(util.NewValidationError(\"at least a shared path is required\"), util.I18nErrorSharePathRequired)\n\t}\n\tfor idx := range s.Paths {\n\t\ts.Paths[idx] = util.CleanPath(s.Paths[idx])\n\t}\n\ts.Paths = util.RemoveDuplicates(s.Paths, false)\n\tif s.Scope >= ShareScopeWrite && len(s.Paths) != 1 {\n\t\treturn util.NewI18nError(util.NewValidationError(\"the write share scope requires exactly one path\"), util.I18nErrorShareWriteScope)\n\t}\n\t// check nested paths\n\tif len(s.Paths) > 1 {\n\t\tfor idx := range s.Paths {\n\t\t\tfor innerIdx := range s.Paths {\n\t\t\t\tif idx == innerIdx {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tif s.Paths[idx] == \"/\" || s.Paths[innerIdx] == \"/\" || util.IsDirOverlapped(s.Paths[idx], s.Paths[innerIdx], true, \"/\") {\n\t\t\t\t\treturn util.NewI18nError(util.NewGenericError(\"shared paths cannot be nested\"), util.I18nErrorShareNestedPaths)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (s *Share) validate() error { //nolint:gocyclo\n\tif s.ShareID == \"\" {\n\t\treturn util.NewValidationError(\"share_id is mandatory\")\n\t}\n\tif s.Name == \"\" {\n\t\treturn util.NewI18nError(util.NewValidationError(\"name is mandatory\"), util.I18nErrorNameRequired)\n\t}\n\tif !util.IsNameValid(s.Name) {\n\t\treturn util.NewI18nError(errInvalidInput, util.I18nErrorInvalidInput)\n\t}\n\tif s.Scope < ShareScopeRead || s.Scope > ShareScopeReadWrite {\n\t\treturn util.NewI18nError(util.NewValidationError(fmt.Sprintf(\"invalid scope: %v\", s.Scope)), util.I18nErrorShareScope)\n\t}\n\tif err := s.validatePaths(); err != nil {\n\t\treturn err\n\t}\n\tif s.ExpiresAt > 0 {\n\t\tif !s.IsRestore && s.ExpiresAt < util.GetTimeAsMsSinceEpoch(time.Now()) {\n\t\t\treturn util.NewI18nError(util.NewValidationError(\"expiration must be in the future\"), util.I18nErrorShareExpirationPast)\n\t\t}\n\t} else {\n\t\ts.ExpiresAt = 0\n\t}\n\tif s.MaxTokens < 0 {\n\t\treturn util.NewI18nError(util.NewValidationError(\"invalid max tokens\"), util.I18nErrorShareMaxTokens)\n\t}\n\tif s.Username == \"\" {\n\t\treturn util.NewI18nError(util.NewValidationError(\"username is mandatory\"), util.I18nErrorUsernameRequired)\n\t}\n\tif s.HasRedactedPassword() {\n\t\treturn util.NewValidationError(\"cannot save a share with a redacted password\")\n\t}\n\tif err := s.hashPassword(); err != nil {\n\t\treturn err\n\t}\n\ts.AllowFrom = util.RemoveDuplicates(s.AllowFrom, false)\n\tfor _, IPMask := range s.AllowFrom {\n\t\t_, _, err := net.ParseCIDR(IPMask)\n\t\tif err != nil {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"could not parse allow from entry %q : %v\", IPMask, err)),\n\t\t\t\tutil.I18nErrorInvalidIPMask,\n\t\t\t)\n\t\t}\n\t}\n\treturn nil\n}\n\n// CheckCredentials verifies the share credentials if a password if set\nfunc (s *Share) CheckCredentials(password string) (bool, error) {\n\tif s.Password == \"\" {\n\t\treturn true, nil\n\t}\n\tif password == \"\" {\n\t\treturn false, ErrInvalidCredentials\n\t}\n\tif strings.HasPrefix(s.Password, bcryptPwdPrefix) {\n\t\tif err := bcrypt.CompareHashAndPassword([]byte(s.Password), []byte(password)); err != nil {\n\t\t\treturn false, ErrInvalidCredentials\n\t\t}\n\t\treturn true, nil\n\t}\n\tmatch, err := argon2id.ComparePasswordAndHash(password, s.Password)\n\tif !match || err != nil {\n\t\treturn false, ErrInvalidCredentials\n\t}\n\treturn match, err\n}\n\n// GetRelativePath returns the specified absolute path as relative to the share base path\nfunc (s *Share) GetRelativePath(name string) string {\n\tif len(s.Paths) == 0 {\n\t\treturn \"\"\n\t}\n\treturn util.CleanPath(strings.TrimPrefix(name, s.Paths[0]))\n}\n\n// IsUsable checks if the share is usable from the specified IP\nfunc (s *Share) IsUsable(ip string) (bool, error) {\n\tif s.MaxTokens > 0 && s.UsedTokens >= s.MaxTokens {\n\t\treturn false, util.NewI18nError(util.NewRecordNotFoundError(\"max share usage exceeded\"), util.I18nErrorShareUsage)\n\t}\n\tif s.ExpiresAt > 0 {\n\t\tif s.ExpiresAt < util.GetTimeAsMsSinceEpoch(time.Now()) {\n\t\t\treturn false, util.NewI18nError(util.NewRecordNotFoundError(\"share expired\"), util.I18nErrorShareExpired)\n\t\t}\n\t}\n\tif len(s.AllowFrom) == 0 {\n\t\treturn true, nil\n\t}\n\tparsedIP := net.ParseIP(ip)\n\tif parsedIP == nil {\n\t\treturn false, util.NewI18nError(ErrLoginNotAllowedFromIP, util.I18nErrorLoginFromIPDenied)\n\t}\n\tfor _, ipMask := range s.AllowFrom {\n\t\t_, network, err := net.ParseCIDR(ipMask)\n\t\tif err != nil {\n\t\t\tcontinue\n\t\t}\n\t\tif network.Contains(parsedIP) {\n\t\t\treturn true, nil\n\t\t}\n\t}\n\treturn false, util.NewI18nError(ErrLoginNotAllowedFromIP, util.I18nErrorLoginFromIPDenied)\n}\n" }, { "path": "internal/dataprovider/sqlcommon.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage dataprovider\n\nimport (\n\t\"context\"\n\t\"crypto/x509\"\n\t\"database/sql\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net/netip\"\n\t\"runtime/debug\"\n\t\"strconv\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/cockroachdb/cockroach-go/v2/crdb\"\n\t\"github.com/sftpgo/sdk\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nconst (\n\tsqlDatabaseVersion = 34\n\tdefaultSQLQueryTimeout = 10 * time.Second\n\tlongSQLQueryTimeout = 60 * time.Second\n)\n\nvar (\n\terrSQLFoldersAssociation = errors.New(\"unable to associate virtual folders to user\")\n\terrSQLGroupsAssociation = errors.New(\"unable to associate groups to user\")\n\terrSQLUsersAssociation = errors.New(\"unable to associate users to group\")\n\terrSchemaVersionEmpty = errors.New(\"we can't determine schema version because the schema_migration table is empty. The SFTPGo database might be corrupted. Consider using the \\\"resetprovider\\\" sub-command\")\n)\n\ntype sqlQuerier interface {\n\tQueryRowContext(ctx context.Context, query string, args ...any) *sql.Row\n\tQueryContext(ctx context.Context, query string, args ...any) (*sql.Rows, error)\n\tExecContext(ctx context.Context, query string, args ...any) (sql.Result, error)\n\tPrepareContext(ctx context.Context, query string) (*sql.Stmt, error)\n}\n\ntype sqlScanner interface {\n\tScan(dest ...any) error\n}\n\nfunc sqlReplaceAll(sql string) string {\n\tsql = strings.ReplaceAll(sql, \"{{schema_version}}\", sqlTableSchemaVersion)\n\tsql = strings.ReplaceAll(sql, \"{{admins}}\", sqlTableAdmins)\n\tsql = strings.ReplaceAll(sql, \"{{folders}}\", sqlTableFolders)\n\tsql = strings.ReplaceAll(sql, \"{{users}}\", sqlTableUsers)\n\tsql = strings.ReplaceAll(sql, \"{{groups}}\", sqlTableGroups)\n\tsql = strings.ReplaceAll(sql, \"{{users_folders_mapping}}\", sqlTableUsersFoldersMapping)\n\tsql = strings.ReplaceAll(sql, \"{{users_groups_mapping}}\", sqlTableUsersGroupsMapping)\n\tsql = strings.ReplaceAll(sql, \"{{admins_groups_mapping}}\", sqlTableAdminsGroupsMapping)\n\tsql = strings.ReplaceAll(sql, \"{{groups_folders_mapping}}\", sqlTableGroupsFoldersMapping)\n\tsql = strings.ReplaceAll(sql, \"{{api_keys}}\", sqlTableAPIKeys)\n\tsql = strings.ReplaceAll(sql, \"{{shares}}\", sqlTableShares)\n\tsql = strings.ReplaceAll(sql, \"{{shares_groups_mapping}}\", sqlTableSharesGroupsMapping)\n\tsql = strings.ReplaceAll(sql, \"{{defender_events}}\", sqlTableDefenderEvents)\n\tsql = strings.ReplaceAll(sql, \"{{defender_hosts}}\", sqlTableDefenderHosts)\n\tsql = strings.ReplaceAll(sql, \"{{active_transfers}}\", sqlTableActiveTransfers)\n\tsql = strings.ReplaceAll(sql, \"{{shared_sessions}}\", sqlTableSharedSessions)\n\tsql = strings.ReplaceAll(sql, \"{{events_actions}}\", sqlTableEventsActions)\n\tsql = strings.ReplaceAll(sql, \"{{events_rules}}\", sqlTableEventsRules)\n\tsql = strings.ReplaceAll(sql, \"{{rules_actions_mapping}}\", sqlTableRulesActionsMapping)\n\tsql = strings.ReplaceAll(sql, \"{{tasks}}\", sqlTableTasks)\n\tsql = strings.ReplaceAll(sql, \"{{nodes}}\", sqlTableNodes)\n\tsql = strings.ReplaceAll(sql, \"{{roles}}\", sqlTableRoles)\n\tsql = strings.ReplaceAll(sql, \"{{ip_lists}}\", sqlTableIPLists)\n\tsql = strings.ReplaceAll(sql, \"{{configs}}\", sqlTableConfigs)\n\tsql = strings.ReplaceAll(sql, \"{{prefix}}\", config.SQLTablesPrefix)\n\treturn sql\n}\n\nfunc sqlCommonGetShareByID(shareID, username string, dbHandle sqlQuerier) (Share, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tfilterUser := username != \"\"\n\tq := getShareByIDQuery(filterUser)\n\n\tvar row *sql.Row\n\tif filterUser {\n\t\trow = dbHandle.QueryRowContext(ctx, q, shareID, username)\n\t} else {\n\t\trow = dbHandle.QueryRowContext(ctx, q, shareID)\n\t}\n\n\treturn getShareFromDbRow(row)\n}\n\nfunc sqlCommonAddShare(share *Share, dbHandle *sql.DB) error {\n\terr := share.validate()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tuser, err := provider.userExists(share.Username, \"\")\n\tif err != nil {\n\t\treturn util.NewGenericError(fmt.Sprintf(\"unable to validate user %q\", share.Username))\n\t}\n\n\tpaths, err := json.Marshal(share.Paths)\n\tif err != nil {\n\t\treturn err\n\t}\n\tvar allowFrom []byte\n\tif len(share.AllowFrom) > 0 {\n\t\tres, err := json.Marshal(share.AllowFrom)\n\t\tif err == nil {\n\t\t\tallowFrom = res\n\t\t}\n\t}\n\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getAddShareQuery()\n\tusedTokens := 0\n\tcreatedAt := util.GetTimeAsMsSinceEpoch(time.Now())\n\tupdatedAt := createdAt\n\tlastUseAt := int64(0)\n\tif share.IsRestore {\n\t\tusedTokens = share.UsedTokens\n\t\tif share.CreatedAt > 0 {\n\t\t\tcreatedAt = share.CreatedAt\n\t\t}\n\t\tif share.UpdatedAt > 0 {\n\t\t\tupdatedAt = share.UpdatedAt\n\t\t}\n\t\tlastUseAt = share.LastUseAt\n\t}\n\t_, err = dbHandle.ExecContext(ctx, q, share.ShareID, share.Name, share.Description, share.Scope,\n\t\tpaths, createdAt, updatedAt, lastUseAt, share.ExpiresAt, share.Password,\n\t\tshare.MaxTokens, usedTokens, allowFrom, user.ID)\n\treturn err\n}\n\nfunc sqlCommonUpdateShare(share *Share, dbHandle *sql.DB) error {\n\terr := share.validate()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tpaths, err := json.Marshal(share.Paths)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tvar allowFrom []byte\n\tif len(share.AllowFrom) > 0 {\n\t\tres, err := json.Marshal(share.AllowFrom)\n\t\tif err == nil {\n\t\t\tallowFrom = res\n\t\t}\n\t}\n\n\tuser, err := provider.userExists(share.Username, \"\")\n\tif err != nil {\n\t\treturn util.NewGenericError(fmt.Sprintf(\"unable to validate user %q\", share.Username))\n\t}\n\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tvar q string\n\tif share.IsRestore {\n\t\tq = getUpdateShareRestoreQuery()\n\t} else {\n\t\tq = getUpdateShareQuery()\n\t}\n\n\tvar res sql.Result\n\tif share.IsRestore {\n\t\tif share.CreatedAt == 0 {\n\t\t\tshare.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\t}\n\t\tif share.UpdatedAt == 0 {\n\t\t\tshare.UpdatedAt = share.CreatedAt\n\t\t}\n\t\tres, err = dbHandle.ExecContext(ctx, q, share.Name, share.Description, share.Scope, paths,\n\t\t\tshare.CreatedAt, share.UpdatedAt, share.LastUseAt, share.ExpiresAt, share.Password, share.MaxTokens,\n\t\t\tshare.UsedTokens, allowFrom, user.ID, share.ShareID)\n\t} else {\n\t\tres, err = dbHandle.ExecContext(ctx, q, share.Name, share.Description, share.Scope, paths,\n\t\t\tutil.GetTimeAsMsSinceEpoch(time.Now()), share.ExpiresAt, share.Password, share.MaxTokens,\n\t\t\tallowFrom, user.ID, share.ShareID)\n\t}\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn sqlCommonRequireRowAffected(res)\n}\n\nfunc sqlCommonDeleteShare(share Share, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDeleteShareQuery()\n\tres, err := dbHandle.ExecContext(ctx, q, share.ShareID)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn sqlCommonRequireRowAffected(res)\n}\n\nfunc sqlCommonGetShares(limit, offset int, order, username string, dbHandle sqlQuerier) ([]Share, error) {\n\tshares := make([]Share, 0, limit)\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getSharesQuery(order)\n\trows, err := dbHandle.QueryContext(ctx, q, username, limit, offset)\n\tif err != nil {\n\t\treturn shares, err\n\t}\n\tdefer rows.Close()\n\n\tfor rows.Next() {\n\t\ts, err := getShareFromDbRow(rows)\n\t\tif err != nil {\n\t\t\treturn shares, err\n\t\t}\n\t\ts.HideConfidentialData()\n\t\tshares = append(shares, s)\n\t}\n\n\treturn shares, rows.Err()\n}\n\nfunc sqlCommonDumpShares(dbHandle sqlQuerier) ([]Share, error) {\n\tshares := make([]Share, 0, 30)\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDumpSharesQuery()\n\trows, err := dbHandle.QueryContext(ctx, q)\n\tif err != nil {\n\t\treturn shares, err\n\t}\n\tdefer rows.Close()\n\n\tfor rows.Next() {\n\t\ts, err := getShareFromDbRow(rows)\n\t\tif err != nil {\n\t\t\treturn shares, err\n\t\t}\n\t\tshares = append(shares, s)\n\t}\n\n\treturn shares, rows.Err()\n}\n\nfunc sqlCommonGetAPIKeyByID(keyID string, dbHandle sqlQuerier) (APIKey, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getAPIKeyByIDQuery()\n\trow := dbHandle.QueryRowContext(ctx, q, keyID)\n\n\tapiKey, err := getAPIKeyFromDbRow(row)\n\tif err != nil {\n\t\treturn apiKey, err\n\t}\n\treturn getAPIKeyWithRelatedFields(ctx, apiKey, dbHandle)\n}\n\nfunc sqlCommonAddAPIKey(apiKey *APIKey, dbHandle *sql.DB) error {\n\terr := apiKey.validate()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tuserID, adminID, err := sqlCommonGetAPIKeyRelatedIDs(apiKey)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getAddAPIKeyQuery()\n\t_, err = dbHandle.ExecContext(ctx, q, apiKey.KeyID, apiKey.Name, apiKey.Key, apiKey.Scope,\n\t\tutil.GetTimeAsMsSinceEpoch(time.Now()), util.GetTimeAsMsSinceEpoch(time.Now()), apiKey.LastUseAt,\n\t\tapiKey.ExpiresAt, apiKey.Description, userID, adminID)\n\treturn err\n}\n\nfunc sqlCommonUpdateAPIKey(apiKey *APIKey, dbHandle *sql.DB) error {\n\terr := apiKey.validate()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tuserID, adminID, err := sqlCommonGetAPIKeyRelatedIDs(apiKey)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getUpdateAPIKeyQuery()\n\tres, err := dbHandle.ExecContext(ctx, q, apiKey.Name, apiKey.Scope, apiKey.ExpiresAt, userID, adminID,\n\t\tapiKey.Description, util.GetTimeAsMsSinceEpoch(time.Now()), apiKey.KeyID)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn sqlCommonRequireRowAffected(res)\n}\n\nfunc sqlCommonDeleteAPIKey(apiKey APIKey, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDeleteAPIKeyQuery()\n\tres, err := dbHandle.ExecContext(ctx, q, apiKey.KeyID)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn sqlCommonRequireRowAffected(res)\n}\n\nfunc sqlCommonGetAPIKeys(limit, offset int, order string, dbHandle sqlQuerier) ([]APIKey, error) {\n\tapiKeys := make([]APIKey, 0, limit)\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getAPIKeysQuery(order)\n\trows, err := dbHandle.QueryContext(ctx, q, limit, offset)\n\tif err != nil {\n\t\treturn apiKeys, err\n\t}\n\tdefer rows.Close()\n\n\tfor rows.Next() {\n\t\tk, err := getAPIKeyFromDbRow(rows)\n\t\tif err != nil {\n\t\t\treturn apiKeys, err\n\t\t}\n\t\tk.HideConfidentialData()\n\t\tapiKeys = append(apiKeys, k)\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn apiKeys, err\n\t}\n\tapiKeys, err = getRelatedValuesForAPIKeys(ctx, apiKeys, dbHandle, APIKeyScopeAdmin)\n\tif err != nil {\n\t\treturn apiKeys, err\n\t}\n\n\treturn getRelatedValuesForAPIKeys(ctx, apiKeys, dbHandle, APIKeyScopeUser)\n}\n\nfunc sqlCommonDumpAPIKeys(dbHandle sqlQuerier) ([]APIKey, error) {\n\tapiKeys := make([]APIKey, 0, 30)\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDumpAPIKeysQuery()\n\trows, err := dbHandle.QueryContext(ctx, q)\n\tif err != nil {\n\t\treturn apiKeys, err\n\t}\n\tdefer rows.Close()\n\n\tfor rows.Next() {\n\t\tk, err := getAPIKeyFromDbRow(rows)\n\t\tif err != nil {\n\t\t\treturn apiKeys, err\n\t\t}\n\t\tapiKeys = append(apiKeys, k)\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn apiKeys, err\n\t}\n\tapiKeys, err = getRelatedValuesForAPIKeys(ctx, apiKeys, dbHandle, APIKeyScopeAdmin)\n\tif err != nil {\n\t\treturn apiKeys, err\n\t}\n\n\treturn getRelatedValuesForAPIKeys(ctx, apiKeys, dbHandle, APIKeyScopeUser)\n}\n\nfunc sqlCommonGetAdminByUsername(username string, dbHandle sqlQuerier) (Admin, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getAdminByUsernameQuery()\n\trow := dbHandle.QueryRowContext(ctx, q, username)\n\n\tadmin, err := getAdminFromDbRow(row)\n\tif err != nil {\n\t\treturn admin, err\n\t}\n\treturn getAdminWithGroups(ctx, admin, dbHandle)\n}\n\nfunc sqlCommonValidateAdminAndPass(username, password, ip string, dbHandle *sql.DB) (Admin, error) {\n\tadmin, err := sqlCommonGetAdminByUsername(username, dbHandle)\n\tif err != nil {\n\t\tproviderLog(logger.LevelWarn, \"error authenticating admin %q: %v\", username, err)\n\t\treturn admin, err\n\t}\n\terr = admin.checkUserAndPass(password, ip)\n\treturn admin, err\n}\n\nfunc sqlCommonAddAdmin(admin *Admin, dbHandle *sql.DB) error {\n\terr := admin.validate()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tperms, err := json.Marshal(admin.Permissions)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tfilters, err := json.Marshal(admin.Filters)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\treturn sqlCommonExecuteTx(ctx, dbHandle, func(tx *sql.Tx) error {\n\t\tq := getAddAdminQuery(admin.Role)\n\t\t_, err = tx.ExecContext(ctx, q, admin.Username, admin.Password, admin.Status, admin.Email, perms,\n\t\t\tfilters, admin.AdditionalInfo, admin.Description, util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\t\tutil.GetTimeAsMsSinceEpoch(time.Now()), admin.Role)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn generateAdminGroupMapping(ctx, admin, tx)\n\t})\n}\n\nfunc sqlCommonUpdateAdmin(admin *Admin, dbHandle *sql.DB) error {\n\terr := admin.validate()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tperms, err := json.Marshal(admin.Permissions)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tfilters, err := json.Marshal(admin.Filters)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\treturn sqlCommonExecuteTx(ctx, dbHandle, func(tx *sql.Tx) error {\n\t\tq := getUpdateAdminQuery(admin.Role)\n\t\t_, err = tx.ExecContext(ctx, q, admin.Password, admin.Status, admin.Email, perms, filters,\n\t\t\tadmin.AdditionalInfo, admin.Description, util.GetTimeAsMsSinceEpoch(time.Now()), admin.Role, admin.Username)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn generateAdminGroupMapping(ctx, admin, tx)\n\t})\n}\n\nfunc sqlCommonDeleteAdmin(admin Admin, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDeleteAdminQuery()\n\tres, err := dbHandle.ExecContext(ctx, q, admin.Username)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn sqlCommonRequireRowAffected(res)\n}\n\nfunc sqlCommonGetAdmins(limit, offset int, order string, dbHandle sqlQuerier) ([]Admin, error) {\n\tadmins := make([]Admin, 0, limit)\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getAdminsQuery(order)\n\trows, err := dbHandle.QueryContext(ctx, q, limit, offset)\n\tif err != nil {\n\t\treturn admins, err\n\t}\n\tdefer rows.Close()\n\n\tfor rows.Next() {\n\t\ta, err := getAdminFromDbRow(rows)\n\t\tif err != nil {\n\t\t\treturn admins, err\n\t\t}\n\t\ta.HideConfidentialData()\n\t\tadmins = append(admins, a)\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn admins, err\n\t}\n\treturn getAdminsWithGroups(ctx, admins, dbHandle)\n}\n\nfunc sqlCommonDumpAdmins(dbHandle sqlQuerier) ([]Admin, error) {\n\tadmins := make([]Admin, 0, 30)\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDumpAdminsQuery()\n\trows, err := dbHandle.QueryContext(ctx, q)\n\tif err != nil {\n\t\treturn admins, err\n\t}\n\tdefer rows.Close()\n\n\tfor rows.Next() {\n\t\ta, err := getAdminFromDbRow(rows)\n\t\tif err != nil {\n\t\t\treturn admins, err\n\t\t}\n\t\tadmins = append(admins, a)\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn admins, err\n\t}\n\treturn getAdminsWithGroups(ctx, admins, dbHandle)\n}\n\nfunc sqlCommonGetIPListEntry(ipOrNet string, listType IPListType, dbHandle sqlQuerier) (IPListEntry, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getIPListEntryQuery()\n\trow := dbHandle.QueryRowContext(ctx, q, listType, ipOrNet)\n\treturn getIPListEntryFromDbRow(row)\n}\n\nfunc sqlCommonDumpIPListEntries(dbHandle *sql.DB) ([]IPListEntry, error) {\n\tcount, err := sqlCommonCountIPListEntries(0, dbHandle)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif count > ipListMemoryLimit {\n\t\tproviderLog(logger.LevelInfo, \"IP lists excluded from dump, too many entries: %d\", count)\n\t\treturn nil, nil\n\t}\n\tentries := make([]IPListEntry, 0, 100)\n\tctx, cancel := context.WithTimeout(context.Background(), longSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDumpListEntriesQuery()\n\n\trows, err := dbHandle.QueryContext(ctx, q)\n\tif err != nil {\n\t\treturn entries, err\n\t}\n\tdefer rows.Close()\n\n\tfor rows.Next() {\n\t\tentry, err := getIPListEntryFromDbRow(rows)\n\t\tif err != nil {\n\t\t\treturn entries, err\n\t\t}\n\t\tentries = append(entries, entry)\n\t}\n\treturn entries, rows.Err()\n}\n\nfunc sqlCommonCountIPListEntries(listType IPListType, dbHandle *sql.DB) (int64, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tvar q string\n\tvar args []any\n\tif listType == 0 {\n\t\tq = getCountAllIPListEntriesQuery()\n\t} else {\n\t\tq = getCountIPListEntriesQuery()\n\t\targs = append(args, listType)\n\t}\n\tvar count int64\n\terr := dbHandle.QueryRowContext(ctx, q, args...).Scan(&count)\n\treturn count, err\n}\n\nfunc sqlCommonGetIPListEntries(listType IPListType, filter, from, order string, limit int, dbHandle sqlQuerier) ([]IPListEntry, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getIPListEntriesQuery(filter, from, order, limit)\n\targs := []any{listType}\n\tif from != \"\" {\n\t\targs = append(args, from)\n\t}\n\tif filter != \"\" {\n\t\targs = append(args, filter+\"%\")\n\t}\n\tif limit > 0 {\n\t\targs = append(args, limit)\n\t}\n\tentries := make([]IPListEntry, 0, limit)\n\trows, err := dbHandle.QueryContext(ctx, q, args...)\n\tif err != nil {\n\t\treturn entries, err\n\t}\n\tdefer rows.Close()\n\n\tfor rows.Next() {\n\t\tentry, err := getIPListEntryFromDbRow(rows)\n\t\tif err != nil {\n\t\t\treturn entries, err\n\t\t}\n\t\tentries = append(entries, entry)\n\t}\n\treturn entries, rows.Err()\n}\n\nfunc sqlCommonGetRecentlyUpdatedIPListEntries(after int64, dbHandle sqlQuerier) ([]IPListEntry, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), longSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getRecentlyUpdatedIPListQuery()\n\tentries := make([]IPListEntry, 0, 5)\n\trows, err := dbHandle.QueryContext(ctx, q, after)\n\tif err != nil {\n\t\treturn entries, err\n\t}\n\tdefer rows.Close()\n\n\tfor rows.Next() {\n\t\tentry, err := getIPListEntryFromDbRow(rows)\n\t\tif err != nil {\n\t\t\treturn entries, err\n\t\t}\n\t\tentries = append(entries, entry)\n\t}\n\treturn entries, rows.Err()\n}\n\nfunc sqlCommonGetListEntriesForIP(ip string, listType IPListType, dbHandle sqlQuerier) ([]IPListEntry, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tvar rows *sql.Rows\n\tvar err error\n\n\tentries := make([]IPListEntry, 0, 2)\n\tif config.Driver == PGSQLDataProviderName || config.Driver == CockroachDataProviderName {\n\t\trows, err = dbHandle.QueryContext(ctx, getIPListEntriesForIPQueryPg(), listType, ip)\n\t\tif err != nil {\n\t\t\treturn entries, err\n\t\t}\n\t} else {\n\t\tipAddr, err := netip.ParseAddr(ip)\n\t\tif err != nil {\n\t\t\treturn entries, fmt.Errorf(\"invalid ip address %s\", ip)\n\t\t}\n\t\tvar netType int\n\t\tvar ipBytes []byte\n\t\tif ipAddr.Is4() || ipAddr.Is4In6() {\n\t\t\tnetType = ipTypeV4\n\t\t\tas4 := ipAddr.As4()\n\t\t\tipBytes = as4[:]\n\t\t} else {\n\t\t\tnetType = ipTypeV6\n\t\t\tas16 := ipAddr.As16()\n\t\t\tipBytes = as16[:]\n\t\t}\n\t\trows, err = dbHandle.QueryContext(ctx, getIPListEntriesForIPQueryNoPg(), listType, netType, ipBytes)\n\t\tif err != nil {\n\t\t\treturn entries, err\n\t\t}\n\t}\n\tdefer rows.Close()\n\n\tfor rows.Next() {\n\t\tentry, err := getIPListEntryFromDbRow(rows)\n\t\tif err != nil {\n\t\t\treturn entries, err\n\t\t}\n\t\tentries = append(entries, entry)\n\t}\n\treturn entries, rows.Err()\n}\n\nfunc sqlCommonAddIPListEntry(entry *IPListEntry, dbHandle *sql.DB) error {\n\tif err := entry.validate(); err != nil {\n\t\treturn err\n\t}\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tvar err error\n\tq := getAddIPListEntryQuery()\n\tfirst := entry.getFirst()\n\tlast := entry.getLast()\n\tvar netType int\n\tif first.Is4() {\n\t\tnetType = ipTypeV4\n\t} else {\n\t\tnetType = ipTypeV6\n\t}\n\tif config.IsShared == 1 {\n\t\treturn sqlCommonExecuteTx(ctx, dbHandle, func(tx *sql.Tx) error {\n\t\t\t_, err := tx.ExecContext(ctx, getRemoveSoftDeletedIPListEntryQuery(), entry.Type, entry.IPOrNet)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tif config.Driver == PGSQLDataProviderName || config.Driver == CockroachDataProviderName {\n\t\t\t\t_, err = tx.ExecContext(ctx, q, entry.Type, entry.IPOrNet, first.String(), last.String(),\n\t\t\t\t\tnetType, entry.Protocols, entry.Description, entry.Mode, util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\t\t\t\tutil.GetTimeAsMsSinceEpoch(time.Now()))\n\t\t\t} else {\n\t\t\t\t_, err = tx.ExecContext(ctx, q, entry.Type, entry.IPOrNet, entry.First, entry.Last,\n\t\t\t\t\tnetType, entry.Protocols, entry.Description, entry.Mode, util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\t\t\t\tutil.GetTimeAsMsSinceEpoch(time.Now()))\n\t\t\t}\n\t\t\treturn err\n\t\t})\n\t}\n\tif config.Driver == PGSQLDataProviderName || config.Driver == CockroachDataProviderName {\n\t\t_, err = dbHandle.ExecContext(ctx, q, entry.Type, entry.IPOrNet, first.String(), last.String(),\n\t\t\tnetType, entry.Protocols, entry.Description, entry.Mode, util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\t\tutil.GetTimeAsMsSinceEpoch(time.Now()))\n\t} else {\n\t\t_, err = dbHandle.ExecContext(ctx, q, entry.Type, entry.IPOrNet, entry.First, entry.Last,\n\t\t\tnetType, entry.Protocols, entry.Description, entry.Mode, util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\t\tutil.GetTimeAsMsSinceEpoch(time.Now()))\n\t}\n\treturn err\n}\n\nfunc sqlCommonUpdateIPListEntry(entry *IPListEntry, dbHandle *sql.DB) error {\n\tif err := entry.validate(); err != nil {\n\t\treturn err\n\t}\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getUpdateIPListEntryQuery()\n\tres, err := dbHandle.ExecContext(ctx, q, entry.Mode, entry.Protocols, entry.Description,\n\t\tutil.GetTimeAsMsSinceEpoch(time.Now()), entry.Type, entry.IPOrNet)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn sqlCommonRequireRowAffected(res)\n}\n\nfunc sqlCommonDeleteIPListEntry(entry IPListEntry, softDelete bool, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDeleteIPListEntryQuery(softDelete)\n\tvar args []any\n\tif softDelete {\n\t\tts := util.GetTimeAsMsSinceEpoch(time.Now())\n\t\targs = append(args, ts, ts)\n\t}\n\targs = append(args, entry.Type, entry.IPOrNet)\n\tres, err := dbHandle.ExecContext(ctx, q, args...)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn sqlCommonRequireRowAffected(res)\n}\n\nfunc sqlCommonGetRoleByName(name string, dbHandle sqlQuerier) (Role, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getRoleByNameQuery()\n\trow := dbHandle.QueryRowContext(ctx, q, name)\n\trole, err := getRoleFromDbRow(row)\n\tif err != nil {\n\t\treturn role, err\n\t}\n\trole, err = getRoleWithUsers(ctx, role, dbHandle)\n\tif err != nil {\n\t\treturn role, err\n\t}\n\treturn getRoleWithAdmins(ctx, role, dbHandle)\n}\n\nfunc sqlCommonDumpRoles(dbHandle sqlQuerier) ([]Role, error) {\n\troles := make([]Role, 0, 10)\n\tctx, cancel := context.WithTimeout(context.Background(), longSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDumpRolesQuery()\n\n\trows, err := dbHandle.QueryContext(ctx, q)\n\tif err != nil {\n\t\treturn roles, err\n\t}\n\tdefer rows.Close()\n\n\tfor rows.Next() {\n\t\trole, err := getRoleFromDbRow(rows)\n\t\tif err != nil {\n\t\t\treturn roles, err\n\t\t}\n\t\troles = append(roles, role)\n\t}\n\treturn roles, rows.Err()\n}\n\nfunc sqlCommonGetRoles(limit int, offset int, order string, minimal bool, dbHandle sqlQuerier) ([]Role, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getRolesQuery(order, minimal)\n\n\troles := make([]Role, 0, limit)\n\trows, err := dbHandle.QueryContext(ctx, q, limit, offset)\n\tif err != nil {\n\t\treturn roles, err\n\t}\n\tdefer rows.Close()\n\n\tfor rows.Next() {\n\t\tvar role Role\n\t\tif minimal {\n\t\t\terr = rows.Scan(&role.ID, &role.Name)\n\t\t} else {\n\t\t\trole, err = getRoleFromDbRow(rows)\n\t\t}\n\t\tif err != nil {\n\t\t\treturn roles, err\n\t\t}\n\t\troles = append(roles, role)\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn roles, err\n\t}\n\tif minimal {\n\t\treturn roles, nil\n\t}\n\troles, err = getRolesWithUsers(ctx, roles, dbHandle)\n\tif err != nil {\n\t\treturn roles, err\n\t}\n\treturn getRolesWithAdmins(ctx, roles, dbHandle)\n}\n\nfunc sqlCommonAddRole(role *Role, dbHandle *sql.DB) error {\n\tif err := role.validate(); err != nil {\n\t\treturn err\n\t}\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getAddRoleQuery()\n\t_, err := dbHandle.ExecContext(ctx, q, role.Name, role.Description, util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\tutil.GetTimeAsMsSinceEpoch(time.Now()))\n\treturn err\n}\n\nfunc sqlCommonUpdateRole(role *Role, dbHandle *sql.DB) error {\n\tif err := role.validate(); err != nil {\n\t\treturn err\n\t}\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getUpdateRoleQuery()\n\tres, err := dbHandle.ExecContext(ctx, q, role.Description, util.GetTimeAsMsSinceEpoch(time.Now()), role.Name)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn sqlCommonRequireRowAffected(res)\n}\n\nfunc sqlCommonDeleteRole(role Role, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDeleteRoleQuery()\n\tres, err := dbHandle.ExecContext(ctx, q, role.Name)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn sqlCommonRequireRowAffected(res)\n}\n\nfunc sqlCommonGetGroupByName(name string, dbHandle sqlQuerier) (Group, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getGroupByNameQuery()\n\n\trow := dbHandle.QueryRowContext(ctx, q, name)\n\tgroup, err := getGroupFromDbRow(row)\n\tif err != nil {\n\t\treturn group, err\n\t}\n\tgroup, err = getGroupWithVirtualFolders(ctx, group, dbHandle)\n\tif err != nil {\n\t\treturn group, err\n\t}\n\tgroup, err = getGroupWithUsers(ctx, group, dbHandle)\n\tif err != nil {\n\t\treturn group, err\n\t}\n\treturn getGroupWithAdmins(ctx, group, dbHandle)\n}\n\nfunc sqlCommonDumpGroups(dbHandle sqlQuerier) ([]Group, error) {\n\tgroups := make([]Group, 0, 50)\n\tctx, cancel := context.WithTimeout(context.Background(), longSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDumpGroupsQuery()\n\n\trows, err := dbHandle.QueryContext(ctx, q)\n\tif err != nil {\n\t\treturn groups, err\n\t}\n\tdefer rows.Close()\n\n\tfor rows.Next() {\n\t\tgroup, err := getGroupFromDbRow(rows)\n\t\tif err != nil {\n\t\t\treturn groups, err\n\t\t}\n\t\tgroups = append(groups, group)\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn groups, err\n\t}\n\treturn getGroupsWithVirtualFolders(ctx, groups, dbHandle)\n}\n\nfunc sqlCommonGetUsersInGroups(names []string, dbHandle sqlQuerier) ([]string, error) {\n\tif len(names) == 0 {\n\t\treturn nil, nil\n\t}\n\tmaxNames := len(sqlPlaceholders)\n\tusernames := make([]string, 0, len(names))\n\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tfor len(names) > 0 {\n\t\tif maxNames > len(names) {\n\t\t\tmaxNames = len(names)\n\t\t}\n\n\t\tq := getUsersInGroupsQuery(maxNames)\n\t\targs := make([]any, 0, maxNames)\n\t\tfor _, name := range names[:maxNames] {\n\t\t\targs = append(args, name)\n\t\t}\n\n\t\trows, err := dbHandle.QueryContext(ctx, q, args...)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tdefer rows.Close()\n\n\t\tfor rows.Next() {\n\t\t\tvar username string\n\t\t\terr = rows.Scan(&username)\n\t\t\tif err != nil {\n\t\t\t\treturn usernames, err\n\t\t\t}\n\t\t\tusernames = append(usernames, username)\n\t\t}\n\t\terr = rows.Err()\n\t\tif err != nil {\n\t\t\treturn usernames, err\n\t\t}\n\t\tnames = names[maxNames:]\n\t}\n\treturn usernames, nil\n}\n\nfunc sqlCommonGetGroupsWithNames(names []string, dbHandle sqlQuerier) ([]Group, error) {\n\tif len(names) == 0 {\n\t\treturn nil, nil\n\t}\n\tmaxNames := len(sqlPlaceholders)\n\tgroups := make([]Group, 0, len(names))\n\tfor len(names) > 0 {\n\t\tif maxNames > len(names) {\n\t\t\tmaxNames = len(names)\n\t\t}\n\t\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\t\tdefer cancel()\n\n\t\tq := getGroupsWithNamesQuery(maxNames)\n\t\targs := make([]any, 0, maxNames)\n\t\tfor _, name := range names[:maxNames] {\n\t\t\targs = append(args, name)\n\t\t}\n\t\trows, err := dbHandle.QueryContext(ctx, q, args...)\n\t\tif err != nil {\n\t\t\treturn groups, err\n\t\t}\n\t\tdefer rows.Close()\n\n\t\tfor rows.Next() {\n\t\t\tgroup, err := getGroupFromDbRow(rows)\n\t\t\tif err != nil {\n\t\t\t\treturn groups, err\n\t\t\t}\n\t\t\tgroups = append(groups, group)\n\t\t}\n\t\terr = rows.Err()\n\t\tif err != nil {\n\t\t\treturn groups, err\n\t\t}\n\t\tnames = names[maxNames:]\n\t}\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\treturn getGroupsWithVirtualFolders(ctx, groups, dbHandle)\n}\n\nfunc sqlCommonGetGroups(limit int, offset int, order string, minimal bool, dbHandle sqlQuerier) ([]Group, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getGroupsQuery(order, minimal)\n\n\tgroups := make([]Group, 0, limit)\n\trows, err := dbHandle.QueryContext(ctx, q, limit, offset)\n\tif err != nil {\n\t\treturn groups, err\n\t}\n\tdefer rows.Close()\n\n\tfor rows.Next() {\n\t\tvar group Group\n\t\tif minimal {\n\t\t\terr = rows.Scan(&group.ID, &group.Name)\n\t\t} else {\n\t\t\tgroup, err = getGroupFromDbRow(rows)\n\t\t}\n\t\tif err != nil {\n\t\t\treturn groups, err\n\t\t}\n\t\tgroups = append(groups, group)\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn groups, err\n\t}\n\tif minimal {\n\t\treturn groups, nil\n\t}\n\tgroups, err = getGroupsWithVirtualFolders(ctx, groups, dbHandle)\n\tif err != nil {\n\t\treturn groups, err\n\t}\n\tgroups, err = getGroupsWithUsers(ctx, groups, dbHandle)\n\tif err != nil {\n\t\treturn groups, err\n\t}\n\tgroups, err = getGroupsWithAdmins(ctx, groups, dbHandle)\n\tif err != nil {\n\t\treturn groups, err\n\t}\n\tfor idx := range groups {\n\t\tgroups[idx].PrepareForRendering()\n\t}\n\treturn groups, nil\n}\n\nfunc sqlCommonAddGroup(group *Group, dbHandle *sql.DB) error {\n\tif err := group.validate(); err != nil {\n\t\treturn err\n\t}\n\tsettings, err := json.Marshal(group.UserSettings)\n\tif err != nil {\n\t\treturn err\n\t}\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\treturn sqlCommonExecuteTx(ctx, dbHandle, func(tx *sql.Tx) error {\n\t\tq := getAddGroupQuery()\n\t\t_, err := tx.ExecContext(ctx, q, group.Name, group.Description, util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\t\tutil.GetTimeAsMsSinceEpoch(time.Now()), settings)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn generateGroupVirtualFoldersMapping(ctx, group, tx)\n\t})\n}\n\nfunc sqlCommonUpdateGroup(group *Group, dbHandle *sql.DB) error {\n\tif err := group.validate(); err != nil {\n\t\treturn err\n\t}\n\n\tsettings, err := json.Marshal(group.UserSettings)\n\tif err != nil {\n\t\treturn err\n\t}\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\treturn sqlCommonExecuteTx(ctx, dbHandle, func(tx *sql.Tx) error {\n\t\tq := getUpdateGroupQuery()\n\t\t_, err := tx.ExecContext(ctx, q, group.Description, settings, util.GetTimeAsMsSinceEpoch(time.Now()), group.Name)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn generateGroupVirtualFoldersMapping(ctx, group, tx)\n\t})\n}\n\nfunc sqlCommonDeleteGroup(group Group, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDeleteGroupQuery()\n\tres, err := dbHandle.ExecContext(ctx, q, group.Name)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn sqlCommonRequireRowAffected(res)\n}\n\nfunc sqlCommonGetUserByUsername(username, role string, dbHandle sqlQuerier) (User, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getUserByUsernameQuery(role)\n\targs := []any{username}\n\tif role != \"\" {\n\t\targs = append(args, role)\n\t}\n\trow := dbHandle.QueryRowContext(ctx, q, args...)\n\tuser, err := getUserFromDbRow(row)\n\tif err != nil {\n\t\treturn user, err\n\t}\n\tuser, err = getUserWithVirtualFolders(ctx, user, dbHandle)\n\tif err != nil {\n\t\treturn user, err\n\t}\n\treturn getUserWithGroups(ctx, user, dbHandle)\n}\n\nfunc sqlCommonValidateUserAndPass(username, password, ip, protocol string, dbHandle *sql.DB) (User, error) {\n\tuser, err := sqlCommonGetUserByUsername(username, \"\", dbHandle)\n\tif err != nil {\n\t\tproviderLog(logger.LevelWarn, \"error authenticating user %q: %v\", username, err)\n\t\treturn user, err\n\t}\n\treturn checkUserAndPass(&user, password, ip, protocol)\n}\n\nfunc sqlCommonValidateUserAndTLSCertificate(username, protocol string, tlsCert *x509.Certificate, dbHandle *sql.DB) (User, error) {\n\tvar user User\n\tif tlsCert == nil {\n\t\treturn user, errors.New(\"TLS certificate cannot be null or empty\")\n\t}\n\tuser, err := sqlCommonGetUserByUsername(username, \"\", dbHandle)\n\tif err != nil {\n\t\tproviderLog(logger.LevelWarn, \"error authenticating user %q: %v\", username, err)\n\t\treturn user, err\n\t}\n\treturn checkUserAndTLSCertificate(&user, protocol, tlsCert)\n}\n\nfunc sqlCommonValidateUserAndPubKey(username string, pubKey []byte, isSSHCert bool, dbHandle *sql.DB) (User, string, error) {\n\tvar user User\n\tif len(pubKey) == 0 {\n\t\treturn user, \"\", errors.New(\"credentials cannot be null or empty\")\n\t}\n\tuser, err := sqlCommonGetUserByUsername(username, \"\", dbHandle)\n\tif err != nil {\n\t\tproviderLog(logger.LevelWarn, \"error authenticating user %q: %v\", username, err)\n\t\treturn user, \"\", err\n\t}\n\treturn checkUserAndPubKey(&user, pubKey, isSSHCert)\n}\n\nfunc sqlCommonCheckAvailability(dbHandle *sql.DB) (err error) {\n\tdefer func() {\n\t\tif r := recover(); r != nil {\n\t\t\tproviderLog(logger.LevelError, \"panic in check provider availability, stack trace: %s\", string(debug.Stack()))\n\t\t\terr = errors.New(\"unable to check provider status\")\n\t\t}\n\t}()\n\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\terr = dbHandle.PingContext(ctx)\n\treturn\n}\n\nfunc sqlCommonUpdateTransferQuota(username string, uploadSize, downloadSize int64, reset bool, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getUpdateTransferQuotaQuery(reset)\n\t_, err := dbHandle.ExecContext(ctx, q, uploadSize, downloadSize, util.GetTimeAsMsSinceEpoch(time.Now()), username)\n\tif err == nil {\n\t\tproviderLog(logger.LevelDebug, \"transfer quota updated for user %q, ul increment: %d dl increment: %d is reset? %t\",\n\t\t\tusername, uploadSize, downloadSize, reset)\n\t} else {\n\t\tproviderLog(logger.LevelError, \"error updating quota for user %q: %v\", username, err)\n\t}\n\treturn err\n}\n\nfunc sqlCommonUpdateQuota(username string, filesAdd int, sizeAdd int64, reset bool, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getUpdateQuotaQuery(reset)\n\t_, err := dbHandle.ExecContext(ctx, q, sizeAdd, filesAdd, util.GetTimeAsMsSinceEpoch(time.Now()), username)\n\tif err == nil {\n\t\tproviderLog(logger.LevelDebug, \"quota updated for user %q, files increment: %d size increment: %d is reset? %t\",\n\t\t\tusername, filesAdd, sizeAdd, reset)\n\t} else {\n\t\tproviderLog(logger.LevelError, \"error updating quota for user %q: %v\", username, err)\n\t}\n\treturn err\n}\n\nfunc sqlCommonGetAdminSignature(username string, dbHandle *sql.DB) (string, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getAdminSignatureQuery()\n\tvar updatedAt int64\n\terr := dbHandle.QueryRowContext(ctx, q, username).Scan(&updatedAt)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn strconv.FormatInt(updatedAt, 10), nil\n}\n\nfunc sqlCommonGetUserSignature(username string, dbHandle *sql.DB) (string, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getUserSignatureQuery()\n\tvar updatedAt int64\n\terr := dbHandle.QueryRowContext(ctx, q, username).Scan(&updatedAt)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn strconv.FormatInt(updatedAt, 10), nil\n}\n\nfunc sqlCommonGetUsedQuota(username string, dbHandle *sql.DB) (int, int64, int64, int64, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getQuotaQuery()\n\tvar usedFiles int\n\tvar usedSize, usedUploadSize, usedDownloadSize int64\n\terr := dbHandle.QueryRowContext(ctx, q, username).Scan(&usedSize, &usedFiles, &usedUploadSize, &usedDownloadSize)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"error getting quota for user: %v, error: %v\", username, err)\n\t\treturn 0, 0, 0, 0, err\n\t}\n\treturn usedFiles, usedSize, usedUploadSize, usedDownloadSize, err\n}\n\nfunc sqlCommonUpdateShareLastUse(shareID string, numTokens int, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getUpdateShareLastUseQuery()\n\t_, err := dbHandle.ExecContext(ctx, q, util.GetTimeAsMsSinceEpoch(time.Now()), numTokens, shareID)\n\tif err == nil {\n\t\tproviderLog(logger.LevelDebug, \"last use updated for shared object %q\", shareID)\n\t} else {\n\t\tproviderLog(logger.LevelWarn, \"error updating last use for shared object %q: %v\", shareID, err)\n\t}\n\treturn err\n}\n\nfunc sqlCommonUpdateAPIKeyLastUse(keyID string, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getUpdateAPIKeyLastUseQuery()\n\t_, err := dbHandle.ExecContext(ctx, q, util.GetTimeAsMsSinceEpoch(time.Now()), keyID)\n\tif err == nil {\n\t\tproviderLog(logger.LevelDebug, \"last use updated for key %q\", keyID)\n\t} else {\n\t\tproviderLog(logger.LevelWarn, \"error updating last use for key %q: %v\", keyID, err)\n\t}\n\treturn err\n}\n\nfunc sqlCommonUpdateAdminLastLogin(username string, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getUpdateAdminLastLoginQuery()\n\t_, err := dbHandle.ExecContext(ctx, q, util.GetTimeAsMsSinceEpoch(time.Now()), username)\n\tif err == nil {\n\t\tproviderLog(logger.LevelDebug, \"last login updated for admin %q\", username)\n\t} else {\n\t\tproviderLog(logger.LevelWarn, \"error updating last login for admin %q: %v\", username, err)\n\t}\n\treturn err\n}\n\nfunc sqlCommonSetUpdatedAt(username string, dbHandle *sql.DB) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getSetUpdateAtQuery()\n\t_, err := dbHandle.ExecContext(ctx, q, util.GetTimeAsMsSinceEpoch(time.Now()), username)\n\tif err == nil {\n\t\tproviderLog(logger.LevelDebug, \"updated_at set for user %q\", username)\n\t} else {\n\t\tproviderLog(logger.LevelWarn, \"error setting updated_at for user %q: %v\", username, err)\n\t}\n}\n\nfunc sqlCommonSetFirstDownloadTimestamp(username string, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getSetFirstDownloadQuery()\n\tres, err := dbHandle.ExecContext(ctx, q, util.GetTimeAsMsSinceEpoch(time.Now()), username)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn sqlCommonRequireRowAffected(res)\n}\n\nfunc sqlCommonSetFirstUploadTimestamp(username string, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getSetFirstUploadQuery()\n\tres, err := dbHandle.ExecContext(ctx, q, util.GetTimeAsMsSinceEpoch(time.Now()), username)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn sqlCommonRequireRowAffected(res)\n}\n\nfunc sqlCommonUpdateLastLogin(username string, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getUpdateLastLoginQuery()\n\t_, err := dbHandle.ExecContext(ctx, q, util.GetTimeAsMsSinceEpoch(time.Now()), username)\n\tif err == nil {\n\t\tproviderLog(logger.LevelDebug, \"last login updated for user %q\", username)\n\t} else {\n\t\tproviderLog(logger.LevelWarn, \"error updating last login for user %q: %v\", username, err)\n\t}\n\treturn err\n}\n\nfunc sqlCommonAddUser(user *User, dbHandle *sql.DB) error {\n\terr := ValidateUser(user)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tpermissions, err := user.GetPermissionsAsJSON()\n\tif err != nil {\n\t\treturn err\n\t}\n\tpublicKeys, err := user.GetPublicKeysAsJSON()\n\tif err != nil {\n\t\treturn err\n\t}\n\tfilters, err := user.GetFiltersAsJSON()\n\tif err != nil {\n\t\treturn err\n\t}\n\tfsConfig, err := user.GetFsConfigAsJSON()\n\tif err != nil {\n\t\treturn err\n\t}\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\treturn sqlCommonExecuteTx(ctx, dbHandle, func(tx *sql.Tx) error {\n\t\tif config.IsShared == 1 {\n\t\t\t_, err := tx.ExecContext(ctx, getRemoveSoftDeletedUserQuery(), user.Username)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\tq := getAddUserQuery(user.Role)\n\t\t_, err := tx.ExecContext(ctx, q, user.Username, user.Password, publicKeys, user.HomeDir, user.UID, user.GID,\n\t\t\tuser.MaxSessions, user.QuotaSize, user.QuotaFiles, permissions, user.UploadBandwidth,\n\t\t\tuser.DownloadBandwidth, user.Status, user.ExpirationDate, filters, fsConfig, user.AdditionalInfo,\n\t\t\tuser.Description, user.Email, util.GetTimeAsMsSinceEpoch(time.Now()), util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\t\tuser.UploadDataTransfer, user.DownloadDataTransfer, user.TotalDataTransfer, user.Role, user.LastPasswordChange)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err := generateUserVirtualFoldersMapping(ctx, user, tx); err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn generateUserGroupMapping(ctx, user, tx)\n\t})\n}\n\nfunc sqlCommonUpdateUserPassword(username, password string, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getUpdateUserPasswordQuery()\n\tres, err := dbHandle.ExecContext(ctx, q, password, util.GetTimeAsMsSinceEpoch(time.Now()), username)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn sqlCommonRequireRowAffected(res)\n}\n\nfunc sqlCommonUpdateUser(user *User, dbHandle *sql.DB) error {\n\terr := ValidateUser(user)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tpermissions, err := user.GetPermissionsAsJSON()\n\tif err != nil {\n\t\treturn err\n\t}\n\tpublicKeys, err := user.GetPublicKeysAsJSON()\n\tif err != nil {\n\t\treturn err\n\t}\n\tfilters, err := user.GetFiltersAsJSON()\n\tif err != nil {\n\t\treturn err\n\t}\n\tfsConfig, err := user.GetFsConfigAsJSON()\n\tif err != nil {\n\t\treturn err\n\t}\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\treturn sqlCommonExecuteTx(ctx, dbHandle, func(tx *sql.Tx) error {\n\t\tq := getUpdateUserQuery(user.Role)\n\t\tres, err := tx.ExecContext(ctx, q, user.Password, publicKeys, user.HomeDir, user.UID, user.GID, user.MaxSessions,\n\t\t\tuser.QuotaSize, user.QuotaFiles, permissions, user.UploadBandwidth, user.DownloadBandwidth, user.Status,\n\t\t\tuser.ExpirationDate, filters, fsConfig, user.AdditionalInfo, user.Description, user.Email,\n\t\t\tutil.GetTimeAsMsSinceEpoch(time.Now()), user.UploadDataTransfer, user.DownloadDataTransfer, user.TotalDataTransfer,\n\t\t\tuser.Role, user.LastPasswordChange, user.Username)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err := sqlCommonRequireRowAffected(res); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err := generateUserVirtualFoldersMapping(ctx, user, tx); err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn generateUserGroupMapping(ctx, user, tx)\n\t})\n}\n\nfunc sqlCommonDeleteUser(user User, softDelete bool, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDeleteUserQuery(softDelete)\n\tif softDelete {\n\t\treturn sqlCommonExecuteTx(ctx, dbHandle, func(tx *sql.Tx) error {\n\t\t\tif err := sqlCommonClearUserFolderMapping(ctx, &user, tx); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tif err := sqlCommonClearUserGroupMapping(ctx, &user, tx); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tts := util.GetTimeAsMsSinceEpoch(time.Now())\n\t\t\tres, err := tx.ExecContext(ctx, q, ts, ts, user.Username)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\treturn sqlCommonRequireRowAffected(res)\n\t\t})\n\t}\n\tres, err := dbHandle.ExecContext(ctx, q, user.Username)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn sqlCommonRequireRowAffected(res)\n}\n\nfunc sqlCommonDumpUsers(dbHandle sqlQuerier) ([]User, error) {\n\tusers := make([]User, 0, 100)\n\tctx, cancel := context.WithTimeout(context.Background(), longSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDumpUsersQuery()\n\trows, err := dbHandle.QueryContext(ctx, q)\n\tif err != nil {\n\t\treturn users, err\n\t}\n\n\tdefer rows.Close()\n\tfor rows.Next() {\n\t\tu, err := getUserFromDbRow(rows)\n\t\tif err != nil {\n\t\t\treturn users, err\n\t\t}\n\t\tusers = append(users, u)\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn users, err\n\t}\n\tusers, err = getUsersWithVirtualFolders(ctx, users, dbHandle)\n\tif err != nil {\n\t\treturn users, err\n\t}\n\treturn getUsersWithGroups(ctx, users, dbHandle)\n}\n\nfunc sqlCommonGetRecentlyUpdatedUsers(after int64, dbHandle sqlQuerier) ([]User, error) {\n\tusers := make([]User, 0, 10)\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getRecentlyUpdatedUsersQuery()\n\n\trows, err := dbHandle.QueryContext(ctx, q, after)\n\tif err != nil {\n\t\treturn users, err\n\t}\n\tdefer rows.Close()\n\n\tfor rows.Next() {\n\t\tu, err := getUserFromDbRow(rows)\n\t\tif err != nil {\n\t\t\treturn users, err\n\t\t}\n\t\tusers = append(users, u)\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn users, err\n\t}\n\tusers, err = getUsersWithVirtualFolders(ctx, users, dbHandle)\n\tif err != nil {\n\t\treturn users, err\n\t}\n\tusers, err = getUsersWithGroups(ctx, users, dbHandle)\n\tif err != nil {\n\t\treturn users, err\n\t}\n\tvar groupNames []string\n\tfor _, u := range users {\n\t\tfor _, g := range u.Groups {\n\t\t\tgroupNames = append(groupNames, g.Name)\n\t\t}\n\t}\n\tgroupNames = util.RemoveDuplicates(groupNames, false)\n\tif len(groupNames) == 0 {\n\t\treturn users, nil\n\t}\n\tgroups, err := sqlCommonGetGroupsWithNames(groupNames, dbHandle)\n\tif err != nil {\n\t\treturn users, err\n\t}\n\tif len(groups) == 0 {\n\t\treturn users, nil\n\t}\n\tgroupsMapping := make(map[string]Group)\n\tfor idx := range groups {\n\t\tgroupsMapping[groups[idx].Name] = groups[idx]\n\t}\n\tfor idx := range users {\n\t\tref := &users[idx]\n\t\tref.applyGroupSettings(groupsMapping)\n\t}\n\treturn users, nil\n}\n\nfunc sqlGetMaxUsersForQuotaCheckRange() int {\n\tmaxUsers := 50\n\tif maxUsers > len(sqlPlaceholders) {\n\t\tmaxUsers = len(sqlPlaceholders)\n\t}\n\treturn maxUsers\n}\n\nfunc sqlCommonGetUsersForQuotaCheck(toFetch map[string]bool, dbHandle sqlQuerier) ([]User, error) {\n\tmaxUsers := sqlGetMaxUsersForQuotaCheckRange()\n\tusers := make([]User, 0, maxUsers)\n\n\tusernames := make([]string, 0, len(toFetch))\n\tfor k := range toFetch {\n\t\tusernames = append(usernames, k)\n\t}\n\n\tfor len(usernames) > 0 {\n\t\tif maxUsers > len(usernames) {\n\t\t\tmaxUsers = len(usernames)\n\t\t}\n\t\tusersRange, err := sqlCommonGetUsersRangeForQuotaCheck(usernames[:maxUsers], dbHandle)\n\t\tif err != nil {\n\t\t\treturn users, err\n\t\t}\n\t\tusers = append(users, usersRange...)\n\t\tusernames = usernames[maxUsers:]\n\t}\n\n\tvar usersWithFolders []User\n\n\tvalidIdx := 0\n\tfor _, user := range users {\n\t\tif toFetch[user.Username] {\n\t\t\tusersWithFolders = append(usersWithFolders, user)\n\t\t} else {\n\t\t\tusers[validIdx] = user\n\t\t\tvalidIdx++\n\t\t}\n\t}\n\tusers = users[:validIdx]\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tusersWithFolders, err := getUsersWithVirtualFolders(ctx, usersWithFolders, dbHandle)\n\tif err != nil {\n\t\treturn users, err\n\t}\n\tusers = append(users, usersWithFolders...)\n\tusers, err = getUsersWithGroups(ctx, users, dbHandle)\n\tif err != nil {\n\t\treturn users, err\n\t}\n\tvar groupNames []string\n\tfor _, u := range users {\n\t\tfor _, g := range u.Groups {\n\t\t\tgroupNames = append(groupNames, g.Name)\n\t\t}\n\t}\n\tgroupNames = util.RemoveDuplicates(groupNames, false)\n\tif len(groupNames) == 0 {\n\t\treturn users, nil\n\t}\n\tgroups, err := sqlCommonGetGroupsWithNames(groupNames, dbHandle)\n\tif err != nil {\n\t\treturn users, err\n\t}\n\tgroupsMapping := make(map[string]Group)\n\tfor idx := range groups {\n\t\tgroupsMapping[groups[idx].Name] = groups[idx]\n\t}\n\tfor idx := range users {\n\t\tref := &users[idx]\n\t\tref.applyGroupSettings(groupsMapping)\n\t}\n\treturn users, nil\n}\n\nfunc sqlCommonGetUsersRangeForQuotaCheck(usernames []string, dbHandle sqlQuerier) ([]User, error) {\n\tusers := make([]User, 0, len(usernames))\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getUsersForQuotaCheckQuery(len(usernames))\n\tqueryArgs := make([]any, 0, len(usernames))\n\tfor idx := range usernames {\n\t\tqueryArgs = append(queryArgs, usernames[idx])\n\t}\n\n\trows, err := dbHandle.QueryContext(ctx, q, queryArgs...)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer rows.Close()\n\n\tfor rows.Next() {\n\t\tvar user User\n\t\tvar filters []byte\n\t\terr = rows.Scan(&user.ID, &user.Username, &user.QuotaSize, &user.UsedQuotaSize, &user.TotalDataTransfer,\n\t\t\t&user.UploadDataTransfer, &user.DownloadDataTransfer, &user.UsedUploadDataTransfer,\n\t\t\t&user.UsedDownloadDataTransfer, &filters)\n\t\tif err != nil {\n\t\t\treturn users, err\n\t\t}\n\t\tvar userFilters UserFilters\n\t\terr = json.Unmarshal(filters, &userFilters)\n\t\tif err == nil {\n\t\t\tuser.Filters = userFilters\n\t\t}\n\t\tusers = append(users, user)\n\t}\n\n\treturn users, rows.Err()\n}\n\nfunc sqlCommonAddActiveTransfer(transfer ActiveTransfer, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getAddActiveTransferQuery()\n\tnow := util.GetTimeAsMsSinceEpoch(time.Now())\n\t_, err := dbHandle.ExecContext(ctx, q, transfer.ID, transfer.ConnID, transfer.Type, transfer.Username,\n\t\ttransfer.FolderName, transfer.IP, transfer.TruncatedSize, transfer.CurrentULSize, transfer.CurrentDLSize,\n\t\tnow, now)\n\treturn err\n}\n\nfunc sqlCommonUpdateActiveTransferSizes(ulSize, dlSize, transferID int64, connectionID string, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getUpdateActiveTransferSizesQuery()\n\t_, err := dbHandle.ExecContext(ctx, q, ulSize, dlSize, util.GetTimeAsMsSinceEpoch(time.Now()), connectionID, transferID)\n\treturn err\n}\n\nfunc sqlCommonRemoveActiveTransfer(transferID int64, connectionID string, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getRemoveActiveTransferQuery()\n\t_, err := dbHandle.ExecContext(ctx, q, connectionID, transferID)\n\treturn err\n}\n\nfunc sqlCommonCleanupActiveTransfers(before time.Time, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getCleanupActiveTransfersQuery()\n\t_, err := dbHandle.ExecContext(ctx, q, util.GetTimeAsMsSinceEpoch(before))\n\treturn err\n}\n\nfunc sqlCommonGetActiveTransfers(from time.Time, dbHandle sqlQuerier) ([]ActiveTransfer, error) {\n\ttransfers := make([]ActiveTransfer, 0, 30)\n\tctx, cancel := context.WithTimeout(context.Background(), longSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getActiveTransfersQuery()\n\trows, err := dbHandle.QueryContext(ctx, q, util.GetTimeAsMsSinceEpoch(from))\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tdefer rows.Close()\n\tfor rows.Next() {\n\t\tvar transfer ActiveTransfer\n\t\tvar folderName sql.NullString\n\t\terr = rows.Scan(&transfer.ID, &transfer.ConnID, &transfer.Type, &transfer.Username, &folderName, &transfer.IP,\n\t\t\t&transfer.TruncatedSize, &transfer.CurrentULSize, &transfer.CurrentDLSize, &transfer.CreatedAt,\n\t\t\t&transfer.UpdatedAt)\n\t\tif err != nil {\n\t\t\treturn transfers, err\n\t\t}\n\t\tif folderName.Valid {\n\t\t\ttransfer.FolderName = folderName.String\n\t\t}\n\t\ttransfers = append(transfers, transfer)\n\t}\n\n\treturn transfers, rows.Err()\n}\n\nfunc sqlCommonGetUsers(limit int, offset int, order, role string, dbHandle sqlQuerier) ([]User, error) {\n\tusers := make([]User, 0, limit)\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getUsersQuery(order, role)\n\tvar args []any\n\tif role == \"\" {\n\t\targs = append(args, limit, offset)\n\t} else {\n\t\targs = append(args, role, limit, offset)\n\t}\n\trows, err := dbHandle.QueryContext(ctx, q, args...)\n\tif err != nil {\n\t\treturn users, err\n\t}\n\tdefer rows.Close()\n\n\tfor rows.Next() {\n\t\tu, err := getUserFromDbRow(rows)\n\t\tif err != nil {\n\t\t\treturn users, err\n\t\t}\n\t\tusers = append(users, u)\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn users, err\n\t}\n\tusers, err = getUsersWithVirtualFolders(ctx, users, dbHandle)\n\tif err != nil {\n\t\treturn users, err\n\t}\n\tusers, err = getUsersWithGroups(ctx, users, dbHandle)\n\tif err != nil {\n\t\treturn users, err\n\t}\n\tfor idx := range users {\n\t\tusers[idx].PrepareForRendering()\n\t}\n\treturn users, nil\n}\n\nfunc sqlCommonGetDefenderHosts(from int64, limit int, dbHandle sqlQuerier) ([]DefenderEntry, error) {\n\thosts := make([]DefenderEntry, 0, 100)\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDefenderHostsQuery()\n\trows, err := dbHandle.QueryContext(ctx, q, from, limit)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to get defender hosts: %v\", err)\n\t\treturn hosts, err\n\t}\n\tdefer rows.Close()\n\n\tvar idForScores []int64\n\n\tfor rows.Next() {\n\t\tvar banTime sql.NullInt64\n\t\thost := DefenderEntry{}\n\t\terr = rows.Scan(&host.ID, &host.IP, &banTime)\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelError, \"unable to scan defender host row: %v\", err)\n\t\t\treturn hosts, err\n\t\t}\n\t\tvar hostBanTime time.Time\n\t\tif banTime.Valid && banTime.Int64 > 0 {\n\t\t\thostBanTime = util.GetTimeFromMsecSinceEpoch(banTime.Int64)\n\t\t}\n\t\tif hostBanTime.IsZero() || hostBanTime.Before(time.Now()) {\n\t\t\tidForScores = append(idForScores, host.ID)\n\t\t} else {\n\t\t\thost.BanTime = hostBanTime\n\t\t}\n\t\thosts = append(hosts, host)\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to iterate over defender host rows: %v\", err)\n\t\treturn hosts, err\n\t}\n\n\treturn getDefenderHostsWithScores(ctx, hosts, from, idForScores, dbHandle)\n}\n\nfunc sqlCommonIsDefenderHostBanned(ip string, dbHandle sqlQuerier) (DefenderEntry, error) {\n\tvar host DefenderEntry\n\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDefenderIsHostBannedQuery()\n\trow := dbHandle.QueryRowContext(ctx, q, ip, util.GetTimeAsMsSinceEpoch(time.Now()))\n\terr := row.Scan(&host.ID)\n\tif err != nil {\n\t\tif errors.Is(err, sql.ErrNoRows) {\n\t\t\treturn host, util.NewRecordNotFoundError(\"host not found\")\n\t\t}\n\t\tproviderLog(logger.LevelError, \"unable to check ban status for host %q: %v\", ip, err)\n\t\treturn host, err\n\t}\n\n\treturn host, nil\n}\n\nfunc sqlCommonGetDefenderHostByIP(ip string, from int64, dbHandle sqlQuerier) (DefenderEntry, error) {\n\tvar host DefenderEntry\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDefenderHostQuery()\n\trow := dbHandle.QueryRowContext(ctx, q, ip, from)\n\tvar banTime sql.NullInt64\n\terr := row.Scan(&host.ID, &host.IP, &banTime)\n\tif err != nil {\n\t\tif errors.Is(err, sql.ErrNoRows) {\n\t\t\treturn host, util.NewRecordNotFoundError(\"host not found\")\n\t\t}\n\t\tproviderLog(logger.LevelError, \"unable to get host for ip %q: %v\", ip, err)\n\t\treturn host, err\n\t}\n\tif banTime.Valid && banTime.Int64 > 0 {\n\t\thostBanTime := util.GetTimeFromMsecSinceEpoch(banTime.Int64)\n\t\tif !hostBanTime.IsZero() && hostBanTime.After(time.Now()) {\n\t\t\thost.BanTime = hostBanTime\n\t\t\treturn host, nil\n\t\t}\n\t}\n\n\thosts, err := getDefenderHostsWithScores(ctx, []DefenderEntry{host}, from, []int64{host.ID}, dbHandle)\n\tif err != nil {\n\t\treturn host, err\n\t}\n\tif len(hosts) == 0 {\n\t\treturn host, util.NewRecordNotFoundError(\"host not found\")\n\t}\n\n\treturn hosts[0], nil\n}\n\nfunc sqlCommonDefenderIncrementBanTime(ip string, minutesToAdd int, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDefenderIncrementBanTimeQuery()\n\t_, err := dbHandle.ExecContext(ctx, q, minutesToAdd*60000, ip)\n\tif err == nil {\n\t\tproviderLog(logger.LevelDebug, \"ban time updated for ip %q, increment (minutes): %v\",\n\t\t\tip, minutesToAdd)\n\t} else {\n\t\tproviderLog(logger.LevelError, \"error updating ban time for ip %q: %v\", ip, err)\n\t}\n\treturn err\n}\n\nfunc sqlCommonSetDefenderBanTime(ip string, banTime int64, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDefenderSetBanTimeQuery()\n\t_, err := dbHandle.ExecContext(ctx, q, banTime, ip)\n\tif err == nil {\n\t\tproviderLog(logger.LevelDebug, \"ip %q banned until %v\", ip, util.GetTimeFromMsecSinceEpoch(banTime))\n\t} else {\n\t\tproviderLog(logger.LevelError, \"error setting ban time for ip %q: %v\", ip, err)\n\t}\n\treturn err\n}\n\nfunc sqlCommonDeleteDefenderHost(ip string, dbHandle sqlQuerier) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDeleteDefenderHostQuery()\n\tres, err := dbHandle.ExecContext(ctx, q, ip)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to delete defender host %q: %v\", ip, err)\n\t\treturn err\n\t}\n\treturn sqlCommonRequireRowAffected(res)\n}\n\nfunc sqlCommonAddDefenderHostAndEvent(ip string, score int, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\treturn sqlCommonExecuteTx(ctx, dbHandle, func(tx *sql.Tx) error {\n\t\tif err := sqlCommonAddDefenderHost(ctx, ip, tx); err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn sqlCommonAddDefenderEvent(ctx, ip, score, tx)\n\t})\n}\n\nfunc sqlCommonDefenderCleanup(from int64, dbHandler *sql.DB) error {\n\tif err := sqlCommonCleanupDefenderEvents(from, dbHandler); err != nil {\n\t\treturn err\n\t}\n\treturn sqlCommonCleanupDefenderHosts(from, dbHandler)\n}\n\nfunc sqlCommonAddDefenderHost(ctx context.Context, ip string, tx *sql.Tx) error {\n\tq := getAddDefenderHostQuery()\n\t_, err := tx.ExecContext(ctx, q, ip, util.GetTimeAsMsSinceEpoch(time.Now()))\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to add defender host %q: %v\", ip, err)\n\t}\n\treturn err\n}\n\nfunc sqlCommonAddDefenderEvent(ctx context.Context, ip string, score int, tx *sql.Tx) error {\n\tq := getAddDefenderEventQuery()\n\t_, err := tx.ExecContext(ctx, q, util.GetTimeAsMsSinceEpoch(time.Now()), score, ip)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to add defender event for %q: %v\", ip, err)\n\t}\n\treturn err\n}\n\nfunc sqlCommonCleanupDefenderHosts(from int64, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDefenderHostsCleanupQuery()\n\t_, err := dbHandle.ExecContext(ctx, q, util.GetTimeAsMsSinceEpoch(time.Now()), from)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to cleanup defender hosts: %v\", err)\n\t}\n\treturn err\n}\n\nfunc sqlCommonCleanupDefenderEvents(from int64, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDefenderEventsCleanupQuery()\n\t_, err := dbHandle.ExecContext(ctx, q, from)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to cleanup defender events: %v\", err)\n\t}\n\treturn err\n}\n\nfunc getShareFromDbRow(row sqlScanner) (Share, error) {\n\tvar share Share\n\tvar description, password sql.NullString\n\tvar allowFrom, paths []byte\n\n\terr := row.Scan(&share.ShareID, &share.Name, &description, &share.Scope,\n\t\t&paths, &share.Username, &share.CreatedAt, &share.UpdatedAt,\n\t\t&share.LastUseAt, &share.ExpiresAt, &password, &share.MaxTokens,\n\t\t&share.UsedTokens, &allowFrom)\n\tif err != nil {\n\t\tif errors.Is(err, sql.ErrNoRows) {\n\t\t\treturn share, util.NewRecordNotFoundError(err.Error())\n\t\t}\n\t\treturn share, err\n\t}\n\tvar list []string\n\terr = json.Unmarshal(paths, &list)\n\tif err != nil {\n\t\treturn share, err\n\t}\n\tshare.Paths = list\n\tif description.Valid {\n\t\tshare.Description = description.String\n\t}\n\tif password.Valid {\n\t\tshare.Password = password.String\n\t}\n\tlist = nil\n\terr = json.Unmarshal(allowFrom, &list)\n\tif err == nil {\n\t\tshare.AllowFrom = list\n\t}\n\treturn share, nil\n}\n\nfunc getAPIKeyFromDbRow(row sqlScanner) (APIKey, error) {\n\tvar apiKey APIKey\n\tvar userID, adminID sql.NullInt64\n\tvar description sql.NullString\n\n\terr := row.Scan(&apiKey.KeyID, &apiKey.Name, &apiKey.Key, &apiKey.Scope, &apiKey.CreatedAt, &apiKey.UpdatedAt,\n\t\t&apiKey.LastUseAt, &apiKey.ExpiresAt, &description, &userID, &adminID)\n\n\tif err != nil {\n\t\tif errors.Is(err, sql.ErrNoRows) {\n\t\t\treturn apiKey, util.NewRecordNotFoundError(err.Error())\n\t\t}\n\t\treturn apiKey, err\n\t}\n\n\tif userID.Valid {\n\t\tapiKey.userID = userID.Int64\n\t}\n\tif adminID.Valid {\n\t\tapiKey.adminID = adminID.Int64\n\t}\n\tif description.Valid {\n\t\tapiKey.Description = description.String\n\t}\n\n\treturn apiKey, nil\n}\n\nfunc getAdminFromDbRow(row sqlScanner) (Admin, error) {\n\tvar admin Admin\n\tvar email, additionalInfo, description, role sql.NullString\n\tvar permissions, filters []byte\n\n\terr := row.Scan(&admin.ID, &admin.Username, &admin.Password, &admin.Status, &email, &permissions,\n\t\t&filters, &additionalInfo, &description, &admin.CreatedAt, &admin.UpdatedAt, &admin.LastLogin, &role)\n\n\tif err != nil {\n\t\tif errors.Is(err, sql.ErrNoRows) {\n\t\t\treturn admin, util.NewRecordNotFoundError(err.Error())\n\t\t}\n\t\treturn admin, err\n\t}\n\n\tvar perms []string\n\terr = json.Unmarshal(permissions, &perms)\n\tif err != nil {\n\t\treturn admin, err\n\t}\n\tadmin.Permissions = perms\n\n\tif email.Valid {\n\t\tadmin.Email = email.String\n\t}\n\n\tvar adminFilters AdminFilters\n\terr = json.Unmarshal(filters, &adminFilters)\n\tif err == nil {\n\t\tadmin.Filters = adminFilters\n\t}\n\tif additionalInfo.Valid {\n\t\tadmin.AdditionalInfo = additionalInfo.String\n\t}\n\tif description.Valid {\n\t\tadmin.Description = description.String\n\t}\n\tif role.Valid {\n\t\tadmin.Role = role.String\n\t}\n\n\tadmin.SetEmptySecretsIfNil()\n\treturn admin, nil\n}\n\nfunc getEventActionFromDbRow(row sqlScanner) (BaseEventAction, error) {\n\tvar action BaseEventAction\n\tvar description sql.NullString\n\tvar options []byte\n\n\terr := row.Scan(&action.ID, &action.Name, &description, &action.Type, &options)\n\tif err != nil {\n\t\tif errors.Is(err, sql.ErrNoRows) {\n\t\t\treturn action, util.NewRecordNotFoundError(err.Error())\n\t\t}\n\t\treturn action, err\n\t}\n\tif description.Valid {\n\t\taction.Description = description.String\n\t}\n\tvar actionOptions BaseEventActionOptions\n\terr = json.Unmarshal(options, &actionOptions)\n\tif err == nil {\n\t\taction.Options = actionOptions\n\t}\n\treturn action, nil\n}\n\nfunc getEventRuleFromDbRow(row sqlScanner) (EventRule, error) {\n\tvar rule EventRule\n\tvar description sql.NullString\n\tvar conditions []byte\n\n\terr := row.Scan(&rule.ID, &rule.Name, &description, &rule.CreatedAt, &rule.UpdatedAt, &rule.Trigger,\n\t\t&conditions, &rule.DeletedAt, &rule.Status)\n\tif err != nil {\n\t\tif errors.Is(err, sql.ErrNoRows) {\n\t\t\treturn rule, util.NewRecordNotFoundError(err.Error())\n\t\t}\n\t\treturn rule, err\n\t}\n\tvar ruleConditions EventConditions\n\terr = json.Unmarshal(conditions, &ruleConditions)\n\tif err == nil {\n\t\trule.Conditions = ruleConditions\n\t}\n\n\tif description.Valid {\n\t\trule.Description = description.String\n\t}\n\treturn rule, nil\n}\n\nfunc getIPListEntryFromDbRow(row sqlScanner) (IPListEntry, error) {\n\tvar entry IPListEntry\n\tvar description sql.NullString\n\n\terr := row.Scan(&entry.Type, &entry.IPOrNet, &entry.Mode, &entry.Protocols, &description,\n\t\t&entry.CreatedAt, &entry.UpdatedAt, &entry.DeletedAt)\n\tif err != nil {\n\t\tif errors.Is(err, sql.ErrNoRows) {\n\t\t\treturn entry, util.NewRecordNotFoundError(err.Error())\n\t\t}\n\t\treturn entry, err\n\t}\n\tif description.Valid {\n\t\tentry.Description = description.String\n\t}\n\treturn entry, err\n}\n\nfunc getRoleFromDbRow(row sqlScanner) (Role, error) {\n\tvar role Role\n\tvar description sql.NullString\n\n\terr := row.Scan(&role.ID, &role.Name, &description, &role.CreatedAt, &role.UpdatedAt)\n\tif err != nil {\n\t\tif errors.Is(err, sql.ErrNoRows) {\n\t\t\treturn role, util.NewRecordNotFoundError(err.Error())\n\t\t}\n\t\treturn role, err\n\t}\n\tif description.Valid {\n\t\trole.Description = description.String\n\t}\n\n\treturn role, nil\n}\n\nfunc getGroupFromDbRow(row sqlScanner) (Group, error) {\n\tvar group Group\n\tvar description sql.NullString\n\tvar userSettings []byte\n\n\terr := row.Scan(&group.ID, &group.Name, &description, &group.CreatedAt, &group.UpdatedAt, &userSettings)\n\tif err != nil {\n\t\tif errors.Is(err, sql.ErrNoRows) {\n\t\t\treturn group, util.NewRecordNotFoundError(err.Error())\n\t\t}\n\t\treturn group, err\n\t}\n\tif description.Valid {\n\t\tgroup.Description = description.String\n\t}\n\n\tvar settings GroupUserSettings\n\terr = json.Unmarshal(userSettings, &settings)\n\tif err == nil {\n\t\tgroup.UserSettings = settings\n\t}\n\n\treturn group, nil\n}\n\nfunc getUserFromDbRow(row sqlScanner) (User, error) {\n\tvar user User\n\tvar password sql.NullString\n\tvar permissions, publicKey, filters, fsConfig []byte\n\tvar additionalInfo, description, email, role sql.NullString\n\n\terr := row.Scan(&user.ID, &user.Username, &password, &publicKey, &user.HomeDir, &user.UID, &user.GID, &user.MaxSessions,\n\t\t&user.QuotaSize, &user.QuotaFiles, &permissions, &user.UsedQuotaSize, &user.UsedQuotaFiles, &user.LastQuotaUpdate,\n\t\t&user.UploadBandwidth, &user.DownloadBandwidth, &user.ExpirationDate, &user.LastLogin, &user.Status, &filters, &fsConfig,\n\t\t&additionalInfo, &description, &email, &user.CreatedAt, &user.UpdatedAt, &user.UploadDataTransfer, &user.DownloadDataTransfer,\n\t\t&user.TotalDataTransfer, &user.UsedUploadDataTransfer, &user.UsedDownloadDataTransfer, &user.DeletedAt, &user.FirstDownload,\n\t\t&user.FirstUpload, &role, &user.LastPasswordChange)\n\tif err != nil {\n\t\tif errors.Is(err, sql.ErrNoRows) {\n\t\t\treturn user, util.NewRecordNotFoundError(err.Error())\n\t\t}\n\t\treturn user, err\n\t}\n\tif password.Valid {\n\t\tuser.Password = password.String\n\t}\n\tperms := make(map[string][]string)\n\terr = json.Unmarshal(permissions, &perms)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to deserialize permissions for user %q: %v\", user.Username, err)\n\t\treturn user, fmt.Errorf(\"unable to deserialize permissions for user %q: %v\", user.Username, err)\n\t}\n\tuser.Permissions = perms\n\t// we can have a empty string or an invalid json in null string\n\t// so we do a relaxed test if the field is optional, for example we\n\t// populate public keys only if unmarshal does not return an error\n\tvar pKeys []string\n\terr = json.Unmarshal(publicKey, &pKeys)\n\tif err == nil {\n\t\tuser.PublicKeys = pKeys\n\t}\n\tvar userFilters UserFilters\n\terr = json.Unmarshal(filters, &userFilters)\n\tif err == nil {\n\t\tuser.Filters = userFilters\n\t}\n\tvar fs vfs.Filesystem\n\terr = json.Unmarshal(fsConfig, &fs)\n\tif err == nil {\n\t\tuser.FsConfig = fs\n\t}\n\tif additionalInfo.Valid {\n\t\tuser.AdditionalInfo = additionalInfo.String\n\t}\n\tif description.Valid {\n\t\tuser.Description = description.String\n\t}\n\tif email.Valid {\n\t\tuser.Email = email.String\n\t}\n\tif role.Valid {\n\t\tuser.Role = role.String\n\t}\n\tuser.SetEmptySecretsIfNil()\n\treturn user, nil\n}\n\nfunc sqlCommonGetFolder(ctx context.Context, name string, dbHandle sqlQuerier) (vfs.BaseVirtualFolder, error) {\n\tvar folder vfs.BaseVirtualFolder\n\tq := getFolderByNameQuery()\n\trow := dbHandle.QueryRowContext(ctx, q, name)\n\tvar mappedPath, description sql.NullString\n\tvar fsConfig []byte\n\terr := row.Scan(&folder.ID, &mappedPath, &folder.UsedQuotaSize, &folder.UsedQuotaFiles, &folder.LastQuotaUpdate,\n\t\t&folder.Name, &description, &fsConfig)\n\tif err != nil {\n\t\tif errors.Is(err, sql.ErrNoRows) {\n\t\t\treturn folder, util.NewRecordNotFoundError(err.Error())\n\t\t}\n\t\treturn folder, err\n\t}\n\tif mappedPath.Valid {\n\t\tfolder.MappedPath = mappedPath.String\n\t}\n\tif description.Valid {\n\t\tfolder.Description = description.String\n\t}\n\tvar fs vfs.Filesystem\n\terr = json.Unmarshal(fsConfig, &fs)\n\tif err == nil {\n\t\tfolder.FsConfig = fs\n\t}\n\treturn folder, err\n}\n\nfunc sqlCommonGetFolderByName(ctx context.Context, name string, dbHandle sqlQuerier) (vfs.BaseVirtualFolder, error) {\n\tfolder, err := sqlCommonGetFolder(ctx, name, dbHandle)\n\tif err != nil {\n\t\treturn folder, err\n\t}\n\tfolders, err := getVirtualFoldersWithUsers([]vfs.BaseVirtualFolder{folder}, dbHandle)\n\tif err != nil {\n\t\treturn folder, err\n\t}\n\tif len(folders) != 1 {\n\t\treturn folder, fmt.Errorf(\"unable to associate users with folder %q\", name)\n\t}\n\tfolders, err = getVirtualFoldersWithGroups([]vfs.BaseVirtualFolder{folders[0]}, dbHandle)\n\tif err != nil {\n\t\treturn folder, err\n\t}\n\tif len(folders) != 1 {\n\t\treturn folder, fmt.Errorf(\"unable to associate groups with folder %q\", name)\n\t}\n\treturn folders[0], nil\n}\n\nfunc sqlCommonAddFolder(folder *vfs.BaseVirtualFolder, dbHandle sqlQuerier) error {\n\terr := ValidateFolder(folder)\n\tif err != nil {\n\t\treturn err\n\t}\n\tfsConfig, err := json.Marshal(folder.FsConfig)\n\tif err != nil {\n\t\treturn err\n\t}\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getAddFolderQuery()\n\t_, err = dbHandle.ExecContext(ctx, q, folder.MappedPath, folder.UsedQuotaSize, folder.UsedQuotaFiles,\n\t\tfolder.LastQuotaUpdate, folder.Name, folder.Description, fsConfig)\n\treturn err\n}\n\nfunc sqlCommonUpdateFolder(folder *vfs.BaseVirtualFolder, dbHandle sqlQuerier) error {\n\terr := ValidateFolder(folder)\n\tif err != nil {\n\t\treturn err\n\t}\n\tfsConfig, err := json.Marshal(folder.FsConfig)\n\tif err != nil {\n\t\treturn err\n\t}\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getUpdateFolderQuery()\n\tres, err := dbHandle.ExecContext(ctx, q, folder.MappedPath, folder.Description, fsConfig, folder.Name)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn sqlCommonRequireRowAffected(res)\n}\n\nfunc sqlCommonDeleteFolder(folder vfs.BaseVirtualFolder, dbHandle sqlQuerier) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDeleteFolderQuery()\n\tres, err := dbHandle.ExecContext(ctx, q, folder.Name)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn sqlCommonRequireRowAffected(res)\n}\n\nfunc sqlCommonDumpFolders(dbHandle sqlQuerier) ([]vfs.BaseVirtualFolder, error) {\n\tfolders := make([]vfs.BaseVirtualFolder, 0, 50)\n\tctx, cancel := context.WithTimeout(context.Background(), longSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDumpFoldersQuery()\n\trows, err := dbHandle.QueryContext(ctx, q)\n\tif err != nil {\n\t\treturn folders, err\n\t}\n\tdefer rows.Close()\n\tfor rows.Next() {\n\t\tvar folder vfs.BaseVirtualFolder\n\t\tvar mappedPath, description sql.NullString\n\t\tvar fsConfig []byte\n\t\terr = rows.Scan(&folder.ID, &mappedPath, &folder.UsedQuotaSize, &folder.UsedQuotaFiles,\n\t\t\t&folder.LastQuotaUpdate, &folder.Name, &description, &fsConfig)\n\t\tif err != nil {\n\t\t\treturn folders, err\n\t\t}\n\t\tif mappedPath.Valid {\n\t\t\tfolder.MappedPath = mappedPath.String\n\t\t}\n\t\tif description.Valid {\n\t\t\tfolder.Description = description.String\n\t\t}\n\t\tvar fs vfs.Filesystem\n\t\terr = json.Unmarshal(fsConfig, &fs)\n\t\tif err == nil {\n\t\t\tfolder.FsConfig = fs\n\t\t}\n\t\tfolders = append(folders, folder)\n\t}\n\treturn folders, rows.Err()\n}\n\nfunc sqlCommonGetFolders(limit, offset int, order string, minimal bool, dbHandle sqlQuerier) ([]vfs.BaseVirtualFolder, error) {\n\tfolders := make([]vfs.BaseVirtualFolder, 0, limit)\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getFoldersQuery(order, minimal)\n\trows, err := dbHandle.QueryContext(ctx, q, limit, offset)\n\tif err != nil {\n\t\treturn folders, err\n\t}\n\tdefer rows.Close()\n\tfor rows.Next() {\n\t\tvar folder vfs.BaseVirtualFolder\n\t\tif minimal {\n\t\t\terr = rows.Scan(&folder.ID, &folder.Name)\n\t\t\tif err != nil {\n\t\t\t\treturn folders, err\n\t\t\t}\n\t\t} else {\n\t\t\tvar mappedPath, description sql.NullString\n\t\t\tvar fsConfig []byte\n\t\t\terr = rows.Scan(&folder.ID, &mappedPath, &folder.UsedQuotaSize, &folder.UsedQuotaFiles,\n\t\t\t\t&folder.LastQuotaUpdate, &folder.Name, &description, &fsConfig)\n\t\t\tif err != nil {\n\t\t\t\treturn folders, err\n\t\t\t}\n\t\t\tif mappedPath.Valid {\n\t\t\t\tfolder.MappedPath = mappedPath.String\n\t\t\t}\n\t\t\tif description.Valid {\n\t\t\t\tfolder.Description = description.String\n\t\t\t}\n\t\t\tvar fs vfs.Filesystem\n\t\t\terr = json.Unmarshal(fsConfig, &fs)\n\t\t\tif err == nil {\n\t\t\t\tfolder.FsConfig = fs\n\t\t\t}\n\t\t}\n\t\tfolder.PrepareForRendering()\n\t\tfolders = append(folders, folder)\n\t}\n\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn folders, err\n\t}\n\tif minimal {\n\t\treturn folders, nil\n\t}\n\tfolders, err = getVirtualFoldersWithUsers(folders, dbHandle)\n\tif err != nil {\n\t\treturn folders, err\n\t}\n\treturn getVirtualFoldersWithGroups(folders, dbHandle)\n}\n\nfunc sqlCommonClearUserFolderMapping(ctx context.Context, user *User, dbHandle sqlQuerier) error {\n\tq := getClearUserFolderMappingQuery()\n\t_, err := dbHandle.ExecContext(ctx, q, user.Username)\n\treturn err\n}\n\nfunc sqlCommonClearGroupFolderMapping(ctx context.Context, group *Group, dbHandle sqlQuerier) error {\n\tq := getClearGroupFolderMappingQuery()\n\t_, err := dbHandle.ExecContext(ctx, q, group.Name)\n\treturn err\n}\n\nfunc sqlCommonClearUserGroupMapping(ctx context.Context, user *User, dbHandle sqlQuerier) error {\n\tq := getClearUserGroupMappingQuery()\n\t_, err := dbHandle.ExecContext(ctx, q, user.Username)\n\treturn err\n}\n\nfunc sqlCommonAddUserFolderMapping(ctx context.Context, user *User, folder *vfs.VirtualFolder, sortOrder int, dbHandle sqlQuerier) error {\n\tq := getAddUserFolderMappingQuery()\n\t_, err := dbHandle.ExecContext(ctx, q, folder.VirtualPath, folder.QuotaSize, folder.QuotaFiles, folder.Name, user.Username, sortOrder)\n\treturn err\n}\n\nfunc sqlCommonClearAdminGroupMapping(ctx context.Context, admin *Admin, dbHandle sqlQuerier) error {\n\tq := getClearAdminGroupMappingQuery()\n\t_, err := dbHandle.ExecContext(ctx, q, admin.Username)\n\treturn err\n}\n\nfunc sqlCommonAddGroupFolderMapping(ctx context.Context, group *Group, folder *vfs.VirtualFolder, sortOrder int,\n\tdbHandle sqlQuerier,\n) error {\n\tq := getAddGroupFolderMappingQuery()\n\t_, err := dbHandle.ExecContext(ctx, q, folder.VirtualPath, folder.QuotaSize, folder.QuotaFiles, folder.Name, group.Name, sortOrder)\n\treturn err\n}\n\nfunc sqlCommonAddUserGroupMapping(ctx context.Context, username, groupName string, groupType, sortOrder int, dbHandle sqlQuerier) error {\n\tq := getAddUserGroupMappingQuery()\n\t_, err := dbHandle.ExecContext(ctx, q, username, groupName, groupType, sortOrder)\n\treturn err\n}\n\nfunc sqlCommonAddAdminGroupMapping(ctx context.Context, username, groupName string, mappingOptions AdminGroupMappingOptions,\n\tsortOrder int, dbHandle sqlQuerier,\n) error {\n\toptions, err := json.Marshal(mappingOptions)\n\tif err != nil {\n\t\treturn err\n\t}\n\tq := getAddAdminGroupMappingQuery()\n\t_, err = dbHandle.ExecContext(ctx, q, username, groupName, options, sortOrder)\n\treturn err\n}\n\nfunc generateGroupVirtualFoldersMapping(ctx context.Context, group *Group, dbHandle sqlQuerier) error {\n\terr := sqlCommonClearGroupFolderMapping(ctx, group, dbHandle)\n\tif err != nil {\n\t\treturn err\n\t}\n\tfor idx := range group.VirtualFolders {\n\t\tvfolder := &group.VirtualFolders[idx]\n\t\terr = sqlCommonAddGroupFolderMapping(ctx, group, vfolder, idx, dbHandle)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\treturn err\n}\n\nfunc generateUserVirtualFoldersMapping(ctx context.Context, user *User, dbHandle sqlQuerier) error {\n\terr := sqlCommonClearUserFolderMapping(ctx, user, dbHandle)\n\tif err != nil {\n\t\treturn err\n\t}\n\tfor idx := range user.VirtualFolders {\n\t\tvfolder := &user.VirtualFolders[idx]\n\t\terr = sqlCommonAddUserFolderMapping(ctx, user, vfolder, idx, dbHandle)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\treturn err\n}\n\nfunc generateUserGroupMapping(ctx context.Context, user *User, dbHandle sqlQuerier) error {\n\terr := sqlCommonClearUserGroupMapping(ctx, user, dbHandle)\n\tif err != nil {\n\t\treturn err\n\t}\n\tfor idx, group := range user.Groups {\n\t\terr = sqlCommonAddUserGroupMapping(ctx, user.Username, group.Name, group.Type, idx, dbHandle)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\treturn err\n}\n\nfunc generateAdminGroupMapping(ctx context.Context, admin *Admin, dbHandle sqlQuerier) error {\n\terr := sqlCommonClearAdminGroupMapping(ctx, admin, dbHandle)\n\tif err != nil {\n\t\treturn err\n\t}\n\tfor idx, group := range admin.Groups {\n\t\terr = sqlCommonAddAdminGroupMapping(ctx, admin.Username, group.Name, group.Options, idx, dbHandle)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\treturn err\n}\n\nfunc getDefenderHostsWithScores(ctx context.Context, hosts []DefenderEntry, from int64, idForScores []int64,\n\tdbHandle sqlQuerier) (\n\t[]DefenderEntry,\n\terror,\n) {\n\tif len(idForScores) == 0 {\n\t\treturn hosts, nil\n\t}\n\n\thostsWithScores := make(map[int64]int)\n\tq := getDefenderEventsQuery(idForScores)\n\trows, err := dbHandle.QueryContext(ctx, q, from)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"unable to get score for hosts with id %+v: %v\", idForScores, err)\n\t\treturn nil, err\n\t}\n\tdefer rows.Close()\n\n\tfor rows.Next() {\n\t\tvar hostID int64\n\t\tvar score int\n\t\terr = rows.Scan(&hostID, &score)\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelError, \"error scanning host score row: %v\", err)\n\t\t\treturn hosts, err\n\t\t}\n\t\tif score > 0 {\n\t\t\thostsWithScores[hostID] = score\n\t\t}\n\t}\n\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn hosts, err\n\t}\n\n\tresult := make([]DefenderEntry, 0, len(hosts))\n\n\tfor idx := range hosts {\n\t\thosts[idx].Score = hostsWithScores[hosts[idx].ID]\n\t\tif hosts[idx].Score > 0 || !hosts[idx].BanTime.IsZero() {\n\t\t\tresult = append(result, hosts[idx])\n\t\t}\n\t}\n\n\treturn result, nil\n}\n\nfunc getAdminWithGroups(ctx context.Context, admin Admin, dbHandle sqlQuerier) (Admin, error) {\n\tadmins, err := getAdminsWithGroups(ctx, []Admin{admin}, dbHandle)\n\tif err != nil {\n\t\treturn admin, err\n\t}\n\tif len(admins) == 0 {\n\t\treturn admin, errSQLGroupsAssociation\n\t}\n\treturn admins[0], err\n}\n\nfunc getAdminsWithGroups(ctx context.Context, admins []Admin, dbHandle sqlQuerier) ([]Admin, error) {\n\tif len(admins) == 0 {\n\t\treturn admins, nil\n\t}\n\tadminsGroups := make(map[int64][]AdminGroupMapping)\n\tq := getRelatedGroupsForAdminsQuery(admins)\n\trows, err := dbHandle.QueryContext(ctx, q)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer rows.Close()\n\n\tfor rows.Next() {\n\t\tvar group AdminGroupMapping\n\t\tvar adminID int64\n\t\tvar options []byte\n\t\terr = rows.Scan(&group.Name, &options, &adminID)\n\t\tif err != nil {\n\t\t\treturn admins, err\n\t\t}\n\t\terr = json.Unmarshal(options, &group.Options)\n\t\tif err != nil {\n\t\t\treturn admins, err\n\t\t}\n\t\tadminsGroups[adminID] = append(adminsGroups[adminID], group)\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn admins, err\n\t}\n\tif len(adminsGroups) == 0 {\n\t\treturn admins, err\n\t}\n\tfor idx := range admins {\n\t\tref := &admins[idx]\n\t\tref.Groups = adminsGroups[ref.ID]\n\t}\n\treturn admins, err\n}\n\nfunc getUserWithVirtualFolders(ctx context.Context, user User, dbHandle sqlQuerier) (User, error) {\n\tusers, err := getUsersWithVirtualFolders(ctx, []User{user}, dbHandle)\n\tif err != nil {\n\t\treturn user, err\n\t}\n\tif len(users) == 0 {\n\t\treturn user, errSQLFoldersAssociation\n\t}\n\treturn users[0], err\n}\n\nfunc getUsersWithVirtualFolders(ctx context.Context, users []User, dbHandle sqlQuerier) ([]User, error) {\n\tif len(users) == 0 {\n\t\treturn users, nil\n\t}\n\n\tusersVirtualFolders := make(map[int64][]vfs.VirtualFolder)\n\tq := getRelatedFoldersForUsersQuery(users)\n\trows, err := dbHandle.QueryContext(ctx, q)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer rows.Close()\n\tfor rows.Next() {\n\t\tvar folder vfs.VirtualFolder\n\t\tvar userID int64\n\t\tvar mappedPath, description sql.NullString\n\t\tvar fsConfig []byte\n\t\terr = rows.Scan(&folder.ID, &folder.Name, &mappedPath, &folder.UsedQuotaSize, &folder.UsedQuotaFiles,\n\t\t\t&folder.LastQuotaUpdate, &folder.VirtualPath, &folder.QuotaSize, &folder.QuotaFiles, &userID, &fsConfig,\n\t\t\t&description)\n\t\tif err != nil {\n\t\t\treturn users, err\n\t\t}\n\t\tif mappedPath.Valid {\n\t\t\tfolder.MappedPath = mappedPath.String\n\t\t}\n\t\tif description.Valid {\n\t\t\tfolder.Description = description.String\n\t\t}\n\t\tvar fs vfs.Filesystem\n\t\terr = json.Unmarshal(fsConfig, &fs)\n\t\tif err == nil {\n\t\t\tfolder.FsConfig = fs\n\t\t}\n\t\tusersVirtualFolders[userID] = append(usersVirtualFolders[userID], folder)\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn users, err\n\t}\n\tif len(usersVirtualFolders) == 0 {\n\t\treturn users, err\n\t}\n\tfor idx := range users {\n\t\tref := &users[idx]\n\t\tref.VirtualFolders = usersVirtualFolders[ref.ID]\n\t}\n\treturn users, err\n}\n\nfunc getUserWithGroups(ctx context.Context, user User, dbHandle sqlQuerier) (User, error) {\n\tusers, err := getUsersWithGroups(ctx, []User{user}, dbHandle)\n\tif err != nil {\n\t\treturn user, err\n\t}\n\tif len(users) == 0 {\n\t\treturn user, errSQLGroupsAssociation\n\t}\n\treturn users[0], err\n}\n\nfunc getUsersWithGroups(ctx context.Context, users []User, dbHandle sqlQuerier) ([]User, error) {\n\tif len(users) == 0 {\n\t\treturn users, nil\n\t}\n\tusersGroups := make(map[int64][]sdk.GroupMapping)\n\tq := getRelatedGroupsForUsersQuery(users)\n\trows, err := dbHandle.QueryContext(ctx, q)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer rows.Close()\n\n\tfor rows.Next() {\n\t\tvar group sdk.GroupMapping\n\t\tvar userID int64\n\t\terr = rows.Scan(&group.Name, &group.Type, &userID)\n\t\tif err != nil {\n\t\t\treturn users, err\n\t\t}\n\t\tusersGroups[userID] = append(usersGroups[userID], group)\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn users, err\n\t}\n\tif len(usersGroups) == 0 {\n\t\treturn users, err\n\t}\n\tfor idx := range users {\n\t\tref := &users[idx]\n\t\tref.Groups = usersGroups[ref.ID]\n\t}\n\treturn users, err\n}\n\nfunc getGroupWithUsers(ctx context.Context, group Group, dbHandle sqlQuerier) (Group, error) {\n\tgroups, err := getGroupsWithUsers(ctx, []Group{group}, dbHandle)\n\tif err != nil {\n\t\treturn group, err\n\t}\n\tif len(groups) == 0 {\n\t\treturn group, errSQLUsersAssociation\n\t}\n\treturn groups[0], err\n}\n\nfunc getRoleWithUsers(ctx context.Context, role Role, dbHandle sqlQuerier) (Role, error) {\n\troles, err := getRolesWithUsers(ctx, []Role{role}, dbHandle)\n\tif err != nil {\n\t\treturn role, err\n\t}\n\tif len(roles) == 0 {\n\t\treturn role, errors.New(\"unable to associate users with role\")\n\t}\n\treturn roles[0], err\n}\n\nfunc getRoleWithAdmins(ctx context.Context, role Role, dbHandle sqlQuerier) (Role, error) {\n\troles, err := getRolesWithAdmins(ctx, []Role{role}, dbHandle)\n\tif err != nil {\n\t\treturn role, err\n\t}\n\tif len(roles) == 0 {\n\t\treturn role, errors.New(\"unable to associate admins with role\")\n\t}\n\treturn roles[0], err\n}\n\nfunc getGroupWithAdmins(ctx context.Context, group Group, dbHandle sqlQuerier) (Group, error) {\n\tgroups, err := getGroupsWithAdmins(ctx, []Group{group}, dbHandle)\n\tif err != nil {\n\t\treturn group, err\n\t}\n\tif len(groups) == 0 {\n\t\treturn group, errSQLUsersAssociation\n\t}\n\treturn groups[0], err\n}\n\nfunc getGroupWithVirtualFolders(ctx context.Context, group Group, dbHandle sqlQuerier) (Group, error) {\n\tgroups, err := getGroupsWithVirtualFolders(ctx, []Group{group}, dbHandle)\n\tif err != nil {\n\t\treturn group, err\n\t}\n\tif len(groups) == 0 {\n\t\treturn group, errSQLFoldersAssociation\n\t}\n\treturn groups[0], err\n}\n\nfunc getGroupsWithVirtualFolders(ctx context.Context, groups []Group, dbHandle sqlQuerier) ([]Group, error) {\n\tif len(groups) == 0 {\n\t\treturn groups, nil\n\t}\n\tq := getRelatedFoldersForGroupsQuery(groups)\n\trows, err := dbHandle.QueryContext(ctx, q)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer rows.Close()\n\tgroupsVirtualFolders := make(map[int64][]vfs.VirtualFolder)\n\n\tfor rows.Next() {\n\t\tvar groupID int64\n\t\tvar folder vfs.VirtualFolder\n\t\tvar mappedPath, description sql.NullString\n\t\tvar fsConfig []byte\n\t\terr = rows.Scan(&folder.ID, &folder.Name, &mappedPath, &folder.UsedQuotaSize, &folder.UsedQuotaFiles,\n\t\t\t&folder.LastQuotaUpdate, &folder.VirtualPath, &folder.QuotaSize, &folder.QuotaFiles, &groupID, &fsConfig,\n\t\t\t&description)\n\t\tif err != nil {\n\t\t\treturn groups, err\n\t\t}\n\t\tif mappedPath.Valid {\n\t\t\tfolder.MappedPath = mappedPath.String\n\t\t}\n\t\tif description.Valid {\n\t\t\tfolder.Description = description.String\n\t\t}\n\t\tvar fs vfs.Filesystem\n\t\terr = json.Unmarshal(fsConfig, &fs)\n\t\tif err == nil {\n\t\t\tfolder.FsConfig = fs\n\t\t}\n\t\tgroupsVirtualFolders[groupID] = append(groupsVirtualFolders[groupID], folder)\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn groups, err\n\t}\n\tif len(groupsVirtualFolders) == 0 {\n\t\treturn groups, err\n\t}\n\tfor idx := range groups {\n\t\tref := &groups[idx]\n\t\tref.VirtualFolders = groupsVirtualFolders[ref.ID]\n\t}\n\treturn groups, err\n}\n\nfunc getGroupsWithUsers(ctx context.Context, groups []Group, dbHandle sqlQuerier) ([]Group, error) {\n\tif len(groups) == 0 {\n\t\treturn groups, nil\n\t}\n\tq := getRelatedUsersForGroupsQuery(groups)\n\trows, err := dbHandle.QueryContext(ctx, q)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer rows.Close()\n\tgroupsUsers := make(map[int64][]string)\n\n\tfor rows.Next() {\n\t\tvar username string\n\t\tvar groupID int64\n\t\terr = rows.Scan(&groupID, &username)\n\t\tif err != nil {\n\t\t\treturn groups, err\n\t\t}\n\t\tgroupsUsers[groupID] = append(groupsUsers[groupID], username)\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn groups, err\n\t}\n\tif len(groupsUsers) == 0 {\n\t\treturn groups, err\n\t}\n\tfor idx := range groups {\n\t\tref := &groups[idx]\n\t\tref.Users = groupsUsers[ref.ID]\n\t}\n\treturn groups, err\n}\n\nfunc getRolesWithUsers(ctx context.Context, roles []Role, dbHandle sqlQuerier) ([]Role, error) {\n\tif len(roles) == 0 {\n\t\treturn roles, nil\n\t}\n\trows, err := dbHandle.QueryContext(ctx, getUsersWithRolesQuery(roles))\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer rows.Close()\n\n\trolesUsers := make(map[int64][]string)\n\tfor rows.Next() {\n\t\tvar roleID int64\n\t\tvar username string\n\t\terr = rows.Scan(&roleID, &username)\n\t\tif err != nil {\n\t\t\treturn roles, err\n\t\t}\n\t\trolesUsers[roleID] = append(rolesUsers[roleID], username)\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn roles, err\n\t}\n\tif len(rolesUsers) > 0 {\n\t\tfor idx := range roles {\n\t\t\tref := &roles[idx]\n\t\t\tref.Users = rolesUsers[ref.ID]\n\t\t}\n\t}\n\treturn roles, nil\n}\n\nfunc getRolesWithAdmins(ctx context.Context, roles []Role, dbHandle sqlQuerier) ([]Role, error) {\n\tif len(roles) == 0 {\n\t\treturn roles, nil\n\t}\n\trows, err := dbHandle.QueryContext(ctx, getAdminsWithRolesQuery(roles))\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer rows.Close()\n\n\trolesAdmins := make(map[int64][]string)\n\tfor rows.Next() {\n\t\tvar roleID int64\n\t\tvar username string\n\t\terr = rows.Scan(&roleID, &username)\n\t\tif err != nil {\n\t\t\treturn roles, err\n\t\t}\n\t\trolesAdmins[roleID] = append(rolesAdmins[roleID], username)\n\t}\n\tif err = rows.Err(); err != nil {\n\t\treturn roles, err\n\t}\n\tif len(rolesAdmins) > 0 {\n\t\tfor idx := range roles {\n\t\t\tref := &roles[idx]\n\t\t\tref.Admins = rolesAdmins[ref.ID]\n\t\t}\n\t}\n\treturn roles, nil\n}\n\nfunc getGroupsWithAdmins(ctx context.Context, groups []Group, dbHandle sqlQuerier) ([]Group, error) {\n\tif len(groups) == 0 {\n\t\treturn groups, nil\n\t}\n\tq := getRelatedAdminsForGroupsQuery(groups)\n\trows, err := dbHandle.QueryContext(ctx, q)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer rows.Close()\n\n\tgroupsAdmins := make(map[int64][]string)\n\tfor rows.Next() {\n\t\tvar groupID int64\n\t\tvar username string\n\t\terr = rows.Scan(&groupID, &username)\n\t\tif err != nil {\n\t\t\treturn groups, err\n\t\t}\n\t\tgroupsAdmins[groupID] = append(groupsAdmins[groupID], username)\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn groups, err\n\t}\n\tif len(groupsAdmins) > 0 {\n\t\tfor idx := range groups {\n\t\t\tref := &groups[idx]\n\t\t\tref.Admins = groupsAdmins[ref.ID]\n\t\t}\n\t}\n\treturn groups, nil\n}\n\nfunc getVirtualFoldersWithGroups(folders []vfs.BaseVirtualFolder, dbHandle sqlQuerier) ([]vfs.BaseVirtualFolder, error) {\n\tif len(folders) == 0 {\n\t\treturn folders, nil\n\t}\n\tvFoldersGroups := make(map[int64][]string)\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getRelatedGroupsForFoldersQuery(folders)\n\trows, err := dbHandle.QueryContext(ctx, q)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer rows.Close()\n\tfor rows.Next() {\n\t\tvar name string\n\t\tvar folderID int64\n\t\terr = rows.Scan(&folderID, &name)\n\t\tif err != nil {\n\t\t\treturn folders, err\n\t\t}\n\t\tvFoldersGroups[folderID] = append(vFoldersGroups[folderID], name)\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn folders, err\n\t}\n\tif len(vFoldersGroups) == 0 {\n\t\treturn folders, err\n\t}\n\tfor idx := range folders {\n\t\tref := &folders[idx]\n\t\tref.Groups = vFoldersGroups[ref.ID]\n\t}\n\treturn folders, err\n}\n\nfunc getVirtualFoldersWithUsers(folders []vfs.BaseVirtualFolder, dbHandle sqlQuerier) ([]vfs.BaseVirtualFolder, error) {\n\tif len(folders) == 0 {\n\t\treturn folders, nil\n\t}\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getRelatedUsersForFoldersQuery(folders)\n\trows, err := dbHandle.QueryContext(ctx, q)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer rows.Close()\n\n\tvFoldersUsers := make(map[int64][]string)\n\tfor rows.Next() {\n\t\tvar username string\n\t\tvar folderID int64\n\t\terr = rows.Scan(&folderID, &username)\n\t\tif err != nil {\n\t\t\treturn folders, err\n\t\t}\n\t\tvFoldersUsers[folderID] = append(vFoldersUsers[folderID], username)\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn folders, err\n\t}\n\tif len(vFoldersUsers) == 0 {\n\t\treturn folders, err\n\t}\n\tfor idx := range folders {\n\t\tref := &folders[idx]\n\t\tref.Users = vFoldersUsers[ref.ID]\n\t}\n\treturn folders, err\n}\n\nfunc sqlCommonUpdateFolderQuota(name string, filesAdd int, sizeAdd int64, reset bool, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getUpdateFolderQuotaQuery(reset)\n\t_, err := dbHandle.ExecContext(ctx, q, sizeAdd, filesAdd, util.GetTimeAsMsSinceEpoch(time.Now()), name)\n\tif err == nil {\n\t\tproviderLog(logger.LevelDebug, \"quota updated for folder %q, files increment: %d size increment: %d is reset? %t\",\n\t\t\tname, filesAdd, sizeAdd, reset)\n\t} else {\n\t\tproviderLog(logger.LevelWarn, \"error updating quota for folder %q: %v\", name, err)\n\t}\n\treturn err\n}\n\nfunc sqlCommonGetFolderUsedQuota(mappedPath string, dbHandle *sql.DB) (int, int64, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getQuotaFolderQuery()\n\tvar usedFiles int\n\tvar usedSize int64\n\terr := dbHandle.QueryRowContext(ctx, q, mappedPath).Scan(&usedSize, &usedFiles)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"error getting quota for folder: %v, error: %v\", mappedPath, err)\n\t\treturn 0, 0, err\n\t}\n\treturn usedFiles, usedSize, err\n}\n\nfunc getAPIKeyWithRelatedFields(ctx context.Context, apiKey APIKey, dbHandle sqlQuerier) (APIKey, error) {\n\tvar apiKeys []APIKey\n\tvar err error\n\n\tscope := APIKeyScopeAdmin\n\tif apiKey.userID > 0 {\n\t\tscope = APIKeyScopeUser\n\t}\n\tapiKeys, err = getRelatedValuesForAPIKeys(ctx, []APIKey{apiKey}, dbHandle, scope)\n\tif err != nil {\n\t\treturn apiKey, err\n\t}\n\tif len(apiKeys) > 0 {\n\t\tapiKey = apiKeys[0]\n\t}\n\treturn apiKey, nil\n}\n\nfunc getRelatedValuesForAPIKeys(ctx context.Context, apiKeys []APIKey, dbHandle sqlQuerier, scope APIKeyScope) ([]APIKey, error) {\n\tif len(apiKeys) == 0 {\n\t\treturn apiKeys, nil\n\t}\n\tvalues := make(map[int64]string)\n\tvar q string\n\tif scope == APIKeyScopeUser {\n\t\tq = getRelatedUsersForAPIKeysQuery(apiKeys)\n\t} else {\n\t\tq = getRelatedAdminsForAPIKeysQuery(apiKeys)\n\t}\n\trows, err := dbHandle.QueryContext(ctx, q)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer rows.Close()\n\tfor rows.Next() {\n\t\tvar valueID int64\n\t\tvar valueName string\n\t\terr = rows.Scan(&valueID, &valueName)\n\t\tif err != nil {\n\t\t\treturn apiKeys, err\n\t\t}\n\t\tvalues[valueID] = valueName\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn apiKeys, err\n\t}\n\tif len(values) == 0 {\n\t\treturn apiKeys, nil\n\t}\n\tfor idx := range apiKeys {\n\t\tref := &apiKeys[idx]\n\t\tif scope == APIKeyScopeUser {\n\t\t\tref.User = values[ref.userID]\n\t\t} else {\n\t\t\tref.Admin = values[ref.adminID]\n\t\t}\n\t}\n\treturn apiKeys, nil\n}\n\nfunc sqlCommonGetAPIKeyRelatedIDs(apiKey *APIKey) (sql.NullInt64, sql.NullInt64, error) {\n\tvar userID, adminID sql.NullInt64\n\tif apiKey.User != \"\" {\n\t\tu, err := provider.userExists(apiKey.User, \"\")\n\t\tif err != nil {\n\t\t\treturn userID, adminID, util.NewGenericError(fmt.Sprintf(\"unable to validate user %v\", apiKey.User))\n\t\t}\n\t\tuserID.Valid = true\n\t\tuserID.Int64 = u.ID\n\t}\n\tif apiKey.Admin != \"\" {\n\t\ta, err := provider.adminExists(apiKey.Admin)\n\t\tif err != nil {\n\t\t\treturn userID, adminID, util.NewValidationError(fmt.Sprintf(\"unable to validate admin %v\", apiKey.Admin))\n\t\t}\n\t\tadminID.Valid = true\n\t\tadminID.Int64 = a.ID\n\t}\n\treturn userID, adminID, nil\n}\n\nfunc sqlCommonAddSession(session Session, dbHandle *sql.DB) error {\n\tif err := session.validate(); err != nil {\n\t\treturn err\n\t}\n\tdata, err := json.Marshal(session.Data)\n\tif err != nil {\n\t\treturn err\n\t}\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getAddSessionQuery()\n\t_, err = dbHandle.ExecContext(ctx, q, session.Key, data, session.Type, session.Timestamp)\n\treturn err\n}\n\nfunc sqlCommonGetSession(key string, sessionType SessionType, dbHandle sqlQuerier) (Session, error) {\n\tvar session Session\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getSessionQuery()\n\tvar data []byte // type hint, some driver will use string instead of []byte if the type is any\n\terr := dbHandle.QueryRowContext(ctx, q, key, sessionType).Scan(&session.Key, &data, &session.Type, &session.Timestamp)\n\tif err != nil {\n\t\tif errors.Is(err, sql.ErrNoRows) {\n\t\t\treturn session, util.NewRecordNotFoundError(err.Error())\n\t\t}\n\t\treturn session, err\n\t}\n\tsession.Data = data\n\treturn session, nil\n}\n\nfunc sqlCommonDeleteSession(key string, sessionType SessionType, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDeleteSessionQuery()\n\tres, err := dbHandle.ExecContext(ctx, q, key, sessionType)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn sqlCommonRequireRowAffected(res)\n}\n\nfunc sqlCommonCleanupSessions(sessionType SessionType, before int64, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getCleanupSessionsQuery()\n\t_, err := dbHandle.ExecContext(ctx, q, sessionType, before)\n\treturn err\n}\n\nfunc getActionsWithRuleNames(ctx context.Context, actions []BaseEventAction, dbHandle sqlQuerier,\n) ([]BaseEventAction, error) {\n\tif len(actions) == 0 {\n\t\treturn actions, nil\n\t}\n\tq := getRelatedRulesForActionsQuery(actions)\n\trows, err := dbHandle.QueryContext(ctx, q)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer rows.Close()\n\n\tactionsRules := make(map[int64][]string)\n\tfor rows.Next() {\n\t\tvar name string\n\t\tvar actionID int64\n\t\tif err = rows.Scan(&actionID, &name); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tactionsRules[actionID] = append(actionsRules[actionID], name)\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif len(actionsRules) == 0 {\n\t\treturn actions, nil\n\t}\n\tfor idx := range actions {\n\t\tref := &actions[idx]\n\t\tref.Rules = actionsRules[ref.ID]\n\t}\n\treturn actions, nil\n}\n\nfunc getRulesWithActions(ctx context.Context, rules []EventRule, dbHandle sqlQuerier) ([]EventRule, error) {\n\tif len(rules) == 0 {\n\t\treturn rules, nil\n\t}\n\trulesActions := make(map[int64][]EventAction)\n\tq := getRelatedActionsForRulesQuery(rules)\n\trows, err := dbHandle.QueryContext(ctx, q)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer rows.Close()\n\n\tfor rows.Next() {\n\t\tvar action EventAction\n\t\tvar ruleID int64\n\t\tvar description sql.NullString\n\t\tvar baseOptions, options []byte\n\t\terr = rows.Scan(&action.ID, &action.Name, &description, &action.Type, &baseOptions, &options,\n\t\t\t&action.Order, &ruleID)\n\t\tif err != nil {\n\t\t\treturn rules, err\n\t\t}\n\t\tif len(baseOptions) > 0 {\n\t\t\terr = json.Unmarshal(baseOptions, &action.BaseEventAction.Options)\n\t\t\tif err != nil {\n\t\t\t\treturn rules, err\n\t\t\t}\n\t\t}\n\t\tif len(options) > 0 {\n\t\t\terr = json.Unmarshal(options, &action.Options)\n\t\t\tif err != nil {\n\t\t\t\treturn rules, err\n\t\t\t}\n\t\t}\n\t\taction.BaseEventAction.Options.SetEmptySecretsIfNil()\n\t\trulesActions[ruleID] = append(rulesActions[ruleID], action)\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn rules, err\n\t}\n\tif len(rulesActions) == 0 {\n\t\treturn rules, nil\n\t}\n\tfor idx := range rules {\n\t\tref := &rules[idx]\n\t\tref.Actions = rulesActions[ref.ID]\n\t}\n\treturn rules, nil\n}\n\nfunc generateEventRuleActionsMapping(ctx context.Context, rule *EventRule, dbHandle sqlQuerier) error {\n\tq := getClearRuleActionMappingQuery()\n\t_, err := dbHandle.ExecContext(ctx, q, rule.Name)\n\tif err != nil {\n\t\treturn err\n\t}\n\tfor _, action := range rule.Actions {\n\t\toptions, err := json.Marshal(action.Options)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tq = getAddRuleActionMappingQuery()\n\t\t_, err = dbHandle.ExecContext(ctx, q, rule.Name, action.Name, action.Order, options)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc sqlCommonGetEventActionByName(name string, dbHandle sqlQuerier) (BaseEventAction, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getEventActionByNameQuery()\n\trow := dbHandle.QueryRowContext(ctx, q, name)\n\n\taction, err := getEventActionFromDbRow(row)\n\tif err != nil {\n\t\treturn action, err\n\t}\n\tactions, err := getActionsWithRuleNames(ctx, []BaseEventAction{action}, dbHandle)\n\tif err != nil {\n\t\treturn action, err\n\t}\n\tif len(actions) != 1 {\n\t\treturn action, fmt.Errorf(\"unable to associate rules with action %q\", name)\n\t}\n\treturn actions[0], nil\n}\n\nfunc sqlCommonDumpEventActions(dbHandle sqlQuerier) ([]BaseEventAction, error) {\n\tactions := make([]BaseEventAction, 0, 10)\n\tctx, cancel := context.WithTimeout(context.Background(), longSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDumpEventActionsQuery()\n\trows, err := dbHandle.QueryContext(ctx, q)\n\tif err != nil {\n\t\treturn actions, err\n\t}\n\tdefer rows.Close()\n\n\tfor rows.Next() {\n\t\taction, err := getEventActionFromDbRow(rows)\n\t\tif err != nil {\n\t\t\treturn actions, err\n\t\t}\n\t\tactions = append(actions, action)\n\t}\n\treturn actions, rows.Err()\n}\n\nfunc sqlCommonGetEventActions(limit int, offset int, order string, minimal bool,\n\tdbHandle sqlQuerier,\n) ([]BaseEventAction, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getEventsActionsQuery(order, minimal)\n\n\tactions := make([]BaseEventAction, 0, limit)\n\trows, err := dbHandle.QueryContext(ctx, q, limit, offset)\n\tif err != nil {\n\t\treturn actions, err\n\t}\n\tdefer rows.Close()\n\n\tfor rows.Next() {\n\t\tvar action BaseEventAction\n\t\tif minimal {\n\t\t\terr = rows.Scan(&action.ID, &action.Name)\n\t\t} else {\n\t\t\taction, err = getEventActionFromDbRow(rows)\n\t\t}\n\t\tif err != nil {\n\t\t\treturn actions, err\n\t\t}\n\t\tactions = append(actions, action)\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif minimal {\n\t\treturn actions, nil\n\t}\n\tactions, err = getActionsWithRuleNames(ctx, actions, dbHandle)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tfor idx := range actions {\n\t\tactions[idx].PrepareForRendering()\n\t}\n\treturn actions, nil\n}\n\nfunc sqlCommonAddEventAction(action *BaseEventAction, dbHandle *sql.DB) error {\n\tif err := action.validate(); err != nil {\n\t\treturn err\n\t}\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getAddEventActionQuery()\n\toptions, err := json.Marshal(action.Options)\n\tif err != nil {\n\t\treturn err\n\t}\n\t_, err = dbHandle.ExecContext(ctx, q, action.Name, action.Description, action.Type, options)\n\treturn err\n}\n\nfunc sqlCommonUpdateEventAction(action *BaseEventAction, dbHandle *sql.DB) error {\n\tif err := action.validate(); err != nil {\n\t\treturn err\n\t}\n\toptions, err := json.Marshal(action.Options)\n\tif err != nil {\n\t\treturn err\n\t}\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\treturn sqlCommonExecuteTx(ctx, dbHandle, func(tx *sql.Tx) error {\n\t\tq := getUpdateEventActionQuery()\n\t\tres, err := tx.ExecContext(ctx, q, action.Description, action.Type, options, action.Name)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err := sqlCommonRequireRowAffected(res); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tq = getUpdateRulesTimestampQuery()\n\t\t_, err = tx.ExecContext(ctx, q, util.GetTimeAsMsSinceEpoch(time.Now()), action.Name)\n\t\treturn err\n\t})\n}\n\nfunc sqlCommonDeleteEventAction(action BaseEventAction, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDeleteEventActionQuery()\n\tres, err := dbHandle.ExecContext(ctx, q, action.Name)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn sqlCommonRequireRowAffected(res)\n}\n\nfunc sqlCommonGetEventRuleByName(name string, dbHandle sqlQuerier) (EventRule, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getEventRulesByNameQuery()\n\trow := dbHandle.QueryRowContext(ctx, q, name)\n\trule, err := getEventRuleFromDbRow(row)\n\tif err != nil {\n\t\treturn rule, err\n\t}\n\trules, err := getRulesWithActions(ctx, []EventRule{rule}, dbHandle)\n\tif err != nil {\n\t\treturn rule, err\n\t}\n\tif len(rules) != 1 {\n\t\treturn rule, fmt.Errorf(\"unable to associate rule %q with actions\", name)\n\t}\n\treturn rules[0], nil\n}\n\nfunc sqlCommonDumpEventRules(dbHandle sqlQuerier) ([]EventRule, error) {\n\trules := make([]EventRule, 0, 10)\n\tctx, cancel := context.WithTimeout(context.Background(), longSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDumpEventRulesQuery()\n\trows, err := dbHandle.QueryContext(ctx, q)\n\tif err != nil {\n\t\treturn rules, err\n\t}\n\tdefer rows.Close()\n\n\tfor rows.Next() {\n\t\trule, err := getEventRuleFromDbRow(rows)\n\t\tif err != nil {\n\t\t\treturn rules, err\n\t\t}\n\t\trules = append(rules, rule)\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn rules, err\n\t}\n\treturn getRulesWithActions(ctx, rules, dbHandle)\n}\n\nfunc sqlCommonGetRecentlyUpdatedRules(after int64, dbHandle sqlQuerier) ([]EventRule, error) {\n\trules := make([]EventRule, 0, 10)\n\tctx, cancel := context.WithTimeout(context.Background(), longSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getRecentlyUpdatedRulesQuery()\n\trows, err := dbHandle.QueryContext(ctx, q, after)\n\tif err != nil {\n\t\treturn rules, err\n\t}\n\tdefer rows.Close()\n\n\tfor rows.Next() {\n\t\trule, err := getEventRuleFromDbRow(rows)\n\t\tif err != nil {\n\t\t\treturn rules, err\n\t\t}\n\t\trules = append(rules, rule)\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn rules, err\n\t}\n\treturn getRulesWithActions(ctx, rules, dbHandle)\n}\n\nfunc sqlCommonGetEventRules(limit int, offset int, order string, dbHandle sqlQuerier) ([]EventRule, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getEventRulesQuery(order)\n\n\trules := make([]EventRule, 0, limit)\n\trows, err := dbHandle.QueryContext(ctx, q, limit, offset)\n\tif err != nil {\n\t\treturn rules, err\n\t}\n\tdefer rows.Close()\n\n\tfor rows.Next() {\n\t\trule, err := getEventRuleFromDbRow(rows)\n\t\tif err != nil {\n\t\t\treturn rules, err\n\t\t}\n\t\trules = append(rules, rule)\n\t}\n\terr = rows.Err()\n\tif err != nil {\n\t\treturn rules, err\n\t}\n\trules, err = getRulesWithActions(ctx, rules, dbHandle)\n\tif err != nil {\n\t\treturn rules, err\n\t}\n\tfor idx := range rules {\n\t\trules[idx].PrepareForRendering()\n\t}\n\treturn rules, nil\n}\n\nfunc sqlCommonAddEventRule(rule *EventRule, dbHandle *sql.DB) error {\n\tif err := rule.validate(); err != nil {\n\t\treturn err\n\t}\n\tconditions, err := json.Marshal(rule.Conditions)\n\tif err != nil {\n\t\treturn err\n\t}\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\treturn sqlCommonExecuteTx(ctx, dbHandle, func(tx *sql.Tx) error {\n\t\tif config.IsShared == 1 {\n\t\t\t_, err := tx.ExecContext(ctx, getRemoveSoftDeletedRuleQuery(), rule.Name)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\tq := getAddEventRuleQuery()\n\t\t_, err := tx.ExecContext(ctx, q, rule.Name, rule.Description, util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\t\tutil.GetTimeAsMsSinceEpoch(time.Now()), rule.Trigger, conditions, rule.Status)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn generateEventRuleActionsMapping(ctx, rule, tx)\n\t})\n}\n\nfunc sqlCommonUpdateEventRule(rule *EventRule, dbHandle *sql.DB) error {\n\tif err := rule.validate(); err != nil {\n\t\treturn err\n\t}\n\tconditions, err := json.Marshal(rule.Conditions)\n\tif err != nil {\n\t\treturn err\n\t}\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\treturn sqlCommonExecuteTx(ctx, dbHandle, func(tx *sql.Tx) error {\n\t\tq := getUpdateEventRuleQuery()\n\t\t_, err := tx.ExecContext(ctx, q, rule.Description, util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\t\trule.Trigger, conditions, rule.Status, rule.Name)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn generateEventRuleActionsMapping(ctx, rule, tx)\n\t})\n}\n\nfunc sqlCommonDeleteEventRule(rule EventRule, softDelete bool, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\treturn sqlCommonExecuteTx(ctx, dbHandle, func(tx *sql.Tx) error {\n\t\tif softDelete {\n\t\t\tq := getClearRuleActionMappingQuery()\n\t\t\t_, err := tx.ExecContext(ctx, q, rule.Name)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\tq := getDeleteEventRuleQuery(softDelete)\n\t\tif softDelete {\n\t\t\tts := util.GetTimeAsMsSinceEpoch(time.Now())\n\t\t\tres, err := tx.ExecContext(ctx, q, ts, ts, rule.Name)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\treturn sqlCommonRequireRowAffected(res)\n\t\t}\n\t\tres, err := tx.ExecContext(ctx, q, rule.Name)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err = sqlCommonRequireRowAffected(res); err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn sqlCommonDeleteTask(rule.Name, tx)\n\t})\n}\n\nfunc sqlCommonGetTaskByName(name string, dbHandle sqlQuerier) (Task, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\ttask := Task{\n\t\tName: name,\n\t}\n\tq := getTaskByNameQuery()\n\trow := dbHandle.QueryRowContext(ctx, q, name)\n\terr := row.Scan(&task.UpdateAt, &task.Version)\n\tif err != nil {\n\t\tif errors.Is(err, sql.ErrNoRows) {\n\t\t\treturn task, util.NewRecordNotFoundError(err.Error())\n\t\t}\n\t}\n\treturn task, err\n}\n\nfunc sqlCommonAddTask(name string, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getAddTaskQuery()\n\t_, err := dbHandle.ExecContext(ctx, q, name, util.GetTimeAsMsSinceEpoch(time.Now()))\n\treturn err\n}\n\nfunc sqlCommonUpdateTask(name string, version int64, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getUpdateTaskQuery()\n\tres, err := dbHandle.ExecContext(ctx, q, util.GetTimeAsMsSinceEpoch(time.Now()), name, version)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn sqlCommonRequireRowAffected(res)\n}\n\nfunc sqlCommonUpdateTaskTimestamp(name string, dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getUpdateTaskTimestampQuery()\n\tres, err := dbHandle.ExecContext(ctx, q, util.GetTimeAsMsSinceEpoch(time.Now()), name)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn sqlCommonRequireRowAffected(res)\n}\n\nfunc sqlCommonDeleteTask(name string, dbHandle sqlQuerier) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDeleteTaskQuery()\n\t_, err := dbHandle.ExecContext(ctx, q, name)\n\treturn err\n}\n\nfunc sqlCommonAddNode(dbHandle *sql.DB) error {\n\tif err := currentNode.validate(); err != nil {\n\t\treturn fmt.Errorf(\"unable to register cluster node: %w\", err)\n\t}\n\tdata, err := json.Marshal(currentNode.Data)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getAddNodeQuery()\n\t_, err = dbHandle.ExecContext(ctx, q, currentNode.Name, data, util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\tutil.GetTimeAsMsSinceEpoch(time.Now()))\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to register cluster node: %w\", err)\n\t}\n\tproviderLog(logger.LevelInfo, \"registered as cluster node %q, port: %d, proto: %s\",\n\t\tcurrentNode.Name, currentNode.Data.Port, currentNode.Data.Proto)\n\n\treturn nil\n}\n\nfunc sqlCommonGetNodeByName(name string, dbHandle *sql.DB) (Node, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tvar data []byte\n\tvar node Node\n\n\tq := getNodeByNameQuery()\n\trow := dbHandle.QueryRowContext(ctx, q, name, util.GetTimeAsMsSinceEpoch(time.Now().Add(activeNodeTimeDiff)))\n\terr := row.Scan(&node.Name, &data, &node.CreatedAt, &node.UpdatedAt)\n\tif err != nil {\n\t\tif errors.Is(err, sql.ErrNoRows) {\n\t\t\treturn node, util.NewRecordNotFoundError(err.Error())\n\t\t}\n\t\treturn node, err\n\t}\n\terr = json.Unmarshal(data, &node.Data)\n\treturn node, err\n}\n\nfunc sqlCommonGetNodes(dbHandle *sql.DB) ([]Node, error) {\n\tvar nodes []Node\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getNodesQuery()\n\trows, err := dbHandle.QueryContext(ctx, q, currentNode.Name,\n\t\tutil.GetTimeAsMsSinceEpoch(time.Now().Add(activeNodeTimeDiff)))\n\tif err != nil {\n\t\treturn nodes, err\n\t}\n\tdefer rows.Close()\n\tfor rows.Next() {\n\t\tvar node Node\n\t\tvar data []byte\n\n\t\terr = rows.Scan(&node.Name, &data, &node.CreatedAt, &node.UpdatedAt)\n\t\tif err != nil {\n\t\t\treturn nodes, err\n\t\t}\n\t\terr = json.Unmarshal(data, &node.Data)\n\t\tif err != nil {\n\t\t\treturn nodes, err\n\t\t}\n\t\tnodes = append(nodes, node)\n\t}\n\n\treturn nodes, rows.Err()\n}\n\nfunc sqlCommonUpdateNodeTimestamp(dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getUpdateNodeTimestampQuery()\n\tres, err := dbHandle.ExecContext(ctx, q, util.GetTimeAsMsSinceEpoch(time.Now()), currentNode.Name)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn sqlCommonRequireRowAffected(res)\n}\n\nfunc sqlCommonCleanupNodes(dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getCleanupNodesQuery()\n\t_, err := dbHandle.ExecContext(ctx, q, util.GetTimeAsMsSinceEpoch(time.Now().Add(10*activeNodeTimeDiff)))\n\treturn err\n}\n\nfunc sqlCommonGetConfigs(dbHandle sqlQuerier) (Configs, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tvar result Configs\n\tvar configs []byte\n\tq := getConfigsQuery()\n\terr := dbHandle.QueryRowContext(ctx, q).Scan(&configs)\n\tif err != nil {\n\t\treturn result, err\n\t}\n\terr = json.Unmarshal(configs, &result)\n\treturn result, err\n}\n\nfunc sqlCommonSetConfigs(configs *Configs, dbHandle *sql.DB) error {\n\tif err := configs.validate(); err != nil {\n\t\treturn err\n\t}\n\tasJSON, err := json.Marshal(configs)\n\tif err != nil {\n\t\treturn err\n\t}\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getUpdateConfigsQuery()\n\tres, err := dbHandle.ExecContext(ctx, q, asJSON)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn sqlCommonRequireRowAffected(res)\n}\n\nfunc sqlCommonGetDatabaseVersion(dbHandle sqlQuerier, showInitWarn bool) (schemaVersion, error) {\n\tvar result schemaVersion\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tq := getDatabaseVersionQuery()\n\tstmt, err := dbHandle.PrepareContext(ctx, q)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"error preparing database query %q: %v\", q, err)\n\t\tif showInitWarn && strings.Contains(err.Error(), sqlTableSchemaVersion) {\n\t\t\tlogger.WarnToConsole(\"database query error, did you forgot to run the \\\"initprovider\\\" command?\")\n\t\t}\n\t\treturn result, err\n\t}\n\tdefer stmt.Close()\n\trow := stmt.QueryRowContext(ctx)\n\terr = row.Scan(&result.Version)\n\treturn result, err\n}\n\nfunc sqlCommonRequireRowAffected(res sql.Result) error {\n\taffected, err := res.RowsAffected()\n\tif err == nil && affected == 0 {\n\t\treturn util.NewRecordNotFoundError(sql.ErrNoRows.Error())\n\t}\n\treturn nil\n}\n\nfunc sqlCommonUpdateDatabaseVersion(ctx context.Context, dbHandle sqlQuerier, version int) error {\n\tq := getUpdateDBVersionQuery()\n\t_, err := dbHandle.ExecContext(ctx, q, version)\n\treturn err\n}\n\nfunc sqlCommonExecSQLAndUpdateDBVersion(dbHandle *sql.DB, sqlQueries []string, newVersion int, isUp bool) error {\n\tctx, cancel := context.WithTimeout(context.Background(), longSQLQueryTimeout)\n\tdefer cancel()\n\n\tconn, err := dbHandle.Conn(ctx)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to get connection from pool: %w\", err)\n\t}\n\tdefer conn.Close()\n\n\tif err := sqlAcquireLock(conn); err != nil {\n\t\treturn err\n\t}\n\tdefer sqlReleaseLock(conn)\n\n\tif newVersion > 0 {\n\t\tcurrentVersion, err := sqlCommonGetDatabaseVersion(conn, false)\n\t\tif err == nil {\n\t\t\tif (isUp && currentVersion.Version >= newVersion) || (!isUp && currentVersion.Version <= newVersion) {\n\t\t\t\tproviderLog(logger.LevelInfo, \"current schema version: %v, requested: %v, did you execute simultaneous migrations?\",\n\t\t\t\t\tcurrentVersion.Version, newVersion)\n\t\t\t\treturn nil\n\t\t\t}\n\t\t}\n\t}\n\n\treturn sqlCommonExecuteTxOnConn(ctx, conn, func(tx *sql.Tx) error {\n\t\tfor _, q := range sqlQueries {\n\t\t\tif strings.TrimSpace(q) == \"\" {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\t_, err := tx.ExecContext(ctx, q)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\tif newVersion == 0 {\n\t\t\treturn nil\n\t\t}\n\t\treturn sqlCommonUpdateDatabaseVersion(ctx, tx, newVersion)\n\t})\n}\n\nfunc sqlAcquireLock(dbHandle *sql.Conn) error {\n\tctx, cancel := context.WithTimeout(context.Background(), longSQLQueryTimeout)\n\tdefer cancel()\n\n\tswitch config.Driver {\n\tcase PGSQLDataProviderName:\n\t\t_, err := dbHandle.ExecContext(ctx, `SELECT pg_advisory_lock(101,1)`)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"unable to get advisory lock: %w\", err)\n\t\t}\n\t\tproviderLog(logger.LevelInfo, \"acquired database lock\")\n\tcase MySQLDataProviderName:\n\t\tvar lockResult sql.NullInt64\n\t\terr := dbHandle.QueryRowContext(ctx, `SELECT GET_LOCK('sftpgo.migration',30)`).Scan(&lockResult)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"unable to get lock: %w\", err)\n\t\t}\n\t\tif !lockResult.Valid {\n\t\t\treturn errors.New(\"unable to get lock: null value returned\")\n\t\t}\n\t\tif lockResult.Int64 != 1 {\n\t\t\treturn fmt.Errorf(\"unable to get lock, result: %d\", lockResult.Int64)\n\t\t}\n\t\tproviderLog(logger.LevelInfo, \"acquired database lock\")\n\t}\n\n\treturn nil\n}\n\nfunc sqlReleaseLock(dbHandle *sql.Conn) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\tswitch config.Driver {\n\tcase PGSQLDataProviderName:\n\t\t_, err := dbHandle.ExecContext(ctx, `SELECT pg_advisory_unlock(101,1)`)\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelWarn, \"unable to release lock: %v\", err)\n\t\t} else {\n\t\t\tproviderLog(logger.LevelInfo, \"released database lock\")\n\t\t}\n\tcase MySQLDataProviderName:\n\t\t_, err := dbHandle.ExecContext(ctx, `SELECT RELEASE_LOCK('sftpgo.migration')`)\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelWarn, \"unable to release lock: %v\", err)\n\t\t} else {\n\t\t\tproviderLog(logger.LevelInfo, \"released database lock\")\n\t\t}\n\t}\n}\n\nfunc sqlCommonExecuteTxOnConn(ctx context.Context, conn *sql.Conn, txFn func(*sql.Tx) error) error {\n\ttx, err := conn.BeginTx(ctx, nil)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\terr = txFn(tx)\n\tif err != nil {\n\t\ttx.Rollback() //nolint:errcheck\n\t\treturn err\n\t}\n\treturn tx.Commit()\n}\n\nfunc sqlCommonExecuteTx(ctx context.Context, dbHandle *sql.DB, txFn func(*sql.Tx) error) error {\n\tif config.Driver == CockroachDataProviderName {\n\t\treturn crdb.ExecuteTx(ctx, dbHandle, nil, txFn)\n\t}\n\n\ttx, err := dbHandle.BeginTx(ctx, nil)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\terr = txFn(tx)\n\tif err != nil {\n\t\t// we don't change the returned error\n\t\ttx.Rollback() //nolint:errcheck\n\t\treturn err\n\t}\n\treturn tx.Commit()\n}\n" }, { "path": "internal/dataprovider/sqlite.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build !nosqlite && cgo\n\npackage dataprovider\n\nimport (\n\t\"context\"\n\t\"crypto/x509\"\n\t\"database/sql\"\n\t\"errors\"\n\t\"fmt\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/mattn/go-sqlite3\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nconst (\n\tsqliteResetSQL = `DROP TABLE IF EXISTS \"{{api_keys}}\";\nDROP TABLE IF EXISTS \"{{users_folders_mapping}}\";\nDROP TABLE IF EXISTS \"{{users_groups_mapping}}\";\nDROP TABLE IF EXISTS \"{{admins_groups_mapping}}\";\nDROP TABLE IF EXISTS \"{{groups_folders_mapping}}\";\nDROP TABLE IF EXISTS \"{{shares_groups_mapping}}\";\nDROP TABLE IF EXISTS \"{{admins}}\";\nDROP TABLE IF EXISTS \"{{folders}}\";\nDROP TABLE IF EXISTS \"{{shares}}\";\nDROP TABLE IF EXISTS \"{{users}}\";\nDROP TABLE IF EXISTS \"{{groups}}\";\nDROP TABLE IF EXISTS \"{{defender_events}}\";\nDROP TABLE IF EXISTS \"{{defender_hosts}}\";\nDROP TABLE IF EXISTS \"{{active_transfers}}\";\nDROP TABLE IF EXISTS \"{{shared_sessions}}\";\nDROP TABLE IF EXISTS \"{{rules_actions_mapping}}\";\nDROP TABLE IF EXISTS \"{{events_rules}}\";\nDROP TABLE IF EXISTS \"{{events_actions}}\";\nDROP TABLE IF EXISTS \"{{tasks}}\";\nDROP TABLE IF EXISTS \"{{roles}}\";\nDROP TABLE IF EXISTS \"{{ip_lists}}\";\nDROP TABLE IF EXISTS \"{{configs}}\";\nDROP TABLE IF EXISTS \"{{schema_version}}\";\n`\n\tsqliteInitialSQL = `CREATE TABLE \"{{schema_version}}\" (\"id\" integer NOT NULL PRIMARY KEY, \"version\" integer NOT NULL);\nCREATE TABLE \"{{roles}}\" (\"id\" integer NOT NULL PRIMARY KEY, \"name\" varchar(255) NOT NULL UNIQUE,\n\"description\" varchar(512) NULL, \"created_at\" bigint NOT NULL, \"updated_at\" bigint NOT NULL);\nCREATE TABLE \"{{admins}}\" (\"id\" integer NOT NULL PRIMARY KEY, \"username\" varchar(255) NOT NULL UNIQUE,\n\"description\" varchar(512) NULL, \"password\" varchar(255) NOT NULL, \"email\" varchar(255) NULL, \"status\" integer NOT NULL,\n\"permissions\" text NOT NULL, \"filters\" text NULL, \"additional_info\" text NULL, \"last_login\" bigint NOT NULL,\n\"role_id\" integer NULL REFERENCES \"{{roles}}\" (\"id\") ON DELETE NO ACTION, \"created_at\" bigint NOT NULL,\n\"updated_at\" bigint NOT NULL);\nCREATE TABLE \"{{active_transfers}}\" (\"id\" integer NOT NULL PRIMARY KEY, \"connection_id\" varchar(100) NOT NULL,\n\"transfer_id\" bigint NOT NULL, \"transfer_type\" integer NOT NULL, \"username\" varchar(255) NOT NULL,\n\"folder_name\" varchar(255) NULL, \"ip\" varchar(50) NOT NULL, \"truncated_size\" bigint NOT NULL,\n\"current_ul_size\" bigint NOT NULL, \"current_dl_size\" bigint NOT NULL, \"created_at\" bigint NOT NULL,\n\"updated_at\" bigint NOT NULL);\nCREATE TABLE \"{{defender_hosts}}\" (\"id\" integer NOT NULL PRIMARY KEY, \"ip\" varchar(50) NOT NULL UNIQUE,\n\"ban_time\" bigint NOT NULL, \"updated_at\" bigint NOT NULL);\nCREATE TABLE \"{{defender_events}}\" (\"id\" integer NOT NULL PRIMARY KEY, \"date_time\" bigint NOT NULL,\n\"score\" integer NOT NULL, \"host_id\" integer NOT NULL REFERENCES \"{{defender_hosts}}\" (\"id\") ON DELETE CASCADE\nDEFERRABLE INITIALLY DEFERRED);\nCREATE TABLE \"{{folders}}\" (\"id\" integer NOT NULL PRIMARY KEY, \"name\" varchar(255) NOT NULL UNIQUE,\n\"description\" varchar(512) NULL, \"path\" text NULL, \"used_quota_size\" bigint NOT NULL, \"used_quota_files\" integer NOT NULL,\n\"last_quota_update\" bigint NOT NULL, \"filesystem\" text NULL);\nCREATE TABLE \"{{groups}}\" (\"id\" integer NOT NULL PRIMARY KEY, \"name\" varchar(255) NOT NULL UNIQUE,\n\"description\" varchar(512) NULL, \"created_at\" bigint NOT NULL, \"updated_at\" bigint NOT NULL, \"user_settings\" text NULL);\nCREATE TABLE \"{{shared_sessions}}\" (\"key\" varchar(128) NOT NULL, \"type\" integer NOT NULL,\n\"data\" text NOT NULL, \"timestamp\" bigint NOT NULL, PRIMARY KEY (\"key\", \"type\"));\nCREATE TABLE \"{{users}}\" (\"id\" integer NOT NULL PRIMARY KEY, \"username\" varchar(255) NOT NULL UNIQUE,\n\"status\" integer NOT NULL, \"expiration_date\" bigint NOT NULL, \"description\" varchar(512) NULL, \"password\" text NULL,\n\"public_keys\" text NULL, \"home_dir\" text NOT NULL, \"uid\" bigint NOT NULL, \"gid\" bigint NOT NULL,\n\"max_sessions\" integer NOT NULL, \"quota_size\" bigint NOT NULL, \"quota_files\" integer NOT NULL, \"permissions\" text NOT NULL,\n\"used_quota_size\" bigint NOT NULL, \"used_quota_files\" integer NOT NULL, \"last_quota_update\" bigint NOT NULL,\n\"upload_bandwidth\" integer NOT NULL, \"download_bandwidth\" integer NOT NULL, \"last_login\" bigint NOT NULL,\n\"filters\" text NULL, \"filesystem\" text NULL, \"additional_info\" text NULL, \"created_at\" bigint NOT NULL,\n\"updated_at\" bigint NOT NULL, \"email\" varchar(255) NULL, \"upload_data_transfer\" integer NOT NULL,\n\"download_data_transfer\" integer NOT NULL, \"total_data_transfer\" integer NOT NULL, \"used_upload_data_transfer\" bigint NOT NULL,\n\"used_download_data_transfer\" bigint NOT NULL, \"deleted_at\" bigint NOT NULL, \"first_download\" bigint NOT NULL,\n\"first_upload\" bigint NOT NULL, \"last_password_change\" bigint NOT NULL, \"role_id\" integer NULL REFERENCES \"{{roles}}\" (\"id\") ON DELETE SET NULL);\nCREATE TABLE \"{{groups_folders_mapping}}\" (\"id\" integer NOT NULL PRIMARY KEY,\n\"folder_id\" integer NOT NULL REFERENCES \"{{folders}}\" (\"id\") ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED,\n\"group_id\" integer NOT NULL REFERENCES \"{{groups}}\" (\"id\") ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED,\n\"virtual_path\" text NOT NULL, \"quota_size\" bigint NOT NULL, \"quota_files\" integer NOT NULL, \"sort_order\" integer NOT NULL,\nCONSTRAINT \"{{prefix}}unique_group_folder_mapping\" UNIQUE (\"group_id\", \"folder_id\"));\nCREATE TABLE \"{{users_groups_mapping}}\" (\"id\" integer NOT NULL PRIMARY KEY,\n\"user_id\" integer NOT NULL REFERENCES \"{{users}}\" (\"id\") ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED,\n\"group_id\" integer NOT NULL REFERENCES \"{{groups}}\" (\"id\") ON DELETE NO ACTION,\n\"group_type\" integer NOT NULL, \"sort_order\" integer NOT NULL, CONSTRAINT \"{{prefix}}unique_user_group_mapping\" UNIQUE (\"user_id\", \"group_id\"));\nCREATE TABLE \"{{users_folders_mapping}}\" (\"id\" integer NOT NULL PRIMARY KEY,\n\"user_id\" integer NOT NULL REFERENCES \"{{users}}\" (\"id\") ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED,\n\"folder_id\" integer NOT NULL REFERENCES \"{{folders}}\" (\"id\") ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED,\n\"virtual_path\" text NOT NULL, \"quota_size\" bigint NOT NULL, \"quota_files\" integer NOT NULL, \"sort_order\" integer NOT NULL,\nCONSTRAINT \"{{prefix}}unique_user_folder_mapping\" UNIQUE (\"user_id\", \"folder_id\"));\nCREATE TABLE \"{{shares}}\" (\"id\" integer NOT NULL PRIMARY KEY, \"share_id\" varchar(60) NOT NULL UNIQUE,\n\"name\" varchar(255) NOT NULL, \"description\" varchar(512) NULL, \"scope\" integer NOT NULL, \"paths\" text NOT NULL,\n\"created_at\" bigint NOT NULL, \"updated_at\" bigint NOT NULL, \"last_use_at\" bigint NOT NULL, \"expires_at\" bigint NOT NULL,\n\"password\" text NULL, \"max_tokens\" integer NOT NULL, \"used_tokens\" integer NOT NULL, \"allow_from\" text NULL, \"options\" text NULL,\n\"user_id\" integer NOT NULL REFERENCES \"{{users}}\" (\"id\") ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED);\nCREATE TABLE \"{{api_keys}}\" (\"id\" integer NOT NULL PRIMARY KEY, \"name\" varchar(255) NOT NULL,\n\"key_id\" varchar(50) NOT NULL UNIQUE, \"api_key\" varchar(255) NOT NULL UNIQUE, \"scope\" integer NOT NULL,\n\"created_at\" bigint NOT NULL, \"updated_at\" bigint NOT NULL, \"last_use_at\" bigint NOT NULL, \"expires_at\" bigint NOT NULL,\n\"description\" text NULL, \"admin_id\" integer NULL REFERENCES \"{{admins}}\" (\"id\") ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED,\n\"user_id\" integer NULL REFERENCES \"{{users}}\" (\"id\") ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED);\nCREATE TABLE \"{{events_rules}}\" (\"id\" integer NOT NULL PRIMARY KEY,\n\"name\" varchar(255) NOT NULL UNIQUE, \"status\" integer NOT NULL, \"description\" varchar(512) NULL, \"created_at\" bigint NOT NULL,\n\"updated_at\" bigint NOT NULL, \"trigger\" integer NOT NULL, \"conditions\" text NOT NULL, \"deleted_at\" bigint NOT NULL);\nCREATE TABLE \"{{events_actions}}\" (\"id\" integer NOT NULL PRIMARY KEY, \"name\" varchar(255) NOT NULL UNIQUE,\n\"description\" varchar(512) NULL, \"type\" integer NOT NULL, \"options\" text NOT NULL);\nCREATE TABLE \"{{rules_actions_mapping}}\" (\"id\" integer NOT NULL PRIMARY KEY,\n\"rule_id\" integer NOT NULL REFERENCES \"{{events_rules}}\" (\"id\") ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED,\n\"action_id\" integer NOT NULL REFERENCES \"{{events_actions}}\" (\"id\") ON DELETE NO ACTION DEFERRABLE INITIALLY DEFERRED,\n\"order\" integer NOT NULL, \"options\" text NOT NULL,\nCONSTRAINT \"{{prefix}}unique_rule_action_mapping\" UNIQUE (\"rule_id\", \"action_id\"));\nCREATE TABLE \"{{tasks}}\" (\"id\" integer NOT NULL PRIMARY KEY, \"name\" varchar(255) NOT NULL UNIQUE,\n\"updated_at\" bigint NOT NULL, \"version\" bigint NOT NULL);\nCREATE TABLE \"{{admins_groups_mapping}}\" (\"id\" integer NOT NULL PRIMARY KEY,\n\"admin_id\" integer NOT NULL REFERENCES \"{{admins}}\" (\"id\") ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED,\n\"group_id\" integer NOT NULL REFERENCES \"{{groups}}\" (\"id\") ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED,\n\"options\" text NOT NULL, \"sort_order\" integer NOT NULL, CONSTRAINT \"{{prefix}}unique_admin_group_mapping\" UNIQUE (\"admin_id\", \"group_id\"));\nCREATE TABLE \"{{ip_lists}}\" (\"id\" integer NOT NULL PRIMARY KEY,\n\"type\" integer NOT NULL, \"ipornet\" varchar(50) NOT NULL, \"mode\" integer NOT NULL, \"description\" varchar(512) NULL,\n\"first\" BLOB NOT NULL, \"last\" BLOB NOT NULL, \"ip_type\" integer NOT NULL, \"protocols\" integer NOT NULL,\n\"created_at\" bigint NOT NULL, \"updated_at\" bigint NOT NULL, \"deleted_at\" bigint NOT NULL,\nCONSTRAINT \"{{prefix}}unique_ipornet_type_mapping\" UNIQUE (\"type\", \"ipornet\"));\nCREATE TABLE \"{{configs}}\" (\"id\" integer NOT NULL PRIMARY KEY, \"configs\" text NOT NULL);\nINSERT INTO {{configs}} (configs) VALUES ('{}');\nCREATE INDEX \"{{prefix}}users_folders_mapping_folder_id_idx\" ON \"{{users_folders_mapping}}\" (\"folder_id\");\nCREATE INDEX \"{{prefix}}users_folders_mapping_user_id_idx\" ON \"{{users_folders_mapping}}\" (\"user_id\");\nCREATE INDEX \"{{prefix}}users_folders_mapping_sort_order_idx\" ON \"{{users_folders_mapping}}\" (\"sort_order\");\nCREATE INDEX \"{{prefix}}users_groups_mapping_group_id_idx\" ON \"{{users_groups_mapping}}\" (\"group_id\");\nCREATE INDEX \"{{prefix}}users_groups_mapping_user_id_idx\" ON \"{{users_groups_mapping}}\" (\"user_id\");\nCREATE INDEX \"{{prefix}}users_groups_mapping_sort_order_idx\" ON \"{{users_groups_mapping}}\" (\"sort_order\");\nCREATE INDEX \"{{prefix}}groups_folders_mapping_folder_id_idx\" ON \"{{groups_folders_mapping}}\" (\"folder_id\");\nCREATE INDEX \"{{prefix}}groups_folders_mapping_group_id_idx\" ON \"{{groups_folders_mapping}}\" (\"group_id\");\nCREATE INDEX \"{{prefix}}groups_folders_mapping_sort_order_idx\" ON \"{{groups_folders_mapping}}\" (\"sort_order\");\nCREATE INDEX \"{{prefix}}api_keys_admin_id_idx\" ON \"{{api_keys}}\" (\"admin_id\");\nCREATE INDEX \"{{prefix}}api_keys_user_id_idx\" ON \"{{api_keys}}\" (\"user_id\");\nCREATE INDEX \"{{prefix}}users_updated_at_idx\" ON \"{{users}}\" (\"updated_at\");\nCREATE INDEX \"{{prefix}}users_deleted_at_idx\" ON \"{{users}}\" (\"deleted_at\");\nCREATE INDEX \"{{prefix}}shares_user_id_idx\" ON \"{{shares}}\" (\"user_id\");\nCREATE INDEX \"{{prefix}}defender_hosts_updated_at_idx\" ON \"{{defender_hosts}}\" (\"updated_at\");\nCREATE INDEX \"{{prefix}}defender_hosts_ban_time_idx\" ON \"{{defender_hosts}}\" (\"ban_time\");\nCREATE INDEX \"{{prefix}}defender_events_date_time_idx\" ON \"{{defender_events}}\" (\"date_time\");\nCREATE INDEX \"{{prefix}}defender_events_host_id_idx\" ON \"{{defender_events}}\" (\"host_id\");\nCREATE INDEX \"{{prefix}}active_transfers_connection_id_idx\" ON \"{{active_transfers}}\" (\"connection_id\");\nCREATE INDEX \"{{prefix}}active_transfers_transfer_id_idx\" ON \"{{active_transfers}}\" (\"transfer_id\");\nCREATE INDEX \"{{prefix}}active_transfers_updated_at_idx\" ON \"{{active_transfers}}\" (\"updated_at\");\nCREATE INDEX \"{{prefix}}shared_sessions_type_idx\" ON \"{{shared_sessions}}\" (\"type\");\nCREATE INDEX \"{{prefix}}shared_sessions_timestamp_idx\" ON \"{{shared_sessions}}\" (\"timestamp\");\nCREATE INDEX \"{{prefix}}events_rules_updated_at_idx\" ON \"{{events_rules}}\" (\"updated_at\");\nCREATE INDEX \"{{prefix}}events_rules_deleted_at_idx\" ON \"{{events_rules}}\" (\"deleted_at\");\nCREATE INDEX \"{{prefix}}events_rules_trigger_idx\" ON \"{{events_rules}}\" (\"trigger\");\nCREATE INDEX \"{{prefix}}rules_actions_mapping_rule_id_idx\" ON \"{{rules_actions_mapping}}\" (\"rule_id\");\nCREATE INDEX \"{{prefix}}rules_actions_mapping_action_id_idx\" ON \"{{rules_actions_mapping}}\" (\"action_id\");\nCREATE INDEX \"{{prefix}}rules_actions_mapping_order_idx\" ON \"{{rules_actions_mapping}}\" (\"order\");\nCREATE INDEX \"{{prefix}}admins_groups_mapping_admin_id_idx\" ON \"{{admins_groups_mapping}}\" (\"admin_id\");\nCREATE INDEX \"{{prefix}}admins_groups_mapping_group_id_idx\" ON \"{{admins_groups_mapping}}\" (\"group_id\");\nCREATE INDEX \"{{prefix}}admins_groups_mapping_sort_order_idx\" ON \"{{admins_groups_mapping}}\" (\"sort_order\");\nCREATE INDEX \"{{prefix}}users_role_id_idx\" ON \"{{users}}\" (\"role_id\");\nCREATE INDEX \"{{prefix}}admins_role_id_idx\" ON \"{{admins}}\" (\"role_id\");\nCREATE INDEX \"{{prefix}}ip_lists_type_idx\" ON \"{{ip_lists}}\" (\"type\");\nCREATE INDEX \"{{prefix}}ip_lists_ipornet_idx\" ON \"{{ip_lists}}\" (\"ipornet\");\nCREATE INDEX \"{{prefix}}ip_lists_ip_type_idx\" ON \"{{ip_lists}}\" (\"ip_type\");\nCREATE INDEX \"{{prefix}}ip_lists_ip_updated_at_idx\" ON \"{{ip_lists}}\" (\"updated_at\");\nCREATE INDEX \"{{prefix}}ip_lists_ip_deleted_at_idx\" ON \"{{ip_lists}}\" (\"deleted_at\");\nCREATE INDEX \"{{prefix}}ip_lists_first_last_idx\" ON \"{{ip_lists}}\" (\"first\", \"last\");\nINSERT INTO {{schema_version}} (version) VALUES (33);\n`\n\tsqliteV34SQL = `\nCREATE TABLE \"{{shares_groups_mapping}}\" (\n \"id\" integer NOT NULL PRIMARY KEY AUTOINCREMENT,\n \"share_id\" integer NOT NULL REFERENCES \"{{shares}}\" (\"id\") ON DELETE CASCADE,\n \"group_id\" integer NOT NULL REFERENCES \"{{groups}}\" (\"id\") ON DELETE CASCADE,\n \"permissions\" integer NOT NULL,\n \"sort_order\" integer NOT NULL,\n CONSTRAINT \"{{prefix}}unique_share_group_mapping\" UNIQUE (\"share_id\", \"group_id\")\n);\nCREATE INDEX \"{{prefix}}shares_groups_mapping_sort_order_idx\" ON \"{{shares_groups_mapping}}\" (\"sort_order\");\nCREATE INDEX \"{{prefix}}shares_groups_mapping_group_id_idx\" ON \"{{shares_groups_mapping}}\" (\"group_id\");\nCREATE INDEX \"{{prefix}}shares_groups_mapping_share_id_idx\" ON \"{{shares_groups_mapping}}\" (\"share_id\");\n`\n\tsqliteV34DownSQL = `DROP TABLE IF EXISTS \"{{shares_groups_mapping}}\";`\n)\n\n// SQLiteProvider defines the auth provider for SQLite database\ntype SQLiteProvider struct {\n\tdbHandle *sql.DB\n}\n\nfunc init() {\n\tversion.AddFeature(\"+sqlite\")\n}\n\nfunc initializeSQLiteProvider(basePath string) error {\n\tvar connectionString string\n\n\tif config.ConnectionString == \"\" {\n\t\tdbPath := config.Name\n\t\tif !util.IsFileInputValid(dbPath) {\n\t\t\treturn fmt.Errorf(\"invalid database path: %q\", dbPath)\n\t\t}\n\t\tif !filepath.IsAbs(dbPath) {\n\t\t\tdbPath = filepath.Join(basePath, dbPath)\n\t\t}\n\t\tconnectionString = fmt.Sprintf(\"file:%s?cache=shared&_foreign_keys=1\", dbPath)\n\t} else {\n\t\tconnectionString = config.ConnectionString\n\t}\n\tdbHandle, err := sql.Open(\"sqlite3\", connectionString)\n\tif err != nil {\n\t\tproviderLog(logger.LevelError, \"error creating sqlite database handler, connection string: %q, error: %v\",\n\t\t\tconnectionString, err)\n\t\treturn err\n\t}\n\tproviderLog(logger.LevelDebug, \"sqlite database handle created, connection string: %q\", connectionString)\n\tdbHandle.SetMaxOpenConns(1)\n\tprovider = &SQLiteProvider{dbHandle: dbHandle}\n\treturn executePragmaOptimize(dbHandle)\n}\n\nfunc (p *SQLiteProvider) checkAvailability() error {\n\treturn sqlCommonCheckAvailability(p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) validateUserAndPass(username, password, ip, protocol string) (User, error) {\n\treturn sqlCommonValidateUserAndPass(username, password, ip, protocol, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) validateUserAndTLSCert(username, protocol string, tlsCert *x509.Certificate) (User, error) {\n\treturn sqlCommonValidateUserAndTLSCertificate(username, protocol, tlsCert, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) validateUserAndPubKey(username string, publicKey []byte, isSSHCert bool) (User, string, error) {\n\treturn sqlCommonValidateUserAndPubKey(username, publicKey, isSSHCert, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) updateTransferQuota(username string, uploadSize, downloadSize int64, reset bool) error {\n\treturn sqlCommonUpdateTransferQuota(username, uploadSize, downloadSize, reset, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) updateQuota(username string, filesAdd int, sizeAdd int64, reset bool) error {\n\treturn sqlCommonUpdateQuota(username, filesAdd, sizeAdd, reset, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getUsedQuota(username string) (int, int64, int64, int64, error) {\n\treturn sqlCommonGetUsedQuota(username, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getAdminSignature(username string) (string, error) {\n\treturn sqlCommonGetAdminSignature(username, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getUserSignature(username string) (string, error) {\n\treturn sqlCommonGetUserSignature(username, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) setUpdatedAt(username string) {\n\tsqlCommonSetUpdatedAt(username, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) updateLastLogin(username string) error {\n\treturn sqlCommonUpdateLastLogin(username, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) updateAdminLastLogin(username string) error {\n\treturn sqlCommonUpdateAdminLastLogin(username, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) userExists(username, role string) (User, error) {\n\treturn sqlCommonGetUserByUsername(username, role, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) addUser(user *User) error {\n\treturn p.normalizeError(sqlCommonAddUser(user, p.dbHandle), fieldUsername)\n}\n\nfunc (p *SQLiteProvider) updateUser(user *User) error {\n\treturn p.normalizeError(sqlCommonUpdateUser(user, p.dbHandle), -1)\n}\n\nfunc (p *SQLiteProvider) deleteUser(user User, softDelete bool) error {\n\treturn sqlCommonDeleteUser(user, softDelete, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) updateUserPassword(username, password string) error {\n\treturn sqlCommonUpdateUserPassword(username, password, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) dumpUsers() ([]User, error) {\n\treturn sqlCommonDumpUsers(p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getRecentlyUpdatedUsers(after int64) ([]User, error) {\n\treturn sqlCommonGetRecentlyUpdatedUsers(after, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getUsers(limit int, offset int, order, role string) ([]User, error) {\n\treturn sqlCommonGetUsers(limit, offset, order, role, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getUsersForQuotaCheck(toFetch map[string]bool) ([]User, error) {\n\treturn sqlCommonGetUsersForQuotaCheck(toFetch, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) dumpFolders() ([]vfs.BaseVirtualFolder, error) {\n\treturn sqlCommonDumpFolders(p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getFolders(limit, offset int, order string, minimal bool) ([]vfs.BaseVirtualFolder, error) {\n\treturn sqlCommonGetFolders(limit, offset, order, minimal, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getFolderByName(name string) (vfs.BaseVirtualFolder, error) {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\treturn sqlCommonGetFolderByName(ctx, name, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) addFolder(folder *vfs.BaseVirtualFolder) error {\n\treturn p.normalizeError(sqlCommonAddFolder(folder, p.dbHandle), fieldName)\n}\n\nfunc (p *SQLiteProvider) updateFolder(folder *vfs.BaseVirtualFolder) error {\n\treturn sqlCommonUpdateFolder(folder, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) deleteFolder(folder vfs.BaseVirtualFolder) error {\n\treturn sqlCommonDeleteFolder(folder, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) updateFolderQuota(name string, filesAdd int, sizeAdd int64, reset bool) error {\n\treturn sqlCommonUpdateFolderQuota(name, filesAdd, sizeAdd, reset, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getUsedFolderQuota(name string) (int, int64, error) {\n\treturn sqlCommonGetFolderUsedQuota(name, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getGroups(limit, offset int, order string, minimal bool) ([]Group, error) {\n\treturn sqlCommonGetGroups(limit, offset, order, minimal, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getGroupsWithNames(names []string) ([]Group, error) {\n\treturn sqlCommonGetGroupsWithNames(names, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getUsersInGroups(names []string) ([]string, error) {\n\treturn sqlCommonGetUsersInGroups(names, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) groupExists(name string) (Group, error) {\n\treturn sqlCommonGetGroupByName(name, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) addGroup(group *Group) error {\n\treturn p.normalizeError(sqlCommonAddGroup(group, p.dbHandle), fieldName)\n}\n\nfunc (p *SQLiteProvider) updateGroup(group *Group) error {\n\treturn sqlCommonUpdateGroup(group, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) deleteGroup(group Group) error {\n\treturn sqlCommonDeleteGroup(group, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) dumpGroups() ([]Group, error) {\n\treturn sqlCommonDumpGroups(p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) adminExists(username string) (Admin, error) {\n\treturn sqlCommonGetAdminByUsername(username, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) addAdmin(admin *Admin) error {\n\treturn p.normalizeError(sqlCommonAddAdmin(admin, p.dbHandle), fieldUsername)\n}\n\nfunc (p *SQLiteProvider) updateAdmin(admin *Admin) error {\n\treturn p.normalizeError(sqlCommonUpdateAdmin(admin, p.dbHandle), -1)\n}\n\nfunc (p *SQLiteProvider) deleteAdmin(admin Admin) error {\n\treturn sqlCommonDeleteAdmin(admin, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getAdmins(limit int, offset int, order string) ([]Admin, error) {\n\treturn sqlCommonGetAdmins(limit, offset, order, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) dumpAdmins() ([]Admin, error) {\n\treturn sqlCommonDumpAdmins(p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) validateAdminAndPass(username, password, ip string) (Admin, error) {\n\treturn sqlCommonValidateAdminAndPass(username, password, ip, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) apiKeyExists(keyID string) (APIKey, error) {\n\treturn sqlCommonGetAPIKeyByID(keyID, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) addAPIKey(apiKey *APIKey) error {\n\treturn p.normalizeError(sqlCommonAddAPIKey(apiKey, p.dbHandle), -1)\n}\n\nfunc (p *SQLiteProvider) updateAPIKey(apiKey *APIKey) error {\n\treturn p.normalizeError(sqlCommonUpdateAPIKey(apiKey, p.dbHandle), -1)\n}\n\nfunc (p *SQLiteProvider) deleteAPIKey(apiKey APIKey) error {\n\treturn sqlCommonDeleteAPIKey(apiKey, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getAPIKeys(limit int, offset int, order string) ([]APIKey, error) {\n\treturn sqlCommonGetAPIKeys(limit, offset, order, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) dumpAPIKeys() ([]APIKey, error) {\n\treturn sqlCommonDumpAPIKeys(p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) updateAPIKeyLastUse(keyID string) error {\n\treturn sqlCommonUpdateAPIKeyLastUse(keyID, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) shareExists(shareID, username string) (Share, error) {\n\treturn sqlCommonGetShareByID(shareID, username, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) addShare(share *Share) error {\n\treturn p.normalizeError(sqlCommonAddShare(share, p.dbHandle), fieldName)\n}\n\nfunc (p *SQLiteProvider) updateShare(share *Share) error {\n\treturn p.normalizeError(sqlCommonUpdateShare(share, p.dbHandle), -1)\n}\n\nfunc (p *SQLiteProvider) deleteShare(share Share) error {\n\treturn sqlCommonDeleteShare(share, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getShares(limit int, offset int, order, username string) ([]Share, error) {\n\treturn sqlCommonGetShares(limit, offset, order, username, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) dumpShares() ([]Share, error) {\n\treturn sqlCommonDumpShares(p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) updateShareLastUse(shareID string, numTokens int) error {\n\treturn sqlCommonUpdateShareLastUse(shareID, numTokens, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getDefenderHosts(from int64, limit int) ([]DefenderEntry, error) {\n\treturn sqlCommonGetDefenderHosts(from, limit, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getDefenderHostByIP(ip string, from int64) (DefenderEntry, error) {\n\treturn sqlCommonGetDefenderHostByIP(ip, from, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) isDefenderHostBanned(ip string) (DefenderEntry, error) {\n\treturn sqlCommonIsDefenderHostBanned(ip, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) updateDefenderBanTime(ip string, minutes int) error {\n\treturn sqlCommonDefenderIncrementBanTime(ip, minutes, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) deleteDefenderHost(ip string) error {\n\treturn sqlCommonDeleteDefenderHost(ip, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) addDefenderEvent(ip string, score int) error {\n\treturn sqlCommonAddDefenderHostAndEvent(ip, score, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) setDefenderBanTime(ip string, banTime int64) error {\n\treturn sqlCommonSetDefenderBanTime(ip, banTime, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) cleanupDefender(from int64) error {\n\treturn sqlCommonDefenderCleanup(from, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) addActiveTransfer(transfer ActiveTransfer) error {\n\treturn sqlCommonAddActiveTransfer(transfer, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) updateActiveTransferSizes(ulSize, dlSize, transferID int64, connectionID string) error {\n\treturn sqlCommonUpdateActiveTransferSizes(ulSize, dlSize, transferID, connectionID, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) removeActiveTransfer(transferID int64, connectionID string) error {\n\treturn sqlCommonRemoveActiveTransfer(transferID, connectionID, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) cleanupActiveTransfers(before time.Time) error {\n\treturn sqlCommonCleanupActiveTransfers(before, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getActiveTransfers(from time.Time) ([]ActiveTransfer, error) {\n\treturn sqlCommonGetActiveTransfers(from, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) addSharedSession(session Session) error {\n\treturn sqlCommonAddSession(session, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) deleteSharedSession(key string, sessionType SessionType) error {\n\treturn sqlCommonDeleteSession(key, sessionType, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getSharedSession(key string, sessionType SessionType) (Session, error) {\n\treturn sqlCommonGetSession(key, sessionType, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) cleanupSharedSessions(sessionType SessionType, before int64) error {\n\treturn sqlCommonCleanupSessions(sessionType, before, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getEventActions(limit, offset int, order string, minimal bool) ([]BaseEventAction, error) {\n\treturn sqlCommonGetEventActions(limit, offset, order, minimal, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) dumpEventActions() ([]BaseEventAction, error) {\n\treturn sqlCommonDumpEventActions(p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) eventActionExists(name string) (BaseEventAction, error) {\n\treturn sqlCommonGetEventActionByName(name, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) addEventAction(action *BaseEventAction) error {\n\treturn p.normalizeError(sqlCommonAddEventAction(action, p.dbHandle), fieldName)\n}\n\nfunc (p *SQLiteProvider) updateEventAction(action *BaseEventAction) error {\n\treturn sqlCommonUpdateEventAction(action, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) deleteEventAction(action BaseEventAction) error {\n\treturn sqlCommonDeleteEventAction(action, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getEventRules(limit, offset int, order string) ([]EventRule, error) {\n\treturn sqlCommonGetEventRules(limit, offset, order, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) dumpEventRules() ([]EventRule, error) {\n\treturn sqlCommonDumpEventRules(p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getRecentlyUpdatedRules(after int64) ([]EventRule, error) {\n\treturn sqlCommonGetRecentlyUpdatedRules(after, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) eventRuleExists(name string) (EventRule, error) {\n\treturn sqlCommonGetEventRuleByName(name, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) addEventRule(rule *EventRule) error {\n\treturn p.normalizeError(sqlCommonAddEventRule(rule, p.dbHandle), fieldName)\n}\n\nfunc (p *SQLiteProvider) updateEventRule(rule *EventRule) error {\n\treturn sqlCommonUpdateEventRule(rule, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) deleteEventRule(rule EventRule, softDelete bool) error {\n\treturn sqlCommonDeleteEventRule(rule, softDelete, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getTaskByName(name string) (Task, error) {\n\treturn sqlCommonGetTaskByName(name, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) addTask(name string) error {\n\treturn sqlCommonAddTask(name, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) updateTask(name string, version int64) error {\n\treturn sqlCommonUpdateTask(name, version, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) updateTaskTimestamp(name string) error {\n\treturn sqlCommonUpdateTaskTimestamp(name, p.dbHandle)\n}\n\nfunc (*SQLiteProvider) addNode() error {\n\treturn ErrNotImplemented\n}\n\nfunc (*SQLiteProvider) getNodeByName(_ string) (Node, error) {\n\treturn Node{}, ErrNotImplemented\n}\n\nfunc (*SQLiteProvider) getNodes() ([]Node, error) {\n\treturn nil, ErrNotImplemented\n}\n\nfunc (*SQLiteProvider) updateNodeTimestamp() error {\n\treturn ErrNotImplemented\n}\n\nfunc (*SQLiteProvider) cleanupNodes() error {\n\treturn ErrNotImplemented\n}\n\nfunc (p *SQLiteProvider) roleExists(name string) (Role, error) {\n\treturn sqlCommonGetRoleByName(name, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) addRole(role *Role) error {\n\treturn p.normalizeError(sqlCommonAddRole(role, p.dbHandle), fieldName)\n}\n\nfunc (p *SQLiteProvider) updateRole(role *Role) error {\n\treturn sqlCommonUpdateRole(role, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) deleteRole(role Role) error {\n\treturn sqlCommonDeleteRole(role, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getRoles(limit int, offset int, order string, minimal bool) ([]Role, error) {\n\treturn sqlCommonGetRoles(limit, offset, order, minimal, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) dumpRoles() ([]Role, error) {\n\treturn sqlCommonDumpRoles(p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) ipListEntryExists(ipOrNet string, listType IPListType) (IPListEntry, error) {\n\treturn sqlCommonGetIPListEntry(ipOrNet, listType, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) addIPListEntry(entry *IPListEntry) error {\n\treturn p.normalizeError(sqlCommonAddIPListEntry(entry, p.dbHandle), fieldIPNet)\n}\n\nfunc (p *SQLiteProvider) updateIPListEntry(entry *IPListEntry) error {\n\treturn sqlCommonUpdateIPListEntry(entry, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) deleteIPListEntry(entry IPListEntry, softDelete bool) error {\n\treturn sqlCommonDeleteIPListEntry(entry, softDelete, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getIPListEntries(listType IPListType, filter, from, order string, limit int) ([]IPListEntry, error) {\n\treturn sqlCommonGetIPListEntries(listType, filter, from, order, limit, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getRecentlyUpdatedIPListEntries(after int64) ([]IPListEntry, error) {\n\treturn sqlCommonGetRecentlyUpdatedIPListEntries(after, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) dumpIPListEntries() ([]IPListEntry, error) {\n\treturn sqlCommonDumpIPListEntries(p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) countIPListEntries(listType IPListType) (int64, error) {\n\treturn sqlCommonCountIPListEntries(listType, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getListEntriesForIP(ip string, listType IPListType) ([]IPListEntry, error) {\n\treturn sqlCommonGetListEntriesForIP(ip, listType, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) getConfigs() (Configs, error) {\n\treturn sqlCommonGetConfigs(p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) setConfigs(configs *Configs) error {\n\treturn sqlCommonSetConfigs(configs, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) setFirstDownloadTimestamp(username string) error {\n\treturn sqlCommonSetFirstDownloadTimestamp(username, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) setFirstUploadTimestamp(username string) error {\n\treturn sqlCommonSetFirstUploadTimestamp(username, p.dbHandle)\n}\n\nfunc (p *SQLiteProvider) close() error {\n\treturn p.dbHandle.Close()\n}\n\nfunc (p *SQLiteProvider) reloadConfig() error {\n\treturn nil\n}\n\n// initializeDatabase creates the initial database structure\nfunc (p *SQLiteProvider) initializeDatabase() error {\n\tdbVersion, err := sqlCommonGetDatabaseVersion(p.dbHandle, false)\n\tif err == nil && dbVersion.Version > 0 {\n\t\treturn ErrNoInitRequired\n\t}\n\tif errors.Is(err, sql.ErrNoRows) {\n\t\treturn errSchemaVersionEmpty\n\t}\n\tlogger.InfoToConsole(\"creating initial database schema, version 33\")\n\tproviderLog(logger.LevelInfo, \"creating initial database schema, version 33\")\n\tsql := sqlReplaceAll(sqliteInitialSQL)\n\treturn sqlCommonExecSQLAndUpdateDBVersion(p.dbHandle, []string{sql}, 33, true)\n}\n\nfunc (p *SQLiteProvider) migrateDatabase() error {\n\tdbVersion, err := sqlCommonGetDatabaseVersion(p.dbHandle, true)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tswitch version := dbVersion.Version; {\n\tcase version == sqlDatabaseVersion:\n\t\tproviderLog(logger.LevelDebug, \"sql database is up to date, current version: %d\", version)\n\t\treturn ErrNoInitRequired\n\tcase version < 33:\n\t\terr = errSchemaVersionTooOld(version)\n\t\tproviderLog(logger.LevelError, \"%v\", err)\n\t\tlogger.ErrorToConsole(\"%v\", err)\n\t\treturn err\n\tcase version == 33:\n\t\treturn updateSQLiteDatabaseFromV33(p.dbHandle)\n\tdefault:\n\t\tif version > sqlDatabaseVersion {\n\t\t\tproviderLog(logger.LevelError, \"database schema version %d is newer than the supported one: %d\", version,\n\t\t\t\tsqlDatabaseVersion)\n\t\t\tlogger.WarnToConsole(\"database schema version %d is newer than the supported one: %d\", version,\n\t\t\t\tsqlDatabaseVersion)\n\t\t\treturn nil\n\t\t}\n\t\treturn fmt.Errorf(\"database schema version not handled: %d\", version)\n\t}\n}\n\nfunc (p *SQLiteProvider) revertDatabase(targetVersion int) error {\n\tdbVersion, err := sqlCommonGetDatabaseVersion(p.dbHandle, true)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif dbVersion.Version == targetVersion {\n\t\treturn errors.New(\"current version match target version, nothing to do\")\n\t}\n\n\tswitch dbVersion.Version {\n\tcase 34:\n\t\treturn downgradeSQLiteDatabaseFromV34(p.dbHandle)\n\tdefault:\n\t\treturn fmt.Errorf(\"database schema version not handled: %d\", dbVersion.Version)\n\t}\n}\n\nfunc (p *SQLiteProvider) resetDatabase() error {\n\tsql := sqlReplaceAll(sqliteResetSQL)\n\treturn sqlCommonExecSQLAndUpdateDBVersion(p.dbHandle, []string{sql}, 0, false)\n}\n\nfunc (p *SQLiteProvider) normalizeError(err error, fieldType int) error {\n\tif err == nil {\n\t\treturn nil\n\t}\n\tif e, ok := err.(sqlite3.Error); ok {\n\t\tswitch e.ExtendedCode {\n\t\tcase 1555, 2067:\n\t\t\tvar message string\n\t\t\tswitch fieldType {\n\t\t\tcase fieldUsername:\n\t\t\t\tmessage = util.I18nErrorDuplicatedUsername\n\t\t\tcase fieldIPNet:\n\t\t\t\tmessage = util.I18nErrorDuplicatedIPNet\n\t\t\tdefault:\n\t\t\t\tmessage = util.I18nErrorDuplicatedName\n\t\t\t}\n\t\t\treturn util.NewI18nError(\n\t\t\t\tfmt.Errorf(\"%w: %s\", ErrDuplicatedKey, err.Error()),\n\t\t\t\tmessage,\n\t\t\t)\n\t\tcase 787:\n\t\t\treturn fmt.Errorf(\"%w: %s\", ErrForeignKeyViolated, err.Error())\n\t\t}\n\t}\n\treturn err\n}\n\nfunc executePragmaOptimize(dbHandle *sql.DB) error {\n\tctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)\n\tdefer cancel()\n\n\t_, err := dbHandle.ExecContext(ctx, \"PRAGMA optimize;\")\n\treturn err\n}\n\nfunc updateSQLiteDatabaseFromV33(dbHandle *sql.DB) error {\n\treturn updateSQLiteDatabaseFrom33To34(dbHandle)\n}\n\nfunc downgradeSQLiteDatabaseFromV34(dbHandle *sql.DB) error {\n\treturn downgradeSQLiteDatabaseFrom34To33(dbHandle)\n}\n\nfunc updateSQLiteDatabaseFrom33To34(dbHandle *sql.DB) error {\n\tlogger.InfoToConsole(\"updating database schema version: 33 -> 34\")\n\tproviderLog(logger.LevelInfo, \"updating database schema version: 33 -> 34\")\n\n\tsql := strings.ReplaceAll(sqliteV34SQL, \"{{prefix}}\", config.SQLTablesPrefix)\n\tsql = strings.ReplaceAll(sql, \"{{shares}}\", sqlTableShares)\n\tsql = strings.ReplaceAll(sql, \"{{shares_groups_mapping}}\", sqlTableSharesGroupsMapping)\n\tsql = strings.ReplaceAll(sql, \"{{groups}}\", sqlTableGroups)\n\treturn sqlCommonExecSQLAndUpdateDBVersion(dbHandle, []string{sql}, 34, true)\n}\n\nfunc downgradeSQLiteDatabaseFrom34To33(dbHandle *sql.DB) error {\n\tlogger.InfoToConsole(\"downgrading database schema version: 34 -> 33\")\n\tproviderLog(logger.LevelInfo, \"downgrading database schema version: 34 -> 33\")\n\n\tsql := strings.ReplaceAll(sqliteV34DownSQL, \"{{shares_groups_mapping}}\", sqlTableSharesGroupsMapping)\n\treturn sqlCommonExecSQLAndUpdateDBVersion(dbHandle, []string{sql}, 33, false)\n}\n\n/*func setPragmaFK(dbHandle *sql.DB, value string) error {\n\tctx, cancel := context.WithTimeout(context.Background(), longSQLQueryTimeout)\n\tdefer cancel()\n\n\tsql := fmt.Sprintf(\"PRAGMA foreign_keys=%v;\", value)\n\n\t_, err := dbHandle.ExecContext(ctx, sql)\n\treturn err\n}*/\n" }, { "path": "internal/dataprovider/sqlite_disabled.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build nosqlite || !cgo\n\npackage dataprovider\n\nimport (\n\t\"errors\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n)\n\nfunc init() {\n\tversion.AddFeature(\"-sqlite\")\n}\n\nfunc initializeSQLiteProvider(_ string) error {\n\treturn errors.New(\"SQLite disabled at build time\")\n}\n" }, { "path": "internal/dataprovider/sqlqueries.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage dataprovider\n\nimport (\n\t\"fmt\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nconst (\n\tselectUserFields = \"u.id,u.username,u.password,u.public_keys,u.home_dir,u.uid,u.gid,u.max_sessions,u.quota_size,u.quota_files,\" +\n\t\t\"u.permissions,u.used_quota_size,u.used_quota_files,u.last_quota_update,u.upload_bandwidth,u.download_bandwidth,\" +\n\t\t\"u.expiration_date,u.last_login,u.status,u.filters,u.filesystem,u.additional_info,u.description,u.email,u.created_at,\" +\n\t\t\"u.updated_at,u.upload_data_transfer,u.download_data_transfer,u.total_data_transfer,\" +\n\t\t\"u.used_upload_data_transfer,u.used_download_data_transfer,u.deleted_at,u.first_download,u.first_upload,r.name,u.last_password_change\"\n\tselectFolderFields = \"id,path,used_quota_size,used_quota_files,last_quota_update,name,description,filesystem\"\n\tselectAdminFields = \"a.id,a.username,a.password,a.status,a.email,a.permissions,a.filters,a.additional_info,a.description,a.created_at,a.updated_at,a.last_login,r.name\"\n\tselectAPIKeyFields = \"key_id,name,api_key,scope,created_at,updated_at,last_use_at,expires_at,description,user_id,admin_id\"\n\tselectShareFields = \"s.share_id,s.name,s.description,s.scope,s.paths,u.username,s.created_at,s.updated_at,s.last_use_at,\" +\n\t\t\"s.expires_at,s.password,s.max_tokens,s.used_tokens,s.allow_from\"\n\tselectGroupFields = \"id,name,description,created_at,updated_at,user_settings\"\n\tselectEventActionFields = \"id,name,description,type,options\"\n\tselectRoleFields = \"id,name,description,created_at,updated_at\"\n\tselectIPListEntryFields = \"type,ipornet,mode,protocols,description,created_at,updated_at,deleted_at\"\n\tselectMinimalFields = \"id,name\"\n)\n\nfunc getSQLPlaceholders() []string {\n\tvar placeholders []string\n\tfor i := 1; i <= 100; i++ {\n\t\tif config.Driver == PGSQLDataProviderName || config.Driver == CockroachDataProviderName {\n\t\t\tplaceholders = append(placeholders, fmt.Sprintf(\"$%d\", i))\n\t\t} else {\n\t\t\tplaceholders = append(placeholders, \"?\")\n\t\t}\n\t}\n\treturn placeholders\n}\n\nfunc getSQLQuotedName(name string) string {\n\tif config.Driver == MySQLDataProviderName {\n\t\treturn fmt.Sprintf(\"`%s`\", name)\n\t}\n\n\treturn fmt.Sprintf(`\"%s\"`, name)\n}\n\nfunc getSelectEventRuleFields() string {\n\tif config.Driver == MySQLDataProviderName {\n\t\treturn \"id,name,description,created_at,updated_at,`trigger`,conditions,deleted_at,status\"\n\t}\n\n\treturn `id,name,description,created_at,updated_at,\"trigger\",conditions,deleted_at,status`\n}\n\nfunc getCoalesceDefaultForRole(role string) string {\n\tif role != \"\" {\n\t\treturn \"0\"\n\t}\n\treturn \"NULL\"\n}\n\nfunc getAddSessionQuery() string {\n\tif config.Driver == MySQLDataProviderName {\n\t\treturn fmt.Sprintf(\"INSERT INTO %s (`key`,`data`,`type`,`timestamp`) VALUES (%s,%s,%s,%s) \"+\n\t\t\t\"ON DUPLICATE KEY UPDATE `data`=VALUES(`data`), `timestamp`=VALUES(`timestamp`)\",\n\t\t\tsqlTableSharedSessions, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3])\n\t}\n\treturn fmt.Sprintf(`INSERT INTO %s (key,data,type,timestamp) VALUES (%s,%s,%s,%s) ON CONFLICT(key,type) DO UPDATE SET data=\n\t\tEXCLUDED.data, timestamp=EXCLUDED.timestamp`,\n\t\tsqlTableSharedSessions, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3])\n}\n\nfunc getDeleteSessionQuery() string {\n\tif config.Driver == MySQLDataProviderName {\n\t\treturn fmt.Sprintf(\"DELETE FROM %s WHERE `key` = %s AND `type` = %s\",\n\t\t\tsqlTableSharedSessions, sqlPlaceholders[0], sqlPlaceholders[1])\n\t}\n\treturn fmt.Sprintf(`DELETE FROM %s WHERE key = %s AND type = %s`,\n\t\tsqlTableSharedSessions, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getSessionQuery() string {\n\tif config.Driver == MySQLDataProviderName {\n\t\treturn fmt.Sprintf(\"SELECT `key`,`data`,`type`,`timestamp` FROM %s WHERE `key` = %s AND `type` = %s\",\n\t\t\tsqlTableSharedSessions, sqlPlaceholders[0], sqlPlaceholders[1])\n\t}\n\treturn fmt.Sprintf(`SELECT key,data,type,timestamp FROM %s WHERE key = %s AND type = %s`,\n\t\tsqlTableSharedSessions, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getCleanupSessionsQuery() string {\n\treturn fmt.Sprintf(`DELETE from %s WHERE type = %s AND timestamp < %s`,\n\t\tsqlTableSharedSessions, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getAddDefenderHostQuery() string {\n\tif config.Driver == MySQLDataProviderName {\n\t\treturn fmt.Sprintf(\"INSERT INTO %s (`ip`,`updated_at`,`ban_time`) VALUES (%s,%s,0) ON DUPLICATE KEY UPDATE `updated_at`=VALUES(`updated_at`)\",\n\t\t\tsqlTableDefenderHosts, sqlPlaceholders[0], sqlPlaceholders[1])\n\t}\n\treturn fmt.Sprintf(`INSERT INTO %s (ip,updated_at,ban_time) VALUES (%s,%s,0) ON CONFLICT (ip) DO UPDATE SET updated_at = EXCLUDED.updated_at RETURNING id`,\n\t\tsqlTableDefenderHosts, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getAddDefenderEventQuery() string {\n\treturn fmt.Sprintf(`INSERT INTO %s (date_time,score,host_id) VALUES (%s,%s,(SELECT id from %s WHERE ip = %s))`,\n\t\tsqlTableDefenderEvents, sqlPlaceholders[0], sqlPlaceholders[1], sqlTableDefenderHosts, sqlPlaceholders[2])\n}\n\nfunc getDefenderHostsQuery() string {\n\treturn fmt.Sprintf(`SELECT id,ip,ban_time FROM %s WHERE updated_at >= %s OR ban_time > 0 ORDER BY updated_at DESC LIMIT %s`,\n\t\tsqlTableDefenderHosts, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getDefenderHostQuery() string {\n\treturn fmt.Sprintf(`SELECT id,ip,ban_time FROM %s WHERE ip = %s AND (updated_at >= %s OR ban_time > 0)`,\n\t\tsqlTableDefenderHosts, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getDefenderEventsQuery(hostIDs []int64) string {\n\tvar sb strings.Builder\n\tfor _, hID := range hostIDs {\n\t\tif sb.Len() == 0 {\n\t\t\tsb.WriteString(\"(\")\n\t\t} else {\n\t\t\tsb.WriteString(\",\")\n\t\t}\n\t\tsb.WriteString(strconv.FormatInt(hID, 10))\n\t}\n\tif sb.Len() > 0 {\n\t\tsb.WriteString(\")\")\n\t} else {\n\t\tsb.WriteString(\"(0)\")\n\t}\n\treturn fmt.Sprintf(`SELECT host_id,SUM(score) FROM %s WHERE date_time >= %s AND host_id IN %s GROUP BY host_id`,\n\t\tsqlTableDefenderEvents, sqlPlaceholders[0], sb.String())\n}\n\nfunc getDefenderIsHostBannedQuery() string {\n\treturn fmt.Sprintf(`SELECT id FROM %s WHERE ip = %s AND ban_time >= %s`,\n\t\tsqlTableDefenderHosts, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getDefenderIncrementBanTimeQuery() string {\n\treturn fmt.Sprintf(`UPDATE %s SET ban_time = ban_time + %s WHERE ip = %s`,\n\t\tsqlTableDefenderHosts, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getDefenderSetBanTimeQuery() string {\n\treturn fmt.Sprintf(`UPDATE %s SET ban_time = %s WHERE ip = %s`,\n\t\tsqlTableDefenderHosts, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getDeleteDefenderHostQuery() string {\n\treturn fmt.Sprintf(`DELETE FROM %s WHERE ip = %s`, sqlTableDefenderHosts, sqlPlaceholders[0])\n}\n\nfunc getDefenderHostsCleanupQuery() string {\n\treturn fmt.Sprintf(`DELETE FROM %s WHERE ban_time < %s AND NOT EXISTS (\n\t\tSELECT id FROM %s WHERE %s.host_id = %s.id AND %s.date_time > %s)`,\n\t\tsqlTableDefenderHosts, sqlPlaceholders[0], sqlTableDefenderEvents, sqlTableDefenderEvents, sqlTableDefenderHosts,\n\t\tsqlTableDefenderEvents, sqlPlaceholders[1])\n}\n\nfunc getDefenderEventsCleanupQuery() string {\n\treturn fmt.Sprintf(`DELETE FROM %s WHERE date_time < %s`, sqlTableDefenderEvents, sqlPlaceholders[0])\n}\n\nfunc getIPListEntryQuery() string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s WHERE type = %s AND ipornet = %s AND deleted_at = 0`,\n\t\tselectIPListEntryFields, sqlTableIPLists, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getIPListEntriesQuery(filter, from, order string, limit int) string {\n\tvar sb strings.Builder\n\tvar idx int\n\n\tsb.WriteString(\"SELECT \")\n\tsb.WriteString(selectIPListEntryFields)\n\tsb.WriteString(\" FROM \")\n\tsb.WriteString(sqlTableIPLists)\n\tsb.WriteString(\" WHERE type = \")\n\tsb.WriteString(sqlPlaceholders[idx])\n\tidx++\n\tif from != \"\" {\n\t\tif order == OrderASC {\n\t\t\tsb.WriteString(\" AND ipornet > \")\n\t\t} else {\n\t\t\tsb.WriteString(\" AND ipornet < \")\n\t\t}\n\t\tsb.WriteString(sqlPlaceholders[idx])\n\t\tidx++\n\t}\n\tif filter != \"\" {\n\t\tsb.WriteString(\" AND ipornet LIKE \")\n\t\tsb.WriteString(sqlPlaceholders[idx])\n\t\tidx++\n\t}\n\tsb.WriteString(\" AND deleted_at = 0 \")\n\tsb.WriteString(\" ORDER BY ipornet \")\n\tsb.WriteString(order)\n\tif limit > 0 {\n\t\tsb.WriteString(\" LIMIT \")\n\t\tsb.WriteString(sqlPlaceholders[idx])\n\t}\n\treturn sb.String()\n}\n\nfunc getCountIPListEntriesQuery() string {\n\treturn fmt.Sprintf(`SELECT count(ipornet) FROM %s WHERE type = %s AND deleted_at = 0`, sqlTableIPLists, sqlPlaceholders[0])\n}\n\nfunc getCountAllIPListEntriesQuery() string {\n\treturn fmt.Sprintf(`SELECT count(ipornet) FROM %s WHERE deleted_at = 0`, sqlTableIPLists)\n}\n\nfunc getIPListEntriesForIPQueryPg() string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s WHERE type = %s AND deleted_at = 0 AND %s::inet BETWEEN first AND last`,\n\t\tselectIPListEntryFields, sqlTableIPLists, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getIPListEntriesForIPQueryNoPg() string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s WHERE type = %s AND deleted_at = 0 AND ip_type = %s AND %s BETWEEN first AND last`,\n\t\tselectIPListEntryFields, sqlTableIPLists, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2])\n}\n\nfunc getRecentlyUpdatedIPListQuery() string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s WHERE updated_at >= %s OR deleted_at > 0`,\n\t\tselectIPListEntryFields, sqlTableIPLists, sqlPlaceholders[0])\n}\n\nfunc getDumpListEntriesQuery() string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s WHERE deleted_at = 0`, selectIPListEntryFields, sqlTableIPLists)\n}\n\nfunc getAddIPListEntryQuery() string {\n\treturn fmt.Sprintf(`INSERT INTO %s (type,ipornet,first,last,ip_type,protocols,description,mode,created_at,updated_at,deleted_at)\n\t\tVALUES (%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,0)`, sqlTableIPLists, sqlPlaceholders[0], sqlPlaceholders[1],\n\t\tsqlPlaceholders[2], sqlPlaceholders[3], sqlPlaceholders[4], sqlPlaceholders[5],\n\t\tsqlPlaceholders[6], sqlPlaceholders[7], sqlPlaceholders[8], sqlPlaceholders[9])\n}\n\nfunc getUpdateIPListEntryQuery() string {\n\treturn fmt.Sprintf(`UPDATE %s SET mode=%s,protocols=%s,description=%s,updated_at=%s WHERE type = %s AND ipornet = %s`,\n\t\tsqlTableIPLists, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3],\n\t\tsqlPlaceholders[4], sqlPlaceholders[5])\n}\n\nfunc getDeleteIPListEntryQuery(softDelete bool) string {\n\tif softDelete {\n\t\treturn fmt.Sprintf(`UPDATE %s SET updated_at=%s,deleted_at=%s WHERE type = %s AND ipornet = %s`,\n\t\t\tsqlTableIPLists, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3])\n\t}\n\treturn fmt.Sprintf(`DELETE FROM %s WHERE type = %s AND ipornet = %s`,\n\t\tsqlTableIPLists, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getRemoveSoftDeletedIPListEntryQuery() string {\n\treturn fmt.Sprintf(`DELETE FROM %s WHERE type = %s AND ipornet = %s AND deleted_at > 0`,\n\t\tsqlTableIPLists, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getConfigsQuery() string {\n\treturn fmt.Sprintf(`SELECT configs FROM %s LIMIT 1`, sqlTableConfigs)\n}\n\nfunc getUpdateConfigsQuery() string {\n\treturn fmt.Sprintf(`UPDATE %s SET configs = %s`, sqlTableConfigs, sqlPlaceholders[0])\n}\n\nfunc getRoleByNameQuery() string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s WHERE name = %s`, selectRoleFields, sqlTableRoles,\n\t\tsqlPlaceholders[0])\n}\n\nfunc getRolesQuery(order string, minimal bool) string {\n\tvar fieldSelection string\n\tif minimal {\n\t\tfieldSelection = selectMinimalFields\n\t} else {\n\t\tfieldSelection = selectRoleFields\n\t}\n\treturn fmt.Sprintf(`SELECT %s FROM %s ORDER BY name %s LIMIT %s OFFSET %s`, fieldSelection,\n\t\tsqlTableRoles, order, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getUsersWithRolesQuery(roles []Role) string {\n\tvar sb strings.Builder\n\tfor _, r := range roles {\n\t\tif sb.Len() == 0 {\n\t\t\tsb.WriteString(\"(\")\n\t\t} else {\n\t\t\tsb.WriteString(\",\")\n\t\t}\n\t\tsb.WriteString(strconv.FormatInt(r.ID, 10))\n\t}\n\tif sb.Len() > 0 {\n\t\tsb.WriteString(\")\")\n\t}\n\treturn fmt.Sprintf(`SELECT r.id, u.username FROM %s u INNER JOIN %s r ON u.role_id = r.id WHERE u.role_id IN %s`,\n\t\tsqlTableUsers, sqlTableRoles, sb.String())\n}\n\nfunc getAdminsWithRolesQuery(roles []Role) string {\n\tvar sb strings.Builder\n\tfor _, r := range roles {\n\t\tif sb.Len() == 0 {\n\t\t\tsb.WriteString(\"(\")\n\t\t} else {\n\t\t\tsb.WriteString(\",\")\n\t\t}\n\t\tsb.WriteString(strconv.FormatInt(r.ID, 10))\n\t}\n\tif sb.Len() > 0 {\n\t\tsb.WriteString(\")\")\n\t}\n\treturn fmt.Sprintf(`SELECT r.id, a.username FROM %s a INNER JOIN %s r ON a.role_id = r.id WHERE a.role_id IN %s`,\n\t\tsqlTableAdmins, sqlTableRoles, sb.String())\n}\n\nfunc getDumpRolesQuery() string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s`, selectRoleFields, sqlTableRoles)\n}\n\nfunc getAddRoleQuery() string {\n\treturn fmt.Sprintf(`INSERT INTO %s (name,description,created_at,updated_at)\n\t\tVALUES (%s,%s,%s,%s)`, sqlTableRoles, sqlPlaceholders[0], sqlPlaceholders[1],\n\t\tsqlPlaceholders[2], sqlPlaceholders[3])\n}\n\nfunc getUpdateRoleQuery() string {\n\treturn fmt.Sprintf(`UPDATE %s SET description=%s,updated_at=%s\n\t\tWHERE name = %s`, sqlTableRoles, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2])\n}\n\nfunc getDeleteRoleQuery() string {\n\treturn fmt.Sprintf(`DELETE FROM %s WHERE name = %s`, sqlTableRoles, sqlPlaceholders[0])\n}\n\nfunc getGroupByNameQuery() string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s WHERE name = %s`, selectGroupFields, getSQLQuotedName(sqlTableGroups),\n\t\tsqlPlaceholders[0])\n}\n\nfunc getGroupsQuery(order string, minimal bool) string {\n\tvar fieldSelection string\n\tif minimal {\n\t\tfieldSelection = selectMinimalFields\n\t} else {\n\t\tfieldSelection = selectGroupFields\n\t}\n\treturn fmt.Sprintf(`SELECT %s FROM %s ORDER BY name %s LIMIT %s OFFSET %s`, fieldSelection,\n\t\tgetSQLQuotedName(sqlTableGroups), order, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getGroupsWithNamesQuery(numArgs int) string {\n\tvar sb strings.Builder\n\tfor idx := 0; idx < numArgs; idx++ {\n\t\tif sb.Len() == 0 {\n\t\t\tsb.WriteString(\"(\")\n\t\t} else {\n\t\t\tsb.WriteString(\",\")\n\t\t}\n\t\tsb.WriteString(sqlPlaceholders[idx])\n\t}\n\tif sb.Len() > 0 {\n\t\tsb.WriteString(\")\")\n\t} else {\n\t\tsb.WriteString(\"('')\")\n\t}\n\treturn fmt.Sprintf(`SELECT %s FROM %s WHERE name in %s`, selectGroupFields, getSQLQuotedName(sqlTableGroups), sb.String())\n}\n\nfunc getUsersInGroupsQuery(numArgs int) string {\n\tvar sb strings.Builder\n\tfor idx := 0; idx < numArgs; idx++ {\n\t\tif sb.Len() == 0 {\n\t\t\tsb.WriteString(\"(\")\n\t\t} else {\n\t\t\tsb.WriteString(\",\")\n\t\t}\n\t\tsb.WriteString(sqlPlaceholders[idx])\n\t}\n\tif sb.Len() > 0 {\n\t\tsb.WriteString(\")\")\n\t} else {\n\t\tsb.WriteString(\"('')\")\n\t}\n\treturn fmt.Sprintf(`SELECT username FROM %s WHERE id IN (SELECT user_id from %s WHERE group_id IN (SELECT id FROM %s WHERE name IN %s))`,\n\t\tsqlTableUsers, sqlTableUsersGroupsMapping, getSQLQuotedName(sqlTableGroups), sb.String())\n}\n\nfunc getDumpGroupsQuery() string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s`, selectGroupFields, getSQLQuotedName(sqlTableGroups))\n}\n\nfunc getAddGroupQuery() string {\n\treturn fmt.Sprintf(`INSERT INTO %s (name,description,created_at,updated_at,user_settings)\n\t\tVALUES (%s,%s,%s,%s,%s)`, getSQLQuotedName(sqlTableGroups), sqlPlaceholders[0], sqlPlaceholders[1],\n\t\tsqlPlaceholders[2], sqlPlaceholders[3], sqlPlaceholders[4])\n}\n\nfunc getUpdateGroupQuery() string {\n\treturn fmt.Sprintf(`UPDATE %s SET description=%s,user_settings=%s,updated_at=%s\n\t\tWHERE name = %s`, getSQLQuotedName(sqlTableGroups), sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2],\n\t\tsqlPlaceholders[3])\n}\n\nfunc getDeleteGroupQuery() string {\n\treturn fmt.Sprintf(`DELETE FROM %s WHERE name = %s`, getSQLQuotedName(sqlTableGroups), sqlPlaceholders[0])\n}\n\nfunc getAdminByUsernameQuery() string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s a LEFT JOIN %s r on r.id = a.role_id WHERE a.username = %s`,\n\t\tselectAdminFields, sqlTableAdmins, sqlTableRoles, sqlPlaceholders[0])\n}\n\nfunc getAdminsQuery(order string) string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s a LEFT JOIN %s r on r.id = a.role_id ORDER BY a.username %s LIMIT %s OFFSET %s`,\n\t\tselectAdminFields, sqlTableAdmins, sqlTableRoles, order, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getDumpAdminsQuery() string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s a LEFT JOIN %s r on r.id = a.role_id`,\n\t\tselectAdminFields, sqlTableAdmins, sqlTableRoles)\n}\n\nfunc getAddAdminQuery(role string) string {\n\treturn fmt.Sprintf(`INSERT INTO %s (username,password,status,email,permissions,filters,additional_info,description,created_at,updated_at,last_login,role_id)\n\t\tVALUES (%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,0,COALESCE((SELECT id from %s WHERE name = %s),%s))`,\n\t\tsqlTableAdmins, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3], sqlPlaceholders[4],\n\t\tsqlPlaceholders[5], sqlPlaceholders[6], sqlPlaceholders[7], sqlPlaceholders[8], sqlPlaceholders[9],\n\t\tsqlTableRoles, sqlPlaceholders[10], getCoalesceDefaultForRole(role))\n}\n\nfunc getUpdateAdminQuery(role string) string {\n\treturn fmt.Sprintf(`UPDATE %s SET password=%s,status=%s,email=%s,permissions=%s,filters=%s,additional_info=%s,description=%s,updated_at=%s,\n\t\trole_id=COALESCE((SELECT id from %s WHERE name = %s),%s) WHERE username = %s`, sqlTableAdmins, sqlPlaceholders[0],\n\t\tsqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3], sqlPlaceholders[4], sqlPlaceholders[5], sqlPlaceholders[6],\n\t\tsqlPlaceholders[7], sqlTableRoles, sqlPlaceholders[8], getCoalesceDefaultForRole(role), sqlPlaceholders[9])\n}\n\nfunc getDeleteAdminQuery() string {\n\treturn fmt.Sprintf(`DELETE FROM %s WHERE username = %s`, sqlTableAdmins, sqlPlaceholders[0])\n}\n\nfunc getShareByIDQuery(filterUser bool) string {\n\tif filterUser {\n\t\treturn fmt.Sprintf(`SELECT %s FROM %s s INNER JOIN %s u ON s.user_id = u.id WHERE s.share_id = %s AND u.username = %s`,\n\t\t\tselectShareFields, sqlTableShares, sqlTableUsers, sqlPlaceholders[0], sqlPlaceholders[1])\n\t}\n\treturn fmt.Sprintf(`SELECT %s FROM %s s INNER JOIN %s u ON s.user_id = u.id WHERE s.share_id = %s`,\n\t\tselectShareFields, sqlTableShares, sqlTableUsers, sqlPlaceholders[0])\n}\n\nfunc getSharesQuery(order string) string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s s INNER JOIN %s u ON s.user_id = u.id WHERE u.username = %s ORDER BY s.share_id %s LIMIT %s OFFSET %s`,\n\t\tselectShareFields, sqlTableShares, sqlTableUsers, sqlPlaceholders[0], order, sqlPlaceholders[1], sqlPlaceholders[2])\n}\n\nfunc getDumpSharesQuery() string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s s INNER JOIN %s u ON s.user_id = u.id`,\n\t\tselectShareFields, sqlTableShares, sqlTableUsers)\n}\n\nfunc getAddShareQuery() string {\n\treturn fmt.Sprintf(`INSERT INTO %s (share_id,name,description,scope,paths,created_at,updated_at,last_use_at,\n\t\texpires_at,password,max_tokens,used_tokens,allow_from,user_id) VALUES (%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s)`,\n\t\tsqlTableShares, sqlPlaceholders[0], sqlPlaceholders[1],\n\t\tsqlPlaceholders[2], sqlPlaceholders[3], sqlPlaceholders[4], sqlPlaceholders[5], sqlPlaceholders[6],\n\t\tsqlPlaceholders[7], sqlPlaceholders[8], sqlPlaceholders[9], sqlPlaceholders[10], sqlPlaceholders[11],\n\t\tsqlPlaceholders[12], sqlPlaceholders[13])\n}\n\nfunc getUpdateShareRestoreQuery() string {\n\treturn fmt.Sprintf(`UPDATE %s SET name=%s,description=%s,scope=%s,paths=%s,created_at=%s,updated_at=%s,\n\t\tlast_use_at=%s,expires_at=%s,password=%s,max_tokens=%s,used_tokens=%s,allow_from=%s,user_id=%s WHERE share_id = %s`, sqlTableShares,\n\t\tsqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3], sqlPlaceholders[4],\n\t\tsqlPlaceholders[5], sqlPlaceholders[6], sqlPlaceholders[7], sqlPlaceholders[8], sqlPlaceholders[9],\n\t\tsqlPlaceholders[10], sqlPlaceholders[11], sqlPlaceholders[12], sqlPlaceholders[13])\n}\n\nfunc getUpdateShareQuery() string {\n\treturn fmt.Sprintf(`UPDATE %s SET name=%s,description=%s,scope=%s,paths=%s,updated_at=%s,expires_at=%s,\n\t\tpassword=%s,max_tokens=%s,allow_from=%s,user_id=%s WHERE share_id = %s`, sqlTableShares,\n\t\tsqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3], sqlPlaceholders[4],\n\t\tsqlPlaceholders[5], sqlPlaceholders[6], sqlPlaceholders[7], sqlPlaceholders[8], sqlPlaceholders[9],\n\t\tsqlPlaceholders[10])\n}\n\nfunc getDeleteShareQuery() string {\n\treturn fmt.Sprintf(`DELETE FROM %s WHERE share_id = %s`, sqlTableShares, sqlPlaceholders[0])\n}\n\nfunc getAPIKeyByIDQuery() string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s WHERE key_id = %s`, selectAPIKeyFields, sqlTableAPIKeys, sqlPlaceholders[0])\n}\n\nfunc getAPIKeysQuery(order string) string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s ORDER BY key_id %s LIMIT %s OFFSET %s`, selectAPIKeyFields, sqlTableAPIKeys,\n\t\torder, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getDumpAPIKeysQuery() string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s`, selectAPIKeyFields, sqlTableAPIKeys)\n}\n\nfunc getAddAPIKeyQuery() string {\n\treturn fmt.Sprintf(`INSERT INTO %s (key_id,name,api_key,scope,created_at,updated_at,last_use_at,expires_at,description,user_id,admin_id)\n\t\tVALUES (%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s)`, sqlTableAPIKeys, sqlPlaceholders[0], sqlPlaceholders[1],\n\t\tsqlPlaceholders[2], sqlPlaceholders[3], sqlPlaceholders[4], sqlPlaceholders[5], sqlPlaceholders[6],\n\t\tsqlPlaceholders[7], sqlPlaceholders[8], sqlPlaceholders[9], sqlPlaceholders[10])\n}\n\nfunc getUpdateAPIKeyQuery() string {\n\treturn fmt.Sprintf(`UPDATE %s SET name=%s,scope=%s,expires_at=%s,user_id=%s,admin_id=%s,description=%s,updated_at=%s\n\t\tWHERE key_id = %s`, sqlTableAPIKeys, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2],\n\t\tsqlPlaceholders[3], sqlPlaceholders[4], sqlPlaceholders[5], sqlPlaceholders[6], sqlPlaceholders[7])\n}\n\nfunc getDeleteAPIKeyQuery() string {\n\treturn fmt.Sprintf(`DELETE FROM %s WHERE key_id = %s`, sqlTableAPIKeys, sqlPlaceholders[0])\n}\n\nfunc getRelatedUsersForAPIKeysQuery(apiKeys []APIKey) string {\n\tvar sb strings.Builder\n\tfor _, k := range apiKeys {\n\t\tif k.userID == 0 {\n\t\t\tcontinue\n\t\t}\n\t\tif sb.Len() == 0 {\n\t\t\tsb.WriteString(\"(\")\n\t\t} else {\n\t\t\tsb.WriteString(\",\")\n\t\t}\n\t\tsb.WriteString(strconv.FormatInt(k.userID, 10))\n\t}\n\tif sb.Len() > 0 {\n\t\tsb.WriteString(\")\")\n\t} else {\n\t\tsb.WriteString(\"(0)\")\n\t}\n\treturn fmt.Sprintf(`SELECT id,username FROM %s WHERE id IN %s ORDER BY username`, sqlTableUsers, sb.String())\n}\n\nfunc getRelatedAdminsForAPIKeysQuery(apiKeys []APIKey) string {\n\tvar sb strings.Builder\n\tfor _, k := range apiKeys {\n\t\tif k.adminID == 0 {\n\t\t\tcontinue\n\t\t}\n\t\tif sb.Len() == 0 {\n\t\t\tsb.WriteString(\"(\")\n\t\t} else {\n\t\t\tsb.WriteString(\",\")\n\t\t}\n\t\tsb.WriteString(strconv.FormatInt(k.adminID, 10))\n\t}\n\tif sb.Len() > 0 {\n\t\tsb.WriteString(\")\")\n\t} else {\n\t\tsb.WriteString(\"(0)\")\n\t}\n\treturn fmt.Sprintf(`SELECT id,username FROM %s WHERE id IN %s ORDER BY username`, sqlTableAdmins, sb.String())\n}\n\nfunc getUserByUsernameQuery(role string) string {\n\tif role == \"\" {\n\t\treturn fmt.Sprintf(`SELECT %s FROM %s u LEFT JOIN %s r on r.id = u.role_id WHERE u.username = %s AND u.deleted_at = 0`,\n\t\t\tselectUserFields, sqlTableUsers, sqlTableRoles, sqlPlaceholders[0])\n\t}\n\treturn fmt.Sprintf(`SELECT %s FROM %s u LEFT JOIN %s r on r.id = u.role_id WHERE u.username = %s AND u.deleted_at = 0\n\t\tAND u.role_id is NOT NULL AND r.name = %s`,\n\t\tselectUserFields, sqlTableUsers, sqlTableRoles, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getUsersQuery(order, role string) string {\n\tif role == \"\" {\n\t\treturn fmt.Sprintf(`SELECT %s FROM %s u LEFT JOIN %s r on r.id = u.role_id WHERE\n\t\t\tu.deleted_at = 0 ORDER BY u.username %s LIMIT %s OFFSET %s`,\n\t\t\tselectUserFields, sqlTableUsers, sqlTableRoles, order, sqlPlaceholders[0], sqlPlaceholders[1])\n\t}\n\treturn fmt.Sprintf(`SELECT %s FROM %s u LEFT JOIN %s r on r.id = u.role_id WHERE\n\t\tu.deleted_at = 0 AND u.role_id is NOT NULL AND r.name = %s ORDER BY u.username %s LIMIT %s OFFSET %s`,\n\t\tselectUserFields, sqlTableUsers, sqlTableRoles, sqlPlaceholders[0], order, sqlPlaceholders[1], sqlPlaceholders[2])\n}\n\nfunc getUsersForQuotaCheckQuery(numArgs int) string {\n\tvar sb strings.Builder\n\tfor idx := 0; idx < numArgs; idx++ {\n\t\tif sb.Len() == 0 {\n\t\t\tsb.WriteString(\"(\")\n\t\t} else {\n\t\t\tsb.WriteString(\",\")\n\t\t}\n\t\tsb.WriteString(sqlPlaceholders[idx])\n\t}\n\tif sb.Len() > 0 {\n\t\tsb.WriteString(\")\")\n\t}\n\treturn fmt.Sprintf(`SELECT id,username,quota_size,used_quota_size,total_data_transfer,upload_data_transfer,\n\t\tdownload_data_transfer,used_upload_data_transfer,used_download_data_transfer,filters FROM %s WHERE username IN %s`,\n\t\tsqlTableUsers, sb.String())\n}\n\nfunc getRecentlyUpdatedUsersQuery() string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s u LEFT JOIN %s r on r.id = u.role_id WHERE u.updated_at >= %s OR u.deleted_at > 0`,\n\t\tselectUserFields, sqlTableUsers, sqlTableRoles, sqlPlaceholders[0])\n}\n\nfunc getDumpUsersQuery() string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s u LEFT JOIN %s r on r.id = u.role_id WHERE u.deleted_at = 0`,\n\t\tselectUserFields, sqlTableUsers, sqlTableRoles)\n}\n\nfunc getDumpFoldersQuery() string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s`, selectFolderFields, sqlTableFolders)\n}\n\nfunc getUpdateTransferQuotaQuery(reset bool) string {\n\tif reset {\n\t\treturn fmt.Sprintf(`UPDATE %s SET used_upload_data_transfer = %s,used_download_data_transfer = %s,last_quota_update = %s\n\t\t\tWHERE username = %s`, sqlTableUsers, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3])\n\t}\n\treturn fmt.Sprintf(`UPDATE %s SET used_upload_data_transfer = used_upload_data_transfer + %s,\n\t\tused_download_data_transfer = used_download_data_transfer + %s,last_quota_update = %s\n\t\tWHERE username = %s`, sqlTableUsers, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3])\n}\n\nfunc getUpdateQuotaQuery(reset bool) string {\n\tif reset {\n\t\treturn fmt.Sprintf(`UPDATE %s SET used_quota_size = %s,used_quota_files = %s,last_quota_update = %s\n\t\t\tWHERE username = %s`, sqlTableUsers, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3])\n\t}\n\treturn fmt.Sprintf(`UPDATE %s SET used_quota_size = used_quota_size + %s,used_quota_files = used_quota_files + %s,last_quota_update = %s\n\t\tWHERE username = %s`, sqlTableUsers, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3])\n}\n\nfunc getAdminSignatureQuery() string {\n\treturn fmt.Sprintf(`SELECT updated_at FROM %s WHERE username = %s`, sqlTableAdmins, sqlPlaceholders[0])\n}\n\nfunc getUserSignatureQuery() string {\n\treturn fmt.Sprintf(`SELECT updated_at FROM %s WHERE username = %s`, sqlTableUsers, sqlPlaceholders[0])\n}\n\nfunc getSetUpdateAtQuery() string {\n\treturn fmt.Sprintf(`UPDATE %s SET updated_at = %s WHERE username = %s`, sqlTableUsers, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getSetFirstUploadQuery() string {\n\treturn fmt.Sprintf(`UPDATE %s SET first_upload = %s WHERE username = %s AND first_upload = 0`,\n\t\tsqlTableUsers, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getSetFirstDownloadQuery() string {\n\treturn fmt.Sprintf(`UPDATE %s SET first_download = %s WHERE username = %s AND first_download = 0`,\n\t\tsqlTableUsers, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getUpdateLastLoginQuery() string {\n\treturn fmt.Sprintf(`UPDATE %s SET last_login = %s WHERE username = %s`, sqlTableUsers, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getUpdateAdminLastLoginQuery() string {\n\treturn fmt.Sprintf(`UPDATE %s SET last_login = %s WHERE username = %s`, sqlTableAdmins, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getUpdateAPIKeyLastUseQuery() string {\n\treturn fmt.Sprintf(`UPDATE %s SET last_use_at = %s WHERE key_id = %s`, sqlTableAPIKeys, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getUpdateShareLastUseQuery() string {\n\treturn fmt.Sprintf(`UPDATE %s SET last_use_at = %s, used_tokens = used_tokens +%s WHERE share_id = %s`,\n\t\tsqlTableShares, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2])\n}\n\nfunc getQuotaQuery() string {\n\treturn fmt.Sprintf(`SELECT used_quota_size,used_quota_files,used_upload_data_transfer,\n\t\tused_download_data_transfer FROM %s WHERE username = %s`,\n\t\tsqlTableUsers, sqlPlaceholders[0])\n}\n\nfunc getAddUserQuery(role string) string {\n\treturn fmt.Sprintf(`INSERT INTO %s (username,password,public_keys,home_dir,uid,gid,max_sessions,quota_size,quota_files,permissions,\n\t\tused_quota_size,used_quota_files,last_quota_update,upload_bandwidth,download_bandwidth,status,last_login,expiration_date,filters,\n\t\tfilesystem,additional_info,description,email,created_at,updated_at,upload_data_transfer,download_data_transfer,total_data_transfer,\n\t\tused_upload_data_transfer,used_download_data_transfer,deleted_at,first_download,first_upload,role_id,last_password_change)\n\t\tVALUES (%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,0,0,0,%s,%s,%s,0,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,0,0,0,0,0,\n\t\tCOALESCE((SELECT id from %s WHERE name=%s),%s),%s)`,\n\t\tsqlTableUsers, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3], sqlPlaceholders[4],\n\t\tsqlPlaceholders[5], sqlPlaceholders[6], sqlPlaceholders[7], sqlPlaceholders[8], sqlPlaceholders[9],\n\t\tsqlPlaceholders[10], sqlPlaceholders[11], sqlPlaceholders[12], sqlPlaceholders[13], sqlPlaceholders[14],\n\t\tsqlPlaceholders[15], sqlPlaceholders[16], sqlPlaceholders[17], sqlPlaceholders[18], sqlPlaceholders[19],\n\t\tsqlPlaceholders[20], sqlPlaceholders[21], sqlPlaceholders[22], sqlPlaceholders[23], sqlTableRoles,\n\t\tsqlPlaceholders[24], getCoalesceDefaultForRole(role), sqlPlaceholders[25])\n}\n\nfunc getUpdateUserQuery(role string) string {\n\treturn fmt.Sprintf(`UPDATE %s SET password=%s,public_keys=%s,home_dir=%s,uid=%s,gid=%s,max_sessions=%s,quota_size=%s,\n\t\tquota_files=%s,permissions=%s,upload_bandwidth=%s,download_bandwidth=%s,status=%s,expiration_date=%s,filters=%s,filesystem=%s,\n\t\tadditional_info=%s,description=%s,email=%s,updated_at=%s,upload_data_transfer=%s,download_data_transfer=%s,\n\t\ttotal_data_transfer=%s,role_id=COALESCE((SELECT id from %s WHERE name=%s),%s),last_password_change=%s WHERE username = %s`,\n\t\tsqlTableUsers, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3], sqlPlaceholders[4],\n\t\tsqlPlaceholders[5], sqlPlaceholders[6], sqlPlaceholders[7], sqlPlaceholders[8], sqlPlaceholders[9],\n\t\tsqlPlaceholders[10], sqlPlaceholders[11], sqlPlaceholders[12], sqlPlaceholders[13], sqlPlaceholders[14],\n\t\tsqlPlaceholders[15], sqlPlaceholders[16], sqlPlaceholders[17], sqlPlaceholders[18], sqlPlaceholders[19],\n\t\tsqlPlaceholders[20], sqlPlaceholders[21], sqlTableRoles, sqlPlaceholders[22], getCoalesceDefaultForRole(role),\n\t\tsqlPlaceholders[23], sqlPlaceholders[24])\n}\n\nfunc getUpdateUserPasswordQuery() string {\n\treturn fmt.Sprintf(`UPDATE %s SET password=%s,updated_at=%s WHERE username = %s`,\n\t\tsqlTableUsers, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2])\n}\n\nfunc getDeleteUserQuery(softDelete bool) string {\n\tif softDelete {\n\t\treturn fmt.Sprintf(`UPDATE %s SET updated_at=%s,deleted_at=%s WHERE username = %s`,\n\t\t\tsqlTableUsers, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2])\n\t}\n\treturn fmt.Sprintf(`DELETE FROM %s WHERE username = %s`, sqlTableUsers, sqlPlaceholders[0])\n}\n\nfunc getRemoveSoftDeletedUserQuery() string {\n\treturn fmt.Sprintf(`DELETE FROM %s WHERE username = %s AND deleted_at > 0`, sqlTableUsers, sqlPlaceholders[0])\n}\n\nfunc getFolderByNameQuery() string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s WHERE name = %s`, selectFolderFields, sqlTableFolders, sqlPlaceholders[0])\n}\n\nfunc getAddFolderQuery() string {\n\treturn fmt.Sprintf(`INSERT INTO %s (path,used_quota_size,used_quota_files,last_quota_update,name,description,filesystem)\n\t\tVALUES (%s,%s,%s,%s,%s,%s,%s)`, sqlTableFolders, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2],\n\t\tsqlPlaceholders[3], sqlPlaceholders[4], sqlPlaceholders[5], sqlPlaceholders[6])\n}\n\nfunc getUpdateFolderQuery() string {\n\treturn fmt.Sprintf(`UPDATE %s SET path=%s,description=%s,filesystem=%s WHERE name = %s`, sqlTableFolders, sqlPlaceholders[0],\n\t\tsqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3])\n}\n\nfunc getDeleteFolderQuery() string {\n\treturn fmt.Sprintf(`DELETE FROM %s WHERE name = %s`, sqlTableFolders, sqlPlaceholders[0])\n}\n\nfunc getClearUserGroupMappingQuery() string {\n\treturn fmt.Sprintf(`DELETE FROM %s WHERE user_id = (SELECT id FROM %s WHERE username = %s)`, sqlTableUsersGroupsMapping,\n\t\tsqlTableUsers, sqlPlaceholders[0])\n}\n\nfunc getAddUserGroupMappingQuery() string {\n\treturn fmt.Sprintf(`INSERT INTO %s (user_id,group_id,group_type,sort_order) VALUES ((SELECT id FROM %s WHERE username = %s),\n\t\t(SELECT id FROM %s WHERE name = %s),%s,%s)`,\n\t\tsqlTableUsersGroupsMapping, sqlTableUsers, sqlPlaceholders[0], getSQLQuotedName(sqlTableGroups),\n\t\tsqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3])\n}\n\nfunc getClearAdminGroupMappingQuery() string {\n\treturn fmt.Sprintf(`DELETE FROM %s WHERE admin_id = (SELECT id FROM %s WHERE username = %s)`, sqlTableAdminsGroupsMapping,\n\t\tsqlTableAdmins, sqlPlaceholders[0])\n}\n\nfunc getAddAdminGroupMappingQuery() string {\n\treturn fmt.Sprintf(`INSERT INTO %s (admin_id,group_id,options,sort_order) VALUES ((SELECT id FROM %s WHERE username = %s),\n\t\t(SELECT id FROM %s WHERE name = %s),%s,%s)`,\n\t\tsqlTableAdminsGroupsMapping, sqlTableAdmins, sqlPlaceholders[0], getSQLQuotedName(sqlTableGroups),\n\t\tsqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3])\n}\n\nfunc getClearGroupFolderMappingQuery() string {\n\treturn fmt.Sprintf(`DELETE FROM %s WHERE group_id = (SELECT id FROM %s WHERE name = %s)`, sqlTableGroupsFoldersMapping,\n\t\tgetSQLQuotedName(sqlTableGroups), sqlPlaceholders[0])\n}\n\nfunc getAddGroupFolderMappingQuery() string {\n\treturn fmt.Sprintf(`INSERT INTO %s (virtual_path,quota_size,quota_files,folder_id,group_id,sort_order)\n\t\tVALUES (%s,%s,%s,(SELECT id FROM %s WHERE name = %s),(SELECT id FROM %s WHERE name = %s),%s)`,\n\t\tsqlTableGroupsFoldersMapping, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlTableFolders,\n\t\tsqlPlaceholders[3], getSQLQuotedName(sqlTableGroups), sqlPlaceholders[4], sqlPlaceholders[5])\n}\n\nfunc getClearUserFolderMappingQuery() string {\n\treturn fmt.Sprintf(`DELETE FROM %s WHERE user_id = (SELECT id FROM %s WHERE username = %s)`, sqlTableUsersFoldersMapping,\n\t\tsqlTableUsers, sqlPlaceholders[0])\n}\n\nfunc getAddUserFolderMappingQuery() string {\n\treturn fmt.Sprintf(`INSERT INTO %s (virtual_path,quota_size,quota_files,folder_id,user_id,sort_order)\n\t\tVALUES (%s,%s,%s,(SELECT id FROM %s WHERE name = %s),(SELECT id FROM %s WHERE username = %s),%s)`,\n\t\tsqlTableUsersFoldersMapping, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlTableFolders,\n\t\tsqlPlaceholders[3], sqlTableUsers, sqlPlaceholders[4], sqlPlaceholders[5])\n}\n\nfunc getFoldersQuery(order string, minimal bool) string {\n\tvar fieldSelection string\n\tif minimal {\n\t\tfieldSelection = selectMinimalFields\n\t} else {\n\t\tfieldSelection = selectFolderFields\n\t}\n\treturn fmt.Sprintf(`SELECT %s FROM %s ORDER BY name %s LIMIT %s OFFSET %s`, fieldSelection, sqlTableFolders,\n\t\torder, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getUpdateFolderQuotaQuery(reset bool) string {\n\tif reset {\n\t\treturn fmt.Sprintf(`UPDATE %s SET used_quota_size = %s,used_quota_files = %s,last_quota_update = %s\n\t\t\tWHERE name = %s`, sqlTableFolders, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3])\n\t}\n\treturn fmt.Sprintf(`UPDATE %s SET used_quota_size = used_quota_size + %s,used_quota_files = used_quota_files + %s,last_quota_update = %s\n\t\tWHERE name = %s`, sqlTableFolders, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3])\n}\n\nfunc getQuotaFolderQuery() string {\n\treturn fmt.Sprintf(`SELECT used_quota_size,used_quota_files FROM %s WHERE name = %s`, sqlTableFolders,\n\t\tsqlPlaceholders[0])\n}\n\nfunc getRelatedGroupsForUsersQuery(users []User) string {\n\tvar sb strings.Builder\n\tfor _, u := range users {\n\t\tif sb.Len() == 0 {\n\t\t\tsb.WriteString(\"(\")\n\t\t} else {\n\t\t\tsb.WriteString(\",\")\n\t\t}\n\t\tsb.WriteString(strconv.FormatInt(u.ID, 10))\n\t}\n\tif sb.Len() > 0 {\n\t\tsb.WriteString(\")\")\n\t}\n\treturn fmt.Sprintf(`SELECT g.name,ug.group_type,ug.user_id FROM %s g INNER JOIN %s ug ON g.id = ug.group_id WHERE\n\t\tug.user_id IN %s ORDER BY ug.sort_order`, getSQLQuotedName(sqlTableGroups), sqlTableUsersGroupsMapping, sb.String())\n}\n\nfunc getRelatedGroupsForAdminsQuery(admins []Admin) string {\n\tvar sb strings.Builder\n\tfor _, a := range admins {\n\t\tif sb.Len() == 0 {\n\t\t\tsb.WriteString(\"(\")\n\t\t} else {\n\t\t\tsb.WriteString(\",\")\n\t\t}\n\t\tsb.WriteString(strconv.FormatInt(a.ID, 10))\n\t}\n\tif sb.Len() > 0 {\n\t\tsb.WriteString(\")\")\n\t}\n\treturn fmt.Sprintf(`SELECT g.name,ag.options,ag.admin_id FROM %s g INNER JOIN %s ag ON g.id = ag.group_id WHERE\n\t\tag.admin_id IN %s ORDER BY ag.sort_order`, getSQLQuotedName(sqlTableGroups), sqlTableAdminsGroupsMapping, sb.String())\n}\n\nfunc getRelatedFoldersForUsersQuery(users []User) string {\n\tvar sb strings.Builder\n\tfor _, u := range users {\n\t\tif sb.Len() == 0 {\n\t\t\tsb.WriteString(\"(\")\n\t\t} else {\n\t\t\tsb.WriteString(\",\")\n\t\t}\n\t\tsb.WriteString(strconv.FormatInt(u.ID, 10))\n\t}\n\tif sb.Len() > 0 {\n\t\tsb.WriteString(\")\")\n\t}\n\treturn fmt.Sprintf(`SELECT f.id,f.name,f.path,f.used_quota_size,f.used_quota_files,f.last_quota_update,fm.virtual_path,\n\t\tfm.quota_size,fm.quota_files,fm.user_id,f.filesystem,f.description FROM %s f INNER JOIN %s fm ON f.id = fm.folder_id WHERE\n\t\tfm.user_id IN %s ORDER BY fm.sort_order`, sqlTableFolders, sqlTableUsersFoldersMapping, sb.String())\n}\n\nfunc getRelatedUsersForFoldersQuery(folders []vfs.BaseVirtualFolder) string {\n\tvar sb strings.Builder\n\tfor _, f := range folders {\n\t\tif sb.Len() == 0 {\n\t\t\tsb.WriteString(\"(\")\n\t\t} else {\n\t\t\tsb.WriteString(\",\")\n\t\t}\n\t\tsb.WriteString(strconv.FormatInt(f.ID, 10))\n\t}\n\tif sb.Len() > 0 {\n\t\tsb.WriteString(\")\")\n\t}\n\treturn fmt.Sprintf(`SELECT fm.folder_id,u.username FROM %s fm INNER JOIN %s u ON fm.user_id = u.id\n\t\tWHERE fm.folder_id IN %s ORDER BY u.username`, sqlTableUsersFoldersMapping, sqlTableUsers, sb.String())\n}\n\nfunc getRelatedGroupsForFoldersQuery(folders []vfs.BaseVirtualFolder) string {\n\tvar sb strings.Builder\n\tfor _, f := range folders {\n\t\tif sb.Len() == 0 {\n\t\t\tsb.WriteString(\"(\")\n\t\t} else {\n\t\t\tsb.WriteString(\",\")\n\t\t}\n\t\tsb.WriteString(strconv.FormatInt(f.ID, 10))\n\t}\n\tif sb.Len() > 0 {\n\t\tsb.WriteString(\")\")\n\t}\n\treturn fmt.Sprintf(`SELECT fm.folder_id,g.name FROM %s fm INNER JOIN %s g ON fm.group_id = g.id\n\t\tWHERE fm.folder_id IN %s ORDER BY g.name`, sqlTableGroupsFoldersMapping, getSQLQuotedName(sqlTableGroups),\n\t\tsb.String())\n}\n\nfunc getRelatedUsersForGroupsQuery(groups []Group) string {\n\tvar sb strings.Builder\n\tfor _, g := range groups {\n\t\tif sb.Len() == 0 {\n\t\t\tsb.WriteString(\"(\")\n\t\t} else {\n\t\t\tsb.WriteString(\",\")\n\t\t}\n\t\tsb.WriteString(strconv.FormatInt(g.ID, 10))\n\t}\n\tif sb.Len() > 0 {\n\t\tsb.WriteString(\")\")\n\t}\n\treturn fmt.Sprintf(`SELECT um.group_id,u.username FROM %s um INNER JOIN %s u ON um.user_id = u.id\n\t\tWHERE um.group_id IN %s ORDER BY u.username`, sqlTableUsersGroupsMapping, sqlTableUsers, sb.String())\n}\n\nfunc getRelatedAdminsForGroupsQuery(groups []Group) string {\n\tvar sb strings.Builder\n\tfor _, g := range groups {\n\t\tif sb.Len() == 0 {\n\t\t\tsb.WriteString(\"(\")\n\t\t} else {\n\t\t\tsb.WriteString(\",\")\n\t\t}\n\t\tsb.WriteString(strconv.FormatInt(g.ID, 10))\n\t}\n\tif sb.Len() > 0 {\n\t\tsb.WriteString(\")\")\n\t}\n\treturn fmt.Sprintf(`SELECT am.group_id,a.username FROM %s am INNER JOIN %s a ON am.admin_id = a.id\n\t\tWHERE am.group_id IN %s ORDER BY a.username`, sqlTableAdminsGroupsMapping, sqlTableAdmins, sb.String())\n}\n\nfunc getRelatedFoldersForGroupsQuery(groups []Group) string {\n\tvar sb strings.Builder\n\tfor _, g := range groups {\n\t\tif sb.Len() == 0 {\n\t\t\tsb.WriteString(\"(\")\n\t\t} else {\n\t\t\tsb.WriteString(\",\")\n\t\t}\n\t\tsb.WriteString(strconv.FormatInt(g.ID, 10))\n\t}\n\tif sb.Len() > 0 {\n\t\tsb.WriteString(\")\")\n\t}\n\treturn fmt.Sprintf(`SELECT f.id,f.name,f.path,f.used_quota_size,f.used_quota_files,f.last_quota_update,fm.virtual_path,\n\t\tfm.quota_size,fm.quota_files,fm.group_id,f.filesystem,f.description FROM %s f INNER JOIN %s fm ON f.id = fm.folder_id WHERE\n\t\tfm.group_id IN %s ORDER BY fm.sort_order`, sqlTableFolders, sqlTableGroupsFoldersMapping, sb.String())\n}\n\nfunc getActiveTransfersQuery() string {\n\treturn fmt.Sprintf(`SELECT transfer_id,connection_id,transfer_type,username,folder_name,ip,truncated_size,\n\t\tcurrent_ul_size,current_dl_size,created_at,updated_at FROM %s WHERE updated_at > %s`,\n\t\tsqlTableActiveTransfers, sqlPlaceholders[0])\n}\n\nfunc getAddActiveTransferQuery() string {\n\treturn fmt.Sprintf(`INSERT INTO %s (transfer_id,connection_id,transfer_type,username,folder_name,ip,truncated_size,\n\t\tcurrent_ul_size,current_dl_size,created_at,updated_at) VALUES (%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s)`,\n\t\tsqlTableActiveTransfers, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3],\n\t\tsqlPlaceholders[4], sqlPlaceholders[5], sqlPlaceholders[6], sqlPlaceholders[7], sqlPlaceholders[8],\n\t\tsqlPlaceholders[9], sqlPlaceholders[10])\n}\n\nfunc getUpdateActiveTransferSizesQuery() string {\n\treturn fmt.Sprintf(`UPDATE %s SET current_ul_size=%s,current_dl_size=%s,updated_at=%s WHERE connection_id = %s AND transfer_id = %s`,\n\t\tsqlTableActiveTransfers, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3], sqlPlaceholders[4])\n}\n\nfunc getRemoveActiveTransferQuery() string {\n\treturn fmt.Sprintf(`DELETE FROM %s WHERE connection_id = %s AND transfer_id = %s`,\n\t\tsqlTableActiveTransfers, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getCleanupActiveTransfersQuery() string {\n\treturn fmt.Sprintf(`DELETE FROM %s WHERE updated_at < %s`, sqlTableActiveTransfers, sqlPlaceholders[0])\n}\n\nfunc getRelatedRulesForActionsQuery(actions []BaseEventAction) string {\n\tvar sb strings.Builder\n\tfor _, a := range actions {\n\t\tif sb.Len() == 0 {\n\t\t\tsb.WriteString(\"(\")\n\t\t} else {\n\t\t\tsb.WriteString(\",\")\n\t\t}\n\t\tsb.WriteString(strconv.FormatInt(a.ID, 10))\n\t}\n\tif sb.Len() > 0 {\n\t\tsb.WriteString(\")\")\n\t}\n\treturn fmt.Sprintf(`SELECT am.action_id,r.name FROM %s am INNER JOIN %s r ON am.rule_id = r.id\n\t\tWHERE am.action_id IN %s ORDER BY r.name ASC`, sqlTableRulesActionsMapping, sqlTableEventsRules, sb.String())\n}\n\nfunc getEventsActionsQuery(order string, minimal bool) string {\n\tvar fieldSelection string\n\tif minimal {\n\t\tfieldSelection = selectMinimalFields\n\t} else {\n\t\tfieldSelection = selectEventActionFields\n\t}\n\treturn fmt.Sprintf(`SELECT %s FROM %s ORDER BY name %s LIMIT %s OFFSET %s`, fieldSelection,\n\t\tsqlTableEventsActions, order, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getDumpEventActionsQuery() string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s`, selectEventActionFields, sqlTableEventsActions)\n}\n\nfunc getEventActionByNameQuery() string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s WHERE name = %s`, selectEventActionFields, sqlTableEventsActions,\n\t\tsqlPlaceholders[0])\n}\n\nfunc getAddEventActionQuery() string {\n\treturn fmt.Sprintf(`INSERT INTO %s (name,description,type,options) VALUES (%s,%s,%s,%s)`,\n\t\tsqlTableEventsActions, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3])\n}\n\nfunc getUpdateEventActionQuery() string {\n\treturn fmt.Sprintf(`UPDATE %s SET description=%s,type=%s,options=%s WHERE name = %s`, sqlTableEventsActions,\n\t\tsqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3])\n}\n\nfunc getDeleteEventActionQuery() string {\n\treturn fmt.Sprintf(`DELETE FROM %s WHERE name = %s`, sqlTableEventsActions, sqlPlaceholders[0])\n}\n\nfunc getEventRulesQuery(order string) string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s WHERE deleted_at = 0 ORDER BY name %s LIMIT %s OFFSET %s`,\n\t\tgetSelectEventRuleFields(), sqlTableEventsRules, order, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getDumpEventRulesQuery() string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s WHERE deleted_at = 0`, getSelectEventRuleFields(), sqlTableEventsRules)\n}\n\nfunc getRecentlyUpdatedRulesQuery() string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s WHERE updated_at >= %s OR deleted_at > 0`, getSelectEventRuleFields(),\n\t\tsqlTableEventsRules, sqlPlaceholders[0])\n}\n\nfunc getEventRulesByNameQuery() string {\n\treturn fmt.Sprintf(`SELECT %s FROM %s WHERE name = %s AND deleted_at = 0`, getSelectEventRuleFields(), sqlTableEventsRules,\n\t\tsqlPlaceholders[0])\n}\n\nfunc getAddEventRuleQuery() string {\n\treturn fmt.Sprintf(`INSERT INTO %s (name,description,created_at,updated_at,%s,conditions,deleted_at,status)\n\t\tVALUES (%s,%s,%s,%s,%s,%s,0,%s)`,\n\t\tsqlTableEventsRules, getSQLQuotedName(\"trigger\"), sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2],\n\t\tsqlPlaceholders[3], sqlPlaceholders[4], sqlPlaceholders[5], sqlPlaceholders[6])\n}\n\nfunc getUpdateEventRuleQuery() string {\n\treturn fmt.Sprintf(`UPDATE %s SET description=%s,updated_at=%s,%s=%s,conditions=%s,status=%s WHERE name = %s`,\n\t\tsqlTableEventsRules, sqlPlaceholders[0], sqlPlaceholders[1], getSQLQuotedName(\"trigger\"), sqlPlaceholders[2],\n\t\tsqlPlaceholders[3], sqlPlaceholders[4], sqlPlaceholders[5])\n}\n\nfunc getDeleteEventRuleQuery(softDelete bool) string {\n\tif softDelete {\n\t\treturn fmt.Sprintf(`UPDATE %s SET updated_at=%s,deleted_at=%s WHERE name = %s`,\n\t\t\tsqlTableEventsRules, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2])\n\t}\n\treturn fmt.Sprintf(`DELETE FROM %s WHERE name = %s`, sqlTableEventsRules, sqlPlaceholders[0])\n}\n\nfunc getRemoveSoftDeletedRuleQuery() string {\n\treturn fmt.Sprintf(`DELETE FROM %s WHERE name = %s AND deleted_at > 0`, sqlTableEventsRules, sqlPlaceholders[0])\n}\n\nfunc getClearRuleActionMappingQuery() string {\n\treturn fmt.Sprintf(`DELETE FROM %s WHERE rule_id = (SELECT id FROM %s WHERE name = %s)`, sqlTableRulesActionsMapping,\n\t\tsqlTableEventsRules, sqlPlaceholders[0])\n}\n\nfunc getUpdateRulesTimestampQuery() string {\n\treturn fmt.Sprintf(`UPDATE %s SET updated_at=%s WHERE id IN (SELECT rule_id FROM %s WHERE action_id = (SELECT id from %s WHERE name = %s))`,\n\t\tsqlTableEventsRules, sqlPlaceholders[0], sqlTableRulesActionsMapping, sqlTableEventsActions, sqlPlaceholders[1])\n}\n\nfunc getRelatedActionsForRulesQuery(rules []EventRule) string {\n\tvar sb strings.Builder\n\tfor _, r := range rules {\n\t\tif sb.Len() == 0 {\n\t\t\tsb.WriteString(\"(\")\n\t\t} else {\n\t\t\tsb.WriteString(\",\")\n\t\t}\n\t\tsb.WriteString(strconv.FormatInt(r.ID, 10))\n\t}\n\tif sb.Len() > 0 {\n\t\tsb.WriteString(\")\")\n\t}\n\treturn fmt.Sprintf(`SELECT a.id,a.name,a.description,a.type,a.options,am.options,am.%s,\n\t\tam.rule_id FROM %s a INNER JOIN %s am ON a.id = am.action_id WHERE am.rule_id IN %s ORDER BY am.%s ASC`,\n\t\tgetSQLQuotedName(\"order\"), sqlTableEventsActions, sqlTableRulesActionsMapping, sb.String(),\n\t\tgetSQLQuotedName(\"order\"))\n}\n\nfunc getAddRuleActionMappingQuery() string {\n\treturn fmt.Sprintf(`INSERT INTO %s (rule_id,action_id,%s,options) VALUES ((SELECT id FROM %s WHERE name = %s),\n\t\t(SELECT id FROM %s WHERE name = %s),%s,%s)`,\n\t\tsqlTableRulesActionsMapping, getSQLQuotedName(\"order\"), sqlTableEventsRules, sqlPlaceholders[0],\n\t\tsqlTableEventsActions, sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3])\n}\n\nfunc getTaskByNameQuery() string {\n\treturn fmt.Sprintf(`SELECT updated_at,version FROM %s WHERE name = %s`, sqlTableTasks, sqlPlaceholders[0])\n}\n\nfunc getAddTaskQuery() string {\n\treturn fmt.Sprintf(`INSERT INTO %s (name,updated_at,version) VALUES (%s,%s,0)`,\n\t\tsqlTableTasks, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getUpdateTaskQuery() string {\n\treturn fmt.Sprintf(`UPDATE %s SET updated_at=%s,version = version + 1 WHERE name = %s AND version = %s`,\n\t\tsqlTableTasks, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2])\n}\n\nfunc getUpdateTaskTimestampQuery() string {\n\treturn fmt.Sprintf(`UPDATE %s SET updated_at=%s WHERE name = %s`,\n\t\tsqlTableTasks, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getDeleteTaskQuery() string {\n\treturn fmt.Sprintf(`DELETE FROM %s WHERE name = %s`, sqlTableTasks, sqlPlaceholders[0])\n}\n\nfunc getAddNodeQuery() string {\n\tif config.Driver == MySQLDataProviderName {\n\t\treturn fmt.Sprintf(\"INSERT INTO %s (`name`,`data`,created_at,`updated_at`) VALUES (%s,%s,%s,%s) ON DUPLICATE KEY UPDATE \"+\n\t\t\t\"`data`=VALUES(`data`), `created_at`=VALUES(`created_at`), `updated_at`=VALUES(`updated_at`)\",\n\t\t\tsqlTableNodes, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3])\n\t}\n\treturn fmt.Sprintf(`INSERT INTO %s (name,data,created_at,updated_at) VALUES (%s,%s,%s,%s) ON CONFLICT(name)\n\t\tDO UPDATE SET data=EXCLUDED.data, created_at=EXCLUDED.created_at, updated_at=EXCLUDED.updated_at`,\n\t\tsqlTableNodes, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3])\n}\n\nfunc getUpdateNodeTimestampQuery() string {\n\treturn fmt.Sprintf(`UPDATE %s SET updated_at=%s WHERE name = %s`,\n\t\tsqlTableNodes, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getNodeByNameQuery() string {\n\treturn fmt.Sprintf(`SELECT name,data,created_at,updated_at FROM %s WHERE name = %s AND updated_at > %s`,\n\t\tsqlTableNodes, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getNodesQuery() string {\n\treturn fmt.Sprintf(`SELECT name,data,created_at,updated_at FROM %s WHERE name != %s AND updated_at > %s`,\n\t\tsqlTableNodes, sqlPlaceholders[0], sqlPlaceholders[1])\n}\n\nfunc getCleanupNodesQuery() string {\n\treturn fmt.Sprintf(`DELETE FROM %s WHERE updated_at < %s`, sqlTableNodes, sqlPlaceholders[0])\n}\n\nfunc getDatabaseVersionQuery() string {\n\treturn fmt.Sprintf(\"SELECT version from %s LIMIT 1\", sqlTableSchemaVersion)\n}\n\nfunc getUpdateDBVersionQuery() string {\n\treturn fmt.Sprintf(`UPDATE %s SET version=%s`, sqlTableSchemaVersion, sqlPlaceholders[0])\n}\n" }, { "path": "internal/dataprovider/unixcrypt.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build unixcrypt && cgo\n\npackage dataprovider\n\nimport (\n\t\"strings\"\n\n\t\"github.com/amoghe/go-crypt\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n)\n\nfunc init() {\n\tversion.AddFeature(\"+unixcrypt\")\n}\n\nfunc compareYescryptPassword(hashedPwd, plainPwd string) (bool, error) {\n\tlastIdx := strings.LastIndex(hashedPwd, \"$\")\n\tpwd, err := crypt.Crypt(plainPwd, hashedPwd[:lastIdx+1])\n\tif err != nil {\n\t\treturn false, err\n\t}\n\treturn pwd == hashedPwd, nil\n}\n" }, { "path": "internal/dataprovider/unixcrypt_disabled.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build !unixcrypt || !cgo\n\npackage dataprovider\n\nimport (\n\t\"errors\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n)\n\nfunc init() {\n\tversion.AddFeature(\"-unixcrypt\")\n}\n\nfunc compareYescryptPassword(_, _ string) (bool, error) {\n\treturn false, errors.New(\"yescrypt hash format is not supported or disabled\")\n}\n" }, { "path": "internal/dataprovider/user.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage dataprovider\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"math\"\n\t\"net\"\n\t\"os\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"slices\"\n\t\"strconv\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/rs/xid\"\n\t\"github.com/sftpgo/sdk\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/mfa\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\n// Available permissions for SFTPGo users\nconst (\n\t// All permissions are granted\n\tPermAny = \"*\"\n\t// List items such as files and directories is allowed\n\tPermListItems = \"list\"\n\t// download files is allowed\n\tPermDownload = \"download\"\n\t// upload files is allowed\n\tPermUpload = \"upload\"\n\t// overwrite an existing file, while uploading, is allowed\n\t// upload permission is required to allow file overwrite\n\tPermOverwrite = \"overwrite\"\n\t// delete files or directories is allowed\n\tPermDelete = \"delete\"\n\t// delete files is allowed\n\tPermDeleteFiles = \"delete_files\"\n\t// delete directories is allowed\n\tPermDeleteDirs = \"delete_dirs\"\n\t// rename files or directories is allowed\n\tPermRename = \"rename\"\n\t// rename files is allowed\n\tPermRenameFiles = \"rename_files\"\n\t// rename directories is allowed\n\tPermRenameDirs = \"rename_dirs\"\n\t// create directories is allowed\n\tPermCreateDirs = \"create_dirs\"\n\t// create symbolic links is allowed\n\tPermCreateSymlinks = \"create_symlinks\"\n\t// changing file or directory permissions is allowed\n\tPermChmod = \"chmod\"\n\t// changing file or directory owner and group is allowed\n\tPermChown = \"chown\"\n\t// changing file or directory access and modification time is allowed\n\tPermChtimes = \"chtimes\"\n\t// copying files or directories is allowed\n\tPermCopy = \"copy\"\n)\n\n// Available login methods\nconst (\n\tLoginMethodNoAuthTried = \"no_auth_tried\"\n\tLoginMethodPassword = \"password\"\n\tSSHLoginMethodPassword = \"password-over-SSH\"\n\tSSHLoginMethodPublicKey = \"publickey\"\n\tSSHLoginMethodKeyboardInteractive = \"keyboard-interactive\"\n\tSSHLoginMethodKeyAndPassword = \"publickey+password\"\n\tSSHLoginMethodKeyAndKeyboardInt = \"publickey+keyboard-interactive\"\n\tLoginMethodTLSCertificate = \"TLSCertificate\"\n\tLoginMethodTLSCertificateAndPwd = \"TLSCertificate+password\"\n\tLoginMethodIDP = \"IDP\"\n)\n\nvar (\n\terrNoMatchingVirtualFolder = errors.New(\"no matching virtual folder found\")\n\tpermsRenameAny = []string{PermRename, PermRenameDirs, PermRenameFiles}\n\tpermsDeleteAny = []string{PermDelete, PermDeleteDirs, PermDeleteFiles}\n)\n\n// RecoveryCode defines a 2FA recovery code\ntype RecoveryCode struct {\n\tSecret *kms.Secret `json:\"secret\"`\n\tUsed bool `json:\"used,omitempty\"`\n}\n\n// UserTOTPConfig defines the time-based one time password configuration\ntype UserTOTPConfig struct {\n\tEnabled bool `json:\"enabled,omitempty\"`\n\tConfigName string `json:\"config_name,omitempty\"`\n\tSecret *kms.Secret `json:\"secret,omitempty\"`\n\t// TOTP will be required for the specified protocols.\n\t// SSH protocol (SFTP/SCP/SSH commands) will ask for the TOTP passcode if the client uses keyboard interactive\n\t// authentication.\n\t// FTP have no standard way to support two factor authentication, if you\n\t// enable the support for this protocol you have to add the TOTP passcode after the password.\n\t// For example if your password is \"password\" and your one time passcode is\n\t// \"123456\" you have to use \"password123456\" as password.\n\tProtocols []string `json:\"protocols,omitempty\"`\n}\n\n// UserFilters defines additional restrictions for a user\n// TODO: rename to UserOptions in v3\ntype UserFilters struct {\n\tsdk.BaseUserFilters\n\t// User must change password from WebClient/REST API at next login.\n\tRequirePasswordChange bool `json:\"require_password_change,omitempty\"`\n\t// AdditionalEmails defines additional email addresses\n\tAdditionalEmails []string `json:\"additional_emails,omitempty\"`\n\t// Time-based one time passwords configuration\n\tTOTPConfig UserTOTPConfig `json:\"totp_config,omitempty\"`\n\t// Recovery codes to use if the user loses access to their second factor auth device.\n\t// Each code can only be used once, you should use these codes to login and disable or\n\t// reset 2FA for your account\n\tRecoveryCodes []RecoveryCode `json:\"recovery_codes,omitempty\"`\n}\n\n// User defines a SFTPGo user\ntype User struct {\n\tsdk.BaseUser\n\t// Additional restrictions\n\tFilters UserFilters `json:\"filters\"`\n\t// Mapping between virtual paths and virtual folders\n\tVirtualFolders []vfs.VirtualFolder `json:\"virtual_folders,omitempty\"`\n\t// Filesystem configuration details\n\tFsConfig vfs.Filesystem `json:\"filesystem\"`\n\t// groups associated with this user\n\tGroups []sdk.GroupMapping `json:\"groups,omitempty\"`\n\t// we store the filesystem here using the base path as key.\n\tfsCache map[string]vfs.Fs `json:\"-\"`\n\t// true if group settings are already applied for this user\n\tgroupSettingsApplied bool `json:\"-\"`\n\t// in multi node setups we mark the user as deleted to be able to update the webdav cache\n\tDeletedAt int64 `json:\"-\"`\n}\n\n// GetFilesystem returns the base filesystem for this user\nfunc (u *User) GetFilesystem(connectionID string) (fs vfs.Fs, err error) {\n\treturn u.GetFilesystemForPath(\"/\", connectionID)\n}\n\nfunc (u *User) getRootFs(connectionID string) (fs vfs.Fs, err error) {\n\tswitch u.FsConfig.Provider {\n\tcase sdk.S3FilesystemProvider:\n\t\treturn vfs.NewS3Fs(connectionID, u.GetHomeDir(), \"\", u.FsConfig.S3Config)\n\tcase sdk.GCSFilesystemProvider:\n\t\treturn vfs.NewGCSFs(connectionID, u.GetHomeDir(), \"\", u.FsConfig.GCSConfig)\n\tcase sdk.AzureBlobFilesystemProvider:\n\t\treturn vfs.NewAzBlobFs(connectionID, u.GetHomeDir(), \"\", u.FsConfig.AzBlobConfig)\n\tcase sdk.CryptedFilesystemProvider:\n\t\treturn vfs.NewCryptFs(connectionID, u.GetHomeDir(), \"\", u.FsConfig.CryptConfig)\n\tcase sdk.SFTPFilesystemProvider:\n\t\tforbiddenSelfUsers, err := u.getForbiddenSFTPSelfUsers(u.FsConfig.SFTPConfig.Username)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tforbiddenSelfUsers = append(forbiddenSelfUsers, u.Username)\n\t\treturn vfs.NewSFTPFs(connectionID, \"\", u.GetHomeDir(), forbiddenSelfUsers, u.FsConfig.SFTPConfig)\n\tcase sdk.HTTPFilesystemProvider:\n\t\treturn vfs.NewHTTPFs(connectionID, u.GetHomeDir(), \"\", u.FsConfig.HTTPConfig)\n\tdefault:\n\t\treturn vfs.NewOsFs(connectionID, u.GetHomeDir(), \"\", &u.FsConfig.OSConfig), nil\n\t}\n}\n\nfunc (u *User) checkDirWithParents(virtualDirPath, connectionID string) error {\n\tdirs := util.GetDirsForVirtualPath(virtualDirPath)\n\tfor idx := len(dirs) - 1; idx >= 0; idx-- {\n\t\tvPath := dirs[idx]\n\t\tif vPath == \"/\" {\n\t\t\tcontinue\n\t\t}\n\t\tfs, err := u.GetFilesystemForPath(vPath, connectionID)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"unable to get fs for path %q: %w\", vPath, err)\n\t\t}\n\t\tif fs.HasVirtualFolders() {\n\t\t\tcontinue\n\t\t}\n\t\tfsPath, err := fs.ResolvePath(vPath)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"unable to resolve path %q: %w\", vPath, err)\n\t\t}\n\t\t_, err = fs.Stat(fsPath)\n\t\tif err == nil {\n\t\t\tcontinue\n\t\t}\n\t\tif fs.IsNotExist(err) {\n\t\t\terr = fs.Mkdir(fsPath)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tvfs.SetPathPermissions(fs, fsPath, u.GetUID(), u.GetGID())\n\t\t} else {\n\t\t\treturn fmt.Errorf(\"unable to stat path %q: %w\", vPath, err)\n\t\t}\n\t}\n\n\treturn nil\n}\n\nfunc (u *User) checkLocalHomeDir(connectionID string) {\n\tswitch u.FsConfig.Provider {\n\tcase sdk.LocalFilesystemProvider, sdk.CryptedFilesystemProvider:\n\t\treturn\n\tdefault:\n\t\tosFs := vfs.NewOsFs(connectionID, u.GetHomeDir(), \"\", nil)\n\t\tosFs.CheckRootPath(u.Username, u.GetUID(), u.GetGID())\n\t}\n}\n\nfunc (u *User) checkRootPath(connectionID string) error {\n\tfs, err := u.GetFilesystemForPath(\"/\", connectionID)\n\tif err != nil {\n\t\tlogger.Warn(logSender, connectionID, \"could not create main filesystem for user %q err: %v\", u.Username, err)\n\t\treturn fmt.Errorf(\"could not create root filesystem: %w\", err)\n\t}\n\tfs.CheckRootPath(u.Username, u.GetUID(), u.GetGID())\n\treturn nil\n}\n\n// CheckFsRoot check the root directory for the main fs and the virtual folders.\n// It returns an error if the main filesystem cannot be created\nfunc (u *User) CheckFsRoot(connectionID string) error {\n\tif u.Filters.DisableFsChecks {\n\t\treturn nil\n\t}\n\tdelay := lastLoginMinDelay\n\tif u.Filters.ExternalAuthCacheTime > 0 {\n\t\tcacheTime := time.Duration(u.Filters.ExternalAuthCacheTime) * time.Second\n\t\tif cacheTime > delay {\n\t\t\tdelay = cacheTime\n\t\t}\n\t}\n\tif isLastActivityRecent(u.LastLogin, delay) {\n\t\tif u.LastLogin > u.UpdatedAt {\n\t\t\tif config.IsShared == 1 {\n\t\t\t\tu.checkLocalHomeDir(connectionID)\n\t\t\t}\n\t\t\treturn nil\n\t\t}\n\t}\n\terr := u.checkRootPath(connectionID)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif u.Filters.StartDirectory != \"\" {\n\t\terr = u.checkDirWithParents(u.Filters.StartDirectory, connectionID)\n\t\tif err != nil {\n\t\t\tlogger.Warn(logSender, connectionID, \"could not create start directory %q, err: %v\",\n\t\t\t\tu.Filters.StartDirectory, err)\n\t\t}\n\t}\n\tfor idx := range u.VirtualFolders {\n\t\tv := &u.VirtualFolders[idx]\n\t\tfs, err := u.GetFilesystemForPath(v.VirtualPath, connectionID)\n\t\tif err == nil {\n\t\t\tfs.CheckRootPath(u.Username, u.GetUID(), u.GetGID())\n\t\t}\n\t\t// now check intermediary folders\n\t\terr = u.checkDirWithParents(path.Dir(v.VirtualPath), connectionID)\n\t\tif err != nil {\n\t\t\tlogger.Warn(logSender, connectionID, \"could not create intermediary dir to %q, err: %v\", v.VirtualPath, err)\n\t\t}\n\t}\n\treturn nil\n}\n\n// GetCleanedPath returns a clean POSIX absolute path using the user start directory as base\n// if the provided rawVirtualPath is relative\nfunc (u *User) GetCleanedPath(rawVirtualPath string) string {\n\tif u.Filters.StartDirectory != \"\" {\n\t\tif !path.IsAbs(rawVirtualPath) {\n\t\t\tvar b strings.Builder\n\n\t\t\tb.Grow(len(u.Filters.StartDirectory) + 1 + len(rawVirtualPath))\n\t\t\tb.WriteString(u.Filters.StartDirectory)\n\t\t\tb.WriteString(\"/\")\n\t\t\tb.WriteString(rawVirtualPath)\n\t\t\treturn util.CleanPath(b.String())\n\t\t}\n\t}\n\treturn util.CleanPath(rawVirtualPath)\n}\n\n// isFsEqual returns true if the filesystem configurations are the same\nfunc (u *User) isFsEqual(other *User) bool {\n\tif u.FsConfig.Provider == sdk.LocalFilesystemProvider && u.GetHomeDir() != other.GetHomeDir() {\n\t\treturn false\n\t}\n\tif !u.FsConfig.IsEqual(other.FsConfig) {\n\t\treturn false\n\t}\n\tif u.Filters.StartDirectory != other.Filters.StartDirectory {\n\t\treturn false\n\t}\n\tif len(u.VirtualFolders) != len(other.VirtualFolders) {\n\t\treturn false\n\t}\n\tfor idx := range u.VirtualFolders {\n\t\tf := &u.VirtualFolders[idx]\n\t\tfound := false\n\t\tfor idx1 := range other.VirtualFolders {\n\t\t\tf1 := &other.VirtualFolders[idx1]\n\t\t\tif f.VirtualPath == f1.VirtualPath {\n\t\t\t\tfound = true\n\t\t\t\tif f.FsConfig.Provider == sdk.LocalFilesystemProvider && f.MappedPath != f1.MappedPath {\n\t\t\t\t\treturn false\n\t\t\t\t}\n\t\t\t\tif !f.FsConfig.IsEqual(f1.FsConfig) {\n\t\t\t\t\treturn false\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif !found {\n\t\t\treturn false\n\t\t}\n\t}\n\treturn true\n}\n\nfunc (u *User) isTimeBasedAccessAllowed(when time.Time) bool {\n\tif len(u.Filters.AccessTime) == 0 {\n\t\treturn true\n\t}\n\tif when.IsZero() {\n\t\twhen = time.Now()\n\t}\n\tif UseLocalTime() {\n\t\twhen = when.Local()\n\t} else {\n\t\twhen = when.UTC()\n\t}\n\tweekDay := when.Weekday()\n\thhMM := when.Format(\"15:04\")\n\tfor _, p := range u.Filters.AccessTime {\n\t\tif p.DayOfWeek == int(weekDay) {\n\t\t\tif hhMM >= p.From && hhMM <= p.To {\n\t\t\t\treturn true\n\t\t\t}\n\t\t}\n\t}\n\treturn false\n}\n\n// CheckLoginConditions checks user access restrictions\nfunc (u *User) CheckLoginConditions() error {\n\tif u.Status < 1 {\n\t\treturn fmt.Errorf(\"user %q is disabled\", u.Username)\n\t}\n\tif u.ExpirationDate > 0 && u.ExpirationDate < util.GetTimeAsMsSinceEpoch(time.Now()) {\n\t\treturn fmt.Errorf(\"user %q is expired, expiration timestamp: %v current timestamp: %v\", u.Username,\n\t\t\tu.ExpirationDate, util.GetTimeAsMsSinceEpoch(time.Now()))\n\t}\n\tif u.isTimeBasedAccessAllowed(time.Now()) {\n\t\treturn nil\n\t}\n\treturn errors.New(\"access is not allowed at this time\")\n}\n\n// hideConfidentialData hides user confidential data\nfunc (u *User) hideConfidentialData() {\n\tu.Password = \"\"\n\tu.FsConfig.HideConfidentialData()\n\tif u.Filters.TOTPConfig.Secret != nil {\n\t\tu.Filters.TOTPConfig.Secret.Hide()\n\t}\n\tfor _, code := range u.Filters.RecoveryCodes {\n\t\tif code.Secret != nil {\n\t\t\tcode.Secret.Hide()\n\t\t}\n\t}\n}\n\n// CheckMaxShareExpiration returns an error if the share expiration exceed the\n// maximum allowed date.\nfunc (u *User) CheckMaxShareExpiration(expiresAt time.Time) error {\n\tif u.Filters.MaxSharesExpiration == 0 {\n\t\treturn nil\n\t}\n\tmaxAllowedExpiration := time.Now().Add(24 * time.Hour * time.Duration(u.Filters.MaxSharesExpiration+1))\n\tmaxAllowedExpiration = time.Date(maxAllowedExpiration.Year(), maxAllowedExpiration.Month(),\n\t\tmaxAllowedExpiration.Day(), 0, 0, 0, 0, maxAllowedExpiration.Location())\n\tif util.GetTimeAsMsSinceEpoch(expiresAt) == 0 || expiresAt.After(maxAllowedExpiration) {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"the share must expire before %s\", maxAllowedExpiration.Format(time.DateOnly)))\n\t}\n\treturn nil\n}\n\n// GetEmailAddresses returns all the email addresses.\nfunc (u *User) GetEmailAddresses() []string {\n\tvar res []string\n\tif u.Email != \"\" {\n\t\tres = append(res, u.Email)\n\t}\n\treturn slices.Concat(res, u.Filters.AdditionalEmails)\n}\n\n// GetSubDirPermissions returns permissions for sub directories\nfunc (u *User) GetSubDirPermissions() []sdk.DirectoryPermissions {\n\tvar result []sdk.DirectoryPermissions\n\tfor k, v := range u.Permissions {\n\t\tif k == \"/\" {\n\t\t\tcontinue\n\t\t}\n\t\tdirPerms := sdk.DirectoryPermissions{\n\t\t\tPath: k,\n\t\t\tPermissions: v,\n\t\t}\n\t\tresult = append(result, dirPerms)\n\t}\n\treturn result\n}\n\nfunc (u *User) setAnonymousSettings() {\n\tfor k := range u.Permissions {\n\t\tu.Permissions[k] = []string{PermListItems, PermDownload}\n\t}\n\tu.Filters.DeniedProtocols = append(u.Filters.DeniedProtocols, protocolSSH, protocolHTTP)\n\tu.Filters.DeniedProtocols = util.RemoveDuplicates(u.Filters.DeniedProtocols, false)\n\tfor _, method := range ValidLoginMethods {\n\t\tif method != LoginMethodPassword {\n\t\t\tu.Filters.DeniedLoginMethods = append(u.Filters.DeniedLoginMethods, method)\n\t\t}\n\t}\n\tu.Filters.DeniedLoginMethods = util.RemoveDuplicates(u.Filters.DeniedLoginMethods, false)\n}\n\n// RenderAsJSON implements the renderer interface used within plugins\nfunc (u *User) RenderAsJSON(reload bool) ([]byte, error) {\n\tif reload {\n\t\tuser, err := provider.userExists(u.Username, \"\")\n\t\tif err != nil {\n\t\t\tproviderLog(logger.LevelError, \"unable to reload user before rendering as json: %v\", err)\n\t\t\treturn nil, err\n\t\t}\n\t\tuser.PrepareForRendering()\n\t\treturn json.Marshal(user)\n\t}\n\tu.PrepareForRendering()\n\treturn json.Marshal(u)\n}\n\n// PrepareForRendering prepares a user for rendering.\n// It hides confidential data and set to nil the empty secrets\n// so they are not serialized\nfunc (u *User) PrepareForRendering() {\n\tu.hideConfidentialData()\n\tu.FsConfig.SetNilSecretsIfEmpty()\n\tfor idx := range u.VirtualFolders {\n\t\tfolder := &u.VirtualFolders[idx]\n\t\tfolder.PrepareForRendering()\n\t}\n}\n\n// HasRedactedSecret returns true if the user has a redacted secret\nfunc (u *User) hasRedactedSecret() bool {\n\tif u.FsConfig.HasRedactedSecret() {\n\t\treturn true\n\t}\n\n\tfor idx := range u.VirtualFolders {\n\t\tfolder := &u.VirtualFolders[idx]\n\t\tif folder.HasRedactedSecret() {\n\t\t\treturn true\n\t\t}\n\t}\n\n\treturn u.Filters.TOTPConfig.Secret.IsRedacted()\n}\n\n// CloseFs closes the underlying filesystems\nfunc (u *User) CloseFs() error {\n\tif u.fsCache == nil {\n\t\treturn nil\n\t}\n\n\tvar err error\n\tfor _, fs := range u.fsCache {\n\t\terrClose := fs.Close()\n\t\tif err == nil {\n\t\t\terr = errClose\n\t\t}\n\t}\n\treturn err\n}\n\n// IsPasswordHashed returns true if the password is hashed\nfunc (u *User) IsPasswordHashed() bool {\n\treturn util.IsStringPrefixInSlice(u.Password, hashPwdPrefixes)\n}\n\n// IsTLSVerificationEnabled returns true if we need to check the TLS authentication\nfunc (u *User) IsTLSVerificationEnabled() bool {\n\tif len(u.Filters.TLSCerts) > 0 {\n\t\treturn true\n\t}\n\tif u.Filters.TLSUsername != \"\" {\n\t\treturn u.Filters.TLSUsername != sdk.TLSUsernameNone\n\t}\n\treturn false\n}\n\n// SetEmptySecrets sets to empty any user secret\nfunc (u *User) SetEmptySecrets() {\n\tu.FsConfig.SetEmptySecrets()\n\tfor idx := range u.VirtualFolders {\n\t\tfolder := &u.VirtualFolders[idx]\n\t\tfolder.FsConfig.SetEmptySecrets()\n\t}\n\tu.Filters.TOTPConfig.Secret = kms.NewEmptySecret()\n}\n\n// GetPermissionsForPath returns the permissions for the given path.\n// The path must be a SFTPGo virtual path\nfunc (u *User) GetPermissionsForPath(p string) []string {\n\tpermissions := []string{}\n\tif perms, ok := u.Permissions[\"/\"]; ok {\n\t\t// if only root permissions are defined returns them unconditionally\n\t\tif len(u.Permissions) == 1 {\n\t\t\treturn perms\n\t\t}\n\t\t// fallback permissions\n\t\tpermissions = perms\n\t}\n\tdirsForPath := util.GetDirsForVirtualPath(p)\n\t// dirsForPath contains all the dirs for a given path in reverse order\n\t// for example if the path is: /1/2/3/4 it contains:\n\t// [ \"/1/2/3/4\", \"/1/2/3\", \"/1/2\", \"/1\", \"/\" ]\n\t// so the first match is the one we are interested to\n\tfor idx := range dirsForPath {\n\t\tif perms, ok := u.Permissions[dirsForPath[idx]]; ok {\n\t\t\treturn perms\n\t\t}\n\t\tfor dir, perms := range u.Permissions {\n\t\t\tif match, err := path.Match(dir, dirsForPath[idx]); err == nil && match {\n\t\t\t\treturn perms\n\t\t\t}\n\t\t}\n\t}\n\treturn permissions\n}\n\nfunc (u *User) getForbiddenSFTPSelfUsers(username string) ([]string, error) {\n\tif allowSelfConnections == 0 {\n\t\treturn nil, nil\n\t}\n\tsftpUser, err := UserExists(username, \"\")\n\tif err == nil {\n\t\terr = sftpUser.LoadAndApplyGroupSettings()\n\t}\n\tif err == nil {\n\t\t// we don't allow local nested SFTP folders\n\t\tvar forbiddens []string\n\t\tif sftpUser.FsConfig.Provider == sdk.SFTPFilesystemProvider {\n\t\t\tforbiddens = append(forbiddens, sftpUser.Username)\n\t\t\treturn forbiddens, nil\n\t\t}\n\t\tfor idx := range sftpUser.VirtualFolders {\n\t\t\tv := &sftpUser.VirtualFolders[idx]\n\t\t\tif v.FsConfig.Provider == sdk.SFTPFilesystemProvider {\n\t\t\t\tforbiddens = append(forbiddens, sftpUser.Username)\n\t\t\t\treturn forbiddens, nil\n\t\t\t}\n\t\t}\n\t\treturn forbiddens, nil\n\t}\n\tif !errors.Is(err, util.ErrNotFound) {\n\t\treturn nil, err\n\t}\n\n\treturn nil, nil\n}\n\n// GetFsConfigForPath returns the file system configuration for the specified virtual path\nfunc (u *User) GetFsConfigForPath(virtualPath string) vfs.Filesystem {\n\tif virtualPath != \"\" && virtualPath != \"/\" && len(u.VirtualFolders) > 0 {\n\t\tfolder, err := u.GetVirtualFolderForPath(virtualPath)\n\t\tif err == nil {\n\t\t\treturn folder.FsConfig\n\t\t}\n\t}\n\n\treturn u.FsConfig\n}\n\n// GetFilesystemForPath returns the filesystem for the given path\nfunc (u *User) GetFilesystemForPath(virtualPath, connectionID string) (vfs.Fs, error) {\n\tif u.fsCache == nil {\n\t\tu.fsCache = make(map[string]vfs.Fs)\n\t}\n\t// allow to override the `/` path with a virtual folder\n\tif len(u.VirtualFolders) > 0 {\n\t\tfolder, err := u.GetVirtualFolderForPath(virtualPath)\n\t\tif err == nil {\n\t\t\tif fs, ok := u.fsCache[folder.VirtualPath]; ok {\n\t\t\t\treturn fs, nil\n\t\t\t}\n\t\t\tforbiddenSelfUsers := []string{u.Username}\n\t\t\tif folder.FsConfig.Provider == sdk.SFTPFilesystemProvider {\n\t\t\t\tforbiddens, err := u.getForbiddenSFTPSelfUsers(folder.FsConfig.SFTPConfig.Username)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn nil, err\n\t\t\t\t}\n\t\t\t\tforbiddenSelfUsers = append(forbiddenSelfUsers, forbiddens...)\n\t\t\t}\n\t\t\tfs, err := folder.GetFilesystem(connectionID, forbiddenSelfUsers)\n\t\t\tif err == nil {\n\t\t\t\tu.fsCache[folder.VirtualPath] = fs\n\t\t\t}\n\t\t\treturn fs, err\n\t\t}\n\t}\n\n\tif val, ok := u.fsCache[\"/\"]; ok {\n\t\treturn val, nil\n\t}\n\tfs, err := u.getRootFs(connectionID)\n\tif err != nil {\n\t\treturn fs, err\n\t}\n\tu.fsCache[\"/\"] = fs\n\treturn fs, err\n}\n\n// GetVirtualFolderForPath returns the virtual folder containing the specified virtual path.\n// If the path is not inside a virtual folder an error is returned\nfunc (u *User) GetVirtualFolderForPath(virtualPath string) (vfs.VirtualFolder, error) {\n\tvar folder vfs.VirtualFolder\n\tif len(u.VirtualFolders) == 0 {\n\t\treturn folder, errNoMatchingVirtualFolder\n\t}\n\tdirsForPath := util.GetDirsForVirtualPath(virtualPath)\n\tfor index := range dirsForPath {\n\t\tfor idx := range u.VirtualFolders {\n\t\t\tv := &u.VirtualFolders[idx]\n\t\t\tif v.VirtualPath == dirsForPath[index] {\n\t\t\t\treturn *v, nil\n\t\t\t}\n\t\t}\n\t}\n\treturn folder, errNoMatchingVirtualFolder\n}\n\n// ScanQuota scans the user home dir and virtual folders, included in its quota,\n// and returns the number of files and their size\nfunc (u *User) ScanQuota() (int, int64, error) {\n\tfs, err := u.getRootFs(xid.New().String())\n\tif err != nil {\n\t\treturn 0, 0, err\n\t}\n\tdefer fs.Close()\n\n\tnumFiles, size, err := fs.ScanRootDirContents()\n\tif err != nil {\n\t\treturn numFiles, size, err\n\t}\n\tfor idx := range u.VirtualFolders {\n\t\tv := &u.VirtualFolders[idx]\n\t\tif !v.IsIncludedInUserQuota() {\n\t\t\tcontinue\n\t\t}\n\t\tnum, s, err := v.ScanQuota()\n\t\tif err != nil {\n\t\t\treturn numFiles, size, err\n\t\t}\n\t\tnumFiles += num\n\t\tsize += s\n\t}\n\n\treturn numFiles, size, nil\n}\n\n// GetVirtualFoldersInPath returns the virtual folders inside virtualPath including\n// any parents\nfunc (u *User) GetVirtualFoldersInPath(virtualPath string) map[string]bool {\n\tresult := make(map[string]bool)\n\n\tfor idx := range u.VirtualFolders {\n\t\tdirsForPath := util.GetDirsForVirtualPath(u.VirtualFolders[idx].VirtualPath)\n\t\tfor index := range dirsForPath {\n\t\t\td := dirsForPath[index]\n\t\t\tif d == \"/\" {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tif path.Dir(d) == virtualPath {\n\t\t\t\tresult[d] = true\n\t\t\t}\n\t\t}\n\t}\n\n\tif u.Filters.StartDirectory != \"\" {\n\t\tdirsForPath := util.GetDirsForVirtualPath(u.Filters.StartDirectory)\n\t\tfor index := range dirsForPath {\n\t\t\td := dirsForPath[index]\n\t\t\tif d == \"/\" {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tif path.Dir(d) == virtualPath {\n\t\t\t\tresult[d] = true\n\t\t\t}\n\t\t}\n\t}\n\n\treturn result\n}\n\nfunc (u *User) hasVirtualDirs() bool {\n\tif u.Filters.StartDirectory != \"\" {\n\t\treturn true\n\t}\n\tnumFolders := len(u.VirtualFolders)\n\tif numFolders == 1 {\n\t\treturn u.VirtualFolders[0].VirtualPath != \"/\"\n\t}\n\treturn numFolders > 0\n}\n\n// GetVirtualFoldersInfo returns []os.FileInfo for virtual folders\nfunc (u *User) GetVirtualFoldersInfo(virtualPath string) []os.FileInfo {\n\tfilter := u.getPatternsFilterForPath(virtualPath)\n\tif !u.hasVirtualDirs() && filter.DenyPolicy != sdk.DenyPolicyHide {\n\t\treturn nil\n\t}\n\tvdirs := u.GetVirtualFoldersInPath(virtualPath)\n\tresult := make([]os.FileInfo, 0, len(vdirs))\n\n\tfor dir := range u.GetVirtualFoldersInPath(virtualPath) {\n\t\tdirName := path.Base(dir)\n\t\tif filter.DenyPolicy == sdk.DenyPolicyHide {\n\t\t\tif !filter.CheckAllowed(dirName) {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\t\tresult = append(result, vfs.NewFileInfo(dirName, true, 0, time.Unix(0, 0), false))\n\t}\n\n\treturn result\n}\n\n// FilterListDir removes hidden items from the given files list\nfunc (u *User) FilterListDir(dirContents []os.FileInfo, virtualPath string) []os.FileInfo {\n\tfilter := u.getPatternsFilterForPath(virtualPath)\n\tif !u.hasVirtualDirs() && filter.DenyPolicy != sdk.DenyPolicyHide {\n\t\treturn dirContents\n\t}\n\tvdirs := make(map[string]bool)\n\tfor dir := range u.GetVirtualFoldersInPath(virtualPath) {\n\t\tdirName := path.Base(dir)\n\t\tif filter.DenyPolicy == sdk.DenyPolicyHide {\n\t\t\tif !filter.CheckAllowed(dirName) {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\t\tvdirs[dirName] = true\n\t}\n\n\tvalidIdx := 0\n\tfor idx := range dirContents {\n\t\tfi := dirContents[idx]\n\n\t\tif fi.Name() != \".\" && fi.Name() != \"..\" {\n\t\t\tif _, ok := vdirs[fi.Name()]; ok {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tif filter.DenyPolicy == sdk.DenyPolicyHide {\n\t\t\t\tif !filter.CheckAllowed(fi.Name()) {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tdirContents[validIdx] = fi\n\t\tvalidIdx++\n\t}\n\n\treturn dirContents[:validIdx]\n}\n\n// IsMappedPath returns true if the specified filesystem path has a virtual folder mapping.\n// The filesystem path must be cleaned before calling this method\nfunc (u *User) IsMappedPath(fsPath string) bool {\n\tfor idx := range u.VirtualFolders {\n\t\tv := &u.VirtualFolders[idx]\n\t\tif fsPath == v.MappedPath {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// IsVirtualFolder returns true if the specified virtual path is a virtual folder\nfunc (u *User) IsVirtualFolder(virtualPath string) bool {\n\tfor idx := range u.VirtualFolders {\n\t\tv := &u.VirtualFolders[idx]\n\t\tif virtualPath == v.VirtualPath {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// HasVirtualFoldersInside returns true if there are virtual folders inside the\n// specified virtual path. We assume that path are cleaned\nfunc (u *User) HasVirtualFoldersInside(virtualPath string) bool {\n\tif virtualPath == \"/\" && len(u.VirtualFolders) > 0 {\n\t\treturn true\n\t}\n\tfor idx := range u.VirtualFolders {\n\t\tv := &u.VirtualFolders[idx]\n\t\tif len(v.VirtualPath) > len(virtualPath) {\n\t\t\tif strings.HasPrefix(v.VirtualPath, virtualPath+\"/\") {\n\t\t\t\treturn true\n\t\t\t}\n\t\t}\n\t}\n\treturn false\n}\n\n// HasPermissionsInside returns true if the specified virtualPath has no permissions itself and\n// no subdirs with defined permissions\nfunc (u *User) HasPermissionsInside(virtualPath string) bool {\n\tfor dir, perms := range u.Permissions {\n\t\tif len(perms) == 1 && perms[0] == PermAny {\n\t\t\tcontinue\n\t\t}\n\t\tif dir == virtualPath {\n\t\t\treturn true\n\t\t} else if len(dir) > len(virtualPath) {\n\t\t\tif strings.HasPrefix(dir, virtualPath+\"/\") {\n\t\t\t\treturn true\n\t\t\t}\n\t\t}\n\t}\n\treturn false\n}\n\n// HasPerm returns true if the user has the given permission or any permission\nfunc (u *User) HasPerm(permission, path string) bool {\n\tperms := u.GetPermissionsForPath(path)\n\tif slices.Contains(perms, PermAny) {\n\t\treturn true\n\t}\n\treturn slices.Contains(perms, permission)\n}\n\n// HasAnyPerm returns true if the user has at least one of the given permissions\nfunc (u *User) HasAnyPerm(permissions []string, path string) bool {\n\tperms := u.GetPermissionsForPath(path)\n\tif slices.Contains(perms, PermAny) {\n\t\treturn true\n\t}\n\tfor _, permission := range permissions {\n\t\tif slices.Contains(perms, permission) {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// HasPerms returns true if the user has all the given permissions\nfunc (u *User) HasPerms(permissions []string, path string) bool {\n\tperms := u.GetPermissionsForPath(path)\n\tif slices.Contains(perms, PermAny) {\n\t\treturn true\n\t}\n\tfor _, permission := range permissions {\n\t\tif !slices.Contains(perms, permission) {\n\t\t\treturn false\n\t\t}\n\t}\n\treturn true\n}\n\n// HasPermsDeleteAll returns true if the user can delete both files and directories\n// for the given path\nfunc (u *User) HasPermsDeleteAll(path string) bool {\n\tperms := u.GetPermissionsForPath(path)\n\tcanDeleteFiles := false\n\tcanDeleteDirs := false\n\tfor _, permission := range perms {\n\t\tif permission == PermAny || permission == PermDelete {\n\t\t\treturn true\n\t\t}\n\t\tif permission == PermDeleteFiles {\n\t\t\tcanDeleteFiles = true\n\t\t}\n\t\tif permission == PermDeleteDirs {\n\t\t\tcanDeleteDirs = true\n\t\t}\n\t}\n\treturn canDeleteFiles && canDeleteDirs\n}\n\n// HasPermsRenameAll returns true if the user can rename both files and directories\n// for the given path\nfunc (u *User) HasPermsRenameAll(path string) bool {\n\tperms := u.GetPermissionsForPath(path)\n\tcanRenameFiles := false\n\tcanRenameDirs := false\n\tfor _, permission := range perms {\n\t\tif permission == PermAny || permission == PermRename {\n\t\t\treturn true\n\t\t}\n\t\tif permission == PermRenameFiles {\n\t\t\tcanRenameFiles = true\n\t\t}\n\t\tif permission == PermRenameDirs {\n\t\t\tcanRenameDirs = true\n\t\t}\n\t}\n\treturn canRenameFiles && canRenameDirs\n}\n\n// HasNoQuotaRestrictions returns true if no quota restrictions need to be applyed\nfunc (u *User) HasNoQuotaRestrictions(checkFiles bool) bool {\n\tif u.QuotaSize == 0 && (!checkFiles || u.QuotaFiles == 0) {\n\t\treturn true\n\t}\n\treturn false\n}\n\n// IsLoginMethodAllowed returns true if the specified login method is allowed\nfunc (u *User) IsLoginMethodAllowed(loginMethod, protocol string) bool {\n\tif len(u.Filters.DeniedLoginMethods) == 0 {\n\t\treturn true\n\t}\n\tif slices.Contains(u.Filters.DeniedLoginMethods, loginMethod) {\n\t\treturn false\n\t}\n\tif protocol == protocolSSH && loginMethod == LoginMethodPassword {\n\t\tif slices.Contains(u.Filters.DeniedLoginMethods, SSHLoginMethodPassword) {\n\t\t\treturn false\n\t\t}\n\t}\n\treturn true\n}\n\n// GetNextAuthMethods returns the list of authentications methods that can\n// continue for multi-step authentication. We call this method after a\n// successful public key authentication.\nfunc (u *User) GetNextAuthMethods() []string {\n\tvar methods []string\n\tfor _, method := range u.GetAllowedLoginMethods() {\n\t\tif method == SSHLoginMethodKeyAndPassword {\n\t\t\tmethods = append(methods, LoginMethodPassword)\n\t\t}\n\t\tif method == SSHLoginMethodKeyAndKeyboardInt {\n\t\t\tmethods = append(methods, SSHLoginMethodKeyboardInteractive)\n\t\t}\n\t}\n\treturn methods\n}\n\n// IsPartialAuth returns true if the specified login method is a step for\n// a multi-step Authentication.\n// We support publickey+password and publickey+keyboard-interactive, so\n// only publickey can returns partial success.\n// We can have partial success if only multi-step Auth methods are enabled\nfunc (u *User) IsPartialAuth() bool {\n\tfor _, method := range u.GetAllowedLoginMethods() {\n\t\tif method == LoginMethodTLSCertificate || method == LoginMethodTLSCertificateAndPwd ||\n\t\t\tmethod == SSHLoginMethodPassword {\n\t\t\tcontinue\n\t\t}\n\t\tif method == LoginMethodPassword && slices.Contains(u.Filters.DeniedLoginMethods, SSHLoginMethodPassword) {\n\t\t\tcontinue\n\t\t}\n\t\tif !slices.Contains(SSHMultiStepsLoginMethods, method) {\n\t\t\treturn false\n\t\t}\n\t}\n\treturn true\n}\n\n// GetAllowedLoginMethods returns the allowed login methods\nfunc (u *User) GetAllowedLoginMethods() []string {\n\tvar allowedMethods []string\n\tfor _, method := range ValidLoginMethods {\n\t\tif method == SSHLoginMethodPassword {\n\t\t\tcontinue\n\t\t}\n\t\tif !slices.Contains(u.Filters.DeniedLoginMethods, method) {\n\t\t\tallowedMethods = append(allowedMethods, method)\n\t\t}\n\t}\n\treturn allowedMethods\n}\n\nfunc (u *User) getPatternsFilterForPath(virtualPath string) sdk.PatternsFilter {\n\tvar filter sdk.PatternsFilter\n\tif len(u.Filters.FilePatterns) == 0 {\n\t\treturn filter\n\t}\n\tdirsForPath := util.GetDirsForVirtualPath(virtualPath)\n\tfor idx, dir := range dirsForPath {\n\t\tfor _, f := range u.Filters.FilePatterns {\n\t\t\tif f.Path == dir {\n\t\t\t\tif idx > 0 && len(f.AllowedPatterns) > 0 && len(f.DeniedPatterns) > 0 && f.DeniedPatterns[0] == \"*\" {\n\t\t\t\t\tif f.CheckAllowed(path.Base(dirsForPath[idx-1])) {\n\t\t\t\t\t\treturn filter\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tfilter = f\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif filter.Path != \"\" {\n\t\t\tbreak\n\t\t}\n\t}\n\treturn filter\n}\n\nfunc (u *User) isDirHidden(virtualPath string) bool {\n\tif len(u.Filters.FilePatterns) == 0 {\n\t\treturn false\n\t}\n\tfor _, dirPath := range util.GetDirsForVirtualPath(virtualPath) {\n\t\tif dirPath == \"/\" {\n\t\t\treturn false\n\t\t}\n\t\tfilter := u.getPatternsFilterForPath(dirPath)\n\t\tif filter.DenyPolicy == sdk.DenyPolicyHide && filter.Path != dirPath {\n\t\t\tif !filter.CheckAllowed(path.Base(dirPath)) {\n\t\t\t\treturn true\n\t\t\t}\n\t\t}\n\t}\n\treturn false\n}\n\nfunc (u *User) getMinPasswordEntropy() float64 {\n\tif u.Filters.PasswordStrength > 0 {\n\t\treturn float64(u.Filters.PasswordStrength)\n\t}\n\treturn config.PasswordValidation.Users.MinEntropy\n}\n\n// IsFileAllowed returns true if the specified file is allowed by the file restrictions filters.\n// The second parameter returned is the deny policy\nfunc (u *User) IsFileAllowed(virtualPath string) (bool, int) {\n\tdirPath := path.Dir(virtualPath)\n\tif u.isDirHidden(dirPath) {\n\t\treturn false, sdk.DenyPolicyHide\n\t}\n\tfilter := u.getPatternsFilterForPath(dirPath)\n\treturn filter.CheckAllowed(path.Base(virtualPath)), filter.DenyPolicy\n}\n\n// CanManageMFA returns true if the user can add a multi-factor authentication configuration\nfunc (u *User) CanManageMFA() bool {\n\tif slices.Contains(u.Filters.WebClient, sdk.WebClientMFADisabled) {\n\t\treturn false\n\t}\n\treturn len(mfa.GetAvailableTOTPConfigs()) > 0\n}\n\nfunc (u *User) skipExternalAuth() bool {\n\tif u.Filters.Hooks.ExternalAuthDisabled {\n\t\treturn true\n\t}\n\tif u.ID <= 0 {\n\t\treturn false\n\t}\n\tif u.Filters.ExternalAuthCacheTime <= 0 {\n\t\treturn false\n\t}\n\treturn isLastActivityRecent(u.LastLogin, time.Duration(u.Filters.ExternalAuthCacheTime)*time.Second)\n}\n\n// CanManageShares returns true if the user can add, update and list shares\nfunc (u *User) CanManageShares() bool {\n\treturn !slices.Contains(u.Filters.WebClient, sdk.WebClientSharesDisabled)\n}\n\n// CanResetPassword returns true if this user is allowed to reset its password\nfunc (u *User) CanResetPassword() bool {\n\treturn !slices.Contains(u.Filters.WebClient, sdk.WebClientPasswordResetDisabled)\n}\n\n// CanChangePassword returns true if this user is allowed to change its password\nfunc (u *User) CanChangePassword() bool {\n\treturn !slices.Contains(u.Filters.WebClient, sdk.WebClientPasswordChangeDisabled)\n}\n\n// CanChangeAPIKeyAuth returns true if this user is allowed to enable/disable API key authentication\nfunc (u *User) CanChangeAPIKeyAuth() bool {\n\treturn !slices.Contains(u.Filters.WebClient, sdk.WebClientAPIKeyAuthChangeDisabled)\n}\n\n// CanChangeInfo returns true if this user is allowed to change its info such as email and description\nfunc (u *User) CanChangeInfo() bool {\n\treturn !slices.Contains(u.Filters.WebClient, sdk.WebClientInfoChangeDisabled)\n}\n\n// CanManagePublicKeys returns true if this user is allowed to manage public keys\n// from the WebClient. Used in WebClient UI\nfunc (u *User) CanManagePublicKeys() bool {\n\treturn !slices.Contains(u.Filters.WebClient, sdk.WebClientPubKeyChangeDisabled)\n}\n\n// CanManageTLSCerts returns true if this user is allowed to manage TLS certificates\n// from the WebClient. Used in WebClient UI\nfunc (u *User) CanManageTLSCerts() bool {\n\treturn !slices.Contains(u.Filters.WebClient, sdk.WebClientTLSCertChangeDisabled)\n}\n\n// CanUpdateProfile returns true if the user is allowed to update the profile.\n// Used in WebClient UI\nfunc (u *User) CanUpdateProfile() bool {\n\treturn u.CanManagePublicKeys() || u.CanChangeAPIKeyAuth() || u.CanChangeInfo() || u.CanManageTLSCerts()\n}\n\n// CanAddFilesFromWeb returns true if the client can add files from the web UI.\n// The specified target is the directory where the files must be uploaded\nfunc (u *User) CanAddFilesFromWeb(target string) bool {\n\tif slices.Contains(u.Filters.WebClient, sdk.WebClientWriteDisabled) {\n\t\treturn false\n\t}\n\treturn u.HasPerm(PermUpload, target) || u.HasPerm(PermOverwrite, target)\n}\n\n// CanAddDirsFromWeb returns true if the client can add directories from the web UI.\n// The specified target is the directory where the new directory must be created\nfunc (u *User) CanAddDirsFromWeb(target string) bool {\n\tif slices.Contains(u.Filters.WebClient, sdk.WebClientWriteDisabled) {\n\t\treturn false\n\t}\n\treturn u.HasPerm(PermCreateDirs, target)\n}\n\n// CanRenameFromWeb returns true if the client can rename objects from the web UI.\n// The specified src and dest are the source and target directories for the rename.\nfunc (u *User) CanRenameFromWeb(src, dest string) bool {\n\tif slices.Contains(u.Filters.WebClient, sdk.WebClientWriteDisabled) {\n\t\treturn false\n\t}\n\treturn u.HasAnyPerm(permsRenameAny, src) && u.HasAnyPerm(permsRenameAny, dest)\n}\n\n// CanDeleteFromWeb returns true if the client can delete objects from the web UI.\n// The specified target is the parent directory for the object to delete\nfunc (u *User) CanDeleteFromWeb(target string) bool {\n\tif slices.Contains(u.Filters.WebClient, sdk.WebClientWriteDisabled) {\n\t\treturn false\n\t}\n\treturn u.HasAnyPerm(permsDeleteAny, target)\n}\n\n// CanCopyFromWeb returns true if the client can copy objects from the web UI.\n// The specified src and dest are the source and target directories for the copy.\nfunc (u *User) CanCopyFromWeb(src, dest string) bool {\n\tif slices.Contains(u.Filters.WebClient, sdk.WebClientWriteDisabled) {\n\t\treturn false\n\t}\n\tif !u.HasPerm(PermListItems, src) {\n\t\treturn false\n\t}\n\tif !u.HasPerm(PermDownload, src) {\n\t\treturn false\n\t}\n\treturn u.HasPerm(PermCopy, src) && u.HasPerm(PermCopy, dest)\n}\n\n// InactivityDays returns the number of days of inactivity\nfunc (u *User) InactivityDays(when time.Time) int {\n\tif when.IsZero() {\n\t\twhen = time.Now()\n\t}\n\tlastActivity := u.LastLogin\n\tif lastActivity == 0 {\n\t\tlastActivity = u.CreatedAt\n\t}\n\tif lastActivity == 0 {\n\t\t// unable to determine inactivity\n\t\treturn 0\n\t}\n\treturn int(float64(when.Sub(util.GetTimeFromMsecSinceEpoch(lastActivity))) / float64(24*time.Hour))\n}\n\n// PasswordExpiresIn returns the number of days before the password expires.\n// The returned value is negative if the password is expired.\n// The caller must ensure that a PasswordExpiration is set\nfunc (u *User) PasswordExpiresIn() int {\n\tlastPwdChange := util.GetTimeFromMsecSinceEpoch(u.LastPasswordChange)\n\tpwdExpiration := lastPwdChange.Add(time.Duration(u.Filters.PasswordExpiration) * 24 * time.Hour)\n\tres := int(math.Round(float64(time.Until(pwdExpiration)) / float64(24*time.Hour)))\n\tif res == 0 && pwdExpiration.After(time.Now()) {\n\t\tres = 1\n\t}\n\treturn res\n}\n\n// MustChangePassword returns true if the user must change the password\nfunc (u *User) MustChangePassword() bool {\n\tif u.Filters.RequirePasswordChange {\n\t\treturn true\n\t}\n\tif u.Filters.PasswordExpiration == 0 {\n\t\treturn false\n\t}\n\tlastPwdChange := util.GetTimeFromMsecSinceEpoch(u.LastPasswordChange)\n\treturn lastPwdChange.Add(time.Duration(u.Filters.PasswordExpiration) * 24 * time.Hour).Before(time.Now())\n}\n\n// MustSetSecondFactor returns true if the user must set a second factor authentication\nfunc (u *User) MustSetSecondFactor() bool {\n\tif len(u.Filters.TwoFactorAuthProtocols) > 0 {\n\t\tif !u.Filters.TOTPConfig.Enabled {\n\t\t\treturn true\n\t\t}\n\t\tfor _, p := range u.Filters.TwoFactorAuthProtocols {\n\t\t\tif !slices.Contains(u.Filters.TOTPConfig.Protocols, p) {\n\t\t\t\treturn true\n\t\t\t}\n\t\t}\n\t}\n\treturn false\n}\n\n// MustSetSecondFactorForProtocol returns true if the user must set a second factor authentication\n// for the specified protocol\nfunc (u *User) MustSetSecondFactorForProtocol(protocol string) bool {\n\tif slices.Contains(u.Filters.TwoFactorAuthProtocols, protocol) {\n\t\tif !u.Filters.TOTPConfig.Enabled {\n\t\t\treturn true\n\t\t}\n\t\tif !slices.Contains(u.Filters.TOTPConfig.Protocols, protocol) {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// GetSignature returns a signature for this user.\n// It will change after an update\nfunc (u *User) GetSignature() string {\n\treturn strconv.FormatInt(u.UpdatedAt, 10)\n}\n\n// GetBandwidthForIP returns the upload and download bandwidth for the specified IP\nfunc (u *User) GetBandwidthForIP(clientIP, connectionID string) (int64, int64) {\n\tif len(u.Filters.BandwidthLimits) > 0 {\n\t\tip := net.ParseIP(clientIP)\n\t\tif ip != nil {\n\t\t\tfor _, bwLimit := range u.Filters.BandwidthLimits {\n\t\t\t\tfor _, source := range bwLimit.Sources {\n\t\t\t\t\t_, ipNet, err := net.ParseCIDR(source)\n\t\t\t\t\tif err == nil {\n\t\t\t\t\t\tif ipNet.Contains(ip) {\n\t\t\t\t\t\t\tlogger.Debug(logSender, connectionID, \"override bandwidth limit for ip %q, upload limit: %v KB/s, download limit: %v KB/s\",\n\t\t\t\t\t\t\t\tclientIP, bwLimit.UploadBandwidth, bwLimit.DownloadBandwidth)\n\t\t\t\t\t\t\treturn bwLimit.UploadBandwidth, bwLimit.DownloadBandwidth\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\treturn u.UploadBandwidth, u.DownloadBandwidth\n}\n\n// IsLoginFromAddrAllowed returns true if the login is allowed from the specified remoteAddr.\n// If AllowedIP is defined only the specified IP/Mask can login.\n// If DeniedIP is defined the specified IP/Mask cannot login.\n// If an IP is both allowed and denied then login will be allowed\nfunc (u *User) IsLoginFromAddrAllowed(remoteAddr string) bool {\n\tif len(u.Filters.AllowedIP) == 0 && len(u.Filters.DeniedIP) == 0 {\n\t\treturn true\n\t}\n\tremoteIP := net.ParseIP(util.GetIPFromRemoteAddress(remoteAddr))\n\t// if remoteIP is invalid we allow login, this should never happen\n\tif remoteIP == nil {\n\t\tlogger.Warn(logSender, \"\", \"login allowed for invalid IP. remote address: %q\", remoteAddr)\n\t\treturn true\n\t}\n\tfor _, IPMask := range u.Filters.AllowedIP {\n\t\t_, IPNet, err := net.ParseCIDR(IPMask)\n\t\tif err != nil {\n\t\t\treturn false\n\t\t}\n\t\tif IPNet.Contains(remoteIP) {\n\t\t\treturn true\n\t\t}\n\t}\n\tfor _, IPMask := range u.Filters.DeniedIP {\n\t\t_, IPNet, err := net.ParseCIDR(IPMask)\n\t\tif err != nil {\n\t\t\treturn false\n\t\t}\n\t\tif IPNet.Contains(remoteIP) {\n\t\t\treturn false\n\t\t}\n\t}\n\treturn len(u.Filters.AllowedIP) == 0\n}\n\n// GetPermissionsAsJSON returns the permissions as json byte array\nfunc (u *User) GetPermissionsAsJSON() ([]byte, error) {\n\treturn json.Marshal(u.Permissions)\n}\n\n// GetPublicKeysAsJSON returns the public keys as json byte array\nfunc (u *User) GetPublicKeysAsJSON() ([]byte, error) {\n\treturn json.Marshal(u.PublicKeys)\n}\n\n// GetFiltersAsJSON returns the filters as json byte array\nfunc (u *User) GetFiltersAsJSON() ([]byte, error) {\n\treturn json.Marshal(u.Filters)\n}\n\n// GetFsConfigAsJSON returns the filesystem config as json byte array\nfunc (u *User) GetFsConfigAsJSON() ([]byte, error) {\n\treturn json.Marshal(u.FsConfig)\n}\n\n// GetUID returns a validate uid, suitable for use with os.Chown\nfunc (u *User) GetUID() int {\n\tif u.UID <= 0 || u.UID > math.MaxInt32 {\n\t\treturn -1\n\t}\n\treturn u.UID\n}\n\n// GetGID returns a validate gid, suitable for use with os.Chown\nfunc (u *User) GetGID() int {\n\tif u.GID <= 0 || u.GID > math.MaxInt32 {\n\t\treturn -1\n\t}\n\treturn u.GID\n}\n\n// GetHomeDir returns the shortest path name equivalent to the user's home directory\nfunc (u *User) GetHomeDir() string {\n\treturn u.HomeDir\n}\n\n// HasRecentActivity returns true if the last user login is recent and so we can skip some expensive checks\nfunc (u *User) HasRecentActivity() bool {\n\treturn isLastActivityRecent(u.LastLogin, lastLoginMinDelay)\n}\n\n// HasQuotaRestrictions returns true if there are any disk quota restrictions\nfunc (u *User) HasQuotaRestrictions() bool {\n\treturn u.QuotaFiles > 0 || u.QuotaSize > 0\n}\n\n// HasTransferQuotaRestrictions returns true if there are any data transfer restrictions\nfunc (u *User) HasTransferQuotaRestrictions() bool {\n\treturn u.UploadDataTransfer > 0 || u.TotalDataTransfer > 0 || u.DownloadDataTransfer > 0\n}\n\n// GetDataTransferLimits returns upload, download and total data transfer limits\nfunc (u *User) GetDataTransferLimits() (int64, int64, int64) {\n\tvar total, ul, dl int64\n\tif u.TotalDataTransfer > 0 {\n\t\ttotal = u.TotalDataTransfer * 1048576\n\t}\n\tif u.DownloadDataTransfer > 0 {\n\t\tdl = u.DownloadDataTransfer * 1048576\n\t}\n\tif u.UploadDataTransfer > 0 {\n\t\tul = u.UploadDataTransfer * 1048576\n\t}\n\treturn ul, dl, total\n}\n\n// GetAllowedIPAsString returns the allowed IP as comma separated string\nfunc (u *User) GetAllowedIPAsString() string {\n\treturn strings.Join(u.Filters.AllowedIP, \",\")\n}\n\n// GetDeniedIPAsString returns the denied IP as comma separated string\nfunc (u *User) GetDeniedIPAsString() string {\n\treturn strings.Join(u.Filters.DeniedIP, \",\")\n}\n\n// HasExternalAuth returns true if the external authentication is globally enabled\n// and it is not disabled for this user\nfunc (u *User) HasExternalAuth() bool {\n\tif u.Filters.Hooks.ExternalAuthDisabled {\n\t\treturn false\n\t}\n\tif config.ExternalAuthHook != \"\" {\n\t\treturn true\n\t}\n\treturn plugin.Handler.HasAuthenticators()\n}\n\n// CountUnusedRecoveryCodes returns the number of unused recovery codes\nfunc (u *User) CountUnusedRecoveryCodes() int {\n\tunused := 0\n\tfor _, code := range u.Filters.RecoveryCodes {\n\t\tif !code.Used {\n\t\t\tunused++\n\t\t}\n\t}\n\treturn unused\n}\n\n// SetEmptySecretsIfNil sets the secrets to empty if nil\nfunc (u *User) SetEmptySecretsIfNil() {\n\tu.HasPassword = u.Password != \"\"\n\tu.FsConfig.SetEmptySecretsIfNil()\n\tfor idx := range u.VirtualFolders {\n\t\tvfolder := &u.VirtualFolders[idx]\n\t\tvfolder.FsConfig.SetEmptySecretsIfNil()\n\t}\n\tif u.Filters.TOTPConfig.Secret == nil {\n\t\tu.Filters.TOTPConfig.Secret = kms.NewEmptySecret()\n\t}\n}\n\nfunc (u *User) hasMainDataTransferLimits() bool {\n\treturn u.UploadDataTransfer > 0 || u.DownloadDataTransfer > 0 || u.TotalDataTransfer > 0\n}\n\n// HasPrimaryGroup returns true if the user has the specified primary group\nfunc (u *User) HasPrimaryGroup(name string) bool {\n\tfor _, g := range u.Groups {\n\t\tif g.Name == name {\n\t\t\treturn g.Type == sdk.GroupTypePrimary\n\t\t}\n\t}\n\treturn false\n}\n\n// HasSecondaryGroup returns true if the user has the specified secondary group\nfunc (u *User) HasSecondaryGroup(name string) bool {\n\tfor _, g := range u.Groups {\n\t\tif g.Name == name {\n\t\t\treturn g.Type == sdk.GroupTypeSecondary\n\t\t}\n\t}\n\treturn false\n}\n\n// HasMembershipGroup returns true if the user has the specified membership group\nfunc (u *User) HasMembershipGroup(name string) bool {\n\tfor _, g := range u.Groups {\n\t\tif g.Name == name {\n\t\t\treturn g.Type == sdk.GroupTypeMembership\n\t\t}\n\t}\n\treturn false\n}\n\nfunc (u *User) hasSettingsFromGroups() bool {\n\tfor _, g := range u.Groups {\n\t\tif g.Type != sdk.GroupTypeMembership {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\nfunc (u *User) applyGroupSettings(groupsMapping map[string]Group) {\n\tif !u.hasSettingsFromGroups() {\n\t\treturn\n\t}\n\tif u.groupSettingsApplied {\n\t\treturn\n\t}\n\treplacer := u.getGroupPlacehodersReplacer()\n\tfor _, g := range u.Groups {\n\t\tif g.Type == sdk.GroupTypePrimary {\n\t\t\tif group, ok := groupsMapping[g.Name]; ok {\n\t\t\t\tu.mergeWithPrimaryGroup(&group, replacer)\n\t\t\t} else {\n\t\t\t\tproviderLog(logger.LevelError, \"mapping not found for user %s, group %s\", u.Username, g.Name)\n\t\t\t}\n\t\t\tbreak\n\t\t}\n\t}\n\tfor _, g := range u.Groups {\n\t\tif g.Type == sdk.GroupTypeSecondary {\n\t\t\tif group, ok := groupsMapping[g.Name]; ok {\n\t\t\t\tu.mergeAdditiveProperties(&group, sdk.GroupTypeSecondary, replacer)\n\t\t\t} else {\n\t\t\t\tproviderLog(logger.LevelError, \"mapping not found for user %s, group %s\", u.Username, g.Name)\n\t\t\t}\n\t\t}\n\t}\n\tu.removeDuplicatesAfterGroupMerge()\n}\n\n// LoadAndApplyGroupSettings update the user by loading and applying the group settings\nfunc (u *User) LoadAndApplyGroupSettings() error {\n\tif !u.hasSettingsFromGroups() {\n\t\treturn nil\n\t}\n\tif u.groupSettingsApplied {\n\t\treturn nil\n\t}\n\tnames := make([]string, 0, len(u.Groups))\n\tvar primaryGroupName string\n\tfor _, g := range u.Groups {\n\t\tif g.Type == sdk.GroupTypePrimary {\n\t\t\tprimaryGroupName = g.Name\n\t\t}\n\t\tif g.Type != sdk.GroupTypeMembership {\n\t\t\tnames = append(names, g.Name)\n\t\t}\n\t}\n\tgroups, err := provider.getGroupsWithNames(names)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to get groups: %w\", err)\n\t}\n\treplacer := u.getGroupPlacehodersReplacer()\n\t// make sure to always merge with the primary group first\n\tfor idx := range groups {\n\t\tg := groups[idx]\n\t\tif g.Name == primaryGroupName {\n\t\t\tu.mergeWithPrimaryGroup(&g, replacer)\n\t\t\tlastIdx := len(groups) - 1\n\t\t\tgroups[idx] = groups[lastIdx]\n\t\t\tgroups = groups[:lastIdx]\n\t\t\tbreak\n\t\t}\n\t}\n\tfor idx := range groups {\n\t\tg := groups[idx]\n\t\tu.mergeAdditiveProperties(&g, sdk.GroupTypeSecondary, replacer)\n\t}\n\tu.removeDuplicatesAfterGroupMerge()\n\treturn nil\n}\n\nfunc (u *User) getGroupPlacehodersReplacer() *strings.Replacer {\n\treturn strings.NewReplacer(\"%username%\", u.Username, \"%role%\", u.Role)\n}\n\nfunc (u *User) replacePlaceholder(value string, replacer *strings.Replacer) string {\n\tif value == \"\" {\n\t\treturn value\n\t}\n\treturn replacer.Replace(value)\n}\n\nfunc (u *User) replaceFsConfigPlaceholders(fsConfig vfs.Filesystem, replacer *strings.Replacer) vfs.Filesystem {\n\tswitch fsConfig.Provider {\n\tcase sdk.S3FilesystemProvider:\n\t\tfsConfig.S3Config.KeyPrefix = u.replacePlaceholder(fsConfig.S3Config.KeyPrefix, replacer)\n\tcase sdk.GCSFilesystemProvider:\n\t\tfsConfig.GCSConfig.KeyPrefix = u.replacePlaceholder(fsConfig.GCSConfig.KeyPrefix, replacer)\n\tcase sdk.AzureBlobFilesystemProvider:\n\t\tfsConfig.AzBlobConfig.KeyPrefix = u.replacePlaceholder(fsConfig.AzBlobConfig.KeyPrefix, replacer)\n\tcase sdk.SFTPFilesystemProvider:\n\t\tfsConfig.SFTPConfig.Username = u.replacePlaceholder(fsConfig.SFTPConfig.Username, replacer)\n\t\tfsConfig.SFTPConfig.Prefix = u.replacePlaceholder(fsConfig.SFTPConfig.Prefix, replacer)\n\tcase sdk.HTTPFilesystemProvider:\n\t\tfsConfig.HTTPConfig.Username = u.replacePlaceholder(fsConfig.HTTPConfig.Username, replacer)\n\t}\n\treturn fsConfig\n}\n\nfunc (u *User) mergeCryptFsConfig(group *Group) {\n\tif group.UserSettings.FsConfig.Provider == sdk.CryptedFilesystemProvider {\n\t\tif u.FsConfig.CryptConfig.ReadBufferSize == 0 {\n\t\t\tu.FsConfig.CryptConfig.ReadBufferSize = group.UserSettings.FsConfig.CryptConfig.ReadBufferSize\n\t\t}\n\t\tif u.FsConfig.CryptConfig.WriteBufferSize == 0 {\n\t\t\tu.FsConfig.CryptConfig.WriteBufferSize = group.UserSettings.FsConfig.CryptConfig.WriteBufferSize\n\t\t}\n\t}\n}\n\nfunc (u *User) mergeWithPrimaryGroup(group *Group, replacer *strings.Replacer) {\n\tif group.UserSettings.HomeDir != \"\" {\n\t\tu.HomeDir = filepath.Clean(u.replacePlaceholder(group.UserSettings.HomeDir, replacer))\n\t}\n\tif group.UserSettings.FsConfig.Provider != 0 {\n\t\tu.FsConfig = u.replaceFsConfigPlaceholders(group.UserSettings.FsConfig, replacer)\n\t\tu.mergeCryptFsConfig(group)\n\t} else {\n\t\tif u.FsConfig.OSConfig.ReadBufferSize == 0 {\n\t\t\tu.FsConfig.OSConfig.ReadBufferSize = group.UserSettings.FsConfig.OSConfig.ReadBufferSize\n\t\t}\n\t\tif u.FsConfig.OSConfig.WriteBufferSize == 0 {\n\t\t\tu.FsConfig.OSConfig.WriteBufferSize = group.UserSettings.FsConfig.OSConfig.WriteBufferSize\n\t\t}\n\t}\n\tif u.MaxSessions == 0 {\n\t\tu.MaxSessions = group.UserSettings.MaxSessions\n\t}\n\tif u.QuotaSize == 0 {\n\t\tu.QuotaSize = group.UserSettings.QuotaSize\n\t}\n\tif u.QuotaFiles == 0 {\n\t\tu.QuotaFiles = group.UserSettings.QuotaFiles\n\t}\n\tif u.UploadBandwidth == 0 {\n\t\tu.UploadBandwidth = group.UserSettings.UploadBandwidth\n\t}\n\tif u.DownloadBandwidth == 0 {\n\t\tu.DownloadBandwidth = group.UserSettings.DownloadBandwidth\n\t}\n\tif !u.hasMainDataTransferLimits() {\n\t\tu.UploadDataTransfer = group.UserSettings.UploadDataTransfer\n\t\tu.DownloadDataTransfer = group.UserSettings.DownloadDataTransfer\n\t\tu.TotalDataTransfer = group.UserSettings.TotalDataTransfer\n\t}\n\tif u.ExpirationDate == 0 && group.UserSettings.ExpiresIn > 0 {\n\t\tu.ExpirationDate = u.CreatedAt + int64(group.UserSettings.ExpiresIn)*86400000\n\t}\n\tu.mergePrimaryGroupFilters(&group.UserSettings.Filters, replacer)\n\tu.mergeAdditiveProperties(group, sdk.GroupTypePrimary, replacer)\n}\n\nfunc (u *User) mergePrimaryGroupFilters(filters *sdk.BaseUserFilters, replacer *strings.Replacer) { //nolint:gocyclo\n\tif u.Filters.MaxUploadFileSize == 0 {\n\t\tu.Filters.MaxUploadFileSize = filters.MaxUploadFileSize\n\t}\n\tif !u.IsTLSVerificationEnabled() {\n\t\tu.Filters.TLSUsername = filters.TLSUsername\n\t}\n\tif !u.Filters.Hooks.CheckPasswordDisabled {\n\t\tu.Filters.Hooks.CheckPasswordDisabled = filters.Hooks.CheckPasswordDisabled\n\t}\n\tif !u.Filters.Hooks.PreLoginDisabled {\n\t\tu.Filters.Hooks.PreLoginDisabled = filters.Hooks.PreLoginDisabled\n\t}\n\tif !u.Filters.Hooks.ExternalAuthDisabled {\n\t\tu.Filters.Hooks.ExternalAuthDisabled = filters.Hooks.ExternalAuthDisabled\n\t}\n\tif !u.Filters.DisableFsChecks {\n\t\tu.Filters.DisableFsChecks = filters.DisableFsChecks\n\t}\n\tif !u.Filters.AllowAPIKeyAuth {\n\t\tu.Filters.AllowAPIKeyAuth = filters.AllowAPIKeyAuth\n\t}\n\tif !u.Filters.IsAnonymous {\n\t\tu.Filters.IsAnonymous = filters.IsAnonymous\n\t}\n\tif u.Filters.ExternalAuthCacheTime == 0 {\n\t\tu.Filters.ExternalAuthCacheTime = filters.ExternalAuthCacheTime\n\t}\n\tif u.Filters.FTPSecurity == 0 {\n\t\tu.Filters.FTPSecurity = filters.FTPSecurity\n\t}\n\tif u.Filters.StartDirectory == \"\" {\n\t\tu.Filters.StartDirectory = u.replacePlaceholder(filters.StartDirectory, replacer)\n\t}\n\tif u.Filters.DefaultSharesExpiration == 0 {\n\t\tu.Filters.DefaultSharesExpiration = filters.DefaultSharesExpiration\n\t}\n\tif u.Filters.MaxSharesExpiration == 0 {\n\t\tu.Filters.MaxSharesExpiration = filters.MaxSharesExpiration\n\t}\n\tif u.Filters.PasswordExpiration == 0 {\n\t\tu.Filters.PasswordExpiration = filters.PasswordExpiration\n\t}\n\tif u.Filters.PasswordStrength == 0 {\n\t\tu.Filters.PasswordStrength = filters.PasswordStrength\n\t}\n}\n\nfunc (u *User) mergeAdditiveProperties(group *Group, groupType int, replacer *strings.Replacer) {\n\tu.mergeVirtualFolders(group, groupType, replacer)\n\tu.mergePermissions(group, groupType, replacer)\n\tu.mergeFilePatterns(group, groupType, replacer)\n\tu.Filters.BandwidthLimits = append(u.Filters.BandwidthLimits, group.UserSettings.Filters.BandwidthLimits...)\n\tu.Filters.AllowedIP = append(u.Filters.AllowedIP, group.UserSettings.Filters.AllowedIP...)\n\tu.Filters.DeniedIP = append(u.Filters.DeniedIP, group.UserSettings.Filters.DeniedIP...)\n\tu.Filters.DeniedLoginMethods = append(u.Filters.DeniedLoginMethods, group.UserSettings.Filters.DeniedLoginMethods...)\n\tu.Filters.DeniedProtocols = append(u.Filters.DeniedProtocols, group.UserSettings.Filters.DeniedProtocols...)\n\tu.Filters.WebClient = append(u.Filters.WebClient, group.UserSettings.Filters.WebClient...)\n\tu.Filters.TwoFactorAuthProtocols = append(u.Filters.TwoFactorAuthProtocols, group.UserSettings.Filters.TwoFactorAuthProtocols...)\n\tu.Filters.AccessTime = append(u.Filters.AccessTime, group.UserSettings.Filters.AccessTime...)\n}\n\nfunc (u *User) mergeVirtualFolders(group *Group, groupType int, replacer *strings.Replacer) {\n\tif len(group.VirtualFolders) > 0 {\n\t\tfolderPaths := make(map[string]bool)\n\t\tfor _, folder := range u.VirtualFolders {\n\t\t\tfolderPaths[folder.VirtualPath] = true\n\t\t}\n\t\tfor _, folder := range group.VirtualFolders {\n\t\t\tif folder.VirtualPath == \"/\" && groupType != sdk.GroupTypePrimary {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tfolder.VirtualPath = u.replacePlaceholder(folder.VirtualPath, replacer)\n\t\t\tif _, ok := folderPaths[folder.VirtualPath]; !ok {\n\t\t\t\tfolder.MappedPath = u.replacePlaceholder(folder.MappedPath, replacer)\n\t\t\t\tfolder.FsConfig = u.replaceFsConfigPlaceholders(folder.FsConfig, replacer)\n\t\t\t\tu.VirtualFolders = append(u.VirtualFolders, folder)\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc (u *User) mergePermissions(group *Group, groupType int, replacer *strings.Replacer) {\n\tif u.Permissions == nil {\n\t\tu.Permissions = make(map[string][]string)\n\t}\n\tfor k, v := range group.UserSettings.Permissions {\n\t\tif k == \"/\" {\n\t\t\tif groupType == sdk.GroupTypePrimary {\n\t\t\t\tu.Permissions[k] = v\n\t\t\t} else {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\t\tk = u.replacePlaceholder(k, replacer)\n\t\tif _, ok := u.Permissions[k]; !ok {\n\t\t\tu.Permissions[k] = v\n\t\t}\n\t}\n}\n\nfunc (u *User) mergeFilePatterns(group *Group, groupType int, replacer *strings.Replacer) {\n\tif len(group.UserSettings.Filters.FilePatterns) > 0 {\n\t\tpatternPaths := make(map[string]bool)\n\t\tfor _, pattern := range u.Filters.FilePatterns {\n\t\t\tpatternPaths[pattern.Path] = true\n\t\t}\n\t\tfor _, pattern := range group.UserSettings.Filters.FilePatterns {\n\t\t\tif pattern.Path == \"/\" && groupType != sdk.GroupTypePrimary {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tpattern.Path = u.replacePlaceholder(pattern.Path, replacer)\n\t\t\tif _, ok := patternPaths[pattern.Path]; !ok {\n\t\t\t\tu.Filters.FilePatterns = append(u.Filters.FilePatterns, pattern)\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc (u *User) removeDuplicatesAfterGroupMerge() {\n\tu.Filters.AllowedIP = util.RemoveDuplicates(u.Filters.AllowedIP, false)\n\tu.Filters.DeniedIP = util.RemoveDuplicates(u.Filters.DeniedIP, false)\n\tu.Filters.DeniedLoginMethods = util.RemoveDuplicates(u.Filters.DeniedLoginMethods, false)\n\tu.Filters.DeniedProtocols = util.RemoveDuplicates(u.Filters.DeniedProtocols, false)\n\tu.Filters.WebClient = util.RemoveDuplicates(u.Filters.WebClient, false)\n\tu.Filters.TwoFactorAuthProtocols = util.RemoveDuplicates(u.Filters.TwoFactorAuthProtocols, false)\n\tu.SetEmptySecretsIfNil()\n\tu.groupSettingsApplied = true\n}\n\nfunc (u *User) hasRole(role string) bool {\n\tif role == \"\" {\n\t\treturn true\n\t}\n\treturn role == u.Role\n}\n\nfunc (u *User) applyNamingRules() {\n\tu.Username = config.convertName(u.Username)\n\tu.Role = config.convertName(u.Role)\n\tfor idx := range u.Groups {\n\t\tu.Groups[idx].Name = config.convertName(u.Groups[idx].Name)\n\t}\n\tfor idx := range u.VirtualFolders {\n\t\tu.VirtualFolders[idx].Name = config.convertName(u.VirtualFolders[idx].Name)\n\t}\n}\n\nfunc (u *User) getACopy() User {\n\tu.SetEmptySecretsIfNil()\n\tpubKeys := make([]string, len(u.PublicKeys))\n\tcopy(pubKeys, u.PublicKeys)\n\tvirtualFolders := make([]vfs.VirtualFolder, 0, len(u.VirtualFolders))\n\tfor idx := range u.VirtualFolders {\n\t\tvfolder := u.VirtualFolders[idx].GetACopy()\n\t\tvirtualFolders = append(virtualFolders, vfolder)\n\t}\n\tgroups := make([]sdk.GroupMapping, 0, len(u.Groups))\n\tfor _, g := range u.Groups {\n\t\tgroups = append(groups, sdk.GroupMapping{\n\t\t\tName: g.Name,\n\t\t\tType: g.Type,\n\t\t})\n\t}\n\tpermissions := make(map[string][]string)\n\tfor k, v := range u.Permissions {\n\t\tperms := make([]string, len(v))\n\t\tcopy(perms, v)\n\t\tpermissions[k] = perms\n\t}\n\tfilters := UserFilters{\n\t\tBaseUserFilters: copyBaseUserFilters(u.Filters.BaseUserFilters),\n\t}\n\tfilters.RequirePasswordChange = u.Filters.RequirePasswordChange\n\tfilters.TOTPConfig.Enabled = u.Filters.TOTPConfig.Enabled\n\tfilters.TOTPConfig.ConfigName = u.Filters.TOTPConfig.ConfigName\n\tfilters.TOTPConfig.Secret = u.Filters.TOTPConfig.Secret.Clone()\n\tfilters.TOTPConfig.Protocols = make([]string, len(u.Filters.TOTPConfig.Protocols))\n\tcopy(filters.TOTPConfig.Protocols, u.Filters.TOTPConfig.Protocols)\n\tfilters.AdditionalEmails = make([]string, len(u.Filters.AdditionalEmails))\n\tcopy(filters.AdditionalEmails, u.Filters.AdditionalEmails)\n\tfilters.RecoveryCodes = make([]RecoveryCode, 0, len(u.Filters.RecoveryCodes))\n\tfor _, code := range u.Filters.RecoveryCodes {\n\t\tif code.Secret == nil {\n\t\t\tcode.Secret = kms.NewEmptySecret()\n\t\t}\n\t\tfilters.RecoveryCodes = append(filters.RecoveryCodes, RecoveryCode{\n\t\t\tSecret: code.Secret.Clone(),\n\t\t\tUsed: code.Used,\n\t\t})\n\t}\n\n\treturn User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tID: u.ID,\n\t\t\tUsername: u.Username,\n\t\t\tEmail: u.Email,\n\t\t\tPassword: u.Password,\n\t\t\tPublicKeys: pubKeys,\n\t\t\tHasPassword: u.HasPassword,\n\t\t\tHomeDir: u.HomeDir,\n\t\t\tUID: u.UID,\n\t\t\tGID: u.GID,\n\t\t\tMaxSessions: u.MaxSessions,\n\t\t\tQuotaSize: u.QuotaSize,\n\t\t\tQuotaFiles: u.QuotaFiles,\n\t\t\tPermissions: permissions,\n\t\t\tUsedQuotaSize: u.UsedQuotaSize,\n\t\t\tUsedQuotaFiles: u.UsedQuotaFiles,\n\t\t\tLastQuotaUpdate: u.LastQuotaUpdate,\n\t\t\tUploadBandwidth: u.UploadBandwidth,\n\t\t\tDownloadBandwidth: u.DownloadBandwidth,\n\t\t\tUploadDataTransfer: u.UploadDataTransfer,\n\t\t\tDownloadDataTransfer: u.DownloadDataTransfer,\n\t\t\tTotalDataTransfer: u.TotalDataTransfer,\n\t\t\tUsedUploadDataTransfer: u.UsedUploadDataTransfer,\n\t\t\tUsedDownloadDataTransfer: u.UsedDownloadDataTransfer,\n\t\t\tStatus: u.Status,\n\t\t\tExpirationDate: u.ExpirationDate,\n\t\t\tLastLogin: u.LastLogin,\n\t\t\tFirstDownload: u.FirstDownload,\n\t\t\tFirstUpload: u.FirstUpload,\n\t\t\tLastPasswordChange: u.LastPasswordChange,\n\t\t\tAdditionalInfo: u.AdditionalInfo,\n\t\t\tDescription: u.Description,\n\t\t\tCreatedAt: u.CreatedAt,\n\t\t\tUpdatedAt: u.UpdatedAt,\n\t\t\tRole: u.Role,\n\t\t},\n\t\tFilters: filters,\n\t\tVirtualFolders: virtualFolders,\n\t\tGroups: groups,\n\t\tFsConfig: u.FsConfig.GetACopy(),\n\t\tgroupSettingsApplied: u.groupSettingsApplied,\n\t}\n}\n\n// GetEncryptionAdditionalData returns the additional data to use for AEAD\nfunc (u *User) GetEncryptionAdditionalData() string {\n\treturn u.Username\n}\n" }, { "path": "internal/ftpd/cryptfs_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage ftpd_test\n\nimport (\n\t\"crypto/sha256\"\n\t\"fmt\"\n\t\"hash\"\n\t\"io\"\n\t\"net/http\"\n\t\"os\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/minio/sio\"\n\t\"github.com/sftpgo/sdk\"\n\t\"github.com/stretchr/testify/assert\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpdtest\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n)\n\nfunc TestBasicFTPHandlingCryptFs(t *testing.T) {\n\tu := getTestUserWithCryptFs()\n\tu.QuotaSize = 6553600\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\tassert.Len(t, common.Connections.GetStats(\"\"), 1)\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\tencryptedFileSize, err := getEncryptedFileSize(testFileSize)\n\t\tassert.NoError(t, err)\n\t\texpectedQuotaSize := encryptedFileSize\n\t\texpectedQuotaFiles := 1\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, path.Join(\"/missing_dir\", testFileName), testFileSize, client, 0)\n\t\tassert.Error(t, err)\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\t// overwrite an existing file\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = ftpDownloadFile(testFileName, localDownloadPath, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\tinfo, err := os.Stat(localDownloadPath)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, testFileSize, info.Size())\n\t\t}\n\t\tlist, err := client.List(\".\")\n\t\tif assert.NoError(t, err) {\n\t\t\tif assert.Len(t, list, 1) {\n\t\t\t\tassert.Equal(t, testFileSize, int64(list[0].Size))\n\t\t\t}\n\t\t}\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\terr = client.Rename(testFileName, testFileName+\"1\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Delete(testFileName)\n\t\tassert.Error(t, err)\n\t\terr = client.Delete(testFileName + \"1\")\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, expectedQuotaFiles-1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, expectedQuotaSize-encryptedFileSize, user.UsedQuotaSize)\n\t\tcurDir, err := client.CurrentDir()\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, \"/\", curDir)\n\t\t}\n\t\ttestDir := \"testDir\"\n\t\terr = client.MakeDir(testDir)\n\t\tassert.NoError(t, err)\n\t\terr = client.ChangeDir(testDir)\n\t\tassert.NoError(t, err)\n\t\tcurDir, err = client.CurrentDir()\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, path.Join(\"/\", testDir), curDir)\n\t\t}\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\tsize, err := client.FileSize(path.Join(\"/\", testDir, testFileName))\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize, size)\n\t\terr = client.ChangeDirToParent()\n\t\tassert.NoError(t, err)\n\t\tcurDir, err = client.CurrentDir()\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, \"/\", curDir)\n\t\t}\n\t\terr = client.Delete(path.Join(\"/\", testDir, testFileName))\n\t\tassert.NoError(t, err)\n\t\terr = client.Delete(testDir)\n\t\tassert.Error(t, err)\n\t\terr = client.RemoveDir(testDir)\n\t\tassert.NoError(t, err)\n\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool { return len(common.Connections.GetStats(\"\")) == 0 }, 1*time.Second, 50*time.Millisecond)\n\tassert.Eventually(t, func() bool { return common.Connections.GetClientConnections() == 0 }, 1000*time.Millisecond,\n\t\t50*time.Millisecond)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n}\n\nfunc TestBufferedCryptFs(t *testing.T) {\n\tu := getTestUserWithCryptFs()\n\tu.FsConfig.CryptConfig.OSFsConfig = sdk.OSFsConfig{\n\t\tReadBufferSize: 1,\n\t\tWriteBufferSize: 1,\n\t}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\t// overwrite an existing file\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = ftpDownloadFile(testFileName, localDownloadPath, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\tinfo, err := os.Stat(localDownloadPath)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, testFileSize, info.Size())\n\t\t}\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool { return len(common.Connections.GetStats(\"\")) == 0 }, 1*time.Second, 50*time.Millisecond)\n\tassert.Eventually(t, func() bool { return common.Connections.GetClientConnections() == 0 }, 1000*time.Millisecond,\n\t\t50*time.Millisecond)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n}\n\nfunc TestZeroBytesTransfersCryptFs(t *testing.T) {\n\tu := getTestUserWithCryptFs()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\ttestFileName := \"testfilename\"\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, \"emptydownload\")\n\t\terr = os.WriteFile(localDownloadPath, []byte(\"\"), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(localDownloadPath, testFileName, 0, client, 0)\n\t\tassert.NoError(t, err)\n\t\tsize, err := client.FileSize(testFileName)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), size)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t\tassert.NoFileExists(t, localDownloadPath)\n\t\terr = ftpDownloadFile(testFileName, localDownloadPath, 0, client, 0)\n\t\tassert.NoError(t, err)\n\t\tinfo, err := os.Stat(localDownloadPath)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, int64(0), info.Size())\n\t\t}\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestResumeCryptFs(t *testing.T) {\n\tu := getTestUserWithCryptFs()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\tdata := []byte(\"test data\")\n\t\terr = os.WriteFile(testFilePath, data, os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, testFileName, int64(len(data)), client, 0)\n\t\tassert.NoError(t, err)\n\t\t// resuming uploads is not supported\n\t\terr = ftpUploadFile(testFilePath, testFileName, int64(len(data)+5), client, 5)\n\t\tassert.Error(t, err)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = ftpDownloadFile(testFileName, localDownloadPath, int64(4), client, 5)\n\t\tassert.NoError(t, err)\n\t\treaded, err := os.ReadFile(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, data[5:], readed)\n\t\terr = ftpDownloadFile(testFileName, localDownloadPath, int64(8), client, 1)\n\t\tassert.NoError(t, err)\n\t\treaded, err = os.ReadFile(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, data[1:], readed)\n\t\terr = ftpDownloadFile(testFileName, localDownloadPath, int64(0), client, 9)\n\t\tassert.NoError(t, err)\n\t\terr = client.Delete(testFileName)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, testFileName, int64(len(data)), client, 0)\n\t\tassert.NoError(t, err)\n\t\t// now append to a file\n\t\tsrcFile, err := os.Open(testFilePath)\n\t\tif assert.NoError(t, err) {\n\t\t\terr = client.Append(testFileName, srcFile)\n\t\t\tassert.Error(t, err)\n\t\t\terr = srcFile.Close()\n\t\t\tassert.NoError(t, err)\n\t\t\tsize, err := client.FileSize(testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, int64(len(data)), size)\n\t\t\terr = ftpDownloadFile(testFileName, localDownloadPath, int64(len(data)), client, 0)\n\t\t\tassert.NoError(t, err)\n\t\t\treaded, err = os.ReadFile(localDownloadPath)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, data, readed)\n\t\t}\n\t\t// now test a download resume using a bigger file\n\t\ttestFileSize := int64(655352)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\tinitialHash, err := computeHashForFile(sha256.New(), testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\terr = ftpDownloadFile(testFileName, localDownloadPath, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\tdownloadHash, err := computeHashForFile(sha256.New(), localDownloadPath)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, initialHash, downloadHash)\n\t\terr = os.Truncate(localDownloadPath, 32767)\n\t\tassert.NoError(t, err)\n\t\terr = ftpDownloadFile(testFileName, localDownloadPath+\"_partial\", testFileSize-32767, client, 32767) //nolint:goconst\n\t\tassert.NoError(t, err)\n\t\tfile, err := os.OpenFile(localDownloadPath, os.O_APPEND|os.O_WRONLY, os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\tfile1, err := os.Open(localDownloadPath + \"_partial\") //nolint:goconst\n\t\tassert.NoError(t, err)\n\t\t_, err = io.Copy(file, file1)\n\t\tassert.NoError(t, err)\n\t\terr = file.Close()\n\t\tassert.NoError(t, err)\n\t\terr = file1.Close()\n\t\tassert.NoError(t, err)\n\t\tdownloadHash, err = computeHashForFile(sha256.New(), localDownloadPath)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, initialHash, downloadHash)\n\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath + \"_partial\")\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc getTestUserWithCryptFs() dataprovider.User {\n\tuser := getTestUser()\n\tuser.FsConfig.Provider = sdk.CryptedFilesystemProvider\n\tuser.FsConfig.CryptConfig.Passphrase = kms.NewPlainSecret(\"testPassphrase\")\n\treturn user\n}\n\nfunc getEncryptedFileSize(size int64) (int64, error) {\n\tencSize, err := sio.EncryptedSize(uint64(size))\n\treturn int64(encSize) + 33, err\n}\n\nfunc computeHashForFile(hasher hash.Hash, path string) (string, error) {\n\thash := \"\"\n\tf, err := os.Open(path)\n\tif err != nil {\n\t\treturn hash, err\n\t}\n\tdefer f.Close()\n\t_, err = io.Copy(hasher, f)\n\tif err == nil {\n\t\thash = fmt.Sprintf(\"%x\", hasher.Sum(nil))\n\t}\n\treturn hash, err\n}\n" }, { "path": "internal/ftpd/ftpd.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n// Package ftpd implements the FTP protocol\npackage ftpd\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"log/slog\"\n\t\"net\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"time\"\n\n\tftpserver \"github.com/fclairamb/ftpserverlib\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nconst (\n\tlogSender = \"ftpd\"\n)\n\nvar (\n\tcertMgr *common.CertManager\n\tserviceStatus ServiceStatus\n)\n\n// PassiveIPOverride defines an exception for the configured passive IP\ntype PassiveIPOverride struct {\n\tNetworks []string `json:\"networks\" mapstructure:\"networks\"`\n\t// if empty the local address will be returned\n\tIP string `json:\"ip\" mapstructure:\"ip\"`\n\tparsedNetworks []func(net.IP) bool\n}\n\n// GetNetworksAsString returns the configured networks as string\nfunc (p *PassiveIPOverride) GetNetworksAsString() string {\n\treturn strings.Join(p.Networks, \", \")\n}\n\n// Binding defines the configuration for a network listener\ntype Binding struct {\n\t// The address to listen on. A blank value means listen on all available network interfaces.\n\tAddress string `json:\"address\" mapstructure:\"address\"`\n\t// The port used for serving requests\n\tPort int `json:\"port\" mapstructure:\"port\"`\n\t// Apply the proxy configuration, if any, for this binding\n\tApplyProxyConfig bool `json:\"apply_proxy_config\" mapstructure:\"apply_proxy_config\"`\n\t// Set to 1 to require TLS for both data and control connection.\n\t// Set to 2 to enable implicit TLS\n\tTLSMode int `json:\"tls_mode\" mapstructure:\"tls_mode\"`\n\t// Certificate and matching private key for this specific binding, if empty the global\n\t// ones will be used, if any\n\tCertificateFile string `json:\"certificate_file\" mapstructure:\"certificate_file\"`\n\tCertificateKeyFile string `json:\"certificate_key_file\" mapstructure:\"certificate_key_file\"`\n\t// Defines the minimum TLS version. 13 means TLS 1.3, default is TLS 1.2\n\tMinTLSVersion int `json:\"min_tls_version\" mapstructure:\"min_tls_version\"`\n\t// External IP address for passive connections.\n\tForcePassiveIP string `json:\"force_passive_ip\" mapstructure:\"force_passive_ip\"`\n\t// PassiveIPOverrides allows to define different IP addresses for passive connections\n\t// based on the client IP address\n\tPassiveIPOverrides []PassiveIPOverride `json:\"passive_ip_overrides\" mapstructure:\"passive_ip_overrides\"`\n\t// Hostname for passive connections. This hostname will be resolved each time a passive\n\t// connection is requested and this can, depending on the DNS configuration, take a noticeable\n\t// amount of time. Enable this setting only if you have a dynamic IP address\n\tPassiveHost string `json:\"passive_host\" mapstructure:\"passive_host\"`\n\t// Set to 1 to require client certificate authentication.\n\t// Set to 2 to require a client certificate and verfify it if given. In this mode\n\t// the client is allowed not to send a certificate.\n\t// You need to define at least a certificate authority for this to work\n\tClientAuthType int `json:\"client_auth_type\" mapstructure:\"client_auth_type\"`\n\t// TLSCipherSuites is a list of supported cipher suites for TLS version 1.2.\n\t// If CipherSuites is nil/empty, a default list of secure cipher suites\n\t// is used, with a preference order based on hardware performance.\n\t// Note that TLS 1.3 ciphersuites are not configurable.\n\t// The supported ciphersuites names are defined here:\n\t//\n\t// https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L53\n\t//\n\t// any invalid name will be silently ignored.\n\t// The order matters, the ciphers listed first will be the preferred ones.\n\tTLSCipherSuites []string `json:\"tls_cipher_suites\" mapstructure:\"tls_cipher_suites\"`\n\t// PassiveConnectionsSecurity defines the security checks for passive data connections.\n\t// Supported values:\n\t// - 0 require matching peer IP addresses of control and data connection. This is the default\n\t// - 1 disable any checks\n\tPassiveConnectionsSecurity int `json:\"passive_connections_security\" mapstructure:\"passive_connections_security\"`\n\t// ActiveConnectionsSecurity defines the security checks for active data connections.\n\t// The supported values are the same as described for PassiveConnectionsSecurity.\n\t// Please note that disabling the security checks you will make the FTP service vulnerable to bounce attacks\n\t// on active data connections, so change the default value only if you are on a trusted/internal network\n\tActiveConnectionsSecurity int `json:\"active_connections_security\" mapstructure:\"active_connections_security\"`\n\t// Debug enables the FTP debug mode. In debug mode, every FTP command will be logged\n\tDebug bool `json:\"debug\" mapstructure:\"debug\"`\n\tciphers []uint16\n}\n\nfunc (b *Binding) setCiphers() {\n\tb.ciphers = util.GetTLSCiphersFromNames(b.TLSCipherSuites)\n}\n\nfunc (b *Binding) isMutualTLSEnabled() bool {\n\treturn b.ClientAuthType == 1 || b.ClientAuthType == 2\n}\n\n// GetAddress returns the binding address\nfunc (b *Binding) GetAddress() string {\n\treturn fmt.Sprintf(\"%s:%d\", b.Address, b.Port)\n}\n\n// IsValid returns true if the binding port is > 0\nfunc (b *Binding) IsValid() bool {\n\treturn b.Port > 0\n}\n\nfunc (b *Binding) isTLSModeValid() bool {\n\treturn b.TLSMode >= 0 && b.TLSMode <= 2\n}\n\nfunc (b *Binding) checkSecuritySettings() error {\n\tif b.PassiveConnectionsSecurity < 0 || b.PassiveConnectionsSecurity > 1 {\n\t\treturn fmt.Errorf(\"invalid passive_connections_security: %v\", b.PassiveConnectionsSecurity)\n\t}\n\tif b.ActiveConnectionsSecurity < 0 || b.ActiveConnectionsSecurity > 1 {\n\t\treturn fmt.Errorf(\"invalid active_connections_security: %v\", b.ActiveConnectionsSecurity)\n\t}\n\treturn nil\n}\n\nfunc (b *Binding) checkPassiveIP() error {\n\tif b.ForcePassiveIP != \"\" {\n\t\tip, err := parsePassiveIP(b.ForcePassiveIP)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tb.ForcePassiveIP = ip\n\t}\n\tfor idx, passiveOverride := range b.PassiveIPOverrides {\n\t\tvar ip string\n\n\t\tif passiveOverride.IP != \"\" {\n\t\t\tvar err error\n\t\t\tip, err = parsePassiveIP(passiveOverride.IP)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\tif len(passiveOverride.Networks) == 0 {\n\t\t\treturn errors.New(\"passive IP networks override cannot be empty\")\n\t\t}\n\t\tcheckFuncs, err := util.ParseAllowedIPAndRanges(passiveOverride.Networks)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"invalid passive IP networks override %+v: %w\", passiveOverride.Networks, err)\n\t\t}\n\t\tb.PassiveIPOverrides[idx].IP = ip\n\t\tb.PassiveIPOverrides[idx].parsedNetworks = checkFuncs\n\t}\n\treturn nil\n}\n\nfunc (b *Binding) getPassiveIP(cc ftpserver.ClientContext) (string, error) {\n\tif b.ForcePassiveIP != \"\" {\n\t\treturn b.ForcePassiveIP, nil\n\t}\n\tif b.PassiveHost != \"\" {\n\t\tctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)\n\t\tdefer cancel()\n\n\t\taddrs, err := net.DefaultResolver.LookupIP(ctx, \"ip4\", b.PassiveHost)\n\t\tif err != nil {\n\t\t\tlogger.Error(logSender, \"\", \"unable to resolve hostname %q: %v\", b.PassiveHost, err)\n\t\t\treturn \"\", fmt.Errorf(\"unable to resolve hostname %q: %w\", b.PassiveHost, err)\n\t\t}\n\t\tif len(addrs) > 0 {\n\t\t\treturn addrs[0].String(), nil\n\t\t}\n\t}\n\treturn strings.Split(cc.LocalAddr().String(), \":\")[0], nil\n}\n\nfunc (b *Binding) passiveIPResolver(cc ftpserver.ClientContext) (string, error) {\n\tif len(b.PassiveIPOverrides) > 0 {\n\t\tclientIP := net.ParseIP(util.GetIPFromRemoteAddress(cc.RemoteAddr().String()))\n\t\tif clientIP != nil {\n\t\t\tfor _, override := range b.PassiveIPOverrides {\n\t\t\t\tfor _, fn := range override.parsedNetworks {\n\t\t\t\t\tif fn(clientIP) {\n\t\t\t\t\t\tif override.IP == \"\" {\n\t\t\t\t\t\t\treturn strings.Split(cc.LocalAddr().String(), \":\")[0], nil\n\t\t\t\t\t\t}\n\t\t\t\t\t\treturn override.IP, nil\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\treturn b.getPassiveIP(cc)\n}\n\n// HasProxy returns true if the proxy protocol is active for this binding\nfunc (b *Binding) HasProxy() bool {\n\treturn b.ApplyProxyConfig && common.Config.ProxyProtocol > 0\n}\n\n// GetTLSDescription returns the TLS mode as string\nfunc (b *Binding) GetTLSDescription() string {\n\tif certMgr == nil {\n\t\treturn util.I18nFTPTLSDisabled\n\t}\n\tswitch b.TLSMode {\n\tcase 1:\n\t\treturn util.I18nFTPTLSExplicit\n\tcase 2:\n\t\treturn util.I18nFTPTLSImplicit\n\t}\n\n\tif certMgr.HasCertificate(common.DefaultTLSKeyPaidID) || certMgr.HasCertificate(b.GetAddress()) {\n\t\treturn util.I18nFTPTLSMixed\n\t}\n\treturn util.I18nFTPTLSDisabled\n}\n\n// PortRange defines a port range\ntype PortRange struct {\n\t// Range start\n\tStart int `json:\"start\" mapstructure:\"start\"`\n\t// Range end\n\tEnd int `json:\"end\" mapstructure:\"end\"`\n}\n\n// ServiceStatus defines the service status\ntype ServiceStatus struct {\n\tIsActive bool `json:\"is_active\"`\n\tBindings []Binding `json:\"bindings\"`\n\tPassivePortRange PortRange `json:\"passive_port_range\"`\n}\n\n// Configuration defines the configuration for the ftp server\ntype Configuration struct {\n\t// Addresses and ports to bind to\n\tBindings []Binding `json:\"bindings\" mapstructure:\"bindings\"`\n\t// The contents of the specified file, if any, are diplayed when someone connects to the server.\n\tBannerFile string `json:\"banner_file\" mapstructure:\"banner_file\"`\n\t// If files containing a certificate and matching private key for the server are provided the server will accept\n\t// both plain FTP an explicit FTP over TLS.\n\t// Certificate and key files can be reloaded on demand sending a \"SIGHUP\" signal on Unix based systems and a\n\t// \"paramchange\" request to the running service on Windows.\n\tCertificateFile string `json:\"certificate_file\" mapstructure:\"certificate_file\"`\n\tCertificateKeyFile string `json:\"certificate_key_file\" mapstructure:\"certificate_key_file\"`\n\t// CACertificates defines the set of root certificate authorities to be used to verify client certificates.\n\tCACertificates []string `json:\"ca_certificates\" mapstructure:\"ca_certificates\"`\n\t// CARevocationLists defines a set a revocation lists, one for each root CA, to be used to check\n\t// if a client certificate has been revoked\n\tCARevocationLists []string `json:\"ca_revocation_lists\" mapstructure:\"ca_revocation_lists\"`\n\t// Do not impose the port 20 for active data transfer. Enabling this option allows to run SFTPGo with less privilege\n\tActiveTransfersPortNon20 bool `json:\"active_transfers_port_non_20\" mapstructure:\"active_transfers_port_non_20\"`\n\t// Set to true to disable active FTP\n\tDisableActiveMode bool `json:\"disable_active_mode\" mapstructure:\"disable_active_mode\"`\n\t// Set to true to enable the FTP SITE command.\n\t// We support chmod and symlink if SITE support is enabled\n\tEnableSite bool `json:\"enable_site\" mapstructure:\"enable_site\"`\n\t// Set to 1 to enable FTP commands that allow to calculate the hash value of files.\n\t// These FTP commands will be enabled: HASH, XCRC, MD5/XMD5, XSHA/XSHA1, XSHA256, XSHA512.\n\t// Please keep in mind that to calculate the hash we need to read the whole file, for\n\t// remote backends this means downloading the file, for the encrypted backend this means\n\t// decrypting the file\n\tHASHSupport int `json:\"hash_support\" mapstructure:\"hash_support\"`\n\t// Set to 1 to enable support for the non standard \"COMB\" FTP command.\n\t// Combine is only supported for local filesystem, for cloud backends it has\n\t// no advantage as it will download the partial files and will upload the\n\t// combined one. Cloud backends natively support multipart uploads.\n\tCombineSupport int `json:\"combine_support\" mapstructure:\"combine_support\"`\n\t// Port Range for data connections. Random if not specified\n\tPassivePortRange PortRange `json:\"passive_port_range\" mapstructure:\"passive_port_range\"`\n\tacmeDomain string\n}\n\n// ShouldBind returns true if there is at least a valid binding\nfunc (c *Configuration) ShouldBind() bool {\n\tfor _, binding := range c.Bindings {\n\t\tif binding.IsValid() {\n\t\t\treturn true\n\t\t}\n\t}\n\n\treturn false\n}\n\nfunc (c *Configuration) getKeyPairs(configDir string) []common.TLSKeyPair {\n\tvar keyPairs []common.TLSKeyPair\n\n\tfor _, binding := range c.Bindings {\n\t\tcertificateFile := getConfigPath(binding.CertificateFile, configDir)\n\t\tcertificateKeyFile := getConfigPath(binding.CertificateKeyFile, configDir)\n\t\tif certificateFile != \"\" && certificateKeyFile != \"\" {\n\t\t\tkeyPairs = append(keyPairs, common.TLSKeyPair{\n\t\t\t\tCert: certificateFile,\n\t\t\t\tKey: certificateKeyFile,\n\t\t\t\tID: binding.GetAddress(),\n\t\t\t})\n\t\t}\n\t}\n\tvar certificateFile, certificateKeyFile string\n\tif c.acmeDomain != \"\" {\n\t\tcertificateFile, certificateKeyFile = util.GetACMECertificateKeyPair(c.acmeDomain)\n\t} else {\n\t\tcertificateFile = getConfigPath(c.CertificateFile, configDir)\n\t\tcertificateKeyFile = getConfigPath(c.CertificateKeyFile, configDir)\n\t}\n\tif certificateFile != \"\" && certificateKeyFile != \"\" {\n\t\tkeyPairs = append(keyPairs, common.TLSKeyPair{\n\t\t\tCert: certificateFile,\n\t\t\tKey: certificateKeyFile,\n\t\t\tID: common.DefaultTLSKeyPaidID,\n\t\t})\n\t}\n\treturn keyPairs\n}\n\nfunc (c *Configuration) loadFromProvider() error {\n\tconfigs, err := dataprovider.GetConfigs()\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to load config from provider: %w\", err)\n\t}\n\tconfigs.SetNilsToEmpty()\n\tif configs.ACME.Domain == \"\" || !configs.ACME.HasProtocol(common.ProtocolFTP) {\n\t\treturn nil\n\t}\n\tcrt, key := util.GetACMECertificateKeyPair(configs.ACME.Domain)\n\tif crt != \"\" && key != \"\" {\n\t\tif _, err := os.Stat(crt); err != nil {\n\t\t\tlogger.Error(logSender, \"\", \"unable to load acme cert file %q: %v\", crt, err)\n\t\t\treturn nil\n\t\t}\n\t\tif _, err := os.Stat(key); err != nil {\n\t\t\tlogger.Error(logSender, \"\", \"unable to load acme key file %q: %v\", key, err)\n\t\t\treturn nil\n\t\t}\n\t\tc.acmeDomain = configs.ACME.Domain\n\t\tlogger.Info(logSender, \"\", \"acme domain set to %q\", c.acmeDomain)\n\t\treturn nil\n\t}\n\treturn nil\n}\n\n// Initialize configures and starts the FTP server\nfunc (c *Configuration) Initialize(configDir string) error {\n\tif err := c.loadFromProvider(); err != nil {\n\t\treturn err\n\t}\n\tlogger.Info(logSender, \"\", \"initializing FTP server with config %+v\", *c)\n\tif !c.ShouldBind() {\n\t\treturn common.ErrNoBinding\n\t}\n\n\tkeyPairs := c.getKeyPairs(configDir)\n\tif len(keyPairs) > 0 {\n\t\tmgr, err := common.NewCertManager(keyPairs, configDir, logSender)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tmgr.SetCACertificates(c.CACertificates)\n\t\tif err := mgr.LoadRootCAs(); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tmgr.SetCARevocationLists(c.CARevocationLists)\n\t\tif err := mgr.LoadCRLs(); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tcertMgr = mgr\n\t}\n\tserviceStatus = ServiceStatus{\n\t\tBindings: nil,\n\t\tPassivePortRange: c.PassivePortRange,\n\t}\n\n\texitChannel := make(chan error, 1)\n\n\tfor idx, binding := range c.Bindings {\n\t\tif !binding.IsValid() {\n\t\t\tcontinue\n\t\t}\n\n\t\tserver := NewServer(c, configDir, binding, idx)\n\n\t\tgo func(s *Server) {\n\t\t\tftpLogger := logger.NewSlogAdapter(\"ftpserverlib\", []slog.Attr{\n\t\t\t\t{\n\t\t\t\t\tKey: \"server_id\",\n\t\t\t\t\tValue: slog.StringValue(fmt.Sprintf(\"FTP_%d\", s.ID)),\n\t\t\t\t},\n\t\t\t})\n\t\t\tftpServer := ftpserver.NewFtpServer(s)\n\t\t\tftpServer.Logger = slog.New(ftpLogger)\n\t\t\tlogger.Info(logSender, \"\", \"starting FTP serving, binding: %v\", s.binding.GetAddress())\n\t\t\tutil.CheckTCP4Port(s.binding.Port)\n\t\t\texitChannel <- ftpServer.ListenAndServe()\n\t\t}(server)\n\n\t\tserviceStatus.Bindings = append(serviceStatus.Bindings, binding)\n\t}\n\n\tserviceStatus.IsActive = true\n\n\treturn <-exitChannel\n}\n\n// ReloadCertificateMgr reloads the certificate manager\nfunc ReloadCertificateMgr() error {\n\tif certMgr != nil {\n\t\treturn certMgr.Reload()\n\t}\n\treturn nil\n}\n\n// GetStatus returns the server status\nfunc GetStatus() ServiceStatus {\n\treturn serviceStatus\n}\n\nfunc parsePassiveIP(passiveIP string) (string, error) {\n\tip := net.ParseIP(passiveIP)\n\tif ip == nil {\n\t\treturn \"\", fmt.Errorf(\"the provided passive IP %q is not valid\", passiveIP)\n\t}\n\tip = ip.To4()\n\tif ip == nil {\n\t\treturn \"\", fmt.Errorf(\"the provided passive IP %q is not a valid IPv4 address\", passiveIP)\n\t}\n\treturn ip.String(), nil\n}\n\nfunc getConfigPath(name, configDir string) string {\n\tif !util.IsFileInputValid(name) {\n\t\treturn \"\"\n\t}\n\tif name != \"\" && !filepath.IsAbs(name) {\n\t\treturn filepath.Join(configDir, name)\n\t}\n\treturn name\n}\n" }, { "path": "internal/ftpd/ftpd_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage ftpd_test\n\nimport (\n\t\"crypto/rand\"\n\t\"crypto/sha256\"\n\t\"crypto/tls\"\n\t\"encoding/hex\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"io/fs\"\n\t\"net\"\n\t\"net/http\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"strconv\"\n\t\"testing\"\n\t\"time\"\n\n\tftpserver \"github.com/fclairamb/ftpserverlib\"\n\t\"github.com/jlaffaye/ftp\"\n\t\"github.com/pkg/sftp\"\n\t\"github.com/pquerna/otp\"\n\t\"github.com/pquerna/otp/totp\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/sftpgo/sdk\"\n\tsdkkms \"github.com/sftpgo/sdk/kms\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\t\"golang.org/x/crypto/ssh\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/config\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/ftpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpdtest\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/mfa\"\n\t\"github.com/drakkan/sftpgo/v2/internal/sftpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nconst (\n\tlogSender = \"ftpdTesting\"\n\tftpServerAddr = \"127.0.0.1:2121\"\n\tsftpServerAddr = \"127.0.0.1:2122\"\n\tftpSrvAddrTLS = \"127.0.0.1:2124\" // ftp server with implicit tls\n\tftpSrvAddrTLSResumption = \"127.0.0.1:2126\" // ftp server with implicit tls\n\tdefaultUsername = \"test_user_ftp\"\n\tdefaultPassword = \"test_password\"\n\tosWindows = \"windows\"\n\tftpsCert = `-----BEGIN CERTIFICATE-----\nMIICHTCCAaKgAwIBAgIUHnqw7QnB1Bj9oUsNpdb+ZkFPOxMwCgYIKoZIzj0EAwIw\nRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu\ndGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDAyMDQwOTUzMDRaFw0zMDAyMDEw\nOTUzMDRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYD\nVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwdjAQBgcqhkjOPQIBBgUrgQQA\nIgNiAARCjRMqJ85rzMC998X5z761nJ+xL3bkmGVqWvrJ51t5OxV0v25NsOgR82CA\nNXUgvhVYs7vNFN+jxtb2aj6Xg+/2G/BNxkaFspIVCzgWkxiz7XE4lgUwX44FCXZM\n3+JeUbKjUzBRMB0GA1UdDgQWBBRhLw+/o3+Z02MI/d4tmaMui9W16jAfBgNVHSME\nGDAWgBRhLw+/o3+Z02MI/d4tmaMui9W16jAPBgNVHRMBAf8EBTADAQH/MAoGCCqG\nSM49BAMCA2kAMGYCMQDqLt2lm8mE+tGgtjDmtFgdOcI72HSbRQ74D5rYTzgST1rY\n/8wTi5xl8TiFUyLMUsICMQC5ViVxdXbhuG7gX6yEqSkMKZICHpO8hqFwOD/uaFVI\ndV4vKmHUzwK/eIx+8Ay3neE=\n-----END CERTIFICATE-----`\n\tftpsKey = `-----BEGIN EC PARAMETERS-----\nBgUrgQQAIg==\n-----END EC PARAMETERS-----\n-----BEGIN EC PRIVATE KEY-----\nMIGkAgEBBDCfMNsN6miEE3rVyUPwElfiJSWaR5huPCzUenZOfJT04GAcQdWvEju3\nUM2lmBLIXpGgBwYFK4EEACKhZANiAARCjRMqJ85rzMC998X5z761nJ+xL3bkmGVq\nWvrJ51t5OxV0v25NsOgR82CANXUgvhVYs7vNFN+jxtb2aj6Xg+/2G/BNxkaFspIV\nCzgWkxiz7XE4lgUwX44FCXZM3+JeUbI=\n-----END EC PRIVATE KEY-----`\n\tcaCRT = `-----BEGIN CERTIFICATE-----\nMIIE5jCCAs6gAwIBAgIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhDZXJ0\nQXV0aDAeFw0yNDAxMTAxODEyMDRaFw0zNDAxMTAxODIxNTRaMBMxETAPBgNVBAMT\nCENlcnRBdXRoMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA7WHW216m\nfi4uF8cx6HWf8wvAxaEWgCHTOi2MwFIzOrOtuT7xb64rkpdzx1aWetSiCrEyc3D1\nv03k0Akvlz1gtnDtO64+MA8bqlTnCydZJY4cCTvDOBUYZgtMqHZzpE6xRrqQ84zh\nyzjKQ5bR0st+XGfIkuhjSuf2n/ZPS37fge9j6AKzn/2uEVt33qmO85WtN3RzbSqL\nCdOJ6cQ216j3la1C5+NWvzIKC7t6NE1bBGI4+tRj7B5P5MeamkkogwbExUjdHp3U\n4yasvoGcCHUQDoa4Dej1faywz6JlwB6rTV4ys4aZDe67V/Q8iB2May1k7zBz1Ztb\nKF5Em3xewP1LqPEowF1uc4KtPGcP4bxdaIpSpmObcn8AIfH6smLQrn0C3cs7CYfo\nNlFuTbwzENUhjz0X6EsoM4w4c87lO+dRNR7YpHLqR/BJTbbyXUB0imne1u00fuzb\nS7OtweiA9w7DRCkr2gU4lmHe7l0T+SA9pxIeVLb78x7ivdyXSF5LVQJ1JvhhWu6i\nM6GQdLHat/0fpRFUbEe34RQSDJ2eOBifMJqvsvpBP8d2jcRZVUVrSXGc2mAGuGOY\n/tmnCJGW8Fd+sgpCVAqM0pxCM+apqrvJYUqqQZ2ZxugCXULtRWJ9p4C9zUl40HEy\nOQ+AaiiwFll/doXELglcJdNg8AZPGhugfxMCAwEAAaNFMEMwDgYDVR0PAQH/BAQD\nAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFNoJhIvDZQrEf/VQbWuu\nXgNnt2m5MA0GCSqGSIb3DQEBCwUAA4ICAQCYhT5SRqk19hGrQ09hVSZOzynXAa5F\nsYkEWJzFyLg9azhnTPE1bFM18FScnkd+dal6mt+bQiJvdh24NaVkDghVB7GkmXki\npAiZwEDHMqtbhiPxY8LtSeCBAz5JqXVU2Q0TpAgNSH4W7FbGWNThhxcJVOoIrXKE\njbzhwl1Etcaf0DBKWliUbdlxQQs65DLy+rNBYtOeK0pzhzn1vpehUlJ4eTFzP9KX\ny2Mksuq9AspPbqnqpWW645MdTxMb5T57MCrY3GDKw63z5z3kz88LWJF3nOxZmgQy\nWFUhbLmZm7x6N5eiu6Wk8/B4yJ/n5UArD4cEP1i7nqu+mbbM/SZlq1wnGpg/sbRV\noUF+a7pRcSbfxEttle4pLFhS+ErKatjGcNEab2OlU3bX5UoBs+TYodnCWGKOuBKV\nL/CYc65QyeYZ+JiwYn9wC8YkzOnnVIQjiCEkLgSL30h9dxpnTZDLrdAA8ItelDn5\nDvjuQq58CGDsaVqpSobiSC1DMXYWot4Ets1wwovUNEq1l0MERB+2olE+JU/8E23E\neL1/aA7Kw/JibkWz1IyzClpFDKXf6kR2onJyxerdwUL+is7tqYFLysiHxZDL1bli\nSXbW8hMa5gvo0IilFP9Rznn8PplIfCsvBDVv6xsRr5nTAFtwKaMBVgznE2ghs69w\nkK8u1YiiVenmoQ==\n-----END CERTIFICATE-----`\n\tcaCRL = `-----BEGIN X509 CRL-----\nMIICpzCBkAIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhDZXJ0QXV0aBcN\nMjQwMTEwMTgyMjU4WhcNMjYwMTA5MTgyMjU4WjAkMCICEQDOaeHbjY4pEj8WBmqg\nZuRRFw0yNDAxMTAxODIyNThaoCMwITAfBgNVHSMEGDAWgBTaCYSLw2UKxH/1UG1r\nrl4DZ7dpuTANBgkqhkiG9w0BAQsFAAOCAgEAZzZ4aBqCcAJigR9e/mqKpJa4B6FV\n+jZmnWXolGeUuVkjdiG9w614x7mB2S768iioJyALejjCZjqsp6ydxtn0epQw4199\nXSfPIxA9lxc7w79GLe0v3ztojvxDPh5V1+lwPzGf9i8AsGqb2BrcBqgxDeatndnE\njF+18bY1saXOBpukNLjtRScUXzy5YcSuO6mwz4548v+1ebpF7W4Yh+yh0zldJKcF\nDouuirZWujJwTwxxfJ+2+yP7GAuefXUOhYs/1y9ylvUgvKFqSyokv6OaVgTooKYD\nMSADzmNcbRvwyAC5oL2yJTVVoTFeP6fXl/BdFH3sO/hlKXGy4Wh1AjcVE6T0CSJ4\niYFX3gLFh6dbP9IQWMlIM5DKtAKSjmgOywEaWii3e4M0NFSf/Cy17p2E5/jXSLlE\nypDileK0aALkx2twGWwogh6sY1dQ6R3GpKSRPD2muQxVOG6wXvuJce0E9WLx1Ud4\nhVUdUEMlKUvm77/15U5awarH2cCJQxzS/GMeIintQiG7hUlgRzRdmWVe3vOOvt94\ncp8+ZUH/QSDOo41ATTHpFeC/XqF5E2G/ahXqra+O5my52V/FP0bSJnkorJ8apy67\nsn6DFbkqX9khTXGtacczh2PcqVjcQjBniYl2sPO3qIrrrY3tic96tMnM/u3JRdcn\nw7bXJGfJcIMrrKs=\n-----END X509 CRL-----`\n\tclient1Crt = `-----BEGIN CERTIFICATE-----\nMIIEITCCAgmgAwIBAgIRAJr32nHRlhyPiS7IfZ/ZWYowDQYJKoZIhvcNAQELBQAw\nEzERMA8GA1UEAxMIQ2VydEF1dGgwHhcNMjQwMTEwMTgxMjM3WhcNMzQwMTEwMTgy\nMTUzWjASMRAwDgYDVQQDEwdjbGllbnQxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\nMIIBCgKCAQEAtuQFiqvdjd8WLxP0FgPDyDEJ1/uJ+Aoj6QllNV7svWxwW+kiJ3X6\nHUVNWhhCsNfly4pGW4erF4fZzmesElGx1PoWgQCWZKsa/N08bznelWgdmkyi85xE\nOkTj6e/cTWHFSOBURNJaXkGHZ0ROSh7qu0Ld+eqNo3k9W+NqZaqYvs2K7MLWeYl7\nQie8Ctuq5Qaz/jm0XwR2PFBROVQSaCPCukancPQ21ftqHPhAbjxoxvvN5QP4ZdRf\nXlH/LDLhlFnJzPZdHnVy9xisSPPRfFApJiwyfjRYdtslpJOcNgP6oPlpX/dybbhO\nc9FEUgj/Q90Je8EfioBYFYsqVD6/dFv9SwIDAQABo3EwbzAOBgNVHQ8BAf8EBAMC\nA7gwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBRUh5Xo\nGzjh6iReaPSOgGatqOw9bDAfBgNVHSMEGDAWgBTaCYSLw2UKxH/1UG1rrl4DZ7dp\nuTANBgkqhkiG9w0BAQsFAAOCAgEAyAK7cOTWqjyLgFM0kyyx1fNPvm2GwKep3MuU\nOrSnLuWjoxzb7WcbKNVMlnvnmSUAWuErxsY0PUJNfcuqWiGmEp4d/SWfWPigG6DC\nsDej35BlSfX8FCufYrfC74VNk4yBS2LVYmIqcpqUrfay0I2oZA8+ToLEpdUvEv2I\nl59eOhJO2jsC3JbOyZZmK2Kv7d94fR+1tg2Rq1Wbnmc9AZKq7KDReAlIJh4u2KHb\nBbtF79idusMwZyP777tqSQ4THBMa+VAEc2UrzdZqTIAwqlKQOvO2fRz2P+ARR+Tz\nMYJMdCdmPZ9qAc8U1OcFBG6qDDltO8wf/Nu/PsSI5LGCIhIuPPIuKfm0rRfTqCG7\nQPQPWjRoXtGGhwjdIuWbX9fIB+c+NpAEKHgLtV+Rxj8s5IVxqG9a5TtU9VkfVXJz\nJ20naoz/G+vDsVINpd3kH0ziNvdrKfGRM5UgtnUOPCXB22fVmkIsMH2knI10CKK+\noffI56NTkLRu00xvg98/wdukhkwIAxg6PQI/BHY5mdvoacEHHHdOhMq+GSAh7DDX\nG8+HdbABM1ExkPnZLat15q706ztiuUpQv1C2DI8YviUVkMqCslj4cD4F8EFPo4kr\nkvme0Cuc9Qlf7N5rjdV3cjwavhFx44dyXj9aesft2Q1okPiIqbGNpcjHcIRlj4Au\nMU3Bo0A=\n-----END CERTIFICATE-----`\n\tclient1Key = `-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAtuQFiqvdjd8WLxP0FgPDyDEJ1/uJ+Aoj6QllNV7svWxwW+ki\nJ3X6HUVNWhhCsNfly4pGW4erF4fZzmesElGx1PoWgQCWZKsa/N08bznelWgdmkyi\n85xEOkTj6e/cTWHFSOBURNJaXkGHZ0ROSh7qu0Ld+eqNo3k9W+NqZaqYvs2K7MLW\neYl7Qie8Ctuq5Qaz/jm0XwR2PFBROVQSaCPCukancPQ21ftqHPhAbjxoxvvN5QP4\nZdRfXlH/LDLhlFnJzPZdHnVy9xisSPPRfFApJiwyfjRYdtslpJOcNgP6oPlpX/dy\nbbhOc9FEUgj/Q90Je8EfioBYFYsqVD6/dFv9SwIDAQABAoIBAFjSHK7gENVZxphO\nhHg8k9ShnDo8eyDvK8l9Op3U3/yOsXKxolivvyx//7UFmz3vXDahjNHe7YScAXdw\neezbqBXa7xrvghqZzp2HhFYwMJ0210mcdncBKVFzK4ztZHxgQ0PFTqet0R19jZjl\nX3A325/eNZeuBeOied4qb/24AD6JGc6A0J55f5/QUQtdwYwrL15iC/KZXDL90PPJ\nCFJyrSzcXvOMEvOfXIFxhDVKRCppyIYXG7c80gtNC37I6rxxMNQ4mxjwUI2IVhxL\nj+nZDu0JgRZ4NaGjOq2e79QxUVm/GG3z25XgmBFBrXkEVV+sCZE1VDyj6kQfv9FU\nNhOrwGECgYEAzq47r/HwXifuGYBV/mvInFw3BNLrKry+iUZrJ4ms4g+LfOi0BAgf\nsXsWXulpBo2YgYjFdO8G66f69GlB4B7iLscpABXbRtpDZEnchQpaF36/+4g3i8gB\nZ29XHNDB8+7t4wbXvlSnLv1tZWey2fS4hPosc2YlvS87DMmnJMJqhs8CgYEA4oiB\nLGQP6VNdX0Uigmh5fL1g1k95eC8GP1ylczCcIwsb2OkAq0MT7SHRXOlg3leEq4+g\nmCHk1NdjkSYxDL2ZeTKTS/gy4p1jlcDa6Ilwi4pVvatNvu4o80EYWxRNNb1mAn67\nT8TN9lzc6mEi+LepQM3nYJ3F+ZWTKgxH8uoJwMUCgYEArpumE1vbjUBAuEyi2eGn\nRunlFW83fBCfDAxw5KM8anNlja5uvuU6GU/6s06QCxg+2lh5MPPrLdXpfukZ3UVa\nItjg+5B7gx1MSALaiY8YU7cibFdFThM3lHIM72wyH2ogkWcrh0GvSFSUQlJcWCSW\nasmMGiYXBgBL697FFZomMyMCgYEAkAnp0JcDQwHd4gDsk2zoqnckBsDb5J5J46n+\nDYNAFEww9bgZ08u/9MzG+cPu8xFE621U2MbcYLVfuuBE2ewIlPaij/COMmeO9Z59\n0tPpOuDH6eTtd1SptxqR6P+8pEn8feOlKHBj4Z1kXqdK/EiTlwAVeep4Al2oCFls\nujkz4F0CgYAe8vHnVFHlWi16zAqZx4ZZZhNuqPtgFkvPg9LfyNTA4dz7F9xgtUaY\nnXBPyCe/8NtgBfT79HkPiG3TM0xRZY9UZgsJKFtqAu5u4ManuWDnsZI9RK2QTLHe\nyEbH5r3Dg3n9k/3GbjXFIWdU9UaYsdnSKHHtMw9ZODc14LaAogEQug==\n-----END RSA PRIVATE KEY-----`\n\t// client 2 crt is revoked\n\tclient2Crt = `-----BEGIN CERTIFICATE-----\nMIIEITCCAgmgAwIBAgIRAM5p4duNjikSPxYGaqBm5FEwDQYJKoZIhvcNAQELBQAw\nEzERMA8GA1UEAxMIQ2VydEF1dGgwHhcNMjQwMTEwMTgxMjUyWhcNMzQwMTEwMTgy\nMTUzWjASMRAwDgYDVQQDEwdjbGllbnQyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\nMIIBCgKCAQEApNYpNZVmXZtAObpRRIuP2o/7z04H2E161vKZvJ3LSLlUTImVjm/b\nQe6DTNCUVLnzQuanmUlu2rUnN3lDSfYoBcJWbvC3y1OCPRkCjDV6KiYMA9TPkZua\neq6y3+bFFfEmyumsVEe0bSuzNHXCOIBT7PqYMdovECcwBh/RZCA5mqO5omEKh4LQ\ncr6+sVVkvD3nsyx0Alz/kTLFqc0mVflmpJq+0BpdetHRg4n5vy/I/08jZ81PQAmT\nA0kyl0Jh132JBGFdA8eyugPPP8n5edU4f3HXV/nR7XLwBrpSt8KgEg8cwfAu4Ic0\n6tGzB0CH8lSGtU0tH2/cOlDuguDD7VvokQIDAQABo3EwbzAOBgNVHQ8BAf8EBAMC\nA7gwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBR5mf0f\nZjf8ZCGXqU2+45th7VkkLDAfBgNVHSMEGDAWgBTaCYSLw2UKxH/1UG1rrl4DZ7dp\nuTANBgkqhkiG9w0BAQsFAAOCAgEARhFxNAouwbpEfN1M90+ao5rwyxEewerSoCCz\nPQzeUZ66MA/FkS/tFUGgGGG+wERN+WLbe1cN6q/XFr0FSMLuUxLXDNV02oUL/FnY\nxcyNLaZUZ0pP7sA+Hmx2AdTA6baIwQbyIY9RLAaz6hzo1YbI8yeis645F1bxgL2D\nEP5kXa3Obv0tqWByMZtrmJPv3p0W5GJKXVDn51GR/E5KI7pliZX2e0LmMX9mxfPB\n4sXFUggMHXxWMMSAmXPVsxC2KX6gMnajO7JUraTwuGm+6V371FzEX+UKXHI+xSvO\n78TseTIYsBGLjeiA8UjkKlD3T9qsQm2mb2PlKyqjvIm4i2ilM0E2w4JZmd45b925\n7q/QLV3NZ/zZMi6AMyULu28DWKfAx3RLKwnHWSFcR4lVkxQrbDhEUMhAhLAX+2+e\nqc7qZm3dTabi7ZJiiOvYK/yNgFHa/XtZp5uKPB5tigPIa+34hbZF7s2/ty5X3O1N\nf5Ardz7KNsxJjZIt6HvB28E/PPOvBqCKJc1Y08J9JbZi8p6QS1uarGoR7l7rT1Hv\n/ZXkNTw2bw1VpcWdzDBLLVHYNnJmS14189LVk11PcJJpSmubwCqg+ZZULdgtVr3S\nANas2dgMPVwXhnAalgkcc+lb2QqaEz06axfbRGBsgnyqR5/koKCg1Hr0+vThHSsR\nE0+r2+4=\n-----END CERTIFICATE-----`\n\tclient2Key = `-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEApNYpNZVmXZtAObpRRIuP2o/7z04H2E161vKZvJ3LSLlUTImV\njm/bQe6DTNCUVLnzQuanmUlu2rUnN3lDSfYoBcJWbvC3y1OCPRkCjDV6KiYMA9TP\nkZuaeq6y3+bFFfEmyumsVEe0bSuzNHXCOIBT7PqYMdovECcwBh/RZCA5mqO5omEK\nh4LQcr6+sVVkvD3nsyx0Alz/kTLFqc0mVflmpJq+0BpdetHRg4n5vy/I/08jZ81P\nQAmTA0kyl0Jh132JBGFdA8eyugPPP8n5edU4f3HXV/nR7XLwBrpSt8KgEg8cwfAu\n4Ic06tGzB0CH8lSGtU0tH2/cOlDuguDD7VvokQIDAQABAoIBAQCMnEeg9uXQmdvq\nop4qi6bV+ZcDWvvkLwvHikFMnYpIaheYBpF2ZMKzdmO4xgCSWeFCQ4Hah8KxfHCM\nqLuWvw2bBBE5J8yQ/JaPyeLbec7RX41GQ2YhPoxDdP0PdErREdpWo4imiFhH/Ewt\nRvq7ufRdpdLoS8dzzwnvX3r+H2MkHoC/QANW2AOuVoZK5qyCH5N8yEAAbWKaQaeL\nVBhAYEVKbAkWEtXw7bYXzxRR7WIM3f45v3ncRusDIG+Hf75ZjatoH0lF1gHQNofO\nqkCVZVzjkLFuzDic2KZqsNORglNs4J6t5Dahb9v3hnoK963YMnVSUjFvqQ+/RZZy\nVILFShilAoGBANucwZU61eJ0tLKBYEwmRY/K7Gu1MvvcYJIOoX8/BL3zNmNO0CLl\nNiABtNt9WOVwZxDsxJXdo1zvMtAegNqS6W11R1VAZbL6mQ/krScbLDE6JKA5DmA7\n4nNi1gJOW1ziAfdBAfhe4cLbQOb94xkOK5xM1YpO0xgDJLwrZbehDMmPAoGBAMAl\n/owPDAvcXz7JFynT0ieYVc64MSFiwGYJcsmxSAnbEgQ+TR5FtkHYe91OSqauZcCd\naoKXQNyrYKIhyounRPFTdYQrlx6KtEs7LU9wOxuphhpJtGjRnhmA7IqvX703wNvu\nkhrEavn86G5boH8R80371SrN0Rh9UeAlQGuNBdvfAoGAEAmokW9Ug08miwqrr6Pz\n3IZjMZJwALidTM1IufQuMnj6ddIhnQrEIx48yPKkdUz6GeBQkuk2rujA+zXfDxc/\neMDhzrX/N0zZtLFse7ieR5IJbrH7/MciyG5lVpHGVkgjAJ18uVikgAhm+vd7iC7i\nvG1YAtuyysQgAKXircBTIL0CgYAHeTLWVbt9NpwJwB6DhPaWjalAug9HIiUjktiB\nGcEYiQnBWn77X3DATOA8clAa/Yt9m2HKJIHkU1IV3ESZe+8Fh955PozJJlHu3yVb\nAp157PUHTriSnxyMF2Sb3EhX/rQkmbnbCqqygHC14iBy8MrKzLG00X6BelZV5n0D\n8d85dwKBgGWY2nsaemPH/TiTVF6kW1IKSQoIyJChkngc+Xj/2aCCkkmAEn8eqncl\nRKjnkiEZeG4+G91Xu7+HmcBLwV86k5I+tXK9O1Okomr6Zry8oqVcxU5TB6VRS+rA\nubwF00Drdvk2+kDZfxIM137nBiy7wgCJi2Ksm5ihN3dUF6Q0oNPl\n-----END RSA PRIVATE KEY-----`\n\ttestFileName = \"test_file_ftp.dat\"\n\ttestDLFileName = \"test_download_ftp.dat\"\n\ttlsClient1Username = \"client1\"\n\ttlsClient2Username = \"client2\"\n\thttpFsPort = 23456\n\tdefaultHTTPFsUsername = \"httpfs_ftp_user\"\n\temptyPwdPlaceholder = \"empty\"\n)\n\nvar (\n\tconfigDir = filepath.Join(\".\", \"..\", \"..\")\n\tallPerms = []string{dataprovider.PermAny}\n\thomeBasePath string\n\thookCmdPath string\n\textAuthPath string\n\tpreLoginPath string\n\tpostConnectPath string\n\tpreDownloadPath string\n\tpreUploadPath string\n\tlogFilePath string\n\tcaCrtPath string\n\tcaCRLPath string\n)\n\nfunc TestMain(m *testing.M) { //nolint:gocyclo\n\tlogFilePath = filepath.Join(configDir, \"sftpgo_ftpd_test.log\")\n\tbannerFileName := \"banner_file\"\n\tbannerFile := filepath.Join(configDir, bannerFileName)\n\tlogger.InitLogger(logFilePath, 5, 1, 28, false, false, zerolog.DebugLevel)\n\terr := os.WriteFile(bannerFile, []byte(\"SFTPGo test ready\\nsimple banner line\\n\"), os.ModePerm)\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error creating banner file: %v\", err)\n\t\tos.Exit(1)\n\t}\n\t// we run the test cases with UploadMode atomic and resume support. The non atomic code path\n\t// simply does not execute some code so if it works in atomic mode will\n\t// work in non atomic mode too\n\tos.Setenv(\"SFTPGO_COMMON__UPLOAD_MODE\", \"2\")\n\tos.Setenv(\"SFTPGO_DATA_PROVIDER__CREATE_DEFAULT_ADMIN\", \"1\")\n\tos.Setenv(\"SFTPGO_COMMON__ALLOW_SELF_CONNECTIONS\", \"1\")\n\tos.Setenv(\"SFTPGO_DEFAULT_ADMIN_USERNAME\", \"admin\")\n\tos.Setenv(\"SFTPGO_DEFAULT_ADMIN_PASSWORD\", \"password\")\n\terr = config.LoadConfig(configDir, \"\")\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error loading configuration: %v\", err)\n\t\tos.Exit(1)\n\t}\n\tproviderConf := config.GetProviderConf()\n\tlogger.InfoToConsole(\"Starting FTPD tests, provider: %v\", providerConf.Driver)\n\n\tcommonConf := config.GetCommonConfig()\n\thomeBasePath = os.TempDir()\n\tif runtime.GOOS != osWindows {\n\t\tcommonConf.Actions.ExecuteOn = []string{\"download\", \"upload\", \"rename\", \"delete\"}\n\t\tcommonConf.Actions.Hook = hookCmdPath\n\t\thookCmdPath, err = exec.LookPath(\"true\")\n\t\tif err != nil {\n\t\t\tlogger.Warn(logSender, \"\", \"unable to get hook command: %v\", err)\n\t\t\tlogger.WarnToConsole(\"unable to get hook command: %v\", err)\n\t\t}\n\t}\n\n\tcertPath := filepath.Join(os.TempDir(), \"test_ftpd.crt\")\n\tkeyPath := filepath.Join(os.TempDir(), \"test_ftpd.key\")\n\tcaCrtPath = filepath.Join(os.TempDir(), \"test_ftpd_ca.crt\")\n\tcaCRLPath = filepath.Join(os.TempDir(), \"test_ftpd_crl.crt\")\n\terr = writeCerts(certPath, keyPath, caCrtPath, caCRLPath)\n\tif err != nil {\n\t\tos.Exit(1)\n\t}\n\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error initializing data provider: %v\", err)\n\t\tos.Exit(1)\n\t}\n\terr = common.Initialize(commonConf, 0)\n\tif err != nil {\n\t\tlogger.WarnToConsole(\"error initializing common: %v\", err)\n\t\tos.Exit(1)\n\t}\n\n\thttpConfig := config.GetHTTPConfig()\n\thttpConfig.Initialize(configDir) //nolint:errcheck\n\n\tkmsConfig := config.GetKMSConfig()\n\terr = kmsConfig.Initialize()\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error initializing kms: %v\", err)\n\t\tos.Exit(1)\n\t}\n\tmfaConfig := config.GetMFAConfig()\n\terr = mfaConfig.Initialize()\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error initializing MFA: %v\", err)\n\t\tos.Exit(1)\n\t}\n\n\thttpdConf := config.GetHTTPDConfig()\n\thttpdConf.Bindings[0].Port = 8079\n\thttpdtest.SetBaseURL(\"http://127.0.0.1:8079\")\n\n\tftpdConf := config.GetFTPDConfig()\n\tftpdConf.Bindings = []ftpd.Binding{\n\t\t{\n\t\t\tPort: 2121,\n\t\t\tClientAuthType: 2,\n\t\t\tCertificateFile: certPath,\n\t\t\tCertificateKeyFile: keyPath,\n\t\t},\n\t}\n\tftpdConf.PassivePortRange.Start = 0\n\tftpdConf.PassivePortRange.End = 0\n\tftpdConf.BannerFile = bannerFileName\n\tftpdConf.CACertificates = []string{caCrtPath}\n\tftpdConf.CARevocationLists = []string{caCRLPath}\n\tftpdConf.EnableSite = true\n\n\t// required to test sftpfs\n\tsftpdConf := config.GetSFTPDConfig()\n\tsftpdConf.Bindings = []sftpd.Binding{\n\t\t{\n\t\t\tPort: 2122,\n\t\t},\n\t}\n\thostKeyPath := filepath.Join(os.TempDir(), \"id_ed25519\")\n\tsftpdConf.HostKeys = []string{hostKeyPath}\n\n\textAuthPath = filepath.Join(homeBasePath, \"extauth.sh\")\n\tpreLoginPath = filepath.Join(homeBasePath, \"prelogin.sh\")\n\tpostConnectPath = filepath.Join(homeBasePath, \"postconnect.sh\")\n\tpreDownloadPath = filepath.Join(homeBasePath, \"predownload.sh\")\n\tpreUploadPath = filepath.Join(homeBasePath, \"preupload.sh\")\n\n\tstatus := ftpd.GetStatus()\n\tif status.IsActive {\n\t\tlogger.ErrorToConsole(\"ftpd is already active\")\n\t\tos.Exit(1)\n\t}\n\n\tgo func() {\n\t\tlogger.Debug(logSender, \"\", \"initializing FTP server with config %+v\", ftpdConf)\n\t\tif err := ftpdConf.Initialize(configDir); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start FTP server: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}()\n\n\tgo func() {\n\t\tlogger.Debug(logSender, \"\", \"initializing SFTP server with config %+v\", sftpdConf)\n\t\tif err := sftpdConf.Initialize(configDir); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start SFTP server: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}()\n\n\tgo func() {\n\t\tif err := httpdConf.Initialize(configDir, 0); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start HTTP server: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}()\n\n\twaitTCPListening(ftpdConf.Bindings[0].GetAddress())\n\twaitTCPListening(httpdConf.Bindings[0].GetAddress())\n\twaitTCPListening(sftpdConf.Bindings[0].GetAddress())\n\tftpd.ReloadCertificateMgr() //nolint:errcheck\n\n\tftpdConf = config.GetFTPDConfig()\n\tftpdConf.Bindings = []ftpd.Binding{\n\t\t{\n\t\t\tPort: 2124,\n\t\t\tTLSMode: 2,\n\t\t},\n\t}\n\tftpdConf.CertificateFile = certPath\n\tftpdConf.CertificateKeyFile = keyPath\n\tftpdConf.CACertificates = []string{caCrtPath}\n\tftpdConf.CARevocationLists = []string{caCRLPath}\n\tftpdConf.EnableSite = false\n\tftpdConf.DisableActiveMode = true\n\tftpdConf.CombineSupport = 1\n\tftpdConf.HASHSupport = 1\n\n\tgo func() {\n\t\tlogger.Debug(logSender, \"\", \"initializing FTP server with config %+v\", ftpdConf)\n\t\tif err := ftpdConf.Initialize(configDir); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start FTP server: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}()\n\n\twaitTCPListening(ftpdConf.Bindings[0].GetAddress())\n\n\tftpdConf = config.GetFTPDConfig()\n\tftpdConf.Bindings = []ftpd.Binding{\n\t\t{\n\t\t\tPort: 2126,\n\t\t\tCertificateFile: certPath,\n\t\t\tCertificateKeyFile: keyPath,\n\t\t\tTLSMode: 1,\n\t\t\tClientAuthType: 2,\n\t\t},\n\t}\n\tftpdConf.CACertificates = []string{caCrtPath}\n\tftpdConf.CARevocationLists = []string{caCRLPath}\n\n\tgo func() {\n\t\tlogger.Debug(logSender, \"\", \"initializing FTP server with config %+v\", ftpdConf)\n\t\tif err := ftpdConf.Initialize(configDir); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start FTP server: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}()\n\n\twaitTCPListening(ftpdConf.Bindings[0].GetAddress())\n\n\twaitNoConnections()\n\tstartHTTPFs()\n\n\texitCode := m.Run()\n\tos.Remove(logFilePath)\n\tos.Remove(bannerFile)\n\tos.Remove(extAuthPath)\n\tos.Remove(preLoginPath)\n\tos.Remove(postConnectPath)\n\tos.Remove(preDownloadPath)\n\tos.Remove(preUploadPath)\n\tos.Remove(certPath)\n\tos.Remove(keyPath)\n\tos.Remove(caCrtPath)\n\tos.Remove(caCRLPath)\n\tos.Remove(hostKeyPath)\n\tos.Remove(hostKeyPath + \".pub\")\n\tos.Exit(exitCode)\n}\n\nfunc TestInitializationFailure(t *testing.T) {\n\tftpdConf := config.GetFTPDConfig()\n\tftpdConf.Bindings = []ftpd.Binding{}\n\tftpdConf.CertificateFile = filepath.Join(os.TempDir(), \"test_ftpd.crt\")\n\tftpdConf.CertificateKeyFile = filepath.Join(os.TempDir(), \"test_ftpd.key\")\n\terr := ftpdConf.Initialize(configDir)\n\trequire.EqualError(t, err, common.ErrNoBinding.Error())\n\tftpdConf.Bindings = []ftpd.Binding{\n\t\t{\n\t\t\tPort: 0,\n\t\t},\n\t\t{\n\t\t\tPort: 2121,\n\t\t},\n\t}\n\tftpdConf.BannerFile = \"a-missing-file\"\n\terr = ftpdConf.Initialize(configDir)\n\trequire.Error(t, err)\n\n\tftpdConf.BannerFile = \"\"\n\tftpdConf.Bindings[1].TLSMode = 10\n\terr = ftpdConf.Initialize(configDir)\n\trequire.Error(t, err)\n\n\tftpdConf.CertificateFile = \"\"\n\tftpdConf.CertificateKeyFile = \"\"\n\tftpdConf.Bindings[1].TLSMode = 1\n\terr = ftpdConf.Initialize(configDir)\n\trequire.Error(t, err)\n\n\tcertPath := filepath.Join(os.TempDir(), \"test_ftpd.crt\")\n\tkeyPath := filepath.Join(os.TempDir(), \"test_ftpd.key\")\n\tftpdConf.CertificateFile = certPath\n\tftpdConf.CertificateKeyFile = keyPath\n\tftpdConf.CACertificates = []string{\"invalid ca cert\"}\n\terr = ftpdConf.Initialize(configDir)\n\trequire.Error(t, err)\n\n\tftpdConf.CACertificates = nil\n\tftpdConf.CARevocationLists = []string{\"\"}\n\terr = ftpdConf.Initialize(configDir)\n\trequire.Error(t, err)\n\n\tftpdConf.CACertificates = []string{caCrtPath}\n\tftpdConf.CARevocationLists = []string{caCRLPath}\n\tftpdConf.Bindings[1].ForcePassiveIP = \"127001\"\n\terr = ftpdConf.Initialize(configDir)\n\trequire.Error(t, err)\n\trequire.Contains(t, err.Error(), \"the provided passive IP \\\"127001\\\" is not valid\")\n\tftpdConf.Bindings[1].ForcePassiveIP = \"\"\n\terr = ftpdConf.Initialize(configDir)\n\trequire.Error(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = ftpdConf.Initialize(configDir)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unable to load config from provider\")\n\t}\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n}\n\nfunc TestBasicFTPHandling(t *testing.T) {\n\tu := getTestUser()\n\tu.QuotaSize = 6553600\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser()\n\tu.QuotaSize = 6553600\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\tclient, err := getFTPClient(user, true, nil)\n\t\tif assert.NoError(t, err) {\n\t\t\tif user.Username == defaultUsername {\n\t\t\t\tassert.Len(t, common.Connections.GetStats(\"\"), 1)\n\t\t\t} else {\n\t\t\t\tassert.Len(t, common.Connections.GetStats(\"\"), 2)\n\t\t\t}\n\t\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\t\ttestFileSize := int64(65535)\n\t\t\texpectedQuotaSize := testFileSize\n\t\t\texpectedQuotaFiles := 1\n\t\t\terr = createTestFile(testFilePath, testFileSize)\n\t\t\tassert.NoError(t, err)\n\n\t\t\terr = checkBasicFTP(client)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = ftpUploadFile(testFilePath, path.Join(\"/missing_dir\", testFileName), testFileSize, client, 0)\n\t\t\tassert.Error(t, err)\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, int64(0), user.FirstUpload)\n\t\t\tassert.Equal(t, int64(0), user.FirstDownload)\n\t\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\t\tassert.NoError(t, err)\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Greater(t, user.FirstUpload, int64(0))\n\t\t\tassert.Equal(t, int64(0), user.FirstDownload)\n\t\t\t// overwrite an existing file\n\t\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\t\tassert.NoError(t, err)\n\t\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\t\terr = ftpDownloadFile(testFileName, localDownloadPath, testFileSize, client, 0)\n\t\t\tassert.NoError(t, err)\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\t\tassert.Greater(t, user.FirstUpload, int64(0))\n\t\t\tassert.Greater(t, user.FirstDownload, int64(0))\n\t\t\terr = client.Rename(testFileName, testFileName+\"1\")\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.Delete(testFileName)\n\t\t\tassert.Error(t, err)\n\t\t\terr = client.Delete(testFileName + \"1\")\n\t\t\tassert.NoError(t, err)\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, expectedQuotaFiles-1, user.UsedQuotaFiles)\n\t\t\tassert.Equal(t, expectedQuotaSize-testFileSize, user.UsedQuotaSize)\n\t\t\tcurDir, err := client.CurrentDir()\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\tassert.Equal(t, \"/\", curDir)\n\t\t\t}\n\t\t\ttestDir := \"testDir\"\n\t\t\terr = client.MakeDir(testDir)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.ChangeDir(testDir)\n\t\t\tassert.NoError(t, err)\n\t\t\tcurDir, err = client.CurrentDir()\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\tassert.Equal(t, path.Join(\"/\", testDir), curDir)\n\t\t\t}\n\t\t\tres, err := client.List(path.Join(\"/\", testDir))\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Len(t, res, 0)\n\t\t\tres, err = client.List(path.Join(\"/\"))\n\t\t\tassert.NoError(t, err)\n\t\t\tif assert.Len(t, res, 1) {\n\t\t\t\tassert.Equal(t, testDir, res[0].Name)\n\t\t\t}\n\t\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\t\tassert.NoError(t, err)\n\t\t\t_, err = client.FileSize(path.Join(\"/\", testDir))\n\t\t\tassert.Error(t, err)\n\t\t\tsize, err := client.FileSize(path.Join(\"/\", testDir, testFileName))\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, testFileSize, size)\n\t\t\terr = client.ChangeDirToParent()\n\t\t\tassert.NoError(t, err)\n\t\t\tcurDir, err = client.CurrentDir()\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\tassert.Equal(t, \"/\", curDir)\n\t\t\t}\n\t\t\terr = client.Delete(path.Join(\"/\", testDir, testFileName))\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.Delete(testDir)\n\t\t\tassert.Error(t, err)\n\t\t\terr = client.RemoveDir(testDir)\n\t\t\tassert.NoError(t, err)\n\n\t\t\terr = os.Remove(testFilePath)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = os.Remove(localDownloadPath)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.Quit()\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool { return len(common.Connections.GetStats(\"\")) == 0 }, 1*time.Second, 50*time.Millisecond)\n\tassert.Eventually(t, func() bool { return common.Connections.GetClientConnections() == 0 }, 1000*time.Millisecond,\n\t\t50*time.Millisecond)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n}\n\nfunc TestHTTPFs(t *testing.T) {\n\tu := getTestUserWithHTTPFs()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = ftpDownloadFile(testFileName, localDownloadPath, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\t// test a download resume\n\t\tdata := []byte(\"test data\")\n\t\terr = os.WriteFile(testFilePath, data, os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, testFileName, int64(len(data)), client, 0)\n\t\tassert.NoError(t, err)\n\t\terr = ftpDownloadFile(testFileName, localDownloadPath, int64(len(data)-5), client, 5)\n\t\tassert.NoError(t, err)\n\t\treaded, err := os.ReadFile(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, []byte(\"data\"), readed, \"readed data mismatch: %q\", string(readed))\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool { return len(common.Connections.GetStats(\"\")) == 0 }, 1*time.Second, 50*time.Millisecond)\n\tassert.Eventually(t, func() bool { return common.Connections.GetClientConnections() == 0 }, 1000*time.Millisecond,\n\t\t50*time.Millisecond)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n}\n\nfunc TestListDirWithWildcards(t *testing.T) {\n\tlocalUser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tsftpUser, _, err := httpdtest.AddUser(getTestSFTPUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tdefer func() {\n\t\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\terr = os.RemoveAll(localUser.GetHomeDir())\n\t\tassert.NoError(t, err)\n\t}()\n\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\tclient, err := getFTPClient(user, true, nil, ftp.DialWithDisabledMLSD(true))\n\t\tif assert.NoError(t, err) {\n\t\t\tdir1 := \"test.dir\"\n\t\t\tdir2 := \"test.dir1\"\n\t\t\terr = client.MakeDir(dir1)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.MakeDir(dir2)\n\t\t\tassert.NoError(t, err)\n\t\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\t\ttestFileSize := int64(65535)\n\t\t\terr = createTestFile(testFilePath, testFileSize)\n\t\t\tassert.NoError(t, err)\n\t\t\tfileName := \"file[a-z]e.dat\"\n\t\t\terr = ftpUploadFile(testFilePath, fileName, testFileSize, client, 0)\n\t\t\tassert.NoError(t, err)\n\t\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\t\terr = ftpDownloadFile(fileName, localDownloadPath, testFileSize, client, 0)\n\t\t\tassert.NoError(t, err)\n\t\t\tentries, err := client.List(fileName)\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Len(t, entries, 1)\n\t\t\tassert.Equal(t, fileName, entries[0].Name)\n\t\t\tnListEntries, err := client.NameList(fileName)\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Len(t, entries, 1)\n\t\t\tassert.Contains(t, nListEntries, fileName)\n\t\t\tentries, err = client.List(\".\")\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Len(t, entries, 3)\n\t\t\tnListEntries, err = client.NameList(\".\")\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Len(t, nListEntries, 3)\n\t\t\tentries, err = client.List(\"/test.*\")\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Len(t, entries, 2)\n\t\t\tfound := 0\n\t\t\tfor _, e := range entries {\n\t\t\t\tswitch e.Name {\n\t\t\t\tcase dir1, dir2:\n\t\t\t\t\tfound++\n\t\t\t\t}\n\t\t\t}\n\t\t\tassert.Equal(t, 2, found)\n\t\t\tnListEntries, err = client.NameList(\"/test.*\")\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Len(t, entries, 2)\n\t\t\tassert.Contains(t, nListEntries, dir1)\n\t\t\tassert.Contains(t, nListEntries, dir2)\n\t\t\tentries, err = client.List(\"/*.dir?\")\n\t\t\trequire.NoError(t, err)\n\t\t\tassert.Len(t, entries, 1)\n\t\t\tassert.Equal(t, dir2, entries[0].Name)\n\t\t\tnListEntries, err = client.NameList(\"/*.dir?\")\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Len(t, entries, 1)\n\t\t\tassert.Contains(t, nListEntries, dir2)\n\t\t\tentries, err = client.List(\"/test.???\")\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Len(t, entries, 1)\n\t\t\tassert.Equal(t, dir1, entries[0].Name)\n\t\t\tnListEntries, err = client.NameList(\"/test.???\")\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Len(t, entries, 1)\n\t\t\tassert.Contains(t, nListEntries, dir1)\n\t\t\t_, err = client.NameList(\"/missingdir/test.*\")\n\t\t\tassert.Error(t, err)\n\t\t\t_, err = client.List(\"/missingdir/test.*\")\n\t\t\tassert.Error(t, err)\n\t\t\t_, err = client.NameList(\"test[-]\")\n\t\t\tif assert.Error(t, err) {\n\t\t\t\tassert.Contains(t, err.Error(), path.ErrBadPattern.Error())\n\t\t\t}\n\t\t\t_, err = client.List(\"test[-]\")\n\t\t\tif assert.Error(t, err) {\n\t\t\t\tassert.Contains(t, err.Error(), path.ErrBadPattern.Error())\n\t\t\t}\n\t\t\tsubDir := path.Join(dir1, \"sub.d\")\n\t\t\terr = client.MakeDir(subDir)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.ChangeDir(path.Dir(subDir))\n\t\t\tassert.NoError(t, err)\n\t\t\tentries, err = client.List(\"sub.?\")\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Len(t, entries, 1)\n\t\t\tassert.Contains(t, path.Base(subDir), entries[0].Name)\n\t\t\tnListEntries, err = client.NameList(\"sub.?\")\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Len(t, entries, 1)\n\t\t\tassert.Contains(t, nListEntries, path.Base(subDir))\n\t\t\tentries, err = client.List(\"../*.dir?\")\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Len(t, entries, 1)\n\t\t\tassert.Equal(t, path.Join(\"../\", dir2), entries[0].Name)\n\t\t\tnListEntries, err = client.NameList(\"../*.dir?\")\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Len(t, entries, 1)\n\t\t\tassert.Contains(t, nListEntries, path.Join(\"../\", dir2))\n\n\t\t\terr = client.ChangeDir(\"/\")\n\t\t\tassert.NoError(t, err)\n\t\t\tentries, err = client.List(path.Join(dir1, \"sub.*\"))\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Len(t, entries, 1)\n\t\t\tassert.Equal(t, path.Join(dir1, \"sub.d\"), entries[0].Name)\n\t\t\tnListEntries, err = client.NameList(path.Join(dir1, \"sub.*\"))\n\t\t\trequire.NoError(t, err)\n\t\t\trequire.Len(t, entries, 1)\n\t\t\tassert.Contains(t, nListEntries, path.Join(dir1, \"sub.d\"))\n\t\t\terr = client.RemoveDir(subDir)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.RemoveDir(dir1)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.RemoveDir(dir2)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = os.Remove(testFilePath)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = os.Remove(localDownloadPath)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.Quit()\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t}\n}\n\nfunc TestStartDirectory(t *testing.T) {\n\tstartDir := \"/start/dir\"\n\tu := getTestUser()\n\tu.Filters.StartDirectory = startDir\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser()\n\tu.Filters.StartDirectory = startDir\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\tclient, err := getFTPClient(user, true, nil)\n\t\tif assert.NoError(t, err) {\n\t\t\tcurrentDir, err := client.CurrentDir()\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, startDir, currentDir)\n\n\t\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\t\ttestFileSize := int64(65535)\n\t\t\terr = createTestFile(testFilePath, testFileSize)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\t\tassert.NoError(t, err)\n\t\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\t\terr = ftpDownloadFile(testFileName, localDownloadPath, testFileSize, client, 0)\n\t\t\tassert.NoError(t, err)\n\t\t\tentries, err := client.List(\".\")\n\t\t\tassert.NoError(t, err)\n\t\t\tif assert.Len(t, entries, 1) {\n\t\t\t\tassert.Equal(t, testFileName, entries[0].Name)\n\t\t\t}\n\t\t\tentries, err = client.List(\"/\")\n\t\t\tassert.NoError(t, err)\n\t\t\tif assert.Len(t, entries, 1) {\n\t\t\t\tassert.Equal(t, \"start\", entries[0].Name)\n\t\t\t}\n\t\t\terr = client.ChangeDirToParent()\n\t\t\tassert.NoError(t, err)\n\t\t\tcurrentDir, err = client.CurrentDir()\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, path.Dir(startDir), currentDir)\n\t\t\terr = client.ChangeDirToParent()\n\t\t\tassert.NoError(t, err)\n\t\t\tcurrentDir, err = client.CurrentDir()\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, \"/\", currentDir)\n\n\t\t\terr = os.Remove(testFilePath)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = os.Remove(localDownloadPath)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.Quit()\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t}\n\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginEmptyPassword(t *testing.T) {\n\tu := getTestUser()\n\tu.Password = \"\"\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser.Password = emptyPwdPlaceholder\n\n\t_, err = getFTPClient(user, true, nil)\n\tassert.Error(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestAnonymousUser(t *testing.T) {\n\tu := getTestUser()\n\tu.Password = \"\"\n\tu.Filters.IsAnonymous = true\n\t_, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.Error(t, err)\n\tuser, _, err := httpdtest.GetUserByUsername(u.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, user.Filters.IsAnonymous)\n\tassert.Equal(t, []string{dataprovider.PermListItems, dataprovider.PermDownload}, user.Permissions[\"/\"])\n\tassert.Equal(t, []string{common.ProtocolSSH, common.ProtocolHTTP}, user.Filters.DeniedProtocols)\n\tassert.Equal(t, []string{dataprovider.SSHLoginMethodPublicKey, dataprovider.SSHLoginMethodPassword,\n\t\tdataprovider.SSHLoginMethodKeyboardInteractive, dataprovider.SSHLoginMethodKeyAndPassword,\n\t\tdataprovider.SSHLoginMethodKeyAndKeyboardInt, dataprovider.LoginMethodTLSCertificate,\n\t\tdataprovider.LoginMethodTLSCertificateAndPwd}, user.Filters.DeniedLoginMethods)\n\n\tuser.Password = emptyPwdPlaceholder\n\tclient, err := getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"permission\")\n\t\t}\n\t\terr = os.Rename(testFilePath, filepath.Join(user.GetHomeDir(), testFileName))\n\t\tassert.NoError(t, err)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = ftpDownloadFile(testFileName, localDownloadPath, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\terr = client.MakeDir(\"adir\")\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"permission\")\n\t\t}\n\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestAnonymousGroupInheritance(t *testing.T) {\n\tg := getTestGroup()\n\tg.UserSettings.Filters.IsAnonymous = true\n\tg.UserSettings.Permissions = make(map[string][]string)\n\tg.UserSettings.Permissions[\"/\"] = allPerms\n\tg.UserSettings.Permissions[\"/testsub\"] = allPerms\n\tgroup, _, err := httpdtest.AddGroup(g, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu := getTestUser()\n\tu.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: group.Name,\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tuser.Password = emptyPwdPlaceholder\n\tclient, err := getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"permission\")\n\t\t}\n\t\terr = client.MakeDir(\"adir\")\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"permission\")\n\t\t}\n\t\terr = client.MakeDir(\"/testsub/adir\")\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"permission\")\n\t\t}\n\t\terr = os.Rename(testFilePath, filepath.Join(user.GetHomeDir(), testFileName))\n\t\tassert.NoError(t, err)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = ftpDownloadFile(testFileName, localDownloadPath, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t}\n\tuser.Password = defaultPassword\n\tclient, err = getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestMultiFactorAuth(t *testing.T) {\n\tu := getTestUser()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tconfigName, key, _, err := mfa.GenerateTOTPSecret(mfa.GetAvailableTOTPConfigNames()[0], user.Username)\n\tassert.NoError(t, err)\n\tuser.Password = defaultPassword\n\tuser.Filters.TOTPConfig = dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: kms.NewPlainSecret(key.Secret()),\n\t\tProtocols: []string{common.ProtocolFTP},\n\t}\n\terr = dataprovider.UpdateUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tuser.Password = defaultPassword\n\t_, err = getFTPClient(user, true, nil)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), dataprovider.ErrInvalidCredentials.Error())\n\t}\n\tpasscode, err := generateTOTPPasscode(key.Secret(), otp.AlgorithmSHA1)\n\tassert.NoError(t, err)\n\tuser.Password = defaultPassword + passcode\n\tclient, err := getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\t// reusing the same passcode should not work\n\t_, err = getFTPClient(user, true, nil)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), dataprovider.ErrInvalidCredentials.Error())\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestMustChangePasswordRequirement(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.RequirePasswordChange = true\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\t_, err = getFTPClient(user, true, nil)\n\tassert.Error(t, err)\n\n\terr = dataprovider.UpdateUserPassword(user.Username, defaultPassword, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tclient, err := getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSecondFactorRequirement(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.TwoFactorAuthProtocols = []string{common.ProtocolFTP}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\t_, err = getFTPClient(user, true, nil)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"second factor authentication is not set\")\n\t}\n\n\tconfigName, key, _, err := mfa.GenerateTOTPSecret(mfa.GetAvailableTOTPConfigNames()[0], user.Username)\n\tassert.NoError(t, err)\n\tuser.Password = defaultPassword\n\tuser.Filters.TOTPConfig = dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: kms.NewPlainSecret(key.Secret()),\n\t\tProtocols: []string{common.ProtocolFTP},\n\t}\n\terr = dataprovider.UpdateUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tpasscode, err := generateTOTPPasscode(key.Secret(), otp.AlgorithmSHA1)\n\tassert.NoError(t, err)\n\tuser.Password = defaultPassword + passcode\n\tclient, err := getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginInvalidCredentials(t *testing.T) {\n\tu := getTestUser()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser.Username = \"wrong username\"\n\t_, err = getFTPClient(user, false, nil)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), dataprovider.ErrInvalidCredentials.Error())\n\t}\n\tuser.Username = u.Username\n\tuser.Password = \"wrong pwd\"\n\t_, err = getFTPClient(user, false, nil)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), dataprovider.ErrInvalidCredentials.Error())\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginNonExistentUser(t *testing.T) {\n\tuser := getTestUser()\n\t_, err := getFTPClient(user, false, nil)\n\tassert.Error(t, err)\n}\n\nfunc TestFTPSecurity(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.FTPSecurity = 1\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = getFTPClient(user, false, nil)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"TLS is required\")\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestGroupFTPSecurity(t *testing.T) {\n\tg := getTestGroup()\n\tg.UserSettings.Filters.FTPSecurity = 1\n\tgroup, _, err := httpdtest.AddGroup(g, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu := getTestUser()\n\tu.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: group.Name,\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = getFTPClient(user, false, nil)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"TLS is required\")\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginExternalAuth(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tu := getTestUser()\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = os.WriteFile(extAuthPath, getExtAuthScriptContent(u), os.ModePerm)\n\tassert.NoError(t, err)\n\tproviderConf.ExternalAuthHook = extAuthPath\n\tproviderConf.ExternalAuthScope = 0\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\tg := getTestGroup()\n\tg.UserSettings.Filters.DeniedProtocols = []string{common.ProtocolFTP}\n\tgroup, _, err := httpdtest.AddGroup(g, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tclient, err := getFTPClient(u, true, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\tu.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: group.Name,\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t}\n\terr = os.WriteFile(extAuthPath, getExtAuthScriptContent(u), os.ModePerm)\n\tassert.NoError(t, err)\n\t_, err = getFTPClient(u, true, nil)\n\tif !assert.Error(t, err) {\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t} else {\n\t\tassert.Contains(t, err.Error(), \"protocol FTP is not allowed\")\n\t}\n\n\tu.Groups = nil\n\terr = os.WriteFile(extAuthPath, getExtAuthScriptContent(u), os.ModePerm)\n\tassert.NoError(t, err)\n\tu.Username = defaultUsername + \"1\"\n\tclient, err = getFTPClient(u, true, nil)\n\tif !assert.Error(t, err) {\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t} else {\n\t\tassert.Contains(t, err.Error(), \"invalid credentials\")\n\t}\n\n\tuser, _, err := httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, defaultUsername, user.Username)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group, http.StatusOK)\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = os.Remove(extAuthPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestPreLoginHook(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tu := getTestUser()\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = os.WriteFile(preLoginPath, getPreLoginScriptContent(u, false), os.ModePerm)\n\tassert.NoError(t, err)\n\tproviderConf.PreLoginHook = preLoginPath\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetUserByUsername(defaultUsername, http.StatusNotFound)\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(u, false, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\tuser, _, err := httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\n\t// test login with an existing user\n\tclient, err = getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\terr = os.WriteFile(preLoginPath, getPreLoginScriptContent(user, true), os.ModePerm)\n\tassert.NoError(t, err)\n\tclient, err = getFTPClient(u, false, nil)\n\tif !assert.Error(t, err) {\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\tuser.Status = 0\n\terr = os.WriteFile(preLoginPath, getPreLoginScriptContent(user, false), os.ModePerm)\n\tassert.NoError(t, err)\n\tclient, err = getFTPClient(u, false, nil)\n\tif !assert.Error(t, err, \"pre-login script returned a disabled user, login must fail\") {\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\tuser.Status = 0\n\tuser.Filters.FTPSecurity = 1\n\terr = os.WriteFile(preLoginPath, getPreLoginScriptContent(user, false), os.ModePerm)\n\tassert.NoError(t, err)\n\tclient, err = getFTPClient(u, true, nil)\n\tif !assert.Error(t, err) {\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = getFTPClient(user, false, nil)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"TLS is required\")\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = os.Remove(preLoginPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestPreLoginHookReturningAnonymousUser(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tu := getTestUser()\n\tu.Filters.IsAnonymous = true\n\tu.Filters.DeniedProtocols = []string{common.ProtocolSSH}\n\tu.Password = \"\"\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = os.WriteFile(preLoginPath, getPreLoginScriptContent(u, false), os.ModePerm)\n\tassert.NoError(t, err)\n\tproviderConf.PreLoginHook = preLoginPath\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\t// the pre-login hook create the anonymous user\n\tclient, err := getFTPClient(u, false, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\n\t\terr = client.MakeDir(\"tdiranonymous\")\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"permission\")\n\t\t}\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"permission\")\n\t\t}\n\t\terr = os.Rename(testFilePath, filepath.Join(u.GetHomeDir(), testFileName))\n\t\tassert.NoError(t, err)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = ftpDownloadFile(testFileName, localDownloadPath, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\tuser, _, err := httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, user.Filters.IsAnonymous)\n\tassert.Equal(t, []string{dataprovider.PermListItems, dataprovider.PermDownload}, user.Permissions[\"/\"])\n\tassert.Equal(t, []string{common.ProtocolSSH, common.ProtocolHTTP}, user.Filters.DeniedProtocols)\n\tassert.Equal(t, []string{dataprovider.SSHLoginMethodPublicKey, dataprovider.SSHLoginMethodPassword,\n\t\tdataprovider.SSHLoginMethodKeyboardInteractive, dataprovider.SSHLoginMethodKeyAndPassword,\n\t\tdataprovider.SSHLoginMethodKeyAndKeyboardInt, dataprovider.LoginMethodTLSCertificate,\n\t\tdataprovider.LoginMethodTLSCertificateAndPwd}, user.Filters.DeniedLoginMethods)\n\t// now the same with an existing user\n\tclient, err = getFTPClient(u, false, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"permission\")\n\t\t}\n\t\terr = os.Rename(testFilePath, filepath.Join(u.GetHomeDir(), testFileName))\n\t\tassert.NoError(t, err)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = ftpDownloadFile(testFileName, localDownloadPath, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = os.Remove(preLoginPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestPreDownloadHook(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\toldExecuteOn := common.Config.Actions.ExecuteOn\n\toldHook := common.Config.Actions.Hook\n\n\tcommon.Config.Actions.ExecuteOn = []string{common.OperationPreDownload}\n\tcommon.Config.Actions.Hook = preDownloadPath\n\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(preDownloadPath, getExitCodeScriptContent(0), os.ModePerm)\n\tassert.NoError(t, err)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(65535)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\n\tclient, err := getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = ftpDownloadFile(testFileName, localDownloadPath, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t}\n\t// now return an error from the pre-download hook\n\terr = os.WriteFile(preDownloadPath, getExitCodeScriptContent(1), os.ModePerm)\n\tassert.NoError(t, err)\n\tclient, err = getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = ftpDownloadFile(testFileName, localDownloadPath, testFileSize, client, 0)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"permission denied\")\n\t\t}\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\n\tcommon.Config.Actions.ExecuteOn = oldExecuteOn\n\tcommon.Config.Actions.Hook = oldHook\n}\n\nfunc TestPreUploadHook(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\toldExecuteOn := common.Config.Actions.ExecuteOn\n\toldHook := common.Config.Actions.Hook\n\n\tcommon.Config.Actions.ExecuteOn = []string{common.OperationPreUpload}\n\tcommon.Config.Actions.Hook = preUploadPath\n\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(preUploadPath, getExitCodeScriptContent(0), os.ModePerm)\n\tassert.NoError(t, err)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(65535)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\n\tclient, err := getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = ftpDownloadFile(testFileName, localDownloadPath, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t}\n\t// now return an error from the pre-upload hook\n\terr = os.WriteFile(preUploadPath, getExitCodeScriptContent(1), os.ModePerm)\n\tassert.NoError(t, err)\n\tclient, err = getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), ftpserver.ErrFileNameNotAllowed.Error())\n\t\t}\n\t\terr = ftpUploadFile(testFilePath, testFileName+\"1\", testFileSize, client, 0)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), ftpserver.ErrFileNameNotAllowed.Error())\n\t\t}\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\n\tcommon.Config.Actions.ExecuteOn = oldExecuteOn\n\tcommon.Config.Actions.Hook = oldHook\n}\n\nfunc TestPostConnectHook(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tcommon.Config.PostConnectHook = postConnectPath\n\n\tu := getTestUser()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(postConnectPath, getExitCodeScriptContent(0), os.ModePerm)\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\terr = os.WriteFile(postConnectPath, getExitCodeScriptContent(1), os.ModePerm)\n\tassert.NoError(t, err)\n\tclient, err = getFTPClient(user, true, nil)\n\tif !assert.Error(t, err) {\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\tcommon.Config.PostConnectHook = \"http://127.0.0.1:8079/healthz\"\n\n\tclient, err = getFTPClient(user, false, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\tcommon.Config.PostConnectHook = \"http://127.0.0.1:8079/notfound\"\n\n\tclient, err = getFTPClient(user, true, nil)\n\tif !assert.Error(t, err) {\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tcommon.Config.PostConnectHook = \"\"\n}\n\n//nolint:dupl\nfunc TestMaxConnections(t *testing.T) {\n\toldValue := common.Config.MaxTotalConnections\n\tcommon.Config.MaxTotalConnections = 1\n\n\tassert.Eventually(t, func() bool {\n\t\treturn common.Connections.GetClientConnections() == 0\n\t}, 1000*time.Millisecond, 50*time.Millisecond)\n\n\tuser := getTestUser()\n\terr := dataprovider.AddUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tuser.Password = \"\"\n\tclient, err := getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\t_, err = getFTPClient(user, false, nil)\n\t\tassert.Error(t, err)\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\terr = dataprovider.DeleteUser(user.Username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tcommon.Config.MaxTotalConnections = oldValue\n}\n\n//nolint:dupl\nfunc TestMaxPerHostConnections(t *testing.T) {\n\toldValue := common.Config.MaxPerHostConnections\n\tcommon.Config.MaxPerHostConnections = 1\n\n\tassert.Eventually(t, func() bool {\n\t\treturn common.Connections.GetClientConnections() == 0\n\t}, 1000*time.Millisecond, 50*time.Millisecond)\n\n\tuser := getTestUser()\n\terr := dataprovider.AddUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tuser.Password = \"\"\n\tclient, err := getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\t_, err = getFTPClient(user, false, nil)\n\t\tassert.Error(t, err)\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\terr = dataprovider.DeleteUser(user.Username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tcommon.Config.MaxPerHostConnections = oldValue\n}\n\nfunc TestMaxTransfers(t *testing.T) {\n\toldValue := common.Config.MaxPerHostConnections\n\tcommon.Config.MaxPerHostConnections = 2\n\n\tassert.Eventually(t, func() bool {\n\t\treturn common.Connections.GetClientConnections() == 0\n\t}, 1000*time.Millisecond, 50*time.Millisecond)\n\n\tuser := getTestUser()\n\terr := dataprovider.AddUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tuser.Password = \"\"\n\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(65535)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\n\tconn, sftpClient, err := getSftpClient(user)\n\tassert.NoError(t, err)\n\tdefer conn.Close()\n\tdefer sftpClient.Close()\n\n\tf1, err := sftpClient.Create(\"file1\")\n\tassert.NoError(t, err)\n\tf2, err := sftpClient.Create(\"file2\")\n\tassert.NoError(t, err)\n\t_, err = f1.Write([]byte(\" \"))\n\tassert.NoError(t, err)\n\t_, err = f2.Write([]byte(\" \"))\n\tassert.NoError(t, err)\n\n\tclient, err := getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tassert.Error(t, err)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = ftpDownloadFile(testFileName, localDownloadPath, testFileSize, client, 0)\n\t\tassert.Error(t, err)\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t}\n\n\terr = f1.Close()\n\tassert.NoError(t, err)\n\terr = f2.Close()\n\tassert.NoError(t, err)\n\n\terr = dataprovider.DeleteUser(user.Username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tcommon.Config.MaxPerHostConnections = oldValue\n}\n\nfunc TestRateLimiter(t *testing.T) {\n\toldConfig := config.GetCommonConfig()\n\n\tcfg := config.GetCommonConfig()\n\tcfg.DefenderConfig.Enabled = true\n\tcfg.DefenderConfig.Threshold = 5\n\tcfg.DefenderConfig.ScoreLimitExceeded = 3\n\tcfg.RateLimitersConfig = []common.RateLimiterConfig{\n\t\t{\n\t\t\tAverage: 1,\n\t\t\tPeriod: 1000,\n\t\t\tBurst: 1,\n\t\t\tType: 2,\n\t\t\tProtocols: []string{common.ProtocolFTP},\n\t\t\tGenerateDefenderEvents: true,\n\t\t\tEntriesSoftLimit: 100,\n\t\t\tEntriesHardLimit: 150,\n\t\t},\n\t}\n\n\terr := common.Initialize(cfg, 0)\n\tassert.NoError(t, err)\n\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tclient, err := getFTPClient(user, false, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = getFTPClient(user, true, nil)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"rate limit exceed\")\n\t}\n\n\t_, err = getFTPClient(user, false, nil)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"rate limit exceed\")\n\t}\n\n\t_, err = getFTPClient(user, true, nil)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"banned client IP\")\n\t}\n\n\terr = dataprovider.DeleteUser(user.Username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\terr = common.Initialize(oldConfig, 0)\n\tassert.NoError(t, err)\n}\n\nfunc TestDefender(t *testing.T) {\n\toldConfig := config.GetCommonConfig()\n\n\tcfg := config.GetCommonConfig()\n\tcfg.DefenderConfig.Enabled = true\n\tcfg.DefenderConfig.Threshold = 4\n\tcfg.DefenderConfig.ScoreLimitExceeded = 2\n\tcfg.DefenderConfig.ScoreNoAuth = 1\n\tcfg.DefenderConfig.ScoreValid = 1\n\n\terr := common.Initialize(cfg, 0)\n\tassert.NoError(t, err)\n\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(user, false, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\t// just dial without login\n\tftpOptions := []ftp.DialOption{ftp.DialWithTimeout(5 * time.Second)}\n\tclient, err = ftp.Dial(ftpServerAddr, ftpOptions...)\n\tassert.NoError(t, err)\n\terr = client.Quit()\n\tassert.NoError(t, err)\n\thosts, _, err := httpdtest.GetDefenderHosts(http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Len(t, hosts, 1) {\n\t\thost := hosts[0]\n\t\tassert.Empty(t, host.GetBanTime())\n\t\tassert.Equal(t, 1, host.Score)\n\t}\n\tuser.Password = \"wrong_pwd\"\n\t_, err = getFTPClient(user, false, nil)\n\tassert.Error(t, err)\n\thosts, _, err = httpdtest.GetDefenderHosts(http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Len(t, hosts, 1) {\n\t\thost := hosts[0]\n\t\tassert.Empty(t, host.GetBanTime())\n\t\tassert.Equal(t, 2, host.Score)\n\t}\n\n\tfor i := 0; i < 2; i++ {\n\t\t_, err = getFTPClient(user, false, nil)\n\t\tassert.Error(t, err)\n\t}\n\n\tuser.Password = defaultPassword\n\t_, err = getFTPClient(user, false, nil)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"banned client IP\")\n\t}\n\n\terr = dataprovider.DeleteUser(user.Username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\terr = common.Initialize(oldConfig, 0)\n\tassert.NoError(t, err)\n}\n\nfunc TestMaxSessions(t *testing.T) {\n\tu := getTestUser()\n\tu.MaxSessions = 1\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\t_, err = getFTPClient(user, false, nil)\n\t\tassert.Error(t, err)\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestZeroBytesTransfers(t *testing.T) {\n\tu := getTestUser()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, useTLS := range []bool{true, false} {\n\t\tclient, err := getFTPClient(user, useTLS, nil)\n\t\tif assert.NoError(t, err) {\n\t\t\ttestFileName := \"testfilename\"\n\t\t\terr = checkBasicFTP(client)\n\t\t\tassert.NoError(t, err)\n\t\t\tlocalDownloadPath := filepath.Join(homeBasePath, \"empty_download\")\n\t\t\terr = os.WriteFile(localDownloadPath, []byte(\"\"), os.ModePerm)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = ftpUploadFile(localDownloadPath, testFileName, 0, client, 0)\n\t\t\tassert.NoError(t, err)\n\t\t\tsize, err := client.FileSize(testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, int64(0), size)\n\t\t\terr = os.Remove(localDownloadPath)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.NoFileExists(t, localDownloadPath)\n\t\t\terr = ftpDownloadFile(testFileName, localDownloadPath, 0, client, 0)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.FileExists(t, localDownloadPath)\n\t\t\terr = client.Quit()\n\t\t\tassert.NoError(t, err)\n\t\t\terr = os.Remove(localDownloadPath)\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestDownloadErrors(t *testing.T) {\n\tu := getTestUser()\n\tu.QuotaFiles = 1\n\tsubDir1 := \"sub1\"\n\tsubDir2 := \"sub2\"\n\tu.Permissions[path.Join(\"/\", subDir1)] = []string{dataprovider.PermListItems}\n\tu.Permissions[path.Join(\"/\", subDir2)] = []string{dataprovider.PermListItems, dataprovider.PermUpload,\n\t\tdataprovider.PermDelete, dataprovider.PermDownload}\n\tu.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: \"/sub2\",\n\t\t\tAllowedPatterns: []string{},\n\t\t\tDeniedPatterns: []string{\"*.jpg\", \"*.zip\"},\n\t\t},\n\t}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\ttestFilePath1 := filepath.Join(user.HomeDir, subDir1, \"file.zip\")\n\t\ttestFilePath2 := filepath.Join(user.HomeDir, subDir2, \"file.zip\")\n\t\ttestFilePath3 := filepath.Join(user.HomeDir, subDir2, \"file.jpg\")\n\t\terr = os.MkdirAll(filepath.Dir(testFilePath1), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\terr = os.MkdirAll(filepath.Dir(testFilePath2), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\terr = os.WriteFile(testFilePath1, []byte(\"file1\"), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\terr = os.WriteFile(testFilePath2, []byte(\"file2\"), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\terr = os.WriteFile(testFilePath3, []byte(\"file3\"), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = ftpDownloadFile(path.Join(\"/\", subDir1, \"file.zip\"), localDownloadPath, 5, client, 0)\n\t\tassert.Error(t, err)\n\t\terr = ftpDownloadFile(path.Join(\"/\", subDir2, \"file.zip\"), localDownloadPath, 5, client, 0)\n\t\tassert.Error(t, err)\n\t\terr = ftpDownloadFile(path.Join(\"/\", subDir2, \"file.jpg\"), localDownloadPath, 5, client, 0)\n\t\tassert.Error(t, err)\n\t\terr = ftpDownloadFile(\"/missing.zip\", localDownloadPath, 5, client, 0)\n\t\tassert.Error(t, err)\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestUploadErrors(t *testing.T) {\n\tu := getTestUser()\n\tu.QuotaSize = 65535\n\tsubDir1 := \"sub1\"\n\tsubDir2 := \"sub2\"\n\tu.Permissions[path.Join(\"/\", subDir1)] = []string{dataprovider.PermListItems}\n\tu.Permissions[path.Join(\"/\", subDir2)] = []string{dataprovider.PermListItems, dataprovider.PermUpload,\n\t\tdataprovider.PermDelete}\n\tu.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: \"/sub2\",\n\t\t\tAllowedPatterns: []string{},\n\t\t\tDeniedPatterns: []string{\"*.zip\"},\n\t\t},\n\t}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := user.QuotaSize\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = client.MakeDir(subDir1)\n\t\tassert.NoError(t, err)\n\t\terr = client.MakeDir(subDir2)\n\t\tassert.NoError(t, err)\n\t\terr = client.ChangeDir(subDir1)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tassert.Error(t, err)\n\t\terr = client.ChangeDirToParent()\n\t\tassert.NoError(t, err)\n\t\terr = client.ChangeDir(subDir2)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, testFileName+\".zip\", testFileSize, client, 0)\n\t\tassert.Error(t, err)\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tassert.Error(t, err)\n\t\terr = client.ChangeDir(\"/\")\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, subDir1, testFileSize, client, 0)\n\t\tassert.Error(t, err)\n\t\t// overquota\n\t\terr = ftpUploadFile(testFilePath, testFileName+\"1\", testFileSize, client, 0)\n\t\tassert.Error(t, err)\n\t\terr = client.Delete(path.Join(\"/\", subDir2, testFileName))\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tassert.Error(t, err)\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSFTPBuffered(t *testing.T) {\n\tu := getTestUser()\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser()\n\tu.QuotaFiles = 100\n\tu.FsConfig.SFTPConfig.BufferSize = 2\n\tu.HomeDir = filepath.Join(os.TempDir(), u.Username)\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(sftpUser, true, nil)\n\tif assert.NoError(t, err) {\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\texpectedQuotaSize := testFileSize\n\t\texpectedQuotaFiles := 1\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\t// overwrite an existing file\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = ftpDownloadFile(testFileName, localDownloadPath, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err := httpdtest.GetUserByUsername(sftpUser.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\n\t\tdata := []byte(\"test data\")\n\t\terr = os.WriteFile(testFilePath, data, os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, testFileName, int64(len(data)), client, 0)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, testFileName, int64(len(data)+5), client, 5)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"operation unsupported\")\n\t\t}\n\t\terr = ftpDownloadFile(testFileName, localDownloadPath, int64(4), client, 5)\n\t\tassert.NoError(t, err)\n\t\treaded, err := os.ReadFile(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, []byte(\"data\"), readed)\n\t\t// try to append to a file, it should fail\n\t\t// now append to a file\n\t\tsrcFile, err := os.Open(testFilePath)\n\t\tif assert.NoError(t, err) {\n\t\t\terr = client.Append(testFileName, srcFile)\n\t\t\tif assert.Error(t, err) {\n\t\t\t\tassert.Contains(t, err.Error(), \"operation unsupported\")\n\t\t\t}\n\t\t\terr = srcFile.Close()\n\t\t\tassert.NoError(t, err)\n\t\t\tsize, err := client.FileSize(testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, int64(len(data)), size)\n\t\t\terr = ftpDownloadFile(testFileName, localDownloadPath, int64(len(data)), client, 0)\n\t\t\tassert.NoError(t, err)\n\t\t}\n\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(sftpUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestResume(t *testing.T) {\n\tu := getTestUser()\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tsftpUser, _, err := httpdtest.AddUser(getTestSFTPUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestUser()\n\tu.FsConfig.OSConfig = sdk.OSFsConfig{\n\t\tReadBufferSize: 1,\n\t\tWriteBufferSize: 1,\n\t}\n\tu.Username += \"_buf\"\n\tu.HomeDir += \"_buf\"\n\tbufferedUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser, bufferedUser} {\n\t\tclient, err := getFTPClient(user, true, nil)\n\t\tif assert.NoError(t, err) {\n\t\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\t\tdata := []byte(\"test data\")\n\t\t\terr = os.WriteFile(testFilePath, data, os.ModePerm)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = ftpUploadFile(testFilePath, testFileName, int64(len(data)), client, 0)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = ftpUploadFile(testFilePath, testFileName, int64(len(data)+5), client, 5)\n\t\t\tassert.NoError(t, err)\n\t\t\treaded, err := os.ReadFile(filepath.Join(user.GetHomeDir(), testFileName))\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, \"test test data\", string(readed))\n\t\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\t\terr = ftpDownloadFile(testFileName, localDownloadPath, int64(len(data)), client, 5)\n\t\t\tassert.NoError(t, err)\n\t\t\treaded, err = os.ReadFile(localDownloadPath)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, data, readed)\n\t\t\terr = client.Delete(testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = ftpUploadFile(testFilePath, testFileName, int64(len(data)), client, 0)\n\t\t\tassert.NoError(t, err)\n\t\t\t// now append to a file\n\t\t\tsrcFile, err := os.Open(testFilePath)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\terr = client.Append(testFileName, srcFile)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\terr = srcFile.Close()\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tsize, err := client.FileSize(testFileName)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, int64(2*len(data)), size)\n\t\t\t\terr = ftpDownloadFile(testFileName, localDownloadPath, int64(2*len(data)), client, 0)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\treaded, err = os.ReadFile(localDownloadPath)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\texpected := append(data, data...)\n\t\t\t\tassert.Equal(t, expected, readed)\n\t\t\t}\n\t\t\t// append to a new file\n\t\t\tsrcFile, err = os.Open(testFilePath)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\tnewFileName := testFileName + \"_new\"\n\t\t\t\terr = client.Append(newFileName, srcFile)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\terr = srcFile.Close()\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tsize, err := client.FileSize(newFileName)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, int64(len(data)), size)\n\t\t\t\terr = ftpDownloadFile(newFileName, localDownloadPath, int64(len(data)), client, 0)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\treaded, err = os.ReadFile(localDownloadPath)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, data, readed)\n\t\t\t}\n\t\t\terr = client.Quit()\n\t\t\tassert.NoError(t, err)\n\t\t\terr = os.Remove(testFilePath)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = os.Remove(localDownloadPath)\n\t\t\tassert.NoError(t, err)\n\t\t\tif user.Username == defaultUsername {\n\t\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tuser.Password = defaultPassword\n\t\t\t\tuser.ID = 0\n\t\t\t\tuser.CreatedAt = 0\n\t\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\t\tassert.NoError(t, err, string(resp))\n\t\t\t}\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(bufferedUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(bufferedUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\n//nolint:dupl\nfunc TestDeniedLoginMethod(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodPassword}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\t_, err = getFTPClient(user, false, nil)\n\tassert.Error(t, err)\n\tuser.Filters.DeniedLoginMethods = []string{dataprovider.SSHLoginMethodPublicKey, dataprovider.SSHLoginMethodKeyAndPassword}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\tassert.NoError(t, checkBasicFTP(client))\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\n//nolint:dupl\nfunc TestDeniedProtocols(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.DeniedProtocols = []string{common.ProtocolFTP}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\t_, err = getFTPClient(user, false, nil)\n\tassert.Error(t, err)\n\tuser.Filters.DeniedProtocols = []string{common.ProtocolSSH, common.ProtocolWebDAV}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\tassert.NoError(t, checkBasicFTP(client))\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestQuotaLimits(t *testing.T) {\n\tu := getTestUser()\n\tu.QuotaFiles = 1\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser()\n\tu.QuotaFiles = 1\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\ttestFileSize := int64(65535)\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\ttestFileSize1 := int64(131072)\n\t\ttestFileName1 := \"test_file1.dat\"\n\t\ttestFilePath1 := filepath.Join(homeBasePath, testFileName1)\n\t\terr = createTestFile(testFilePath1, testFileSize1)\n\t\tassert.NoError(t, err)\n\t\ttestFileSize2 := int64(32768)\n\t\ttestFileName2 := \"test_file2.dat\"\n\t\ttestFilePath2 := filepath.Join(homeBasePath, testFileName2)\n\t\terr = createTestFile(testFilePath2, testFileSize2)\n\t\tassert.NoError(t, err)\n\t\t// test quota files\n\t\tclient, err := getFTPClient(user, false, nil)\n\t\tif assert.NoError(t, err) {\n\t\t\terr = ftpUploadFile(testFilePath, testFileName+\".quota\", testFileSize, client, 0) //nolint:goconst\n\t\t\tassert.NoError(t, err)\n\t\t\terr = ftpUploadFile(testFilePath, testFileName+\".quota1\", testFileSize, client, 0)\n\t\t\tassert.Error(t, err)\n\t\t\terr = client.Rename(testFileName+\".quota\", testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.Quit()\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t\t// test quota size\n\t\tuser.QuotaSize = testFileSize - 1\n\t\tuser.QuotaFiles = 0\n\t\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\t\tassert.NoError(t, err)\n\t\tclient, err = getFTPClient(user, true, nil)\n\t\tif assert.NoError(t, err) {\n\t\t\terr = ftpUploadFile(testFilePath, testFileName+\".quota\", testFileSize, client, 0)\n\t\t\tassert.Error(t, err)\n\t\t\terr = client.Rename(testFileName, testFileName+\".quota\")\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.Quit()\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t\t// now test quota limits while uploading the current file, we have 1 bytes remaining\n\t\tuser.QuotaSize = testFileSize + 1\n\t\tuser.QuotaFiles = 0\n\t\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\t\tassert.NoError(t, err)\n\t\tclient, err = getFTPClient(user, false, nil)\n\t\tif assert.NoError(t, err) {\n\t\t\terr = ftpUploadFile(testFilePath1, testFileName1, testFileSize1, client, 0)\n\t\t\tassert.Error(t, err)\n\t\t\t_, err = client.FileSize(testFileName1)\n\t\t\tassert.Error(t, err)\n\t\t\terr = client.Rename(testFileName+\".quota\", testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t\t// overwriting an existing file will work if the resulting size is lesser or equal than the current one\n\t\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = ftpUploadFile(testFilePath2, testFileName, testFileSize2, client, 0)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = ftpUploadFile(testFilePath1, testFileName, testFileSize1, client, 0)\n\t\t\tassert.Error(t, err)\n\t\t\terr = ftpUploadFile(testFilePath1, testFileName, testFileSize1, client, 10)\n\t\t\tassert.Error(t, err)\n\t\t\terr = ftpUploadFile(testFilePath2, testFileName, testFileSize2, client, 0)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.Quit()\n\t\t\tassert.NoError(t, err)\n\t\t}\n\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath1)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath2)\n\t\tassert.NoError(t, err)\n\t\tif user.Username == defaultUsername {\n\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\tassert.NoError(t, err)\n\t\t\tuser.QuotaFiles = 0\n\t\t\tuser.QuotaSize = 0\n\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tuser.Password = defaultPassword\n\t\t\tuser.QuotaSize = 0\n\t\t\tuser.ID = 0\n\t\t\tuser.CreatedAt = 0\n\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\tassert.NoError(t, err, string(resp))\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestUploadMaxSize(t *testing.T) {\n\ttestFileSize := int64(65535)\n\tu := getTestUser()\n\tu.Filters.MaxUploadFileSize = testFileSize + 1\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser()\n\tu.Filters.MaxUploadFileSize = testFileSize + 1\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\ttestFileSize1 := int64(131072)\n\t\ttestFileName1 := \"test_file1.dat\"\n\t\ttestFilePath1 := filepath.Join(homeBasePath, testFileName1)\n\t\terr = createTestFile(testFilePath1, testFileSize1)\n\t\tassert.NoError(t, err)\n\t\tclient, err := getFTPClient(user, false, nil)\n\t\tif assert.NoError(t, err) {\n\t\t\terr = ftpUploadFile(testFilePath1, testFileName1, testFileSize1, client, 0)\n\t\t\tassert.Error(t, err)\n\t\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\t\tassert.NoError(t, err)\n\t\t\t// now test overwrite an existing file with a size bigger than the allowed one\n\t\t\terr = createTestFile(filepath.Join(user.GetHomeDir(), testFileName1), testFileSize1)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = ftpUploadFile(testFilePath1, testFileName1, testFileSize1, client, 0)\n\t\t\tassert.Error(t, err)\n\t\t\terr = client.Quit()\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath1)\n\t\tassert.NoError(t, err)\n\t\tif user.Username == defaultUsername {\n\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\tassert.NoError(t, err)\n\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tuser.Password = defaultPassword\n\t\t\tuser.Filters.MaxUploadFileSize = 65536000\n\t\t\tuser.ID = 0\n\t\t\tuser.CreatedAt = 0\n\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\tassert.NoError(t, err, string(resp))\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginWithIPilters(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.DeniedIP = []string{\"192.167.0.0/24\", \"172.18.0.0/16\"}\n\tu.Filters.AllowedIP = []string{\"172.19.0.0/16\"}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(user, true, nil)\n\tif !assert.Error(t, err) {\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginWithDatabaseCredentials(t *testing.T) {\n\tu := getTestUser()\n\tu.FsConfig.Provider = sdk.GCSFilesystemProvider\n\tu.FsConfig.GCSConfig.Bucket = \"test\"\n\tu.FsConfig.GCSConfig.Credentials = kms.NewPlainSecret(`{ \"type\": \"service_account\", \"private_key\": \" \", \"client_email\": \"example@iam.gserviceaccount.com\" }`)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.GCSConfig.Credentials.GetStatus())\n\tassert.NotEmpty(t, user.FsConfig.GCSConfig.Credentials.GetPayload())\n\tassert.Empty(t, user.FsConfig.GCSConfig.Credentials.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.GCSConfig.Credentials.GetKey())\n\n\tclient, err := getFTPClient(user, false, nil)\n\tif assert.NoError(t, err) {\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginInvalidFs(t *testing.T) {\n\tu := getTestUser()\n\tu.FsConfig.Provider = sdk.GCSFilesystemProvider\n\tu.FsConfig.GCSConfig.Bucket = \"test\"\n\tu.FsConfig.GCSConfig.Credentials = kms.NewPlainSecret(\"invalid JSON for credentials\")\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tclient, err := getFTPClient(user, false, nil)\n\tif !assert.Error(t, err) {\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestClientClose(t *testing.T) {\n\tu := getTestUser()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\tstats := common.Connections.GetStats(\"\")\n\t\tif assert.Len(t, stats, 1) {\n\t\t\tcommon.Connections.Close(stats[0].ConnectionID, \"\")\n\t\t\tassert.Eventually(t, func() bool { return len(common.Connections.GetStats(\"\")) == 0 },\n\t\t\t\t1*time.Second, 50*time.Millisecond)\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestRename(t *testing.T) {\n\tu := getTestUser()\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tsftpUser, _, err := httpdtest.AddUser(getTestSFTPUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\ttestDir := \"adir\"\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\tclient, err := getFTPClient(user, false, nil)\n\t\tif assert.NoError(t, err) {\n\t\t\terr = checkBasicFTP(client)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.MakeDir(testDir)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.Rename(testFileName, path.Join(\"missing\", testFileName))\n\t\t\tassert.Error(t, err)\n\t\t\terr = client.Rename(testFileName, path.Join(testDir, testFileName))\n\t\t\tassert.NoError(t, err)\n\t\t\tsize, err := client.FileSize(path.Join(testDir, testFileName))\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, testFileSize, size)\n\t\t\tif runtime.GOOS != osWindows {\n\t\t\t\totherDir := \"dir\"\n\t\t\t\terr = client.MakeDir(otherDir)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\terr = client.MakeDir(path.Join(otherDir, testDir))\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tcode, response, err := client.SendCommand(\"SITE CHMOD 0001 %v\", otherDir)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, ftp.StatusCommandOK, code)\n\t\t\t\tassert.Equal(t, \"SITE CHMOD command successful\", response)\n\t\t\t\terr = client.Rename(testDir, path.Join(otherDir, testDir))\n\t\t\t\tassert.Error(t, err)\n\n\t\t\t\tcode, response, err = client.SendCommand(\"SITE CHMOD 755 %v\", otherDir)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, ftp.StatusCommandOK, code)\n\t\t\t\tassert.Equal(t, \"SITE CHMOD command successful\", response)\n\t\t\t}\n\t\t\terr = client.Quit()\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t\tuser.Permissions[path.Join(\"/\", testDir)] = []string{dataprovider.PermListItems}\n\t\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\t\tassert.NoError(t, err)\n\t\tclient, err = getFTPClient(user, false, nil)\n\t\tif assert.NoError(t, err) {\n\t\t\terr = client.Rename(path.Join(testDir, testFileName), testFileName)\n\t\t\tassert.Error(t, err)\n\t\t\terr := client.Quit()\n\t\t\tassert.NoError(t, err)\n\t\t}\n\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\tif user.Username == defaultUsername {\n\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\tassert.NoError(t, err)\n\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tuser.Permissions = make(map[string][]string)\n\t\t\tuser.Permissions[\"/\"] = allPerms\n\t\t\tuser.Password = defaultPassword\n\t\t\tuser.ID = 0\n\t\t\tuser.CreatedAt = 0\n\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\tassert.NoError(t, err, string(resp))\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSymlink(t *testing.T) {\n\tu := getTestUser()\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tsftpUser, _, err := httpdtest.AddUser(getTestSFTPUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(65535)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\tclient, err := getFTPClient(user, false, nil)\n\t\tif assert.NoError(t, err) {\n\t\t\terr = checkBasicFTP(client)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\t\tassert.NoError(t, err)\n\t\t\tcode, _, err := client.SendCommand(\"SITE SYMLINK %v %v\", testFileName, testFileName+\".link\")\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, ftp.StatusCommandOK, code)\n\n\t\t\tif runtime.GOOS != osWindows {\n\t\t\t\ttestDir := \"adir\"\n\t\t\t\totherDir := \"dir\"\n\t\t\t\terr = client.MakeDir(otherDir)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\terr = client.MakeDir(path.Join(otherDir, testDir))\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tcode, response, err := client.SendCommand(\"SITE CHMOD 0001 %v\", otherDir)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, ftp.StatusCommandOK, code)\n\t\t\t\tassert.Equal(t, \"SITE CHMOD command successful\", response)\n\t\t\t\tcode, _, err = client.SendCommand(\"SITE SYMLINK %v %v\", testDir, path.Join(otherDir, testDir))\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, ftp.StatusFileUnavailable, code)\n\n\t\t\t\tcode, response, err = client.SendCommand(\"SITE CHMOD 755 %v\", otherDir)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, ftp.StatusCommandOK, code)\n\t\t\t\tassert.Equal(t, \"SITE CHMOD command successful\", response)\n\t\t\t}\n\t\t\terr = client.Quit()\n\t\t\tassert.NoError(t, err)\n\t\t\tif user.Username == defaultUsername {\n\t\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tuser.Password = defaultPassword\n\t\t\t\tuser.ID = 0\n\t\t\t\tuser.CreatedAt = 0\n\t\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\t\tassert.NoError(t, err, string(resp))\n\t\t\t}\n\t\t}\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestStat(t *testing.T) {\n\tu := getTestUser()\n\tu.Permissions[\"/subdir\"] = []string{dataprovider.PermUpload}\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tsftpUser, _, err := httpdtest.AddUser(getTestSFTPUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\tclient, err := getFTPClient(user, false, nil)\n\t\tif assert.NoError(t, err) {\n\t\t\tsubDir := \"subdir\"\n\t\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\t\ttestFileSize := int64(65535)\n\t\t\terr = createTestFile(testFilePath, testFileSize)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.MakeDir(subDir)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = ftpUploadFile(testFilePath, path.Join(\"/\", subDir, testFileName), testFileSize, client, 0)\n\t\t\tassert.Error(t, err)\n\t\t\tsize, err := client.FileSize(testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, testFileSize, size)\n\t\t\t_, err = client.FileSize(path.Join(\"/\", subDir, testFileName))\n\t\t\tassert.Error(t, err)\n\t\t\t_, err = client.FileSize(\"missing file\")\n\t\t\tassert.Error(t, err)\n\t\t\terr = client.Quit()\n\t\t\tassert.NoError(t, err)\n\n\t\t\terr = os.Remove(testFilePath)\n\t\t\tassert.NoError(t, err)\n\t\t\tif user.Username == defaultUsername {\n\t\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tuser.Password = defaultPassword\n\t\t\t\tuser.ID = 0\n\t\t\t\tuser.CreatedAt = 0\n\t\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\t\tassert.NoError(t, err, string(resp))\n\t\t\t}\n\t\t}\n\t}\n\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestUploadOverwriteVfolder(t *testing.T) {\n\tu := getTestUser()\n\tu.QuotaFiles = 1000\n\tvdir := \"/vdir\"\n\tmappedPath := filepath.Join(os.TempDir(), \"vdir\")\n\tfolderName := filepath.Base(mappedPath)\n\tf := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: mappedPath,\n\t}\n\t_, _, err := httpdtest.AddFolder(f, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: vdir,\n\t\tQuotaSize: -1,\n\t\tQuotaFiles: -1,\n\t})\n\terr = os.MkdirAll(mappedPath, os.ModePerm)\n\tassert.NoError(t, err)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(user, false, nil)\n\tif assert.NoError(t, err) {\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, path.Join(vdir, testFileName), testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\tfolder, _, err := httpdtest.GetFolderByName(folderName, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), folder.UsedQuotaSize)\n\t\tassert.Equal(t, 0, folder.UsedQuotaFiles)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize, user.UsedQuotaSize)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\n\t\terr = ftpUploadFile(testFilePath, path.Join(vdir, testFileName), testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\tfolder, _, err = httpdtest.GetFolderByName(folderName, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), folder.UsedQuotaSize)\n\t\tassert.Equal(t, 0, folder.UsedQuotaFiles)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize, user.UsedQuotaSize)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestTransferQuotaLimits(t *testing.T) {\n\tu := getTestUser()\n\tu.DownloadDataTransfer = 1\n\tu.UploadDataTransfer = 1\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(524288)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(user, false, nil)\n\tif assert.NoError(t, err) {\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), ftpserver.ErrStorageExceeded.Error())\n\t\t}\n\t\terr = ftpDownloadFile(testFileName, localDownloadPath, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\terr = ftpDownloadFile(testFileName, localDownloadPath, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\terr = ftpDownloadFile(testFileName, localDownloadPath, testFileSize, client, 0)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), common.ErrReadQuotaExceeded.Error())\n\t\t}\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\ttestFileSize = int64(600000)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\tuser.DownloadDataTransfer = 2\n\tuser.UploadDataTransfer = 2\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tclient, err = getFTPClient(user, false, nil)\n\tif assert.NoError(t, err) {\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\terr = ftpDownloadFile(testFileName, localDownloadPath, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\terr = ftpDownloadFile(testFileName, localDownloadPath, testFileSize, client, 0)\n\t\tassert.Error(t, err)\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tassert.Error(t, err)\n\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\terr = os.Remove(localDownloadPath)\n\tassert.NoError(t, err)\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestAllocateAvailable(t *testing.T) {\n\tu := getTestUser()\n\tmappedPath := filepath.Join(os.TempDir(), \"vdir\")\n\tfolderName := filepath.Base(mappedPath)\n\tf := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: mappedPath,\n\t}\n\t_, _, err := httpdtest.AddFolder(f, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: \"/vdir\",\n\t\tQuotaSize: 110,\n\t})\n\terr = os.MkdirAll(mappedPath, os.ModePerm)\n\tassert.NoError(t, err)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(user, false, nil)\n\tif assert.NoError(t, err) {\n\t\tcode, response, err := client.SendCommand(\"allo 2000000\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, ftp.StatusCommandOK, code)\n\t\tassert.Equal(t, \"Done !\", response)\n\n\t\tcode, response, err = client.SendCommand(\"AVBL /vdir\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, ftp.StatusFile, code)\n\t\tassert.Equal(t, \"110\", response)\n\n\t\tcode, _, err = client.SendCommand(\"AVBL\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, ftp.StatusFile, code)\n\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\tuser.QuotaSize = 100\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tclient, err = getFTPClient(user, false, nil)\n\tif assert.NoError(t, err) {\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := user.QuotaSize - 1\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\tcode, response, err := client.SendCommand(\"allo 1000\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, ftp.StatusCommandOK, code)\n\t\tassert.Equal(t, \"Done !\", response)\n\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\n\t\tcode, response, err = client.SendCommand(\"AVBL\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, ftp.StatusFile, code)\n\t\tassert.Equal(t, \"1\", response)\n\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\tuser.TotalDataTransfer = 1\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tclient, err = getFTPClient(user, false, nil)\n\tif assert.NoError(t, err) {\n\t\tcode, response, err := client.SendCommand(\"AVBL\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, ftp.StatusFile, code)\n\t\tassert.Equal(t, \"1\", response)\n\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\tuser.TotalDataTransfer = 0\n\tuser.UploadDataTransfer = 5\n\tuser.QuotaSize = 6 * 1024 * 1024\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tclient, err = getFTPClient(user, false, nil)\n\tif assert.NoError(t, err) {\n\t\tcode, response, err := client.SendCommand(\"AVBL\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, ftp.StatusFile, code)\n\t\tassert.Equal(t, \"5242880\", response)\n\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\tuser.TotalDataTransfer = 0\n\tuser.UploadDataTransfer = 5\n\tuser.QuotaSize = 0\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tclient, err = getFTPClient(user, false, nil)\n\tif assert.NoError(t, err) {\n\t\tcode, response, err := client.SendCommand(\"AVBL\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, ftp.StatusFile, code)\n\t\tassert.Equal(t, \"5242880\", response)\n\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\tuser.Filters.MaxUploadFileSize = 100\n\tuser.QuotaSize = 0\n\tuser.TotalDataTransfer = 0\n\tuser.UploadDataTransfer = 0\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tclient, err = getFTPClient(user, false, nil)\n\tif assert.NoError(t, err) {\n\t\tcode, response, err := client.SendCommand(\"allo 10000\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, ftp.StatusCommandOK, code)\n\t\tassert.Equal(t, \"Done !\", response)\n\n\t\tcode, response, err = client.SendCommand(\"AVBL\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, ftp.StatusFile, code)\n\t\tassert.Equal(t, \"100\", response)\n\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\tuser.QuotaSize = 50\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tclient, err = getFTPClient(user, false, nil)\n\tif assert.NoError(t, err) {\n\t\tcode, response, err := client.SendCommand(\"AVBL\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, ftp.StatusFile, code)\n\t\tassert.Equal(t, \"0\", response)\n\t}\n\n\tuser.QuotaSize = 1000\n\tuser.Filters.MaxUploadFileSize = 1\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tclient, err = getFTPClient(user, false, nil)\n\tif assert.NoError(t, err) {\n\t\tcode, response, err := client.SendCommand(\"AVBL\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, ftp.StatusFile, code)\n\t\tassert.Equal(t, \"1\", response)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestAvailableSFTPFs(t *testing.T) {\n\tu := getTestUser()\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tsftpUser, _, err := httpdtest.AddUser(getTestSFTPUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(sftpUser, false, nil)\n\tif assert.NoError(t, err) {\n\t\tcode, response, err := client.SendCommand(\"AVBL /\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, ftp.StatusFile, code)\n\t\tavblSize, err := strconv.ParseInt(response, 10, 64)\n\t\tassert.NoError(t, err)\n\t\tassert.Greater(t, avblSize, int64(0))\n\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestChtimes(t *testing.T) {\n\tu := getTestUser()\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tsftpUser, _, err := httpdtest.AddUser(getTestSFTPUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\tclient, err := getFTPClient(user, false, nil)\n\t\tif assert.NoError(t, err) {\n\t\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\t\ttestFileSize := int64(65535)\n\t\t\terr = createTestFile(testFilePath, testFileSize)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = checkBasicFTP(client)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\t\tassert.NoError(t, err)\n\n\t\t\tmtime := time.Now().Format(\"20060102150405\")\n\t\t\tcode, response, err := client.SendCommand(\"MFMT %v %v\", mtime, testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, ftp.StatusFile, code)\n\t\t\tassert.Equal(t, fmt.Sprintf(\"Modify=%v; %v\", mtime, testFileName), response)\n\t\t\terr = client.Quit()\n\t\t\tassert.NoError(t, err)\n\n\t\t\terr = os.Remove(testFilePath)\n\t\t\tassert.NoError(t, err)\n\t\t\tif user.Username == defaultUsername {\n\t\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tuser.Password = defaultPassword\n\t\t\t\tuser.ID = 0\n\t\t\t\tuser.CreatedAt = 0\n\t\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\t\tassert.NoError(t, err, string(resp))\n\t\t\t}\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestMODEType(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(user, false, nil)\n\tif assert.NoError(t, err) {\n\t\tcode, response, err := client.SendCommand(\"MODE s\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, ftp.StatusNotImplementedParameter, code)\n\t\tassert.Equal(t, \"Unsupported mode\", response)\n\t\tcode, response, err = client.SendCommand(\"MODE S\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, ftp.StatusCommandOK, code)\n\t\tassert.Equal(t, \"Using stream mode\", response)\n\n\t\tcode, _, err = client.SendCommand(\"MODE Z\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, ftp.StatusNotImplementedParameter, code)\n\n\t\tcode, _, err = client.SendCommand(\"MODE SS\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, ftp.StatusNotImplementedParameter, code)\n\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSTAT(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(user, false, nil)\n\tif assert.NoError(t, err) {\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(131072)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\ttestDir := \"testdir\"\n\t\terr = client.MakeDir(testDir)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, path.Join(testDir, testFileName), testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, path.Join(testDir, testFileName+\"_1\"), testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\tcode, response, err := client.SendCommand(\"STAT %s\", testDir)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, ftp.StatusDirectory, code)\n\t\tassert.Contains(t, response, fmt.Sprintf(\"STAT %s\", testDir))\n\t\tassert.Contains(t, response, testFileName)\n\t\tassert.Contains(t, response, testFileName+\"_1\")\n\t\tassert.Contains(t, response, \"End\")\n\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestChown(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"chown is not supported on Windows\")\n\t}\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(user, true, nil)\n\tif assert.NoError(t, err) {\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(131072)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\tcode, response, err := client.SendCommand(\"SITE CHOWN 1000:1000 %v\", testFileName)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, ftp.StatusFileUnavailable, code)\n\t\tassert.Equal(t, \"Couldn't chown: operation unsupported\", response)\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestChmod(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"chmod is partially supported on Windows\")\n\t}\n\tu := getTestUser()\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tsftpUser, _, err := httpdtest.AddUser(getTestSFTPUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\tclient, err := getFTPClient(user, true, nil)\n\t\tif assert.NoError(t, err) {\n\t\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\t\ttestFileSize := int64(131072)\n\t\t\terr = createTestFile(testFilePath, testFileSize)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = checkBasicFTP(client)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\t\tassert.NoError(t, err)\n\n\t\t\tcode, response, err := client.SendCommand(\"SITE CHMOD 600 %v\", testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, ftp.StatusCommandOK, code)\n\t\t\tassert.Equal(t, \"SITE CHMOD command successful\", response)\n\n\t\t\tfi, err := os.Stat(filepath.Join(user.HomeDir, testFileName))\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\tassert.Equal(t, os.FileMode(0600), fi.Mode().Perm())\n\t\t\t}\n\t\t\terr = client.Quit()\n\t\t\tassert.NoError(t, err)\n\n\t\t\terr = os.Remove(testFilePath)\n\t\t\tassert.NoError(t, err)\n\t\t\tif user.Username == defaultUsername {\n\t\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tuser.Password = defaultPassword\n\t\t\t\tuser.ID = 0\n\t\t\t\tuser.CreatedAt = 0\n\t\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\t\tassert.NoError(t, err, string(resp))\n\t\t\t}\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestCombineDisabled(t *testing.T) {\n\tu := getTestUser()\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tsftpUser, _, err := httpdtest.AddUser(getTestSFTPUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\tclient, err := getFTPClient(user, true, nil)\n\t\tif assert.NoError(t, err) {\n\t\t\terr = checkBasicFTP(client)\n\t\t\tassert.NoError(t, err)\n\n\t\t\tcode, response, err := client.SendCommand(\"COMB file file.1 file.2\")\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, ftp.StatusNotImplemented, code)\n\t\t\tassert.Equal(t, \"COMB support is disabled\", response)\n\n\t\t\terr = client.Quit()\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t}\n\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestActiveModeDisabled(t *testing.T) {\n\tu := getTestUser()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient, err := getFTPClientImplicitTLS(user)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\tcode, response, err := client.SendCommand(\"PORT 10,2,0,2,4,31\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, ftp.StatusNotAvailable, code)\n\t\tassert.Equal(t, \"PORT command is disabled\", response)\n\n\t\tcode, response, err = client.SendCommand(\"EPRT |1|132.235.1.2|6275|\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, ftp.StatusNotAvailable, code)\n\t\tassert.Equal(t, \"EPRT command is disabled\", response)\n\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\tclient, err = getFTPClient(user, false, nil)\n\tif assert.NoError(t, err) {\n\t\tcode, response, err := client.SendCommand(\"PORT 10,2,0,2,4,31\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, ftp.StatusBadArguments, code)\n\t\tassert.Equal(t, \"Your request does not meet the configured security requirements\", response)\n\n\t\tcode, response, err = client.SendCommand(\"EPRT |1|132.235.1.2|6275|\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, ftp.StatusBadArguments, code)\n\t\tassert.Equal(t, \"Your request does not meet the configured security requirements\", response)\n\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSITEDisabled(t *testing.T) {\n\tu := getTestUser()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient, err := getFTPClientImplicitTLS(user)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\n\t\tcode, response, err := client.SendCommand(\"SITE CHMOD 600 afile.txt\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, ftp.StatusBadCommand, code)\n\t\tassert.Equal(t, \"SITE support is disabled\", response)\n\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestHASH(t *testing.T) {\n\tu := getTestUser()\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tsftpUser, _, err := httpdtest.AddUser(getTestSFTPUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestUserWithCryptFs()\n\tu.Username += \"_crypt\"\n\tcryptUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser, cryptUser} {\n\t\tclient, err := getFTPClientImplicitTLS(user)\n\t\tif assert.NoError(t, err) {\n\t\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\t\ttestFileSize := int64(131072)\n\t\t\terr = createTestFile(testFilePath, testFileSize)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = checkBasicFTP(client)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\t\tassert.NoError(t, err)\n\n\t\t\th := sha256.New()\n\t\t\tf, err := os.Open(testFilePath)\n\t\t\tassert.NoError(t, err)\n\t\t\t_, err = io.Copy(h, f)\n\t\t\tassert.NoError(t, err)\n\t\t\thash := hex.EncodeToString(h.Sum(nil))\n\t\t\terr = f.Close()\n\t\t\tassert.NoError(t, err)\n\n\t\t\tcode, response, err := client.SendCommand(\"XSHA256 %v\", testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, ftp.StatusRequestedFileActionOK, code)\n\t\t\tassert.Contains(t, response, hash)\n\n\t\t\tcode, response, err = client.SendCommand(\"HASH %v\", testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, ftp.StatusFile, code)\n\t\t\tassert.Contains(t, response, hash)\n\n\t\t\terr = client.Quit()\n\t\t\tassert.NoError(t, err)\n\n\t\t\terr = os.Remove(testFilePath)\n\t\t\tassert.NoError(t, err)\n\t\t\tif user.Username == defaultUsername {\n\t\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tuser.Password = defaultPassword\n\t\t\t\tuser.ID = 0\n\t\t\t\tuser.CreatedAt = 0\n\t\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\t\tassert.NoError(t, err, string(resp))\n\t\t\t}\n\t\t}\n\t}\n\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(cryptUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(cryptUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestCombine(t *testing.T) {\n\tu := getTestUser()\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tsftpUser, _, err := httpdtest.AddUser(getTestSFTPUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\tclient, err := getFTPClientImplicitTLS(user)\n\t\tif assert.NoError(t, err) {\n\t\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\t\ttestFileSize := int64(131072)\n\t\t\terr = createTestFile(testFilePath, testFileSize)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = checkBasicFTP(client)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = ftpUploadFile(testFilePath, testFileName+\".1\", testFileSize, client, 0)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = ftpUploadFile(testFilePath, testFileName+\".2\", testFileSize, client, 0)\n\t\t\tassert.NoError(t, err)\n\n\t\t\tcode, response, err := client.SendCommand(\"COMB %v %v %v\", testFileName, testFileName+\".1\", testFileName+\".2\")\n\t\t\tassert.NoError(t, err)\n\t\t\tif user.Username == defaultUsername {\n\t\t\t\tassert.Equal(t, ftp.StatusRequestedFileActionOK, code)\n\t\t\t\tassert.Equal(t, \"COMB succeeded!\", response)\n\t\t\t} else {\n\t\t\t\tassert.Equal(t, ftp.StatusFileUnavailable, code)\n\t\t\t\tassert.Contains(t, response, \"COMB is not supported for this filesystem\")\n\t\t\t}\n\n\t\t\terr = client.Quit()\n\t\t\tassert.NoError(t, err)\n\n\t\t\terr = os.Remove(testFilePath)\n\t\t\tassert.NoError(t, err)\n\t\t\tif user.Username == defaultUsername {\n\t\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tuser.Password = defaultPassword\n\t\t\t\tuser.ID = 0\n\t\t\t\tuser.CreatedAt = 0\n\t\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\t\tassert.NoError(t, err, string(resp))\n\t\t\t}\n\t\t}\n\t}\n\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestClientCertificateAuthRevokedCert(t *testing.T) {\n\tu := getTestUser()\n\tu.Username = tlsClient2Username\n\tu.Filters.TLSUsername = sdk.TLSUsernameCN\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttlsConfig := &tls.Config{\n\t\tServerName: \"localhost\",\n\t\tInsecureSkipVerify: true, // use this for tests only\n\t\tMinVersion: tls.VersionTLS12,\n\t\tClientSessionCache: tls.NewLRUClientSessionCache(0),\n\t}\n\ttlsCert, err := tls.X509KeyPair([]byte(client2Crt), []byte(client2Key))\n\tassert.NoError(t, err)\n\ttlsConfig.Certificates = append(tlsConfig.Certificates, tlsCert)\n\t_, err = getFTPClientWithSessionReuse(user, tlsConfig)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"bad certificate\")\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestClientCertificateAuth(t *testing.T) {\n\tu := getTestUser()\n\tu.Username = tlsClient1Username\n\tu.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodPassword}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttlsConfig := &tls.Config{\n\t\tServerName: \"localhost\",\n\t\tInsecureSkipVerify: true, // use this for tests only\n\t\tMinVersion: tls.VersionTLS12,\n\t}\n\ttlsCert, err := tls.X509KeyPair([]byte(client1Crt), []byte(client1Key))\n\tassert.NoError(t, err)\n\ttlsConfig.Certificates = append(tlsConfig.Certificates, tlsCert)\n\t// TLS username is not enabled, mutual TLS should fail\n\t_, err = getFTPClient(user, true, tlsConfig)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"login method password is not allowed\")\n\t}\n\n\tuser.Filters.TLSUsername = sdk.TLSUsernameCN\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(user, true, tlsConfig)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\t// now use a valid certificate with a CN different from username\n\tu = getTestUser()\n\tu.Username = tlsClient2Username\n\tu.Filters.TLSUsername = sdk.TLSUsernameCN\n\tu.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodPassword}\n\tuser2, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\t_, err = getFTPClient(user2, true, tlsConfig)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"does not match username\")\n\t}\n\t// add the certs to the user\n\tuser2.Filters.TLSUsername = sdk.TLSUsernameNone\n\tuser2.Filters.TLSCerts = []string{client2Crt, client1Crt}\n\tuser2, _, err = httpdtest.UpdateUser(user2, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tclient, err = getFTPClient(user2, true, tlsConfig)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\tuser2.Filters.TLSCerts = []string{client2Crt}\n\tuser2, _, err = httpdtest.UpdateUser(user2, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\t_, err = getFTPClient(user2, true, tlsConfig)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"TLS certificate is not valid\")\n\t}\n\n\t// now disable certificate authentication\n\tuser.Filters.DeniedLoginMethods = append(user.Filters.DeniedLoginMethods, dataprovider.LoginMethodTLSCertificate,\n\t\tdataprovider.LoginMethodTLSCertificateAndPwd)\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\t_, err = getFTPClient(user, true, tlsConfig)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"login method TLSCertificate+password is not allowed\")\n\t}\n\n\t// disable FTP protocol\n\tuser.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodPassword}\n\tuser.Filters.DeniedProtocols = append(user.Filters.DeniedProtocols, common.ProtocolFTP)\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\t_, err = getFTPClient(user, true, tlsConfig)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"protocol FTP is not allowed\")\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveUser(user2, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user2.GetHomeDir())\n\tassert.NoError(t, err)\n\n\t_, err = getFTPClient(user, true, tlsConfig)\n\tassert.Error(t, err)\n}\n\nfunc TestClientCertificateAndPwdAuth(t *testing.T) {\n\tu := getTestUser()\n\tu.Username = tlsClient1Username\n\tu.Filters.TLSUsername = sdk.TLSUsernameCN\n\tu.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodPassword, dataprovider.LoginMethodTLSCertificate}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttlsConfig := &tls.Config{\n\t\tServerName: \"localhost\",\n\t\tInsecureSkipVerify: true, // use this for tests only\n\t\tMinVersion: tls.VersionTLS12,\n\t}\n\ttlsCert, err := tls.X509KeyPair([]byte(client1Crt), []byte(client1Key))\n\tassert.NoError(t, err)\n\ttlsConfig.Certificates = append(tlsConfig.Certificates, tlsCert)\n\tclient, err := getFTPClient(user, true, tlsConfig)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = getFTPClient(user, true, nil)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"login method password is not allowed\")\n\t}\n\tuser.Password = defaultPassword + \"1\"\n\t_, err = getFTPClient(user, true, tlsConfig)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"invalid credentials\")\n\t}\n\n\ttlsCert, err = tls.X509KeyPair([]byte(client2Crt), []byte(client2Key))\n\tassert.NoError(t, err)\n\ttlsConfig.Certificates = []tls.Certificate{tlsCert}\n\t_, err = getFTPClient(user, true, tlsConfig)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"bad certificate\")\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestExternalAuthWithClientCert(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tu := getTestUser()\n\tu.Username = tlsClient1Username\n\tu.Filters.DeniedLoginMethods = append(u.Filters.DeniedLoginMethods, dataprovider.LoginMethodPassword)\n\tu.Filters.TLSUsername = sdk.TLSUsernameCN\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = os.WriteFile(extAuthPath, getExtAuthScriptContent(u), os.ModePerm)\n\tassert.NoError(t, err)\n\tproviderConf.ExternalAuthHook = extAuthPath\n\tproviderConf.ExternalAuthScope = 8\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\t// external auth not called, auth scope is 8\n\t_, err = getFTPClient(u, true, nil)\n\tassert.Error(t, err)\n\t_, _, err = httpdtest.GetUserByUsername(u.Username, http.StatusNotFound)\n\tassert.NoError(t, err)\n\n\ttlsConfig := &tls.Config{\n\t\tServerName: \"localhost\",\n\t\tInsecureSkipVerify: true, // use this for tests only\n\t\tMinVersion: tls.VersionTLS12,\n\t}\n\ttlsCert, err := tls.X509KeyPair([]byte(client1Crt), []byte(client1Key))\n\tassert.NoError(t, err)\n\ttlsConfig.Certificates = append(tlsConfig.Certificates, tlsCert)\n\tclient, err := getFTPClient(u, true, tlsConfig)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\tuser, _, err := httpdtest.GetUserByUsername(u.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, u.Username, user.Username)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tu.Username = tlsClient2Username\n\t_, err = getFTPClient(u, true, tlsConfig)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"invalid credentials\")\n\t}\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = os.Remove(extAuthPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestPreLoginHookWithClientCert(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tu := getTestUser()\n\tu.Username = tlsClient1Username\n\tu.Filters.DeniedLoginMethods = append(u.Filters.DeniedLoginMethods, dataprovider.LoginMethodPassword)\n\tu.Filters.TLSUsername = sdk.TLSUsernameCN\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = os.WriteFile(preLoginPath, getPreLoginScriptContent(u, false), os.ModePerm)\n\tassert.NoError(t, err)\n\tproviderConf.PreLoginHook = preLoginPath\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetUserByUsername(tlsClient1Username, http.StatusNotFound)\n\tassert.NoError(t, err)\n\ttlsConfig := &tls.Config{\n\t\tServerName: \"localhost\",\n\t\tInsecureSkipVerify: true, // use this for tests only\n\t\tMinVersion: tls.VersionTLS12,\n\t}\n\ttlsCert, err := tls.X509KeyPair([]byte(client1Crt), []byte(client1Key))\n\tassert.NoError(t, err)\n\ttlsConfig.Certificates = append(tlsConfig.Certificates, tlsCert)\n\tclient, err := getFTPClient(u, true, tlsConfig)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\tuser, _, err := httpdtest.GetUserByUsername(tlsClient1Username, http.StatusOK)\n\tassert.NoError(t, err)\n\n\t// test login with an existing user\n\tclient, err = getFTPClient(user, true, tlsConfig)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\terr := client.Quit()\n\t\tassert.NoError(t, err)\n\t}\n\n\tu.Username = tlsClient2Username\n\terr = os.WriteFile(preLoginPath, getPreLoginScriptContent(u, false), os.ModePerm)\n\tassert.NoError(t, err)\n\t_, err = getFTPClient(u, true, tlsConfig)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"does not match username\")\n\t}\n\n\tuser2, _, err := httpdtest.GetUserByUsername(tlsClient2Username, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user2, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user2.GetHomeDir())\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = os.Remove(preLoginPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestNestedVirtualFolders(t *testing.T) {\n\tu := getTestUser()\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser()\n\tmappedPathCrypt := filepath.Join(os.TempDir(), \"crypt\")\n\tfolderNameCrypt := filepath.Base(mappedPathCrypt)\n\tvdirCryptPath := \"/vdir/crypt\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderNameCrypt,\n\t\t},\n\t\tVirtualPath: vdirCryptPath,\n\t})\n\tmappedPath := filepath.Join(os.TempDir(), \"local\")\n\tfolderName := filepath.Base(mappedPath)\n\tvdirPath := \"/vdir/local\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: vdirPath,\n\t})\n\tmappedPathNested := filepath.Join(os.TempDir(), \"nested\")\n\tfolderNameNested := filepath.Base(mappedPathNested)\n\tvdirNestedPath := \"/vdir/crypt/nested\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderNameNested,\n\t\t},\n\t\tVirtualPath: vdirNestedPath,\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderNameCrypt,\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.CryptedFilesystemProvider,\n\t\t\tCryptConfig: vfs.CryptFsConfig{\n\t\t\t\tPassphrase: kms.NewPlainSecret(defaultPassword),\n\t\t\t},\n\t\t},\n\t\tMappedPath: mappedPathCrypt,\n\t}\n\t_, _, err = httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: mappedPath,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf3 := vfs.BaseVirtualFolder{\n\t\tName: folderNameNested,\n\t\tMappedPath: mappedPathNested,\n\t}\n\t_, _, err = httpdtest.AddFolder(f3, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient, err := getFTPClient(sftpUser, false, nil)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicFTP(client)\n\t\tassert.NoError(t, err)\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\n\t\terr = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\terr = ftpDownloadFile(testFileName, localDownloadPath, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, path.Join(\"/vdir\", testFileName), testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\terr = ftpDownloadFile(path.Join(\"/vdir\", testFileName), localDownloadPath, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, path.Join(vdirPath, testFileName), testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\terr = ftpDownloadFile(path.Join(vdirPath, testFileName), localDownloadPath, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, path.Join(vdirCryptPath, testFileName), testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\terr = ftpDownloadFile(path.Join(vdirCryptPath, testFileName), localDownloadPath, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\terr = ftpUploadFile(testFilePath, path.Join(vdirNestedPath, testFileName), testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\t\terr = ftpDownloadFile(path.Join(vdirNestedPath, testFileName), localDownloadPath, testFileSize, client, 0)\n\t\tassert.NoError(t, err)\n\n\t\terr = client.Quit()\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderNameCrypt}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderNameNested}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPathCrypt)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPathNested)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool { return len(common.Connections.GetStats(\"\")) == 0 }, 1*time.Second, 50*time.Millisecond)\n\tassert.Eventually(t, func() bool { return common.Connections.GetClientConnections() == 0 }, 1000*time.Millisecond,\n\t\t50*time.Millisecond)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n}\n\nfunc checkBasicFTP(client *ftp.ServerConn) error {\n\t_, err := client.CurrentDir()\n\tif err != nil {\n\t\treturn err\n\t}\n\terr = client.NoOp()\n\tif err != nil {\n\t\treturn err\n\t}\n\t_, err = client.List(\".\")\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn nil\n}\n\nfunc ftpUploadFile(localSourcePath string, remoteDestPath string, expectedSize int64, client *ftp.ServerConn, offset uint64) error {\n\tsrcFile, err := os.Open(localSourcePath)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer srcFile.Close()\n\tif offset > 0 {\n\t\terr = client.StorFrom(remoteDestPath, srcFile, offset)\n\t} else {\n\t\terr = client.Stor(remoteDestPath, srcFile)\n\t}\n\tif err != nil {\n\t\treturn err\n\t}\n\tif expectedSize > 0 {\n\t\tsize, err := client.FileSize(remoteDestPath)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif size != expectedSize {\n\t\t\treturn fmt.Errorf(\"uploaded file size does not match, actual: %v, expected: %v\", size, expectedSize)\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc ftpDownloadFile(remoteSourcePath string, localDestPath string, expectedSize int64, client *ftp.ServerConn, offset uint64) error {\n\tdownloadDest, err := os.Create(localDestPath)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer downloadDest.Close()\n\tvar r *ftp.Response\n\tif offset > 0 {\n\t\tr, err = client.RetrFrom(remoteSourcePath, offset)\n\t} else {\n\t\tr, err = client.Retr(remoteSourcePath)\n\t}\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer r.Close()\n\n\twritten, err := io.Copy(downloadDest, r)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif written != expectedSize {\n\t\treturn fmt.Errorf(\"downloaded file size does not match, actual: %v, expected: %v\", written, expectedSize)\n\t}\n\treturn nil\n}\n\nfunc getFTPClientImplicitTLS(user dataprovider.User) (*ftp.ServerConn, error) {\n\tftpOptions := []ftp.DialOption{ftp.DialWithTimeout(5 * time.Second)}\n\ttlsConfig := &tls.Config{\n\t\tServerName: \"localhost\",\n\t\tInsecureSkipVerify: true, // use this for tests only\n\t\tMinVersion: tls.VersionTLS12,\n\t}\n\tftpOptions = append(ftpOptions, ftp.DialWithTLS(tlsConfig))\n\tftpOptions = append(ftpOptions, ftp.DialWithDisabledEPSV(true))\n\tclient, err := ftp.Dial(ftpSrvAddrTLS, ftpOptions...)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tpwd := defaultPassword\n\tif user.Password != \"\" {\n\t\tpwd = user.Password\n\t}\n\terr = client.Login(user.Username, pwd)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn client, err\n}\n\nfunc getFTPClientWithSessionReuse(user dataprovider.User, tlsConfig *tls.Config, dialOptions ...ftp.DialOption,\n) (*ftp.ServerConn, error) {\n\tftpOptions := []ftp.DialOption{ftp.DialWithTimeout(5 * time.Second)}\n\tftpOptions = append(ftpOptions, dialOptions...)\n\tif tlsConfig == nil {\n\t\ttlsConfig = &tls.Config{\n\t\t\tServerName: \"localhost\",\n\t\t\tInsecureSkipVerify: true, // use this for tests only\n\t\t\tMinVersion: tls.VersionTLS12,\n\t\t\tClientSessionCache: tls.NewLRUClientSessionCache(0),\n\t\t}\n\t}\n\tftpOptions = append(ftpOptions, ftp.DialWithExplicitTLS(tlsConfig))\n\tclient, err := ftp.Dial(ftpSrvAddrTLSResumption, ftpOptions...)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tpwd := defaultPassword\n\tif user.Password != \"\" {\n\t\tif user.Password == emptyPwdPlaceholder {\n\t\t\tpwd = \"\"\n\t\t} else {\n\t\t\tpwd = user.Password\n\t\t}\n\t}\n\terr = client.Login(user.Username, pwd)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn client, err\n}\n\nfunc getFTPClient(user dataprovider.User, useTLS bool, tlsConfig *tls.Config, dialOptions ...ftp.DialOption,\n) (*ftp.ServerConn, error) {\n\tftpOptions := []ftp.DialOption{ftp.DialWithTimeout(5 * time.Second)}\n\tftpOptions = append(ftpOptions, dialOptions...)\n\tif useTLS {\n\t\tif tlsConfig == nil {\n\t\t\ttlsConfig = &tls.Config{\n\t\t\t\tServerName: \"localhost\",\n\t\t\t\tInsecureSkipVerify: true, // use this for tests only\n\t\t\t\tMinVersion: tls.VersionTLS12,\n\t\t\t}\n\t\t}\n\t\tftpOptions = append(ftpOptions, ftp.DialWithExplicitTLS(tlsConfig))\n\t}\n\tclient, err := ftp.Dial(ftpServerAddr, ftpOptions...)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tpwd := defaultPassword\n\tif user.Password != \"\" {\n\t\tif user.Password == emptyPwdPlaceholder {\n\t\t\tpwd = \"\"\n\t\t} else {\n\t\t\tpwd = user.Password\n\t\t}\n\t}\n\terr = client.Login(user.Username, pwd)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn client, err\n}\n\nfunc waitTCPListening(address string) {\n\tfor {\n\t\tconn, err := net.Dial(\"tcp\", address)\n\t\tif err != nil {\n\t\t\tlogger.WarnToConsole(\"tcp server %v not listening: %v\", address, err)\n\t\t\ttime.Sleep(100 * time.Millisecond)\n\t\t\tcontinue\n\t\t}\n\t\tlogger.InfoToConsole(\"tcp server %v now listening\", address)\n\t\tconn.Close()\n\t\tbreak\n\t}\n}\n\nfunc waitNoConnections() {\n\ttime.Sleep(50 * time.Millisecond)\n\tfor len(common.Connections.GetStats(\"\")) > 0 {\n\t\ttime.Sleep(50 * time.Millisecond)\n\t}\n}\n\nfunc getTestGroup() dataprovider.Group {\n\treturn dataprovider.Group{\n\t\tBaseGroup: sdk.BaseGroup{\n\t\t\tName: \"test_group\",\n\t\t\tDescription: \"test group description\",\n\t\t},\n\t}\n}\n\nfunc getTestUser() dataprovider.User {\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: defaultUsername,\n\t\t\tPassword: defaultPassword,\n\t\t\tHomeDir: filepath.Join(homeBasePath, defaultUsername),\n\t\t\tStatus: 1,\n\t\t\tExpirationDate: 0,\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = allPerms\n\treturn user\n}\n\nfunc getTestSFTPUser() dataprovider.User {\n\tu := getTestUser()\n\tu.Username = u.Username + \"_sftp\"\n\tu.FsConfig.Provider = sdk.SFTPFilesystemProvider\n\tu.FsConfig.SFTPConfig.Endpoint = sftpServerAddr\n\tu.FsConfig.SFTPConfig.Username = defaultUsername\n\tu.FsConfig.SFTPConfig.Password = kms.NewPlainSecret(defaultPassword)\n\treturn u\n}\n\nfunc getTestUserWithHTTPFs() dataprovider.User {\n\tu := getTestUser()\n\tu.FsConfig.Provider = sdk.HTTPFilesystemProvider\n\tu.FsConfig.HTTPConfig = vfs.HTTPFsConfig{\n\t\tBaseHTTPFsConfig: sdk.BaseHTTPFsConfig{\n\t\t\tEndpoint: fmt.Sprintf(\"http://127.0.0.1:%d/api/v1\", httpFsPort),\n\t\t\tUsername: defaultHTTPFsUsername,\n\t\t},\n\t}\n\treturn u\n}\n\nfunc getExtAuthScriptContent(user dataprovider.User) []byte {\n\textAuthContent := []byte(\"#!/bin/sh\\n\\n\")\n\textAuthContent = append(extAuthContent, []byte(fmt.Sprintf(\"if test \\\"$SFTPGO_AUTHD_USERNAME\\\" = \\\"%v\\\"; then\\n\", user.Username))...)\n\tu, _ := json.Marshal(user)\n\textAuthContent = append(extAuthContent, []byte(fmt.Sprintf(\"echo '%v'\\n\", string(u)))...)\n\textAuthContent = append(extAuthContent, []byte(\"else\\n\")...)\n\textAuthContent = append(extAuthContent, []byte(\"echo '{\\\"username\\\":\\\"\\\"}'\\n\")...)\n\textAuthContent = append(extAuthContent, []byte(\"fi\\n\")...)\n\treturn extAuthContent\n}\n\nfunc getPreLoginScriptContent(user dataprovider.User, nonJSONResponse bool) []byte {\n\tcontent := []byte(\"#!/bin/sh\\n\\n\")\n\tif nonJSONResponse {\n\t\tcontent = append(content, []byte(\"echo 'text response'\\n\")...)\n\t\treturn content\n\t}\n\tif len(user.Username) > 0 {\n\t\tu, _ := json.Marshal(user)\n\t\tcontent = append(content, []byte(fmt.Sprintf(\"echo '%v'\\n\", string(u)))...)\n\t}\n\treturn content\n}\n\nfunc getSftpClient(user dataprovider.User) (*ssh.Client, *sftp.Client, error) {\n\tvar sftpClient *sftp.Client\n\tconfig := &ssh.ClientConfig{\n\t\tUser: user.Username,\n\t\tHostKeyCallback: ssh.InsecureIgnoreHostKey(),\n\t\tTimeout: 5 * time.Second,\n\t}\n\tif user.Password != \"\" {\n\t\tconfig.Auth = []ssh.AuthMethod{ssh.Password(user.Password)}\n\t} else {\n\t\tconfig.Auth = []ssh.AuthMethod{ssh.Password(defaultPassword)}\n\t}\n\n\tconn, err := ssh.Dial(\"tcp\", sftpServerAddr, config)\n\tif err != nil {\n\t\treturn conn, sftpClient, err\n\t}\n\tsftpClient, err = sftp.NewClient(conn)\n\tif err != nil {\n\t\tconn.Close()\n\t}\n\treturn conn, sftpClient, err\n}\n\nfunc getExitCodeScriptContent(exitCode int) []byte {\n\tcontent := []byte(\"#!/bin/sh\\n\\n\")\n\tcontent = append(content, []byte(fmt.Sprintf(\"exit %v\", exitCode))...)\n\treturn content\n}\n\nfunc createTestFile(path string, size int64) error {\n\tbaseDir := filepath.Dir(path)\n\tif _, err := os.Stat(baseDir); errors.Is(err, fs.ErrNotExist) {\n\t\terr = os.MkdirAll(baseDir, os.ModePerm)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tcontent := make([]byte, size)\n\t_, err := rand.Read(content)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn os.WriteFile(path, content, os.ModePerm)\n}\n\nfunc writeCerts(certPath, keyPath, caCrtPath, caCRLPath string) error {\n\terr := os.WriteFile(certPath, []byte(ftpsCert), os.ModePerm)\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error writing FTPS certificate: %v\", err)\n\t\treturn err\n\t}\n\terr = os.WriteFile(keyPath, []byte(ftpsKey), os.ModePerm)\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error writing FTPS private key: %v\", err)\n\t\treturn err\n\t}\n\terr = os.WriteFile(caCrtPath, []byte(caCRT), os.ModePerm)\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error writing FTPS CA crt: %v\", err)\n\t\treturn err\n\t}\n\terr = os.WriteFile(caCRLPath, []byte(caCRL), os.ModePerm)\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error writing FTPS CRL: %v\", err)\n\t\treturn err\n\t}\n\treturn nil\n}\n\nfunc generateTOTPPasscode(secret string, algo otp.Algorithm) (string, error) {\n\treturn totp.GenerateCodeCustom(secret, time.Now(), totp.ValidateOpts{\n\t\tPeriod: 30,\n\t\tSkew: 1,\n\t\tDigits: otp.DigitsSix,\n\t\tAlgorithm: algo,\n\t})\n}\n\nfunc startHTTPFs() {\n\tgo func() {\n\t\tif err := httpdtest.StartTestHTTPFs(httpFsPort, nil); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start HTTPfs test server: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}()\n\twaitTCPListening(fmt.Sprintf(\":%d\", httpFsPort))\n}\n" }, { "path": "internal/ftpd/handler.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage ftpd\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"path\"\n\t\"strings\"\n\t\"time\"\n\n\tftpserver \"github.com/fclairamb/ftpserverlib\"\n\t\"github.com/spf13/afero\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nvar (\n\terrNotImplemented = errors.New(\"not implemented\")\n\terrCOMBNotSupported = errors.New(\"COMB is not supported for this filesystem\")\n)\n\n// Connection details for an FTP connection.\n// It implements common.ActiveConnection and ftpserver.ClientDriver interfaces\ntype Connection struct {\n\t*common.BaseConnection\n\tclientContext ftpserver.ClientContext\n\tdoWildcardListDir bool\n}\n\nfunc (c *Connection) getFTPMode() string {\n\tif c.clientContext == nil {\n\t\treturn \"\"\n\t}\n\tswitch c.clientContext.GetLastDataChannel() {\n\tcase ftpserver.DataChannelActive:\n\t\treturn \"active\"\n\tcase ftpserver.DataChannelPassive:\n\t\treturn \"passive\"\n\t}\n\treturn \"\"\n}\n\n// GetClientVersion returns the connected client's version.\n// It returns \"Unknown\" if the client does not advertise its\n// version\nfunc (c *Connection) GetClientVersion() string {\n\tversion := c.clientContext.GetClientVersion()\n\tif len(version) > 0 {\n\t\treturn version\n\t}\n\treturn \"Unknown\"\n}\n\n// GetLocalAddress returns local connection address\nfunc (c *Connection) GetLocalAddress() string {\n\treturn c.clientContext.LocalAddr().String()\n}\n\n// GetRemoteAddress returns the connected client's address\nfunc (c *Connection) GetRemoteAddress() string {\n\treturn c.clientContext.RemoteAddr().String()\n}\n\n// Disconnect disconnects the client\nfunc (c *Connection) Disconnect() error {\n\treturn c.clientContext.Close()\n}\n\n// GetCommand returns the last received FTP command\nfunc (c *Connection) GetCommand() string {\n\treturn c.clientContext.GetLastCommand()\n}\n\n// Create is not implemented we use ClientDriverExtentionFileTransfer\nfunc (c *Connection) Create(_ string) (afero.File, error) {\n\treturn nil, errNotImplemented\n}\n\n// Mkdir creates a directory using the connection filesystem\nfunc (c *Connection) Mkdir(name string, _ os.FileMode) error {\n\tc.UpdateLastActivity()\n\tname = util.CleanPath(name)\n\n\treturn c.CreateDir(name, true)\n}\n\n// MkdirAll is not implemented, we don't need it\nfunc (c *Connection) MkdirAll(_ string, _ os.FileMode) error {\n\treturn errNotImplemented\n}\n\n// Open is not implemented we use ClientDriverExtentionFileTransfer and ClientDriverExtensionFileList\nfunc (c *Connection) Open(_ string) (afero.File, error) {\n\treturn nil, errNotImplemented\n}\n\n// OpenFile is not implemented we use ClientDriverExtentionFileTransfer\nfunc (c *Connection) OpenFile(_ string, _ int, _ os.FileMode) (afero.File, error) {\n\treturn nil, errNotImplemented\n}\n\n// Remove removes a file.\n// We implements ClientDriverExtensionRemoveDir for directories\nfunc (c *Connection) Remove(name string) error {\n\tc.UpdateLastActivity()\n\tname = util.CleanPath(name)\n\n\tfs, p, err := c.GetFsAndResolvedPath(name)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tvar fi os.FileInfo\n\tif fi, err = fs.Lstat(p); err != nil {\n\t\tc.Log(logger.LevelError, \"failed to remove file %q: stat error: %+v\", p, err)\n\t\treturn c.GetFsError(fs, err)\n\t}\n\n\tif fi.IsDir() && fi.Mode()&os.ModeSymlink == 0 {\n\t\tc.Log(logger.LevelError, \"cannot remove %q is not a file/symlink\", p)\n\t\treturn c.GetGenericError(nil)\n\t}\n\treturn c.RemoveFile(fs, p, name, fi)\n}\n\n// RemoveAll is not implemented, we don't need it\nfunc (c *Connection) RemoveAll(_ string) error {\n\treturn errNotImplemented\n}\n\n// Rename renames a file or a directory\nfunc (c *Connection) Rename(oldname, newname string) error {\n\tc.UpdateLastActivity()\n\toldname = util.CleanPath(oldname)\n\tnewname = util.CleanPath(newname)\n\n\treturn c.BaseConnection.Rename(oldname, newname)\n}\n\n// Stat returns a FileInfo describing the named file/directory, or an error,\n// if any happens\nfunc (c *Connection) Stat(name string) (os.FileInfo, error) {\n\tc.UpdateLastActivity()\n\tname = util.CleanPath(name)\n\tc.doWildcardListDir = false\n\n\tif !c.User.HasPerm(dataprovider.PermListItems, path.Dir(name)) {\n\t\treturn nil, c.GetPermissionDeniedError()\n\t}\n\n\tfi, err := c.DoStat(name, 0, true)\n\tif err != nil {\n\t\tif c.isListDirWithWildcards(path.Base(name)) {\n\t\t\tc.doWildcardListDir = true\n\t\t\treturn vfs.NewFileInfo(name, true, 0, time.Unix(0, 0), false), nil\n\t\t}\n\t\treturn nil, err\n\t}\n\treturn fi, nil\n}\n\n// Name returns the name of this connection\nfunc (c *Connection) Name() string {\n\treturn c.GetID()\n}\n\n// Chown changes the uid and gid of the named file\nfunc (c *Connection) Chown(_ string, _, _ int) error {\n\tc.UpdateLastActivity()\n\n\treturn common.ErrOpUnsupported\n\t/*p, err := c.Fs.ResolvePath(name)\n\tif err != nil {\n\t\treturn c.GetFsError(err)\n\t}\n\tattrs := common.StatAttributes{\n\t\tFlags: common.StatAttrUIDGID,\n\t\tUID: uid,\n\t\tGID: gid,\n\t}\n\n\treturn c.SetStat(p, name, &attrs)*/\n}\n\n// Chmod changes the mode of the named file/directory\nfunc (c *Connection) Chmod(name string, mode os.FileMode) error {\n\tc.UpdateLastActivity()\n\tname = util.CleanPath(name)\n\n\tattrs := common.StatAttributes{\n\t\tFlags: common.StatAttrPerms,\n\t\tMode: mode,\n\t}\n\treturn c.SetStat(name, &attrs)\n}\n\n// Chtimes changes the access and modification times of the named file\nfunc (c *Connection) Chtimes(name string, atime time.Time, mtime time.Time) error {\n\tc.UpdateLastActivity()\n\tname = util.CleanPath(name)\n\n\tattrs := common.StatAttributes{\n\t\tFlags: common.StatAttrTimes,\n\t\tAtime: atime,\n\t\tMtime: mtime,\n\t}\n\treturn c.SetStat(name, &attrs)\n}\n\n// GetAvailableSpace implements ClientDriverExtensionAvailableSpace interface\nfunc (c *Connection) GetAvailableSpace(dirName string) (int64, error) {\n\tc.UpdateLastActivity()\n\tdirName = util.CleanPath(dirName)\n\n\tdiskQuota, transferQuota := c.HasSpace(false, false, path.Join(dirName, \"fakefile.txt\"))\n\tif !diskQuota.HasSpace || !transferQuota.HasUploadSpace() {\n\t\treturn 0, nil\n\t}\n\n\tif diskQuota.AllowedSize == 0 && transferQuota.AllowedULSize == 0 && transferQuota.AllowedTotalSize == 0 {\n\t\t// no quota restrictions\n\t\tif c.User.Filters.MaxUploadFileSize > 0 {\n\t\t\treturn c.User.Filters.MaxUploadFileSize, nil\n\t\t}\n\n\t\tfs, p, err := c.GetFsAndResolvedPath(dirName)\n\t\tif err != nil {\n\t\t\treturn 0, err\n\t\t}\n\n\t\tstatVFS, err := fs.GetAvailableDiskSize(p)\n\t\tif err != nil {\n\t\t\treturn 0, c.GetFsError(fs, err)\n\t\t}\n\t\treturn int64(statVFS.FreeSpace()), nil\n\t}\n\n\tallowedDiskSize := diskQuota.AllowedSize\n\tallowedUploadSize := transferQuota.AllowedULSize\n\tif transferQuota.AllowedTotalSize > 0 {\n\t\tallowedUploadSize = transferQuota.AllowedTotalSize\n\t}\n\tallowedSize := allowedDiskSize\n\tif allowedSize == 0 {\n\t\tallowedSize = allowedUploadSize\n\t} else {\n\t\tif allowedUploadSize > 0 && allowedUploadSize < allowedSize {\n\t\t\tallowedSize = allowedUploadSize\n\t\t}\n\t}\n\t// the available space is the minimum between MaxUploadFileSize, if setted,\n\t// and quota allowed size\n\tif c.User.Filters.MaxUploadFileSize > 0 {\n\t\tif c.User.Filters.MaxUploadFileSize < allowedSize {\n\t\t\treturn c.User.Filters.MaxUploadFileSize, nil\n\t\t}\n\t}\n\n\treturn allowedSize, nil\n}\n\n// AllocateSpace implements ClientDriverExtensionAllocate interface\nfunc (c *Connection) AllocateSpace(_ int) error {\n\tc.UpdateLastActivity()\n\t// we treat ALLO as NOOP see RFC 959\n\treturn nil\n}\n\n// RemoveDir implements ClientDriverExtensionRemoveDir\nfunc (c *Connection) RemoveDir(name string) error {\n\tc.UpdateLastActivity()\n\tname = util.CleanPath(name)\n\n\treturn c.BaseConnection.RemoveDir(name)\n}\n\n// Symlink implements ClientDriverExtensionSymlink\nfunc (c *Connection) Symlink(oldname, newname string) error {\n\tc.UpdateLastActivity()\n\toldname = util.CleanPath(oldname)\n\tnewname = util.CleanPath(newname)\n\n\treturn c.CreateSymlink(oldname, newname)\n}\n\n// ReadDir implements ClientDriverExtensionFilelist\nfunc (c *Connection) ReadDir(name string) ([]os.FileInfo, error) {\n\tc.UpdateLastActivity()\n\tname = util.CleanPath(name)\n\n\tif c.doWildcardListDir {\n\t\tc.doWildcardListDir = false\n\t\tbaseName := path.Base(name)\n\t\t// we only support wildcards for the last path level, for example:\n\t\t// - *.xml is supported\n\t\t// - dir*/*.xml is not supported\n\t\tname = path.Dir(name)\n\t\tc.clientContext.SetListPath(name)\n\t\tlister, err := c.ListDir(name)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tpatternLister := &patternDirLister{\n\t\t\tDirLister: lister,\n\t\t\tpattern: baseName,\n\t\t\tlastCommand: c.clientContext.GetLastCommand(),\n\t\t\tdirName: name,\n\t\t\tconnectionPath: util.CleanPath(c.clientContext.Path()),\n\t\t}\n\t\treturn consumeDirLister(patternLister)\n\t}\n\n\tlister, err := c.ListDir(name)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn consumeDirLister(lister)\n}\n\n// GetHandle implements ClientDriverExtentionFileTransfer\nfunc (c *Connection) GetHandle(name string, flags int, offset int64) (ftpserver.FileTransfer, error) {\n\tc.UpdateLastActivity()\n\tname = util.CleanPath(name)\n\n\tfs, p, err := c.GetFsAndResolvedPath(name)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tif c.GetCommand() == \"COMB\" && !vfs.IsLocalOsFs(fs) {\n\t\treturn nil, errCOMBNotSupported\n\t}\n\n\tif err := common.Connections.IsNewTransferAllowed(c.User.Username); err != nil {\n\t\tc.Log(logger.LevelInfo, \"denying transfer due to count limits\")\n\t\treturn nil, c.GetPermissionDeniedError()\n\t}\n\n\tif flags&os.O_WRONLY != 0 {\n\t\treturn c.uploadFile(fs, p, name, flags)\n\t}\n\treturn c.downloadFile(fs, p, name, offset)\n}\n\nfunc (c *Connection) downloadFile(fs vfs.Fs, fsPath, ftpPath string, offset int64) (ftpserver.FileTransfer, error) {\n\tif !c.User.HasPerm(dataprovider.PermDownload, path.Dir(ftpPath)) {\n\t\treturn nil, c.GetPermissionDeniedError()\n\t}\n\ttransferQuota := c.GetTransferQuota()\n\tif !transferQuota.HasDownloadSpace() {\n\t\tc.Log(logger.LevelInfo, \"denying file read due to quota limits\")\n\t\treturn nil, c.GetReadQuotaExceededError()\n\t}\n\n\tif ok, policy := c.User.IsFileAllowed(ftpPath); !ok {\n\t\tc.Log(logger.LevelWarn, \"reading file %q is not allowed\", ftpPath)\n\t\treturn nil, c.GetErrorForDeniedFile(policy)\n\t}\n\n\tif _, err := common.ExecutePreAction(c.BaseConnection, common.OperationPreDownload, fsPath, ftpPath, 0, 0); err != nil {\n\t\tc.Log(logger.LevelDebug, \"download for file %q denied by pre action: %v\", ftpPath, err)\n\t\treturn nil, c.GetPermissionDeniedError()\n\t}\n\n\tfile, r, cancelFn, err := fs.Open(fsPath, offset)\n\tif err != nil {\n\t\tc.Log(logger.LevelError, \"could not open file %q for reading: %+v\", fsPath, err)\n\t\treturn nil, c.GetFsError(fs, err)\n\t}\n\n\tbaseTransfer := common.NewBaseTransfer(file, c.BaseConnection, cancelFn, fsPath, fsPath, ftpPath,\n\t\tcommon.TransferDownload, 0, 0, 0, 0, false, fs, transferQuota)\n\tbaseTransfer.SetFtpMode(c.getFTPMode())\n\tt := newTransfer(baseTransfer, nil, r, offset)\n\n\treturn t, nil\n}\n\nfunc (c *Connection) uploadFile(fs vfs.Fs, fsPath, ftpPath string, flags int) (ftpserver.FileTransfer, error) {\n\tif ok, _ := c.User.IsFileAllowed(ftpPath); !ok {\n\t\tc.Log(logger.LevelWarn, \"writing file %q is not allowed\", ftpPath)\n\t\treturn nil, ftpserver.ErrFileNameNotAllowed\n\t}\n\n\tfilePath := fsPath\n\tif common.Config.IsAtomicUploadEnabled() && fs.IsAtomicUploadSupported() {\n\t\tfilePath = fs.GetAtomicUploadPath(fsPath)\n\t}\n\n\tstat, statErr := fs.Lstat(fsPath)\n\tif (statErr == nil && stat.Mode()&os.ModeSymlink != 0) || fs.IsNotExist(statErr) {\n\t\tif !c.User.HasPerm(dataprovider.PermUpload, path.Dir(ftpPath)) {\n\t\t\treturn nil, fmt.Errorf(\"%w, no upload permission\", ftpserver.ErrFileNameNotAllowed)\n\t\t}\n\t\treturn c.handleFTPUploadToNewFile(fs, flags, fsPath, filePath, ftpPath)\n\t}\n\n\tif statErr != nil {\n\t\tc.Log(logger.LevelError, \"error performing file stat %q: %+v\", fsPath, statErr)\n\t\treturn nil, c.GetFsError(fs, statErr)\n\t}\n\n\t// This happen if we upload a file that has the same name of an existing directory\n\tif stat.IsDir() {\n\t\tc.Log(logger.LevelError, \"attempted to open a directory for writing to: %q\", fsPath)\n\t\treturn nil, c.GetOpUnsupportedError()\n\t}\n\n\tif !c.User.HasPerm(dataprovider.PermOverwrite, path.Dir(ftpPath)) {\n\t\treturn nil, fmt.Errorf(\"%w, no overwrite permission\", ftpserver.ErrFileNameNotAllowed)\n\t}\n\n\treturn c.handleFTPUploadToExistingFile(fs, flags, fsPath, filePath, stat.Size(), ftpPath)\n}\n\nfunc (c *Connection) handleFTPUploadToNewFile(fs vfs.Fs, flags int, resolvedPath, filePath, requestPath string) (ftpserver.FileTransfer, error) {\n\tdiskQuota, transferQuota := c.HasSpace(true, false, requestPath)\n\tif !diskQuota.HasSpace || !transferQuota.HasUploadSpace() {\n\t\tc.Log(logger.LevelInfo, \"denying file write due to quota limits\")\n\t\treturn nil, ftpserver.ErrStorageExceeded\n\t}\n\tif _, err := common.ExecutePreAction(c.BaseConnection, common.OperationPreUpload, resolvedPath, requestPath, 0, 0); err != nil {\n\t\tc.Log(logger.LevelDebug, \"upload for file %q denied by pre action: %v\", requestPath, err)\n\t\treturn nil, ftpserver.ErrFileNameNotAllowed\n\t}\n\tfile, w, cancelFn, err := fs.Create(filePath, flags, c.GetCreateChecks(requestPath, true, false))\n\tif err != nil {\n\t\tc.Log(logger.LevelError, \"error creating file %q, flags %v: %+v\", resolvedPath, flags, err)\n\t\treturn nil, c.GetFsError(fs, err)\n\t}\n\n\tvfs.SetPathPermissions(fs, filePath, c.User.GetUID(), c.User.GetGID())\n\n\t// we can get an error only for resume\n\tmaxWriteSize, _ := c.GetMaxWriteSize(diskQuota, false, 0, fs.IsUploadResumeSupported())\n\n\tbaseTransfer := common.NewBaseTransfer(file, c.BaseConnection, cancelFn, resolvedPath, filePath, requestPath,\n\t\tcommon.TransferUpload, 0, 0, maxWriteSize, 0, true, fs, transferQuota)\n\tbaseTransfer.SetFtpMode(c.getFTPMode())\n\tt := newTransfer(baseTransfer, w, nil, 0)\n\n\treturn t, nil\n}\n\nfunc (c *Connection) handleFTPUploadToExistingFile(fs vfs.Fs, flags int, resolvedPath, filePath string, fileSize int64,\n\trequestPath string) (ftpserver.FileTransfer, error) {\n\tvar err error\n\tdiskQuota, transferQuota := c.HasSpace(false, false, requestPath)\n\tif !diskQuota.HasSpace || !transferQuota.HasUploadSpace() {\n\t\tc.Log(logger.LevelInfo, \"denying file write due to quota limits\")\n\t\treturn nil, ftpserver.ErrStorageExceeded\n\t}\n\tminWriteOffset := int64(0)\n\t// ftpserverlib sets:\n\t// - os.O_WRONLY | os.O_APPEND for APPE and COMB\n\t// - os.O_WRONLY | os.O_CREATE for REST.\n\t// - os.O_WRONLY | os.O_CREATE | os.O_TRUNC if the command is not APPE and REST = 0\n\t// so if we don't have O_TRUNC is a resume.\n\tisResume := flags&os.O_TRUNC == 0\n\t// if there is a size limit remaining size cannot be 0 here, since quotaResult.HasSpace\n\t// will return false in this case and we deny the upload before\n\tmaxWriteSize, err := c.GetMaxWriteSize(diskQuota, isResume, fileSize, vfs.IsUploadResumeSupported(fs, fileSize))\n\tif err != nil {\n\t\tc.Log(logger.LevelDebug, \"unable to get max write size: %v\", err)\n\t\treturn nil, err\n\t}\n\tif _, err := common.ExecutePreAction(c.BaseConnection, common.OperationPreUpload, resolvedPath, requestPath, fileSize, flags); err != nil {\n\t\tc.Log(logger.LevelDebug, \"upload for file %q denied by pre action: %v\", requestPath, err)\n\t\treturn nil, ftpserver.ErrFileNameNotAllowed\n\t}\n\n\tif common.Config.IsAtomicUploadEnabled() && fs.IsAtomicUploadSupported() {\n\t\t_, _, err = fs.Rename(resolvedPath, filePath, 0)\n\t\tif err != nil {\n\t\t\tc.Log(logger.LevelError, \"error renaming existing file for atomic upload, source: %q, dest: %q, err: %+v\",\n\t\t\t\tresolvedPath, filePath, err)\n\t\t\treturn nil, c.GetFsError(fs, err)\n\t\t}\n\t}\n\n\tfile, w, cancelFn, err := fs.Create(filePath, flags, c.GetCreateChecks(requestPath, false, isResume))\n\tif err != nil {\n\t\tc.Log(logger.LevelError, \"error opening existing file, flags: %v, source: %q, err: %+v\", flags, filePath, err)\n\t\treturn nil, c.GetFsError(fs, err)\n\t}\n\n\tinitialSize := int64(0)\n\ttruncatedSize := int64(0) // bytes truncated and not included in quota\n\tif isResume {\n\t\tc.Log(logger.LevelDebug, \"resuming upload requested, file path: %q initial size: %v\", filePath, fileSize)\n\t\tminWriteOffset = fileSize\n\t\tinitialSize = fileSize\n\t\tif vfs.IsSFTPFs(fs) && fs.IsUploadResumeSupported() {\n\t\t\t// we need this since we don't allow resume with wrong offset, we should fix this in pkg/sftp\n\t\t\tfile.Seek(initialSize, io.SeekStart) //nolint:errcheck // for sftp seek simply set the offset\n\t\t}\n\t} else {\n\t\tif vfs.HasTruncateSupport(fs) {\n\t\t\tvfolder, err := c.User.GetVirtualFolderForPath(path.Dir(requestPath))\n\t\t\tif err == nil {\n\t\t\t\tdataprovider.UpdateUserFolderQuota(&vfolder, &c.User, 0, -fileSize, false)\n\t\t\t} else {\n\t\t\t\tdataprovider.UpdateUserQuota(&c.User, 0, -fileSize, false) //nolint:errcheck\n\t\t\t}\n\t\t} else {\n\t\t\tinitialSize = fileSize\n\t\t\ttruncatedSize = fileSize\n\t\t}\n\t}\n\n\tvfs.SetPathPermissions(fs, filePath, c.User.GetUID(), c.User.GetGID())\n\n\tbaseTransfer := common.NewBaseTransfer(file, c.BaseConnection, cancelFn, resolvedPath, filePath, requestPath,\n\t\tcommon.TransferUpload, minWriteOffset, initialSize, maxWriteSize, truncatedSize, false, fs, transferQuota)\n\tbaseTransfer.SetFtpMode(c.getFTPMode())\n\tt := newTransfer(baseTransfer, w, nil, minWriteOffset)\n\n\treturn t, nil\n}\n\nfunc (c *Connection) isListDirWithWildcards(name string) bool {\n\tif strings.ContainsAny(name, \"*?[]^\") {\n\t\tlastCommand := c.clientContext.GetLastCommand()\n\t\treturn lastCommand == \"LIST\" || lastCommand == \"NLST\"\n\t}\n\treturn false\n}\n\nfunc getPathRelativeTo(base, target string) string {\n\tvar sb strings.Builder\n\tfor {\n\t\tif base == target {\n\t\t\treturn sb.String()\n\t\t}\n\t\tif !strings.HasSuffix(base, \"/\") {\n\t\t\tbase += \"/\"\n\t\t}\n\t\tif strings.HasPrefix(target, base) {\n\t\t\tsb.WriteString(strings.TrimPrefix(target, base))\n\t\t\treturn sb.String()\n\t\t}\n\t\tif base == \"/\" || base == \"./\" {\n\t\t\treturn target\n\t\t}\n\t\tsb.WriteString(\"../\")\n\t\tbase = path.Dir(path.Clean(base))\n\t}\n}\n\ntype patternDirLister struct {\n\tvfs.DirLister\n\tpattern string\n\tlastCommand string\n\tdirName string\n\tconnectionPath string\n}\n\nfunc (l *patternDirLister) Next(limit int) ([]os.FileInfo, error) {\n\tfor {\n\t\tfiles, err := l.DirLister.Next(limit)\n\t\tif len(files) == 0 {\n\t\t\treturn files, err\n\t\t}\n\t\tvalidIdx := 0\n\t\tvar relativeBase string\n\t\tif l.lastCommand != \"NLST\" {\n\t\t\trelativeBase = getPathRelativeTo(l.connectionPath, l.dirName)\n\t\t}\n\t\tfor _, fi := range files {\n\t\t\tmatch, errMatch := path.Match(l.pattern, fi.Name())\n\t\t\tif errMatch != nil {\n\t\t\t\treturn nil, errMatch\n\t\t\t}\n\t\t\tif match {\n\t\t\t\tfiles[validIdx] = vfs.NewFileInfo(path.Join(relativeBase, fi.Name()), fi.IsDir(), fi.Size(),\n\t\t\t\t\tfi.ModTime(), true)\n\t\t\t\tvalidIdx++\n\t\t\t}\n\t\t}\n\t\tfiles = files[:validIdx]\n\t\tif err != nil || len(files) > 0 {\n\t\t\treturn files, err\n\t\t}\n\t}\n}\n\nfunc consumeDirLister(lister vfs.DirLister) ([]os.FileInfo, error) {\n\tdefer lister.Close()\n\n\tvar results []os.FileInfo\n\n\tfor {\n\t\tfiles, err := lister.Next(vfs.ListerBatchSize)\n\t\tfinished := errors.Is(err, io.EOF)\n\t\tresults = append(results, files...)\n\t\tif err != nil && !finished {\n\t\t\treturn results, err\n\t\t}\n\t\tif finished {\n\t\t\tlister.Close()\n\t\t\tbreak\n\t\t}\n\t}\n\n\treturn results, nil\n}\n" }, { "path": "internal/ftpd/internal_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage ftpd\n\nimport (\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io/fs\"\n\t\"net\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/eikenb/pipeat\"\n\tftpserver \"github.com/fclairamb/ftpserverlib\"\n\t\"github.com/pires/go-proxyproto\"\n\t\"github.com/sftpgo/sdk\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nconst (\n\tftpsCert = `-----BEGIN CERTIFICATE-----\nMIICHTCCAaKgAwIBAgIUHnqw7QnB1Bj9oUsNpdb+ZkFPOxMwCgYIKoZIzj0EAwIw\nRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu\ndGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDAyMDQwOTUzMDRaFw0zMDAyMDEw\nOTUzMDRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYD\nVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwdjAQBgcqhkjOPQIBBgUrgQQA\nIgNiAARCjRMqJ85rzMC998X5z761nJ+xL3bkmGVqWvrJ51t5OxV0v25NsOgR82CA\nNXUgvhVYs7vNFN+jxtb2aj6Xg+/2G/BNxkaFspIVCzgWkxiz7XE4lgUwX44FCXZM\n3+JeUbKjUzBRMB0GA1UdDgQWBBRhLw+/o3+Z02MI/d4tmaMui9W16jAfBgNVHSME\nGDAWgBRhLw+/o3+Z02MI/d4tmaMui9W16jAPBgNVHRMBAf8EBTADAQH/MAoGCCqG\nSM49BAMCA2kAMGYCMQDqLt2lm8mE+tGgtjDmtFgdOcI72HSbRQ74D5rYTzgST1rY\n/8wTi5xl8TiFUyLMUsICMQC5ViVxdXbhuG7gX6yEqSkMKZICHpO8hqFwOD/uaFVI\ndV4vKmHUzwK/eIx+8Ay3neE=\n-----END CERTIFICATE-----`\n\tftpsKey = `-----BEGIN EC PARAMETERS-----\nBgUrgQQAIg==\n-----END EC PARAMETERS-----\n-----BEGIN EC PRIVATE KEY-----\nMIGkAgEBBDCfMNsN6miEE3rVyUPwElfiJSWaR5huPCzUenZOfJT04GAcQdWvEju3\nUM2lmBLIXpGgBwYFK4EEACKhZANiAARCjRMqJ85rzMC998X5z761nJ+xL3bkmGVq\nWvrJ51t5OxV0v25NsOgR82CANXUgvhVYs7vNFN+jxtb2aj6Xg+/2G/BNxkaFspIV\nCzgWkxiz7XE4lgUwX44FCXZM3+JeUbI=\n-----END EC PRIVATE KEY-----`\n\tcaCRT = `-----BEGIN CERTIFICATE-----\nMIIE5jCCAs6gAwIBAgIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhDZXJ0\nQXV0aDAeFw0yNDAxMTAxODEyMDRaFw0zNDAxMTAxODIxNTRaMBMxETAPBgNVBAMT\nCENlcnRBdXRoMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA7WHW216m\nfi4uF8cx6HWf8wvAxaEWgCHTOi2MwFIzOrOtuT7xb64rkpdzx1aWetSiCrEyc3D1\nv03k0Akvlz1gtnDtO64+MA8bqlTnCydZJY4cCTvDOBUYZgtMqHZzpE6xRrqQ84zh\nyzjKQ5bR0st+XGfIkuhjSuf2n/ZPS37fge9j6AKzn/2uEVt33qmO85WtN3RzbSqL\nCdOJ6cQ216j3la1C5+NWvzIKC7t6NE1bBGI4+tRj7B5P5MeamkkogwbExUjdHp3U\n4yasvoGcCHUQDoa4Dej1faywz6JlwB6rTV4ys4aZDe67V/Q8iB2May1k7zBz1Ztb\nKF5Em3xewP1LqPEowF1uc4KtPGcP4bxdaIpSpmObcn8AIfH6smLQrn0C3cs7CYfo\nNlFuTbwzENUhjz0X6EsoM4w4c87lO+dRNR7YpHLqR/BJTbbyXUB0imne1u00fuzb\nS7OtweiA9w7DRCkr2gU4lmHe7l0T+SA9pxIeVLb78x7ivdyXSF5LVQJ1JvhhWu6i\nM6GQdLHat/0fpRFUbEe34RQSDJ2eOBifMJqvsvpBP8d2jcRZVUVrSXGc2mAGuGOY\n/tmnCJGW8Fd+sgpCVAqM0pxCM+apqrvJYUqqQZ2ZxugCXULtRWJ9p4C9zUl40HEy\nOQ+AaiiwFll/doXELglcJdNg8AZPGhugfxMCAwEAAaNFMEMwDgYDVR0PAQH/BAQD\nAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFNoJhIvDZQrEf/VQbWuu\nXgNnt2m5MA0GCSqGSIb3DQEBCwUAA4ICAQCYhT5SRqk19hGrQ09hVSZOzynXAa5F\nsYkEWJzFyLg9azhnTPE1bFM18FScnkd+dal6mt+bQiJvdh24NaVkDghVB7GkmXki\npAiZwEDHMqtbhiPxY8LtSeCBAz5JqXVU2Q0TpAgNSH4W7FbGWNThhxcJVOoIrXKE\njbzhwl1Etcaf0DBKWliUbdlxQQs65DLy+rNBYtOeK0pzhzn1vpehUlJ4eTFzP9KX\ny2Mksuq9AspPbqnqpWW645MdTxMb5T57MCrY3GDKw63z5z3kz88LWJF3nOxZmgQy\nWFUhbLmZm7x6N5eiu6Wk8/B4yJ/n5UArD4cEP1i7nqu+mbbM/SZlq1wnGpg/sbRV\noUF+a7pRcSbfxEttle4pLFhS+ErKatjGcNEab2OlU3bX5UoBs+TYodnCWGKOuBKV\nL/CYc65QyeYZ+JiwYn9wC8YkzOnnVIQjiCEkLgSL30h9dxpnTZDLrdAA8ItelDn5\nDvjuQq58CGDsaVqpSobiSC1DMXYWot4Ets1wwovUNEq1l0MERB+2olE+JU/8E23E\neL1/aA7Kw/JibkWz1IyzClpFDKXf6kR2onJyxerdwUL+is7tqYFLysiHxZDL1bli\nSXbW8hMa5gvo0IilFP9Rznn8PplIfCsvBDVv6xsRr5nTAFtwKaMBVgznE2ghs69w\nkK8u1YiiVenmoQ==\n-----END CERTIFICATE-----`\n\tcaKey = `-----BEGIN RSA PRIVATE KEY-----\nMIIJKgIBAAKCAgEA7WHW216mfi4uF8cx6HWf8wvAxaEWgCHTOi2MwFIzOrOtuT7x\nb64rkpdzx1aWetSiCrEyc3D1v03k0Akvlz1gtnDtO64+MA8bqlTnCydZJY4cCTvD\nOBUYZgtMqHZzpE6xRrqQ84zhyzjKQ5bR0st+XGfIkuhjSuf2n/ZPS37fge9j6AKz\nn/2uEVt33qmO85WtN3RzbSqLCdOJ6cQ216j3la1C5+NWvzIKC7t6NE1bBGI4+tRj\n7B5P5MeamkkogwbExUjdHp3U4yasvoGcCHUQDoa4Dej1faywz6JlwB6rTV4ys4aZ\nDe67V/Q8iB2May1k7zBz1ZtbKF5Em3xewP1LqPEowF1uc4KtPGcP4bxdaIpSpmOb\ncn8AIfH6smLQrn0C3cs7CYfoNlFuTbwzENUhjz0X6EsoM4w4c87lO+dRNR7YpHLq\nR/BJTbbyXUB0imne1u00fuzbS7OtweiA9w7DRCkr2gU4lmHe7l0T+SA9pxIeVLb7\n8x7ivdyXSF5LVQJ1JvhhWu6iM6GQdLHat/0fpRFUbEe34RQSDJ2eOBifMJqvsvpB\nP8d2jcRZVUVrSXGc2mAGuGOY/tmnCJGW8Fd+sgpCVAqM0pxCM+apqrvJYUqqQZ2Z\nxugCXULtRWJ9p4C9zUl40HEyOQ+AaiiwFll/doXELglcJdNg8AZPGhugfxMCAwEA\nAQKCAgEA4x0OoceG54ZrVxifqVaQd8qw3uRmUKUMIMdfuMlsdideeLO97ynmSlRY\n00kGo/I4Lp6mNEjI9gUie9+uBrcUhri4YLcujHCH+YlNnCBDbGjwbe0ds9SLCWaa\nKztZHMSlW5Q4Bqytgu+MpOnxSgqjlOk+vz9TcGFKVnUkHIkAcqKFJX8gOFxPZA/t\nOb1kJaz4kuv5W2Kur/ISKvQtvFvOtQeV0aJyZm8LqXnvS4cPI7yN4329NDU0HyDR\ny/deqS2aqV4zII3FFqbz8zix/m1xtVQzWCugZGMKrz0iuJMfNeCABb8rRGc6GsZz\n+465v/kobqgeyyneJ1s5rMFrLp2o+dwmnIVMNsFDUiN1lIZDHLvlgonaUO3IdTZc\n9asamFWKFKUMgWqM4zB1vmUO12CKowLNIIKb0L+kf1ixaLLDRGf/f9vLtSHE+oyx\nlATiS18VNA8+CGsHF6uXMRwf2auZdRI9+s6AAeyRISSbO1khyWKHo+bpOvmPAkDR\nnknTjbYgkoZOV+mrsU5oxV8s6vMkuvA3rwFhT2gie8pokuACFcCRrZi9MVs4LmUQ\nu0GYTHvp2WJUjMWBm6XX7Hk3g2HV842qpk/mdtTjNsXws81djtJPn4I/soIXSgXz\npY3SvKTuOckP9OZVF0yqKGeZXKpD288PKpC+MAg3GvEJaednagECggEBAPsfLwuP\nL1kiDjXyMcRoKlrQ6Q/zBGyBmJbZ5uVGa02+XtYtDAzLoVupPESXL0E7+r8ZpZ39\n0dV4CEJKpbVS/BBtTEkPpTK5kz778Ib04TAyj+YLhsZjsnuja3T5bIBZXFDeDVDM\n0ZaoFoKpIjTu2aO6pzngsgXs6EYbo2MTuJD3h0nkGZsICL7xvT9Mw0P1p2Ftt/hN\n+jKk3vN220wTWUsq43AePi45VwK+PNP12ZXv9HpWDxlPo3j0nXtgYXittYNAT92u\nBZbFAzldEIX9WKKZgsWtIzLaASjVRntpxDCTby/nlzQ5dw3DHU1DV3PIqxZS2+Oe\nKV+7XFWgZ44YjYECggEBAPH+VDu3QSrqSahkZLkgBtGRkiZPkZFXYvU6kL8qf5wO\nZ/uXMeqHtznAupLea8I4YZLfQim/NfC0v1cAcFa9Ckt9g3GwTSirVcN0AC1iOyv3\n/hMZCA1zIyIcuUplNr8qewoX71uPOvCNH0dix77423mKFkJmNwzy4Q+rV+qkRdLn\nv+AAgh7g5N91pxNd6LQJjoyfi1Ka6rRP2yGXM5v7QOwD16eN4JmExUxX1YQ7uNuX\npVS+HRxnBquA+3/DB1LtBX6pa2cUa+LRUmE/NCPHMvJcyuNkYpJKlNTd9vnbfo0H\nRNSJSWm+aGxDFMjuPjV3JLj2OdKMPwpnXdh2vBZCPpMCggEAM+yTvrEhmi2HgLIO\nhkz/jP2rYyfdn04ArhhqPLgd0dpuI5z24+Jq/9fzZT9ZfwSW6VK1QwDLlXcXRhXH\nQ8Hf6smev3CjuORURO61IkKaGWwrAucZPAY7ToNQ4cP9ImDXzMTNPgrLv3oMBYJR\nV16X09nxX+9NABqnQG/QjdjzDc6Qw7+NZ9f2bvzvI5qMuY2eyW91XbtJ45ThoLfP\nymAp03gPxQwL0WT7z85kJ3OrROxzwaPvxU0JQSZbNbqNDPXmFTiECxNDhpRAAWlz\n1DC5Vg2l05fkMkyPdtD6nOQWs/CYSfB5/EtxiX/xnBszhvZUIe6KFvuKFIhaJD5h\niykagQKCAQEAoBRm8k3KbTIo4ZzvyEq4V/+dF3zBRczx6FkCkYLygXBCNvsQiR2Y\nBjtI8Ijz7bnQShEoOmeDriRTAqGGrspEuiVgQ1+l2wZkKHRe/aaij/Zv+4AuhH8q\nuZEYvW7w5Uqbs9SbgQzhp2kjTNy6V8lVnjPLf8cQGZ+9Y9krwktC6T5m/i435WdN\n38h7amNP4XEE/F86Eb3rDrZYtgLIoCF4E+iCyxMehU+AGH1uABhls9XAB6vvo+8/\nSUp8lEqWWLP0U5KNOtYWfCeOAEiIHDbUq+DYUc4BKtbtV1cx3pzlPTOWw6XBi5Lq\njttdL4HyYvnasAQpwe8GcMJqIRyCVZMiwwKCAQEAhQTTS3CC8PwcoYrpBdTjW1ck\nvVFeF1YbfqPZfYxASCOtdx6wRnnEJ+bjqntagns9e88muxj9UhxSL6q9XaXQBD8+\n2AmKUxphCZQiYFZcTucjQEQEI2nN+nAKgRrUSMMGiR8Ekc2iFrcxBU0dnSohw+aB\nPbMKVypQCREu9PcDFIp9rXQTeElbaNsIg1C1w/SQjODbmN/QFHTVbRODYqLeX1J/\nVcGsykSIq7hv6bjn7JGkr2JTdANbjk9LnMjMdJFsKRYxPKkOQfYred6Hiojp5Sor\nPW5am8ejnNSPhIfqQp3uV3KhwPDKIeIpzvrB4uPfTjQWhekHCb8cKSWux3flqw==\n-----END RSA PRIVATE KEY-----`\n\tcaCRL = `-----BEGIN X509 CRL-----\nMIICpzCBkAIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhDZXJ0QXV0aBcN\nMjQwMTEwMTgyMjU4WhcNMjYwMTA5MTgyMjU4WjAkMCICEQDOaeHbjY4pEj8WBmqg\nZuRRFw0yNDAxMTAxODIyNThaoCMwITAfBgNVHSMEGDAWgBTaCYSLw2UKxH/1UG1r\nrl4DZ7dpuTANBgkqhkiG9w0BAQsFAAOCAgEAZzZ4aBqCcAJigR9e/mqKpJa4B6FV\n+jZmnWXolGeUuVkjdiG9w614x7mB2S768iioJyALejjCZjqsp6ydxtn0epQw4199\nXSfPIxA9lxc7w79GLe0v3ztojvxDPh5V1+lwPzGf9i8AsGqb2BrcBqgxDeatndnE\njF+18bY1saXOBpukNLjtRScUXzy5YcSuO6mwz4548v+1ebpF7W4Yh+yh0zldJKcF\nDouuirZWujJwTwxxfJ+2+yP7GAuefXUOhYs/1y9ylvUgvKFqSyokv6OaVgTooKYD\nMSADzmNcbRvwyAC5oL2yJTVVoTFeP6fXl/BdFH3sO/hlKXGy4Wh1AjcVE6T0CSJ4\niYFX3gLFh6dbP9IQWMlIM5DKtAKSjmgOywEaWii3e4M0NFSf/Cy17p2E5/jXSLlE\nypDileK0aALkx2twGWwogh6sY1dQ6R3GpKSRPD2muQxVOG6wXvuJce0E9WLx1Ud4\nhVUdUEMlKUvm77/15U5awarH2cCJQxzS/GMeIintQiG7hUlgRzRdmWVe3vOOvt94\ncp8+ZUH/QSDOo41ATTHpFeC/XqF5E2G/ahXqra+O5my52V/FP0bSJnkorJ8apy67\nsn6DFbkqX9khTXGtacczh2PcqVjcQjBniYl2sPO3qIrrrY3tic96tMnM/u3JRdcn\nw7bXJGfJcIMrrKs=\n-----END X509 CRL-----`\n\tclient1Crt = `-----BEGIN CERTIFICATE-----\nMIIEITCCAgmgAwIBAgIRAJr32nHRlhyPiS7IfZ/ZWYowDQYJKoZIhvcNAQELBQAw\nEzERMA8GA1UEAxMIQ2VydEF1dGgwHhcNMjQwMTEwMTgxMjM3WhcNMzQwMTEwMTgy\nMTUzWjASMRAwDgYDVQQDEwdjbGllbnQxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\nMIIBCgKCAQEAtuQFiqvdjd8WLxP0FgPDyDEJ1/uJ+Aoj6QllNV7svWxwW+kiJ3X6\nHUVNWhhCsNfly4pGW4erF4fZzmesElGx1PoWgQCWZKsa/N08bznelWgdmkyi85xE\nOkTj6e/cTWHFSOBURNJaXkGHZ0ROSh7qu0Ld+eqNo3k9W+NqZaqYvs2K7MLWeYl7\nQie8Ctuq5Qaz/jm0XwR2PFBROVQSaCPCukancPQ21ftqHPhAbjxoxvvN5QP4ZdRf\nXlH/LDLhlFnJzPZdHnVy9xisSPPRfFApJiwyfjRYdtslpJOcNgP6oPlpX/dybbhO\nc9FEUgj/Q90Je8EfioBYFYsqVD6/dFv9SwIDAQABo3EwbzAOBgNVHQ8BAf8EBAMC\nA7gwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBRUh5Xo\nGzjh6iReaPSOgGatqOw9bDAfBgNVHSMEGDAWgBTaCYSLw2UKxH/1UG1rrl4DZ7dp\nuTANBgkqhkiG9w0BAQsFAAOCAgEAyAK7cOTWqjyLgFM0kyyx1fNPvm2GwKep3MuU\nOrSnLuWjoxzb7WcbKNVMlnvnmSUAWuErxsY0PUJNfcuqWiGmEp4d/SWfWPigG6DC\nsDej35BlSfX8FCufYrfC74VNk4yBS2LVYmIqcpqUrfay0I2oZA8+ToLEpdUvEv2I\nl59eOhJO2jsC3JbOyZZmK2Kv7d94fR+1tg2Rq1Wbnmc9AZKq7KDReAlIJh4u2KHb\nBbtF79idusMwZyP777tqSQ4THBMa+VAEc2UrzdZqTIAwqlKQOvO2fRz2P+ARR+Tz\nMYJMdCdmPZ9qAc8U1OcFBG6qDDltO8wf/Nu/PsSI5LGCIhIuPPIuKfm0rRfTqCG7\nQPQPWjRoXtGGhwjdIuWbX9fIB+c+NpAEKHgLtV+Rxj8s5IVxqG9a5TtU9VkfVXJz\nJ20naoz/G+vDsVINpd3kH0ziNvdrKfGRM5UgtnUOPCXB22fVmkIsMH2knI10CKK+\noffI56NTkLRu00xvg98/wdukhkwIAxg6PQI/BHY5mdvoacEHHHdOhMq+GSAh7DDX\nG8+HdbABM1ExkPnZLat15q706ztiuUpQv1C2DI8YviUVkMqCslj4cD4F8EFPo4kr\nkvme0Cuc9Qlf7N5rjdV3cjwavhFx44dyXj9aesft2Q1okPiIqbGNpcjHcIRlj4Au\nMU3Bo0A=\n-----END CERTIFICATE-----`\n\tclient1Key = `-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAtuQFiqvdjd8WLxP0FgPDyDEJ1/uJ+Aoj6QllNV7svWxwW+ki\nJ3X6HUVNWhhCsNfly4pGW4erF4fZzmesElGx1PoWgQCWZKsa/N08bznelWgdmkyi\n85xEOkTj6e/cTWHFSOBURNJaXkGHZ0ROSh7qu0Ld+eqNo3k9W+NqZaqYvs2K7MLW\neYl7Qie8Ctuq5Qaz/jm0XwR2PFBROVQSaCPCukancPQ21ftqHPhAbjxoxvvN5QP4\nZdRfXlH/LDLhlFnJzPZdHnVy9xisSPPRfFApJiwyfjRYdtslpJOcNgP6oPlpX/dy\nbbhOc9FEUgj/Q90Je8EfioBYFYsqVD6/dFv9SwIDAQABAoIBAFjSHK7gENVZxphO\nhHg8k9ShnDo8eyDvK8l9Op3U3/yOsXKxolivvyx//7UFmz3vXDahjNHe7YScAXdw\neezbqBXa7xrvghqZzp2HhFYwMJ0210mcdncBKVFzK4ztZHxgQ0PFTqet0R19jZjl\nX3A325/eNZeuBeOied4qb/24AD6JGc6A0J55f5/QUQtdwYwrL15iC/KZXDL90PPJ\nCFJyrSzcXvOMEvOfXIFxhDVKRCppyIYXG7c80gtNC37I6rxxMNQ4mxjwUI2IVhxL\nj+nZDu0JgRZ4NaGjOq2e79QxUVm/GG3z25XgmBFBrXkEVV+sCZE1VDyj6kQfv9FU\nNhOrwGECgYEAzq47r/HwXifuGYBV/mvInFw3BNLrKry+iUZrJ4ms4g+LfOi0BAgf\nsXsWXulpBo2YgYjFdO8G66f69GlB4B7iLscpABXbRtpDZEnchQpaF36/+4g3i8gB\nZ29XHNDB8+7t4wbXvlSnLv1tZWey2fS4hPosc2YlvS87DMmnJMJqhs8CgYEA4oiB\nLGQP6VNdX0Uigmh5fL1g1k95eC8GP1ylczCcIwsb2OkAq0MT7SHRXOlg3leEq4+g\nmCHk1NdjkSYxDL2ZeTKTS/gy4p1jlcDa6Ilwi4pVvatNvu4o80EYWxRNNb1mAn67\nT8TN9lzc6mEi+LepQM3nYJ3F+ZWTKgxH8uoJwMUCgYEArpumE1vbjUBAuEyi2eGn\nRunlFW83fBCfDAxw5KM8anNlja5uvuU6GU/6s06QCxg+2lh5MPPrLdXpfukZ3UVa\nItjg+5B7gx1MSALaiY8YU7cibFdFThM3lHIM72wyH2ogkWcrh0GvSFSUQlJcWCSW\nasmMGiYXBgBL697FFZomMyMCgYEAkAnp0JcDQwHd4gDsk2zoqnckBsDb5J5J46n+\nDYNAFEww9bgZ08u/9MzG+cPu8xFE621U2MbcYLVfuuBE2ewIlPaij/COMmeO9Z59\n0tPpOuDH6eTtd1SptxqR6P+8pEn8feOlKHBj4Z1kXqdK/EiTlwAVeep4Al2oCFls\nujkz4F0CgYAe8vHnVFHlWi16zAqZx4ZZZhNuqPtgFkvPg9LfyNTA4dz7F9xgtUaY\nnXBPyCe/8NtgBfT79HkPiG3TM0xRZY9UZgsJKFtqAu5u4ManuWDnsZI9RK2QTLHe\nyEbH5r3Dg3n9k/3GbjXFIWdU9UaYsdnSKHHtMw9ZODc14LaAogEQug==\n-----END RSA PRIVATE KEY-----`\n\t// client 2 crt is revoked\n\tclient2Crt = `-----BEGIN CERTIFICATE-----\nMIIEITCCAgmgAwIBAgIRAM5p4duNjikSPxYGaqBm5FEwDQYJKoZIhvcNAQELBQAw\nEzERMA8GA1UEAxMIQ2VydEF1dGgwHhcNMjQwMTEwMTgxMjUyWhcNMzQwMTEwMTgy\nMTUzWjASMRAwDgYDVQQDEwdjbGllbnQyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\nMIIBCgKCAQEApNYpNZVmXZtAObpRRIuP2o/7z04H2E161vKZvJ3LSLlUTImVjm/b\nQe6DTNCUVLnzQuanmUlu2rUnN3lDSfYoBcJWbvC3y1OCPRkCjDV6KiYMA9TPkZua\neq6y3+bFFfEmyumsVEe0bSuzNHXCOIBT7PqYMdovECcwBh/RZCA5mqO5omEKh4LQ\ncr6+sVVkvD3nsyx0Alz/kTLFqc0mVflmpJq+0BpdetHRg4n5vy/I/08jZ81PQAmT\nA0kyl0Jh132JBGFdA8eyugPPP8n5edU4f3HXV/nR7XLwBrpSt8KgEg8cwfAu4Ic0\n6tGzB0CH8lSGtU0tH2/cOlDuguDD7VvokQIDAQABo3EwbzAOBgNVHQ8BAf8EBAMC\nA7gwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBR5mf0f\nZjf8ZCGXqU2+45th7VkkLDAfBgNVHSMEGDAWgBTaCYSLw2UKxH/1UG1rrl4DZ7dp\nuTANBgkqhkiG9w0BAQsFAAOCAgEARhFxNAouwbpEfN1M90+ao5rwyxEewerSoCCz\nPQzeUZ66MA/FkS/tFUGgGGG+wERN+WLbe1cN6q/XFr0FSMLuUxLXDNV02oUL/FnY\nxcyNLaZUZ0pP7sA+Hmx2AdTA6baIwQbyIY9RLAaz6hzo1YbI8yeis645F1bxgL2D\nEP5kXa3Obv0tqWByMZtrmJPv3p0W5GJKXVDn51GR/E5KI7pliZX2e0LmMX9mxfPB\n4sXFUggMHXxWMMSAmXPVsxC2KX6gMnajO7JUraTwuGm+6V371FzEX+UKXHI+xSvO\n78TseTIYsBGLjeiA8UjkKlD3T9qsQm2mb2PlKyqjvIm4i2ilM0E2w4JZmd45b925\n7q/QLV3NZ/zZMi6AMyULu28DWKfAx3RLKwnHWSFcR4lVkxQrbDhEUMhAhLAX+2+e\nqc7qZm3dTabi7ZJiiOvYK/yNgFHa/XtZp5uKPB5tigPIa+34hbZF7s2/ty5X3O1N\nf5Ardz7KNsxJjZIt6HvB28E/PPOvBqCKJc1Y08J9JbZi8p6QS1uarGoR7l7rT1Hv\n/ZXkNTw2bw1VpcWdzDBLLVHYNnJmS14189LVk11PcJJpSmubwCqg+ZZULdgtVr3S\nANas2dgMPVwXhnAalgkcc+lb2QqaEz06axfbRGBsgnyqR5/koKCg1Hr0+vThHSsR\nE0+r2+4=\n-----END CERTIFICATE-----`\n\tclient2Key = `-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEApNYpNZVmXZtAObpRRIuP2o/7z04H2E161vKZvJ3LSLlUTImV\njm/bQe6DTNCUVLnzQuanmUlu2rUnN3lDSfYoBcJWbvC3y1OCPRkCjDV6KiYMA9TP\nkZuaeq6y3+bFFfEmyumsVEe0bSuzNHXCOIBT7PqYMdovECcwBh/RZCA5mqO5omEK\nh4LQcr6+sVVkvD3nsyx0Alz/kTLFqc0mVflmpJq+0BpdetHRg4n5vy/I/08jZ81P\nQAmTA0kyl0Jh132JBGFdA8eyugPPP8n5edU4f3HXV/nR7XLwBrpSt8KgEg8cwfAu\n4Ic06tGzB0CH8lSGtU0tH2/cOlDuguDD7VvokQIDAQABAoIBAQCMnEeg9uXQmdvq\nop4qi6bV+ZcDWvvkLwvHikFMnYpIaheYBpF2ZMKzdmO4xgCSWeFCQ4Hah8KxfHCM\nqLuWvw2bBBE5J8yQ/JaPyeLbec7RX41GQ2YhPoxDdP0PdErREdpWo4imiFhH/Ewt\nRvq7ufRdpdLoS8dzzwnvX3r+H2MkHoC/QANW2AOuVoZK5qyCH5N8yEAAbWKaQaeL\nVBhAYEVKbAkWEtXw7bYXzxRR7WIM3f45v3ncRusDIG+Hf75ZjatoH0lF1gHQNofO\nqkCVZVzjkLFuzDic2KZqsNORglNs4J6t5Dahb9v3hnoK963YMnVSUjFvqQ+/RZZy\nVILFShilAoGBANucwZU61eJ0tLKBYEwmRY/K7Gu1MvvcYJIOoX8/BL3zNmNO0CLl\nNiABtNt9WOVwZxDsxJXdo1zvMtAegNqS6W11R1VAZbL6mQ/krScbLDE6JKA5DmA7\n4nNi1gJOW1ziAfdBAfhe4cLbQOb94xkOK5xM1YpO0xgDJLwrZbehDMmPAoGBAMAl\n/owPDAvcXz7JFynT0ieYVc64MSFiwGYJcsmxSAnbEgQ+TR5FtkHYe91OSqauZcCd\naoKXQNyrYKIhyounRPFTdYQrlx6KtEs7LU9wOxuphhpJtGjRnhmA7IqvX703wNvu\nkhrEavn86G5boH8R80371SrN0Rh9UeAlQGuNBdvfAoGAEAmokW9Ug08miwqrr6Pz\n3IZjMZJwALidTM1IufQuMnj6ddIhnQrEIx48yPKkdUz6GeBQkuk2rujA+zXfDxc/\neMDhzrX/N0zZtLFse7ieR5IJbrH7/MciyG5lVpHGVkgjAJ18uVikgAhm+vd7iC7i\nvG1YAtuyysQgAKXircBTIL0CgYAHeTLWVbt9NpwJwB6DhPaWjalAug9HIiUjktiB\nGcEYiQnBWn77X3DATOA8clAa/Yt9m2HKJIHkU1IV3ESZe+8Fh955PozJJlHu3yVb\nAp157PUHTriSnxyMF2Sb3EhX/rQkmbnbCqqygHC14iBy8MrKzLG00X6BelZV5n0D\n8d85dwKBgGWY2nsaemPH/TiTVF6kW1IKSQoIyJChkngc+Xj/2aCCkkmAEn8eqncl\nRKjnkiEZeG4+G91Xu7+HmcBLwV86k5I+tXK9O1Okomr6Zry8oqVcxU5TB6VRS+rA\nubwF00Drdvk2+kDZfxIM137nBiy7wgCJi2Ksm5ihN3dUF6Q0oNPl\n-----END RSA PRIVATE KEY-----`\n)\n\nvar (\n\tconfigDir = filepath.Join(\".\", \"..\", \"..\")\n)\n\ntype mockFTPClientContext struct {\n\tlastDataChannel ftpserver.DataChannel\n\tremoteIP string\n\tlocalIP string\n\textra any\n}\n\nfunc (cc *mockFTPClientContext) Path() string {\n\treturn \"\"\n}\n\nfunc (cc *mockFTPClientContext) SetPath(_ string) {}\n\nfunc (cc *mockFTPClientContext) SetListPath(_ string) {}\n\nfunc (cc *mockFTPClientContext) SetDebug(_ bool) {}\n\nfunc (cc *mockFTPClientContext) Debug() bool {\n\treturn false\n}\n\nfunc (cc *mockFTPClientContext) ID() uint32 {\n\treturn 1\n}\n\nfunc (cc *mockFTPClientContext) RemoteAddr() net.Addr {\n\tip := \"127.0.0.1\"\n\tif cc.remoteIP != \"\" {\n\t\tip = cc.remoteIP\n\t}\n\treturn &net.IPAddr{IP: net.ParseIP(ip)}\n}\n\nfunc (cc *mockFTPClientContext) LocalAddr() net.Addr {\n\tip := \"127.0.0.1\"\n\tif cc.localIP != \"\" {\n\t\tip = cc.localIP\n\t}\n\treturn &net.IPAddr{IP: net.ParseIP(ip)}\n}\n\nfunc (cc *mockFTPClientContext) GetClientVersion() string {\n\treturn \"mock version\"\n}\n\nfunc (cc *mockFTPClientContext) Close() error {\n\treturn nil\n}\n\nfunc (cc *mockFTPClientContext) HasTLSForControl() bool {\n\treturn false\n}\n\nfunc (cc *mockFTPClientContext) HasTLSForTransfers() bool {\n\treturn false\n}\n\nfunc (cc *mockFTPClientContext) SetTLSRequirement(_ ftpserver.TLSRequirement) error {\n\treturn nil\n}\n\nfunc (cc *mockFTPClientContext) GetLastCommand() string {\n\treturn \"\"\n}\n\nfunc (cc *mockFTPClientContext) GetLastDataChannel() ftpserver.DataChannel {\n\treturn cc.lastDataChannel\n}\n\nfunc (cc *mockFTPClientContext) SetExtra(extra any) {\n\tcc.extra = extra\n}\n\nfunc (cc *mockFTPClientContext) Extra() any {\n\treturn cc.extra\n}\n\n// MockOsFs mockable OsFs\ntype MockOsFs struct {\n\tvfs.Fs\n\terr error\n\tstatErr error\n\tisAtomicUploadSupported bool\n}\n\n// Name returns the name for the Fs implementation\nfunc (fs MockOsFs) Name() string {\n\treturn \"mockOsFs\"\n}\n\n// IsUploadResumeSupported returns true if resuming uploads is supported\nfunc (MockOsFs) IsUploadResumeSupported() bool {\n\treturn false\n}\n\n// IsConditionalUploadResumeSupported returns if resuming uploads is supported\n// for the specified size\nfunc (MockOsFs) IsConditionalUploadResumeSupported(_ int64) bool {\n\treturn false\n}\n\n// IsAtomicUploadSupported returns true if atomic upload is supported\nfunc (fs MockOsFs) IsAtomicUploadSupported() bool {\n\treturn fs.isAtomicUploadSupported\n}\n\n// Stat returns a FileInfo describing the named file\nfunc (fs MockOsFs) Stat(name string) (os.FileInfo, error) {\n\tif fs.statErr != nil {\n\t\treturn nil, fs.statErr\n\t}\n\treturn os.Stat(name)\n}\n\n// Lstat returns a FileInfo describing the named file\nfunc (fs MockOsFs) Lstat(name string) (os.FileInfo, error) {\n\tif fs.statErr != nil {\n\t\treturn nil, fs.statErr\n\t}\n\treturn os.Lstat(name)\n}\n\n// Remove removes the named file or (empty) directory.\nfunc (fs MockOsFs) Remove(name string, _ bool) error {\n\tif fs.err != nil {\n\t\treturn fs.err\n\t}\n\treturn os.Remove(name)\n}\n\n// Rename renames (moves) source to target\nfunc (fs MockOsFs) Rename(source, target string, _ int) (int, int64, error) {\n\tif fs.err != nil {\n\t\treturn -1, -1, fs.err\n\t}\n\terr := os.Rename(source, target)\n\treturn -1, -1, err\n}\n\nfunc newMockOsFs(err, statErr error, atomicUpload bool, connectionID, rootDir string) vfs.Fs {\n\treturn &MockOsFs{\n\t\tFs: vfs.NewOsFs(connectionID, rootDir, \"\", nil),\n\t\terr: err,\n\t\tstatErr: statErr,\n\t\tisAtomicUploadSupported: atomicUpload,\n\t}\n}\n\nfunc TestInitialization(t *testing.T) {\n\toldMgr := certMgr\n\tcertMgr = nil\n\n\tbinding := Binding{\n\t\tPort: 2121,\n\t}\n\tc := &Configuration{\n\t\tBindings: []Binding{binding},\n\t\tCertificateFile: \"acert\",\n\t\tCertificateKeyFile: \"akey\",\n\t}\n\tassert.False(t, binding.HasProxy())\n\tassert.Equal(t, util.I18nFTPTLSDisabled, binding.GetTLSDescription())\n\terr := c.Initialize(configDir)\n\tassert.Error(t, err)\n\tc.CertificateFile = \"\"\n\tc.CertificateKeyFile = \"\"\n\tc.BannerFile = \"afile\"\n\tserver := NewServer(c, configDir, binding, 0)\n\tassert.Equal(t, version.GetServerVersion(\"_\", false), server.initialMsg)\n\t_, err = server.GetTLSConfig()\n\tassert.Error(t, err)\n\n\tbinding.TLSMode = 1\n\tserver = NewServer(c, configDir, binding, 0)\n\t_, err = server.GetSettings()\n\tassert.Error(t, err)\n\n\tbinding.PassiveConnectionsSecurity = 100\n\tbinding.ActiveConnectionsSecurity = 100\n\tserver = NewServer(c, configDir, binding, 0)\n\t_, err = server.GetSettings()\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"invalid passive_connections_security\")\n\t}\n\tbinding.PassiveConnectionsSecurity = 1\n\tserver = NewServer(c, configDir, binding, 0)\n\t_, err = server.GetSettings()\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"invalid active_connections_security\")\n\t}\n\tbinding = Binding{\n\t\tPort: 2121,\n\t\tForcePassiveIP: \"192.168.1\",\n\t}\n\tserver = NewServer(c, configDir, binding, 0)\n\t_, err = server.GetSettings()\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"is not valid\")\n\t}\n\n\tbinding.ForcePassiveIP = \"::ffff:192.168.89.9\"\n\terr = binding.checkPassiveIP()\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"192.168.89.9\", binding.ForcePassiveIP)\n\n\tbinding.ForcePassiveIP = \"::1\"\n\terr = binding.checkPassiveIP()\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"is not a valid IPv4 address\")\n\t}\n\n\terr = ReloadCertificateMgr()\n\tassert.NoError(t, err)\n\n\tbinding = Binding{\n\t\tPort: 2121,\n\t\tClientAuthType: 1,\n\t}\n\tassert.Equal(t, util.I18nFTPTLSDisabled, binding.GetTLSDescription())\n\tcertPath := filepath.Join(os.TempDir(), \"test_ftpd.crt\")\n\tkeyPath := filepath.Join(os.TempDir(), \"test_ftpd.key\")\n\tbinding.CertificateFile = certPath\n\tbinding.CertificateKeyFile = keyPath\n\tkeyPairs := []common.TLSKeyPair{\n\t\t{\n\t\t\tCert: certPath,\n\t\t\tKey: keyPath,\n\t\t\tID: binding.GetAddress(),\n\t\t},\n\t}\n\tcertMgr, err = common.NewCertManager(keyPairs, configDir, \"\")\n\trequire.NoError(t, err)\n\n\tassert.Equal(t, util.I18nFTPTLSMixed, binding.GetTLSDescription())\n\tserver = NewServer(c, configDir, binding, 0)\n\tcfg, err := server.GetTLSConfig()\n\trequire.NoError(t, err)\n\tassert.Equal(t, tls.RequireAndVerifyClientCert, cfg.ClientAuth)\n\n\tcertMgr = oldMgr\n}\n\nfunc TestServerGetSettings(t *testing.T) {\n\toldConfig := common.Config\n\toldMgr := certMgr\n\n\tbinding := Binding{\n\t\tPort: 2121,\n\t\tApplyProxyConfig: true,\n\t}\n\tc := &Configuration{\n\t\tBindings: []Binding{binding},\n\t\tPassivePortRange: PortRange{\n\t\t\tStart: 10000,\n\t\t\tEnd: 10000,\n\t\t},\n\t}\n\tassert.False(t, binding.HasProxy())\n\tserver := NewServer(c, configDir, binding, 0)\n\tsettings, err := server.GetSettings()\n\tassert.NoError(t, err)\n\tif ranger, ok := settings.PassiveTransferPortRange.(*ftpserver.PortRange); ok {\n\t\tassert.Equal(t, 10000, ranger.Start)\n\t\tassert.Equal(t, 10000, ranger.End)\n\t}\n\tc.PassivePortRange.End = 11000\n\tsettings, err = server.GetSettings()\n\tassert.NoError(t, err)\n\tif ranger, ok := settings.PassiveTransferPortRange.(*ftpserver.PortRange); ok {\n\t\tassert.Equal(t, 10000, ranger.Start)\n\t\tassert.Equal(t, 11000, ranger.End)\n\t}\n\n\tcommon.Config.ProxyProtocol = 1\n\t_, err = server.GetSettings()\n\tassert.Error(t, err)\n\tserver.binding.Port = 8021\n\n\tassert.Equal(t, util.I18nFTPTLSDisabled, binding.GetTLSDescription())\n\t_, err = server.GetTLSConfig()\n\tassert.Error(t, err) // TLS configured but cert manager has no certificate\n\n\tbinding.TLSMode = 1\n\tassert.Equal(t, util.I18nFTPTLSExplicit, binding.GetTLSDescription())\n\n\tbinding.TLSMode = 2\n\tassert.Equal(t, util.I18nFTPTLSImplicit, binding.GetTLSDescription())\n\n\tcertPath := filepath.Join(os.TempDir(), \"test_ftpd.crt\")\n\tkeyPath := filepath.Join(os.TempDir(), \"test_ftpd.key\")\n\terr = os.WriteFile(certPath, []byte(ftpsCert), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(keyPath, []byte(ftpsKey), os.ModePerm)\n\tassert.NoError(t, err)\n\n\tkeyPairs := []common.TLSKeyPair{\n\t\t{\n\t\t\tCert: certPath,\n\t\t\tKey: keyPath,\n\t\t\tID: common.DefaultTLSKeyPaidID,\n\t\t},\n\t}\n\tcertMgr, err = common.NewCertManager(keyPairs, configDir, \"\")\n\trequire.NoError(t, err)\n\tcommon.Config.ProxyAllowed = nil\n\tc.CertificateFile = certPath\n\tc.CertificateKeyFile = keyPath\n\tserver = NewServer(c, configDir, binding, 0)\n\tserver.binding.Port = 9021\n\tsettings, err = server.GetSettings()\n\tassert.NoError(t, err)\n\tassert.NotNil(t, settings.Listener)\n\n\tlistener, err := net.Listen(\"tcp\", \":0\")\n\tassert.NoError(t, err)\n\tlistener, err = server.WrapPassiveListener(listener)\n\tassert.NoError(t, err)\n\n\t_, ok := listener.(*proxyproto.Listener)\n\tassert.True(t, ok)\n\n\tcommon.Config = oldConfig\n\tcertMgr = oldMgr\n}\n\nfunc TestUserInvalidParams(t *testing.T) {\n\tu := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tHomeDir: \"invalid\",\n\t\t},\n\t}\n\tbinding := Binding{\n\t\tPort: 2121,\n\t}\n\tc := &Configuration{\n\t\tBindings: []Binding{binding},\n\t\tPassivePortRange: PortRange{\n\t\t\tStart: 10000,\n\t\t\tEnd: 11000,\n\t\t},\n\t}\n\tserver := NewServer(c, configDir, binding, 3)\n\t_, err := server.validateUser(u, &mockFTPClientContext{}, dataprovider.LoginMethodPassword)\n\tassert.Error(t, err)\n\n\tu.Username = \"a\"\n\tu.HomeDir = filepath.Clean(os.TempDir())\n\tsubDir := \"subdir\"\n\tmappedPath1 := filepath.Join(os.TempDir(), \"vdir1\")\n\tvdirPath1 := \"/vdir1\"\n\tmappedPath2 := filepath.Join(os.TempDir(), \"vdir1\", subDir)\n\tvdirPath2 := \"/vdir2\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tMappedPath: mappedPath1,\n\t\t},\n\t\tVirtualPath: vdirPath1,\n\t})\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tMappedPath: mappedPath2,\n\t\t},\n\t\tVirtualPath: vdirPath2,\n\t})\n\t_, err = server.validateUser(u, &mockFTPClientContext{}, dataprovider.LoginMethodPassword)\n\tassert.Error(t, err)\n\tu.VirtualFolders = nil\n\t_, err = server.validateUser(u, &mockFTPClientContext{}, dataprovider.LoginMethodPassword)\n\tassert.Error(t, err)\n}\n\nfunc TestFTPMode(t *testing.T) {\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(\"\", common.ProtocolFTP, \"\", \"\", dataprovider.User{}),\n\t}\n\tassert.Empty(t, connection.getFTPMode())\n\tconnection.clientContext = &mockFTPClientContext{lastDataChannel: ftpserver.DataChannelActive}\n\tassert.Equal(t, \"active\", connection.getFTPMode())\n\tconnection.clientContext = &mockFTPClientContext{lastDataChannel: ftpserver.DataChannelPassive}\n\tassert.Equal(t, \"passive\", connection.getFTPMode())\n\tconnection.clientContext = &mockFTPClientContext{lastDataChannel: 0}\n\tassert.Empty(t, connection.getFTPMode())\n}\n\nfunc TestClientVersion(t *testing.T) {\n\tmockCC := &mockFTPClientContext{}\n\tconnID := fmt.Sprintf(\"2_%v\", mockCC.ID())\n\tuser := dataprovider.User{}\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(connID, common.ProtocolFTP, \"\", \"\", user),\n\t\tclientContext: mockCC,\n\t}\n\terr := common.Connections.Add(connection)\n\tassert.NoError(t, err)\n\tstats := common.Connections.GetStats(\"\")\n\tif assert.Len(t, stats, 1) {\n\t\tassert.Equal(t, \"mock version\", stats[0].ClientVersion)\n\t\tcommon.Connections.Remove(connection.GetID())\n\t}\n\tassert.Len(t, common.Connections.GetStats(\"\"), 0)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n}\n\nfunc TestDriverMethodsNotImplemented(t *testing.T) {\n\tmockCC := &mockFTPClientContext{}\n\tconnID := fmt.Sprintf(\"2_%v\", mockCC.ID())\n\tuser := dataprovider.User{}\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(connID, common.ProtocolFTP, \"\", \"\", user),\n\t\tclientContext: mockCC,\n\t}\n\t_, err := connection.Create(\"\")\n\tassert.EqualError(t, err, errNotImplemented.Error())\n\terr = connection.MkdirAll(\"\", os.ModePerm)\n\tassert.EqualError(t, err, errNotImplemented.Error())\n\t_, err = connection.Open(\"\")\n\tassert.EqualError(t, err, errNotImplemented.Error())\n\t_, err = connection.OpenFile(\"\", 0, os.ModePerm)\n\tassert.EqualError(t, err, errNotImplemented.Error())\n\terr = connection.RemoveAll(\"\")\n\tassert.EqualError(t, err, errNotImplemented.Error())\n\tassert.Equal(t, connection.GetID(), connection.Name())\n}\n\nfunc TestExtraData(t *testing.T) {\n\tmockCC := mockFTPClientContext{}\n\t_, ok := mockCC.Extra().(*tlsState)\n\trequire.False(t, ok)\n\tmockCC.SetExtra(&tlsState{\n\t\tLoginWithMutualTLS: false,\n\t\tVersion: tls.VersionName(tls.VersionTLS13),\n\t\tCipher: tls.CipherSuiteName(tls.TLS_AES_128_GCM_SHA256),\n\t\tKEX: tls.X25519MLKEM768.String(),\n\t})\n\tstate, ok := mockCC.Extra().(*tlsState)\n\trequire.True(t, ok)\n\trequire.False(t, state.LoginWithMutualTLS)\n\trequire.Equal(t, tls.VersionName(tls.VersionTLS13), state.Version)\n\trequire.Equal(t, tls.CipherSuiteName(tls.TLS_AES_128_GCM_SHA256), state.Cipher)\n\trequire.Equal(t, tls.X25519MLKEM768.String(), state.KEX)\n\tmockCC.SetExtra(&tlsState{\n\t\tLoginWithMutualTLS: true,\n\t})\n\tstate, ok = mockCC.Extra().(*tlsState)\n\trequire.True(t, ok)\n\trequire.True(t, state.LoginWithMutualTLS)\n}\n\nfunc TestResolvePathErrors(t *testing.T) {\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tHomeDir: \"invalid\",\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tmockCC := &mockFTPClientContext{}\n\tconnID := fmt.Sprintf(\"%v\", mockCC.ID())\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(connID, common.ProtocolFTP, \"\", \"\", user),\n\t\tclientContext: mockCC,\n\t}\n\terr := connection.Mkdir(\"\", os.ModePerm)\n\tif assert.Error(t, err) {\n\t\tassert.EqualError(t, err, common.ErrGenericFailure.Error())\n\t}\n\terr = connection.Remove(\"\")\n\tif assert.Error(t, err) {\n\t\tassert.EqualError(t, err, common.ErrGenericFailure.Error())\n\t}\n\terr = connection.RemoveDir(\"\")\n\tif assert.Error(t, err) {\n\t\tassert.EqualError(t, err, common.ErrGenericFailure.Error())\n\t}\n\terr = connection.Rename(\"\", \"\")\n\tassert.ErrorIs(t, err, common.ErrOpUnsupported)\n\terr = connection.Symlink(\"\", \"\")\n\tif assert.Error(t, err) {\n\t\tassert.EqualError(t, err, common.ErrGenericFailure.Error())\n\t}\n\t_, err = connection.Stat(\"\")\n\tif assert.Error(t, err) {\n\t\tassert.EqualError(t, err, common.ErrGenericFailure.Error())\n\t}\n\terr = connection.Chmod(\"\", os.ModePerm)\n\tif assert.Error(t, err) {\n\t\tassert.EqualError(t, err, common.ErrGenericFailure.Error())\n\t}\n\terr = connection.Chtimes(\"\", time.Now(), time.Now())\n\tif assert.Error(t, err) {\n\t\tassert.EqualError(t, err, common.ErrGenericFailure.Error())\n\t}\n\t_, err = connection.ReadDir(\"\")\n\tif assert.Error(t, err) {\n\t\tassert.EqualError(t, err, common.ErrGenericFailure.Error())\n\t}\n\t_, err = connection.GetHandle(\"\", 0, 0)\n\tif assert.Error(t, err) {\n\t\tassert.EqualError(t, err, common.ErrGenericFailure.Error())\n\t}\n\t_, err = connection.GetAvailableSpace(\"\")\n\tif assert.Error(t, err) {\n\t\tassert.EqualError(t, err, common.ErrGenericFailure.Error())\n\t}\n}\n\nfunc TestUploadFileStatError(t *testing.T) {\n\tif runtime.GOOS == \"windows\" {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"user\",\n\t\t\tHomeDir: filepath.Clean(os.TempDir()),\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tmockCC := &mockFTPClientContext{}\n\tconnID := fmt.Sprintf(\"%v\", mockCC.ID())\n\tfs := vfs.NewOsFs(connID, user.HomeDir, \"\", nil)\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(connID, common.ProtocolFTP, \"\", \"\", user),\n\t\tclientContext: mockCC,\n\t}\n\ttestFile := filepath.Join(user.HomeDir, \"test\", \"testfile\")\n\terr := os.MkdirAll(filepath.Dir(testFile), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(testFile, []byte(\"data\"), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.Chmod(filepath.Dir(testFile), 0001)\n\tassert.NoError(t, err)\n\t_, err = connection.uploadFile(fs, testFile, \"test\", 0)\n\tassert.Error(t, err)\n\terr = os.Chmod(filepath.Dir(testFile), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(filepath.Dir(testFile))\n\tassert.NoError(t, err)\n}\n\nfunc TestAVBLErrors(t *testing.T) {\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"user\",\n\t\t\tHomeDir: filepath.Clean(os.TempDir()),\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tmockCC := &mockFTPClientContext{}\n\tconnID := fmt.Sprintf(\"%v\", mockCC.ID())\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(connID, common.ProtocolFTP, \"\", \"\", user),\n\t\tclientContext: mockCC,\n\t}\n\t_, err := connection.GetAvailableSpace(\"/\")\n\tassert.NoError(t, err)\n\t_, err = connection.GetAvailableSpace(\"/missing-path\")\n\tassert.Error(t, err)\n\tassert.True(t, errors.Is(err, fs.ErrNotExist))\n}\n\nfunc TestUploadOverwriteErrors(t *testing.T) {\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"user\",\n\t\t\tHomeDir: filepath.Clean(os.TempDir()),\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tmockCC := &mockFTPClientContext{}\n\tconnID := fmt.Sprintf(\"%v\", mockCC.ID())\n\tfs := newMockOsFs(nil, nil, false, connID, user.GetHomeDir())\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(connID, common.ProtocolFTP, \"\", \"\", user),\n\t\tclientContext: mockCC,\n\t}\n\tflags := 0\n\tflags |= os.O_APPEND\n\t_, err := connection.handleFTPUploadToExistingFile(fs, flags, \"\", \"\", 0, \"\")\n\tif assert.Error(t, err) {\n\t\tassert.EqualError(t, err, common.ErrOpUnsupported.Error())\n\t}\n\n\tf, err := os.CreateTemp(\"\", \"temp\")\n\tassert.NoError(t, err)\n\terr = f.Close()\n\tassert.NoError(t, err)\n\tflags = 0\n\tflags |= os.O_CREATE\n\tflags |= os.O_TRUNC\n\ttr, err := connection.handleFTPUploadToExistingFile(fs, flags, f.Name(), f.Name(), 123, f.Name())\n\tif assert.NoError(t, err) {\n\t\ttransfer := tr.(*transfer)\n\t\ttransfers := connection.GetTransfers()\n\t\tif assert.Equal(t, 1, len(transfers)) {\n\t\t\tassert.Equal(t, transfers[0].ID, transfer.GetID())\n\t\t\tassert.Equal(t, int64(123), transfer.InitialSize)\n\t\t\terr = transfer.Close()\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, 0, len(connection.GetTransfers()))\n\t\t}\n\t}\n\terr = os.Remove(f.Name())\n\tassert.NoError(t, err)\n\n\t_, err = connection.handleFTPUploadToExistingFile(fs, os.O_TRUNC, filepath.Join(os.TempDir(), \"sub\", \"file\"),\n\t\tfilepath.Join(os.TempDir(), \"sub\", \"file1\"), 0, \"/sub/file1\")\n\tassert.Error(t, err)\n\tfs = vfs.NewOsFs(connID, user.GetHomeDir(), \"\", nil)\n\t_, err = connection.handleFTPUploadToExistingFile(fs, 0, \"missing1\", \"missing2\", 0, \"missing\")\n\tassert.Error(t, err)\n}\n\nfunc TestTransferErrors(t *testing.T) {\n\ttestfile := \"testfile\"\n\tfile, err := os.Create(testfile)\n\tassert.NoError(t, err)\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"user\",\n\t\t\tHomeDir: filepath.Clean(os.TempDir()),\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tmockCC := &mockFTPClientContext{}\n\tconnID := fmt.Sprintf(\"%v\", mockCC.ID())\n\tfs := newMockOsFs(nil, nil, false, connID, user.GetHomeDir())\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(connID, common.ProtocolFTP, \"\", \"\", user),\n\t}\n\tbaseTransfer := common.NewBaseTransfer(file, connection.BaseConnection, nil, file.Name(), file.Name(), testfile,\n\t\tcommon.TransferDownload, 0, 0, 0, 0, false, fs, dataprovider.TransferQuota{})\n\ttr := newTransfer(baseTransfer, nil, nil, 0)\n\terr = tr.Close()\n\tassert.NoError(t, err)\n\t_, err = tr.Seek(10, 0)\n\tassert.Error(t, err)\n\tbuf := make([]byte, 64)\n\t_, err = tr.Read(buf)\n\tassert.Error(t, err)\n\terr = tr.Close()\n\tif assert.Error(t, err) {\n\t\tassert.EqualError(t, err, common.ErrTransferClosed.Error())\n\t}\n\tassert.Len(t, connection.GetTransfers(), 0)\n\n\tr, _, err := pipeat.Pipe()\n\tassert.NoError(t, err)\n\tbaseTransfer = common.NewBaseTransfer(nil, connection.BaseConnection, nil, testfile, testfile, testfile,\n\t\tcommon.TransferUpload, 0, 0, 0, 0, false, fs, dataprovider.TransferQuota{})\n\ttr = newTransfer(baseTransfer, nil, vfs.NewPipeReader(r), 10)\n\tpos, err := tr.Seek(10, 0)\n\tassert.NoError(t, err)\n\tassert.Equal(t, pos, tr.expectedOffset)\n\terr = tr.closeIO()\n\tassert.NoError(t, err)\n\n\tr, w, err := pipeat.Pipe()\n\tassert.NoError(t, err)\n\tpipeWriter := vfs.NewPipeWriter(w)\n\tbaseTransfer = common.NewBaseTransfer(nil, connection.BaseConnection, nil, testfile, testfile, testfile,\n\t\tcommon.TransferUpload, 0, 0, 0, 0, false, fs, dataprovider.TransferQuota{})\n\ttr.Connection.RemoveTransfer(tr)\n\ttr = newTransfer(baseTransfer, pipeWriter, nil, 0)\n\n\terr = r.Close()\n\tassert.NoError(t, err)\n\terrFake := fmt.Errorf(\"fake upload error\")\n\tgo func() {\n\t\ttime.Sleep(100 * time.Millisecond)\n\t\tpipeWriter.Done(errFake)\n\t}()\n\terr = tr.closeIO()\n\tassert.EqualError(t, err, errFake.Error())\n\t_, err = tr.Seek(1, 0)\n\tif assert.Error(t, err) {\n\t\tassert.EqualError(t, err, common.ErrOpUnsupported.Error())\n\t}\n\ttr.Connection.RemoveTransfer(tr)\n\terr = os.Remove(testfile)\n\tassert.NoError(t, err)\n}\n\nfunc TestVerifyTLSConnection(t *testing.T) {\n\toldCertMgr := certMgr\n\n\tcaCrlPath := filepath.Join(os.TempDir(), \"testcrl.crt\")\n\tcertPath := filepath.Join(os.TempDir(), \"test.crt\")\n\tkeyPath := filepath.Join(os.TempDir(), \"test.key\")\n\terr := os.WriteFile(caCrlPath, []byte(caCRL), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(certPath, []byte(ftpsCert), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(keyPath, []byte(ftpsKey), os.ModePerm)\n\tassert.NoError(t, err)\n\tkeyPairs := []common.TLSKeyPair{\n\t\t{\n\t\t\tCert: certPath,\n\t\t\tKey: keyPath,\n\t\t\tID: common.DefaultTLSKeyPaidID,\n\t\t},\n\t}\n\tcertMgr, err = common.NewCertManager(keyPairs, \"\", \"ftp_test\")\n\tassert.NoError(t, err)\n\n\tcertMgr.SetCARevocationLists([]string{caCrlPath})\n\terr = certMgr.LoadCRLs()\n\tassert.NoError(t, err)\n\n\tcrt, err := tls.X509KeyPair([]byte(client1Crt), []byte(client1Key))\n\tassert.NoError(t, err)\n\tx509crt, err := x509.ParseCertificate(crt.Certificate[0])\n\tassert.NoError(t, err)\n\n\tserver := Server{}\n\tstate := tls.ConnectionState{\n\t\tPeerCertificates: []*x509.Certificate{x509crt},\n\t}\n\n\terr = server.verifyTLSConnection(state)\n\tassert.Error(t, err) // no verified certification chain\n\terr = server.VerifyTLSConnectionState(nil, state)\n\tassert.NoError(t, err)\n\tserver.binding.ClientAuthType = 1\n\terr = server.VerifyTLSConnectionState(nil, state)\n\tassert.Error(t, err)\n\n\tcrt, err = tls.X509KeyPair([]byte(caCRT), []byte(caKey))\n\tassert.NoError(t, err)\n\n\tx509CAcrt, err := x509.ParseCertificate(crt.Certificate[0])\n\tassert.NoError(t, err)\n\n\tstate.VerifiedChains = append(state.VerifiedChains, []*x509.Certificate{x509crt, x509CAcrt})\n\terr = server.verifyTLSConnection(state)\n\tassert.NoError(t, err)\n\n\tcrt, err = tls.X509KeyPair([]byte(client2Crt), []byte(client2Key))\n\tassert.NoError(t, err)\n\tx509crtRevoked, err := x509.ParseCertificate(crt.Certificate[0])\n\tassert.NoError(t, err)\n\n\tstate.VerifiedChains = append(state.VerifiedChains, []*x509.Certificate{x509crtRevoked, x509CAcrt})\n\tstate.PeerCertificates = []*x509.Certificate{x509crtRevoked}\n\terr = server.verifyTLSConnection(state)\n\tassert.EqualError(t, err, common.ErrCrtRevoked.Error())\n\n\terr = os.Remove(caCrlPath)\n\tassert.NoError(t, err)\n\terr = os.Remove(certPath)\n\tassert.NoError(t, err)\n\terr = os.Remove(keyPath)\n\tassert.NoError(t, err)\n\n\tcertMgr = oldCertMgr\n}\n\nfunc TestCiphers(t *testing.T) {\n\tb := Binding{\n\t\tTLSCipherSuites: []string{},\n\t}\n\tb.setCiphers()\n\trequire.Equal(t, util.GetTLSCiphersFromNames(nil), b.ciphers)\n\tb.TLSCipherSuites = []string{\"TLS_AES_128_GCM_SHA256\", \"TLS_AES_256_GCM_SHA384\"}\n\tb.setCiphers()\n\trequire.Len(t, b.ciphers, 2)\n\trequire.Equal(t, []uint16{tls.TLS_AES_128_GCM_SHA256, tls.TLS_AES_256_GCM_SHA384}, b.ciphers)\n}\n\nfunc TestPassiveIPResolver(t *testing.T) {\n\tb := Binding{\n\t\tPassiveIPOverrides: []PassiveIPOverride{\n\t\t\t{},\n\t\t},\n\t}\n\terr := b.checkPassiveIP()\n\tassert.Error(t, err)\n\tassert.Contains(t, err.Error(), \"passive IP networks override cannot be empty\")\n\tb = Binding{\n\t\tPassiveIPOverrides: []PassiveIPOverride{\n\t\t\t{\n\t\t\t\tIP: \"invalid ip\",\n\t\t\t},\n\t\t},\n\t}\n\terr = b.checkPassiveIP()\n\tassert.Error(t, err)\n\tassert.Contains(t, err.Error(), \"is not valid\")\n\n\tb = Binding{\n\t\tPassiveIPOverrides: []PassiveIPOverride{\n\t\t\t{\n\t\t\t\tIP: \"192.168.1.1\",\n\t\t\t\tNetworks: []string{\"192.168.1.0/24\", \"invalid cidr\"},\n\t\t\t},\n\t\t},\n\t}\n\terr = b.checkPassiveIP()\n\tassert.Error(t, err)\n\tassert.Contains(t, err.Error(), \"invalid passive IP networks override\")\n\tb = Binding{\n\t\tForcePassiveIP: \"192.168.2.1\",\n\t\tPassiveIPOverrides: []PassiveIPOverride{\n\t\t\t{\n\t\t\t\tIP: \"::ffff:192.168.1.1\",\n\t\t\t\tNetworks: []string{\"192.168.1.0/24\"},\n\t\t\t},\n\t\t},\n\t}\n\terr = b.checkPassiveIP()\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, b.PassiveIPOverrides[0].GetNetworksAsString())\n\tassert.Equal(t, \"192.168.1.1\", b.PassiveIPOverrides[0].IP)\n\trequire.Len(t, b.PassiveIPOverrides[0].parsedNetworks, 1)\n\tip := net.ParseIP(\"192.168.1.2\")\n\tassert.True(t, b.PassiveIPOverrides[0].parsedNetworks[0](ip))\n\tip = net.ParseIP(\"192.168.0.2\")\n\tassert.False(t, b.PassiveIPOverrides[0].parsedNetworks[0](ip))\n\n\tmockCC := &mockFTPClientContext{\n\t\tremoteIP: \"192.168.1.10\",\n\t\tlocalIP: \"192.168.1.3\",\n\t}\n\tpassiveIP, err := b.passiveIPResolver(mockCC)\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"192.168.1.1\", passiveIP)\n\tb.PassiveIPOverrides[0].IP = \"\"\n\tpassiveIP, err = b.passiveIPResolver(mockCC)\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"192.168.1.3\", passiveIP)\n\tmockCC.remoteIP = \"172.16.2.3\"\n\tpassiveIP, err = b.passiveIPResolver(mockCC)\n\tassert.NoError(t, err)\n\tassert.Equal(t, b.ForcePassiveIP, passiveIP)\n}\n\nfunc TestRelativePath(t *testing.T) {\n\trel := getPathRelativeTo(\"/testpath\", \"/testpath\")\n\tassert.Empty(t, rel)\n\trel = getPathRelativeTo(\"/\", \"/\")\n\tassert.Empty(t, rel)\n\trel = getPathRelativeTo(\"/\", \"/dir/sub\")\n\tassert.Equal(t, \"dir/sub\", rel)\n\trel = getPathRelativeTo(\"./\", \"/dir/sub\")\n\tassert.Equal(t, \"/dir/sub\", rel)\n\trel = getPathRelativeTo(\"/sub\", \"/dir/sub\")\n\tassert.Equal(t, \"../dir/sub\", rel)\n\trel = getPathRelativeTo(\"/dir\", \"/dir/sub\")\n\tassert.Equal(t, \"sub\", rel)\n\trel = getPathRelativeTo(\"/dir/sub\", \"/dir\")\n\tassert.Equal(t, \"../\", rel)\n\trel = getPathRelativeTo(\"dir\", \"/dir1\")\n\tassert.Equal(t, \"/dir1\", rel)\n\trel = getPathRelativeTo(\"\", \"/dir2\")\n\tassert.Equal(t, \"dir2\", rel)\n\trel = getPathRelativeTo(\".\", \"/dir2\")\n\tassert.Equal(t, \"/dir2\", rel)\n\trel = getPathRelativeTo(\"/dir3\", \"dir3\")\n\tassert.Equal(t, \"dir3\", rel)\n}\n\nfunc TestConfigsFromProvider(t *testing.T) {\n\terr := dataprovider.UpdateConfigs(nil, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tc := Configuration{}\n\terr = c.loadFromProvider()\n\tassert.NoError(t, err)\n\tassert.Empty(t, c.acmeDomain)\n\tconfigs := dataprovider.Configs{\n\t\tACME: &dataprovider.ACMEConfigs{\n\t\t\tDomain: \"domain.com\",\n\t\t\tEmail: \"info@domain.com\",\n\t\t\tHTTP01Challenge: dataprovider.ACMEHTTP01Challenge{Port: 80},\n\t\t\tProtocols: 2,\n\t\t},\n\t}\n\terr = dataprovider.UpdateConfigs(&configs, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tutil.CertsBasePath = \"\"\n\t// crt and key empty\n\terr = c.loadFromProvider()\n\tassert.NoError(t, err)\n\tassert.Empty(t, c.acmeDomain)\n\tutil.CertsBasePath = filepath.Clean(os.TempDir())\n\t// crt not found\n\terr = c.loadFromProvider()\n\tassert.NoError(t, err)\n\tassert.Empty(t, c.acmeDomain)\n\tkeyPairs := c.getKeyPairs(configDir)\n\tassert.Len(t, keyPairs, 0)\n\tcrtPath := filepath.Join(util.CertsBasePath, util.SanitizeDomain(configs.ACME.Domain)+\".crt\")\n\terr = os.WriteFile(crtPath, nil, 0666)\n\tassert.NoError(t, err)\n\t// key not found\n\terr = c.loadFromProvider()\n\tassert.NoError(t, err)\n\tassert.Empty(t, c.acmeDomain)\n\tkeyPairs = c.getKeyPairs(configDir)\n\tassert.Len(t, keyPairs, 0)\n\tkeyPath := filepath.Join(util.CertsBasePath, util.SanitizeDomain(configs.ACME.Domain)+\".key\")\n\terr = os.WriteFile(keyPath, nil, 0666)\n\tassert.NoError(t, err)\n\t// acme cert used\n\terr = c.loadFromProvider()\n\tassert.NoError(t, err)\n\tassert.Equal(t, configs.ACME.Domain, c.acmeDomain)\n\tkeyPairs = c.getKeyPairs(configDir)\n\tassert.Len(t, keyPairs, 1)\n\t// protocols does not match\n\tconfigs.ACME.Protocols = 5\n\terr = dataprovider.UpdateConfigs(&configs, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tc.acmeDomain = \"\"\n\terr = c.loadFromProvider()\n\tassert.NoError(t, err)\n\tassert.Empty(t, c.acmeDomain)\n\tkeyPairs = c.getKeyPairs(configDir)\n\tassert.Len(t, keyPairs, 0)\n\n\terr = os.Remove(crtPath)\n\tassert.NoError(t, err)\n\terr = os.Remove(keyPath)\n\tassert.NoError(t, err)\n\tutil.CertsBasePath = \"\"\n\terr = dataprovider.UpdateConfigs(nil, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n}\n\nfunc TestPassiveHost(t *testing.T) {\n\tb := Binding{\n\t\tPassiveHost: \"invalid hostname\",\n\t}\n\t_, err := b.getPassiveIP(nil)\n\tassert.Error(t, err)\n\tb.PassiveHost = \"localhost\"\n\tip, err := b.getPassiveIP(nil)\n\tassert.NoError(t, err, ip)\n\tassert.Equal(t, \"127.0.0.1\", ip)\n}\n" }, { "path": "internal/ftpd/server.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage ftpd\n\nimport (\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"slices\"\n\n\tftpserver \"github.com/fclairamb/ftpserverlib\"\n\t\"github.com/sftpgo/sdk/plugin/notifier\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/metric\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n)\n\n// tlsState tracks TLS connection state for a client\ntype tlsState struct {\n\t// LoginWithMutualTLS indicates whether the user logged in using TLS certificate authentication\n\tLoginWithMutualTLS bool\n\tVersion string\n\tCipher string\n\tKEX string\n}\n\n// Server implements the ftpserverlib MainDriver interface\ntype Server struct {\n\tID int\n\tconfig *Configuration\n\tinitialMsg string\n\tstatusBanner string\n\tbinding Binding\n\ttlsConfig *tls.Config\n}\n\n// NewServer returns a new FTP server driver\nfunc NewServer(config *Configuration, configDir string, binding Binding, id int) *Server {\n\tbinding.setCiphers()\n\tvers := version.GetServerVersion(\"_\", false)\n\tserver := &Server{\n\t\tconfig: config,\n\t\tinitialMsg: vers,\n\t\tstatusBanner: fmt.Sprintf(\"%s FTP Server\", vers),\n\t\tbinding: binding,\n\t\tID: id,\n\t}\n\tif config.BannerFile != \"\" {\n\t\tbannerFilePath := config.BannerFile\n\t\tif !filepath.IsAbs(bannerFilePath) {\n\t\t\tbannerFilePath = filepath.Join(configDir, bannerFilePath)\n\t\t}\n\t\tbannerContent, err := os.ReadFile(bannerFilePath)\n\t\tif err == nil {\n\t\t\tserver.initialMsg = util.BytesToString(bannerContent)\n\t\t} else {\n\t\t\tlogger.WarnToConsole(\"unable to read FTPD banner file: %v\", err)\n\t\t\tlogger.Warn(logSender, \"\", \"unable to read banner file: %v\", err)\n\t\t}\n\t}\n\tserver.buildTLSConfig()\n\treturn server\n}\n\n// GetSettings returns FTP server settings\nfunc (s *Server) GetSettings() (*ftpserver.Settings, error) {\n\tif err := s.binding.checkPassiveIP(); err != nil {\n\t\treturn nil, err\n\t}\n\tif err := s.binding.checkSecuritySettings(); err != nil {\n\t\treturn nil, err\n\t}\n\tvar portRange *ftpserver.PortRange\n\tif s.config.PassivePortRange.Start > 0 && s.config.PassivePortRange.End >= s.config.PassivePortRange.Start {\n\t\tportRange = &ftpserver.PortRange{\n\t\t\tStart: s.config.PassivePortRange.Start,\n\t\t\tEnd: s.config.PassivePortRange.End,\n\t\t}\n\t}\n\tvar ftpListener net.Listener\n\tif s.binding.HasProxy() {\n\t\tlistener, err := net.Listen(\"tcp\", s.binding.GetAddress())\n\t\tif err != nil {\n\t\t\tlogger.Warn(logSender, \"\", \"error starting listener on address %v: %v\", s.binding.GetAddress(), err)\n\t\t\treturn nil, err\n\t\t}\n\t\tftpListener, err = common.Config.GetProxyListener(listener)\n\t\tif err != nil {\n\t\t\tlogger.Warn(logSender, \"\", \"error enabling proxy listener: %v\", err)\n\t\t\treturn nil, err\n\t\t}\n\t\tif s.binding.TLSMode == 2 && s.tlsConfig != nil {\n\t\t\tftpListener = tls.NewListener(ftpListener, s.tlsConfig)\n\t\t}\n\t}\n\n\tif !s.binding.isTLSModeValid() {\n\t\treturn nil, fmt.Errorf(\"unsupported TLS mode: %d\", s.binding.TLSMode)\n\t}\n\n\tif s.binding.TLSMode > 0 && certMgr == nil {\n\t\treturn nil, errors.New(\"to enable TLS you need to provide a certificate\")\n\t}\n\n\tsettings := &ftpserver.Settings{\n\t\tListener: ftpListener,\n\t\tListenAddr: s.binding.GetAddress(),\n\t\tPublicIPResolver: s.binding.passiveIPResolver,\n\t\tActiveTransferPortNon20: s.config.ActiveTransfersPortNon20,\n\t\tIdleTimeout: -1,\n\t\tConnectionTimeout: 20,\n\t\tBanner: s.statusBanner,\n\t\tTLSRequired: ftpserver.TLSRequirement(s.binding.TLSMode),\n\t\tDisableSite: !s.config.EnableSite,\n\t\tDisableActiveMode: s.config.DisableActiveMode,\n\t\tEnableHASH: s.config.HASHSupport > 0,\n\t\tEnableCOMB: s.config.CombineSupport > 0,\n\t\tDefaultTransferType: ftpserver.TransferTypeBinary,\n\t\tActiveConnectionsCheck: ftpserver.DataConnectionRequirement(s.binding.ActiveConnectionsSecurity),\n\t\tPasvConnectionsCheck: ftpserver.DataConnectionRequirement(s.binding.PassiveConnectionsSecurity),\n\t}\n\tif portRange != nil {\n\t\tsettings.PassiveTransferPortRange = portRange\n\t}\n\treturn settings, nil\n}\n\n// ClientConnected is called to send the very first welcome message\nfunc (s *Server) ClientConnected(cc ftpserver.ClientContext) (string, error) {\n\tcc.SetDebug(s.binding.Debug)\n\tipAddr := util.GetIPFromRemoteAddress(cc.RemoteAddr().String())\n\tcommon.Connections.AddClientConnection(ipAddr)\n\tif common.IsBanned(ipAddr, common.ProtocolFTP) {\n\t\tlogger.Log(logger.LevelDebug, common.ProtocolFTP, \"\", \"connection refused, ip %q is banned\", ipAddr)\n\t\treturn \"Access denied: banned client IP\", common.ErrConnectionDenied\n\t}\n\tif err := common.Connections.IsNewConnectionAllowed(ipAddr, common.ProtocolFTP); err != nil {\n\t\tlogger.Log(logger.LevelDebug, common.ProtocolFTP, \"\", \"connection not allowed from ip %q: %v\", ipAddr, err)\n\t\treturn \"Access denied\", err\n\t}\n\t_, err := common.LimitRate(common.ProtocolFTP, ipAddr)\n\tif err != nil {\n\t\treturn fmt.Sprintf(\"Access denied: %v\", err.Error()), err\n\t}\n\tif err := common.Config.ExecutePostConnectHook(ipAddr, common.ProtocolFTP); err != nil {\n\t\treturn \"Access denied\", err\n\t}\n\tconnID := fmt.Sprintf(\"%v_%v\", s.ID, cc.ID())\n\tuser := dataprovider.User{}\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(connID, common.ProtocolFTP, cc.LocalAddr().String(),\n\t\t\tcc.RemoteAddr().String(), user),\n\t\tclientContext: cc,\n\t}\n\terr = common.Connections.Add(connection)\n\treturn s.initialMsg, err\n}\n\n// ClientDisconnected is called when the user disconnects, even if he never authenticated\nfunc (s *Server) ClientDisconnected(cc ftpserver.ClientContext) {\n\tconnID := fmt.Sprintf(\"%v_%v_%v\", common.ProtocolFTP, s.ID, cc.ID())\n\tcommon.Connections.Remove(connID)\n\tcommon.Connections.RemoveClientConnection(util.GetIPFromRemoteAddress(cc.RemoteAddr().String()))\n}\n\n// AuthUser authenticates the user and selects an handling driver\nfunc (s *Server) AuthUser(cc ftpserver.ClientContext, username, password string) (ftpserver.ClientDriver, error) {\n\tloginMethod := dataprovider.LoginMethodPassword\n\ttlsState, ok := cc.Extra().(*tlsState)\n\tif ok && tlsState != nil && tlsState.LoginWithMutualTLS {\n\t\tloginMethod = dataprovider.LoginMethodTLSCertificateAndPwd\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(cc.RemoteAddr().String())\n\tuser, err := dataprovider.CheckUserAndPass(username, password, ipAddr, common.ProtocolFTP)\n\tif err != nil {\n\t\tuser.Username = username\n\t\tupdateLoginMetrics(&user, ipAddr, loginMethod, err, nil)\n\t\treturn nil, dataprovider.ErrInvalidCredentials\n\t}\n\n\tconnection, err := s.validateUser(user, cc, loginMethod)\n\n\tdefer updateLoginMetrics(&user, ipAddr, loginMethod, err, connection)\n\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tsetStartDirectory(user.Filters.StartDirectory, cc)\n\tdataprovider.UpdateLastLogin(&user)\n\treturn connection, nil\n}\n\n// PreAuthUser implements the MainDriverExtensionUserVerifier interface\nfunc (s *Server) PreAuthUser(cc ftpserver.ClientContext, username string) error {\n\tif s.binding.TLSMode == 0 && s.tlsConfig != nil {\n\t\tuser, err := dataprovider.GetFTPPreAuthUser(username, util.GetIPFromRemoteAddress(cc.RemoteAddr().String()))\n\t\tif err == nil {\n\t\t\tif user.Filters.FTPSecurity == 1 {\n\t\t\t\treturn cc.SetTLSRequirement(ftpserver.MandatoryEncryption)\n\t\t\t}\n\t\t\treturn nil\n\t\t}\n\t\tif !errors.Is(err, util.ErrNotFound) {\n\t\t\tlogger.Error(logSender, fmt.Sprintf(\"%v_%v_%v\", common.ProtocolFTP, s.ID, cc.ID()),\n\t\t\t\t\"unable to get user on pre auth: %v\", err)\n\t\t\treturn common.ErrInternalFailure\n\t\t}\n\t}\n\treturn nil\n}\n\n// WrapPassiveListener implements the MainDriverExtensionPassiveWrapper interface\nfunc (s *Server) WrapPassiveListener(listener net.Listener) (net.Listener, error) {\n\tif s.binding.HasProxy() {\n\t\treturn common.Config.GetProxyListener(listener)\n\t}\n\treturn listener, nil\n}\n\n// VerifyConnection checks whether a user should be authenticated using a client certificate without prompting for a password\nfunc (s *Server) VerifyConnection(cc ftpserver.ClientContext, user string, tlsConn *tls.Conn) (ftpserver.ClientDriver, error) {\n\tif tlsConn == nil {\n\t\treturn nil, nil\n\t}\n\tstate := tlsConn.ConnectionState()\n\tcc.SetExtra(&tlsState{\n\t\tLoginWithMutualTLS: false,\n\t\tCipher: tls.CipherSuiteName(state.CipherSuite),\n\t\tVersion: tls.VersionName(state.Version),\n\t\tKEX: state.CurveID.String(),\n\t})\n\tif !s.binding.isMutualTLSEnabled() {\n\t\treturn nil, nil\n\t}\n\n\tif len(state.PeerCertificates) > 0 {\n\t\tipAddr := util.GetIPFromRemoteAddress(cc.RemoteAddr().String())\n\t\tdbUser, err := dataprovider.CheckUserBeforeTLSAuth(user, ipAddr, common.ProtocolFTP, state.PeerCertificates[0])\n\t\tif err != nil {\n\t\t\tdbUser.Username = user\n\t\t\tupdateLoginMetrics(&dbUser, ipAddr, dataprovider.LoginMethodTLSCertificate, err, nil)\n\t\t\treturn nil, dataprovider.ErrInvalidCredentials\n\t\t}\n\t\tif dbUser.IsTLSVerificationEnabled() {\n\t\t\tdbUser, err = dataprovider.CheckUserAndTLSCert(user, ipAddr, common.ProtocolFTP, state.PeerCertificates[0])\n\t\t\tif err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\n\t\t\tcc.SetExtra(&tlsState{\n\t\t\t\tLoginWithMutualTLS: true,\n\t\t\t\tCipher: tls.CipherSuiteName(state.CipherSuite),\n\t\t\t\tVersion: tls.VersionName(state.Version),\n\t\t\t\tKEX: state.CurveID.String(),\n\t\t\t})\n\n\t\t\tif dbUser.IsLoginMethodAllowed(dataprovider.LoginMethodTLSCertificate, common.ProtocolFTP) {\n\t\t\t\tconnection, err := s.validateUser(dbUser, cc, dataprovider.LoginMethodTLSCertificate)\n\n\t\t\t\tdefer updateLoginMetrics(&dbUser, ipAddr, dataprovider.LoginMethodTLSCertificate, err, connection)\n\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn nil, err\n\t\t\t\t}\n\t\t\t\tsetStartDirectory(dbUser.Filters.StartDirectory, cc)\n\t\t\t\tdataprovider.UpdateLastLogin(&dbUser)\n\t\t\t\treturn connection, nil\n\t\t\t}\n\t\t}\n\t}\n\n\treturn nil, nil\n}\n\nfunc (s *Server) buildTLSConfig() {\n\tif certMgr != nil {\n\t\tcertID := common.DefaultTLSKeyPaidID\n\t\tif getConfigPath(s.binding.CertificateFile, \"\") != \"\" && getConfigPath(s.binding.CertificateKeyFile, \"\") != \"\" {\n\t\t\tcertID = s.binding.GetAddress()\n\t\t}\n\t\tif !certMgr.HasCertificate(certID) {\n\t\t\treturn\n\t\t}\n\t\ts.tlsConfig = &tls.Config{\n\t\t\tGetCertificate: certMgr.GetCertificateFunc(certID),\n\t\t\tMinVersion: util.GetTLSVersion(s.binding.MinTLSVersion),\n\t\t\tCipherSuites: s.binding.ciphers,\n\t\t}\n\t\tlogger.Debug(logSender, \"\", \"configured TLS cipher suites for binding %q: %v, certID: %v\",\n\t\t\ts.binding.GetAddress(), s.binding.ciphers, certID)\n\t\tif s.binding.isMutualTLSEnabled() {\n\t\t\ts.tlsConfig.ClientCAs = certMgr.GetRootCAs()\n\t\t\ts.tlsConfig.VerifyConnection = s.verifyTLSConnection\n\t\t\tswitch s.binding.ClientAuthType {\n\t\t\tcase 1:\n\t\t\t\ts.tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert\n\t\t\tcase 2:\n\t\t\t\ts.tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven\n\t\t\t}\n\t\t}\n\t}\n}\n\n// GetTLSConfig returns the TLS configuration for this server\nfunc (s *Server) GetTLSConfig() (*tls.Config, error) {\n\tif s.tlsConfig != nil {\n\t\treturn s.tlsConfig, nil\n\t}\n\treturn nil, errors.New(\"no TLS certificate configured\")\n}\n\n// VerifyTLSConnectionState implements the MainDriverExtensionTLSConnectionStateVerifier extension\nfunc (s *Server) VerifyTLSConnectionState(_ ftpserver.ClientContext, cs tls.ConnectionState) error {\n\tif !s.binding.isMutualTLSEnabled() {\n\t\treturn nil\n\t}\n\treturn s.verifyTLSConnection(cs)\n}\n\nfunc (s *Server) verifyTLSConnection(state tls.ConnectionState) error {\n\tif certMgr != nil {\n\t\tvar clientCrt *x509.Certificate\n\t\tvar clientCrtName string\n\t\tif len(state.PeerCertificates) > 0 {\n\t\t\tclientCrt = state.PeerCertificates[0]\n\t\t\tclientCrtName = clientCrt.Subject.String()\n\t\t}\n\t\tif len(state.VerifiedChains) == 0 {\n\t\t\tif s.binding.ClientAuthType == 2 {\n\t\t\t\treturn nil\n\t\t\t}\n\t\t\tlogger.Warn(logSender, \"\", \"TLS connection cannot be verified: unable to get verification chain\")\n\t\t\treturn errors.New(\"TLS connection cannot be verified: unable to get verification chain\")\n\t\t}\n\t\tfor _, verifiedChain := range state.VerifiedChains {\n\t\t\tvar caCrt *x509.Certificate\n\t\t\tif len(verifiedChain) > 0 {\n\t\t\t\tcaCrt = verifiedChain[len(verifiedChain)-1]\n\t\t\t}\n\t\t\tif certMgr.IsRevoked(clientCrt, caCrt) {\n\t\t\t\tlogger.Debug(logSender, \"\", \"tls handshake error, client certificate %q has beed revoked\", clientCrtName)\n\t\t\t\treturn common.ErrCrtRevoked\n\t\t\t}\n\t\t}\n\t}\n\n\treturn nil\n}\n\nfunc (s *Server) validateUser(user dataprovider.User, cc ftpserver.ClientContext, loginMethod string) (*Connection, error) {\n\tconnectionID := fmt.Sprintf(\"%v_%v_%v\", common.ProtocolFTP, s.ID, cc.ID())\n\tif !filepath.IsAbs(user.HomeDir) {\n\t\tlogger.Warn(logSender, connectionID, \"user %q has an invalid home dir: %q. Home dir must be an absolute path, login not allowed\",\n\t\t\tuser.Username, user.HomeDir)\n\t\treturn nil, fmt.Errorf(\"cannot login user with invalid home dir: %q\", user.HomeDir)\n\t}\n\tif slices.Contains(user.Filters.DeniedProtocols, common.ProtocolFTP) {\n\t\tlogger.Info(logSender, connectionID, \"cannot login user %q, protocol FTP is not allowed\", user.Username)\n\t\treturn nil, fmt.Errorf(\"protocol FTP is not allowed for user %q\", user.Username)\n\t}\n\tif !user.IsLoginMethodAllowed(loginMethod, common.ProtocolFTP) {\n\t\tlogger.Info(logSender, connectionID, \"cannot login user %q, %v login method is not allowed\",\n\t\t\tuser.Username, loginMethod)\n\t\treturn nil, fmt.Errorf(\"login method %v is not allowed for user %q\", loginMethod, user.Username)\n\t}\n\tif user.MustSetSecondFactorForProtocol(common.ProtocolFTP) {\n\t\tlogger.Info(logSender, connectionID, \"cannot login user %q, second factor authentication is not set\",\n\t\t\tuser.Username)\n\t\treturn nil, fmt.Errorf(\"second factor authentication is not set for user %q\", user.Username)\n\t}\n\tif user.MaxSessions > 0 {\n\t\tactiveSessions := common.Connections.GetActiveSessions(user.Username)\n\t\tif activeSessions >= user.MaxSessions {\n\t\t\tlogger.Info(logSender, connectionID, \"authentication refused for user: %q, too many open sessions: %v/%v\",\n\t\t\t\tuser.Username, activeSessions, user.MaxSessions)\n\t\t\treturn nil, fmt.Errorf(\"too many open sessions: %v\", activeSessions)\n\t\t}\n\t}\n\tremoteAddr := cc.RemoteAddr().String()\n\tif !user.IsLoginFromAddrAllowed(remoteAddr) {\n\t\tlogger.Info(logSender, connectionID, \"cannot login user %q, remote address is not allowed: %v\",\n\t\t\tuser.Username, remoteAddr)\n\t\treturn nil, fmt.Errorf(\"login for user %q is not allowed from this address: %v\", user.Username, remoteAddr)\n\t}\n\terr := user.CheckFsRoot(connectionID)\n\tif err != nil {\n\t\terrClose := user.CloseFs()\n\t\tlogger.Warn(logSender, connectionID, \"unable to check fs root: %v close fs error: %v\", err, errClose)\n\t\treturn nil, common.ErrInternalFailure\n\t}\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(fmt.Sprintf(\"%v_%v\", s.ID, cc.ID()), common.ProtocolFTP,\n\t\t\tcc.LocalAddr().String(), remoteAddr, user),\n\t\tclientContext: cc,\n\t}\n\terr = common.Connections.Swap(connection)\n\tif err != nil {\n\t\terrClose := user.CloseFs()\n\t\tlogger.Warn(logSender, connectionID, \"unable to swap connection: %v, close fs error: %v\", err, errClose)\n\t\treturn nil, err\n\t}\n\treturn connection, nil\n}\n\nfunc setStartDirectory(startDirectory string, cc ftpserver.ClientContext) {\n\tif startDirectory == \"\" {\n\t\treturn\n\t}\n\tcc.SetPath(startDirectory)\n}\n\nfunc updateLoginMetrics(user *dataprovider.User, ip, loginMethod string, err error, c *Connection) {\n\tmetric.AddLoginAttempt(loginMethod)\n\tif err == nil {\n\t\tinfo := \"\"\n\t\tif tlsState, ok := c.clientContext.Extra().(*tlsState); ok && tlsState != nil {\n\t\t\tinfo = fmt.Sprintf(\"%s - %s - %s\", tlsState.Version, tlsState.Cipher, tlsState.KEX)\n\t\t}\n\t\tlogger.LoginLog(user.Username, ip, loginMethod, common.ProtocolFTP, c.ID, c.GetClientVersion(),\n\t\t\tc.clientContext.HasTLSForControl(), info)\n\t\tplugin.Handler.NotifyLogEvent(notifier.LogEventTypeLoginOK, common.ProtocolFTP, user.Username, ip, \"\", nil)\n\t\tcommon.DelayLogin(nil)\n\t} else if err != common.ErrInternalFailure {\n\t\tlogger.ConnectionFailedLog(user.Username, ip, loginMethod, common.ProtocolFTP, err.Error())\n\t\tevent := common.HostEventLoginFailed\n\t\tlogEv := notifier.LogEventTypeLoginFailed\n\t\tif errors.Is(err, util.ErrNotFound) {\n\t\t\tevent = common.HostEventUserNotFound\n\t\t\tlogEv = notifier.LogEventTypeLoginNoUser\n\t\t}\n\t\tcommon.AddDefenderEvent(ip, common.ProtocolFTP, event)\n\t\tplugin.Handler.NotifyLogEvent(logEv, common.ProtocolFTP, user.Username, ip, \"\", err)\n\t\tif loginMethod != dataprovider.LoginMethodTLSCertificate {\n\t\t\tcommon.DelayLogin(err)\n\t\t}\n\t}\n\tmetric.AddLoginResult(loginMethod, err)\n\tdataprovider.ExecutePostLoginHook(user, loginMethod, ip, common.ProtocolFTP, err)\n}\n" }, { "path": "internal/ftpd/transfer.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage ftpd\n\nimport (\n\t\"errors\"\n\t\"io\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\n// transfer contains the transfer details for an upload or a download.\n// It implements the ftpserver.FileTransfer interface to handle files downloads and uploads\ntype transfer struct {\n\t*common.BaseTransfer\n\twriter io.WriteCloser\n\treader io.ReadCloser\n\tisFinished bool\n\texpectedOffset int64\n}\n\nfunc newTransfer(baseTransfer *common.BaseTransfer, pipeWriter vfs.PipeWriter, pipeReader vfs.PipeReader,\n\texpectedOffset int64) *transfer {\n\tvar writer io.WriteCloser\n\tvar reader io.ReadCloser\n\tif baseTransfer.File != nil {\n\t\twriter = baseTransfer.File\n\t\treader = baseTransfer.File\n\t} else if pipeWriter != nil {\n\t\twriter = pipeWriter\n\t} else if pipeReader != nil {\n\t\treader = pipeReader\n\t}\n\treturn &transfer{\n\t\tBaseTransfer: baseTransfer,\n\t\twriter: writer,\n\t\treader: reader,\n\t\tisFinished: false,\n\t\texpectedOffset: expectedOffset,\n\t}\n}\n\n// Read reads the contents to downloads.\nfunc (t *transfer) Read(p []byte) (n int, err error) {\n\tt.Connection.UpdateLastActivity()\n\n\tn, err = t.reader.Read(p)\n\tt.BytesSent.Add(int64(n))\n\n\tif err == nil {\n\t\terr = t.CheckRead()\n\t}\n\tif err != nil && err != io.EOF {\n\t\tt.TransferError(err)\n\t\terr = t.ConvertError(err)\n\t\treturn\n\t}\n\tt.HandleThrottle()\n\treturn\n}\n\n// Write writes the uploaded contents.\nfunc (t *transfer) Write(p []byte) (n int, err error) {\n\tt.Connection.UpdateLastActivity()\n\n\tn, err = t.writer.Write(p)\n\tt.BytesReceived.Add(int64(n))\n\n\tif err == nil {\n\t\terr = t.CheckWrite()\n\t}\n\tif err != nil {\n\t\tt.TransferError(err)\n\t\terr = t.ConvertError(err)\n\t\treturn\n\t}\n\tt.HandleThrottle()\n\treturn\n}\n\n// Seek sets the offset to resume an upload or a download\nfunc (t *transfer) Seek(offset int64, whence int) (int64, error) {\n\tt.Connection.UpdateLastActivity()\n\tif t.File != nil {\n\t\tret, err := t.File.Seek(offset, whence)\n\t\tif err != nil {\n\t\t\tt.TransferError(err)\n\t\t}\n\t\treturn ret, err\n\t}\n\tif (t.reader != nil || t.writer != nil) && t.expectedOffset == offset && whence == io.SeekStart {\n\t\treturn offset, nil\n\t}\n\tt.TransferError(errors.New(\"seek is unsupported for this transfer\"))\n\treturn 0, common.ErrOpUnsupported\n}\n\n// Close it is called when the transfer is completed.\nfunc (t *transfer) Close() error {\n\tif err := t.setFinished(); err != nil {\n\t\treturn err\n\t}\n\terr := t.closeIO()\n\terrBaseClose := t.BaseTransfer.Close()\n\tif errBaseClose != nil {\n\t\terr = errBaseClose\n\t}\n\treturn t.Connection.GetFsError(t.Fs, err)\n}\n\nfunc (t *transfer) closeIO() error {\n\tvar err error\n\tif t.File != nil {\n\t\terr = t.File.Close()\n\t} else if t.writer != nil {\n\t\terr = t.writer.Close()\n\t\tt.Lock()\n\t\t// we set ErrTransfer here so quota is not updated, in this case the uploads are atomic\n\t\tif err != nil && t.ErrTransfer == nil {\n\t\t\tt.ErrTransfer = err\n\t\t}\n\t\tt.Unlock()\n\t} else if t.reader != nil {\n\t\terr = t.reader.Close()\n\t\tif metadater, ok := t.reader.(vfs.Metadater); ok {\n\t\t\tt.SetMetadata(metadater.Metadata())\n\t\t}\n\t}\n\treturn err\n}\n\nfunc (t *transfer) setFinished() error {\n\tt.Lock()\n\tdefer t.Unlock()\n\tif t.isFinished {\n\t\treturn common.ErrTransferClosed\n\t}\n\tt.isFinished = true\n\treturn nil\n}\n" }, { "path": "internal/httpclient/httpclient.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n// Package httpclient provides HTTP client configuration for SFTPGo hooks\npackage httpclient\n\nimport (\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/hashicorp/go-retryablehttp\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\n// TLSKeyPair defines the paths for a TLS key pair\ntype TLSKeyPair struct {\n\tCert string `json:\"cert\" mapstructure:\"cert\"`\n\tKey string `json:\"key\" mapstructure:\"key\"`\n}\n\n// Header defines an HTTP header.\n// If the URL is not empty, the header is added only if the\n// requested URL starts with the one specified\ntype Header struct {\n\tKey string `json:\"key\" mapstructure:\"key\"`\n\tValue string `json:\"value\" mapstructure:\"value\"`\n\tURL string `json:\"url\" mapstructure:\"url\"`\n}\n\n// Config defines the configuration for HTTP clients.\n// HTTP clients are used for executing hooks such as the ones used for\n// custom actions, external authentication and pre-login user modifications\ntype Config struct {\n\t// Timeout specifies a time limit, in seconds, for a request\n\tTimeout float64 `json:\"timeout\" mapstructure:\"timeout\"`\n\t// RetryWaitMin defines the minimum waiting time between attempts in seconds\n\tRetryWaitMin int `json:\"retry_wait_min\" mapstructure:\"retry_wait_min\"`\n\t// RetryWaitMax defines the minimum waiting time between attempts in seconds\n\tRetryWaitMax int `json:\"retry_wait_max\" mapstructure:\"retry_wait_max\"`\n\t// RetryMax defines the maximum number of attempts\n\tRetryMax int `json:\"retry_max\" mapstructure:\"retry_max\"`\n\t// CACertificates defines extra CA certificates to trust.\n\t// The paths can be absolute or relative to the config dir.\n\t// Adding trusted CA certificates is a convenient way to use self-signed\n\t// certificates without defeating the purpose of using TLS\n\tCACertificates []string `json:\"ca_certificates\" mapstructure:\"ca_certificates\"`\n\t// Certificates defines the certificates to use for mutual TLS\n\tCertificates []TLSKeyPair `json:\"certificates\" mapstructure:\"certificates\"`\n\t// if enabled the HTTP client accepts any TLS certificate presented by\n\t// the server and any host name in that certificate.\n\t// In this mode, TLS is susceptible to man-in-the-middle attacks.\n\t// This should be used only for testing.\n\tSkipTLSVerify bool `json:\"skip_tls_verify\" mapstructure:\"skip_tls_verify\"`\n\t// Headers defines a list of http headers to add to each request\n\tHeaders []Header `json:\"headers\" mapstructure:\"headers\"`\n\tcustomTransport *http.Transport\n}\n\nconst logSender = \"httpclient\"\n\nvar httpConfig Config\n\n// Initialize configures HTTP clients\nfunc (c *Config) Initialize(configDir string) error {\n\tif c.Timeout <= 0 {\n\t\treturn fmt.Errorf(\"invalid timeout: %v\", c.Timeout)\n\t}\n\trootCAs, err := c.loadCACerts(configDir)\n\tif err != nil {\n\t\treturn err\n\t}\n\tcustomTransport := http.DefaultTransport.(*http.Transport).Clone()\n\tif customTransport.TLSClientConfig != nil {\n\t\tcustomTransport.TLSClientConfig.RootCAs = rootCAs\n\t} else {\n\t\tcustomTransport.TLSClientConfig = &tls.Config{\n\t\t\tRootCAs: rootCAs,\n\t\t}\n\t}\n\tcustomTransport.TLSClientConfig.InsecureSkipVerify = c.SkipTLSVerify\n\tc.customTransport = customTransport\n\n\terr = c.loadCertificates(configDir)\n\tif err != nil {\n\t\treturn err\n\t}\n\tvar headers []Header\n\tfor _, h := range c.Headers {\n\t\tif h.Key != \"\" && h.Value != \"\" {\n\t\t\theaders = append(headers, h)\n\t\t}\n\t}\n\tc.Headers = headers\n\thttpConfig = *c\n\treturn nil\n}\n\n// loadCACerts returns system cert pools and try to add the configured\n// CA certificates to it\nfunc (c *Config) loadCACerts(configDir string) (*x509.CertPool, error) {\n\tif len(c.CACertificates) == 0 {\n\t\treturn nil, nil\n\t}\n\trootCAs, err := x509.SystemCertPool()\n\tif err != nil {\n\t\trootCAs = x509.NewCertPool()\n\t}\n\n\tfor _, ca := range c.CACertificates {\n\t\tif !util.IsFileInputValid(ca) {\n\t\t\treturn nil, fmt.Errorf(\"unable to load invalid CA certificate: %q\", ca)\n\t\t}\n\t\tif !filepath.IsAbs(ca) {\n\t\t\tca = filepath.Join(configDir, ca)\n\t\t}\n\t\tcerts, err := os.ReadFile(ca)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"unable to load CA certificate: %v\", err)\n\t\t}\n\t\tif rootCAs.AppendCertsFromPEM(certs) {\n\t\t\tlogger.Debug(logSender, \"\", \"CA certificate %q added to the trusted certificates\", ca)\n\t\t} else {\n\t\t\treturn nil, fmt.Errorf(\"unable to add CA certificate %q to the trusted cetificates\", ca)\n\t\t}\n\t}\n\treturn rootCAs, nil\n}\n\nfunc (c *Config) loadCertificates(configDir string) error {\n\tif len(c.Certificates) == 0 {\n\t\treturn nil\n\t}\n\n\tfor _, keyPair := range c.Certificates {\n\t\tcert := keyPair.Cert\n\t\tkey := keyPair.Key\n\t\tif !util.IsFileInputValid(cert) {\n\t\t\treturn fmt.Errorf(\"unable to load invalid certificate: %q\", cert)\n\t\t}\n\t\tif !util.IsFileInputValid(key) {\n\t\t\treturn fmt.Errorf(\"unable to load invalid key: %q\", key)\n\t\t}\n\t\tif !filepath.IsAbs(cert) {\n\t\t\tcert = filepath.Join(configDir, cert)\n\t\t}\n\t\tif !filepath.IsAbs(key) {\n\t\t\tkey = filepath.Join(configDir, key)\n\t\t}\n\t\ttlsCert, err := tls.LoadX509KeyPair(cert, key)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"unable to load key pair %q, %q: %v\", cert, key, err)\n\t\t}\n\t\tx509Cert, err := x509.ParseCertificate(tlsCert.Certificate[0])\n\t\tif err == nil {\n\t\t\tlogger.Debug(logSender, \"\", \"adding leaf certificate for key pair %q, %q\", cert, key)\n\t\t\ttlsCert.Leaf = x509Cert\n\t\t}\n\t\tlogger.Debug(logSender, \"\", \"client certificate %q and key %q successfully loaded\", cert, key)\n\t\tc.customTransport.TLSClientConfig.Certificates = append(c.customTransport.TLSClientConfig.Certificates, tlsCert)\n\t}\n\treturn nil\n}\n\n// GetHTTPClient returns a new HTTP client with the configured parameters\nfunc GetHTTPClient() *http.Client {\n\treturn &http.Client{\n\t\tTimeout: time.Duration(httpConfig.Timeout * float64(time.Second)),\n\t\tTransport: httpConfig.customTransport,\n\t}\n}\n\n// GetRetraybleHTTPClient returns an HTTP client that retry a request on error.\n// It uses the configured retry parameters\nfunc GetRetraybleHTTPClient() *retryablehttp.Client {\n\tclient := retryablehttp.NewClient()\n\tclient.HTTPClient.Timeout = time.Duration(httpConfig.Timeout * float64(time.Second))\n\tclient.HTTPClient.Transport.(*http.Transport).TLSClientConfig = httpConfig.customTransport.TLSClientConfig\n\tclient.Logger = &logger.LeveledLogger{Sender: \"RetryableHTTPClient\"}\n\tclient.RetryWaitMin = time.Duration(httpConfig.RetryWaitMin) * time.Second\n\tclient.RetryWaitMax = time.Duration(httpConfig.RetryWaitMax) * time.Second\n\tclient.RetryMax = httpConfig.RetryMax\n\n\treturn client\n}\n\n// Get issues a GET to the specified URL\nfunc Get(url string) (*http.Response, error) {\n\treq, err := http.NewRequest(http.MethodGet, url, nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\taddHeaders(req, url)\n\tclient := GetHTTPClient()\n\tdefer client.CloseIdleConnections()\n\n\treturn client.Do(req)\n}\n\n// Post issues a POST to the specified URL\nfunc Post(url string, contentType string, body io.Reader) (*http.Response, error) {\n\treq, err := http.NewRequest(http.MethodPost, url, body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treq.Header.Set(\"Content-Type\", contentType)\n\taddHeaders(req, url)\n\tclient := GetHTTPClient()\n\tdefer client.CloseIdleConnections()\n\n\treturn client.Do(req)\n}\n\n// RetryableGet issues a GET to the specified URL using the retryable client\nfunc RetryableGet(url string) (*http.Response, error) {\n\treq, err := retryablehttp.NewRequest(http.MethodGet, url, nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\taddHeadersToRetryableReq(req, url)\n\tclient := GetRetraybleHTTPClient()\n\tdefer client.HTTPClient.CloseIdleConnections()\n\n\treturn client.Do(req)\n}\n\n// RetryablePost issues a POST to the specified URL using the retryable client\nfunc RetryablePost(url string, contentType string, body io.Reader) (*http.Response, error) {\n\treq, err := retryablehttp.NewRequest(http.MethodPost, url, body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treq.Header.Set(\"Content-Type\", contentType)\n\taddHeadersToRetryableReq(req, url)\n\tclient := GetRetraybleHTTPClient()\n\tdefer client.HTTPClient.CloseIdleConnections()\n\n\treturn client.Do(req)\n}\n\nfunc addHeaders(req *http.Request, url string) {\n\tfor idx := range httpConfig.Headers {\n\t\th := &httpConfig.Headers[idx]\n\t\tif h.URL == \"\" || strings.HasPrefix(url, h.URL) {\n\t\t\treq.Header.Set(h.Key, h.Value)\n\t\t}\n\t}\n}\n\nfunc addHeadersToRetryableReq(req *retryablehttp.Request, url string) {\n\tfor idx := range httpConfig.Headers {\n\t\th := &httpConfig.Headers[idx]\n\t\tif h.URL == \"\" || strings.HasPrefix(url, h.URL) {\n\t\t\treq.Header.Set(h.Key, h.Value)\n\t\t}\n\t}\n}\n" }, { "path": "internal/httpd/api_admin.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"net/url\"\n\n\t\"github.com/go-chi/render\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/jwt\"\n\t\"github.com/drakkan/sftpgo/v2/internal/smtp\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nfunc getAdmins(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tlimit, offset, order, err := getSearchFilters(w, r)\n\tif err != nil {\n\t\treturn\n\t}\n\n\tadmins, err := dataprovider.GetAdmins(limit, offset, order)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\trender.JSON(w, r, admins)\n}\n\nfunc getAdminByUsername(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tusername := getURLParam(r, \"username\")\n\trenderAdmin(w, r, username, http.StatusOK)\n}\n\nfunc renderAdmin(w http.ResponseWriter, r *http.Request, username string, status int) {\n\tadmin, err := dataprovider.AdminExists(username)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tadmin.HideConfidentialData()\n\tif status != http.StatusOK {\n\t\tctx := context.WithValue(r.Context(), render.StatusCtxKey, http.StatusCreated)\n\t\trender.JSON(w, r.WithContext(ctx), admin)\n\t} else {\n\t\trender.JSON(w, r, admin)\n\t}\n}\n\nfunc addAdmin(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tadmin := dataprovider.Admin{}\n\terr = render.DecodeJSON(r.Body, &admin)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\terr = dataprovider.AddAdmin(&admin, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tw.Header().Add(\"Location\", fmt.Sprintf(\"%s/%s\", adminPath, url.PathEscape(admin.Username)))\n\trenderAdmin(w, r, admin.Username, http.StatusCreated)\n}\n\nfunc disableAdmin2FA(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tadmin, err := dataprovider.AdminExists(getURLParam(r, \"username\"))\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tif !admin.Filters.TOTPConfig.Enabled {\n\t\tsendAPIResponse(w, r, nil, \"two-factor authentication is not enabled\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tif admin.Username == claims.Username {\n\t\tif admin.Filters.RequireTwoFactor {\n\t\t\terr := util.NewValidationError(\"two-factor authentication must be enabled\")\n\t\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\t\treturn\n\t\t}\n\t}\n\tadmin.Filters.RecoveryCodes = nil\n\tadmin.Filters.TOTPConfig = dataprovider.AdminTOTPConfig{\n\t\tEnabled: false,\n\t}\n\tif err := dataprovider.UpdateAdmin(&admin, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role); err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, nil, \"2FA disabled\", http.StatusOK)\n}\n\nfunc updateAdmin(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tusername := getURLParam(r, \"username\")\n\tadmin, err := dataprovider.AdminExists(username)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\n\tvar updatedAdmin dataprovider.Admin\n\terr = render.DecodeJSON(r.Body, &updatedAdmin)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tif username == claims.Username {\n\t\tif claims.APIKeyID != \"\" {\n\t\t\tsendAPIResponse(w, r, errors.New(\"updating the admin impersonated with an API key is not allowed\"), \"\",\n\t\t\t\thttp.StatusBadRequest)\n\t\t\treturn\n\t\t}\n\t\tif !util.SlicesEqual(admin.Permissions, updatedAdmin.Permissions) {\n\t\t\tsendAPIResponse(w, r, errors.New(\"you cannot change your permissions\"), \"\", http.StatusBadRequest)\n\t\t\treturn\n\t\t}\n\t\tif updatedAdmin.Status == 0 {\n\t\t\tsendAPIResponse(w, r, errors.New(\"you cannot disable yourself\"), \"\", http.StatusBadRequest)\n\t\t\treturn\n\t\t}\n\t\tif updatedAdmin.Role != claims.Role {\n\t\t\tsendAPIResponse(w, r, errors.New(\"you cannot add/change your role\"), \"\", http.StatusBadRequest)\n\t\t\treturn\n\t\t}\n\t\tupdatedAdmin.Filters.RequirePasswordChange = admin.Filters.RequirePasswordChange\n\t\tupdatedAdmin.Filters.RequireTwoFactor = admin.Filters.RequireTwoFactor\n\t}\n\tupdatedAdmin.ID = admin.ID\n\tupdatedAdmin.Username = admin.Username\n\tif updatedAdmin.Password == \"\" {\n\t\tupdatedAdmin.Password = admin.Password\n\t}\n\tupdatedAdmin.Filters.TOTPConfig = admin.Filters.TOTPConfig\n\tupdatedAdmin.Filters.RecoveryCodes = admin.Filters.RecoveryCodes\n\terr = dataprovider.UpdateAdmin(&updatedAdmin, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, nil, \"Admin updated\", http.StatusOK)\n}\n\nfunc deleteAdmin(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tusername := getURLParam(r, \"username\")\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tif username == claims.Username {\n\t\tsendAPIResponse(w, r, errors.New(\"you cannot delete yourself\"), \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\terr = dataprovider.DeleteAdmin(username, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, err, \"Admin deleted\", http.StatusOK)\n}\n\nfunc getAdminProfile(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tadmin, err := dataprovider.AdminExists(claims.Username)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tresp := adminProfile{\n\t\tbaseProfile: baseProfile{\n\t\t\tEmail: admin.Email,\n\t\t\tDescription: admin.Description,\n\t\t\tAllowAPIKeyAuth: admin.Filters.AllowAPIKeyAuth,\n\t\t},\n\t}\n\trender.JSON(w, r, resp)\n}\n\nfunc updateAdminProfile(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tadmin, err := dataprovider.AdminExists(claims.Username)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tvar req adminProfile\n\terr = render.DecodeJSON(r.Body, &req)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tadmin.Email = req.Email\n\tadmin.Description = req.Description\n\tadmin.Filters.AllowAPIKeyAuth = req.AllowAPIKeyAuth\n\tif err := dataprovider.UpdateAdmin(&admin, dataprovider.ActionExecutorSelf, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role); err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, err, \"Profile updated\", http.StatusOK)\n}\n\nfunc forgotAdminPassword(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tif !smtp.IsEnabled() {\n\t\tsendAPIResponse(w, r, nil, \"No SMTP configuration\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\terr := handleForgotPassword(r, getURLParam(r, \"username\"), true)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\n\tsendAPIResponse(w, r, err, \"Check your email for the confirmation code\", http.StatusOK)\n}\n\nfunc resetAdminPassword(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tvar req pwdReset\n\terr := render.DecodeJSON(r.Body, &req)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\t_, _, err = handleResetPassword(r, req.Code, req.Password, req.Password, true)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, err, \"Password reset successful\", http.StatusOK)\n}\n\nfunc changeAdminPassword(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tvar pwd pwdChange\n\terr := render.DecodeJSON(r.Body, &pwd)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\terr = doChangeAdminPassword(r, pwd.CurrentPassword, pwd.NewPassword, pwd.NewPassword)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tinvalidateToken(r)\n\tsendAPIResponse(w, r, err, \"Password updated\", http.StatusOK)\n}\n\nfunc doChangeAdminPassword(r *http.Request, currentPassword, newPassword, confirmNewPassword string) error {\n\tif currentPassword == \"\" || newPassword == \"\" || confirmNewPassword == \"\" {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"please provide the current password and the new one two times\"),\n\t\t\tutil.I18nErrorChangePwdRequiredFields,\n\t\t)\n\t}\n\tif newPassword != confirmNewPassword {\n\t\treturn util.NewI18nError(util.NewValidationError(\"the two password fields do not match\"), util.I18nErrorChangePwdNoMatch)\n\t}\n\tif currentPassword == newPassword {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"the new password must be different from the current one\"),\n\t\t\tutil.I18nErrorChangePwdNoDifferent,\n\t\t)\n\t}\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil {\n\t\treturn util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken)\n\t}\n\tadmin, err := dataprovider.AdminExists(claims.Username)\n\tif err != nil {\n\t\treturn err\n\t}\n\tmatch, err := admin.CheckPassword(currentPassword)\n\tif !match || err != nil {\n\t\treturn util.NewI18nError(util.NewValidationError(\"current password does not match\"), util.I18nErrorChangePwdCurrentNoMatch)\n\t}\n\n\tadmin.Password = newPassword\n\tadmin.Filters.RequirePasswordChange = false\n\n\treturn dataprovider.UpdateAdmin(&admin, dataprovider.ActionExecutorSelf, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n}\n" }, { "path": "internal/httpd/api_configs.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"net/http\"\n\n\t\"github.com/go-chi/render\"\n\t\"github.com/rs/xid\"\n\t\"golang.org/x/oauth2\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/smtp\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\ntype smtpTestRequest struct {\n\tsmtp.Config\n\tRecipient string `json:\"recipient\"`\n}\n\nfunc (r *smtpTestRequest) hasRedactedSecret() bool {\n\treturn r.Password == redactedSecret || r.OAuth2.ClientSecret == redactedSecret || r.OAuth2.RefreshToken == redactedSecret\n}\n\nfunc testSMTPConfig(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tvar req smtpTestRequest\n\terr := render.DecodeJSON(r.Body, &req)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tif req.hasRedactedSecret() {\n\t\tconfigs, err := dataprovider.GetConfigs()\n\t\tif err != nil {\n\t\t\tsendAPIResponse(w, r, err, \"\", http.StatusInternalServerError)\n\t\t\treturn\n\t\t}\n\t\tconfigs.SetNilsToEmpty()\n\t\tif err := configs.SMTP.TryDecrypt(); err == nil {\n\t\t\tif req.Password == redactedSecret {\n\t\t\t\treq.Password = configs.SMTP.Password.GetPayload()\n\t\t\t}\n\t\t\tif req.OAuth2.ClientSecret == redactedSecret {\n\t\t\t\treq.OAuth2.ClientSecret = configs.SMTP.OAuth2.ClientSecret.GetPayload()\n\t\t\t}\n\t\t\tif req.OAuth2.RefreshToken == redactedSecret {\n\t\t\t\treq.OAuth2.RefreshToken = configs.SMTP.OAuth2.RefreshToken.GetPayload()\n\t\t\t}\n\t\t}\n\t}\n\tif req.AuthType == 3 {\n\t\tif err := req.OAuth2.Validate(); err != nil {\n\t\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\t\treturn\n\t\t}\n\t}\n\tif err := req.SendEmail([]string{req.Recipient}, nil, \"SFTPGo - Testing Email Settings\",\n\t\t\"It appears your SFTPGo email is setup correctly!\", smtp.EmailContentTypeTextPlain); err != nil {\n\t\tlogger.Info(logSender, \"\", \"unable to send test email: %v\", err)\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusInternalServerError)\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, nil, \"SMTP connection OK\", http.StatusOK)\n}\n\ntype oauth2TokenRequest struct {\n\tsmtp.OAuth2Config\n\tBaseRedirectURL string `json:\"base_redirect_url\"`\n}\n\nfunc (s *httpdServer) handleSMTPOAuth2TokenRequestPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tvar req oauth2TokenRequest\n\terr := render.DecodeJSON(r.Body, &req)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tif req.BaseRedirectURL == \"\" {\n\t\tsendAPIResponse(w, r, nil, \"base redirect url is required\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tif req.ClientSecret == redactedSecret {\n\t\tconfigs, err := dataprovider.GetConfigs()\n\t\tif err != nil {\n\t\t\tsendAPIResponse(w, r, err, \"\", http.StatusInternalServerError)\n\t\t\treturn\n\t\t}\n\t\tconfigs.SetNilsToEmpty()\n\t\tif err := configs.SMTP.TryDecrypt(); err == nil {\n\t\t\treq.ClientSecret = configs.SMTP.OAuth2.ClientSecret.GetPayload()\n\t\t}\n\t}\n\tcfg := req.GetOAuth2()\n\tcfg.RedirectURL = req.BaseRedirectURL + webOAuth2RedirectPath\n\tclientSecret := kms.NewPlainSecret(cfg.ClientSecret)\n\tclientSecret.SetAdditionalData(xid.New().String())\n\tpendingAuth := newOAuth2PendingAuth(req.Provider, cfg.RedirectURL, cfg.ClientID, clientSecret)\n\toauth2Mgr.addPendingAuth(pendingAuth)\n\tstateToken := createOAuth2Token(s.csrfTokenAuth, pendingAuth.State, util.GetIPFromRemoteAddress(r.RemoteAddr))\n\tif stateToken == \"\" {\n\t\tsendAPIResponse(w, r, nil, \"unable to create state token\", http.StatusInternalServerError)\n\t\treturn\n\t}\n\tu := cfg.AuthCodeURL(stateToken, oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(pendingAuth.Verifier))\n\tsendAPIResponse(w, r, nil, u, http.StatusOK)\n}\n" }, { "path": "internal/httpd/api_defender.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"encoding/hex\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net\"\n\t\"net/http\"\n\n\t\"github.com/go-chi/render\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nfunc getDefenderHosts(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\thosts, err := common.GetDefenderHosts()\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tif hosts == nil {\n\t\trender.JSON(w, r, make([]dataprovider.DefenderEntry, 0))\n\t\treturn\n\t}\n\trender.JSON(w, r, hosts)\n}\n\nfunc getDefenderHostByID(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tip, err := getIPFromID(r)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\thost, err := common.GetDefenderHost(ip)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\trender.JSON(w, r, host)\n}\n\nfunc deleteDefenderHostByID(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tip, err := getIPFromID(r)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tif !common.DeleteDefenderHost(ip) {\n\t\tsendAPIResponse(w, r, nil, \"Not found\", http.StatusNotFound)\n\t\treturn\n\t}\n\n\tsendAPIResponse(w, r, nil, \"OK\", http.StatusOK)\n}\n\nfunc getIPFromID(r *http.Request) (string, error) {\n\tdecoded, err := hex.DecodeString(getURLParam(r, \"id\"))\n\tif err != nil {\n\t\treturn \"\", errors.New(\"invalid host id\")\n\t}\n\tip := util.BytesToString(decoded)\n\terr = validateIPAddress(ip)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn ip, nil\n}\n\nfunc validateIPAddress(ip string) error {\n\tif net.ParseIP(ip) == nil {\n\t\treturn fmt.Errorf(\"ip address %q is not valid\", ip)\n\t}\n\treturn nil\n}\n" }, { "path": "internal/httpd/api_eventrule.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"net/url\"\n\n\t\"github.com/go-chi/render\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/jwt\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nfunc getEventActions(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tlimit, offset, order, err := getSearchFilters(w, r)\n\tif err != nil {\n\t\treturn\n\t}\n\n\tactions, err := dataprovider.GetEventActions(limit, offset, order, false)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusInternalServerError)\n\t\treturn\n\t}\n\trender.JSON(w, r, actions)\n}\n\nfunc renderEventAction(w http.ResponseWriter, r *http.Request, name string, claims *jwt.Claims, status int) {\n\taction, err := dataprovider.EventActionExists(name)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tif hideConfidentialData(claims, r) {\n\t\taction.PrepareForRendering()\n\t}\n\tif status != http.StatusOK {\n\t\tctx := context.WithValue(r.Context(), render.StatusCtxKey, status)\n\t\trender.JSON(w, r.WithContext(ctx), action)\n\t} else {\n\t\trender.JSON(w, r, action)\n\t}\n}\n\nfunc getEventActionByName(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tname := getURLParam(r, \"name\")\n\trenderEventAction(w, r, name, claims, http.StatusOK)\n}\n\nfunc addEventAction(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tvar action dataprovider.BaseEventAction\n\terr = render.DecodeJSON(r.Body, &action)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\terr = dataprovider.AddEventAction(&action, claims.Username, ipAddr, claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tw.Header().Add(\"Location\", fmt.Sprintf(\"%s/%s\", eventActionsPath, url.PathEscape(action.Name)))\n\trenderEventAction(w, r, action.Name, claims, http.StatusCreated)\n}\n\nfunc updateEventAction(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\tname := getURLParam(r, \"name\")\n\taction, err := dataprovider.EventActionExists(name)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\n\tvar updatedAction dataprovider.BaseEventAction\n\terr = render.DecodeJSON(r.Body, &updatedAction)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tupdatedAction.ID = action.ID\n\tupdatedAction.Name = action.Name\n\tupdatedAction.Options.SetEmptySecretsIfNil()\n\n\tswitch updatedAction.Type {\n\tcase dataprovider.ActionTypeHTTP:\n\t\tif updatedAction.Options.HTTPConfig.Password.IsNotPlainAndNotEmpty() {\n\t\t\tupdatedAction.Options.HTTPConfig.Password = action.Options.HTTPConfig.Password\n\t\t}\n\t}\n\n\terr = dataprovider.UpdateEventAction(&updatedAction, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, nil, \"Event action updated\", http.StatusOK)\n}\n\nfunc deleteEventAction(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tname := getURLParam(r, \"name\")\n\terr = dataprovider.DeleteEventAction(name, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, err, \"Event action deleted\", http.StatusOK)\n}\n\nfunc getEventRules(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tlimit, offset, order, err := getSearchFilters(w, r)\n\tif err != nil {\n\t\treturn\n\t}\n\n\trules, err := dataprovider.GetEventRules(limit, offset, order)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusInternalServerError)\n\t\treturn\n\t}\n\trender.JSON(w, r, rules)\n}\n\nfunc renderEventRule(w http.ResponseWriter, r *http.Request, name string, claims *jwt.Claims, status int) {\n\trule, err := dataprovider.EventRuleExists(name)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tif hideConfidentialData(claims, r) {\n\t\trule.PrepareForRendering()\n\t}\n\tif status != http.StatusOK {\n\t\tctx := context.WithValue(r.Context(), render.StatusCtxKey, status)\n\t\trender.JSON(w, r.WithContext(ctx), rule)\n\t} else {\n\t\trender.JSON(w, r, rule)\n\t}\n}\n\nfunc getEventRuleByName(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tname := getURLParam(r, \"name\")\n\trenderEventRule(w, r, name, claims, http.StatusOK)\n}\n\nfunc addEventRule(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tvar rule dataprovider.EventRule\n\terr = render.DecodeJSON(r.Body, &rule)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := dataprovider.AddEventRule(&rule, claims.Username, ipAddr, claims.Role); err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tw.Header().Add(\"Location\", fmt.Sprintf(\"%s/%s\", eventRulesPath, url.PathEscape(rule.Name)))\n\trenderEventRule(w, r, rule.Name, claims, http.StatusCreated)\n}\n\nfunc updateEventRule(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\trule, err := dataprovider.EventRuleExists(getURLParam(r, \"name\"))\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\n\tvar updatedRule dataprovider.EventRule\n\terr = render.DecodeJSON(r.Body, &updatedRule)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tupdatedRule.ID = rule.ID\n\tupdatedRule.Name = rule.Name\n\n\terr = dataprovider.UpdateEventRule(&updatedRule, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, nil, \"Event rules updated\", http.StatusOK)\n}\n\nfunc deleteEventRule(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tname := getURLParam(r, \"name\")\n\terr = dataprovider.DeleteEventRule(name, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, nil, \"Event rule deleted\", http.StatusOK)\n}\n\nfunc runOnDemandRule(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tname := getURLParam(r, \"name\")\n\tif err := common.RunOnDemandRule(name); err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, nil, \"Event rule started\", http.StatusAccepted)\n}\n" }, { "path": "internal/httpd/api_events.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"encoding/csv\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"strconv\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/sftpgo/sdk/plugin/eventsearcher\"\n\t\"github.com/sftpgo/sdk/plugin/notifier\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/jwt\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nfunc getCommonSearchParamsFromRequest(r *http.Request) (eventsearcher.CommonSearchParams, error) {\n\tc := eventsearcher.CommonSearchParams{}\n\tc.Limit = 100\n\n\tif _, ok := r.URL.Query()[\"limit\"]; ok {\n\t\tlimit, err := strconv.Atoi(r.URL.Query().Get(\"limit\"))\n\t\tif err != nil {\n\t\t\treturn c, util.NewValidationError(fmt.Sprintf(\"invalid limit: %v\", err))\n\t\t}\n\t\tif limit < 1 || limit > 1000 {\n\t\t\treturn c, util.NewValidationError(fmt.Sprintf(\"limit is out of the 1-1000 range: %v\", limit))\n\t\t}\n\t\tc.Limit = limit\n\t}\n\tif _, ok := r.URL.Query()[\"order\"]; ok {\n\t\torder := r.URL.Query().Get(\"order\")\n\t\tif order != dataprovider.OrderASC && order != dataprovider.OrderDESC {\n\t\t\treturn c, util.NewValidationError(fmt.Sprintf(\"invalid order %q\", order))\n\t\t}\n\t\tif order == dataprovider.OrderASC {\n\t\t\tc.Order = 1\n\t\t}\n\t}\n\tif _, ok := r.URL.Query()[\"start_timestamp\"]; ok {\n\t\tts, err := strconv.ParseInt(r.URL.Query().Get(\"start_timestamp\"), 10, 64)\n\t\tif err != nil {\n\t\t\treturn c, util.NewValidationError(fmt.Sprintf(\"invalid start_timestamp: %v\", err))\n\t\t}\n\t\tc.StartTimestamp = ts\n\t}\n\tif _, ok := r.URL.Query()[\"end_timestamp\"]; ok {\n\t\tts, err := strconv.ParseInt(r.URL.Query().Get(\"end_timestamp\"), 10, 64)\n\t\tif err != nil {\n\t\t\treturn c, util.NewValidationError(fmt.Sprintf(\"invalid end_timestamp: %v\", err))\n\t\t}\n\t\tc.EndTimestamp = ts\n\t}\n\tc.Username = strings.TrimSpace(r.URL.Query().Get(\"username\"))\n\tc.IP = strings.TrimSpace(r.URL.Query().Get(\"ip\"))\n\tc.InstanceIDs = getCommaSeparatedQueryParam(r, \"instance_ids\")\n\tc.FromID = r.URL.Query().Get(\"from_id\")\n\n\treturn c, nil\n}\n\nfunc getFsSearchParamsFromRequest(r *http.Request) (eventsearcher.FsEventSearch, error) {\n\tvar err error\n\ts := eventsearcher.FsEventSearch{}\n\ts.CommonSearchParams, err = getCommonSearchParamsFromRequest(r)\n\tif err != nil {\n\t\treturn s, err\n\t}\n\ts.FsProvider = -1\n\tif _, ok := r.URL.Query()[\"fs_provider\"]; ok {\n\t\tprovider := r.URL.Query().Get(\"fs_provider\")\n\t\tval, err := strconv.Atoi(provider)\n\t\tif err != nil {\n\t\t\treturn s, util.NewValidationError(fmt.Sprintf(\"invalid fs_provider: %v\", provider))\n\t\t}\n\t\ts.FsProvider = val\n\t}\n\ts.Actions = getCommaSeparatedQueryParam(r, \"actions\")\n\ts.SSHCmd = strings.TrimSpace(r.URL.Query().Get(\"ssh_cmd\"))\n\ts.Bucket = strings.TrimSpace(r.URL.Query().Get(\"bucket\"))\n\ts.Endpoint = strings.TrimSpace(r.URL.Query().Get(\"endpoint\"))\n\ts.Protocols = getCommaSeparatedQueryParam(r, \"protocols\")\n\tstatuses := getCommaSeparatedQueryParam(r, \"statuses\")\n\tfor _, status := range statuses {\n\t\tval, err := strconv.ParseInt(status, 10, 32)\n\t\tif err != nil {\n\t\t\treturn s, util.NewValidationError(fmt.Sprintf(\"invalid status: %v\", status))\n\t\t}\n\t\ts.Statuses = append(s.Statuses, int32(val))\n\t}\n\n\treturn s, nil\n}\n\nfunc getProviderSearchParamsFromRequest(r *http.Request) (eventsearcher.ProviderEventSearch, error) {\n\tvar err error\n\ts := eventsearcher.ProviderEventSearch{}\n\ts.CommonSearchParams, err = getCommonSearchParamsFromRequest(r)\n\tif err != nil {\n\t\treturn s, err\n\t}\n\ts.Actions = getCommaSeparatedQueryParam(r, \"actions\")\n\ts.ObjectName = strings.TrimSpace(r.URL.Query().Get(\"object_name\"))\n\ts.ObjectTypes = getCommaSeparatedQueryParam(r, \"object_types\")\n\treturn s, nil\n}\n\nfunc getLogSearchParamsFromRequest(r *http.Request) (eventsearcher.LogEventSearch, error) {\n\tvar err error\n\ts := eventsearcher.LogEventSearch{}\n\ts.CommonSearchParams, err = getCommonSearchParamsFromRequest(r)\n\tif err != nil {\n\t\treturn s, err\n\t}\n\ts.Protocols = getCommaSeparatedQueryParam(r, \"protocols\")\n\tevents := getCommaSeparatedQueryParam(r, \"events\")\n\tfor _, ev := range events {\n\t\tevType, err := strconv.ParseInt(ev, 10, 32)\n\t\tif err == nil {\n\t\t\ts.Events = append(s.Events, int32(evType))\n\t\t}\n\t}\n\n\treturn s, nil\n}\n\nfunc searchFsEvents(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\tfilters, err := getFsSearchParamsFromRequest(r)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tfilters.Role = getRoleFilterForEventSearch(r, claims.Role)\n\n\tif getBoolQueryParam(r, \"csv_export\") {\n\t\tfilters.Limit = 100\n\t\tif err := exportFsEvents(w, &filters); err != nil {\n\t\t\tpanic(http.ErrAbortHandler)\n\t\t}\n\t\treturn\n\t}\n\n\tdata, err := plugin.Handler.SearchFsEvents(&filters)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\n\tw.Header().Set(\"Content-Type\", \"application/json\")\n\tw.Write(data) //nolint:errcheck\n}\n\nfunc searchProviderEvents(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\tvar filters eventsearcher.ProviderEventSearch\n\tif filters, err = getProviderSearchParamsFromRequest(r); err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tfilters.Role = getRoleFilterForEventSearch(r, claims.Role)\n\tfilters.OmitObjectData = getBoolQueryParam(r, \"omit_object_data\")\n\n\tif getBoolQueryParam(r, \"csv_export\") {\n\t\tfilters.Limit = 100\n\t\tfilters.OmitObjectData = true\n\t\tif err := exportProviderEvents(w, &filters); err != nil {\n\t\t\tpanic(http.ErrAbortHandler)\n\t\t}\n\t\treturn\n\t}\n\n\tdata, err := plugin.Handler.SearchProviderEvents(&filters)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\n\tw.Header().Set(\"Content-Type\", \"application/json\")\n\tw.Write(data) //nolint:errcheck\n}\n\nfunc searchLogEvents(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\tvar filters eventsearcher.LogEventSearch\n\tif filters, err = getLogSearchParamsFromRequest(r); err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tfilters.Role = getRoleFilterForEventSearch(r, claims.Role)\n\n\tif getBoolQueryParam(r, \"csv_export\") {\n\t\tfilters.Limit = 100\n\t\tif err := exportLogEvents(w, &filters); err != nil {\n\t\t\tpanic(http.ErrAbortHandler)\n\t\t}\n\t\treturn\n\t}\n\n\tdata, err := plugin.Handler.SearchLogEvents(&filters)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\n\tw.Header().Set(\"Content-Type\", \"application/json\")\n\tw.Write(data) //nolint:errcheck\n}\n\nfunc exportFsEvents(w http.ResponseWriter, filters *eventsearcher.FsEventSearch) error {\n\tw.Header().Set(\"Content-Disposition\", fmt.Sprintf(\"attachment; filename=fslogs-%s.csv\", time.Now().Format(\"2006-01-02T15-04-05\")))\n\tw.Header().Set(\"Content-Type\", \"text/csv\")\n\tw.Header().Set(\"Accept-Ranges\", \"none\")\n\tw.WriteHeader(http.StatusOK)\n\n\tcsvWriter := csv.NewWriter(w)\n\tev := fsEvent{}\n\terr := csvWriter.Write(ev.getCSVHeader())\n\tif err != nil {\n\t\treturn err\n\t}\n\tresults := make([]fsEvent, 0, filters.Limit)\n\tfor {\n\t\tdata, err := plugin.Handler.SearchFsEvents(filters)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err := json.Unmarshal(data, &results); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfor _, event := range results {\n\t\t\tif err := csvWriter.Write(event.getCSVData()); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\tif len(results) == 0 || len(results) < filters.Limit {\n\t\t\tbreak\n\t\t}\n\t\tfilters.StartTimestamp = results[len(results)-1].Timestamp\n\t\tfilters.FromID = results[len(results)-1].ID\n\t\tresults = nil\n\t}\n\tcsvWriter.Flush()\n\treturn csvWriter.Error()\n}\n\nfunc exportProviderEvents(w http.ResponseWriter, filters *eventsearcher.ProviderEventSearch) error {\n\tw.Header().Set(\"Content-Disposition\", fmt.Sprintf(\"attachment; filename=providerlogs-%s.csv\", time.Now().Format(\"2006-01-02T15-04-05\")))\n\tw.Header().Set(\"Content-Type\", \"text/csv\")\n\tw.Header().Set(\"Accept-Ranges\", \"none\")\n\tw.WriteHeader(http.StatusOK)\n\n\tev := providerEvent{}\n\tcsvWriter := csv.NewWriter(w)\n\terr := csvWriter.Write(ev.getCSVHeader())\n\tif err != nil {\n\t\treturn err\n\t}\n\tresults := make([]providerEvent, 0, filters.Limit)\n\tfor {\n\t\tdata, err := plugin.Handler.SearchProviderEvents(filters)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err := json.Unmarshal(data, &results); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfor _, event := range results {\n\t\t\tif err := csvWriter.Write(event.getCSVData()); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\tif len(results) < filters.Limit || len(results) == 0 {\n\t\t\tbreak\n\t\t}\n\t\tfilters.FromID = results[len(results)-1].ID\n\t\tfilters.StartTimestamp = results[len(results)-1].Timestamp\n\t\tresults = nil\n\t}\n\tcsvWriter.Flush()\n\treturn csvWriter.Error()\n}\n\nfunc exportLogEvents(w http.ResponseWriter, filters *eventsearcher.LogEventSearch) error {\n\tw.Header().Set(\"Content-Disposition\", fmt.Sprintf(\"attachment; filename=logs-%s.csv\", time.Now().Format(\"2006-01-02T15-04-05\")))\n\tw.Header().Set(\"Content-Type\", \"text/csv\")\n\tw.Header().Set(\"Accept-Ranges\", \"none\")\n\tw.WriteHeader(http.StatusOK)\n\n\tev := logEvent{}\n\tcsvWriter := csv.NewWriter(w)\n\terr := csvWriter.Write(ev.getCSVHeader())\n\tif err != nil {\n\t\treturn err\n\t}\n\tresults := make([]logEvent, 0, filters.Limit)\n\tfor {\n\t\tdata, err := plugin.Handler.SearchLogEvents(filters)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err := json.Unmarshal(data, &results); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tfor _, event := range results {\n\t\t\tif err := csvWriter.Write(event.getCSVData()); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\tif len(results) == 0 || len(results) < filters.Limit {\n\t\t\tbreak\n\t\t}\n\t\tfilters.StartTimestamp = results[len(results)-1].Timestamp\n\t\tfilters.FromID = results[len(results)-1].ID\n\t\tresults = nil\n\t}\n\tcsvWriter.Flush()\n\treturn csvWriter.Error()\n}\n\nfunc getRoleFilterForEventSearch(r *http.Request, defaultValue string) string {\n\tif defaultValue != \"\" {\n\t\treturn defaultValue\n\t}\n\treturn r.URL.Query().Get(\"role\")\n}\n\ntype fsEvent struct {\n\tID string `json:\"id\"`\n\tTimestamp int64 `json:\"timestamp\"`\n\tAction string `json:\"action\"`\n\tUsername string `json:\"username\"`\n\tFsPath string `json:\"fs_path\"`\n\tFsTargetPath string `json:\"fs_target_path,omitempty\"`\n\tVirtualPath string `json:\"virtual_path\"`\n\tVirtualTargetPath string `json:\"virtual_target_path,omitempty\"`\n\tSSHCmd string `json:\"ssh_cmd,omitempty\"`\n\tFileSize int64 `json:\"file_size,omitempty\"`\n\tElapsed int64 `json:\"elapsed,omitempty\"`\n\tStatus int `json:\"status\"`\n\tProtocol string `json:\"protocol\"`\n\tIP string `json:\"ip,omitempty\"`\n\tSessionID string `json:\"session_id\"`\n\tFsProvider int `json:\"fs_provider\"`\n\tBucket string `json:\"bucket,omitempty\"`\n\tEndpoint string `json:\"endpoint,omitempty\"`\n\tOpenFlags int `json:\"open_flags,omitempty\"`\n\tRole string `json:\"role,omitempty\"`\n\tInstanceID string `json:\"instance_id,omitempty\"`\n}\n\nfunc (e *fsEvent) getCSVHeader() []string {\n\treturn []string{\"Time\", \"Action\", \"Path\", \"Size\", \"Elapsed\", \"Status\", \"User\", \"Protocol\",\n\t\t\"IP\", \"SSH command\"}\n}\n\nfunc (e *fsEvent) getCSVData() []string {\n\ttimestamp := time.Unix(0, e.Timestamp).UTC()\n\tvar pathInfo strings.Builder\n\tpathInfo.Write([]byte(e.VirtualPath))\n\tif e.VirtualTargetPath != \"\" {\n\t\tpathInfo.WriteString(\" => \")\n\t\tpathInfo.WriteString(e.VirtualTargetPath)\n\t}\n\tvar status string\n\tswitch e.Status {\n\tcase 1:\n\t\tstatus = \"OK\"\n\tcase 2:\n\t\tstatus = \"KO\"\n\tcase 3:\n\t\tstatus = \"Quota exceeded\"\n\t}\n\tvar fileSize string\n\tif e.FileSize > 0 {\n\t\tfileSize = util.ByteCountIEC(e.FileSize)\n\t}\n\tvar elapsed string\n\tif e.Elapsed > 0 {\n\t\telapsed = (time.Duration(e.Elapsed) * time.Millisecond).String()\n\t}\n\treturn []string{timestamp.Format(time.RFC3339Nano), e.Action, pathInfo.String(),\n\t\tfileSize, elapsed, status, e.Username, e.Protocol, e.IP, e.SSHCmd}\n}\n\ntype providerEvent struct {\n\tID string `json:\"id\"`\n\tTimestamp int64 `json:\"timestamp\"`\n\tAction string `json:\"action\"`\n\tUsername string `json:\"username\"`\n\tIP string `json:\"ip,omitempty\"`\n\tObjectType string `json:\"object_type\"`\n\tObjectName string `json:\"object_name\"`\n\tObjectData []byte `json:\"object_data\"`\n\tRole string `json:\"role,omitempty\"`\n\tInstanceID string `json:\"instance_id,omitempty\"`\n}\n\nfunc (e *providerEvent) getCSVHeader() []string {\n\treturn []string{\"Time\", \"Action\", \"Object Type\", \"Object Name\", \"User\", \"IP\"}\n}\n\nfunc (e *providerEvent) getCSVData() []string {\n\ttimestamp := time.Unix(0, e.Timestamp).UTC()\n\treturn []string{timestamp.Format(time.RFC3339Nano), e.Action, e.ObjectType, e.ObjectName,\n\t\te.Username, e.IP}\n}\n\ntype logEvent struct {\n\tID string `json:\"id\"`\n\tTimestamp int64 `json:\"timestamp\"`\n\tEvent int `json:\"event\"`\n\tProtocol string `json:\"protocol\"`\n\tUsername string `json:\"username,omitempty\"`\n\tIP string `json:\"ip,omitempty\"`\n\tMessage string `json:\"message,omitempty\"`\n\tRole string `json:\"role,omitempty\"`\n}\n\nfunc (e *logEvent) getCSVHeader() []string {\n\treturn []string{\"Time\", \"Event\", \"Protocol\", \"User\", \"IP\", \"Message\"}\n}\n\nfunc (e *logEvent) getCSVData() []string {\n\ttimestamp := time.Unix(0, e.Timestamp).UTC()\n\treturn []string{timestamp.Format(time.RFC3339Nano), getLogEventString(notifier.LogEventType(e.Event)),\n\t\te.Protocol, e.Username, e.IP, e.Message}\n}\n\nfunc getLogEventString(event notifier.LogEventType) string {\n\tswitch event {\n\tcase notifier.LogEventTypeLoginFailed:\n\t\treturn \"Login failed\"\n\tcase notifier.LogEventTypeLoginNoUser:\n\t\treturn \"Login with non-existent user\"\n\tcase notifier.LogEventTypeNoLoginTried:\n\t\treturn \"No login tried\"\n\tcase notifier.LogEventTypeNotNegotiated:\n\t\treturn \"Algorithm negotiation failed\"\n\tcase notifier.LogEventTypeLoginOK:\n\t\treturn \"Login succeeded\"\n\tdefault:\n\t\treturn \"\"\n\t}\n}\n" }, { "path": "internal/httpd/api_folder.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"net/url\"\n\n\t\"github.com/go-chi/render\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/jwt\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nfunc getFolders(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tlimit, offset, order, err := getSearchFilters(w, r)\n\tif err != nil {\n\t\treturn\n\t}\n\n\tfolders, err := dataprovider.GetFolders(limit, offset, order, false)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusInternalServerError)\n\t\treturn\n\t}\n\trender.JSON(w, r, folders)\n}\n\nfunc addFolder(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\tvar folder vfs.BaseVirtualFolder\n\terr = render.DecodeJSON(r.Body, &folder)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tif err := dataprovider.AddFolder(&folder, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role); err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tw.Header().Add(\"Location\", fmt.Sprintf(\"%s/%s\", folderPath, url.PathEscape(folder.Name)))\n\trenderFolder(w, r, folder.Name, claims, http.StatusCreated)\n}\n\nfunc updateFolder(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\tname := getURLParam(r, \"name\")\n\tfolder, err := dataprovider.GetFolderByName(name)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\n\tvar updatedFolder vfs.BaseVirtualFolder\n\terr = render.DecodeJSON(r.Body, &updatedFolder)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tupdatedFolder.ID = folder.ID\n\tupdatedFolder.Name = folder.Name\n\tupdatedFolder.FsConfig.SetEmptySecretsIfNil()\n\tupdateEncryptedSecrets(&updatedFolder.FsConfig, &folder.FsConfig)\n\n\terr = dataprovider.UpdateFolder(&updatedFolder, folder.Users, folder.Groups, claims.Username,\n\t\tutil.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, nil, \"Folder updated\", http.StatusOK)\n}\n\nfunc renderFolder(w http.ResponseWriter, r *http.Request, name string, claims *jwt.Claims, status int) {\n\tfolder, err := dataprovider.GetFolderByName(name)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tif hideConfidentialData(claims, r) {\n\t\tfolder.PrepareForRendering()\n\t}\n\tif status != http.StatusOK {\n\t\tctx := context.WithValue(r.Context(), render.StatusCtxKey, status)\n\t\trender.JSON(w, r.WithContext(ctx), folder)\n\t} else {\n\t\trender.JSON(w, r, folder)\n\t}\n}\n\nfunc getFolderByName(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tname := getURLParam(r, \"name\")\n\trenderFolder(w, r, name, claims, http.StatusOK)\n}\n\nfunc deleteFolder(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tname := getURLParam(r, \"name\")\n\terr = dataprovider.DeleteFolder(name, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, err, \"Folder deleted\", http.StatusOK)\n}\n" }, { "path": "internal/httpd/api_group.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"net/url\"\n\n\t\"github.com/go-chi/render\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/jwt\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nfunc getGroups(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tlimit, offset, order, err := getSearchFilters(w, r)\n\tif err != nil {\n\t\treturn\n\t}\n\n\tgroups, err := dataprovider.GetGroups(limit, offset, order, false)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusInternalServerError)\n\t\treturn\n\t}\n\trender.JSON(w, r, groups)\n}\n\nfunc addGroup(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tvar group dataprovider.Group\n\terr = render.DecodeJSON(r.Body, &group)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\terr = dataprovider.AddGroup(&group, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tw.Header().Add(\"Location\", fmt.Sprintf(\"%s/%s\", groupPath, url.PathEscape(group.Name)))\n\trenderGroup(w, r, group.Name, claims, http.StatusCreated)\n}\n\nfunc updateGroup(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\tname := getURLParam(r, \"name\")\n\tgroup, err := dataprovider.GroupExists(name)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\n\tvar updatedGroup dataprovider.Group\n\terr = render.DecodeJSON(r.Body, &updatedGroup)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tupdatedGroup.ID = group.ID\n\tupdatedGroup.Name = group.Name\n\tupdatedGroup.UserSettings.FsConfig.SetEmptySecretsIfNil()\n\tupdateEncryptedSecrets(&updatedGroup.UserSettings.FsConfig, &group.UserSettings.FsConfig)\n\terr = dataprovider.UpdateGroup(&updatedGroup, group.Users, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr),\n\t\tclaims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, nil, \"Group updated\", http.StatusOK)\n}\n\nfunc renderGroup(w http.ResponseWriter, r *http.Request, name string, claims *jwt.Claims, status int) {\n\tgroup, err := dataprovider.GroupExists(name)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tif hideConfidentialData(claims, r) {\n\t\tgroup.PrepareForRendering()\n\t}\n\tif status != http.StatusOK {\n\t\tctx := context.WithValue(r.Context(), render.StatusCtxKey, status)\n\t\trender.JSON(w, r.WithContext(ctx), group)\n\t} else {\n\t\trender.JSON(w, r, group)\n\t}\n}\n\nfunc getGroupByName(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tname := getURLParam(r, \"name\")\n\trenderGroup(w, r, name, claims, http.StatusOK)\n}\n\nfunc deleteGroup(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tname := getURLParam(r, \"name\")\n\terr = dataprovider.DeleteGroup(name, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, err, \"Group deleted\", http.StatusOK)\n}\n" }, { "path": "internal/httpd/api_http_user.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"mime/multipart\"\n\t\"net/http\"\n\t\"os\"\n\t\"path\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"github.com/go-chi/render\"\n\t\"github.com/rs/xid\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/jwt\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nfunc getUserConnection(w http.ResponseWriter, r *http.Request) (*Connection, error) {\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn nil, fmt.Errorf(\"invalid token claims %w\", err)\n\t}\n\tuser, err := dataprovider.GetUserWithGroupSettings(claims.Username, \"\")\n\tif err != nil {\n\t\tsendAPIResponse(w, r, nil, \"Unable to retrieve your user\", getRespStatus(err))\n\t\treturn nil, err\n\t}\n\tconnID := xid.New().String()\n\tprotocol := getProtocolFromRequest(r)\n\tconnectionID := fmt.Sprintf(\"%v_%v\", protocol, connID)\n\tif err := checkHTTPClientUser(&user, r, connectionID, false, false); err != nil {\n\t\tsendAPIResponse(w, r, err, http.StatusText(http.StatusForbidden), http.StatusForbidden)\n\t\treturn nil, err\n\t}\n\tbaseConn := common.NewBaseConnection(connID, protocol, util.GetHTTPLocalAddress(r), r.RemoteAddr, user)\n\tconnection := newConnection(baseConn, w, r)\n\tif err = common.Connections.Add(connection); err != nil {\n\t\tsendAPIResponse(w, r, err, \"Unable to add connection\", http.StatusTooManyRequests)\n\t\treturn connection, err\n\t}\n\treturn connection, nil\n}\n\nfunc readUserFolder(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tconnection, err := getUserConnection(w, r)\n\tif err != nil {\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\tname := connection.User.GetCleanedPath(r.URL.Query().Get(\"path\"))\n\tlister, err := connection.ReadDir(name)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"Unable to get directory lister\", getMappedStatusCode(err))\n\t\treturn\n\t}\n\trenderAPIDirContents(w, lister, false)\n}\n\nfunc createUserDir(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tconnection, err := getUserConnection(w, r)\n\tif err != nil {\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\tconnection.User.CheckFsRoot(connection.ID) //nolint:errcheck\n\tname := connection.User.GetCleanedPath(r.URL.Query().Get(\"path\"))\n\tif getBoolQueryParam(r, \"mkdir_parents\") {\n\t\tif err = connection.CheckParentDirs(path.Dir(name)); err != nil {\n\t\t\tsendAPIResponse(w, r, err, \"Error checking parent directories\", getMappedStatusCode(err))\n\t\t\treturn\n\t\t}\n\t}\n\terr = connection.CreateDir(name, true)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, fmt.Sprintf(\"Unable to create directory %q\", name), getMappedStatusCode(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, nil, fmt.Sprintf(\"Directory %q created\", name), http.StatusCreated)\n}\n\nfunc deleteUserDir(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tconnection, err := getUserConnection(w, r)\n\tif err != nil {\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\tname := connection.User.GetCleanedPath(r.URL.Query().Get(\"path\"))\n\terr = connection.RemoveAll(name)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, fmt.Sprintf(\"Unable to delete directory %q\", name), getMappedStatusCode(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, nil, fmt.Sprintf(\"Directory %q deleted\", name), http.StatusOK)\n}\n\nfunc renameUserFsEntry(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tconnection, err := getUserConnection(w, r)\n\tif err != nil {\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\toldName := connection.User.GetCleanedPath(r.URL.Query().Get(\"path\"))\n\tnewName := connection.User.GetCleanedPath(r.URL.Query().Get(\"target\"))\n\tif !connection.IsSameResource(oldName, newName) {\n\t\tif err := connection.Copy(oldName, newName); err != nil {\n\t\t\tsendAPIResponse(w, r, err, fmt.Sprintf(\"Cannot perform copy step to rename %q -> %q\", oldName, newName),\n\t\t\t\tgetMappedStatusCode(err))\n\t\t\treturn\n\t\t}\n\t\tif err := connection.RemoveAll(oldName); err != nil {\n\t\t\tsendAPIResponse(w, r, err, fmt.Sprintf(\"Cannot perform remove step to rename %q -> %q\", oldName, newName),\n\t\t\t\tgetMappedStatusCode(err))\n\t\t\treturn\n\t\t}\n\t} else {\n\t\tif err := connection.Rename(oldName, newName); err != nil {\n\t\t\tsendAPIResponse(w, r, err, fmt.Sprintf(\"Unable to rename %q => %q\", oldName, newName),\n\t\t\t\tgetMappedStatusCode(err))\n\t\t\treturn\n\t\t}\n\t}\n\tsendAPIResponse(w, r, nil, fmt.Sprintf(\"%q renamed to %q\", oldName, newName), http.StatusOK)\n}\n\nfunc copyUserFsEntry(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tconnection, err := getUserConnection(w, r)\n\tif err != nil {\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\tsource := r.URL.Query().Get(\"path\")\n\ttarget := r.URL.Query().Get(\"target\")\n\tcopyFromSource := strings.HasSuffix(source, \"/\")\n\tcopyInTarget := strings.HasSuffix(target, \"/\")\n\tsource = connection.User.GetCleanedPath(source)\n\ttarget = connection.User.GetCleanedPath(target)\n\tif copyFromSource {\n\t\tsource += \"/\"\n\t}\n\tif copyInTarget {\n\t\ttarget += \"/\"\n\t}\n\terr = connection.Copy(source, target)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, fmt.Sprintf(\"Unable to copy %q => %q\", source, target),\n\t\t\tgetMappedStatusCode(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, nil, fmt.Sprintf(\"%q copied to %q\", source, target), http.StatusOK)\n}\n\nfunc getUserFile(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tconnection, err := getUserConnection(w, r)\n\tif err != nil {\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\tname := connection.User.GetCleanedPath(r.URL.Query().Get(\"path\"))\n\tif name == \"/\" {\n\t\tsendAPIResponse(w, r, nil, \"Please set the path to a valid file\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tinfo, err := connection.Stat(name, 0)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"Unable to stat the requested file\", getMappedStatusCode(err))\n\t\treturn\n\t}\n\tif info.IsDir() {\n\t\tsendAPIResponse(w, r, nil, fmt.Sprintf(\"Please set the path to a valid file, %q is a directory\", name), http.StatusBadRequest)\n\t\treturn\n\t}\n\n\tinline := r.URL.Query().Get(\"inline\") != \"\"\n\tif status, err := downloadFile(w, r, connection, name, info, inline, nil); err != nil {\n\t\tresp := apiResponse{\n\t\t\tError: err.Error(),\n\t\t\tMessage: http.StatusText(status),\n\t\t}\n\t\tctx := r.Context()\n\t\tif status != 0 {\n\t\t\tctx = context.WithValue(ctx, render.StatusCtxKey, status)\n\t\t}\n\t\trender.JSON(w, r.WithContext(ctx), resp)\n\t}\n}\n\nfunc setFileDirMetadata(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tmetadata := make(map[string]int64)\n\terr := render.DecodeJSON(r.Body, &metadata)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tmTime, ok := metadata[\"modification_time\"]\n\tif !ok || !r.URL.Query().Has(\"path\") {\n\t\tsendAPIResponse(w, r, errors.New(\"please set a modification_time and a path\"), \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\tconnection, err := getUserConnection(w, r)\n\tif err != nil {\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\tname := connection.User.GetCleanedPath(r.URL.Query().Get(\"path\"))\n\tattrs := common.StatAttributes{\n\t\tFlags: common.StatAttrTimes,\n\t\tAtime: util.GetTimeFromMsecSinceEpoch(mTime),\n\t\tMtime: util.GetTimeFromMsecSinceEpoch(mTime),\n\t}\n\terr = connection.SetStat(name, &attrs)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, fmt.Sprintf(\"Unable to set metadata for path %q\", name), getMappedStatusCode(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, nil, \"OK\", http.StatusOK)\n}\n\nfunc uploadUserFile(w http.ResponseWriter, r *http.Request) {\n\tif maxUploadFileSize > 0 {\n\t\tr.Body = http.MaxBytesReader(w, r.Body, maxUploadFileSize)\n\t}\n\n\tif !r.URL.Query().Has(\"path\") {\n\t\tsendAPIResponse(w, r, errors.New(\"please set a file path\"), \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\tconnection, err := getUserConnection(w, r)\n\tif err != nil {\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\tconnection.User.CheckFsRoot(connection.ID) //nolint:errcheck\n\tfilePath := connection.User.GetCleanedPath(r.URL.Query().Get(\"path\"))\n\tif getBoolQueryParam(r, \"mkdir_parents\") {\n\t\tif err = connection.CheckParentDirs(path.Dir(filePath)); err != nil {\n\t\t\tsendAPIResponse(w, r, err, \"Error checking parent directories\", getMappedStatusCode(err))\n\t\t\treturn\n\t\t}\n\t}\n\tdoUploadFile(w, r, connection, filePath) //nolint:errcheck\n}\n\nfunc doUploadFile(w http.ResponseWriter, r *http.Request, connection *Connection, filePath string) error {\n\twriter, err := connection.getFileWriter(filePath)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, fmt.Sprintf(\"Unable to write file %q\", filePath), getMappedStatusCode(err))\n\t\treturn err\n\t}\n\t_, err = io.Copy(writer, r.Body)\n\tif err != nil {\n\t\twriter.Close() //nolint:errcheck\n\t\tsendAPIResponse(w, r, err, fmt.Sprintf(\"Error saving file %q\", filePath), getMappedStatusCode(err))\n\t\treturn err\n\t}\n\terr = writer.Close()\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, fmt.Sprintf(\"Error closing file %q\", filePath), getMappedStatusCode(err))\n\t\treturn err\n\t}\n\tsetModificationTimeFromHeader(r, connection, filePath)\n\tsendAPIResponse(w, r, nil, \"Upload completed\", http.StatusCreated)\n\treturn nil\n}\n\nfunc uploadUserFiles(w http.ResponseWriter, r *http.Request) {\n\tif maxUploadFileSize > 0 {\n\t\tr.Body = http.MaxBytesReader(w, r.Body, maxUploadFileSize)\n\t}\n\n\tconnection, err := getUserConnection(w, r)\n\tif err != nil {\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\tif err := common.Connections.IsNewTransferAllowed(connection.User.Username); err != nil {\n\t\tconnection.Log(logger.LevelInfo, \"denying file write due to number of transfer limits\")\n\t\tsendAPIResponse(w, r, err, \"Denying file write due to transfer count limits\",\n\t\t\thttp.StatusConflict)\n\t\treturn\n\t}\n\n\ttransferQuota := connection.GetTransferQuota()\n\tif !transferQuota.HasUploadSpace() {\n\t\tconnection.Log(logger.LevelInfo, \"denying file write due to transfer quota limits\")\n\t\tsendAPIResponse(w, r, common.ErrQuotaExceeded, \"Denying file write due to transfer quota limits\",\n\t\t\thttp.StatusRequestEntityTooLarge)\n\t\treturn\n\t}\n\n\tt := newThrottledReader(r.Body, connection.User.UploadBandwidth, connection)\n\tr.Body = t\n\terr = r.ParseMultipartForm(maxMultipartMem)\n\tif err != nil {\n\t\tconnection.RemoveTransfer(t)\n\t\tsendAPIResponse(w, r, err, \"Unable to parse multipart form\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tconnection.RemoveTransfer(t)\n\tdefer r.MultipartForm.RemoveAll() //nolint:errcheck\n\n\tparentDir := connection.User.GetCleanedPath(r.URL.Query().Get(\"path\"))\n\tfiles := r.MultipartForm.File[\"filenames\"]\n\tif len(files) == 0 {\n\t\tsendAPIResponse(w, r, nil, \"No files uploaded!\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tconnection.User.CheckFsRoot(connection.ID) //nolint:errcheck\n\tif getBoolQueryParam(r, \"mkdir_parents\") {\n\t\tif err = connection.CheckParentDirs(parentDir); err != nil {\n\t\t\tsendAPIResponse(w, r, err, \"Error checking parent directories\", getMappedStatusCode(err))\n\t\t\treturn\n\t\t}\n\t}\n\tdoUploadFiles(w, r, connection, parentDir, files)\n}\n\nfunc doUploadFiles(w http.ResponseWriter, r *http.Request, connection *Connection, parentDir string,\n\tfiles []*multipart.FileHeader,\n) int {\n\tuploaded := 0\n\tconnection.User.UploadBandwidth = 0\n\tfor _, f := range files {\n\t\tfile, err := f.Open()\n\t\tif err != nil {\n\t\t\tsendAPIResponse(w, r, err, fmt.Sprintf(\"Unable to read uploaded file %q\", f.Filename), getMappedStatusCode(err))\n\t\t\treturn uploaded\n\t\t}\n\t\tdefer file.Close()\n\n\t\tfilePath := path.Join(parentDir, path.Base(util.CleanPath(f.Filename)))\n\t\twriter, err := connection.getFileWriter(filePath)\n\t\tif err != nil {\n\t\t\tsendAPIResponse(w, r, err, fmt.Sprintf(\"Unable to write file %q\", f.Filename), getMappedStatusCode(err))\n\t\t\treturn uploaded\n\t\t}\n\t\t_, err = io.Copy(writer, file)\n\t\tif err != nil {\n\t\t\twriter.Close() //nolint:errcheck\n\t\t\tsendAPIResponse(w, r, err, fmt.Sprintf(\"Error saving file %q\", f.Filename), getMappedStatusCode(err))\n\t\t\treturn uploaded\n\t\t}\n\t\terr = writer.Close()\n\t\tif err != nil {\n\t\t\tsendAPIResponse(w, r, err, fmt.Sprintf(\"Error closing file %q\", f.Filename), getMappedStatusCode(err))\n\t\t\treturn uploaded\n\t\t}\n\t\tuploaded++\n\t}\n\tsendAPIResponse(w, r, nil, \"Upload completed\", http.StatusCreated)\n\treturn uploaded\n}\n\nfunc deleteUserFile(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tconnection, err := getUserConnection(w, r)\n\tif err != nil {\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\tname := connection.User.GetCleanedPath(r.URL.Query().Get(\"path\"))\n\tfs, p, err := connection.GetFsAndResolvedPath(name)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, fmt.Sprintf(\"Unable to delete file %q\", name), getMappedStatusCode(err))\n\t\treturn\n\t}\n\n\tvar fi os.FileInfo\n\tif fi, err = fs.Lstat(p); err != nil {\n\t\tconnection.Log(logger.LevelError, \"failed to remove file %q: stat error: %+v\", p, err)\n\t\terr = connection.GetFsError(fs, err)\n\t\tsendAPIResponse(w, r, err, fmt.Sprintf(\"Unable to delete file %q\", name), getMappedStatusCode(err))\n\t\treturn\n\t}\n\n\tif fi.IsDir() && fi.Mode()&os.ModeSymlink == 0 {\n\t\tconnection.Log(logger.LevelDebug, \"cannot remove %q is not a file/symlink\", p)\n\t\tsendAPIResponse(w, r, err, fmt.Sprintf(\"Unable delete %q, it is not a file/symlink\", name), http.StatusBadRequest)\n\t\treturn\n\t}\n\terr = connection.RemoveFile(fs, p, name, fi)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, fmt.Sprintf(\"Unable to delete file %q\", name), getMappedStatusCode(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, nil, fmt.Sprintf(\"File %q deleted\", name), http.StatusOK)\n}\n\nfunc getUserFilesAsZipStream(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tconnection, err := getUserConnection(w, r)\n\tif err != nil {\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\tvar filesList []string\n\terr = render.DecodeJSON(r.Body, &filesList)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\tbaseDir := \"/\"\n\tfor idx := range filesList {\n\t\tfilesList[idx] = util.CleanPath(filesList[idx])\n\t}\n\n\tfilesList = util.RemoveDuplicates(filesList, false)\n\n\tw.Header().Set(\"Content-Disposition\", fmt.Sprintf(\"attachment; filename=\\\"%s\\\"\",\n\t\tgetCompressedFileName(connection.GetUsername(), filesList)))\n\trenderCompressedFiles(w, connection, baseDir, filesList, nil)\n}\n\nfunc getUserProfile(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tuser, err := dataprovider.UserExists(claims.Username, \"\")\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tresp := userProfile{\n\t\tbaseProfile: baseProfile{\n\t\t\tEmail: user.Email,\n\t\t\tDescription: user.Description,\n\t\t\tAllowAPIKeyAuth: user.Filters.AllowAPIKeyAuth,\n\t\t},\n\t\tAdditionalEmails: user.Filters.AdditionalEmails,\n\t\tPublicKeys: user.PublicKeys,\n\t\tTLSCerts: user.Filters.TLSCerts,\n\t}\n\trender.JSON(w, r, resp)\n}\n\nfunc updateUserProfile(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tvar req userProfile\n\terr = render.DecodeJSON(r.Body, &req)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tuser, userMerged, err := dataprovider.GetUserVariants(claims.Username, \"\")\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tif !userMerged.CanUpdateProfile() {\n\t\tsendAPIResponse(w, r, nil, \"You are not allowed to change anything\", http.StatusForbidden)\n\t\treturn\n\t}\n\tif userMerged.CanManagePublicKeys() {\n\t\tuser.PublicKeys = req.PublicKeys\n\t}\n\tif userMerged.CanManageTLSCerts() {\n\t\tuser.Filters.TLSCerts = req.TLSCerts\n\t}\n\tif userMerged.CanChangeAPIKeyAuth() {\n\t\tuser.Filters.AllowAPIKeyAuth = req.AllowAPIKeyAuth\n\t}\n\tif userMerged.CanChangeInfo() {\n\t\tuser.Email = req.Email\n\t\tuser.Filters.AdditionalEmails = req.AdditionalEmails\n\t\tuser.Description = req.Description\n\t}\n\tif err := dataprovider.UpdateUser(&user, dataprovider.ActionExecutorSelf, util.GetIPFromRemoteAddress(r.RemoteAddr), user.Role); err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, err, \"Profile updated\", http.StatusOK)\n}\n\nfunc changeUserPassword(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tvar pwd pwdChange\n\terr := render.DecodeJSON(r.Body, &pwd)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\terr = doChangeUserPassword(r, pwd.CurrentPassword, pwd.NewPassword, pwd.NewPassword)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tinvalidateToken(r)\n\tsendAPIResponse(w, r, err, \"Password updated\", http.StatusOK)\n}\n\nfunc doChangeUserPassword(r *http.Request, currentPassword, newPassword, confirmNewPassword string) error {\n\tif currentPassword == \"\" || newPassword == \"\" || confirmNewPassword == \"\" {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"please provide the current password and the new one two times\"),\n\t\t\tutil.I18nErrorChangePwdRequiredFields,\n\t\t)\n\t}\n\tif newPassword != confirmNewPassword {\n\t\treturn util.NewI18nError(util.NewValidationError(\"the two password fields do not match\"), util.I18nErrorChangePwdNoMatch)\n\t}\n\tif currentPassword == newPassword {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"the new password must be different from the current one\"),\n\t\t\tutil.I18nErrorChangePwdNoDifferent,\n\t\t)\n\t}\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\treturn util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken)\n\t}\n\t_, err = dataprovider.CheckUserAndPass(claims.Username, currentPassword, util.GetIPFromRemoteAddress(r.RemoteAddr),\n\t\tgetProtocolFromRequest(r))\n\tif err != nil {\n\t\treturn util.NewI18nError(util.NewValidationError(\"current password does not match\"), util.I18nErrorChangePwdCurrentNoMatch)\n\t}\n\n\treturn dataprovider.UpdateUserPassword(claims.Username, newPassword, dataprovider.ActionExecutorSelf,\n\t\tutil.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n}\n\nfunc setModificationTimeFromHeader(r *http.Request, c *Connection, filePath string) {\n\tmTimeString := r.Header.Get(mTimeHeader)\n\tif mTimeString != \"\" {\n\t\t// we don't return an error here if we fail to set the modification time\n\t\tmTime, err := strconv.ParseInt(mTimeString, 10, 64)\n\t\tif err == nil {\n\t\t\tattrs := common.StatAttributes{\n\t\t\t\tFlags: common.StatAttrTimes,\n\t\t\t\tAtime: util.GetTimeFromMsecSinceEpoch(mTime),\n\t\t\t\tMtime: util.GetTimeFromMsecSinceEpoch(mTime),\n\t\t\t}\n\t\t\terr = c.SetStat(filePath, &attrs)\n\t\t\tc.Log(logger.LevelDebug, \"requested modification time %v for file %q, error: %v\",\n\t\t\t\tattrs.Mtime, filePath, err)\n\t\t} else {\n\t\t\tc.Log(logger.LevelInfo, \"invalid modification time header was ignored: %v\", mTimeString)\n\t\t}\n\t}\n}\n" }, { "path": "internal/httpd/api_iplist.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"strconv\"\n\n\t\"github.com/go-chi/chi/v5\"\n\t\"github.com/go-chi/render\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/jwt\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nfunc getIPListEntries(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tlimit, _, order, err := getSearchFilters(w, r)\n\tif err != nil {\n\t\treturn\n\t}\n\tlistType, _, err := getIPListPathParams(r)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tentries, err := dataprovider.GetIPListEntries(listType, r.URL.Query().Get(\"filter\"), r.URL.Query().Get(\"from\"),\n\t\torder, limit)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\trender.JSON(w, r, entries)\n}\n\nfunc getIPListEntry(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tlistType, ipOrNet, err := getIPListPathParams(r)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\tentry, err := dataprovider.IPListEntryExists(ipOrNet, listType)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\trender.JSON(w, r, entry)\n}\n\nfunc addIPListEntry(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tvar entry dataprovider.IPListEntry\n\terr = render.DecodeJSON(r.Body, &entry)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\terr = dataprovider.AddIPListEntry(&entry, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tw.Header().Add(\"Location\", fmt.Sprintf(\"%s/%d/%s\", ipListsPath, entry.Type, url.PathEscape(entry.IPOrNet)))\n\tsendAPIResponse(w, r, nil, \"Entry added\", http.StatusCreated)\n}\n\nfunc updateIPListEntry(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tlistType, ipOrNet, err := getIPListPathParams(r)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tentry, err := dataprovider.IPListEntryExists(ipOrNet, listType)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tvar updatedEntry dataprovider.IPListEntry\n\terr = render.DecodeJSON(r.Body, &updatedEntry)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tupdatedEntry.Type = entry.Type\n\tupdatedEntry.IPOrNet = entry.IPOrNet\n\terr = dataprovider.UpdateIPListEntry(&updatedEntry, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, nil, \"Entry updated\", http.StatusOK)\n}\n\nfunc deleteIPListEntry(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tlistType, ipOrNet, err := getIPListPathParams(r)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\terr = dataprovider.DeleteIPListEntry(ipOrNet, listType, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr),\n\t\tclaims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, err, \"Entry deleted\", http.StatusOK)\n}\n\nfunc getIPListPathParams(r *http.Request) (dataprovider.IPListType, string, error) {\n\tlistTypeString := chi.URLParam(r, \"type\")\n\tlistType, err := strconv.Atoi(listTypeString)\n\tif err != nil {\n\t\treturn dataprovider.IPListType(listType), \"\", errors.New(\"invalid list type\")\n\t}\n\tif err := dataprovider.CheckIPListType(dataprovider.IPListType(listType)); err != nil {\n\t\treturn dataprovider.IPListType(listType), \"\", err\n\t}\n\treturn dataprovider.IPListType(listType), getURLParam(r, \"ipornet\"), nil\n}\n" }, { "path": "internal/httpd/api_keys.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"net/url\"\n\n\t\"github.com/go-chi/render\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/jwt\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nfunc getAPIKeys(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tlimit, offset, order, err := getSearchFilters(w, r)\n\tif err != nil {\n\t\treturn\n\t}\n\n\tapiKeys, err := dataprovider.GetAPIKeys(limit, offset, order)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\trender.JSON(w, r, apiKeys)\n}\n\nfunc getAPIKeyByID(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tkeyID := getURLParam(r, \"id\")\n\tapiKey, err := dataprovider.APIKeyExists(keyID)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tapiKey.HideConfidentialData()\n\n\trender.JSON(w, r, apiKey)\n}\n\nfunc addAPIKey(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tvar apiKey dataprovider.APIKey\n\terr = render.DecodeJSON(r.Body, &apiKey)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tapiKey.ID = 0\n\tapiKey.KeyID = \"\"\n\tapiKey.Key = \"\"\n\tapiKey.LastUseAt = 0\n\terr = dataprovider.AddAPIKey(&apiKey, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tresponse := make(map[string]string)\n\tresponse[\"message\"] = \"API key created. This is the only time the API key is visible, please save it.\"\n\tresponse[\"key\"] = apiKey.DisplayKey()\n\tw.Header().Add(\"Location\", fmt.Sprintf(\"%s/%s\", apiKeysPath, url.PathEscape(apiKey.KeyID)))\n\tw.Header().Add(\"X-Object-ID\", apiKey.KeyID)\n\tctx := context.WithValue(r.Context(), render.StatusCtxKey, http.StatusCreated)\n\trender.JSON(w, r.WithContext(ctx), response)\n}\n\nfunc updateAPIKey(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tkeyID := getURLParam(r, \"id\")\n\tapiKey, err := dataprovider.APIKeyExists(keyID)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\n\tvar updatedAPIKey dataprovider.APIKey\n\terr = render.DecodeJSON(r.Body, &updatedAPIKey)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\tupdatedAPIKey.KeyID = keyID\n\tupdatedAPIKey.Key = apiKey.Key\n\terr = dataprovider.UpdateAPIKey(&updatedAPIKey, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, nil, \"API key updated\", http.StatusOK)\n}\n\nfunc deleteAPIKey(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tkeyID := getURLParam(r, \"id\")\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\terr = dataprovider.DeleteAPIKey(keyID, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, err, \"API key deleted\", http.StatusOK)\n}\n" }, { "path": "internal/httpd/api_maintenance.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"github.com/go-chi/render\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/jwt\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nfunc validateBackupFile(outputFile string) (string, error) {\n\tif outputFile == \"\" {\n\t\treturn \"\", errors.New(\"invalid or missing output-file\")\n\t}\n\tif filepath.IsAbs(outputFile) {\n\t\treturn \"\", fmt.Errorf(\"invalid output-file %q: it must be a relative path\", outputFile)\n\t}\n\tif strings.Contains(outputFile, \"..\") {\n\t\treturn \"\", fmt.Errorf(\"invalid output-file %q\", outputFile)\n\t}\n\toutputFile = filepath.Join(dataprovider.GetBackupsPath(), outputFile)\n\treturn outputFile, nil\n}\n\nfunc dumpData(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tvar outputFile, outputData, indent string\n\tvar scopes []string\n\tif _, ok := r.URL.Query()[\"output-file\"]; ok {\n\t\toutputFile = strings.TrimSpace(r.URL.Query().Get(\"output-file\"))\n\t}\n\tif _, ok := r.URL.Query()[\"output-data\"]; ok {\n\t\toutputData = strings.TrimSpace(r.URL.Query().Get(\"output-data\"))\n\t}\n\tif _, ok := r.URL.Query()[\"indent\"]; ok {\n\t\tindent = strings.TrimSpace(r.URL.Query().Get(\"indent\"))\n\t}\n\tif _, ok := r.URL.Query()[\"scopes\"]; ok {\n\t\tscopes = getCommaSeparatedQueryParam(r, \"scopes\")\n\t}\n\n\tif outputData != \"1\" {\n\t\tvar err error\n\t\toutputFile, err = validateBackupFile(outputFile)\n\t\tif err != nil {\n\t\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\t\treturn\n\t\t}\n\n\t\terr = os.MkdirAll(filepath.Dir(outputFile), 0700)\n\t\tif err != nil {\n\t\t\tlogger.Error(logSender, \"\", \"dumping data error: %v, output file: %q\", err, outputFile)\n\t\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\t\treturn\n\t\t}\n\t\tlogger.Debug(logSender, \"\", \"dumping data to: %q\", outputFile)\n\t}\n\n\tbackup, err := dataprovider.DumpData(scopes)\n\tif err != nil {\n\t\tlogger.Error(logSender, \"\", \"dumping data error: %v, output file: %q\", err, outputFile)\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\n\tif outputData == \"1\" {\n\t\tw.Header().Set(\"Content-Disposition\", \"attachment; filename=\\\"sftpgo-backup.json\\\"\")\n\t\trender.JSON(w, r, backup)\n\t\treturn\n\t}\n\n\tvar dump []byte\n\tif indent == \"1\" {\n\t\tdump, err = json.MarshalIndent(backup, \"\", \" \")\n\t} else {\n\t\tdump, err = json.Marshal(backup)\n\t}\n\tif err == nil {\n\t\terr = os.WriteFile(outputFile, dump, 0600)\n\t}\n\tif err != nil {\n\t\tlogger.Warn(logSender, \"\", \"dumping data error: %v, output file: %q\", err, outputFile)\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tlogger.Debug(logSender, \"\", \"dumping data completed, output file: %q, error: %v\", outputFile, err)\n\tsendAPIResponse(w, r, err, \"Data saved\", http.StatusOK)\n}\n\nfunc loadDataFromRequest(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, MaxRestoreSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\t_, scanQuota, mode, err := getLoaddataOptions(r)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\tcontent, err := io.ReadAll(r.Body)\n\tif err != nil || len(content) == 0 {\n\t\tif len(content) == 0 {\n\t\t\terr = util.NewValidationError(\"request body is required\")\n\t\t}\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tif err := restoreBackup(content, \"\", scanQuota, mode, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role); err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, err, \"Data restored\", http.StatusOK)\n}\n\nfunc loadData(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tinputFile, scanQuota, mode, err := getLoaddataOptions(r)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tif !filepath.IsAbs(inputFile) {\n\t\tsendAPIResponse(w, r, fmt.Errorf(\"invalid input_file %q: it must be an absolute path\", inputFile), \"\",\n\t\t\thttp.StatusBadRequest)\n\t\treturn\n\t}\n\tfi, err := os.Stat(inputFile)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, fmt.Errorf(\"invalid input_file %q\", inputFile), \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tif fi.Size() > MaxRestoreSize {\n\t\tsendAPIResponse(w, r, err, fmt.Sprintf(\"Unable to restore input file: %q size too big: %d/%d bytes\",\n\t\t\tinputFile, fi.Size(), MaxRestoreSize), http.StatusBadRequest)\n\t\treturn\n\t}\n\n\tcontent, err := os.ReadFile(inputFile)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, fmt.Errorf(\"invalid input_file %q\", inputFile), \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tif err := restoreBackup(content, inputFile, scanQuota, mode, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role); err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, err, \"Data restored\", http.StatusOK)\n}\n\nfunc restoreBackup(content []byte, inputFile string, scanQuota, mode int, executor, ipAddress, role string) error {\n\tdump, err := dataprovider.ParseDumpData(content)\n\tif err != nil {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(fmt.Sprintf(\"invalid input_file %q\", inputFile)),\n\t\t\tutil.I18nErrorBackupFile,\n\t\t)\n\t}\n\n\tif err = RestoreConfigs(dump.Configs, mode, executor, ipAddress, role); err != nil {\n\t\treturn err\n\t}\n\n\tif err = RestoreIPListEntries(dump.IPLists, inputFile, mode, executor, ipAddress, role); err != nil {\n\t\treturn err\n\t}\n\n\tif err = RestoreRoles(dump.Roles, inputFile, mode, executor, ipAddress, role); err != nil {\n\t\treturn err\n\t}\n\n\tif err = RestoreFolders(dump.Folders, inputFile, mode, scanQuota, executor, ipAddress, role); err != nil {\n\t\treturn err\n\t}\n\n\tif err = RestoreGroups(dump.Groups, inputFile, mode, executor, ipAddress, role); err != nil {\n\t\treturn err\n\t}\n\n\tif err = RestoreUsers(dump.Users, inputFile, mode, scanQuota, executor, ipAddress, role); err != nil {\n\t\treturn err\n\t}\n\n\tif err = RestoreAdmins(dump.Admins, inputFile, mode, executor, ipAddress, role); err != nil {\n\t\treturn err\n\t}\n\n\tif err = RestoreAPIKeys(dump.APIKeys, inputFile, mode, executor, ipAddress, role); err != nil {\n\t\treturn err\n\t}\n\n\tif err = RestoreShares(dump.Shares, inputFile, mode, executor, ipAddress, role); err != nil {\n\t\treturn err\n\t}\n\n\tif err = RestoreEventActions(dump.EventActions, inputFile, mode, executor, ipAddress, role); err != nil {\n\t\treturn err\n\t}\n\n\tif err = RestoreEventRules(dump.EventRules, inputFile, mode, executor, ipAddress, role, dump.Version); err != nil {\n\t\treturn err\n\t}\n\tlogger.Debug(logSender, \"\", \"backup restored\")\n\n\treturn nil\n}\n\nfunc getLoaddataOptions(r *http.Request) (string, int, int, error) {\n\tvar inputFile string\n\tvar err error\n\tscanQuota := 0\n\trestoreMode := 0\n\tif _, ok := r.URL.Query()[\"input-file\"]; ok {\n\t\tinputFile = strings.TrimSpace(r.URL.Query().Get(\"input-file\"))\n\t}\n\tif _, ok := r.URL.Query()[\"scan-quota\"]; ok {\n\t\tscanQuota, err = strconv.Atoi(r.URL.Query().Get(\"scan-quota\"))\n\t\tif err != nil {\n\t\t\terr = fmt.Errorf(\"invalid scan_quota: %v\", err)\n\t\t\treturn inputFile, scanQuota, restoreMode, err\n\t\t}\n\t}\n\tif _, ok := r.URL.Query()[\"mode\"]; ok {\n\t\trestoreMode, err = strconv.Atoi(r.URL.Query().Get(\"mode\"))\n\t\tif err != nil {\n\t\t\terr = fmt.Errorf(\"invalid mode: %v\", err)\n\t\t\treturn inputFile, scanQuota, restoreMode, err\n\t\t}\n\t}\n\treturn inputFile, scanQuota, restoreMode, err\n}\n\n// RestoreFolders restores the specified folders\nfunc RestoreFolders(folders []vfs.BaseVirtualFolder, inputFile string, mode, scanQuota int, executor, ipAddress, role string) error {\n\tfor idx := range folders {\n\t\tfolder := folders[idx]\n\t\tf, err := dataprovider.GetFolderByName(folder.Name)\n\t\tif err == nil {\n\t\t\tif mode == 1 {\n\t\t\t\tlogger.Debug(logSender, \"\", \"loaddata mode 1, existing folder %q not updated\", folder.Name)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tfolder.ID = f.ID\n\t\t\tfolder.Name = f.Name\n\t\t\terr = dataprovider.UpdateFolder(&folder, f.Users, f.Groups, executor, ipAddress, role)\n\t\t\tlogger.Debug(logSender, \"\", \"restoring existing folder %q, dump file: %q, error: %v\", folder.Name, inputFile, err)\n\t\t} else {\n\t\t\tfolder.Users = nil\n\t\t\terr = dataprovider.AddFolder(&folder, executor, ipAddress, role)\n\t\t\tlogger.Debug(logSender, \"\", \"adding new folder %q, dump file: %q, error: %v\", folder.Name, inputFile, err)\n\t\t}\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"unable to restore folder %q: %w\", folder.Name, err)\n\t\t}\n\t\tif scanQuota >= 1 {\n\t\t\tif common.QuotaScans.AddVFolderQuotaScan(folder.Name) {\n\t\t\t\tlogger.Debug(logSender, \"\", \"starting quota scan for restored folder: %q\", folder.Name)\n\t\t\t\tgo doFolderQuotaScan(folder) //nolint:errcheck\n\t\t\t}\n\t\t}\n\t}\n\treturn nil\n}\n\n// RestoreShares restores the specified shares\nfunc RestoreShares(shares []dataprovider.Share, inputFile string, mode int, executor,\n\tipAddress, role string,\n) error {\n\tfor idx := range shares {\n\t\tshare := shares[idx]\n\t\tshare.IsRestore = true\n\t\ts, err := dataprovider.ShareExists(share.ShareID, \"\")\n\t\tif err == nil {\n\t\t\tif mode == 1 {\n\t\t\t\tlogger.Debug(logSender, \"\", \"loaddata mode 1, existing share %q not updated\", share.ShareID)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tshare.ID = s.ID\n\t\t\terr = dataprovider.UpdateShare(&share, executor, ipAddress, role)\n\t\t\tlogger.Debug(logSender, \"\", \"restoring existing share %q, dump file: %q, error: %v\", share.ShareID, inputFile, err)\n\t\t} else {\n\t\t\terr = dataprovider.AddShare(&share, executor, ipAddress, role)\n\t\t\tlogger.Debug(logSender, \"\", \"adding new share %q, dump file: %q, error: %v\", share.ShareID, inputFile, err)\n\t\t}\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"unable to restore share %q: %w\", share.ShareID, err)\n\t\t}\n\t}\n\treturn nil\n}\n\n// RestoreEventActions restores the specified event actions\nfunc RestoreEventActions(actions []dataprovider.BaseEventAction, inputFile string, mode int, executor, ipAddress, role string) error {\n\tfor idx := range actions {\n\t\taction := actions[idx]\n\t\ta, err := dataprovider.EventActionExists(action.Name)\n\t\tif err == nil {\n\t\t\tif mode == 1 {\n\t\t\t\tlogger.Debug(logSender, \"\", \"loaddata mode 1, existing event action %q not updated\", a.Name)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\taction.ID = a.ID\n\t\t\terr = dataprovider.UpdateEventAction(&action, executor, ipAddress, role)\n\t\t\tlogger.Debug(logSender, \"\", \"restoring event action %q, dump file: %q, error: %v\", action.Name, inputFile, err)\n\t\t} else {\n\t\t\terr = dataprovider.AddEventAction(&action, executor, ipAddress, role)\n\t\t\tlogger.Debug(logSender, \"\", \"adding new event action %q, dump file: %q, error: %v\", action.Name, inputFile, err)\n\t\t}\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"unable to restore event action %q: %w\", action.Name, err)\n\t\t}\n\t}\n\treturn nil\n}\n\n// RestoreEventRules restores the specified event rules\nfunc RestoreEventRules(rules []dataprovider.EventRule, inputFile string, mode int, executor, ipAddress,\n\trole string, dumpVersion int,\n) error {\n\tfor idx := range rules {\n\t\trule := rules[idx]\n\t\tif dumpVersion < 15 {\n\t\t\trule.Status = 1\n\t\t}\n\t\tr, err := dataprovider.EventRuleExists(rule.Name)\n\t\tif err == nil {\n\t\t\tif mode == 1 {\n\t\t\t\tlogger.Debug(logSender, \"\", \"loaddata mode 1, existing event rule %q not updated\", r.Name)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\trule.ID = r.ID\n\t\t\terr = dataprovider.UpdateEventRule(&rule, executor, ipAddress, role)\n\t\t\tlogger.Debug(logSender, \"\", \"restoring event rule %q, dump file: %q, error: %v\", rule.Name, inputFile, err)\n\t\t} else {\n\t\t\terr = dataprovider.AddEventRule(&rule, executor, ipAddress, role)\n\t\t\tlogger.Debug(logSender, \"\", \"adding new event rule %q, dump file: %q, error: %v\", rule.Name, inputFile, err)\n\t\t}\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"unable to restore event rule %q: %w\", rule.Name, err)\n\t\t}\n\t}\n\treturn nil\n}\n\n// RestoreAPIKeys restores the specified API keys\nfunc RestoreAPIKeys(apiKeys []dataprovider.APIKey, inputFile string, mode int, executor, ipAddress, role string) error {\n\tfor idx := range apiKeys {\n\t\tapiKey := apiKeys[idx]\n\t\tif apiKey.Key == \"\" {\n\t\t\tlogger.Warn(logSender, \"\", \"cannot restore empty API key\")\n\t\t\treturn fmt.Errorf(\"cannot restore an empty API key: %+v\", apiKey)\n\t\t}\n\t\tk, err := dataprovider.APIKeyExists(apiKey.KeyID)\n\t\tif err == nil {\n\t\t\tif mode == 1 {\n\t\t\t\tlogger.Debug(logSender, \"\", \"loaddata mode 1, existing API key %q not updated\", apiKey.KeyID)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tapiKey.ID = k.ID\n\t\t\terr = dataprovider.UpdateAPIKey(&apiKey, executor, ipAddress, role)\n\t\t\tlogger.Debug(logSender, \"\", \"restoring existing API key %q, dump file: %q, error: %v\", apiKey.KeyID, inputFile, err)\n\t\t} else {\n\t\t\terr = dataprovider.AddAPIKey(&apiKey, executor, ipAddress, role)\n\t\t\tlogger.Debug(logSender, \"\", \"adding new API key %q, dump file: %q, error: %v\", apiKey.KeyID, inputFile, err)\n\t\t}\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"unable to restore API key %q: %w\", apiKey.KeyID, err)\n\t\t}\n\t}\n\treturn nil\n}\n\n// RestoreAdmins restores the specified admins\nfunc RestoreAdmins(admins []dataprovider.Admin, inputFile string, mode int, executor, ipAddress, role string) error {\n\tfor idx := range admins {\n\t\tadmin := admins[idx]\n\t\ta, err := dataprovider.AdminExists(admin.Username)\n\t\tif err == nil {\n\t\t\tif mode == 1 {\n\t\t\t\tlogger.Debug(logSender, \"\", \"loaddata mode 1, existing admin %q not updated\", a.Username)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tadmin.ID = a.ID\n\t\t\tadmin.Username = a.Username\n\t\t\terr = dataprovider.UpdateAdmin(&admin, executor, ipAddress, role)\n\t\t\tlogger.Debug(logSender, \"\", \"restoring existing admin %q, dump file: %q, error: %v\", admin.Username, inputFile, err)\n\t\t} else {\n\t\t\terr = dataprovider.AddAdmin(&admin, executor, ipAddress, role)\n\t\t\tlogger.Debug(logSender, \"\", \"adding new admin %q, dump file: %q, error: %v\", admin.Username, inputFile, err)\n\t\t}\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"unable to restore admin %q: %w\", admin.Username, err)\n\t\t}\n\t}\n\n\treturn nil\n}\n\n// RestoreConfigs restores the specified provider configs\nfunc RestoreConfigs(configs *dataprovider.Configs, mode int, executor, ipAddress,\n\texecutorRole string,\n) error {\n\tif configs == nil {\n\t\treturn nil\n\t}\n\tc, err := dataprovider.GetConfigs()\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to restore configs, error loading existing from db: %w\", err)\n\t}\n\tif c.UpdatedAt > 0 {\n\t\tif mode == 1 {\n\t\t\tlogger.Debug(logSender, \"\", \"loaddata mode 1, existing configs not updated\")\n\t\t\treturn nil\n\t\t}\n\t}\n\treturn dataprovider.UpdateConfigs(configs, executor, ipAddress, executorRole)\n}\n\n// RestoreIPListEntries restores the specified IP list entries\nfunc RestoreIPListEntries(entries []dataprovider.IPListEntry, inputFile string, mode int, executor, ipAddress,\n\texecutorRole string,\n) error {\n\tfor idx := range entries {\n\t\tentry := entries[idx]\n\t\te, err := dataprovider.IPListEntryExists(entry.IPOrNet, entry.Type)\n\t\tif err == nil {\n\t\t\tif mode == 1 {\n\t\t\t\tlogger.Debug(logSender, \"\", \"loaddata mode 1, existing IP list entry %s-%s not updated\",\n\t\t\t\t\te.Type.AsString(), e.IPOrNet)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\terr = dataprovider.UpdateIPListEntry(&entry, executor, ipAddress, executorRole)\n\t\t\tlogger.Debug(logSender, \"\", \"restoring existing IP list entry: %s-%s, dump file: %q, error: %v\",\n\t\t\t\tentry.Type.AsString(), entry.IPOrNet, inputFile, err)\n\t\t} else {\n\t\t\terr = dataprovider.AddIPListEntry(&entry, executor, ipAddress, executorRole)\n\t\t\tlogger.Debug(logSender, \"\", \"adding new IP list entry %s-%s, dump file: %q, error: %v\",\n\t\t\t\tentry.Type.AsString(), entry.IPOrNet, inputFile, err)\n\t\t}\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"unable to restore IP list entry %s-%s: %w\", entry.Type.AsString(), entry.IPOrNet, err)\n\t\t}\n\t}\n\treturn nil\n}\n\n// RestoreRoles restores the specified roles\nfunc RestoreRoles(roles []dataprovider.Role, inputFile string, mode int, executor, ipAddress, executorRole string) error {\n\tfor idx := range roles {\n\t\trole := roles[idx]\n\t\tr, err := dataprovider.RoleExists(role.Name)\n\t\tif err == nil {\n\t\t\tif mode == 1 {\n\t\t\t\tlogger.Debug(logSender, \"\", \"loaddata mode 1, existing role %q not updated\", r.Name)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\trole.ID = r.ID\n\t\t\terr = dataprovider.UpdateRole(&role, executor, ipAddress, executorRole)\n\t\t\tlogger.Debug(logSender, \"\", \"restoring existing role: %q, dump file: %q, error: %v\", role.Name, inputFile, err)\n\t\t} else {\n\t\t\terr = dataprovider.AddRole(&role, executor, ipAddress, executorRole)\n\t\t\tlogger.Debug(logSender, \"\", \"adding new role: %q, dump file: %q, error: %v\", role.Name, inputFile, err)\n\t\t}\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"unable to restore role %q: %w\", role.Name, err)\n\t\t}\n\t}\n\treturn nil\n}\n\n// RestoreGroups restores the specified groups\nfunc RestoreGroups(groups []dataprovider.Group, inputFile string, mode int, executor, ipAddress, role string) error {\n\tfor idx := range groups {\n\t\tgroup := groups[idx]\n\t\tg, err := dataprovider.GroupExists(group.Name)\n\t\tif err == nil {\n\t\t\tif mode == 1 {\n\t\t\t\tlogger.Debug(logSender, \"\", \"loaddata mode 1, existing group %q not updated\", g.Name)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tgroup.ID = g.ID\n\t\t\tgroup.Name = g.Name\n\t\t\terr = dataprovider.UpdateGroup(&group, g.Users, executor, ipAddress, role)\n\t\t\tlogger.Debug(logSender, \"\", \"restoring existing group: %q, dump file: %q, error: %v\", group.Name, inputFile, err)\n\t\t} else {\n\t\t\terr = dataprovider.AddGroup(&group, executor, ipAddress, role)\n\t\t\tlogger.Debug(logSender, \"\", \"adding new group: %q, dump file: %q, error: %v\", group.Name, inputFile, err)\n\t\t}\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"unable to restore group %q: %w\", group.Name, err)\n\t\t}\n\t}\n\treturn nil\n}\n\n// RestoreUsers restores the specified users\nfunc RestoreUsers(users []dataprovider.User, inputFile string, mode, scanQuota int, executor, ipAddress, role string) error {\n\tfor idx := range users {\n\t\tuser := users[idx]\n\t\tu, err := dataprovider.UserExists(user.Username, \"\")\n\t\tif err == nil {\n\t\t\tif mode == 1 {\n\t\t\t\tlogger.Debug(logSender, \"\", \"loaddata mode 1, existing user %q not updated\", u.Username)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tuser.ID = u.ID\n\t\t\tuser.Username = u.Username\n\t\t\terr = dataprovider.UpdateUser(&user, executor, ipAddress, role)\n\t\t\tlogger.Debug(logSender, \"\", \"restoring existing user: %q, dump file: %q, error: %v\", user.Username, inputFile, err)\n\t\t\tif mode == 2 && err == nil {\n\t\t\t\tdisconnectUser(user.Username, executor, role)\n\t\t\t}\n\t\t} else {\n\t\t\terr = dataprovider.AddUser(&user, executor, ipAddress, role)\n\t\t\tlogger.Debug(logSender, \"\", \"adding new user: %q, dump file: %q, error: %v\", user.Username, inputFile, err)\n\t\t}\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"unable to restore user %q: %w\", user.Username, err)\n\t\t}\n\t\tif scanQuota == 1 || (scanQuota == 2 && user.HasQuotaRestrictions()) {\n\t\t\tuser, err = dataprovider.GetUserWithGroupSettings(user.Username, \"\")\n\t\t\tif err == nil && common.QuotaScans.AddUserQuotaScan(user.Username, user.Role) {\n\t\t\t\tlogger.Debug(logSender, \"\", \"starting quota scan for restored user: %q\", user.Username)\n\t\t\t\tgo doUserQuotaScan(&user) //nolint:errcheck\n\t\t\t}\n\t\t}\n\t}\n\treturn nil\n}\n" }, { "path": "internal/httpd/api_mfa.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"bytes\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"slices\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"github.com/go-chi/render\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/jwt\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/mfa\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nvar (\n\terrRecoveryCodeForbidden = errors.New(\"recovery codes are not available with two-factor authentication disabled\")\n)\n\ntype generateTOTPRequest struct {\n\tConfigName string `json:\"config_name\"`\n}\n\ntype generateTOTPResponse struct {\n\tConfigName string `json:\"config_name\"`\n\tIssuer string `json:\"issuer\"`\n\tSecret string `json:\"secret\"`\n\tURL string `json:\"url\"`\n\tQRCode []byte `json:\"qr_code\"`\n}\n\ntype validateTOTPRequest struct {\n\tConfigName string `json:\"config_name\"`\n\tPasscode string `json:\"passcode\"`\n\tSecret string `json:\"secret\"`\n}\n\ntype recoveryCode struct {\n\tCode string `json:\"code\"`\n\tUsed bool `json:\"used\"`\n}\n\nfunc getTOTPConfigs(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\trender.JSON(w, r, mfa.GetAvailableTOTPConfigs())\n}\n\nfunc generateTOTPSecret(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tvar accountName string\n\tif hasUserAudience(claims) {\n\t\taccountName = fmt.Sprintf(\"User %q\", claims.Username)\n\t} else {\n\t\taccountName = fmt.Sprintf(\"Admin %q\", claims.Username)\n\t}\n\n\tvar req generateTOTPRequest\n\terr = render.DecodeJSON(r.Body, &req)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tconfigName, key, qrCode, err := mfa.GenerateTOTPSecret(req.ConfigName, accountName)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\trender.JSON(w, r, generateTOTPResponse{\n\t\tConfigName: configName,\n\t\tIssuer: key.Issuer(),\n\t\tSecret: key.Secret(),\n\t\tURL: key.URL(),\n\t\tQRCode: qrCode,\n\t})\n}\n\nfunc getQRCode(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\timg, err := mfa.GenerateQRCodeFromURL(r.URL.Query().Get(\"url\"), 400, 400)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, nil, \"unable to generate qr code\", http.StatusInternalServerError)\n\t\treturn\n\t}\n\timgSize := int64(len(img))\n\tw.Header().Set(\"Content-Length\", strconv.FormatInt(imgSize, 10))\n\tw.Header().Set(\"Content-Type\", \"image/png\")\n\tio.CopyN(w, bytes.NewBuffer(img), imgSize) //nolint:errcheck\n}\n\nfunc saveTOTPConfig(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\trecoveryCodes := make([]dataprovider.RecoveryCode, 0, 12)\n\tfor i := 0; i < 12; i++ {\n\t\tcode := getNewRecoveryCode()\n\t\trecoveryCodes = append(recoveryCodes, dataprovider.RecoveryCode{Secret: kms.NewPlainSecret(code)})\n\t}\n\tbaseURL := webBaseClientPath\n\tif hasUserAudience(claims) {\n\t\tif err := saveUserTOTPConfig(claims.Username, r, recoveryCodes); err != nil {\n\t\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\t\treturn\n\t\t}\n\t} else {\n\t\tif err := saveAdminTOTPConfig(claims.Username, r, recoveryCodes); err != nil {\n\t\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\t\treturn\n\t\t}\n\t\tbaseURL = webBasePath\n\t}\n\tif claims.MustSetTwoFactorAuth {\n\t\t// force logout\n\t\tdefer func() {\n\t\t\tremoveCookie(w, r, baseURL)\n\t\t}()\n\t}\n\n\tsendAPIResponse(w, r, nil, \"TOTP configuration saved\", http.StatusOK)\n}\n\nfunc validateTOTPPasscode(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tvar req validateTOTPRequest\n\terr := render.DecodeJSON(r.Body, &req)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tmatch, err := mfa.ValidateTOTPPasscode(req.ConfigName, req.Passcode, req.Secret)\n\tif !match || err != nil {\n\t\tsendAPIResponse(w, r, err, \"Invalid passcode\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, nil, \"Passcode successfully validated\", http.StatusOK)\n}\n\nfunc getRecoveryCodes(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\trecoveryCodes := make([]recoveryCode, 0, 12)\n\tvar accountRecoveryCodes []dataprovider.RecoveryCode\n\tif hasUserAudience(claims) {\n\t\tuser, err := dataprovider.UserExists(claims.Username, \"\")\n\t\tif err != nil {\n\t\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\t\treturn\n\t\t}\n\t\tif !user.Filters.TOTPConfig.Enabled {\n\t\t\tsendAPIResponse(w, r, errRecoveryCodeForbidden, \"\", http.StatusForbidden)\n\t\t\treturn\n\t\t}\n\t\taccountRecoveryCodes = user.Filters.RecoveryCodes\n\t} else {\n\t\tadmin, err := dataprovider.AdminExists(claims.Username)\n\t\tif err != nil {\n\t\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\t\treturn\n\t\t}\n\t\tif !admin.Filters.TOTPConfig.Enabled {\n\t\t\tsendAPIResponse(w, r, errRecoveryCodeForbidden, \"\", http.StatusForbidden)\n\t\t\treturn\n\t\t}\n\t\taccountRecoveryCodes = admin.Filters.RecoveryCodes\n\t}\n\n\tfor _, code := range accountRecoveryCodes {\n\t\tif err := code.Secret.Decrypt(); err != nil {\n\t\t\tsendAPIResponse(w, r, err, \"Unable to decrypt recovery codes\", getRespStatus(err))\n\t\t\treturn\n\t\t}\n\t\trecoveryCodes = append(recoveryCodes, recoveryCode{\n\t\t\tCode: code.Secret.GetPayload(),\n\t\t\tUsed: code.Used,\n\t\t})\n\t}\n\trender.JSON(w, r, recoveryCodes)\n}\n\nfunc generateRecoveryCodes(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\trecoveryCodes := make([]string, 0, 12)\n\taccountRecoveryCodes := make([]dataprovider.RecoveryCode, 0, 12)\n\tfor i := 0; i < 12; i++ {\n\t\tcode := getNewRecoveryCode()\n\t\trecoveryCodes = append(recoveryCodes, code)\n\t\taccountRecoveryCodes = append(accountRecoveryCodes, dataprovider.RecoveryCode{Secret: kms.NewPlainSecret(code)})\n\t}\n\tif hasUserAudience(claims) {\n\t\tuser, err := dataprovider.UserExists(claims.Username, \"\")\n\t\tif err != nil {\n\t\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\t\treturn\n\t\t}\n\t\tif !user.Filters.TOTPConfig.Enabled {\n\t\t\tsendAPIResponse(w, r, errRecoveryCodeForbidden, \"\", http.StatusForbidden)\n\t\t\treturn\n\t\t}\n\t\tuser.Filters.RecoveryCodes = accountRecoveryCodes\n\t\tif err := dataprovider.UpdateUser(&user, dataprovider.ActionExecutorSelf, util.GetIPFromRemoteAddress(r.RemoteAddr), user.Role); err != nil {\n\t\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\t\treturn\n\t\t}\n\t} else {\n\t\tadmin, err := dataprovider.AdminExists(claims.Username)\n\t\tif err != nil {\n\t\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\t\treturn\n\t\t}\n\t\tif !admin.Filters.TOTPConfig.Enabled {\n\t\t\tsendAPIResponse(w, r, errRecoveryCodeForbidden, \"\", http.StatusForbidden)\n\t\t\treturn\n\t\t}\n\t\tadmin.Filters.RecoveryCodes = accountRecoveryCodes\n\t\tif err := dataprovider.UpdateAdmin(&admin, dataprovider.ActionExecutorSelf, util.GetIPFromRemoteAddress(r.RemoteAddr), admin.Role); err != nil {\n\t\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\t\treturn\n\t\t}\n\t}\n\n\trender.JSON(w, r, recoveryCodes)\n}\n\nfunc getNewRecoveryCode() string {\n\treturn fmt.Sprintf(\"RC-%v\", strings.ToUpper(util.GenerateUniqueID()))\n}\n\nfunc saveUserTOTPConfig(username string, r *http.Request, recoveryCodes []dataprovider.RecoveryCode) error {\n\tuser, userMerged, err := dataprovider.GetUserVariants(username, \"\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tcurrentTOTPSecret := user.Filters.TOTPConfig.Secret\n\tuser.Filters.TOTPConfig.Secret = nil\n\terr = render.DecodeJSON(r.Body, &user.Filters.TOTPConfig)\n\tif err != nil {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"unable to decode JSON body: %v\", err))\n\t}\n\tif !user.Filters.TOTPConfig.Enabled && len(userMerged.Filters.TwoFactorAuthProtocols) > 0 {\n\t\treturn util.NewValidationError(\"two-factor authentication must be enabled\")\n\t}\n\tfor _, p := range userMerged.Filters.TwoFactorAuthProtocols {\n\t\tif !slices.Contains(user.Filters.TOTPConfig.Protocols, p) {\n\t\t\treturn util.NewValidationError(fmt.Sprintf(\"totp: the following protocols are required: %q\",\n\t\t\t\tstrings.Join(userMerged.Filters.TwoFactorAuthProtocols, \", \")))\n\t\t}\n\t}\n\tif user.Filters.TOTPConfig.Secret == nil || !user.Filters.TOTPConfig.Secret.IsPlain() {\n\t\tuser.Filters.TOTPConfig.Secret = currentTOTPSecret\n\t}\n\tif user.Filters.TOTPConfig.Enabled {\n\t\tif user.CountUnusedRecoveryCodes() < 5 && user.Filters.TOTPConfig.Enabled {\n\t\t\tuser.Filters.RecoveryCodes = recoveryCodes\n\t\t}\n\t} else {\n\t\tuser.Filters.RecoveryCodes = nil\n\t}\n\treturn dataprovider.UpdateUser(&user, dataprovider.ActionExecutorSelf, util.GetIPFromRemoteAddress(r.RemoteAddr), user.Role)\n}\n\nfunc saveAdminTOTPConfig(username string, r *http.Request, recoveryCodes []dataprovider.RecoveryCode) error {\n\tadmin, err := dataprovider.AdminExists(username)\n\tif err != nil {\n\t\treturn err\n\t}\n\tcurrentTOTPSecret := admin.Filters.TOTPConfig.Secret\n\tadmin.Filters.TOTPConfig.Secret = nil\n\terr = render.DecodeJSON(r.Body, &admin.Filters.TOTPConfig)\n\tif err != nil {\n\t\treturn util.NewValidationError(fmt.Sprintf(\"unable to decode JSON body: %v\", err))\n\t}\n\tif !admin.Filters.TOTPConfig.Enabled && admin.Filters.RequireTwoFactor {\n\t\treturn util.NewValidationError(\"two-factor authentication must be enabled\")\n\t}\n\tif admin.Filters.TOTPConfig.Enabled {\n\t\tif admin.CountUnusedRecoveryCodes() < 5 && admin.Filters.TOTPConfig.Enabled {\n\t\t\tadmin.Filters.RecoveryCodes = recoveryCodes\n\t\t}\n\t} else {\n\t\tadmin.Filters.RecoveryCodes = nil\n\t}\n\tif admin.Filters.TOTPConfig.Secret == nil || !admin.Filters.TOTPConfig.Secret.IsPlain() {\n\t\tadmin.Filters.TOTPConfig.Secret = currentTOTPSecret\n\t}\n\treturn dataprovider.UpdateAdmin(&admin, dataprovider.ActionExecutorSelf, util.GetIPFromRemoteAddress(r.RemoteAddr), admin.Role)\n}\n" }, { "path": "internal/httpd/api_quota.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"net/http\"\n\n\t\"github.com/go-chi/render\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/jwt\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nconst (\n\tquotaUpdateModeAdd = \"add\"\n\tquotaUpdateModeReset = \"reset\"\n)\n\ntype quotaUsage struct {\n\tUsedQuotaSize int64 `json:\"used_quota_size\"`\n\tUsedQuotaFiles int `json:\"used_quota_files\"`\n}\n\ntype transferQuotaUsage struct {\n\tUsedUploadDataTransfer int64 `json:\"used_upload_data_transfer\"`\n\tUsedDownloadDataTransfer int64 `json:\"used_download_data_transfer\"`\n}\n\nfunc getUsersQuotaScans(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\trender.JSON(w, r, common.QuotaScans.GetUsersQuotaScans(claims.Role))\n}\n\nfunc getFoldersQuotaScans(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\trender.JSON(w, r, common.QuotaScans.GetVFoldersQuotaScans())\n}\n\nfunc updateUserQuotaUsage(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tvar usage quotaUsage\n\terr := render.DecodeJSON(r.Body, &usage)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tdoUpdateUserQuotaUsage(w, r, getURLParam(r, \"username\"), usage)\n}\n\nfunc updateFolderQuotaUsage(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tvar usage quotaUsage\n\terr := render.DecodeJSON(r.Body, &usage)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tdoUpdateFolderQuotaUsage(w, r, getURLParam(r, \"name\"), usage)\n}\n\nfunc startUserQuotaScan(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tdoStartUserQuotaScan(w, r, getURLParam(r, \"username\"))\n}\n\nfunc startFolderQuotaScan(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tdoStartFolderQuotaScan(w, r, getURLParam(r, \"name\"))\n}\n\nfunc updateUserTransferQuotaUsage(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tvar usage transferQuotaUsage\n\terr = render.DecodeJSON(r.Body, &usage)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tif usage.UsedUploadDataTransfer < 0 || usage.UsedDownloadDataTransfer < 0 {\n\t\tsendAPIResponse(w, r, errors.New(\"invalid used transfer quota parameters, negative values are not allowed\"),\n\t\t\t\"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tmode, err := getQuotaUpdateMode(r)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tuser, err := dataprovider.GetUserWithGroupSettings(getURLParam(r, \"username\"), claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tif mode == quotaUpdateModeAdd && !user.HasTransferQuotaRestrictions() && dataprovider.GetQuotaTracking() == 2 {\n\t\tsendAPIResponse(w, r, errors.New(\"this user has no transfer quota restrictions, only reset mode is supported\"),\n\t\t\t\"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\terr = dataprovider.UpdateUserTransferQuota(&user, usage.UsedUploadDataTransfer, usage.UsedDownloadDataTransfer,\n\t\tmode == quotaUpdateModeReset)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, err, \"Quota updated\", http.StatusOK)\n}\n\nfunc doUpdateUserQuotaUsage(w http.ResponseWriter, r *http.Request, username string, usage quotaUsage) {\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tif usage.UsedQuotaFiles < 0 || usage.UsedQuotaSize < 0 {\n\t\tsendAPIResponse(w, r, errors.New(\"invalid used quota parameters, negative values are not allowed\"),\n\t\t\t\"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tmode, err := getQuotaUpdateMode(r)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tuser, err := dataprovider.GetUserWithGroupSettings(username, claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tif mode == quotaUpdateModeAdd && !user.HasQuotaRestrictions() && dataprovider.GetQuotaTracking() == 2 {\n\t\tsendAPIResponse(w, r, errors.New(\"this user has no quota restrictions, only reset mode is supported\"),\n\t\t\t\"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tif !common.QuotaScans.AddUserQuotaScan(user.Username, user.Role) {\n\t\tsendAPIResponse(w, r, err, \"A quota scan is in progress for this user\", http.StatusConflict)\n\t\treturn\n\t}\n\tdefer common.QuotaScans.RemoveUserQuotaScan(user.Username)\n\terr = dataprovider.UpdateUserQuota(&user, usage.UsedQuotaFiles, usage.UsedQuotaSize, mode == quotaUpdateModeReset)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, err, \"Quota updated\", http.StatusOK)\n}\n\nfunc doUpdateFolderQuotaUsage(w http.ResponseWriter, r *http.Request, name string, usage quotaUsage) {\n\tif usage.UsedQuotaFiles < 0 || usage.UsedQuotaSize < 0 {\n\t\tsendAPIResponse(w, r, errors.New(\"invalid used quota parameters, negative values are not allowed\"),\n\t\t\t\"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tmode, err := getQuotaUpdateMode(r)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tfolder, err := dataprovider.GetFolderByName(name)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tif !common.QuotaScans.AddVFolderQuotaScan(folder.Name) {\n\t\tsendAPIResponse(w, r, err, \"A quota scan is in progress for this folder\", http.StatusConflict)\n\t\treturn\n\t}\n\tdefer common.QuotaScans.RemoveVFolderQuotaScan(folder.Name)\n\terr = dataprovider.UpdateVirtualFolderQuota(&folder, usage.UsedQuotaFiles, usage.UsedQuotaSize, mode == quotaUpdateModeReset)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t} else {\n\t\tsendAPIResponse(w, r, err, \"Quota updated\", http.StatusOK)\n\t}\n}\n\nfunc doStartUserQuotaScan(w http.ResponseWriter, r *http.Request, username string) {\n\tif dataprovider.GetQuotaTracking() == 0 {\n\t\tsendAPIResponse(w, r, nil, \"Quota tracking is disabled!\", http.StatusForbidden)\n\t\treturn\n\t}\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tuser, err := dataprovider.GetUserWithGroupSettings(username, claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tif !common.QuotaScans.AddUserQuotaScan(user.Username, user.Role) {\n\t\tsendAPIResponse(w, r, nil, fmt.Sprintf(\"Another scan is already in progress for user %q\", username),\n\t\t\thttp.StatusConflict)\n\t\treturn\n\t}\n\tgo doUserQuotaScan(&user) //nolint:errcheck\n\tsendAPIResponse(w, r, err, \"Scan started\", http.StatusAccepted)\n}\n\nfunc doStartFolderQuotaScan(w http.ResponseWriter, r *http.Request, name string) {\n\tif dataprovider.GetQuotaTracking() == 0 {\n\t\tsendAPIResponse(w, r, nil, \"Quota tracking is disabled!\", http.StatusForbidden)\n\t\treturn\n\t}\n\tfolder, err := dataprovider.GetFolderByName(name)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tif !common.QuotaScans.AddVFolderQuotaScan(folder.Name) {\n\t\tsendAPIResponse(w, r, err, fmt.Sprintf(\"Another scan is already in progress for folder %q\", name),\n\t\t\thttp.StatusConflict)\n\t\treturn\n\t}\n\tgo doFolderQuotaScan(folder) //nolint:errcheck\n\tsendAPIResponse(w, r, err, \"Scan started\", http.StatusAccepted)\n}\n\nfunc doUserQuotaScan(user *dataprovider.User) error {\n\tdefer common.QuotaScans.RemoveUserQuotaScan(user.Username)\n\tnumFiles, size, err := user.ScanQuota()\n\tif err != nil {\n\t\tlogger.Warn(logSender, \"\", \"error scanning user quota %q: %v\", user.Username, err)\n\t\treturn err\n\t}\n\terr = dataprovider.UpdateUserQuota(user, numFiles, size, true)\n\tlogger.Debug(logSender, \"\", \"user quota scanned, user: %q, error: %v\", user.Username, err)\n\treturn err\n}\n\nfunc doFolderQuotaScan(folder vfs.BaseVirtualFolder) error {\n\tdefer common.QuotaScans.RemoveVFolderQuotaScan(folder.Name)\n\tf := vfs.VirtualFolder{\n\t\tBaseVirtualFolder: folder,\n\t\tVirtualPath: \"/\",\n\t}\n\tnumFiles, size, err := f.ScanQuota()\n\tif err != nil {\n\t\tlogger.Warn(logSender, \"\", \"error scanning folder %q: %v\", folder.Name, err)\n\t\treturn err\n\t}\n\terr = dataprovider.UpdateVirtualFolderQuota(&folder, numFiles, size, true)\n\tlogger.Debug(logSender, \"\", \"virtual folder %q scanned, error: %v\", folder.Name, err)\n\treturn err\n}\n\nfunc getQuotaUpdateMode(r *http.Request) (string, error) {\n\tmode := quotaUpdateModeReset\n\tif _, ok := r.URL.Query()[\"mode\"]; ok {\n\t\tmode = r.URL.Query().Get(\"mode\")\n\t\tif mode != quotaUpdateModeReset && mode != quotaUpdateModeAdd {\n\t\t\treturn \"\", errors.New(\"invalid mode\")\n\t\t}\n\t}\n\treturn mode, nil\n}\n" }, { "path": "internal/httpd/api_retention.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"net/http\"\n\n\t\"github.com/go-chi/render\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/jwt\"\n)\n\nfunc getRetentionChecks(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\trender.JSON(w, r, common.RetentionChecks.Get(claims.Role))\n}\n" }, { "path": "internal/httpd/api_role.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"net/url\"\n\n\t\"github.com/go-chi/render\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/jwt\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nfunc getRoles(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tlimit, offset, order, err := getSearchFilters(w, r)\n\tif err != nil {\n\t\treturn\n\t}\n\n\troles, err := dataprovider.GetRoles(limit, offset, order, false)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusInternalServerError)\n\t\treturn\n\t}\n\trender.JSON(w, r, roles)\n}\n\nfunc addRole(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\tvar role dataprovider.Role\n\terr = render.DecodeJSON(r.Body, &role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\terr = dataprovider.AddRole(&role, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t} else {\n\t\tw.Header().Add(\"Location\", fmt.Sprintf(\"%s/%s\", rolesPath, url.PathEscape(role.Name)))\n\t\trenderRole(w, r, role.Name, http.StatusCreated)\n\t}\n}\n\nfunc updateRole(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\tname := getURLParam(r, \"name\")\n\trole, err := dataprovider.RoleExists(name)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\n\tvar updatedRole dataprovider.Role\n\terr = render.DecodeJSON(r.Body, &updatedRole)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\tupdatedRole.ID = role.ID\n\tupdatedRole.Name = role.Name\n\terr = dataprovider.UpdateRole(&updatedRole, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, nil, \"Role updated\", http.StatusOK)\n}\n\nfunc renderRole(w http.ResponseWriter, r *http.Request, name string, status int) {\n\trole, err := dataprovider.RoleExists(name)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tif status != http.StatusOK {\n\t\tctx := context.WithValue(r.Context(), render.StatusCtxKey, status)\n\t\trender.JSON(w, r.WithContext(ctx), role)\n\t} else {\n\t\trender.JSON(w, r, role)\n\t}\n}\n\nfunc getRoleByName(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tname := getURLParam(r, \"name\")\n\trenderRole(w, r, name, http.StatusOK)\n}\n\nfunc deleteRole(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tname := getURLParam(r, \"name\")\n\terr = dataprovider.DeleteRole(name, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, err, \"Role deleted\", http.StatusOK)\n}\n" }, { "path": "internal/httpd/api_shares.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"path\"\n\t\"slices\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/go-chi/render\"\n\t\"github.com/rs/xid\"\n\t\"github.com/sftpgo/sdk\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/jwt\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nfunc getShares(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tlimit, offset, order, err := getSearchFilters(w, r)\n\tif err != nil {\n\t\treturn\n\t}\n\n\tshares, err := dataprovider.GetShares(limit, offset, order, claims.Username)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\trender.JSON(w, r, shares)\n}\n\nfunc getShareByID(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tshareID := getURLParam(r, \"id\")\n\tshare, err := dataprovider.ShareExists(shareID, claims.Username)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tshare.HideConfidentialData()\n\n\trender.JSON(w, r, share)\n}\n\nfunc addShare(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tuser, err := dataprovider.GetUserWithGroupSettings(claims.Username, \"\")\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"Unable to retrieve your user\", getRespStatus(err))\n\t\treturn\n\t}\n\tvar share dataprovider.Share\n\tif user.Filters.DefaultSharesExpiration > 0 {\n\t\tshare.ExpiresAt = util.GetTimeAsMsSinceEpoch(time.Now().Add(24 * time.Hour * time.Duration(user.Filters.DefaultSharesExpiration)))\n\t}\n\terr = render.DecodeJSON(r.Body, &share)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tif err := user.CheckMaxShareExpiration(util.GetTimeFromMsecSinceEpoch(share.ExpiresAt)); err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tshare.ID = 0\n\tshare.ShareID = util.GenerateUniqueID()\n\tshare.LastUseAt = 0\n\tshare.Username = claims.Username\n\tif share.Name == \"\" {\n\t\tshare.Name = share.ShareID\n\t}\n\tif share.Password == \"\" {\n\t\tif slices.Contains(claims.Permissions, sdk.WebClientShareNoPasswordDisabled) {\n\t\t\tsendAPIResponse(w, r, nil, \"You are not authorized to share files/folders without a password\",\n\t\t\t\thttp.StatusForbidden)\n\t\t\treturn\n\t\t}\n\t}\n\terr = dataprovider.AddShare(&share, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tw.Header().Add(\"Location\", fmt.Sprintf(\"%s/%s\", userSharesPath, url.PathEscape(share.ShareID)))\n\tw.Header().Add(\"X-Object-ID\", share.ShareID)\n\tsendAPIResponse(w, r, nil, \"Share created\", http.StatusCreated)\n}\n\nfunc updateShare(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tuser, err := dataprovider.GetUserWithGroupSettings(claims.Username, \"\")\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"Unable to retrieve your user\", getRespStatus(err))\n\t\treturn\n\t}\n\tshareID := getURLParam(r, \"id\")\n\tshare, err := dataprovider.ShareExists(shareID, claims.Username)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\n\tvar updatedShare dataprovider.Share\n\terr = render.DecodeJSON(r.Body, &updatedShare)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\tupdatedShare.ShareID = shareID\n\tupdatedShare.Username = claims.Username\n\tif updatedShare.Password == redactedSecret {\n\t\tupdatedShare.Password = share.Password\n\t}\n\tif updatedShare.Password == \"\" {\n\t\tif slices.Contains(claims.Permissions, sdk.WebClientShareNoPasswordDisabled) {\n\t\t\tsendAPIResponse(w, r, nil, \"You are not authorized to share files/folders without a password\",\n\t\t\t\thttp.StatusForbidden)\n\t\t\treturn\n\t\t}\n\t}\n\tif err := user.CheckMaxShareExpiration(util.GetTimeFromMsecSinceEpoch(updatedShare.ExpiresAt)); err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\terr = dataprovider.UpdateShare(&updatedShare, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, nil, \"Share updated\", http.StatusOK)\n}\n\nfunc deleteShare(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tshareID := getURLParam(r, \"id\")\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\terr = dataprovider.DeleteShare(shareID, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, err, \"Share deleted\", http.StatusOK)\n}\n\nfunc (s *httpdServer) readBrowsableShareContents(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tvalidScopes := []dataprovider.ShareScope{dataprovider.ShareScopeRead, dataprovider.ShareScopeReadWrite}\n\tshare, connection, err := s.checkPublicShare(w, r, validScopes)\n\tif err != nil {\n\t\treturn\n\t}\n\tif err := validateBrowsableShare(share, connection); err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tname, err := getBrowsableSharedPath(share.Paths[0], r)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\n\tif err = common.Connections.Add(connection); err != nil {\n\t\tsendAPIResponse(w, r, err, \"Unable to add connection\", http.StatusTooManyRequests)\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\tlister, err := connection.ReadDir(name)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"Unable to get directory lister\", getMappedStatusCode(err))\n\t\treturn\n\t}\n\trenderAPIDirContents(w, lister, true)\n}\n\nfunc (s *httpdServer) downloadBrowsableSharedFile(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tvalidScopes := []dataprovider.ShareScope{dataprovider.ShareScopeRead, dataprovider.ShareScopeReadWrite}\n\tshare, connection, err := s.checkPublicShare(w, r, validScopes)\n\tif err != nil {\n\t\treturn\n\t}\n\tif err := validateBrowsableShare(share, connection); err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tname, err := getBrowsableSharedPath(share.Paths[0], r)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\n\tif err = common.Connections.Add(connection); err != nil {\n\t\tsendAPIResponse(w, r, err, \"Unable to add connection\", http.StatusTooManyRequests)\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\tinfo, err := connection.Stat(name, 1)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"Unable to stat the requested file\", getMappedStatusCode(err))\n\t\treturn\n\t}\n\tif info.IsDir() {\n\t\tsendAPIResponse(w, r, nil, fmt.Sprintf(\"Please set the path to a valid file, %q is a directory\", name),\n\t\t\thttp.StatusBadRequest)\n\t\treturn\n\t}\n\n\tinline := r.URL.Query().Get(\"inline\") != \"\"\n\tdataprovider.UpdateShareLastUse(&share, 1) //nolint:errcheck\n\tif status, err := downloadFile(w, r, connection, name, info, inline, &share); err != nil {\n\t\tdataprovider.UpdateShareLastUse(&share, -1) //nolint:errcheck\n\t\tresp := apiResponse{\n\t\t\tError: err.Error(),\n\t\t\tMessage: http.StatusText(status),\n\t\t}\n\t\tctx := r.Context()\n\t\tif status != 0 {\n\t\t\tctx = context.WithValue(ctx, render.StatusCtxKey, status)\n\t\t}\n\t\trender.JSON(w, r.WithContext(ctx), resp)\n\t}\n}\n\nfunc (s *httpdServer) downloadFromShare(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tvalidScopes := []dataprovider.ShareScope{dataprovider.ShareScopeRead, dataprovider.ShareScopeReadWrite}\n\tshare, connection, err := s.checkPublicShare(w, r, validScopes)\n\tif err != nil {\n\t\treturn\n\t}\n\n\tif err = common.Connections.Add(connection); err != nil {\n\t\tsendAPIResponse(w, r, err, \"Unable to add connection\", http.StatusTooManyRequests)\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\tcompress := true\n\tvar info os.FileInfo\n\tif len(share.Paths) == 1 {\n\t\tinfo, err = connection.Stat(share.Paths[0], 1)\n\t\tif err != nil {\n\t\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\t\treturn\n\t\t}\n\t\tif info.Mode().IsRegular() && r.URL.Query().Get(\"compress\") == \"false\" {\n\t\t\tcompress = false\n\t\t}\n\t}\n\n\tdataprovider.UpdateShareLastUse(&share, 1) //nolint:errcheck\n\tif compress {\n\t\ttransferQuota := connection.GetTransferQuota()\n\t\tif !transferQuota.HasDownloadSpace() {\n\t\t\terr = connection.GetReadQuotaExceededError()\n\t\t\tconnection.Log(logger.LevelInfo, \"denying share read due to quota limits\")\n\t\t\tsendAPIResponse(w, r, err, \"\", getMappedStatusCode(err))\n\t\t\tdataprovider.UpdateShareLastUse(&share, -1) //nolint:errcheck\n\t\t\treturn\n\t\t}\n\t\tbaseDir := \"/\"\n\t\tif info != nil && info.IsDir() {\n\t\t\tbaseDir = share.Paths[0]\n\t\t\tshare.Paths[0] = \"/\"\n\t\t}\n\t\tw.Header().Set(\"Content-Disposition\", fmt.Sprintf(\"attachment; filename=\\\"share-%v.zip\\\"\", share.Name))\n\t\trenderCompressedFiles(w, connection, baseDir, share.Paths, &share)\n\t\treturn\n\t}\n\tif status, err := downloadFile(w, r, connection, share.Paths[0], info, false, &share); err != nil {\n\t\tdataprovider.UpdateShareLastUse(&share, -1) //nolint:errcheck\n\t\tresp := apiResponse{\n\t\t\tError: err.Error(),\n\t\t\tMessage: http.StatusText(status),\n\t\t}\n\t\tctx := r.Context()\n\t\tif status != 0 {\n\t\t\tctx = context.WithValue(ctx, render.StatusCtxKey, status)\n\t\t}\n\t\trender.JSON(w, r.WithContext(ctx), resp)\n\t}\n}\n\nfunc (s *httpdServer) uploadFileToShare(w http.ResponseWriter, r *http.Request) {\n\tif maxUploadFileSize > 0 {\n\t\tr.Body = http.MaxBytesReader(w, r.Body, maxUploadFileSize)\n\t}\n\tname := getURLParam(r, \"name\")\n\tvalidScopes := []dataprovider.ShareScope{dataprovider.ShareScopeWrite, dataprovider.ShareScopeReadWrite}\n\tshare, connection, err := s.checkPublicShare(w, r, validScopes)\n\tif err != nil {\n\t\treturn\n\t}\n\tfilePath := util.CleanPath(path.Join(share.Paths[0], name))\n\texpectedPrefix := share.Paths[0]\n\tif !strings.HasSuffix(expectedPrefix, \"/\") {\n\t\texpectedPrefix += \"/\"\n\t}\n\tif !strings.HasPrefix(filePath, expectedPrefix) {\n\t\tsendAPIResponse(w, r, err, \"Uploading outside the share is not allowed\", http.StatusForbidden)\n\t\treturn\n\t}\n\tdataprovider.UpdateShareLastUse(&share, 1) //nolint:errcheck\n\n\tif err = common.Connections.Add(connection); err != nil {\n\t\tsendAPIResponse(w, r, err, \"Unable to add connection\", http.StatusTooManyRequests)\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\tconnection.User.CheckFsRoot(connection.ID) //nolint:errcheck\n\tif getBoolQueryParam(r, \"mkdir_parents\") {\n\t\tif err = connection.CheckParentDirs(path.Dir(filePath)); err != nil {\n\t\t\tsendAPIResponse(w, r, err, \"Error checking parent directories\", getMappedStatusCode(err))\n\t\t\treturn\n\t\t}\n\t}\n\tif err := doUploadFile(w, r, connection, filePath); err != nil {\n\t\tdataprovider.UpdateShareLastUse(&share, -1) //nolint:errcheck\n\t}\n}\n\nfunc (s *httpdServer) uploadFilesToShare(w http.ResponseWriter, r *http.Request) {\n\tif maxUploadFileSize > 0 {\n\t\tr.Body = http.MaxBytesReader(w, r.Body, maxUploadFileSize)\n\t}\n\tvalidScopes := []dataprovider.ShareScope{dataprovider.ShareScopeWrite, dataprovider.ShareScopeReadWrite}\n\tshare, connection, err := s.checkPublicShare(w, r, validScopes)\n\tif err != nil {\n\t\treturn\n\t}\n\tif err := common.Connections.IsNewTransferAllowed(connection.User.Username); err != nil {\n\t\tconnection.Log(logger.LevelInfo, \"denying file write due to number of transfer limits\")\n\t\tsendAPIResponse(w, r, err, \"Denying file write due to transfer count limits\",\n\t\t\thttp.StatusConflict)\n\t\treturn\n\t}\n\n\ttransferQuota := connection.GetTransferQuota()\n\tif !transferQuota.HasUploadSpace() {\n\t\tconnection.Log(logger.LevelInfo, \"denying file write due to transfer quota limits\")\n\t\tsendAPIResponse(w, r, common.ErrQuotaExceeded, \"Denying file write due to transfer quota limits\",\n\t\t\thttp.StatusRequestEntityTooLarge)\n\t\treturn\n\t}\n\n\tif err = common.Connections.Add(connection); err != nil {\n\t\tsendAPIResponse(w, r, err, \"Unable to add connection\", http.StatusTooManyRequests)\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\tt := newThrottledReader(r.Body, connection.User.UploadBandwidth, connection)\n\tr.Body = t\n\terr = r.ParseMultipartForm(maxMultipartMem)\n\tif err != nil {\n\t\tconnection.RemoveTransfer(t)\n\t\tsendAPIResponse(w, r, err, \"Unable to parse multipart form\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tconnection.RemoveTransfer(t)\n\tdefer r.MultipartForm.RemoveAll() //nolint:errcheck\n\n\tfiles := r.MultipartForm.File[\"filenames\"]\n\tif len(files) == 0 {\n\t\tsendAPIResponse(w, r, nil, \"No files uploaded!\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tif share.MaxTokens > 0 {\n\t\tif len(files) > (share.MaxTokens - share.UsedTokens) {\n\t\t\tsendAPIResponse(w, r, nil, \"Allowed usage exceeded\", http.StatusBadRequest)\n\t\t\treturn\n\t\t}\n\t}\n\tdataprovider.UpdateShareLastUse(&share, len(files)) //nolint:errcheck\n\n\tconnection.User.CheckFsRoot(connection.ID) //nolint:errcheck\n\tnumUploads := doUploadFiles(w, r, connection, share.Paths[0], files)\n\tif numUploads != len(files) {\n\t\tdataprovider.UpdateShareLastUse(&share, numUploads-len(files)) //nolint:errcheck\n\t}\n}\n\nfunc (s *httpdServer) getShareClaims(r *http.Request, shareID string) (context.Context, *jwt.Claims, error) {\n\ttoken, err := jwt.VerifyRequest(s.tokenAuth, r, jwt.TokenFromCookie)\n\tif err != nil || token == nil {\n\t\treturn nil, nil, errInvalidToken\n\t}\n\ttokenString := jwt.TokenFromCookie(r)\n\tif tokenString == \"\" || invalidatedJWTTokens.Get(tokenString) {\n\t\treturn nil, nil, errInvalidToken\n\t}\n\tif !token.Audience.Contains(tokenAudienceWebShare) {\n\t\tlogger.Debug(logSender, \"\", \"invalid token audience for share %q\", shareID)\n\t\treturn nil, nil, errInvalidToken\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := validateIPForToken(token, ipAddr); err != nil {\n\t\tlogger.Debug(logSender, \"\", \"token for share %q is not valid for the ip address %q\", shareID, ipAddr)\n\t\treturn nil, nil, err\n\t}\n\tif token.Username != shareID {\n\t\tlogger.Debug(logSender, \"\", \"token not valid for share %q\", shareID)\n\t\treturn nil, nil, errInvalidToken\n\t}\n\tctx := jwt.NewContext(r.Context(), token, nil)\n\treturn ctx, token, nil\n}\n\nfunc (s *httpdServer) checkWebClientShareCredentials(w http.ResponseWriter, r *http.Request, share *dataprovider.Share) error {\n\tdoRedirect := func() {\n\t\tredirectURL := path.Join(webClientPubSharesPath, share.ShareID, fmt.Sprintf(\"login?next=%s\", url.QueryEscape(r.RequestURI)))\n\t\thttp.Redirect(w, r, redirectURL, http.StatusFound)\n\t}\n\n\tif _, _, err := s.getShareClaims(r, share.ShareID); err != nil {\n\t\tdoRedirect()\n\t\treturn err\n\t}\n\treturn nil\n}\n\nfunc (s *httpdServer) checkPublicShare(w http.ResponseWriter, r *http.Request, validScopes []dataprovider.ShareScope,\n) (dataprovider.Share, *Connection, error) {\n\tisWebClient := isWebClientRequest(r)\n\trenderError := func(err error, message string, statusCode int) {\n\t\tif isWebClient {\n\t\t\ts.renderClientMessagePage(w, r, util.I18nShareAccessErrorTitle, statusCode, err, message)\n\t\t} else {\n\t\t\tsendAPIResponse(w, r, err, message, statusCode)\n\t\t}\n\t}\n\n\tshareID := getURLParam(r, \"id\")\n\tshare, err := dataprovider.ShareExists(shareID, \"\")\n\tif err != nil {\n\t\tstatusCode := getRespStatus(err)\n\t\tif statusCode == http.StatusNotFound {\n\t\t\terr = util.NewI18nError(errors.New(\"share does not exist\"), util.I18nError404Message)\n\t\t}\n\t\trenderError(err, \"\", statusCode)\n\t\treturn share, nil, err\n\t}\n\tif !slices.Contains(validScopes, share.Scope) {\n\t\terr := errors.New(\"invalid share scope\")\n\t\trenderError(util.NewI18nError(err, util.I18nErrorShareScope), \"\", http.StatusForbidden)\n\t\treturn share, nil, err\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tok, err := share.IsUsable(ipAddr)\n\tif !ok || err != nil {\n\t\trenderError(err, \"\", getRespStatus(err))\n\t\treturn share, nil, err\n\t}\n\tif share.Password != \"\" {\n\t\tif isWebClient {\n\t\t\tif err := s.checkWebClientShareCredentials(w, r, &share); err != nil {\n\t\t\t\treturn share, nil, dataprovider.ErrInvalidCredentials\n\t\t\t}\n\t\t} else {\n\t\t\t_, password, ok := r.BasicAuth()\n\t\t\tif !ok {\n\t\t\t\tw.Header().Set(common.HTTPAuthenticationHeader, basicRealm)\n\t\t\t\trenderError(dataprovider.ErrInvalidCredentials, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)\n\t\t\t\treturn share, nil, dataprovider.ErrInvalidCredentials\n\t\t\t}\n\t\t\tmatch, err := share.CheckCredentials(password)\n\t\t\tif !match || err != nil {\n\t\t\t\thandleDefenderEventLoginFailed(ipAddr, dataprovider.ErrInvalidCredentials) //nolint:errcheck\n\t\t\t\tw.Header().Set(common.HTTPAuthenticationHeader, basicRealm)\n\t\t\t\trenderError(dataprovider.ErrInvalidCredentials, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)\n\t\t\t\treturn share, nil, dataprovider.ErrInvalidCredentials\n\t\t\t}\n\t\t}\n\t\tcommon.DelayLogin(nil)\n\t}\n\tuser, err := getUserForShare(share)\n\tif err != nil {\n\t\trenderError(err, \"\", getRespStatus(err))\n\t\treturn share, nil, err\n\t}\n\tconnID := xid.New().String()\n\tbaseConn := common.NewBaseConnection(connID, common.ProtocolHTTPShare, util.GetHTTPLocalAddress(r), r.RemoteAddr, user)\n\tconnection := newConnection(baseConn, w, r)\n\n\treturn share, connection, nil\n}\n\nfunc getUserForShare(share dataprovider.Share) (dataprovider.User, error) {\n\tuser, err := dataprovider.GetUserWithGroupSettings(share.Username, \"\")\n\tif err != nil {\n\t\treturn user, err\n\t}\n\tif !user.CanManageShares() {\n\t\treturn user, util.NewI18nError(util.NewRecordNotFoundError(\"this share does not exist\"), util.I18nError404Message)\n\t}\n\tif share.Password == \"\" && slices.Contains(user.Filters.WebClient, sdk.WebClientShareNoPasswordDisabled) {\n\t\treturn user, util.NewI18nError(\n\t\t\tfmt.Errorf(\"sharing without a password was disabled: %w\", os.ErrPermission),\n\t\t\tutil.I18nError403Message,\n\t\t)\n\t}\n\tif user.MustSetSecondFactorForProtocol(common.ProtocolHTTP) {\n\t\treturn user, util.NewI18nError(\n\t\t\tutil.NewMethodDisabledError(\"two-factor authentication requirements not met\"),\n\t\t\tutil.I18nError403Message,\n\t\t)\n\t}\n\treturn user, nil\n}\n\nfunc validateBrowsableShare(share dataprovider.Share, connection *Connection) error {\n\tif len(share.Paths) != 1 {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"a share with multiple paths is not browsable\"),\n\t\t\tutil.I18nErrorShareBrowsePaths,\n\t\t)\n\t}\n\tbasePath := share.Paths[0]\n\tinfo, err := connection.Stat(basePath, 0)\n\tif err != nil {\n\t\tconnection.CloseFS() //nolint:errcheck\n\t\treturn util.NewI18nError(\n\t\t\tfmt.Errorf(\"unable to check the share directory: %w\", err),\n\t\t\tutil.I18nErrorShareInvalidPath,\n\t\t)\n\t}\n\tif !info.IsDir() {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"the shared object is not a directory and so it is not browsable\"),\n\t\t\tutil.I18nErrorShareBrowseNoDir,\n\t\t)\n\t}\n\treturn nil\n}\n\nfunc getBrowsableSharedPath(shareBasePath string, r *http.Request) (string, error) {\n\tname := util.CleanPath(path.Join(shareBasePath, r.URL.Query().Get(\"path\")))\n\tif shareBasePath == \"/\" {\n\t\treturn name, nil\n\t}\n\tif name != shareBasePath && !strings.HasPrefix(name, shareBasePath+\"/\") {\n\t\treturn \"\", util.NewI18nError(\n\t\t\tutil.NewValidationError(fmt.Sprintf(\"Invalid path %q\", r.URL.Query().Get(\"path\"))),\n\t\t\tutil.I18nErrorPathInvalid,\n\t\t)\n\t}\n\treturn name, nil\n}\n" }, { "path": "internal/httpd/api_user.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"strconv\"\n\t\"time\"\n\n\t\"github.com/go-chi/render\"\n\t\"github.com/sftpgo/sdk\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/jwt\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/smtp\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nfunc getUsers(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tlimit, offset, order, err := getSearchFilters(w, r)\n\tif err != nil {\n\t\treturn\n\t}\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\tusers, err := dataprovider.GetUsers(limit, offset, order, claims.Role)\n\tif err == nil {\n\t\trender.JSON(w, r, users)\n\t} else {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusInternalServerError)\n\t}\n}\n\nfunc getUserByUsername(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tusername := getURLParam(r, \"username\")\n\trenderUser(w, r, username, claims, http.StatusOK)\n}\n\nfunc renderUser(w http.ResponseWriter, r *http.Request, username string, claims *jwt.Claims, status int) {\n\tuser, err := dataprovider.UserExists(username, claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tif hideConfidentialData(claims, r) {\n\t\tuser.PrepareForRendering()\n\t}\n\tif status != http.StatusOK {\n\t\tctx := context.WithValue(r.Context(), render.StatusCtxKey, status)\n\t\trender.JSON(w, r.WithContext(ctx), user)\n\t} else {\n\t\trender.JSON(w, r, user)\n\t}\n}\n\nfunc addUser(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tadmin, err := dataprovider.AdminExists(claims.Username)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tvar user dataprovider.User\n\tif admin.Filters.Preferences.DefaultUsersExpiration > 0 {\n\t\tuser.ExpirationDate = util.GetTimeAsMsSinceEpoch(time.Now().Add(24 * time.Hour * time.Duration(admin.Filters.Preferences.DefaultUsersExpiration)))\n\t}\n\terr = render.DecodeJSON(r.Body, &user)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tif claims.Role != \"\" {\n\t\tuser.Role = claims.Role\n\t}\n\tuser.LastPasswordChange = 0\n\tuser.Filters.RecoveryCodes = nil\n\tuser.Filters.TOTPConfig = dataprovider.UserTOTPConfig{\n\t\tEnabled: false,\n\t}\n\terr = dataprovider.AddUser(&user, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tw.Header().Add(\"Location\", fmt.Sprintf(\"%s/%s\", userPath, url.PathEscape(user.Username)))\n\trenderUser(w, r, user.Username, claims, http.StatusCreated)\n}\n\nfunc disableUser2FA(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tusername := getURLParam(r, \"username\")\n\tuser, err := dataprovider.UserExists(username, claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tif !user.Filters.TOTPConfig.Enabled {\n\t\tsendAPIResponse(w, r, nil, \"two-factor authentication is not enabled\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tuser.Filters.RecoveryCodes = nil\n\tuser.Filters.TOTPConfig = dataprovider.UserTOTPConfig{\n\t\tEnabled: false,\n\t}\n\tif err := dataprovider.UpdateUser(&user, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role); err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, nil, \"2FA disabled\", http.StatusOK)\n}\n\nfunc updateUser(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\tusername := getURLParam(r, \"username\")\n\tdisconnect := 0\n\tif _, ok := r.URL.Query()[\"disconnect\"]; ok {\n\t\tdisconnect, err = strconv.Atoi(r.URL.Query().Get(\"disconnect\"))\n\t\tif err != nil {\n\t\t\terr = fmt.Errorf(\"invalid disconnect parameter: %v\", err)\n\t\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\t\treturn\n\t\t}\n\t}\n\tuser, err := dataprovider.UserExists(username, claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\n\tvar updatedUser dataprovider.User\n\tupdatedUser.Password = user.Password\n\terr = render.DecodeJSON(r.Body, &updatedUser)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tupdatedUser.ID = user.ID\n\tupdatedUser.Username = user.Username\n\tupdatedUser.Filters.RecoveryCodes = user.Filters.RecoveryCodes\n\tupdatedUser.Filters.TOTPConfig = user.Filters.TOTPConfig\n\tupdatedUser.LastPasswordChange = user.LastPasswordChange\n\tupdatedUser.SetEmptySecretsIfNil()\n\tupdateEncryptedSecrets(&updatedUser.FsConfig, &user.FsConfig)\n\tif claims.Role != \"\" {\n\t\tupdatedUser.Role = claims.Role\n\t}\n\terr = dataprovider.UpdateUser(&updatedUser, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, err, \"User updated\", http.StatusOK)\n\tif disconnect == 1 {\n\t\tdisconnectUser(user.Username, claims.Username, claims.Role)\n\t}\n}\n\nfunc deleteUser(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tusername := getURLParam(r, \"username\")\n\terr = dataprovider.DeleteUser(username, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, err, \"User deleted\", http.StatusOK)\n\tdisconnectUser(dataprovider.ConvertName(username), claims.Username, claims.Role)\n}\n\nfunc forgotUserPassword(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tif !smtp.IsEnabled() {\n\t\tsendAPIResponse(w, r, nil, \"No SMTP configuration\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\terr := handleForgotPassword(r, getURLParam(r, \"username\"), false)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\n\tsendAPIResponse(w, r, err, \"Check your email for the confirmation code\", http.StatusOK)\n}\n\nfunc resetUserPassword(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tvar req pwdReset\n\terr := render.DecodeJSON(r.Body, &req)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\t_, _, err = handleResetPassword(r, req.Code, req.Password, req.Password, false)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, err, \"Password reset successful\", http.StatusOK)\n}\n\nfunc disconnectUser(username, admin, role string) {\n\tfor _, stat := range common.Connections.GetStats(\"\") {\n\t\tif stat.Username == username {\n\t\t\tcommon.Connections.Close(stat.ConnectionID, \"\")\n\t\t}\n\t}\n\tfor _, stat := range getNodesConnections(admin, role) {\n\t\tif stat.Username == username {\n\t\t\tn, err := dataprovider.GetNodeByName(stat.Node)\n\t\t\tif err != nil {\n\t\t\t\tlogger.Warn(logSender, \"\", \"unable to disconnect user %q, error getting node %q: %v\", username, stat.Node, err)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tperms := []string{dataprovider.PermAdminCloseConnections}\n\t\t\turi := fmt.Sprintf(\"%s/%s\", activeConnectionsPath, stat.ConnectionID)\n\t\t\tif err := n.SendDeleteRequest(admin, role, uri, perms); err != nil {\n\t\t\t\tlogger.Warn(logSender, \"\", \"unable to disconnect user %q from node %q, error: %v\", username, n.Name, err)\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc updateEncryptedSecrets(fsConfig *vfs.Filesystem, currentFsConfig *vfs.Filesystem) {\n\t// we use the new access secret if plain or empty, otherwise the old value\n\tswitch fsConfig.Provider {\n\tcase sdk.S3FilesystemProvider:\n\t\tif fsConfig.S3Config.AccessSecret.IsNotPlainAndNotEmpty() {\n\t\t\tfsConfig.S3Config.AccessSecret = currentFsConfig.S3Config.AccessSecret\n\t\t}\n\t\tif fsConfig.S3Config.SSECustomerKey.IsNotPlainAndNotEmpty() {\n\t\t\tfsConfig.S3Config.SSECustomerKey = currentFsConfig.S3Config.SSECustomerKey\n\t\t}\n\tcase sdk.AzureBlobFilesystemProvider:\n\t\tif fsConfig.AzBlobConfig.AccountKey.IsNotPlainAndNotEmpty() {\n\t\t\tfsConfig.AzBlobConfig.AccountKey = currentFsConfig.AzBlobConfig.AccountKey\n\t\t}\n\t\tif fsConfig.AzBlobConfig.SASURL.IsNotPlainAndNotEmpty() {\n\t\t\tfsConfig.AzBlobConfig.SASURL = currentFsConfig.AzBlobConfig.SASURL\n\t\t}\n\tcase sdk.GCSFilesystemProvider:\n\t\t// for GCS credentials will be cleared if we enable automatic credentials\n\t\t// so keep the old credentials here if no new credentials are provided\n\t\tif !fsConfig.GCSConfig.Credentials.IsPlain() {\n\t\t\tfsConfig.GCSConfig.Credentials = currentFsConfig.GCSConfig.Credentials\n\t\t}\n\tcase sdk.CryptedFilesystemProvider:\n\t\tif fsConfig.CryptConfig.Passphrase.IsNotPlainAndNotEmpty() {\n\t\t\tfsConfig.CryptConfig.Passphrase = currentFsConfig.CryptConfig.Passphrase\n\t\t}\n\tcase sdk.SFTPFilesystemProvider:\n\t\tupdateSFTPFsEncryptedSecrets(fsConfig, currentFsConfig)\n\tcase sdk.HTTPFilesystemProvider:\n\t\tupdateHTTPFsEncryptedSecrets(fsConfig, currentFsConfig)\n\t}\n}\n\nfunc updateSFTPFsEncryptedSecrets(fsConfig *vfs.Filesystem, currentFsConfig *vfs.Filesystem) {\n\tif fsConfig.SFTPConfig.Password.IsNotPlainAndNotEmpty() {\n\t\tfsConfig.SFTPConfig.Password = currentFsConfig.SFTPConfig.Password\n\t}\n\tif fsConfig.SFTPConfig.PrivateKey.IsNotPlainAndNotEmpty() {\n\t\tfsConfig.SFTPConfig.PrivateKey = currentFsConfig.SFTPConfig.PrivateKey\n\t}\n\tif fsConfig.SFTPConfig.KeyPassphrase.IsNotPlainAndNotEmpty() {\n\t\tfsConfig.SFTPConfig.KeyPassphrase = currentFsConfig.SFTPConfig.KeyPassphrase\n\t}\n}\n\nfunc updateHTTPFsEncryptedSecrets(fsConfig *vfs.Filesystem, currentFsConfig *vfs.Filesystem) {\n\tif fsConfig.HTTPConfig.Password.IsNotPlainAndNotEmpty() {\n\t\tfsConfig.HTTPConfig.Password = currentFsConfig.HTTPConfig.Password\n\t}\n\tif fsConfig.HTTPConfig.APIKey.IsNotPlainAndNotEmpty() {\n\t\tfsConfig.HTTPConfig.APIKey = currentFsConfig.HTTPConfig.APIKey\n\t}\n}\n" }, { "path": "internal/httpd/api_utils.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"io/fs\"\n\t\"mime\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"path\"\n\t\"slices\"\n\t\"strconv\"\n\t\"strings\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/go-chi/chi/v5\"\n\t\"github.com/go-chi/chi/v5/middleware\"\n\t\"github.com/go-chi/render\"\n\t\"github.com/klauspost/compress/zip\"\n\t\"github.com/rs/xid\"\n\t\"github.com/sftpgo/sdk/plugin/notifier\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/jwt\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/metric\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n\t\"github.com/drakkan/sftpgo/v2/internal/smtp\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\ntype pwdChange struct {\n\tCurrentPassword string `json:\"current_password\"`\n\tNewPassword string `json:\"new_password\"`\n}\n\ntype pwdReset struct {\n\tCode string `json:\"code\"`\n\tPassword string `json:\"password\"`\n}\n\ntype baseProfile struct {\n\tEmail string `json:\"email,omitempty\"`\n\tDescription string `json:\"description,omitempty\"`\n\tAllowAPIKeyAuth bool `json:\"allow_api_key_auth\"`\n}\n\ntype adminProfile struct {\n\tbaseProfile\n}\n\ntype userProfile struct {\n\tbaseProfile\n\tAdditionalEmails []string `json:\"additional_emails,omitempty\"`\n\tPublicKeys []string `json:\"public_keys,omitempty\"`\n\tTLSCerts []string `json:\"tls_certs,omitempty\"`\n}\n\nfunc sendAPIResponse(w http.ResponseWriter, r *http.Request, err error, message string, code int) {\n\tvar errorString string\n\tif errors.Is(err, util.ErrNotFound) {\n\t\terrorString = http.StatusText(http.StatusNotFound)\n\t} else if err != nil {\n\t\terrorString = err.Error()\n\t}\n\tresp := apiResponse{\n\t\tError: errorString,\n\t\tMessage: message,\n\t}\n\tctx := context.WithValue(r.Context(), render.StatusCtxKey, code)\n\trender.JSON(w, r.WithContext(ctx), resp)\n}\n\nfunc getRespStatus(err error) int {\n\tif errors.Is(err, util.ErrValidation) {\n\t\treturn http.StatusBadRequest\n\t}\n\tif errors.Is(err, util.ErrMethodDisabled) {\n\t\treturn http.StatusForbidden\n\t}\n\tif errors.Is(err, util.ErrNotFound) {\n\t\treturn http.StatusNotFound\n\t}\n\tif errors.Is(err, fs.ErrNotExist) {\n\t\treturn http.StatusBadRequest\n\t}\n\tif errors.Is(err, fs.ErrPermission) || errors.Is(err, dataprovider.ErrLoginNotAllowedFromIP) {\n\t\treturn http.StatusForbidden\n\t}\n\tif errors.Is(err, plugin.ErrNoSearcher) || errors.Is(err, dataprovider.ErrNotImplemented) {\n\t\treturn http.StatusNotImplemented\n\t}\n\tif errors.Is(err, dataprovider.ErrDuplicatedKey) || errors.Is(err, dataprovider.ErrForeignKeyViolated) {\n\t\treturn http.StatusConflict\n\t}\n\treturn http.StatusInternalServerError\n}\n\n// mappig between fs errors for HTTP protocol and HTTP response status codes\nfunc getMappedStatusCode(err error) int {\n\tvar statusCode int\n\tswitch {\n\tcase errors.Is(err, fs.ErrPermission):\n\t\tstatusCode = http.StatusForbidden\n\tcase errors.Is(err, common.ErrReadQuotaExceeded):\n\t\tstatusCode = http.StatusForbidden\n\tcase errors.Is(err, fs.ErrNotExist):\n\t\tstatusCode = http.StatusNotFound\n\tcase errors.Is(err, common.ErrQuotaExceeded):\n\t\tstatusCode = http.StatusRequestEntityTooLarge\n\tcase errors.Is(err, common.ErrOpUnsupported):\n\t\tstatusCode = http.StatusBadRequest\n\tdefault:\n\t\tif _, ok := err.(*http.MaxBytesError); ok {\n\t\t\tstatusCode = http.StatusRequestEntityTooLarge\n\t\t} else {\n\t\t\tstatusCode = http.StatusInternalServerError\n\t\t}\n\t}\n\treturn statusCode\n}\n\nfunc getURLParam(r *http.Request, key string) string {\n\tv := chi.URLParam(r, key)\n\tunescaped, err := url.PathUnescape(v)\n\tif err != nil {\n\t\treturn v\n\t}\n\treturn unescaped\n}\n\nfunc getURLPath(r *http.Request) string {\n\trctx := chi.RouteContext(r.Context())\n\tif rctx != nil && rctx.RoutePath != \"\" {\n\t\treturn rctx.RoutePath\n\t}\n\treturn r.URL.Path\n}\n\nfunc getCommaSeparatedQueryParam(r *http.Request, key string) []string {\n\tvar result []string\n\n\tfor val := range strings.SplitSeq(r.URL.Query().Get(key), \",\") {\n\t\tval = strings.TrimSpace(val)\n\t\tif val != \"\" {\n\t\t\tresult = append(result, val)\n\t\t}\n\t}\n\n\treturn util.RemoveDuplicates(result, false)\n}\n\nfunc getBoolQueryParam(r *http.Request, param string) bool {\n\treturn r.URL.Query().Get(param) == \"true\"\n}\n\nfunc getActiveConnections(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tstats := common.Connections.GetStats(claims.Role)\n\tif claims.NodeID == \"\" {\n\t\tstats = append(stats, getNodesConnections(claims.Username, claims.Role)...)\n\t}\n\trender.JSON(w, r, stats)\n}\n\nfunc handleCloseConnection(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tconnectionID := getURLParam(r, \"connectionID\")\n\tif connectionID == \"\" {\n\t\tsendAPIResponse(w, r, nil, \"connectionID is mandatory\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tnode := r.URL.Query().Get(\"node\")\n\tif node == \"\" || node == dataprovider.GetNodeName() {\n\t\tif common.Connections.Close(connectionID, claims.Role) {\n\t\t\tsendAPIResponse(w, r, nil, \"Connection closed\", http.StatusOK)\n\t\t} else {\n\t\t\tsendAPIResponse(w, r, nil, \"Not Found\", http.StatusNotFound)\n\t\t}\n\t\treturn\n\t}\n\tn, err := dataprovider.GetNodeByName(node)\n\tif err != nil {\n\t\tlogger.Warn(logSender, \"\", \"unable to get node with name %q: %v\", node, err)\n\t\tstatus := getRespStatus(err)\n\t\tsendAPIResponse(w, r, nil, http.StatusText(status), status)\n\t\treturn\n\t}\n\tperms := []string{dataprovider.PermAdminCloseConnections}\n\turi := fmt.Sprintf(\"%s/%s\", activeConnectionsPath, connectionID)\n\tif err := n.SendDeleteRequest(claims.Username, claims.Role, uri, perms); err != nil {\n\t\tlogger.Warn(logSender, \"\", \"unable to delete connection id %q from node %q: %v\", connectionID, n.Name, err)\n\t\tsendAPIResponse(w, r, nil, \"Not Found\", http.StatusNotFound)\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, nil, \"Connection closed\", http.StatusOK)\n}\n\n// getNodesConnections returns the active connections from other nodes.\n// Errors are silently ignored\nfunc getNodesConnections(admin, role string) []common.ConnectionStatus {\n\tnodes, err := dataprovider.GetNodes()\n\tif err != nil || len(nodes) == 0 {\n\t\treturn nil\n\t}\n\tvar results []common.ConnectionStatus\n\tvar mu sync.Mutex\n\tvar wg sync.WaitGroup\n\n\tfor _, n := range nodes {\n\t\twg.Add(1)\n\n\t\tgo func(node dataprovider.Node) {\n\t\t\tdefer wg.Done()\n\n\t\t\tvar stats []common.ConnectionStatus\n\t\t\tperms := []string{dataprovider.PermAdminViewConnections}\n\t\t\tif err := node.SendGetRequest(admin, role, activeConnectionsPath, perms, &stats); err != nil {\n\t\t\t\tlogger.Warn(logSender, \"\", \"unable to get connections from node %s: %v\", node.Name, err)\n\t\t\t\treturn\n\t\t\t}\n\n\t\t\tmu.Lock()\n\t\t\tresults = append(results, stats...)\n\t\t\tmu.Unlock()\n\t\t}(n)\n\t}\n\twg.Wait()\n\n\treturn results\n}\n\nfunc getSearchFilters(w http.ResponseWriter, r *http.Request) (int, int, string, error) {\n\tvar err error\n\tlimit := 100\n\toffset := 0\n\torder := dataprovider.OrderASC\n\tif _, ok := r.URL.Query()[\"limit\"]; ok {\n\t\tlimit, err = strconv.Atoi(r.URL.Query().Get(\"limit\"))\n\t\tif err != nil {\n\t\t\terr = errors.New(\"invalid limit\")\n\t\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\t\treturn limit, offset, order, err\n\t\t}\n\t\tif limit > 500 {\n\t\t\tlimit = 500\n\t\t}\n\t}\n\tif _, ok := r.URL.Query()[\"offset\"]; ok {\n\t\toffset, err = strconv.Atoi(r.URL.Query().Get(\"offset\"))\n\t\tif err != nil {\n\t\t\terr = errors.New(\"invalid offset\")\n\t\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\t\treturn limit, offset, order, err\n\t\t}\n\t}\n\tif _, ok := r.URL.Query()[\"order\"]; ok {\n\t\torder = r.URL.Query().Get(\"order\")\n\t\tif order != dataprovider.OrderASC && order != dataprovider.OrderDESC {\n\t\t\terr = errors.New(\"invalid order\")\n\t\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\t\treturn limit, offset, order, err\n\t\t}\n\t}\n\n\treturn limit, offset, order, err\n}\n\nfunc renderAPIDirContents(w http.ResponseWriter, lister vfs.DirLister, omitNonRegularFiles bool) {\n\tdefer lister.Close()\n\n\tdataGetter := func(limit, _ int) ([]byte, int, error) {\n\t\tcontents, err := lister.Next(limit)\n\t\tif errors.Is(err, io.EOF) {\n\t\t\terr = nil\n\t\t}\n\t\tif err != nil {\n\t\t\treturn nil, 0, err\n\t\t}\n\t\tresults := make([]map[string]any, 0, len(contents))\n\t\tfor _, info := range contents {\n\t\t\tif omitNonRegularFiles && !info.Mode().IsDir() && !info.Mode().IsRegular() {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tres := make(map[string]any)\n\t\t\tres[\"name\"] = info.Name()\n\t\t\tif info.Mode().IsRegular() {\n\t\t\t\tres[\"size\"] = info.Size()\n\t\t\t}\n\t\t\tres[\"mode\"] = info.Mode()\n\t\t\tres[\"last_modified\"] = info.ModTime().UTC().Format(time.RFC3339)\n\t\t\tresults = append(results, res)\n\t\t}\n\t\tdata, err := json.Marshal(results)\n\t\tcount := limit\n\t\tif len(results) == 0 {\n\t\t\tcount = 0\n\t\t}\n\t\treturn data, count, err\n\t}\n\n\tstreamJSONArray(w, defaultQueryLimit, dataGetter)\n}\n\nfunc streamData(w io.Writer, data []byte) {\n\tb := bytes.NewBuffer(data)\n\t_, err := io.CopyN(w, b, int64(len(data)))\n\tif err != nil {\n\t\tpanic(http.ErrAbortHandler)\n\t}\n}\n\nfunc streamJSONArray(w http.ResponseWriter, chunkSize int, dataGetter func(limit, offset int) ([]byte, int, error)) {\n\tw.Header().Set(\"Content-Type\", \"application/json\")\n\tw.Header().Set(\"Accept-Ranges\", \"none\")\n\tw.WriteHeader(http.StatusOK)\n\n\tstreamData(w, []byte(\"[\"))\n\toffset := 0\n\tfor {\n\t\tdata, count, err := dataGetter(chunkSize, offset)\n\t\tif err != nil {\n\t\t\tpanic(http.ErrAbortHandler)\n\t\t}\n\t\tif count == 0 {\n\t\t\tbreak\n\t\t}\n\t\tif offset > 0 {\n\t\t\tstreamData(w, []byte(\",\"))\n\t\t}\n\t\tstreamData(w, data[1:len(data)-1])\n\t\tif count < chunkSize {\n\t\t\tbreak\n\t\t}\n\t\toffset += count\n\t}\n\tstreamData(w, []byte(\"]\"))\n}\n\nfunc renderPNGImage(w http.ResponseWriter, r *http.Request, b []byte) {\n\tif len(b) == 0 {\n\t\tctx := context.WithValue(r.Context(), render.StatusCtxKey, http.StatusNotFound)\n\t\trender.PlainText(w, r.WithContext(ctx), http.StatusText(http.StatusNotFound))\n\t\treturn\n\t}\n\tw.Header().Set(\"Content-Type\", \"image/png\")\n\tstreamData(w, b)\n}\n\nfunc getCompressedFileName(username string, files []string) string {\n\tif len(files) == 1 {\n\t\tname := path.Base(files[0])\n\t\treturn fmt.Sprintf(\"%s-%s.zip\", username, strings.TrimSuffix(name, path.Ext(name)))\n\t}\n\treturn fmt.Sprintf(\"%s-download.zip\", username)\n}\n\nfunc renderCompressedFiles(w http.ResponseWriter, conn *Connection, baseDir string, files []string,\n\tshare *dataprovider.Share,\n) {\n\tconn.User.CheckFsRoot(conn.ID) //nolint:errcheck\n\tw.Header().Set(\"Content-Type\", \"application/zip\")\n\tw.Header().Set(\"Accept-Ranges\", \"none\")\n\tw.Header().Set(\"Content-Transfer-Encoding\", \"binary\")\n\tw.WriteHeader(http.StatusOK)\n\n\twr := zip.NewWriter(w)\n\n\tfor _, file := range files {\n\t\tfullPath := util.CleanPath(path.Join(baseDir, file))\n\t\tif err := addZipEntry(wr, conn, fullPath, baseDir, nil, 0); err != nil {\n\t\t\tif share != nil {\n\t\t\t\tdataprovider.UpdateShareLastUse(share, -1) //nolint:errcheck\n\t\t\t}\n\t\t\tpanic(http.ErrAbortHandler)\n\t\t}\n\t}\n\tif err := wr.Close(); err != nil {\n\t\tconn.Log(logger.LevelError, \"unable to close zip file: %v\", err)\n\t\tif share != nil {\n\t\t\tdataprovider.UpdateShareLastUse(share, -1) //nolint:errcheck\n\t\t}\n\t\tpanic(http.ErrAbortHandler)\n\t}\n}\n\nfunc addZipEntry(wr *zip.Writer, conn *Connection, entryPath, baseDir string, info os.FileInfo, recursion int) error {\n\tif recursion >= util.MaxRecursion {\n\t\tconn.Log(logger.LevelDebug, \"unable to add zip entry %q, recursion too depth: %d\", entryPath, recursion)\n\t\treturn util.ErrRecursionTooDeep\n\t}\n\trecursion++\n\tvar err error\n\tif info == nil {\n\t\tinfo, err = conn.Stat(entryPath, 1)\n\t\tif err != nil {\n\t\t\tconn.Log(logger.LevelDebug, \"unable to add zip entry %q, stat error: %v\", entryPath, err)\n\t\t\treturn err\n\t\t}\n\t}\n\tentryName, err := getZipEntryName(entryPath, baseDir)\n\tif err != nil {\n\t\tconn.Log(logger.LevelError, \"unable to get zip entry name: %v\", err)\n\t\treturn err\n\t}\n\tif info.IsDir() {\n\t\t_, err = wr.CreateHeader(&zip.FileHeader{\n\t\t\tName: entryName + \"/\",\n\t\t\tMethod: zip.Deflate,\n\t\t\tModified: info.ModTime(),\n\t\t})\n\t\tif err != nil {\n\t\t\tconn.Log(logger.LevelError, \"unable to create zip entry %q: %v\", entryPath, err)\n\t\t\treturn err\n\t\t}\n\t\tlister, err := conn.ReadDir(entryPath)\n\t\tif err != nil {\n\t\t\tconn.Log(logger.LevelDebug, \"unable to add zip entry %q, get list dir error: %v\", entryPath, err)\n\t\t\treturn err\n\t\t}\n\t\tdefer lister.Close()\n\n\t\tfor {\n\t\t\tcontents, err := lister.Next(vfs.ListerBatchSize)\n\t\t\tfinished := errors.Is(err, io.EOF)\n\t\t\tif err != nil && !finished {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tfor _, info := range contents {\n\t\t\t\tfullPath := util.CleanPath(path.Join(entryPath, info.Name()))\n\t\t\t\tif err := addZipEntry(wr, conn, fullPath, baseDir, info, recursion); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t}\n\t\t\tif finished {\n\t\t\t\treturn nil\n\t\t\t}\n\t\t}\n\t}\n\tif !info.Mode().IsRegular() {\n\t\t// we only allow regular files\n\t\tconn.Log(logger.LevelInfo, \"skipping zip entry for non regular file %q\", entryPath)\n\t\treturn nil\n\t}\n\treturn addFileToZipEntry(wr, conn, entryPath, entryName, info)\n}\n\nfunc addFileToZipEntry(wr *zip.Writer, conn *Connection, entryPath, entryName string, info os.FileInfo) error {\n\treader, err := conn.getFileReader(entryPath, 0, http.MethodGet)\n\tif err != nil {\n\t\tconn.Log(logger.LevelDebug, \"unable to add zip entry %q, cannot open file: %v\", entryPath, err)\n\t\treturn err\n\t}\n\tdefer reader.Close()\n\n\tf, err := wr.CreateHeader(&zip.FileHeader{\n\t\tName: entryName,\n\t\tMethod: zip.Deflate,\n\t\tModified: info.ModTime(),\n\t})\n\tif err != nil {\n\t\tconn.Log(logger.LevelError, \"unable to create zip entry %q: %v\", entryPath, err)\n\t\treturn err\n\t}\n\t_, err = io.Copy(f, reader)\n\treturn err\n}\n\nfunc getZipEntryName(entryPath, baseDir string) (string, error) {\n\tif !strings.HasPrefix(entryPath, baseDir) {\n\t\treturn \"\", fmt.Errorf(\"entry path %q is outside base dir %q\", entryPath, baseDir)\n\t}\n\tentryPath = strings.TrimPrefix(entryPath, baseDir)\n\treturn strings.TrimPrefix(entryPath, \"/\"), nil\n}\n\nfunc checkDownloadFileFromShare(share *dataprovider.Share, info os.FileInfo) error {\n\tif share != nil && !info.Mode().IsRegular() {\n\t\treturn util.NewValidationError(\"non regular files are not supported for shares\")\n\t}\n\treturn nil\n}\n\nfunc downloadFile(w http.ResponseWriter, r *http.Request, connection *Connection, name string,\n\tinfo os.FileInfo, inline bool, share *dataprovider.Share,\n) (int, error) {\n\tconnection.User.CheckFsRoot(connection.ID) //nolint:errcheck\n\terr := checkDownloadFileFromShare(share, info)\n\tif err != nil {\n\t\treturn http.StatusBadRequest, err\n\t}\n\trangeHeader := r.Header.Get(\"Range\")\n\tif rangeHeader != \"\" && checkIfRange(r, info.ModTime()) == condFalse {\n\t\trangeHeader = \"\"\n\t}\n\toffset := int64(0)\n\tsize := info.Size()\n\tresponseStatus := http.StatusOK\n\tif strings.HasPrefix(rangeHeader, \"bytes=\") {\n\t\tif strings.Contains(rangeHeader, \",\") {\n\t\t\treturn http.StatusRequestedRangeNotSatisfiable, fmt.Errorf(\"unsupported range %q\", rangeHeader)\n\t\t}\n\t\toffset, size, err = parseRangeRequest(rangeHeader[6:], size)\n\t\tif err != nil {\n\t\t\treturn http.StatusRequestedRangeNotSatisfiable, err\n\t\t}\n\t\tresponseStatus = http.StatusPartialContent\n\t}\n\treader, err := connection.getFileReader(name, offset, r.Method)\n\tif err != nil {\n\t\treturn getMappedStatusCode(err), fmt.Errorf(\"unable to read file %q: %v\", name, err)\n\t}\n\tdefer reader.Close()\n\n\tw.Header().Set(\"Last-Modified\", info.ModTime().UTC().Format(http.TimeFormat))\n\tif checkPreconditions(w, r, info.ModTime()) {\n\t\treturn 0, fmt.Errorf(\"%v\", http.StatusText(http.StatusPreconditionFailed))\n\t}\n\tctype := mime.TypeByExtension(path.Ext(name))\n\tif ctype == \"\" {\n\t\tctype = \"application/octet-stream\"\n\t}\n\tif responseStatus == http.StatusPartialContent {\n\t\tw.Header().Set(\"Content-Range\", fmt.Sprintf(\"bytes %d-%d/%d\", offset, offset+size-1, info.Size()))\n\t}\n\tw.Header().Set(\"Content-Length\", strconv.FormatInt(size, 10))\n\tw.Header().Set(\"Content-Type\", ctype)\n\tif !inline {\n\t\tw.Header().Set(\"Content-Disposition\", fmt.Sprintf(\"attachment; filename=%q\", path.Base(name)))\n\t}\n\tw.Header().Set(\"Accept-Ranges\", \"bytes\")\n\tw.WriteHeader(responseStatus)\n\tif r.Method != http.MethodHead {\n\t\t_, err = io.CopyN(w, reader, size)\n\t\tif err != nil {\n\t\t\tif share != nil {\n\t\t\t\tdataprovider.UpdateShareLastUse(share, -1) //nolint:errcheck\n\t\t\t}\n\t\t\tconnection.Log(logger.LevelDebug, \"error reading file to download: %v\", err)\n\t\t\tpanic(http.ErrAbortHandler)\n\t\t}\n\t}\n\treturn http.StatusOK, nil\n}\n\nfunc checkPreconditions(w http.ResponseWriter, r *http.Request, modtime time.Time) bool {\n\tif checkIfUnmodifiedSince(r, modtime) == condFalse {\n\t\tw.WriteHeader(http.StatusPreconditionFailed)\n\t\treturn true\n\t}\n\tif checkIfModifiedSince(r, modtime) == condFalse {\n\t\tw.WriteHeader(http.StatusNotModified)\n\t\treturn true\n\t}\n\treturn false\n}\n\nfunc checkIfUnmodifiedSince(r *http.Request, modtime time.Time) condResult {\n\tius := r.Header.Get(\"If-Unmodified-Since\")\n\tif ius == \"\" || isZeroTime(modtime) {\n\t\treturn condNone\n\t}\n\tt, err := http.ParseTime(ius)\n\tif err != nil {\n\t\treturn condNone\n\t}\n\n\t// The Last-Modified header truncates sub-second precision so\n\t// the modtime needs to be truncated too.\n\tmodtime = modtime.Truncate(time.Second)\n\tif modtime.Before(t) || modtime.Equal(t) {\n\t\treturn condTrue\n\t}\n\treturn condFalse\n}\n\nfunc checkIfModifiedSince(r *http.Request, modtime time.Time) condResult {\n\tif r.Method != http.MethodGet && r.Method != http.MethodHead {\n\t\treturn condNone\n\t}\n\tims := r.Header.Get(\"If-Modified-Since\")\n\tif ims == \"\" || isZeroTime(modtime) {\n\t\treturn condNone\n\t}\n\tt, err := http.ParseTime(ims)\n\tif err != nil {\n\t\treturn condNone\n\t}\n\t// The Last-Modified header truncates sub-second precision so\n\t// the modtime needs to be truncated too.\n\tmodtime = modtime.Truncate(time.Second)\n\tif modtime.Before(t) || modtime.Equal(t) {\n\t\treturn condFalse\n\t}\n\treturn condTrue\n}\n\nfunc checkIfRange(r *http.Request, modtime time.Time) condResult {\n\tif r.Method != http.MethodGet && r.Method != http.MethodHead {\n\t\treturn condNone\n\t}\n\tir := r.Header.Get(\"If-Range\")\n\tif ir == \"\" {\n\t\treturn condNone\n\t}\n\tif modtime.IsZero() {\n\t\treturn condFalse\n\t}\n\tt, err := http.ParseTime(ir)\n\tif err != nil {\n\t\treturn condFalse\n\t}\n\tif modtime.Unix() == t.Unix() {\n\t\treturn condTrue\n\t}\n\treturn condFalse\n}\n\nfunc parseRangeRequest(bytesRange string, size int64) (int64, int64, error) {\n\tvar start, end int64\n\tvar err error\n\n\tvalues := strings.Split(bytesRange, \"-\")\n\tif values[0] == \"\" {\n\t\tstart = -1\n\t} else {\n\t\tstart, err = strconv.ParseInt(values[0], 10, 64)\n\t\tif err != nil {\n\t\t\treturn start, size, err\n\t\t}\n\t}\n\tif len(values) >= 2 {\n\t\tif values[1] != \"\" {\n\t\t\tend, err = strconv.ParseInt(values[1], 10, 64)\n\t\t\tif err != nil {\n\t\t\t\treturn start, size, err\n\t\t\t}\n\t\t\tif end >= size {\n\t\t\t\tend = size - 1\n\t\t\t}\n\t\t}\n\t}\n\tif start == -1 && end == 0 {\n\t\treturn 0, 0, fmt.Errorf(\"unsupported range %q\", bytesRange)\n\t}\n\n\tif end > 0 {\n\t\tif start == -1 {\n\t\t\t// we have something like -500\n\t\t\tstart = size - end\n\t\t\tsize = end\n\t\t\t// start cannot be < 0 here, we did end = size -1 above\n\t\t} else {\n\t\t\t// we have something like 500-600\n\t\t\tsize = end - start + 1\n\t\t\tif size < 0 {\n\t\t\t\treturn 0, 0, fmt.Errorf(\"unacceptable range %q\", bytesRange)\n\t\t\t}\n\t\t}\n\t\treturn start, size, nil\n\t}\n\t// we have something like 500-\n\tsize -= start\n\tif size < 0 {\n\t\treturn 0, 0, fmt.Errorf(\"unacceptable range %q\", bytesRange)\n\t}\n\treturn start, size, err\n}\n\nfunc handleDefenderEventLoginFailed(ipAddr string, err error) error {\n\tevent := common.HostEventLoginFailed\n\tif errors.Is(err, util.ErrNotFound) {\n\t\tevent = common.HostEventUserNotFound\n\t\terr = dataprovider.ErrInvalidCredentials\n\t}\n\tcommon.AddDefenderEvent(ipAddr, common.ProtocolHTTP, event)\n\tcommon.DelayLogin(err)\n\treturn err\n}\n\nfunc updateLoginMetrics(user *dataprovider.User, loginMethod, ip string, err error, r *http.Request) {\n\tmetric.AddLoginAttempt(loginMethod)\n\tvar protocol string\n\tswitch loginMethod {\n\tcase dataprovider.LoginMethodIDP:\n\t\tprotocol = common.ProtocolOIDC\n\tdefault:\n\t\tprotocol = common.ProtocolHTTP\n\t}\n\tif err == nil {\n\t\tlogger.LoginLog(user.Username, ip, loginMethod, protocol, \"\", r.UserAgent(), r.TLS != nil, \"\")\n\t\tplugin.Handler.NotifyLogEvent(notifier.LogEventTypeLoginOK, protocol, user.Username, ip, \"\", nil)\n\t\tcommon.DelayLogin(nil)\n\t} else if err != common.ErrInternalFailure && err != common.ErrNoCredentials {\n\t\tlogger.ConnectionFailedLog(user.Username, ip, loginMethod, protocol, err.Error())\n\t\terr = handleDefenderEventLoginFailed(ip, err)\n\t\tlogEv := notifier.LogEventTypeLoginFailed\n\t\tif errors.Is(err, util.ErrNotFound) {\n\t\t\tlogEv = notifier.LogEventTypeLoginNoUser\n\t\t}\n\t\tplugin.Handler.NotifyLogEvent(logEv, protocol, user.Username, ip, \"\", err)\n\t}\n\tmetric.AddLoginResult(loginMethod, err)\n\tdataprovider.ExecutePostLoginHook(user, loginMethod, ip, protocol, err)\n}\n\nfunc checkHTTPClientUser(user *dataprovider.User, r *http.Request, connectionID string, checkSessions, isOIDCLogin bool) error {\n\tif slices.Contains(user.Filters.DeniedProtocols, common.ProtocolHTTP) {\n\t\tlogger.Info(logSender, connectionID, \"cannot login user %q, protocol HTTP is not allowed\", user.Username)\n\t\treturn util.NewI18nError(\n\t\t\tfmt.Errorf(\"protocol HTTP is not allowed for user %q\", user.Username),\n\t\t\tutil.I18nErrorProtocolForbidden,\n\t\t)\n\t}\n\tif !isLoggedInWithOIDC(r) && !isOIDCLogin && !user.IsLoginMethodAllowed(dataprovider.LoginMethodPassword, common.ProtocolHTTP) {\n\t\tlogger.Info(logSender, connectionID, \"cannot login user %q, password login method is not allowed\", user.Username)\n\t\treturn util.NewI18nError(\n\t\t\tfmt.Errorf(\"login method password is not allowed for user %q\", user.Username),\n\t\t\tutil.I18nErrorPwdLoginForbidden,\n\t\t)\n\t}\n\tif checkSessions && user.MaxSessions > 0 {\n\t\tactiveSessions := common.Connections.GetActiveSessions(user.Username)\n\t\tif activeSessions >= user.MaxSessions {\n\t\t\tlogger.Info(logSender, connectionID, \"authentication refused for user: %q, too many open sessions: %v/%v\", user.Username,\n\t\t\t\tactiveSessions, user.MaxSessions)\n\t\t\treturn util.NewI18nError(fmt.Errorf(\"too many open sessions: %v\", activeSessions), util.I18nError429Message)\n\t\t}\n\t}\n\tif !user.IsLoginFromAddrAllowed(r.RemoteAddr) {\n\t\tlogger.Info(logSender, connectionID, \"cannot login user %q, remote address is not allowed: %v\", user.Username, r.RemoteAddr)\n\t\treturn util.NewI18nError(\n\t\t\tfmt.Errorf(\"login for user %q is not allowed from this address: %v\", user.Username, r.RemoteAddr),\n\t\t\tutil.I18nErrorIPForbidden,\n\t\t)\n\t}\n\treturn nil\n}\n\nfunc getActiveAdmin(username, ipAddr string) (dataprovider.Admin, error) {\n\tadmin, err := dataprovider.AdminExists(username)\n\tif err != nil {\n\t\treturn admin, err\n\t}\n\tif err := admin.CanLogin(ipAddr); err != nil {\n\t\treturn admin, util.NewRecordNotFoundError(fmt.Sprintf(\"admin %q cannot login: %v\", username, err))\n\t}\n\treturn admin, nil\n}\n\nfunc getActiveUser(username string, r *http.Request) (dataprovider.User, error) {\n\tuser, err := dataprovider.GetUserWithGroupSettings(username, \"\")\n\tif err != nil {\n\t\treturn user, err\n\t}\n\tif err := user.CheckLoginConditions(); err != nil {\n\t\treturn user, util.NewRecordNotFoundError(fmt.Sprintf(\"user %q cannot login: %v\", username, err))\n\t}\n\tif err := checkHTTPClientUser(&user, r, xid.New().String(), false, false); err != nil {\n\t\treturn user, util.NewRecordNotFoundError(fmt.Sprintf(\"user %q cannot login: %v\", username, err))\n\t}\n\treturn user, nil\n}\n\nfunc handleForgotPassword(r *http.Request, username string, isAdmin bool) error {\n\tvar emails []string\n\tvar subject string\n\tvar err error\n\tvar admin dataprovider.Admin\n\tvar user dataprovider.User\n\n\tif username == \"\" {\n\t\treturn util.NewI18nError(util.NewValidationError(\"username is mandatory\"), util.I18nErrorUsernameRequired)\n\t}\n\tif isAdmin {\n\t\tadmin, err = getActiveAdmin(username, util.GetIPFromRemoteAddress(r.RemoteAddr))\n\t\tif admin.Email != \"\" {\n\t\t\temails = []string{admin.Email}\n\t\t}\n\t\tsubject = fmt.Sprintf(\"Email Verification Code for admin %q\", username)\n\t} else {\n\t\tuser, err = getActiveUser(username, r)\n\t\temails = user.GetEmailAddresses()\n\t\tsubject = fmt.Sprintf(\"Email Verification Code for user %q\", username)\n\t\tif err == nil {\n\t\t\tif !isUserAllowedToResetPassword(r, &user) {\n\t\t\t\treturn util.NewI18nError(\n\t\t\t\t\tutil.NewValidationError(\"you are not allowed to reset your password\"),\n\t\t\t\t\tutil.I18nErrorPwdResetForbidded,\n\t\t\t\t)\n\t\t\t}\n\t\t}\n\t}\n\tif err != nil {\n\t\tif errors.Is(err, util.ErrNotFound) {\n\t\t\thandleDefenderEventLoginFailed(util.GetIPFromRemoteAddress(r.RemoteAddr), err) //nolint:errcheck\n\t\t\tlogger.Debug(logSender, middleware.GetReqID(r.Context()),\n\t\t\t\t\"username %q does not exists or cannot login, reset password request silently ignored, is admin? %t, err: %v\",\n\t\t\t\tusername, isAdmin, err)\n\t\t\treturn nil\n\t\t}\n\t\treturn util.NewI18nError(util.NewGenericError(\"Error retrieving your account, please try again later\"), util.I18nErrorGetUser)\n\t}\n\tif len(emails) == 0 {\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"Your account does not have an email address, it is not possible to reset your password by sending an email verification code\"),\n\t\t\tutil.I18nErrorPwdResetNoEmail,\n\t\t)\n\t}\n\tc := newResetCode(username, isAdmin)\n\tbody := new(bytes.Buffer)\n\tdata := make(map[string]string)\n\tdata[\"Code\"] = c.Code\n\tif err := smtp.RenderPasswordResetTemplate(body, data); err != nil {\n\t\tlogger.Warn(logSender, middleware.GetReqID(r.Context()), \"unable to render password reset template: %v\", err)\n\t\treturn util.NewGenericError(\"Unable to render password reset template\")\n\t}\n\tstartTime := time.Now()\n\tif err := smtp.SendEmail(emails, nil, subject, body.String(), smtp.EmailContentTypeTextHTML); err != nil {\n\t\tlogger.Warn(logSender, middleware.GetReqID(r.Context()), \"unable to send password reset code via email: %v, elapsed: %v\",\n\t\t\terr, time.Since(startTime))\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewGenericError(fmt.Sprintf(\"Error sending confirmation code via email: %v\", err)),\n\t\t\tutil.I18nErrorPwdResetSendEmail,\n\t\t)\n\t}\n\tlogger.Debug(logSender, middleware.GetReqID(r.Context()), \"reset code sent via email to %q, emails: %+v, is admin? %v, elapsed: %v\",\n\t\tusername, emails, isAdmin, time.Since(startTime))\n\treturn resetCodesMgr.Add(c)\n}\n\nfunc handleResetPassword(r *http.Request, code, newPassword, confirmPassword string, isAdmin bool) (\n\t*dataprovider.Admin, *dataprovider.User, error,\n) {\n\tvar admin dataprovider.Admin\n\tvar user dataprovider.User\n\tvar err error\n\n\tif newPassword == \"\" {\n\t\treturn &admin, &user, util.NewValidationError(\"please set a password\")\n\t}\n\tif code == \"\" {\n\t\treturn &admin, &user, util.NewValidationError(\"please set a confirmation code\")\n\t}\n\tif newPassword != confirmPassword {\n\t\treturn &admin, &user, util.NewI18nError(errors.New(\"the two password fields do not match\"), util.I18nErrorChangePwdNoMatch)\n\t}\n\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tresetCode, err := resetCodesMgr.Get(code)\n\tif err != nil {\n\t\thandleDefenderEventLoginFailed(ipAddr, dataprovider.ErrInvalidCredentials) //nolint:errcheck\n\t\treturn &admin, &user, util.NewValidationError(\"confirmation code not found\")\n\t}\n\tif resetCode.IsAdmin != isAdmin {\n\t\treturn &admin, &user, util.NewValidationError(\"invalid confirmation code\")\n\t}\n\tif isAdmin {\n\t\tadmin, err = getActiveAdmin(resetCode.Username, ipAddr)\n\t\tif err != nil {\n\t\t\treturn &admin, &user, util.NewValidationError(\"unable to associate the confirmation code with an existing admin\")\n\t\t}\n\t\tadmin.Password = newPassword\n\t\tadmin.Filters.RequirePasswordChange = false\n\t\terr = dataprovider.UpdateAdmin(&admin, dataprovider.ActionExecutorSelf, ipAddr, admin.Role)\n\t\tif err != nil {\n\t\t\treturn &admin, &user, util.NewGenericError(fmt.Sprintf(\"unable to set the new password: %v\", err))\n\t\t}\n\t\terr = resetCodesMgr.Delete(code)\n\t\treturn &admin, &user, err\n\t}\n\tuser, err = getActiveUser(resetCode.Username, r)\n\tif err != nil {\n\t\treturn &admin, &user, util.NewValidationError(\"Unable to associate the confirmation code with an existing user\")\n\t}\n\tif !isUserAllowedToResetPassword(r, &user) {\n\t\treturn &admin, &user, util.NewI18nError(\n\t\t\tutil.NewValidationError(\"you are not allowed to reset your password\"),\n\t\t\tutil.I18nErrorPwdResetForbidded,\n\t\t)\n\t}\n\terr = dataprovider.UpdateUserPassword(user.Username, newPassword, dataprovider.ActionExecutorSelf,\n\t\tutil.GetIPFromRemoteAddress(r.RemoteAddr), user.Role)\n\tif err == nil {\n\t\terr = resetCodesMgr.Delete(code)\n\t}\n\tuser.LastPasswordChange = util.GetTimeAsMsSinceEpoch(time.Now())\n\tuser.Filters.RequirePasswordChange = false\n\treturn &admin, &user, err\n}\n\nfunc isUserAllowedToResetPassword(r *http.Request, user *dataprovider.User) bool {\n\tif !user.CanResetPassword() {\n\t\treturn false\n\t}\n\tif slices.Contains(user.Filters.DeniedProtocols, common.ProtocolHTTP) {\n\t\treturn false\n\t}\n\tif !user.IsLoginMethodAllowed(dataprovider.LoginMethodPassword, common.ProtocolHTTP) {\n\t\treturn false\n\t}\n\tif !user.IsLoginFromAddrAllowed(r.RemoteAddr) {\n\t\treturn false\n\t}\n\treturn true\n}\n\nfunc getProtocolFromRequest(r *http.Request) string {\n\tif isLoggedInWithOIDC(r) {\n\t\treturn common.ProtocolOIDC\n\t}\n\treturn common.ProtocolHTTP\n}\n\nfunc hideConfidentialData(claims *jwt.Claims, r *http.Request) bool {\n\tif !claims.HasPerm(dataprovider.PermAdminAny) {\n\t\treturn true\n\t}\n\treturn r.URL.Query().Get(\"confidential_data\") != \"1\"\n}\n\nfunc responseControllerDeadlines(rc *http.ResponseController, read, write time.Time) {\n\tif err := rc.SetReadDeadline(read); err != nil {\n\t\tlogger.Error(logSender, \"\", \"unable to set read timeout to %s: %v\", read, err)\n\t}\n\tif err := rc.SetWriteDeadline(write); err != nil {\n\t\tlogger.Error(logSender, \"\", \"unable to set write timeout to %s: %v\", write, err)\n\t}\n}\n" }, { "path": "internal/httpd/auth_utils.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"crypto/rand\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"time\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/jwt\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\ntype tokenAudience = string\n\nconst (\n\ttokenAudienceWebAdmin tokenAudience = \"WebAdmin\"\n\ttokenAudienceWebClient tokenAudience = \"WebClient\"\n\ttokenAudienceWebShare tokenAudience = \"WebShare\"\n\ttokenAudienceWebAdminPartial tokenAudience = \"WebAdminPartial\"\n\ttokenAudienceWebClientPartial tokenAudience = \"WebClientPartial\"\n\ttokenAudienceAPI tokenAudience = \"API\"\n\ttokenAudienceAPIUser tokenAudience = \"APIUser\"\n\ttokenAudienceCSRF tokenAudience = \"CSRF\"\n\ttokenAudienceOAuth2 tokenAudience = \"OAuth2\"\n\ttokenAudienceWebLogin tokenAudience = \"WebLogin\"\n)\n\nconst (\n\ttokenValidationModeDefault = 0\n\ttokenValidationModeNoIPMatch = 1\n\ttokenValidationModeUserSignature = 2\n)\n\nconst (\n\tbasicRealm = \"Basic realm=\\\"SFTPGo\\\"\"\n)\n\nvar (\n\tapiTokenDuration = 20 * time.Minute\n\tcookieTokenDuration = 20 * time.Minute\n\tshareTokenDuration = 2 * time.Hour\n\t// csrf token duration is greater than normal token duration to reduce issues\n\t// with the login form\n\tcsrfTokenDuration = 4 * time.Hour\n\tcookieRefreshThreshold = 10 * time.Minute\n\tmaxTokenDuration = 12 * time.Hour\n\ttokenValidationMode = tokenValidationModeDefault\n)\n\nfunc isTokenDurationValid(minutes int) bool {\n\treturn minutes >= 1 && minutes <= 720\n}\n\nfunc updateTokensDuration(api, cookie, share int) {\n\tif isTokenDurationValid(api) {\n\t\tapiTokenDuration = time.Duration(api) * time.Minute\n\t}\n\tif isTokenDurationValid(cookie) {\n\t\tcookieTokenDuration = time.Duration(cookie) * time.Minute\n\t\tcookieRefreshThreshold = cookieTokenDuration / 2\n\t\tif cookieTokenDuration > csrfTokenDuration {\n\t\t\tcsrfTokenDuration = cookieTokenDuration\n\t\t}\n\t}\n\tif isTokenDurationValid(share) {\n\t\tshareTokenDuration = time.Duration(share) * time.Minute\n\t}\n\tlogger.Debug(logSender, \"\", \"API token duration %s, cookie token duration %s, cookie refresh threshold %s, share token duration %s, csrf token duration %s\",\n\t\tapiTokenDuration, cookieTokenDuration, cookieRefreshThreshold, shareTokenDuration, csrfTokenDuration)\n}\n\nfunc getTokenDuration(audience tokenAudience) time.Duration {\n\tswitch audience {\n\tcase tokenAudienceWebShare:\n\t\treturn shareTokenDuration\n\tcase tokenAudienceWebLogin, tokenAudienceCSRF:\n\t\treturn csrfTokenDuration\n\tcase tokenAudienceAPI, tokenAudienceAPIUser:\n\t\treturn apiTokenDuration\n\tcase tokenAudienceWebAdmin, tokenAudienceWebClient:\n\t\treturn cookieTokenDuration\n\tcase tokenAudienceWebAdminPartial, tokenAudienceWebClientPartial, tokenAudienceOAuth2:\n\t\treturn 5 * time.Minute\n\tdefault:\n\t\tlogger.Error(logSender, \"\", \"token duration not handled for audience: %q\", audience)\n\t\treturn 20 * time.Minute\n\t}\n}\n\nfunc getMaxCookieDuration() time.Duration {\n\tresult := csrfTokenDuration\n\tif shareTokenDuration > result {\n\t\tresult = shareTokenDuration\n\t}\n\tif cookieTokenDuration > result {\n\t\tresult = cookieTokenDuration\n\t}\n\treturn result\n}\n\nfunc hasUserAudience(claims *jwt.Claims) bool {\n\treturn claims.HasAnyAudience([]string{tokenAudienceWebClient, tokenAudienceAPIUser})\n}\n\nfunc createAndSetCookie(w http.ResponseWriter, r *http.Request, claims *jwt.Claims, tokenAuth *jwt.Signer,\n\taudience tokenAudience, ip string,\n) error {\n\tduration := getTokenDuration(audience)\n\ttoken, err := tokenAuth.SignWithParams(claims, audience, ip, duration)\n\tif err != nil {\n\t\treturn err\n\t}\n\tresp := claims.BuildTokenResponse(token)\n\tvar basePath string\n\tif audience == tokenAudienceWebAdmin || audience == tokenAudienceWebAdminPartial {\n\t\tbasePath = webBaseAdminPath\n\t} else {\n\t\tbasePath = webBaseClientPath\n\t}\n\tsetCookie(w, r, basePath, resp.Token, duration)\n\n\treturn nil\n}\n\nfunc setCookie(w http.ResponseWriter, r *http.Request, cookiePath, cookieValue string, duration time.Duration) {\n\thttp.SetCookie(w, &http.Cookie{\n\t\tName: jwt.CookieKey,\n\t\tValue: cookieValue,\n\t\tPath: cookiePath,\n\t\tExpires: time.Now().Add(duration),\n\t\tMaxAge: int(duration / time.Second),\n\t\tHttpOnly: true,\n\t\tSecure: isTLS(r),\n\t\tSameSite: http.SameSiteStrictMode,\n\t})\n}\n\nfunc removeCookie(w http.ResponseWriter, r *http.Request, cookiePath string) {\n\tinvalidateToken(r)\n\thttp.SetCookie(w, &http.Cookie{\n\t\tName: jwt.CookieKey,\n\t\tValue: \"\",\n\t\tPath: cookiePath,\n\t\tExpires: time.Unix(0, 0),\n\t\tMaxAge: -1,\n\t\tHttpOnly: true,\n\t\tSecure: isTLS(r),\n\t\tSameSite: http.SameSiteStrictMode,\n\t})\n\tw.Header().Add(\"Cache-Control\", `no-cache=\"Set-Cookie\"`)\n}\n\nfunc oidcTokenFromContext(r *http.Request) string {\n\tif token, ok := r.Context().Value(oidcGeneratedToken).(string); ok {\n\t\treturn token\n\t}\n\treturn \"\"\n}\n\nfunc isTLS(r *http.Request) bool {\n\tif r.TLS != nil {\n\t\treturn true\n\t}\n\tif proto, ok := r.Context().Value(forwardedProtoKey).(string); ok {\n\t\treturn proto == \"https\" //nolint:goconst\n\t}\n\treturn false\n}\n\nfunc isTokenInvalidated(r *http.Request) bool {\n\tvar findTokenFns []func(r *http.Request) string\n\tfindTokenFns = append(findTokenFns, jwt.TokenFromHeader)\n\tfindTokenFns = append(findTokenFns, jwt.TokenFromCookie)\n\tfindTokenFns = append(findTokenFns, oidcTokenFromContext)\n\n\tisTokenFound := false\n\tfor _, fn := range findTokenFns {\n\t\ttoken := fn(r)\n\t\tif token != \"\" {\n\t\t\tisTokenFound = true\n\t\t\tif invalidatedJWTTokens.Get(token) {\n\t\t\t\treturn true\n\t\t\t}\n\t\t}\n\t}\n\n\treturn !isTokenFound\n}\n\nfunc invalidateToken(r *http.Request) {\n\ttokenString := jwt.TokenFromHeader(r)\n\tif tokenString != \"\" {\n\t\tinvalidateTokenString(r, tokenString, apiTokenDuration)\n\t}\n\ttokenString = jwt.TokenFromCookie(r)\n\tif tokenString != \"\" {\n\t\tinvalidateTokenString(r, tokenString, getMaxCookieDuration())\n\t}\n}\n\nfunc invalidateTokenString(r *http.Request, tokenString string, fallbackDuration time.Duration) {\n\ttoken, err := jwt.FromContext(r.Context())\n\tif err != nil {\n\t\tinvalidatedJWTTokens.Add(tokenString, time.Now().Add(fallbackDuration).UTC())\n\t\treturn\n\t}\n\tinvalidatedJWTTokens.Add(tokenString, token.Expiry.Time().Add(1*time.Minute).UTC())\n}\n\nfunc getUserFromToken(r *http.Request) *dataprovider.User {\n\tuser := &dataprovider.User{}\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil {\n\t\treturn user\n\t}\n\tuser.Username = claims.Username\n\tuser.Filters.WebClient = claims.Permissions\n\tuser.Role = claims.Role\n\treturn user\n}\n\nfunc getAdminFromToken(r *http.Request) *dataprovider.Admin {\n\tadmin := &dataprovider.Admin{}\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil {\n\t\treturn admin\n\t}\n\tadmin.Username = claims.Username\n\tadmin.Permissions = claims.Permissions\n\tadmin.Filters.Preferences.HideUserPageSections = claims.HideUserPageSections\n\tadmin.Role = claims.Role\n\treturn admin\n}\n\nfunc createLoginCookie(w http.ResponseWriter, r *http.Request, csrfTokenAuth *jwt.Signer, tokenID, basePath, ip string,\n) {\n\tc := jwt.NewClaims(tokenAudienceWebLogin, ip, getTokenDuration(tokenAudienceWebLogin))\n\tc.ID = tokenID\n\tresp, err := c.GenerateTokenResponse(csrfTokenAuth)\n\tif err != nil {\n\t\treturn\n\t}\n\tsetCookie(w, r, basePath, resp.Token, csrfTokenDuration)\n}\n\nfunc createCSRFToken(w http.ResponseWriter, r *http.Request, csrfTokenAuth *jwt.Signer, tokenID,\n\tbasePath string,\n) string {\n\tip := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tclaims := jwt.NewClaims(tokenAudienceCSRF, ip, csrfTokenDuration)\n\tclaims.ID = rand.Text()\n\tif tokenID != \"\" {\n\t\tcreateLoginCookie(w, r, csrfTokenAuth, tokenID, basePath, ip)\n\t\tclaims.Ref = tokenID\n\t} else {\n\t\tif c, err := jwt.FromContext(r.Context()); err == nil {\n\t\t\tclaims.Ref = c.ID\n\t\t} else {\n\t\t\tlogger.Error(logSender, \"\", \"unable to add reference to CSRF token: %v\", err)\n\t\t}\n\t}\n\ttokenString, err := csrfTokenAuth.Sign(claims)\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"unable to create CSRF token: %v\", err)\n\t\treturn \"\"\n\t}\n\treturn tokenString\n}\n\nfunc verifyCSRFToken(r *http.Request, csrfTokenAuth *jwt.Signer) error {\n\ttokenString := r.Form.Get(csrfFormToken)\n\ttoken, err := jwt.VerifyToken(csrfTokenAuth, tokenString)\n\tif err != nil || token == nil {\n\t\tlogger.Debug(logSender, \"\", \"error validating CSRF token %q: %v\", tokenString, err)\n\t\treturn fmt.Errorf(\"unable to verify form token: %v\", err)\n\t}\n\n\tif !token.Audience.Contains(tokenAudienceCSRF) {\n\t\tlogger.Debug(logSender, \"\", \"error validating CSRF token audience\")\n\t\treturn errors.New(\"the form token is not valid\")\n\t}\n\n\tif err := validateIPForToken(token, util.GetIPFromRemoteAddress(r.RemoteAddr)); err != nil {\n\t\tlogger.Debug(logSender, \"\", \"error validating CSRF token IP audience\")\n\t\treturn errors.New(\"the form token is not valid\")\n\t}\n\treturn checkCSRFTokenRef(r, token)\n}\n\nfunc checkCSRFTokenRef(r *http.Request, token *jwt.Claims) error {\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"error getting token claims for CSRF validation: %v\", err)\n\t\treturn err\n\t}\n\tif token.ID == \"\" {\n\t\tlogger.Debug(logSender, \"\", \"error validating CSRF token, missing reference\")\n\t\treturn errors.New(\"the form token is not valid\")\n\t}\n\tif claims.ID != token.Ref {\n\t\tlogger.Debug(logSender, \"\", \"error validating CSRF reference, id %q, reference %q\", claims.ID, token.ID)\n\t\treturn errors.New(\"unexpected form token\")\n\t}\n\n\treturn nil\n}\n\nfunc verifyLoginCookie(r *http.Request) error {\n\ttoken, err := jwt.FromContext(r.Context())\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"error getting login token: %v\", err)\n\t\treturn errInvalidToken\n\t}\n\tif isTokenInvalidated(r) {\n\t\tlogger.Debug(logSender, \"\", \"the login token has been invalidated\")\n\t\treturn errInvalidToken\n\t}\n\tif !token.Audience.Contains(tokenAudienceWebLogin) {\n\t\tlogger.Debug(logSender, \"\", \"the token with id %q is not valid for audience %q\", token.ID, tokenAudienceWebLogin)\n\t\treturn errInvalidToken\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := validateIPForToken(token, ipAddr); err != nil {\n\t\treturn err\n\t}\n\treturn nil\n}\n\nfunc verifyLoginCookieAndCSRFToken(r *http.Request, csrfTokenAuth *jwt.Signer) error {\n\tif err := verifyLoginCookie(r); err != nil {\n\t\treturn err\n\t}\n\tif err := verifyCSRFToken(r, csrfTokenAuth); err != nil {\n\t\treturn err\n\t}\n\treturn nil\n}\n\nfunc createOAuth2Token(csrfTokenAuth *jwt.Signer, state, ip string) string {\n\tclaims := jwt.NewClaims(tokenAudienceOAuth2, ip, getTokenDuration(tokenAudienceOAuth2))\n\tclaims.ID = state\n\n\ttokenString, err := csrfTokenAuth.Sign(claims)\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"unable to create OAuth2 token: %v\", err)\n\t\treturn \"\"\n\t}\n\treturn tokenString\n}\n\nfunc verifyOAuth2Token(csrfTokenAuth *jwt.Signer, tokenString, ip string) (string, error) {\n\ttoken, err := jwt.VerifyToken(csrfTokenAuth, tokenString)\n\tif err != nil || token == nil {\n\t\tlogger.Debug(logSender, \"\", \"error validating OAuth2 token %q: %v\", tokenString, err)\n\t\treturn \"\", util.NewI18nError(\n\t\t\tfmt.Errorf(\"unable to verify OAuth2 state: %v\", err),\n\t\t\tutil.I18nOAuth2ErrorVerifyState,\n\t\t)\n\t}\n\n\tif !token.Audience.Contains(tokenAudienceOAuth2) {\n\t\tlogger.Debug(logSender, \"\", \"error validating OAuth2 token audience\")\n\t\treturn \"\", util.NewI18nError(errors.New(\"invalid OAuth2 state\"), util.I18nOAuth2InvalidState)\n\t}\n\n\tif err := validateIPForToken(token, ip); err != nil {\n\t\tlogger.Debug(logSender, \"\", \"error validating OAuth2 token IP audience\")\n\t\treturn \"\", util.NewI18nError(errors.New(\"invalid OAuth2 state\"), util.I18nOAuth2InvalidState)\n\t}\n\tif token.ID != \"\" {\n\t\treturn token.ID, nil\n\t}\n\tlogger.Debug(logSender, \"\", \"jti not found in OAuth2 token\")\n\treturn \"\", util.NewI18nError(errors.New(\"invalid OAuth2 state\"), util.I18nOAuth2InvalidState)\n}\n\nfunc validateIPForToken(token *jwt.Claims, ip string) error {\n\tif tokenValidationMode&tokenValidationModeNoIPMatch == 0 {\n\t\tif !token.Audience.Contains(ip) {\n\t\t\treturn errInvalidToken\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc checkTokenSignature(r *http.Request, token *jwt.Claims) error {\n\tif _, ok := r.Context().Value(oidcTokenKey).(string); ok {\n\t\treturn nil\n\t}\n\tvar err error\n\tif tokenValidationMode&tokenValidationModeUserSignature != 0 {\n\t\tfor _, audience := range token.Audience {\n\t\t\tswitch audience {\n\t\t\tcase tokenAudienceAPI, tokenAudienceWebAdmin:\n\t\t\t\terr = validateSignatureForToken(token, dataprovider.GetAdminSignature)\n\t\t\tcase tokenAudienceAPIUser, tokenAudienceWebClient:\n\t\t\t\terr = validateSignatureForToken(token, dataprovider.GetUserSignature)\n\t\t\t}\n\t\t}\n\t}\n\tif err != nil {\n\t\tinvalidateToken(r)\n\t}\n\treturn err\n}\n\nfunc validateSignatureForToken(token *jwt.Claims, getter func(string) (string, error)) error {\n\tsignature, err := getter(token.Username)\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"unable to get signature for username %q: %v\", token.Username, err)\n\t\treturn errInvalidToken\n\t}\n\tif signature != \"\" && signature == token.Subject {\n\t\treturn nil\n\t}\n\tlogger.Debug(logSender, \"\", \"signature mismatch for username %q, signature %q, token signature %q\",\n\t\ttoken.Username, signature, token.Subject)\n\treturn errInvalidToken\n}\n" }, { "path": "internal/httpd/file.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"io\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\ntype httpdFile struct {\n\t*common.BaseTransfer\n\twriter io.WriteCloser\n\treader io.ReadCloser\n\tisFinished bool\n}\n\nfunc newHTTPDFile(baseTransfer *common.BaseTransfer, pipeWriter vfs.PipeWriter, pipeReader vfs.PipeReader) *httpdFile {\n\tvar writer io.WriteCloser\n\tvar reader io.ReadCloser\n\tif baseTransfer.File != nil {\n\t\twriter = baseTransfer.File\n\t\treader = baseTransfer.File\n\t} else if pipeWriter != nil {\n\t\twriter = pipeWriter\n\t} else if pipeReader != nil {\n\t\treader = pipeReader\n\t}\n\treturn &httpdFile{\n\t\tBaseTransfer: baseTransfer,\n\t\twriter: writer,\n\t\treader: reader,\n\t\tisFinished: false,\n\t}\n}\n\n// Read reads the contents to downloads.\nfunc (f *httpdFile) Read(p []byte) (n int, err error) {\n\tif f.AbortTransfer.Load() {\n\t\terr := f.GetAbortError()\n\t\tf.TransferError(err)\n\t\treturn 0, err\n\t}\n\n\tf.Connection.UpdateLastActivity()\n\n\tn, err = f.reader.Read(p)\n\tf.BytesSent.Add(int64(n))\n\n\tif err == nil {\n\t\terr = f.CheckRead()\n\t}\n\tif err != nil && err != io.EOF {\n\t\tf.TransferError(err)\n\t\terr = f.ConvertError(err)\n\t\treturn\n\t}\n\tf.HandleThrottle()\n\treturn\n}\n\n// Write writes the contents to upload\nfunc (f *httpdFile) Write(p []byte) (n int, err error) {\n\tif f.AbortTransfer.Load() {\n\t\terr := f.GetAbortError()\n\t\tf.TransferError(err)\n\t\treturn 0, err\n\t}\n\n\tf.Connection.UpdateLastActivity()\n\n\tn, err = f.writer.Write(p)\n\tf.BytesReceived.Add(int64(n))\n\n\tif err == nil {\n\t\terr = f.CheckWrite()\n\t}\n\tif err != nil {\n\t\tf.TransferError(err)\n\t\terr = f.ConvertError(err)\n\t\treturn\n\t}\n\tf.HandleThrottle()\n\treturn\n}\n\n// Close closes the current transfer\nfunc (f *httpdFile) Close() error {\n\tif err := f.setFinished(); err != nil {\n\t\treturn err\n\t}\n\terr := f.closeIO()\n\terrBaseClose := f.BaseTransfer.Close()\n\tif errBaseClose != nil {\n\t\terr = errBaseClose\n\t}\n\n\treturn f.Connection.GetFsError(f.Fs, err)\n}\n\nfunc (f *httpdFile) closeIO() error {\n\tvar err error\n\tif f.File != nil {\n\t\terr = f.File.Close()\n\t} else if f.writer != nil {\n\t\terr = f.writer.Close()\n\t\tf.Lock()\n\t\t// we set ErrTransfer here so quota is not updated, in this case the uploads are atomic\n\t\tif err != nil && f.ErrTransfer == nil {\n\t\t\tf.ErrTransfer = err\n\t\t}\n\t\tf.Unlock()\n\t} else if f.reader != nil {\n\t\terr = f.reader.Close()\n\t\tif metadater, ok := f.reader.(vfs.Metadater); ok {\n\t\t\tf.SetMetadata(metadater.Metadata())\n\t\t}\n\t}\n\treturn err\n}\n\nfunc (f *httpdFile) setFinished() error {\n\tf.Lock()\n\tdefer f.Unlock()\n\n\tif f.isFinished {\n\t\treturn common.ErrTransferClosed\n\t}\n\tf.isFinished = true\n\treturn nil\n}\n" }, { "path": "internal/httpd/flash.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"encoding/base64\"\n\t\"encoding/json\"\n\t\"net/http\"\n\t\"time\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nconst (\n\tflashCookieName = \"message\"\n)\n\nfunc newFlashMessage(errorStrig, i18nMessage string) flashMessage {\n\treturn flashMessage{\n\t\tErrorString: errorStrig,\n\t\tI18nMessage: i18nMessage,\n\t}\n}\n\ntype flashMessage struct {\n\tErrorString string `json:\"error\"`\n\tI18nMessage string `json:\"message\"`\n}\n\nfunc (m *flashMessage) getI18nError() *util.I18nError {\n\tif m.ErrorString == \"\" && m.I18nMessage == \"\" {\n\t\treturn nil\n\t}\n\treturn util.NewI18nError(\n\t\tutil.NewGenericError(m.ErrorString),\n\t\tm.I18nMessage,\n\t)\n}\n\nfunc setFlashMessage(w http.ResponseWriter, r *http.Request, message flashMessage) {\n\tvalue, err := json.Marshal(message)\n\tif err != nil {\n\t\treturn\n\t}\n\thttp.SetCookie(w, &http.Cookie{\n\t\tName: flashCookieName,\n\t\tValue: base64.URLEncoding.EncodeToString(value),\n\t\tPath: \"/\",\n\t\tExpires: time.Now().Add(60 * time.Second),\n\t\tMaxAge: 60,\n\t\tHttpOnly: true,\n\t\tSecure: isTLS(r),\n\t\tSameSite: http.SameSiteLaxMode,\n\t})\n\tw.Header().Add(\"Cache-Control\", `no-cache=\"Set-Cookie\"`)\n}\n\nfunc getFlashMessage(w http.ResponseWriter, r *http.Request) flashMessage {\n\tvar msg flashMessage\n\tcookie, err := r.Cookie(flashCookieName)\n\tif err != nil {\n\t\treturn msg\n\t}\n\thttp.SetCookie(w, &http.Cookie{\n\t\tName: flashCookieName,\n\t\tValue: \"\",\n\t\tPath: \"/\",\n\t\tExpires: time.Unix(0, 0),\n\t\tMaxAge: -1,\n\t\tHttpOnly: true,\n\t\tSecure: isTLS(r),\n\t\tSameSite: http.SameSiteLaxMode,\n\t})\n\tvalue, err := base64.URLEncoding.DecodeString(cookie.Value)\n\tif err != nil {\n\t\treturn msg\n\t}\n\terr = json.Unmarshal(value, &msg)\n\tif err != nil {\n\t\treturn flashMessage{}\n\t}\n\treturn msg\n}\n" }, { "path": "internal/httpd/flash_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"encoding/base64\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nfunc TestFlashMessages(t *testing.T) {\n\trr := httptest.NewRecorder()\n\treq, err := http.NewRequest(http.MethodGet, \"/url\", nil)\n\trequire.NoError(t, err)\n\tmessage := flashMessage{\n\t\tErrorString: \"error\",\n\t\tI18nMessage: util.I18nChangePwdTitle,\n\t}\n\tsetFlashMessage(rr, req, message)\n\tvalue, err := json.Marshal(message)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Cookie\", fmt.Sprintf(\"%v=%v\", flashCookieName, base64.URLEncoding.EncodeToString(value)))\n\tmsg := getFlashMessage(rr, req)\n\tassert.Equal(t, message, msg)\n\tassert.Equal(t, util.I18nChangePwdTitle, msg.getI18nError().Message)\n\treq.Header.Set(\"Cookie\", fmt.Sprintf(\"%v=%v\", flashCookieName, \"a\"))\n\tmsg = getFlashMessage(rr, req)\n\tassert.Empty(t, msg)\n\treq.Header.Set(\"Cookie\", fmt.Sprintf(\"%v=%v\", flashCookieName, \"YQ==\"))\n\tmsg = getFlashMessage(rr, req)\n\tassert.Empty(t, msg)\n}\n" }, { "path": "internal/httpd/handler.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"io\"\n\t\"net/http\"\n\t\"os\"\n\t\"path\"\n\t\"strings\"\n\t\"sync\"\n\t\"sync/atomic\"\n\t\"time\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\n// Connection details for a HTTP connection used to inteact with an SFTPGo filesystem\ntype Connection struct {\n\t*common.BaseConnection\n\trequest *http.Request\n\trc *http.ResponseController\n}\n\nfunc newConnection(conn *common.BaseConnection, w http.ResponseWriter, r *http.Request) *Connection {\n\trc := http.NewResponseController(w)\n\tresponseControllerDeadlines(rc, time.Time{}, time.Time{})\n\treturn &Connection{\n\t\tBaseConnection: conn,\n\t\trequest: r,\n\t\trc: rc,\n\t}\n}\n\n// GetClientVersion returns the connected client's version.\nfunc (c *Connection) GetClientVersion() string {\n\tif c.request != nil {\n\t\treturn c.request.UserAgent()\n\t}\n\treturn \"\"\n}\n\n// GetLocalAddress returns local connection address\nfunc (c *Connection) GetLocalAddress() string {\n\treturn util.GetHTTPLocalAddress(c.request)\n}\n\n// GetRemoteAddress returns the connected client's address\nfunc (c *Connection) GetRemoteAddress() string {\n\tif c.request != nil {\n\t\treturn c.request.RemoteAddr\n\t}\n\treturn \"\"\n}\n\n// Disconnect closes the active transfer\nfunc (c *Connection) Disconnect() (err error) {\n\tif c.rc != nil {\n\t\tresponseControllerDeadlines(c.rc, time.Now().Add(5*time.Second), time.Now().Add(5*time.Second))\n\t}\n\treturn c.SignalTransfersAbort()\n}\n\n// GetCommand returns the request method\nfunc (c *Connection) GetCommand() string {\n\tif c.request != nil {\n\t\treturn strings.ToUpper(c.request.Method)\n\t}\n\treturn \"\"\n}\n\n// Stat returns a FileInfo describing the named file/directory, or an error,\n// if any happens\nfunc (c *Connection) Stat(name string, mode int) (os.FileInfo, error) {\n\tc.UpdateLastActivity()\n\n\tif !c.User.HasPerm(dataprovider.PermListItems, path.Dir(name)) {\n\t\treturn nil, c.GetPermissionDeniedError()\n\t}\n\n\tfi, err := c.DoStat(name, mode, true)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn fi, err\n}\n\n// ReadDir returns a list of directory entries\nfunc (c *Connection) ReadDir(name string) (vfs.DirLister, error) {\n\tc.UpdateLastActivity()\n\n\treturn c.ListDir(name)\n}\n\nfunc (c *Connection) getFileReader(name string, offset int64, method string) (io.ReadCloser, error) {\n\tc.UpdateLastActivity()\n\n\tif err := common.Connections.IsNewTransferAllowed(c.User.Username); err != nil {\n\t\tc.Log(logger.LevelInfo, \"denying file read due to transfer count limits\")\n\t\treturn nil, util.NewI18nError(c.GetPermissionDeniedError(), util.I18nError403Message)\n\t}\n\n\ttransferQuota := c.GetTransferQuota()\n\tif !transferQuota.HasDownloadSpace() {\n\t\tc.Log(logger.LevelInfo, \"denying file read due to quota limits\")\n\t\treturn nil, util.NewI18nError(c.GetReadQuotaExceededError(), util.I18nErrorQuotaRead)\n\t}\n\n\tif !c.User.HasPerm(dataprovider.PermDownload, path.Dir(name)) {\n\t\treturn nil, util.NewI18nError(c.GetPermissionDeniedError(), util.I18nError403Message)\n\t}\n\n\tif ok, policy := c.User.IsFileAllowed(name); !ok {\n\t\tc.Log(logger.LevelWarn, \"reading file %q is not allowed\", name)\n\t\treturn nil, util.NewI18nError(c.GetErrorForDeniedFile(policy), util.I18nError403Message)\n\t}\n\n\tfs, p, err := c.GetFsAndResolvedPath(name)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tif method != http.MethodHead {\n\t\tif _, err := common.ExecutePreAction(c.BaseConnection, common.OperationPreDownload, p, name, 0, 0); err != nil {\n\t\t\tc.Log(logger.LevelDebug, \"download for file %q denied by pre action: %v\", name, err)\n\t\t\treturn nil, util.NewI18nError(c.GetPermissionDeniedError(), util.I18nError403Message)\n\t\t}\n\t}\n\n\tfile, r, cancelFn, err := fs.Open(p, offset)\n\tif err != nil {\n\t\tc.Log(logger.LevelError, \"could not open file %q for reading: %+v\", p, err)\n\t\treturn nil, c.GetFsError(fs, err)\n\t}\n\n\tbaseTransfer := common.NewBaseTransfer(file, c.BaseConnection, cancelFn, p, p, name, common.TransferDownload,\n\t\t0, 0, 0, 0, false, fs, transferQuota)\n\treturn newHTTPDFile(baseTransfer, nil, r), nil\n}\n\nfunc (c *Connection) getFileWriter(name string) (io.WriteCloser, error) {\n\tc.UpdateLastActivity()\n\n\tif ok, _ := c.User.IsFileAllowed(name); !ok {\n\t\tc.Log(logger.LevelWarn, \"writing file %q is not allowed\", name)\n\t\treturn nil, c.GetPermissionDeniedError()\n\t}\n\n\tfs, p, err := c.GetFsAndResolvedPath(name)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tfilePath := p\n\tif common.Config.IsAtomicUploadEnabled() && fs.IsAtomicUploadSupported() {\n\t\tfilePath = fs.GetAtomicUploadPath(p)\n\t}\n\n\tstat, statErr := fs.Lstat(p)\n\tif (statErr == nil && stat.Mode()&os.ModeSymlink != 0) || fs.IsNotExist(statErr) {\n\t\tif !c.User.HasPerm(dataprovider.PermUpload, path.Dir(name)) {\n\t\t\treturn nil, c.GetPermissionDeniedError()\n\t\t}\n\t\treturn c.handleUploadFile(fs, p, filePath, name, true, 0)\n\t}\n\n\tif statErr != nil {\n\t\tc.Log(logger.LevelError, \"error performing file stat %q: %+v\", p, statErr)\n\t\treturn nil, c.GetFsError(fs, statErr)\n\t}\n\n\t// This happen if we upload a file that has the same name of an existing directory\n\tif stat.IsDir() {\n\t\tc.Log(logger.LevelError, \"attempted to open a directory for writing to: %q\", p)\n\t\treturn nil, c.GetOpUnsupportedError()\n\t}\n\n\tif !c.User.HasPerm(dataprovider.PermOverwrite, path.Dir(name)) {\n\t\treturn nil, c.GetPermissionDeniedError()\n\t}\n\n\tif common.Config.IsAtomicUploadEnabled() && fs.IsAtomicUploadSupported() {\n\t\t_, _, err = fs.Rename(p, filePath, 0)\n\t\tif err != nil {\n\t\t\tc.Log(logger.LevelError, \"error renaming existing file for atomic upload, source: %q, dest: %q, err: %+v\",\n\t\t\t\tp, filePath, err)\n\t\t\treturn nil, c.GetFsError(fs, err)\n\t\t}\n\t}\n\n\treturn c.handleUploadFile(fs, p, filePath, name, false, stat.Size())\n}\n\nfunc (c *Connection) handleUploadFile(fs vfs.Fs, resolvedPath, filePath, requestPath string, isNewFile bool, fileSize int64) (io.WriteCloser, error) {\n\tif err := common.Connections.IsNewTransferAllowed(c.User.Username); err != nil {\n\t\tc.Log(logger.LevelInfo, \"denying file write due to transfer count limits\")\n\t\treturn nil, util.NewI18nError(c.GetPermissionDeniedError(), util.I18nError403Message)\n\t}\n\tdiskQuota, transferQuota := c.HasSpace(isNewFile, false, requestPath)\n\tif !diskQuota.HasSpace || !transferQuota.HasUploadSpace() {\n\t\tc.Log(logger.LevelInfo, \"denying file write due to quota limits\")\n\t\treturn nil, common.ErrQuotaExceeded\n\t}\n\t_, err := common.ExecutePreAction(c.BaseConnection, common.OperationPreUpload, resolvedPath, requestPath, fileSize, os.O_TRUNC)\n\tif err != nil {\n\t\tc.Log(logger.LevelDebug, \"upload for file %q denied by pre action: %v\", requestPath, err)\n\t\treturn nil, c.GetPermissionDeniedError()\n\t}\n\n\tmaxWriteSize, _ := c.GetMaxWriteSize(diskQuota, false, fileSize, fs.IsUploadResumeSupported())\n\n\tfile, w, cancelFn, err := fs.Create(filePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, c.GetCreateChecks(requestPath, isNewFile, false))\n\tif err != nil {\n\t\tc.Log(logger.LevelError, \"error opening existing file, source: %q, err: %+v\", filePath, err)\n\t\treturn nil, c.GetFsError(fs, err)\n\t}\n\n\tinitialSize := int64(0)\n\ttruncatedSize := int64(0) // bytes truncated and not included in quota\n\tif !isNewFile {\n\t\tif vfs.HasTruncateSupport(fs) {\n\t\t\tvfolder, err := c.User.GetVirtualFolderForPath(path.Dir(requestPath))\n\t\t\tif err == nil {\n\t\t\t\tdataprovider.UpdateUserFolderQuota(&vfolder, &c.User, 0, -fileSize, false)\n\t\t\t} else {\n\t\t\t\tdataprovider.UpdateUserQuota(&c.User, 0, -fileSize, false) //nolint:errcheck\n\t\t\t}\n\t\t} else {\n\t\t\tinitialSize = fileSize\n\t\t\ttruncatedSize = fileSize\n\t\t}\n\t\tif maxWriteSize > 0 {\n\t\t\tmaxWriteSize += fileSize\n\t\t}\n\t}\n\n\tvfs.SetPathPermissions(fs, filePath, c.User.GetUID(), c.User.GetGID())\n\n\tbaseTransfer := common.NewBaseTransfer(file, c.BaseConnection, cancelFn, resolvedPath, filePath, requestPath,\n\t\tcommon.TransferUpload, 0, initialSize, maxWriteSize, truncatedSize, isNewFile, fs, transferQuota)\n\treturn newHTTPDFile(baseTransfer, w, nil), nil\n}\n\nfunc newThrottledReader(r io.ReadCloser, limit int64, conn *Connection) *throttledReader {\n\tt := &throttledReader{\n\t\tid: conn.GetTransferID(),\n\t\tlimit: limit,\n\t\tr: r,\n\t\tstart: time.Now(),\n\t\tconn: conn,\n\t}\n\tt.bytesRead.Store(0)\n\tt.abortTransfer.Store(false)\n\tconn.AddTransfer(t)\n\treturn t\n}\n\ntype throttledReader struct {\n\tbytesRead atomic.Int64\n\tid int64\n\tlimit int64\n\tr io.ReadCloser\n\tabortTransfer atomic.Bool\n\tstart time.Time\n\tconn *Connection\n\tmu sync.Mutex\n\terrAbort error\n}\n\nfunc (t *throttledReader) GetID() int64 {\n\treturn t.id\n}\n\nfunc (t *throttledReader) GetType() int {\n\treturn common.TransferUpload\n}\n\nfunc (t *throttledReader) GetSize() int64 {\n\treturn t.bytesRead.Load()\n}\n\nfunc (t *throttledReader) GetDownloadedSize() int64 {\n\treturn 0\n}\n\nfunc (t *throttledReader) GetUploadedSize() int64 {\n\treturn t.bytesRead.Load()\n}\n\nfunc (t *throttledReader) GetVirtualPath() string {\n\treturn \"**reading request body**\"\n}\n\nfunc (t *throttledReader) GetStartTime() time.Time {\n\treturn t.start\n}\n\nfunc (t *throttledReader) GetAbortError() error {\n\tt.mu.Lock()\n\tdefer t.mu.Unlock()\n\n\tif t.errAbort != nil {\n\t\treturn t.errAbort\n\t}\n\treturn common.ErrTransferAborted\n}\n\nfunc (t *throttledReader) SignalClose(err error) {\n\tt.mu.Lock()\n\tt.errAbort = err\n\tt.mu.Unlock()\n\tt.abortTransfer.Store(true)\n}\n\nfunc (t *throttledReader) GetTruncatedSize() int64 {\n\treturn 0\n}\n\nfunc (t *throttledReader) HasSizeLimit() bool {\n\treturn false\n}\n\nfunc (t *throttledReader) Truncate(_ string, _ int64) (int64, error) {\n\treturn 0, vfs.ErrVfsUnsupported\n}\n\nfunc (t *throttledReader) GetRealFsPath(_ string) string {\n\treturn \"\"\n}\n\nfunc (t *throttledReader) GetFsPath() string {\n\treturn \"\"\n}\n\nfunc (t *throttledReader) SetTimes(_ string, _ time.Time, _ time.Time) bool {\n\treturn false\n}\n\nfunc (t *throttledReader) Read(p []byte) (n int, err error) {\n\tif t.abortTransfer.Load() {\n\t\treturn 0, t.GetAbortError()\n\t}\n\n\tt.conn.UpdateLastActivity()\n\tn, err = t.r.Read(p)\n\tif t.limit > 0 {\n\t\tt.bytesRead.Add(int64(n))\n\t\ttrasferredBytes := t.bytesRead.Load()\n\t\telapsed := time.Since(t.start).Nanoseconds() / 1000000\n\t\twantedElapsed := 1000 * (trasferredBytes / 1024) / t.limit\n\t\tif wantedElapsed > elapsed {\n\t\t\ttoSleep := time.Duration(wantedElapsed - elapsed)\n\t\t\ttime.Sleep(toSleep * time.Millisecond)\n\t\t}\n\t}\n\treturn\n}\n\nfunc (t *throttledReader) Close() error {\n\treturn t.r.Close()\n}\n" }, { "path": "internal/httpd/httpd.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n// Package httpd implements REST API and Web interface for SFTPGo.\n// The OpenAPI 3 schema for the supported API can be found inside the source tree:\n// https://github.com/drakkan/sftpgo/blob/main/openapi/openapi.yaml\npackage httpd\n\nimport (\n\t\"crypto/sha256\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"strings\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/go-chi/chi/v5\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/acme\"\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/ftpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/mfa\"\n\t\"github.com/drakkan/sftpgo/v2/internal/sftpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/webdavd\"\n)\n\nconst (\n\tlogSender = \"httpd\"\n\ttokenPath = \"/api/v2/token\"\n\tlogoutPath = \"/api/v2/logout\"\n\tuserTokenPath = \"/api/v2/user/token\"\n\tuserLogoutPath = \"/api/v2/user/logout\"\n\tactiveConnectionsPath = \"/api/v2/connections\"\n\tquotasBasePath = \"/api/v2/quotas\"\n\tuserPath = \"/api/v2/users\"\n\tversionPath = \"/api/v2/version\"\n\tfolderPath = \"/api/v2/folders\"\n\tgroupPath = \"/api/v2/groups\"\n\tserverStatusPath = \"/api/v2/status\"\n\tdumpDataPath = \"/api/v2/dumpdata\"\n\tloadDataPath = \"/api/v2/loaddata\"\n\tdefenderHosts = \"/api/v2/defender/hosts\"\n\tadminPath = \"/api/v2/admins\"\n\tadminPwdPath = \"/api/v2/admin/changepwd\"\n\tadminProfilePath = \"/api/v2/admin/profile\"\n\tuserPwdPath = \"/api/v2/user/changepwd\"\n\tuserDirsPath = \"/api/v2/user/dirs\"\n\tuserFilesPath = \"/api/v2/user/files\"\n\tuserFileActionsPath = \"/api/v2/user/file-actions\"\n\tuserStreamZipPath = \"/api/v2/user/streamzip\"\n\tuserUploadFilePath = \"/api/v2/user/files/upload\"\n\tuserFilesDirsMetadataPath = \"/api/v2/user/files/metadata\"\n\tapiKeysPath = \"/api/v2/apikeys\"\n\tadminTOTPConfigsPath = \"/api/v2/admin/totp/configs\"\n\tadminTOTPGeneratePath = \"/api/v2/admin/totp/generate\"\n\tadminTOTPValidatePath = \"/api/v2/admin/totp/validate\"\n\tadminTOTPSavePath = \"/api/v2/admin/totp/save\"\n\tadmin2FARecoveryCodesPath = \"/api/v2/admin/2fa/recoverycodes\"\n\tuserTOTPConfigsPath = \"/api/v2/user/totp/configs\"\n\tuserTOTPGeneratePath = \"/api/v2/user/totp/generate\"\n\tuserTOTPValidatePath = \"/api/v2/user/totp/validate\"\n\tuserTOTPSavePath = \"/api/v2/user/totp/save\"\n\tuser2FARecoveryCodesPath = \"/api/v2/user/2fa/recoverycodes\"\n\tuserProfilePath = \"/api/v2/user/profile\"\n\tuserSharesPath = \"/api/v2/user/shares\"\n\tretentionChecksPath = \"/api/v2/retention/users/checks\"\n\tfsEventsPath = \"/api/v2/events/fs\"\n\tproviderEventsPath = \"/api/v2/events/provider\"\n\tlogEventsPath = \"/api/v2/events/logs\"\n\tsharesPath = \"/api/v2/shares\"\n\teventActionsPath = \"/api/v2/eventactions\"\n\teventRulesPath = \"/api/v2/eventrules\"\n\trolesPath = \"/api/v2/roles\"\n\tipListsPath = \"/api/v2/iplists\"\n\thealthzPath = \"/healthz\"\n\twebRootPathDefault = \"/\"\n\twebBasePathDefault = \"/web\"\n\twebBasePathAdminDefault = \"/web/admin\"\n\twebBasePathClientDefault = \"/web/client\"\n\twebAdminSetupPathDefault = \"/web/admin/setup\"\n\twebAdminLoginPathDefault = \"/web/admin/login\"\n\twebAdminOIDCLoginPathDefault = \"/web/admin/oidclogin\"\n\twebOIDCRedirectPathDefault = \"/web/oidc/redirect\"\n\twebOAuth2RedirectPathDefault = \"/web/oauth2/redirect\"\n\twebOAuth2TokenPathDefault = \"/web/admin/oauth2/token\"\n\twebAdminTwoFactorPathDefault = \"/web/admin/twofactor\"\n\twebAdminTwoFactorRecoveryPathDefault = \"/web/admin/twofactor-recovery\"\n\twebLogoutPathDefault = \"/web/admin/logout\"\n\twebUsersPathDefault = \"/web/admin/users\"\n\twebUserPathDefault = \"/web/admin/user\"\n\twebConnectionsPathDefault = \"/web/admin/connections\"\n\twebFoldersPathDefault = \"/web/admin/folders\"\n\twebFolderPathDefault = \"/web/admin/folder\"\n\twebGroupsPathDefault = \"/web/admin/groups\"\n\twebGroupPathDefault = \"/web/admin/group\"\n\twebStatusPathDefault = \"/web/admin/status\"\n\twebAdminsPathDefault = \"/web/admin/managers\"\n\twebAdminPathDefault = \"/web/admin/manager\"\n\twebMaintenancePathDefault = \"/web/admin/maintenance\"\n\twebBackupPathDefault = \"/web/admin/backup\"\n\twebRestorePathDefault = \"/web/admin/restore\"\n\twebScanVFolderPathDefault = \"/web/admin/quotas/scanfolder\"\n\twebQuotaScanPathDefault = \"/web/admin/quotas/scanuser\"\n\twebChangeAdminPwdPathDefault = \"/web/admin/changepwd\"\n\twebAdminForgotPwdPathDefault = \"/web/admin/forgot-password\"\n\twebAdminResetPwdPathDefault = \"/web/admin/reset-password\"\n\twebAdminProfilePathDefault = \"/web/admin/profile\"\n\twebAdminMFAPathDefault = \"/web/admin/mfa\"\n\twebAdminEventRulesPathDefault = \"/web/admin/eventrules\"\n\twebAdminEventRulePathDefault = \"/web/admin/eventrule\"\n\twebAdminEventActionsPathDefault = \"/web/admin/eventactions\"\n\twebAdminEventActionPathDefault = \"/web/admin/eventaction\"\n\twebAdminRolesPathDefault = \"/web/admin/roles\"\n\twebAdminRolePathDefault = \"/web/admin/role\"\n\twebAdminTOTPGeneratePathDefault = \"/web/admin/totp/generate\"\n\twebAdminTOTPValidatePathDefault = \"/web/admin/totp/validate\"\n\twebAdminTOTPSavePathDefault = \"/web/admin/totp/save\"\n\twebAdminRecoveryCodesPathDefault = \"/web/admin/recoverycodes\"\n\twebTemplateUserDefault = \"/web/admin/template/user\"\n\twebTemplateFolderDefault = \"/web/admin/template/folder\"\n\twebDefenderPathDefault = \"/web/admin/defender\"\n\twebIPListsPathDefault = \"/web/admin/ip-lists\"\n\twebIPListPathDefault = \"/web/admin/ip-list\"\n\twebDefenderHostsPathDefault = \"/web/admin/defender/hosts\"\n\twebEventsPathDefault = \"/web/admin/events\"\n\twebEventsFsSearchPathDefault = \"/web/admin/events/fs\"\n\twebEventsProviderSearchPathDefault = \"/web/admin/events/provider\"\n\twebEventsLogSearchPathDefault = \"/web/admin/events/logs\"\n\twebConfigsPathDefault = \"/web/admin/configs\"\n\twebClientLoginPathDefault = \"/web/client/login\"\n\twebClientOIDCLoginPathDefault = \"/web/client/oidclogin\"\n\twebClientTwoFactorPathDefault = \"/web/client/twofactor\"\n\twebClientTwoFactorRecoveryPathDefault = \"/web/client/twofactor-recovery\"\n\twebClientFilesPathDefault = \"/web/client/files\"\n\twebClientFilePathDefault = \"/web/client/file\"\n\twebClientFileActionsPathDefault = \"/web/client/file-actions\"\n\twebClientSharesPathDefault = \"/web/client/shares\"\n\twebClientSharePathDefault = \"/web/client/share\"\n\twebClientEditFilePathDefault = \"/web/client/editfile\"\n\twebClientDirsPathDefault = \"/web/client/dirs\"\n\twebClientDownloadZipPathDefault = \"/web/client/downloadzip\"\n\twebClientProfilePathDefault = \"/web/client/profile\"\n\twebClientPingPathDefault = \"/web/client/ping\"\n\twebClientMFAPathDefault = \"/web/client/mfa\"\n\twebClientTOTPGeneratePathDefault = \"/web/client/totp/generate\"\n\twebClientTOTPValidatePathDefault = \"/web/client/totp/validate\"\n\twebClientTOTPSavePathDefault = \"/web/client/totp/save\"\n\twebClientRecoveryCodesPathDefault = \"/web/client/recoverycodes\"\n\twebChangeClientPwdPathDefault = \"/web/client/changepwd\"\n\twebClientLogoutPathDefault = \"/web/client/logout\"\n\twebClientPubSharesPathDefault = \"/web/client/pubshares\"\n\twebClientForgotPwdPathDefault = \"/web/client/forgot-password\"\n\twebClientResetPwdPathDefault = \"/web/client/reset-password\"\n\twebClientViewPDFPathDefault = \"/web/client/viewpdf\"\n\twebClientGetPDFPathDefault = \"/web/client/getpdf\"\n\twebClientExistPathDefault = \"/web/client/exist\"\n\twebClientTasksPathDefault = \"/web/client/tasks\"\n\twebStaticFilesPathDefault = \"/static\"\n\twebOpenAPIPathDefault = \"/openapi\"\n\t// MaxRestoreSize defines the max size for the loaddata input file\n\tMaxRestoreSize = 20 * 1048576 // 20 MB\n\tmaxRequestSize = 1048576 // 1MB\n\tmaxLoginBodySize = 262144 // 256 KB\n\thttpdMaxEditFileSize = 2 * 1048576 // 2 MB\n\tmaxMultipartMem = 10 * 1048576 // 10 MB\n\tosWindows = \"windows\"\n\totpHeaderCode = \"X-SFTPGO-OTP\"\n\tmTimeHeader = \"X-SFTPGO-MTIME\"\n\tacmeChallengeURI = \"/.well-known/acme-challenge/\"\n)\n\nvar (\n\tcertMgr *common.CertManager\n\tcleanupTicker *time.Ticker\n\tcleanupDone chan bool\n\tinvalidatedJWTTokens tokenManager\n\twebRootPath string\n\twebBasePath string\n\twebBaseAdminPath string\n\twebBaseClientPath string\n\twebOIDCRedirectPath string\n\twebOAuth2RedirectPath string\n\twebOAuth2TokenPath string\n\twebAdminSetupPath string\n\twebAdminOIDCLoginPath string\n\twebAdminLoginPath string\n\twebAdminTwoFactorPath string\n\twebAdminTwoFactorRecoveryPath string\n\twebLogoutPath string\n\twebUsersPath string\n\twebUserPath string\n\twebConnectionsPath string\n\twebFoldersPath string\n\twebFolderPath string\n\twebGroupsPath string\n\twebGroupPath string\n\twebStatusPath string\n\twebAdminsPath string\n\twebAdminPath string\n\twebMaintenancePath string\n\twebBackupPath string\n\twebRestorePath string\n\twebScanVFolderPath string\n\twebQuotaScanPath string\n\twebAdminProfilePath string\n\twebAdminMFAPath string\n\twebAdminEventRulesPath string\n\twebAdminEventRulePath string\n\twebAdminEventActionsPath string\n\twebAdminEventActionPath string\n\twebAdminRolesPath string\n\twebAdminRolePath string\n\twebAdminTOTPGeneratePath string\n\twebAdminTOTPValidatePath string\n\twebAdminTOTPSavePath string\n\twebAdminRecoveryCodesPath string\n\twebChangeAdminPwdPath string\n\twebAdminForgotPwdPath string\n\twebAdminResetPwdPath string\n\twebTemplateUser string\n\twebTemplateFolder string\n\twebDefenderPath string\n\twebIPListPath string\n\twebIPListsPath string\n\twebEventsPath string\n\twebEventsFsSearchPath string\n\twebEventsProviderSearchPath string\n\twebEventsLogSearchPath string\n\twebConfigsPath string\n\twebDefenderHostsPath string\n\twebClientLoginPath string\n\twebClientOIDCLoginPath string\n\twebClientTwoFactorPath string\n\twebClientTwoFactorRecoveryPath string\n\twebClientFilesPath string\n\twebClientFilePath string\n\twebClientFileActionsPath string\n\twebClientSharesPath string\n\twebClientSharePath string\n\twebClientEditFilePath string\n\twebClientDirsPath string\n\twebClientDownloadZipPath string\n\twebClientProfilePath string\n\twebClientPingPath string\n\twebChangeClientPwdPath string\n\twebClientMFAPath string\n\twebClientTOTPGeneratePath string\n\twebClientTOTPValidatePath string\n\twebClientTOTPSavePath string\n\twebClientRecoveryCodesPath string\n\twebClientPubSharesPath string\n\twebClientLogoutPath string\n\twebClientForgotPwdPath string\n\twebClientResetPwdPath string\n\twebClientViewPDFPath string\n\twebClientGetPDFPath string\n\twebClientExistPath string\n\twebClientTasksPath string\n\twebStaticFilesPath string\n\twebOpenAPIPath string\n\t// max upload size for http clients, 1GB by default\n\tmaxUploadFileSize = int64(1048576000)\n\thideSupportLink bool\n\tinstallationCode string\n\tinstallationCodeHint string\n\tfnInstallationCodeResolver FnInstallationCodeResolver\n\tconfigurationDir string\n\tdbBrandingConfig brandingCache\n)\n\nfunc init() {\n\tupdateWebAdminURLs(\"\")\n\tupdateWebClientURLs(\"\")\n\tacme.SetReloadHTTPDCertsFn(ReloadCertificateMgr)\n\tcommon.SetUpdateBrandingFn(dbBrandingConfig.Set)\n}\n\ntype brandingCache struct {\n\tmu sync.RWMutex\n\tconfigs *dataprovider.BrandingConfigs\n}\n\nfunc (b *brandingCache) Set(configs *dataprovider.BrandingConfigs) {\n\tb.mu.Lock()\n\tdefer b.mu.Unlock()\n\n\tb.configs = configs\n}\n\nfunc (b *brandingCache) getWebAdminLogo() []byte {\n\tb.mu.RLock()\n\tdefer b.mu.RUnlock()\n\n\treturn b.configs.WebAdmin.Logo\n}\n\nfunc (b *brandingCache) getWebAdminFavicon() []byte {\n\tb.mu.RLock()\n\tdefer b.mu.RUnlock()\n\n\treturn b.configs.WebAdmin.Favicon\n}\n\nfunc (b *brandingCache) getWebClientLogo() []byte {\n\tb.mu.RLock()\n\tdefer b.mu.RUnlock()\n\n\treturn b.configs.WebClient.Logo\n}\n\nfunc (b *brandingCache) getWebClientFavicon() []byte {\n\tb.mu.RLock()\n\tdefer b.mu.RUnlock()\n\n\treturn b.configs.WebClient.Favicon\n}\n\nfunc (b *brandingCache) mergeBrandingConfig(branding UIBranding, isWebClient bool) UIBranding {\n\tb.mu.RLock()\n\tdefer b.mu.RUnlock()\n\n\tvar urlPrefix string\n\tvar cfg dataprovider.BrandingConfig\n\tif isWebClient {\n\t\tcfg = b.configs.WebClient\n\t\turlPrefix = \"webclient\"\n\t} else {\n\t\tcfg = b.configs.WebAdmin\n\t\turlPrefix = \"webadmin\"\n\t}\n\tif cfg.Name != \"\" {\n\t\tbranding.Name = cfg.Name\n\t}\n\tif cfg.ShortName != \"\" {\n\t\tbranding.ShortName = cfg.ShortName\n\t}\n\tif cfg.DisclaimerName != \"\" {\n\t\tbranding.DisclaimerName = cfg.DisclaimerName\n\t}\n\tif cfg.DisclaimerURL != \"\" {\n\t\tbranding.DisclaimerPath = cfg.DisclaimerURL\n\t}\n\tif len(cfg.Logo) > 0 {\n\t\tbranding.LogoPath = path.Join(\"/\", \"branding\", urlPrefix, \"logo.png\")\n\t}\n\tif len(cfg.Favicon) > 0 {\n\t\tbranding.FaviconPath = path.Join(\"/\", \"branding\", urlPrefix, \"favicon.png\")\n\t}\n\treturn branding\n}\n\n// FnInstallationCodeResolver defines a method to get the installation code.\n// If the installation code cannot be resolved the provided default must be returned\ntype FnInstallationCodeResolver func(defaultInstallationCode string) string\n\n// HTTPSProxyHeader defines an HTTPS proxy header as key/value.\n// For example Key could be \"X-Forwarded-Proto\" and Value \"https\"\ntype HTTPSProxyHeader struct {\n\tKey string\n\tValue string\n}\n\n// SecurityConf allows to add some security related headers to HTTP responses and to restrict allowed hosts\ntype SecurityConf struct {\n\t// Set to true to enable the security configurations\n\tEnabled bool `json:\"enabled\" mapstructure:\"enabled\"`\n\t// AllowedHosts is a list of fully qualified domain names that are allowed.\n\t// Default is empty list, which allows any and all host names.\n\tAllowedHosts []string `json:\"allowed_hosts\" mapstructure:\"allowed_hosts\"`\n\t// AllowedHostsAreRegex determines if the provided allowed hosts contains valid regular expressions\n\tAllowedHostsAreRegex bool `json:\"allowed_hosts_are_regex\" mapstructure:\"allowed_hosts_are_regex\"`\n\t// HostsProxyHeaders is a set of header keys that may hold a proxied hostname value for the request.\n\tHostsProxyHeaders []string `json:\"hosts_proxy_headers\" mapstructure:\"hosts_proxy_headers\"`\n\t// Set to true to redirect HTTP requests to HTTPS\n\tHTTPSRedirect bool `json:\"https_redirect\" mapstructure:\"https_redirect\"`\n\t// HTTPSHost defines the host name that is used to redirect HTTP requests to HTTPS.\n\t// Default is \"\", which indicates to use the same host.\n\tHTTPSHost string `json:\"https_host\" mapstructure:\"https_host\"`\n\t// HTTPSProxyHeaders is a list of header keys with associated values that would indicate a valid https request.\n\tHTTPSProxyHeaders []HTTPSProxyHeader `json:\"https_proxy_headers\" mapstructure:\"https_proxy_headers\"`\n\t// STSSeconds is the max-age of the Strict-Transport-Security header.\n\t// Default is 0, which would NOT include the header.\n\tSTSSeconds int64 `json:\"sts_seconds\" mapstructure:\"sts_seconds\"`\n\t// If STSIncludeSubdomains is set to true, the \"includeSubdomains\" will be appended to the\n\t// Strict-Transport-Security header. Default is false.\n\tSTSIncludeSubdomains bool `json:\"sts_include_subdomains\" mapstructure:\"sts_include_subdomains\"`\n\t// If STSPreload is set to true, the `preload` flag will be appended to the\n\t// Strict-Transport-Security header. Default is false.\n\tSTSPreload bool `json:\"sts_preload\" mapstructure:\"sts_preload\"`\n\t// If ContentTypeNosniff is true, adds the X-Content-Type-Options header with the value \"nosniff\". Default is false.\n\tContentTypeNosniff bool `json:\"content_type_nosniff\" mapstructure:\"content_type_nosniff\"`\n\t// ContentSecurityPolicy allows to set the Content-Security-Policy header value. Default is \"\".\n\tContentSecurityPolicy string `json:\"content_security_policy\" mapstructure:\"content_security_policy\"`\n\t// PermissionsPolicy allows to set the Permissions-Policy header value. Default is \"\".\n\tPermissionsPolicy string `json:\"permissions_policy\" mapstructure:\"permissions_policy\"`\n\t// CrossOriginOpenerPolicy allows to set the Cross-Origin-Opener-Policy header value. Default is \"\".\n\tCrossOriginOpenerPolicy string `json:\"cross_origin_opener_policy\" mapstructure:\"cross_origin_opener_policy\"`\n\t// CrossOriginResourcePolicy allows to set the Cross-Origin-Resource-Policy header value. Default is \"\".\n\tCrossOriginResourcePolicy string `json:\"cross_origin_resource_policy\" mapstructure:\"cross_origin_resource_policy\"`\n\t// CrossOriginEmbedderPolicy allows to set the Cross-Origin-Embedder-Policy header value. Default is \"\".\n\tCrossOriginEmbedderPolicy string `json:\"cross_origin_embedder_policy\" mapstructure:\"cross_origin_embedder_policy\"`\n\t// CacheControl allows to set the Cache-Control header value.\n\tCacheControl string `json:\"cache_control\" mapstructure:\"cache_control\"`\n\t// ReferrerPolicy allows to set the Referrer-Policy header values.\n\tReferrerPolicy string `json:\"referrer_policy\" mapstructure:\"referrer_policy\"`\n\tproxyHeaders []string\n}\n\nfunc (s *SecurityConf) updateProxyHeaders() {\n\tif !s.Enabled {\n\t\ts.proxyHeaders = nil\n\t\treturn\n\t}\n\ts.proxyHeaders = s.HostsProxyHeaders\n\tfor _, httpsProxyHeader := range s.HTTPSProxyHeaders {\n\t\ts.proxyHeaders = append(s.proxyHeaders, httpsProxyHeader.Key)\n\t}\n}\n\nfunc (s *SecurityConf) getHTTPSProxyHeaders() map[string]string {\n\theaders := make(map[string]string)\n\tfor _, httpsProxyHeader := range s.HTTPSProxyHeaders {\n\t\theaders[httpsProxyHeader.Key] = httpsProxyHeader.Value\n\t}\n\treturn headers\n}\n\nfunc (s *SecurityConf) redirectHandler(next http.Handler) http.Handler {\n\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tif !isTLS(r) && !strings.HasPrefix(r.RequestURI, acmeChallengeURI) {\n\t\t\turl := r.URL\n\t\t\turl.Scheme = \"https\"\n\t\t\tif s.HTTPSHost != \"\" {\n\t\t\t\turl.Host = s.HTTPSHost\n\t\t\t} else {\n\t\t\t\thost := r.Host\n\t\t\t\tfor _, header := range s.HostsProxyHeaders {\n\t\t\t\t\tif h := r.Header.Get(header); h != \"\" {\n\t\t\t\t\t\thost = h\n\t\t\t\t\t\tbreak\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\turl.Host = host\n\t\t\t}\n\t\t\thttp.Redirect(w, r, url.String(), http.StatusTemporaryRedirect)\n\t\t\treturn\n\t\t}\n\t\tnext.ServeHTTP(w, r)\n\t})\n}\n\n// UIBranding defines the supported customizations for the web UIs\ntype UIBranding struct {\n\t// Name defines the text to show at the login page and as HTML title\n\tName string `json:\"name\" mapstructure:\"name\"`\n\t// ShortName defines the name to show next to the logo image\n\tShortName string `json:\"short_name\" mapstructure:\"short_name\"`\n\t// Path to your logo relative to \"static_files_path\".\n\t// For example, if you create a directory named \"branding\" inside the static dir and\n\t// put the \"mylogo.png\" file in it, you must set \"/branding/mylogo.png\" as logo path.\n\tLogoPath string `json:\"logo_path\" mapstructure:\"logo_path\"`\n\t// Path to your favicon relative to \"static_files_path\"\n\tFaviconPath string `json:\"favicon_path\" mapstructure:\"favicon_path\"`\n\t// DisclaimerName defines the name for the link to your optional disclaimer\n\tDisclaimerName string `json:\"disclaimer_name\" mapstructure:\"disclaimer_name\"`\n\t// Path to the HTML page for your disclaimer relative to \"static_files_path\"\n\t// or an absolute http/https URL.\n\tDisclaimerPath string `json:\"disclaimer_path\" mapstructure:\"disclaimer_path\"`\n\t// Path to custom CSS files, relative to \"static_files_path\", which replaces\n\t// the default CSS files\n\tDefaultCSS []string `json:\"default_css\" mapstructure:\"default_css\"`\n\t// Additional CSS file paths, relative to \"static_files_path\", to include\n\tExtraCSS []string `json:\"extra_css\" mapstructure:\"extra_css\"`\n\tDefaultLogoPath string `json:\"-\" mapstructure:\"-\"`\n\tDefaultFaviconPath string `json:\"-\" mapstructure:\"-\"`\n}\n\nfunc (b *UIBranding) check() {\n\tb.DefaultLogoPath = \"/img/logo.png\"\n\tb.DefaultFaviconPath = \"/favicon.png\"\n\tif b.LogoPath != \"\" {\n\t\tb.LogoPath = util.CleanPath(b.LogoPath)\n\t} else {\n\t\tb.LogoPath = b.DefaultLogoPath\n\t}\n\tif b.FaviconPath != \"\" {\n\t\tb.FaviconPath = util.CleanPath(b.FaviconPath)\n\t} else {\n\t\tb.FaviconPath = b.DefaultFaviconPath\n\t}\n\tif b.DisclaimerPath != \"\" {\n\t\tif !strings.HasPrefix(b.DisclaimerPath, \"https://\") && !strings.HasPrefix(b.DisclaimerPath, \"http://\") {\n\t\t\tb.DisclaimerPath = path.Join(webStaticFilesPath, util.CleanPath(b.DisclaimerPath))\n\t\t}\n\t}\n\tif len(b.DefaultCSS) > 0 {\n\t\tfor idx := range b.DefaultCSS {\n\t\t\tb.DefaultCSS[idx] = util.CleanPath(b.DefaultCSS[idx])\n\t\t}\n\t} else {\n\t\tb.DefaultCSS = []string{\n\t\t\t\"/assets/plugins/global/plugins.bundle.css\",\n\t\t\t\"/assets/css/style.bundle.css\",\n\t\t}\n\t}\n\tfor idx := range b.ExtraCSS {\n\t\tb.ExtraCSS[idx] = util.CleanPath(b.ExtraCSS[idx])\n\t}\n}\n\n// Branding defines the branding-related customizations supported\ntype Branding struct {\n\tWebAdmin UIBranding `json:\"web_admin\" mapstructure:\"web_admin\"`\n\tWebClient UIBranding `json:\"web_client\" mapstructure:\"web_client\"`\n}\n\n// WebClientIntegration defines the configuration for an external Web Client integration\ntype WebClientIntegration struct {\n\t// Files with these extensions can be sent to the configured URL\n\tFileExtensions []string `json:\"file_extensions\" mapstructure:\"file_extensions\"`\n\t// URL that will receive the files\n\tURL string `json:\"url\" mapstructure:\"url\"`\n}\n\n// Binding defines the configuration for a network listener\ntype Binding struct {\n\t// The address to listen on. A blank value means listen on all available network interfaces.\n\tAddress string `json:\"address\" mapstructure:\"address\"`\n\t// The port used for serving requests\n\tPort int `json:\"port\" mapstructure:\"port\"`\n\t// Enable the built-in admin interface.\n\t// You have to define TemplatesPath and StaticFilesPath for this to work\n\tEnableWebAdmin bool `json:\"enable_web_admin\" mapstructure:\"enable_web_admin\"`\n\t// Enable the built-in client interface.\n\t// You have to define TemplatesPath and StaticFilesPath for this to work\n\tEnableWebClient bool `json:\"enable_web_client\" mapstructure:\"enable_web_client\"`\n\t// Enable REST API\n\tEnableRESTAPI bool `json:\"enable_rest_api\" mapstructure:\"enable_rest_api\"`\n\t// Defines the login methods available for the WebAdmin and WebClient UIs:\n\t//\n\t// - 0 means any configured method: username/password login form and OIDC, if enabled\n\t// - 1 means OIDC for the WebAdmin UI\n\t// - 2 means OIDC for the WebClient UI\n\t// - 4 means login form for the WebAdmin UI\n\t// - 8 means login form for the WebClient UI\n\t//\n\t// You can combine the values. For example 3 means that you can only login using OIDC on\n\t// both WebClient and WebAdmin UI.\n\t// Deprecated because it is not extensible, use DisabledLoginMethods\n\tEnabledLoginMethods int `json:\"enabled_login_methods\" mapstructure:\"enabled_login_methods\"`\n\t// Defines the login methods disabled for the WebAdmin and WebClient UIs:\n\t//\n\t// - 1 means OIDC for the WebAdmin UI\n\t// - 2 means OIDC for the WebClient UI\n\t// - 4 means login form for the WebAdmin UI\n\t// - 8 means login form for the WebClient UI\n\t// - 16 means basic auth for admin REST API\n\t// - 32 means basic auth for user REST API\n\t// - 64 means API key auth for admins\n\t// - 128 means API key auth for users\n\t// You can combine the values. For example 12 means that you can only login using OIDC on\n\t// both WebClient and WebAdmin UI.\n\tDisabledLoginMethods int `json:\"disabled_login_methods\" mapstructure:\"disabled_login_methods\"`\n\t// you also need to provide a certificate for enabling HTTPS\n\tEnableHTTPS bool `json:\"enable_https\" mapstructure:\"enable_https\"`\n\t// Certificate and matching private key for this specific binding, if empty the global\n\t// ones will be used, if any\n\tCertificateFile string `json:\"certificate_file\" mapstructure:\"certificate_file\"`\n\tCertificateKeyFile string `json:\"certificate_key_file\" mapstructure:\"certificate_key_file\"`\n\t// Defines the minimum TLS version. 13 means TLS 1.3, default is TLS 1.2\n\tMinTLSVersion int `json:\"min_tls_version\" mapstructure:\"min_tls_version\"`\n\t// set to 1 to require client certificate authentication in addition to basic auth.\n\t// You need to define at least a certificate authority for this to work\n\tClientAuthType int `json:\"client_auth_type\" mapstructure:\"client_auth_type\"`\n\t// TLSCipherSuites is a list of supported cipher suites for TLS version 1.2.\n\t// If CipherSuites is nil/empty, a default list of secure cipher suites\n\t// is used, with a preference order based on hardware performance.\n\t// Note that TLS 1.3 ciphersuites are not configurable.\n\t// The supported ciphersuites names are defined here:\n\t//\n\t// https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L53\n\t//\n\t// any invalid name will be silently ignored.\n\t// The order matters, the ciphers listed first will be the preferred ones.\n\tTLSCipherSuites []string `json:\"tls_cipher_suites\" mapstructure:\"tls_cipher_suites\"`\n\t// HTTP protocols in preference order. Supported values: http/1.1, h2\n\tProtocols []string `json:\"tls_protocols\" mapstructure:\"tls_protocols\"`\n\t// Defines whether to use the common proxy protocol configuration or the\n\t// binding-specific proxy header configuration.\n\tProxyMode int `json:\"proxy_mode\" mapstructure:\"proxy_mode\"`\n\t// List of IP addresses and IP ranges allowed to set client IP proxy headers and\n\t// X-Forwarded-Proto header.\n\tProxyAllowed []string `json:\"proxy_allowed\" mapstructure:\"proxy_allowed\"`\n\t// Allowed client IP proxy header such as \"X-Forwarded-For\", \"X-Real-IP\"\n\tClientIPProxyHeader string `json:\"client_ip_proxy_header\" mapstructure:\"client_ip_proxy_header\"`\n\t// Some client IP headers such as \"X-Forwarded-For\" can contain multiple IP address, this setting\n\t// define the position to trust starting from the right. For example if we have:\n\t// \"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1\" and the depth is 0, SFTPGo will use \"13.0.0.1\"\n\t// as client IP, if depth is 1, \"12.0.0.1\" will be used and so on\n\tClientIPHeaderDepth int `json:\"client_ip_header_depth\" mapstructure:\"client_ip_header_depth\"`\n\t// If both web admin and web client are enabled each login page will show a link\n\t// to the other one. This setting allows to hide this link:\n\t// - 0 login links are displayed on both admin and client login page. This is the default\n\t// - 1 the login link to the web client login page is hidden on admin login page\n\t// - 2 the login link to the web admin login page is hidden on client login page\n\t// The flags can be combined, for example 3 will disable both login links.\n\tHideLoginURL int `json:\"hide_login_url\" mapstructure:\"hide_login_url\"`\n\t// Enable the built-in OpenAPI renderer\n\tRenderOpenAPI bool `json:\"render_openapi\" mapstructure:\"render_openapi\"`\n\t// BaseURL defines the external base URL for generating public links\n\t// (currently share access link), bypassing the default browser-based\n\t// detection.\n\tBaseURL string `json:\"base_url\" mapstructure:\"base_url\"`\n\t// Languages defines the list of enabled translations for the WebAdmin and WebClient UI.\n\tLanguages []string `json:\"languages\" mapstructure:\"languages\"`\n\t// Defining an OIDC configuration the web admin and web client UI will use OpenID to authenticate users.\n\tOIDC OIDC `json:\"oidc\" mapstructure:\"oidc\"`\n\t// Security defines security headers to add to HTTP responses and allows to restrict allowed hosts\n\tSecurity SecurityConf `json:\"security\" mapstructure:\"security\"`\n\t// Branding defines customizations to suit your brand\n\tBranding Branding `json:\"branding\" mapstructure:\"branding\"`\n\tallowHeadersFrom []func(net.IP) bool\n}\n\nfunc (b *Binding) checkBranding() {\n\tb.Branding.WebAdmin.check()\n\tb.Branding.WebClient.check()\n\tif b.Branding.WebAdmin.Name == \"\" {\n\t\tb.Branding.WebAdmin.Name = \"SFTPGo WebAdmin\"\n\t}\n\tif b.Branding.WebAdmin.ShortName == \"\" {\n\t\tb.Branding.WebAdmin.ShortName = \"WebAdmin\"\n\t}\n\tif b.Branding.WebClient.Name == \"\" {\n\t\tb.Branding.WebClient.Name = \"SFTPGo WebClient\"\n\t}\n\tif b.Branding.WebClient.ShortName == \"\" {\n\t\tb.Branding.WebClient.ShortName = \"WebClient\"\n\t}\n}\n\nfunc (b *Binding) webAdminBranding() UIBranding {\n\treturn dbBrandingConfig.mergeBrandingConfig(b.Branding.WebAdmin, false)\n}\n\nfunc (b *Binding) webClientBranding() UIBranding {\n\treturn dbBrandingConfig.mergeBrandingConfig(b.Branding.WebClient, true)\n}\n\nfunc (b *Binding) languages() []string {\n\treturn b.Languages\n}\n\nfunc (b *Binding) validateBaseURL() error {\n\tif b.BaseURL == \"\" {\n\t\treturn nil\n\t}\n\tu, err := url.ParseRequestURI(b.BaseURL)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif u.Scheme != \"http\" && u.Scheme != \"https\" {\n\t\treturn fmt.Errorf(\"invalid base URL schema %s\", b.BaseURL)\n\t}\n\tif u.Host == \"\" {\n\t\treturn fmt.Errorf(\"invalid base URL host %s\", b.BaseURL)\n\t}\n\tb.BaseURL = strings.TrimRight(u.String(), \"/\")\n\treturn nil\n}\n\nfunc (b *Binding) parseAllowedProxy() error {\n\tif filepath.IsAbs(b.Address) && len(b.ProxyAllowed) > 0 {\n\t\t// unix domain socket\n\t\tb.allowHeadersFrom = []func(net.IP) bool{func(_ net.IP) bool { return true }}\n\t\treturn nil\n\t}\n\tallowedFuncs, err := util.ParseAllowedIPAndRanges(b.ProxyAllowed)\n\tif err != nil {\n\t\treturn err\n\t}\n\tb.allowHeadersFrom = allowedFuncs\n\treturn nil\n}\n\n// GetAddress returns the binding address\nfunc (b *Binding) GetAddress() string {\n\treturn fmt.Sprintf(\"%s:%d\", b.Address, b.Port)\n}\n\n// IsValid returns true if the binding is valid\nfunc (b *Binding) IsValid() bool {\n\tif !b.EnableRESTAPI && !b.EnableWebAdmin && !b.EnableWebClient {\n\t\treturn false\n\t}\n\tif b.Port > 0 {\n\t\treturn true\n\t}\n\tif filepath.IsAbs(b.Address) && runtime.GOOS != osWindows {\n\t\treturn true\n\t}\n\treturn false\n}\n\nfunc (b *Binding) check() error {\n\tif err := b.parseAllowedProxy(); err != nil {\n\t\treturn err\n\t}\n\tif err := b.validateBaseURL(); err != nil {\n\t\treturn err\n\t}\n\tb.checkBranding()\n\tb.Security.updateProxyHeaders()\n\treturn nil\n}\n\nfunc (b *Binding) isWebAdminOIDCLoginDisabled() bool {\n\tif b.EnableWebAdmin {\n\t\treturn b.DisabledLoginMethods&1 != 0\n\t}\n\treturn false\n}\n\nfunc (b *Binding) isWebClientOIDCLoginDisabled() bool {\n\tif b.EnableWebClient {\n\t\treturn b.DisabledLoginMethods&2 != 0\n\t}\n\treturn false\n}\n\nfunc (b *Binding) isWebAdminLoginFormDisabled() bool {\n\tif b.EnableWebAdmin {\n\t\treturn b.DisabledLoginMethods&4 != 0\n\t}\n\treturn false\n}\n\nfunc (b *Binding) isWebClientLoginFormDisabled() bool {\n\tif b.EnableWebClient {\n\t\treturn b.DisabledLoginMethods&8 != 0\n\t}\n\treturn false\n}\n\nfunc (b *Binding) isAdminTokenEndpointDisabled() bool {\n\treturn b.DisabledLoginMethods&16 != 0\n}\n\nfunc (b *Binding) isUserTokenEndpointDisabled() bool {\n\treturn b.DisabledLoginMethods&32 != 0\n}\n\nfunc (b *Binding) isAdminAPIKeyAuthDisabled() bool {\n\treturn b.DisabledLoginMethods&64 != 0\n}\n\nfunc (b *Binding) isUserAPIKeyAuthDisabled() bool {\n\treturn b.DisabledLoginMethods&128 != 0\n}\n\nfunc (b *Binding) hasLoginForAPI() bool {\n\treturn !b.isAdminTokenEndpointDisabled() || !b.isUserTokenEndpointDisabled() ||\n\t\t!b.isAdminAPIKeyAuthDisabled() || !b.isUserAPIKeyAuthDisabled()\n}\n\n// convertLoginMethods checks if the deprecated EnabledLoginMethods is set and\n// convert the value to DisabledLoginMethods.\nfunc (b *Binding) convertLoginMethods() {\n\tif b.DisabledLoginMethods > 0 || b.EnabledLoginMethods == 0 {\n\t\t// DisabledLoginMethods already in use or EnabledLoginMethods not set.\n\t\treturn\n\t}\n\tif b.EnabledLoginMethods&1 == 0 {\n\t\tb.DisabledLoginMethods++\n\t}\n\tif b.EnabledLoginMethods&2 == 0 {\n\t\tb.DisabledLoginMethods += 2\n\t}\n\tif b.EnabledLoginMethods&4 == 0 {\n\t\tb.DisabledLoginMethods += 4\n\t}\n\tif b.EnabledLoginMethods&8 == 0 {\n\t\tb.DisabledLoginMethods += 8\n\t}\n}\n\nfunc (b *Binding) checkLoginMethods() error {\n\tb.convertLoginMethods()\n\tif b.isWebAdminLoginFormDisabled() && b.isWebAdminOIDCLoginDisabled() {\n\t\treturn errors.New(\"no login method available for WebAdmin UI\")\n\t}\n\tif !b.isWebAdminOIDCLoginDisabled() {\n\t\tif b.isWebAdminLoginFormDisabled() && !b.OIDC.hasRoles() {\n\t\t\treturn errors.New(\"no login method available for WebAdmin UI\")\n\t\t}\n\t}\n\tif b.isWebClientLoginFormDisabled() && b.isWebClientOIDCLoginDisabled() {\n\t\treturn errors.New(\"no login method available for WebClient UI\")\n\t}\n\tif !b.isWebClientOIDCLoginDisabled() {\n\t\tif b.isWebClientLoginFormDisabled() && !b.OIDC.isEnabled() {\n\t\t\treturn errors.New(\"no login method available for WebClient UI\")\n\t\t}\n\t}\n\tif b.EnableRESTAPI && !b.hasLoginForAPI() {\n\t\treturn errors.New(\"no login method available for REST API\")\n\t}\n\treturn nil\n}\n\nfunc (b *Binding) showAdminLoginURL() bool {\n\tif !b.EnableWebAdmin {\n\t\treturn false\n\t}\n\tif b.HideLoginURL&2 != 0 {\n\t\treturn false\n\t}\n\treturn true\n}\n\nfunc (b *Binding) showClientLoginURL() bool {\n\tif !b.EnableWebClient {\n\t\treturn false\n\t}\n\tif b.HideLoginURL&1 != 0 {\n\t\treturn false\n\t}\n\treturn true\n}\n\nfunc (b *Binding) isMutualTLSEnabled() bool {\n\treturn b.ClientAuthType == 1\n}\n\nfunc (b *Binding) listenerWrapper() func(net.Listener) (net.Listener, error) {\n\tif b.ProxyMode == 1 {\n\t\treturn common.Config.GetProxyListener\n\t}\n\treturn nil\n}\n\ntype defenderStatus struct {\n\tIsActive bool `json:\"is_active\"`\n}\n\ntype allowListStatus struct {\n\tIsActive bool `json:\"is_active\"`\n}\n\ntype rateLimiters struct {\n\tIsActive bool `json:\"is_active\"`\n\tProtocols []string `json:\"protocols\"`\n}\n\n// GetProtocolsAsString returns the enabled protocols as comma separated string\nfunc (r *rateLimiters) GetProtocolsAsString() string {\n\treturn strings.Join(r.Protocols, \", \")\n}\n\n// ServicesStatus keep the state of the running services\ntype ServicesStatus struct {\n\tSSH sftpd.ServiceStatus `json:\"ssh\"`\n\tFTP ftpd.ServiceStatus `json:\"ftp\"`\n\tWebDAV webdavd.ServiceStatus `json:\"webdav\"`\n\tDataProvider dataprovider.ProviderStatus `json:\"data_provider\"`\n\tDefender defenderStatus `json:\"defender\"`\n\tMFA mfa.ServiceStatus `json:\"mfa\"`\n\tAllowList allowListStatus `json:\"allow_list\"`\n\tRateLimiters rateLimiters `json:\"rate_limiters\"`\n}\n\n// SetupConfig defines the configuration parameters for the initial web admin setup\ntype SetupConfig struct {\n\t// Installation code to require when creating the first admin account.\n\t// As for the other configurations, this value is read at SFTPGo startup and not at runtime\n\t// even if set using an environment variable.\n\t// This is not a license key or similar, the purpose here is to prevent anyone who can access\n\t// to the initial setup screen from creating an admin user\n\tInstallationCode string `json:\"installation_code\" mapstructure:\"installation_code\"`\n\t// Description for the installation code input field\n\tInstallationCodeHint string `json:\"installation_code_hint\" mapstructure:\"installation_code_hint\"`\n}\n\n// CorsConfig defines the CORS configuration\ntype CorsConfig struct {\n\tAllowedOrigins []string `json:\"allowed_origins\" mapstructure:\"allowed_origins\"`\n\tAllowedMethods []string `json:\"allowed_methods\" mapstructure:\"allowed_methods\"`\n\tAllowedHeaders []string `json:\"allowed_headers\" mapstructure:\"allowed_headers\"`\n\tExposedHeaders []string `json:\"exposed_headers\" mapstructure:\"exposed_headers\"`\n\tAllowCredentials bool `json:\"allow_credentials\" mapstructure:\"allow_credentials\"`\n\tEnabled bool `json:\"enabled\" mapstructure:\"enabled\"`\n\tMaxAge int `json:\"max_age\" mapstructure:\"max_age\"`\n\tOptionsPassthrough bool `json:\"options_passthrough\" mapstructure:\"options_passthrough\"`\n\tOptionsSuccessStatus int `json:\"options_success_status\" mapstructure:\"options_success_status\"`\n\tAllowPrivateNetwork bool `json:\"allow_private_network\" mapstructure:\"allow_private_network\"`\n}\n\n// Conf httpd daemon configuration\ntype Conf struct {\n\t// Addresses and ports to bind to\n\tBindings []Binding `json:\"bindings\" mapstructure:\"bindings\"`\n\t// Path to the HTML web templates. This can be an absolute path or a path relative to the config dir\n\tTemplatesPath string `json:\"templates_path\" mapstructure:\"templates_path\"`\n\t// Path to the static files for the web interface. This can be an absolute path or a path relative to the config dir.\n\t// If both TemplatesPath and StaticFilesPath are empty the built-in web interface will be disabled\n\tStaticFilesPath string `json:\"static_files_path\" mapstructure:\"static_files_path\"`\n\t// Path to the backup directory. This can be an absolute path or a path relative to the config dir\n\t//BackupsPath string `json:\"backups_path\" mapstructure:\"backups_path\"`\n\t// Path to the directory that contains the OpenAPI schema and the default renderer.\n\t// This can be an absolute path or a path relative to the config dir\n\tOpenAPIPath string `json:\"openapi_path\" mapstructure:\"openapi_path\"`\n\t// Defines a base URL for the web admin and client interfaces. If empty web admin and client resources will\n\t// be available at the root (\"/\") URI. If defined it must be an absolute URI or it will be ignored.\n\tWebRoot string `json:\"web_root\" mapstructure:\"web_root\"`\n\t// If files containing a certificate and matching private key for the server are provided you can enable\n\t// HTTPS connections for the configured bindings.\n\t// Certificate and key files can be reloaded on demand sending a \"SIGHUP\" signal on Unix based systems and a\n\t// \"paramchange\" request to the running service on Windows.\n\tCertificateFile string `json:\"certificate_file\" mapstructure:\"certificate_file\"`\n\tCertificateKeyFile string `json:\"certificate_key_file\" mapstructure:\"certificate_key_file\"`\n\t// CACertificates defines the set of root certificate authorities to be used to verify client certificates.\n\tCACertificates []string `json:\"ca_certificates\" mapstructure:\"ca_certificates\"`\n\t// CARevocationLists defines a set a revocation lists, one for each root CA, to be used to check\n\t// if a client certificate has been revoked\n\tCARevocationLists []string `json:\"ca_revocation_lists\" mapstructure:\"ca_revocation_lists\"`\n\t// SigningPassphrase defines the passphrase to use to derive the signing key for JWT and CSRF tokens.\n\t// If empty a random signing key will be generated each time SFTPGo starts. If you set a\n\t// signing passphrase you should consider rotating it periodically for added security\n\tSigningPassphrase string `json:\"signing_passphrase\" mapstructure:\"signing_passphrase\"`\n\tSigningPassphraseFile string `json:\"signing_passphrase_file\" mapstructure:\"signing_passphrase_file\"`\n\t// TokenValidation allows to define how to validate JWT tokens, cookies and CSRF tokens.\n\t// By default all the available security checks are enabled. Set to 1 to disable the requirement\n\t// that a token must be used by the same IP for which it was issued.\n\tTokenValidation int `json:\"token_validation\" mapstructure:\"token_validation\"`\n\t// CookieLifetime defines the duration of cookies for WebAdmin and WebClient\n\tCookieLifetime int `json:\"cookie_lifetime\" mapstructure:\"cookie_lifetime\"`\n\t// ShareCookieLifetime defines the duration of cookies for public shares\n\tShareCookieLifetime int `json:\"share_cookie_lifetime\" mapstructure:\"share_cookie_lifetime\"`\n\t// JWTLifetime defines the duration of JWT tokens used in REST API\n\tJWTLifetime int `json:\"jwt_lifetime\" mapstructure:\"jwt_lifetime\"`\n\t// MaxUploadFileSize Defines the maximum request body size, in bytes, for Web Client/API HTTP upload requests.\n\t// 0 means no limit\n\tMaxUploadFileSize int64 `json:\"max_upload_file_size\" mapstructure:\"max_upload_file_size\"`\n\t// CORS configuration\n\tCors CorsConfig `json:\"cors\" mapstructure:\"cors\"`\n\t// Initial setup configuration\n\tSetup SetupConfig `json:\"setup\" mapstructure:\"setup\"`\n\t// If enabled, the link to the sponsors section will not appear on the setup screen page\n\tHideSupportLink bool `json:\"hide_support_link\" mapstructure:\"hide_support_link\"`\n\tacmeDomain string\n}\n\ntype apiResponse struct {\n\tError string `json:\"error,omitempty\"`\n\tMessage string `json:\"message\"`\n}\n\n// ShouldBind returns true if there is at least a valid binding\nfunc (c *Conf) ShouldBind() bool {\n\tfor _, binding := range c.Bindings {\n\t\tif binding.IsValid() {\n\t\t\treturn true\n\t\t}\n\t}\n\n\treturn false\n}\n\nfunc (c *Conf) isWebAdminEnabled() bool {\n\tfor _, binding := range c.Bindings {\n\t\tif binding.EnableWebAdmin {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\nfunc (c *Conf) isWebClientEnabled() bool {\n\tfor _, binding := range c.Bindings {\n\t\tif binding.EnableWebClient {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\nfunc (c *Conf) checkRequiredDirs(staticFilesPath, templatesPath string) error {\n\tif (c.isWebAdminEnabled() || c.isWebClientEnabled()) && (staticFilesPath == \"\" || templatesPath == \"\") {\n\t\treturn fmt.Errorf(\"required directory is invalid, static file path: %q template path: %q\",\n\t\t\tstaticFilesPath, templatesPath)\n\t}\n\treturn nil\n}\n\nfunc (c *Conf) getRedacted() Conf {\n\tredacted := \"[redacted]\"\n\tconf := *c\n\tif conf.SigningPassphrase != \"\" {\n\t\tconf.SigningPassphrase = redacted\n\t}\n\tif conf.Setup.InstallationCode != \"\" {\n\t\tconf.Setup.InstallationCode = redacted\n\t}\n\tconf.Bindings = nil\n\tfor _, binding := range c.Bindings {\n\t\tif binding.OIDC.ClientID != \"\" {\n\t\t\tbinding.OIDC.ClientID = redacted\n\t\t}\n\t\tif binding.OIDC.ClientSecret != \"\" {\n\t\t\tbinding.OIDC.ClientSecret = redacted\n\t\t}\n\t\tconf.Bindings = append(conf.Bindings, binding)\n\t}\n\treturn conf\n}\n\nfunc (c *Conf) getKeyPairs(configDir string) []common.TLSKeyPair {\n\tvar keyPairs []common.TLSKeyPair\n\n\tfor _, binding := range c.Bindings {\n\t\tcertificateFile := getConfigPath(binding.CertificateFile, configDir)\n\t\tcertificateKeyFile := getConfigPath(binding.CertificateKeyFile, configDir)\n\t\tif certificateFile != \"\" && certificateKeyFile != \"\" {\n\t\t\tkeyPairs = append(keyPairs, common.TLSKeyPair{\n\t\t\t\tCert: certificateFile,\n\t\t\t\tKey: certificateKeyFile,\n\t\t\t\tID: binding.GetAddress(),\n\t\t\t})\n\t\t}\n\t}\n\tvar certificateFile, certificateKeyFile string\n\tif c.acmeDomain != \"\" {\n\t\tcertificateFile, certificateKeyFile = util.GetACMECertificateKeyPair(c.acmeDomain)\n\t} else {\n\t\tcertificateFile = getConfigPath(c.CertificateFile, configDir)\n\t\tcertificateKeyFile = getConfigPath(c.CertificateKeyFile, configDir)\n\t}\n\tif certificateFile != \"\" && certificateKeyFile != \"\" {\n\t\tkeyPairs = append(keyPairs, common.TLSKeyPair{\n\t\t\tCert: certificateFile,\n\t\t\tKey: certificateKeyFile,\n\t\t\tID: common.DefaultTLSKeyPaidID,\n\t\t})\n\t}\n\treturn keyPairs\n}\n\nfunc (c *Conf) setTokenValidationMode() {\n\ttokenValidationMode = c.TokenValidation\n}\n\nfunc (c *Conf) loadFromProvider() error {\n\tconfigs, err := dataprovider.GetConfigs()\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to load config from provider: %w\", err)\n\t}\n\tconfigs.SetNilsToEmpty()\n\tdbBrandingConfig.Set(configs.Branding)\n\tif configs.ACME.Domain == \"\" || !configs.ACME.HasProtocol(common.ProtocolHTTP) {\n\t\treturn nil\n\t}\n\tcrt, key := util.GetACMECertificateKeyPair(configs.ACME.Domain)\n\tif crt != \"\" && key != \"\" {\n\t\tif _, err := os.Stat(crt); err != nil {\n\t\t\tlogger.Error(logSender, \"\", \"unable to load acme cert file %q: %v\", crt, err)\n\t\t\treturn nil\n\t\t}\n\t\tif _, err := os.Stat(key); err != nil {\n\t\t\tlogger.Error(logSender, \"\", \"unable to load acme key file %q: %v\", key, err)\n\t\t\treturn nil\n\t\t}\n\t\tfor idx := range c.Bindings {\n\t\t\tif c.Bindings[idx].Security.Enabled && c.Bindings[idx].Security.HTTPSRedirect {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tc.Bindings[idx].EnableHTTPS = true\n\t\t}\n\t\tc.acmeDomain = configs.ACME.Domain\n\t\tlogger.Info(logSender, \"\", \"acme domain set to %q\", c.acmeDomain)\n\t\treturn nil\n\t}\n\treturn nil\n}\n\nfunc (c *Conf) loadTemplates(templatesPath string) {\n\tif c.isWebAdminEnabled() {\n\t\tupdateWebAdminURLs(c.WebRoot)\n\t\tloadAdminTemplates(templatesPath)\n\t} else {\n\t\tlogger.Info(logSender, \"\", \"built-in web admin interface disabled\")\n\t}\n\tif c.isWebClientEnabled() {\n\t\tupdateWebClientURLs(c.WebRoot)\n\t\tloadClientTemplates(templatesPath)\n\t} else {\n\t\tlogger.Info(logSender, \"\", \"built-in web client interface disabled\")\n\t}\n}\n\n// Initialize configures and starts the HTTP server\nfunc (c *Conf) Initialize(configDir string, isShared int) error {\n\tif err := c.loadFromProvider(); err != nil {\n\t\treturn err\n\t}\n\tlogger.Info(logSender, \"\", \"initializing HTTP server with config %+v\", c.getRedacted())\n\tconfigurationDir = configDir\n\tinvalidatedJWTTokens = newTokenManager(isShared)\n\tresetCodesMgr = newResetCodeManager(isShared)\n\toidcMgr = newOIDCManager(isShared)\n\toauth2Mgr = newOAuth2Manager(isShared)\n\twebTaskMgr = newWebTaskManager(isShared)\n\tstaticFilesPath := util.FindSharedDataPath(c.StaticFilesPath, configDir)\n\ttemplatesPath := util.FindSharedDataPath(c.TemplatesPath, configDir)\n\topenAPIPath := util.FindSharedDataPath(c.OpenAPIPath, configDir)\n\tif err := c.checkRequiredDirs(staticFilesPath, templatesPath); err != nil {\n\t\treturn err\n\t}\n\tc.loadTemplates(templatesPath)\n\tkeyPairs := c.getKeyPairs(configDir)\n\tif len(keyPairs) > 0 {\n\t\tmgr, err := common.NewCertManager(keyPairs, configDir, logSender)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tmgr.SetCACertificates(c.CACertificates)\n\t\tif err := mgr.LoadRootCAs(); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tmgr.SetCARevocationLists(c.CARevocationLists)\n\t\tif err := mgr.LoadCRLs(); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tcertMgr = mgr\n\t}\n\n\tif c.SigningPassphraseFile != \"\" {\n\t\tpassphrase, err := util.ReadConfigFromFile(c.SigningPassphraseFile, configDir)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tc.SigningPassphrase = passphrase\n\t}\n\n\thideSupportLink = c.HideSupportLink\n\n\texitChannel := make(chan error, 1)\n\n\tfor _, binding := range c.Bindings {\n\t\tif !binding.IsValid() {\n\t\t\tcontinue\n\t\t}\n\t\tif err := binding.check(); err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\tgo func(b Binding) {\n\t\t\tif err := b.OIDC.initialize(); err != nil {\n\t\t\t\texitChannel <- err\n\t\t\t\treturn\n\t\t\t}\n\t\t\tif err := b.checkLoginMethods(); err != nil {\n\t\t\t\texitChannel <- err\n\t\t\t\treturn\n\t\t\t}\n\t\t\tserver := newHttpdServer(b, staticFilesPath, c.SigningPassphrase, c.Cors, openAPIPath)\n\t\t\tserver.setShared(isShared)\n\n\t\t\texitChannel <- server.listenAndServe()\n\t\t}(binding)\n\t}\n\n\tmaxUploadFileSize = c.MaxUploadFileSize\n\tinstallationCode = c.Setup.InstallationCode\n\tinstallationCodeHint = c.Setup.InstallationCodeHint\n\tupdateTokensDuration(c.JWTLifetime, c.CookieLifetime, c.ShareCookieLifetime)\n\tstartCleanupTicker(10 * time.Minute)\n\tc.setTokenValidationMode()\n\treturn <-exitChannel\n}\n\nfunc isWebRequest(r *http.Request) bool {\n\treturn strings.HasPrefix(r.RequestURI, webBasePath+\"/\")\n}\n\nfunc isWebClientRequest(r *http.Request) bool {\n\treturn strings.HasPrefix(r.RequestURI, webBaseClientPath+\"/\")\n}\n\n// ReloadCertificateMgr reloads the certificate manager\nfunc ReloadCertificateMgr() error {\n\tif certMgr != nil {\n\t\treturn certMgr.Reload()\n\t}\n\treturn nil\n}\n\nfunc getConfigPath(name, configDir string) string {\n\tif !util.IsFileInputValid(name) {\n\t\treturn \"\"\n\t}\n\tif name != \"\" && !filepath.IsAbs(name) {\n\t\treturn filepath.Join(configDir, name)\n\t}\n\treturn name\n}\n\nfunc getServicesStatus() *ServicesStatus {\n\trtlEnabled, rtlProtocols := common.Config.GetRateLimitersStatus()\n\tstatus := &ServicesStatus{\n\t\tSSH: sftpd.GetStatus(),\n\t\tFTP: ftpd.GetStatus(),\n\t\tWebDAV: webdavd.GetStatus(),\n\t\tDataProvider: dataprovider.GetProviderStatus(),\n\t\tDefender: defenderStatus{\n\t\t\tIsActive: common.Config.DefenderConfig.Enabled,\n\t\t},\n\t\tMFA: mfa.GetStatus(),\n\t\tAllowList: allowListStatus{\n\t\t\tIsActive: common.Config.IsAllowListEnabled(),\n\t\t},\n\t\tRateLimiters: rateLimiters{\n\t\t\tIsActive: rtlEnabled,\n\t\t\tProtocols: rtlProtocols,\n\t\t},\n\t}\n\treturn status\n}\n\nfunc fileServer(r chi.Router, path string, root http.FileSystem, disableDirectoryIndex bool) {\n\tif path != \"/\" && path[len(path)-1] != '/' {\n\t\tr.Get(path, http.RedirectHandler(path+\"/\", http.StatusMovedPermanently).ServeHTTP)\n\t\tpath += \"/\"\n\t}\n\tpath += \"*\"\n\n\tr.Get(path, func(w http.ResponseWriter, r *http.Request) {\n\t\trctx := chi.RouteContext(r.Context())\n\t\tpathPrefix := strings.TrimSuffix(rctx.RoutePattern(), \"/*\")\n\t\tif disableDirectoryIndex {\n\t\t\troot = neuteredFileSystem{root}\n\t\t}\n\t\tfs := http.StripPrefix(pathPrefix, http.FileServer(root))\n\t\tfs.ServeHTTP(w, r)\n\t})\n}\n\nfunc updateWebClientURLs(baseURL string) {\n\tif !path.IsAbs(baseURL) {\n\t\tbaseURL = \"/\"\n\t}\n\twebRootPath = path.Join(baseURL, webRootPathDefault)\n\twebBasePath = path.Join(baseURL, webBasePathDefault)\n\twebBaseClientPath = path.Join(baseURL, webBasePathClientDefault)\n\twebOIDCRedirectPath = path.Join(baseURL, webOIDCRedirectPathDefault)\n\twebClientLoginPath = path.Join(baseURL, webClientLoginPathDefault)\n\twebClientOIDCLoginPath = path.Join(baseURL, webClientOIDCLoginPathDefault)\n\twebClientTwoFactorPath = path.Join(baseURL, webClientTwoFactorPathDefault)\n\twebClientTwoFactorRecoveryPath = path.Join(baseURL, webClientTwoFactorRecoveryPathDefault)\n\twebClientFilesPath = path.Join(baseURL, webClientFilesPathDefault)\n\twebClientFilePath = path.Join(baseURL, webClientFilePathDefault)\n\twebClientFileActionsPath = path.Join(baseURL, webClientFileActionsPathDefault)\n\twebClientSharesPath = path.Join(baseURL, webClientSharesPathDefault)\n\twebClientPubSharesPath = path.Join(baseURL, webClientPubSharesPathDefault)\n\twebClientSharePath = path.Join(baseURL, webClientSharePathDefault)\n\twebClientEditFilePath = path.Join(baseURL, webClientEditFilePathDefault)\n\twebClientDirsPath = path.Join(baseURL, webClientDirsPathDefault)\n\twebClientDownloadZipPath = path.Join(baseURL, webClientDownloadZipPathDefault)\n\twebClientProfilePath = path.Join(baseURL, webClientProfilePathDefault)\n\twebClientPingPath = path.Join(baseURL, webClientPingPathDefault)\n\twebChangeClientPwdPath = path.Join(baseURL, webChangeClientPwdPathDefault)\n\twebClientLogoutPath = path.Join(baseURL, webClientLogoutPathDefault)\n\twebClientMFAPath = path.Join(baseURL, webClientMFAPathDefault)\n\twebClientTOTPGeneratePath = path.Join(baseURL, webClientTOTPGeneratePathDefault)\n\twebClientTOTPValidatePath = path.Join(baseURL, webClientTOTPValidatePathDefault)\n\twebClientTOTPSavePath = path.Join(baseURL, webClientTOTPSavePathDefault)\n\twebClientRecoveryCodesPath = path.Join(baseURL, webClientRecoveryCodesPathDefault)\n\twebClientForgotPwdPath = path.Join(baseURL, webClientForgotPwdPathDefault)\n\twebClientResetPwdPath = path.Join(baseURL, webClientResetPwdPathDefault)\n\twebClientViewPDFPath = path.Join(baseURL, webClientViewPDFPathDefault)\n\twebClientGetPDFPath = path.Join(baseURL, webClientGetPDFPathDefault)\n\twebClientExistPath = path.Join(baseURL, webClientExistPathDefault)\n\twebClientTasksPath = path.Join(baseURL, webClientTasksPathDefault)\n\twebStaticFilesPath = path.Join(baseURL, webStaticFilesPathDefault)\n\twebOpenAPIPath = path.Join(baseURL, webOpenAPIPathDefault)\n}\n\nfunc updateWebAdminURLs(baseURL string) {\n\tif !path.IsAbs(baseURL) {\n\t\tbaseURL = \"/\"\n\t}\n\twebRootPath = path.Join(baseURL, webRootPathDefault)\n\twebBasePath = path.Join(baseURL, webBasePathDefault)\n\twebBaseAdminPath = path.Join(baseURL, webBasePathAdminDefault)\n\twebOIDCRedirectPath = path.Join(baseURL, webOIDCRedirectPathDefault)\n\twebOAuth2RedirectPath = path.Join(baseURL, webOAuth2RedirectPathDefault)\n\twebOAuth2TokenPath = path.Join(baseURL, webOAuth2TokenPathDefault)\n\twebAdminSetupPath = path.Join(baseURL, webAdminSetupPathDefault)\n\twebAdminLoginPath = path.Join(baseURL, webAdminLoginPathDefault)\n\twebAdminOIDCLoginPath = path.Join(baseURL, webAdminOIDCLoginPathDefault)\n\twebAdminTwoFactorPath = path.Join(baseURL, webAdminTwoFactorPathDefault)\n\twebAdminTwoFactorRecoveryPath = path.Join(baseURL, webAdminTwoFactorRecoveryPathDefault)\n\twebLogoutPath = path.Join(baseURL, webLogoutPathDefault)\n\twebUsersPath = path.Join(baseURL, webUsersPathDefault)\n\twebUserPath = path.Join(baseURL, webUserPathDefault)\n\twebConnectionsPath = path.Join(baseURL, webConnectionsPathDefault)\n\twebFoldersPath = path.Join(baseURL, webFoldersPathDefault)\n\twebFolderPath = path.Join(baseURL, webFolderPathDefault)\n\twebGroupsPath = path.Join(baseURL, webGroupsPathDefault)\n\twebGroupPath = path.Join(baseURL, webGroupPathDefault)\n\twebStatusPath = path.Join(baseURL, webStatusPathDefault)\n\twebAdminsPath = path.Join(baseURL, webAdminsPathDefault)\n\twebAdminPath = path.Join(baseURL, webAdminPathDefault)\n\twebMaintenancePath = path.Join(baseURL, webMaintenancePathDefault)\n\twebBackupPath = path.Join(baseURL, webBackupPathDefault)\n\twebRestorePath = path.Join(baseURL, webRestorePathDefault)\n\twebScanVFolderPath = path.Join(baseURL, webScanVFolderPathDefault)\n\twebQuotaScanPath = path.Join(baseURL, webQuotaScanPathDefault)\n\twebChangeAdminPwdPath = path.Join(baseURL, webChangeAdminPwdPathDefault)\n\twebAdminForgotPwdPath = path.Join(baseURL, webAdminForgotPwdPathDefault)\n\twebAdminResetPwdPath = path.Join(baseURL, webAdminResetPwdPathDefault)\n\twebAdminProfilePath = path.Join(baseURL, webAdminProfilePathDefault)\n\twebAdminMFAPath = path.Join(baseURL, webAdminMFAPathDefault)\n\twebAdminEventRulesPath = path.Join(baseURL, webAdminEventRulesPathDefault)\n\twebAdminEventRulePath = path.Join(baseURL, webAdminEventRulePathDefault)\n\twebAdminEventActionsPath = path.Join(baseURL, webAdminEventActionsPathDefault)\n\twebAdminEventActionPath = path.Join(baseURL, webAdminEventActionPathDefault)\n\twebAdminRolesPath = path.Join(baseURL, webAdminRolesPathDefault)\n\twebAdminRolePath = path.Join(baseURL, webAdminRolePathDefault)\n\twebAdminTOTPGeneratePath = path.Join(baseURL, webAdminTOTPGeneratePathDefault)\n\twebAdminTOTPValidatePath = path.Join(baseURL, webAdminTOTPValidatePathDefault)\n\twebAdminTOTPSavePath = path.Join(baseURL, webAdminTOTPSavePathDefault)\n\twebAdminRecoveryCodesPath = path.Join(baseURL, webAdminRecoveryCodesPathDefault)\n\twebTemplateUser = path.Join(baseURL, webTemplateUserDefault)\n\twebTemplateFolder = path.Join(baseURL, webTemplateFolderDefault)\n\twebDefenderHostsPath = path.Join(baseURL, webDefenderHostsPathDefault)\n\twebDefenderPath = path.Join(baseURL, webDefenderPathDefault)\n\twebIPListPath = path.Join(baseURL, webIPListPathDefault)\n\twebIPListsPath = path.Join(baseURL, webIPListsPathDefault)\n\twebEventsPath = path.Join(baseURL, webEventsPathDefault)\n\twebEventsFsSearchPath = path.Join(baseURL, webEventsFsSearchPathDefault)\n\twebEventsProviderSearchPath = path.Join(baseURL, webEventsProviderSearchPathDefault)\n\twebEventsLogSearchPath = path.Join(baseURL, webEventsLogSearchPathDefault)\n\twebConfigsPath = path.Join(baseURL, webConfigsPathDefault)\n\twebStaticFilesPath = path.Join(baseURL, webStaticFilesPathDefault)\n\twebOpenAPIPath = path.Join(baseURL, webOpenAPIPathDefault)\n}\n\n// GetHTTPRouter returns an HTTP handler suitable to use for test cases\nfunc GetHTTPRouter(b Binding) (http.Handler, error) {\n\tserver := newHttpdServer(b, filepath.Join(\"..\", \"..\", \"static\"), \"\", CorsConfig{}, filepath.Join(\"..\", \"..\", \"openapi\"))\n\tif err := server.initializeRouter(); err != nil {\n\t\treturn nil, err\n\t}\n\treturn server.router, nil\n}\n\n// the ticker cannot be started/stopped from multiple goroutines\nfunc startCleanupTicker(duration time.Duration) {\n\tstopCleanupTicker()\n\tcleanupTicker = time.NewTicker(duration)\n\tcleanupDone = make(chan bool)\n\n\tgo func() {\n\t\tcounter := int64(0)\n\t\tfor {\n\t\t\tselect {\n\t\t\tcase <-cleanupDone:\n\t\t\t\treturn\n\t\t\tcase <-cleanupTicker.C:\n\t\t\t\tcounter++\n\t\t\t\tinvalidatedJWTTokens.Cleanup()\n\t\t\t\tresetCodesMgr.Cleanup()\n\t\t\t\twebTaskMgr.Cleanup()\n\t\t\t\tif counter%2 == 0 {\n\t\t\t\t\toidcMgr.cleanup()\n\t\t\t\t\toauth2Mgr.cleanup()\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}()\n}\n\nfunc stopCleanupTicker() {\n\tif cleanupTicker != nil {\n\t\tcleanupTicker.Stop()\n\t\tcleanupDone <- true\n\t\tcleanupTicker = nil\n\t}\n}\n\nfunc getSigningKey(signingPassphrase string) []byte {\n\tvar key []byte\n\tif signingPassphrase != \"\" {\n\t\tkey = []byte(signingPassphrase)\n\t} else {\n\t\tkey = util.GenerateRandomBytes(32)\n\t}\n\tsk := sha256.Sum256(key)\n\treturn sk[:]\n}\n\n// SetInstallationCodeResolver sets a function to call to resolve the installation code\nfunc SetInstallationCodeResolver(fn FnInstallationCodeResolver) {\n\tfnInstallationCodeResolver = fn\n}\n\nfunc resolveInstallationCode() string {\n\tif fnInstallationCodeResolver != nil {\n\t\treturn fnInstallationCodeResolver(installationCode)\n\t}\n\treturn installationCode\n}\n\ntype neuteredFileSystem struct {\n\tfs http.FileSystem\n}\n\nfunc (nfs neuteredFileSystem) Open(name string) (http.File, error) {\n\tf, err := nfs.fs.Open(name)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\ts, err := f.Stat()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tif s.IsDir() {\n\t\tindex := path.Join(name, \"index.html\")\n\t\tif _, err := nfs.fs.Open(index); err != nil {\n\t\t\tdefer f.Close()\n\n\t\t\treturn nil, err\n\t\t}\n\t}\n\n\treturn f, nil\n}\n" }, { "path": "internal/httpd/httpd_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd_test\n\nimport (\n\t\"bytes\"\n\t\"crypto/rand\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"image\"\n\t\"image/color\"\n\t\"image/png\"\n\t\"io\"\n\t\"io/fs\"\n\t\"math\"\n\t\"mime/multipart\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"net/url\"\n\t\"os\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"regexp\"\n\t\"runtime\"\n\t\"slices\"\n\t\"strconv\"\n\t\"strings\"\n\t\"sync\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/go-chi/render\"\n\t_ \"github.com/go-sql-driver/mysql\"\n\t_ \"github.com/jackc/pgx/v5/stdlib\"\n\t\"github.com/lithammer/shortuuid/v4\"\n\t_ \"github.com/mattn/go-sqlite3\"\n\t\"github.com/mhale/smtpd\"\n\t\"github.com/pkg/sftp\"\n\t\"github.com/pquerna/otp\"\n\t\"github.com/pquerna/otp/totp\"\n\t\"github.com/rs/xid\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/sftpgo/sdk\"\n\tsdkkms \"github.com/sftpgo/sdk/kms\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\t\"golang.org/x/crypto/bcrypt\"\n\t\"golang.org/x/crypto/ssh\"\n\t\"golang.org/x/net/html\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/acme\"\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/config\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpclient\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpdtest\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/mfa\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n\t\"github.com/drakkan/sftpgo/v2/internal/sftpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/smtp\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nconst (\n\tdefaultUsername = \"test_user\"\n\tdefaultPassword = \"test_password\"\n\ttestPubKey = \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC03jj0D+djk7pxIf/0OhrxrchJTRZklofJ1NoIu4752Sq02mdXmarMVsqJ1cAjV5LBVy3D1F5U6XW4rppkXeVtd04Pxb09ehtH0pRRPaoHHlALiJt8CoMpbKYMA8b3KXPPriGxgGomvtU2T2RMURSwOZbMtpsugfjYSWenyYX+VORYhylWnSXL961LTyC21ehd6d6QnW9G7E5hYMITMY9TuQZz3bROYzXiTsgN0+g6Hn7exFQp50p45StUMfV/SftCMdCxlxuyGny2CrN/vfjO7xxOo2uv7q1qm10Q46KPWJQv+pgZ/OfL+EDjy07n5QVSKHlbx+2nT4Q0EgOSQaCTYwn3YjtABfIxWwgAFdyj6YlPulCL22qU4MYhDcA6PSBwDdf8hvxBfvsiHdM+JcSHvv8/VeJhk6CmnZxGY0fxBupov27z3yEO8nAg8k+6PaUiW1MSUfuGMF/ktB8LOstXsEPXSszuyXiOv4DaryOXUiSn7bmRqKcEFlJusO6aZP0= nicola@p1\"\n\ttestPubKey1 = \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCd60+/j+y8f0tLftihWV1YN9RSahMI9btQMDIMqts/jeNbD8jgoogM3nhF7KxfcaMKURuD47KC4Ey6iAJUJ0sWkSNNxOcIYuvA+5MlspfZDsa8Ag76Fe1vyz72WeHMHMeh/hwFo2TeIeIXg480T1VI6mzfDrVp2GzUx0SS0dMsQBjftXkuVR8YOiOwMCAH2a//M1OrvV7d/NBk6kBN0WnuIBb2jKm15PAA7+jQQG7tzwk2HedNH3jeL5GH31xkSRwlBczRK0xsCQXehAlx6cT/e/s44iJcJTHfpPKoSk6UAhPJYe7Z1QnuoawY9P9jQaxpyeImBZxxUEowhjpj2avBxKdRGBVK8R7EL8tSOeLbhdyWe5Mwc1+foEbq9Zz5j5Kd+hn3Wm1UnsGCrXUUUoZp1jnlNl0NakCto+5KmqnT9cHxaY+ix2RLUWAZyVFlRq71OYux1UHJnEJPiEI1/tr4jFBSL46qhQZv/TfpkfVW8FLz0lErfqu0gQEZnNHr3Fc= nicola@p1\"\n\tdefaultTokenAuthUser = \"admin\"\n\tdefaultTokenAuthPass = \"password\"\n\taltAdminUsername = \"newTestAdmin\"\n\taltAdminPassword = \"password1\"\n\tcsrfFormToken = \"_form_token\"\n\ttokenPath = \"/api/v2/token\"\n\tuserTokenPath = \"/api/v2/user/token\"\n\tuserLogoutPath = \"/api/v2/user/logout\"\n\tuserPath = \"/api/v2/users\"\n\tadminPath = \"/api/v2/admins\"\n\tadminPwdPath = \"/api/v2/admin/changepwd\"\n\tfolderPath = \"/api/v2/folders\"\n\tgroupPath = \"/api/v2/groups\"\n\tactiveConnectionsPath = \"/api/v2/connections\"\n\tserverStatusPath = \"/api/v2/status\"\n\tquotasBasePath = \"/api/v2/quotas\"\n\tquotaScanPath = \"/api/v2/quotas/users/scans\"\n\tquotaScanVFolderPath = \"/api/v2/quotas/folders/scans\"\n\tdefenderHosts = \"/api/v2/defender/hosts\"\n\tversionPath = \"/api/v2/version\"\n\tlogoutPath = \"/api/v2/logout\"\n\tuserPwdPath = \"/api/v2/user/changepwd\"\n\tuserDirsPath = \"/api/v2/user/dirs\"\n\tuserFilesPath = \"/api/v2/user/files\"\n\tuserFileActionsPath = \"/api/v2/user/file-actions\"\n\tuserStreamZipPath = \"/api/v2/user/streamzip\"\n\tuserUploadFilePath = \"/api/v2/user/files/upload\"\n\tuserFilesDirsMetadataPath = \"/api/v2/user/files/metadata\"\n\tapiKeysPath = \"/api/v2/apikeys\"\n\tadminTOTPConfigsPath = \"/api/v2/admin/totp/configs\"\n\tadminTOTPGeneratePath = \"/api/v2/admin/totp/generate\"\n\tadminTOTPValidatePath = \"/api/v2/admin/totp/validate\"\n\tadminTOTPSavePath = \"/api/v2/admin/totp/save\"\n\tadmin2FARecoveryCodesPath = \"/api/v2/admin/2fa/recoverycodes\"\n\tadminProfilePath = \"/api/v2/admin/profile\"\n\tuserTOTPConfigsPath = \"/api/v2/user/totp/configs\"\n\tuserTOTPGeneratePath = \"/api/v2/user/totp/generate\"\n\tuserTOTPValidatePath = \"/api/v2/user/totp/validate\"\n\tuserTOTPSavePath = \"/api/v2/user/totp/save\"\n\tuser2FARecoveryCodesPath = \"/api/v2/user/2fa/recoverycodes\"\n\tuserProfilePath = \"/api/v2/user/profile\"\n\tuserSharesPath = \"/api/v2/user/shares\"\n\tfsEventsPath = \"/api/v2/events/fs\"\n\tproviderEventsPath = \"/api/v2/events/provider\"\n\tlogEventsPath = \"/api/v2/events/logs\"\n\tsharesPath = \"/api/v2/shares\"\n\teventActionsPath = \"/api/v2/eventactions\"\n\teventRulesPath = \"/api/v2/eventrules\"\n\trolesPath = \"/api/v2/roles\"\n\tipListsPath = \"/api/v2/iplists\"\n\thealthzPath = \"/healthz\"\n\twebBasePath = \"/web\"\n\twebBasePathAdmin = \"/web/admin\"\n\twebAdminSetupPath = \"/web/admin/setup\"\n\twebLoginPath = \"/web/admin/login\"\n\twebLogoutPath = \"/web/admin/logout\"\n\twebUsersPath = \"/web/admin/users\"\n\twebUserPath = \"/web/admin/user\"\n\twebGroupsPath = \"/web/admin/groups\"\n\twebGroupPath = \"/web/admin/group\"\n\twebFoldersPath = \"/web/admin/folders\"\n\twebFolderPath = \"/web/admin/folder\"\n\twebConnectionsPath = \"/web/admin/connections\"\n\twebStatusPath = \"/web/admin/status\"\n\twebAdminsPath = \"/web/admin/managers\"\n\twebAdminPath = \"/web/admin/manager\"\n\twebMaintenancePath = \"/web/admin/maintenance\"\n\twebRestorePath = \"/web/admin/restore\"\n\twebChangeAdminPwdPath = \"/web/admin/changepwd\"\n\twebAdminProfilePath = \"/web/admin/profile\"\n\twebTemplateUser = \"/web/admin/template/user\"\n\twebTemplateFolder = \"/web/admin/template/folder\"\n\twebDefenderPath = \"/web/admin/defender\"\n\twebIPListsPath = \"/web/admin/ip-lists\"\n\twebIPListPath = \"/web/admin/ip-list\"\n\twebAdminTwoFactorPath = \"/web/admin/twofactor\"\n\twebAdminTwoFactorRecoveryPath = \"/web/admin/twofactor-recovery\"\n\twebAdminMFAPath = \"/web/admin/mfa\"\n\twebAdminTOTPSavePath = \"/web/admin/totp/save\"\n\twebAdminForgotPwdPath = \"/web/admin/forgot-password\"\n\twebAdminResetPwdPath = \"/web/admin/reset-password\"\n\twebAdminEventRulesPath = \"/web/admin/eventrules\"\n\twebAdminEventRulePath = \"/web/admin/eventrule\"\n\twebAdminEventActionsPath = \"/web/admin/eventactions\"\n\twebAdminEventActionPath = \"/web/admin/eventaction\"\n\twebAdminRolesPath = \"/web/admin/roles\"\n\twebAdminRolePath = \"/web/admin/role\"\n\twebEventsPath = \"/web/admin/events\"\n\twebConfigsPath = \"/web/admin/configs\"\n\twebOAuth2TokenPath = \"/web/admin/oauth2/token\"\n\twebBasePathClient = \"/web/client\"\n\twebClientLoginPath = \"/web/client/login\"\n\twebClientFilesPath = \"/web/client/files\"\n\twebClientEditFilePath = \"/web/client/editfile\"\n\twebClientDirsPath = \"/web/client/dirs\"\n\twebClientDownloadZipPath = \"/web/client/downloadzip\"\n\twebChangeClientPwdPath = \"/web/client/changepwd\"\n\twebClientProfilePath = \"/web/client/profile\"\n\twebClientPingPath = \"/web/client/ping\"\n\twebClientTwoFactorPath = \"/web/client/twofactor\"\n\twebClientTwoFactorRecoveryPath = \"/web/client/twofactor-recovery\"\n\twebClientLogoutPath = \"/web/client/logout\"\n\twebClientMFAPath = \"/web/client/mfa\"\n\twebClientTOTPSavePath = \"/web/client/totp/save\"\n\twebClientSharesPath = \"/web/client/shares\"\n\twebClientSharePath = \"/web/client/share\"\n\twebClientPubSharesPath = \"/web/client/pubshares\"\n\twebClientForgotPwdPath = \"/web/client/forgot-password\"\n\twebClientResetPwdPath = \"/web/client/reset-password\"\n\twebClientViewPDFPath = \"/web/client/viewpdf\"\n\twebClientGetPDFPath = \"/web/client/getpdf\"\n\twebClientExistPath = \"/web/client/exist\"\n\twebClientTasksPath = \"/web/client/tasks\"\n\twebClientFileMovePath = \"/web/client/file-actions/move\"\n\twebClientFileCopyPath = \"/web/client/file-actions/copy\"\n\tjsonAPISuffix = \"/json\"\n\thttpBaseURL = \"http://127.0.0.1:8081\"\n\tdefaultRemoteAddr = \"127.0.0.1:1234\"\n\tsftpServerAddr = \"127.0.0.1:8022\"\n\tsmtpServerAddr = \"127.0.0.1:3525\"\n\thttpsCert = `-----BEGIN CERTIFICATE-----\nMIICHTCCAaKgAwIBAgIUHnqw7QnB1Bj9oUsNpdb+ZkFPOxMwCgYIKoZIzj0EAwIw\nRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu\ndGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDAyMDQwOTUzMDRaFw0zMDAyMDEw\nOTUzMDRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYD\nVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwdjAQBgcqhkjOPQIBBgUrgQQA\nIgNiAARCjRMqJ85rzMC998X5z761nJ+xL3bkmGVqWvrJ51t5OxV0v25NsOgR82CA\nNXUgvhVYs7vNFN+jxtb2aj6Xg+/2G/BNxkaFspIVCzgWkxiz7XE4lgUwX44FCXZM\n3+JeUbKjUzBRMB0GA1UdDgQWBBRhLw+/o3+Z02MI/d4tmaMui9W16jAfBgNVHSME\nGDAWgBRhLw+/o3+Z02MI/d4tmaMui9W16jAPBgNVHRMBAf8EBTADAQH/MAoGCCqG\nSM49BAMCA2kAMGYCMQDqLt2lm8mE+tGgtjDmtFgdOcI72HSbRQ74D5rYTzgST1rY\n/8wTi5xl8TiFUyLMUsICMQC5ViVxdXbhuG7gX6yEqSkMKZICHpO8hqFwOD/uaFVI\ndV4vKmHUzwK/eIx+8Ay3neE=\n-----END CERTIFICATE-----`\n\thttpsKey = `-----BEGIN EC PARAMETERS-----\nBgUrgQQAIg==\n-----END EC PARAMETERS-----\n-----BEGIN EC PRIVATE KEY-----\nMIGkAgEBBDCfMNsN6miEE3rVyUPwElfiJSWaR5huPCzUenZOfJT04GAcQdWvEju3\nUM2lmBLIXpGgBwYFK4EEACKhZANiAARCjRMqJ85rzMC998X5z761nJ+xL3bkmGVq\nWvrJ51t5OxV0v25NsOgR82CANXUgvhVYs7vNFN+jxtb2aj6Xg+/2G/BNxkaFspIV\nCzgWkxiz7XE4lgUwX44FCXZM3+JeUbI=\n-----END EC PRIVATE KEY-----`\n\tsftpPrivateKey = `-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW\nQyNTUxOQAAACB+RB4yNTZz9mHOkawwUibNdemijVV3ErMeLxWUBlCN/gAAAJA7DjpfOw46\nXwAAAAtzc2gtZWQyNTUxOQAAACB+RB4yNTZz9mHOkawwUibNdemijVV3ErMeLxWUBlCN/g\nAAAEA0E24gi8ab/XRSvJ85TGZJMe6HVmwxSG4ExPfTMwwe2n5EHjI1NnP2Yc6RrDBSJs11\n6aKNVXcSsx4vFZQGUI3+AAAACW5pY29sYUBwMQECAwQ=\n-----END OPENSSH PRIVATE KEY-----`\n\tsftpPkeyFingerprint = \"SHA256:QVQ06XHZZbYZzqfrsZcf3Yozy2WTnqQPeLOkcJCdbP0\"\n\t// password protected private key\n\ttestPrivateKeyPwd = `-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAvfwQQcs\n+PyMsCLTNFcKiQAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAILqltfCL7IPuIQ2q\n+8w23flfgskjIlKViEwMfjJR4mrbAAAAkHp5xgG8J1XW90M/fT59ZUQht8sZzzP17rEKlX\nwaYKvLzDxkPK6LFIYs55W1EX1eVt/2Maq+zQ7k2SOUmhPNknsUOlPV2gytX3uIYvXF7u2F\nFTBIJuzZ+UQ14wFbraunliE9yye9DajVG1kz2cz2wVgXUbee+gp5NyFVvln+TcTxXwMsWD\nqwlk5iw/jQekxThg==\n-----END OPENSSH PRIVATE KEY-----\n`\n\ttestPubKeyPwd = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILqltfCL7IPuIQ2q+8w23flfgskjIlKViEwMfjJR4mrb\"\n\tprivateKeyPwd = \"password\"\n\trsa1024PrivKey = `-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAlwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAIEAxgrZ84gJyU7Qz8JbYuYh0fgTN29h4qVkqDkEE0lWZe7L4QRcQHrB\nvycJO5vjfitY5JTojV3nbDNHN6XGVX8QNurwXmxv0EmEbqPoNO/rTf1t7qqwMBBAfSJJ5H\nTXsO37vqcWSOt1Ki5yjRm232UfPo3AYXaZdOKDWKpzI12FfqkAAAIAondFqKJ3RagAAAAH\nc3NoLXJzYQAAAIEAxgrZ84gJyU7Qz8JbYuYh0fgTN29h4qVkqDkEE0lWZe7L4QRcQHrBvy\ncJO5vjfitY5JTojV3nbDNHN6XGVX8QNurwXmxv0EmEbqPoNO/rTf1t7qqwMBBAfSJJ5HTX\nsO37vqcWSOt1Ki5yjRm232UfPo3AYXaZdOKDWKpzI12FfqkAAAADAQABAAAAgC7V5COG+a\nGFJTbtJQWnnTn17D2A9upN6RcrnL4e6vLiXY8So+qP3YAicDmLrWpqP/SXDsRX/+ID4oTT\njKstiJy5jTvXAozwBbFCvNDk1qifs8p/HKzel3t0172j6gLOa2h9+clJ4BYyCk6ue4f8fV\nyKTIc9chdJSpeINNY60CJxAAAAQQDhYpGXljD2Xy/CzqRXyoF+iMtOImLlbgQYswTXegk3\n7JoCNvwqg8xP+JxGpvUGpX23VWh0nBhzcAKHGlssiYQuAAAAQQDwB6s7s1WIRZ2Jsz8f6l\n7/ebpPrAMyKmWkXc7KyvR53zuMkMIdvujM5NkOWh1ON8jtNumArey2dWuGVh+pXbdVAAAA\nQQDTOAaMcyTfXMH/oSMsp+5obvT/RuewaRLHdBiCy0y1Jw0ykOcOCkswr/btDL26hImaHF\nSheorO+2We7dnFuUIFAAAACW5pY29sYUBwMQE=\n-----END OPENSSH PRIVATE KEY-----`\n\trsa1024PubKey = \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDGCtnziAnJTtDPwlti5iHR+BM3b2HipWSoOQQTSVZl7svhBFxAesG/Jwk7m+N+K1jklOiNXedsM0c3pcZVfxA26vBebG/QSYRuo+g07+tN/W3uqrAwEEB9IknkdNew7fu+pxZI63UqLnKNGbbfZR8+jcBhdpl04oNYqnMjXYV+qQ==\"\n\tredactedSecret = \"[**redacted**]\"\n\tosWindows = \"windows\"\n\toidcMockAddr = \"127.0.0.1:11111\"\n)\n\nvar (\n\tconfigDir = filepath.Join(\".\", \"..\", \"..\")\n\tdefaultPerms = []string{dataprovider.PermAny}\n\thomeBasePath string\n\tbackupsPath string\n\ttestServer *httptest.Server\n\tpostConnectPath string\n\tpreActionPath string\n\tlastResetCode string\n)\n\ntype fakeConnection struct {\n\t*common.BaseConnection\n\tcommand string\n}\n\nfunc (c *fakeConnection) Disconnect() error {\n\tcommon.Connections.Remove(c.GetID())\n\treturn nil\n}\n\nfunc (c *fakeConnection) GetClientVersion() string {\n\treturn \"\"\n}\n\nfunc (c *fakeConnection) GetCommand() string {\n\treturn c.command\n}\n\nfunc (c *fakeConnection) GetLocalAddress() string {\n\treturn \"\"\n}\n\nfunc (c *fakeConnection) GetRemoteAddress() string {\n\treturn \"\"\n}\n\ntype generateTOTPRequest struct {\n\tConfigName string `json:\"config_name\"`\n}\n\ntype generateTOTPResponse struct {\n\tConfigName string `json:\"config_name\"`\n\tIssuer string `json:\"issuer\"`\n\tSecret string `json:\"secret\"`\n\tQRCode []byte `json:\"qr_code\"`\n}\n\ntype validateTOTPRequest struct {\n\tConfigName string `json:\"config_name\"`\n\tPasscode string `json:\"passcode\"`\n\tSecret string `json:\"secret\"`\n}\n\ntype recoveryCode struct {\n\tCode string `json:\"code\"`\n\tUsed bool `json:\"used\"`\n}\n\nfunc TestMain(m *testing.M) { //nolint:gocyclo\n\thomeBasePath = os.TempDir()\n\tlogfilePath := filepath.Join(configDir, \"sftpgo_api_test.log\")\n\tlogger.InitLogger(logfilePath, 5, 1, 28, false, false, zerolog.DebugLevel)\n\tos.Setenv(\"SFTPGO_COMMON__UPLOAD_MODE\", \"2\")\n\tos.Setenv(\"SFTPGO_DATA_PROVIDER__CREATE_DEFAULT_ADMIN\", \"1\")\n\tos.Setenv(\"SFTPGO_COMMON__ALLOW_SELF_CONNECTIONS\", \"1\")\n\tos.Setenv(\"SFTPGO_DATA_PROVIDER__NAMING_RULES\", \"0\")\n\tos.Setenv(\"SFTPGO_DEFAULT_ADMIN_USERNAME\", \"admin\")\n\tos.Setenv(\"SFTPGO_DEFAULT_ADMIN_PASSWORD\", \"password\")\n\tos.Setenv(\"SFTPGO_HTTPD__MAX_UPLOAD_FILE_SIZE\", \"1048576000\")\n\terr := config.LoadConfig(configDir, \"\")\n\tif err != nil {\n\t\tlogger.WarnToConsole(\"error loading configuration: %v\", err)\n\t\tos.Exit(1)\n\t}\n\twdPath, err := os.Getwd()\n\tif err != nil {\n\t\tlogger.WarnToConsole(\"error getting exe path: %v\", err)\n\t\tos.Exit(1)\n\t}\n\tpluginsConfig := []plugin.Config{\n\t\t{\n\t\t\tType: \"eventsearcher\",\n\t\t\tCmd: filepath.Join(wdPath, \"..\", \"..\", \"tests\", \"eventsearcher\", \"eventsearcher\"),\n\t\t\tAutoMTLS: true,\n\t\t},\n\t}\n\tif runtime.GOOS == osWindows {\n\t\tpluginsConfig[0].Cmd += \".exe\"\n\t}\n\tproviderConf := config.GetProviderConf()\n\tlogger.InfoToConsole(\"Starting HTTPD tests, provider: %v\", providerConf.Driver)\n\n\tbackupsPath = filepath.Join(os.TempDir(), \"test_backups\")\n\tproviderConf.BackupsPath = backupsPath\n\terr = os.MkdirAll(backupsPath, os.ModePerm)\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error creating backups path: %v\", err)\n\t\tos.Exit(1)\n\t}\n\n\tkmsConfig := config.GetKMSConfig()\n\terr = kmsConfig.Initialize()\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error initializing kms: %v\", err)\n\t\tos.Exit(1)\n\t}\n\terr = plugin.Initialize(pluginsConfig, \"debug\")\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error initializing plugin: %v\", err)\n\t\tos.Exit(1)\n\t}\n\tmfaConfig := config.GetMFAConfig()\n\terr = mfaConfig.Initialize()\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error initializing MFA: %v\", err)\n\t\tos.Exit(1)\n\t}\n\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tif err != nil {\n\t\tlogger.WarnToConsole(\"error initializing data provider: %v\", err)\n\t\tos.Exit(1)\n\t}\n\n\terr = common.Initialize(config.GetCommonConfig(), 0)\n\tif err != nil {\n\t\tlogger.WarnToConsole(\"error initializing common: %v\", err)\n\t\tos.Exit(1)\n\t}\n\n\tpostConnectPath = filepath.Join(homeBasePath, \"postconnect.sh\")\n\tpreActionPath = filepath.Join(homeBasePath, \"preaction.sh\")\n\n\thttpConfig := config.GetHTTPConfig()\n\thttpConfig.RetryMax = 1\n\thttpConfig.Timeout = 5\n\thttpConfig.Initialize(configDir) //nolint:errcheck\n\n\thttpdConf := config.GetHTTPDConfig()\n\n\thttpdConf.Bindings[0].Port = 8081\n\thttpdConf.Bindings[0].Security = httpd.SecurityConf{\n\t\tEnabled: true,\n\t\tHTTPSProxyHeaders: []httpd.HTTPSProxyHeader{\n\t\t\t{\n\t\t\t\tKey: \"X-Forwarded-Proto\",\n\t\t\t\tValue: \"https\",\n\t\t\t},\n\t\t},\n\t\tCacheControl: \"private\",\n\t}\n\thttpdtest.SetBaseURL(httpBaseURL)\n\t// required to test sftpfs\n\tsftpdConf := config.GetSFTPDConfig()\n\tsftpdConf.Bindings = []sftpd.Binding{\n\t\t{\n\t\t\tPort: 8022,\n\t\t},\n\t}\n\thostKeyPath := filepath.Join(os.TempDir(), \"id_rsa\")\n\tsftpdConf.HostKeys = []string{hostKeyPath}\n\n\tgo func() {\n\t\tif err := httpdConf.Initialize(configDir, 0); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start HTTP server: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}()\n\n\tgo func() {\n\t\tif err := sftpdConf.Initialize(configDir); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start SFTP server: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}()\n\n\tstartSMTPServer()\n\tstartOIDCMockServer()\n\n\twaitTCPListening(httpdConf.Bindings[0].GetAddress())\n\twaitTCPListening(sftpdConf.Bindings[0].GetAddress())\n\thttpd.ReloadCertificateMgr() //nolint:errcheck\n\t// now start an https server\n\tcertPath := filepath.Join(os.TempDir(), \"test.crt\")\n\tkeyPath := filepath.Join(os.TempDir(), \"test.key\")\n\terr = os.WriteFile(certPath, []byte(httpsCert), os.ModePerm)\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error writing HTTPS certificate: %v\", err)\n\t\tos.Exit(1)\n\t}\n\terr = os.WriteFile(keyPath, []byte(httpsKey), os.ModePerm)\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error writing HTTPS private key: %v\", err)\n\t\tos.Exit(1)\n\t}\n\thttpdConf.Bindings[0].Port = 8443\n\thttpdConf.Bindings[0].EnableHTTPS = true\n\thttpdConf.Bindings[0].CertificateFile = certPath\n\thttpdConf.Bindings[0].CertificateKeyFile = keyPath\n\thttpdConf.Bindings = append(httpdConf.Bindings, httpd.Binding{})\n\n\tgo func() {\n\t\tif err := httpdConf.Initialize(configDir, 0); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start HTTPS server: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}()\n\twaitTCPListening(httpdConf.Bindings[0].GetAddress())\n\thttpd.ReloadCertificateMgr() //nolint:errcheck\n\n\thandler, err := httpd.GetHTTPRouter(httpdConf.Bindings[0])\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"unable to get http test handler: %v\", err)\n\t\tos.Exit(1)\n\t}\n\ttestServer = httptest.NewServer(handler)\n\tdefer testServer.Close()\n\n\texitCode := m.Run()\n\tos.Remove(logfilePath)\n\tos.RemoveAll(backupsPath)\n\tos.Remove(certPath)\n\tos.Remove(keyPath)\n\tos.Remove(hostKeyPath)\n\tos.Remove(hostKeyPath + \".pub\")\n\tos.Remove(postConnectPath)\n\tos.Remove(preActionPath)\n\tos.Exit(exitCode)\n}\n\nfunc TestInitialization(t *testing.T) {\n\tisShared := 0\n\terr := config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tinvalidFile := \"invalid file\"\n\tpassphraseFile := filepath.Join(os.TempDir(), util.GenerateUniqueID())\n\terr = os.WriteFile(passphraseFile, []byte(\"my secret\"), 0600)\n\tassert.NoError(t, err)\n\tdefer os.Remove(passphraseFile)\n\thttpdConf := config.GetHTTPDConfig()\n\thttpdConf.SigningPassphraseFile = invalidFile\n\terr = httpdConf.Initialize(configDir, isShared)\n\tassert.ErrorIs(t, err, fs.ErrNotExist)\n\thttpdConf.SigningPassphraseFile = passphraseFile\n\tdefaultTemplatesPath := httpdConf.TemplatesPath\n\tdefaultStaticPath := httpdConf.StaticFilesPath\n\thttpdConf.CertificateFile = invalidFile\n\thttpdConf.CertificateKeyFile = invalidFile\n\terr = httpdConf.Initialize(configDir, isShared)\n\tassert.Error(t, err)\n\thttpdConf.CertificateFile = \"\"\n\thttpdConf.CertificateKeyFile = \"\"\n\thttpdConf.TemplatesPath = \".\"\n\terr = httpdConf.Initialize(configDir, isShared)\n\tassert.Error(t, err)\n\thttpdConf = config.GetHTTPDConfig()\n\thttpdConf.TemplatesPath = defaultTemplatesPath\n\thttpdConf.CertificateFile = invalidFile\n\thttpdConf.CertificateKeyFile = invalidFile\n\thttpdConf.StaticFilesPath = \"\"\n\thttpdConf.TemplatesPath = \"\"\n\terr = httpdConf.Initialize(configDir, isShared)\n\tassert.Error(t, err)\n\thttpdConf.StaticFilesPath = defaultStaticPath\n\thttpdConf.TemplatesPath = defaultTemplatesPath\n\thttpdConf.CertificateFile = filepath.Join(os.TempDir(), \"test.crt\")\n\thttpdConf.CertificateKeyFile = filepath.Join(os.TempDir(), \"test.key\")\n\thttpdConf.CACertificates = append(httpdConf.CACertificates, invalidFile)\n\terr = httpdConf.Initialize(configDir, isShared)\n\tassert.Error(t, err)\n\thttpdConf.CACertificates = nil\n\thttpdConf.CARevocationLists = append(httpdConf.CARevocationLists, invalidFile)\n\terr = httpdConf.Initialize(configDir, isShared)\n\tassert.Error(t, err)\n\thttpdConf.CARevocationLists = nil\n\thttpdConf.SigningPassphraseFile = passphraseFile\n\thttpdConf.Bindings[0].ProxyAllowed = []string{\"invalid ip/network\"}\n\terr = httpdConf.Initialize(configDir, isShared)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"is not a valid IP range\")\n\t}\n\tassert.Equal(t, \"my secret\", httpdConf.SigningPassphrase)\n\thttpdConf.Bindings[0].ProxyAllowed = nil\n\thttpdConf.Bindings[0].EnableWebAdmin = false\n\thttpdConf.Bindings[0].EnableWebClient = false\n\thttpdConf.Bindings[0].Port = 8081\n\thttpdConf.Bindings[0].EnableHTTPS = true\n\thttpdConf.Bindings[0].ClientAuthType = 1\n\thttpdConf.TokenValidation = 1\n\terr = httpdConf.Initialize(configDir, 0)\n\tassert.Error(t, err)\n\thttpdConf.TokenValidation = 0\n\terr = httpdConf.Initialize(configDir, 0)\n\tassert.Error(t, err)\n\n\thttpdConf.Bindings[0].OIDC = httpd.OIDC{\n\t\tClientID: \"123\",\n\t\tClientSecret: \"secret\",\n\t\tConfigURL: \"http://127.0.0.1:11111\",\n\t}\n\terr = httpdConf.Initialize(configDir, 0)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"oidc\")\n\t}\n\thttpdConf.Bindings[0].OIDC.UsernameField = \"preferred_username\"\n\terr = httpdConf.Initialize(configDir, isShared)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"oidc\")\n\t}\n\thttpdConf.Bindings[0].OIDC = httpd.OIDC{}\n\thttpdConf.Bindings[0].BaseURL = \"ftp://127.0.0.1\"\n\terr = httpdConf.Initialize(configDir, isShared)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"URL schema\")\n\t}\n\thttpdConf.Bindings[0].BaseURL = \"\"\n\thttpdConf.Bindings[0].EnableWebClient = true\n\thttpdConf.Bindings[0].EnableWebAdmin = true\n\thttpdConf.Bindings[0].EnableRESTAPI = true\n\thttpdConf.Bindings[0].DisabledLoginMethods = 14\n\terr = httpdConf.Initialize(configDir, isShared)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"no login method available for WebAdmin UI\")\n\t}\n\thttpdConf.Bindings[0].DisabledLoginMethods = 13\n\terr = httpdConf.Initialize(configDir, isShared)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"no login method available for WebAdmin UI\")\n\t}\n\thttpdConf.Bindings[0].DisabledLoginMethods = 9\n\terr = httpdConf.Initialize(configDir, isShared)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"no login method available for WebClient UI\")\n\t}\n\thttpdConf.Bindings[0].DisabledLoginMethods = 11\n\terr = httpdConf.Initialize(configDir, isShared)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"no login method available for WebClient UI\")\n\t}\n\thttpdConf.Bindings[0].DisabledLoginMethods = 12\n\terr = httpdConf.Initialize(configDir, isShared)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"no login method available for WebAdmin UI\")\n\t}\n\thttpdConf.Bindings[0].EnableWebAdmin = false\n\terr = httpdConf.Initialize(configDir, isShared)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"no login method available for WebClient UI\")\n\t}\n\thttpdConf.Bindings[0].EnableWebClient = false\n\thttpdConf.Bindings[0].DisabledLoginMethods = 240\n\terr = httpdConf.Initialize(configDir, isShared)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"no login method available for REST API\")\n\t}\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = httpdConf.Initialize(configDir, isShared)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unable to load config from provider\")\n\t}\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n}\n\nfunc TestBasicUserHandling(t *testing.T) {\n\tu := getTestUser()\n\tu.Email = \"user@user.com\"\n\tu.Filters.AdditionalEmails = []string{\"email1@user.com\", \"email2@user.com\"}\n\tuser, resp, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\t_, resp, err = httpdtest.AddUser(u, http.StatusConflict)\n\tassert.NoError(t, err, string(resp))\n\tlastPwdChange := user.LastPasswordChange\n\tassert.Greater(t, lastPwdChange, int64(0))\n\tuser.MaxSessions = 10\n\tuser.QuotaSize = 4096\n\tuser.QuotaFiles = 2\n\tuser.UploadBandwidth = 128\n\tuser.DownloadBandwidth = 64\n\tuser.ExpirationDate = util.GetTimeAsMsSinceEpoch(time.Now())\n\tuser.AdditionalInfo = \"some free text\"\n\tuser.Filters.TLSUsername = sdk.TLSUsernameCN\n\tuser.Email = \"user@example.net\"\n\tuser.OIDCCustomFields = &map[string]any{\n\t\t\"field1\": \"value1\",\n\t}\n\tuser.Filters.WebClient = append(user.Filters.WebClient, sdk.WebClientPubKeyChangeDisabled,\n\t\tsdk.WebClientWriteDisabled)\n\toriginalUser := user\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, originalUser.ID, user.ID)\n\tassert.Equal(t, lastPwdChange, user.LastPasswordChange)\n\n\tuser, _, err = httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Nil(t, user.OIDCCustomFields)\n\tassert.True(t, user.HasPassword)\n\n\tuser.Email = \"invalid@email\"\n\tuser.FsConfig.OSConfig = sdk.OSFsConfig{\n\t\tReadBufferSize: 1,\n\t\tWriteBufferSize: 2,\n\t}\n\t_, body, err := httpdtest.UpdateUser(user, http.StatusBadRequest, \"\")\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(body), \"Validation error: email\")\n\n\tuser.Email = \"\"\n\tuser.Filters.AdditionalEmails = []string{\"invalid@email\"}\n\t_, body, err = httpdtest.UpdateUser(user, http.StatusBadRequest, \"\")\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(body), \"Validation error: email\")\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestBasicRoleHandling(t *testing.T) {\n\tr := getTestRole()\n\trole, resp, err := httpdtest.AddRole(r, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tassert.Greater(t, role.CreatedAt, int64(0))\n\tassert.Greater(t, role.UpdatedAt, int64(0))\n\troleGet, _, err := httpdtest.GetRoleByName(role.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, role, roleGet)\n\n\troles, _, err := httpdtest.GetRoles(0, 0, http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.GreaterOrEqual(t, len(roles), 1) {\n\t\tfound := false\n\t\tfor _, ro := range roles {\n\t\t\tif ro.Name == r.Name {\n\t\t\t\tassert.Equal(t, role, ro)\n\t\t\t\tfound = true\n\t\t\t}\n\t\t}\n\t\tassert.True(t, found)\n\t}\n\troles, _, err = httpdtest.GetRoles(0, int64(len(roles)), http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, roles, 0)\n\n\trole.Description = \"updated desc\"\n\t_, _, err = httpdtest.UpdateRole(role, http.StatusOK)\n\tassert.NoError(t, err)\n\troleGet, _, err = httpdtest.GetRoleByName(role.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, role.Description, roleGet.Description)\n\n\t_, _, err = httpdtest.GetRoleByName(role.Name+\"_\", http.StatusNotFound)\n\tassert.NoError(t, err)\n\t// adding the same role again should fail\n\t_, _, err = httpdtest.AddRole(r, http.StatusConflict)\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveRole(role, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestRoleRelations(t *testing.T) {\n\tr := getTestRole()\n\trole, resp, err := httpdtest.AddRole(r, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\ta := getTestAdmin()\n\ta.Username = altAdminUsername\n\ta.Password = altAdminPassword\n\ta.Role = role.Name\n\t_, resp, err = httpdtest.AddAdmin(a, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"a role admin cannot be a super admin\")\n\n\ta.Permissions = []string{dataprovider.PermAdminAddUsers, dataprovider.PermAdminChangeUsers,\n\t\tdataprovider.PermAdminDeleteUsers, dataprovider.PermAdminViewUsers}\n\ta.Role = \"missing admin role\"\n\t_, _, err = httpdtest.AddAdmin(a, http.StatusConflict)\n\tassert.NoError(t, err)\n\ta.Role = role.Name\n\tadmin, _, err := httpdtest.AddAdmin(a, http.StatusCreated)\n\tassert.NoError(t, err)\n\tadmin.Role = \"invalid role\"\n\t_, resp, err = httpdtest.UpdateAdmin(admin, http.StatusConflict)\n\tassert.NoError(t, err, string(resp))\n\tadmin, _, err = httpdtest.GetAdminByUsername(admin.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, role.Name, admin.Role)\n\n\tresp, err = httpdtest.RemoveRole(role, http.StatusOK)\n\tassert.Error(t, err, \"removing a referenced role should fail\")\n\tassert.Contains(t, string(resp), \"is referenced\")\n\n\trole, _, err = httpdtest.GetRoleByName(role.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Len(t, role.Admins, 1) {\n\t\tassert.Equal(t, admin.Username, role.Admins[0])\n\t}\n\n\tu1 := getTestUser()\n\tu1.Username = defaultUsername + \"1\"\n\tu1.Role = \"missing role\"\n\t_, _, err = httpdtest.AddUser(u1, http.StatusConflict)\n\tassert.NoError(t, err)\n\tu1.Role = role.Name\n\tuser1, _, err := httpdtest.AddUser(u1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tassert.Equal(t, role.Name, user1.Role)\n\tuser1.Role = \"missing\"\n\t_, _, err = httpdtest.UpdateUser(user1, http.StatusConflict, \"\")\n\tassert.NoError(t, err)\n\tuser1, _, err = httpdtest.GetUserByUsername(user1.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, role.Name, user1.Role)\n\n\trole, _, err = httpdtest.GetRoleByName(role.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Len(t, role.Admins, 1) {\n\t\tassert.Equal(t, admin.Username, role.Admins[0])\n\t}\n\tif assert.Len(t, role.Users, 1) {\n\t\tassert.Equal(t, user1.Username, role.Users[0])\n\t}\n\troles, _, err := httpdtest.GetRoles(0, 0, http.StatusOK)\n\tassert.NoError(t, err)\n\tfor _, r := range roles {\n\t\tif r.Name == role.Name {\n\t\t\tif assert.Len(t, role.Admins, 1) {\n\t\t\t\tassert.Equal(t, admin.Username, role.Admins[0])\n\t\t\t}\n\t\t\tif assert.Len(t, role.Users, 1) {\n\t\t\t\tassert.Equal(t, user1.Username, role.Users[0])\n\t\t\t}\n\t\t}\n\t}\n\n\tu2 := getTestUser()\n\tuser2, _, err := httpdtest.AddUser(u2, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\t// the global admin can list all users\n\tusers, _, err := httpdtest.GetUsers(0, 0, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.GreaterOrEqual(t, len(users), 2)\n\t_, _, err = httpdtest.GetUserByUsername(user1.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetUserByUsername(user2.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\t// the role admin can only list users with its role\n\ttoken, _, err := httpdtest.GetToken(altAdminUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\thttpdtest.SetJWTToken(token)\n\tusers, _, err = httpdtest.GetUsers(0, 0, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, users, 1)\n\t_, _, err = httpdtest.GetUserByUsername(user1.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetUserByUsername(user2.Username, http.StatusNotFound)\n\tassert.NoError(t, err)\n\t// the role admin can only update/delete users with its role\n\t_, _, err = httpdtest.UpdateUser(user1, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.UpdateUser(user2, http.StatusNotFound, \"\")\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user2, http.StatusNotFound)\n\tassert.NoError(t, err)\n\t// new users created by a role admin have the same role\n\tu3 := getTestUser()\n\tu3.Username = defaultUsername + \"3\"\n\t_, _, err = httpdtest.AddUser(u3, http.StatusCreated)\n\tif assert.Error(t, err) {\n\t\tassert.Equal(t, err.Error(), \"role mismatch\")\n\t}\n\n\tuser3, _, err := httpdtest.GetUserByUsername(u3.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, role.Name, user3.Role)\n\n\t_, err = httpdtest.RemoveUser(user3, http.StatusOK)\n\tassert.NoError(t, err)\n\n\thttpdtest.SetJWTToken(\"\")\n\n\trole, _, err = httpdtest.GetRoleByName(role.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, role.Admins, []string{altAdminUsername})\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveRole(role, http.StatusOK)\n\tassert.NoError(t, err)\n\tuser1, _, err = httpdtest.GetUserByUsername(user1.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Empty(t, user1.Role)\n\t_, err = httpdtest.RemoveUser(user1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user2, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestRSAKeyInvalidSize(t *testing.T) {\n\tu := getTestUser()\n\tu.PublicKeys = append(u.PublicKeys, rsa1024PubKey)\n\t_, resp, err := httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err, string(resp))\n\tassert.Contains(t, string(resp), \"invalid size\")\n\tu = getTestSFTPUser()\n\tu.FsConfig.SFTPConfig.Password = nil\n\tu.FsConfig.SFTPConfig.PrivateKey = kms.NewPlainSecret(rsa1024PrivKey)\n\t_, resp, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err, string(resp))\n\tassert.Contains(t, string(resp), \"rsa key with size 1024 not accepted\")\n}\n\nfunc TestTLSCert(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.TLSCerts = []string{\"not a cert\"}\n\t_, resp, err := httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err, string(resp))\n\tassert.Contains(t, string(resp), \"invalid TLS certificate\")\n\n\tu.Filters.TLSCerts = []string{httpsCert}\n\tuser, resp, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tif assert.Len(t, user.Filters.TLSCerts, 1) {\n\t\tassert.Equal(t, httpsCert, user.Filters.TLSCerts[0])\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestSortRelatedFolders(t *testing.T) {\n\tfolder1 := util.GenerateUniqueID()\n\tfolder2 := util.GenerateUniqueID()\n\tfolder3 := util.GenerateUniqueID()\n\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folder1,\n\t\tMappedPath: filepath.Clean(os.TempDir()),\n\t}\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folder2,\n\t\tMappedPath: filepath.Clean(os.TempDir()),\n\t}\n\tf3 := vfs.BaseVirtualFolder{\n\t\tName: folder3,\n\t\tMappedPath: filepath.Clean(os.TempDir()),\n\t}\n\t_, _, err := httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.AddFolder(f3, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tu := getTestUser()\n\tu.VirtualFolders = []vfs.VirtualFolder{\n\t\t{\n\t\t\tBaseVirtualFolder: f1,\n\t\t\tVirtualPath: \"/\" + folder1,\n\t\t},\n\t\t{\n\t\t\tBaseVirtualFolder: f2,\n\t\t\tVirtualPath: \"/\" + folder2,\n\t\t},\n\t\t{\n\t\t\tBaseVirtualFolder: f3,\n\t\t\tVirtualPath: \"/\" + folder3,\n\t\t},\n\t}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Len(t, user.VirtualFolders, 3) {\n\t\tassert.Equal(t, folder1, user.VirtualFolders[0].Name)\n\t\tassert.Equal(t, folder2, user.VirtualFolders[1].Name)\n\t\tassert.Equal(t, folder3, user.VirtualFolders[2].Name)\n\t}\n\t// Update\n\tuser.VirtualFolders = []vfs.VirtualFolder{\n\t\t{\n\t\t\tBaseVirtualFolder: f2,\n\t\t\tVirtualPath: \"/\" + folder2,\n\t\t},\n\t\t{\n\t\t\tBaseVirtualFolder: f1,\n\t\t\tVirtualPath: \"/\" + folder1,\n\t\t},\n\t\t{\n\t\t\tBaseVirtualFolder: f3,\n\t\t\tVirtualPath: \"/\" + folder3,\n\t\t},\n\t}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Len(t, user.VirtualFolders, 3) {\n\t\tassert.Equal(t, folder2, user.VirtualFolders[0].Name)\n\t\tassert.Equal(t, folder1, user.VirtualFolders[1].Name)\n\t\tassert.Equal(t, folder3, user.VirtualFolders[2].Name)\n\t}\n\n\tg := getTestGroup()\n\tg.VirtualFolders = []vfs.VirtualFolder{\n\t\t{\n\t\t\tBaseVirtualFolder: f1,\n\t\t\tVirtualPath: \"/\" + folder1,\n\t\t},\n\t\t{\n\t\t\tBaseVirtualFolder: f2,\n\t\t\tVirtualPath: \"/\" + folder2,\n\t\t},\n\t\t{\n\t\t\tBaseVirtualFolder: f3,\n\t\t\tVirtualPath: \"/\" + folder3,\n\t\t},\n\t}\n\tgroup, _, err := httpdtest.AddGroup(g, http.StatusCreated)\n\tassert.NoError(t, err)\n\tgroup, _, err = httpdtest.GetGroupByName(group.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Len(t, group.VirtualFolders, 3) {\n\t\tassert.Equal(t, folder1, group.VirtualFolders[0].Name)\n\t\tassert.Equal(t, folder2, group.VirtualFolders[1].Name)\n\t\tassert.Equal(t, folder3, group.VirtualFolders[2].Name)\n\t}\n\tgroup, _, err = httpdtest.GetGroupByName(group.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tgroup.VirtualFolders = []vfs.VirtualFolder{\n\t\t{\n\t\t\tBaseVirtualFolder: f3,\n\t\t\tVirtualPath: \"/\" + folder3,\n\t\t},\n\t\t{\n\t\t\tBaseVirtualFolder: f1,\n\t\t\tVirtualPath: \"/\" + folder1,\n\t\t},\n\t\t{\n\t\t\tBaseVirtualFolder: f2,\n\t\t\tVirtualPath: \"/\" + folder2,\n\t\t},\n\t}\n\tgroup, _, err = httpdtest.UpdateGroup(group, http.StatusOK)\n\tassert.NoError(t, err)\n\tgroup, _, err = httpdtest.GetGroupByName(group.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Len(t, group.VirtualFolders, 3) {\n\t\tassert.Equal(t, folder3, group.VirtualFolders[0].Name)\n\t\tassert.Equal(t, folder1, group.VirtualFolders[1].Name)\n\t\tassert.Equal(t, folder2, group.VirtualFolders[2].Name)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group, http.StatusOK)\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveFolder(f1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(f2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(f3, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestSortRelatedGroups(t *testing.T) {\n\tname1 := util.GenerateUniqueID()\n\tname2 := util.GenerateUniqueID()\n\tname3 := util.GenerateUniqueID()\n\n\tg1 := getTestGroup()\n\tg1.Name = name1\n\tg2 := getTestGroup()\n\tg2.Name = name2\n\tg3 := getTestGroup()\n\tg3.Name = name3\n\n\tgroup1, _, err := httpdtest.AddGroup(g1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tgroup2, _, err := httpdtest.AddGroup(g2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tgroup3, _, err := httpdtest.AddGroup(g3, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tu := getTestUser()\n\tu.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: name1,\n\t\t},\n\t}\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: name1,\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t\t{\n\t\t\tName: name2,\n\t\t\tType: sdk.GroupTypeSecondary,\n\t\t},\n\t\t{\n\t\t\tName: name3,\n\t\t\tType: sdk.GroupTypeMembership,\n\t\t},\n\t}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Len(t, user.Groups, 3) {\n\t\tassert.Equal(t, name1, user.Groups[0].Name)\n\t\tassert.Equal(t, name2, user.Groups[1].Name)\n\t\tassert.Equal(t, name3, user.Groups[2].Name)\n\t}\n\tuser.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: name2,\n\t\t\tType: sdk.GroupTypeSecondary,\n\t\t},\n\t\t{\n\t\t\tName: name3,\n\t\t\tType: sdk.GroupTypeMembership,\n\t\t},\n\t\t{\n\t\t\tName: name1,\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Len(t, user.Groups, 3) {\n\t\tassert.Equal(t, name2, user.Groups[0].Name)\n\t\tassert.Equal(t, name3, user.Groups[1].Name)\n\t\tassert.Equal(t, name1, user.Groups[2].Name)\n\t}\n\n\ta := getTestAdmin()\n\ta.Username = altAdminUsername\n\ta.Groups = []dataprovider.AdminGroupMapping{\n\t\t{\n\t\t\tName: name3,\n\t\t\tOptions: dataprovider.AdminGroupMappingOptions{\n\t\t\t\tAddToUsersAs: dataprovider.GroupAddToUsersAsSecondary,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tName: name2,\n\t\t\tOptions: dataprovider.AdminGroupMappingOptions{\n\t\t\t\tAddToUsersAs: dataprovider.GroupAddToUsersAsPrimary,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tName: name1,\n\t\t\tOptions: dataprovider.AdminGroupMappingOptions{\n\t\t\t\tAddToUsersAs: dataprovider.GroupAddToUsersAsMembership,\n\t\t\t},\n\t\t},\n\t}\n\tadmin, _, err := httpdtest.AddAdmin(a, http.StatusCreated)\n\tassert.NoError(t, err)\n\tadmin, _, err = httpdtest.GetAdminByUsername(admin.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Len(t, admin.Groups, 3) {\n\t\tassert.Equal(t, name3, admin.Groups[0].Name)\n\t\tassert.Equal(t, name2, admin.Groups[1].Name)\n\t\tassert.Equal(t, name1, admin.Groups[2].Name)\n\t}\n\tadmin.Groups = []dataprovider.AdminGroupMapping{\n\t\t{\n\t\t\tName: name1,\n\t\t\tOptions: dataprovider.AdminGroupMappingOptions{\n\t\t\t\tAddToUsersAs: dataprovider.GroupAddToUsersAsPrimary,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tName: name3,\n\t\t\tOptions: dataprovider.AdminGroupMappingOptions{\n\t\t\t\tAddToUsersAs: dataprovider.GroupAddToUsersAsMembership,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tName: name2,\n\t\t\tOptions: dataprovider.AdminGroupMappingOptions{\n\t\t\t\tAddToUsersAs: dataprovider.GroupAddToUsersAsSecondary,\n\t\t\t},\n\t\t},\n\t}\n\tadmin, _, err = httpdtest.UpdateAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\tadmin, _, err = httpdtest.GetAdminByUsername(admin.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Len(t, admin.Groups, 3) {\n\t\tassert.Equal(t, name1, admin.Groups[0].Name)\n\t\tassert.Equal(t, name3, admin.Groups[1].Name)\n\t\tassert.Equal(t, name2, admin.Groups[2].Name)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group3, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestBasicGroupHandling(t *testing.T) {\n\tg := getTestGroup()\n\tg.UserSettings.Filters.TLSCerts = []string{\"invalid cert\"} // ignored for groups\n\tgroup, _, err := httpdtest.AddGroup(g, http.StatusCreated)\n\tassert.NoError(t, err)\n\tassert.Greater(t, group.CreatedAt, int64(0))\n\tassert.Greater(t, group.UpdatedAt, int64(0))\n\tassert.Len(t, group.UserSettings.Filters.TLSCerts, 0)\n\tgroupGet, _, err := httpdtest.GetGroupByName(group.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, group, groupGet)\n\tgroups, _, err := httpdtest.GetGroups(0, 0, http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Len(t, groups, 1) {\n\t\tassert.Equal(t, group, groups[0])\n\t}\n\tgroups, _, err = httpdtest.GetGroups(0, 1, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, groups, 0)\n\t_, _, err = httpdtest.GetGroupByName(group.Name+\"_\", http.StatusNotFound)\n\tassert.NoError(t, err)\n\t// adding the same group again should fail\n\t_, _, err = httpdtest.AddGroup(g, http.StatusConflict)\n\tassert.NoError(t, err)\n\n\tgroup.UserSettings.HomeDir = filepath.Join(os.TempDir(), \"%username%\")\n\tgroup.UserSettings.FsConfig.Provider = sdk.SFTPFilesystemProvider\n\tgroup.UserSettings.FsConfig.SFTPConfig.Endpoint = sftpServerAddr\n\tgroup.UserSettings.FsConfig.SFTPConfig.Username = defaultUsername\n\tgroup.UserSettings.FsConfig.SFTPConfig.Password = kms.NewPlainSecret(defaultPassword)\n\tgroup.UserSettings.Permissions = map[string][]string{\n\t\t\"/\": {dataprovider.PermAny},\n\t}\n\tgroup.UserSettings.Filters.AllowedIP = []string{\"10.0.0.0/8\"}\n\tgroup, _, err = httpdtest.UpdateGroup(group, http.StatusOK)\n\tassert.NoError(t, err)\n\tgroupGet, _, err = httpdtest.GetGroupByName(group.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, groupGet.UserSettings.Permissions, 1)\n\tassert.Len(t, groupGet.UserSettings.Filters.AllowedIP, 1)\n\n\t// update again and check that the password was preserved\n\tdbGroup, err := dataprovider.GroupExists(group.Name)\n\tassert.NoError(t, err)\n\tgroup.UserSettings.FsConfig.SFTPConfig.Password = kms.NewSecret(\n\t\tdbGroup.UserSettings.FsConfig.SFTPConfig.Password.GetStatus(),\n\t\tdbGroup.UserSettings.FsConfig.SFTPConfig.Password.GetPayload(), \"\", \"\")\n\tgroup.UserSettings.Permissions = nil\n\tgroup.UserSettings.Filters.AllowedIP = nil\n\tgroup, _, err = httpdtest.UpdateGroup(group, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, group.UserSettings.Permissions, 0)\n\tassert.Len(t, group.UserSettings.Filters.AllowedIP, 0)\n\tdbGroup, err = dataprovider.GroupExists(group.Name)\n\tassert.NoError(t, err)\n\terr = dbGroup.UserSettings.FsConfig.SFTPConfig.Password.Decrypt()\n\tassert.NoError(t, err)\n\tassert.Equal(t, defaultPassword, dbGroup.UserSettings.FsConfig.SFTPConfig.Password.GetPayload())\n\t// check the group permissions\n\tgroupGet, _, err = httpdtest.GetGroupByName(group.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, groupGet.UserSettings.Permissions, 0)\n\n\tgroup.UserSettings.HomeDir = \"relative path\"\n\t_, _, err = httpdtest.UpdateGroup(group, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveGroup(group, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.UpdateGroup(group, http.StatusNotFound)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group, http.StatusNotFound)\n\tassert.NoError(t, err)\n}\n\nfunc TestGroupRelations(t *testing.T) {\n\tmappedPath1 := filepath.Join(os.TempDir(), util.GenerateUniqueID())\n\tfolderName1 := filepath.Base(mappedPath1)\n\tmappedPath2 := filepath.Join(os.TempDir(), util.GenerateUniqueID())\n\tfolderName2 := filepath.Base(mappedPath2)\n\t_, _, err := httpdtest.AddFolder(vfs.BaseVirtualFolder{\n\t\tName: folderName2,\n\t\tMappedPath: mappedPath2,\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tOSConfig: sdk.OSFsConfig{\n\t\t\t\tReadBufferSize: 3,\n\t\t\t\tWriteBufferSize: 5,\n\t\t\t},\n\t\t},\n\t}, http.StatusCreated)\n\tassert.NoError(t, err)\n\tg1 := getTestGroup()\n\tg1.Name += \"_1\"\n\tg1.VirtualFolders = append(g1.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: \"/vdir1\",\n\t})\n\tg2 := getTestGroup()\n\tg2.Name += \"_2\"\n\tg2.VirtualFolders = append(g2.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: \"/vdir2\",\n\t})\n\tg3 := getTestGroup()\n\tg3.Name += \"_3\"\n\tg3.VirtualFolders = append(g3.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: \"/vdir3\",\n\t})\n\t_, _, err = httpdtest.AddGroup(g1, http.StatusCreated)\n\tassert.Error(t, err, \"adding a group with a missing folder must fail\")\n\t_, _, err = httpdtest.AddFolder(vfs.BaseVirtualFolder{\n\t\tName: folderName1,\n\t\tMappedPath: mappedPath1,\n\t}, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tgroup1, resp, err := httpdtest.AddGroup(g1, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tassert.Len(t, group1.VirtualFolders, 1)\n\tgroup2, resp, err := httpdtest.AddGroup(g2, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tassert.Len(t, group2.VirtualFolders, 1)\n\tgroup3, resp, err := httpdtest.AddGroup(g3, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tassert.Len(t, group3.VirtualFolders, 1)\n\n\tfolder1, _, err := httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, folder1.Groups, 3)\n\tfolder2, _, err := httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, folder2.Groups, 0)\n\n\tgroup1.VirtualFolders = append(group1.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: folder2,\n\t\tVirtualPath: \"/vfolder2\",\n\t})\n\tgroup1, _, err = httpdtest.UpdateGroup(group1, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, group1.VirtualFolders, 2)\n\n\tfolder2, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, folder2.Groups, 1)\n\n\tgroup1.VirtualFolders = []vfs.VirtualFolder{\n\t\t{\n\t\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\t\tName: folder1.Name,\n\t\t\t\tMappedPath: folder1.MappedPath,\n\t\t\t},\n\t\t\tVirtualPath: \"/vpathmod\",\n\t\t},\n\t}\n\tgroup1, _, err = httpdtest.UpdateGroup(group1, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, group1.VirtualFolders, 1)\n\n\tfolder2, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, folder2.Groups, 0)\n\n\tgroup1.VirtualFolders = append(group1.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: folder2,\n\t\tVirtualPath: \"/vfolder2mod\",\n\t})\n\tgroup1, _, err = httpdtest.UpdateGroup(group1, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, group1.VirtualFolders, 2)\n\n\tfolder2, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, folder2.Groups, 1)\n\n\tu := getTestUser()\n\tu.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: group1.Name,\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t\t{\n\t\t\tName: group2.Name,\n\t\t\tType: sdk.GroupTypeSecondary,\n\t\t},\n\t\t{\n\t\t\tName: group3.Name,\n\t\t\tType: sdk.GroupTypeSecondary,\n\t\t},\n\t}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tif assert.Len(t, user.Groups, 3) {\n\t\tfor _, g := range user.Groups {\n\t\t\tif g.Name == group1.Name {\n\t\t\t\tassert.Equal(t, sdk.GroupTypePrimary, g.Type)\n\t\t\t} else {\n\t\t\t\tassert.Equal(t, sdk.GroupTypeSecondary, g.Type)\n\t\t\t}\n\t\t}\n\t}\n\tgroup1, _, err = httpdtest.GetGroupByName(group1.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, group1.Users, 1)\n\tgroup2, _, err = httpdtest.GetGroupByName(group2.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, group2.Users, 1)\n\tgroup3, _, err = httpdtest.GetGroupByName(group3.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, group3.Users, 1)\n\n\tuser.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: group3.Name,\n\t\t\tType: sdk.GroupTypeSecondary,\n\t\t},\n\t}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tassert.Len(t, user.Groups, 1)\n\n\tgroup1, _, err = httpdtest.GetGroupByName(group1.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, group1.Users, 0)\n\tgroup2, _, err = httpdtest.GetGroupByName(group2.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, group2.Users, 0)\n\tgroup3, _, err = httpdtest.GetGroupByName(group3.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, group3.Users, 1)\n\n\tuser.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: group1.Name,\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t\t{\n\t\t\tName: group2.Name,\n\t\t\tType: sdk.GroupTypeSecondary,\n\t\t},\n\t\t{\n\t\t\tName: group3.Name,\n\t\t\tType: sdk.GroupTypeSecondary,\n\t\t},\n\t}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tassert.Len(t, user.Groups, 3)\n\n\tgroup1, _, err = httpdtest.GetGroupByName(group1.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, group1.Users, 1)\n\tgroup2, _, err = httpdtest.GetGroupByName(group2.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, group2.Users, 1)\n\tgroup3, _, err = httpdtest.GetGroupByName(group3.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, group3.Users, 1)\n\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(folder1, http.StatusOK)\n\tassert.NoError(t, err)\n\tgroup1, _, err = httpdtest.GetGroupByName(group1.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, group1.Users, 0)\n\tassert.Len(t, group1.VirtualFolders, 1)\n\tgroup2, _, err = httpdtest.GetGroupByName(group2.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, group2.Users, 0)\n\tassert.Len(t, group2.VirtualFolders, 0)\n\tgroup3, _, err = httpdtest.GetGroupByName(group3.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, group3.Users, 0)\n\tassert.Len(t, group3.VirtualFolders, 0)\n\t_, err = httpdtest.RemoveGroup(group1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group3, http.StatusOK)\n\tassert.NoError(t, err)\n\tfolder2, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, folder2.Groups, 0)\n\t_, err = httpdtest.RemoveFolder(folder2, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestGroupValidation(t *testing.T) {\n\tgroup := getTestGroup()\n\tgroup.VirtualFolders = []vfs.VirtualFolder{\n\t\t{\n\t\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\t\tName: util.GenerateUniqueID(),\n\t\t\t\tMappedPath: filepath.Join(os.TempDir(), util.GenerateUniqueID()),\n\t\t\t},\n\t\t},\n\t}\n\t_, resp, err := httpdtest.AddGroup(group, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"virtual path is mandatory\")\n\tgroup.VirtualFolders = nil\n\tgroup.UserSettings.FsConfig.Provider = sdk.SFTPFilesystemProvider\n\t_, resp, err = httpdtest.AddGroup(group, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"endpoint cannot be empty\")\n\tgroup.UserSettings.FsConfig.Provider = sdk.LocalFilesystemProvider\n\tgroup.UserSettings.Permissions = map[string][]string{\n\t\t\"a\": nil,\n\t}\n\t_, resp, err = httpdtest.AddGroup(group, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"cannot set permissions for non absolute path\")\n\tgroup.UserSettings.Permissions = map[string][]string{\n\t\t\"/\": nil,\n\t}\n\t_, resp, err = httpdtest.AddGroup(group, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"no permissions granted\")\n\tgroup.UserSettings.Permissions = map[string][]string{\n\t\t\"/..\": nil,\n\t}\n\t_, resp, err = httpdtest.AddGroup(group, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"cannot set permissions for invalid subdirectory\")\n\tgroup.UserSettings.Permissions = map[string][]string{\n\t\t\"/\": {dataprovider.PermAny},\n\t}\n\tgroup.UserSettings.HomeDir = \"relative\"\n\t_, resp, err = httpdtest.AddGroup(group, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"home_dir must be an absolute path\")\n\tgroup.UserSettings.HomeDir = \"\"\n\tgroup.UserSettings.Filters.WebClient = []string{\"invalid permission\"}\n\t_, resp, err = httpdtest.AddGroup(group, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid web client options\")\n}\n\nfunc TestGroupSettingsOverride(t *testing.T) {\n\tmappedPath1 := filepath.Join(os.TempDir(), util.GenerateUniqueID())\n\tfolderName1 := filepath.Base(mappedPath1)\n\tmappedPath2 := filepath.Join(os.TempDir(), util.GenerateUniqueID())\n\tfolderName2 := filepath.Base(mappedPath2)\n\tmappedPath3 := filepath.Join(os.TempDir(), util.GenerateUniqueID())\n\tfolderName3 := filepath.Base(mappedPath3)\n\tg1 := getTestGroup()\n\tg1.Name += \"_1\"\n\tg1.VirtualFolders = append(g1.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: \"/vdir1\",\n\t})\n\tg1.UserSettings.Permissions = map[string][]string{\n\t\t\"/dir1\": {dataprovider.PermUpload},\n\t\t\"/dir2\": {dataprovider.PermDownload, dataprovider.PermListItems},\n\t}\n\tg1.UserSettings.FsConfig.OSConfig = sdk.OSFsConfig{\n\t\tReadBufferSize: 6,\n\t\tWriteBufferSize: 2,\n\t}\n\tg2 := getTestGroup()\n\tg2.Name += \"_2\"\n\tg2.UserSettings.Permissions = map[string][]string{\n\t\t\"/dir1\": {dataprovider.PermAny},\n\t\t\"/dir3\": {dataprovider.PermDownload, dataprovider.PermListItems, dataprovider.PermChtimes},\n\t}\n\tg2.VirtualFolders = append(g2.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: \"/vdir2\",\n\t})\n\tg2.VirtualFolders = append(g2.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t},\n\t\tVirtualPath: \"/vdir3\",\n\t})\n\tg2.VirtualFolders = append(g2.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName3,\n\t\t},\n\t\tVirtualPath: \"/vdir4\",\n\t})\n\tg2.UserSettings.Filters.AccessTime = []sdk.TimePeriod{\n\t\t{\n\t\t\tDayOfWeek: int(time.Now().UTC().Weekday()),\n\t\t\tFrom: \"00:00\",\n\t\t\tTo: \"23:59\",\n\t\t},\n\t}\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderName1,\n\t\tMappedPath: mappedPath1,\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tOSConfig: sdk.OSFsConfig{\n\t\t\t\tReadBufferSize: 3,\n\t\t\t\tWriteBufferSize: 5,\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err := httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName2,\n\t\tMappedPath: mappedPath2,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf3 := vfs.BaseVirtualFolder{\n\t\tName: folderName3,\n\t\tMappedPath: mappedPath3,\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tOSConfig: sdk.OSFsConfig{\n\t\t\t\tReadBufferSize: 1,\n\t\t\t\tWriteBufferSize: 2,\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err = httpdtest.AddFolder(f3, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tgroup1, resp, err := httpdtest.AddGroup(g1, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tgroup2, resp, err := httpdtest.AddGroup(g2, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tu := getTestUser()\n\tu.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: group1.Name,\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t\t{\n\t\t\tName: group2.Name,\n\t\t\tType: sdk.GroupTypeSecondary,\n\t\t},\n\t}\n\n\tr := getTestRole()\n\trole, _, err := httpdtest.AddRole(r, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu.Role = role.Name\n\tuser, resp, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tassert.Len(t, user.VirtualFolders, 0)\n\tassert.Len(t, user.Permissions, 1)\n\n\tuser, err = dataprovider.CheckUserAndPass(defaultUsername, defaultPassword, \"\", common.ProtocolHTTP)\n\tassert.NoError(t, err)\n\n\tvar folderNames []string\n\tif assert.Len(t, user.VirtualFolders, 4) {\n\t\tfor _, f := range user.VirtualFolders {\n\t\t\tif !slices.Contains(folderNames, f.Name) {\n\t\t\t\tfolderNames = append(folderNames, f.Name)\n\t\t\t}\n\t\t\tswitch f.Name {\n\t\t\tcase folderName1:\n\t\t\t\tassert.Equal(t, mappedPath1, f.MappedPath)\n\t\t\t\tassert.Equal(t, 3, f.FsConfig.OSConfig.ReadBufferSize)\n\t\t\t\tassert.Equal(t, 5, f.FsConfig.OSConfig.WriteBufferSize)\n\t\t\t\tassert.True(t, slices.Contains([]string{\"/vdir1\", \"/vdir2\"}, f.VirtualPath))\n\t\t\tcase folderName2:\n\t\t\t\tassert.Equal(t, mappedPath2, f.MappedPath)\n\t\t\t\tassert.Equal(t, \"/vdir3\", f.VirtualPath)\n\t\t\t\tassert.Equal(t, 0, f.FsConfig.OSConfig.ReadBufferSize)\n\t\t\t\tassert.Equal(t, 0, f.FsConfig.OSConfig.WriteBufferSize)\n\t\t\tcase folderName3:\n\t\t\t\tassert.Equal(t, mappedPath3, f.MappedPath)\n\t\t\t\tassert.Equal(t, \"/vdir4\", f.VirtualPath)\n\t\t\t\tassert.Equal(t, 1, f.FsConfig.OSConfig.ReadBufferSize)\n\t\t\t\tassert.Equal(t, 2, f.FsConfig.OSConfig.WriteBufferSize)\n\t\t\t}\n\t\t}\n\t}\n\tassert.Len(t, folderNames, 3)\n\tassert.Contains(t, folderNames, folderName1)\n\tassert.Contains(t, folderNames, folderName2)\n\tassert.Contains(t, folderNames, folderName3)\n\tassert.Len(t, user.Permissions, 4)\n\tassert.Equal(t, g1.UserSettings.Permissions[\"/dir1\"], user.Permissions[\"/dir1\"])\n\tassert.Equal(t, g1.UserSettings.Permissions[\"/dir2\"], user.Permissions[\"/dir2\"])\n\tassert.Equal(t, g2.UserSettings.Permissions[\"/dir3\"], user.Permissions[\"/dir3\"])\n\tassert.Equal(t, g1.UserSettings.FsConfig.OSConfig.ReadBufferSize, user.FsConfig.OSConfig.ReadBufferSize)\n\tassert.Equal(t, g1.UserSettings.FsConfig.OSConfig.WriteBufferSize, user.FsConfig.OSConfig.WriteBufferSize)\n\tassert.Len(t, user.Filters.AccessTime, 1)\n\n\tuser, err = dataprovider.GetUserAfterIDPAuth(defaultUsername, \"\", common.ProtocolOIDC, nil)\n\tassert.NoError(t, err)\n\tassert.Len(t, user.VirtualFolders, 4)\n\tassert.Len(t, user.Filters.AccessTime, 1)\n\n\tuser1, user2, err := dataprovider.GetUserVariants(defaultUsername, \"\")\n\tassert.NoError(t, err)\n\tassert.Len(t, user1.VirtualFolders, 0)\n\tassert.Len(t, user2.VirtualFolders, 4)\n\tassert.Equal(t, int64(0), user1.ExpirationDate)\n\tassert.Equal(t, int64(0), user2.ExpirationDate)\n\tassert.Len(t, user1.Filters.AccessTime, 0)\n\tassert.Len(t, user2.Filters.AccessTime, 1)\n\n\tgroup2.UserSettings.FsConfig = vfs.Filesystem{\n\t\tProvider: sdk.SFTPFilesystemProvider,\n\t\tSFTPConfig: vfs.SFTPFsConfig{\n\t\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\t\tEndpoint: sftpServerAddr,\n\t\t\t\tUsername: defaultUsername,\n\t\t\t},\n\t\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t\t},\n\t}\n\tgroup2.UserSettings.Permissions = map[string][]string{\n\t\t\"/\": {dataprovider.PermListItems, dataprovider.PermDownload},\n\t\t\"/%username%\": {dataprovider.PermListItems},\n\t}\n\tgroup2.UserSettings.DownloadBandwidth = 128\n\tgroup2.UserSettings.UploadBandwidth = 256\n\tgroup2.UserSettings.Filters.PasswordStrength = 70\n\tgroup2.UserSettings.Filters.WebClient = []string{sdk.WebClientInfoChangeDisabled, sdk.WebClientMFADisabled}\n\t_, _, err = httpdtest.UpdateGroup(group2, http.StatusOK)\n\tassert.NoError(t, err)\n\tuser, err = dataprovider.CheckUserAndPass(defaultUsername, defaultPassword, \"\", common.ProtocolHTTP)\n\tassert.NoError(t, err)\n\tassert.Len(t, user.VirtualFolders, 4)\n\tassert.Equal(t, sdk.LocalFilesystemProvider, user.FsConfig.Provider)\n\tassert.Equal(t, int64(0), user.DownloadBandwidth)\n\tassert.Equal(t, int64(0), user.UploadBandwidth)\n\tassert.Equal(t, 0, user.Filters.PasswordStrength)\n\tassert.Equal(t, []string{dataprovider.PermAny}, user.GetPermissionsForPath(\"/\"))\n\tassert.Equal(t, []string{dataprovider.PermListItems}, user.GetPermissionsForPath(\"/\"+defaultUsername))\n\tassert.Len(t, user.Filters.WebClient, 2)\n\n\tgroup1.UserSettings.FsConfig = vfs.Filesystem{\n\t\tProvider: sdk.SFTPFilesystemProvider,\n\t\tSFTPConfig: vfs.SFTPFsConfig{\n\t\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\t\tEndpoint: sftpServerAddr,\n\t\t\t\tUsername: altAdminUsername,\n\t\t\t\tPrefix: \"/dirs/%role%/%username%\",\n\t\t\t},\n\t\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t\t},\n\t}\n\tgroup1.UserSettings.MaxSessions = 2\n\tgroup1.UserSettings.QuotaFiles = 1000\n\tgroup1.UserSettings.UploadBandwidth = 512\n\tgroup1.UserSettings.DownloadBandwidth = 1024\n\tgroup1.UserSettings.TotalDataTransfer = 2048\n\tgroup1.UserSettings.ExpiresIn = 15\n\tgroup1.UserSettings.Filters.MaxUploadFileSize = 1024 * 1024\n\tgroup1.UserSettings.Filters.StartDirectory = \"/startdir/%username%\"\n\tgroup1.UserSettings.Filters.PasswordStrength = 70\n\tgroup1.UserSettings.Filters.WebClient = []string{sdk.WebClientInfoChangeDisabled}\n\tgroup1.UserSettings.Permissions = map[string][]string{\n\t\t\"/\": {dataprovider.PermListItems, dataprovider.PermUpload},\n\t\t\"/sub/%username%\": {dataprovider.PermRename},\n\t\t\"/%role%/%username%\": {dataprovider.PermDelete},\n\t}\n\tgroup1.UserSettings.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: \"/sub2/%role%/%username%test\",\n\t\t\tAllowedPatterns: []string{},\n\t\t\tDeniedPatterns: []string{\"*.jpg\", \"*.zip\"},\n\t\t},\n\t}\n\t_, _, err = httpdtest.UpdateGroup(group1, http.StatusOK)\n\tassert.NoError(t, err)\n\tuser, err = dataprovider.CheckUserAndPass(defaultUsername, defaultPassword, \"\", common.ProtocolHTTP)\n\tassert.NoError(t, err)\n\tassert.Len(t, user.VirtualFolders, 4)\n\tassert.Equal(t, user.CreatedAt+int64(group1.UserSettings.ExpiresIn)*86400000, user.ExpirationDate)\n\tassert.Equal(t, group1.UserSettings.Filters.PasswordStrength, user.Filters.PasswordStrength)\n\tassert.Equal(t, sdk.SFTPFilesystemProvider, user.FsConfig.Provider)\n\tassert.Equal(t, altAdminUsername, user.FsConfig.SFTPConfig.Username)\n\tassert.Equal(t, \"/dirs/\"+role.Name+\"/\"+defaultUsername, user.FsConfig.SFTPConfig.Prefix)\n\tassert.Equal(t, []string{dataprovider.PermListItems, dataprovider.PermUpload}, user.GetPermissionsForPath(\"/\"))\n\tassert.Equal(t, []string{dataprovider.PermDelete}, user.GetPermissionsForPath(path.Join(\"/\", role.Name, defaultUsername)))\n\tassert.Equal(t, []string{dataprovider.PermRename}, user.GetPermissionsForPath(path.Join(\"/sub\", defaultUsername)))\n\tassert.Equal(t, group1.UserSettings.MaxSessions, user.MaxSessions)\n\tassert.Equal(t, group1.UserSettings.QuotaFiles, user.QuotaFiles)\n\tassert.Equal(t, group1.UserSettings.UploadBandwidth, user.UploadBandwidth)\n\tassert.Equal(t, group1.UserSettings.TotalDataTransfer, user.TotalDataTransfer)\n\tassert.Equal(t, group1.UserSettings.Filters.MaxUploadFileSize, user.Filters.MaxUploadFileSize)\n\tassert.Equal(t, \"/startdir/\"+defaultUsername, user.Filters.StartDirectory)\n\tif assert.Len(t, user.Filters.FilePatterns, 1) {\n\t\tassert.Equal(t, \"/sub2/\"+role.Name+\"/\"+defaultUsername+\"test\", user.Filters.FilePatterns[0].Path) //nolint:goconst\n\t}\n\tif assert.Len(t, user.Filters.WebClient, 2) {\n\t\tassert.Contains(t, user.Filters.WebClient, sdk.WebClientInfoChangeDisabled)\n\t\tassert.Contains(t, user.Filters.WebClient, sdk.WebClientMFADisabled)\n\t}\n\t// Attempt to create a user with a weak password and group1 as the primary group: this should fail\n\tu = getTestUser()\n\tu.Username = rand.Text()\n\tu.Password = defaultPassword\n\tu.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: group1.Name,\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"insecure password\")\n\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName1}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName2}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName3}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveRole(role, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestConfigs(t *testing.T) {\n\terr := dataprovider.UpdateConfigs(nil, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tconfigs, err := dataprovider.GetConfigs()\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(0), configs.UpdatedAt)\n\tassert.Nil(t, configs.SFTPD)\n\tassert.Nil(t, configs.SMTP)\n\tconfigs = dataprovider.Configs{\n\t\tSFTPD: &dataprovider.SFTPDConfigs{},\n\t\tSMTP: &dataprovider.SMTPConfigs{},\n\t}\n\terr = dataprovider.UpdateConfigs(&configs, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tconfigs, err = dataprovider.GetConfigs()\n\tassert.NoError(t, err)\n\tassert.Greater(t, configs.UpdatedAt, int64(0))\n\n\tconfigs = dataprovider.Configs{\n\t\tSFTPD: &dataprovider.SFTPDConfigs{\n\t\t\tCiphers: []string{\"unknown\"},\n\t\t},\n\t\tSMTP: &dataprovider.SMTPConfigs{},\n\t}\n\terr = dataprovider.UpdateConfigs(&configs, \"\", \"\", \"\")\n\tassert.ErrorIs(t, err, util.ErrValidation)\n\tconfigs = dataprovider.Configs{\n\t\tSFTPD: &dataprovider.SFTPDConfigs{},\n\t\tSMTP: &dataprovider.SMTPConfigs{\n\t\t\tHost: \"smtp.example.com\",\n\t\t\tPort: -1,\n\t\t},\n\t}\n\terr = dataprovider.UpdateConfigs(&configs, \"\", \"\", \"\")\n\tassert.ErrorIs(t, err, util.ErrValidation)\n\n\tconfigs = dataprovider.Configs{\n\t\tSMTP: &dataprovider.SMTPConfigs{\n\t\t\tHost: \"mail.example.com\",\n\t\t\tPort: 587,\n\t\t\tUser: \"test@example.com\",\n\t\t\tAuthType: 3,\n\t\t\tEncryption: 2,\n\t\t\tOAuth2: dataprovider.SMTPOAuth2{\n\t\t\t\tProvider: 1,\n\t\t\t\tTenant: \"\",\n\t\t\t\tClientID: \"\",\n\t\t\t},\n\t\t},\n\t}\n\terr = dataprovider.UpdateConfigs(&configs, \"\", \"\", \"\")\n\tif assert.ErrorIs(t, err, util.ErrValidation) {\n\t\tassert.Contains(t, err.Error(), \"smtp oauth2: client id is required\")\n\t}\n\tconfigs.SMTP.OAuth2 = dataprovider.SMTPOAuth2{\n\t\tProvider: 1,\n\t\tClientID: \"client id\",\n\t\tClientSecret: kms.NewPlainSecret(\"client secret\"),\n\t\tRefreshToken: kms.NewPlainSecret(\"refresh token\"),\n\t}\n\terr = dataprovider.UpdateConfigs(&configs, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tconfigs, err = dataprovider.GetConfigs()\n\tassert.NoError(t, err)\n\tassert.Equal(t, 3, configs.SMTP.AuthType)\n\tassert.Equal(t, 1, configs.SMTP.OAuth2.Provider)\n\n\terr = dataprovider.UpdateConfigs(nil, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n}\n\nfunc TestBasicIPListEntriesHandling(t *testing.T) {\n\tentry := dataprovider.IPListEntry{\n\t\tIPOrNet: \"::ffff:12.34.56.78\",\n\t\tType: dataprovider.IPListTypeAllowList,\n\t\tMode: dataprovider.ListModeAllow,\n\t\tDescription: \"test desc\",\n\t}\n\t_, _, err := httpdtest.GetIPListEntry(entry.IPOrNet, -1, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.UpdateIPListEntry(entry, http.StatusNotFound)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.AddIPListEntry(entry, http.StatusCreated)\n\tassert.Error(t, err)\n\t// IPv4 address in IPv6 will be converted to standard IPv4\n\tentry1, _, err := httpdtest.GetIPListEntry(\"12.34.56.78/32\", dataprovider.IPListTypeAllowList, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tentry = dataprovider.IPListEntry{\n\t\tIPOrNet: \"192.168.0.0/24\",\n\t\tType: dataprovider.IPListTypeDefender,\n\t\tMode: dataprovider.ListModeDeny,\n\t}\n\tentry2, _, err := httpdtest.AddIPListEntry(entry, http.StatusCreated)\n\tassert.NoError(t, err)\n\t// adding the same entry again should fail\n\t_, _, err = httpdtest.AddIPListEntry(entry, http.StatusConflict)\n\tassert.NoError(t, err)\n\t// adding an entry with an invalid IP should fail\n\tentry.IPOrNet = \"not valid\"\n\t_, _, err = httpdtest.AddIPListEntry(entry, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\t// adding an entry with an incompatible mode should fail\n\tentry.IPOrNet = entry2.IPOrNet\n\tentry.Mode = -1\n\t_, _, err = httpdtest.AddIPListEntry(entry, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tentry.Type = -1\n\t_, _, err = httpdtest.UpdateIPListEntry(entry, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tentry = dataprovider.IPListEntry{\n\t\tIPOrNet: \"2001:4860:4860::8888/120\",\n\t\tType: dataprovider.IPListTypeRateLimiterSafeList,\n\t\tMode: dataprovider.ListModeDeny,\n\t}\n\t_, _, err = httpdtest.AddIPListEntry(entry, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tentry.Mode = dataprovider.ListModeAllow\n\t_, _, err = httpdtest.AddIPListEntry(entry, http.StatusCreated)\n\tassert.NoError(t, err)\n\tentry.Protocols = 3\n\tentry3, _, err := httpdtest.UpdateIPListEntry(entry, http.StatusOK)\n\tassert.NoError(t, err)\n\tentry.Mode = dataprovider.ListModeDeny\n\t_, _, err = httpdtest.UpdateIPListEntry(entry, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\n\tfor _, tt := range []dataprovider.IPListType{dataprovider.IPListTypeAllowList, dataprovider.IPListTypeDefender, dataprovider.IPListTypeRateLimiterSafeList} {\n\t\tentries, _, err := httpdtest.GetIPListEntries(tt, \"\", \"\", dataprovider.OrderASC, 0, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tif assert.Len(t, entries, 1) {\n\t\t\tswitch tt {\n\t\t\tcase dataprovider.IPListTypeAllowList:\n\t\t\t\tassert.Equal(t, entry1, entries[0])\n\t\t\tcase dataprovider.IPListTypeDefender:\n\t\t\t\tassert.Equal(t, entry2, entries[0])\n\t\t\tcase dataprovider.IPListTypeRateLimiterSafeList:\n\t\t\t\tassert.Equal(t, entry3, entries[0])\n\t\t\t}\n\t\t}\n\t}\n\n\t_, _, err = httpdtest.GetIPListEntries(dataprovider.IPListTypeAllowList, \"\", \"\", \"invalid order\", 0, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetIPListEntries(-1, \"\", \"\", dataprovider.OrderASC, 0, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveIPListEntry(entry1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveIPListEntry(entry1, http.StatusNotFound)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveIPListEntry(entry2, http.StatusOK)\n\tassert.NoError(t, err)\n\tentry2.Type = -1\n\t_, err = httpdtest.RemoveIPListEntry(entry2, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveIPListEntry(entry3, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestSearchIPListEntries(t *testing.T) {\n\tentries := []dataprovider.IPListEntry{\n\t\t{\n\t\t\tIPOrNet: \"192.168.0.0/24\",\n\t\t\tType: dataprovider.IPListTypeAllowList,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t\tProtocols: 0,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"192.168.0.1/24\",\n\t\t\tType: dataprovider.IPListTypeAllowList,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t\tProtocols: 0,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"192.168.0.2/24\",\n\t\t\tType: dataprovider.IPListTypeAllowList,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t\tProtocols: 5,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"192.168.0.3/24\",\n\t\t\tType: dataprovider.IPListTypeAllowList,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t\tProtocols: 8,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"10.8.0.0/24\",\n\t\t\tType: dataprovider.IPListTypeAllowList,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t\tProtocols: 3,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"10.8.1.0/24\",\n\t\t\tType: dataprovider.IPListTypeAllowList,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t\tProtocols: 8,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"10.8.2.0/24\",\n\t\t\tType: dataprovider.IPListTypeAllowList,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t\tProtocols: 1,\n\t\t},\n\t}\n\n\tfor _, e := range entries {\n\t\t_, _, err := httpdtest.AddIPListEntry(e, http.StatusCreated)\n\t\tassert.NoError(t, err)\n\t}\n\n\tresults, _, err := httpdtest.GetIPListEntries(dataprovider.IPListTypeAllowList, \"\", \"\", dataprovider.OrderASC, 20, http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Equal(t, len(entries), len(results)) {\n\t\tassert.Equal(t, \"10.8.0.0/24\", results[0].IPOrNet)\n\t}\n\tresults, _, err = httpdtest.GetIPListEntries(dataprovider.IPListTypeAllowList, \"\", \"\", dataprovider.OrderDESC, 20, http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Equal(t, len(entries), len(results)) {\n\t\tassert.Equal(t, \"192.168.0.3/24\", results[0].IPOrNet)\n\t}\n\tresults, _, err = httpdtest.GetIPListEntries(dataprovider.IPListTypeAllowList, \"\", \"192.168.0.1/24\", dataprovider.OrderASC, 1, http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Equal(t, 1, len(results), results) {\n\t\tassert.Equal(t, \"192.168.0.2/24\", results[0].IPOrNet)\n\t}\n\tresults, _, err = httpdtest.GetIPListEntries(dataprovider.IPListTypeAllowList, \"\", \"10.8.2.0/24\", dataprovider.OrderDESC, 1, http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Equal(t, 1, len(results), results) {\n\t\tassert.Equal(t, \"10.8.1.0/24\", results[0].IPOrNet)\n\t}\n\tresults, _, err = httpdtest.GetIPListEntries(dataprovider.IPListTypeAllowList, \"10.\", \"\", dataprovider.OrderASC, 20, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 3, len(results))\n\tresults, _, err = httpdtest.GetIPListEntries(dataprovider.IPListTypeAllowList, \"192\", \"\", dataprovider.OrderASC, 20, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 4, len(results))\n\tresults, _, err = httpdtest.GetIPListEntries(dataprovider.IPListTypeAllowList, \"1\", \"\", dataprovider.OrderASC, 20, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 7, len(results))\n\tresults, _, err = httpdtest.GetIPListEntries(dataprovider.IPListTypeAllowList, \"108\", \"\", dataprovider.OrderASC, 20, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, len(results))\n\n\tfor _, e := range entries {\n\t\t_, err := httpdtest.RemoveIPListEntry(e, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t}\n}\n\nfunc TestIPListEntriesValidation(t *testing.T) {\n\tentry := dataprovider.IPListEntry{\n\t\tIPOrNet: \"::ffff:34.56.78.90/120\",\n\t\tType: -1,\n\t\tMode: dataprovider.ListModeDeny,\n\t}\n\t_, resp, err := httpdtest.AddIPListEntry(entry, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid list type\")\n\tentry.Type = dataprovider.IPListTypeRateLimiterSafeList\n\t_, resp, err = httpdtest.AddIPListEntry(entry, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid list mode\")\n\tentry.Type = dataprovider.IPListTypeDefender\n\t_, _, err = httpdtest.AddIPListEntry(entry, http.StatusCreated)\n\tassert.Error(t, err)\n\tentry.IPOrNet = \"34.56.78.0/24\"\n\t_, err = httpdtest.RemoveIPListEntry(entry, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestBasicActionRulesHandling(t *testing.T) {\n\tactionName := \"test_action\"\n\ta := dataprovider.BaseEventAction{\n\t\tName: actionName,\n\t\tDescription: \"test description\",\n\t\tType: dataprovider.ActionTypeBackup,\n\t\tOptions: dataprovider.BaseEventActionOptions{},\n\t}\n\taction, _, err := httpdtest.AddEventAction(a, http.StatusCreated)\n\tassert.NoError(t, err)\n\t// adding the same action should fail\n\t_, _, err = httpdtest.AddEventAction(a, http.StatusConflict)\n\tassert.NoError(t, err)\n\tactionGet, _, err := httpdtest.GetEventActionByName(actionName, http.StatusOK)\n\tassert.NoError(t, err)\n\tactions, _, err := httpdtest.GetEventActions(0, 0, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Greater(t, len(actions), 0)\n\tfound := false\n\tfor _, ac := range actions {\n\t\tif ac.Name == actionName {\n\t\t\tassert.Equal(t, actionGet, ac)\n\t\t\tfound = true\n\t\t}\n\t}\n\tassert.True(t, found)\n\ta.Description = \"new description\"\n\ta.Type = dataprovider.ActionTypeDataRetentionCheck\n\ta.Options = dataprovider.BaseEventActionOptions{\n\t\tRetentionConfig: dataprovider.EventActionDataRetentionConfig{\n\t\t\tFolders: []dataprovider.FolderRetention{\n\t\t\t\t{\n\t\t\t\t\tPath: \"/\",\n\t\t\t\t\tRetention: 144,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tPath: \"/p1\",\n\t\t\t\t\tRetention: 0,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tPath: \"/p2\",\n\t\t\t\t\tRetention: 12,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err = httpdtest.UpdateEventAction(a, http.StatusOK)\n\tassert.NoError(t, err)\n\ta.Type = dataprovider.ActionTypeCommand\n\ta.Options = dataprovider.BaseEventActionOptions{\n\t\tCmdConfig: dataprovider.EventActionCommandConfig{\n\t\t\tCmd: filepath.Join(os.TempDir(), \"test_cmd\"),\n\t\t\tTimeout: 20,\n\t\t\tEnvVars: []dataprovider.KeyValue{\n\t\t\t\t{\n\t\t\t\t\tKey: \"NAME\",\n\t\t\t\t\tValue: \"VALUE\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\tdataprovider.EnabledActionCommands = []string{a.Options.CmdConfig.Cmd}\n\tdefer func() {\n\t\tdataprovider.EnabledActionCommands = nil\n\t}()\n\t_, _, err = httpdtest.UpdateEventAction(a, http.StatusOK)\n\tassert.NoError(t, err)\n\t// invalid type\n\ta.Type = 1000\n\t_, _, err = httpdtest.UpdateEventAction(a, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\n\ta.Type = dataprovider.ActionTypeEmail\n\ta.Options = dataprovider.BaseEventActionOptions{\n\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\tRecipients: []string{\"email@example.com\"},\n\t\t\tBcc: []string{\"bcc@example.com\"},\n\t\t\tSubject: \"Event: {{.Event}}\",\n\t\t\tBody: \"test mail body\",\n\t\t\tAttachments: []string{\"/{{.VirtualPath}}\"},\n\t\t},\n\t}\n\n\t_, _, err = httpdtest.UpdateEventAction(a, http.StatusOK)\n\tassert.NoError(t, err)\n\n\ta.Type = dataprovider.ActionTypeUserInactivityCheck\n\ta.Options = dataprovider.BaseEventActionOptions{\n\t\tUserInactivityConfig: dataprovider.EventActionUserInactivity{\n\t\t\tDisableThreshold: 10,\n\t\t\tDeleteThreshold: 20,\n\t\t},\n\t}\n\t_, _, err = httpdtest.UpdateEventAction(a, http.StatusOK)\n\tassert.NoError(t, err)\n\n\ta.Type = dataprovider.ActionTypeHTTP\n\ta.Options = dataprovider.BaseEventActionOptions{\n\t\tHTTPConfig: dataprovider.EventActionHTTPConfig{\n\t\t\tEndpoint: \"https://localhost:1234\",\n\t\t\tUsername: defaultUsername,\n\t\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t\t\tHeaders: []dataprovider.KeyValue{\n\t\t\t\t{\n\t\t\t\t\tKey: \"Content-Type\",\n\t\t\t\t\tValue: \"application/json\",\n\t\t\t\t},\n\t\t\t},\n\t\t\tTimeout: 10,\n\t\t\tSkipTLSVerify: true,\n\t\t\tMethod: http.MethodPost,\n\t\t\tQueryParameters: []dataprovider.KeyValue{\n\t\t\t\t{\n\t\t\t\t\tKey: \"a\",\n\t\t\t\t\tValue: \"b\",\n\t\t\t\t},\n\t\t\t},\n\t\t\tBody: `{\"event\":\"{{.Event}}\",\"name\":\"{{.Name}}\"}`,\n\t\t},\n\t}\n\taction, _, err = httpdtest.UpdateEventAction(a, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, action.Options.HTTPConfig.Password.GetStatus())\n\tassert.NotEmpty(t, action.Options.HTTPConfig.Password.GetPayload())\n\tassert.Empty(t, action.Options.HTTPConfig.Password.GetKey())\n\tassert.Empty(t, action.Options.HTTPConfig.Password.GetAdditionalData())\n\t// update again and check that the password was preserved\n\tdbAction, err := dataprovider.EventActionExists(actionName)\n\tassert.NoError(t, err)\n\taction.Options.HTTPConfig.Password = kms.NewSecret(\n\t\tdbAction.Options.HTTPConfig.Password.GetStatus(),\n\t\tdbAction.Options.HTTPConfig.Password.GetPayload(), \"\", \"\")\n\taction, _, err = httpdtest.UpdateEventAction(action, http.StatusOK)\n\tassert.NoError(t, err)\n\tdbAction, err = dataprovider.EventActionExists(actionName)\n\tassert.NoError(t, err)\n\terr = dbAction.Options.HTTPConfig.Password.Decrypt()\n\tassert.NoError(t, err)\n\tassert.Equal(t, defaultPassword, dbAction.Options.HTTPConfig.Password.GetPayload())\n\n\tr := dataprovider.EventRule{\n\t\tName: \"test_rule_name\",\n\t\tStatus: 1,\n\t\tDescription: \"\",\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"upload\"},\n\t\t\tOptions: dataprovider.ConditionOptions{\n\t\t\t\tEventStatuses: []int{2, 3},\n\t\t\t\tMinFileSize: 1024 * 1024,\n\t\t\t},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: actionName,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tIsFailureAction: false,\n\t\t\t\t\tStopOnFailure: true,\n\t\t\t\t\tExecuteSync: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\trule, _, err := httpdtest.AddEventRule(r, http.StatusCreated)\n\tassert.NoError(t, err)\n\t// adding the same rule should fail\n\t_, _, err = httpdtest.AddEventRule(r, http.StatusConflict)\n\tassert.NoError(t, err)\n\n\trule.Description = \"new rule desc\"\n\trule.Trigger = 1000\n\t_, _, err = httpdtest.UpdateEventRule(rule, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\trule.Trigger = dataprovider.EventTriggerFsEvent\n\trule, _, err = httpdtest.UpdateEventRule(rule, http.StatusOK)\n\tassert.NoError(t, err)\n\n\truleGet, _, err := httpdtest.GetEventRuleByName(rule.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Len(t, ruleGet.Actions, 1) {\n\t\tif assert.NotNil(t, ruleGet.Actions[0].BaseEventAction.Options.HTTPConfig.Password) {\n\t\t\tassert.Equal(t, sdkkms.SecretStatusSecretBox, ruleGet.Actions[0].BaseEventAction.Options.HTTPConfig.Password.GetStatus())\n\t\t\tassert.NotEmpty(t, ruleGet.Actions[0].BaseEventAction.Options.HTTPConfig.Password.GetPayload())\n\t\t\tassert.Empty(t, ruleGet.Actions[0].BaseEventAction.Options.HTTPConfig.Password.GetKey())\n\t\t\tassert.Empty(t, ruleGet.Actions[0].BaseEventAction.Options.HTTPConfig.Password.GetAdditionalData())\n\t\t}\n\t}\n\trules, _, err := httpdtest.GetEventRules(0, 0, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Greater(t, len(rules), 0)\n\tfound = false\n\tfor _, ru := range rules {\n\t\tif ru.Name == rule.Name {\n\t\t\tassert.Equal(t, ruleGet, ru)\n\t\t\tfound = true\n\t\t}\n\t}\n\tassert.True(t, found)\n\n\t_, err = httpdtest.RemoveEventRule(rule, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.UpdateEventRule(rule, http.StatusNotFound)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetEventRuleByName(rule.Name, http.StatusNotFound)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventRule(rule, http.StatusNotFound)\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveEventAction(action, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.UpdateEventAction(action, http.StatusNotFound)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetEventActionByName(actionName, http.StatusNotFound)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action, http.StatusNotFound)\n\tassert.NoError(t, err)\n}\n\nfunc TestActionRuleRelations(t *testing.T) {\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: \"action1\",\n\t\tDescription: \"test description\",\n\t\tType: dataprovider.ActionTypeBackup,\n\t\tOptions: dataprovider.BaseEventActionOptions{},\n\t}\n\ta2 := dataprovider.BaseEventAction{\n\t\tName: \"action2\",\n\t\tType: dataprovider.ActionTypeTransferQuotaReset,\n\t\tOptions: dataprovider.BaseEventActionOptions{},\n\t}\n\ta3 := dataprovider.BaseEventAction{\n\t\tName: \"action3\",\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"test@example.net\"},\n\t\t\t\tContentType: 1,\n\t\t\t\tSubject: \"test subject\",\n\t\t\t\tBody: \"test body\",\n\t\t\t},\n\t\t},\n\t}\n\taction1, _, err := httpdtest.AddEventAction(a1, http.StatusCreated)\n\tassert.NoError(t, err)\n\taction2, _, err := httpdtest.AddEventAction(a2, http.StatusCreated)\n\tassert.NoError(t, err)\n\taction3, _, err := httpdtest.AddEventAction(a3, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tr1 := dataprovider.EventRule{\n\t\tName: \"rule1\",\n\t\tDescription: \"\",\n\t\tTrigger: dataprovider.EventTriggerProviderEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tProviderEvents: []string{\"add\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action3.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 2,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tIsFailureAction: true,\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action1.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t},\n\t}\n\trule1, _, err := httpdtest.AddEventRule(r1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tif assert.Len(t, rule1.Actions, 2) {\n\t\tassert.Equal(t, action1.Name, rule1.Actions[0].Name)\n\t\tassert.Equal(t, 1, rule1.Actions[0].Order)\n\t\tassert.Equal(t, action3.Name, rule1.Actions[1].Name)\n\t\tassert.Equal(t, 2, rule1.Actions[1].Order)\n\t\tassert.True(t, rule1.Actions[1].Options.IsFailureAction)\n\t}\n\n\tr2 := dataprovider.EventRule{\n\t\tName: \"rule2\",\n\t\tDescription: \"\",\n\t\tTrigger: dataprovider.EventTriggerSchedule,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tSchedules: []dataprovider.Schedule{\n\t\t\t\t{\n\t\t\t\t\tHours: \"1\",\n\t\t\t\t\tDayOfWeek: \"*\",\n\t\t\t\t\tDayOfMonth: \"*\",\n\t\t\t\t\tMonth: \"*\",\n\t\t\t\t},\n\t\t\t},\n\t\t\tOptions: dataprovider.ConditionOptions{\n\t\t\t\tRoleNames: []dataprovider.ConditionPattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tPattern: \"g*\",\n\t\t\t\t\t\tInverseMatch: true,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action3.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 2,\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tIsFailureAction: true,\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action2.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t},\n\t}\n\trule2, _, err := httpdtest.AddEventRule(r2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tif assert.Len(t, rule1.Actions, 2) {\n\t\tassert.Equal(t, action2.Name, rule2.Actions[0].Name)\n\t\tassert.Equal(t, 1, rule2.Actions[0].Order)\n\t\tassert.Equal(t, action3.Name, rule2.Actions[1].Name)\n\t\tassert.Equal(t, 2, rule2.Actions[1].Order)\n\t\tassert.True(t, rule2.Actions[1].Options.IsFailureAction)\n\t}\n\t// check the references\n\taction1, _, err = httpdtest.GetEventActionByName(action1.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, action1.Rules, 1)\n\tassert.True(t, slices.Contains(action1.Rules, rule1.Name))\n\taction2, _, err = httpdtest.GetEventActionByName(action2.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, action2.Rules, 1)\n\tassert.True(t, slices.Contains(action2.Rules, rule2.Name))\n\taction3, _, err = httpdtest.GetEventActionByName(action3.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, action3.Rules, 2)\n\tassert.True(t, slices.Contains(action3.Rules, rule1.Name))\n\tassert.True(t, slices.Contains(action3.Rules, rule2.Name))\n\t// referenced actions cannot be removed\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action2, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action3, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\t// remove action3 from rule2\n\tr2.Actions = []dataprovider.EventAction{\n\t\t{\n\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\tName: action2.Name,\n\t\t\t},\n\t\t\tOrder: 10,\n\t\t},\n\t}\n\trule2.Status = 1\n\trule2, _, err = httpdtest.UpdateEventRule(r2, http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Len(t, rule2.Actions, 1) {\n\t\tassert.Equal(t, action2.Name, rule2.Actions[0].Name)\n\t\tassert.Equal(t, 10, rule2.Actions[0].Order)\n\t}\n\t// check the updated relation\n\taction3, _, err = httpdtest.GetEventActionByName(action3.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, action3.Rules, 1)\n\tassert.True(t, slices.Contains(action3.Rules, rule1.Name))\n\n\t_, err = httpdtest.RemoveEventRule(rule1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventRule(rule2, http.StatusOK)\n\tassert.NoError(t, err)\n\t// no relations anymore\n\taction1, _, err = httpdtest.GetEventActionByName(action1.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, action1.Rules, 0)\n\taction2, _, err = httpdtest.GetEventActionByName(action2.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, action2.Rules, 0)\n\taction3, _, err = httpdtest.GetEventActionByName(action3.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, action3.Rules, 0)\n\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action3, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestOnDemandEventRules(t *testing.T) {\n\truleName := \"test_on_demand_rule\"\n\ta := dataprovider.BaseEventAction{\n\t\tName: \"a\",\n\t\tType: dataprovider.ActionTypeBackup,\n\t\tOptions: dataprovider.BaseEventActionOptions{},\n\t}\n\taction, _, err := httpdtest.AddEventAction(a, http.StatusCreated)\n\tassert.NoError(t, err)\n\tr := dataprovider.EventRule{\n\t\tName: ruleName,\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerOnDemand,\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: a.Name,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\trule, _, err := httpdtest.AddEventRule(r, http.StatusCreated)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RunOnDemandRule(ruleName, http.StatusAccepted)\n\tassert.NoError(t, err)\n\trule.Status = 0\n\t_, _, err = httpdtest.UpdateEventRule(rule, http.StatusOK)\n\tassert.NoError(t, err)\n\tresp, err := httpdtest.RunOnDemandRule(ruleName, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"is inactive\")\n\n\t_, err = httpdtest.RemoveEventRule(rule, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action, http.StatusOK)\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RunOnDemandRule(ruleName, http.StatusNotFound)\n\tassert.NoError(t, err)\n}\n\nfunc TestIDPLoginEventRule(t *testing.T) {\n\truleName := \"test_IDP_login_rule\"\n\ta := dataprovider.BaseEventAction{\n\t\tName: \"a\",\n\t\tType: dataprovider.ActionTypeIDPAccountCheck,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tIDPConfig: dataprovider.EventActionIDPAccountCheck{\n\t\t\t\tMode: 1,\n\t\t\t\tTemplateUser: `{\"username\": \"user\"}`,\n\t\t\t\tTemplateAdmin: `{\"username\": \"admin\"}`,\n\t\t\t},\n\t\t},\n\t}\n\taction, resp, err := httpdtest.AddEventAction(a, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tr := dataprovider.EventRule{\n\t\tName: ruleName,\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerIDPLogin,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tIDPLoginEvent: 1,\n\t\t\tOptions: dataprovider.ConditionOptions{\n\t\t\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tPattern: \"username\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: a.Name,\n\t\t\t\t},\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tExecuteSync: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\trule, _, err := httpdtest.AddEventRule(r, http.StatusCreated)\n\tassert.NoError(t, err)\n\trule.Status = 0\n\t_, _, err = httpdtest.UpdateEventRule(rule, http.StatusOK)\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveEventRule(rule, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestEventActionValidation(t *testing.T) {\n\taction := dataprovider.BaseEventAction{\n\t\tName: \"\",\n\t}\n\t_, resp, err := httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"name is mandatory\")\n\taction = dataprovider.BaseEventAction{\n\t\tName: \"n\",\n\t\tType: -1,\n\t}\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid action type\")\n\taction.Type = dataprovider.ActionTypeHTTP\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"HTTP endpoint is required\")\n\taction.Options.HTTPConfig.Endpoint = \"abc\"\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid HTTP endpoint schema\")\n\taction.Options.HTTPConfig.Endpoint = \"http://localhost\"\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid HTTP timeout\")\n\taction.Options.HTTPConfig.Timeout = 20\n\taction.Options.HTTPConfig.Headers = []dataprovider.KeyValue{\n\t\t{\n\t\t\tKey: \"\",\n\t\t\tValue: \"\",\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid HTTP headers\")\n\taction.Options.HTTPConfig.Headers = []dataprovider.KeyValue{\n\t\t{\n\t\t\tKey: \"Content-Type\",\n\t\t\tValue: \"application/json\",\n\t\t},\n\t}\n\taction.Options.HTTPConfig.Password = kms.NewSecret(sdkkms.SecretStatusRedacted, \"payload\", \"\", \"\")\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"cannot save HTTP configuration with a redacted secret\")\n\taction.Options.HTTPConfig.Password = nil\n\taction.Options.HTTPConfig.Method = http.MethodTrace\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"unsupported HTTP method\")\n\taction.Options.HTTPConfig.Method = http.MethodGet\n\taction.Options.HTTPConfig.QueryParameters = []dataprovider.KeyValue{\n\t\t{\n\t\t\tKey: \"a\",\n\t\t\tValue: \"\",\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid HTTP query parameters\")\n\taction.Options.HTTPConfig.QueryParameters = nil\n\taction.Options.HTTPConfig.Parts = []dataprovider.HTTPPart{\n\t\t{\n\t\t\tName: \"\",\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"HTTP part name is required\")\n\taction.Options.HTTPConfig.Parts = []dataprovider.HTTPPart{\n\t\t{\n\t\t\tName: \"p1\",\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"HTTP part body is required if no file path is provided\")\n\taction.Options.HTTPConfig.Parts = []dataprovider.HTTPPart{\n\t\t{\n\t\t\tName: \"p1\",\n\t\t\tFilepath: \"p\",\n\t\t},\n\t}\n\taction.Options.HTTPConfig.Body = \"b\"\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"multipart requests require no body\")\n\taction.Options.HTTPConfig.Body = \"\"\n\taction.Options.HTTPConfig.Headers = []dataprovider.KeyValue{\n\t\t{\n\t\t\tKey: \"Content-Type\",\n\t\t\tValue: \"application/json\",\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"content type is automatically set for multipart requests\")\n\n\taction.Type = dataprovider.ActionTypeCommand\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"command is required\")\n\taction.Options.CmdConfig.Cmd = \"relative\"\n\tdataprovider.EnabledActionCommands = []string{action.Options.CmdConfig.Cmd}\n\tdefer func() {\n\t\tdataprovider.EnabledActionCommands = nil\n\t}()\n\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid command, it must be an absolute path\")\n\taction.Options.CmdConfig.Cmd = filepath.Join(os.TempDir(), \"cmd\")\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"is not allowed\")\n\n\tdataprovider.EnabledActionCommands = []string{action.Options.CmdConfig.Cmd}\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid command action timeout\")\n\n\taction.Options.CmdConfig.Timeout = 30\n\taction.Options.CmdConfig.EnvVars = []dataprovider.KeyValue{\n\t\t{\n\t\t\tKey: \"k\",\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid command env vars\")\n\taction.Options.CmdConfig.EnvVars = nil\n\taction.Options.CmdConfig.Args = []string{\"arg1\", \"\"}\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid command args\")\n\taction.Options.CmdConfig.Args = nil\n\t// restrict commands\n\tif runtime.GOOS == osWindows {\n\t\tdataprovider.EnabledActionCommands = []string{\"C:\\\\cmd.exe\"}\n\t} else {\n\t\tdataprovider.EnabledActionCommands = []string{\"/bin/sh\"}\n\t}\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"is not allowed\")\n\tdataprovider.EnabledActionCommands = nil\n\n\taction.Type = dataprovider.ActionTypeEmail\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"at least one email recipient is required\")\n\taction.Options.EmailConfig.Recipients = []string{\"\"}\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid email recipients\")\n\taction.Options.EmailConfig.Recipients = []string{\"a@a.com\"}\n\taction.Options.EmailConfig.Bcc = []string{\"\"}\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid email bcc\")\n\taction.Options.EmailConfig.Bcc = nil\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"email subject is required\")\n\taction.Options.EmailConfig.Subject = \"subject\"\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"email body is required\")\n\n\taction.Type = dataprovider.ActionTypeDataRetentionCheck\n\taction.Options.RetentionConfig = dataprovider.EventActionDataRetentionConfig{\n\t\tFolders: nil,\n\t}\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"nothing to delete\")\n\taction.Options.RetentionConfig = dataprovider.EventActionDataRetentionConfig{\n\t\tFolders: []dataprovider.FolderRetention{\n\t\t\t{\n\t\t\t\tPath: \"/\",\n\t\t\t\tRetention: 0,\n\t\t\t},\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"nothing to delete\")\n\taction.Options.RetentionConfig = dataprovider.EventActionDataRetentionConfig{\n\t\tFolders: []dataprovider.FolderRetention{\n\t\t\t{\n\t\t\t\tPath: \"../path\",\n\t\t\t\tRetention: 1,\n\t\t\t},\n\t\t\t{\n\t\t\t\tPath: \"/path\",\n\t\t\t\tRetention: 10,\n\t\t\t},\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"duplicated folder path\")\n\taction.Options.RetentionConfig = dataprovider.EventActionDataRetentionConfig{\n\t\tFolders: []dataprovider.FolderRetention{\n\t\t\t{\n\t\t\t\tPath: \"p\",\n\t\t\t\tRetention: -1,\n\t\t\t},\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid folder retention\")\n\taction.Type = dataprovider.ActionTypeFilesystem\n\taction.Options.FsConfig = dataprovider.EventActionFilesystemConfig{\n\t\tType: dataprovider.FilesystemActionRename,\n\t}\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"no path to rename specified\")\n\taction.Options.FsConfig.Renames = []dataprovider.RenameConfig{\n\t\t{\n\t\t\tKeyValue: dataprovider.KeyValue{\n\t\t\t\tKey: \"\",\n\t\t\t\tValue: \"/adir\",\n\t\t\t},\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid paths to rename\")\n\taction.Options.FsConfig.Renames = []dataprovider.RenameConfig{\n\t\t{\n\t\t\tKeyValue: dataprovider.KeyValue{\n\t\t\t\tKey: \"adir\",\n\t\t\t\tValue: \"/adir\",\n\t\t\t},\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"rename source and target cannot be equal\")\n\taction.Options.FsConfig.Renames = []dataprovider.RenameConfig{\n\t\t{\n\t\t\tKeyValue: dataprovider.KeyValue{\n\t\t\t\tKey: \"/\",\n\t\t\t\tValue: \"/dir\",\n\t\t\t},\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"renaming the root directory is not allowed\")\n\taction.Options.FsConfig.Type = dataprovider.FilesystemActionMkdirs\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"no directory to create specified\")\n\taction.Options.FsConfig.MkDirs = []string{\"dir1\", \"\"}\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid directory to create\")\n\taction.Options.FsConfig.Type = dataprovider.FilesystemActionDelete\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"no path to delete specified\")\n\taction.Options.FsConfig.Deletes = []string{\"item1\", \"\"}\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid path to delete\")\n\taction.Options.FsConfig.Type = dataprovider.FilesystemActionExist\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"no path to check for existence specified\")\n\taction.Options.FsConfig.Exist = []string{\"item1\", \"\"}\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid path to check for existence\")\n\taction.Options.FsConfig.Type = dataprovider.FilesystemActionCompress\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"archive name is mandatory\")\n\taction.Options.FsConfig.Compress.Name = \"archive.zip\"\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"no path to compress specified\")\n\taction.Options.FsConfig.Compress.Paths = []string{\"item1\", \"\"}\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid path to compress\")\n\taction.Type = dataprovider.ActionTypePasswordExpirationCheck\n\taction.Options.PwdExpirationConfig.Threshold = 0\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"threshold must be greater than 0\")\n\taction.Type = dataprovider.ActionTypeIDPAccountCheck\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"at least a template must be set\")\n\taction.Options.IDPConfig.TemplateAdmin = \"{}\"\n\taction.Options.IDPConfig.Mode = 100\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid account check mode\")\n\taction.Type = dataprovider.ActionTypeUserInactivityCheck\n\taction.Options = dataprovider.BaseEventActionOptions{\n\t\tUserInactivityConfig: dataprovider.EventActionUserInactivity{\n\t\t\tDisableThreshold: 0,\n\t\t\tDeleteThreshold: 0,\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"at least a threshold must be defined\")\n\taction.Options = dataprovider.BaseEventActionOptions{\n\t\tUserInactivityConfig: dataprovider.EventActionUserInactivity{\n\t\t\tDisableThreshold: 10,\n\t\t\tDeleteThreshold: 10,\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddEventAction(action, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"must be greater than deactivation threshold\")\n}\n\nfunc TestEventRuleValidation(t *testing.T) {\n\trule := dataprovider.EventRule{\n\t\tName: \"\",\n\t}\n\t_, resp, err := httpdtest.AddEventRule(rule, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"name is mandatory\")\n\trule.Name = \"r\"\n\trule.Status = 100\n\t_, resp, err = httpdtest.AddEventRule(rule, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid event rule status\")\n\trule.Status = 1\n\trule.Trigger = 1000\n\t_, resp, err = httpdtest.AddEventRule(rule, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid event rule trigger\")\n\trule.Trigger = dataprovider.EventTriggerFsEvent\n\t_, resp, err = httpdtest.AddEventRule(rule, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"at least one filesystem event is required\")\n\trule.Conditions.FsEvents = []string{\"\"}\n\t_, resp, err = httpdtest.AddEventRule(rule, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"unsupported fs event\")\n\trule.Conditions.FsEvents = []string{\"upload\"}\n\t_, resp, err = httpdtest.AddEventRule(rule, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"at least one action is required\")\n\trule.Actions = []dataprovider.EventAction{\n\t\t{\n\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\tName: \"action1\",\n\t\t\t},\n\t\t\tOrder: 1,\n\t\t},\n\t\t{\n\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\tName: \"\",\n\t\t\t},\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddEventRule(rule, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"name not specified\")\n\trule.Actions = []dataprovider.EventAction{\n\t\t{\n\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\tName: \"action\",\n\t\t\t},\n\t\t\tOrder: 1,\n\t\t},\n\t\t{\n\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\tName: \"action\",\n\t\t\t},\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddEventRule(rule, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"duplicated action\")\n\trule.Actions = []dataprovider.EventAction{\n\t\t{\n\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\tName: \"action11\",\n\t\t\t},\n\t\t\tOrder: 1,\n\t\t},\n\t\t{\n\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\tName: \"action12\",\n\t\t\t},\n\t\t\tOrder: 1,\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddEventRule(rule, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"duplicated order\")\n\trule.Actions = []dataprovider.EventAction{\n\t\t{\n\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\tName: \"action111\",\n\t\t\t},\n\t\t\tOrder: 1,\n\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\tIsFailureAction: true,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\tName: \"action112\",\n\t\t\t},\n\t\t\tOrder: 2,\n\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\tIsFailureAction: true,\n\t\t\t},\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddEventRule(rule, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"at least a non-failure action is required\")\n\trule.Conditions.FsEvents = []string{\"upload\", \"download\"}\n\trule.Actions = []dataprovider.EventAction{\n\t\t{\n\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\tName: \"action111\",\n\t\t\t},\n\t\t\tOrder: 1,\n\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\tExecuteSync: true,\n\t\t\t},\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddEventRule(rule, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"sync execution is only supported for upload and pre-* events\")\n\trule.Conditions.FsEvents = []string{\"pre-upload\", \"download\"}\n\trule.Actions = []dataprovider.EventAction{\n\t\t{\n\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\tName: \"action\",\n\t\t\t},\n\t\t\tOrder: 1,\n\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\tExecuteSync: false,\n\t\t\t},\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddEventRule(rule, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"requires at least a sync action\")\n\trule.Actions = []dataprovider.EventAction{\n\t\t{\n\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\tName: \"action\",\n\t\t\t},\n\t\t\tOrder: 1,\n\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\tExecuteSync: true,\n\t\t\t},\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddEventRule(rule, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"sync execution is only supported for upload and pre-* events\")\n\n\trule.Conditions.FsEvents = []string{\"download\"}\n\trule.Conditions.Options.EventStatuses = []int{3, 2, 8}\n\trule.Actions = []dataprovider.EventAction{\n\t\t{\n\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\tName: \"action\",\n\t\t\t},\n\t\t\tOrder: 1,\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddEventRule(rule, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid event_status\")\n\n\trule.Trigger = dataprovider.EventTriggerProviderEvent\n\trule.Actions = []dataprovider.EventAction{\n\t\t{\n\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\tName: \"action1234\",\n\t\t\t},\n\t\t\tOrder: 1,\n\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\tIsFailureAction: false,\n\t\t\t},\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddEventRule(rule, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"at least one provider event is required\")\n\trule.Conditions.ProviderEvents = []string{\"\"}\n\t_, resp, err = httpdtest.AddEventRule(rule, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"unsupported provider event\")\n\trule.Conditions.ProviderEvents = []string{\"add\"}\n\trule.Conditions.Options.RoleNames = []dataprovider.ConditionPattern{\n\t\t{\n\t\t\tPattern: \"\",\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddEventRule(rule, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"empty condition pattern not allowed\")\n\trule.Conditions.Options.RoleNames = nil\n\trule.Trigger = dataprovider.EventTriggerSchedule\n\t_, resp, err = httpdtest.AddEventRule(rule, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"at least one schedule is required\")\n\trule.Conditions.Schedules = []dataprovider.Schedule{\n\t\t{},\n\t}\n\t_, resp, err = httpdtest.AddEventRule(rule, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid schedule\")\n\trule.Conditions.Schedules = []dataprovider.Schedule{\n\t\t{\n\t\t\tHours: \"3\",\n\t\t\tDayOfWeek: \"*\",\n\t\t\tDayOfMonth: \"*\",\n\t\t\tMonth: \"*\",\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddEventRule(rule, http.StatusInternalServerError)\n\tassert.NoError(t, err, string(resp))\n\trule.Trigger = dataprovider.EventTriggerIDPLogin\n\trule.Conditions.IDPLoginEvent = 100\n\t_, resp, err = httpdtest.AddEventRule(rule, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid Identity Provider login event\")\n}\n\nfunc TestUserBandwidthLimits(t *testing.T) {\n\tu := getTestUser()\n\tu.UploadBandwidth = 128\n\tu.DownloadBandwidth = 96\n\tu.Filters.BandwidthLimits = []sdk.BandwidthLimit{\n\t\t{\n\t\t\tSources: []string{\"1\"},\n\t\t},\n\t}\n\t_, resp, err := httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err, string(resp))\n\tassert.Contains(t, string(resp), \"Validation error: could not parse bandwidth limit source\")\n\tu.Filters.BandwidthLimits = []sdk.BandwidthLimit{\n\t\t{\n\t\t\tSources: nil,\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err, string(resp))\n\tassert.Contains(t, string(resp), \"Validation error: no bandwidth limit source specified\")\n\tu.Filters.BandwidthLimits = []sdk.BandwidthLimit{\n\t\t{\n\t\t\tSources: []string{\"127.0.0.0/8\", \"::1/128\"},\n\t\t\tUploadBandwidth: 256,\n\t\t},\n\t\t{\n\t\t\tSources: []string{\"10.0.0.0/8\"},\n\t\t\tUploadBandwidth: 512,\n\t\t\tDownloadBandwidth: 256,\n\t\t},\n\t}\n\tuser, resp, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tassert.Len(t, user.Filters.BandwidthLimits, 2)\n\tassert.Equal(t, u.Filters.BandwidthLimits, user.Filters.BandwidthLimits)\n\n\tconnID := xid.New().String()\n\tlocalAddr := \"127.0.0.1\"\n\tup, down := user.GetBandwidthForIP(\"127.0.1.1\", connID)\n\tassert.Equal(t, int64(256), up)\n\tassert.Equal(t, int64(0), down)\n\tconn := common.NewBaseConnection(connID, common.ProtocolHTTP, localAddr, \"127.0.1.1\", user)\n\tassert.Equal(t, int64(256), conn.User.UploadBandwidth)\n\tassert.Equal(t, int64(0), conn.User.DownloadBandwidth)\n\tup, down = user.GetBandwidthForIP(\"10.1.2.3\", connID)\n\tassert.Equal(t, int64(512), up)\n\tassert.Equal(t, int64(256), down)\n\tconn = common.NewBaseConnection(connID, common.ProtocolHTTP, localAddr, \"10.2.1.4:1234\", user)\n\tassert.Equal(t, int64(512), conn.User.UploadBandwidth)\n\tassert.Equal(t, int64(256), conn.User.DownloadBandwidth)\n\tup, down = user.GetBandwidthForIP(\"192.168.1.2\", connID)\n\tassert.Equal(t, int64(128), up)\n\tassert.Equal(t, int64(96), down)\n\tconn = common.NewBaseConnection(connID, common.ProtocolHTTP, localAddr, \"172.16.0.1\", user)\n\tassert.Equal(t, int64(128), conn.User.UploadBandwidth)\n\tassert.Equal(t, int64(96), conn.User.DownloadBandwidth)\n\tup, down = user.GetBandwidthForIP(\"invalid\", connID)\n\tassert.Equal(t, int64(128), up)\n\tassert.Equal(t, int64(96), down)\n\tconn = common.NewBaseConnection(connID, common.ProtocolHTTP, localAddr, \"172.16.0\", user)\n\tassert.Equal(t, int64(128), conn.User.UploadBandwidth)\n\tassert.Equal(t, int64(96), conn.User.DownloadBandwidth)\n\n\tuser.Filters.BandwidthLimits = []sdk.BandwidthLimit{\n\t\t{\n\t\t\tSources: []string{\"10.0.0.0/24\"},\n\t\t\tUploadBandwidth: 256,\n\t\t\tDownloadBandwidth: 512,\n\t\t},\n\t}\n\tuser, resp, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err, string(resp))\n\tif assert.Len(t, user.Filters.BandwidthLimits, 1) {\n\t\tbwLimit := user.Filters.BandwidthLimits[0]\n\t\tassert.Equal(t, []string{\"10.0.0.0/24\"}, bwLimit.Sources)\n\t\tassert.Equal(t, int64(256), bwLimit.UploadBandwidth)\n\t\tassert.Equal(t, int64(512), bwLimit.DownloadBandwidth)\n\t}\n\tup, down = user.GetBandwidthForIP(\"10.1.2.3\", connID)\n\tassert.Equal(t, int64(128), up)\n\tassert.Equal(t, int64(96), down)\n\tconn = common.NewBaseConnection(connID, common.ProtocolHTTP, localAddr, \"172.16.0.2\", user)\n\tassert.Equal(t, int64(128), conn.User.UploadBandwidth)\n\tassert.Equal(t, int64(96), conn.User.DownloadBandwidth)\n\tup, down = user.GetBandwidthForIP(\"10.0.0.26\", connID)\n\tassert.Equal(t, int64(256), up)\n\tassert.Equal(t, int64(512), down)\n\tconn = common.NewBaseConnection(connID, common.ProtocolHTTP, localAddr, \"10.0.0.28\", user)\n\tassert.Equal(t, int64(256), conn.User.UploadBandwidth)\n\tassert.Equal(t, int64(512), conn.User.DownloadBandwidth)\n\n\t// this works if we remove the omitempty tag from BandwidthLimits\n\t/*user.Filters.BandwidthLimits = nil\n\tuser, resp, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err, string(resp))\n\tassert.Len(t, user.Filters.BandwidthLimits, 0)*/\n\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestAccessTimeValidation(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.AccessTime = []sdk.TimePeriod{\n\t\t{\n\t\t\tDayOfWeek: 8,\n\t\t\tFrom: \"10:00\",\n\t\t\tTo: \"18:00\",\n\t\t},\n\t}\n\t_, resp, err := httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err, string(resp))\n\tassert.Contains(t, string(resp), \"invalid day of week\")\n\tu.Filters.AccessTime = []sdk.TimePeriod{\n\t\t{\n\t\t\tDayOfWeek: 6,\n\t\t\tFrom: \"10:00\",\n\t\t\tTo: \"18\",\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err, string(resp))\n\tassert.Contains(t, string(resp), \"invalid time of day\")\n\tu.Filters.AccessTime = []sdk.TimePeriod{\n\t\t{\n\t\t\tDayOfWeek: 6,\n\t\t\tFrom: \"11:00\",\n\t\t\tTo: \"10:58\",\n\t\t},\n\t}\n\t_, resp, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err, string(resp))\n\tassert.Contains(t, string(resp), \"The end time cannot be earlier than the start time\")\n}\n\nfunc TestUserTimestamps(t *testing.T) {\n\tuser, resp, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tcreatedAt := user.CreatedAt\n\tupdatedAt := user.UpdatedAt\n\tassert.Equal(t, int64(0), user.LastLogin)\n\tassert.Equal(t, int64(0), user.FirstDownload)\n\tassert.Equal(t, int64(0), user.FirstUpload)\n\tassert.Greater(t, createdAt, int64(0))\n\tassert.Greater(t, updatedAt, int64(0))\n\tmappedPath := filepath.Join(os.TempDir(), \"mapped_dir\")\n\tfolderName := filepath.Base(mappedPath)\n\tuser.VirtualFolders = append(user.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t\tMappedPath: mappedPath,\n\t\t},\n\t\tVirtualPath: \"/vdir\",\n\t})\n\tf := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: mappedPath,\n\t}\n\t_, _, err = httpdtest.AddFolder(f, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttime.Sleep(10 * time.Millisecond)\n\tuser, resp, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err, string(resp))\n\tassert.Equal(t, int64(0), user.LastLogin)\n\tassert.Equal(t, int64(0), user.FirstDownload)\n\tassert.Equal(t, int64(0), user.FirstUpload)\n\tassert.Equal(t, createdAt, user.CreatedAt)\n\tassert.Greater(t, user.UpdatedAt, updatedAt)\n\tupdatedAt = user.UpdatedAt\n\t// after a folder update or delete the user updated_at field should change\n\tfolder, _, err := httpdtest.GetFolderByName(folderName, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, folder.Users, 1)\n\ttime.Sleep(10 * time.Millisecond)\n\t_, _, err = httpdtest.UpdateFolder(folder, http.StatusOK)\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(0), user.LastLogin)\n\tassert.Equal(t, int64(0), user.FirstDownload)\n\tassert.Equal(t, int64(0), user.FirstUpload)\n\tassert.Equal(t, createdAt, user.CreatedAt)\n\tassert.Greater(t, user.UpdatedAt, updatedAt)\n\tupdatedAt = user.UpdatedAt\n\ttime.Sleep(10 * time.Millisecond)\n\t_, err = httpdtest.RemoveFolder(folder, http.StatusOK)\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(0), user.LastLogin)\n\tassert.Equal(t, int64(0), user.FirstDownload)\n\tassert.Equal(t, int64(0), user.FirstUpload)\n\tassert.Equal(t, createdAt, user.CreatedAt)\n\tassert.Greater(t, user.UpdatedAt, updatedAt)\n\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestAdminTimestamps(t *testing.T) {\n\tadmin := getTestAdmin()\n\tadmin.Username = altAdminUsername\n\tadmin, _, err := httpdtest.AddAdmin(admin, http.StatusCreated)\n\tassert.NoError(t, err)\n\tcreatedAt := admin.CreatedAt\n\tupdatedAt := admin.UpdatedAt\n\tassert.Equal(t, int64(0), admin.LastLogin)\n\tassert.Greater(t, createdAt, int64(0))\n\tassert.Greater(t, updatedAt, int64(0))\n\ttime.Sleep(10 * time.Millisecond)\n\tadmin, _, err = httpdtest.UpdateAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(0), admin.LastLogin)\n\tassert.Equal(t, createdAt, admin.CreatedAt)\n\tassert.Greater(t, admin.UpdatedAt, updatedAt)\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestHTTPUserAuthEmptyPassword(t *testing.T) {\n\tu := getTestUser()\n\tu.Password = \"\"\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, userTokenPath), nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, \"\")\n\tc := httpclient.GetHTTPClient()\n\tresp, err := c.Do(req)\n\tc.CloseIdleConnections()\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusUnauthorized, resp.StatusCode)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\t_, err = getJWTAPIUserTokenFromTestServer(defaultUsername, \"\")\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unexpected status code 401\")\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestHTTPAnonymousUser(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.IsAnonymous = true\n\t_, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.Error(t, err)\n\tuser, _, err := httpdtest.GetUserByUsername(u.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, user.Filters.IsAnonymous)\n\tassert.Equal(t, []string{dataprovider.PermListItems, dataprovider.PermDownload}, user.Permissions[\"/\"])\n\tassert.Equal(t, []string{common.ProtocolSSH, common.ProtocolHTTP}, user.Filters.DeniedProtocols)\n\tassert.Equal(t, []string{dataprovider.SSHLoginMethodPublicKey, dataprovider.SSHLoginMethodPassword,\n\t\tdataprovider.SSHLoginMethodKeyboardInteractive, dataprovider.SSHLoginMethodKeyAndPassword,\n\t\tdataprovider.SSHLoginMethodKeyAndKeyboardInt, dataprovider.LoginMethodTLSCertificate,\n\t\tdataprovider.LoginMethodTLSCertificateAndPwd}, user.Filters.DeniedLoginMethods)\n\n\treq, err := http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, userTokenPath), nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\tc := httpclient.GetHTTPClient()\n\tresp, err := c.Do(req)\n\tc.CloseIdleConnections()\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusForbidden, resp.StatusCode)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\t_, err = getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unexpected status code 403\")\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestHTTPUserAuthentication(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, userTokenPath), nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\tc := httpclient.GetHTTPClient()\n\tresp, err := c.Do(req)\n\tc.CloseIdleConnections()\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusOK, resp.StatusCode)\n\tresponseHolder := make(map[string]any)\n\terr = render.DecodeJSON(resp.Body, &responseHolder)\n\tassert.NoError(t, err)\n\tuserToken := responseHolder[\"access_token\"].(string)\n\tassert.NotEmpty(t, userToken)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\t// login with wrong credentials\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, userTokenPath), nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, \"\")\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusUnauthorized, resp.StatusCode)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, userTokenPath), nil)\n\tassert.NoError(t, err)\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusUnauthorized, resp.StatusCode)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, userTokenPath), nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, \"wrong pwd\")\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusUnauthorized, resp.StatusCode)\n\trespBody, err := io.ReadAll(resp.Body)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(respBody), \"invalid credentials\")\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, userTokenPath), nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(\"wrong username\", defaultPassword)\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusUnauthorized, resp.StatusCode)\n\trespBody, err = io.ReadAll(resp.Body)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(respBody), \"invalid credentials\")\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, tokenPath), nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultTokenAuthUser, defaultTokenAuthPass)\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusOK, resp.StatusCode)\n\tresponseHolder = make(map[string]any)\n\terr = render.DecodeJSON(resp.Body, &responseHolder)\n\tassert.NoError(t, err)\n\tadminToken := responseHolder[\"access_token\"].(string)\n\tassert.NotEmpty(t, adminToken)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, versionPath), nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Authorization\", fmt.Sprintf(\"Bearer %v\", adminToken))\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusOK, resp.StatusCode)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\t// using the user token should not work\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, versionPath), nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Authorization\", fmt.Sprintf(\"Bearer %v\", userToken))\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusUnauthorized, resp.StatusCode)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, userLogoutPath), nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Authorization\", fmt.Sprintf(\"Bearer %v\", adminToken))\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusUnauthorized, resp.StatusCode)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, userLogoutPath), nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Authorization\", fmt.Sprintf(\"Bearer %v\", userToken))\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusOK, resp.StatusCode)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestPermMFADisabled(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.WebClient = []string{sdk.WebClientMFADisabled}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser.Filters.TwoFactorAuthProtocols = []string{common.ProtocolSSH}\n\t_, resp, err := httpdtest.UpdateUser(user, http.StatusBadRequest, \"\")\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"you cannot require two-factor authentication and at the same time disallow it\")\n\tuser.Filters.TwoFactorAuthProtocols = nil\n\n\tconfigName, key, _, err := mfa.GenerateTOTPSecret(mfa.GetAvailableTOTPConfigNames()[0], user.Username)\n\tassert.NoError(t, err)\n\ttoken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\tuserTOTPConfig := dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: kms.NewPlainSecret(key.Secret()),\n\t\tProtocols: []string{common.ProtocolSSH},\n\t}\n\tasJSON, err := json.Marshal(userTOTPConfig)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, userTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr) // MFA is disabled for this user\n\n\tuser.Filters.WebClient = []string{sdk.WebClientWriteDisabled}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\ttoken, err = getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// now we cannot disable MFA for this user\n\tuser.Filters.WebClient = []string{sdk.WebClientMFADisabled}\n\t_, resp, err = httpdtest.UpdateUser(user, http.StatusBadRequest, \"\")\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"two-factor authentication cannot be disabled for a user with an active configuration\")\n\n\tsaveReq := make(map[string]bool)\n\tsaveReq[\"enabled\"] = false\n\tasJSON, err = json.Marshal(saveReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, user2FARecoveryCodesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, user2FARecoveryCodesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestUpdateUserPassword(t *testing.T) {\n\tg := getTestGroup()\n\tg.UserSettings.Filters.PasswordStrength = 20\n\tg.UserSettings.MaxSessions = 10\n\tgroup, _, err := httpdtest.AddGroup(g, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu := getTestUser()\n\tu.Filters.RequirePasswordChange = true\n\tu.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: group.Name,\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tlastPwdChange := user.LastPasswordChange\n\ttime.Sleep(100 * time.Millisecond)\n\tnewPwd := \"uaCooGh3pheiShooghah\"\n\terr = dataprovider.UpdateUserPassword(user.Username, newPwd, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\t_, err = dataprovider.CheckUserAndPass(user.Username, newPwd, \"\", common.ProtocolHTTP)\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.False(t, user.Filters.RequirePasswordChange)\n\tassert.NotEqual(t, lastPwdChange, user.LastPasswordChange)\n\t// check that we don't save group overrides\n\tassert.Equal(t, 0, user.MaxSessions)\n\tassert.Equal(t, 0, user.Filters.PasswordStrength)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginRedirectNext(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\turi := webClientFilesPath + \"?path=%2F\" //nolint:goconst\n\treq, err := http.NewRequest(http.MethodGet, uri, nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = uri\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tredirectURI := rr.Header().Get(\"Location\")\n\tassert.Equal(t, webClientLoginPath+\"?next=\"+url.QueryEscape(uri), redirectURI) //nolint:goconst\n\t// render the login page\n\treq, err = http.NewRequest(http.MethodGet, redirectURI, nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), fmt.Sprintf(\"action=%q\", redirectURI))\n\t// now login the user and check the redirect\n\tloginCookie, csrfToken, err := getCSRFTokenMock(webClientLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, loginCookie)\n\tform := getLoginForm(defaultUsername, defaultPassword, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, redirectURI, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.RequestURI = redirectURI\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, uri, rr.Header().Get(\"Location\"))\n\t// unsafe URI\n\tloginCookie, csrfToken, err = getCSRFTokenMock(webClientLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, loginCookie)\n\tform = getLoginForm(defaultUsername, defaultPassword, csrfToken)\n\tunsafeURI := webClientLoginPath + \"?next=\" + url.QueryEscape(\"http://example.net\")\n\treq, err = http.NewRequest(http.MethodPost, unsafeURI, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.RequestURI = unsafeURI\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webClientFilesPath, rr.Header().Get(\"Location\"))\n\tloginCookie, csrfToken, err = getCSRFTokenMock(webClientLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, loginCookie)\n\tform = getLoginForm(defaultUsername, defaultPassword, csrfToken)\n\tunsupportedURI := webClientLoginPath + \"?next=\" + url.QueryEscape(webClientProfilePath)\n\treq, err = http.NewRequest(http.MethodPost, unsupportedURI, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.RequestURI = unsupportedURI\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webClientFilesPath, rr.Header().Get(\"Location\"))\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestMustChangePasswordRequirement(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.RequirePasswordChange = true\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tassert.True(t, user.Filters.RequirePasswordChange)\n\n\ttoken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\twebToken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodGet, userFilesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"Password change required. Please set a new password to continue to use your account\")\n\n\treq, err = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = webClientFilesPath\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorChangePwdRequired)\n\t// change pwd\n\tpwd := make(map[string]string)\n\tpwd[\"current_password\"] = defaultPassword\n\tpwd[\"new_password\"] = altAdminPassword\n\tasJSON, err := json.Marshal(pwd)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, userPwdPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// check that the change pwd bool is changed\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.False(t, user.Filters.RequirePasswordChange)\n\t// get a new token\n\ttoken, err = getJWTAPIUserTokenFromTestServer(defaultUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\twebToken, err = getJWTWebClientTokenFromTestServer(defaultUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\t// the new token should work\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\treq, err = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = webClientFilesPath\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// check the same as above but changing password from the WebClient UI\n\tuser.Filters.RequirePasswordChange = true\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\twebToken, err = getJWTWebClientTokenFromTestServer(defaultUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = webClientFilesPath\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webChangeClientPwdPath, webToken)\n\tassert.NoError(t, err)\n\tform := make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"current_password\", altAdminPassword)\n\tform.Set(\"new_password1\", defaultPassword)\n\tform.Set(\"new_password2\", defaultPassword)\n\treq, err = http.NewRequest(http.MethodPost, webChangeClientPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\n\ttoken, err = getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\twebToken, err = getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\treq, err = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = webClientFilesPath\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestTwoFactorRequirements(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.TwoFactorAuthProtocols = []string{common.ProtocolHTTP, common.ProtocolFTP}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ttoken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\twebToken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"Two-factor authentication requirements not met, please configure two-factor authentication for the following protocols\")\n\n\treq, err = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = webClientFilesPath\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError2FARequired)\n\n\tconfigName, key, _, err := mfa.GenerateTOTPSecret(mfa.GetAvailableTOTPConfigNames()[0], user.Username)\n\tassert.NoError(t, err)\n\tuserTOTPConfig := dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: kms.NewPlainSecret(key.Secret()),\n\t\tProtocols: []string{common.ProtocolHTTP},\n\t}\n\tasJSON, err := json.Marshal(userTOTPConfig)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"the following protocols are required\")\n\n\tuserTOTPConfig.Protocols = []string{common.ProtocolHTTP, common.ProtocolFTP}\n\tasJSON, err = json.Marshal(userTOTPConfig)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// now get new tokens and check that the two factor requirements are now met\n\tpasscode, err := generateTOTPPasscode(key.Secret())\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, userTokenPath), nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"X-SFTPGO-OTP\", passcode)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\tresp, err := httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusOK, resp.StatusCode)\n\tresponseHolder := make(map[string]any)\n\terr = render.DecodeJSON(resp.Body, &responseHolder)\n\tassert.NoError(t, err)\n\tuserToken := responseHolder[\"access_token\"].(string)\n\tassert.NotEmpty(t, userToken)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, userDirsPath), nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, userToken)\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusOK, resp.StatusCode)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestTwoFactorRequirementsGroupLevel(t *testing.T) {\n\tg := getTestGroup()\n\tg.UserSettings.Filters.TwoFactorAuthProtocols = []string{common.ProtocolHTTP, common.ProtocolFTP}\n\tgroup, _, err := httpdtest.AddGroup(g, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu := getTestUser()\n\tu.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: group.Name,\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ttoken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\twebToken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = webClientFilesPath\n\tsetJWTCookieForReq(req, webToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError2FARequired)\n\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"Two-factor authentication requirements not met, please configure two-factor authentication for the following protocols\")\n\n\tconfigName, key, _, err := mfa.GenerateTOTPSecret(mfa.GetAvailableTOTPConfigNames()[0], user.Username)\n\tassert.NoError(t, err)\n\tuserTOTPConfig := dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: kms.NewPlainSecret(key.Secret()),\n\t\tProtocols: []string{common.ProtocolHTTP},\n\t}\n\tasJSON, err := json.Marshal(userTOTPConfig)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"the following protocols are required\")\n\n\tuserTOTPConfig = dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: kms.NewPlainSecret(key.Secret()),\n\t\tProtocols: []string{common.ProtocolFTP, common.ProtocolHTTP},\n\t}\n\tasJSON, err = json.Marshal(userTOTPConfig)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\t// now get new tokens and check that the two factor requirements are now met\n\tpasscode, err := generateTOTPPasscode(key.Secret())\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, userTokenPath), nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"X-SFTPGO-OTP\", passcode)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\tresp, err := httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusOK, resp.StatusCode)\n\tresponseHolder := make(map[string]any)\n\terr = render.DecodeJSON(resp.Body, &responseHolder)\n\tassert.NoError(t, err)\n\tuserToken := responseHolder[\"access_token\"].(string)\n\tassert.NotEmpty(t, userToken)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, userDirsPath), nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, userToken)\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusOK, resp.StatusCode)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestAdminMustChangePasswordRequirement(t *testing.T) {\n\tadmin := getTestAdmin()\n\tadmin.Username = altAdminUsername\n\tadmin.Password = altAdminPassword\n\tadmin.Filters.RequirePasswordChange = true\n\tadmin, _, err := httpdtest.AddAdmin(admin, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ttoken, _, err := httpdtest.GetToken(altAdminUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\thttpdtest.SetJWTToken(token)\n\n\t_, _, err = httpdtest.GetUsers(0, 0, http.StatusForbidden)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetStatus(http.StatusForbidden)\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.ChangeAdminPassword(altAdminPassword, defaultTokenAuthPass, http.StatusOK)\n\tassert.NoError(t, err)\n\n\thttpdtest.SetJWTToken(\"\")\n\n\tadmin, _, err = httpdtest.GetAdminByUsername(admin.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.False(t, admin.Filters.RequirePasswordChange)\n\n\t// get a new token\n\ttoken, _, err = httpdtest.GetToken(altAdminUsername, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\thttpdtest.SetJWTToken(token)\n\n\t_, _, err = httpdtest.GetUsers(0, 0, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tdesc := xid.New().String()\n\tadmin.Filters.RequirePasswordChange = true\n\tadmin.Filters.RequireTwoFactor = true\n\tadmin.Description = desc\n\t_, _, err = httpdtest.UpdateAdmin(admin, http.StatusOK)\n\tif assert.Error(t, err) {\n\t\tassert.ErrorContains(t, err, \"require password change mismatch\")\n\t}\n\tadmin, _, err = httpdtest.GetAdminByUsername(admin.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.False(t, admin.Filters.RequirePasswordChange)\n\tassert.False(t, admin.Filters.RequireTwoFactor)\n\tassert.Equal(t, desc, admin.Description)\n\n\thttpdtest.SetJWTToken(\"\")\n\n\tadmin.Filters.RequirePasswordChange = true\n\t_, _, err = httpdtest.UpdateAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\t// test the same for the WebAdmin\n\twebToken, err := getJWTWebTokenFromTestServer(altAdminUsername, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodGet, webUsersPath, nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = webUsersPath\n\tsetJWTCookieForReq(req, webToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\t// The change password page should be accessible, we get the CSRF from it.\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webChangeAdminPwdPath, webToken)\n\tassert.NoError(t, err)\n\n\tform := make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"current_password\", defaultTokenAuthPass)\n\tform.Set(\"new_password1\", altAdminPassword)\n\tform.Set(\"new_password2\", altAdminPassword)\n\treq, err = http.NewRequest(http.MethodPost, webChangeAdminPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webLoginPath, rr.Header().Get(\"Location\"))\n\n\tadmin, _, err = httpdtest.GetAdminByUsername(admin.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.False(t, admin.Filters.RequirePasswordChange)\n\n\twebToken, err = getJWTWebTokenFromTestServer(altAdminUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodGet, webUsersPath, nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = webUsersPath\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestAdminTwoFactorRequirements(t *testing.T) {\n\tadmin := getTestAdmin()\n\tadmin.Username = altAdminUsername\n\tadmin.Password = altAdminPassword\n\tadmin.Filters.RequireTwoFactor = true\n\tadmin, _, err := httpdtest.AddAdmin(admin, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ttoken, err := getJWTAPITokenFromTestServer(altAdminUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodGet, serverStatusPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"Two-factor authentication requirements not met\")\n\n\twebToken, err := getJWTWebTokenFromTestServer(altAdminUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodGet, webFoldersPath, nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = webFoldersPath\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError2FARequiredGeneric)\n\t// add TOTP config\n\tconfigName, key, _, err := mfa.GenerateTOTPSecret(mfa.GetAvailableTOTPConfigNames()[0], altAdminUsername)\n\tassert.NoError(t, err)\n\tadminTOTPConfig := dataprovider.AdminTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: kms.NewPlainSecret(key.Secret()),\n\t}\n\tasJSON, err := json.Marshal(adminTOTPConfig)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, adminTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tadmin, _, err = httpdtest.GetAdminByUsername(altAdminUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, admin.Filters.TOTPConfig.Enabled)\n\n\tpasscode, err := generateTOTPPasscode(key.Secret())\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, tokenPath), nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"X-SFTPGO-OTP\", passcode)\n\treq.SetBasicAuth(altAdminUsername, altAdminPassword)\n\tresp, err := httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusOK, resp.StatusCode)\n\tresponseHolder := make(map[string]any)\n\terr = render.DecodeJSON(resp.Body, &responseHolder)\n\tassert.NoError(t, err)\n\ttoken = responseHolder[\"access_token\"].(string)\n\tassert.NotEmpty(t, token)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, serverStatusPath), nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusOK, resp.StatusCode)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\t// try to disable 2FA\n\tdisableReq := map[string]any{\n\t\t\"enabled\": false,\n\t}\n\tasJSON, err = json.Marshal(disableReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, fmt.Sprintf(\"%v%v\", httpBaseURL, adminTOTPSavePath), bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusBadRequest, resp.StatusCode)\n\tbodyResp, err := io.ReadAll(resp.Body)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(bodyResp), \"two-factor authentication must be enabled\")\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\t// try to disable 2FA using the dedicated API\n\treq, err = http.NewRequest(http.MethodPut, fmt.Sprintf(\"%v%v\", httpBaseURL, path.Join(adminPath, altAdminUsername, \"2fa\", \"disable\")), nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusBadRequest, resp.StatusCode)\n\tbodyResp, err = io.ReadAll(resp.Body)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(bodyResp), \"two-factor authentication must be enabled\")\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\t// disabling 2FA using another admin should work\n\ttoken, err = getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, path.Join(adminPath, altAdminUsername, \"2fa\", \"disable\"), nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// check\n\tadmin, _, err = httpdtest.GetAdminByUsername(altAdminUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.False(t, admin.Filters.TOTPConfig.Enabled)\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginUserAPITOTP(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tconfigName, key, _, err := mfa.GenerateTOTPSecret(mfa.GetAvailableTOTPConfigNames()[0], user.Username)\n\tassert.NoError(t, err)\n\ttoken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\tuserTOTPConfig := dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: kms.NewPlainSecret(key.Secret()),\n\t\tProtocols: []string{common.ProtocolHTTP},\n\t}\n\tasJSON, err := json.Marshal(userTOTPConfig)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, userTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// now require HTTP and SSH for TOTP\n\tuser.Filters.TwoFactorAuthProtocols = []string{common.ProtocolHTTP, common.ProtocolSSH}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\t// two factor auth cannot be disabled\n\tconfig := make(map[string]any)\n\tconfig[\"enabled\"] = false\n\tasJSON, err = json.Marshal(config)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"two-factor authentication must be enabled\")\n\t// all the required protocols must be enabled\n\tasJSON, err = json.Marshal(userTOTPConfig)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"the following protocols are required\")\n\t// setting all the required protocols should work\n\tuserTOTPConfig.Protocols = []string{common.ProtocolHTTP, common.ProtocolSSH}\n\tasJSON, err = json.Marshal(userTOTPConfig)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, userTokenPath), nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\tresp, err := httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusUnauthorized, resp.StatusCode)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\tpasscode, err := generateTOTPPasscode(key.Secret())\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, userTokenPath), nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"X-SFTPGO-OTP\", passcode)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusOK, resp.StatusCode)\n\tresponseHolder := make(map[string]any)\n\terr = render.DecodeJSON(resp.Body, &responseHolder)\n\tassert.NoError(t, err)\n\tuserToken := responseHolder[\"access_token\"].(string)\n\tassert.NotEmpty(t, userToken)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, userTokenPath), nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"X-SFTPGO-OTP\", passcode)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusUnauthorized, resp.StatusCode)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginAdminAPITOTP(t *testing.T) {\n\tadmin := getTestAdmin()\n\tadmin.Username = altAdminUsername\n\tadmin.Password = altAdminPassword\n\tadmin, _, err := httpdtest.AddAdmin(admin, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tconfigName, key, _, err := mfa.GenerateTOTPSecret(mfa.GetAvailableTOTPConfigNames()[0], admin.Username)\n\tassert.NoError(t, err)\n\taltToken, err := getJWTAPITokenFromTestServer(altAdminUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\tadminTOTPConfig := dataprovider.AdminTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: kms.NewPlainSecret(key.Secret()),\n\t}\n\tasJSON, err := json.Marshal(adminTOTPConfig)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, adminTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, altToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tadmin, _, err = httpdtest.GetAdminByUsername(admin.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, admin.Filters.TOTPConfig.Enabled)\n\tassert.Len(t, admin.Filters.RecoveryCodes, 12)\n\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, tokenPath), nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(altAdminUsername, altAdminPassword)\n\tresp, err := httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusUnauthorized, resp.StatusCode)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, tokenPath), nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"X-SFTPGO-OTP\", \"passcode\")\n\treq.SetBasicAuth(altAdminUsername, altAdminPassword)\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusUnauthorized, resp.StatusCode)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\tpasscode, err := generateTOTPPasscode(key.Secret())\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, tokenPath), nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"X-SFTPGO-OTP\", passcode)\n\treq.SetBasicAuth(altAdminUsername, altAdminPassword)\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusOK, resp.StatusCode)\n\tresponseHolder := make(map[string]any)\n\terr = render.DecodeJSON(resp.Body, &responseHolder)\n\tassert.NoError(t, err)\n\tadminToken := responseHolder[\"access_token\"].(string)\n\tassert.NotEmpty(t, adminToken)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, versionPath), nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, adminToken)\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusOK, resp.StatusCode)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\t// get/set recovery codes\n\treq, err = http.NewRequest(http.MethodGet, admin2FARecoveryCodesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, admin2FARecoveryCodesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\t// disable two-factor auth\n\tsaveReq := make(map[string]bool)\n\tsaveReq[\"enabled\"] = false\n\tasJSON, err = json.Marshal(saveReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, adminTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tadmin, _, err = httpdtest.GetAdminByUsername(admin.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.False(t, admin.Filters.TOTPConfig.Enabled)\n\tassert.Len(t, admin.Filters.RecoveryCodes, 0)\n\t// get/set recovery codes will not work\n\treq, err = http.NewRequest(http.MethodGet, admin2FARecoveryCodesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, admin2FARecoveryCodesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestHTTPStreamZipError(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, userTokenPath), nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\tresp, err := httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusOK, resp.StatusCode)\n\tresponseHolder := make(map[string]any)\n\terr = render.DecodeJSON(resp.Body, &responseHolder)\n\tassert.NoError(t, err)\n\tuserToken := responseHolder[\"access_token\"].(string)\n\tassert.NotEmpty(t, userToken)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\tfilesList := []string{\"missing\"}\n\tasJSON, err := json.Marshal(filesList)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, fmt.Sprintf(\"%v%v\", httpBaseURL, userStreamZipPath), bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Authorization\", fmt.Sprintf(\"Bearer %v\", userToken))\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\tif !assert.Error(t, err) { // the connection will be closed\n\t\terr = resp.Body.Close()\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestBasicAdminHandling(t *testing.T) {\n\t// we have one admin by default\n\tadmins, _, err := httpdtest.GetAdmins(0, 0, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.GreaterOrEqual(t, len(admins), 1)\n\tadmin := getTestAdmin()\n\t// the default admin already exists\n\t_, _, err = httpdtest.AddAdmin(admin, http.StatusConflict)\n\tassert.NoError(t, err)\n\n\tadmin.Username = altAdminUsername\n\tadmin.Filters.Preferences.HideUserPageSections = 1 + 4 + 8\n\tadmin.Filters.Preferences.DefaultUsersExpiration = 30\n\tadmin, _, err = httpdtest.AddAdmin(admin, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tadmin, _, err = httpdtest.GetAdminByUsername(admin.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, admin.Filters.Preferences.HideGroups())\n\tassert.False(t, admin.Filters.Preferences.HideFilesystem())\n\tassert.True(t, admin.Filters.Preferences.HideVirtualFolders())\n\tassert.True(t, admin.Filters.Preferences.HideProfile())\n\tassert.False(t, admin.Filters.Preferences.HideACLs())\n\tassert.False(t, admin.Filters.Preferences.HideDiskQuotaAndBandwidthLimits())\n\tassert.False(t, admin.Filters.Preferences.HideAdvancedSettings())\n\n\tadmin.AdditionalInfo = \"test info\"\n\tadmin.Filters.Preferences.HideUserPageSections = 16 + 32 + 64\n\tadmin, _, err = httpdtest.UpdateAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"test info\", admin.AdditionalInfo)\n\tassert.False(t, admin.Filters.Preferences.HideGroups())\n\tassert.False(t, admin.Filters.Preferences.HideFilesystem())\n\tassert.False(t, admin.Filters.Preferences.HideVirtualFolders())\n\tassert.False(t, admin.Filters.Preferences.HideProfile())\n\tassert.True(t, admin.Filters.Preferences.HideACLs())\n\tassert.True(t, admin.Filters.Preferences.HideDiskQuotaAndBandwidthLimits())\n\tassert.True(t, admin.Filters.Preferences.HideAdvancedSettings())\n\n\tadmins, _, err = httpdtest.GetAdmins(1, 0, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, admins, 1)\n\tassert.NotEqual(t, admin.Username, admins[0].Username)\n\n\tadmins, _, err = httpdtest.GetAdmins(1, 1, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, admins, 1)\n\tassert.Equal(t, admin.Username, admins[0].Username)\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusNotFound)\n\tassert.NoError(t, err)\n\n\tadmin, _, err = httpdtest.GetAdminByUsername(admin.Username+\"123\", http.StatusNotFound)\n\tassert.NoError(t, err)\n\n\tadmin.Username = defaultTokenAuthUser\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusBadRequest)\n\tassert.NoError(t, err)\n}\n\nfunc TestAdminGroups(t *testing.T) {\n\tgroup1 := getTestGroup()\n\tgroup1.Name += \"_1\"\n\tgroup1, _, err := httpdtest.AddGroup(group1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tgroup2 := getTestGroup()\n\tgroup2.Name += \"_2\"\n\tgroup2, _, err = httpdtest.AddGroup(group2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tgroup3 := getTestGroup()\n\tgroup3.Name += \"_3\"\n\tgroup3, _, err = httpdtest.AddGroup(group3, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ta := getTestAdmin()\n\ta.Username = altAdminUsername\n\ta.Groups = []dataprovider.AdminGroupMapping{\n\t\t{\n\t\t\tName: group1.Name,\n\t\t\tOptions: dataprovider.AdminGroupMappingOptions{\n\t\t\t\tAddToUsersAs: dataprovider.GroupAddToUsersAsPrimary,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tName: group2.Name,\n\t\t\tOptions: dataprovider.AdminGroupMappingOptions{\n\t\t\t\tAddToUsersAs: dataprovider.GroupAddToUsersAsSecondary,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tName: group3.Name,\n\t\t\tOptions: dataprovider.AdminGroupMappingOptions{\n\t\t\t\tAddToUsersAs: dataprovider.GroupAddToUsersAsMembership,\n\t\t\t},\n\t\t},\n\t}\n\tadmin, _, err := httpdtest.AddAdmin(a, http.StatusCreated)\n\tassert.NoError(t, err)\n\tassert.Len(t, admin.Groups, 3)\n\n\tgroups, _, err := httpdtest.GetGroups(0, 0, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, groups, 3)\n\tfor _, g := range groups {\n\t\tif assert.Len(t, g.Admins, 1) {\n\t\t\tassert.Equal(t, admin.Username, g.Admins[0])\n\t\t}\n\t}\n\n\tadmin, _, err = httpdtest.UpdateAdmin(a, http.StatusOK)\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveGroup(group1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group2, http.StatusOK)\n\tassert.NoError(t, err)\n\tadmin, _, err = httpdtest.GetAdminByUsername(admin.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, admin.Groups, 1)\n\n\t// try to add a missing group\n\tadmin.Groups = []dataprovider.AdminGroupMapping{\n\t\t{\n\t\t\tName: group1.Name,\n\t\t\tOptions: dataprovider.AdminGroupMappingOptions{\n\t\t\t\tAddToUsersAs: dataprovider.GroupAddToUsersAsPrimary,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tName: group2.Name,\n\t\t\tOptions: dataprovider.AdminGroupMappingOptions{\n\t\t\t\tAddToUsersAs: dataprovider.GroupAddToUsersAsSecondary,\n\t\t\t},\n\t\t},\n\t}\n\n\tgroup3, _, err = httpdtest.GetGroupByName(group3.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, group3.Admins, 1)\n\n\t_, _, err = httpdtest.UpdateAdmin(admin, http.StatusOK)\n\tassert.Error(t, err)\n\tgroup3, _, err = httpdtest.GetGroupByName(group3.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, group3.Admins, 1)\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\tgroup3, _, err = httpdtest.GetGroupByName(group3.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, group3.Admins, 0)\n\n\t_, err = httpdtest.RemoveGroup(group3, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestChangeAdminPassword(t *testing.T) {\n\t_, err := httpdtest.ChangeAdminPassword(\"wrong\", defaultTokenAuthPass, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.ChangeAdminPassword(defaultTokenAuthPass, defaultTokenAuthPass, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.ChangeAdminPassword(defaultTokenAuthPass, defaultTokenAuthPass+\"1\", http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.ChangeAdminPassword(defaultTokenAuthPass+\"1\", defaultTokenAuthPass, http.StatusUnauthorized)\n\tassert.NoError(t, err)\n\tadmin, err := dataprovider.AdminExists(defaultTokenAuthUser)\n\tassert.NoError(t, err)\n\tadmin.Password = defaultTokenAuthPass\n\terr = dataprovider.UpdateAdmin(&admin, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n}\n\nfunc TestPasswordValidations(t *testing.T) {\n\tif config.GetProviderConf().Driver == dataprovider.MemoryDataProviderName {\n\t\tt.Skip(\"this test is not supported with the memory provider\")\n\t}\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tproviderConf := config.GetProviderConf()\n\tassert.NoError(t, err)\n\tproviderConf.PasswordValidation.Admins.MinEntropy = 50\n\tproviderConf.PasswordValidation.Users.MinEntropy = 70\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\ta := getTestAdmin()\n\ta.Username = altAdminUsername\n\ta.Password = altAdminPassword\n\n\t_, resp, err := httpdtest.AddAdmin(a, http.StatusBadRequest)\n\tassert.NoError(t, err, string(resp))\n\tassert.Contains(t, string(resp), \"insecure password\")\n\n\t_, resp, err = httpdtest.AddUser(getTestUser(), http.StatusBadRequest)\n\tassert.NoError(t, err, string(resp))\n\tassert.Contains(t, string(resp), \"insecure password\")\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\tproviderConf.BackupsPath = backupsPath\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n}\n\nfunc TestAdminPasswordHashing(t *testing.T) {\n\tif config.GetProviderConf().Driver == dataprovider.MemoryDataProviderName {\n\t\tt.Skip(\"this test is not supported with the memory provider\")\n\t}\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tproviderConf := config.GetProviderConf()\n\tassert.NoError(t, err)\n\tproviderConf.PasswordHashing.Algo = dataprovider.HashingAlgoArgon2ID\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\tcurrentAdmin, err := dataprovider.AdminExists(defaultTokenAuthUser)\n\tassert.NoError(t, err)\n\tassert.True(t, strings.HasPrefix(currentAdmin.Password, \"$2a$\"))\n\n\ta := getTestAdmin()\n\ta.Username = altAdminUsername\n\ta.Password = altAdminPassword\n\n\tadmin, _, err := httpdtest.AddAdmin(a, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tnewAdmin, err := dataprovider.AdminExists(altAdminUsername)\n\tassert.NoError(t, err)\n\tassert.True(t, strings.HasPrefix(newAdmin.Password, \"$argon2id$\"))\n\n\ttoken, _, err := httpdtest.GetToken(altAdminUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\thttpdtest.SetJWTToken(token)\n\t_, _, err = httpdtest.GetStatus(http.StatusOK)\n\tassert.NoError(t, err)\n\n\thttpdtest.SetJWTToken(\"\")\n\t_, _, err = httpdtest.GetStatus(http.StatusOK)\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\tproviderConf.BackupsPath = backupsPath\n\tassert.NoError(t, err)\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n}\n\nfunc TestDefaultUsersExpiration(t *testing.T) {\n\ta := getTestAdmin()\n\ta.Username = altAdminUsername\n\ta.Password = altAdminPassword\n\ta.Filters.Preferences.DefaultUsersExpiration = 30\n\tadmin, _, err := httpdtest.AddAdmin(a, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ttoken, _, err := httpdtest.GetToken(altAdminUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\thttpdtest.SetJWTToken(token)\n\n\t_, _, err = httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.Error(t, err)\n\n\tuser, _, err := httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Greater(t, user.ExpirationDate, int64(0))\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tu := getTestUser()\n\tu.ExpirationDate = util.GetTimeAsMsSinceEpoch(time.Now().Add(1 * time.Minute))\n\n\t_, _, err = httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tuser, _, err = httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, u.ExpirationDate, user.ExpirationDate)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\n\thttpdtest.SetJWTToken(\"\")\n\t_, _, err = httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\t// render the user template page\n\twebToken, err := getJWTWebTokenFromTestServer(altAdminUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodGet, webTemplateUser, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webTemplateUser+fmt.Sprintf(\"?from=%s\", user.Username), nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\n\thttpdtest.SetJWTToken(token)\n\t_, _, err = httpdtest.AddUser(u, http.StatusNotFound)\n\tassert.NoError(t, err)\n\n\thttpdtest.SetJWTToken(\"\")\n}\n\nfunc TestAdminInvalidCredentials(t *testing.T) {\n\treq, err := http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, tokenPath), nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultTokenAuthUser, defaultTokenAuthPass)\n\tresp, err := httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusOK, resp.StatusCode)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\t// wrong password\n\treq.SetBasicAuth(defaultTokenAuthUser, \"wrong pwd\")\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusUnauthorized, resp.StatusCode)\n\tresponseHolder := make(map[string]any)\n\terr = render.DecodeJSON(resp.Body, &responseHolder)\n\tassert.NoError(t, err)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\tassert.Equal(t, dataprovider.ErrInvalidCredentials.Error(), responseHolder[\"error\"].(string))\n\t// wrong username\n\treq.SetBasicAuth(\"wrong username\", defaultTokenAuthPass)\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusUnauthorized, resp.StatusCode)\n\tresponseHolder = make(map[string]any)\n\terr = render.DecodeJSON(resp.Body, &responseHolder)\n\tassert.NoError(t, err)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\tassert.Equal(t, dataprovider.ErrInvalidCredentials.Error(), responseHolder[\"error\"].(string))\n}\n\nfunc TestAdminLastLogin(t *testing.T) {\n\ta := getTestAdmin()\n\ta.Username = altAdminUsername\n\ta.Password = altAdminPassword\n\n\tadmin, _, err := httpdtest.AddAdmin(a, http.StatusCreated)\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(0), admin.LastLogin)\n\n\t_, _, err = httpdtest.GetToken(altAdminUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\n\tadmin, _, err = httpdtest.GetAdminByUsername(altAdminUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Greater(t, admin.LastLogin, int64(0))\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestAdminAllowList(t *testing.T) {\n\ta := getTestAdmin()\n\ta.Username = altAdminUsername\n\ta.Password = altAdminPassword\n\n\tadmin, _, err := httpdtest.AddAdmin(a, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ttoken, _, err := httpdtest.GetToken(altAdminUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\thttpdtest.SetJWTToken(token)\n\t_, _, err = httpdtest.GetStatus(http.StatusOK)\n\tassert.NoError(t, err)\n\n\thttpdtest.SetJWTToken(\"\")\n\n\tadmin.Password = altAdminPassword\n\tadmin.Filters.AllowList = []string{\"10.6.6.0/32\"}\n\tadmin, _, err = httpdtest.UpdateAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\n\t_, _, err = httpdtest.GetToken(altAdminUsername, altAdminPassword)\n\tassert.EqualError(t, err, \"wrong status code: got 401 want 200\")\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestUserStatus(t *testing.T) {\n\tu := getTestUser()\n\tu.Status = 3\n\t_, _, err := httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.Status = 0\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser.Status = 2\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusBadRequest, \"\")\n\tassert.NoError(t, err)\n\tuser.Status = 1\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestUidGidLimits(t *testing.T) {\n\tu := getTestUser()\n\tu.UID = math.MaxInt32\n\tu.GID = math.MaxInt32\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tassert.Equal(t, math.MaxInt32, user.GetUID())\n\tassert.Equal(t, math.MaxInt32, user.GetGID())\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestAddUserNoCredentials(t *testing.T) {\n\tu := getTestUser()\n\tu.Password = \"\"\n\tu.PublicKeys = []string{}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\t// this user cannot login with an empty password but it still can use an SSH cert\n\t_, err = getJWTAPITokenFromTestServer(defaultTokenAuthUser, \"\")\n\tassert.Error(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestAddUserNoUsername(t *testing.T) {\n\tu := getTestUser()\n\tu.Username = \"\"\n\t_, _, err := httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n}\n\nfunc TestAddUserNoHomeDir(t *testing.T) {\n\tu := getTestUser()\n\tu.HomeDir = \"\"\n\t_, _, err := httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n}\n\nfunc TestAddUserInvalidHomeDir(t *testing.T) {\n\tu := getTestUser()\n\tu.HomeDir = \"relative_path\" //nolint:goconst\n\t_, _, err := httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n}\n\nfunc TestAddUserNoPerms(t *testing.T) {\n\tu := getTestUser()\n\tu.Permissions = make(map[string][]string)\n\t_, _, err := httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.Permissions[\"/\"] = []string{}\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n}\n\nfunc TestAddUserInvalidEmail(t *testing.T) {\n\tu := getTestUser()\n\tu.Email = \"invalid_email\"\n\t_, body, err := httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(body), \"Validation error: email\")\n}\n\nfunc TestAddUserInvalidPerms(t *testing.T) {\n\tu := getTestUser()\n\tu.Permissions[\"/\"] = []string{\"invalidPerm\"}\n\t_, _, err := httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\t// permissions for root dir are mandatory\n\tu.Permissions[\"/\"] = []string{}\n\tu.Permissions[\"/somedir\"] = []string{dataprovider.PermAny}\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tu.Permissions[\"/subdir/..\"] = []string{dataprovider.PermAny}\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n}\n\nfunc TestAddUserInvalidFilters(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.AllowedIP = []string{\"192.168.1.0/24\", \"192.168.2.0\"}\n\t_, _, err := httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.Filters.AllowedIP = []string{}\n\tu.Filters.DeniedIP = []string{\"192.168.3.0/16\", \"invalid\"}\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.Filters.DeniedIP = []string{}\n\tu.Filters.DeniedLoginMethods = []string{\"invalid\"}\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.Filters.DeniedLoginMethods = dataprovider.ValidLoginMethods\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodTLSCertificateAndPwd}\n\tu.Filters.DeniedProtocols = dataprovider.ValidProtocols\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.Filters.DeniedProtocols = []string{common.ProtocolFTP}\n\tu.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: \"relative\",\n\t\t\tAllowedPatterns: []string{},\n\t\t\tDeniedPatterns: []string{},\n\t\t},\n\t}\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: \"/\",\n\t\t\tAllowedPatterns: []string{},\n\t\t\tDeniedPatterns: []string{},\n\t\t},\n\t}\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: \"/subdir\",\n\t\t\tAllowedPatterns: []string{\"*.zip\"},\n\t\t\tDeniedPatterns: []string{},\n\t\t},\n\t\t{\n\t\t\tPath: \"/subdir\",\n\t\t\tAllowedPatterns: []string{\"*.rar\"},\n\t\t\tDeniedPatterns: []string{\"*.jpg\"},\n\t\t},\n\t}\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: \"relative\",\n\t\t\tAllowedPatterns: []string{},\n\t\t\tDeniedPatterns: []string{},\n\t\t},\n\t}\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: \"/\",\n\t\t\tAllowedPatterns: []string{},\n\t\t\tDeniedPatterns: []string{},\n\t\t},\n\t}\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: \"/subdir\",\n\t\t\tAllowedPatterns: []string{\"*.zip\"},\n\t\t},\n\t\t{\n\t\t\tPath: \"/subdir\",\n\t\t\tAllowedPatterns: []string{\"*.rar\"},\n\t\t\tDeniedPatterns: []string{\"*.jpg\"},\n\t\t},\n\t}\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: \"/subdir\",\n\t\t\tAllowedPatterns: []string{\"a\\\\\"},\n\t\t},\n\t}\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: \"/subdir\",\n\t\t\tAllowedPatterns: []string{\"*.*\"},\n\t\t\tDenyPolicy: 100,\n\t\t},\n\t}\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.Filters.DeniedProtocols = []string{\"invalid\"}\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.Filters.DeniedProtocols = dataprovider.ValidProtocols\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.Filters.DeniedProtocols = nil\n\tu.Filters.TLSUsername = \"not a supported attribute\"\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.Filters.TLSUsername = \"\"\n\tu.Filters.WebClient = []string{\"not a valid web client options\"}\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n}\n\nfunc TestAddUserInvalidFsConfig(t *testing.T) {\n\tu := getTestUser()\n\tu.FsConfig.Provider = sdk.S3FilesystemProvider\n\tu.FsConfig.S3Config.Bucket = \"\"\n\t_, _, err := httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.FsConfig.S3Config.Bucket = \"testbucket\"\n\tu.FsConfig.S3Config.Region = \"eu-west-1\" //nolint:goconst\n\tu.FsConfig.S3Config.AccessKey = \"access-key\" //nolint:goconst\n\tu.FsConfig.S3Config.AccessSecret = kms.NewSecret(sdkkms.SecretStatusRedacted, \"access-secret\", \"\", \"\")\n\tu.FsConfig.S3Config.Endpoint = \"http://127.0.0.1:9000/path?a=b\"\n\tu.FsConfig.S3Config.StorageClass = \"Standard\" //nolint:goconst\n\tu.FsConfig.S3Config.KeyPrefix = \"/adir/subdir/\"\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.FsConfig.S3Config.AccessSecret.SetStatus(sdkkms.SecretStatusPlain)\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.FsConfig.S3Config.KeyPrefix = \"\"\n\tu.FsConfig.S3Config.UploadPartSize = 3\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.FsConfig.S3Config.UploadPartSize = 5001\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.FsConfig.S3Config.UploadPartSize = 0\n\tu.FsConfig.S3Config.UploadConcurrency = -1\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.FsConfig.S3Config.UploadConcurrency = 0\n\tu.FsConfig.S3Config.DownloadPartSize = -1\n\t_, resp, err := httpdtest.AddUser(u, http.StatusBadRequest)\n\tif assert.NoError(t, err) {\n\t\tassert.Contains(t, string(resp), \"download_part_size cannot be\")\n\t}\n\tu.FsConfig.S3Config.DownloadPartSize = 5001\n\t_, resp, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tif assert.NoError(t, err) {\n\t\tassert.Contains(t, string(resp), \"download_part_size cannot be\")\n\t}\n\tu.FsConfig.S3Config.DownloadPartSize = 0\n\tu.FsConfig.S3Config.DownloadConcurrency = 100\n\t_, resp, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tif assert.NoError(t, err) {\n\t\tassert.Contains(t, string(resp), \"invalid download concurrency\")\n\t}\n\tu.FsConfig.S3Config.DownloadConcurrency = -1\n\t_, resp, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tif assert.NoError(t, err) {\n\t\tassert.Contains(t, string(resp), \"invalid download concurrency\")\n\t}\n\tu.FsConfig.S3Config.DownloadConcurrency = 0\n\tu.FsConfig.S3Config.Endpoint = \"\"\n\tu.FsConfig.S3Config.Region = \"\"\n\t_, resp, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tif assert.NoError(t, err) {\n\t\tassert.Contains(t, string(resp), \"region cannot be empty\")\n\t}\n\tu = getTestUser()\n\tu.FsConfig.Provider = sdk.GCSFilesystemProvider\n\tu.FsConfig.GCSConfig.Bucket = \"\"\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.FsConfig.GCSConfig.Bucket = \"abucket\"\n\tu.FsConfig.GCSConfig.StorageClass = \"Standard\"\n\tu.FsConfig.GCSConfig.KeyPrefix = \"/somedir/subdir/\"\n\tu.FsConfig.GCSConfig.Credentials = kms.NewSecret(sdkkms.SecretStatusRedacted, \"test\", \"\", \"\") //nolint:goconst\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.FsConfig.GCSConfig.Credentials.SetStatus(sdkkms.SecretStatusPlain)\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.FsConfig.GCSConfig.KeyPrefix = \"somedir/subdir/\" //nolint:goconst\n\tu.FsConfig.GCSConfig.Credentials = kms.NewEmptySecret()\n\tu.FsConfig.GCSConfig.AutomaticCredentials = 0\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.FsConfig.GCSConfig.Credentials = kms.NewSecret(sdkkms.SecretStatusSecretBox, \"invalid\", \"\", \"\")\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\n\tu = getTestUser()\n\tu.FsConfig.Provider = sdk.AzureBlobFilesystemProvider\n\tu.FsConfig.AzBlobConfig.SASURL = kms.NewPlainSecret(\"http://foo\\x7f.com/\")\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.FsConfig.AzBlobConfig.SASURL = kms.NewSecret(sdkkms.SecretStatusRedacted, \"key\", \"\", \"\")\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.FsConfig.AzBlobConfig.SASURL = kms.NewEmptySecret()\n\tu.FsConfig.AzBlobConfig.AccountName = \"name\"\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.FsConfig.AzBlobConfig.AccountKey = kms.NewSecret(sdkkms.SecretStatusRedacted, \"key\", \"\", \"\")\n\tu.FsConfig.AzBlobConfig.KeyPrefix = \"/amedir/subdir/\"\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.FsConfig.AzBlobConfig.AccountKey.SetStatus(sdkkms.SecretStatusPlain)\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.FsConfig.AzBlobConfig.KeyPrefix = \"amedir/subdir/\"\n\tu.FsConfig.AzBlobConfig.UploadPartSize = -1\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.FsConfig.AzBlobConfig.UploadPartSize = 101\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\n\tu = getTestUser()\n\tu.FsConfig.Provider = sdk.CryptedFilesystemProvider\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.FsConfig.CryptConfig.Passphrase = kms.NewSecret(sdkkms.SecretStatusRedacted, \"akey\", \"\", \"\")\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu = getTestUser()\n\tu.FsConfig.Provider = sdk.SFTPFilesystemProvider\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.FsConfig.SFTPConfig.Password = kms.NewSecret(sdkkms.SecretStatusRedacted, \"randompkey\", \"\", \"\")\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.FsConfig.SFTPConfig.Password = kms.NewEmptySecret()\n\tu.FsConfig.SFTPConfig.PrivateKey = kms.NewSecret(sdkkms.SecretStatusRedacted, \"keyforpkey\", \"\", \"\")\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.FsConfig.SFTPConfig.PrivateKey = kms.NewPlainSecret(\"pk\")\n\tu.FsConfig.SFTPConfig.Endpoint = \"127.1.1.1:22\"\n\tu.FsConfig.SFTPConfig.Username = defaultUsername\n\tu.FsConfig.SFTPConfig.BufferSize = -1\n\t_, resp, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tif assert.NoError(t, err) {\n\t\tassert.Contains(t, string(resp), \"invalid buffer_size\")\n\t}\n\tu.FsConfig.SFTPConfig.BufferSize = 1000\n\t_, resp, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tif assert.NoError(t, err) {\n\t\tassert.Contains(t, string(resp), \"invalid buffer_size\")\n\t}\n\n\tu = getTestUser()\n\tu.FsConfig.Provider = sdk.HTTPFilesystemProvider\n\tu.FsConfig.HTTPConfig.Endpoint = \"http://foo\\x7f.com/\"\n\t_, resp, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tif assert.NoError(t, err) {\n\t\tassert.Contains(t, string(resp), \"invalid endpoint\")\n\t}\n\tu.FsConfig.HTTPConfig.Endpoint = \"http://127.0.0.1:9999/api/v1\"\n\tu.FsConfig.HTTPConfig.Password = kms.NewSecret(sdkkms.SecretStatusSecretBox, \"\", \"\", \"\")\n\t_, resp, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tif assert.NoError(t, err) {\n\t\tassert.Contains(t, string(resp), \"invalid encrypted password\")\n\t}\n\tu.FsConfig.HTTPConfig.Password = nil\n\tu.FsConfig.HTTPConfig.APIKey = kms.NewSecret(sdkkms.SecretStatusRedacted, redactedSecret, \"\", \"\")\n\t_, resp, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tif assert.NoError(t, err) {\n\t\tassert.Contains(t, string(resp), \"cannot save a user with a redacted secret\")\n\t}\n\tu.FsConfig.HTTPConfig.APIKey = nil\n\tu.FsConfig.HTTPConfig.Endpoint = \"/api/v1\"\n\t_, resp, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tif assert.NoError(t, err) {\n\t\tassert.Contains(t, string(resp), \"invalid endpoint schema\")\n\t}\n\tu.FsConfig.HTTPConfig.Endpoint = \"http://unix?api_prefix=v1\"\n\t_, resp, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tif assert.NoError(t, err) {\n\t\tassert.Contains(t, string(resp), \"invalid unix domain socket path\")\n\t}\n\tu.FsConfig.HTTPConfig.Endpoint = \"http://unix?socket_path=test.sock\"\n\t_, resp, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tif assert.NoError(t, err) {\n\t\tassert.Contains(t, string(resp), \"invalid unix domain socket path\")\n\t}\n}\n\nfunc TestUserRedactedPassword(t *testing.T) {\n\tu := getTestUser()\n\tu.FsConfig.Provider = sdk.S3FilesystemProvider\n\tu.FsConfig.S3Config.Bucket = \"b\"\n\tu.FsConfig.S3Config.Region = \"eu-west-1\"\n\tu.FsConfig.S3Config.AccessKey = \"access-key\"\n\tu.FsConfig.S3Config.RoleARN = \"myRoleARN\"\n\tu.FsConfig.S3Config.AccessSecret = kms.NewSecret(sdkkms.SecretStatusRedacted, \"access-secret\", \"\", \"\")\n\tu.FsConfig.S3Config.Endpoint = \"http://127.0.0.1:9000/path?k=m\"\n\tu.FsConfig.S3Config.StorageClass = \"Standard\"\n\tu.FsConfig.S3Config.ACL = \"bucket-owner-full-control\"\n\t_, resp, err := httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err, string(resp))\n\tassert.Contains(t, string(resp), \"cannot save a user with a redacted secret\")\n\terr = dataprovider.AddUser(&u, \"\", \"\", \"\")\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"cannot save a user with a redacted secret\")\n\t}\n\tu.FsConfig.S3Config.AccessSecret = kms.NewPlainSecret(\"secret\")\n\tu.FsConfig.S3Config.SSECustomerKey = kms.NewSecret(sdkkms.SecretStatusRedacted, \"mysecretkey\", \"\", \"\")\n\t_, resp, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err, string(resp))\n\tassert.Contains(t, string(resp), \"cannot save a user with a redacted secret\")\n\n\tu.FsConfig.S3Config.SSECustomerKey = kms.NewPlainSecret(\"key\")\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tfolderName := \"folderName\"\n\tvfolder := vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t\tMappedPath: filepath.Join(os.TempDir(), \"crypted\"),\n\t\t\tFsConfig: vfs.Filesystem{\n\t\t\t\tProvider: sdk.CryptedFilesystemProvider,\n\t\t\t\tCryptConfig: vfs.CryptFsConfig{\n\t\t\t\t\tPassphrase: kms.NewSecret(sdkkms.SecretStatusRedacted, \"crypted-secret\", \"\", \"\"),\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tVirtualPath: \"/avpath\",\n\t}\n\n\tuser.Password = defaultPassword\n\tuser.VirtualFolders = append(user.VirtualFolders, vfolder)\n\terr = dataprovider.UpdateUser(&user, \"\", \"\", \"\")\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"cannot save a user with a redacted secret\")\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestUserType(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.UserType = string(sdk.UserTypeLDAP)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tassert.Equal(t, string(sdk.UserTypeLDAP), user.Filters.UserType)\n\tuser.Filters.UserType = string(sdk.UserTypeOS)\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, string(sdk.UserTypeOS), user.Filters.UserType)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestRetentionAPI(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tt.Cleanup(func() {\n\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\tassert.NoError(t, err)\n\t})\n\n\tchecks, _, err := httpdtest.GetRetentionChecks(http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, checks, 0)\n\n\tlocalFilePath := filepath.Join(user.HomeDir, \"testdir\", \"testfile\")\n\terr = os.MkdirAll(filepath.Dir(localFilePath), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(localFilePath, []byte(\"test data\"), os.ModePerm)\n\tassert.NoError(t, err)\n\n\tfolderRetention := []dataprovider.FolderRetention{\n\t\t{\n\t\t\tPath: \"/\",\n\t\t\tRetention: 24,\n\t\t\tDeleteEmptyDirs: true,\n\t\t},\n\t}\n\n\tcheck := common.RetentionCheck{\n\t\tFolders: folderRetention,\n\t}\n\tc := common.RetentionChecks.Add(check, &user)\n\trequire.NotNil(t, c)\n\n\terr = c.Start()\n\trequire.NoError(t, err)\n\n\tassert.Eventually(t, func() bool {\n\t\treturn len(common.RetentionChecks.Get(\"\")) == 0\n\t}, 1000*time.Millisecond, 50*time.Millisecond)\n\n\tassert.FileExists(t, localFilePath)\n\n\terr = os.Chtimes(localFilePath, time.Now().Add(-48*time.Hour), time.Now().Add(-48*time.Hour))\n\tassert.NoError(t, err)\n\n\terr = c.Start()\n\trequire.NoError(t, err)\n\n\tassert.Eventually(t, func() bool {\n\t\treturn len(common.RetentionChecks.Get(\"\")) == 0\n\t}, 1000*time.Millisecond, 50*time.Millisecond)\n\n\tassert.NoFileExists(t, localFilePath)\n\tassert.NoDirExists(t, filepath.Dir(localFilePath))\n\n\tc = common.RetentionChecks.Add(check, &user)\n\tassert.NotNil(t, c)\n\n\tassert.Nil(t, common.RetentionChecks.Add(check, &user)) // a check for this user is already in progress\n\n\tchecks, _, err = httpdtest.GetRetentionChecks(http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, checks, 1)\n\n\terr = c.Start()\n\tassert.NoError(t, err)\n\n\tassert.Eventually(t, func() bool {\n\t\treturn len(common.RetentionChecks.Get(\"\")) == 0\n\t}, 1000*time.Millisecond, 50*time.Millisecond)\n\n\tchecks, _, err = httpdtest.GetRetentionChecks(http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, checks, 0)\n}\n\nfunc TestAddUserInvalidVirtualFolders(t *testing.T) {\n\tu := getTestUser()\n\tfolderName := \"fname\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tMappedPath: filepath.Join(os.TempDir(), \"mapped_dir\"),\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: \"/vdir\",\n\t})\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tMappedPath: filepath.Join(os.TempDir(), \"mapped_dir1\"),\n\t\t\tName: folderName + \"1\",\n\t\t},\n\t\tVirtualPath: \"/vdir\", // invalid, already defined\n\t})\n\t_, _, err := httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.VirtualFolders = nil\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tMappedPath: filepath.Join(os.TempDir(), \"mapped_dir\"),\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: \"/vdir1\",\n\t})\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tMappedPath: filepath.Join(os.TempDir(), \"mapped_dir\"),\n\t\t\tName: folderName, // invalid, unique constraint (user.id, folder.id) violated\n\t\t},\n\t\tVirtualPath: \"/vdir2\",\n\t})\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.VirtualFolders = nil\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tMappedPath: filepath.Join(os.TempDir(), \"mapped_dir1\"),\n\t\t\tName: folderName + \"1\",\n\t\t},\n\t\tVirtualPath: \"/vdir1/\",\n\t\tQuotaSize: -1,\n\t\tQuotaFiles: 1, // invvalid, we cannot have -1 and > 0\n\t})\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.VirtualFolders = nil\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tMappedPath: filepath.Join(os.TempDir(), \"mapped_dir1\"),\n\t\t\tName: folderName + \"1\",\n\t\t},\n\t\tVirtualPath: \"/vdir1/\",\n\t\tQuotaSize: 1,\n\t\tQuotaFiles: -1,\n\t})\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.VirtualFolders = nil\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tMappedPath: filepath.Join(os.TempDir(), \"mapped_dir1\"),\n\t\t\tName: folderName + \"1\",\n\t\t},\n\t\tVirtualPath: \"/vdir1/\",\n\t\tQuotaSize: -2, // invalid\n\t\tQuotaFiles: 0,\n\t})\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.VirtualFolders = nil\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tMappedPath: filepath.Join(os.TempDir(), \"mapped_dir1\"),\n\t\t\tName: folderName + \"1\",\n\t\t},\n\t\tVirtualPath: \"/vdir1/\",\n\t\tQuotaSize: 0,\n\t\tQuotaFiles: -2, // invalid\n\t})\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.VirtualFolders = nil\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tMappedPath: filepath.Join(os.TempDir(), \"mapped_dir\"),\n\t\t},\n\t\tVirtualPath: \"/vdir1\",\n\t})\n\t// folder name is mandatory\n\t_, _, err = httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n}\n\nfunc TestUserPublicKey(t *testing.T) {\n\tu := getTestUser()\n\tu.Password = \"\"\n\tinvalidPubKey := \"invalid\"\n\tu.PublicKeys = []string{invalidPubKey}\n\t_, _, err := httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.PublicKeys = []string{testPubKey}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tdbUser, err := dataprovider.UserExists(u.Username, \"\")\n\tassert.NoError(t, err)\n\tassert.Empty(t, dbUser.Password)\n\tassert.False(t, dbUser.IsPasswordHashed())\n\n\tuser.PublicKeys = []string{testPubKey, invalidPubKey}\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusBadRequest, \"\")\n\tassert.NoError(t, err)\n\tuser.PublicKeys = []string{testPubKey, testPubKey, testPubKey}\n\tuser.Password = defaultPassword\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\tdbUser, err = dataprovider.UserExists(u.Username, \"\")\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, dbUser.Password)\n\tassert.True(t, dbUser.IsPasswordHashed())\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t// DSA keys are not accepted\n\tu = getTestUser()\n\tu.Password = \"\"\n\tu.PublicKeys = []string{\"ssh-dss AAAAB3NzaC1kc3MAAACBAK+BKLZs1Vd0cWYOquKfp++0ml9hkzB7UDRozT3nhRcyHcuwASsXiVTqsg96oGjBcUUy076CXlsfJEXE2P0dF6tt1wvABPMwKpOn+kIrfJ0j93X2c2KIZNlD4YuNUJjLHu1DvgQHw8NMps6l5D0M5NFCRdD3NYhI5zFVJJ4CzikrAAAAFQCRBagw7gEbs0gd8So7OLMcSVzs/wAAAIBjuo7U9q8npchQ3otgCvj0xIwsQ+Fi9bH0SBceqbCcVzFYY6JXSQ0XmwHs+0AuvRCPIGaBdfcm+w+9YOxREtdEVjcmkYlfJpTaVljjWcWFWTQddbiamZhQ/xLU9CNLK4oYLwIGLZjCcG7nRDdLtLQdBFuzP/faEi3TD2BK114QmAAAAIEAj1n34pH2WKwbSZhzmz/OG0VzqJICFWboiM44LZl2AqcRBvEEycdHlGe2IKaj5lEtLgBKJt9NSFhBIzWh7gcEzSMlkiDecdYSFlDc4snmTiXaoiIehV59nTY6gc8GLWCzuem+WdHxvJ4yOSWF9k+a+Y+/v/35shNLkfokViOlN7k=\"}\n\t_, resp, err := httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"DSA key format is insecure and it is not allowed\")\n}\n\nfunc TestUpdateUserEmptyPassword(t *testing.T) {\n\tu := getTestUser()\n\tu.PublicKeys = []string{testPubKey}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\t// the password is not empty\n\tdbUser, err := dataprovider.UserExists(u.Username, \"\")\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, dbUser.Password)\n\tassert.True(t, dbUser.IsPasswordHashed())\n\t// now update the user and set an empty password\n\tdata, err := json.Marshal(dbUser)\n\tassert.NoError(t, err)\n\tvar customUser map[string]any\n\terr = json.Unmarshal(data, &customUser)\n\tassert.NoError(t, err)\n\tcustomUser[\"password\"] = \"\"\n\tasJSON, err := json.Marshal(customUser)\n\tassert.NoError(t, err)\n\tuserNoPwd, _, err := httpdtest.UpdateUserWithJSON(user, http.StatusOK, \"\", asJSON)\n\tassert.NoError(t, err)\n\tassert.Equal(t, user.Password, userNoPwd.Password) // the password is hidden\n\t// check the password within the data provider\n\tdbUser, err = dataprovider.UserExists(u.Username, \"\")\n\tassert.NoError(t, err)\n\tassert.Empty(t, dbUser.Password)\n\tassert.False(t, dbUser.IsPasswordHashed())\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestUpdateUserNoPassword(t *testing.T) {\n\tu := getTestUser()\n\tu.PublicKeys = []string{testPubKey}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\t// the password is not empty\n\tdbUser, err := dataprovider.UserExists(u.Username, \"\")\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, dbUser.Password)\n\tassert.True(t, dbUser.IsPasswordHashed())\n\t// now update the user and remove the password field, old password should be preserved\n\tuser.Password = \"\" // password has the omitempty tag\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\t// the password is preserved\n\tdbUser, err = dataprovider.UserExists(u.Username, \"\")\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, dbUser.Password)\n\tassert.True(t, dbUser.IsPasswordHashed())\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestUpdateUser(t *testing.T) {\n\tu := getTestUser()\n\tu.UsedQuotaFiles = 1\n\tu.UsedQuotaSize = 2\n\tu.Filters.TLSUsername = sdk.TLSUsernameCN\n\tu.Filters.Hooks.CheckPasswordDisabled = true\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, user.UsedQuotaFiles)\n\tassert.Equal(t, int64(0), user.UsedQuotaSize)\n\tuser.HomeDir = filepath.Join(homeBasePath, \"testmod\")\n\tuser.UID = 33\n\tuser.GID = 101\n\tuser.MaxSessions = 10\n\tuser.QuotaSize = 4096\n\tuser.QuotaFiles = 2\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermCreateDirs, dataprovider.PermDelete, dataprovider.PermDownload}\n\tuser.Permissions[\"/subdir\"] = []string{dataprovider.PermListItems, dataprovider.PermUpload}\n\tuser.Filters.AllowedIP = []string{\"192.168.1.0/24\", \"192.168.2.0/24\"}\n\tuser.Filters.DeniedIP = []string{\"192.168.3.0/24\", \"192.168.4.0/24\"}\n\tuser.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodPassword}\n\tuser.Filters.DeniedProtocols = []string{common.ProtocolWebDAV}\n\tuser.Filters.TLSUsername = sdk.TLSUsernameNone\n\tuser.Filters.Hooks.ExternalAuthDisabled = true\n\tuser.Filters.Hooks.PreLoginDisabled = true\n\tuser.Filters.Hooks.CheckPasswordDisabled = false\n\tuser.Filters.DisableFsChecks = true\n\tuser.Filters.FilePatterns = append(user.Filters.FilePatterns, sdk.PatternsFilter{\n\t\tPath: \"/subdir\",\n\t\tAllowedPatterns: []string{\"*.zip\", \"*.rar\"},\n\t\tDeniedPatterns: []string{\"*.jpg\", \"*.png\"},\n\t\tDenyPolicy: sdk.DenyPolicyHide,\n\t})\n\tuser.Filters.MaxUploadFileSize = 4096\n\tuser.UploadBandwidth = 1024\n\tuser.DownloadBandwidth = 512\n\tuser.VirtualFolders = nil\n\tmappedPath1 := filepath.Join(os.TempDir(), \"mapped_dir1\")\n\tmappedPath2 := filepath.Join(os.TempDir(), \"mapped_dir2\")\n\tfolderName1 := filepath.Base(mappedPath1)\n\tfolderName2 := filepath.Base(mappedPath2)\n\tuser.VirtualFolders = append(user.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: \"/vdir1\",\n\t})\n\tuser.VirtualFolders = append(user.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t},\n\t\tVirtualPath: \"/vdir12/subdir\",\n\t\tQuotaSize: 123,\n\t\tQuotaFiles: 2,\n\t})\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderName1,\n\t\tMappedPath: mappedPath1,\n\t}\n\t_, _, err = httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName2,\n\t\tMappedPath: mappedPath2,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusBadRequest, \"invalid\")\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"0\")\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"1\")\n\tassert.NoError(t, err)\n\tuser.Permissions[\"/subdir\"] = []string{}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tassert.Len(t, user.Permissions[\"/subdir\"], 0)\n\tassert.Len(t, user.VirtualFolders, 2)\n\tfor _, folder := range user.VirtualFolders {\n\t\tassert.Greater(t, folder.ID, int64(0))\n\t\tif folder.VirtualPath == \"/vdir12/subdir\" {\n\t\t\tassert.Equal(t, int64(123), folder.QuotaSize)\n\t\t\tassert.Equal(t, 2, folder.QuotaFiles)\n\t\t}\n\t}\n\tfolder, _, err := httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, folder.Users, 1)\n\tassert.Contains(t, folder.Users, user.Username)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t// removing the user must remove folder mapping\n\tfolder, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, folder.Users, 0)\n\t_, err = httpdtest.RemoveFolder(folder, http.StatusOK)\n\tassert.NoError(t, err)\n\tfolder, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, folder.Users, 0)\n\t_, err = httpdtest.RemoveFolder(folder, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestUpdateUserTransferQuotaUsage(t *testing.T) {\n\tu := getTestUser()\n\tusedDownloadDataTransfer := int64(2 * 1024 * 1024)\n\tusedUploadDataTransfer := int64(1024 * 1024)\n\tu.UsedDownloadDataTransfer = usedDownloadDataTransfer\n\tu.UsedUploadDataTransfer = usedUploadDataTransfer\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(0), user.UsedUploadDataTransfer)\n\tassert.Equal(t, int64(0), user.UsedDownloadDataTransfer)\n\t_, err = httpdtest.UpdateTransferQuotaUsage(u, \"invalid_mode\", http.StatusBadRequest)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.UpdateTransferQuotaUsage(u, \"\", http.StatusOK)\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, usedUploadDataTransfer, user.UsedUploadDataTransfer)\n\tassert.Equal(t, usedDownloadDataTransfer, user.UsedDownloadDataTransfer)\n\t_, err = httpdtest.UpdateTransferQuotaUsage(u, \"add\", http.StatusBadRequest)\n\tassert.NoError(t, err, \"user has no transfer quota restrictions add mode should fail\")\n\tuser.TotalDataTransfer = 100\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\t_, err = httpdtest.UpdateTransferQuotaUsage(u, \"add\", http.StatusOK)\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 2*usedUploadDataTransfer, user.UsedUploadDataTransfer)\n\tassert.Equal(t, 2*usedDownloadDataTransfer, user.UsedDownloadDataTransfer)\n\tu.UsedDownloadDataTransfer = -1\n\t_, err = httpdtest.UpdateTransferQuotaUsage(u, \"add\", http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.UsedDownloadDataTransfer = usedDownloadDataTransfer\n\tu.Username += \"1\"\n\t_, err = httpdtest.UpdateTransferQuotaUsage(u, \"\", http.StatusNotFound)\n\tassert.NoError(t, err)\n\tu.Username = defaultUsername\n\t_, err = httpdtest.UpdateTransferQuotaUsage(u, \"\", http.StatusOK)\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, usedUploadDataTransfer, user.UsedUploadDataTransfer)\n\tassert.Equal(t, usedDownloadDataTransfer, user.UsedDownloadDataTransfer)\n\tu.UsedDownloadDataTransfer = 0\n\tu.UsedUploadDataTransfer = 1\n\t_, err = httpdtest.UpdateTransferQuotaUsage(u, \"add\", http.StatusOK)\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, usedUploadDataTransfer+1, user.UsedUploadDataTransfer)\n\tassert.Equal(t, usedDownloadDataTransfer, user.UsedDownloadDataTransfer)\n\tu.UsedDownloadDataTransfer = 1\n\tu.UsedUploadDataTransfer = 0\n\t_, err = httpdtest.UpdateTransferQuotaUsage(u, \"add\", http.StatusOK)\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, usedUploadDataTransfer+1, user.UsedUploadDataTransfer)\n\tassert.Equal(t, usedDownloadDataTransfer+1, user.UsedDownloadDataTransfer)\n\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPut, path.Join(quotasBasePath, \"users\", u.Username, \"transfer-usage\"),\n\t\tbytes.NewBuffer([]byte(`not a json`)))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestUpdateUserQuotaUsage(t *testing.T) {\n\tu := getTestUser()\n\tusedQuotaFiles := 1\n\tusedQuotaSize := int64(65535)\n\tu.UsedQuotaFiles = usedQuotaFiles\n\tu.UsedQuotaSize = usedQuotaSize\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, user.UsedQuotaFiles)\n\tassert.Equal(t, int64(0), user.UsedQuotaSize)\n\t_, err = httpdtest.UpdateQuotaUsage(u, \"invalid_mode\", http.StatusBadRequest)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.UpdateQuotaUsage(u, \"\", http.StatusOK)\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, usedQuotaFiles, user.UsedQuotaFiles)\n\tassert.Equal(t, usedQuotaSize, user.UsedQuotaSize)\n\t_, err = httpdtest.UpdateQuotaUsage(u, \"add\", http.StatusBadRequest)\n\tassert.NoError(t, err, \"user has no quota restrictions add mode should fail\")\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, usedQuotaFiles, user.UsedQuotaFiles)\n\tassert.Equal(t, usedQuotaSize, user.UsedQuotaSize)\n\tuser.QuotaFiles = 100\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\t_, err = httpdtest.UpdateQuotaUsage(u, \"add\", http.StatusOK)\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 2*usedQuotaFiles, user.UsedQuotaFiles)\n\tassert.Equal(t, 2*usedQuotaSize, user.UsedQuotaSize)\n\tu.UsedQuotaFiles = -1\n\t_, err = httpdtest.UpdateQuotaUsage(u, \"\", http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tu.UsedQuotaFiles = usedQuotaFiles\n\tu.Username = u.Username + \"1\"\n\t_, err = httpdtest.UpdateQuotaUsage(u, \"\", http.StatusNotFound)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestUserFolderMapping(t *testing.T) {\n\tmappedPath1 := filepath.Join(os.TempDir(), \"mapped_dir1\")\n\tmappedPath2 := filepath.Join(os.TempDir(), \"mapped_dir2\")\n\tfolderName1 := filepath.Base(mappedPath1)\n\tfolderName2 := filepath.Base(mappedPath2)\n\tu1 := getTestUser()\n\tu1.VirtualFolders = append(u1.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: \"/vdir\",\n\t\tQuotaSize: -1,\n\t\tQuotaFiles: -1,\n\t})\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderName1,\n\t\tMappedPath: mappedPath1,\n\t\tUsedQuotaFiles: 2,\n\t\tUsedQuotaSize: 123,\n\t\tLastQuotaUpdate: 456,\n\t}\n\t_, _, err := httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName2,\n\t\tMappedPath: mappedPath2,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser1, _, err := httpdtest.AddUser(u1, http.StatusCreated)\n\tassert.NoError(t, err)\n\t// virtual folder must be auto created\n\tfolder, _, err := httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, folder.Users, 1)\n\tassert.Contains(t, folder.Users, user1.Username)\n\tassert.Equal(t, 2, folder.UsedQuotaFiles)\n\tassert.Equal(t, int64(123), folder.UsedQuotaSize)\n\tassert.Equal(t, int64(456), folder.LastQuotaUpdate)\n\tassert.Equal(t, 2, user1.VirtualFolders[0].UsedQuotaFiles)\n\tassert.Equal(t, int64(123), user1.VirtualFolders[0].UsedQuotaSize)\n\tassert.Equal(t, int64(456), user1.VirtualFolders[0].LastQuotaUpdate)\n\n\tu2 := getTestUser()\n\tu2.Username = defaultUsername + \"2\"\n\tu2.VirtualFolders = append(u2.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t\tMappedPath: mappedPath1,\n\t\t},\n\t\tVirtualPath: \"/vdir1\",\n\t\tQuotaSize: 0,\n\t\tQuotaFiles: 0,\n\t})\n\tu2.VirtualFolders = append(u2.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t\tMappedPath: mappedPath2,\n\t\t},\n\t\tVirtualPath: \"/vdir2\",\n\t\tQuotaSize: -1,\n\t\tQuotaFiles: -1,\n\t})\n\tuser2, _, err := httpdtest.AddUser(u2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tfolder, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, folder.Users, 1)\n\tassert.Contains(t, folder.Users, user2.Username)\n\tfolder, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, folder.Users, 2)\n\tassert.Contains(t, folder.Users, user1.Username)\n\tassert.Contains(t, folder.Users, user2.Username)\n\t// now update user2 removing mappedPath1\n\tuser2.VirtualFolders = nil\n\tuser2.VirtualFolders = append(user2.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t\tMappedPath: mappedPath2,\n\t\t\tUsedQuotaFiles: 2,\n\t\t\tUsedQuotaSize: 123,\n\t\t},\n\t\tVirtualPath: \"/vdir\",\n\t\tQuotaSize: 0,\n\t\tQuotaFiles: 0,\n\t})\n\tuser2, _, err = httpdtest.UpdateUser(user2, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tfolder, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, folder.Users, 1)\n\tassert.Contains(t, folder.Users, user2.Username)\n\tassert.Equal(t, 0, folder.UsedQuotaFiles)\n\tassert.Equal(t, int64(0), folder.UsedQuotaSize)\n\tfolder, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, folder.Users, 1)\n\tassert.Contains(t, folder.Users, user1.Username)\n\t// add mappedPath1 again to user2\n\tuser2.VirtualFolders = append(user2.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t\tMappedPath: mappedPath1,\n\t\t},\n\t\tVirtualPath: \"/vdir1\",\n\t})\n\tuser2, _, err = httpdtest.UpdateUser(user2, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tfolder, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, folder.Users, 1)\n\tassert.Contains(t, folder.Users, user2.Username)\n\t// removing virtual folders should clear relations on both side\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName2}, http.StatusOK)\n\tassert.NoError(t, err)\n\tuser2, _, err = httpdtest.GetUserByUsername(user2.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Len(t, user2.VirtualFolders, 1) {\n\t\tfolder := user2.VirtualFolders[0]\n\t\tassert.Equal(t, mappedPath1, folder.MappedPath)\n\t\tassert.Equal(t, folderName1, folder.Name)\n\t}\n\tuser1, _, err = httpdtest.GetUserByUsername(user1.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Len(t, user2.VirtualFolders, 1) {\n\t\tfolder := user2.VirtualFolders[0]\n\t\tassert.Equal(t, mappedPath1, folder.MappedPath)\n\t}\n\n\tfolder, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, folder.Users, 2)\n\t// removing a user should clear virtual folder mapping\n\t_, err = httpdtest.RemoveUser(user1, http.StatusOK)\n\tassert.NoError(t, err)\n\tfolder, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, folder.Users, 1)\n\tassert.Contains(t, folder.Users, user2.Username)\n\t// removing a folder should clear mapping on the user side too\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName1}, http.StatusOK)\n\tassert.NoError(t, err)\n\tuser2, _, err = httpdtest.GetUserByUsername(user2.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, user2.VirtualFolders, 0)\n\t_, err = httpdtest.RemoveUser(user2, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestUserS3Config(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser.FsConfig.Provider = sdk.S3FilesystemProvider\n\tuser.FsConfig.S3Config.Bucket = \"test\" //nolint:goconst\n\tuser.FsConfig.S3Config.AccessKey = \"Server-Access-Key\"\n\tuser.FsConfig.S3Config.AccessSecret = kms.NewPlainSecret(\"Server-Access-Secret\")\n\tuser.FsConfig.S3Config.SSECustomerKey = kms.NewPlainSecret(\"SSE-encryption-key\")\n\tuser.FsConfig.S3Config.RoleARN = \"myRoleARN\"\n\tuser.FsConfig.S3Config.Endpoint = \"http://127.0.0.1:9000\"\n\tuser.FsConfig.S3Config.UploadPartSize = 8\n\tuser.FsConfig.S3Config.DownloadPartMaxTime = 60\n\tuser.FsConfig.S3Config.UploadPartMaxTime = 40\n\tuser.FsConfig.S3Config.ForcePathStyle = true\n\tuser.FsConfig.S3Config.SkipTLSVerify = true\n\tuser.FsConfig.S3Config.DownloadPartSize = 6\n\tfolderName := \"vfolderName\"\n\tuser.VirtualFolders = append(user.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: \"/folderPath\",\n\t})\n\tf := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: filepath.Join(os.TempDir(), \"folderName\"),\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.CryptedFilesystemProvider,\n\t\t\tCryptConfig: vfs.CryptFsConfig{\n\t\t\t\tPassphrase: kms.NewPlainSecret(\"Crypted-Secret\"),\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err = httpdtest.AddFolder(f, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser, body, err := httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err, string(body))\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.S3Config.AccessSecret.GetStatus())\n\tassert.NotEmpty(t, user.FsConfig.S3Config.AccessSecret.GetPayload())\n\tassert.Empty(t, user.FsConfig.S3Config.AccessSecret.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.S3Config.AccessSecret.GetKey())\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.S3Config.SSECustomerKey.GetStatus())\n\tassert.NotEmpty(t, user.FsConfig.S3Config.SSECustomerKey.GetPayload())\n\tassert.Empty(t, user.FsConfig.S3Config.SSECustomerKey.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.S3Config.SSECustomerKey.GetKey())\n\tassert.Equal(t, 60, user.FsConfig.S3Config.DownloadPartMaxTime)\n\tassert.Equal(t, 40, user.FsConfig.S3Config.UploadPartMaxTime)\n\tassert.True(t, user.FsConfig.S3Config.SkipTLSVerify)\n\tif assert.Len(t, user.VirtualFolders, 1) {\n\t\tfolder := user.VirtualFolders[0]\n\t\tassert.Equal(t, sdkkms.SecretStatusSecretBox, folder.FsConfig.CryptConfig.Passphrase.GetStatus())\n\t\tassert.NotEmpty(t, folder.FsConfig.CryptConfig.Passphrase.GetPayload())\n\t\tassert.Empty(t, folder.FsConfig.CryptConfig.Passphrase.GetAdditionalData())\n\t\tassert.Empty(t, folder.FsConfig.CryptConfig.Passphrase.GetKey())\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\tfolder, _, err := httpdtest.GetFolderByName(folderName, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, folder.FsConfig.CryptConfig.Passphrase.GetStatus())\n\tassert.NotEmpty(t, folder.FsConfig.CryptConfig.Passphrase.GetPayload())\n\tassert.Empty(t, folder.FsConfig.CryptConfig.Passphrase.GetAdditionalData())\n\tassert.Empty(t, folder.FsConfig.CryptConfig.Passphrase.GetKey())\n\t_, err = httpdtest.RemoveFolder(folder, http.StatusOK)\n\tassert.NoError(t, err)\n\tuser.Password = defaultPassword\n\tuser.ID = 0\n\tuser.CreatedAt = 0\n\tuser.VirtualFolders = nil\n\tuser.FsConfig.S3Config.SSECustomerKey = kms.NewEmptySecret()\n\tsecret := kms.NewSecret(sdkkms.SecretStatusSecretBox, \"Server-Access-Secret\", \"\", \"\")\n\tuser.FsConfig.S3Config.AccessSecret = secret\n\t_, _, err = httpdtest.AddUser(user, http.StatusCreated)\n\tassert.Error(t, err)\n\tuser.FsConfig.S3Config.AccessSecret.SetStatus(sdkkms.SecretStatusPlain)\n\tuser, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tinitialSecretPayload := user.FsConfig.S3Config.AccessSecret.GetPayload()\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.S3Config.AccessSecret.GetStatus())\n\tassert.NotEmpty(t, initialSecretPayload)\n\tassert.Empty(t, user.FsConfig.S3Config.AccessSecret.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.S3Config.AccessSecret.GetKey())\n\tuser.FsConfig.Provider = sdk.S3FilesystemProvider\n\tuser.FsConfig.S3Config.Bucket = \"test-bucket\"\n\tuser.FsConfig.S3Config.Region = \"us-east-1\" //nolint:goconst\n\tuser.FsConfig.S3Config.AccessKey = \"Server-Access-Key1\"\n\tuser.FsConfig.S3Config.Endpoint = \"http://localhost:9000\"\n\tuser.FsConfig.S3Config.KeyPrefix = \"somedir/subdir\" //nolint:goconst\n\tuser.FsConfig.S3Config.UploadConcurrency = 5\n\tuser.FsConfig.S3Config.DownloadConcurrency = 4\n\tuser, bb, err := httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err, string(bb))\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.S3Config.AccessSecret.GetStatus())\n\tassert.Equal(t, initialSecretPayload, user.FsConfig.S3Config.AccessSecret.GetPayload())\n\tassert.Empty(t, user.FsConfig.S3Config.AccessSecret.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.S3Config.AccessSecret.GetKey())\n\t// test user without access key and access secret (shared config state)\n\tuser.FsConfig.Provider = sdk.S3FilesystemProvider\n\tuser.FsConfig.S3Config.Bucket = \"testbucket\"\n\tuser.FsConfig.S3Config.Region = \"us-east-1\"\n\tuser.FsConfig.S3Config.AccessKey = \"\"\n\tuser.FsConfig.S3Config.AccessSecret = kms.NewEmptySecret()\n\tuser.FsConfig.S3Config.Endpoint = \"\"\n\tuser.FsConfig.S3Config.KeyPrefix = \"somedir/subdir\"\n\tuser.FsConfig.S3Config.UploadPartSize = 6\n\tuser.FsConfig.S3Config.UploadConcurrency = 4\n\tuser, body, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err, string(body))\n\tassert.Nil(t, user.FsConfig.S3Config.AccessSecret)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\tuser.Password = defaultPassword\n\tuser.ID = 0\n\tuser.CreatedAt = 0\n\t// shared credential test for add instead of update\n\tuser, _, err = httpdtest.AddUser(user, http.StatusCreated)\n\tassert.NoError(t, err)\n\tassert.Nil(t, user.FsConfig.S3Config.AccessSecret)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestHTTPFsConfig(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser.FsConfig.Provider = sdk.HTTPFilesystemProvider\n\tuser.FsConfig.HTTPConfig = vfs.HTTPFsConfig{\n\t\tBaseHTTPFsConfig: sdk.BaseHTTPFsConfig{\n\t\t\tEndpoint: \"http://127.0.0.1/httpfs\",\n\t\t\tUsername: defaultUsername,\n\t\t},\n\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t\tAPIKey: kms.NewPlainSecret(defaultTokenAuthUser),\n\t}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tinitialPwdPayload := user.FsConfig.HTTPConfig.Password.GetPayload()\n\tinitialAPIKeyPayload := user.FsConfig.HTTPConfig.APIKey.GetPayload()\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.HTTPConfig.Password.GetStatus())\n\tassert.NotEmpty(t, initialPwdPayload)\n\tassert.Empty(t, user.FsConfig.HTTPConfig.Password.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.HTTPConfig.Password.GetKey())\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.HTTPConfig.APIKey.GetStatus())\n\tassert.NotEmpty(t, initialAPIKeyPayload)\n\tassert.Empty(t, user.FsConfig.HTTPConfig.APIKey.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.HTTPConfig.APIKey.GetKey())\n\tuser.FsConfig.HTTPConfig.Password.SetStatus(sdkkms.SecretStatusSecretBox)\n\tuser.FsConfig.HTTPConfig.Password.SetAdditionalData(util.GenerateUniqueID())\n\tuser.FsConfig.HTTPConfig.Password.SetKey(util.GenerateUniqueID())\n\tuser.FsConfig.HTTPConfig.APIKey.SetStatus(sdkkms.SecretStatusSecretBox)\n\tuser.FsConfig.HTTPConfig.APIKey.SetAdditionalData(util.GenerateUniqueID())\n\tuser.FsConfig.HTTPConfig.APIKey.SetKey(util.GenerateUniqueID())\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.HTTPConfig.Password.GetStatus())\n\tassert.Equal(t, initialPwdPayload, user.FsConfig.HTTPConfig.Password.GetPayload())\n\tassert.Empty(t, user.FsConfig.HTTPConfig.Password.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.HTTPConfig.Password.GetKey())\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.HTTPConfig.APIKey.GetStatus())\n\tassert.Equal(t, initialAPIKeyPayload, user.FsConfig.HTTPConfig.APIKey.GetPayload())\n\tassert.Empty(t, user.FsConfig.HTTPConfig.APIKey.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.HTTPConfig.APIKey.GetKey())\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t// also test AddUser\n\tu := getTestUser()\n\tu.FsConfig.Provider = sdk.HTTPFilesystemProvider\n\tu.FsConfig.HTTPConfig = vfs.HTTPFsConfig{\n\t\tBaseHTTPFsConfig: sdk.BaseHTTPFsConfig{\n\t\t\tEndpoint: \"http://127.0.0.1/httpfs\",\n\t\t\tUsername: defaultUsername,\n\t\t},\n\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t\tAPIKey: kms.NewPlainSecret(defaultTokenAuthUser),\n\t}\n\tuser, _, err = httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.HTTPConfig.Password.GetStatus())\n\tassert.NotEmpty(t, user.FsConfig.HTTPConfig.Password.GetPayload())\n\tassert.Empty(t, user.FsConfig.HTTPConfig.Password.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.HTTPConfig.Password.GetKey())\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.HTTPConfig.APIKey.GetStatus())\n\tassert.NotEmpty(t, user.FsConfig.HTTPConfig.APIKey.GetPayload())\n\tassert.Empty(t, user.FsConfig.HTTPConfig.APIKey.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.HTTPConfig.APIKey.GetKey())\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestUserAzureBlobConfig(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser.FsConfig.Provider = sdk.AzureBlobFilesystemProvider\n\tuser.FsConfig.AzBlobConfig.Container = \"test\"\n\tuser.FsConfig.AzBlobConfig.AccountName = \"Server-Account-Name\"\n\tuser.FsConfig.AzBlobConfig.AccountKey = kms.NewPlainSecret(\"Server-Account-Key\")\n\tuser.FsConfig.AzBlobConfig.Endpoint = \"http://127.0.0.1:9000\"\n\tuser.FsConfig.AzBlobConfig.UploadPartSize = 8\n\tuser.FsConfig.AzBlobConfig.DownloadPartSize = 6\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tinitialPayload := user.FsConfig.AzBlobConfig.AccountKey.GetPayload()\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.AzBlobConfig.AccountKey.GetStatus())\n\tassert.NotEmpty(t, initialPayload)\n\tassert.Empty(t, user.FsConfig.AzBlobConfig.AccountKey.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.AzBlobConfig.AccountKey.GetKey())\n\tuser.FsConfig.AzBlobConfig.AccountKey.SetStatus(sdkkms.SecretStatusSecretBox)\n\tuser.FsConfig.AzBlobConfig.AccountKey.SetAdditionalData(\"data\")\n\tuser.FsConfig.AzBlobConfig.AccountKey.SetKey(\"fake key\")\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.AzBlobConfig.AccountKey.GetStatus())\n\tassert.Equal(t, initialPayload, user.FsConfig.AzBlobConfig.AccountKey.GetPayload())\n\tassert.Empty(t, user.FsConfig.AzBlobConfig.AccountKey.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.AzBlobConfig.AccountKey.GetKey())\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\tuser.Password = defaultPassword\n\tuser.ID = 0\n\tuser.CreatedAt = 0\n\tsecret := kms.NewSecret(sdkkms.SecretStatusSecretBox, \"Server-Account-Key\", \"\", \"\")\n\tuser.FsConfig.AzBlobConfig.AccountKey = secret\n\t_, _, err = httpdtest.AddUser(user, http.StatusCreated)\n\tassert.Error(t, err)\n\tuser.FsConfig.AzBlobConfig.AccountKey = kms.NewPlainSecret(\"Server-Account-Key-Test\")\n\tuser, _, err = httpdtest.AddUser(user, http.StatusCreated)\n\tassert.NoError(t, err)\n\tinitialPayload = user.FsConfig.AzBlobConfig.AccountKey.GetPayload()\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.AzBlobConfig.AccountKey.GetStatus())\n\tassert.NotEmpty(t, initialPayload)\n\tassert.Empty(t, user.FsConfig.AzBlobConfig.AccountKey.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.AzBlobConfig.AccountKey.GetKey())\n\tuser.FsConfig.Provider = sdk.AzureBlobFilesystemProvider\n\tuser.FsConfig.AzBlobConfig.Container = \"test-container\"\n\tuser.FsConfig.AzBlobConfig.Endpoint = \"http://localhost:9001\"\n\tuser.FsConfig.AzBlobConfig.KeyPrefix = \"somedir/subdir\"\n\tuser.FsConfig.AzBlobConfig.UploadConcurrency = 5\n\tuser.FsConfig.AzBlobConfig.DownloadConcurrency = 4\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.AzBlobConfig.AccountKey.GetStatus())\n\tassert.NotEmpty(t, initialPayload)\n\tassert.Equal(t, initialPayload, user.FsConfig.AzBlobConfig.AccountKey.GetPayload())\n\tassert.Empty(t, user.FsConfig.AzBlobConfig.AccountKey.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.AzBlobConfig.AccountKey.GetKey())\n\t// test user without access key and access secret (SAS)\n\tuser.FsConfig.Provider = sdk.AzureBlobFilesystemProvider\n\tuser.FsConfig.AzBlobConfig.SASURL = kms.NewPlainSecret(\"https://myaccount.blob.core.windows.net/pictures/profile.jpg?sv=2012-02-12&st=2009-02-09&se=2009-02-10&sr=c&sp=r&si=YWJjZGVmZw%3d%3d&sig=dD80ihBh5jfNpymO5Hg1IdiJIEvHcJpCMiCMnN%2fRnbI%3d\")\n\tuser.FsConfig.AzBlobConfig.KeyPrefix = \"somedir/subdir\"\n\tuser.FsConfig.AzBlobConfig.AccountName = \"\"\n\tuser.FsConfig.AzBlobConfig.AccountKey = kms.NewEmptySecret()\n\tuser.FsConfig.AzBlobConfig.UploadPartSize = 6\n\tuser.FsConfig.AzBlobConfig.UploadConcurrency = 4\n\tuser.FsConfig.AzBlobConfig.DownloadPartSize = 3\n\tuser.FsConfig.AzBlobConfig.DownloadConcurrency = 5\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tassert.Nil(t, user.FsConfig.AzBlobConfig.AccountKey)\n\tassert.NotNil(t, user.FsConfig.AzBlobConfig.SASURL)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\tuser.Password = defaultPassword\n\tuser.ID = 0\n\tuser.CreatedAt = 0\n\t// sas test for add instead of update\n\tuser.FsConfig.AzBlobConfig = vfs.AzBlobFsConfig{\n\t\tBaseAzBlobFsConfig: sdk.BaseAzBlobFsConfig{\n\t\t\tContainer: user.FsConfig.AzBlobConfig.Container,\n\t\t},\n\t\tSASURL: kms.NewPlainSecret(\"http://127.0.0.1/fake/sass/url\"),\n\t}\n\tuser, _, err = httpdtest.AddUser(user, http.StatusCreated)\n\tassert.NoError(t, err)\n\tassert.Nil(t, user.FsConfig.AzBlobConfig.AccountKey)\n\tinitialPayload = user.FsConfig.AzBlobConfig.SASURL.GetPayload()\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.AzBlobConfig.SASURL.GetStatus())\n\tassert.NotEmpty(t, initialPayload)\n\tassert.Empty(t, user.FsConfig.AzBlobConfig.SASURL.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.AzBlobConfig.SASURL.GetKey())\n\tuser.FsConfig.AzBlobConfig.SASURL.SetStatus(sdkkms.SecretStatusSecretBox)\n\tuser.FsConfig.AzBlobConfig.SASURL.SetAdditionalData(\"data\")\n\tuser.FsConfig.AzBlobConfig.SASURL.SetKey(\"fake key\")\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.AzBlobConfig.SASURL.GetStatus())\n\tassert.Equal(t, initialPayload, user.FsConfig.AzBlobConfig.SASURL.GetPayload())\n\tassert.Empty(t, user.FsConfig.AzBlobConfig.SASURL.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.AzBlobConfig.SASURL.GetKey())\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestUserCryptFs(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser.FsConfig.Provider = sdk.CryptedFilesystemProvider\n\tuser.FsConfig.CryptConfig.Passphrase = kms.NewPlainSecret(\"crypt passphrase\")\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tinitialPayload := user.FsConfig.CryptConfig.Passphrase.GetPayload()\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.CryptConfig.Passphrase.GetStatus())\n\tassert.NotEmpty(t, initialPayload)\n\tassert.Empty(t, user.FsConfig.CryptConfig.Passphrase.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.CryptConfig.Passphrase.GetKey())\n\tuser.FsConfig.CryptConfig.Passphrase.SetStatus(sdkkms.SecretStatusSecretBox)\n\tuser.FsConfig.CryptConfig.Passphrase.SetAdditionalData(\"data\")\n\tuser.FsConfig.CryptConfig.Passphrase.SetKey(\"fake pass key\")\n\tuser, bb, err := httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err, string(bb))\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.CryptConfig.Passphrase.GetStatus())\n\tassert.Equal(t, initialPayload, user.FsConfig.CryptConfig.Passphrase.GetPayload())\n\tassert.Empty(t, user.FsConfig.CryptConfig.Passphrase.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.CryptConfig.Passphrase.GetKey())\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\tuser.Password = defaultPassword\n\tuser.ID = 0\n\tuser.CreatedAt = 0\n\tsecret := kms.NewSecret(sdkkms.SecretStatusSecretBox, \"invalid encrypted payload\", \"\", \"\")\n\tuser.FsConfig.CryptConfig.Passphrase = secret\n\t_, _, err = httpdtest.AddUser(user, http.StatusCreated)\n\tassert.Error(t, err)\n\tuser.FsConfig.CryptConfig.Passphrase = kms.NewPlainSecret(\"passphrase test\")\n\tuser, _, err = httpdtest.AddUser(user, http.StatusCreated)\n\tassert.NoError(t, err)\n\tinitialPayload = user.FsConfig.CryptConfig.Passphrase.GetPayload()\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.CryptConfig.Passphrase.GetStatus())\n\tassert.NotEmpty(t, initialPayload)\n\tassert.Empty(t, user.FsConfig.CryptConfig.Passphrase.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.CryptConfig.Passphrase.GetKey())\n\tuser.FsConfig.Provider = sdk.CryptedFilesystemProvider\n\tuser.FsConfig.CryptConfig.Passphrase.SetKey(\"pass\")\n\tuser, bb, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err, string(bb))\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.CryptConfig.Passphrase.GetStatus())\n\tassert.NotEmpty(t, initialPayload)\n\tassert.Equal(t, initialPayload, user.FsConfig.CryptConfig.Passphrase.GetPayload())\n\tassert.Empty(t, user.FsConfig.CryptConfig.Passphrase.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.CryptConfig.Passphrase.GetKey())\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestUserSFTPFs(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser.FsConfig.Provider = sdk.SFTPFilesystemProvider\n\tuser.FsConfig.SFTPConfig.Endpoint = \"[::1]:22:22\" // invalid endpoint\n\tuser.FsConfig.SFTPConfig.Username = \"sftp_user\"\n\tuser.FsConfig.SFTPConfig.Password = kms.NewPlainSecret(\"sftp_pwd\")\n\tuser.FsConfig.SFTPConfig.PrivateKey = kms.NewPlainSecret(sftpPrivateKey)\n\tuser.FsConfig.SFTPConfig.Fingerprints = []string{sftpPkeyFingerprint}\n\tuser.FsConfig.SFTPConfig.BufferSize = 2\n\tuser.FsConfig.SFTPConfig.EqualityCheckMode = 1\n\t_, resp, err := httpdtest.UpdateUser(user, http.StatusBadRequest, \"\")\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"invalid endpoint\")\n\n\tuser.FsConfig.SFTPConfig.Endpoint = \"127.0.0.1\"\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusBadRequest, \"\")\n\tassert.Error(t, err)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"127.0.0.1:22\", user.FsConfig.SFTPConfig.Endpoint)\n\n\tuser.FsConfig.SFTPConfig.Endpoint = \"127.0.0.1:2022\"\n\tuser.FsConfig.SFTPConfig.DisableCouncurrentReads = true\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"/\", user.FsConfig.SFTPConfig.Prefix)\n\tassert.True(t, user.FsConfig.SFTPConfig.DisableCouncurrentReads)\n\tassert.Equal(t, int64(2), user.FsConfig.SFTPConfig.BufferSize)\n\tinitialPwdPayload := user.FsConfig.SFTPConfig.Password.GetPayload()\n\tinitialPkeyPayload := user.FsConfig.SFTPConfig.PrivateKey.GetPayload()\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.SFTPConfig.Password.GetStatus())\n\tassert.NotEmpty(t, initialPwdPayload)\n\tassert.Empty(t, user.FsConfig.SFTPConfig.Password.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.SFTPConfig.Password.GetKey())\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.SFTPConfig.PrivateKey.GetStatus())\n\tassert.NotEmpty(t, initialPkeyPayload)\n\tassert.Empty(t, user.FsConfig.SFTPConfig.PrivateKey.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.SFTPConfig.PrivateKey.GetKey())\n\tuser.FsConfig.SFTPConfig.Password.SetStatus(sdkkms.SecretStatusSecretBox)\n\tuser.FsConfig.SFTPConfig.Password.SetAdditionalData(\"adata\")\n\tuser.FsConfig.SFTPConfig.Password.SetKey(\"fake pwd key\")\n\tuser.FsConfig.SFTPConfig.PrivateKey.SetStatus(sdkkms.SecretStatusSecretBox)\n\tuser.FsConfig.SFTPConfig.PrivateKey.SetAdditionalData(\"adata\")\n\tuser.FsConfig.SFTPConfig.PrivateKey.SetKey(\"fake key\")\n\tuser.FsConfig.SFTPConfig.DisableCouncurrentReads = false\n\tuser, bb, err := httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err, string(bb))\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.SFTPConfig.Password.GetStatus())\n\tassert.Equal(t, initialPwdPayload, user.FsConfig.SFTPConfig.Password.GetPayload())\n\tassert.Empty(t, user.FsConfig.SFTPConfig.Password.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.SFTPConfig.Password.GetKey())\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.SFTPConfig.PrivateKey.GetStatus())\n\tassert.Equal(t, initialPkeyPayload, user.FsConfig.SFTPConfig.PrivateKey.GetPayload())\n\tassert.Empty(t, user.FsConfig.SFTPConfig.PrivateKey.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.SFTPConfig.PrivateKey.GetKey())\n\tassert.False(t, user.FsConfig.SFTPConfig.DisableCouncurrentReads)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\tuser.Password = defaultPassword\n\tuser.ID = 0\n\tuser.CreatedAt = 0\n\tsecret := kms.NewSecret(sdkkms.SecretStatusSecretBox, \"invalid encrypted payload\", \"\", \"\")\n\tuser.FsConfig.SFTPConfig.Password = secret\n\t_, _, err = httpdtest.AddUser(user, http.StatusCreated)\n\tassert.Error(t, err)\n\tuser.FsConfig.SFTPConfig.Password = kms.NewEmptySecret()\n\tuser.FsConfig.SFTPConfig.PrivateKey = secret\n\t_, _, err = httpdtest.AddUser(user, http.StatusCreated)\n\tassert.Error(t, err)\n\n\tuser.FsConfig.SFTPConfig.PrivateKey = kms.NewPlainSecret(sftpPrivateKey)\n\tuser, _, err = httpdtest.AddUser(user, http.StatusCreated)\n\tassert.NoError(t, err)\n\tinitialPkeyPayload = user.FsConfig.SFTPConfig.PrivateKey.GetPayload()\n\tassert.Nil(t, user.FsConfig.SFTPConfig.Password)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.SFTPConfig.PrivateKey.GetStatus())\n\tassert.NotEmpty(t, initialPkeyPayload)\n\tassert.Empty(t, user.FsConfig.SFTPConfig.PrivateKey.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.SFTPConfig.PrivateKey.GetKey())\n\tuser.FsConfig.Provider = sdk.SFTPFilesystemProvider\n\tuser.FsConfig.SFTPConfig.PrivateKey.SetKey(\"k\")\n\tuser, bb, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err, string(bb))\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.SFTPConfig.PrivateKey.GetStatus())\n\tassert.NotEmpty(t, initialPkeyPayload)\n\tassert.Equal(t, initialPkeyPayload, user.FsConfig.SFTPConfig.PrivateKey.GetPayload())\n\tassert.Empty(t, user.FsConfig.SFTPConfig.PrivateKey.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.SFTPConfig.PrivateKey.GetKey())\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestUserHiddenFields(t *testing.T) {\n\t// sensitive data must be hidden but not deleted from the dataprovider\n\tusernames := []string{\"user1\", \"user2\", \"user3\", \"user4\", \"user5\", \"user6\"}\n\tu1 := getTestUser()\n\tu1.Username = usernames[0]\n\tu1.FsConfig.Provider = sdk.S3FilesystemProvider\n\tu1.FsConfig.S3Config.Bucket = \"test\"\n\tu1.FsConfig.S3Config.Region = \"us-east-1\"\n\tu1.FsConfig.S3Config.AccessKey = \"S3-Access-Key\"\n\tu1.FsConfig.S3Config.AccessSecret = kms.NewPlainSecret(\"S3-Access-Secret\")\n\tu1.FsConfig.S3Config.SSECustomerKey = kms.NewPlainSecret(\"SSE-secret-key\")\n\tuser1, _, err := httpdtest.AddUser(u1, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tu2 := getTestUser()\n\tu2.Username = usernames[1]\n\tu2.FsConfig.Provider = sdk.GCSFilesystemProvider\n\tu2.FsConfig.GCSConfig.Bucket = \"test\"\n\tu2.FsConfig.GCSConfig.Credentials = kms.NewPlainSecret(\"fake credentials\")\n\tu2.FsConfig.GCSConfig.ACL = \"bucketOwnerRead\"\n\tu2.FsConfig.GCSConfig.UploadPartSize = 5\n\tu2.FsConfig.GCSConfig.UploadPartMaxTime = 20\n\tuser2, _, err := httpdtest.AddUser(u2, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tu3 := getTestUser()\n\tu3.Username = usernames[2]\n\tu3.FsConfig.Provider = sdk.AzureBlobFilesystemProvider\n\tu3.FsConfig.AzBlobConfig.Container = \"test\"\n\tu3.FsConfig.AzBlobConfig.AccountName = \"Server-Account-Name\"\n\tu3.FsConfig.AzBlobConfig.AccountKey = kms.NewPlainSecret(\"Server-Account-Key\")\n\tuser3, _, err := httpdtest.AddUser(u3, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tu4 := getTestUser()\n\tu4.Username = usernames[3]\n\tu4.FsConfig.Provider = sdk.CryptedFilesystemProvider\n\tu4.FsConfig.CryptConfig.Passphrase = kms.NewPlainSecret(\"test passphrase\")\n\tuser4, _, err := httpdtest.AddUser(u4, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tu5 := getTestUser()\n\tu5.Username = usernames[4]\n\tu5.FsConfig.Provider = sdk.SFTPFilesystemProvider\n\tu5.FsConfig.SFTPConfig.Endpoint = \"127.0.0.1:2022\"\n\tu5.FsConfig.SFTPConfig.Username = \"sftp_user\"\n\tu5.FsConfig.SFTPConfig.Password = kms.NewPlainSecret(\"apassword\")\n\tu5.FsConfig.SFTPConfig.PrivateKey = kms.NewPlainSecret(sftpPrivateKey)\n\tu5.FsConfig.SFTPConfig.Fingerprints = []string{sftpPkeyFingerprint}\n\tu5.FsConfig.SFTPConfig.Prefix = \"/prefix\"\n\tuser5, _, err := httpdtest.AddUser(u5, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tu6 := getTestUser()\n\tu6.Username = usernames[5]\n\tu6.FsConfig.Provider = sdk.HTTPFilesystemProvider\n\tu6.FsConfig.HTTPConfig = vfs.HTTPFsConfig{\n\t\tBaseHTTPFsConfig: sdk.BaseHTTPFsConfig{\n\t\t\tEndpoint: \"http://127.0.0.1/api/v1\",\n\t\t\tUsername: defaultUsername,\n\t\t},\n\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t\tAPIKey: kms.NewPlainSecret(defaultTokenAuthUser),\n\t}\n\tuser6, _, err := httpdtest.AddUser(u6, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tusers, _, err := httpdtest.GetUsers(0, 0, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.GreaterOrEqual(t, len(users), 6)\n\tfor _, username := range usernames {\n\t\tuser, _, err := httpdtest.GetUserByUsername(username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Empty(t, user.Password)\n\t\tassert.True(t, user.HasPassword)\n\t}\n\tuser1, _, err = httpdtest.GetUserByUsername(user1.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Empty(t, user1.Password)\n\tassert.Empty(t, user1.FsConfig.S3Config.AccessSecret.GetKey())\n\tassert.Empty(t, user1.FsConfig.S3Config.AccessSecret.GetAdditionalData())\n\tassert.NotEmpty(t, user1.FsConfig.S3Config.AccessSecret.GetStatus())\n\tassert.NotEmpty(t, user1.FsConfig.S3Config.AccessSecret.GetPayload())\n\tassert.Empty(t, user1.FsConfig.S3Config.SSECustomerKey.GetKey())\n\tassert.Empty(t, user1.FsConfig.S3Config.SSECustomerKey.GetAdditionalData())\n\tassert.NotEmpty(t, user1.FsConfig.S3Config.SSECustomerKey.GetStatus())\n\tassert.NotEmpty(t, user1.FsConfig.S3Config.SSECustomerKey.GetPayload())\n\n\tuser2, _, err = httpdtest.GetUserByUsername(user2.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Empty(t, user2.Password)\n\tassert.Empty(t, user2.FsConfig.GCSConfig.Credentials.GetKey())\n\tassert.Empty(t, user2.FsConfig.GCSConfig.Credentials.GetAdditionalData())\n\tassert.NotEmpty(t, user2.FsConfig.GCSConfig.Credentials.GetStatus())\n\tassert.NotEmpty(t, user2.FsConfig.GCSConfig.Credentials.GetPayload())\n\n\tuser3, _, err = httpdtest.GetUserByUsername(user3.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Empty(t, user3.Password)\n\tassert.Empty(t, user3.FsConfig.AzBlobConfig.AccountKey.GetKey())\n\tassert.Empty(t, user3.FsConfig.AzBlobConfig.AccountKey.GetAdditionalData())\n\tassert.NotEmpty(t, user3.FsConfig.AzBlobConfig.AccountKey.GetStatus())\n\tassert.NotEmpty(t, user3.FsConfig.AzBlobConfig.AccountKey.GetPayload())\n\n\tuser4, _, err = httpdtest.GetUserByUsername(user4.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Empty(t, user4.Password)\n\tassert.Empty(t, user4.FsConfig.CryptConfig.Passphrase.GetKey())\n\tassert.Empty(t, user4.FsConfig.CryptConfig.Passphrase.GetAdditionalData())\n\tassert.NotEmpty(t, user4.FsConfig.CryptConfig.Passphrase.GetStatus())\n\tassert.NotEmpty(t, user4.FsConfig.CryptConfig.Passphrase.GetPayload())\n\n\tuser5, _, err = httpdtest.GetUserByUsername(user5.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Empty(t, user5.Password)\n\tassert.Empty(t, user5.FsConfig.SFTPConfig.Password.GetKey())\n\tassert.Empty(t, user5.FsConfig.SFTPConfig.Password.GetAdditionalData())\n\tassert.NotEmpty(t, user5.FsConfig.SFTPConfig.Password.GetStatus())\n\tassert.NotEmpty(t, user5.FsConfig.SFTPConfig.Password.GetPayload())\n\tassert.Empty(t, user5.FsConfig.SFTPConfig.PrivateKey.GetKey())\n\tassert.Empty(t, user5.FsConfig.SFTPConfig.PrivateKey.GetAdditionalData())\n\tassert.NotEmpty(t, user5.FsConfig.SFTPConfig.PrivateKey.GetStatus())\n\tassert.NotEmpty(t, user5.FsConfig.SFTPConfig.PrivateKey.GetPayload())\n\tassert.Equal(t, \"/prefix\", user5.FsConfig.SFTPConfig.Prefix)\n\n\tuser6, _, err = httpdtest.GetUserByUsername(user6.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Empty(t, user6.Password)\n\tassert.Empty(t, user6.FsConfig.HTTPConfig.Password.GetKey())\n\tassert.Empty(t, user6.FsConfig.HTTPConfig.Password.GetAdditionalData())\n\tassert.NotEmpty(t, user6.FsConfig.HTTPConfig.APIKey.GetStatus())\n\tassert.NotEmpty(t, user6.FsConfig.HTTPConfig.APIKey.GetPayload())\n\n\t// finally check that we have all the data inside the data provider\n\tuser1, err = dataprovider.UserExists(user1.Username, \"\")\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, user1.Password)\n\tassert.NotEmpty(t, user1.FsConfig.S3Config.AccessSecret.GetKey())\n\tassert.NotEmpty(t, user1.FsConfig.S3Config.AccessSecret.GetAdditionalData())\n\tassert.NotEmpty(t, user1.FsConfig.S3Config.AccessSecret.GetStatus())\n\tassert.NotEmpty(t, user1.FsConfig.S3Config.AccessSecret.GetPayload())\n\tassert.NotEmpty(t, user1.FsConfig.S3Config.SSECustomerKey.GetKey())\n\tassert.NotEmpty(t, user1.FsConfig.S3Config.SSECustomerKey.GetAdditionalData())\n\tassert.NotEmpty(t, user1.FsConfig.S3Config.SSECustomerKey.GetStatus())\n\tassert.NotEmpty(t, user1.FsConfig.S3Config.SSECustomerKey.GetPayload())\n\terr = user1.FsConfig.S3Config.AccessSecret.Decrypt()\n\tassert.NoError(t, err)\n\terr = user1.FsConfig.S3Config.SSECustomerKey.Decrypt()\n\tassert.NoError(t, err)\n\tassert.Equal(t, sdkkms.SecretStatusPlain, user1.FsConfig.S3Config.AccessSecret.GetStatus())\n\tassert.Equal(t, u1.FsConfig.S3Config.AccessSecret.GetPayload(), user1.FsConfig.S3Config.AccessSecret.GetPayload())\n\tassert.Empty(t, user1.FsConfig.S3Config.AccessSecret.GetKey())\n\tassert.Empty(t, user1.FsConfig.S3Config.AccessSecret.GetAdditionalData())\n\tassert.Equal(t, sdkkms.SecretStatusPlain, user1.FsConfig.S3Config.SSECustomerKey.GetStatus())\n\tassert.Equal(t, u1.FsConfig.S3Config.SSECustomerKey.GetPayload(), user1.FsConfig.S3Config.SSECustomerKey.GetPayload())\n\tassert.Empty(t, user1.FsConfig.S3Config.SSECustomerKey.GetKey())\n\tassert.Empty(t, user1.FsConfig.S3Config.SSECustomerKey.GetAdditionalData())\n\n\tuser2, err = dataprovider.UserExists(user2.Username, \"\")\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, user2.Password)\n\tassert.NotEmpty(t, user2.FsConfig.GCSConfig.Credentials.GetKey())\n\tassert.NotEmpty(t, user2.FsConfig.GCSConfig.Credentials.GetAdditionalData())\n\tassert.NotEmpty(t, user2.FsConfig.GCSConfig.Credentials.GetStatus())\n\tassert.NotEmpty(t, user2.FsConfig.GCSConfig.Credentials.GetPayload())\n\terr = user2.FsConfig.GCSConfig.Credentials.Decrypt()\n\tassert.NoError(t, err)\n\tassert.Equal(t, sdkkms.SecretStatusPlain, user2.FsConfig.GCSConfig.Credentials.GetStatus())\n\tassert.Equal(t, u2.FsConfig.GCSConfig.Credentials.GetPayload(), user2.FsConfig.GCSConfig.Credentials.GetPayload())\n\tassert.Empty(t, user2.FsConfig.GCSConfig.Credentials.GetKey())\n\tassert.Empty(t, user2.FsConfig.GCSConfig.Credentials.GetAdditionalData())\n\n\tuser3, err = dataprovider.UserExists(user3.Username, \"\")\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, user3.Password)\n\tassert.NotEmpty(t, user3.FsConfig.AzBlobConfig.AccountKey.GetKey())\n\tassert.NotEmpty(t, user3.FsConfig.AzBlobConfig.AccountKey.GetAdditionalData())\n\tassert.NotEmpty(t, user3.FsConfig.AzBlobConfig.AccountKey.GetStatus())\n\tassert.NotEmpty(t, user3.FsConfig.AzBlobConfig.AccountKey.GetPayload())\n\terr = user3.FsConfig.AzBlobConfig.AccountKey.Decrypt()\n\tassert.NoError(t, err)\n\tassert.Equal(t, sdkkms.SecretStatusPlain, user3.FsConfig.AzBlobConfig.AccountKey.GetStatus())\n\tassert.Equal(t, u3.FsConfig.AzBlobConfig.AccountKey.GetPayload(), user3.FsConfig.AzBlobConfig.AccountKey.GetPayload())\n\tassert.Empty(t, user3.FsConfig.AzBlobConfig.AccountKey.GetKey())\n\tassert.Empty(t, user3.FsConfig.AzBlobConfig.AccountKey.GetAdditionalData())\n\n\tuser4, err = dataprovider.UserExists(user4.Username, \"\")\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, user4.Password)\n\tassert.NotEmpty(t, user4.FsConfig.CryptConfig.Passphrase.GetKey())\n\tassert.NotEmpty(t, user4.FsConfig.CryptConfig.Passphrase.GetAdditionalData())\n\tassert.NotEmpty(t, user4.FsConfig.CryptConfig.Passphrase.GetStatus())\n\tassert.NotEmpty(t, user4.FsConfig.CryptConfig.Passphrase.GetPayload())\n\terr = user4.FsConfig.CryptConfig.Passphrase.Decrypt()\n\tassert.NoError(t, err)\n\tassert.Equal(t, sdkkms.SecretStatusPlain, user4.FsConfig.CryptConfig.Passphrase.GetStatus())\n\tassert.Equal(t, u4.FsConfig.CryptConfig.Passphrase.GetPayload(), user4.FsConfig.CryptConfig.Passphrase.GetPayload())\n\tassert.Empty(t, user4.FsConfig.CryptConfig.Passphrase.GetKey())\n\tassert.Empty(t, user4.FsConfig.CryptConfig.Passphrase.GetAdditionalData())\n\n\tuser5, err = dataprovider.UserExists(user5.Username, \"\")\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, user5.Password)\n\tassert.NotEmpty(t, user5.FsConfig.SFTPConfig.Password.GetKey())\n\tassert.NotEmpty(t, user5.FsConfig.SFTPConfig.Password.GetAdditionalData())\n\tassert.NotEmpty(t, user5.FsConfig.SFTPConfig.Password.GetStatus())\n\tassert.NotEmpty(t, user5.FsConfig.SFTPConfig.Password.GetPayload())\n\terr = user5.FsConfig.SFTPConfig.Password.Decrypt()\n\tassert.NoError(t, err)\n\tassert.Equal(t, sdkkms.SecretStatusPlain, user5.FsConfig.SFTPConfig.Password.GetStatus())\n\tassert.Equal(t, u5.FsConfig.SFTPConfig.Password.GetPayload(), user5.FsConfig.SFTPConfig.Password.GetPayload())\n\tassert.Empty(t, user5.FsConfig.SFTPConfig.Password.GetKey())\n\tassert.Empty(t, user5.FsConfig.SFTPConfig.Password.GetAdditionalData())\n\tassert.NotEmpty(t, user5.FsConfig.SFTPConfig.PrivateKey.GetKey())\n\tassert.NotEmpty(t, user5.FsConfig.SFTPConfig.PrivateKey.GetAdditionalData())\n\tassert.NotEmpty(t, user5.FsConfig.SFTPConfig.PrivateKey.GetStatus())\n\tassert.NotEmpty(t, user5.FsConfig.SFTPConfig.PrivateKey.GetPayload())\n\terr = user5.FsConfig.SFTPConfig.PrivateKey.Decrypt()\n\tassert.NoError(t, err)\n\tassert.Equal(t, sdkkms.SecretStatusPlain, user5.FsConfig.SFTPConfig.PrivateKey.GetStatus())\n\tassert.Equal(t, u5.FsConfig.SFTPConfig.PrivateKey.GetPayload(), user5.FsConfig.SFTPConfig.PrivateKey.GetPayload())\n\tassert.Empty(t, user5.FsConfig.SFTPConfig.PrivateKey.GetKey())\n\tassert.Empty(t, user5.FsConfig.SFTPConfig.PrivateKey.GetAdditionalData())\n\n\tuser6, err = dataprovider.UserExists(user6.Username, \"\")\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, user6.Password)\n\tassert.NotEmpty(t, user6.FsConfig.HTTPConfig.Password.GetKey())\n\tassert.NotEmpty(t, user6.FsConfig.HTTPConfig.Password.GetAdditionalData())\n\tassert.NotEmpty(t, user6.FsConfig.HTTPConfig.Password.GetStatus())\n\tassert.NotEmpty(t, user6.FsConfig.HTTPConfig.Password.GetPayload())\n\terr = user6.FsConfig.HTTPConfig.Password.Decrypt()\n\tassert.NoError(t, err)\n\tassert.Equal(t, sdkkms.SecretStatusPlain, user6.FsConfig.HTTPConfig.Password.GetStatus())\n\tassert.Equal(t, u6.FsConfig.HTTPConfig.Password.GetPayload(), user6.FsConfig.HTTPConfig.Password.GetPayload())\n\tassert.Empty(t, user6.FsConfig.HTTPConfig.Password.GetKey())\n\tassert.Empty(t, user6.FsConfig.HTTPConfig.Password.GetAdditionalData())\n\n\t// update the GCS user and check that the credentials are preserved\n\tuser2.FsConfig.GCSConfig.Credentials = kms.NewEmptySecret()\n\tuser2.FsConfig.GCSConfig.ACL = \"private\"\n\t_, _, err = httpdtest.UpdateUser(user2, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\tuser2, _, err = httpdtest.GetUserByUsername(user2.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Empty(t, user2.Password)\n\tassert.Empty(t, user2.FsConfig.GCSConfig.Credentials.GetKey())\n\tassert.Empty(t, user2.FsConfig.GCSConfig.Credentials.GetAdditionalData())\n\tassert.NotEmpty(t, user2.FsConfig.GCSConfig.Credentials.GetStatus())\n\tassert.NotEmpty(t, user2.FsConfig.GCSConfig.Credentials.GetPayload())\n\n\t_, err = httpdtest.RemoveUser(user1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user3, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user4, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user5, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user6, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestSecretObject(t *testing.T) {\n\ts := kms.NewPlainSecret(\"test data\")\n\ts.SetAdditionalData(\"username\")\n\trequire.True(t, s.IsValid())\n\terr := s.Encrypt()\n\trequire.NoError(t, err)\n\trequire.Equal(t, sdkkms.SecretStatusSecretBox, s.GetStatus())\n\trequire.NotEmpty(t, s.GetPayload())\n\trequire.NotEmpty(t, s.GetKey())\n\trequire.True(t, s.IsValid())\n\terr = s.Decrypt()\n\trequire.NoError(t, err)\n\trequire.Equal(t, sdkkms.SecretStatusPlain, s.GetStatus())\n\trequire.Equal(t, \"test data\", s.GetPayload())\n\trequire.Empty(t, s.GetKey())\n}\n\nfunc TestSecretObjectCompatibility(t *testing.T) {\n\t// this is manually tested against vault too\n\ttestPayload := \"test payload\"\n\ts := kms.NewPlainSecret(testPayload)\n\trequire.True(t, s.IsValid())\n\terr := s.Encrypt()\n\trequire.NoError(t, err)\n\tlocalAsJSON, err := json.Marshal(s)\n\tassert.NoError(t, err)\n\n\tfor _, secretStatus := range []string{sdkkms.SecretStatusSecretBox} {\n\t\tkmsConfig := config.GetKMSConfig()\n\t\tassert.Empty(t, kmsConfig.Secrets.MasterKeyPath)\n\t\tif secretStatus == sdkkms.SecretStatusVaultTransit {\n\t\t\tos.Setenv(\"VAULT_SERVER_URL\", \"http://127.0.0.1:8200\")\n\t\t\tos.Setenv(\"VAULT_SERVER_TOKEN\", \"s.9lYGq83MbgG5KR5kfebXVyhJ\")\n\t\t\tkmsConfig.Secrets.URL = \"hashivault://mykey\"\n\t\t}\n\t\terr := kmsConfig.Initialize()\n\t\tassert.NoError(t, err)\n\t\t// encrypt without a master key\n\t\tsecret := kms.NewPlainSecret(testPayload)\n\t\tsecret.SetAdditionalData(\"add data\")\n\t\terr = secret.Encrypt()\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 0, secret.GetMode())\n\t\tsecretClone := secret.Clone()\n\t\terr = secretClone.Decrypt()\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testPayload, secretClone.GetPayload())\n\t\tif secretStatus == sdkkms.SecretStatusVaultTransit {\n\t\t\t// decrypt the local secret now that the provider is vault\n\t\t\tsecretLocal := kms.NewEmptySecret()\n\t\t\terr = json.Unmarshal(localAsJSON, secretLocal)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, sdkkms.SecretStatusSecretBox, secretLocal.GetStatus())\n\t\t\tassert.Equal(t, 0, secretLocal.GetMode())\n\t\t\terr = secretLocal.Decrypt()\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, testPayload, secretLocal.GetPayload())\n\t\t\tassert.Equal(t, sdkkms.SecretStatusPlain, secretLocal.GetStatus())\n\t\t\terr = secretLocal.Encrypt()\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, sdkkms.SecretStatusSecretBox, secretLocal.GetStatus())\n\t\t\tassert.Equal(t, 0, secretLocal.GetMode())\n\t\t}\n\n\t\tasJSON, err := json.Marshal(secret)\n\t\tassert.NoError(t, err)\n\n\t\tmasterKeyPath := filepath.Join(os.TempDir(), \"mkey\")\n\t\terr = os.WriteFile(masterKeyPath, []byte(\"test key\"), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\tconfig := kms.Configuration{\n\t\t\tSecrets: kms.Secrets{\n\t\t\t\tMasterKeyPath: masterKeyPath,\n\t\t\t},\n\t\t}\n\t\tif secretStatus == sdkkms.SecretStatusVaultTransit {\n\t\t\tconfig.Secrets.URL = \"hashivault://mykey\"\n\t\t}\n\t\terr = config.Initialize()\n\t\tassert.NoError(t, err)\n\n\t\t// now build the secret from JSON\n\t\tsecret = kms.NewEmptySecret()\n\t\terr = json.Unmarshal(asJSON, secret)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 0, secret.GetMode())\n\t\terr = secret.Decrypt()\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testPayload, secret.GetPayload())\n\t\terr = secret.Encrypt()\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, secret.GetMode())\n\t\terr = secret.Decrypt()\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testPayload, secret.GetPayload())\n\t\tif secretStatus == sdkkms.SecretStatusVaultTransit {\n\t\t\t// decrypt the local secret encryped without a master key now that\n\t\t\t// the provider is vault and a master key is set.\n\t\t\t// The provider will not change, the master key will be used\n\t\t\tsecretLocal := kms.NewEmptySecret()\n\t\t\terr = json.Unmarshal(localAsJSON, secretLocal)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, sdkkms.SecretStatusSecretBox, secretLocal.GetStatus())\n\t\t\tassert.Equal(t, 0, secretLocal.GetMode())\n\t\t\terr = secretLocal.Decrypt()\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, testPayload, secretLocal.GetPayload())\n\t\t\tassert.Equal(t, sdkkms.SecretStatusPlain, secretLocal.GetStatus())\n\t\t\terr = secretLocal.Encrypt()\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, sdkkms.SecretStatusSecretBox, secretLocal.GetStatus())\n\t\t\tassert.Equal(t, 1, secretLocal.GetMode())\n\t\t}\n\n\t\terr = kmsConfig.Initialize()\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(masterKeyPath)\n\t\tassert.NoError(t, err)\n\t\tif secretStatus == sdkkms.SecretStatusVaultTransit {\n\t\t\tos.Unsetenv(\"VAULT_SERVER_URL\")\n\t\t\tos.Unsetenv(\"VAULT_SERVER_TOKEN\")\n\t\t}\n\t}\n}\n\nfunc TestUpdateUserNoCredentials(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser.Password = \"\"\n\tuser.PublicKeys = []string{}\n\t// password and public key will be omitted from json serialization if empty and so they will remain unchanged\n\t// and no validation error will be raised\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestUpdateUserEmptyHomeDir(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser.HomeDir = \"\"\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusBadRequest, \"\")\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestUpdateUserInvalidHomeDir(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser.HomeDir = \"relative_path\"\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusBadRequest, \"\")\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestUpdateNonExistentUser(t *testing.T) {\n\t_, _, err := httpdtest.UpdateUser(getTestUser(), http.StatusNotFound, \"\")\n\tassert.NoError(t, err)\n}\n\nfunc TestGetNonExistentUser(t *testing.T) {\n\t_, _, err := httpdtest.GetUserByUsername(\"na\", http.StatusNotFound)\n\tassert.NoError(t, err)\n}\n\nfunc TestDeleteNonExistentUser(t *testing.T) {\n\t_, err := httpdtest.RemoveUser(getTestUser(), http.StatusNotFound)\n\tassert.NoError(t, err)\n}\n\nfunc TestAddDuplicateUser(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.AddUser(getTestUser(), http.StatusConflict)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.Error(t, err, \"adding a duplicate user must fail\")\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestGetUsers(t *testing.T) {\n\tuser1, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tu := getTestUser()\n\tu.Username = defaultUsername + \"1\"\n\tuser2, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tusers, _, err := httpdtest.GetUsers(0, 0, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.GreaterOrEqual(t, len(users), 2)\n\tfor _, user := range users {\n\t\tif u.Username == user.Username {\n\t\t\tassert.True(t, user.HasPassword)\n\t\t}\n\t}\n\tusers, _, err = httpdtest.GetUsers(1, 0, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 1, len(users))\n\tusers, _, err = httpdtest.GetUsers(1, 1, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 1, len(users))\n\t_, _, err = httpdtest.GetUsers(1, 1, http.StatusInternalServerError)\n\tassert.Error(t, err)\n\t_, err = httpdtest.RemoveUser(user1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user2, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestGetQuotaScans(t *testing.T) {\n\t_, _, err := httpdtest.GetQuotaScans(http.StatusOK)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetQuotaScans(http.StatusInternalServerError)\n\tassert.Error(t, err)\n\t_, _, err = httpdtest.GetFoldersQuotaScans(http.StatusOK)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetFoldersQuotaScans(http.StatusInternalServerError)\n\tassert.Error(t, err)\n}\n\nfunc TestStartQuotaScan(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.StartQuotaScan(user, http.StatusAccepted)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\tfolder := vfs.BaseVirtualFolder{\n\t\tName: \"vfolder\",\n\t\tMappedPath: filepath.Join(os.TempDir(), \"folder\"),\n\t\tDescription: \"virtual folder\",\n\t}\n\t_, _, err = httpdtest.AddFolder(folder, http.StatusCreated)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.StartFolderQuotaScan(folder, http.StatusAccepted)\n\tassert.NoError(t, err)\n\tfor {\n\t\tquotaScan, _, err := httpdtest.GetFoldersQuotaScans(http.StatusOK)\n\t\tif !assert.NoError(t, err, \"Error getting active scans\") {\n\t\t\tbreak\n\t\t}\n\t\tif len(quotaScan) == 0 {\n\t\t\tbreak\n\t\t}\n\t\ttime.Sleep(100 * time.Millisecond)\n\t}\n\t_, err = httpdtest.RemoveFolder(folder, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestUpdateFolderQuotaUsage(t *testing.T) {\n\tf := vfs.BaseVirtualFolder{\n\t\tName: \"vdir\",\n\t\tMappedPath: filepath.Join(os.TempDir(), \"folder\"),\n\t}\n\tusedQuotaFiles := 1\n\tusedQuotaSize := int64(65535)\n\tf.UsedQuotaFiles = usedQuotaFiles\n\tf.UsedQuotaSize = usedQuotaSize\n\tfolder, _, err := httpdtest.AddFolder(f, http.StatusCreated)\n\tif assert.NoError(t, err) {\n\t\tassert.Equal(t, usedQuotaFiles, folder.UsedQuotaFiles)\n\t\tassert.Equal(t, usedQuotaSize, folder.UsedQuotaSize)\n\t}\n\t_, err = httpdtest.UpdateFolderQuotaUsage(folder, \"invalid mode\", http.StatusBadRequest)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.UpdateFolderQuotaUsage(f, \"reset\", http.StatusOK)\n\tassert.NoError(t, err)\n\tfolder, _, err = httpdtest.GetFolderByName(f.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, usedQuotaFiles, folder.UsedQuotaFiles)\n\tassert.Equal(t, usedQuotaSize, folder.UsedQuotaSize)\n\t_, err = httpdtest.UpdateFolderQuotaUsage(f, \"add\", http.StatusOK)\n\tassert.NoError(t, err)\n\tfolder, _, err = httpdtest.GetFolderByName(f.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 2*usedQuotaFiles, folder.UsedQuotaFiles)\n\tassert.Equal(t, 2*usedQuotaSize, folder.UsedQuotaSize)\n\tf.UsedQuotaSize = -1\n\t_, err = httpdtest.UpdateFolderQuotaUsage(f, \"\", http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tf.UsedQuotaSize = usedQuotaSize\n\tf.Name = f.Name + \"1\"\n\t_, err = httpdtest.UpdateFolderQuotaUsage(f, \"\", http.StatusNotFound)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(folder, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestGetVersion(t *testing.T) {\n\t_, _, err := httpdtest.GetVersion(http.StatusOK)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetVersion(http.StatusInternalServerError)\n\tassert.Error(t, err, \"get version request must succeed, we requested to check a wrong status code\")\n}\n\nfunc TestGetStatus(t *testing.T) {\n\t_, _, err := httpdtest.GetStatus(http.StatusOK)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetStatus(http.StatusBadRequest)\n\tassert.Error(t, err, \"get provider status request must succeed, we requested to check a wrong status code\")\n}\n\nfunc TestGetConnections(t *testing.T) {\n\t_, _, err := httpdtest.GetConnections(http.StatusOK)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetConnections(http.StatusInternalServerError)\n\tassert.Error(t, err, \"get sftp connections request must succeed, we requested to check a wrong status code\")\n}\n\nfunc TestCloseActiveConnection(t *testing.T) {\n\t_, err := httpdtest.CloseConnection(\"non_existent_id\", http.StatusNotFound)\n\tassert.NoError(t, err)\n\tuser := getTestUser()\n\tc := common.NewBaseConnection(\"connID\", common.ProtocolSFTP, \"\", \"\", user)\n\tfakeConn := &fakeConnection{\n\t\tBaseConnection: c,\n\t}\n\terr = common.Connections.Add(fakeConn)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.CloseConnection(c.GetID(), http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, common.Connections.GetStats(\"\"), 0)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n}\n\nfunc TestCloseConnectionAfterUserUpdateDelete(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tc := common.NewBaseConnection(\"connID\", common.ProtocolFTP, \"\", \"\", user)\n\tfakeConn := &fakeConnection{\n\t\tBaseConnection: c,\n\t}\n\terr = common.Connections.Add(fakeConn)\n\tassert.NoError(t, err)\n\tc1 := common.NewBaseConnection(\"connID1\", common.ProtocolSFTP, \"\", \"\", user)\n\tfakeConn1 := &fakeConnection{\n\t\tBaseConnection: c1,\n\t}\n\terr = common.Connections.Add(fakeConn1)\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"0\")\n\tassert.NoError(t, err)\n\tassert.Len(t, common.Connections.GetStats(\"\"), 2)\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"1\")\n\tassert.NoError(t, err)\n\tassert.Len(t, common.Connections.GetStats(\"\"), 0)\n\n\terr = common.Connections.Add(fakeConn)\n\tassert.NoError(t, err)\n\terr = common.Connections.Add(fakeConn1)\n\tassert.NoError(t, err)\n\tassert.Len(t, common.Connections.GetStats(\"\"), 2)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, common.Connections.GetStats(\"\"), 0)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n}\n\nfunc TestAdminGenerateRecoveryCodesSaveError(t *testing.T) {\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\tproviderConf.NamingRules = 7\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\ta := getTestAdmin()\n\ta.Username = \"adMiN@example.com \"\n\tadmin, _, err := httpdtest.AddAdmin(a, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconfigName, key, _, err := mfa.GenerateTOTPSecret(mfa.GetAvailableTOTPConfigNames()[0], admin.Username)\n\tassert.NoError(t, err)\n\tadmin.Filters.TOTPConfig = dataprovider.AdminTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: kms.NewPlainSecret(key.Secret()),\n\t}\n\tadmin.Password = defaultTokenAuthPass\n\terr = dataprovider.UpdateAdmin(&admin, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tadmin, _, err = httpdtest.GetAdminByUsername(a.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, admin.Filters.TOTPConfig.Enabled)\n\n\tpasscode, err := generateTOTPPasscode(key.Secret())\n\tassert.NoError(t, err)\n\tadminAPIToken, err := getJWTAPITokenFromTestServerWithPasscode(a.Username, defaultTokenAuthPass, passcode)\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, adminAPIToken)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\tproviderConf.BackupsPath = backupsPath\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\tif config.GetProviderConf().Driver == dataprovider.MemoryDataProviderName {\n\t\treturn\n\t}\n\treq, err := http.NewRequest(http.MethodPost, admin2FARecoveryCodesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, adminAPIToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"the following characters are allowed\")\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestAdminCredentialsWithSpaces(t *testing.T) {\n\ta := getTestAdmin()\n\ta.Username = xid.New().String()\n\ta.Password = \" \" + xid.New().String() + \" \"\n\tadmin, _, err := httpdtest.AddAdmin(a, http.StatusCreated)\n\tassert.NoError(t, err)\n\t// For admins the password is always trimmed.\n\t_, err = getJWTAPITokenFromTestServer(a.Username, a.Password)\n\tassert.Error(t, err)\n\t_, err = getJWTAPITokenFromTestServer(a.Username, strings.TrimSpace(a.Password))\n\tassert.NoError(t, err)\n\t// The password sent from the WebAdmin UI is automatically trimmed\n\t_, err = getJWTWebToken(a.Username, a.Password)\n\tassert.NoError(t, err)\n\t_, err = getJWTWebToken(a.Username, strings.TrimSpace(a.Password))\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestUserCredentialsWithSpaces(t *testing.T) {\n\tu := getTestUser()\n\tu.Password = \" \" + xid.New().String() + \" \"\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\t// For users the password is not trimmed\n\t_, err = getJWTAPIUserTokenFromTestServer(u.Username, u.Password)\n\tassert.NoError(t, err)\n\t_, err = getJWTAPIUserTokenFromTestServer(u.Username, strings.TrimSpace(u.Password))\n\tassert.Error(t, err)\n\n\t_, err = getJWTWebClientTokenFromTestServer(u.Username, u.Password)\n\tassert.NoError(t, err)\n\t_, err = getJWTWebClientTokenFromTestServer(u.Username, strings.TrimSpace(u.Password))\n\tassert.Error(t, err)\n\n\tuser.Password = u.Password\n\tconn, sftpClient, err := getSftpClient(user)\n\tif assert.NoError(t, err) {\n\t\tconn.Close()\n\t\tsftpClient.Close()\n\t}\n\tuser.Password = strings.TrimSpace(u.Password)\n\t_, _, err = getSftpClient(user)\n\tassert.Error(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestNamingRules(t *testing.T) {\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 3525,\n\t\tFrom: \"notification@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr := smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\tproviderConf.NamingRules = 7\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\tu := getTestUser()\n\tu.Username = \" uSeR@user.me \"\n\tu.Email = dataprovider.ConvertName(u.Username)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"user@user.me\", user.Username)\n\tconfigName, key, _, err := mfa.GenerateTOTPSecret(mfa.GetAvailableTOTPConfigNames()[0], user.Username)\n\tassert.NoError(t, err)\n\tuser.Filters.TOTPConfig = dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: kms.NewPlainSecret(key.Secret()),\n\t\tProtocols: []string{common.ProtocolSSH},\n\t}\n\tuser.Password = u.Password\n\terr = dataprovider.UpdateUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tuser.Username = u.Username\n\tuser.AdditionalInfo = \"info\"\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.GetUserByUsername(u.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, user.Filters.TOTPConfig.Enabled)\n\n\tr := getTestRole()\n\tr.Name = \"role@mycompany\"\n\trole, _, err := httpdtest.AddRole(r, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ta := getTestAdmin()\n\ta.Username = \"admiN@example.com \"\n\tadmin, _, err := httpdtest.AddAdmin(a, http.StatusCreated)\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"admin@example.com\", admin.Username)\n\tadmin.Email = dataprovider.ConvertName(a.Username)\n\tadmin.Username = a.Username\n\tadmin, _, err = httpdtest.UpdateAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\tadmin, _, err = httpdtest.GetAdminByUsername(a.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tf := vfs.BaseVirtualFolder{\n\t\tName: \"文件夹AB\",\n\t\tMappedPath: filepath.Clean(os.TempDir()),\n\t}\n\tfolder, resp, err := httpdtest.AddFolder(f, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tassert.Equal(t, \"文件夹ab\", folder.Name)\n\tfolder.Name = f.Name\n\tfolder.Description = folder.Name\n\t_, resp, err = httpdtest.UpdateFolder(folder, http.StatusOK)\n\tassert.NoError(t, err, string(resp))\n\tfolder, resp, err = httpdtest.GetFolderByName(f.Name, http.StatusOK)\n\tassert.NoError(t, err, string(resp))\n\tassert.Equal(t, \"文件夹AB\", folder.Description)\n\t_, err = httpdtest.RemoveFolder(f, http.StatusOK)\n\tassert.NoError(t, err)\n\ttoken, err := getJWTWebClientTokenFromTestServer(u.Username, defaultPassword)\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, token)\n\tadminAPIToken, err := getJWTAPITokenFromTestServer(a.Username, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, adminAPIToken)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\tproviderConf.BackupsPath = backupsPath\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\tif config.GetProviderConf().Driver == dataprovider.MemoryDataProviderName {\n\t\treturn\n\t}\n\n\ttoken, err = getJWTWebClientTokenFromTestServer(user.Username, defaultPassword)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webClientProfilePath, token)\n\tassert.NoError(t, err)\n\tform := make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\treq, err := http.NewRequest(http.MethodPost, webClientProfilePath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidUser)\n\t// test user reset password. Setting the new password will fail because the username is not valid\n\tloginCookie, csrfToken, err := getCSRFTokenMock(webClientLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform = make(url.Values)\n\tform.Set(\"username\", user.Username)\n\tform.Set(csrfFormToken, csrfToken)\n\tlastResetCode = \"\"\n\treq, err = http.NewRequest(http.MethodPost, webClientForgotPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.GreaterOrEqual(t, len(lastResetCode), 20)\n\tform = make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"code\", lastResetCode)\n\tform.Set(\"password\", defaultPassword)\n\tform.Set(\"confirm_password\", defaultPassword)\n\treq, err = http.NewRequest(http.MethodPost, webClientResetPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidUser)\n\n\tadminAPIToken, err = getJWTAPITokenFromTestServer(admin.Username, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tuserAPIToken, err := getJWTAPIUserTokenFromTestServer(user.Username, defaultPassword)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, userPath+\"/\"+user.Username+\"/2fa/disable\", nil) //nolint:goconst\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, adminAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"the following characters are allowed\")\n\n\treq, err = http.NewRequest(http.MethodPost, user2FARecoveryCodesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, userAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"the following characters are allowed\")\n\n\tapiKeyAuthReq := make(map[string]bool)\n\tapiKeyAuthReq[\"allow_api_key_auth\"] = true\n\tasJSON, err := json.Marshal(apiKeyAuthReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, userProfilePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, userAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"the following characters are allowed\")\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\ttoken, err = getJWTWebTokenFromTestServer(admin.Username, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err = getCSRFTokenFromInternalPageMock(webAdminProfilePath, token)\n\tassert.NoError(t, err)\n\tform = make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\treq, _ = http.NewRequest(http.MethodPost, webAdminProfilePath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidUser)\n\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webAdminRolePath, role.Name), bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidName)\n\n\tapiKeyAuthReq = make(map[string]bool)\n\tapiKeyAuthReq[\"allow_api_key_auth\"] = true\n\tasJSON, err = json.Marshal(apiKeyAuthReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, adminProfilePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, adminAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"the following characters are allowed\")\n\t// test admin reset password\n\tloginCookie, csrfToken, err = getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform = make(url.Values)\n\tform.Set(\"username\", admin.Username)\n\tform.Set(csrfFormToken, csrfToken)\n\tlastResetCode = \"\"\n\treq, err = http.NewRequest(http.MethodPost, webAdminForgotPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.GreaterOrEqual(t, len(lastResetCode), 20)\n\tloginCookie, csrfToken, err = getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform = make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"code\", lastResetCode)\n\tform.Set(\"password\", defaultPassword)\n\tform.Set(\"confirm_password\", defaultPassword)\n\treq, err = http.NewRequest(http.MethodPost, webAdminResetPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorChangePwdGeneric)\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveRole(role, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n}\n\nfunc TestUserPassword(t *testing.T) {\n\tu := getTestUser()\n\tu.Password = \"\"\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tassert.False(t, user.HasPassword)\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tassert.False(t, user.HasPassword)\n\n\tuser.Password = defaultPassword\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tassert.True(t, user.HasPassword)\n\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\n\trawUser := map[string]any{\n\t\t\"username\": user.Username,\n\t\t\"home_dir\": filepath.Join(homeBasePath, defaultUsername),\n\t\t\"permissions\": map[string][]string{\n\t\t\t\"/\": {\"*\"},\n\t\t},\n\t}\n\tuserAsJSON, err := json.Marshal(rawUser)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPut, path.Join(userPath, user.Username), bytes.NewBuffer(userAsJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// the previous password must be preserved\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, user.HasPassword)\n\t// update the user with an empty password field, the password will be unset\n\trawUser[\"password\"] = \"\"\n\tuserAsJSON, err = json.Marshal(rawUser)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, path.Join(userPath, user.Username), bytes.NewBuffer(userAsJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.False(t, user.HasPassword)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestSaveErrors(t *testing.T) {\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\tproviderConf.NamingRules = 1\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\trecCode := \"recovery code\"\n\trecoveryCodes := []dataprovider.RecoveryCode{\n\t\t{\n\t\t\tSecret: kms.NewPlainSecret(recCode),\n\t\t\tUsed: false,\n\t\t},\n\t}\n\n\tu := getTestUser()\n\tu.Username = \"user@example.com\"\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconfigName, key, _, err := mfa.GenerateTOTPSecret(mfa.GetAvailableTOTPConfigNames()[0], user.Username)\n\tassert.NoError(t, err)\n\tuser.Password = u.Password\n\tuser.Filters.TOTPConfig = dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: kms.NewPlainSecret(key.Secret()),\n\t\tProtocols: []string{common.ProtocolSSH, common.ProtocolHTTP},\n\t}\n\tuser.Filters.RecoveryCodes = recoveryCodes\n\terr = dataprovider.UpdateUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, user.Filters.TOTPConfig.Enabled)\n\tassert.Len(t, user.Filters.RecoveryCodes, 1)\n\n\ta := getTestAdmin()\n\ta.Username = \"admin@example.com\"\n\tadmin, _, err := httpdtest.AddAdmin(a, http.StatusCreated)\n\tassert.NoError(t, err)\n\tadmin.Email = admin.Username\n\tadmin, _, err = httpdtest.UpdateAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\tadmin.Password = a.Password\n\tadmin.Filters.TOTPConfig = dataprovider.AdminTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: kms.NewPlainSecret(key.Secret()),\n\t}\n\tadmin.Filters.RecoveryCodes = recoveryCodes\n\terr = dataprovider.UpdateAdmin(&admin, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tadmin, _, err = httpdtest.GetAdminByUsername(admin.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, admin.Filters.TOTPConfig.Enabled)\n\tassert.Len(t, admin.Filters.RecoveryCodes, 1)\n\n\tr := getTestRole()\n\tr.Name = \"role@mycompany\"\n\trole, _, err := httpdtest.AddRole(r, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\tproviderConf.BackupsPath = backupsPath\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\tif config.GetProviderConf().Driver == dataprovider.MemoryDataProviderName {\n\t\treturn\n\t}\n\n\t_, resp, err := httpdtest.UpdateRole(role, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"the following characters are allowed\")\n\n\tloginCookie, csrfToken, err := getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform := getLoginForm(a.Username, a.Password, csrfToken)\n\treq, err := http.NewRequest(http.MethodPost, webLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr := executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webAdminTwoFactorPath, rr.Header().Get(\"Location\"))\n\tcookie, err := getCookieFromResponse(rr)\n\tassert.NoError(t, err)\n\n\tcsrfToken, err = getCSRFTokenFromInternalPageMock(webAdminTwoFactorRecoveryPath, cookie)\n\tassert.NoError(t, err)\n\tform = make(url.Values)\n\tform.Set(\"recovery_code\", recCode)\n\tform.Set(csrfFormToken, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webAdminTwoFactorRecoveryPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusInternalServerError, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\n\tloginCookie, csrfToken, err = getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform = getLoginForm(u.Username, u.Password, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webClientLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientTwoFactorPath, rr.Header().Get(\"Location\"))\n\tcookie, err = getCookieFromResponse(rr)\n\tassert.NoError(t, err)\n\n\tcsrfToken, err = getCSRFTokenFromInternalPageMock(webClientTwoFactorRecoveryPath, cookie)\n\tassert.NoError(t, err)\n\tform = make(url.Values)\n\tform.Set(\"recovery_code\", recCode)\n\tform.Set(csrfFormToken, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webClientTwoFactorRecoveryPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusInternalServerError, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveRole(role, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestUserBaseDir(t *testing.T) {\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\tproviderConf.UsersBaseDir = homeBasePath\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\tu := getTestUser()\n\tu.HomeDir = \"\"\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tif assert.Error(t, err) {\n\t\tassert.EqualError(t, err, \"home dir mismatch\")\n\t}\n\tassert.Equal(t, filepath.Join(providerConf.UsersBaseDir, u.Username), user.HomeDir)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\tproviderConf.BackupsPath = backupsPath\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n}\n\nfunc TestQuotaTrackingDisabled(t *testing.T) {\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\tproviderConf.TrackQuota = 0\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\t// user quota scan must fail\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.StartQuotaScan(user, http.StatusForbidden)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.UpdateQuotaUsage(user, \"\", http.StatusForbidden)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.UpdateTransferQuotaUsage(user, \"\", http.StatusForbidden)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t// folder quota scan must fail\n\tfolder := vfs.BaseVirtualFolder{\n\t\tName: \"folder_quota_test\",\n\t\tMappedPath: filepath.Clean(os.TempDir()),\n\t}\n\tfolder, resp, err := httpdtest.AddFolder(folder, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\t_, err = httpdtest.StartFolderQuotaScan(folder, http.StatusForbidden)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.UpdateFolderQuotaUsage(folder, \"\", http.StatusForbidden)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(folder, http.StatusOK)\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\tproviderConf.BackupsPath = backupsPath\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n}\n\nfunc TestProviderErrors(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tuserAPIToken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\tuserWebToken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\ttoken, _, err := httpdtest.GetToken(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\ttestServerToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\thttpdtest.SetJWTToken(token)\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetUserByUsername(\"na\", http.StatusInternalServerError)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetUsers(1, 0, http.StatusInternalServerError)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetGroups(1, 0, http.StatusInternalServerError)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetAdmins(1, 0, http.StatusInternalServerError)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetAPIKeys(1, 0, http.StatusInternalServerError)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetEventActions(1, 0, http.StatusInternalServerError)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetEventRules(1, 0, http.StatusInternalServerError)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetIPListEntries(dataprovider.IPListTypeDefender, \"\", \"\", dataprovider.OrderASC, 10, http.StatusInternalServerError)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetRoles(1, 0, http.StatusInternalServerError)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.UpdateRole(getTestRole(), http.StatusInternalServerError)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodGet, userSharesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, userAPIToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, userAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\t// password reset errors\n\tloginCookie, csrfToken, err := getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform := make(url.Values)\n\tform.Set(\"username\", \"username\")\n\tform.Set(csrfFormToken, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webClientForgotPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorGetUser)\n\n\tgetJSONShares := func() {\n\t\tdefer func() {\n\t\t\trcv := recover()\n\t\t\tassert.Equal(t, http.ErrAbortHandler, rcv)\n\t\t}()\n\t\treq, err := http.NewRequest(http.MethodGet, webClientSharesPath+jsonAPISuffix, nil)\n\t\tassert.NoError(t, err)\n\t\tsetJWTCookieForReq(req, userWebToken)\n\t\texecuteRequest(req)\n\t}\n\tgetJSONShares()\n\n\treq, err = http.NewRequest(http.MethodGet, webClientSharePath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, userWebToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientSharePath+\"/shareID\", nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, userWebToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, webClientSharePath+\"/shareID\", nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, userWebToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\n\t_, _, err = httpdtest.UpdateUser(dataprovider.User{BaseUser: sdk.BaseUser{Username: \"auser\"}}, http.StatusInternalServerError, \"\")\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(dataprovider.User{BaseUser: sdk.BaseUser{Username: \"auser\"}}, http.StatusInternalServerError)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: \"aname\"}, http.StatusInternalServerError)\n\tassert.NoError(t, err)\n\tstatus, _, err := httpdtest.GetStatus(http.StatusOK)\n\tif assert.NoError(t, err) {\n\t\tassert.False(t, status.DataProvider.IsActive)\n\t}\n\t_, _, err = httpdtest.Dumpdata(\"backup.json\", \"\", \"\", http.StatusInternalServerError)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetFolders(0, 0, http.StatusInternalServerError)\n\tassert.NoError(t, err)\n\tuser = getTestUser()\n\tuser.ID = 1\n\tbackupData := dataprovider.BackupData{\n\t\tVersion: dataprovider.DumpVersion,\n\t}\n\tbackupData.Configs = &dataprovider.Configs{}\n\tbackupData.Users = append(backupData.Users, user)\n\tbackupContent, err := json.Marshal(backupData)\n\tassert.NoError(t, err)\n\tbackupFilePath := filepath.Join(backupsPath, \"backup.json\")\n\terr = os.WriteFile(backupFilePath, backupContent, os.ModePerm)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.Loaddata(backupFilePath, \"\", \"\", http.StatusInternalServerError)\n\tassert.NoError(t, err)\n\tbackupData.Configs = nil\n\tbackupContent, err = json.Marshal(backupData)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(backupFilePath, backupContent, os.ModePerm)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.Loaddata(backupFilePath, \"\", \"\", http.StatusInternalServerError)\n\tassert.NoError(t, err)\n\tbackupData.Folders = append(backupData.Folders, vfs.BaseVirtualFolder{Name: \"testFolder\", MappedPath: filepath.Clean(os.TempDir())})\n\tbackupContent, err = json.Marshal(backupData)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(backupFilePath, backupContent, os.ModePerm)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.Loaddata(backupFilePath, \"\", \"\", http.StatusInternalServerError)\n\tassert.NoError(t, err)\n\tbackupData.Users = nil\n\tbackupData.Folders = nil\n\tbackupData.Groups = append(backupData.Groups, getTestGroup())\n\tbackupContent, err = json.Marshal(backupData)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(backupFilePath, backupContent, os.ModePerm)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.Loaddata(backupFilePath, \"\", \"\", http.StatusInternalServerError)\n\tassert.NoError(t, err)\n\tbackupData.Groups = nil\n\tbackupData.Admins = append(backupData.Admins, getTestAdmin())\n\tbackupContent, err = json.Marshal(backupData)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(backupFilePath, backupContent, os.ModePerm)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.Loaddata(backupFilePath, \"\", \"\", http.StatusInternalServerError)\n\tassert.NoError(t, err)\n\tbackupData.Users = nil\n\tbackupData.Folders = nil\n\tbackupData.Admins = nil\n\tbackupData.APIKeys = append(backupData.APIKeys, dataprovider.APIKey{\n\t\tName: \"name\",\n\t\tKeyID: util.GenerateUniqueID(),\n\t\tKey: fmt.Sprintf(\"%v.%v\", util.GenerateUniqueID(), util.GenerateUniqueID()),\n\t\tScope: dataprovider.APIKeyScopeUser,\n\t})\n\tbackupContent, err = json.Marshal(backupData)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(backupFilePath, backupContent, os.ModePerm)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.Loaddata(backupFilePath, \"\", \"\", http.StatusInternalServerError)\n\tassert.NoError(t, err)\n\tbackupData.APIKeys = nil\n\tbackupData.Shares = append(backupData.Shares, dataprovider.Share{\n\t\tName: util.GenerateUniqueID(),\n\t\tShareID: util.GenerateUniqueID(),\n\t\tScope: dataprovider.ShareScopeRead,\n\t\tPaths: []string{\"/\"},\n\t\tUsername: defaultUsername,\n\t})\n\tbackupContent, err = json.Marshal(backupData)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(backupFilePath, backupContent, os.ModePerm)\n\tassert.NoError(t, err)\n\t_, resp, err := httpdtest.Loaddata(backupFilePath, \"\", \"\", http.StatusInternalServerError)\n\tassert.NoError(t, err, string(resp))\n\tbackupData = dataprovider.BackupData{\n\t\tEventActions: []dataprovider.BaseEventAction{\n\t\t\t{\n\t\t\t\tName: \"quota_reset\",\n\t\t\t\tType: dataprovider.ActionTypeFolderQuotaReset,\n\t\t\t},\n\t\t},\n\t\tVersion: dataprovider.DumpVersion,\n\t}\n\tbackupContent, err = json.Marshal(backupData)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(backupFilePath, backupContent, os.ModePerm)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.Loaddata(backupFilePath, \"\", \"\", http.StatusInternalServerError)\n\tassert.NoError(t, err)\n\tbackupData = dataprovider.BackupData{\n\t\tEventRules: []dataprovider.EventRule{\n\t\t\t{\n\t\t\t\tName: \"quota_reset\",\n\t\t\t\tTrigger: dataprovider.EventTriggerSchedule,\n\t\t\t\tConditions: dataprovider.EventConditions{\n\t\t\t\t\tSchedules: []dataprovider.Schedule{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tHours: \"2\",\n\t\t\t\t\t\t\tDayOfWeek: \"1\",\n\t\t\t\t\t\t\tDayOfMonth: \"2\",\n\t\t\t\t\t\t\tMonth: \"3\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tActions: []dataprovider.EventAction{\n\t\t\t\t\t{\n\t\t\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\t\t\tName: \"unknown action\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tOrder: 1,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tVersion: dataprovider.DumpVersion,\n\t}\n\tbackupContent, err = json.Marshal(backupData)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(backupFilePath, backupContent, os.ModePerm)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.Loaddata(backupFilePath, \"\", \"\", http.StatusInternalServerError)\n\tassert.NoError(t, err)\n\tbackupData = dataprovider.BackupData{\n\t\tRoles: []dataprovider.Role{\n\t\t\t{\n\t\t\t\tName: \"role1\",\n\t\t\t},\n\t\t},\n\t\tVersion: dataprovider.DumpVersion,\n\t}\n\tbackupContent, err = json.Marshal(backupData)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(backupFilePath, backupContent, os.ModePerm)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.Loaddata(backupFilePath, \"\", \"\", http.StatusInternalServerError)\n\tassert.NoError(t, err)\n\tbackupData = dataprovider.BackupData{\n\t\tIPLists: []dataprovider.IPListEntry{\n\t\t\t{\n\t\t\t\tIPOrNet: \"192.168.1.1/24\",\n\t\t\t\tType: dataprovider.IPListTypeRateLimiterSafeList,\n\t\t\t\tMode: dataprovider.ListModeAllow,\n\t\t\t},\n\t\t},\n\t\tVersion: dataprovider.DumpVersion,\n\t}\n\tbackupContent, err = json.Marshal(backupData)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(backupFilePath, backupContent, os.ModePerm)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.Loaddata(backupFilePath, \"\", \"\", http.StatusInternalServerError)\n\tassert.NoError(t, err)\n\n\terr = os.Remove(backupFilePath)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodGet, webUserPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, testServerToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\treq, err = http.NewRequest(http.MethodGet, webTemplateUser+\"?from=auser\", nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, testServerToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\treq, err = http.NewRequest(http.MethodGet, webGroupPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, testServerToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\treq, err = http.NewRequest(http.MethodGet, webAdminPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, testServerToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\treq, err = http.NewRequest(http.MethodGet, webTemplateUser, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, testServerToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webGroupPath, \"groupname\"), nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, testServerToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webGroupPath, \"grpname\"), nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, testServerToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\treq, err = http.NewRequest(http.MethodGet, webTemplateFolder+\"?from=afolder\", nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, testServerToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webAdminEventActionPath, \"actionname\"), nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, testServerToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventActionPath, \"actionname\"), bytes.NewBuffer(nil))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, testServerToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\n\tgetJSONActions := func() {\n\t\tdefer func() {\n\t\t\trcv := recover()\n\t\t\tassert.Equal(t, http.ErrAbortHandler, rcv)\n\t\t}()\n\t\treq, err := http.NewRequest(http.MethodGet, webAdminEventActionsPath+jsonAPISuffix, nil)\n\t\tassert.NoError(t, err)\n\t\tsetJWTCookieForReq(req, testServerToken)\n\t\texecuteRequest(req)\n\t}\n\tgetJSONActions()\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webAdminEventRulePath, \"rulename\"), nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, testServerToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventRulePath, \"rulename\"), bytes.NewBuffer(nil))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, testServerToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\n\tgetJSONRules := func() {\n\t\tdefer func() {\n\t\t\trcv := recover()\n\t\t\tassert.Equal(t, http.ErrAbortHandler, rcv)\n\t\t}()\n\t\treq, err := http.NewRequest(http.MethodGet, webAdminEventRulesPath+jsonAPISuffix, nil)\n\t\tassert.NoError(t, err)\n\t\tsetJWTCookieForReq(req, testServerToken)\n\t\texecuteRequest(req)\n\t}\n\tgetJSONRules()\n\n\treq, err = http.NewRequest(http.MethodGet, webAdminEventRulePath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, testServerToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\tproviderConf.BackupsPath = backupsPath\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\thttpdtest.SetJWTToken(\"\")\n}\n\nfunc TestFolders(t *testing.T) {\n\tfolder := vfs.BaseVirtualFolder{\n\t\tName: \"name\",\n\t\tMappedPath: \"relative path\",\n\t\tUsers: []string{\"1\", \"2\", \"3\"},\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.CryptedFilesystemProvider,\n\t\t\tCryptConfig: vfs.CryptFsConfig{\n\t\t\t\tPassphrase: kms.NewPlainSecret(\"asecret\"),\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err := httpdtest.AddFolder(folder, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tfolder.MappedPath = filepath.Clean(os.TempDir())\n\tfolder1, resp, err := httpdtest.AddFolder(folder, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tassert.Equal(t, folder.Name, folder1.Name)\n\tassert.Equal(t, folder.MappedPath, folder1.MappedPath)\n\tassert.Equal(t, 0, folder1.UsedQuotaFiles)\n\tassert.Equal(t, int64(0), folder1.UsedQuotaSize)\n\tassert.Equal(t, int64(0), folder1.LastQuotaUpdate)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, folder1.FsConfig.CryptConfig.Passphrase.GetStatus())\n\tassert.NotEmpty(t, folder1.FsConfig.CryptConfig.Passphrase.GetPayload())\n\tassert.Empty(t, folder1.FsConfig.CryptConfig.Passphrase.GetAdditionalData())\n\tassert.Empty(t, folder1.FsConfig.CryptConfig.Passphrase.GetKey())\n\tassert.Len(t, folder1.Users, 0)\n\t// adding a duplicate folder must fail\n\t_, _, err = httpdtest.AddFolder(folder, http.StatusCreated)\n\tassert.Error(t, err)\n\tfolder.MappedPath = filepath.Join(os.TempDir(), \"vfolder\")\n\tfolder.Name = filepath.Base(folder.MappedPath)\n\tfolder.UsedQuotaFiles = 1\n\tfolder.UsedQuotaSize = 345\n\tfolder.LastQuotaUpdate = 10\n\tfolder2, _, err := httpdtest.AddFolder(folder, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tassert.Equal(t, 1, folder2.UsedQuotaFiles)\n\tassert.Equal(t, int64(345), folder2.UsedQuotaSize)\n\tassert.Equal(t, int64(10), folder2.LastQuotaUpdate)\n\tassert.Len(t, folder2.Users, 0)\n\tfolders, _, err := httpdtest.GetFolders(0, 0, http.StatusOK)\n\tassert.NoError(t, err)\n\tnumResults := len(folders)\n\tassert.GreaterOrEqual(t, numResults, 2)\n\tfound := false\n\tfor _, f := range folders {\n\t\tif f.Name == folder1.Name {\n\t\t\tfound = true\n\t\t\tassert.Equal(t, folder1.MappedPath, f.MappedPath)\n\t\t\tassert.Equal(t, sdkkms.SecretStatusSecretBox, f.FsConfig.CryptConfig.Passphrase.GetStatus())\n\t\t\tassert.NotEmpty(t, f.FsConfig.CryptConfig.Passphrase.GetPayload())\n\t\t\tassert.Empty(t, f.FsConfig.CryptConfig.Passphrase.GetAdditionalData())\n\t\t\tassert.Empty(t, f.FsConfig.CryptConfig.Passphrase.GetKey())\n\t\t\tassert.Len(t, f.Users, 0)\n\t\t}\n\t}\n\tassert.True(t, found)\n\tfolders, _, err = httpdtest.GetFolders(0, 1, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, folders, numResults-1)\n\tfolders, _, err = httpdtest.GetFolders(1, 0, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, folders, 1)\n\tf, _, err := httpdtest.GetFolderByName(folder1.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, folder1.Name, f.Name)\n\tassert.Equal(t, folder1.MappedPath, f.MappedPath)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, f.FsConfig.CryptConfig.Passphrase.GetStatus())\n\tassert.NotEmpty(t, f.FsConfig.CryptConfig.Passphrase.GetPayload())\n\tassert.Empty(t, f.FsConfig.CryptConfig.Passphrase.GetAdditionalData())\n\tassert.Empty(t, f.FsConfig.CryptConfig.Passphrase.GetKey())\n\tassert.Len(t, f.Users, 0)\n\tf, _, err = httpdtest.GetFolderByName(folder2.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, folder2.Name, f.Name)\n\tassert.Equal(t, folder2.MappedPath, f.MappedPath)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{\n\t\tName: \"invalid\",\n\t}, http.StatusNotFound)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.UpdateFolder(vfs.BaseVirtualFolder{Name: \"notfound\"}, http.StatusNotFound)\n\tassert.NoError(t, err)\n\tfolder1.MappedPath = \"a/relative/path\"\n\t_, _, err = httpdtest.UpdateFolder(folder1, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tfolder1.MappedPath = filepath.Join(os.TempDir(), \"updated\")\n\tfolder1.Description = \"updated folder description\"\n\tf, resp, err = httpdtest.UpdateFolder(folder1, http.StatusOK)\n\tassert.NoError(t, err, string(resp))\n\tassert.Equal(t, folder1.MappedPath, f.MappedPath)\n\tassert.Equal(t, folder1.Description, f.Description)\n\n\t_, err = httpdtest.RemoveFolder(folder1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(folder2, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestFolderRelations(t *testing.T) {\n\tmappedPath := filepath.Join(os.TempDir(), \"mapped_path\")\n\tname := filepath.Base(mappedPath)\n\tu := getTestUser()\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: name,\n\t\t},\n\t\tVirtualPath: \"/mountu\",\n\t})\n\t_, resp, err := httpdtest.AddUser(u, http.StatusInternalServerError)\n\tassert.NoError(t, err, string(resp))\n\tg := getTestGroup()\n\tg.VirtualFolders = append(g.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: name,\n\t\t},\n\t\tVirtualPath: \"/mountg\",\n\t})\n\t_, resp, err = httpdtest.AddGroup(g, http.StatusInternalServerError)\n\tassert.NoError(t, err, string(resp))\n\tf := vfs.BaseVirtualFolder{\n\t\tName: name,\n\t\tMappedPath: mappedPath,\n\t}\n\tfolder, _, err := httpdtest.AddFolder(f, http.StatusCreated)\n\tassert.NoError(t, err)\n\tassert.Len(t, folder.Users, 0)\n\tassert.Len(t, folder.Groups, 0)\n\n\tuser, resp, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tgroup, resp, err := httpdtest.AddGroup(g, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\n\tfolder, _, err = httpdtest.GetFolderByName(folder.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, folder.Users, 1)\n\tassert.Len(t, folder.Groups, 1)\n\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Len(t, user.VirtualFolders, 1) {\n\t\tassert.Equal(t, mappedPath, user.VirtualFolders[0].MappedPath)\n\t}\n\n\tgroup, _, err = httpdtest.GetGroupByName(group.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Len(t, group.VirtualFolders, 1) {\n\t\tassert.Equal(t, mappedPath, group.VirtualFolders[0].MappedPath)\n\t}\n\t// update the folder and check the modified field on user and group\n\tmappedPath = filepath.Join(os.TempDir(), \"mapped_path\")\n\tfolder.MappedPath = mappedPath\n\t_, _, err = httpdtest.UpdateFolder(folder, http.StatusOK)\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Len(t, user.VirtualFolders, 1) {\n\t\tassert.Equal(t, mappedPath, user.VirtualFolders[0].MappedPath)\n\t}\n\n\tgroup, _, err = httpdtest.GetGroupByName(group.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Len(t, group.VirtualFolders, 1) {\n\t\tassert.Equal(t, mappedPath, group.VirtualFolders[0].MappedPath)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group, http.StatusOK)\n\tassert.NoError(t, err)\n\tfolder, _, err = httpdtest.GetFolderByName(folder.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, folder.Users, 0)\n\tassert.Len(t, folder.Groups, 0)\n\n\tuser, resp, err = httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tassert.Len(t, user.VirtualFolders, 1)\n\tgroup, resp, err = httpdtest.AddGroup(g, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tassert.Len(t, group.VirtualFolders, 1)\n\n\tfolder, _, err = httpdtest.GetFolderByName(folder.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, folder.Users, 1)\n\tassert.Len(t, folder.Groups, 1)\n\n\t_, err = httpdtest.RemoveFolder(folder, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, user.VirtualFolders, 0)\n\n\tgroup, _, err = httpdtest.GetGroupByName(group.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, group.VirtualFolders, 0)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestDumpdata(t *testing.T) {\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\tproviderConf.BackupsPath = backupsPath\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\t_, rawResp, err := httpdtest.Dumpdata(\"\", \"\", \"\", http.StatusBadRequest)\n\tassert.NoError(t, err, string(rawResp))\n\t_, _, err = httpdtest.Dumpdata(filepath.Join(backupsPath, \"backup.json\"), \"\", \"\", http.StatusBadRequest)\n\tassert.NoError(t, err)\n\t_, rawResp, err = httpdtest.Dumpdata(\"../backup.json\", \"\", \"\", http.StatusBadRequest)\n\tassert.NoError(t, err, string(rawResp))\n\t_, rawResp, err = httpdtest.Dumpdata(\"backup.json\", \"\", \"0\", http.StatusOK)\n\tassert.NoError(t, err, string(rawResp))\n\tresponse, _, err := httpdtest.Dumpdata(\"\", \"1\", \"0\", http.StatusOK)\n\tassert.NoError(t, err)\n\t_, ok := response[\"admins\"]\n\tassert.True(t, ok)\n\t_, ok = response[\"users\"]\n\tassert.True(t, ok)\n\t_, ok = response[\"groups\"]\n\tassert.True(t, ok)\n\t_, ok = response[\"folders\"]\n\tassert.True(t, ok)\n\t_, ok = response[\"api_keys\"]\n\tassert.True(t, ok)\n\t_, ok = response[\"shares\"]\n\tassert.True(t, ok)\n\t_, ok = response[\"version\"]\n\tassert.True(t, ok)\n\t_, rawResp, err = httpdtest.Dumpdata(\"backup.json\", \"\", \"1\", http.StatusOK)\n\tassert.NoError(t, err, string(rawResp))\n\terr = os.Remove(filepath.Join(backupsPath, \"backup.json\"))\n\tassert.NoError(t, err)\n\tif runtime.GOOS != osWindows {\n\t\terr = os.Chmod(backupsPath, 0001)\n\t\tassert.NoError(t, err)\n\t\t_, _, err = httpdtest.Dumpdata(\"bck.json\", \"\", \"\", http.StatusForbidden)\n\t\tassert.NoError(t, err)\n\t\t// subdir cannot be created\n\t\t_, _, err = httpdtest.Dumpdata(filepath.Join(\"subdir\", \"bck.json\"), \"\", \"\", http.StatusForbidden)\n\t\tassert.NoError(t, err)\n\t\terr = os.Chmod(backupsPath, 0755)\n\t\tassert.NoError(t, err)\n\t}\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\tproviderConf.BackupsPath = backupsPath\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n}\n\nfunc TestDefenderAPI(t *testing.T) {\n\toldConfig := config.GetCommonConfig()\n\n\tdrivers := []string{common.DefenderDriverMemory}\n\tif isDbDefenderSupported() {\n\t\tdrivers = append(drivers, common.DefenderDriverProvider)\n\t}\n\n\tfor _, driver := range drivers {\n\t\tcfg := config.GetCommonConfig()\n\t\tcfg.DefenderConfig.Enabled = true\n\t\tcfg.DefenderConfig.Driver = driver\n\t\tcfg.DefenderConfig.Threshold = 3\n\t\tcfg.DefenderConfig.ScoreLimitExceeded = 2\n\t\tcfg.DefenderConfig.ScoreNoAuth = 0\n\n\t\terr := common.Initialize(cfg, 0)\n\t\tassert.NoError(t, err)\n\n\t\tip := \"::1\"\n\n\t\thosts, _, err := httpdtest.GetDefenderHosts(http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Len(t, hosts, 0)\n\n\t\t_, err = httpdtest.RemoveDefenderHostByIP(ip, http.StatusNotFound)\n\t\tassert.NoError(t, err)\n\n\t\tcommon.AddDefenderEvent(ip, common.ProtocolHTTP, common.HostEventNoLoginTried)\n\t\thosts, _, err = httpdtest.GetDefenderHosts(http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Len(t, hosts, 0)\n\t\tcommon.AddDefenderEvent(ip, common.ProtocolHTTP, common.HostEventUserNotFound)\n\t\thosts, _, err = httpdtest.GetDefenderHosts(http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tif assert.Len(t, hosts, 1) {\n\t\t\thost := hosts[0]\n\t\t\tassert.Empty(t, host.GetBanTime())\n\t\t\tassert.Equal(t, 2, host.Score)\n\t\t\tassert.Equal(t, ip, host.IP)\n\t\t}\n\t\thost, _, err := httpdtest.GetDefenderHostByIP(ip, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Empty(t, host.GetBanTime())\n\t\tassert.Equal(t, 2, host.Score)\n\n\t\tcommon.AddDefenderEvent(ip, common.ProtocolHTTP, common.HostEventUserNotFound)\n\t\thosts, _, err = httpdtest.GetDefenderHosts(http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tif assert.Len(t, hosts, 1) {\n\t\t\thost := hosts[0]\n\t\t\tassert.NotEmpty(t, host.GetBanTime())\n\t\t\tassert.Equal(t, 0, host.Score)\n\t\t\tassert.Equal(t, ip, host.IP)\n\t\t}\n\t\thost, _, err = httpdtest.GetDefenderHostByIP(ip, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.NotEmpty(t, host.GetBanTime())\n\t\tassert.Equal(t, 0, host.Score)\n\n\t\t_, err = httpdtest.RemoveDefenderHostByIP(ip, http.StatusOK)\n\t\tassert.NoError(t, err)\n\n\t\t_, _, err = httpdtest.GetDefenderHostByIP(ip, http.StatusNotFound)\n\t\tassert.NoError(t, err)\n\n\t\tcommon.AddDefenderEvent(ip, common.ProtocolHTTP, common.HostEventUserNotFound)\n\t\tcommon.AddDefenderEvent(ip, common.ProtocolHTTP, common.HostEventUserNotFound)\n\t\thosts, _, err = httpdtest.GetDefenderHosts(http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Len(t, hosts, 1)\n\n\t\t_, err = httpdtest.RemoveDefenderHostByIP(ip, http.StatusOK)\n\t\tassert.NoError(t, err)\n\n\t\thost, _, err = httpdtest.GetDefenderHostByIP(ip, http.StatusNotFound)\n\t\tassert.NoError(t, err)\n\t\t_, err = httpdtest.RemoveDefenderHostByIP(ip, http.StatusNotFound)\n\t\tassert.NoError(t, err)\n\n\t\thost, _, err = httpdtest.GetDefenderHostByIP(\"invalid_ip\", http.StatusBadRequest)\n\t\tassert.NoError(t, err)\n\t\t_, err = httpdtest.RemoveDefenderHostByIP(\"invalid_ip\", http.StatusBadRequest)\n\t\tassert.NoError(t, err)\n\t\tif driver == common.DefenderDriverProvider {\n\t\t\terr = dataprovider.CleanupDefender(util.GetTimeAsMsSinceEpoch(time.Now().Add(1 * time.Hour)))\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t}\n\n\terr := common.Initialize(oldConfig, 0)\n\trequire.NoError(t, err)\n}\n\nfunc TestDefenderAPIErrors(t *testing.T) {\n\tif isDbDefenderSupported() {\n\t\toldConfig := config.GetCommonConfig()\n\n\t\tcfg := config.GetCommonConfig()\n\t\tcfg.DefenderConfig.Enabled = true\n\t\tcfg.DefenderConfig.Driver = common.DefenderDriverProvider\n\t\terr := common.Initialize(cfg, 0)\n\t\trequire.NoError(t, err)\n\n\t\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\t\tassert.NoError(t, err)\n\n\t\terr = dataprovider.Close()\n\t\tassert.NoError(t, err)\n\n\t\treq, err := http.NewRequest(http.MethodGet, defenderHosts, nil)\n\t\tassert.NoError(t, err)\n\t\tsetBearerForReq(req, token)\n\t\trr := executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\n\t\terr = config.LoadConfig(configDir, \"\")\n\t\tassert.NoError(t, err)\n\t\tproviderConf := config.GetProviderConf()\n\t\tproviderConf.BackupsPath = backupsPath\n\t\terr = dataprovider.Initialize(providerConf, configDir, true)\n\t\tassert.NoError(t, err)\n\n\t\terr = common.Initialize(oldConfig, 0)\n\t\trequire.NoError(t, err)\n\t}\n}\n\nfunc TestRestoreShares(t *testing.T) {\n\t// shares should be restored preserving the UsedTokens, CreatedAt, LastUseAt, UpdatedAt,\n\t// and ExpiresAt, so an expired share can be restored while we cannot create an already\n\t// expired share\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tshare := dataprovider.Share{\n\t\tShareID: shortuuid.New(),\n\t\tName: \"share name\",\n\t\tDescription: \"share description\",\n\t\tScope: dataprovider.ShareScopeRead,\n\t\tPaths: []string{\"/\"},\n\t\tUsername: user.Username,\n\t\tCreatedAt: util.GetTimeAsMsSinceEpoch(time.Now().Add(-144 * time.Hour)),\n\t\tUpdatedAt: util.GetTimeAsMsSinceEpoch(time.Now().Add(-96 * time.Hour)),\n\t\tLastUseAt: util.GetTimeAsMsSinceEpoch(time.Now().Add(-64 * time.Hour)),\n\t\tExpiresAt: util.GetTimeAsMsSinceEpoch(time.Now().Add(-48 * time.Hour)),\n\t\tMaxTokens: 10,\n\t\tUsedTokens: 8,\n\t\tAllowFrom: []string{\"127.0.0.0/8\"},\n\t}\n\tbackupData := dataprovider.BackupData{\n\t\tVersion: dataprovider.DumpVersion,\n\t}\n\tbackupData.Shares = append(backupData.Shares, share)\n\tbackupContent, err := json.Marshal(backupData)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.LoaddataFromPostBody(backupContent, \"0\", \"0\", http.StatusOK)\n\tassert.NoError(t, err)\n\tshareGet, err := dataprovider.ShareExists(share.ShareID, user.Username)\n\tassert.NoError(t, err)\n\tassert.Equal(t, share, shareGet)\n\n\tshare.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now().Add(-142 * time.Hour))\n\tshare.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now().Add(-92 * time.Hour))\n\tshare.LastUseAt = util.GetTimeAsMsSinceEpoch(time.Now().Add(-62 * time.Hour))\n\tshare.UsedTokens = 6\n\tbackupData.Shares = []dataprovider.Share{share}\n\tbackupContent, err = json.Marshal(backupData)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.LoaddataFromPostBody(backupContent, \"0\", \"0\", http.StatusOK)\n\tassert.NoError(t, err)\n\tshareGet, err = dataprovider.ShareExists(share.ShareID, user.Username)\n\tassert.NoError(t, err)\n\tassert.Equal(t, share, shareGet)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestLoaddataFromPostBody(t *testing.T) {\n\tmappedPath := filepath.Join(os.TempDir(), \"restored_folder\")\n\tfolderName := filepath.Base(mappedPath)\n\trole := getTestRole()\n\trole.ID = 1\n\trole.Name = \"test_restored_role\"\n\tgroup := getTestGroup()\n\tgroup.ID = 1\n\tgroup.Name = \"test_group_restored\"\n\tuser := getTestUser()\n\tuser.ID = 1\n\tuser.Username = \"test_user_restored\"\n\tuser.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: group.Name,\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t}\n\tuser.Role = role.Name\n\tadmin := getTestAdmin()\n\tadmin.ID = 1\n\tadmin.Username = \"test_admin_restored\"\n\tadmin.Permissions = []string{dataprovider.PermAdminAddUsers, dataprovider.PermAdminChangeUsers,\n\t\tdataprovider.PermAdminDeleteUsers, dataprovider.PermAdminViewUsers}\n\tadmin.Role = role.Name\n\tbackupData := dataprovider.BackupData{\n\t\tVersion: dataprovider.DumpVersion,\n\t}\n\tbackupData.Users = append(backupData.Users, user)\n\tbackupData.Groups = append(backupData.Groups, group)\n\tbackupData.Admins = append(backupData.Admins, admin)\n\tbackupData.Roles = append(backupData.Roles, role)\n\tbackupData.Folders = []vfs.BaseVirtualFolder{\n\t\t{\n\t\t\tName: folderName,\n\t\t\tMappedPath: mappedPath,\n\t\t\tUsedQuotaSize: 123,\n\t\t\tUsedQuotaFiles: 456,\n\t\t\tLastQuotaUpdate: 789,\n\t\t\tUsers: []string{\"user\"},\n\t\t},\n\t\t{\n\t\t\tName: folderName,\n\t\t\tMappedPath: mappedPath + \"1\",\n\t\t},\n\t}\n\tbackupData.APIKeys = append(backupData.APIKeys, dataprovider.APIKey{})\n\tbackupData.Shares = append(backupData.Shares, dataprovider.Share{})\n\tbackupContent, err := json.Marshal(backupData)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.LoaddataFromPostBody(nil, \"0\", \"0\", http.StatusBadRequest)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.LoaddataFromPostBody(backupContent, \"a\", \"0\", http.StatusBadRequest)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.LoaddataFromPostBody([]byte(\"invalid content\"), \"0\", \"0\", http.StatusBadRequest)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.LoaddataFromPostBody(backupContent, \"0\", \"0\", http.StatusInternalServerError)\n\tassert.NoError(t, err)\n\n\tkeyID := util.GenerateUniqueID()\n\tbackupData.APIKeys = []dataprovider.APIKey{\n\t\t{\n\t\t\tName: \"test key\",\n\t\t\tScope: dataprovider.APIKeyScopeAdmin,\n\t\t\tKeyID: keyID,\n\t\t\tKey: fmt.Sprintf(\"%v.%v\", util.GenerateUniqueID(), util.GenerateUniqueID()),\n\t\t},\n\t}\n\tbackupData.Shares = []dataprovider.Share{\n\t\t{\n\t\t\tShareID: keyID,\n\t\t\tName: keyID,\n\t\t\tScope: dataprovider.ShareScopeWrite,\n\t\t\tPaths: []string{\"/\"},\n\t\t\tUsername: user.Username,\n\t\t},\n\t}\n\tbackupContent, err = json.Marshal(backupData)\n\tassert.NoError(t, err)\n\t_, resp, err := httpdtest.LoaddataFromPostBody(backupContent, \"0\", \"0\", http.StatusOK)\n\tassert.NoError(t, err, string(resp))\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, role.Name, user.Role)\n\tif assert.Len(t, user.Groups, 1) {\n\t\tassert.Equal(t, sdk.GroupTypePrimary, user.Groups[0].Type)\n\t\tassert.Equal(t, group.Name, user.Groups[0].Name)\n\t}\n\trole, _, err = httpdtest.GetRoleByName(role.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, role.Admins, 1)\n\tassert.Len(t, role.Users, 1)\n\t_, err = dataprovider.ShareExists(keyID, user.Username)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tgroup, _, err = httpdtest.GetGroupByName(group.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tadmin, _, err = httpdtest.GetAdminByUsername(admin.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, role.Name, admin.Role)\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\trole, _, err = httpdtest.GetRoleByName(role.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, role.Admins, 0)\n\tassert.Len(t, role.Users, 0)\n\t_, err = httpdtest.RemoveRole(role, http.StatusOK)\n\tassert.NoError(t, err)\n\tapiKey, _, err := httpdtest.GetAPIKeyByID(keyID, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveAPIKey(apiKey, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tfolder, _, err := httpdtest.GetFolderByName(folderName, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, mappedPath+\"1\", folder.MappedPath)\n\tassert.Equal(t, int64(123), folder.UsedQuotaSize)\n\tassert.Equal(t, 456, folder.UsedQuotaFiles)\n\tassert.Equal(t, int64(789), folder.LastQuotaUpdate)\n\tassert.Len(t, folder.Users, 0)\n\t_, err = httpdtest.RemoveFolder(folder, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestLoaddata(t *testing.T) {\n\terr := dataprovider.UpdateConfigs(nil, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tmappedPath := filepath.Join(os.TempDir(), \"restored_folder\")\n\tfolderName := filepath.Base(mappedPath)\n\tfolderDesc := \"restored folder desc\"\n\tuser := getTestUser()\n\tuser.ID = 1\n\tuser.Username = \"test_user_restore\"\n\tuser.VirtualFolders = append(user.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: \"/vuserpath\",\n\t})\n\tgroup := getTestGroup()\n\tgroup.ID = 1\n\tgroup.Name = \"test_group_restore\"\n\tgroup.VirtualFolders = append(group.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: \"/vgrouppath\",\n\t})\n\trole := getTestRole()\n\trole.ID = 1\n\trole.Name = \"test_role_restore\"\n\tuser.Groups = append(user.Groups, sdk.GroupMapping{\n\t\tName: group.Name,\n\t\tType: sdk.GroupTypePrimary,\n\t})\n\tadmin := getTestAdmin()\n\tadmin.ID = 1\n\tadmin.Username = \"test_admin_restore\"\n\tadmin.Groups = []dataprovider.AdminGroupMapping{\n\t\t{\n\t\t\tName: group.Name,\n\t\t},\n\t}\n\tipListEntry := dataprovider.IPListEntry{\n\t\tIPOrNet: \"172.16.2.4/32\",\n\t\tDescription: \"entry desc\",\n\t\tType: dataprovider.IPListTypeDefender,\n\t\tMode: dataprovider.ListModeDeny,\n\t\tProtocols: 3,\n\t}\n\tapiKey := dataprovider.APIKey{\n\t\tName: util.GenerateUniqueID(),\n\t\tScope: dataprovider.APIKeyScopeAdmin,\n\t\tKeyID: util.GenerateUniqueID(),\n\t\tKey: fmt.Sprintf(\"%v.%v\", util.GenerateUniqueID(), util.GenerateUniqueID()),\n\t}\n\tshare := dataprovider.Share{\n\t\tShareID: util.GenerateUniqueID(),\n\t\tName: util.GenerateUniqueID(),\n\t\tScope: dataprovider.ShareScopeRead,\n\t\tPaths: []string{\"/\"},\n\t\tUsername: user.Username,\n\t}\n\taction := dataprovider.BaseEventAction{\n\t\tID: 81,\n\t\tName: \"test_restore_action\",\n\t\tType: dataprovider.ActionTypeHTTP,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tHTTPConfig: dataprovider.EventActionHTTPConfig{\n\t\t\t\tEndpoint: \"https://localhost:4567/action\",\n\t\t\t\tUsername: defaultUsername,\n\t\t\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t\t\t\tTimeout: 10,\n\t\t\t\tSkipTLSVerify: true,\n\t\t\t\tMethod: http.MethodPost,\n\t\t\t\tBody: `{\"event\":\"{{.Event}}\",\"name\":\"{{.Name}}\"}`,\n\t\t\t},\n\t\t},\n\t}\n\trule := dataprovider.EventRule{\n\t\tID: 100,\n\t\tName: \"test_rule_restore\",\n\t\tDescription: \"\",\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"download\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t},\n\t}\n\tconfigs := dataprovider.Configs{\n\t\tSFTPD: &dataprovider.SFTPDConfigs{\n\t\t\tHostKeyAlgos: []string{ssh.KeyAlgoRSA, ssh.CertAlgoRSAv01},\n\t\t\tPublicKeyAlgos: []string{ssh.InsecureKeyAlgoDSA}, //nolint:staticcheck\n\t\t},\n\t\tSMTP: &dataprovider.SMTPConfigs{\n\t\t\tHost: \"mail.example.com\",\n\t\t\tPort: 587,\n\t\t\tFrom: \"from@example.net\",\n\t\t},\n\t}\n\tbackupData := dataprovider.BackupData{\n\t\tVersion: 14,\n\t}\n\tbackupData.Configs = &configs\n\tbackupData.Users = append(backupData.Users, user)\n\tbackupData.Roles = append(backupData.Roles, role)\n\tbackupData.Groups = append(backupData.Groups, group)\n\tbackupData.Admins = append(backupData.Admins, admin)\n\tbackupData.Folders = []vfs.BaseVirtualFolder{\n\t\t{\n\t\t\tName: folderName,\n\t\t\tMappedPath: mappedPath + \"1\",\n\t\t\tUsedQuotaSize: 123,\n\t\t\tUsedQuotaFiles: 456,\n\t\t\tLastQuotaUpdate: 789,\n\t\t\tUsers: []string{\"user\"},\n\t\t},\n\t\t{\n\t\t\tMappedPath: mappedPath,\n\t\t\tName: folderName,\n\t\t\tDescription: folderDesc,\n\t\t},\n\t}\n\tbackupData.APIKeys = append(backupData.APIKeys, apiKey)\n\tbackupData.Shares = append(backupData.Shares, share)\n\tbackupData.EventActions = append(backupData.EventActions, action)\n\tbackupData.EventRules = append(backupData.EventRules, rule)\n\tbackupData.IPLists = append(backupData.IPLists, ipListEntry)\n\tbackupContent, err := json.Marshal(backupData)\n\tassert.NoError(t, err)\n\tbackupFilePath := filepath.Join(backupsPath, \"backup.json\")\n\terr = os.WriteFile(backupFilePath, backupContent, os.ModePerm)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.Loaddata(backupFilePath, \"a\", \"\", http.StatusBadRequest)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.Loaddata(backupFilePath, \"\", \"a\", http.StatusBadRequest)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.Loaddata(\"backup.json\", \"1\", \"\", http.StatusBadRequest)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.Loaddata(backupFilePath+\"a\", \"1\", \"\", http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tif runtime.GOOS != osWindows {\n\t\terr = os.Chmod(backupFilePath, 0111)\n\t\tassert.NoError(t, err)\n\t\t_, _, err = httpdtest.Loaddata(backupFilePath, \"1\", \"\", http.StatusBadRequest)\n\t\tassert.NoError(t, err)\n\t\terr = os.Chmod(backupFilePath, 0644)\n\t\tassert.NoError(t, err)\n\t}\n\t// add objects from backup\n\t_, resp, err := httpdtest.Loaddata(backupFilePath, \"1\", \"\", http.StatusOK)\n\tassert.NoError(t, err, string(resp))\n\t// update from backup\n\t_, _, err = httpdtest.Loaddata(backupFilePath, \"2\", \"\", http.StatusOK)\n\tassert.NoError(t, err)\n\tconfigsGet, err := dataprovider.GetConfigs()\n\tassert.NoError(t, err)\n\tassert.Equal(t, configs.SMTP, configsGet.SMTP)\n\tassert.Equal(t, []string{ssh.KeyAlgoRSA}, configsGet.SFTPD.HostKeyAlgos)\n\tassert.Equal(t, []string{ssh.InsecureKeyAlgoDSA}, configsGet.SFTPD.PublicKeyAlgos) //nolint:staticcheck\n\tassert.Len(t, configsGet.SFTPD.KexAlgorithms, 0)\n\tassert.Len(t, configsGet.SFTPD.Ciphers, 0)\n\tassert.Len(t, configsGet.SFTPD.MACs, 0)\n\tassert.Greater(t, configsGet.UpdatedAt, int64(0))\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, user.VirtualFolders, 1)\n\tassert.Len(t, user.Groups, 1)\n\t_, err = dataprovider.ShareExists(share.ShareID, user.Username)\n\tassert.NoError(t, err)\n\n\trole, _, err = httpdtest.GetRoleByName(role.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tgroup, _, err = httpdtest.GetGroupByName(group.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, group.VirtualFolders, 1)\n\n\tadmin, _, err = httpdtest.GetAdminByUsername(admin.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, admin.Groups, 1)\n\n\tapiKey, _, err = httpdtest.GetAPIKeyByID(apiKey.KeyID, http.StatusOK)\n\tassert.NoError(t, err)\n\n\taction, _, err = httpdtest.GetEventActionByName(action.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tentry, _, err := httpdtest.GetIPListEntry(ipListEntry.IPOrNet, ipListEntry.Type, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Greater(t, entry.CreatedAt, int64(0))\n\tassert.Greater(t, entry.UpdatedAt, int64(0))\n\tassert.Equal(t, ipListEntry.Description, entry.Description)\n\tassert.Equal(t, ipListEntry.Protocols, entry.Protocols)\n\tassert.Equal(t, ipListEntry.Mode, entry.Mode)\n\n\trule, _, err = httpdtest.GetEventRuleByName(rule.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 1, rule.Status)\n\tif assert.Len(t, rule.Actions, 1) {\n\t\tif assert.NotNil(t, rule.Actions[0].BaseEventAction.Options.HTTPConfig.Password) {\n\t\t\tassert.Equal(t, sdkkms.SecretStatusSecretBox, rule.Actions[0].BaseEventAction.Options.HTTPConfig.Password.GetStatus())\n\t\t\tassert.NotEmpty(t, rule.Actions[0].BaseEventAction.Options.HTTPConfig.Password.GetPayload())\n\t\t\tassert.Empty(t, rule.Actions[0].BaseEventAction.Options.HTTPConfig.Password.GetKey())\n\t\t\tassert.Empty(t, rule.Actions[0].BaseEventAction.Options.HTTPConfig.Password.GetAdditionalData())\n\t\t}\n\t}\n\n\tresponse, _, err := httpdtest.Dumpdata(\"\", \"1\", \"0\", http.StatusOK)\n\tassert.NoError(t, err)\n\tvar dumpedData dataprovider.BackupData\n\tdata, err := json.Marshal(response)\n\tassert.NoError(t, err)\n\terr = json.Unmarshal(data, &dumpedData)\n\tassert.NoError(t, err)\n\tfound := false\n\tif assert.GreaterOrEqual(t, len(dumpedData.Users), 1) {\n\t\tfor _, u := range dumpedData.Users {\n\t\t\tif u.Username == user.Username {\n\t\t\t\tfound = true\n\t\t\t\tassert.Equal(t, len(user.VirtualFolders), len(u.VirtualFolders))\n\t\t\t\tassert.Equal(t, len(user.Groups), len(u.Groups))\n\t\t\t}\n\t\t}\n\t}\n\tassert.True(t, found)\n\tfound = false\n\tif assert.GreaterOrEqual(t, len(dumpedData.Admins), 1) {\n\t\tfor _, a := range dumpedData.Admins {\n\t\t\tif a.Username == admin.Username {\n\t\t\t\tfound = true\n\t\t\t\tassert.Equal(t, len(admin.Groups), len(a.Groups))\n\t\t\t}\n\t\t}\n\t}\n\tassert.True(t, found)\n\tif assert.Len(t, dumpedData.Groups, 1) {\n\t\tassert.Equal(t, len(group.VirtualFolders), len(dumpedData.Groups[0].VirtualFolders))\n\t}\n\tif assert.Len(t, dumpedData.EventActions, 1) {\n\t\tassert.Equal(t, action.Name, dumpedData.EventActions[0].Name)\n\t}\n\tif assert.Len(t, dumpedData.EventRules, 1) {\n\t\tassert.Equal(t, rule.Name, dumpedData.EventRules[0].Name)\n\t\tassert.Len(t, dumpedData.EventRules[0].Actions, 1)\n\t}\n\tfound = false\n\tfor _, r := range dumpedData.Roles {\n\t\tif r.Name == role.Name {\n\t\t\tfound = true\n\t\t}\n\t}\n\tassert.True(t, found)\n\tfolder, _, err := httpdtest.GetFolderByName(folderName, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, mappedPath, folder.MappedPath)\n\tassert.Equal(t, int64(123), folder.UsedQuotaSize)\n\tassert.Equal(t, 456, folder.UsedQuotaFiles)\n\tassert.Equal(t, int64(789), folder.LastQuotaUpdate)\n\tassert.Equal(t, folderDesc, folder.Description)\n\tassert.Len(t, folder.Users, 1)\n\tresponse, _, err = httpdtest.Dumpdata(\"\", \"1\", \"0\", http.StatusOK, dataprovider.DumpScopeUsers)\n\tassert.NoError(t, err)\n\tdumpedData = dataprovider.BackupData{}\n\tdata, err = json.Marshal(response)\n\tassert.NoError(t, err)\n\terr = json.Unmarshal(data, &dumpedData)\n\tassert.NoError(t, err)\n\tassert.Greater(t, len(dumpedData.Users), 0)\n\tassert.Len(t, dumpedData.Admins, 0)\n\tassert.Len(t, dumpedData.Folders, 0)\n\tassert.Len(t, dumpedData.Groups, 0)\n\tassert.Len(t, dumpedData.Roles, 0)\n\tassert.Len(t, dumpedData.EventRules, 0)\n\tassert.Len(t, dumpedData.EventActions, 0)\n\tassert.Len(t, dumpedData.IPLists, 0)\n\n\t_, err = httpdtest.RemoveFolder(folder, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveAPIKey(apiKey, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventRule(rule, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveRole(role, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveIPListEntry(entry, http.StatusOK)\n\tassert.NoError(t, err)\n\n\terr = os.Remove(backupFilePath)\n\tassert.NoError(t, err)\n\terr = createTestFile(backupFilePath, 20*1048576+1)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.Loaddata(backupFilePath, \"1\", \"0\", http.StatusBadRequest)\n\tassert.NoError(t, err)\n\terr = os.Remove(backupFilePath)\n\tassert.NoError(t, err)\n\terr = createTestFile(backupFilePath, 65535)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.Loaddata(backupFilePath, \"1\", \"0\", http.StatusBadRequest)\n\tassert.NoError(t, err)\n\terr = os.Remove(backupFilePath)\n\tassert.NoError(t, err)\n\terr = dataprovider.UpdateConfigs(nil, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n}\n\nfunc TestLoaddataConvertActions(t *testing.T) {\n\ta1 := dataprovider.BaseEventAction{\n\t\tName: xid.New().String(),\n\t\tType: dataprovider.ActionTypeEmail,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\t\tRecipients: []string{\"failure@example.com\"},\n\t\t\t\tSubject: `Failed \"{{Event}}\" from \"{{Name}}\"`,\n\t\t\t\tBody: \"Object name: {{ObjectName}} object type: {{ObjectType}}, IP: {{IP}}\",\n\t\t\t},\n\t\t},\n\t}\n\ta2 := dataprovider.BaseEventAction{\n\t\tName: xid.New().String(),\n\t\tType: dataprovider.ActionTypeFilesystem,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tFsConfig: dataprovider.EventActionFilesystemConfig{\n\t\t\t\tType: dataprovider.FilesystemActionRename,\n\t\t\t\tRenames: []dataprovider.RenameConfig{\n\t\t\t\t\t{\n\t\t\t\t\t\tKeyValue: dataprovider.KeyValue{\n\t\t\t\t\t\t\tKey: \"/{{VirtualDirPath}}/{{ObjectName}}\",\n\t\t\t\t\t\t\tValue: \"/{{ObjectName}}_renamed\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\tbackupData := dataprovider.BackupData{\n\t\tEventActions: []dataprovider.BaseEventAction{a1, a2},\n\t\tVersion: 16,\n\t}\n\tbackupContent, err := json.Marshal(backupData)\n\tassert.NoError(t, err)\n\tbackupFilePath := filepath.Join(backupsPath, \"backup.json\")\n\terr = os.WriteFile(backupFilePath, backupContent, os.ModePerm)\n\tassert.NoError(t, err)\n\t_, resp, err := httpdtest.Loaddata(backupFilePath, \"1\", \"2\", http.StatusOK)\n\tassert.NoError(t, err, string(resp))\n\t// Check that actions are migrated.\n\taction1, _, err := httpdtest.GetEventActionByName(a1.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\taction2, _, err := httpdtest.GetEventActionByName(a2.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, `Failed \"{{.Event}}\" from \"{{.Name}}\"`, action1.Options.EmailConfig.Subject)\n\tassert.Equal(t, `Object name: {{.ObjectName}} object type: {{.ObjectType}}, IP: {{.IP}}`, action1.Options.EmailConfig.Body)\n\tassert.Equal(t, `/{{.VirtualDirPath}}/{{.ObjectName}}`, action2.Options.FsConfig.Renames[0].Key)\n\tassert.Equal(t, `/{{.ObjectName}}_renamed`, action2.Options.FsConfig.Renames[0].Value)\n\t// If we restore a backup from the current version actions are not migrated.\n\tbackupData = dataprovider.BackupData{\n\t\tEventActions: []dataprovider.BaseEventAction{a1, a2},\n\t\tVersion: dataprovider.DumpVersion,\n\t}\n\tbackupContent, err = json.Marshal(backupData)\n\tassert.NoError(t, err)\n\tbackupFilePath = filepath.Join(backupsPath, \"backup.json\")\n\terr = os.WriteFile(backupFilePath, backupContent, os.ModePerm)\n\tassert.NoError(t, err)\n\t_, resp, err = httpdtest.Loaddata(backupFilePath, \"1\", \"2\", http.StatusOK)\n\tassert.NoError(t, err, string(resp))\n\taction1, _, err = httpdtest.GetEventActionByName(a1.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\taction2, _, err = httpdtest.GetEventActionByName(a2.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, `Failed \"{{Event}}\" from \"{{Name}}\"`, action1.Options.EmailConfig.Subject)\n\tassert.Equal(t, `Object name: {{ObjectName}} object type: {{ObjectType}}, IP: {{IP}}`, action1.Options.EmailConfig.Body)\n\tassert.Equal(t, `/{{VirtualDirPath}}/{{ObjectName}}`, action2.Options.FsConfig.Renames[0].Key)\n\tassert.Equal(t, `/{{ObjectName}}_renamed`, action2.Options.FsConfig.Renames[0].Value)\n\t// Cleanup.\n\t_, err = httpdtest.RemoveEventAction(action1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action2, http.StatusOK)\n\tassert.NoError(t, err)\n\tactions, _, err := httpdtest.GetEventActions(0, 0, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, actions, 0)\n}\n\nfunc TestLoaddataMode(t *testing.T) {\n\terr := dataprovider.UpdateConfigs(nil, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tmappedPath := filepath.Join(os.TempDir(), \"restored_fold\")\n\tfolderName := filepath.Base(mappedPath)\n\tconfigs := dataprovider.Configs{\n\t\tSFTPD: &dataprovider.SFTPDConfigs{\n\t\t\tPublicKeyAlgos: []string{ssh.KeyAlgoRSA},\n\t\t},\n\t}\n\trole := getTestRole()\n\trole.ID = 1\n\trole.Name = \"test_role_load\"\n\trole.Description = \"\"\n\tuser := getTestUser()\n\tuser.ID = 1\n\tuser.Username = \"test_user_restore\"\n\tuser.Role = role.Name\n\tgroup := getTestGroup()\n\tgroup.ID = 1\n\tgroup.Name = \"test_group_restore\"\n\tuser.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: group.Name,\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t}\n\tadmin := getTestAdmin()\n\tadmin.ID = 1\n\tadmin.Username = \"test_admin_restore\"\n\tapiKey := dataprovider.APIKey{\n\t\tName: util.GenerateUniqueID(),\n\t\tScope: dataprovider.APIKeyScopeAdmin,\n\t\tKeyID: util.GenerateUniqueID(),\n\t\tKey: fmt.Sprintf(\"%v.%v\", util.GenerateUniqueID(), util.GenerateUniqueID()),\n\t\tDescription: \"desc\",\n\t}\n\tshare := dataprovider.Share{\n\t\tShareID: util.GenerateUniqueID(),\n\t\tName: util.GenerateUniqueID(),\n\t\tScope: dataprovider.ShareScopeRead,\n\t\tPaths: []string{\"/\"},\n\t\tUsername: user.Username,\n\t}\n\taction := dataprovider.BaseEventAction{\n\t\tID: 81,\n\t\tName: \"test_restore_action_data_mode\",\n\t\tDescription: \"action desc\",\n\t\tType: dataprovider.ActionTypeHTTP,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tHTTPConfig: dataprovider.EventActionHTTPConfig{\n\t\t\t\tEndpoint: \"https://localhost:4567/mode\",\n\t\t\t\tUsername: defaultUsername,\n\t\t\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t\t\t\tTimeout: 10,\n\t\t\t\tSkipTLSVerify: true,\n\t\t\t\tMethod: http.MethodPost,\n\t\t\t\tBody: `{\"event\":\"{{.Event}}\",\"name\":\"{{.Name}}\"}`,\n\t\t\t},\n\t\t},\n\t}\n\trule := dataprovider.EventRule{\n\t\tID: 100,\n\t\tName: \"test_rule_restore_data_mode\",\n\t\tDescription: \"rule desc\",\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tFsEvents: []string{\"mkdir\"},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t},\n\t}\n\tipListEntry := dataprovider.IPListEntry{\n\t\tIPOrNet: \"10.8.3.9/32\",\n\t\tDescription: \"note\",\n\t\tType: dataprovider.IPListTypeDefender,\n\t\tMode: dataprovider.ListModeDeny,\n\t\tProtocols: 7,\n\t}\n\tbackupData := dataprovider.BackupData{\n\t\tVersion: dataprovider.DumpVersion,\n\t}\n\tbackupData.Configs = &configs\n\tbackupData.Users = append(backupData.Users, user)\n\tbackupData.Groups = append(backupData.Groups, group)\n\tbackupData.Admins = append(backupData.Admins, admin)\n\tbackupData.EventActions = append(backupData.EventActions, action)\n\tbackupData.EventRules = append(backupData.EventRules, rule)\n\tbackupData.Roles = append(backupData.Roles, role)\n\tbackupData.Folders = []vfs.BaseVirtualFolder{\n\t\t{\n\t\t\tName: folderName,\n\t\t\tMappedPath: mappedPath,\n\t\t\tUsedQuotaSize: 123,\n\t\t\tUsedQuotaFiles: 456,\n\t\t\tLastQuotaUpdate: 789,\n\t\t\tUsers: []string{\"user\"},\n\t\t},\n\t\t{\n\t\t\tMappedPath: mappedPath + \"1\",\n\t\t\tName: folderName,\n\t\t},\n\t}\n\tbackupData.APIKeys = append(backupData.APIKeys, apiKey)\n\tbackupData.Shares = append(backupData.Shares, share)\n\tbackupData.IPLists = append(backupData.IPLists, ipListEntry)\n\tbackupContent, _ := json.Marshal(backupData)\n\tbackupFilePath := filepath.Join(backupsPath, \"backup.json\")\n\terr = os.WriteFile(backupFilePath, backupContent, os.ModePerm)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.Loaddata(backupFilePath, \"0\", \"0\", http.StatusOK)\n\tassert.NoError(t, err)\n\tconfigs, err = dataprovider.GetConfigs()\n\tassert.NoError(t, err)\n\tassert.Len(t, configs.SFTPD.PublicKeyAlgos, 1)\n\tfolder, _, err := httpdtest.GetFolderByName(folderName, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, mappedPath+\"1\", folder.MappedPath)\n\tassert.Equal(t, int64(123), folder.UsedQuotaSize)\n\tassert.Equal(t, 456, folder.UsedQuotaFiles)\n\tassert.Equal(t, int64(789), folder.LastQuotaUpdate)\n\tassert.Len(t, folder.Users, 0)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, role.Name, user.Role)\n\toldUploadBandwidth := user.UploadBandwidth\n\tuser.UploadBandwidth = oldUploadBandwidth + 128\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\trole, _, err = httpdtest.GetRoleByName(role.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, role.Users, 1)\n\tassert.Len(t, role.Admins, 0)\n\tassert.Empty(t, role.Description)\n\trole.Description = \"role desc\"\n\t_, _, err = httpdtest.UpdateRole(role, http.StatusOK)\n\tassert.NoError(t, err)\n\trole.Description = \"\"\n\tgroup, _, err = httpdtest.GetGroupByName(group.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, group.Users, 1)\n\toldGroupDesc := group.Description\n\tgroup.Description = \"new group description\"\n\tgroup, _, err = httpdtest.UpdateGroup(group, http.StatusOK)\n\tassert.NoError(t, err)\n\tadmin, _, err = httpdtest.GetAdminByUsername(admin.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\toldInfo := admin.AdditionalInfo\n\toldDesc := admin.Description\n\tadmin.AdditionalInfo = \"newInfo\"\n\tadmin.Description = \"newDesc\"\n\tadmin, _, err = httpdtest.UpdateAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\tapiKey, _, err = httpdtest.GetAPIKeyByID(apiKey.KeyID, http.StatusOK)\n\tassert.NoError(t, err)\n\toldAPIKeyDesc := apiKey.Description\n\tapiKey.ExpiresAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\tapiKey.Description = \"new desc\"\n\tapiKey, _, err = httpdtest.UpdateAPIKey(apiKey, http.StatusOK)\n\tassert.NoError(t, err)\n\tshare.Description = \"test desc\"\n\terr = dataprovider.UpdateShare(&share, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\taction, _, err = httpdtest.GetEventActionByName(action.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\toldActionDesc := action.Description\n\taction.Description = \"new action description\"\n\taction, _, err = httpdtest.UpdateEventAction(action, http.StatusOK)\n\tassert.NoError(t, err)\n\n\trule, _, err = httpdtest.GetEventRuleByName(rule.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, rule.Status)\n\toldRuleDesc := rule.Description\n\trule.Description = \"new rule description\"\n\trule, _, err = httpdtest.UpdateEventRule(rule, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tentry, _, err := httpdtest.GetIPListEntry(ipListEntry.IPOrNet, ipListEntry.Type, http.StatusOK)\n\tassert.NoError(t, err)\n\toldEntryDesc := entry.Description\n\tentry.Description = \"new note\"\n\tentry, _, err = httpdtest.UpdateIPListEntry(entry, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tconfigs.SFTPD.PublicKeyAlgos = append(configs.SFTPD.PublicKeyAlgos, ssh.InsecureKeyAlgoDSA) //nolint:staticcheck\n\terr = dataprovider.UpdateConfigs(&configs, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tbackupData.Configs = &configs\n\tbackupData.Folders = []vfs.BaseVirtualFolder{\n\t\t{\n\t\t\tMappedPath: mappedPath,\n\t\t\tName: folderName,\n\t\t},\n\t}\n\t_, _, err = httpdtest.Loaddata(backupFilePath, \"0\", \"1\", http.StatusOK)\n\tassert.NoError(t, err)\n\tconfigs, err = dataprovider.GetConfigs()\n\tassert.NoError(t, err)\n\tassert.Len(t, configs.SFTPD.PublicKeyAlgos, 2)\n\tgroup, _, err = httpdtest.GetGroupByName(group.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.NotEqual(t, oldGroupDesc, group.Description)\n\tfolder, _, err = httpdtest.GetFolderByName(folderName, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, mappedPath+\"1\", folder.MappedPath)\n\tassert.Equal(t, int64(123), folder.UsedQuotaSize)\n\tassert.Equal(t, 456, folder.UsedQuotaFiles)\n\tassert.Equal(t, int64(789), folder.LastQuotaUpdate)\n\tassert.Len(t, folder.Users, 0)\n\taction, _, err = httpdtest.GetEventActionByName(action.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.NotEqual(t, oldActionDesc, action.Description)\n\trule, _, err = httpdtest.GetEventRuleByName(rule.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.NotEqual(t, oldRuleDesc, rule.Description)\n\tentry, _, err = httpdtest.GetIPListEntry(ipListEntry.IPOrNet, ipListEntry.Type, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.NotEqual(t, oldEntryDesc, entry.Description)\n\n\tc := common.NewBaseConnection(\"connID\", common.ProtocolFTP, \"\", \"\", user)\n\tfakeConn := &fakeConnection{\n\t\tBaseConnection: c,\n\t}\n\terr = common.Connections.Add(fakeConn)\n\tassert.NoError(t, err)\n\tassert.Len(t, common.Connections.GetStats(\"\"), 1)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.NotEqual(t, oldUploadBandwidth, user.UploadBandwidth)\n\tadmin, _, err = httpdtest.GetAdminByUsername(admin.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.NotEqual(t, oldInfo, admin.AdditionalInfo)\n\tassert.NotEqual(t, oldDesc, admin.Description)\n\n\tapiKey, _, err = httpdtest.GetAPIKeyByID(apiKey.KeyID, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.NotEqual(t, int64(0), apiKey.ExpiresAt)\n\tassert.NotEqual(t, oldAPIKeyDesc, apiKey.Description)\n\n\tshare, err = dataprovider.ShareExists(share.ShareID, user.Username)\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, share.Description)\n\n\trole, _, err = httpdtest.GetRoleByName(role.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, role.Users, 1)\n\tassert.Len(t, role.Admins, 0)\n\tassert.NotEmpty(t, role.Description)\n\n\t_, _, err = httpdtest.Loaddata(backupFilePath, \"0\", \"2\", http.StatusOK)\n\tassert.NoError(t, err)\n\t// mode 2 will update the user and close the previous connection\n\tassert.Len(t, common.Connections.GetStats(\"\"), 0)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, oldUploadBandwidth, user.UploadBandwidth)\n\tconfigs, err = dataprovider.GetConfigs()\n\tassert.NoError(t, err)\n\tassert.Len(t, configs.SFTPD.PublicKeyAlgos, 1)\n\t// the group is referenced\n\t_, err = httpdtest.RemoveGroup(group, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(folder, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveAPIKey(apiKey, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventRule(rule, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveRole(role, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveIPListEntry(entry, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.Remove(backupFilePath)\n\tassert.NoError(t, err)\n\terr = dataprovider.UpdateConfigs(nil, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n}\n\nfunc TestRateLimiter(t *testing.T) {\n\toldConfig := config.GetCommonConfig()\n\n\tcfg := config.GetCommonConfig()\n\tcfg.RateLimitersConfig = []common.RateLimiterConfig{\n\t\t{\n\t\t\tAverage: 1,\n\t\t\tPeriod: 1000,\n\t\t\tBurst: 1,\n\t\t\tType: 1,\n\t\t\tProtocols: []string{common.ProtocolHTTP},\n\t\t},\n\t}\n\n\terr := common.Initialize(cfg, 0)\n\tassert.NoError(t, err)\n\n\tclient := &http.Client{\n\t\tTimeout: 5 * time.Second,\n\t}\n\tresp, err := client.Get(httpBaseURL + healthzPath)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusOK, resp.StatusCode)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\tresp, err = client.Get(httpBaseURL + healthzPath)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusTooManyRequests, resp.StatusCode)\n\tassert.Equal(t, \"1\", resp.Header.Get(\"Retry-After\"))\n\tassert.NotEmpty(t, resp.Header.Get(\"X-Retry-In\"))\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\tresp, err = client.Get(httpBaseURL + webLoginPath)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusTooManyRequests, resp.StatusCode)\n\tassert.Equal(t, \"1\", resp.Header.Get(\"Retry-After\"))\n\tassert.NotEmpty(t, resp.Header.Get(\"X-Retry-In\"))\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\tresp, err = client.Get(httpBaseURL + webClientLoginPath)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusTooManyRequests, resp.StatusCode)\n\tassert.Equal(t, \"1\", resp.Header.Get(\"Retry-After\"))\n\tassert.NotEmpty(t, resp.Header.Get(\"X-Retry-In\"))\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\terr = common.Initialize(oldConfig, 0)\n\tassert.NoError(t, err)\n}\n\nfunc TestHTTPSConnection(t *testing.T) {\n\tclient := &http.Client{\n\t\tTimeout: 5 * time.Second,\n\t}\n\tresp, err := client.Get(\"https://localhost:8443\" + healthzPath)\n\tif assert.Error(t, err) {\n\t\tif !strings.Contains(err.Error(), \"certificate is not valid\") &&\n\t\t\t!strings.Contains(err.Error(), \"certificate signed by unknown authority\") &&\n\t\t\t!strings.Contains(err.Error(), \"certificate is not standards compliant\") {\n\t\t\tassert.Fail(t, err.Error())\n\t\t}\n\t} else {\n\t\tresp.Body.Close()\n\t}\n}\n\n// test using mock http server\n\nfunc TestBasicUserHandlingMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tuser := getTestUser()\n\tuserAsJSON := getUserAsJSON(t, user)\n\treq, err := http.NewRequest(http.MethodPost, userPath, bytes.NewBuffer(userAsJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\terr = render.DecodeJSON(rr.Body, &user)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userPath, bytes.NewBuffer(userAsJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusConflict, rr)\n\tuser.MaxSessions = 10\n\tuser.UploadBandwidth = 128\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny, dataprovider.PermDelete, dataprovider.PermDownload}\n\tuserAsJSON = getUserAsJSON(t, user)\n\treq, _ = http.NewRequest(http.MethodPut, userPath+\"/\"+user.Username, bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, userPath+\"/\"+user.Username, nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tvar updatedUser dataprovider.User\n\terr = render.DecodeJSON(rr.Body, &updatedUser)\n\tassert.NoError(t, err)\n\tassert.Equal(t, user.MaxSessions, updatedUser.MaxSessions)\n\tassert.Equal(t, user.UploadBandwidth, updatedUser.UploadBandwidth)\n\tassert.Equal(t, 1, len(updatedUser.Permissions[\"/\"]))\n\tassert.True(t, slices.Contains(updatedUser.Permissions[\"/\"], dataprovider.PermAny))\n\treq, _ = http.NewRequest(http.MethodDelete, userPath+\"/\"+user.Username, nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestAddUserNoUsernameMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tuser := getTestUser()\n\tuser.Username = \"\"\n\tuserAsJSON := getUserAsJSON(t, user)\n\treq, _ := http.NewRequest(http.MethodPost, userPath, bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n}\n\nfunc TestAddUserInvalidHomeDirMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tuser := getTestUser()\n\tuser.HomeDir = \"relative_path\"\n\tuserAsJSON := getUserAsJSON(t, user)\n\treq, _ := http.NewRequest(http.MethodPost, userPath, bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n}\n\nfunc TestAddUserInvalidPermsMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tuser := getTestUser()\n\tuser.Permissions[\"/\"] = []string{}\n\tuserAsJSON := getUserAsJSON(t, user)\n\treq, _ := http.NewRequest(http.MethodPost, userPath, bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n}\n\nfunc TestAddFolderInvalidJsonMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodPost, folderPath, bytes.NewBuffer([]byte(\"invalid json\")))\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n}\n\nfunc TestAddEventRuleInvalidJsonMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, eventActionsPath, bytes.NewBuffer([]byte(\"invalid json\")))\n\trequire.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\treq, err = http.NewRequest(http.MethodPost, eventRulesPath, bytes.NewBuffer([]byte(\"invalid json\")))\n\trequire.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n}\n\nfunc TestAddRoleInvalidJsonMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodPost, rolesPath, bytes.NewBuffer([]byte(\"{\")))\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n}\n\nfunc TestIPListEntriesErrorsMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodGet, ipListsPath+\"/a/b\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"invalid list type\")\n\treq, err = http.NewRequest(http.MethodGet, ipListsPath+\"/invalid\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"invalid list type\")\n\n\treqBody := bytes.NewBuffer([]byte(\"{\"))\n\treq, err = http.NewRequest(http.MethodPost, ipListsPath+\"/2\", reqBody)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\tentry := dataprovider.IPListEntry{\n\t\tIPOrNet: \"172.120.1.1/32\",\n\t\tType: dataprovider.IPListTypeAllowList,\n\t\tMode: dataprovider.ListModeAllow,\n\t\tProtocols: 0,\n\t}\n\t_, _, err = httpdtest.AddIPListEntry(entry, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodPut, path.Join(ipListsPath, \"1\", url.PathEscape(entry.IPOrNet)), reqBody)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\t_, err = httpdtest.RemoveIPListEntry(entry, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestRoleErrorsMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treqBody := bytes.NewBuffer([]byte(\"{\"))\n\treq, err := http.NewRequest(http.MethodGet, rolesPath+\"?limit=a\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\trole, _, err := httpdtest.AddRole(getTestRole(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodPut, path.Join(rolesPath, role.Name), reqBody)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodPut, path.Join(rolesPath, \"missing_role\"), reqBody)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\t_, err = httpdtest.RemoveRole(role, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveRole(role, http.StatusNotFound)\n\tassert.NoError(t, err)\n}\n\nfunc TestEventRuleErrorsMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treqBody := bytes.NewBuffer([]byte(\"invalid json body\"))\n\n\treq, err := http.NewRequest(http.MethodGet, eventActionsPath+\"?limit=b\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, eventRulesPath+\"?limit=c\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\ta := dataprovider.BaseEventAction{\n\t\tName: \"action_name\",\n\t\tDescription: \"test description\",\n\t\tType: dataprovider.ActionTypeBackup,\n\t\tOptions: dataprovider.BaseEventActionOptions{},\n\t}\n\taction, _, err := httpdtest.AddEventAction(a, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodPut, path.Join(eventActionsPath, action.Name), reqBody)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\tr := dataprovider.EventRule{\n\t\tName: \"test_event_rule\",\n\t\tTrigger: dataprovider.EventTriggerSchedule,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tSchedules: []dataprovider.Schedule{\n\t\t\t\t{\n\t\t\t\t\tHours: \"2\",\n\t\t\t\t\tDayOfWeek: \"*\",\n\t\t\t\t\tDayOfMonth: \"*\",\n\t\t\t\t\tMonth: \"*\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t},\n\t}\n\trule, _, err := httpdtest.AddEventRule(r, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodPut, path.Join(eventRulesPath, rule.Name), reqBody)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\trule.Actions[0].Name = \"misssing action name\"\n\tasJSON, err := json.Marshal(rule)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, path.Join(eventRulesPath, rule.Name), bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\n\t_, err = httpdtest.RemoveEventRule(rule, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveEventAction(action, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestGroupErrorsMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treqBody := bytes.NewBuffer([]byte(\"not a json string\"))\n\n\treq, err := http.NewRequest(http.MethodPost, groupPath, reqBody)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, groupPath+\"?limit=d\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\tgroup, _, err := httpdtest.AddGroup(getTestGroup(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodPut, path.Join(groupPath, group.Name), reqBody)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\t_, err = httpdtest.RemoveGroup(group, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestUpdateFolderInvalidJsonMock(t *testing.T) {\n\tfolder := vfs.BaseVirtualFolder{\n\t\tName: \"name\",\n\t\tMappedPath: filepath.Clean(os.TempDir()),\n\t}\n\tfolder, resp, err := httpdtest.AddFolder(folder, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodPut, path.Join(folderPath, folder.Name), bytes.NewBuffer([]byte(\"not a json\")))\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\t_, err = httpdtest.RemoveFolder(folder, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestAddUserInvalidJsonMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodPost, userPath, bytes.NewBuffer([]byte(\"invalid json\")))\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n}\n\nfunc TestAddAdminInvalidJsonMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodPost, adminPath, bytes.NewBuffer([]byte(\"...\")))\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n}\n\nfunc TestAddAdminNoPasswordMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tadmin := getTestAdmin()\n\tadmin.Password = \"\"\n\tasJSON, err := json.Marshal(admin)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodPost, adminPath, bytes.NewBuffer(asJSON))\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"please set a password\")\n}\n\nfunc TestAdminTwoFactorLogin(t *testing.T) {\n\tadmin := getTestAdmin()\n\tadmin.Username = altAdminUsername\n\tadmin.Password = altAdminPassword\n\tadmin, _, err := httpdtest.AddAdmin(admin, http.StatusCreated)\n\tassert.NoError(t, err)\n\tadmin1 := getTestAdmin()\n\tadmin1.Username = altAdminUsername + \"1\"\n\tadmin1.Password = altAdminPassword\n\tvar permissions []string\n\tfor _, p := range admin1.GetValidPerms() {\n\t\tif p != dataprovider.PermAdminAny && p != dataprovider.PermAdminDisableMFA {\n\t\t\tpermissions = append(permissions, p)\n\t\t}\n\t}\n\tadmin1.Permissions = permissions\n\tadmin1, _, err = httpdtest.AddAdmin(admin1, http.StatusCreated)\n\tassert.NoError(t, err)\n\t// enable two factor authentication\n\tconfigName, key, _, err := mfa.GenerateTOTPSecret(mfa.GetAvailableTOTPConfigNames()[0], admin.Username)\n\tassert.NoError(t, err)\n\taltToken, err := getJWTAPITokenFromTestServer(altAdminUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\tadminTOTPConfig := dataprovider.AdminTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: kms.NewPlainSecret(key.Secret()),\n\t}\n\tasJSON, err := json.Marshal(adminTOTPConfig)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, adminTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, altToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tadmin, _, err = httpdtest.GetAdminByUsername(admin.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, admin.Filters.TOTPConfig.Enabled)\n\n\treq, err = http.NewRequest(http.MethodGet, admin2FARecoveryCodesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar recCodes []recoveryCode\n\terr = json.Unmarshal(rr.Body.Bytes(), &recCodes)\n\tassert.NoError(t, err)\n\tassert.Len(t, recCodes, 12)\n\n\tadmin, _, err = httpdtest.GetAdminByUsername(altAdminUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, admin.Filters.RecoveryCodes, 12)\n\tfor _, c := range admin.Filters.RecoveryCodes {\n\t\tassert.Empty(t, c.Secret.GetAdditionalData())\n\t\tassert.Empty(t, c.Secret.GetKey())\n\t\tassert.Equal(t, sdkkms.SecretStatusSecretBox, c.Secret.GetStatus())\n\t\tassert.NotEmpty(t, c.Secret.GetPayload())\n\t}\n\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodGet, webAdminTwoFactorPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webAdminTwoFactorRecoveryPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, webAdminTwoFactorPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, webAdminTwoFactorRecoveryPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\tloginCookie, csrfToken, err := getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform := getLoginForm(altAdminUsername, altAdminPassword, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webAdminTwoFactorPath, rr.Header().Get(\"Location\"))\n\tcookie, err := getCookieFromResponse(rr)\n\tassert.NoError(t, err)\n\n\t// without a cookie\n\treq, err = http.NewRequest(http.MethodGet, webAdminTwoFactorRecoveryPath, nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webAdminTwoFactorPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webAdminTwoFactorRecoveryPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\t// any other page will be redirected to the two factor auth page\n\treq, err = http.NewRequest(http.MethodGet, webUsersPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webAdminTwoFactorPath, rr.Header().Get(\"Location\"))\n\t// a partial token cannot be used for user pages\n\treq, err = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\n\tpasscode, err := generateTOTPPasscode(key.Secret())\n\tassert.NoError(t, err)\n\tform = make(url.Values)\n\tform.Set(\"passcode\", passcode)\n\t// no csrf\n\treq, err = http.NewRequest(http.MethodPost, webAdminTwoFactorPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\tcsrfToken, err = getCSRFTokenFromInternalPageMock(webAdminTwoFactorRecoveryPath, cookie)\n\tassert.NoError(t, err)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"passcode\", \"invalid_passcode\")\n\treq, err = http.NewRequest(http.MethodPost, webAdminTwoFactorPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCredentials)\n\n\tform.Set(\"passcode\", \"\")\n\treq, err = http.NewRequest(http.MethodPost, webAdminTwoFactorPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCredentials)\n\n\tform.Set(\"passcode\", passcode)\n\treq, err = http.NewRequest(http.MethodPost, webAdminTwoFactorPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webUsersPath, rr.Header().Get(\"Location\"))\n\t// the same cookie cannot be reused\n\treq, err = http.NewRequest(http.MethodPost, webAdminTwoFactorPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusNotFound, rr.Code)\n\t// get a new cookie and login using a recovery code\n\tloginCookie, csrfToken, err = getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform = getLoginForm(altAdminUsername, altAdminPassword, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webAdminTwoFactorPath, rr.Header().Get(\"Location\"))\n\tcookie, err = getCookieFromResponse(rr)\n\tassert.NoError(t, err)\n\n\tform = make(url.Values)\n\trecoveryCode := recCodes[0].Code\n\tform.Set(\"recovery_code\", recoveryCode)\n\t// no csrf\n\treq, err = http.NewRequest(http.MethodPost, webAdminTwoFactorRecoveryPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\tcsrfToken, err = getCSRFTokenFromInternalPageMock(webAdminTwoFactorRecoveryPath, cookie)\n\tassert.NoError(t, err)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"recovery_code\", \"\")\n\treq, err = http.NewRequest(http.MethodPost, webAdminTwoFactorRecoveryPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCredentials)\n\n\tform.Set(\"recovery_code\", recoveryCode)\n\treq, err = http.NewRequest(http.MethodPost, webAdminTwoFactorRecoveryPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webUsersPath, rr.Header().Get(\"Location\"))\n\tauthenticatedCookie, err := getCookieFromResponse(rr)\n\tassert.NoError(t, err)\n\t//render MFA page\n\treq, err = http.NewRequest(http.MethodGet, webAdminMFAPath, nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, authenticatedCookie)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// check that the recovery code was marked as used\n\treq, err = http.NewRequest(http.MethodGet, admin2FARecoveryCodesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\trecCodes = nil\n\terr = json.Unmarshal(rr.Body.Bytes(), &recCodes)\n\tassert.NoError(t, err)\n\tassert.Len(t, recCodes, 12)\n\tfound := false\n\tfor _, rc := range recCodes {\n\t\tif rc.Code == recoveryCode {\n\t\t\tfound = true\n\t\t\tassert.True(t, rc.Used)\n\t\t} else {\n\t\t\tassert.False(t, rc.Used)\n\t\t}\n\t}\n\tassert.True(t, found)\n\t// the same recovery code cannot be reused\n\tloginCookie, csrfToken, err = getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform = getLoginForm(altAdminUsername, altAdminPassword, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webAdminTwoFactorPath, rr.Header().Get(\"Location\"))\n\tcookie, err = getCookieFromResponse(rr)\n\tassert.NoError(t, err)\n\tcsrfToken, err = getCSRFTokenFromInternalPageMock(webAdminTwoFactorRecoveryPath, cookie)\n\tassert.NoError(t, err)\n\tform = make(url.Values)\n\tform.Set(\"recovery_code\", recoveryCode)\n\tform.Set(csrfFormToken, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webAdminTwoFactorRecoveryPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCredentials)\n\n\tform.Set(\"recovery_code\", \"invalid_recovery_code\")\n\treq, err = http.NewRequest(http.MethodPost, webAdminTwoFactorRecoveryPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCredentials)\n\n\tloginCookie, csrfToken, err = getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform = getLoginForm(altAdminUsername, altAdminPassword, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\treq, err = http.NewRequest(http.MethodPost, webLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webAdminTwoFactorPath, rr.Header().Get(\"Location\"))\n\tcookie, err = getCookieFromResponse(rr)\n\tassert.NoError(t, err)\n\n\t// disable TOTP\n\taltToken1, err := getJWTAPITokenFromTestServer(admin1.Username, altAdminPassword)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, adminPath+\"/\"+altAdminUsername+\"/2fa/disable\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, altToken1)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\treq, err = http.NewRequest(http.MethodPut, adminPath+\"/\"+altAdminUsername+\"/2fa/disable\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodPut, adminPath+\"/\"+altAdminUsername+\"/2fa/disable\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"two-factor authentication is not enabled\")\n\n\tcsrfToken, err = getCSRFTokenFromInternalPageMock(webAdminTwoFactorRecoveryPath, cookie)\n\tassert.NoError(t, err)\n\tform = make(url.Values)\n\tform.Set(\"recovery_code\", recoveryCode)\n\tform.Set(csrfFormToken, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webAdminTwoFactorRecoveryPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18n2FADisabled)\n\n\tform.Set(\"passcode\", passcode)\n\treq, err = http.NewRequest(http.MethodPost, webAdminTwoFactorPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18n2FADisabled)\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveAdmin(admin1, http.StatusOK)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodPost, webAdminTwoFactorRecoveryPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCredentials)\n\n\treq, err = http.NewRequest(http.MethodPost, webAdminTwoFactorPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCredentials)\n\n\treq, err = http.NewRequest(http.MethodGet, webAdminMFAPath, nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, authenticatedCookie)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n}\n\nfunc TestAdminTOTP(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tadmin := getTestAdmin()\n\tadmin.Username = altAdminUsername\n\tadmin.Password = altAdminPassword\n\t// TOTPConfig will be ignored on add\n\tadmin.Filters.TOTPConfig = dataprovider.AdminTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: \"config\",\n\t\tSecret: kms.NewEmptySecret(),\n\t}\n\tasJSON, err := json.Marshal(admin)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, adminPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\tadmin, _, err = httpdtest.GetAdminByUsername(altAdminUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.False(t, admin.Filters.TOTPConfig.Enabled)\n\tassert.Len(t, admin.Filters.RecoveryCodes, 0)\n\n\taltToken, err := getJWTAPITokenFromTestServer(altAdminUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, adminTOTPConfigsPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar configs []mfa.TOTPConfig\n\terr = json.Unmarshal(rr.Body.Bytes(), &configs)\n\tassert.NoError(t, err, rr.Body.String())\n\tassert.Len(t, configs, len(mfa.GetAvailableTOTPConfigs()))\n\ttotpConfig := configs[0]\n\ttotpReq := generateTOTPRequest{\n\t\tConfigName: totpConfig.Name,\n\t}\n\tasJSON, err = json.Marshal(totpReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, adminTOTPGeneratePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar totpGenResp generateTOTPResponse\n\terr = json.Unmarshal(rr.Body.Bytes(), &totpGenResp)\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, totpGenResp.Secret)\n\tassert.NotEmpty(t, totpGenResp.QRCode)\n\n\tpasscode, err := generateTOTPPasscode(totpGenResp.Secret)\n\tassert.NoError(t, err)\n\tvalidateReq := validateTOTPRequest{\n\t\tConfigName: totpGenResp.ConfigName,\n\t\tPasscode: passcode,\n\t\tSecret: totpGenResp.Secret,\n\t}\n\tasJSON, err = json.Marshal(validateReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, adminTOTPValidatePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// the same passcode cannot be reused\n\treq, err = http.NewRequest(http.MethodPost, adminTOTPValidatePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"this passcode was already used\")\n\n\tadminTOTPConfig := dataprovider.AdminTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: totpGenResp.ConfigName,\n\t\tSecret: kms.NewPlainSecret(totpGenResp.Secret),\n\t}\n\tasJSON, err = json.Marshal(adminTOTPConfig)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, adminTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tadmin, _, err = httpdtest.GetAdminByUsername(altAdminUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, admin.Filters.TOTPConfig.Enabled)\n\tassert.Equal(t, totpGenResp.ConfigName, admin.Filters.TOTPConfig.ConfigName)\n\tassert.Empty(t, admin.Filters.TOTPConfig.Secret.GetKey())\n\tassert.Empty(t, admin.Filters.TOTPConfig.Secret.GetAdditionalData())\n\tassert.NotEmpty(t, admin.Filters.TOTPConfig.Secret.GetPayload())\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, admin.Filters.TOTPConfig.Secret.GetStatus())\n\tadmin.Filters.TOTPConfig = dataprovider.AdminTOTPConfig{\n\t\tEnabled: false,\n\t\tConfigName: util.GenerateUniqueID(),\n\t\tSecret: kms.NewEmptySecret(),\n\t}\n\tadmin.Filters.RecoveryCodes = []dataprovider.RecoveryCode{\n\t\t{\n\t\t\tSecret: kms.NewEmptySecret(),\n\t\t},\n\t}\n\tadmin, resp, err := httpdtest.UpdateAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err, string(resp))\n\tassert.True(t, admin.Filters.TOTPConfig.Enabled)\n\tassert.Len(t, admin.Filters.RecoveryCodes, 12)\n\t// if we use token we cannot get or generate recovery codes\n\treq, err = http.NewRequest(http.MethodGet, admin2FARecoveryCodesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\treq, err = http.NewRequest(http.MethodPost, admin2FARecoveryCodesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\t// now the same but with altToken\n\treq, err = http.NewRequest(http.MethodGet, admin2FARecoveryCodesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar recCodes []recoveryCode\n\terr = json.Unmarshal(rr.Body.Bytes(), &recCodes)\n\tassert.NoError(t, err)\n\tassert.Len(t, recCodes, 12)\n\t// regenerate recovery codes\n\treq, err = http.NewRequest(http.MethodPost, admin2FARecoveryCodesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// check that recovery codes are different\n\treq, err = http.NewRequest(http.MethodGet, admin2FARecoveryCodesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar newRecCodes []recoveryCode\n\terr = json.Unmarshal(rr.Body.Bytes(), &newRecCodes)\n\tassert.NoError(t, err)\n\tassert.Len(t, newRecCodes, 12)\n\tassert.NotEqual(t, recCodes, newRecCodes)\n\t// disable 2FA, the update admin API should not work\n\tadmin.Filters.TOTPConfig.Enabled = false\n\tadmin.Filters.RecoveryCodes = nil\n\tadmin, _, err = httpdtest.UpdateAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, altAdminUsername, admin.Username)\n\tassert.True(t, admin.Filters.TOTPConfig.Enabled)\n\tassert.Len(t, admin.Filters.RecoveryCodes, 12)\n\t// use the dedicated API\n\treq, err = http.NewRequest(http.MethodPut, adminPath+\"/\"+altAdminUsername+\"/2fa/disable\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tadmin, _, err = httpdtest.GetAdminByUsername(altAdminUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.False(t, admin.Filters.TOTPConfig.Enabled)\n\tassert.Len(t, admin.Filters.RecoveryCodes, 0)\n\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(adminPath, altAdminUsername), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodPut, adminPath+\"/\"+altAdminUsername+\"/2fa/disable\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, admin2FARecoveryCodesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, admin2FARecoveryCodesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, adminTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n}\n\nfunc TestChangeAdminPwdInvalidJsonMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodPut, adminPwdPath, bytes.NewBuffer([]byte(\"{\")))\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n}\n\nfunc TestSMTPConfig(t *testing.T) {\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 3525,\n\t\tFrom: \"notification@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr := smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\tsmtpTestURL := path.Join(webConfigsPath, \"smtp\", \"test\")\n\ttokenHeader := \"X-CSRF-TOKEN\"\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webConfigsPath, webToken)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, smtpTestURL, bytes.NewBuffer([]byte(\"{\")))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\treq.Header.Set(tokenHeader, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\ttestReq := make(map[string]any)\n\ttestReq[\"host\"] = smtpCfg.Host\n\ttestReq[\"port\"] = 3525\n\ttestReq[\"from\"] = \"from@example.com\"\n\tasJSON, err := json.Marshal(testReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, smtpTestURL, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(tokenHeader, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\n\ttestReq[\"recipient\"] = \"example@example.com\"\n\tasJSON, err = json.Marshal(testReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, smtpTestURL, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(tokenHeader, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tconfigs := dataprovider.Configs{\n\t\tSMTP: &dataprovider.SMTPConfigs{\n\t\t\tHost: \"127.0.0.1\",\n\t\t\tPort: 3535,\n\t\t\tUser: \"user@example.com\",\n\t\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t\t},\n\t}\n\terr = dataprovider.UpdateConfigs(&configs, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\ttestReq[\"password\"] = redactedSecret\n\tasJSON, err = json.Marshal(testReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, smtpTestURL, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(tokenHeader, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\tassert.Contains(t, rr.Body.String(), \"server does not support SMTP AUTH\")\n\n\ttestReq[\"password\"] = \"\"\n\ttestReq[\"auth_type\"] = 3\n\ttestReq[\"oauth2\"] = smtp.OAuth2Config{\n\t\tClientSecret: redactedSecret,\n\t\tRefreshToken: redactedSecret,\n\t}\n\tasJSON, err = json.Marshal(testReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, smtpTestURL, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(tokenHeader, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"smtp oauth2: client id is required\")\n\n\terr = dataprovider.UpdateConfigs(nil, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n}\n\nfunc TestOAuth2TokenRequest(t *testing.T) {\n\ttokenHeader := \"X-CSRF-TOKEN\"\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webConfigsPath, webToken)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, webOAuth2TokenPath, bytes.NewBuffer([]byte(\"{\")))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\treq.Header.Set(tokenHeader, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\ttestReq := make(map[string]any)\n\ttestReq[\"client_secret\"] = redactedSecret\n\tasJSON, err := json.Marshal(testReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webOAuth2TokenPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(tokenHeader, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"base redirect url is required\")\n\n\ttestReq[\"base_redirect_url\"] = \"http://localhost:8081\"\n\tasJSON, err = json.Marshal(testReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webOAuth2TokenPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(tokenHeader, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestMFAPermission(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\twebToken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodGet, webClientMFAPath, nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = webClientMFAPath\n\tsetJWTCookieForReq(req, webToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tuser.Filters.WebClient = []string{sdk.WebClientMFADisabled}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\twebToken, err = getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientMFAPath, nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = webClientMFAPath\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestWebUserTwoFactorLogin(t *testing.T) {\n\tu := getTestUser()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\t// enable two factor authentication\n\tconfigName, key, _, err := mfa.GenerateTOTPSecret(mfa.GetAvailableTOTPConfigNames()[0], user.Username)\n\tassert.NoError(t, err)\n\ttoken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\tadminToken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\twebToken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\tuserTOTPConfig := dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: kms.NewPlainSecret(key.Secret()),\n\t\tProtocols: []string{common.ProtocolHTTP},\n\t}\n\tasJSON, err := json.Marshal(userTOTPConfig)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, userTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, user2FARecoveryCodesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar recCodes []recoveryCode\n\terr = json.Unmarshal(rr.Body.Bytes(), &recCodes)\n\tassert.NoError(t, err)\n\tassert.Len(t, recCodes, 12)\n\n\tuser, _, err = httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, user.Filters.RecoveryCodes, 12)\n\tfor _, c := range user.Filters.RecoveryCodes {\n\t\tassert.Empty(t, c.Secret.GetAdditionalData())\n\t\tassert.Empty(t, c.Secret.GetKey())\n\t\tassert.Equal(t, sdkkms.SecretStatusSecretBox, c.Secret.GetStatus())\n\t\tassert.NotEmpty(t, c.Secret.GetPayload())\n\t}\n\n\treq, err = http.NewRequest(http.MethodGet, webClientTwoFactorPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientTwoFactorRecoveryPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, webClientTwoFactorPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, webClientTwoFactorRecoveryPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\tloginCookie, csrfToken, err := getCSRFTokenMock(webClientLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform := getLoginForm(defaultUsername, defaultPassword, csrfToken)\n\t// CSRF verification fails if there is no cookie\n\treq, err = http.NewRequest(http.MethodPost, webClientLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\treq, err = http.NewRequest(http.MethodPost, webClientLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientTwoFactorPath, rr.Header().Get(\"Location\"))\n\tcookie, err := getCookieFromResponse(rr)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientTwoFactorPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\t// without a cookie\n\treq, err = http.NewRequest(http.MethodGet, webClientTwoFactorPath, nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\t// invalid IP address\n\treq, err = http.NewRequest(http.MethodGet, webClientTwoFactorPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = \"6.7.8.9:4567\"\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientTwoFactorRecoveryPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// any other page will be redirected to the two factor auth page\n\treq, err = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webClientTwoFactorPath, rr.Header().Get(\"Location\"))\n\t// a partial token cannot be used for admin pages\n\treq, err = http.NewRequest(http.MethodGet, webUsersPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webLoginPath, rr.Header().Get(\"Location\"))\n\n\tpasscode, err := generateTOTPPasscode(key.Secret())\n\tassert.NoError(t, err)\n\tform = make(url.Values)\n\tform.Set(\"passcode\", passcode)\n\n\treq, err = http.NewRequest(http.MethodPost, webClientTwoFactorPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\tcsrfToken, err = getCSRFTokenFromInternalPageMock(webClientTwoFactorPath, cookie)\n\tassert.NoError(t, err)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"passcode\", \"invalid_user_passcode\")\n\treq, err = http.NewRequest(http.MethodPost, webClientTwoFactorPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCredentials)\n\n\tform.Set(\"passcode\", \"\")\n\treq, err = http.NewRequest(http.MethodPost, webClientTwoFactorPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCredentials)\n\n\tform.Set(\"passcode\", passcode)\n\treq, err = http.NewRequest(http.MethodPost, webClientTwoFactorPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientFilesPath, rr.Header().Get(\"Location\"))\n\t// the same cookie cannot be reused\n\treq, err = http.NewRequest(http.MethodPost, webClientTwoFactorPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusNotFound, rr.Code)\n\t// get a new cookie and login using a recovery code\n\tloginCookie, csrfToken, err = getCSRFTokenMock(webClientLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform = getLoginForm(defaultUsername, defaultPassword, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webClientLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientTwoFactorPath, rr.Header().Get(\"Location\"))\n\tcookie, err = getCookieFromResponse(rr)\n\tassert.NoError(t, err)\n\n\tform = make(url.Values)\n\trecoveryCode := recCodes[0].Code\n\tform.Set(\"recovery_code\", recoveryCode)\n\t// no csrf\n\treq, err = http.NewRequest(http.MethodPost, webClientTwoFactorRecoveryPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\tcsrfToken, err = getCSRFTokenFromInternalPageMock(webClientTwoFactorRecoveryPath, cookie)\n\tassert.NoError(t, err)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"recovery_code\", \"\")\n\treq, err = http.NewRequest(http.MethodPost, webClientTwoFactorRecoveryPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCredentials)\n\n\tform.Set(\"recovery_code\", recoveryCode)\n\treq, err = http.NewRequest(http.MethodPost, webClientTwoFactorRecoveryPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientFilesPath, rr.Header().Get(\"Location\"))\n\tauthenticatedCookie, err := getCookieFromResponse(rr)\n\tassert.NoError(t, err)\n\t//render MFA page\n\treq, err = http.NewRequest(http.MethodGet, webClientMFAPath, nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, authenticatedCookie)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// get MFA qrcode\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientMFAPath, \"qrcode?url=\"+url.QueryEscape(key.URL())), nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, authenticatedCookie)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Equal(t, \"image/png\", rr.Header().Get(\"Content-Type\"))\n\t// invalid MFA url\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientMFAPath, \"qrcode?url=\"+url.QueryEscape(\"http://foo\\x7f.eu\")), nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, authenticatedCookie)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\t// check that the recovery code was marked as used\n\treq, err = http.NewRequest(http.MethodGet, user2FARecoveryCodesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\trecCodes = nil\n\terr = json.Unmarshal(rr.Body.Bytes(), &recCodes)\n\tassert.NoError(t, err)\n\tassert.Len(t, recCodes, 12)\n\tfound := false\n\tfor _, rc := range recCodes {\n\t\tif rc.Code == recoveryCode {\n\t\t\tfound = true\n\t\t\tassert.True(t, rc.Used)\n\t\t} else {\n\t\t\tassert.False(t, rc.Used)\n\t\t}\n\t}\n\tassert.True(t, found)\n\t// the same recovery code cannot be reused\n\tloginCookie, csrfToken, err = getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform = getLoginForm(defaultUsername, defaultPassword, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webClientLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientTwoFactorPath, rr.Header().Get(\"Location\"))\n\tcookie, err = getCookieFromResponse(rr)\n\tassert.NoError(t, err)\n\n\tcsrfToken, err = getCSRFTokenFromInternalPageMock(webClientTwoFactorRecoveryPath, cookie)\n\tassert.NoError(t, err)\n\tform = make(url.Values)\n\tform.Set(\"recovery_code\", recoveryCode)\n\tform.Set(csrfFormToken, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webClientTwoFactorRecoveryPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCredentials)\n\n\tform.Set(\"recovery_code\", \"invalid_user_recovery_code\")\n\treq, err = http.NewRequest(http.MethodPost, webClientTwoFactorRecoveryPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCredentials)\n\n\tloginCookie, csrfToken, err = getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform = getLoginForm(defaultUsername, defaultPassword, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webClientLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientTwoFactorPath, rr.Header().Get(\"Location\"))\n\tcookie, err = getCookieFromResponse(rr)\n\tassert.NoError(t, err)\n\n\t// disable TOTP\n\treq, err = http.NewRequest(http.MethodPut, userPath+\"/\"+user.Username+\"/2fa/disable\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, adminToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodPut, userPath+\"/\"+user.Username+\"/2fa/disable\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, adminToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"two-factor authentication is not enabled\")\n\n\tcsrfToken, err = getCSRFTokenFromInternalPageMock(webClientTwoFactorRecoveryPath, cookie)\n\tassert.NoError(t, err)\n\tform = make(url.Values)\n\tform.Set(\"recovery_code\", recoveryCode)\n\tform.Set(\"passcode\", passcode)\n\tform.Set(csrfFormToken, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webClientTwoFactorRecoveryPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18n2FADisabled)\n\n\treq, err = http.NewRequest(http.MethodPost, webClientTwoFactorPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18n2FADisabled)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodPost, webClientTwoFactorRecoveryPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCredentials)\n\n\treq, err = http.NewRequest(http.MethodPost, webClientTwoFactorPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCredentials)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientMFAPath, nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, authenticatedCookie)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n}\n\nfunc TestWebUserTwoFactoryLoginRedirect(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tconfigName, key, _, err := mfa.GenerateTOTPSecret(mfa.GetAvailableTOTPConfigNames()[0], user.Username)\n\tassert.NoError(t, err)\n\n\ttoken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\tuserTOTPConfig := dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: kms.NewPlainSecret(key.Secret()),\n\t\tProtocols: []string{common.ProtocolHTTP},\n\t}\n\tasJSON, err := json.Marshal(userTOTPConfig)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, userTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tloginCookie, csrfToken, err := getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform := getLoginForm(defaultUsername, defaultPassword, csrfToken)\n\turi := webClientFilesPath + \"?path=%2F\"\n\tloginURI := webClientLoginPath + \"?next=\" + url.QueryEscape(uri)\n\texpectedURI := webClientTwoFactorPath + \"?next=\" + url.QueryEscape(uri)\n\treq, err = http.NewRequest(http.MethodPost, loginURI, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.RequestURI = loginURI\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, expectedURI, rr.Header().Get(\"Location\"))\n\tcookie, err := getCookieFromResponse(rr)\n\tassert.NoError(t, err)\n\t// test unsafe redirects\n\tloginCookie, csrfToken, err = getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform = getLoginForm(defaultUsername, defaultPassword, csrfToken)\n\texternalURI := webClientLoginPath + \"?next=\" + url.QueryEscape(\"https://example.com\")\n\treq, err = http.NewRequest(http.MethodPost, externalURI, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.RequestURI = externalURI\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientTwoFactorPath, rr.Header().Get(\"Location\"))\n\n\tloginCookie, csrfToken, err = getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform = getLoginForm(defaultUsername, defaultPassword, csrfToken)\n\tinternalURI := webClientLoginPath + \"?next=\" + url.QueryEscape(webClientMFAPath)\n\treq, err = http.NewRequest(http.MethodPost, internalURI, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.RequestURI = internalURI\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientTwoFactorPath, rr.Header().Get(\"Location\"))\n\t// render two factor page\n\treq, err = http.NewRequest(http.MethodGet, expectedURI, nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = expectedURI\n\tsetJWTCookieForReq(req, cookie)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), fmt.Sprintf(\"action=%q\", expectedURI))\n\t// login with the passcode\n\tcsrfToken, err = getCSRFTokenFromInternalPageMock(expectedURI, cookie)\n\tassert.NoError(t, err)\n\tpasscode, err := generateTOTPPasscode(key.Secret())\n\tassert.NoError(t, err)\n\tform = make(url.Values)\n\tform.Set(\"passcode\", passcode)\n\tform.Set(csrfFormToken, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, expectedURI, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.RequestURI = expectedURI\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, uri, rr.Header().Get(\"Location\"))\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSearchEvents(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodGet, fsEventsPath+\"?limit=10&order=ASC&fs_provider=0\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tevents := make([]map[string]any, 0)\n\terr = json.Unmarshal(rr.Body.Bytes(), &events)\n\tassert.NoError(t, err)\n\tif assert.Len(t, events, 1) {\n\t\tev := events[0]\n\t\tfor _, field := range []string{\"id\", \"timestamp\", \"action\", \"username\", \"fs_path\", \"status\", \"protocol\",\n\t\t\t\"ip\", \"session_id\", \"fs_provider\", \"bucket\", \"endpoint\", \"open_flags\", \"role\", \"instance_id\"} {\n\t\t\t_, ok := ev[field]\n\t\t\tassert.True(t, ok, field)\n\t\t}\n\t}\n\treq, err = http.NewRequest(http.MethodGet, fsEventsPath+\"?limit=10&order=ASC&role=role1\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tevents = nil\n\terr = json.Unmarshal(rr.Body.Bytes(), &events)\n\tassert.NoError(t, err)\n\tassert.Len(t, events, 1)\n\t// CSV export\n\treq, err = http.NewRequest(http.MethodGet, fsEventsPath+\"?limit=10&order=ASC&csv_export=true\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Equal(t, \"text/csv\", rr.Header().Get(\"Content-Type\"))\n\t// the test eventsearcher plugin returns error if start_timestamp < 0\n\treq, err = http.NewRequest(http.MethodGet, fsEventsPath+\"?start_timestamp=-1&end_timestamp=123456&statuses=1,2\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\t// CSV export with error\n\texportFunc := func() {\n\t\tdefer func() {\n\t\t\trcv := recover()\n\t\t\tassert.Equal(t, http.ErrAbortHandler, rcv)\n\t\t}()\n\n\t\treq, err = http.NewRequest(http.MethodGet, fsEventsPath+\"?start_timestamp=-2&csv_export=true\", nil)\n\t\tassert.NoError(t, err)\n\t\tsetBearerForReq(req, token)\n\t\trr = executeRequest(req)\n\t}\n\texportFunc()\n\n\treq, err = http.NewRequest(http.MethodGet, fsEventsPath+\"?limit=e\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, providerEventsPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tevents = make([]map[string]any, 0)\n\terr = json.Unmarshal(rr.Body.Bytes(), &events)\n\tassert.NoError(t, err)\n\tif assert.Len(t, events, 1) {\n\t\tev := events[0]\n\t\tfor _, field := range []string{\"id\", \"timestamp\", \"action\", \"username\", \"object_type\", \"object_name\",\n\t\t\t\"object_data\", \"role\", \"instance_id\"} {\n\t\t\t_, ok := ev[field]\n\t\t\tassert.True(t, ok, field)\n\t\t}\n\t}\n\treq, err = http.NewRequest(http.MethodGet, providerEventsPath+\"?omit_object_data=true\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tevents = make([]map[string]any, 0)\n\terr = json.Unmarshal(rr.Body.Bytes(), &events)\n\tassert.NoError(t, err)\n\tif assert.Len(t, events, 1) {\n\t\tev := events[0]\n\t\tfield := \"object_data\"\n\t\t_, ok := ev[field]\n\t\tassert.False(t, ok, field)\n\t}\n\t// CSV export\n\treq, err = http.NewRequest(http.MethodGet, providerEventsPath+\"?csv_export=true\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Equal(t, \"text/csv\", rr.Header().Get(\"Content-Type\"))\n\n\t// the test eventsearcher plugin returns error if start_timestamp < 0\n\treq, err = http.NewRequest(http.MethodGet, providerEventsPath+\"?start_timestamp=-1\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\t// CSV export with error\n\texportFunc = func() {\n\t\tdefer func() {\n\t\t\trcv := recover()\n\t\t\tassert.Equal(t, http.ErrAbortHandler, rcv)\n\t\t}()\n\n\t\treq, err = http.NewRequest(http.MethodGet, providerEventsPath+\"?start_timestamp=-1&csv_export=true\", nil)\n\t\tassert.NoError(t, err)\n\t\tsetBearerForReq(req, token)\n\t\trr = executeRequest(req)\n\t}\n\texportFunc()\n\n\treq, err = http.NewRequest(http.MethodGet, logEventsPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tevents = make([]map[string]any, 0)\n\terr = json.Unmarshal(rr.Body.Bytes(), &events)\n\tassert.NoError(t, err)\n\tif assert.Len(t, events, 1) {\n\t\tev := events[0]\n\t\tfor _, field := range []string{\"id\", \"timestamp\", \"event\", \"ip\", \"message\", \"role\", \"instance_id\"} {\n\t\t\t_, ok := ev[field]\n\t\t\tassert.True(t, ok, field)\n\t\t}\n\t}\n\treq, err = http.NewRequest(http.MethodGet, logEventsPath+\"?events=a,1\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// CSV export\n\treq, err = http.NewRequest(http.MethodGet, logEventsPath+\"?csv_export=true\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Equal(t, \"text/csv\", rr.Header().Get(\"Content-Type\"))\n\t// the test eventsearcher plugin returns error if start_timestamp < 0\n\treq, err = http.NewRequest(http.MethodGet, logEventsPath+\"?start_timestamp=-1\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\t// CSV export with error\n\texportFunc = func() {\n\t\tdefer func() {\n\t\t\trcv := recover()\n\t\t\tassert.Equal(t, http.ErrAbortHandler, rcv)\n\t\t}()\n\n\t\treq, err = http.NewRequest(http.MethodGet, logEventsPath+\"?start_timestamp=-1&csv_export=true\", nil)\n\t\tassert.NoError(t, err)\n\t\tsetBearerForReq(req, token)\n\t\trr = executeRequest(req)\n\t}\n\texportFunc()\n\n\treq, err = http.NewRequest(http.MethodGet, providerEventsPath+\"?limit=2000\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, logEventsPath+\"?limit=2000\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, fsEventsPath+\"?start_timestamp=a\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, fsEventsPath+\"?end_timestamp=a\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, fsEventsPath+\"?order=ASSC\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, fsEventsPath+\"?statuses=a,b\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, fsEventsPath+\"?fs_provider=a\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webEventsPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestMFAErrors(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tassert.False(t, user.Filters.TOTPConfig.Enabled)\n\tuserToken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\tadminToken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\n\t// invalid config name\n\ttotpReq := generateTOTPRequest{\n\t\tConfigName: \"invalid config name\",\n\t}\n\tasJSON, err := json.Marshal(totpReq)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, userTOTPGeneratePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, userToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\t// invalid JSON\n\tinvalidJSON := []byte(\"not a JSON\")\n\treq, err = http.NewRequest(http.MethodPost, userTOTPGeneratePath, bytes.NewBuffer(invalidJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, userToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, userTOTPSavePath, bytes.NewBuffer(invalidJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, userToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, adminTOTPSavePath, bytes.NewBuffer(invalidJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, adminToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, adminTOTPValidatePath, bytes.NewBuffer(invalidJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, adminToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\t// invalid TOTP config name\n\tuserTOTPConfig := dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: \"missing name\",\n\t\tSecret: kms.NewPlainSecret(xid.New().String()),\n\t\tProtocols: []string{common.ProtocolSSH},\n\t}\n\tasJSON, err = json.Marshal(userTOTPConfig)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, userToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"totp: config name\")\n\t// invalid TOTP secret\n\tuserTOTPConfig = dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: mfa.GetAvailableTOTPConfigNames()[0],\n\t\tSecret: nil,\n\t\tProtocols: []string{common.ProtocolSSH},\n\t}\n\tasJSON, err = json.Marshal(userTOTPConfig)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, userToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"totp: secret is mandatory\")\n\t// no protocol\n\tuserTOTPConfig = dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: mfa.GetAvailableTOTPConfigNames()[0],\n\t\tSecret: kms.NewPlainSecret(xid.New().String()),\n\t\tProtocols: nil,\n\t}\n\tasJSON, err = json.Marshal(userTOTPConfig)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, userToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"totp: specify at least one protocol\")\n\t// invalid protocol\n\tuserTOTPConfig = dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: mfa.GetAvailableTOTPConfigNames()[0],\n\t\tSecret: kms.NewPlainSecret(xid.New().String()),\n\t\tProtocols: []string{common.ProtocolWebDAV},\n\t}\n\tasJSON, err = json.Marshal(userTOTPConfig)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, userToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"totp: invalid protocol\")\n\n\tadminTOTPConfig := dataprovider.AdminTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: \"\",\n\t\tSecret: kms.NewPlainSecret(\"secret\"),\n\t}\n\tasJSON, err = json.Marshal(adminTOTPConfig)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, adminTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, adminToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"totp: config name is mandatory\")\n\n\tadminTOTPConfig = dataprovider.AdminTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: mfa.GetAvailableTOTPConfigNames()[0],\n\t\tSecret: nil,\n\t}\n\tasJSON, err = json.Marshal(adminTOTPConfig)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, adminTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, adminToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"totp: secret is mandatory\")\n\n\t// invalid TOTP secret status\n\tuserTOTPConfig = dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: mfa.GetAvailableTOTPConfigNames()[0],\n\t\tSecret: kms.NewSecret(sdkkms.SecretStatusRedacted, \"\", \"\", \"\"),\n\t\tProtocols: []string{common.ProtocolSSH},\n\t}\n\tasJSON, err = json.Marshal(userTOTPConfig)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, userToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\t// previous secret will be preserved and we have no secret saved\n\tassert.Contains(t, rr.Body.String(), \"totp: secret is mandatory\")\n\n\treq, err = http.NewRequest(http.MethodPost, adminTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, adminToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"totp: secret is mandatory\")\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestMFAInvalidSecret(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tuserToken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\tuser.Password = defaultPassword\n\tuser.Filters.TOTPConfig = dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: mfa.GetAvailableTOTPConfigNames()[0],\n\t\tSecret: kms.NewSecret(sdkkms.SecretStatusSecretBox, \"payload\", \"key\", user.Username),\n\t\tProtocols: []string{common.ProtocolSSH, common.ProtocolHTTP},\n\t}\n\tuser.Filters.RecoveryCodes = append(user.Filters.RecoveryCodes, dataprovider.RecoveryCode{\n\t\tUsed: false,\n\t\tSecret: kms.NewSecret(sdkkms.SecretStatusSecretBox, \"payload\", \"key\", user.Username),\n\t})\n\terr = dataprovider.UpdateUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodGet, user2FARecoveryCodesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, userToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\tassert.Contains(t, rr.Body.String(), \"Unable to decrypt recovery codes\")\n\n\tloginCookie, csrfToken, err := getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform := getLoginForm(defaultUsername, defaultPassword, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webClientLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientTwoFactorPath, rr.Header().Get(\"Location\"))\n\tcookie, err := getCookieFromResponse(rr)\n\tassert.NoError(t, err)\n\n\tcsrfToken, err = getCSRFTokenFromInternalPageMock(webClientTwoFactorPath, cookie)\n\tassert.NoError(t, err)\n\tform = make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"passcode\", \"123456\")\n\treq, err = http.NewRequest(http.MethodPost, webClientTwoFactorPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusInternalServerError, rr.Code)\n\n\tcsrfToken, err = getCSRFTokenFromInternalPageMock(webClientTwoFactorRecoveryPath, cookie)\n\tassert.NoError(t, err)\n\tform = make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"recovery_code\", \"RC-123456\")\n\treq, err = http.NewRequest(http.MethodPost, webClientTwoFactorRecoveryPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusInternalServerError, rr.Code)\n\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, userTokenPath), nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"X-SFTPGO-OTP\", \"authcode\")\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\tresp, err := httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusInternalServerError, resp.StatusCode)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tadmin := getTestAdmin()\n\tadmin.Username = altAdminUsername\n\tadmin.Password = altAdminPassword\n\tadmin, _, err = httpdtest.AddAdmin(admin, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tadmin.Password = altAdminPassword\n\tadmin.Filters.TOTPConfig = dataprovider.AdminTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: mfa.GetAvailableTOTPConfigNames()[0],\n\t\tSecret: kms.NewSecret(sdkkms.SecretStatusSecretBox, \"payload\", \"key\", user.Username),\n\t}\n\tadmin.Filters.RecoveryCodes = append(user.Filters.RecoveryCodes, dataprovider.RecoveryCode{\n\t\tUsed: false,\n\t\tSecret: kms.NewSecret(sdkkms.SecretStatusSecretBox, \"payload\", \"key\", user.Username),\n\t})\n\terr = dataprovider.UpdateAdmin(&admin, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tloginCookie, csrfToken, err = getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform = getLoginForm(altAdminUsername, altAdminPassword, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webAdminTwoFactorPath, rr.Header().Get(\"Location\"))\n\tcookie, err = getCookieFromResponse(rr)\n\tassert.NoError(t, err)\n\n\tcsrfToken, err = getCSRFTokenFromInternalPageMock(webAdminTwoFactorRecoveryPath, cookie)\n\tassert.NoError(t, err)\n\tform = make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"passcode\", \"123456\")\n\treq, err = http.NewRequest(http.MethodPost, webAdminTwoFactorPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusInternalServerError, rr.Code)\n\n\tcsrfToken, err = getCSRFTokenFromInternalPageMock(webAdminTwoFactorRecoveryPath, cookie)\n\tassert.NoError(t, err)\n\tform = make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"recovery_code\", \"RC-123456\")\n\treq, err = http.NewRequest(http.MethodPost, webAdminTwoFactorRecoveryPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusInternalServerError, rr.Code)\n\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v%v\", httpBaseURL, tokenPath), nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"X-SFTPGO-OTP\", \"auth-code\")\n\treq.SetBasicAuth(altAdminUsername, altAdminPassword)\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusInternalServerError, resp.StatusCode)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestWebUserTOTP(t *testing.T) {\n\tu := getTestUser()\n\t// TOTPConfig will be ignored on add\n\tu.Filters.TOTPConfig = dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: \"\",\n\t\tSecret: kms.NewEmptySecret(),\n\t\tProtocols: []string{common.ProtocolSSH},\n\t}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tassert.False(t, user.Filters.TOTPConfig.Enabled)\n\ttoken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodGet, userTOTPConfigsPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar configs []mfa.TOTPConfig\n\terr = json.Unmarshal(rr.Body.Bytes(), &configs)\n\tassert.NoError(t, err, rr.Body.String())\n\tassert.Len(t, configs, len(mfa.GetAvailableTOTPConfigs()))\n\ttotpConfig := configs[0]\n\ttotpReq := generateTOTPRequest{\n\t\tConfigName: totpConfig.Name,\n\t}\n\tasJSON, err := json.Marshal(totpReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userTOTPGeneratePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar totpGenResp generateTOTPResponse\n\terr = json.Unmarshal(rr.Body.Bytes(), &totpGenResp)\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, totpGenResp.Secret)\n\tassert.NotEmpty(t, totpGenResp.QRCode)\n\n\tpasscode, err := generateTOTPPasscode(totpGenResp.Secret)\n\tassert.NoError(t, err)\n\tvalidateReq := validateTOTPRequest{\n\t\tConfigName: totpGenResp.ConfigName,\n\t\tPasscode: passcode,\n\t\tSecret: totpGenResp.Secret,\n\t}\n\tasJSON, err = json.Marshal(validateReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userTOTPValidatePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// the same passcode cannot be reused\n\treq, err = http.NewRequest(http.MethodPost, userTOTPValidatePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"this passcode was already used\")\n\n\tuserTOTPConfig := dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: totpGenResp.ConfigName,\n\t\tSecret: kms.NewPlainSecret(totpGenResp.Secret),\n\t\tProtocols: []string{common.ProtocolSSH},\n\t}\n\tasJSON, err = json.Marshal(userTOTPConfig)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\ttotpCfg := user.Filters.TOTPConfig\n\tassert.True(t, totpCfg.Enabled)\n\tsecretPayload := totpCfg.Secret.GetPayload()\n\tassert.Equal(t, totpGenResp.ConfigName, totpCfg.ConfigName)\n\tassert.Empty(t, totpCfg.Secret.GetKey())\n\tassert.Empty(t, totpCfg.Secret.GetAdditionalData())\n\tassert.NotEmpty(t, secretPayload)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, totpCfg.Secret.GetStatus())\n\tassert.Len(t, totpCfg.Protocols, 1)\n\tassert.Contains(t, totpCfg.Protocols, common.ProtocolSSH)\n\t// update protocols only\n\tuserTOTPConfig = dataprovider.UserTOTPConfig{\n\t\tProtocols: []string{common.ProtocolSSH, common.ProtocolFTP},\n\t\tSecret: kms.NewEmptySecret(),\n\t}\n\tasJSON, err = json.Marshal(userTOTPConfig)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\t// update the user, TOTP should not be affected\n\tuser.Filters.TOTPConfig = dataprovider.UserTOTPConfig{\n\t\tEnabled: false,\n\t\tSecret: kms.NewEmptySecret(),\n\t}\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, user.Filters.TOTPConfig.Enabled)\n\tassert.Equal(t, totpCfg.ConfigName, user.Filters.TOTPConfig.ConfigName)\n\tassert.Empty(t, user.Filters.TOTPConfig.Secret.GetKey())\n\tassert.Empty(t, user.Filters.TOTPConfig.Secret.GetAdditionalData())\n\tassert.Equal(t, secretPayload, user.Filters.TOTPConfig.Secret.GetPayload())\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.Filters.TOTPConfig.Secret.GetStatus())\n\tassert.Len(t, user.Filters.TOTPConfig.Protocols, 2)\n\tassert.Contains(t, user.Filters.TOTPConfig.Protocols, common.ProtocolSSH)\n\tassert.Contains(t, user.Filters.TOTPConfig.Protocols, common.ProtocolFTP)\n\n\treq, err = http.NewRequest(http.MethodGet, user2FARecoveryCodesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar recCodes []recoveryCode\n\terr = json.Unmarshal(rr.Body.Bytes(), &recCodes)\n\tassert.NoError(t, err)\n\tassert.Len(t, recCodes, 12)\n\t// regenerate recovery codes\n\treq, err = http.NewRequest(http.MethodPost, user2FARecoveryCodesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// check that recovery codes are different\n\treq, err = http.NewRequest(http.MethodGet, user2FARecoveryCodesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar newRecCodes []recoveryCode\n\terr = json.Unmarshal(rr.Body.Bytes(), &newRecCodes)\n\tassert.NoError(t, err)\n\tassert.Len(t, newRecCodes, 12)\n\tassert.NotEqual(t, recCodes, newRecCodes)\n\t// disable 2FA, the update user API should not work\n\tadminToken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tuser.Filters.TOTPConfig.Enabled = false\n\tuser.Filters.RecoveryCodes = nil\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, defaultUsername, user.Username)\n\tassert.True(t, user.Filters.TOTPConfig.Enabled)\n\tassert.Len(t, user.Filters.RecoveryCodes, 12)\n\t// use the dedicated API\n\treq, err = http.NewRequest(http.MethodPut, userPath+\"/\"+defaultUsername+\"/2fa/disable\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, adminToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tuser, _, err = httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.False(t, user.Filters.TOTPConfig.Enabled)\n\tassert.Len(t, user.Filters.RecoveryCodes, 0)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodPut, userPath+\"/\"+defaultUsername+\"/2fa/disable\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, adminToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, user2FARecoveryCodesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, user2FARecoveryCodesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, userTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n}\n\nfunc TestWebAPIChangeUserProfileMock(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tassert.False(t, user.Filters.AllowAPIKeyAuth)\n\ttoken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\t// invalid json\n\treq, err := http.NewRequest(http.MethodPut, userProfilePath, bytes.NewBuffer([]byte(\"{\")))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\temail := \"userapi@example.com\"\n\tadditionalEmails := []string{\"userapi1@example.com\"}\n\tdescription := \"user API description\"\n\tprofileReq := make(map[string]any)\n\tprofileReq[\"allow_api_key_auth\"] = true\n\tprofileReq[\"email\"] = email\n\tprofileReq[\"description\"] = description\n\tprofileReq[\"public_keys\"] = []string{testPubKey, testPubKey1}\n\tprofileReq[\"tls_certs\"] = []string{httpsCert}\n\tprofileReq[\"additional_emails\"] = additionalEmails\n\tasJSON, err := json.Marshal(profileReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, userProfilePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tprofileReq = make(map[string]any)\n\treq, err = http.NewRequest(http.MethodGet, userProfilePath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\terr = json.Unmarshal(rr.Body.Bytes(), &profileReq)\n\tassert.NoError(t, err)\n\tassert.Equal(t, email, profileReq[\"email\"].(string))\n\tassert.Len(t, profileReq[\"additional_emails\"].([]interface{}), 1)\n\tassert.Equal(t, description, profileReq[\"description\"].(string))\n\tassert.True(t, profileReq[\"allow_api_key_auth\"].(bool))\n\tval, ok := profileReq[\"public_keys\"].([]any)\n\tif assert.True(t, ok, profileReq) {\n\t\tassert.Len(t, val, 2)\n\t}\n\tval, ok = profileReq[\"tls_certs\"].([]any)\n\tif assert.True(t, ok, profileReq) {\n\t\tassert.Len(t, val, 1)\n\t}\n\t// set an invalid email\n\tprofileReq = make(map[string]any)\n\tprofileReq[\"email\"] = \"notavalidemail\"\n\tasJSON, err = json.Marshal(profileReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, userProfilePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"Validation error: email\")\n\t// set an invalid additional email\n\tprofileReq = make(map[string]any)\n\tprofileReq[\"additional_emails\"] = []string{\"not an email\"}\n\tasJSON, err = json.Marshal(profileReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, userProfilePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"Validation error: email\")\n\t// set an invalid public key\n\tprofileReq = make(map[string]any)\n\tprofileReq[\"public_keys\"] = []string{\"not a public key\"}\n\tasJSON, err = json.Marshal(profileReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, userProfilePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"Validation error: error parsing public key\")\n\t// set an invalid TLS certificate\n\tprofileReq = make(map[string]any)\n\tprofileReq[\"tls_certs\"] = []string{\"not a TLS cert\"}\n\tasJSON, err = json.Marshal(profileReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, userProfilePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"Validation error: invalid TLS certificate\")\n\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tuser.Filters.WebClient = []string{sdk.WebClientAPIKeyAuthChangeDisabled, sdk.WebClientPubKeyChangeDisabled,\n\t\tsdk.WebClientTLSCertChangeDisabled}\n\tuser.Email = email\n\tuser.Description = description\n\tuser.Filters.AllowAPIKeyAuth = true\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\ttoken, err = getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\tprofileReq = make(map[string]any)\n\tprofileReq[\"allow_api_key_auth\"] = false\n\tprofileReq[\"email\"] = email\n\tprofileReq[\"description\"] = description + \"_mod\" //nolint:goconst\n\tprofileReq[\"public_keys\"] = []string{testPubKey}\n\tprofileReq[\"tls_certs\"] = []string{}\n\tasJSON, err = json.Marshal(profileReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, userProfilePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), \"Profile updated\")\n\t// check that api key auth and public keys were not changed\n\tprofileReq = make(map[string]any)\n\treq, err = http.NewRequest(http.MethodGet, userProfilePath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\terr = json.Unmarshal(rr.Body.Bytes(), &profileReq)\n\tassert.NoError(t, err)\n\tassert.Equal(t, email, profileReq[\"email\"].(string))\n\tassert.Equal(t, description+\"_mod\", profileReq[\"description\"].(string))\n\tassert.True(t, profileReq[\"allow_api_key_auth\"].(bool))\n\tval, ok = profileReq[\"public_keys\"].([]any)\n\tif assert.True(t, ok, profileReq) {\n\t\tassert.Len(t, val, 2)\n\t}\n\tval, ok = profileReq[\"tls_certs\"].([]any)\n\tif assert.True(t, ok, profileReq) {\n\t\tassert.Len(t, val, 1)\n\t}\n\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tuser.Filters.WebClient = []string{sdk.WebClientAPIKeyAuthChangeDisabled, sdk.WebClientInfoChangeDisabled}\n\tuser.Description = description + \"_mod\"\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\ttoken, err = getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\tprofileReq = make(map[string]any)\n\tprofileReq[\"allow_api_key_auth\"] = false\n\tprofileReq[\"email\"] = \"newemail@apiuser.com\"\n\tprofileReq[\"description\"] = description\n\tprofileReq[\"public_keys\"] = []string{testPubKey}\n\tasJSON, err = json.Marshal(profileReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, userProfilePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tprofileReq = make(map[string]any)\n\treq, err = http.NewRequest(http.MethodGet, userProfilePath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\terr = json.Unmarshal(rr.Body.Bytes(), &profileReq)\n\tassert.NoError(t, err)\n\tassert.Equal(t, email, profileReq[\"email\"].(string))\n\tassert.Equal(t, description+\"_mod\", profileReq[\"description\"].(string))\n\tassert.True(t, profileReq[\"allow_api_key_auth\"].(bool))\n\tassert.Len(t, profileReq[\"public_keys\"].([]any), 1)\n\t// finally disable all profile permissions\n\tuser.Filters.WebClient = []string{sdk.WebClientAPIKeyAuthChangeDisabled, sdk.WebClientInfoChangeDisabled,\n\t\tsdk.WebClientPubKeyChangeDisabled, sdk.WebClientTLSCertChangeDisabled}\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, userProfilePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"You are not allowed to change anything\")\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, userProfilePath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodPut, userProfilePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n}\n\nfunc TestPermGroupOverride(t *testing.T) {\n\tg := getTestGroup()\n\tg.UserSettings.Filters.WebClient = []string{sdk.WebClientPasswordChangeDisabled}\n\tgroup, _, err := httpdtest.AddGroup(g, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu := getTestUser()\n\tu.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: group.Name,\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttoken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\tpwd := make(map[string]string)\n\tpwd[\"current_password\"] = defaultPassword\n\tpwd[\"new_password\"] = altAdminPassword\n\tasJSON, err := json.Marshal(pwd)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPut, userPwdPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\tgroup.UserSettings.Filters.TwoFactorAuthProtocols = []string{common.ProtocolHTTP}\n\tgroup, _, err = httpdtest.UpdateGroup(group, http.StatusOK)\n\tassert.NoError(t, err)\n\n\ttoken, err = getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\twebToken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"Two-factor authentication requirements not met, please configure two-factor authentication for the following protocols\")\n\n\treq, err = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = webClientFilesPath\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError2FARequired)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestWebAPIChangeUserPwdMock(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\ttoken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodGet, userProfilePath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// invalid json\n\treq, err = http.NewRequest(http.MethodPut, userPwdPath, bytes.NewBuffer([]byte(\"{\")))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\tpwd := make(map[string]string)\n\tpwd[\"current_password\"] = defaultPassword\n\tpwd[\"new_password\"] = defaultPassword\n\tasJSON, err := json.Marshal(pwd)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, userPwdPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"the new password must be different from the current one\")\n\n\tpwd[\"new_password\"] = altAdminPassword\n\tasJSON, err = json.Marshal(pwd)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, userPwdPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, userProfilePath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\n\t_, err = getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.Error(t, err)\n\ttoken, err = getJWTAPIUserTokenFromTestServer(defaultUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, token)\n\n\t// remove the change password permission\n\tuser.Filters.WebClient = []string{sdk.WebClientPasswordChangeDisabled}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tassert.Len(t, user.Filters.WebClient, 1)\n\tassert.Contains(t, user.Filters.WebClient, sdk.WebClientPasswordChangeDisabled)\n\n\ttoken, err = getJWTAPIUserTokenFromTestServer(defaultUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, token)\n\n\tpwd[\"current_password\"] = altAdminPassword\n\tpwd[\"new_password\"] = defaultPassword\n\tasJSON, err = json.Marshal(pwd)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, userPwdPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginInvalidPasswordMock(t *testing.T) {\n\t_, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass+\"1\")\n\tassert.Error(t, err)\n\t// now a login with no credentials\n\treq, _ := http.NewRequest(http.MethodGet, \"/api/v2/token\", nil)\n\trr := executeRequest(req)\n\tassert.Equal(t, http.StatusUnauthorized, rr.Code)\n}\n\nfunc TestWebAPIChangeAdminProfileMock(t *testing.T) {\n\tadmin := getTestAdmin()\n\tadmin.Username = altAdminUsername\n\tadmin.Password = altAdminPassword\n\tadmin, _, err := httpdtest.AddAdmin(admin, http.StatusCreated)\n\tassert.NoError(t, err)\n\tassert.False(t, admin.Filters.AllowAPIKeyAuth)\n\n\ttoken, err := getJWTAPITokenFromTestServer(altAdminUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\t// invalid json\n\treq, err := http.NewRequest(http.MethodPut, adminProfilePath, bytes.NewBuffer([]byte(\"{\")))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\temail := \"adminapi@example.com\"\n\tdescription := \"admin API description\"\n\tprofileReq := make(map[string]any)\n\tprofileReq[\"allow_api_key_auth\"] = true\n\tprofileReq[\"email\"] = email\n\tprofileReq[\"description\"] = description\n\tasJSON, err := json.Marshal(profileReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, adminProfilePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), \"Profile updated\")\n\n\tprofileReq = make(map[string]any)\n\treq, err = http.NewRequest(http.MethodGet, adminProfilePath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\terr = json.Unmarshal(rr.Body.Bytes(), &profileReq)\n\tassert.NoError(t, err)\n\tassert.Equal(t, email, profileReq[\"email\"].(string))\n\tassert.Equal(t, description, profileReq[\"description\"].(string))\n\tassert.True(t, profileReq[\"allow_api_key_auth\"].(bool))\n\t// set an invalid email\n\tprofileReq[\"email\"] = \"admin_invalid_email\"\n\tasJSON, err = json.Marshal(profileReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, adminProfilePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"Validation error: email\")\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, adminProfilePath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodPut, adminProfilePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n}\n\nfunc TestChangeAdminPwdMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tadmin := getTestAdmin()\n\tadmin.Username = altAdminUsername\n\tadmin.Password = altAdminPassword\n\tadmin.Permissions = []string{dataprovider.PermAdminAddUsers, dataprovider.PermAdminDeleteUsers}\n\tasJSON, err := json.Marshal(admin)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodPost, adminPath, bytes.NewBuffer(asJSON))\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\taltToken, err := getJWTAPITokenFromTestServer(altAdminUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\tuser := getTestUser()\n\tuserAsJSON := getUserAsJSON(t, user)\n\treq, _ = http.NewRequest(http.MethodPost, userPath, bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\treq, _ = http.NewRequest(http.MethodPut, path.Join(userPath, user.Username), bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\tpwd := make(map[string]string)\n\tpwd[\"current_password\"] = altAdminPassword\n\tpwd[\"new_password\"] = defaultTokenAuthPass\n\tasJSON, err = json.Marshal(pwd)\n\tassert.NoError(t, err)\n\treq, _ = http.NewRequest(http.MethodPut, adminPwdPath, bytes.NewBuffer(asJSON))\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// try using the old token\n\treq, err = http.NewRequest(http.MethodGet, versionPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\n\t_, err = getJWTAPITokenFromTestServer(altAdminUsername, altAdminPassword)\n\tassert.Error(t, err)\n\n\taltToken, err = getJWTAPITokenFromTestServer(altAdminUsername, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, _ = http.NewRequest(http.MethodPut, adminPwdPath, bytes.NewBuffer(asJSON))\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr) // current password does not match\n\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(adminPath, altAdminUsername), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestUpdateAdminMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\t_, err = getJWTAPITokenFromTestServer(altAdminUsername, defaultTokenAuthPass)\n\tassert.Error(t, err)\n\tadmin := getTestAdmin()\n\tadmin.Username = altAdminUsername\n\tadmin.Permissions = []string{dataprovider.PermAdminAny}\n\tasJSON, err := json.Marshal(admin)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodPost, adminPath, bytes.NewBuffer(asJSON))\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\t_, err = getJWTAPITokenFromTestServer(altAdminUsername, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\n\treq, _ = http.NewRequest(http.MethodPut, path.Join(adminPath, \"abc\"), bytes.NewBuffer(asJSON))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\treq, _ = http.NewRequest(http.MethodPut, path.Join(adminPath, altAdminUsername), bytes.NewBuffer([]byte(\"no json\")))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tadmin.Permissions = nil\n\tasJSON, err = json.Marshal(admin)\n\tassert.NoError(t, err)\n\treq, _ = http.NewRequest(http.MethodPut, path.Join(adminPath, altAdminUsername), bytes.NewBuffer(asJSON))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tadmin = getTestAdmin()\n\tadmin.Status = 0\n\tasJSON, err = json.Marshal(admin)\n\tassert.NoError(t, err)\n\treq, _ = http.NewRequest(http.MethodPut, path.Join(adminPath, defaultTokenAuthUser), bytes.NewBuffer(asJSON))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"you cannot disable yourself\")\n\tadmin.Status = 1\n\tadmin.Permissions = []string{dataprovider.PermAdminAddUsers}\n\tasJSON, err = json.Marshal(admin)\n\tassert.NoError(t, err)\n\treq, _ = http.NewRequest(http.MethodPut, path.Join(adminPath, defaultTokenAuthUser), bytes.NewBuffer(asJSON))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"you cannot change your permissions\")\n\tadmin.Permissions = []string{dataprovider.PermAdminAny}\n\tadmin.Role = \"missing role\"\n\tasJSON, err = json.Marshal(admin)\n\tassert.NoError(t, err)\n\treq, _ = http.NewRequest(http.MethodPut, path.Join(adminPath, defaultTokenAuthUser), bytes.NewBuffer(asJSON))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"you cannot add/change your role\")\n\tadmin.Role = \"\"\n\n\taltToken, err := getJWTAPITokenFromTestServer(altAdminUsername, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tadmin.Password = \"\" // it must remain unchanged\n\tadmin.Permissions = []string{dataprovider.PermAdminAny}\n\tasJSON, err = json.Marshal(admin)\n\tassert.NoError(t, err)\n\treq, _ = http.NewRequest(http.MethodPut, path.Join(adminPath, altAdminUsername), bytes.NewBuffer(asJSON))\n\tsetBearerForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\t_, err = getJWTAPITokenFromTestServer(altAdminUsername, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(adminPath, altAdminUsername), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestAdminLastLoginWithAPIKey(t *testing.T) {\n\tadmin := getTestAdmin()\n\tadmin.Username = altAdminUsername\n\tadmin.Filters.AllowAPIKeyAuth = true\n\tadmin, resp, err := httpdtest.AddAdmin(admin, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tassert.Equal(t, int64(0), admin.LastLogin)\n\n\tapiKey := dataprovider.APIKey{\n\t\tName: \"admin API key\",\n\t\tScope: dataprovider.APIKeyScopeAdmin,\n\t\tAdmin: altAdminUsername,\n\t\tLastUseAt: 123,\n\t}\n\n\tapiKey, resp, err = httpdtest.AddAPIKey(apiKey, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tassert.Equal(t, int64(0), apiKey.LastUseAt)\n\n\treq, err := http.NewRequest(http.MethodGet, versionPath, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, apiKey.Key, admin.Username)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tadmin, _, err = httpdtest.GetAdminByUsername(altAdminUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Greater(t, admin.LastLogin, int64(0))\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestUserLastLoginWithAPIKey(t *testing.T) {\n\tuser := getTestUser()\n\tuser.Filters.AllowAPIKeyAuth = true\n\tuser, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tassert.Equal(t, int64(0), user.LastLogin)\n\n\tapiKey := dataprovider.APIKey{\n\t\tName: \"user API key\",\n\t\tScope: dataprovider.APIKeyScopeUser,\n\t\tUser: user.Username,\n\t}\n\n\tapiKey, resp, err = httpdtest.AddAPIKey(apiKey, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\n\treq, err := http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, apiKey.Key, \"\")\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Greater(t, user.LastLogin, int64(0))\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestAdminHandlingWithAPIKeys(t *testing.T) {\n\tsysAdmin, _, err := httpdtest.GetAdminByUsername(defaultTokenAuthUser, http.StatusOK)\n\tassert.NoError(t, err)\n\tsysAdmin.Filters.AllowAPIKeyAuth = true\n\tsysAdmin, _, err = httpdtest.UpdateAdmin(sysAdmin, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tapiKey := dataprovider.APIKey{\n\t\tName: \"test admin API key\",\n\t\tScope: dataprovider.APIKeyScopeAdmin,\n\t\tAdmin: defaultTokenAuthUser,\n\t}\n\n\tapiKey, resp, err := httpdtest.AddAPIKey(apiKey, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\n\tadmin := getTestAdmin()\n\tadmin.Username = altAdminUsername\n\tasJSON, err := json.Marshal(admin)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, adminPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, apiKey.Key, \"\")\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\t_, err = getJWTAPITokenFromTestServer(altAdminUsername, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\n\tadmin.Filters.AllowAPIKeyAuth = true\n\tasJSON, err = json.Marshal(admin)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, path.Join(adminPath, altAdminUsername), bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, apiKey.Key, \"\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(adminPath, altAdminUsername), nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, apiKey.Key, \"\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar adminGet dataprovider.Admin\n\terr = json.Unmarshal(rr.Body.Bytes(), &adminGet)\n\tassert.NoError(t, err)\n\tassert.True(t, adminGet.Filters.AllowAPIKeyAuth)\n\n\treq, err = http.NewRequest(http.MethodPut, path.Join(adminPath, defaultTokenAuthUser), bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, apiKey.Key, \"\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"updating the admin impersonated with an API key is not allowed\")\n\t// changing the password for the impersonated admin is not allowed\n\tpwd := make(map[string]string)\n\tpwd[\"current_password\"] = defaultTokenAuthPass\n\tpwd[\"new_password\"] = altAdminPassword\n\tasJSON, err = json.Marshal(pwd)\n\tassert.NoError(t, err)\n\treq, _ = http.NewRequest(http.MethodPut, adminPwdPath, bytes.NewBuffer(asJSON))\n\tsetAPIKeyForReq(req, apiKey.Key, \"\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"API key authentication is not allowed\")\n\n\treq, err = http.NewRequest(http.MethodDelete, path.Join(adminPath, defaultTokenAuthUser), nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, apiKey.Key, \"\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"you cannot delete yourself\")\n\n\treq, err = http.NewRequest(http.MethodDelete, path.Join(adminPath, altAdminUsername), nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, apiKey.Key, \"\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\t_, err = httpdtest.RemoveAPIKey(apiKey, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tdbAdmin, err := dataprovider.AdminExists(defaultTokenAuthUser)\n\tassert.NoError(t, err)\n\tdbAdmin.Filters.AllowAPIKeyAuth = false\n\terr = dataprovider.UpdateAdmin(&dbAdmin, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tsysAdmin, _, err = httpdtest.GetAdminByUsername(defaultTokenAuthUser, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.False(t, sysAdmin.Filters.AllowAPIKeyAuth)\n}\n\nfunc TestUserHandlingWithAPIKey(t *testing.T) {\n\tadmin := getTestAdmin()\n\tadmin.Username = altAdminUsername\n\tadmin.Filters.AllowAPIKeyAuth = true\n\tadmin, _, err := httpdtest.AddAdmin(admin, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tapiKey := dataprovider.APIKey{\n\t\tName: \"test admin API key\",\n\t\tScope: dataprovider.APIKeyScopeAdmin,\n\t\tAdmin: admin.Username,\n\t}\n\n\tapiKey, _, err = httpdtest.AddAPIKey(apiKey, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tuser := getTestUser()\n\tuserAsJSON := getUserAsJSON(t, user)\n\treq, err := http.NewRequest(http.MethodPost, userPath, bytes.NewBuffer(userAsJSON))\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, apiKey.Key, \"\")\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\tuser.Filters.DisableFsChecks = true\n\tuser.Description = \"desc\"\n\tuserAsJSON = getUserAsJSON(t, user)\n\treq, err = http.NewRequest(http.MethodPut, path.Join(userPath, user.Username), bytes.NewBuffer(userAsJSON))\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, apiKey.Key, \"\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(userPath, user.Username), nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, apiKey.Key, \"\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar updatedUser dataprovider.User\n\terr = json.Unmarshal(rr.Body.Bytes(), &updatedUser)\n\tassert.NoError(t, err)\n\tassert.True(t, updatedUser.Filters.DisableFsChecks)\n\tassert.Equal(t, user.Description, updatedUser.Description)\n\n\treq, err = http.NewRequest(http.MethodDelete, path.Join(userPath, user.Username), nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, apiKey.Key, \"\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetAPIKeyByID(apiKey.KeyID, http.StatusNotFound)\n\tassert.NoError(t, err)\n}\n\nfunc TestUpdateUserQuotaUsageMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tvar user dataprovider.User\n\tu := getTestUser()\n\tusedQuotaFiles := 1\n\tusedQuotaSize := int64(65535)\n\tu.UsedQuotaFiles = usedQuotaFiles\n\tu.UsedQuotaSize = usedQuotaSize\n\tu.QuotaFiles = 100\n\tuserAsJSON := getUserAsJSON(t, u)\n\treq, _ := http.NewRequest(http.MethodPost, userPath, bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\terr = render.DecodeJSON(rr.Body, &user)\n\tassert.NoError(t, err)\n\treq, _ = http.NewRequest(http.MethodPut, path.Join(quotasBasePath, \"users\", u.Username, \"usage\"), bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\terr = render.DecodeJSON(rr.Body, &user)\n\tassert.NoError(t, err)\n\tassert.Equal(t, usedQuotaFiles, user.UsedQuotaFiles)\n\tassert.Equal(t, usedQuotaSize, user.UsedQuotaSize)\n\t// now update only quota size\n\tu.UsedQuotaFiles = 0\n\tuserAsJSON = getUserAsJSON(t, u)\n\treq, _ = http.NewRequest(http.MethodPut, path.Join(quotasBasePath, \"users\", u.Username, \"usage\")+\"?mode=add\", bytes.NewBuffer(userAsJSON)) //nolint:goconst\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\terr = render.DecodeJSON(rr.Body, &user)\n\tassert.NoError(t, err)\n\tassert.Equal(t, usedQuotaFiles, user.UsedQuotaFiles)\n\tassert.Equal(t, usedQuotaSize*2, user.UsedQuotaSize)\n\t// only quota files\n\tu.UsedQuotaFiles = usedQuotaFiles\n\tu.UsedQuotaSize = 0\n\tuserAsJSON = getUserAsJSON(t, u)\n\treq, _ = http.NewRequest(http.MethodPut, path.Join(quotasBasePath, \"users\", u.Username, \"usage\")+\"?mode=add\", bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\terr = render.DecodeJSON(rr.Body, &user)\n\tassert.NoError(t, err)\n\tassert.Equal(t, usedQuotaFiles*2, user.UsedQuotaFiles)\n\tassert.Equal(t, usedQuotaSize*2, user.UsedQuotaSize)\n\treq, _ = http.NewRequest(http.MethodPut, path.Join(quotasBasePath, \"users\", u.Username, \"usage\"), bytes.NewBuffer([]byte(\"string\")))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.True(t, common.QuotaScans.AddUserQuotaScan(user.Username, \"\"))\n\treq, _ = http.NewRequest(http.MethodPut, path.Join(quotasBasePath, \"users\", u.Username, \"usage\"), bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusConflict, rr)\n\tassert.True(t, common.QuotaScans.RemoveUserQuotaScan(user.Username))\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestUserPermissionsMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tuser := getTestUser()\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/somedir\"] = []string{dataprovider.PermAny}\n\tuserAsJSON := getUserAsJSON(t, user)\n\treq, _ := http.NewRequest(http.MethodPost, userPath, bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tuser.Permissions[\"..\"] = []string{dataprovider.PermAny}\n\tuserAsJSON = getUserAsJSON(t, user)\n\treq, _ = http.NewRequest(http.MethodPost, userPath, bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tuserAsJSON = getUserAsJSON(t, user)\n\treq, _ = http.NewRequest(http.MethodPost, userPath, bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\terr = render.DecodeJSON(rr.Body, &user)\n\tassert.NoError(t, err)\n\tuser.Permissions[\"/somedir\"] = []string{\"invalid\"}\n\tuserAsJSON = getUserAsJSON(t, user)\n\treq, _ = http.NewRequest(http.MethodPut, path.Join(userPath, user.Username), bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tdelete(user.Permissions, \"/somedir\")\n\tuser.Permissions[\"/somedir/..\"] = []string{dataprovider.PermAny}\n\tuserAsJSON = getUserAsJSON(t, user)\n\treq, _ = http.NewRequest(http.MethodPut, path.Join(userPath, user.Username), bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tdelete(user.Permissions, \"/somedir/..\")\n\tuser.Permissions[\"not_abs_path\"] = []string{dataprovider.PermAny}\n\tuserAsJSON = getUserAsJSON(t, user)\n\treq, _ = http.NewRequest(http.MethodPut, path.Join(userPath, user.Username), bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tdelete(user.Permissions, \"not_abs_path\")\n\tuser.Permissions[\"/somedir/../otherdir/\"] = []string{dataprovider.PermListItems}\n\tuserAsJSON = getUserAsJSON(t, user)\n\treq, _ = http.NewRequest(http.MethodPut, path.Join(userPath, user.Username), bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar updatedUser dataprovider.User\n\terr = render.DecodeJSON(rr.Body, &updatedUser)\n\tassert.NoError(t, err)\n\tif val, ok := updatedUser.Permissions[\"/otherdir\"]; ok {\n\t\tassert.True(t, slices.Contains(val, dataprovider.PermListItems))\n\t\tassert.Equal(t, 1, len(val))\n\t} else {\n\t\tassert.Fail(t, \"expected dir not found in permissions\")\n\t}\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestUpdateUserInvalidJsonMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tuser := getTestUser()\n\tuserAsJSON := getUserAsJSON(t, user)\n\treq, _ := http.NewRequest(http.MethodPost, userPath, bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\terr = render.DecodeJSON(rr.Body, &user)\n\tassert.NoError(t, err)\n\treq, _ = http.NewRequest(http.MethodPut, path.Join(userPath, user.Username), bytes.NewBuffer([]byte(\"Invalid json\")))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestUpdateUserInvalidParamsMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tuser := getTestUser()\n\tuserAsJSON := getUserAsJSON(t, user)\n\treq, _ := http.NewRequest(http.MethodPost, userPath, bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\terr = render.DecodeJSON(rr.Body, &user)\n\tassert.NoError(t, err)\n\tuser.HomeDir = \"\"\n\tuserAsJSON = getUserAsJSON(t, user)\n\treq, _ = http.NewRequest(http.MethodPut, path.Join(userPath, user.Username), bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tuserID := user.ID\n\tuser.ID = 0\n\tuser.CreatedAt = 0\n\tuserAsJSON = getUserAsJSON(t, user)\n\treq, _ = http.NewRequest(http.MethodPut, path.Join(userPath, user.Username), bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tuser.ID = userID\n\treq, _ = http.NewRequest(http.MethodPut, userPath+\"/0\", bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestGetAdminsMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tadmin := getTestAdmin()\n\tadmin.Username = altAdminUsername\n\tasJSON, err := json.Marshal(admin)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodPost, adminPath, bytes.NewBuffer(asJSON))\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, adminPath+\"?limit=510&offset=0&order=ASC\", nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar admins []dataprovider.Admin\n\terr = render.DecodeJSON(rr.Body, &admins)\n\tassert.NoError(t, err)\n\tassert.GreaterOrEqual(t, len(admins), 1)\n\tfirtAdmin := admins[0].Username\n\treq, _ = http.NewRequest(http.MethodGet, adminPath+\"?limit=510&offset=0&order=DESC\", nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tadmins = nil\n\terr = render.DecodeJSON(rr.Body, &admins)\n\tassert.NoError(t, err)\n\tassert.GreaterOrEqual(t, len(admins), 1)\n\tassert.NotEqual(t, firtAdmin, admins[0].Username)\n\n\treq, _ = http.NewRequest(http.MethodGet, adminPath+\"?limit=510&offset=1&order=ASC\", nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tadmins = nil\n\terr = render.DecodeJSON(rr.Body, &admins)\n\tassert.NoError(t, err)\n\tassert.GreaterOrEqual(t, len(admins), 1)\n\tassert.NotEqual(t, firtAdmin, admins[0].Username)\n\n\treq, _ = http.NewRequest(http.MethodGet, adminPath+\"?limit=a&offset=0&order=ASC\", nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\treq, _ = http.NewRequest(http.MethodGet, adminPath+\"?limit=1&offset=aa&order=ASC\", nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\treq, _ = http.NewRequest(http.MethodGet, adminPath+\"?limit=1&offset=0&order=ASCa\", nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(adminPath, admin.Username), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestGetUsersMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tuser := getTestUser()\n\tuserAsJSON := getUserAsJSON(t, user)\n\treq, _ := http.NewRequest(http.MethodPost, userPath, bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\terr = render.DecodeJSON(rr.Body, &user)\n\tassert.NoError(t, err)\n\treq, _ = http.NewRequest(http.MethodGet, userPath+\"?limit=510&offset=0&order=ASC\", nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar users []dataprovider.User\n\terr = render.DecodeJSON(rr.Body, &users)\n\tassert.NoError(t, err)\n\tassert.GreaterOrEqual(t, len(users), 1)\n\treq, _ = http.NewRequest(http.MethodGet, userPath+\"?limit=aa&offset=0&order=ASC\", nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\treq, _ = http.NewRequest(http.MethodGet, userPath+\"?limit=1&offset=a&order=ASC\", nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\treq, _ = http.NewRequest(http.MethodGet, userPath+\"?limit=1&offset=0&order=ASCc\", nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestDeleteUserInvalidParamsMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodDelete, userPath+\"/0\", nil)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n}\n\nfunc TestGetQuotaScansMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodGet, quotaScanPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestStartQuotaScanMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tuser := getTestUser()\n\tuserAsJSON := getUserAsJSON(t, user)\n\treq, _ := http.NewRequest(http.MethodPost, userPath, bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\terr = render.DecodeJSON(rr.Body, &user)\n\tassert.NoError(t, err)\n\t_, err = os.Stat(user.HomeDir)\n\tif err == nil {\n\t\terr = os.Remove(user.HomeDir)\n\t\tassert.NoError(t, err)\n\t}\n\t// simulate a duplicate quota scan\n\tcommon.QuotaScans.AddUserQuotaScan(user.Username, \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(quotasBasePath, \"users\", user.Username, \"scan\"), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusConflict, rr)\n\tassert.True(t, common.QuotaScans.RemoveUserQuotaScan(user.Username))\n\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(quotasBasePath, \"users\", user.Username, \"scan\"), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusAccepted, rr)\n\n\twaitForUsersQuotaScan(t, token)\n\n\t_, err = os.Stat(user.HomeDir)\n\tif err != nil && errors.Is(err, fs.ErrNotExist) {\n\t\terr = os.MkdirAll(user.HomeDir, os.ModePerm)\n\t\tassert.NoError(t, err)\n\t}\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(quotasBasePath, \"users\", user.Username, \"scan\"), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusAccepted, rr)\n\n\twaitForUsersQuotaScan(t, token)\n\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(quotasBasePath, \"users\", user.Username, \"scan\"), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusAccepted, rr)\n\n\twaitForUsersQuotaScan(t, token)\n\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestUpdateFolderQuotaUsageMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tmappedPath := filepath.Join(os.TempDir(), \"vfolder\")\n\tfolderName := filepath.Base(mappedPath)\n\tf := vfs.BaseVirtualFolder{\n\t\tMappedPath: mappedPath,\n\t\tName: folderName,\n\t}\n\tusedQuotaFiles := 1\n\tusedQuotaSize := int64(65535)\n\tf.UsedQuotaFiles = usedQuotaFiles\n\tf.UsedQuotaSize = usedQuotaSize\n\tvar folder vfs.BaseVirtualFolder\n\tfolderAsJSON, err := json.Marshal(f)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodPost, folderPath, bytes.NewBuffer(folderAsJSON))\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\terr = render.DecodeJSON(rr.Body, &folder)\n\tassert.NoError(t, err)\n\treq, _ = http.NewRequest(http.MethodPut, path.Join(quotasBasePath, \"folders\", folder.Name, \"usage\"), bytes.NewBuffer(folderAsJSON))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar folderGet vfs.BaseVirtualFolder\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(folderPath, folderName), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\terr = render.DecodeJSON(rr.Body, &folderGet)\n\tassert.NoError(t, err)\n\tassert.Equal(t, usedQuotaFiles, folderGet.UsedQuotaFiles)\n\tassert.Equal(t, usedQuotaSize, folderGet.UsedQuotaSize)\n\t// now update only quota size\n\tf.UsedQuotaFiles = 0\n\tfolderAsJSON, err = json.Marshal(f)\n\tassert.NoError(t, err)\n\treq, _ = http.NewRequest(http.MethodPut, path.Join(quotasBasePath, \"folders\", folder.Name, \"usage\")+\"?mode=add\",\n\t\tbytes.NewBuffer(folderAsJSON))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tfolderGet = vfs.BaseVirtualFolder{}\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(folderPath, folderName), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\terr = render.DecodeJSON(rr.Body, &folderGet)\n\tassert.NoError(t, err)\n\tassert.Equal(t, usedQuotaFiles, folderGet.UsedQuotaFiles)\n\tassert.Equal(t, usedQuotaSize*2, folderGet.UsedQuotaSize)\n\t// now update only quota files\n\tf.UsedQuotaSize = 0\n\tf.UsedQuotaFiles = 1\n\tfolderAsJSON, err = json.Marshal(f)\n\tassert.NoError(t, err)\n\treq, _ = http.NewRequest(http.MethodPut, path.Join(quotasBasePath, \"folders\", folder.Name, \"usage\")+\"?mode=add\",\n\t\tbytes.NewBuffer(folderAsJSON))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tfolderGet = vfs.BaseVirtualFolder{}\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(folderPath, folderName), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\terr = render.DecodeJSON(rr.Body, &folderGet)\n\tassert.NoError(t, err)\n\tassert.Equal(t, usedQuotaFiles*2, folderGet.UsedQuotaFiles)\n\tassert.Equal(t, usedQuotaSize*2, folderGet.UsedQuotaSize)\n\treq, _ = http.NewRequest(http.MethodPut, path.Join(quotasBasePath, \"folders\", folder.Name, \"usage\"),\n\t\tbytes.NewBuffer([]byte(\"not a json\")))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\tassert.True(t, common.QuotaScans.AddVFolderQuotaScan(folderName))\n\treq, _ = http.NewRequest(http.MethodPut, path.Join(quotasBasePath, \"folders\", folder.Name, \"usage\"),\n\t\tbytes.NewBuffer(folderAsJSON))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusConflict, rr)\n\tassert.True(t, common.QuotaScans.RemoveVFolderQuotaScan(folderName))\n\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(folderPath, folderName), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestStartFolderQuotaScanMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tmappedPath := filepath.Join(os.TempDir(), \"vfolder\")\n\tfolderName := filepath.Base(mappedPath)\n\tfolder := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: mappedPath,\n\t}\n\tfolderAsJSON, err := json.Marshal(folder)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodPost, folderPath, bytes.NewBuffer(folderAsJSON))\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\t_, err = os.Stat(mappedPath)\n\tif err == nil {\n\t\terr = os.Remove(mappedPath)\n\t\tassert.NoError(t, err)\n\t}\n\t// simulate a duplicate quota scan\n\tcommon.QuotaScans.AddVFolderQuotaScan(folderName)\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(quotasBasePath, \"folders\", folder.Name, \"scan\"), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusConflict, rr)\n\tassert.True(t, common.QuotaScans.RemoveVFolderQuotaScan(folderName))\n\t// and now a real quota scan\n\t_, err = os.Stat(mappedPath)\n\tif err != nil && errors.Is(err, fs.ErrNotExist) {\n\t\terr = os.MkdirAll(mappedPath, os.ModePerm)\n\t\tassert.NoError(t, err)\n\t}\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(quotasBasePath, \"folders\", folder.Name, \"scan\"), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusAccepted, rr)\n\twaitForFoldersQuotaScanPath(t, token)\n\t// cleanup\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(folderPath, folderName), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\terr = os.RemoveAll(folderPath)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestStartQuotaScanNonExistentUserMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tuser := getTestUser()\n\n\treq, _ := http.NewRequest(http.MethodPost, path.Join(quotasBasePath, \"users\", user.Username, \"scan\"), nil)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n}\n\nfunc TestStartQuotaScanNonExistentFolderMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tfolder := vfs.BaseVirtualFolder{\n\t\tName: \"afolder\",\n\t}\n\treq, _ := http.NewRequest(http.MethodPost, path.Join(quotasBasePath, \"folders\", folder.Name, \"scan\"), nil)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n}\n\nfunc TestGetFoldersMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tmappedPath := filepath.Join(os.TempDir(), \"vfolder\")\n\tfolderName := filepath.Base(mappedPath)\n\tfolder := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: mappedPath,\n\t}\n\tfolderAsJSON, err := json.Marshal(folder)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodPost, folderPath, bytes.NewBuffer(folderAsJSON))\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\terr = render.DecodeJSON(rr.Body, &folder)\n\tassert.NoError(t, err)\n\n\tvar folders []vfs.BaseVirtualFolder\n\turl, err := url.Parse(folderPath + \"?limit=510&offset=0&order=DESC\")\n\tassert.NoError(t, err)\n\treq, _ = http.NewRequest(http.MethodGet, url.String(), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\terr = render.DecodeJSON(rr.Body, &folders)\n\tassert.NoError(t, err)\n\tassert.GreaterOrEqual(t, len(folders), 1)\n\treq, _ = http.NewRequest(http.MethodGet, folderPath+\"?limit=a&offset=0&order=ASC\", nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\treq, _ = http.NewRequest(http.MethodGet, folderPath+\"?limit=1&offset=a&order=ASC\", nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\treq, _ = http.NewRequest(http.MethodGet, folderPath+\"?limit=1&offset=0&order=ASCV\", nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(folderPath, folderName), nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestGetVersionMock(t *testing.T) {\n\treq, _ := http.NewRequest(http.MethodGet, versionPath, nil)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, _ = http.NewRequest(http.MethodGet, versionPath, nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\treq, _ = http.NewRequest(http.MethodGet, versionPath, nil)\n\tsetBearerForReq(req, \"abcde\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n}\n\nfunc TestGetConnectionsMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodGet, activeConnectionsPath, nil)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestGetStatusMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodGet, serverStatusPath, nil)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestDeleteActiveConnectionMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodDelete, activeConnectionsPath+\"/connectionID\", nil)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\treq.Header.Set(dataprovider.NodeTokenHeader, \"Bearer abc\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\tassert.Contains(t, rr.Body.String(), \"the provided token cannot be authenticated\")\n\treq, err = http.NewRequest(http.MethodDelete, activeConnectionsPath+\"/connectionID?node=node1\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n}\n\nfunc TestNotFoundMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodGet, \"/non/existing/path\", nil)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n}\n\nfunc TestMethodNotAllowedMock(t *testing.T) {\n\treq, _ := http.NewRequest(http.MethodPost, activeConnectionsPath, nil)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusMethodNotAllowed, rr)\n}\n\nfunc TestHealthCheck(t *testing.T) {\n\treq, _ := http.NewRequest(http.MethodGet, healthzPath, nil)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Equal(t, \"ok\", rr.Body.String())\n}\n\nfunc TestGetWebRootMock(t *testing.T) {\n\treq, _ := http.NewRequest(http.MethodGet, \"/\", nil)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\treq, _ = http.NewRequest(http.MethodGet, webBasePath, nil)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\treq, _ = http.NewRequest(http.MethodGet, webBasePathAdmin, nil)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webLoginPath, rr.Header().Get(\"Location\"))\n\treq, _ = http.NewRequest(http.MethodGet, webBasePathClient, nil)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n}\n\nfunc TestWebNotFoundURI(t *testing.T) {\n\turlString := httpBaseURL + webBasePath + \"/a\"\n\treq, err := http.NewRequest(http.MethodGet, urlString, nil)\n\tassert.NoError(t, err)\n\tresp, err := httpclient.GetHTTPClient().Do(req)\n\trequire.NoError(t, err)\n\tdefer resp.Body.Close()\n\tassert.Equal(t, http.StatusNotFound, resp.StatusCode)\n\n\treq, err = http.NewRequest(http.MethodGet, urlString, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, \"invalid token\")\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\trequire.NoError(t, err)\n\tdefer resp.Body.Close()\n\tassert.Equal(t, http.StatusNotFound, resp.StatusCode)\n\n\turlString = httpBaseURL + webBasePathClient + \"/a\"\n\treq, err = http.NewRequest(http.MethodGet, urlString, nil)\n\tassert.NoError(t, err)\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\trequire.NoError(t, err)\n\tdefer resp.Body.Close()\n\tassert.Equal(t, http.StatusNotFound, resp.StatusCode)\n\n\treq, err = http.NewRequest(http.MethodGet, urlString, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, \"invalid client token\")\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\trequire.NoError(t, err)\n\tdefer resp.Body.Close()\n\tassert.Equal(t, http.StatusNotFound, resp.StatusCode)\n}\n\nfunc TestLogout(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodGet, serverStatusPath, nil)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, logoutPath, nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, serverStatusPath, nil)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\tassert.Contains(t, rr.Body.String(), \"Your token is no longer valid\")\n}\n\nfunc TestDefenderAPIInvalidIDMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodGet, path.Join(defenderHosts, \"abc\"), nil) // not hex id\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"invalid host id\")\n}\n\nfunc TestTokenHeaderCookie(t *testing.T) {\n\tapiToken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\n\treq, _ := http.NewRequest(http.MethodGet, serverStatusPath, nil)\n\tsetJWTCookieForReq(req, apiToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\tassert.Contains(t, rr.Body.String(), \"no token found\")\n\n\treq, _ = http.NewRequest(http.MethodGet, serverStatusPath, nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, webStatusPath, nil)\n\tsetBearerForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webLoginPath, rr.Header().Get(\"Location\"))\n\n\treq, _ = http.NewRequest(http.MethodGet, webStatusPath, nil)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestTokenAudience(t *testing.T) {\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tapiToken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\n\treq, _ := http.NewRequest(http.MethodGet, serverStatusPath, nil)\n\tsetBearerForReq(req, apiToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, serverStatusPath, nil)\n\tsetBearerForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\tassert.Contains(t, rr.Body.String(), \"Your token audience is not valid\")\n\n\treq, _ = http.NewRequest(http.MethodGet, webStatusPath, nil)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, webStatusPath, nil)\n\tsetJWTCookieForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webLoginPath, rr.Header().Get(\"Location\"))\n}\n\nfunc TestWebAPILoginMock(t *testing.T) {\n\t_, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.Error(t, err)\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\t_, err = getJWTAPIUserTokenFromTestServer(defaultUsername+\"1\", defaultPassword)\n\tassert.Error(t, err)\n\t_, err = getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword+\"1\")\n\tassert.Error(t, err)\n\tapiToken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\twebToken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\t// a web token is not valid for API usage\n\treq, err := http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\tassert.Contains(t, rr.Body.String(), \"Your token audience is not valid\")\n\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath+\"/?path=%2F\", nil) //nolint:goconst\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// API token is not valid for web usage\n\treq, _ = http.NewRequest(http.MethodGet, webClientProfilePath, nil)\n\tsetJWTCookieForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\n\treq, _ = http.NewRequest(http.MethodGet, webClientProfilePath, nil)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestWebClientLoginMock(t *testing.T) {\n\t_, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.Error(t, err)\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\twebToken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\t// a web token is not valid for API or WebAdmin usage\n\treq, _ := http.NewRequest(http.MethodGet, serverStatusPath, nil)\n\tsetBearerForReq(req, webToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\tassert.Contains(t, rr.Body.String(), \"Your token audience is not valid\")\n\treq, _ = http.NewRequest(http.MethodGet, webStatusPath, nil)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webLoginPath, rr.Header().Get(\"Location\"))\n\t// bearer should not work\n\treq, _ = http.NewRequest(http.MethodGet, webClientProfilePath, nil)\n\tsetBearerForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\treq, _ = http.NewRequest(http.MethodGet, webClientPingPath, nil)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetBearerForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\t// now try to render client pages\n\treq, _ = http.NewRequest(http.MethodGet, webClientProfilePath, nil)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\treq, _ = http.NewRequest(http.MethodGet, webClientPingPath, nil)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// now logout\n\treq, _ = http.NewRequest(http.MethodGet, webClientLogoutPath, nil)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\treq, _ = http.NewRequest(http.MethodGet, webClientProfilePath, nil)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\treq, _ = http.NewRequest(http.MethodGet, webClientPingPath, nil)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\t// get a new token and use it after removing the user\n\twebToken, err = getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\tapiUserToken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webClientProfilePath, webToken)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\treq, _ = http.NewRequest(http.MethodGet, webClientProfilePath, nil)\n\tsetJWTCookieForReq(req, webToken)\n\treq.RemoteAddr = defaultRemoteAddr\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorGetUser)\n\n\treq, _ = http.NewRequest(http.MethodGet, webClientDirsPath, nil)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorDirListUser)\n\n\tform := make(url.Values)\n\tform.Set(\"files\", `[]`)\n\tform.Set(csrfFormToken, csrfToken)\n\treq, _ = http.NewRequest(http.MethodPost, webClientDownloadZipPath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorGetUser)\n\n\treq, _ = http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tsetBearerForReq(req, apiUserToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\tassert.Contains(t, rr.Body.String(), \"Unable to retrieve your user\")\n\n\treq, _ = http.NewRequest(http.MethodGet, userFilesPath, nil)\n\tsetBearerForReq(req, apiUserToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\tassert.Contains(t, rr.Body.String(), \"Unable to retrieve your user\")\n\n\treq, _ = http.NewRequest(http.MethodPost, userStreamZipPath, bytes.NewBuffer([]byte(`{}`)))\n\tsetBearerForReq(req, apiUserToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\tassert.Contains(t, rr.Body.String(), \"Unable to retrieve your user\")\n\n\tform = make(url.Values)\n\tform.Set(\"public_keys\", testPubKey)\n\tform.Set(csrfFormToken, csrfToken)\n\treq, _ = http.NewRequest(http.MethodPost, webClientProfilePath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n}\n\nfunc TestWebClientLoginErrorsMock(t *testing.T) {\n\tform := getLoginForm(\"\", \"\", \"\")\n\treq, _ := http.NewRequest(http.MethodPost, webClientLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr := executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCredentials)\n\n\tform = getLoginForm(defaultUsername, defaultPassword, \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webClientLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n}\n\nfunc TestWebClientMaxConnections(t *testing.T) {\n\toldValue := common.Config.MaxTotalConnections\n\tcommon.Config.MaxTotalConnections = 1\n\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\twebToken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\tsetJWTCookieForReq(req, webToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\t// now add a fake connection\n\tfs := vfs.NewOsFs(\"id\", os.TempDir(), \"\", nil)\n\tconnection := &httpd.Connection{\n\t\tBaseConnection: common.NewBaseConnection(fs.ConnectionID(), common.ProtocolHTTP, \"\", \"\", user),\n\t}\n\terr = common.Connections.Add(connection)\n\tassert.NoError(t, err)\n\n\t_, err = getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.Error(t, err)\n\n\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), common.ErrConnectionDenied.Error())\n\n\tcommon.Connections.Remove(connection.GetID())\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\tassert.Len(t, common.Connections.GetStats(\"\"), 0)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n\n\tcommon.Config.MaxTotalConnections = oldValue\n}\n\nfunc TestTokenInvalidIPAddress(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\twebToken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = webClientFilesPath\n\tsetJWTCookieForReq(req, webToken)\n\treq.RemoteAddr = \"1.1.1.2\"\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\n\tapiToken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath+\"/?path=%2F\", nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = \"2.2.2.2\"\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\tassert.Contains(t, rr.Body.String(), \"Your token is not valid\")\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestDefender(t *testing.T) {\n\toldConfig := config.GetCommonConfig()\n\n\tcfg := config.GetCommonConfig()\n\tcfg.DefenderConfig.Enabled = true\n\tcfg.DefenderConfig.Threshold = 3\n\tcfg.DefenderConfig.ScoreLimitExceeded = 2\n\n\terr := common.Initialize(cfg, 0)\n\tassert.NoError(t, err)\n\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tremoteAddr := \"172.16.5.6:9876\"\n\n\twebAdminToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\twebToken, err := getJWTWebClientTokenFromTestServerWithAddr(defaultUsername, defaultPassword, remoteAddr)\n\tassert.NoError(t, err)\n\n\treq, _ := http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\treq.RequestURI = webClientFilesPath\n\tsetJWTCookieForReq(req, webToken)\n\treq.RemoteAddr = remoteAddr\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tfor i := 0; i < 3; i++ {\n\t\t_, err = getJWTWebClientTokenFromTestServerWithAddr(defaultUsername, \"wrong pwd\", remoteAddr)\n\t\tassert.Error(t, err)\n\t}\n\n\t_, err = getJWTWebClientTokenFromTestServerWithAddr(defaultUsername, defaultPassword, remoteAddr)\n\tassert.Error(t, err)\n\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\treq.RequestURI = webClientFilesPath\n\tsetJWTCookieForReq(req, webToken)\n\treq.RemoteAddr = remoteAddr\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorIPForbidden)\n\n\treq, _ = http.NewRequest(http.MethodGet, webUsersPath, nil)\n\treq.RequestURI = webUsersPath\n\tsetJWTCookieForReq(req, webAdminToken)\n\treq.RemoteAddr = remoteAddr\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorIPForbidden)\n\n\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\treq.Header.Set(\"X-Real-IP\", \"127.0.0.1:2345\")\n\tsetJWTCookieForReq(req, webToken)\n\treq.RemoteAddr = remoteAddr\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"your IP address is blocked\")\n\t// requests for static files should be always allowed\n\treq, err = http.NewRequest(http.MethodGet, \"/static/favicon.png\", nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = remoteAddr\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Empty(t, rr.Header().Get(\"Cache-Control\"))\n\n\treq, err = http.NewRequest(http.MethodGet, \"/.well-known/acme-challenge/foo\", nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = remoteAddr\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\tassert.Equal(t, \"no-cache, no-store, max-age=0, must-revalidate, private\", rr.Header().Get(\"Cache-Control\"))\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\terr = common.Initialize(oldConfig, 0)\n\tassert.NoError(t, err)\n}\n\nfunc TestPostConnectHook(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tcommon.Config.PostConnectHook = postConnectPath\n\n\tu := getTestUser()\n\tu.Filters.AllowAPIKeyAuth = true\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tapiKey, _, err := httpdtest.AddAPIKey(dataprovider.APIKey{\n\t\tName: \"name\",\n\t\tScope: dataprovider.APIKeyScopeUser,\n\t\tUser: user.Username,\n\t}, http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(postConnectPath, getExitCodeScriptContent(0), os.ModePerm)\n\tassert.NoError(t, err)\n\n\t_, err = getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\t_, err = getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, apiKey.Key, \"\")\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\terr = os.WriteFile(postConnectPath, getExitCodeScriptContent(1), os.ModePerm)\n\tassert.NoError(t, err)\n\n\t_, err = getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.Error(t, err)\n\n\t_, err = getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.Error(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, apiKey.Key, \"\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tcommon.Config.PostConnectHook = \"\"\n}\n\nfunc TestMaxSessions(t *testing.T) {\n\tu := getTestUser()\n\tu.MaxSessions = 1\n\tu.Email = \"user@session.com\"\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\twebToken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\tapiToken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\t// now add a fake connection\n\tfs := vfs.NewOsFs(\"id\", os.TempDir(), \"\", nil)\n\tconnection := &httpd.Connection{\n\t\tBaseConnection: common.NewBaseConnection(fs.ConnectionID(), common.ProtocolHTTP, \"\", \"\", user),\n\t}\n\terr = common.Connections.Add(connection)\n\tassert.NoError(t, err)\n\t_, err = getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.Error(t, err)\n\t_, err = getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.Error(t, err)\n\t// try an user API call\n\treq, err := http.NewRequest(http.MethodGet, userDirsPath+\"/?path=%2F\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, apiToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusTooManyRequests, rr)\n\tassert.Contains(t, rr.Body.String(), \"too many open sessions\")\n\t// web client requests\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webClientProfilePath, webToken)\n\tassert.NoError(t, err)\n\tform := make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"files\", `[]`)\n\treq, err = http.NewRequest(http.MethodPost, webClientDownloadZipPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusTooManyRequests, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError429Message)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusTooManyRequests, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorDirList429)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientFilesPath+\"?path=p\", nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusTooManyRequests, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError429Message)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientEditFilePath+\"?path=file\", nil) //nolint:goconst\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusTooManyRequests, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError429Message)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientGetPDFPath+\"?path=file\", nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusTooManyRequests, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError429Message)\n\n\t// test reset password\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 3525,\n\t\tFrom: \"notification@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr = smtpCfg.Initialize(configDir, true)\n\tassert.NoError(t, err)\n\n\tloginCookie, csrfToken, err := getCSRFTokenMock(webClientLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform = make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"username\", user.Username)\n\tlastResetCode = \"\"\n\treq, err = http.NewRequest(http.MethodPost, webClientForgotPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.GreaterOrEqual(t, len(lastResetCode), 20)\n\n\tloginCookie, csrfToken, err = getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform = make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"password\", defaultPassword)\n\tform.Set(\"confirm_password\", defaultPassword)\n\tform.Set(\"code\", lastResetCode)\n\treq, err = http.NewRequest(http.MethodPost, webClientResetPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nError429Message)\n\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\tcommon.Connections.Remove(connection.GetID())\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\tassert.Len(t, common.Connections.GetStats(\"\"), 0)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n}\n\nfunc TestMaxTransfers(t *testing.T) {\n\toldValue := common.Config.MaxPerHostConnections\n\tcommon.Config.MaxPerHostConnections = 2\n\n\tassert.Eventually(t, func() bool {\n\t\treturn common.Connections.GetClientConnections() == 0\n\t}, 1000*time.Millisecond, 50*time.Millisecond)\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\twebToken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\twebAPIToken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\tshare := dataprovider.Share{\n\t\tName: \"test share\",\n\t\tScope: dataprovider.ShareScopeReadWrite,\n\t\tPaths: []string{\"/\"},\n\t\tPassword: defaultPassword,\n\t}\n\tasJSON, err := json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tobjectID := rr.Header().Get(\"X-Object-ID\")\n\tassert.NotEmpty(t, objectID)\n\n\tfileName := \"testfile.txt\"\n\treq, err = http.NewRequest(http.MethodPost, userUploadFilePath+\"?path=\"+fileName, bytes.NewBuffer([]byte(\" \")))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\tconn, sftpClient, err := getSftpClient(user)\n\tassert.NoError(t, err)\n\tdefer conn.Close()\n\tdefer sftpClient.Close()\n\n\tf1, err := sftpClient.Create(\"file1\")\n\tassert.NoError(t, err)\n\tf2, err := sftpClient.Create(\"file2\")\n\tassert.NoError(t, err)\n\t_, err = f1.Write([]byte(\" \"))\n\tassert.NoError(t, err)\n\t_, err = f2.Write([]byte(\" \"))\n\tassert.NoError(t, err)\n\n\tbody := new(bytes.Buffer)\n\twriter := multipart.NewWriter(body)\n\tpart, err := writer.CreateFormFile(\"filenames\", \"filepre\")\n\tassert.NoError(t, err)\n\t_, err = part.Write([]byte(\"file content\"))\n\tassert.NoError(t, err)\n\terr = writer.Close()\n\tassert.NoError(t, err)\n\treader := bytes.NewReader(body.Bytes())\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userFilesPath, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusConflict, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientFilesPath+\"?path=\"+fileName, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError403Message)\n\n\treq, err = http.NewRequest(http.MethodPost, userUploadFilePath+\"?path=\"+fileName, bytes.NewBuffer([]byte(\" \")))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\tbody = new(bytes.Buffer)\n\twriter = multipart.NewWriter(body)\n\tpart1, err := writer.CreateFormFile(\"filenames\", \"file11.txt\")\n\tassert.NoError(t, err)\n\t_, err = part1.Write([]byte(\"file11 content\"))\n\tassert.NoError(t, err)\n\tpart2, err := writer.CreateFormFile(\"filenames\", \"file22.txt\")\n\tassert.NoError(t, err)\n\t_, err = part2.Write([]byte(\"file22 content\"))\n\tassert.NoError(t, err)\n\terr = writer.Close()\n\tassert.NoError(t, err)\n\treader = bytes.NewReader(body.Bytes())\n\treq, err = http.NewRequest(http.MethodPost, sharesPath+\"/\"+objectID, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusConflict, rr)\n\n\terr = f1.Close()\n\tassert.NoError(t, err)\n\terr = f2.Close()\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool {\n\t\treturn len(common.Connections.GetStats(\"\")) == 0\n\t}, 1000*time.Millisecond, 50*time.Millisecond)\n\tassert.Eventually(t, func() bool {\n\t\treturn common.Connections.GetTotalTransfers() == 0\n\t}, 1000*time.Millisecond, 50*time.Millisecond)\n\n\tcommon.Config.MaxPerHostConnections = oldValue\n}\n\nfunc TestWebConfigsMock(t *testing.T) {\n\tacmeConfig := config.GetACMEConfig()\n\tacmeConfig.CertsPath = filepath.Clean(os.TempDir())\n\terr := acme.Initialize(acmeConfig, configDir, true)\n\trequire.NoError(t, err)\n\terr = dataprovider.UpdateConfigs(nil, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodGet, webConfigsPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tform := make(url.Values)\n\tb, contentType, err := getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webConfigsPath, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\t// parse form error\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webConfigsPath, webToken)\n\tassert.NoError(t, err)\n\tform.Set(csrfFormToken, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webConfigsPath+\"?p=p%C3%AO%GH\", bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\t// save SFTP configs\n\tform.Set(\"sftp_host_key_algos\", ssh.KeyAlgoRSA)\n\tform.Add(\"sftp_host_key_algos\", ssh.InsecureCertAlgoDSAv01) //nolint:staticcheck\n\tform.Set(\"sftp_pub_key_algos\", ssh.InsecureKeyAlgoDSA) //nolint:staticcheck\n\tform.Set(\"form_action\", \"sftp_submit\")\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webConfigsPath, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message) // invalid algo\n\tform.Set(\"sftp_host_key_algos\", ssh.KeyAlgoRSA)\n\tform.Add(\"sftp_host_key_algos\", ssh.CertAlgoRSAv01)\n\tform.Set(\"sftp_pub_key_algos\", ssh.InsecureKeyAlgoDSA) //nolint:staticcheck\n\tform.Set(\"sftp_kex_algos\", \"diffie-hellman-group18-sha512\")\n\tform.Add(\"sftp_kex_algos\", ssh.KeyExchangeDH16SHA512)\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webConfigsPath, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nConfigsOK)\n\t// check SFTP configs\n\tconfigs, err := dataprovider.GetConfigs()\n\tassert.NoError(t, err)\n\tassert.Len(t, configs.SFTPD.HostKeyAlgos, 1)\n\tassert.Contains(t, configs.SFTPD.HostKeyAlgos, ssh.KeyAlgoRSA)\n\tassert.Len(t, configs.SFTPD.PublicKeyAlgos, 1)\n\tassert.Contains(t, configs.SFTPD.PublicKeyAlgos, ssh.InsecureKeyAlgoDSA) //nolint:staticcheck\n\tassert.Len(t, configs.SFTPD.KexAlgorithms, 1)\n\tassert.Contains(t, configs.SFTPD.KexAlgorithms, ssh.KeyExchangeDH16SHA512)\n\t// invalid form action\n\tform.Set(\"form_action\", \"\")\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webConfigsPath, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError400Message)\n\t// test SMTP configs\n\tform.Set(\"form_action\", \"smtp_submit\")\n\tform.Set(\"smtp_host\", \"mail.example.net\")\n\tform.Set(\"smtp_from\", \"Example \")\n\tform.Set(\"smtp_username\", defaultUsername)\n\tform.Set(\"smtp_password\", defaultPassword)\n\tform.Set(\"smtp_domain\", \"localdomain\")\n\tform.Set(\"smtp_auth\", \"100\")\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webConfigsPath, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message) // invalid smtp_auth\n\t// set valid parameters\n\tform.Set(\"smtp_port\", \"a\") // converted to 587\n\tform.Set(\"smtp_auth\", \"1\")\n\tform.Set(\"smtp_encryption\", \"2\")\n\tform.Set(\"smtp_debug\", \"checked\")\n\tform.Set(\"smtp_oauth2_provider\", \"1\")\n\tform.Set(\"smtp_oauth2_client_id\", \"123\")\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webConfigsPath, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nConfigsOK)\n\t// check\n\tconfigs, err = dataprovider.GetConfigs()\n\tassert.NoError(t, err)\n\tassert.Len(t, configs.SFTPD.HostKeyAlgos, 1)\n\tassert.Contains(t, configs.SFTPD.HostKeyAlgos, ssh.KeyAlgoRSA)\n\tassert.Len(t, configs.SFTPD.PublicKeyAlgos, 1)\n\tassert.Contains(t, configs.SFTPD.PublicKeyAlgos, ssh.InsecureKeyAlgoDSA) //nolint:staticcheck\n\tassert.Equal(t, \"mail.example.net\", configs.SMTP.Host)\n\tassert.Equal(t, 587, configs.SMTP.Port)\n\tassert.Equal(t, \"Example \", configs.SMTP.From)\n\tassert.Equal(t, defaultUsername, configs.SMTP.User)\n\tassert.Equal(t, 1, configs.SMTP.Debug)\n\tassert.Equal(t, \"\", configs.SMTP.OAuth2.ClientID)\n\terr = configs.SMTP.Password.Decrypt()\n\tassert.NoError(t, err)\n\tassert.Equal(t, defaultPassword, configs.SMTP.Password.GetPayload())\n\tassert.Equal(t, 1, configs.SMTP.AuthType)\n\tassert.Equal(t, 2, configs.SMTP.Encryption)\n\tassert.Equal(t, \"localdomain\", configs.SMTP.Domain)\n\t// set a redacted password, the current password must be preserved\n\tform.Set(\"smtp_password\", redactedSecret)\n\tform.Set(\"smtp_auth\", \"\")\n\tconfigs.SMTP.AuthType = 0 // empty will be converted to 0\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webConfigsPath, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nConfigsOK)\n\tupdatedConfigs, err := dataprovider.GetConfigs()\n\tassert.NoError(t, err)\n\tencryptedPayload := updatedConfigs.SMTP.Password.GetPayload()\n\tsecretKey := updatedConfigs.SMTP.Password.GetKey()\n\terr = updatedConfigs.SMTP.Password.Decrypt()\n\tassert.NoError(t, err)\n\tassert.Equal(t, configs.SFTPD, updatedConfigs.SFTPD)\n\tassert.Equal(t, configs.SMTP, updatedConfigs.SMTP)\n\t// now set an undecryptable password\n\tupdatedConfigs.SMTP.Password = kms.NewSecret(sdkkms.SecretStatusSecretBox, encryptedPayload, secretKey, \"\")\n\terr = dataprovider.UpdateConfigs(&updatedConfigs, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webConfigsPath, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nConfigsOK)\n\tform.Set(\"form_action\", \"acme_submit\")\n\tform.Set(\"acme_port\", \"\") // on error will be set to 80\n\tform.Set(\"acme_protocols\", \"1\")\n\tform.Add(\"acme_protocols\", \"2\")\n\tform.Add(\"acme_protocols\", \"3\")\n\tform.Set(\"acme_domain\", \"example.com\")\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\t// no email set, validation will fail\n\treq, err = http.NewRequest(http.MethodPost, webConfigsPath, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidEmail)\n\tform.Set(\"acme_domain\", \"\")\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webConfigsPath, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nConfigsOK)\n\t// check\n\tconfigs, err = dataprovider.GetConfigs()\n\tassert.NoError(t, err)\n\tassert.Len(t, configs.SFTPD.HostKeyAlgos, 1)\n\tassert.Contains(t, configs.SFTPD.HostKeyAlgos, ssh.KeyAlgoRSA)\n\tassert.Len(t, configs.SFTPD.PublicKeyAlgos, 1)\n\tassert.Contains(t, configs.SFTPD.PublicKeyAlgos, ssh.InsecureKeyAlgoDSA) //nolint:staticcheck\n\tassert.Equal(t, 80, configs.ACME.HTTP01Challenge.Port)\n\tassert.Equal(t, 7, configs.ACME.Protocols)\n\tassert.Empty(t, configs.ACME.Domain)\n\tassert.Empty(t, configs.ACME.Email)\n\tassert.True(t, configs.ACME.HasProtocol(common.ProtocolFTP))\n\tassert.True(t, configs.ACME.HasProtocol(common.ProtocolWebDAV))\n\tassert.True(t, configs.ACME.HasProtocol(common.ProtocolHTTP))\n\t// create certificate files, so no real ACME call is done\n\tdomain := \"acme.example.com\"\n\tcrtPath := filepath.Join(acmeConfig.CertsPath, util.SanitizeDomain(domain)+\".crt\")\n\tkeyPath := filepath.Join(acmeConfig.CertsPath, util.SanitizeDomain(domain)+\".key\")\n\terr = os.WriteFile(crtPath, nil, 0666)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(keyPath, nil, 0666)\n\tassert.NoError(t, err)\n\tform.Set(\"acme_port\", \"402\")\n\tform.Set(\"acme_protocols\", \"1\")\n\tform.Add(\"acme_protocols\", \"1000\")\n\tform.Set(\"acme_domain\", domain)\n\tform.Set(\"acme_email\", \"email@example.com\")\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webConfigsPath, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nConfigsOK)\n\tconfigs, err = dataprovider.GetConfigs()\n\tassert.NoError(t, err)\n\tassert.Len(t, configs.SFTPD.HostKeyAlgos, 1)\n\tassert.Len(t, configs.SFTPD.PublicKeyAlgos, 1)\n\tassert.Equal(t, 402, configs.ACME.HTTP01Challenge.Port)\n\tassert.Equal(t, 1, configs.ACME.Protocols)\n\tassert.Equal(t, domain, configs.ACME.Domain)\n\tassert.Equal(t, \"email@example.com\", configs.ACME.Email)\n\tassert.False(t, configs.ACME.HasProtocol(common.ProtocolFTP))\n\tassert.False(t, configs.ACME.HasProtocol(common.ProtocolWebDAV))\n\tassert.True(t, configs.ACME.HasProtocol(common.ProtocolHTTP))\n\n\terr = os.Remove(crtPath)\n\tassert.NoError(t, err)\n\terr = os.Remove(keyPath)\n\tassert.NoError(t, err)\n\terr = dataprovider.UpdateConfigs(nil, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n}\n\nfunc TestBrandingConfigMock(t *testing.T) {\n\terr := dataprovider.UpdateConfigs(nil, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\twebClientLogoPath := \"/static/branding/webclient/logo.png\"\n\twebClientFaviconPath := \"/static/branding/webclient/favicon.png\"\n\twebAdminLogoPath := \"/static/branding/webadmin/logo.png\"\n\twebAdminFaviconPath := \"/static/branding/webadmin/favicon.png\"\n\t// no custom log or favicon was set\n\tfor _, p := range []string{webClientLogoPath, webClientFaviconPath, webAdminLogoPath, webAdminFaviconPath} {\n\t\treq, err := http.NewRequest(http.MethodGet, p, nil)\n\t\tassert.NoError(t, err)\n\t\trr := executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusNotFound, rr)\n\t}\n\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webConfigsPath, webToken)\n\tassert.NoError(t, err)\n\tform := make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"form_action\", \"branding_submit\")\n\tform.Set(\"branding_webadmin_name\", \"Custom WebAdmin\")\n\tform.Set(\"branding_webadmin_short_name\", \"WebAdmin\")\n\tform.Set(\"branding_webadmin_disclaimer_name\", \"Admin disclaimer\")\n\tform.Set(\"branding_webadmin_disclaimer_url\", \"invalid, not a URL\")\n\tform.Set(\"branding_webclient_name\", \"Custom WebClient\")\n\tform.Set(\"branding_webclient_short_name\", \"WebClient\")\n\tform.Set(\"branding_webclient_disclaimer_name\", \"Client disclaimer\")\n\tform.Set(\"branding_webclient_disclaimer_url\", \"https://example.com\")\n\tb, contentType, err := getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, webConfigsPath, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidDisclaimerURL)\n\n\tform.Set(\"branding_webadmin_disclaimer_url\", \"https://example.net\")\n\ttmpFile := filepath.Join(os.TempDir(), util.GenerateUniqueID()+\".png\")\n\terr = createTestPNG(tmpFile, 512, 512, color.RGBA{100, 200, 200, 0xff})\n\tassert.NoError(t, err)\n\n\tb, contentType, err = getMultipartFormData(form, \"branding_webadmin_logo\", tmpFile)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webConfigsPath, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nConfigsOK)\n\t// check\n\tconfigs, err := dataprovider.GetConfigs()\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"Custom WebAdmin\", configs.Branding.WebAdmin.Name)\n\tassert.Equal(t, \"WebAdmin\", configs.Branding.WebAdmin.ShortName)\n\tassert.Equal(t, \"Admin disclaimer\", configs.Branding.WebAdmin.DisclaimerName)\n\tassert.Equal(t, \"https://example.net\", configs.Branding.WebAdmin.DisclaimerURL)\n\tassert.Equal(t, \"Custom WebClient\", configs.Branding.WebClient.Name)\n\tassert.Equal(t, \"WebClient\", configs.Branding.WebClient.ShortName)\n\tassert.Equal(t, \"Client disclaimer\", configs.Branding.WebClient.DisclaimerName)\n\tassert.Equal(t, \"https://example.com\", configs.Branding.WebClient.DisclaimerURL)\n\tassert.Greater(t, len(configs.Branding.WebAdmin.Logo), 0)\n\tassert.Len(t, configs.Branding.WebAdmin.Favicon, 0)\n\tassert.Len(t, configs.Branding.WebClient.Logo, 0)\n\tassert.Len(t, configs.Branding.WebClient.Favicon, 0)\n\n\terr = createTestPNG(tmpFile, 256, 256, color.RGBA{120, 220, 220, 0xff})\n\tassert.NoError(t, err)\n\tform.Set(\"branding_webadmin_logo_remove\", \"0\") // 0 preserves WebAdmin logo\n\tb, contentType, err = getMultipartFormData(form, \"branding_webadmin_favicon\", tmpFile)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webConfigsPath, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nConfigsOK)\n\tconfigs, err = dataprovider.GetConfigs()\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"Custom WebAdmin\", configs.Branding.WebAdmin.Name)\n\tassert.Equal(t, \"WebAdmin\", configs.Branding.WebAdmin.ShortName)\n\tassert.Equal(t, \"Admin disclaimer\", configs.Branding.WebAdmin.DisclaimerName)\n\tassert.Equal(t, \"https://example.net\", configs.Branding.WebAdmin.DisclaimerURL)\n\tassert.Equal(t, \"Custom WebClient\", configs.Branding.WebClient.Name)\n\tassert.Equal(t, \"WebClient\", configs.Branding.WebClient.ShortName)\n\tassert.Equal(t, \"Client disclaimer\", configs.Branding.WebClient.DisclaimerName)\n\tassert.Equal(t, \"https://example.com\", configs.Branding.WebClient.DisclaimerURL)\n\tassert.Greater(t, len(configs.Branding.WebAdmin.Logo), 0)\n\tassert.Greater(t, len(configs.Branding.WebAdmin.Favicon), 0)\n\tassert.Len(t, configs.Branding.WebClient.Logo, 0)\n\tassert.Len(t, configs.Branding.WebClient.Favicon, 0)\n\n\terr = createTestPNG(tmpFile, 256, 256, color.RGBA{80, 90, 110, 0xff})\n\tassert.NoError(t, err)\n\tb, contentType, err = getMultipartFormData(form, \"branding_webclient_logo\", tmpFile)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webConfigsPath, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nConfigsOK)\n\tconfigs, err = dataprovider.GetConfigs()\n\tassert.NoError(t, err)\n\tassert.Greater(t, len(configs.Branding.WebClient.Logo), 0)\n\n\terr = createTestPNG(tmpFile, 256, 256, color.RGBA{120, 50, 120, 0xff})\n\tassert.NoError(t, err)\n\tb, contentType, err = getMultipartFormData(form, \"branding_webclient_favicon\", tmpFile)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webConfigsPath, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nConfigsOK)\n\tconfigs, err = dataprovider.GetConfigs()\n\tassert.NoError(t, err)\n\tassert.Greater(t, len(configs.Branding.WebClient.Favicon), 0)\n\n\tfor _, p := range []string{webClientLogoPath, webClientFaviconPath, webAdminLogoPath, webAdminFaviconPath} {\n\t\treq, err := http.NewRequest(http.MethodGet, p, nil)\n\t\tassert.NoError(t, err)\n\t\trr := executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusOK, rr)\n\t}\n\t// remove images\n\tform.Set(\"branding_webadmin_logo_remove\", \"1\")\n\tform.Set(\"branding_webclient_logo_remove\", \"1\")\n\tform.Set(\"branding_webadmin_favicon_remove\", \"1\")\n\tform.Set(\"branding_webclient_favicon_remove\", \"1\")\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webConfigsPath, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nConfigsOK)\n\tconfigs, err = dataprovider.GetConfigs()\n\tassert.NoError(t, err)\n\tassert.Len(t, configs.Branding.WebAdmin.Logo, 0)\n\tassert.Len(t, configs.Branding.WebAdmin.Favicon, 0)\n\tassert.Len(t, configs.Branding.WebClient.Logo, 0)\n\tassert.Len(t, configs.Branding.WebClient.Favicon, 0)\n\tfor _, p := range []string{webClientLogoPath, webClientFaviconPath, webAdminLogoPath, webAdminFaviconPath} {\n\t\treq, err := http.NewRequest(http.MethodGet, p, nil)\n\t\tassert.NoError(t, err)\n\t\trr := executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusNotFound, rr)\n\t}\n\tform.Del(\"branding_webadmin_logo_remove\")\n\tform.Del(\"branding_webclient_logo_remove\")\n\tform.Del(\"branding_webadmin_favicon_remove\")\n\tform.Del(\"branding_webclient_favicon_remove\")\n\t// image too large\n\terr = createTestPNG(tmpFile, 768, 512, color.RGBA{120, 50, 120, 0xff})\n\tassert.NoError(t, err)\n\tb, contentType, err = getMultipartFormData(form, \"branding_webclient_logo\", tmpFile)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webConfigsPath, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidPNGSize)\n\t// not a png image\n\terr = createTestFile(tmpFile, 128)\n\tassert.NoError(t, err)\n\tb, contentType, err = getMultipartFormData(form, \"branding_webclient_logo\", tmpFile)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webConfigsPath, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidPNG)\n\n\terr = os.Remove(tmpFile)\n\tassert.NoError(t, err)\n\terr = dataprovider.UpdateConfigs(nil, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n}\n\nfunc TestSFTPLoopError(t *testing.T) {\n\tuser1 := getTestUser()\n\tuser2 := getTestUser()\n\tuser1.Username += \"1\"\n\tuser1.Email = \"user1@test.com\"\n\tuser2.Username += \"2\"\n\tuser1.FsConfig = vfs.Filesystem{\n\t\tProvider: sdk.SFTPFilesystemProvider,\n\t\tSFTPConfig: vfs.SFTPFsConfig{\n\t\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\t\tEndpoint: sftpServerAddr,\n\t\t\t\tUsername: user2.Username,\n\t\t\t},\n\t\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t\t},\n\t}\n\n\tuser2.FsConfig.Provider = sdk.SFTPFilesystemProvider\n\tuser2.FsConfig.SFTPConfig = vfs.SFTPFsConfig{\n\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\tEndpoint: sftpServerAddr,\n\t\t\tUsername: user1.Username,\n\t\t},\n\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t}\n\n\tuser1, resp, err := httpdtest.AddUser(user1, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tuser2, resp, err = httpdtest.AddUser(user2, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\n\t// test reset password\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 3525,\n\t\tFrom: \"notification@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr = smtpCfg.Initialize(configDir, true)\n\tassert.NoError(t, err)\n\n\tloginCookie, csrfToken, err := getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform := make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"username\", user1.Username)\n\tlastResetCode = \"\"\n\treq, err := http.NewRequest(http.MethodPost, webClientForgotPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr := executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.GreaterOrEqual(t, len(lastResetCode), 20)\n\n\tloginCookie, csrfToken, err = getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform = make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"password\", defaultPassword)\n\tform.Set(\"confirm_password\", defaultPassword)\n\tform.Set(\"code\", lastResetCode)\n\treq, err = http.NewRequest(http.MethodPost, webClientResetPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorLoginAfterReset)\n\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\t_, err = httpdtest.RemoveUser(user1, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user1.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user2, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user2.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginInvalidFs(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.AllowAPIKeyAuth = true\n\tu.FsConfig.Provider = sdk.GCSFilesystemProvider\n\tu.FsConfig.GCSConfig.Bucket = \"test\"\n\tu.FsConfig.GCSConfig.UploadPartSize = 1\n\tu.FsConfig.GCSConfig.UploadPartMaxTime = 10\n\tu.FsConfig.GCSConfig.Credentials = kms.NewPlainSecret(\"invalid JSON for credentials\")\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tapiKey, _, err := httpdtest.AddAPIKey(dataprovider.APIKey{\n\t\tName: \"testk\",\n\t\tScope: dataprovider.APIKeyScopeUser,\n\t\tUser: u.Username,\n\t}, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\t_, err = getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.Error(t, err)\n\n\t_, err = getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.Error(t, err)\n\n\treq, err := http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, apiKey.Key, \"\")\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestWebClientChangePwd(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\twebToken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodGet, webChangeClientPwdPath, nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, webToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tform := make(url.Values)\n\tform.Set(\"current_password\", defaultPassword)\n\tform.Set(\"new_password1\", defaultPassword)\n\tform.Set(\"new_password2\", defaultPassword)\n\t// no csrf token\n\treq, err = http.NewRequest(http.MethodPost, webChangeClientPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webChangeClientPwdPath, webToken)\n\tassert.NoError(t, err)\n\tform.Set(csrfFormToken, csrfToken)\n\treq, _ = http.NewRequest(http.MethodPost, webChangeClientPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorChangePwdNoDifferent)\n\n\tform.Set(\"current_password\", defaultPassword+\"2\")\n\tform.Set(\"new_password1\", defaultPassword+\"1\")\n\tform.Set(\"new_password2\", defaultPassword+\"1\")\n\treq, _ = http.NewRequest(http.MethodPost, webChangeClientPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorChangePwdCurrentNoMatch)\n\n\tform.Set(\"current_password\", defaultPassword)\n\tform.Set(\"new_password1\", defaultPassword+\"1\")\n\tform.Set(\"new_password2\", defaultPassword+\"1\")\n\treq, _ = http.NewRequest(http.MethodPost, webChangeClientPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\n\treq, err = http.NewRequest(http.MethodGet, webClientPingPath, nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\n\t_, err = getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.Error(t, err)\n\t_, err = getJWTWebClientTokenFromTestServer(defaultUsername+\"1\", defaultPassword+\"1\")\n\tassert.Error(t, err)\n\t_, err = getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword+\"1\")\n\tassert.NoError(t, err)\n\n\t// remove the change password permission\n\tuser.Filters.WebClient = []string{sdk.WebClientPasswordChangeDisabled}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tassert.Len(t, user.Filters.WebClient, 1)\n\tassert.Contains(t, user.Filters.WebClient, sdk.WebClientPasswordChangeDisabled)\n\n\twebToken, err = getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword+\"1\")\n\tassert.NoError(t, err)\n\tcsrfToken, err = getCSRFTokenFromInternalPageMock(webClientProfilePath, webToken)\n\tassert.NoError(t, err)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"current_password\", defaultPassword+\"1\")\n\tform.Set(\"new_password1\", defaultPassword)\n\tform.Set(\"new_password2\", defaultPassword)\n\treq, _ = http.NewRequest(http.MethodPost, webChangeClientPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestPreDownloadHook(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\toldExecuteOn := common.Config.Actions.ExecuteOn\n\toldHook := common.Config.Actions.Hook\n\n\tcommon.Config.Actions.ExecuteOn = []string{common.OperationPreDownload}\n\tcommon.Config.Actions.Hook = preActionPath\n\n\tu := getTestUser()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(preActionPath, getExitCodeScriptContent(0), os.ModePerm)\n\tassert.NoError(t, err)\n\n\ttestFileName := \"testfile\"\n\ttestFileContents := []byte(\"file contents\")\n\terr = os.MkdirAll(filepath.Join(user.GetHomeDir()), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(filepath.Join(user.GetHomeDir(), testFileName), testFileContents, os.ModePerm)\n\tassert.NoError(t, err)\n\n\twebToken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\twebAPIToken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodGet, webClientFilesPath+\"?path=\"+testFileName, nil) //nolint:goconst\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Equal(t, testFileContents, rr.Body.Bytes())\n\n\treq, err = http.NewRequest(http.MethodGet, userFilesPath+\"?path=\"+testFileName, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Equal(t, testFileContents, rr.Body.Bytes())\n\n\terr = os.WriteFile(preActionPath, getExitCodeScriptContent(1), os.ModePerm)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodGet, webClientFilesPath+\"?path=\"+testFileName, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError403Message)\n\n\treq, err = http.NewRequest(http.MethodGet, userFilesPath+\"?path=\"+testFileName, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"permission denied\")\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tcommon.Config.Actions.ExecuteOn = oldExecuteOn\n\tcommon.Config.Actions.Hook = oldHook\n}\n\nfunc TestPreUploadHook(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\toldExecuteOn := common.Config.Actions.ExecuteOn\n\toldHook := common.Config.Actions.Hook\n\n\tcommon.Config.Actions.ExecuteOn = []string{common.OperationPreUpload}\n\tcommon.Config.Actions.Hook = preActionPath\n\n\tu := getTestUser()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(preActionPath, getExitCodeScriptContent(0), os.ModePerm)\n\tassert.NoError(t, err)\n\n\twebAPIToken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\tbody := new(bytes.Buffer)\n\twriter := multipart.NewWriter(body)\n\tpart, err := writer.CreateFormFile(\"filenames\", \"filepre\")\n\tassert.NoError(t, err)\n\t_, err = part.Write([]byte(\"file content\"))\n\tassert.NoError(t, err)\n\terr = writer.Close()\n\tassert.NoError(t, err)\n\treader := bytes.NewReader(body.Bytes())\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, userFilesPath, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, userUploadFilePath+\"?path=filepre\",\n\t\tbytes.NewBuffer([]byte(\"single upload content\")))\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\terr = os.WriteFile(preActionPath, getExitCodeScriptContent(1), os.ModePerm)\n\tassert.NoError(t, err)\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userFilesPath, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, userUploadFilePath+\"?path=filepre\",\n\t\tbytes.NewBuffer([]byte(\"single upload content\")))\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tcommon.Config.Actions.ExecuteOn = oldExecuteOn\n\tcommon.Config.Actions.Hook = oldHook\n}\n\nfunc TestShareUsage(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ttestFileName := \"testfile.dat\"\n\ttestFileSize := int64(65536)\n\ttestFilePath := filepath.Join(user.GetHomeDir(), testFileName)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\n\ttoken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\tshare := dataprovider.Share{\n\t\tName: \"test share\",\n\t\tScope: dataprovider.ShareScopeRead,\n\t\tPaths: []string{\"/\"},\n\t\tPassword: defaultPassword,\n\t\tMaxTokens: 2,\n\t\tExpiresAt: util.GetTimeAsMsSinceEpoch(time.Now().Add(1 * time.Second)),\n\t}\n\tasJSON, err := json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tobjectID := rr.Header().Get(\"X-Object-ID\")\n\tassert.NotEmpty(t, objectID)\n\n\treq, err = http.NewRequest(http.MethodGet, sharesPath+\"/unknownid\", nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, sharesPath+\"/\"+objectID, nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\n\treq.SetBasicAuth(defaultUsername, \"wrong password\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\ttime.Sleep(2 * time.Second)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientPubSharesPath+\"/\"+objectID, nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientPubSharesPath+\"/\"+objectID+\"_mod\", nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = webClientPubSharesPath + \"/\" + objectID + \"_mod\"\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\tshare.ExpiresAt = 0\n\tjsonReq := make(map[string]any)\n\tjsonReq[\"name\"] = share.Name\n\tjsonReq[\"scope\"] = share.Scope\n\tjsonReq[\"paths\"] = share.Paths\n\tjsonReq[\"password\"] = share.Password\n\tjsonReq[\"max_tokens\"] = share.MaxTokens\n\tjsonReq[\"expires_at\"] = share.ExpiresAt\n\tasJSON, err = json.Marshal(jsonReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, userSharesPath+\"/\"+objectID, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientPubSharesPath+\"/\"+objectID, nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, sharesPath+\"/\"+objectID, nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"invalid share scope\")\n\n\tshare.MaxTokens = 3\n\tshare.Scope = dataprovider.ShareScopeWrite\n\tasJSON, err = json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, userSharesPath+\"/\"+objectID, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tbody := new(bytes.Buffer)\n\twriter := multipart.NewWriter(body)\n\tpart1, err := writer.CreateFormFile(\"filenames\", \"file1.txt\")\n\tassert.NoError(t, err)\n\t_, err = part1.Write([]byte(\"file1 content\"))\n\tassert.NoError(t, err)\n\tpart2, err := writer.CreateFormFile(\"filenames\", \"file2.txt\")\n\tassert.NoError(t, err)\n\t_, err = part2.Write([]byte(\"file2 content\"))\n\tassert.NoError(t, err)\n\terr = writer.Close()\n\tassert.NoError(t, err)\n\treader := bytes.NewReader(body.Bytes())\n\n\treq, err = http.NewRequest(http.MethodPost, sharesPath+\"/\"+objectID, reader)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"Unable to parse multipart form\")\n\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\t// set the proper content type\n\treq, err = http.NewRequest(http.MethodPost, sharesPath+\"/\"+objectID, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"Allowed usage exceeded\")\n\n\tshare.MaxTokens = 6\n\tshare.Scope = dataprovider.ShareScopeWrite\n\tasJSON, err = json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, userSharesPath+\"/\"+objectID, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, sharesPath+\"/\"+objectID, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webClientPubSharesPath+\"/\"+objectID, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\tshare, err = dataprovider.ShareExists(objectID, user.Username)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 6, share.UsedTokens)\n\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, sharesPath+\"/\"+objectID, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\tshare.MaxTokens = 0\n\terr = dataprovider.UpdateShare(&share, user.Username, \"\", \"\")\n\tassert.NoError(t, err)\n\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermListItems, dataprovider.PermDownload}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, sharesPath+\"/\"+objectID, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"permission denied\")\n\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\tbody = new(bytes.Buffer)\n\twriter = multipart.NewWriter(body)\n\tpart, err := writer.CreateFormFile(\"filename\", \"file1.txt\")\n\tassert.NoError(t, err)\n\t_, err = part.Write([]byte(\"file content\"))\n\tassert.NoError(t, err)\n\terr = writer.Close()\n\tassert.NoError(t, err)\n\treader = bytes.NewReader(body.Bytes())\n\n\treq, err = http.NewRequest(http.MethodPost, sharesPath+\"/\"+objectID, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"No files uploaded!\")\n\n\tuser.Filters.WebClient = []string{sdk.WebClientSharesDisabled}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodPost, sharesPath+\"/\"+objectID, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\tuser.Filters.WebClient = []string{sdk.WebClientShareNoPasswordDisabled}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tshare.Password = \"\"\n\terr = dataprovider.UpdateShare(&share, user.Username, \"\", \"\")\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodPost, sharesPath+\"/\"+objectID, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"sharing without a password was disabled\")\n\n\tuser.Filters.WebClient = []string{sdk.WebClientInfoChangeDisabled}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\tshare.Scope = dataprovider.ShareScopeRead\n\tshare.Paths = []string{\"/missing1\", \"/missing2\"}\n\terr = dataprovider.UpdateShare(&share, user.Username, \"\", \"\")\n\tassert.NoError(t, err)\n\n\tdefer func() {\n\t\trcv := recover()\n\t\tassert.Equal(t, http.ErrAbortHandler, rcv)\n\n\t\tshare, err = dataprovider.ShareExists(objectID, user.Username)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 6, share.UsedTokens)\n\n\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\tassert.NoError(t, err)\n\t}()\n\n\treq, err = http.NewRequest(http.MethodGet, sharesPath+\"/\"+objectID, nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\texecuteRequest(req)\n}\n\nfunc TestSharePasswordPolicy(t *testing.T) {\n\tg := getTestGroup()\n\tg.UserSettings.Filters.PasswordStrength = 70\n\tgroup, _, err := httpdtest.AddGroup(g, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tu := getTestUser()\n\tu.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: g.Name,\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t}\n\tu.Password = rand.Text()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\twebAPIToken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, u.Password)\n\tassert.NoError(t, err)\n\n\tshare := dataprovider.Share{\n\t\tName: util.GenerateUniqueID(),\n\t\tScope: dataprovider.ShareScopeRead,\n\t\tPaths: []string{\"/\"},\n\t\tPassword: defaultPassword,\n\t}\n\tasJSON, err := json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"insecure password\")\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestShareMaxExpiration(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.MaxSharesExpiration = 5\n\tu.Filters.DefaultSharesExpiration = 10\n\t_, resp, err := httpdtest.AddUser(u, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(resp), \"must be less than or equal to max shares expiration\")\n\n\tu.Filters.DefaultSharesExpiration = 0\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ttoken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\twebClientToken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\ts := dataprovider.Share{\n\t\tName: \"test share\",\n\t\tScope: dataprovider.ShareScopeRead,\n\t\tPassword: defaultPassword,\n\t\tPaths: []string{\"/\"},\n\t\tExpiresAt: util.GetTimeAsMsSinceEpoch(time.Now().Add(24 * time.Hour * time.Duration(u.Filters.MaxSharesExpiration+2))),\n\t}\n\tasJSON, err := json.Marshal(s)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"share must expire before\")\n\n\treq, err = http.NewRequest(http.MethodPut, path.Join(userSharesPath, \"shareID\"), bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\t// expiresAt is mandatory\n\ts.ExpiresAt = 0\n\tasJSON, err = json.Marshal(s)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"share must expire before\")\n\n\ts.ExpiresAt = util.GetTimeAsMsSinceEpoch(time.Now().Add(2 * time.Hour))\n\tasJSON, err = json.Marshal(s)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tshareID := rr.Header().Get(\"X-Object-ID\")\n\tassert.NotEmpty(t, shareID)\n\n\ts.ExpiresAt = util.GetTimeAsMsSinceEpoch(time.Now().Add(24 * time.Hour * time.Duration(u.Filters.MaxSharesExpiration+2)))\n\tasJSON, err = json.Marshal(s)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, path.Join(userSharesPath, shareID), bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"share must expire before\")\n\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webClientSharePath, webClientToken)\n\tassert.NoError(t, err)\n\tform := make(url.Values)\n\tform.Set(\"name\", s.Name)\n\tform.Set(\"scope\", strconv.Itoa(int(s.Scope)))\n\tform.Set(\"max_tokens\", \"0\")\n\tform.Set(\"paths[0][path]\", \"/\")\n\tform.Set(\"expiration_date\", time.Now().Add(24*time.Hour*time.Duration(u.Filters.MaxSharesExpiration+2)).Format(\"2006-01-02 15:04:05\"))\n\tform.Set(csrfFormToken, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webClientSharePath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webClientToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorShareExpirationOutOfRange)\n\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webClientSharePath, shareID), bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webClientToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorShareExpirationOutOfRange)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodPost, webClientSharePath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webClientToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorGetUser)\n}\n\nfunc TestWebClientShareCredentials(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\ttoken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\tshareRead := dataprovider.Share{\n\t\tName: \"test share read\",\n\t\tScope: dataprovider.ShareScopeRead,\n\t\tPassword: defaultPassword,\n\t\tPaths: []string{\"/\"},\n\t}\n\n\tshareWrite := dataprovider.Share{\n\t\tName: \"test share write\",\n\t\tScope: dataprovider.ShareScopeReadWrite,\n\t\tPassword: defaultPassword,\n\t\tPaths: []string{\"/\"},\n\t}\n\n\tasJSON, err := json.Marshal(shareRead)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tshareReadID := rr.Header().Get(\"X-Object-ID\")\n\tassert.NotEmpty(t, shareReadID)\n\n\tasJSON, err = json.Marshal(shareWrite)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tshareWriteID := rr.Header().Get(\"X-Object-ID\")\n\tassert.NotEmpty(t, shareWriteID)\n\n\turi := path.Join(webClientPubSharesPath, shareReadID, \"browse\")\n\treq, err = http.NewRequest(http.MethodGet, uri, nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = uri\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tlocation := rr.Header().Get(\"Location\")\n\tassert.Contains(t, location, url.QueryEscape(uri))\n\t// get the login form\n\treq, err = http.NewRequest(http.MethodGet, location, nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = uri\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// now set the user token, it is not valid for the share\n\treq, err = http.NewRequest(http.MethodGet, uri, nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = uri\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\t// get a share token\n\tform := make(url.Values)\n\tform.Set(\"share_password\", defaultPassword)\n\tloginURI := path.Join(webClientPubSharesPath, shareReadID, \"login\")\n\treq, err = http.NewRequest(http.MethodPost, loginURI, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\t// set the CSRF token\n\tloginCookie, csrfToken, err := getCSRFTokenMock(loginURI, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform.Set(csrfFormToken, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, loginURI, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nShareLoginOK)\n\tcookie := rr.Header().Get(\"Set-Cookie\")\n\tcookie = strings.TrimPrefix(cookie, \"jwt=\")\n\tassert.NotEmpty(t, cookie)\n\treq, err = http.NewRequest(http.MethodGet, uri, nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = uri\n\tsetJWTCookieForReq(req, cookie)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// get the download page\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, shareReadID, \"download?a=b\"), nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = uri\n\tsetJWTCookieForReq(req, cookie)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// get the download page for a missing share\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, \"invalidshareid\", \"download\"), nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = uri\n\tsetJWTCookieForReq(req, cookie)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\t// the same cookie will not work for the other share\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, shareWriteID, \"browse\"), nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = uri\n\tsetJWTCookieForReq(req, cookie)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\t// IP address does not match\n\treq, err = http.NewRequest(http.MethodGet, uri, nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = uri\n\tsetJWTCookieForReq(req, cookie)\n\treq.RemoteAddr = \"1.2.3.4:1234\"\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\t// logout to a different share, the cookie is not valid.\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, shareWriteID, \"logout\"), nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = uri\n\tsetJWTCookieForReq(req, cookie)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\t// logout\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, shareReadID, \"logout\"), nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = uri\n\tsetJWTCookieForReq(req, cookie)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\t// the cookie is no longer valid\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, shareReadID, \"download?b=c\"), nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = uri\n\tsetJWTCookieForReq(req, cookie)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Contains(t, rr.Header().Get(\"Location\"), \"/login\")\n\n\t// try to login with invalid credentials\n\tloginCookie, csrfToken, err = getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"share_password\", \"\")\n\treq, err = http.NewRequest(http.MethodPost, loginURI, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCredentials)\n\t// login with the next param set\n\tloginCookie, csrfToken, err = getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"share_password\", defaultPassword)\n\tnextURI := path.Join(webClientPubSharesPath, shareReadID, \"browse\")\n\tloginURI = path.Join(webClientPubSharesPath, shareReadID, fmt.Sprintf(\"login?next=%s\", url.QueryEscape(nextURI)))\n\treq, err = http.NewRequest(http.MethodPost, loginURI, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, nextURI, rr.Header().Get(\"Location\"))\n\t// try to login to a missing share\n\tloginCookie, csrfToken, err = getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform.Set(csrfFormToken, csrfToken)\n\tloginURI = path.Join(webClientPubSharesPath, \"missing\", \"login\")\n\treq, err = http.NewRequest(http.MethodPost, loginURI, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCredentials)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestShareMaxSessions(t *testing.T) {\n\tu := getTestUser()\n\tu.MaxSessions = 1\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttoken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\tshare := dataprovider.Share{\n\t\tName: \"test share max sessions read\",\n\t\tScope: dataprovider.ShareScopeRead,\n\t\tPaths: []string{\"/\"},\n\t}\n\tasJSON, err := json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tobjectID := rr.Header().Get(\"X-Object-ID\")\n\tassert.NotEmpty(t, objectID)\n\n\treq, err = http.NewRequest(http.MethodGet, sharesPath+\"/\"+objectID+\"/dirs\", nil) //nolint:goconst\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// add a fake connection\n\tfs := vfs.NewOsFs(\"id\", os.TempDir(), \"\", nil)\n\tconnection := &httpd.Connection{\n\t\tBaseConnection: common.NewBaseConnection(fs.ConnectionID(), common.ProtocolHTTP, \"\", \"\", user),\n\t}\n\terr = common.Connections.Add(connection)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, sharesPath+\"/\"+objectID+\"/dirs\", nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusTooManyRequests, rr)\n\tassert.Contains(t, rr.Body.String(), \"too many open sessions\")\n\n\treq, err = http.NewRequest(http.MethodGet, webClientPubSharesPath+\"/\"+objectID+\"/dirs\", nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusTooManyRequests, rr)\n\tassert.Contains(t, rr.Body.String(), \"too many open sessions\")\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"getpdf?path=file.pdf\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusTooManyRequests, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError429Message)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientPubSharesPath+\"/\"+objectID+\"/browse\", nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError429Message)\n\n\treq, err = http.NewRequest(http.MethodPost, webClientPubSharesPath+\"/\"+objectID+\"/browse/exist\", nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"invalid share scope\")\n\n\treq, err = http.NewRequest(http.MethodGet, sharesPath+\"/\"+objectID+\"/files?path=afile\", nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusTooManyRequests, rr)\n\tassert.Contains(t, rr.Body.String(), \"too many open sessions\")\n\n\tform := make(url.Values)\n\tform.Set(\"files\", `[]`)\n\treq, err = http.NewRequest(http.MethodPost, webClientPubSharesPath+\"/\"+objectID+\"/partial\",\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusTooManyRequests, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError429Message)\n\n\treq, err = http.NewRequest(http.MethodGet, sharesPath+\"/\"+objectID, nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusTooManyRequests, rr)\n\tassert.Contains(t, rr.Body.String(), \"too many open sessions\")\n\n\treq, err = http.NewRequest(http.MethodDelete, userSharesPath+\"/\"+objectID, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\t// now test a write share\n\tshare = dataprovider.Share{\n\t\tName: \"test share max sessions write\",\n\t\tScope: dataprovider.ShareScopeWrite,\n\t\tPaths: []string{\"/\"},\n\t}\n\tasJSON, err = json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tobjectID = rr.Header().Get(\"X-Object-ID\")\n\tassert.NotEmpty(t, objectID)\n\n\treq, err = http.NewRequest(http.MethodPost, path.Join(sharesPath, objectID, \"file.txt\"), bytes.NewBuffer([]byte(\"content\")))\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusTooManyRequests, rr)\n\tassert.Contains(t, rr.Body.String(), \"too many open sessions\")\n\n\tbody := new(bytes.Buffer)\n\twriter := multipart.NewWriter(body)\n\tpart1, err := writer.CreateFormFile(\"filenames\", \"file1.txt\")\n\tassert.NoError(t, err)\n\t_, err = part1.Write([]byte(\"file1 content\"))\n\tassert.NoError(t, err)\n\terr = writer.Close()\n\tassert.NoError(t, err)\n\treader := bytes.NewReader(body.Bytes())\n\treq, err = http.NewRequest(http.MethodPost, sharesPath+\"/\"+objectID, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusTooManyRequests, rr)\n\tassert.Contains(t, rr.Body.String(), \"too many open sessions\")\n\n\tshare = dataprovider.Share{\n\t\tName: \"test share max sessions read&write\",\n\t\tScope: dataprovider.ShareScopeReadWrite,\n\t\tPaths: []string{\"/\"},\n\t}\n\tasJSON, err = json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tobjectID = rr.Header().Get(\"X-Object-ID\")\n\tassert.NotEmpty(t, objectID)\n\n\treq, err = http.NewRequest(http.MethodPost, webClientPubSharesPath+\"/\"+objectID+\"/browse/exist\", nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusTooManyRequests, rr)\n\tassert.Contains(t, rr.Body.String(), \"too many open sessions\")\n\n\tcommon.Connections.Remove(connection.GetID())\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\tassert.Len(t, common.Connections.GetStats(\"\"), 0)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n}\n\nfunc TestShareUploadSingle(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\ttoken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\tshare := dataprovider.Share{\n\t\tName: \"test share\",\n\t\tScope: dataprovider.ShareScopeWrite,\n\t\tPaths: []string{\"/\"},\n\t\tPassword: defaultPassword,\n\t\tMaxTokens: 0,\n\t}\n\tasJSON, err := json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tobjectID := rr.Header().Get(\"X-Object-ID\")\n\tassert.NotEmpty(t, objectID)\n\n\tcontent := []byte(\"shared file content\")\n\tmodTime := time.Now().Add(-12 * time.Hour)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(sharesPath, objectID, \"file.txt\"), bytes.NewBuffer(content))\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\treq.Header.Set(\"X-SFTPGO-MTIME\", strconv.FormatInt(util.GetTimeAsMsSinceEpoch(modTime), 10))\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tinfo, err := os.Stat(filepath.Join(user.GetHomeDir(), \"file.txt\"))\n\tif assert.NoError(t, err) {\n\t\tassert.InDelta(t, util.GetTimeAsMsSinceEpoch(modTime), util.GetTimeAsMsSinceEpoch(info.ModTime()), float64(1000))\n\t}\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"upload\"), nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webClientPubSharesPath, objectID, \"file.txt\"), bytes.NewBuffer(content))\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tinfo, err = os.Stat(filepath.Join(user.GetHomeDir(), \"file.txt\"))\n\tif assert.NoError(t, err) {\n\t\tassert.InDelta(t, util.GetTimeAsMsSinceEpoch(time.Now()), util.GetTimeAsMsSinceEpoch(info.ModTime()), float64(3000))\n\t}\n\n\treq, err = http.NewRequest(http.MethodPost, path.Join(sharesPath, objectID, \"dir\", \"file.dat\"), bytes.NewBuffer(content))\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, path.Join(sharesPath, objectID, \"%2F\"), bytes.NewBuffer(content))\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"operation unsupported\")\n\n\terr = os.MkdirAll(filepath.Join(user.GetHomeDir(), \"dir\"), os.ModePerm)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(sharesPath, objectID, \"dir\"), bytes.NewBuffer(content))\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"operation unsupported\")\n\n\t// only uploads to the share root dir are allowed\n\treq, err = http.NewRequest(http.MethodPost, path.Join(sharesPath, objectID, \"dir\", \"file.dat\"), bytes.NewBuffer(content))\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\tshare, err = dataprovider.ShareExists(objectID, user.Username)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 2, share.UsedTokens)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodPost, path.Join(sharesPath, objectID, \"file1.txt\"), bytes.NewBuffer(content))\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n}\n\nfunc TestShareReadWrite(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.StartDirectory = path.Join(\"/start\", \"dir\")\n\tu.Permissions[\"/start/dir/limited\"] = []string{dataprovider.PermListItems}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttoken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\ttestFileName := \"test.txt\"\n\ttestSubDirs := \"/sub/dir\"\n\n\tshare := dataprovider.Share{\n\t\tName: \"test share rw\",\n\t\tScope: dataprovider.ShareScopeReadWrite,\n\t\tPaths: []string{user.Filters.StartDirectory},\n\t\tPassword: defaultPassword,\n\t\tMaxTokens: 0,\n\t}\n\tasJSON, err := json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tobjectID := rr.Header().Get(\"X-Object-ID\")\n\tassert.NotEmpty(t, objectID)\n\n\tfilesToCheck := make(map[string]any)\n\tfilesToCheck[\"files\"] = []string{testFileName}\n\tasJSON, err = json.Marshal(filesToCheck)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webClientPubSharesPath, objectID, \"/browse/exist?path=%2F\"), bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar fileList []any\n\terr = json.Unmarshal(rr.Body.Bytes(), &fileList)\n\tassert.NoError(t, err)\n\tassert.Len(t, fileList, 0)\n\n\tcontent := []byte(\"shared rw content\")\n\treq, err = http.NewRequest(http.MethodPost, path.Join(sharesPath, objectID, testFileName), bytes.NewBuffer(content))\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tassert.FileExists(t, filepath.Join(user.GetHomeDir(), user.Filters.StartDirectory, testFileName))\n\n\treq, err = http.NewRequest(http.MethodPost, path.Join(sharesPath, objectID)+\"/\"+url.PathEscape(path.Join(testSubDirs, testFileName)), bytes.NewBuffer(content))\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, path.Join(sharesPath, objectID)+\"/\"+url.PathEscape(path.Join(testSubDirs, testFileName))+\"?mkdir_parents=true\",\n\t\tbytes.NewBuffer(content))\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tassert.FileExists(t, filepath.Join(user.GetHomeDir(), user.Filters.StartDirectory, testSubDirs, testFileName))\n\n\treq, err = http.NewRequest(http.MethodPost, path.Join(sharesPath, objectID)+\"/\"+url.PathEscape(path.Join(\"limited\", \"sub\", testFileName))+\"?mkdir_parents=true\",\n\t\tbytes.NewBuffer(content))\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webClientPubSharesPath, objectID, \"/browse/exist?path=%2F\"), bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tfileList = nil\n\terr = json.Unmarshal(rr.Body.Bytes(), &fileList)\n\tassert.NoError(t, err)\n\tassert.Len(t, fileList, 1)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"browse?path=%2F\"), nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"browse?path=\"+testFileName), nil) //nolint:goconst\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tcontentDisposition := rr.Header().Get(\"Content-Disposition\")\n\tassert.NotEmpty(t, contentDisposition)\n\n\tform := make(url.Values)\n\tform.Set(\"files\", fmt.Sprintf(`[\"%s\"]`, testFileName))\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webClientPubSharesPath, objectID, \"partial\"),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tcontentDisposition = rr.Header().Get(\"Content-Disposition\")\n\tassert.NotEmpty(t, contentDisposition)\n\tassert.Equal(t, \"application/zip\", rr.Header().Get(\"Content-Type\"))\n\t// parse form error\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webClientPubSharesPath, objectID, \"partial?path=p%C3%AO%GK\"),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\t// invalid files list\n\tform.Set(\"files\", fmt.Sprintf(`[%s]`, testFileName))\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webClientPubSharesPath, objectID, \"partial\"),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError400Message)\n\t// missing directory\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webClientPubSharesPath, objectID, \"partial?path=missing\"),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError400Message)\n\n\treq, err = http.NewRequest(http.MethodPost, path.Join(sharesPath, objectID)+\"/\"+url.PathEscape(\"../\"+testFileName),\n\t\tbytes.NewBuffer(content))\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"Uploading outside the share is not allowed\")\n\n\treq, err = http.NewRequest(http.MethodPost, path.Join(sharesPath, objectID)+\"/\"+url.PathEscape(\"/../../\"+testFileName),\n\t\tbytes.NewBuffer(content))\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"Uploading outside the share is not allowed\")\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestShareUncompressed(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ttestFileName := \"testfile.dat\"\n\ttestFileSize := int64(65536)\n\ttestFilePath := filepath.Join(user.GetHomeDir(), testFileName)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\n\ttoken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\tshare := dataprovider.Share{\n\t\tName: \"test share\",\n\t\tScope: dataprovider.ShareScopeRead,\n\t\tPaths: []string{\"/\"},\n\t\tPassword: defaultPassword,\n\t\tMaxTokens: 0,\n\t}\n\tasJSON, err := json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tobjectID := rr.Header().Get(\"X-Object-ID\")\n\tassert.NotEmpty(t, objectID)\n\ts, err := dataprovider.ShareExists(objectID, defaultUsername)\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(0), s.ExpiresAt)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientPubSharesPath+\"/\"+objectID, nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Equal(t, \"application/zip\", rr.Header().Get(\"Content-Type\"))\n\n\treq, err = http.NewRequest(http.MethodGet, webClientPubSharesPath+\"/\"+objectID+\"?compress=false\", nil) //nolint:goconst\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Equal(t, \"application/zip\", rr.Header().Get(\"Content-Type\"))\n\n\tshare = dataprovider.Share{\n\t\tName: \"test share1\",\n\t\tScope: dataprovider.ShareScopeRead,\n\t\tPaths: []string{testFileName},\n\t\tPassword: defaultPassword,\n\t\tMaxTokens: 0,\n\t}\n\tasJSON, err = json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tobjectID = rr.Header().Get(\"X-Object-ID\")\n\tassert.NotEmpty(t, objectID)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientPubSharesPath+\"/\"+objectID, nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Equal(t, \"application/zip\", rr.Header().Get(\"Content-Type\"))\n\n\treq, err = http.NewRequest(http.MethodGet, webClientPubSharesPath+\"/\"+objectID+\"?compress=false\", nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Equal(t, \"application/octet-stream\", rr.Header().Get(\"Content-Type\"))\n\n\tshare, err = dataprovider.ShareExists(objectID, user.Username)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 2, share.UsedTokens)\n\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermListItems, dataprovider.PermUpload}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientPubSharesPath+\"/\"+objectID+\"?compress=false\", nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\tshare, err = dataprovider.ShareExists(objectID, user.Username)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 2, share.UsedTokens)\n\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientPubSharesPath+\"/\"+objectID+\"?compress=false\", nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestDownloadFromShareError(t *testing.T) {\n\tu := getTestUser()\n\tu.DownloadDataTransfer = 1\n\tu.Filters.DefaultSharesExpiration = 10\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser.UsedDownloadDataTransfer = 1024*1024 - 32768\n\t_, err = httpdtest.UpdateTransferQuotaUsage(user, \"add\", http.StatusOK)\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(1024*1024-32768), user.UsedDownloadDataTransfer)\n\ttestFileName := \"test_share_file.dat\"\n\ttestFileSize := int64(524288)\n\ttestFilePath := filepath.Join(user.GetHomeDir(), testFileName)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\n\ttoken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\tshare := dataprovider.Share{\n\t\tName: \"test share root browse\",\n\t\tScope: dataprovider.ShareScopeRead,\n\t\tPaths: []string{\"/\"},\n\t\tMaxTokens: 2,\n\t}\n\tasJSON, err := json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tobjectID := rr.Header().Get(\"X-Object-ID\")\n\tassert.NotEmpty(t, objectID)\n\ts, err := dataprovider.ShareExists(objectID, defaultUsername)\n\tassert.NoError(t, err)\n\tassert.Greater(t, s.ExpiresAt, int64(0))\n\n\tdefer func() {\n\t\trcv := recover()\n\t\tassert.Equal(t, http.ErrAbortHandler, rcv)\n\n\t\tshare, err = dataprovider.ShareExists(objectID, user.Username)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 0, share.UsedTokens)\n\n\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\tassert.NoError(t, err)\n\t}()\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"browse?path=\"+testFileName), nil)\n\tassert.NoError(t, err)\n\texecuteRequest(req)\n}\n\nfunc TestBrowseShares(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ttestFileName := \"testsharefile.dat\"\n\ttestFileNameLink := \"testsharefile.link\"\n\tshareDir := \"share\"\n\tsubDir := \"sub\"\n\ttestFileSize := int64(65536)\n\ttestFilePath := filepath.Join(user.GetHomeDir(), shareDir, testFileName)\n\ttestLinkPath := filepath.Join(user.GetHomeDir(), shareDir, testFileNameLink)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\terr = createTestFile(filepath.Join(user.GetHomeDir(), shareDir, subDir, testFileName), testFileSize)\n\tassert.NoError(t, err)\n\terr = os.Symlink(testFilePath, testLinkPath)\n\tassert.NoError(t, err)\n\n\ttoken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\tshare := dataprovider.Share{\n\t\tName: \"test share browse\",\n\t\tScope: dataprovider.ShareScopeRead,\n\t\tPaths: []string{shareDir},\n\t\tMaxTokens: 0,\n\t}\n\tasJSON, err := json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tobjectID := rr.Header().Get(\"X-Object-ID\")\n\tassert.NotEmpty(t, objectID)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"upload\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"invalid share scope\")\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"browse?path=%2F\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(sharesPath, objectID, \"files?path=%2F\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"Please set the path to a valid file\")\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"dirs?path=%2F\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tcontents := make([]map[string]any, 0)\n\terr = json.Unmarshal(rr.Body.Bytes(), &contents)\n\tassert.NoError(t, err)\n\tassert.Len(t, contents, 2)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(sharesPath, objectID, \"dirs?path=%2F\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tcontents = make([]map[string]any, 0)\n\terr = json.Unmarshal(rr.Body.Bytes(), &contents)\n\tassert.NoError(t, err)\n\tassert.Len(t, contents, 2)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(sharesPath, objectID, \"dirs?path=%2F\"+subDir), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tcontents = make([]map[string]any, 0)\n\terr = json.Unmarshal(rr.Body.Bytes(), &contents)\n\tassert.NoError(t, err)\n\tassert.Len(t, contents, 1)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"browse?path=%2F..\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorPathInvalid)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"dirs?path=%2F..\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(sharesPath, objectID, \"dirs?path=%2F..\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(sharesPath, objectID, \"files?path=%2F..%2F\"+testFileName), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"browse?path=\"+testFileName), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tcontentDisposition := rr.Header().Get(\"Content-Disposition\")\n\tassert.NotEmpty(t, contentDisposition)\n\n\tform := make(url.Values)\n\tform.Set(\"files\", `[]`)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webClientPubSharesPath, objectID, \"partial?path=%2F..\"),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorPathInvalid)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(sharesPath, objectID, \"files?path=\"+testFileName), nil) //nolint:goconst\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tcontentDisposition = rr.Header().Get(\"Content-Disposition\")\n\tassert.NotEmpty(t, contentDisposition)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"browse?path=\"+subDir+\"%2F\"+testFileName), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tcontentDisposition = rr.Header().Get(\"Content-Disposition\")\n\tassert.NotEmpty(t, contentDisposition)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"browse?path=missing\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorFsGeneric)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(sharesPath, objectID, \"files?path=missing\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"dirs?path=missing\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(sharesPath, objectID, \"dirs?path=missing\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"browse?path=\"+testFileNameLink), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorFsGeneric)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(sharesPath, objectID, \"files?path=\"+testFileNameLink), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"non regular files are not supported for shares\")\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"getpdf?path=\"+testFileName), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorPDFMessage)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"getpdf?path=missing\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorFsGeneric)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"getpdf?path=%2F\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorPDFMessage)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"getpdf?path=%2F..\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorPathInvalid)\n\n\tfakePDF := []byte(`%PDF-1.6`)\n\tfor i := 0; i < 128; i++ {\n\t\tfakePDF = append(fakePDF, []byte(fmt.Sprintf(\"%d\", i))...)\n\t}\n\tpdfPath := filepath.Join(user.GetHomeDir(), shareDir, \"test.pdf\")\n\tpdfLinkPath := filepath.Join(user.GetHomeDir(), shareDir, \"link.pdf\")\n\terr = os.WriteFile(pdfPath, fakePDF, 0666)\n\tassert.NoError(t, err)\n\terr = os.Symlink(pdfPath, pdfLinkPath)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"viewpdf?path=test.pdf\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"getpdf?path=test.pdf\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\ts, err := dataprovider.ShareExists(objectID, defaultUsername)\n\tassert.NoError(t, err)\n\tusedTokens := s.UsedTokens\n\tassert.Greater(t, usedTokens, 0)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"getpdf?path=link.pdf\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// downloading a symlink will fail, usage should not change\n\ts, err = dataprovider.ShareExists(objectID, defaultUsername)\n\tassert.NoError(t, err)\n\tassert.Equal(t, usedTokens, s.UsedTokens)\n\n\t// share a symlink\n\tshare = dataprovider.Share{\n\t\tName: \"test share browse\",\n\t\tScope: dataprovider.ShareScopeRead,\n\t\tPaths: []string{path.Join(shareDir, testFileNameLink)},\n\t\tMaxTokens: 0,\n\t}\n\tasJSON, err = json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tobjectID = rr.Header().Get(\"X-Object-ID\")\n\tassert.NotEmpty(t, objectID)\n\t// uncompressed download should not work\n\treq, err = http.NewRequest(http.MethodGet, webClientPubSharesPath+\"/\"+objectID+\"?compress=false\", nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Equal(t, \"application/zip\", rr.Header().Get(\"Content-Type\"))\n\t// this share is not browsable, it does not contains a directory\n\treq, err = http.NewRequest(http.MethodGet, path.Join(sharesPath, objectID, \"dirs\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\tform = make(url.Values)\n\tform.Set(\"files\", `[]`)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webClientPubSharesPath, objectID, \"partial\"),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorShareBrowseNoDir)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"getpdf?path=\"+testFileName), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorShareBrowseNoDir)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(sharesPath, objectID, \"files?path=\"+testFileName), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"dirs?path=%2F\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"the shared object is not a directory and so it is not browsable\")\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"browse?path=%2F\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorShareBrowseNoDir)\n\n\t// now test a missing shareID\n\tobjectID = \"123456\"\n\treq, err = http.NewRequest(http.MethodGet, path.Join(sharesPath, objectID, \"dirs\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(sharesPath, objectID, \"files?path=\"+testFileName), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"dirs?path=%2F\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"browse?path=%2F\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\tform = make(url.Values)\n\tform.Set(\"files\", `[]`)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webClientPubSharesPath, objectID, \"partial?path=%2F\"),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"viewpdf?path=p\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"getpdf?path=p\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\t// share a missing base path\n\tshare = dataprovider.Share{\n\t\tName: \"test share\",\n\t\tScope: dataprovider.ShareScopeRead,\n\t\tPaths: []string{path.Join(shareDir, \"missingdir\")},\n\t\tMaxTokens: 0,\n\t}\n\tasJSON, err = json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tobjectID = rr.Header().Get(\"X-Object-ID\")\n\tassert.NotEmpty(t, objectID)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(sharesPath, objectID, \"dirs\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"unable to check the share directory\")\n\t// share multiple paths\n\tshare = dataprovider.Share{\n\t\tName: \"test share\",\n\t\tScope: dataprovider.ShareScopeRead,\n\t\tPaths: []string{shareDir, \"/anotherdir\"},\n\t\tMaxTokens: 0,\n\t}\n\tasJSON, err = json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tobjectID = rr.Header().Get(\"X-Object-ID\")\n\tassert.NotEmpty(t, objectID)\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"browse?path=%2F\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorShareBrowsePaths)\n\n\tshare = dataprovider.Share{\n\t\tName: \"test share rw\",\n\t\tScope: dataprovider.ShareScopeReadWrite,\n\t\tPaths: []string{\"/missingdir\"},\n\t\tMaxTokens: 0,\n\t}\n\tasJSON, err = json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tobjectID = rr.Header().Get(\"X-Object-ID\")\n\tassert.NotEmpty(t, objectID)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webClientPubSharesPath, objectID, \"/browse/exist?path=%2F\"), nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"unable to check the share directory\")\n\n\tshare = dataprovider.Share{\n\t\tName: \"test share rw\",\n\t\tScope: dataprovider.ShareScopeReadWrite,\n\t\tPaths: []string{shareDir},\n\t\tMaxTokens: 0,\n\t}\n\tasJSON, err = json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tobjectID = rr.Header().Get(\"X-Object-ID\")\n\tassert.NotEmpty(t, objectID)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webClientPubSharesPath, objectID, \"/browse/exist?path=%2F..\"), nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"Invalid path\")\n\t// share the root path\n\tshare = dataprovider.Share{\n\t\tName: \"test share root\",\n\t\tScope: dataprovider.ShareScopeRead,\n\t\tPaths: []string{\"/\"},\n\t\tMaxTokens: 0,\n\t}\n\tasJSON, err = json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tobjectID = rr.Header().Get(\"X-Object-ID\")\n\tassert.NotEmpty(t, objectID)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"browse?path=%2F\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(sharesPath, objectID, \"dirs?path=%2F\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tcontents = make([]map[string]any, 0)\n\terr = json.Unmarshal(rr.Body.Bytes(), &contents)\n\tassert.NoError(t, err)\n\tassert.Len(t, contents, 1)\n\t// if we require two-factor auth for HTTP protocol the share should not work anymore\n\tuser.Filters.TwoFactorAuthProtocols = []string{common.ProtocolSSH}\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodGet, path.Join(sharesPath, objectID, \"dirs?path=%2F\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tuser.Filters.TwoFactorAuthProtocols = []string{common.ProtocolSSH, common.ProtocolHTTP}\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodGet, path.Join(sharesPath, objectID, \"dirs?path=%2F\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"two-factor authentication requirements not met\")\n\tuser.Filters.TwoFactorAuthProtocols = []string{common.ProtocolSSH}\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\t// share read/write\n\tshare.Scope = dataprovider.ShareScopeReadWrite\n\tasJSON, err = json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tobjectID = rr.Header().Get(\"X-Object-ID\")\n\tassert.NotEmpty(t, objectID)\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"browse?path=%2F\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// on upload we should be redirected\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, objectID, \"upload\"), nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(defaultUsername, defaultPassword)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tlocation := rr.Header().Get(\"Location\")\n\tassert.Equal(t, path.Join(webClientPubSharesPath, objectID, \"browse\"), location)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestUserAPIShareErrors(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\ttoken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\tshare := dataprovider.Share{\n\t\tScope: 1000,\n\t}\n\tasJSON, err := json.Marshal(share)\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"invalid scope\")\n\t// invalid json\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer([]byte(\"{\")))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\tshare.Scope = dataprovider.ShareScopeWrite\n\tasJSON, err = json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"at least a shared path is required\")\n\n\tshare.Paths = []string{\"path1\", \"../path1\", \"/path2\"}\n\tasJSON, err = json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"the write share scope requires exactly one path\")\n\n\tshare.Paths = []string{\"\", \"\"}\n\tasJSON, err = json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"at least a shared path is required\")\n\n\tshare.Paths = []string{\"path1\", \"../path1\", \"/path1\"}\n\tshare.Password = redactedSecret\n\tasJSON, err = json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"cannot save a share with a redacted password\")\n\n\tshare.Password = \"newpass\"\n\tshare.AllowFrom = []string{\"not valid\"}\n\tasJSON, err = json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"could not parse allow from entry\")\n\n\tshare.AllowFrom = []string{\"127.0.0.1/8\"}\n\tshare.ExpiresAt = util.GetTimeAsMsSinceEpoch(time.Now().Add(-12 * time.Hour))\n\tasJSON, err = json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"expiration must be in the future\")\n\n\tshare.ExpiresAt = util.GetTimeAsMsSinceEpoch(time.Now().Add(12 * time.Hour))\n\tasJSON, err = json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tlocation := rr.Header().Get(\"Location\")\n\n\tasJSON, err = json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, location, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"name is mandatory\")\n\t// invalid json\n\treq, err = http.NewRequest(http.MethodPut, location, bytes.NewBuffer([]byte(\"}\")))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, userSharesPath+\"?limit=a\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestUserAPIShares(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\ttoken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\tu := getTestUser()\n\tu.Username = altAdminUsername\n\tuser1, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttoken1, err := getJWTAPIUserTokenFromTestServer(user1.Username, defaultPassword)\n\tassert.NoError(t, err)\n\n\t// the share username will be set from the claims\n\tshare := dataprovider.Share{\n\t\tName: \"share1\",\n\t\tDescription: \"description1\",\n\t\tScope: dataprovider.ShareScopeRead,\n\t\tPaths: []string{\"/\"},\n\t\tCreatedAt: 1,\n\t\tUpdatedAt: 2,\n\t\tLastUseAt: 3,\n\t\tExpiresAt: util.GetTimeAsMsSinceEpoch(time.Now().Add(2 * time.Hour)),\n\t\tPassword: defaultPassword,\n\t\tMaxTokens: 10,\n\t\tUsedTokens: 2,\n\t\tAllowFrom: []string{\"192.168.1.0/24\"},\n\t}\n\tasJSON, err := json.Marshal(share)\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tlocation := rr.Header().Get(\"Location\")\n\tassert.NotEmpty(t, location)\n\tobjectID := rr.Header().Get(\"X-Object-ID\")\n\tassert.NotEmpty(t, objectID)\n\tassert.Equal(t, fmt.Sprintf(\"%v/%v\", userSharesPath, objectID), location)\n\n\treq, err = http.NewRequest(http.MethodGet, location, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar shareGet dataprovider.Share\n\terr = json.Unmarshal(rr.Body.Bytes(), &shareGet)\n\tassert.NoError(t, err)\n\tassert.Equal(t, objectID, shareGet.ShareID)\n\tassert.Equal(t, share.Name, shareGet.Name)\n\tassert.Equal(t, share.Description, shareGet.Description)\n\tassert.Equal(t, share.Scope, shareGet.Scope)\n\tassert.Equal(t, share.Paths, shareGet.Paths)\n\tassert.Equal(t, int64(0), shareGet.LastUseAt)\n\tassert.Greater(t, shareGet.CreatedAt, share.CreatedAt)\n\tassert.Greater(t, shareGet.UpdatedAt, share.UpdatedAt)\n\tassert.Equal(t, share.ExpiresAt, shareGet.ExpiresAt)\n\tassert.Equal(t, share.MaxTokens, shareGet.MaxTokens)\n\tassert.Equal(t, 0, shareGet.UsedTokens)\n\tassert.Equal(t, share.Paths, shareGet.Paths)\n\tassert.Equal(t, redactedSecret, shareGet.Password)\n\n\treq, err = http.NewRequest(http.MethodGet, location, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token1)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\ts, err := dataprovider.ShareExists(objectID, defaultUsername)\n\tassert.NoError(t, err)\n\tmatch, err := s.CheckCredentials(defaultPassword)\n\tassert.True(t, match)\n\tassert.NoError(t, err)\n\tmatch, err = s.CheckCredentials(defaultPassword + \"mod\")\n\tassert.False(t, match)\n\tassert.Error(t, err)\n\n\tshareGet.ExpiresAt = util.GetTimeAsMsSinceEpoch(time.Now().Add(3 * time.Hour))\n\tasJSON, err = json.Marshal(shareGet)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, location, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\ts, err = dataprovider.ShareExists(objectID, defaultUsername)\n\tassert.NoError(t, err)\n\tmatch, err = s.CheckCredentials(defaultPassword)\n\tassert.True(t, match)\n\tassert.NoError(t, err)\n\tmatch, err = s.CheckCredentials(defaultPassword + \"mod\")\n\tassert.False(t, match)\n\tassert.Error(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, location, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar shareGetNew dataprovider.Share\n\terr = json.Unmarshal(rr.Body.Bytes(), &shareGetNew)\n\tassert.NoError(t, err)\n\tassert.NotEqual(t, shareGet.UpdatedAt, shareGetNew.UpdatedAt)\n\tshareGet.UpdatedAt = shareGetNew.UpdatedAt\n\tassert.Equal(t, shareGet, shareGetNew)\n\n\treq, err = http.NewRequest(http.MethodGet, userSharesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar shares []dataprovider.Share\n\terr = json.Unmarshal(rr.Body.Bytes(), &shares)\n\tassert.NoError(t, err)\n\tif assert.Len(t, shares, 1) {\n\t\tassert.Equal(t, shareGetNew, shares[0])\n\t}\n\n\terr = dataprovider.UpdateShareLastUse(&shareGetNew, 2)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodGet, location, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tshareGetNew = dataprovider.Share{}\n\terr = json.Unmarshal(rr.Body.Bytes(), &shareGetNew)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 2, shareGetNew.UsedTokens, \"share: %v\", shareGetNew)\n\tassert.Greater(t, shareGetNew.LastUseAt, int64(0), \"share: %v\", shareGetNew)\n\n\treq, err = http.NewRequest(http.MethodGet, userSharesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token1)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tshares = nil\n\terr = json.Unmarshal(rr.Body.Bytes(), &shares)\n\tassert.NoError(t, err)\n\tassert.Len(t, shares, 0)\n\n\t// set an empty password\n\tshareGet.Password = \"\"\n\tasJSON, err = json.Marshal(shareGet)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, location, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, location, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tshareGetNew = dataprovider.Share{}\n\terr = json.Unmarshal(rr.Body.Bytes(), &shareGetNew)\n\tassert.NoError(t, err)\n\tassert.Empty(t, shareGetNew.Password)\n\n\treq, err = http.NewRequest(http.MethodDelete, location, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tshare.Name = \"\"\n\tasJSON, err = json.Marshal(share)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tlocation = rr.Header().Get(\"Location\")\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t// the share should be deleted with the associated user\n\treq, err = http.NewRequest(http.MethodGet, location, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodPut, location, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodDelete, location, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\t_, err = httpdtest.RemoveUser(user1, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user1.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestUsersAPISharesNoPasswordDisabled(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.WebClient = []string{sdk.WebClientShareNoPasswordDisabled}\n\tu.Filters.PasswordStrength = 70\n\tu.Password = \"ahpoo8baa6EeZieshies\"\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttoken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, u.Password)\n\tassert.NoError(t, err)\n\n\tshare := dataprovider.Share{\n\t\tName: \"s\",\n\t\tScope: dataprovider.ShareScopeRead,\n\t\tPaths: []string{\"/\"},\n\t}\n\tasJSON, err := json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"You are not authorized to share files/folders without a password\")\n\n\tshare.Password = defaultPassword\n\tasJSON, err = json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\tshare.Password = \"vi5eiJoovee5ya9yahpi\"\n\tasJSON, err = json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tlocation := rr.Header().Get(\"Location\")\n\tassert.NotEmpty(t, location)\n\tobjectID := rr.Header().Get(\"X-Object-ID\")\n\tassert.NotEmpty(t, objectID)\n\tassert.Equal(t, fmt.Sprintf(\"%v/%v\", userSharesPath, objectID), location)\n\n\tshare.Password = \"\"\n\tasJSON, err = json.Marshal(share)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, location, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"You are not authorized to share files/folders without a password\")\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestUserAPIKey(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.AllowAPIKeyAuth = true\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tapiKey := dataprovider.APIKey{\n\t\tName: \"testkey\",\n\t\tUser: user.Username + \"1\",\n\t\tScope: dataprovider.APIKeyScopeUser,\n\t}\n\t_, _, err = httpdtest.AddAPIKey(apiKey, http.StatusBadRequest)\n\tassert.NoError(t, err)\n\tapiKey.User = user.Username\n\tapiKey, _, err = httpdtest.AddAPIKey(apiKey, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tadminAPIKey := dataprovider.APIKey{\n\t\tName: \"testadminkey\",\n\t\tScope: dataprovider.APIKeyScopeAdmin,\n\t}\n\tadminAPIKey, _, err = httpdtest.AddAPIKey(adminAPIKey, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tbody := new(bytes.Buffer)\n\twriter := multipart.NewWriter(body)\n\tpart, err := writer.CreateFormFile(\"filenames\", \"filenametest\")\n\tassert.NoError(t, err)\n\t_, err = part.Write([]byte(\"test file content\"))\n\tassert.NoError(t, err)\n\terr = writer.Close()\n\tassert.NoError(t, err)\n\treader := bytes.NewReader(body.Bytes())\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, userFilesPath, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetAPIKeyForReq(req, apiKey.Key, \"\")\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, apiKey.Key, \"\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar dirEntries []map[string]any\n\terr = json.Unmarshal(rr.Body.Bytes(), &dirEntries)\n\tassert.NoError(t, err)\n\tassert.Len(t, dirEntries, 1)\n\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, adminAPIKey.Key, user.Username)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\tuser.Status = 0\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, apiKey.Key, \"\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\n\tuser.Status = 1\n\tuser.Filters.DeniedProtocols = []string{common.ProtocolHTTP}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, apiKey.Key, \"\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\n\tuser.Filters.DeniedProtocols = []string{common.ProtocolFTP}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, apiKey.Key, \"\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tapiKeyNew := dataprovider.APIKey{\n\t\tName: apiKey.Name,\n\t\tScope: dataprovider.APIKeyScopeUser,\n\t}\n\n\tapiKeyNew, _, err = httpdtest.AddAPIKey(apiKeyNew, http.StatusCreated)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, apiKeyNew.Key, \"\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\t// now associate a user\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, apiKeyNew.Key, user.Username)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// now with a missing user\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, apiKeyNew.Key, user.Username+\"1\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\t// empty user and key not associated to any user\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, apiKeyNew.Key, \"\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\tapiKeyNew.ExpiresAt = util.GetTimeAsMsSinceEpoch(time.Now().Add(-24 * time.Hour))\n\t_, _, err = httpdtest.UpdateAPIKey(apiKeyNew, http.StatusOK)\n\tassert.NoError(t, err)\n\t// expired API key\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, apiKeyNew.Key, user.Username)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveAPIKey(apiKeyNew, http.StatusOK)\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveAPIKey(adminAPIKey, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestWebClientExistenceCheck(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\twebToken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webClientProfilePath, webToken)\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodPost, webClientExistPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr) // no CSRF header\n\n\treq, err = http.NewRequest(http.MethodPost, webClientExistPath, bytes.NewBuffer([]byte(`[]`)))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\tsetCSRFHeaderForReq(req, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\tfilesToCheck := make(map[string]any)\n\tfilesToCheck[\"files\"] = nil\n\tasJSON, err := json.Marshal(filesToCheck)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webClientExistPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\tsetCSRFHeaderForReq(req, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"files to be checked are mandatory\")\n\n\ttestFileName := \"file.dat\"\n\ttestDirName := \"adirname\"\n\tfilesToCheck[\"files\"] = []string{testFileName}\n\tasJSON, err = json.Marshal(filesToCheck)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webClientExistPath+\"?path=%2Fmissingdir\", bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\tsetCSRFHeaderForReq(req, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, webClientExistPath+\"?path=%2F\", bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\tsetCSRFHeaderForReq(req, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar fileList []any\n\terr = json.Unmarshal(rr.Body.Bytes(), &fileList)\n\tassert.NoError(t, err)\n\tassert.Len(t, fileList, 0)\n\n\terr = createTestFile(filepath.Join(user.GetHomeDir(), testFileName), 100)\n\tassert.NoError(t, err)\n\terr = os.Mkdir(filepath.Join(user.GetHomeDir(), testDirName), 0755)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodPost, webClientExistPath+\"?path=%2F\", bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\tsetCSRFHeaderForReq(req, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tfileList = nil\n\terr = json.Unmarshal(rr.Body.Bytes(), &fileList)\n\tassert.NoError(t, err)\n\tassert.Len(t, fileList, 1)\n\n\tfilesToCheck[\"files\"] = []string{testFileName, testDirName}\n\tasJSON, err = json.Marshal(filesToCheck)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webClientExistPath+\"?path=%2F\", bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\tsetCSRFHeaderForReq(req, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tfileList = nil\n\terr = json.Unmarshal(rr.Body.Bytes(), &fileList)\n\tassert.NoError(t, err)\n\tassert.Len(t, fileList, 2)\n\n\treq, err = http.NewRequest(http.MethodPost, webClientExistPath+\"?path=%2F\"+testDirName, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\tsetCSRFHeaderForReq(req, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tfileList = nil\n\terr = json.Unmarshal(rr.Body.Bytes(), &fileList)\n\tassert.NoError(t, err)\n\tassert.Len(t, fileList, 0)\n\n\tuser.Filters.DeniedProtocols = []string{common.ProtocolHTTP}\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webClientExistPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\tsetCSRFHeaderForReq(req, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestWebClientViewPDF(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\twebToken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodGet, webClientViewPDFPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientGetPDFPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientViewPDFPath+\"?path=test.pdf\", nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientGetPDFPath+\"?path=test.pdf\", nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorFsGeneric)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientGetPDFPath+\"?path=%2F\", nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorPDFMessage)\n\n\terr = os.WriteFile(filepath.Join(user.GetHomeDir(), \"test.pdf\"), []byte(\"some text data\"), 0666)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientGetPDFPath+\"?path=%2Ftest.pdf\", nil) //nolint:goconst\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorPDFMessage)\n\n\terr = createTestFile(filepath.Join(user.GetHomeDir(), \"test.pdf\"), 1024)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientGetPDFPath+\"?path=%2Ftest.pdf\", nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorPDFMessage)\n\n\tfakePDF := []byte(`%PDF-1.6`)\n\tfor i := 0; i < 128; i++ {\n\t\tfakePDF = append(fakePDF, []byte(fmt.Sprintf(\"%d\", i))...)\n\t}\n\terr = os.WriteFile(filepath.Join(user.GetHomeDir(), \"test.pdf\"), fakePDF, 0666)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientGetPDFPath+\"?path=%2Ftest.pdf\", nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tuser.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: \"/\",\n\t\t\tDeniedPatterns: []string{\"*.pdf\"},\n\t\t},\n\t}\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodGet, webClientGetPDFPath+\"?path=%2Ftest.pdf\", nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError403Message)\n\n\tuser.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: \"/\",\n\t\t\tDeniedPatterns: []string{\"*.txt\"},\n\t\t},\n\t}\n\tuser.Filters.DeniedProtocols = []string{common.ProtocolHTTP}\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodGet, webClientGetPDFPath+\"?path=%2Ftest.pdf\", nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientGetPDFPath+\"?path=%2Ftest.pdf\", nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n}\n\nfunc TestWebEditFile(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestFile1 := \"testfile1.txt\"\n\ttestFile2 := \"testfile2\"\n\tfile1Size := int64(65536)\n\tfile2Size := int64(1048576 * 5)\n\terr = createTestFile(filepath.Join(user.GetHomeDir(), testFile1), file1Size)\n\tassert.NoError(t, err)\n\terr = createTestFile(filepath.Join(user.GetHomeDir(), testFile2), file2Size)\n\tassert.NoError(t, err)\n\n\twebToken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodGet, webClientEditFilePath+\"?path=\"+testFile1, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientEditFilePath+\"?path=\"+testFile2, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorEditSize)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientEditFilePath+\"?path=missing\", nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorFsGeneric)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientEditFilePath+\"?path=%2F\", nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorEditDir)\n\n\tuser.Filters.DeniedProtocols = []string{common.ProtocolHTTP}\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientEditFilePath+\"?path=\"+testFile1, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\tuser.Filters.DeniedProtocols = []string{common.ProtocolFTP}\n\tuser.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: \"/\",\n\t\t\tDeniedPatterns: []string{\"*.txt\"},\n\t\t},\n\t}\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientEditFilePath+\"?path=\"+testFile1, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError403Message)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientEditFilePath+\"?path=\"+testFile1, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n}\n\nfunc TestWebGetFiles(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestFileName := \"testfile\"\n\ttestDir := \"testdir\"\n\ttestFileContents := []byte(\"file contents\")\n\terr = os.MkdirAll(filepath.Join(user.GetHomeDir(), testDir), os.ModePerm)\n\tassert.NoError(t, err)\n\textensions := []string{\"\", \".doc\", \".ppt\", \".xls\", \".pdf\", \".mkv\", \".png\", \".go\", \".zip\", \".txt\"}\n\tfor _, ext := range extensions {\n\t\terr = os.WriteFile(filepath.Join(user.GetHomeDir(), testFileName+ext), testFileContents, os.ModePerm)\n\t\tassert.NoError(t, err)\n\t}\n\terr = os.Symlink(filepath.Join(user.GetHomeDir(), testFileName+\".doc\"), filepath.Join(user.GetHomeDir(), testDir, testFileName+\".link\"))\n\tassert.NoError(t, err)\n\twebToken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\twebAPIToken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\tsetJWTCookieForReq(req, webToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath+\"?path=\"+testDir, nil)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, webClientDirsPath+\"?path=\"+testDir, nil)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar dirContents []map[string]any\n\terr = json.Unmarshal(rr.Body.Bytes(), &dirContents)\n\tassert.NoError(t, err)\n\tassert.Len(t, dirContents, 1)\n\n\treq, _ = http.NewRequest(http.MethodGet, webClientDirsPath+\"?dirtree=1&path=\"+testDir, nil)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tdirContents = make([]map[string]any, 0)\n\terr = json.Unmarshal(rr.Body.Bytes(), &dirContents)\n\tassert.NoError(t, err)\n\tassert.Len(t, dirContents, 0)\n\n\treq, _ = http.NewRequest(http.MethodGet, userDirsPath+\"?path=\"+testDir, nil)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar dirEntries []map[string]any\n\terr = json.Unmarshal(rr.Body.Bytes(), &dirEntries)\n\tassert.NoError(t, err)\n\tassert.Len(t, dirEntries, 1)\n\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webClientProfilePath, webToken)\n\tassert.NoError(t, err)\n\tform := make(url.Values)\n\tform.Set(\"files\", fmt.Sprintf(`[\"%s\",\"%s\",\"%s\"]`, testFileName, testDir, testFileName+extensions[2]))\n\treq, _ = http.NewRequest(http.MethodPost, webClientDownloadZipPath+\"?path=\"+url.QueryEscape(\"/\"),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\t// add csrf token\n\tform.Set(csrfFormToken, csrfToken)\n\treq, _ = http.NewRequest(http.MethodPost, webClientDownloadZipPath+\"?path=\"+url.QueryEscape(\"/\"),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// parse form error\n\treq, _ = http.NewRequest(http.MethodPost, webClientDownloadZipPath+\"?path=p%C3%AO%GK\",\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\tfilesList := []string{testFileName, testDir, testFileName + extensions[2]}\n\tasJSON, err := json.Marshal(filesList)\n\tassert.NoError(t, err)\n\treq, _ = http.NewRequest(http.MethodPost, userStreamZipPath, bytes.NewBuffer(asJSON))\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tassert.NoError(t, err)\n\treq, _ = http.NewRequest(http.MethodPost, userStreamZipPath, bytes.NewBuffer([]byte(`file`)))\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\tform = make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"files\", fmt.Sprintf(`[\"%v\"]`, testDir))\n\treq, _ = http.NewRequest(http.MethodPost, webClientDownloadZipPath+\"?path=\"+url.QueryEscape(\"/\"),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tform = make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"files\", \"notalist\")\n\treq, _ = http.NewRequest(http.MethodPost, webClientDownloadZipPath+\"?path=\"+url.QueryEscape(\"/\"),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError400Message)\n\n\treq, _ = http.NewRequest(http.MethodGet, webClientDirsPath+\"?path=/\", nil) //nolint:goconst\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tdirContents = nil\n\terr = json.Unmarshal(rr.Body.Bytes(), &dirContents)\n\tassert.NoError(t, err)\n\tassert.Len(t, dirContents, len(extensions)+1)\n\n\treq, _ = http.NewRequest(http.MethodGet, userDirsPath+\"?path=/\", nil)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tdirEntries = nil\n\terr = json.Unmarshal(rr.Body.Bytes(), &dirEntries)\n\tassert.NoError(t, err)\n\tassert.Len(t, dirEntries, len(extensions)+1)\n\n\treq, _ = http.NewRequest(http.MethodGet, webClientDirsPath+\"?path=/missing\", nil)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorDirListGeneric)\n\n\treq, _ = http.NewRequest(http.MethodGet, userDirsPath+\"?path=missing\", nil)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\tassert.Contains(t, rr.Body.String(), \"Unable to get directory lister\")\n\n\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath+\"?path=\"+testFileName, nil)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Equal(t, testFileContents, rr.Body.Bytes())\n\n\treq, _ = http.NewRequest(http.MethodGet, userFilesPath+\"?path=\"+testFileName, nil)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Equal(t, testFileContents, rr.Body.Bytes())\n\n\treq, _ = http.NewRequest(http.MethodGet, userFilesPath+\"?path=\", nil)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"Please set the path to a valid file\")\n\n\treq, _ = http.NewRequest(http.MethodGet, userFilesPath+\"?path=\"+testDir, nil)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"is a directory\")\n\n\treq, _ = http.NewRequest(http.MethodGet, userFilesPath+\"?path=notafile\", nil)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\tassert.Contains(t, rr.Body.String(), \"Unable to stat the requested file\")\n\n\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath+\"?path=\"+testFileName, nil)\n\treq.Header.Set(\"Range\", \"bytes=2-\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusPartialContent, rr)\n\tassert.Equal(t, testFileContents[2:], rr.Body.Bytes())\n\tlastModified, err := http.ParseTime(rr.Header().Get(\"Last-Modified\"))\n\tassert.NoError(t, err)\n\n\treq, _ = http.NewRequest(http.MethodGet, userFilesPath+\"?path=\"+testFileName, nil)\n\treq.Header.Set(\"Range\", \"bytes=2-\")\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusPartialContent, rr)\n\tassert.Equal(t, testFileContents[2:], rr.Body.Bytes())\n\n\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath+\"?path=\"+testFileName, nil)\n\treq.Header.Set(\"Range\", \"bytes=-2\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusPartialContent, rr)\n\tassert.Equal(t, testFileContents[11:], rr.Body.Bytes())\n\n\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath+\"?path=\"+testFileName, nil)\n\treq.Header.Set(\"Range\", \"bytes=-2,\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusRequestedRangeNotSatisfiable, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath+\"?path=\"+testFileName, nil)\n\treq.Header.Set(\"Range\", \"bytes=1a-\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusRequestedRangeNotSatisfiable, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, userFilesPath+\"?path=\"+testFileName, nil)\n\treq.Header.Set(\"Range\", \"bytes=2b-\")\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusRequestedRangeNotSatisfiable, rr)\n\n\treq, _ = http.NewRequest(http.MethodHead, webClientFilesPath+\"?path=\"+testFileName, nil)\n\treq.Header.Set(\"Range\", \"bytes=2-\")\n\treq.Header.Set(\"If-Range\", lastModified.UTC().Format(http.TimeFormat))\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusPartialContent, rr)\n\n\treq, _ = http.NewRequest(http.MethodHead, webClientFilesPath+\"?path=\"+testFileName, nil)\n\treq.Header.Set(\"Range\", \"bytes=2-\")\n\treq.Header.Set(\"If-Range\", lastModified.UTC().Add(-120*time.Second).Format(http.TimeFormat))\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, _ = http.NewRequest(http.MethodHead, webClientFilesPath+\"?path=\"+testFileName, nil)\n\treq.Header.Set(\"If-Modified-Since\", lastModified.UTC().Add(-120*time.Second).Format(http.TimeFormat))\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, _ = http.NewRequest(http.MethodHead, webClientFilesPath+\"?path=\"+testFileName, nil)\n\treq.Header.Set(\"If-Modified-Since\", lastModified.UTC().Add(120*time.Second).Format(http.TimeFormat))\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotModified, rr)\n\n\treq, _ = http.NewRequest(http.MethodHead, webClientFilesPath+\"?path=\"+testFileName, nil)\n\treq.Header.Set(\"If-Unmodified-Since\", lastModified.UTC().Add(-120*time.Second).Format(http.TimeFormat))\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusPreconditionFailed, rr)\n\n\treq, _ = http.NewRequest(http.MethodHead, userFilesPath+\"?path=\"+testFileName, nil)\n\treq.Header.Set(\"If-Unmodified-Since\", lastModified.UTC().Add(-120*time.Second).Format(http.TimeFormat))\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusPreconditionFailed, rr)\n\n\treq, _ = http.NewRequest(http.MethodHead, webClientFilesPath+\"?path=\"+testFileName, nil)\n\treq.Header.Set(\"If-Unmodified-Since\", lastModified.UTC().Add(120*time.Second).Format(http.TimeFormat))\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tuser.Filters.DeniedProtocols = []string{common.ProtocolHTTP}\n\t_, resp, err := httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err, string(resp))\n\n\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, webClientDirsPath+\"?path=/\", nil)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, userFilesPath+\"?path=\"+testFileName, nil)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, userDirsPath+\"?path=\"+testDir, nil)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\tfilesList = []string{testDir}\n\tasJSON, err = json.Marshal(filesList)\n\tassert.NoError(t, err)\n\treq, _ = http.NewRequest(http.MethodPost, userStreamZipPath, bytes.NewBuffer(asJSON))\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\tuser.Filters.DeniedProtocols = []string{common.ProtocolFTP}\n\tuser.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodPassword}\n\t_, resp, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err, string(resp))\n\n\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\tform = make(url.Values)\n\tform.Set(\"files\", `[]`)\n\tform.Set(csrfFormToken, csrfToken)\n\treq, _ = http.NewRequest(http.MethodPost, webClientDownloadZipPath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, userDirsPath+\"?path=\"+testDir, nil)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestRenameDifferentResource(t *testing.T) {\n\tfolderName := \"foldercryptfs\"\n\tf := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: filepath.Join(os.TempDir(), \"folderName\"),\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.CryptedFilesystemProvider,\n\t\t\tCryptConfig: vfs.CryptFsConfig{\n\t\t\t\tPassphrase: kms.NewPlainSecret(\"super secret\"),\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err := httpdtest.AddFolder(f, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu := getTestUser()\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: \"/folderPath\",\n\t})\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ttestFileName := \"file.txt\"\n\n\twebAPIToken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\twebToken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webClientProfilePath, webToken)\n\tassert.NoError(t, err)\n\n\tgetStatusResponse := func(taskID string) int {\n\t\treq, _ := http.NewRequest(http.MethodGet, webClientTasksPath+\"/\"+url.PathEscape(taskID), nil)\n\t\treq.RemoteAddr = defaultRemoteAddr\n\t\treq.Header.Set(\"X-CSRF-TOKEN\", csrfToken)\n\t\tsetJWTCookieForReq(req, webToken)\n\t\trr := executeRequest(req)\n\t\tif rr.Code != http.StatusOK {\n\t\t\treturn -1\n\t\t}\n\t\tresp := make(map[string]any)\n\t\terr = json.Unmarshal(rr.Body.Bytes(), &resp)\n\t\tif err != nil {\n\t\t\treturn -1\n\t\t}\n\t\treturn int(resp[\"status\"].(float64))\n\t}\n\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodPost, userFileActionsPath+\"/move?path=\"+testFileName+\"&target=\"+url.QueryEscape(path.Join(\"/\", \"folderPath\", testFileName)), nil) //nolint:goconst\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\tassert.Contains(t, rr.Body.String(), \"Cannot perform copy step\")\n\n\treq, err = http.NewRequest(http.MethodPost, webClientFileMovePath+\"?path=\"+testFileName+\"&target=\"+url.QueryEscape(path.Join(\"/\", \"folderPath\", testFileName)), nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"X-CSRF-TOKEN\", csrfToken)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusAccepted, rr)\n\ttaskResp := make(map[string]any)\n\terr = json.Unmarshal(rr.Body.Bytes(), &taskResp)\n\tassert.NoError(t, err)\n\ttaskID := taskResp[\"message\"].(string)\n\tassert.NotEmpty(t, taskID)\n\n\tassert.Eventually(t, func() bool {\n\t\tstatus := getStatusResponse(taskID)\n\t\treturn status == http.StatusNotFound\n\t}, 1000*time.Millisecond, 100*time.Millisecond)\n\n\terr = os.WriteFile(filepath.Join(user.GetHomeDir(), testFileName), []byte(\"just a test\"), os.ModePerm)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodPost, userFileActionsPath+\"/move?path=\"+testFileName+\"&target=\"+url.QueryEscape(path.Join(\"/\", \"folderPath\", testFileName)), nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\t// recreate the file and remove the delete permission\n\terr = os.WriteFile(filepath.Join(user.GetHomeDir(), testFileName), []byte(\"just another test\"), os.ModePerm)\n\tassert.NoError(t, err)\n\n\tu.Permissions = map[string][]string{\n\t\t\"/\": {dataprovider.PermUpload, dataprovider.PermListItems, dataprovider.PermCreateDirs,\n\t\t\tdataprovider.PermDownload, dataprovider.PermOverwrite},\n\t}\n\t_, resp, err := httpdtest.UpdateUser(u, http.StatusOK, \"\")\n\tassert.NoError(t, err, string(resp))\n\twebAPIToken, err = getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userFileActionsPath+\"/move?path=\"+testFileName+\"&target=\"+url.QueryEscape(path.Join(\"/\", \"folderPath\", testFileName)), nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"Cannot perform copy step\")\n\n\tu.Permissions = map[string][]string{\n\t\t\"/\": {dataprovider.PermUpload, dataprovider.PermListItems, dataprovider.PermCreateDirs,\n\t\t\tdataprovider.PermDownload, dataprovider.PermOverwrite, dataprovider.PermCopy},\n\t}\n\t_, resp, err = httpdtest.UpdateUser(u, http.StatusOK, \"\")\n\tassert.NoError(t, err, string(resp))\n\twebAPIToken, err = getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userFileActionsPath+\"/move?path=\"+testFileName+\"&target=\"+url.QueryEscape(path.Join(\"/\", \"folderPath\", testFileName)), nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"Cannot perform remove step\")\n\n\treq, err = http.NewRequest(http.MethodPost, webClientFileMovePath+\"?path=\"+testFileName+\"&target=\"+url.QueryEscape(path.Join(\"/\", \"folderPath\", testFileName)), nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"X-CSRF-TOKEN\", csrfToken)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusAccepted, rr)\n\ttaskResp = make(map[string]any)\n\terr = json.Unmarshal(rr.Body.Bytes(), &taskResp)\n\tassert.NoError(t, err)\n\ttaskID = taskResp[\"message\"].(string)\n\tassert.NotEmpty(t, taskID)\n\n\tassert.Eventually(t, func() bool {\n\t\tstatus := getStatusResponse(taskID)\n\t\treturn status == http.StatusForbidden\n\t}, 1000*time.Millisecond, 100*time.Millisecond)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName}, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestWebDirsAPI(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\twebAPIToken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\ttestDir := \"testdir\"\n\n\treq, err := http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar contents []map[string]any\n\terr = json.NewDecoder(rr.Body).Decode(&contents)\n\tassert.NoError(t, err)\n\tassert.Len(t, contents, 0)\n\n\t// rename a missing folder\n\treq, err = http.NewRequest(http.MethodPost, userFileActionsPath+\"/move?path=\"+testDir+\"&target=\"+testDir+\"new\", nil) //nolint:goconst\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\t// copy a missing folder\n\treq, err = http.NewRequest(http.MethodPost, userFileActionsPath+\"/copy?path=\"+testDir+\"%2F&target=\"+testDir+\"new%2F\", nil) //nolint:goconst\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\t// delete a missing folder\n\treq, err = http.NewRequest(http.MethodDelete, userDirsPath+\"?path=\"+testDir, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\t// create a dir\n\treq, err = http.NewRequest(http.MethodPost, userDirsPath+\"?path=\"+testDir, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\t// check the dir was created\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tcontents = nil\n\terr = json.NewDecoder(rr.Body).Decode(&contents)\n\tassert.NoError(t, err)\n\tif assert.Len(t, contents, 1) {\n\t\tassert.Equal(t, testDir, contents[0][\"name\"])\n\t}\n\t// rename a dir with the same source and target name\n\treq, err = http.NewRequest(http.MethodPost, userFileActionsPath+\"/move?path=\"+testDir+\"&target=\"+testDir, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"operation unsupported\")\n\treq, err = http.NewRequest(http.MethodPost, userFileActionsPath+\"/move?path=\"+testDir+\"&target=%2F\"+testDir+\"%2F\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"operation unsupported\")\n\t// copy a dir with the same source and target name\n\treq, err = http.NewRequest(http.MethodPost, userFileActionsPath+\"/copy?path=\"+testDir+\"&target=\"+testDir, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"operation unsupported\")\n\t// create a dir with missing parents\n\treq, err = http.NewRequest(http.MethodPost, userDirsPath+\"?path=\"+url.QueryEscape(path.Join(\"/sub/dir\", testDir)), nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\t// setting the mkdir_parents param will work\n\treq, err = http.NewRequest(http.MethodPost, userDirsPath+\"?mkdir_parents=true&path=\"+url.QueryEscape(path.Join(\"/sub/dir\", testDir)), nil) //nolint:goconst\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\t// copy the dir\n\treq, err = http.NewRequest(http.MethodPost, userFileActionsPath+\"/copy?path=\"+testDir+\"&target=\"+testDir+\"copy\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// rename the dir\n\treq, err = http.NewRequest(http.MethodPost, userFileActionsPath+\"/move?path=\"+testDir+\"&target=\"+testDir+\"new\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// delete the dir\n\treq, err = http.NewRequest(http.MethodDelete, userDirsPath+\"?path=\"+testDir+\"new\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\treq, err = http.NewRequest(http.MethodDelete, userDirsPath+\"?path=\"+testDir+\"copy\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// the root dir cannot be created\n\treq, err = http.NewRequest(http.MethodPost, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermListItems}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\t// the user has no more the permission to create the directory\n\treq, err = http.NewRequest(http.MethodPost, userDirsPath+\"?path=\"+testDir, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\t// the user is deleted, any API call should fail\n\treq, err = http.NewRequest(http.MethodPost, userDirsPath+\"?path=\"+testDir, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, userFileActionsPath+\"/move?path=\"+testDir+\"&target=\"+testDir+\"new\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, userFileActionsPath+\"/copy?path=\"+testDir+\"&target=\"+testDir+\"new\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodDelete, userDirsPath+\"?path=\"+testDir+\"new\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n}\n\nfunc TestWebUploadSingleFile(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\twebAPIToken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\tcontent := []byte(\"test content\")\n\n\treq, err := http.NewRequest(http.MethodPost, userUploadFilePath, bytes.NewBuffer(content))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"please set a file path\")\n\n\tmodTime := time.Now().Add(-24 * time.Hour)\n\treq, err = http.NewRequest(http.MethodPost, userUploadFilePath+\"?path=file.txt\", bytes.NewBuffer(content)) //nolint:goconst\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\treq.Header.Set(\"X-SFTPGO-MTIME\", strconv.FormatInt(util.GetTimeAsMsSinceEpoch(modTime), 10))\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\tinfo, err := os.Stat(filepath.Join(user.GetHomeDir(), \"file.txt\"))\n\tif assert.NoError(t, err) {\n\t\tassert.InDelta(t, util.GetTimeAsMsSinceEpoch(modTime), util.GetTimeAsMsSinceEpoch(info.ModTime()), float64(1000))\n\t}\n\t// invalid modification time will be ignored\n\treq, err = http.NewRequest(http.MethodPost, userUploadFilePath+\"?path=file.txt\", bytes.NewBuffer(content))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\treq.Header.Set(\"X-SFTPGO-MTIME\", \"123abc\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tinfo, err = os.Stat(filepath.Join(user.GetHomeDir(), \"file.txt\"))\n\tif assert.NoError(t, err) {\n\t\tassert.InDelta(t, util.GetTimeAsMsSinceEpoch(time.Now()), util.GetTimeAsMsSinceEpoch(info.ModTime()), float64(3000))\n\t}\n\t// upload to a missing dir will fail without the mkdir_parents param\n\treq, err = http.NewRequest(http.MethodPost, userUploadFilePath+\"?path=\"+url.QueryEscape(\"/subdir/file.txt\"), bytes.NewBuffer(content))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\treq, err = http.NewRequest(http.MethodPost, userUploadFilePath+\"?mkdir_parents=true&path=\"+url.QueryEscape(\"/subdir/file.txt\"), bytes.NewBuffer(content))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\tmetadataReq := make(map[string]int64)\n\tmetadataReq[\"modification_time\"] = util.GetTimeAsMsSinceEpoch(modTime)\n\tasJSON, err := json.Marshal(metadataReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPatch, userFilesDirsMetadataPath+\"?path=file.txt\", bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tinfo, err = os.Stat(filepath.Join(user.GetHomeDir(), \"file.txt\"))\n\tif assert.NoError(t, err) {\n\t\tassert.InDelta(t, util.GetTimeAsMsSinceEpoch(modTime), util.GetTimeAsMsSinceEpoch(info.ModTime()), float64(1000))\n\t}\n\t// missing file\n\treq, err = http.NewRequest(http.MethodPatch, userFilesDirsMetadataPath+\"?path=file2.txt\", bytes.NewBuffer(asJSON)) //nolint:goconst\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\tassert.Contains(t, rr.Body.String(), \"Unable to set metadata for path\")\n\t// invalid JSON\n\treq, err = http.NewRequest(http.MethodPatch, userFilesDirsMetadataPath+\"?path=file.txt\", bytes.NewBuffer(content))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\t// missing mandatory parameter\n\treq, err = http.NewRequest(http.MethodPatch, userFilesDirsMetadataPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"please set a modification_time and a path\")\n\n\tmetadataReq = make(map[string]int64)\n\tasJSON, err = json.Marshal(metadataReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPatch, userFilesDirsMetadataPath+\"?path=file.txt\", bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"please set a modification_time and a path\")\n\n\treq, err = http.NewRequest(http.MethodPost, userUploadFilePath+\"?path=%2Fdir%2Ffile.txt\", bytes.NewBuffer(content))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\tassert.Contains(t, rr.Body.String(), \"Unable to write file\")\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodPost, userUploadFilePath+\"?path=file.txt\", bytes.NewBuffer(content))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\tassert.Contains(t, rr.Body.String(), \"Unable to retrieve your user\")\n\n\tmetadataReq[\"modification_time\"] = util.GetTimeAsMsSinceEpoch(modTime)\n\tasJSON, err = json.Marshal(metadataReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPatch, userFilesDirsMetadataPath+\"?path=file.txt\", bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\tassert.Contains(t, rr.Body.String(), \"Unable to retrieve your user\")\n}\n\nfunc TestWebFilesAPI(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\twebAPIToken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\tbody := new(bytes.Buffer)\n\twriter := multipart.NewWriter(body)\n\tpart1, err := writer.CreateFormFile(\"filenames\", \"file1.txt\")\n\tassert.NoError(t, err)\n\t_, err = part1.Write([]byte(\"file1 content\"))\n\tassert.NoError(t, err)\n\tpart2, err := writer.CreateFormFile(\"filenames\", \"file2.txt\")\n\tassert.NoError(t, err)\n\t_, err = part2.Write([]byte(\"file2 content\"))\n\tassert.NoError(t, err)\n\terr = writer.Close()\n\tassert.NoError(t, err)\n\treader := bytes.NewReader(body.Bytes())\n\n\treq, err := http.NewRequest(http.MethodPost, userFilesPath, reader)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"Unable to parse multipart form\")\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(0), user.FirstUpload)\n\tassert.Equal(t, int64(0), user.FirstDownload)\n\t// set the proper content type\n\treq, err = http.NewRequest(http.MethodPost, userFilesPath, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Greater(t, user.FirstUpload, int64(0))\n\tassert.Equal(t, int64(0), user.FirstDownload)\n\t// check we have 2 files\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar contents []map[string]any\n\terr = json.NewDecoder(rr.Body).Decode(&contents)\n\tassert.NoError(t, err)\n\tassert.Len(t, contents, 2)\n\t// download a file\n\treq, err = http.NewRequest(http.MethodGet, userFilesPath+\"?path=file1.txt\", nil) //nolint:goconst\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Equal(t, \"file1 content\", rr.Body.String())\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Greater(t, user.FirstUpload, int64(0))\n\tassert.Greater(t, user.FirstDownload, int64(0))\n\t// overwrite the existing files\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userFilesPath, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tcontents = nil\n\terr = json.NewDecoder(rr.Body).Decode(&contents)\n\tassert.NoError(t, err)\n\tassert.Len(t, contents, 2)\n\t// now create a dir and upload to that dir\n\ttestDir := \"tdir\"\n\treq, err = http.NewRequest(http.MethodPost, userDirsPath+\"?path=\"+testDir, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userFilesPath+\"?path=\"+testDir, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\t// upload to a missing subdir will fail without the mkdir_parents param\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userFilesPath+\"?path=\"+url.QueryEscape(\"/sub/\"+testDir), reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userFilesPath+\"?mkdir_parents=true&path=\"+url.QueryEscape(\"/sub/\"+testDir), reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tcontents = nil\n\terr = json.NewDecoder(rr.Body).Decode(&contents)\n\tassert.NoError(t, err)\n\tassert.Len(t, contents, 4)\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath+\"?path=\"+testDir, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tcontents = nil\n\terr = json.NewDecoder(rr.Body).Decode(&contents)\n\tassert.NoError(t, err)\n\tassert.Len(t, contents, 2)\n\t// copy a file\n\treq, err = http.NewRequest(http.MethodPost, userFileActionsPath+\"/copy?path=file1.txt&target=%2Ftdir%2Ffile_copy.txt\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// rename a file\n\treq, err = http.NewRequest(http.MethodPost, userFileActionsPath+\"/move?target=%2Ftdir%2Ffile3.txt&path=file1.txt\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// rename a missing file\n\treq, err = http.NewRequest(http.MethodPost, userFileActionsPath+\"/move?path=file1.txt&target=%2Ftdir%2Ffile3.txt\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\t// rename a file with target name equal to source name\n\treq, err = http.NewRequest(http.MethodPost, userFileActionsPath+\"/move?path=file1.txt&target=file1.txt\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"operation unsupported\")\n\t// delete a file\n\treq, err = http.NewRequest(http.MethodDelete, userFilesPath+\"?path=file2.txt\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// delete a missing file\n\treq, err = http.NewRequest(http.MethodDelete, userFilesPath+\"?path=file2.txt\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\t// delete a directory\n\treq, err = http.NewRequest(http.MethodDelete, userFilesPath+\"?path=tdir\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\t// make a symlink outside the home dir and then try to delete it\n\textPath := filepath.Join(os.TempDir(), \"file\")\n\terr = os.WriteFile(extPath, []byte(\"contents\"), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.Symlink(extPath, filepath.Join(user.GetHomeDir(), \"file\"))\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodDelete, userFilesPath+\"?path=file\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\terr = os.Remove(extPath)\n\tassert.NoError(t, err)\n\t// remove delete and overwrite permissions\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermListItems, dataprovider.PermDownload, dataprovider.PermUpload}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userFilesPath+\"?path=tdir\", reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\treq, err = http.NewRequest(http.MethodDelete, userFilesPath+\"?path=%2Ftdir%2Ffile1.txt\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t// the user is deleted, any API call should fail\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userFilesPath, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, userFileActionsPath+\"/move?path=file1.txt&target=%2Ftdir%2Ffile3.txt\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodDelete, userFilesPath+\"?path=file2.txt\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n}\n\nfunc TestBufferedWebFilesAPI(t *testing.T) {\n\tu := getTestUser()\n\tu.FsConfig.OSConfig = sdk.OSFsConfig{\n\t\tReadBufferSize: 1,\n\t\tWriteBufferSize: 1,\n\t}\n\tvdirPath := \"/crypted\"\n\tmappedPath := filepath.Join(os.TempDir(), util.GenerateUniqueID())\n\tfolderName := filepath.Base(mappedPath)\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: vdirPath,\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tf := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: mappedPath,\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.CryptedFilesystemProvider,\n\t\t\tCryptConfig: vfs.CryptFsConfig{\n\t\t\t\tOSFsConfig: sdk.OSFsConfig{\n\t\t\t\t\tWriteBufferSize: 3,\n\t\t\t\t\tReadBufferSize: 2,\n\t\t\t\t},\n\t\t\t\tPassphrase: kms.NewPlainSecret(defaultPassword),\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err := httpdtest.AddFolder(f, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\twebAPIToken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\tbody := new(bytes.Buffer)\n\twriter := multipart.NewWriter(body)\n\tpart1, err := writer.CreateFormFile(\"filenames\", \"file1.txt\")\n\tassert.NoError(t, err)\n\t_, err = part1.Write([]byte(\"file1 content\"))\n\tassert.NoError(t, err)\n\terr = writer.Close()\n\tassert.NoError(t, err)\n\treader := bytes.NewReader(body.Bytes())\n\n\treq, err := http.NewRequest(http.MethodPost, userFilesPath, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userFilesPath+\"?path=\"+url.QueryEscape(vdirPath), reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, userFilesPath+\"?path=file1.txt\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Equal(t, \"file1 content\", rr.Body.String())\n\n\treq, err = http.NewRequest(http.MethodGet, userFilesPath+\"?path=\"+url.QueryEscape(vdirPath+\"/file1.txt\"), nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Equal(t, \"file1 content\", rr.Body.String())\n\n\treq, err = http.NewRequest(http.MethodGet, userFilesPath+\"?path=file1.txt\", nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Range\", \"bytes=2-\")\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusPartialContent, rr)\n\tassert.Equal(t, \"le1 content\", rr.Body.String())\n\n\treq, err = http.NewRequest(http.MethodGet, userFilesPath+\"?path=\"+url.QueryEscape(vdirPath+\"/file1.txt\"), nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Range\", \"bytes=3-6\")\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusPartialContent, rr)\n\tassert.Equal(t, \"e1 c\", rr.Body.String())\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestWebClientTasksAPI(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tu1 := getTestUser()\n\tu1.Username = xid.New().String()\n\tuser1, _, err := httpdtest.AddUser(u1, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ttestDir := \"subdir\"\n\ttestFileData := []byte(\"data\")\n\ttestFilePath := filepath.Join(user.GetHomeDir(), testDir, \"file.txt\")\n\ttestFileName := filepath.Base(testFilePath)\n\terr = os.MkdirAll(filepath.Dir(testFilePath), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(testFilePath, testFileData, 0666)\n\tassert.NoError(t, err)\n\n\twebToken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webClientProfilePath, webToken)\n\tassert.NoError(t, err)\n\twebToken1, err := getJWTWebClientTokenFromTestServer(user1.Username, defaultPassword)\n\tassert.NoError(t, err)\n\n\tgetStatusResponse := func(taskID string) int {\n\t\treq, _ := http.NewRequest(http.MethodGet, webClientTasksPath+\"/\"+url.PathEscape(taskID), nil)\n\t\treq.RemoteAddr = defaultRemoteAddr\n\t\treq.Header.Set(\"X-CSRF-TOKEN\", csrfToken)\n\t\tsetJWTCookieForReq(req, webToken)\n\t\trr := executeRequest(req)\n\t\tif rr.Code != http.StatusOK {\n\t\t\treturn -1\n\t\t}\n\t\tresp := make(map[string]any)\n\t\terr = json.Unmarshal(rr.Body.Bytes(), &resp)\n\t\tif err != nil {\n\t\t\treturn -1\n\t\t}\n\t\treturn int(resp[\"status\"].(float64))\n\t}\n\t// missing task\n\tassert.Equal(t, -1, getStatusResponse(\"missing\"))\n\n\treq, err := http.NewRequest(http.MethodPost, webClientFileCopyPath+\"?path=\"+\n\t\turl.QueryEscape(path.Join(testDir, testFileName))+\"&target=\"+url.QueryEscape(testFileName), nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"X-CSRF-TOKEN\", csrfToken)\n\tsetJWTCookieForReq(req, webToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusAccepted, rr)\n\tresp := make(map[string]any)\n\terr = json.Unmarshal(rr.Body.Bytes(), &resp)\n\tassert.NoError(t, err)\n\ttaskID := resp[\"message\"].(string)\n\tassert.NotEmpty(t, taskID)\n\n\tassert.Eventually(t, func() bool {\n\t\tstatus := getStatusResponse(taskID)\n\t\treturn status == http.StatusOK\n\t}, 1000*time.Millisecond, 100*time.Millisecond)\n\n\t// cannot get the task with a different user\n\treq, err = http.NewRequest(http.MethodGet, webClientTasksPath+\"/\"+url.PathEscape(taskID), nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"X-CSRF-TOKEN\", csrfToken)\n\tsetJWTCookieForReq(req, webToken1)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, webClientFileMovePath+\"?path=\"+\n\t\turl.QueryEscape(path.Join(testDir, testFileName))+\"&target=\"+url.QueryEscape(testFileName), nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"X-CSRF-TOKEN\", csrfToken)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusAccepted, rr)\n\tresp = make(map[string]any)\n\terr = json.Unmarshal(rr.Body.Bytes(), &resp)\n\tassert.NoError(t, err)\n\ttaskID = resp[\"message\"].(string)\n\tassert.NotEmpty(t, taskID)\n\n\tassert.Eventually(t, func() bool {\n\t\tstatus := getStatusResponse(taskID)\n\t\treturn status == http.StatusOK\n\t}, 1000*time.Millisecond, 100*time.Millisecond)\n\n\treq, err = http.NewRequest(http.MethodDelete, webClientDirsPath+\"?path=\"+\n\t\turl.QueryEscape(testDir), nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"X-CSRF-TOKEN\", csrfToken)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusAccepted, rr)\n\tresp = make(map[string]any)\n\terr = json.Unmarshal(rr.Body.Bytes(), &resp)\n\tassert.NoError(t, err)\n\ttaskID = resp[\"message\"].(string)\n\tassert.NotEmpty(t, taskID)\n\n\tassert.Eventually(t, func() bool {\n\t\tstatus := getStatusResponse(taskID)\n\t\treturn status == http.StatusOK\n\t}, 1000*time.Millisecond, 100*time.Millisecond)\n\n\treq, err = http.NewRequest(http.MethodDelete, webClientDirsPath+\"?path=\"+\n\t\turl.QueryEscape(testDir), nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"X-CSRF-TOKEN\", csrfToken)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusAccepted, rr)\n\tresp = make(map[string]any)\n\terr = json.Unmarshal(rr.Body.Bytes(), &resp)\n\tassert.NoError(t, err)\n\ttaskID = resp[\"message\"].(string)\n\tassert.NotEmpty(t, taskID)\n\n\tassert.Eventually(t, func() bool {\n\t\tstatus := getStatusResponse(taskID)\n\t\treturn status == http.StatusNotFound\n\t}, 1000*time.Millisecond, 100*time.Millisecond)\n\n\treq, err = http.NewRequest(http.MethodPost, webClientFileMovePath+\"?path=\"+\n\t\turl.QueryEscape(path.Join(testDir, testFileName))+\"&target=\"+url.QueryEscape(testFileName), nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"X-CSRF-TOKEN\", csrfToken)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusAccepted, rr)\n\tresp = make(map[string]any)\n\terr = json.Unmarshal(rr.Body.Bytes(), &resp)\n\tassert.NoError(t, err)\n\ttaskID = resp[\"message\"].(string)\n\tassert.NotEmpty(t, taskID)\n\n\tassert.Eventually(t, func() bool {\n\t\tstatus := getStatusResponse(taskID)\n\t\treturn status == http.StatusNotFound\n\t}, 1000*time.Millisecond, 100*time.Millisecond)\n\n\treq, err = http.NewRequest(http.MethodPost, webClientFileCopyPath+\"?path=\"+\n\t\turl.QueryEscape(path.Join(testDir, testFileName)+\"/\")+\"&target=\"+url.QueryEscape(testFileName+\"/\"), nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"X-CSRF-TOKEN\", csrfToken)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusAccepted, rr)\n\tresp = make(map[string]any)\n\terr = json.Unmarshal(rr.Body.Bytes(), &resp)\n\tassert.NoError(t, err)\n\ttaskID = resp[\"message\"].(string)\n\tassert.NotEmpty(t, taskID)\n\n\tassert.Eventually(t, func() bool {\n\t\tstatus := getStatusResponse(taskID)\n\t\treturn status == http.StatusNotFound\n\t}, 1000*time.Millisecond, 100*time.Millisecond)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user1, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user1.GetHomeDir())\n\tassert.NoError(t, err)\n\t// user deleted\n\treq, err = http.NewRequest(http.MethodDelete, webClientDirsPath+\"?path=\"+\n\t\turl.QueryEscape(testDir), nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"X-CSRF-TOKEN\", csrfToken)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, webClientFileMovePath+\"?path=\"+\n\t\turl.QueryEscape(path.Join(testDir, testFileName))+\"&target=\"+url.QueryEscape(testFileName), nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"X-CSRF-TOKEN\", csrfToken)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, webClientFileCopyPath+\"?path=\"+\n\t\turl.QueryEscape(path.Join(testDir, testFileName))+\"&target=\"+url.QueryEscape(testFileName), nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"X-CSRF-TOKEN\", csrfToken)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n}\n\nfunc TestStartDirectory(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.StartDirectory = \"/start/dir\"\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\twebAPIToken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\twebToken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\tfilename := \"file1.txt\"\n\tbody := new(bytes.Buffer)\n\twriter := multipart.NewWriter(body)\n\tpart1, err := writer.CreateFormFile(\"filenames\", filename)\n\tassert.NoError(t, err)\n\t_, err = part1.Write([]byte(\"test content\"))\n\tassert.NoError(t, err)\n\terr = writer.Close()\n\tassert.NoError(t, err)\n\treader := bytes.NewReader(body.Bytes())\n\treq, err := http.NewRequest(http.MethodPost, userFilesPath, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\t// check we have 2 files in the defined start dir\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar contents []map[string]any\n\terr = json.NewDecoder(rr.Body).Decode(&contents)\n\tassert.NoError(t, err)\n\tif assert.Len(t, contents, 1) {\n\t\tassert.Equal(t, filename, contents[0][\"name\"].(string))\n\t}\n\treq, err = http.NewRequest(http.MethodPost, userUploadFilePath+\"?path=file2.txt\",\n\t\tbytes.NewBuffer([]byte(\"single upload content\")))\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, userDirsPath+\"?path=testdir\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, userFileActionsPath+\"/move?path=testdir&target=testdir1\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, userDirsPath+\"?path=%2Ftestdirroot\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath+\"?path=\"+url.QueryEscape(u.Filters.StartDirectory), nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tcontents = nil\n\terr = json.NewDecoder(rr.Body).Decode(&contents)\n\tassert.NoError(t, err)\n\tassert.Len(t, contents, 3)\n\n\treq, err = http.NewRequest(http.MethodGet, userFilesPath+\"?path=\"+filename, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, userFilesPath+\"?path=%2F\"+filename, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodPatch, userFilesPath+\"?path=\"+filename+\"&target=\"+filename+\"_rename\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodDelete, userDirsPath+\"?path=testdir1\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tcontents = nil\n\terr = json.NewDecoder(rr.Body).Decode(&contents)\n\tassert.NoError(t, err)\n\tassert.Len(t, contents, 2)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tcontents = nil\n\terr = json.NewDecoder(rr.Body).Decode(&contents)\n\tassert.NoError(t, err)\n\tassert.Len(t, contents, 2)\n\n\treq, err = http.NewRequest(http.MethodDelete, userFilesPath+\"?path=\"+filename+\"_rename\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath+\"?path=\"+url.QueryEscape(u.Filters.StartDirectory), nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tcontents = nil\n\terr = json.NewDecoder(rr.Body).Decode(&contents)\n\tassert.NoError(t, err)\n\tassert.Len(t, contents, 1)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestWebFilesTransferQuotaLimits(t *testing.T) {\n\tu := getTestUser()\n\tu.UploadDataTransfer = 1\n\tu.DownloadDataTransfer = 1\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\twebAPIToken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\ttestFileName := \"file.data\"\n\ttestFileSize := 550000\n\ttestFileContents := make([]byte, testFileSize)\n\tn, err := io.ReadFull(rand.Reader, testFileContents)\n\tassert.NoError(t, err)\n\tassert.Equal(t, testFileSize, n)\n\tbody := new(bytes.Buffer)\n\twriter := multipart.NewWriter(body)\n\tpart, err := writer.CreateFormFile(\"filenames\", testFileName)\n\tassert.NoError(t, err)\n\t_, err = part.Write(testFileContents)\n\tassert.NoError(t, err)\n\terr = writer.Close()\n\tassert.NoError(t, err)\n\treader := bytes.NewReader(body.Bytes())\n\treq, err := http.NewRequest(http.MethodPost, userFilesPath, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, userFilesPath+\"?path=\"+testFileName, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Equal(t, testFileContents, rr.Body.Bytes())\n\t// error while download is active\n\tdownloadFunc := func() {\n\t\tdefer func() {\n\t\t\trcv := recover()\n\t\t\tassert.Equal(t, http.ErrAbortHandler, rcv)\n\t\t}()\n\n\t\treq, err = http.NewRequest(http.MethodGet, userFilesPath+\"?path=\"+testFileName, nil)\n\t\tassert.NoError(t, err)\n\t\tsetBearerForReq(req, webAPIToken)\n\t\trr = executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusOK, rr)\n\t}\n\tdownloadFunc()\n\t// error before starting the download\n\treq, err = http.NewRequest(http.MethodGet, userFilesPath+\"?path=\"+testFileName, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\t// error while upload is active\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userFilesPath, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusRequestEntityTooLarge, rr)\n\t// error before starting the upload\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userFilesPath, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusRequestEntityTooLarge, rr)\n\t// now test upload/download to/from shares\n\tshare1 := dataprovider.Share{\n\t\tName: \"share1\",\n\t\tScope: dataprovider.ShareScopeRead,\n\t\tPaths: []string{\"/\"},\n\t}\n\tasJSON, err := json.Marshal(share1)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tobjectID := rr.Header().Get(\"X-Object-ID\")\n\tassert.NotEmpty(t, objectID)\n\n\treq, err = http.NewRequest(http.MethodGet, sharesPath+\"/\"+objectID, nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\tform := make(url.Values)\n\tform.Set(\"files\", `[]`)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webClientPubSharesPath, objectID, \"/partial\"),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorQuotaRead)\n\n\tshare2 := dataprovider.Share{\n\t\tName: \"share2\",\n\t\tScope: dataprovider.ShareScopeWrite,\n\t\tPaths: []string{\"/\"},\n\t}\n\tasJSON, err = json.Marshal(share2)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userSharesPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tobjectID = rr.Header().Get(\"X-Object-ID\")\n\tassert.NotEmpty(t, objectID)\n\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, sharesPath+\"/\"+objectID, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusRequestEntityTooLarge, rr)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestWebUploadErrors(t *testing.T) {\n\tu := getTestUser()\n\tu.QuotaSize = 65535\n\tsubDir1 := \"sub1\"\n\tsubDir2 := \"sub2\"\n\tu.Permissions[path.Join(\"/\", subDir1)] = []string{dataprovider.PermListItems}\n\tu.Permissions[path.Join(\"/\", subDir2)] = []string{dataprovider.PermListItems, dataprovider.PermUpload,\n\t\tdataprovider.PermDelete}\n\tu.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: \"/sub2\",\n\t\t\tAllowedPatterns: []string{},\n\t\t\tDeniedPatterns: []string{\"*.zip\"},\n\t\t},\n\t}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\twebAPIToken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\tbody := new(bytes.Buffer)\n\twriter := multipart.NewWriter(body)\n\tpart, err := writer.CreateFormFile(\"filenames\", \"file.zip\")\n\tassert.NoError(t, err)\n\t_, err = part.Write([]byte(\"file content\"))\n\tassert.NoError(t, err)\n\terr = writer.Close()\n\tassert.NoError(t, err)\n\treader := bytes.NewReader(body.Bytes())\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\t// zip file are not allowed within sub2\n\treq, err := http.NewRequest(http.MethodPost, userFilesPath+\"?path=sub2\", reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\t// we have no upload permissions within sub1\n\treq, err = http.NewRequest(http.MethodPost, userFilesPath+\"?path=sub1\", reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\t// we cannot create dirs in sub2\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userFilesPath+\"?mkdir_parents=true&path=\"+url.QueryEscape(\"/sub2/dir\"), reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"unable to check/create missing parent dir\")\n\treq, err = http.NewRequest(http.MethodPost, userDirsPath+\"?mkdir_parents=true&path=\"+url.QueryEscape(\"/sub2/dir/test\"), nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"Error checking parent directories\")\n\treq, err = http.NewRequest(http.MethodPost, userUploadFilePath+\"?mkdir_parents=true&path=\"+url.QueryEscape(\"/sub2/dir1/file.txt\"), bytes.NewBuffer([]byte(\"\")))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"Error checking parent directories\")\n\t// create a dir and try to overwrite it with a file\n\treq, err = http.NewRequest(http.MethodPost, userDirsPath+\"?path=file.zip\", nil) //nolint:goconst\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userFilesPath, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"operation unsupported\")\n\t// try to upload to a missing parent directory\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userFilesPath+\"?path=missingdir\", reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodDelete, userDirsPath+\"?path=file.zip\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// upload will work now\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userFilesPath, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\t// overwrite the file\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userFilesPath, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\tvfs.SetTempPath(filepath.Join(os.TempDir(), \"missingpath\"))\n\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userFilesPath, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\tif runtime.GOOS != osWindows {\n\t\treq, err = http.NewRequest(http.MethodDelete, userFilesPath+\"?path=file.zip\", nil)\n\t\tassert.NoError(t, err)\n\t\tsetBearerForReq(req, webAPIToken)\n\t\trr = executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusOK, rr)\n\n\t\tvfs.SetTempPath(filepath.Clean(os.TempDir()))\n\t\terr = os.Chmod(user.GetHomeDir(), 0555)\n\t\tassert.NoError(t, err)\n\n\t\t_, err = reader.Seek(0, io.SeekStart)\n\t\tassert.NoError(t, err)\n\t\treq, err = http.NewRequest(http.MethodPost, userFilesPath, reader)\n\t\tassert.NoError(t, err)\n\t\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\t\tsetBearerForReq(req, webAPIToken)\n\t\trr = executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusForbidden, rr)\n\t\tassert.Contains(t, rr.Body.String(), \"Error closing file\")\n\n\t\treq, err = http.NewRequest(http.MethodPost, userUploadFilePath+\"?path=file.zip\", bytes.NewBuffer(nil))\n\t\tassert.NoError(t, err)\n\t\tsetBearerForReq(req, webAPIToken)\n\t\trr = executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusForbidden, rr)\n\t\tassert.Contains(t, rr.Body.String(), \"Error closing file\")\n\n\t\terr = os.Chmod(user.GetHomeDir(), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t}\n\n\tvfs.SetTempPath(\"\")\n\n\t// upload a multipart form with no files\n\tbody = new(bytes.Buffer)\n\twriter = multipart.NewWriter(body)\n\terr = writer.Close()\n\tassert.NoError(t, err)\n\treader = bytes.NewReader(body.Bytes())\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userFilesPath+\"?path=sub2\", reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"No files uploaded!\")\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestWebAPIVFolder(t *testing.T) {\n\tu := getTestUser()\n\tu.QuotaSize = 65535\n\tvdir := \"/vdir\"\n\tmappedPath := filepath.Join(os.TempDir(), \"vdir\")\n\tfolderName := filepath.Base(mappedPath)\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: vdir,\n\t\tQuotaSize: -1,\n\t\tQuotaFiles: -1,\n\t})\n\tf := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: mappedPath,\n\t}\n\t_, _, err := httpdtest.AddFolder(f, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\twebAPIToken, err := getJWTAPIUserTokenFromTestServer(user.Username, defaultPassword)\n\tassert.NoError(t, err)\n\n\tfileContents := []byte(\"test contents\")\n\n\tbody := new(bytes.Buffer)\n\twriter := multipart.NewWriter(body)\n\tpart, err := writer.CreateFormFile(\"filenames\", \"file.txt\")\n\tassert.NoError(t, err)\n\t_, err = part.Write(fileContents)\n\tassert.NoError(t, err)\n\terr = writer.Close()\n\tassert.NoError(t, err)\n\treader := bytes.NewReader(body.Bytes())\n\n\treq, err := http.NewRequest(http.MethodPost, userFilesPath+\"?path=vdir\", reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(len(fileContents)), user.UsedQuotaSize)\n\n\tfolder, _, err := httpdtest.GetFolderByName(folderName, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(0), folder.UsedQuotaSize)\n\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userFilesPath+\"?path=vdir\", reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(len(fileContents)), user.UsedQuotaSize)\n\n\tfolder, _, err = httpdtest.GetFolderByName(folderName, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(0), folder.UsedQuotaSize)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestWebAPIWritePermission(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.WebClient = append(u.Filters.WebClient, sdk.WebClientWriteDisabled)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\twebAPIToken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\tbody := new(bytes.Buffer)\n\twriter := multipart.NewWriter(body)\n\tpart, err := writer.CreateFormFile(\"filenames\", \"file.txt\")\n\tassert.NoError(t, err)\n\t_, err = part.Write([]byte(\"\"))\n\tassert.NoError(t, err)\n\terr = writer.Close()\n\tassert.NoError(t, err)\n\treader := bytes.NewReader(body.Bytes())\n\n\treq, err := http.NewRequest(http.MethodPost, userFilesPath, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, userFileActionsPath+\"/move?path=a&target=b\", nil)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\treq, err = http.NewRequest(http.MethodDelete, userFilesPath+\"?path=a\", nil)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, userFilesPath+\"?path=a.txt\", nil)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, userDirsPath+\"?path=dir\", nil)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, userFileActionsPath+\"/move?path=dir&target=dir1\", nil)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\treq, err = http.NewRequest(http.MethodDelete, userDirsPath+\"?path=dir\", nil)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestWebAPICryptFs(t *testing.T) {\n\tu := getTestUser()\n\tu.QuotaSize = 65535\n\tu.FsConfig.Provider = sdk.CryptedFilesystemProvider\n\tu.FsConfig.CryptConfig.Passphrase = kms.NewPlainSecret(defaultPassword)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\twebAPIToken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\tbody := new(bytes.Buffer)\n\twriter := multipart.NewWriter(body)\n\tpart, err := writer.CreateFormFile(\"filenames\", \"file.txt\")\n\tassert.NoError(t, err)\n\t_, err = part.Write([]byte(\"content\"))\n\tassert.NoError(t, err)\n\terr = writer.Close()\n\tassert.NoError(t, err)\n\treader := bytes.NewReader(body.Bytes())\n\n\treq, err := http.NewRequest(http.MethodPost, userFilesPath, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userFilesPath, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestWebUploadSFTP(t *testing.T) {\n\tu := getTestUser()\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser()\n\tu.QuotaFiles = 100\n\tu.FsConfig.SFTPConfig.BufferSize = 2\n\tu.HomeDir = filepath.Join(os.TempDir(), u.Username)\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\twebAPIToken, err := getJWTAPIUserTokenFromTestServer(sftpUser.Username, defaultPassword)\n\tassert.NoError(t, err)\n\n\tbody := new(bytes.Buffer)\n\twriter := multipart.NewWriter(body)\n\tpart, err := writer.CreateFormFile(\"filenames\", \"file.txt\")\n\tassert.NoError(t, err)\n\t_, err = part.Write([]byte(\"test file content\"))\n\tassert.NoError(t, err)\n\terr = writer.Close()\n\tassert.NoError(t, err)\n\treader := bytes.NewReader(body.Bytes())\n\n\treq, err := http.NewRequest(http.MethodPost, userFilesPath, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\texpectedQuotaSize := int64(17)\n\texpectedQuotaFiles := 1\n\tuser, _, err := httpdtest.GetUserByUsername(sftpUser.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\n\tuser.QuotaSize = 10\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\t// we are now overquota on overwrite\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userFilesPath, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusRequestEntityTooLarge, rr)\n\tassert.Contains(t, rr.Body.String(), \"denying write due to space limit\")\n\tassert.Contains(t, rr.Body.String(), \"Unable to write file\")\n\n\t// delete the file\n\treq, err = http.NewRequest(http.MethodDelete, userFilesPath+\"?path=file.txt\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tuser, _, err = httpdtest.GetUserByUsername(sftpUser.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, user.UsedQuotaFiles)\n\tassert.Equal(t, int64(0), user.UsedQuotaSize)\n\n\treq, err = http.NewRequest(http.MethodPost, userUploadFilePath+\"?path=file.txt\",\n\t\tbytes.NewBuffer([]byte(\"test upload single file content\")))\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusRequestEntityTooLarge, rr)\n\tassert.Contains(t, rr.Body.String(), \"denying write due to space limit\")\n\tassert.Contains(t, rr.Body.String(), \"Error saving file\")\n\n\t// delete the file\n\treq, err = http.NewRequest(http.MethodDelete, userFilesPath+\"?path=file.txt\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\t_, err = reader.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, userFilesPath, reader)\n\tassert.NoError(t, err)\n\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusRequestEntityTooLarge, rr)\n\tassert.Contains(t, rr.Body.String(), \"denying write due to space limit\")\n\tassert.Contains(t, rr.Body.String(), \"Error saving file\")\n\n\t// delete the file\n\treq, err = http.NewRequest(http.MethodDelete, userFilesPath+\"?path=file.txt\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, webAPIToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tuser, _, err = httpdtest.GetUserByUsername(sftpUser.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, user.UsedQuotaFiles)\n\tassert.Equal(t, int64(0), user.UsedQuotaSize)\n\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(sftpUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestWebAPISFTPPasswordProtectedPrivateKey(t *testing.T) {\n\tu := getTestUser()\n\tu.Password = \"\"\n\tu.PublicKeys = []string{testPubKeyPwd}\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser()\n\tu.FsConfig.SFTPConfig.Password = kms.NewEmptySecret()\n\tu.FsConfig.SFTPConfig.PrivateKey = kms.NewPlainSecret(testPrivateKeyPwd)\n\tu.FsConfig.SFTPConfig.KeyPassphrase = kms.NewPlainSecret(privateKeyPwd)\n\tu.HomeDir = filepath.Join(os.TempDir(), u.Username)\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\twebToken, err := getJWTWebClientTokenFromTestServer(sftpUser.Username, defaultPassword)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// update the user, the key must be preserved\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, sftpUser.FsConfig.SFTPConfig.KeyPassphrase.GetStatus())\n\t_, _, err = httpdtest.UpdateUser(sftpUser, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// using a wrong passphrase or no passphrase should fail\n\tsftpUser.FsConfig.SFTPConfig.KeyPassphrase = kms.NewPlainSecret(\"wrong\")\n\t_, _, err = httpdtest.UpdateUser(sftpUser, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\t_, err = getJWTWebClientTokenFromTestServer(sftpUser.Username, defaultPassword)\n\tassert.Error(t, err)\n\tsftpUser.FsConfig.SFTPConfig.KeyPassphrase = kms.NewEmptySecret()\n\t_, _, err = httpdtest.UpdateUser(sftpUser, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\t_, err = getJWTWebClientTokenFromTestServer(sftpUser.Username, defaultPassword)\n\tassert.Error(t, err)\n\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(sftpUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestWebUploadMultipartFormReadError(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\twebAPIToken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodPost, userFilesPath, nil)\n\tassert.NoError(t, err)\n\n\tmpartForm := &multipart.Form{\n\t\tFile: make(map[string][]*multipart.FileHeader),\n\t}\n\tmpartForm.File[\"filenames\"] = append(mpartForm.File[\"filenames\"], &multipart.FileHeader{Filename: \"missing\"})\n\treq.MultipartForm = mpartForm\n\treq.Header.Add(\"Content-Type\", \"multipart/form-data\")\n\tsetBearerForReq(req, webAPIToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\tassert.Contains(t, rr.Body.String(), \"Unable to read uploaded file\")\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestCompressionErrorMock(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tdefer func() {\n\t\trcv := recover()\n\t\tassert.Equal(t, http.ErrAbortHandler, rcv)\n\t\t_, err := httpdtest.RemoveUser(user, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\tassert.NoError(t, err)\n\t}()\n\n\twebToken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webClientProfilePath, webToken)\n\tassert.NoError(t, err)\n\n\tform := make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"files\", `[\"missing\"]`)\n\treq, _ := http.NewRequest(http.MethodPost, webClientDownloadZipPath+\"?path=%2F\",\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\texecuteRequest(req)\n}\n\nfunc TestGetFilesSFTPBackend(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tu := getTestSFTPUser()\n\tu.HomeDir = filepath.Clean(os.TempDir())\n\tu.FsConfig.SFTPConfig.BufferSize = 2\n\tu.Permissions[\"/adir\"] = nil\n\tu.Permissions[\"/adir1\"] = []string{dataprovider.PermListItems}\n\tu.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: \"/adir2\",\n\t\t\tDeniedPatterns: []string{\"*.txt\"},\n\t\t},\n\t}\n\tsftpUserBuffered, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu.Username += \"_unbuffered\"\n\tu.FsConfig.SFTPConfig.BufferSize = 0\n\tsftpUserUnbuffered, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ttestFileName := \"testsftpfile\"\n\ttestDir := \"testsftpdir\"\n\ttestFileContents := []byte(\"sftp file contents\")\n\terr = os.MkdirAll(filepath.Join(user.GetHomeDir(), testDir, \"sub\"), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(filepath.Join(user.GetHomeDir(), \"adir1\"), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(filepath.Join(user.GetHomeDir(), \"adir2\"), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(filepath.Join(user.GetHomeDir(), testFileName), testFileContents, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(filepath.Join(user.GetHomeDir(), \"adir1\", \"afile\"), testFileContents, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(filepath.Join(user.GetHomeDir(), \"adir2\", \"afile.txt\"), testFileContents, os.ModePerm)\n\tassert.NoError(t, err)\n\tfor _, sftpUser := range []dataprovider.User{sftpUserBuffered, sftpUserUnbuffered} {\n\t\twebToken, err := getJWTWebClientTokenFromTestServer(sftpUser.Username, defaultPassword)\n\t\tassert.NoError(t, err)\n\t\treq, _ := http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\t\tsetJWTCookieForReq(req, webToken)\n\t\trr := executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusOK, rr)\n\n\t\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath+\"?path=\"+path.Join(testDir, \"sub\"), nil)\n\t\tsetJWTCookieForReq(req, webToken)\n\t\trr = executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusOK, rr)\n\n\t\thtmlErrFrag := `div id=\"errorMsg\" class=\"rounded border-warning border border-dashed bg-light-warning`\n\t\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath+\"?path=\"+path.Join(testDir, \"missing\"), nil)\n\t\tsetJWTCookieForReq(req, webToken)\n\t\trr = executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusOK, rr)\n\t\tassert.Contains(t, rr.Body.String(), htmlErrFrag)\n\t\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath+\"?path=adir/sub\", nil)\n\t\tsetJWTCookieForReq(req, webToken)\n\t\trr = executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusOK, rr)\n\t\tassert.Contains(t, rr.Body.String(), htmlErrFrag)\n\n\t\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath+\"?path=adir1/afile\", nil)\n\t\tsetJWTCookieForReq(req, webToken)\n\t\trr = executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusOK, rr)\n\t\tassert.Contains(t, rr.Body.String(), htmlErrFrag)\n\n\t\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath+\"?path=adir2/afile.txt\", nil)\n\t\tsetJWTCookieForReq(req, webToken)\n\t\trr = executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusOK, rr)\n\t\tassert.Contains(t, rr.Body.String(), htmlErrFrag)\n\n\t\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath+\"?path=\"+testFileName, nil)\n\t\tsetJWTCookieForReq(req, webToken)\n\t\trr = executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusOK, rr)\n\t\tassert.Equal(t, testFileContents, rr.Body.Bytes())\n\n\t\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath+\"?path=\"+testFileName, nil)\n\t\treq.Header.Set(\"Range\", \"bytes=2-\")\n\t\tsetJWTCookieForReq(req, webToken)\n\t\trr = executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusPartialContent, rr)\n\t\tassert.Equal(t, testFileContents[2:], rr.Body.Bytes())\n\n\t\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestClientUserClose(t *testing.T) {\n\tu := getTestUser()\n\tu.UploadBandwidth = 32\n\tu.DownloadBandwidth = 32\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestFileName := \"file.dat\"\n\ttestFileSize := int64(524288)\n\ttestFilePath := filepath.Join(user.GetHomeDir(), testFileName)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\tuploadContent := make([]byte, testFileSize)\n\t_, err = rand.Read(uploadContent)\n\tassert.NoError(t, err)\n\twebToken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\twebAPIToken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\tvar wg sync.WaitGroup\n\twg.Add(1)\n\tgo func() {\n\t\tdefer wg.Done()\n\t\tdefer func() {\n\t\t\trcv := recover()\n\t\t\tassert.Equal(t, http.ErrAbortHandler, rcv)\n\t\t}()\n\t\treq, _ := http.NewRequest(http.MethodGet, webClientFilesPath+\"?path=\"+testFileName, nil)\n\t\tsetJWTCookieForReq(req, webToken)\n\t\trr := executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusOK, rr)\n\t}()\n\twg.Add(1)\n\tgo func() {\n\t\tdefer wg.Done()\n\t\treq, _ := http.NewRequest(http.MethodGet, webClientEditFilePath+\"?path=\"+testFileName, nil)\n\t\tsetJWTCookieForReq(req, webToken)\n\t\trr := executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\t\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\t}()\n\twg.Add(1)\n\tgo func() {\n\t\tdefer wg.Done()\n\t\tbody := new(bytes.Buffer)\n\t\twriter := multipart.NewWriter(body)\n\t\tpart, err := writer.CreateFormFile(\"filenames\", \"upload.dat\")\n\t\tassert.NoError(t, err)\n\t\tn, err := part.Write(uploadContent)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize, int64(n))\n\t\terr = writer.Close()\n\t\tassert.NoError(t, err)\n\t\treader := bytes.NewReader(body.Bytes())\n\t\treq, err := http.NewRequest(http.MethodPost, userFilesPath, reader)\n\t\tassert.NoError(t, err)\n\t\treq.Header.Add(\"Content-Type\", writer.FormDataContentType())\n\t\tsetBearerForReq(req, webAPIToken)\n\t\trr := executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\t\tassert.Contains(t, rr.Body.String(), \"transfer aborted\")\n\t}()\n\t// wait for the transfers\n\tassert.Eventually(t, func() bool {\n\t\tstats := common.Connections.GetStats(\"\")\n\t\tif len(stats) == 3 {\n\t\t\tif len(stats[0].Transfers) > 0 && len(stats[1].Transfers) > 0 {\n\t\t\t\treturn true\n\t\t\t}\n\t\t}\n\t\treturn false\n\t}, 1*time.Second, 50*time.Millisecond)\n\n\tfor _, stat := range common.Connections.GetStats(\"\") {\n\t\t// close all the active transfers\n\t\tcommon.Connections.Close(stat.ConnectionID, \"\")\n\t}\n\twg.Wait()\n\tassert.Eventually(t, func() bool { return len(common.Connections.GetStats(\"\")) == 0 },\n\t\t1*time.Second, 100*time.Millisecond)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestWebAdminSetupMock(t *testing.T) {\n\treq, err := http.NewRequest(http.MethodGet, webAdminSetupPath, nil)\n\tassert.NoError(t, err)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webLoginPath, rr.Header().Get(\"Location\"))\n\t// now delete all the admins\n\tadmins, err := dataprovider.GetAdmins(100, 0, dataprovider.OrderASC)\n\tassert.NoError(t, err)\n\tfor _, admin := range admins {\n\t\terr = dataprovider.DeleteAdmin(admin.Username, \"\", \"\", \"\")\n\t\tassert.NoError(t, err)\n\t}\n\t// close the provider and initializes it without creating the default admin\n\tos.Setenv(\"SFTPGO_DATA_PROVIDER__CREATE_DEFAULT_ADMIN\", \"0\")\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\t// now the setup page must be rendered\n\treq, err = http.NewRequest(http.MethodGet, webAdminSetupPath, nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// check redirects to the setup page\n\treq, err = http.NewRequest(http.MethodGet, \"/\", nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webAdminSetupPath, rr.Header().Get(\"Location\"))\n\treq, err = http.NewRequest(http.MethodGet, webBasePath, nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webAdminSetupPath, rr.Header().Get(\"Location\"))\n\treq, err = http.NewRequest(http.MethodGet, webBasePathAdmin, nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webAdminSetupPath, rr.Header().Get(\"Location\"))\n\treq, err = http.NewRequest(http.MethodGet, webLoginPath, nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webAdminSetupPath, rr.Header().Get(\"Location\"))\n\treq, err = http.NewRequest(http.MethodGet, webClientLoginPath, nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webAdminSetupPath, rr.Header().Get(\"Location\"))\n\n\tloginCookie, csrfToken, err := getCSRFTokenMock(webAdminSetupPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform := make(url.Values)\n\treq, err = http.NewRequest(http.MethodPost, webAdminSetupPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tform.Set(csrfFormToken, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webAdminSetupPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\tform.Set(\"username\", defaultTokenAuthUser)\n\treq, err = http.NewRequest(http.MethodPost, webAdminSetupPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\tform.Set(\"password\", defaultTokenAuthPass)\n\treq, err = http.NewRequest(http.MethodPost, webAdminSetupPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorChangePwdNoMatch)\n\tform.Set(\"confirm_password\", defaultTokenAuthPass)\n\t// test a parse form error\n\treq, err = http.NewRequest(http.MethodPost, webAdminSetupPath+\"?param=p%C3%AO%GH\", bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// test a dataprovider error\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webAdminSetupPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// finally initialize the provider and create the default admin\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\tproviderConf.BackupsPath = backupsPath\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webAdminSetupPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webAdminMFAPath, rr.Header().Get(\"Location\"))\n\t// if we resubmit the form we get a bad request, an admin already exists\n\treq, err = http.NewRequest(http.MethodPost, webAdminSetupPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError400Message)\n\tos.Setenv(\"SFTPGO_DATA_PROVIDER__CREATE_DEFAULT_ADMIN\", \"1\")\n}\n\nfunc TestAllowList(t *testing.T) {\n\tconfigCopy := common.Config\n\n\tentries := []dataprovider.IPListEntry{\n\t\t{\n\t\t\tIPOrNet: \"172.120.1.1/32\",\n\t\t\tType: dataprovider.IPListTypeAllowList,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t\tProtocols: 0,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"172.120.1.2/32\",\n\t\t\tType: dataprovider.IPListTypeAllowList,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t\tProtocols: 0,\n\t\t},\n\t\t{\n\t\t\tIPOrNet: \"192.8.7.0/22\",\n\t\t\tType: dataprovider.IPListTypeAllowList,\n\t\t\tMode: dataprovider.ListModeAllow,\n\t\t\tProtocols: 8,\n\t\t},\n\t}\n\n\tfor _, e := range entries {\n\t\t_, _, err := httpdtest.AddIPListEntry(e, http.StatusCreated)\n\t\tassert.NoError(t, err)\n\t}\n\n\tcommon.Config.MaxTotalConnections = 1\n\tcommon.Config.AllowListStatus = 1\n\terr := common.Initialize(common.Config, 0)\n\tassert.NoError(t, err)\n\n\treq, _ := http.NewRequest(http.MethodGet, webLoginPath, nil)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), common.ErrConnectionDenied.Error())\n\n\treq.RemoteAddr = \"172.120.1.1\"\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\ttestIP := \"172.120.1.3\"\n\treq.RemoteAddr = testIP\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), common.ErrConnectionDenied.Error())\n\n\treq.RemoteAddr = \"192.8.7.1\"\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tentry := dataprovider.IPListEntry{\n\t\tIPOrNet: \"172.120.1.3/32\",\n\t\tType: dataprovider.IPListTypeAllowList,\n\t\tMode: dataprovider.ListModeAllow,\n\t\tProtocols: 8,\n\t}\n\terr = dataprovider.AddIPListEntry(&entry, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\treq.RemoteAddr = testIP\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\terr = dataprovider.DeleteIPListEntry(entry.IPOrNet, entry.Type, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\treq.RemoteAddr = testIP\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), common.ErrConnectionDenied.Error())\n\n\tcommon.Config = configCopy\n\terr = common.Initialize(common.Config, 0)\n\tassert.NoError(t, err)\n\n\tfor _, e := range entries {\n\t\t_, err := httpdtest.RemoveIPListEntry(e, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t}\n}\n\nfunc TestWebAdminLoginMock(t *testing.T) {\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tapiToken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\n\treq, _ := http.NewRequest(http.MethodGet, serverStatusPath, nil)\n\tsetBearerForReq(req, apiToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, webStatusPath+\"notfound\", nil)\n\treq.RequestURI = webStatusPath + \"notfound\"\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, webStatusPath, nil)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, webLogoutPath, nil)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tcookie := rr.Header().Get(\"Cookie\")\n\tassert.Empty(t, cookie)\n\n\treq, _ = http.NewRequest(http.MethodGet, webStatusPath, nil)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, logoutPath, nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, serverStatusPath, nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\tassert.Contains(t, rr.Body.String(), \"Your token is no longer valid\")\n\n\treq, _ = http.NewRequest(http.MethodGet, webStatusPath, nil)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\n\tloginCookie, csrfToken, err := getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\t// now try using wrong password\n\tform := getLoginForm(defaultTokenAuthUser, \"wrong pwd\", csrfToken)\n\treq, _ = http.NewRequest(http.MethodPost, webLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCredentials)\n\t// wrong username\n\tform = getLoginForm(\"wrong username\", defaultTokenAuthPass, csrfToken)\n\treq, _ = http.NewRequest(http.MethodPost, webLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCredentials)\n\t// try from an ip not allowed\n\ta := getTestAdmin()\n\ta.Username = altAdminUsername\n\ta.Password = altAdminPassword\n\ta.Filters.AllowList = []string{\"10.0.0.0/8\"}\n\n\t_, _, err = httpdtest.AddAdmin(a, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\trAddr := \"127.1.1.1:1234\"\n\tloginCookie, csrfToken, err = getCSRFTokenMock(webLoginPath, rAddr)\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, loginCookie)\n\tform = getLoginForm(altAdminUsername, altAdminPassword, csrfToken)\n\treq, _ = http.NewRequest(http.MethodPost, webLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\treq.RemoteAddr = rAddr\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCredentials)\n\n\trAddr = \"10.9.9.9:1234\"\n\tloginCookie, csrfToken, err = getCSRFTokenMock(webLoginPath, rAddr)\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, loginCookie)\n\tform = getLoginForm(altAdminUsername, altAdminPassword, csrfToken)\n\treq, _ = http.NewRequest(http.MethodPost, webLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\treq.RemoteAddr = rAddr\n\tsetLoginCookie(req, loginCookie)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\n\trAddr = \"127.0.1.1:4567\"\n\tloginCookie, csrfToken, err = getCSRFTokenMock(webLoginPath, rAddr)\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, loginCookie)\n\tform = getLoginForm(altAdminUsername, altAdminPassword, csrfToken)\n\treq, _ = http.NewRequest(http.MethodPost, webLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\treq.RemoteAddr = rAddr\n\treq.Header.Set(\"X-Forwarded-For\", \"10.9.9.9\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCredentials)\n\n\t// invalid csrf token\n\tform = getLoginForm(altAdminUsername, altAdminPassword, \"invalid csrf\")\n\treq, _ = http.NewRequest(http.MethodPost, webLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\treq.RemoteAddr = \"10.9.9.8:1234\"\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\treq, _ = http.NewRequest(http.MethodGet, webLoginPath, nil)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\t_, err = httpdtest.RemoveAdmin(a, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestAdminNoToken(t *testing.T) {\n\treq, _ := http.NewRequest(http.MethodGet, webAdminProfilePath, nil)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webLoginPath, rr.Header().Get(\"Location\"))\n\n\treq, _ = http.NewRequest(http.MethodGet, webUserPath, nil)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webLoginPath, rr.Header().Get(\"Location\"))\n\n\treq, _ = http.NewRequest(http.MethodGet, userPath, nil)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, activeConnectionsPath, nil)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n}\n\nfunc TestWebUserShare(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ttoken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webClientProfilePath, token)\n\tassert.NoError(t, err)\n\tuserAPItoken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\tshare := dataprovider.Share{\n\t\tName: \"test share\",\n\t\tDescription: \"test share desc\",\n\t\tScope: dataprovider.ShareScopeRead,\n\t\tPaths: []string{\"/\"},\n\t\tExpiresAt: util.GetTimeAsMsSinceEpoch(time.Now().Add(24 * time.Hour)),\n\t\tMaxTokens: 100,\n\t\tAllowFrom: []string{\"127.0.0.0/8\", \"172.16.0.0/16\"},\n\t\tPassword: defaultPassword,\n\t}\n\tform := make(url.Values)\n\tform.Set(\"name\", share.Name)\n\tform.Set(\"scope\", strconv.Itoa(int(share.Scope)))\n\tform.Set(\"paths[0][path]\", \"/\")\n\tform.Set(\"max_tokens\", strconv.Itoa(share.MaxTokens))\n\tform.Set(\"allowed_ip\", strings.Join(share.AllowFrom, \",\"))\n\tform.Set(\"description\", share.Description)\n\tform.Set(\"password\", share.Password)\n\tform.Set(\"expiration_date\", \"123\")\n\t// invalid expiration date\n\treq, err := http.NewRequest(http.MethodPost, webClientSharePath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorShareExpiration)\n\tform.Set(\"expiration_date\", util.GetTimeFromMsecSinceEpoch(share.ExpiresAt).UTC().Format(\"2006-01-02 15:04:05\"))\n\tform.Set(\"scope\", \"\")\n\t// invalid scope\n\treq, err = http.NewRequest(http.MethodPost, webClientSharePath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorShareScope)\n\tform.Set(\"scope\", strconv.Itoa(int(share.Scope)))\n\t// invalid max tokens\n\tform.Set(\"max_tokens\", \"t\")\n\treq, err = http.NewRequest(http.MethodPost, webClientSharePath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorShareMaxTokens)\n\tform.Set(\"max_tokens\", strconv.Itoa(share.MaxTokens))\n\t// no csrf token\n\treq, err = http.NewRequest(http.MethodPost, webClientSharePath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"scope\", \"100\")\n\treq, err = http.NewRequest(http.MethodPost, webClientSharePath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorShareScope)\n\n\tform.Set(\"scope\", strconv.Itoa(int(share.Scope)))\n\treq, err = http.NewRequest(http.MethodPost, webClientSharePath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, userSharesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, userAPItoken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar shares []dataprovider.Share\n\terr = json.Unmarshal(rr.Body.Bytes(), &shares)\n\tassert.NoError(t, err)\n\tif assert.Len(t, shares, 1) {\n\t\ts := shares[0]\n\t\tassert.Equal(t, share.Name, s.Name)\n\t\tassert.Equal(t, share.Description, s.Description)\n\t\tassert.Equal(t, share.Scope, s.Scope)\n\t\tassert.Equal(t, share.Paths, s.Paths)\n\t\tassert.InDelta(t, share.ExpiresAt, s.ExpiresAt, 999)\n\t\tassert.Equal(t, share.MaxTokens, s.MaxTokens)\n\t\tassert.Equal(t, share.AllowFrom, s.AllowFrom)\n\t\tassert.Equal(t, redactedSecret, s.Password)\n\t\tshare.ShareID = s.ShareID\n\t}\n\tform.Set(\"password\", redactedSecret)\n\tform.Set(\"expiration_date\", \"123\")\n\treq, err = http.NewRequest(http.MethodPost, webClientSharePath+\"/unknowid\", bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, webClientSharePath+\"/\"+share.ShareID, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorShareExpiration)\n\n\tform.Set(\"expiration_date\", \"\")\n\tform.Set(csrfFormToken, \"\")\n\treq, err = http.NewRequest(http.MethodPost, webClientSharePath+\"/\"+share.ShareID, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"allowed_ip\", \"1.1.1\")\n\treq, err = http.NewRequest(http.MethodPost, webClientSharePath+\"/\"+share.ShareID, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidIPMask)\n\n\tform.Set(\"allowed_ip\", \"\")\n\treq, err = http.NewRequest(http.MethodPost, webClientSharePath+\"/\"+share.ShareID, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, userSharesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, userAPItoken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tshares = nil\n\terr = json.Unmarshal(rr.Body.Bytes(), &shares)\n\tassert.NoError(t, err)\n\tif assert.Len(t, shares, 1) {\n\t\ts := shares[0]\n\t\tassert.Equal(t, share.Name, s.Name)\n\t\tassert.Equal(t, share.Description, s.Description)\n\t\tassert.Equal(t, share.Scope, s.Scope)\n\t\tassert.Equal(t, share.Paths, s.Paths)\n\t\tassert.Equal(t, int64(0), s.ExpiresAt)\n\t\tassert.Equal(t, share.MaxTokens, s.MaxTokens)\n\t\tassert.Empty(t, s.AllowFrom)\n\t}\n\t// check the password\n\ts, err := dataprovider.ShareExists(share.ShareID, user.Username)\n\tassert.NoError(t, err)\n\tmatch, err := s.CheckCredentials(defaultPassword)\n\tassert.NoError(t, err)\n\tassert.True(t, match)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientSharePath+\"?path=%2F&files=a\", nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError400Message)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientSharePath+\"?path=%2F&files=%5B\\\"adir\\\"%5D\", nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientSharePath+\"/unknown\", nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientSharePath+\"/\"+share.ShareID, nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientSharesPath, nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientSharesPath+jsonAPISuffix, nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestWebUserShareNoPasswordDisabled(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.WebClient = []string{sdk.WebClientShareNoPasswordDisabled}\n\tu.Filters.DefaultSharesExpiration = 15\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser.Filters.DefaultSharesExpiration = 30\n\tuser, _, err = httpdtest.UpdateUser(u, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\ttoken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webClientSharePath, token)\n\tassert.NoError(t, err)\n\tuserAPItoken, err := getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\n\tshare := dataprovider.Share{\n\t\tName: \"s\",\n\t\tScope: dataprovider.ShareScopeRead,\n\t\tPaths: []string{\"/\"},\n\t}\n\tform := make(url.Values)\n\tform.Set(\"name\", share.Name)\n\tform.Set(\"scope\", strconv.Itoa(int(share.Scope)))\n\tform.Set(\"paths[0][path]\", \"/\")\n\tform.Set(\"max_tokens\", \"0\")\n\tform.Set(csrfFormToken, csrfToken)\n\treq, err := http.NewRequest(http.MethodPost, webClientSharePath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorShareNoPwd)\n\n\tform.Set(\"password\", defaultPassword)\n\treq, err = http.NewRequest(http.MethodPost, webClientSharePath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientSharePath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, userSharesPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, userAPItoken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar shares []dataprovider.Share\n\terr = json.Unmarshal(rr.Body.Bytes(), &shares)\n\tassert.NoError(t, err)\n\tif assert.Len(t, shares, 1) {\n\t\ts := shares[0]\n\t\tassert.Equal(t, share.Name, s.Name)\n\t\tassert.Equal(t, share.Scope, s.Scope)\n\t\tassert.Equal(t, share.Paths, s.Paths)\n\t\tshare.ShareID = s.ShareID\n\t}\n\tassert.NotEmpty(t, share.ShareID)\n\tform.Set(\"password\", \"\")\n\treq, err = http.NewRequest(http.MethodPost, webClientSharePath+\"/\"+share.ShareID, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorShareNoPwd)\n\n\tuser.Filters.DefaultSharesExpiration = 0\n\tuser.Filters.MaxSharesExpiration = 30\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodGet, webClientSharePath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestInvalidCSRF(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tfor _, loginURL := range []string{webClientLoginPath, webLoginPath} {\n\t\t// try using an invalid CSRF token\n\t\tloginCookie1, csrfToken1, err := getCSRFTokenMock(loginURL, defaultRemoteAddr)\n\t\tassert.NoError(t, err)\n\t\tassert.NotEmpty(t, loginCookie1)\n\t\tassert.NotEmpty(t, csrfToken1)\n\t\tloginCookie2, csrfToken2, err := getCSRFTokenMock(loginURL, defaultRemoteAddr)\n\t\tassert.NoError(t, err)\n\t\tassert.NotEmpty(t, loginCookie2)\n\t\tassert.NotEmpty(t, csrfToken2)\n\t\trAddr := \"1.2.3.4\"\n\t\tloginCookie3, csrfToken3, err := getCSRFTokenMock(loginURL, rAddr)\n\t\tassert.NoError(t, err)\n\t\tassert.NotEmpty(t, loginCookie3)\n\t\tassert.NotEmpty(t, csrfToken3)\n\n\t\tform := getLoginForm(defaultUsername, defaultPassword, csrfToken1)\n\t\treq, err := http.NewRequest(http.MethodPost, loginURL, bytes.NewBuffer([]byte(form.Encode())))\n\t\tassert.NoError(t, err)\n\t\treq.RemoteAddr = defaultRemoteAddr\n\t\treq.RequestURI = loginURL\n\t\tsetLoginCookie(req, loginCookie2)\n\t\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\t\trr := executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusOK, rr)\n\t\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\t\t// use a CSRF token as login cookie (invalid audience)\n\t\tform = getLoginForm(defaultUsername, defaultPassword, csrfToken1)\n\t\treq, err = http.NewRequest(http.MethodPost, loginURL, bytes.NewBuffer([]byte(form.Encode())))\n\t\tassert.NoError(t, err)\n\t\treq.RemoteAddr = defaultRemoteAddr\n\t\treq.RequestURI = loginURL\n\t\treq.Header.Set(\"Cookie\", fmt.Sprintf(\"jwt=%s\", csrfToken1))\n\t\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\t\trr = executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusOK, rr)\n\t\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\t\t// invalid IP\n\t\tform = getLoginForm(defaultUsername, defaultPassword, csrfToken3)\n\t\treq, err = http.NewRequest(http.MethodPost, loginURL, bytes.NewBuffer([]byte(form.Encode())))\n\t\tassert.NoError(t, err)\n\t\treq.RemoteAddr = defaultRemoteAddr\n\t\treq.RequestURI = loginURL\n\t\tsetLoginCookie(req, loginCookie3)\n\t\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\t\trr = executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusOK, rr)\n\t\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\t}\n\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestWebUserProfile(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ttoken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webClientProfilePath, token)\n\tassert.NoError(t, err)\n\n\temail := \"user@user.com\"\n\tdescription := \"User\"\n\n\tform := make(url.Values)\n\tform.Set(\"allow_api_key_auth\", \"1\")\n\tform.Set(\"email\", email)\n\tform.Set(\"description\", description)\n\tform.Set(\"public_keys[0][public_key]\", testPubKey)\n\tform.Set(\"public_keys[1][public_key]\", testPubKey1)\n\tform.Set(\"tls_certs[0][tls_cert]\", httpsCert)\n\tform.Set(\"additional_emails[0][additional_email]\", \"email1@user.com\")\n\t// no csrf token\n\treq, err := http.NewRequest(http.MethodPost, webClientProfilePath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\tform.Set(csrfFormToken, csrfToken)\n\treq, _ = http.NewRequest(http.MethodPost, webClientProfilePath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nProfileUpdated)\n\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, user.Filters.AllowAPIKeyAuth)\n\tassert.Len(t, user.PublicKeys, 2)\n\tassert.Len(t, user.Filters.TLSCerts, 1)\n\tassert.Equal(t, email, user.Email)\n\tassert.Equal(t, description, user.Description)\n\tif assert.Len(t, user.Filters.AdditionalEmails, 1) {\n\t\tassert.Equal(t, \"email1@user.com\", user.Filters.AdditionalEmails[0])\n\t}\n\n\t// set an invalid email\n\tform.Set(\"email\", \"not an email\")\n\treq, _ = http.NewRequest(http.MethodPost, webClientProfilePath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidEmail)\n\t// invalid tls cert\n\tform.Set(\"email\", email)\n\tform.Set(\"tls_certs[0][tls_cert]\", \"not a TLS cert\")\n\treq, _ = http.NewRequest(http.MethodPost, webClientProfilePath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidTLSCert)\n\t// invalid public key\n\tform.Set(\"tls_certs[0][tls_cert]\", httpsCert)\n\tform.Set(\"public_keys[0][public_key]\", \"invalid\")\n\treq, _ = http.NewRequest(http.MethodPost, webClientProfilePath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorPubKeyInvalid)\n\t// now remove permissions\n\tform.Set(\"public_keys[0][public_key]\", testPubKey)\n\tform.Del(\"public_keys[1][public_key]\")\n\tuser.Filters.WebClient = []string{sdk.WebClientAPIKeyAuthChangeDisabled}\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\ttoken, err = getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\tcsrfToken, err = getCSRFTokenFromInternalPageMock(webClientProfilePath, token)\n\tassert.NoError(t, err)\n\n\tform.Set(\"allow_api_key_auth\", \"0\")\n\tform.Set(csrfFormToken, csrfToken)\n\treq, _ = http.NewRequest(http.MethodPost, webClientProfilePath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nProfileUpdated)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, user.Filters.AllowAPIKeyAuth)\n\tassert.Len(t, user.PublicKeys, 1)\n\tassert.Len(t, user.Filters.TLSCerts, 1)\n\tassert.Equal(t, email, user.Email)\n\tassert.Equal(t, description, user.Description)\n\n\tuser.Filters.WebClient = []string{sdk.WebClientAPIKeyAuthChangeDisabled,\n\t\tsdk.WebClientPubKeyChangeDisabled, sdk.WebClientTLSCertChangeDisabled}\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\ttoken, err = getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\tcsrfToken, err = getCSRFTokenFromInternalPageMock(webClientProfilePath, token)\n\tassert.NoError(t, err)\n\tform.Set(\"public_keys[0][public_key]\", testPubKey)\n\tform.Set(\"public_keys[1][public_key]\", testPubKey1)\n\tform.Set(\"tls_certs[0][tls_cert]\", \"\")\n\tform.Set(csrfFormToken, csrfToken)\n\treq, _ = http.NewRequest(http.MethodPost, webClientProfilePath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nProfileUpdated)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, user.Filters.AllowAPIKeyAuth)\n\tassert.Len(t, user.PublicKeys, 1)\n\tassert.Len(t, user.Filters.TLSCerts, 1)\n\tassert.Equal(t, email, user.Email)\n\tassert.Equal(t, description, user.Description)\n\n\tuser.Filters.WebClient = []string{sdk.WebClientAPIKeyAuthChangeDisabled, sdk.WebClientInfoChangeDisabled}\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\ttoken, err = getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\tcsrfToken, err = getCSRFTokenFromInternalPageMock(webClientProfilePath, token)\n\tassert.NoError(t, err)\n\tform.Set(\"email\", \"newemail@user.com\")\n\tform.Set(\"description\", \"new description\")\n\tform.Set(csrfFormToken, csrfToken)\n\treq, _ = http.NewRequest(http.MethodPost, webClientProfilePath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nProfileUpdated)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, user.Filters.AllowAPIKeyAuth)\n\tassert.Len(t, user.PublicKeys, 2)\n\tassert.Len(t, user.Filters.TLSCerts, 0)\n\tassert.Equal(t, email, user.Email)\n\tassert.Equal(t, description, user.Description)\n\t// finally disable all profile permissions\n\tuser.Filters.WebClient = []string{sdk.WebClientAPIKeyAuthChangeDisabled, sdk.WebClientInfoChangeDisabled,\n\t\tsdk.WebClientPubKeyChangeDisabled, sdk.WebClientTLSCertChangeDisabled}\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\ttoken, err = getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\tcsrfToken, err = getCSRFTokenFromInternalPageMock(webChangeClientPwdPath, token)\n\tassert.NoError(t, err)\n\tform.Set(csrfFormToken, csrfToken)\n\treq, _ = http.NewRequest(http.MethodPost, webClientProfilePath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tform = make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\treq, _ = http.NewRequest(http.MethodPost, webClientProfilePath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n}\n\nfunc TestWebAdminProfile(t *testing.T) {\n\tadmin := getTestAdmin()\n\tadmin.Username = altAdminUsername\n\tadmin.Password = altAdminPassword\n\tadmin, _, err := httpdtest.AddAdmin(admin, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttoken, err := getJWTWebTokenFromTestServer(admin.Username, altAdminPassword)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webAdminProfilePath, token)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodGet, webAdminProfilePath, nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tform := make(url.Values)\n\tform.Set(\"allow_api_key_auth\", \"1\")\n\tform.Set(\"email\", \"admin@example.com\")\n\tform.Set(\"description\", \"admin desc\")\n\t// no csrf token\n\treq, err = http.NewRequest(http.MethodPost, webAdminProfilePath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\tform.Set(csrfFormToken, csrfToken)\n\treq, _ = http.NewRequest(http.MethodPost, webAdminProfilePath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nProfileUpdated)\n\n\tadmin, _, err = httpdtest.GetAdminByUsername(admin.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, admin.Filters.AllowAPIKeyAuth)\n\tassert.Equal(t, \"admin@example.com\", admin.Email)\n\tassert.Equal(t, \"admin desc\", admin.Description)\n\n\tform = make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\treq, _ = http.NewRequest(http.MethodPost, webAdminProfilePath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nProfileUpdated)\n\n\tadmin, _, err = httpdtest.GetAdminByUsername(admin.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.False(t, admin.Filters.AllowAPIKeyAuth)\n\tassert.Empty(t, admin.Email)\n\tassert.Empty(t, admin.Description)\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tform = make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\treq, _ = http.NewRequest(http.MethodPost, webAdminProfilePath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n}\n\nfunc TestWebAdminPwdChange(t *testing.T) {\n\tadmin := getTestAdmin()\n\tadmin.Username = altAdminUsername\n\tadmin.Password = altAdminPassword\n\tadmin.Filters.Preferences.HideUserPageSections = 16 + 32\n\tadmin, _, err := httpdtest.AddAdmin(admin, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ttoken, err := getJWTWebTokenFromTestServer(admin.Username, altAdminPassword)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webChangeAdminPwdPath, token)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodGet, webChangeAdminPwdPath, nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tform := make(url.Values)\n\tform.Set(\"current_password\", altAdminPassword)\n\tform.Set(\"new_password1\", altAdminPassword)\n\tform.Set(\"new_password2\", altAdminPassword)\n\t// no csrf token\n\treq, _ = http.NewRequest(http.MethodPost, webChangeAdminPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\tform.Set(csrfFormToken, csrfToken)\n\treq, _ = http.NewRequest(http.MethodPost, webChangeAdminPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorChangePwdNoDifferent)\n\n\tform.Set(\"new_password1\", altAdminPassword+\"1\")\n\tform.Set(\"new_password2\", altAdminPassword+\"1\")\n\treq, _ = http.NewRequest(http.MethodPost, webChangeAdminPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webLoginPath, rr.Header().Get(\"Location\"))\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestAPIKeysManagement(t *testing.T) {\n\tadmin := getTestAdmin()\n\tadmin.Username = altAdminUsername\n\tadmin.Password = altAdminPassword\n\tadmin, _, err := httpdtest.AddAdmin(admin, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tapiKey := dataprovider.APIKey{\n\t\tName: \"test key\",\n\t\tScope: dataprovider.APIKeyScopeAdmin,\n\t}\n\tasJSON, err := json.Marshal(apiKey)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, apiKeysPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tlocation := rr.Header().Get(\"Location\")\n\tassert.NotEmpty(t, location)\n\tobjectID := rr.Header().Get(\"X-Object-ID\")\n\tassert.NotEmpty(t, objectID)\n\tassert.Equal(t, fmt.Sprintf(\"%v/%v\", apiKeysPath, objectID), location)\n\tapiKey.KeyID = objectID\n\tresponse := make(map[string]string)\n\terr = json.Unmarshal(rr.Body.Bytes(), &response)\n\tassert.NoError(t, err)\n\tkey := response[\"key\"]\n\tassert.NotEmpty(t, key)\n\tassert.True(t, strings.HasPrefix(key, apiKey.KeyID+\".\"))\n\n\treq, err = http.NewRequest(http.MethodGet, location, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar keyGet dataprovider.APIKey\n\terr = json.Unmarshal(rr.Body.Bytes(), &keyGet)\n\tassert.NoError(t, err)\n\tassert.Empty(t, keyGet.Key)\n\tassert.Equal(t, apiKey.KeyID, keyGet.KeyID)\n\tassert.Equal(t, apiKey.Scope, keyGet.Scope)\n\tassert.Equal(t, apiKey.Name, keyGet.Name)\n\tassert.Equal(t, int64(0), keyGet.ExpiresAt)\n\tassert.Equal(t, int64(0), keyGet.LastUseAt)\n\tassert.Greater(t, keyGet.CreatedAt, int64(0))\n\tassert.Greater(t, keyGet.UpdatedAt, int64(0))\n\tassert.Empty(t, keyGet.Description)\n\tassert.Empty(t, keyGet.User)\n\tassert.Empty(t, keyGet.Admin)\n\n\t// API key is not enabled for the admin user so this request should fail\n\treq, err = http.NewRequest(http.MethodGet, versionPath, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, key, admin.Username)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\tassert.Contains(t, rr.Body.String(), \"the admin associated with the provided api key cannot be authenticated\")\n\n\tadmin.Filters.AllowAPIKeyAuth = true\n\tadmin, _, err = httpdtest.UpdateAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodGet, versionPath, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, key, admin.Username)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, versionPath, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, key, admin.Username+\"1\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, versionPath, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, key, \"\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\n\t// now associate the key directly to the admin\n\tapiKey.Admin = admin.Username\n\tapiKey.Description = \"test description\"\n\tasJSON, err = json.Marshal(apiKey)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPut, location, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, apiKeysPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar keys []dataprovider.APIKey\n\terr = json.Unmarshal(rr.Body.Bytes(), &keys)\n\tassert.NoError(t, err)\n\tif assert.GreaterOrEqual(t, len(keys), 1) {\n\t\tfound := false\n\t\tfor _, k := range keys {\n\t\t\tif k.KeyID == apiKey.KeyID {\n\t\t\t\tfound = true\n\t\t\t\tassert.Empty(t, k.Key)\n\t\t\t\tassert.Equal(t, apiKey.Scope, k.Scope)\n\t\t\t\tassert.Equal(t, apiKey.Name, k.Name)\n\t\t\t\tassert.Equal(t, int64(0), k.ExpiresAt)\n\t\t\t\tassert.Greater(t, k.LastUseAt, int64(0))\n\t\t\t\tassert.Equal(t, k.CreatedAt, keyGet.CreatedAt)\n\t\t\t\tassert.Greater(t, k.UpdatedAt, keyGet.UpdatedAt)\n\t\t\t\tassert.Equal(t, apiKey.Description, k.Description)\n\t\t\t\tassert.Empty(t, k.User)\n\t\t\t\tassert.Equal(t, admin.Username, k.Admin)\n\t\t\t}\n\t\t}\n\t\tassert.True(t, found)\n\t}\n\treq, err = http.NewRequest(http.MethodGet, versionPath, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, key, \"\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// invalid API keys\n\treq, err = http.NewRequest(http.MethodGet, versionPath, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, key+\"invalid\", \"\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\tassert.Contains(t, rr.Body.String(), \"the provided api key cannot be authenticated\")\n\treq, err = http.NewRequest(http.MethodGet, versionPath, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, \"invalid\", \"\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\t// using an API key we cannot modify/get API keys\n\treq, err = http.NewRequest(http.MethodPut, location, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, key, \"\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, location, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, key, \"\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\tadmin.Filters.AllowList = []string{\"172.16.18.0/24\"}\n\tadmin, _, err = httpdtest.UpdateAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodGet, versionPath, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, key, \"\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\n\treq, err = http.NewRequest(http.MethodDelete, location, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, versionPath, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, key, \"\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"the provided api key is not valid\")\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestAPIKeySearch(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tapiKey := dataprovider.APIKey{\n\t\tScope: dataprovider.APIKeyScopeAdmin,\n\t}\n\tfor i := 1; i < 5; i++ {\n\t\tapiKey.Name = fmt.Sprintf(\"testapikey%v\", i)\n\t\tasJSON, err := json.Marshal(apiKey)\n\t\tassert.NoError(t, err)\n\t\treq, err := http.NewRequest(http.MethodPost, apiKeysPath, bytes.NewBuffer(asJSON))\n\t\tassert.NoError(t, err)\n\t\tsetBearerForReq(req, token)\n\t\trr := executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusCreated, rr)\n\t}\n\n\treq, err := http.NewRequest(http.MethodGet, apiKeysPath+\"?limit=1&order=ASC\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar keys []dataprovider.APIKey\n\terr = json.Unmarshal(rr.Body.Bytes(), &keys)\n\tassert.NoError(t, err)\n\tassert.Len(t, keys, 1)\n\tfirstKey := keys[0]\n\n\treq, err = http.NewRequest(http.MethodGet, apiKeysPath+\"?limit=1&order=DESC\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tkeys = nil\n\terr = json.Unmarshal(rr.Body.Bytes(), &keys)\n\tassert.NoError(t, err)\n\tif assert.Len(t, keys, 1) {\n\t\tassert.NotEqual(t, firstKey.KeyID, keys[0].KeyID)\n\t}\n\n\treq, err = http.NewRequest(http.MethodGet, apiKeysPath+\"?limit=1&offset=100\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tkeys = nil\n\terr = json.Unmarshal(rr.Body.Bytes(), &keys)\n\tassert.NoError(t, err)\n\tassert.Len(t, keys, 0)\n\n\treq, err = http.NewRequest(http.MethodGet, apiKeysPath+\"?limit=f\", nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"%v/%v\", apiKeysPath, \"missingid\"), nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, apiKeysPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tkeys = nil\n\terr = json.Unmarshal(rr.Body.Bytes(), &keys)\n\tassert.NoError(t, err)\n\tcounter := 0\n\tfor _, k := range keys {\n\t\tif strings.HasPrefix(k.Name, \"testapikey\") {\n\t\t\treq, err = http.NewRequest(http.MethodDelete, fmt.Sprintf(\"%v/%v\", apiKeysPath, k.KeyID), nil)\n\t\t\tassert.NoError(t, err)\n\t\t\tsetBearerForReq(req, token)\n\t\t\trr = executeRequest(req)\n\t\t\tcheckResponseCode(t, http.StatusOK, rr)\n\t\t\tcounter++\n\t\t}\n\t}\n\tassert.Equal(t, 4, counter)\n}\n\nfunc TestAPIKeyErrors(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tapiKey := dataprovider.APIKey{\n\t\tName: \"testkey\",\n\t\tScope: dataprovider.APIKeyScopeUser,\n\t}\n\tasJSON, err := json.Marshal(apiKey)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, apiKeysPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tlocation := rr.Header().Get(\"Location\")\n\tassert.NotEmpty(t, location)\n\n\t// invalid API scope\n\tapiKey.Scope = 1000\n\tasJSON, err = json.Marshal(apiKey)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, apiKeysPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodPut, location, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\t// invalid JSON\n\treq, err = http.NewRequest(http.MethodPost, apiKeysPath, bytes.NewBuffer([]byte(`invalid JSON`)))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodPut, location, bytes.NewBuffer([]byte(`invalid JSON`)))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodDelete, location, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodDelete, location, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodPut, location, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n}\n\nfunc TestAPIKeyOnDeleteCascade(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tadmin := getTestAdmin()\n\tadmin.Username = altAdminUsername\n\tadmin.Password = altAdminPassword\n\tadmin, _, err = httpdtest.AddAdmin(admin, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tapiKey := dataprovider.APIKey{\n\t\tName: \"user api key\",\n\t\tScope: dataprovider.APIKeyScopeUser,\n\t\tUser: user.Username,\n\t}\n\n\tapiKey, _, err = httpdtest.AddAPIKey(apiKey, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, apiKey.Key, \"\")\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusUnauthorized, rr)\n\n\tuser.Filters.AllowAPIKeyAuth = true\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodGet, userDirsPath, nil)\n\tassert.NoError(t, err)\n\tsetAPIKeyForReq(req, apiKey.Key, \"\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar contents []map[string]any\n\terr = json.NewDecoder(rr.Body).Decode(&contents)\n\tassert.NoError(t, err)\n\tassert.Len(t, contents, 0)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\t_, _, err = httpdtest.GetAPIKeyByID(apiKey.KeyID, http.StatusNotFound)\n\tassert.NoError(t, err)\n\n\tapiKey.User = \"\"\n\tapiKey.Admin = admin.Username\n\tapiKey.Scope = dataprovider.APIKeyScopeAdmin\n\n\tapiKey, _, err = httpdtest.AddAPIKey(apiKey, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\n\t_, _, err = httpdtest.GetAPIKeyByID(apiKey.KeyID, http.StatusNotFound)\n\tassert.NoError(t, err)\n}\n\nfunc TestBasicWebUsersMock(t *testing.T) {\n\ttoken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tuser := getTestUser()\n\tuserAsJSON := getUserAsJSON(t, user)\n\treq, _ := http.NewRequest(http.MethodPost, userPath, bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\terr = render.DecodeJSON(rr.Body, &user)\n\tassert.NoError(t, err)\n\tuser1 := getTestUser()\n\tuser1.Username += \"1\"\n\tuser1AsJSON := getUserAsJSON(t, user1)\n\treq, _ = http.NewRequest(http.MethodPost, userPath, bytes.NewBuffer(user1AsJSON))\n\tsetBearerForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\terr = render.DecodeJSON(rr.Body, &user1)\n\tassert.NoError(t, err)\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, _ = http.NewRequest(http.MethodGet, webUsersPath, nil)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\treq, _ = http.NewRequest(http.MethodGet, webUsersPath+jsonAPISuffix, nil)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\treq, _ = http.NewRequest(http.MethodGet, webUserPath, nil)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(webUserPath, user.Username), nil)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\treq, _ = http.NewRequest(http.MethodGet, webUserPath+\"/0\", nil)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webUserPath, webToken)\n\tassert.NoError(t, err)\n\tform := make(url.Values)\n\tform.Set(\"username\", user.Username)\n\tform.Set(csrfFormToken, csrfToken)\n\tb, contentType, _ := getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath+\"/0\", &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath+\"/aaa\", &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(webUserPath, user.Username), nil)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token\")\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(webUserPath, user.Username), nil)\n\tsetJWTCookieForReq(req, webToken)\n\tsetCSRFHeaderForReq(req, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(webUserPath, user1.Username), nil)\n\tsetJWTCookieForReq(req, webToken)\n\tsetCSRFHeaderForReq(req, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestRenderDefenderPageMock(t *testing.T) {\n\ttoken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodGet, webDefenderPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nDefenderTitle)\n}\n\nfunc TestWebAdminBasicMock(t *testing.T) {\n\ttoken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tadmin := getTestAdmin()\n\tadmin.Username = altAdminUsername\n\tadmin.Password = altAdminPassword\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webAdminPath, token)\n\tassert.NoError(t, err)\n\tform := make(url.Values)\n\tform.Set(\"username\", admin.Username)\n\tform.Set(\"password\", \"\")\n\tform.Set(\"status\", \"1\")\n\tform.Set(\"permissions\", \"*\")\n\tform.Set(\"description\", admin.Description)\n\tform.Set(\"user_page_hidden_sections\", \"1\")\n\tform.Add(\"user_page_hidden_sections\", \"2\")\n\tform.Add(\"user_page_hidden_sections\", \"3\")\n\tform.Add(\"user_page_hidden_sections\", \"4\")\n\tform.Add(\"user_page_hidden_sections\", \"5\")\n\tform.Add(\"user_page_hidden_sections\", \"6\")\n\tform.Add(\"user_page_hidden_sections\", \"7\")\n\tform.Set(\"default_users_expiration\", \"10\")\n\treq, _ := http.NewRequest(http.MethodPost, webAdminPath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"status\", \"a\")\n\treq, _ = http.NewRequest(http.MethodPost, webAdminPath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tform.Set(\"status\", \"1\")\n\tform.Set(\"default_users_expiration\", \"a\")\n\treq, _ = http.NewRequest(http.MethodPost, webAdminPath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\n\tform.Set(\"default_users_expiration\", \"10\")\n\tform.Set(\"password\", admin.Password)\n\treq, _ = http.NewRequest(http.MethodPost, webAdminPath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\n\t// add TOTP config\n\tconfigName, key, _, err := mfa.GenerateTOTPSecret(mfa.GetAvailableTOTPConfigNames()[0], altAdminUsername)\n\tassert.NoError(t, err)\n\taltToken, err := getJWTWebTokenFromTestServer(altAdminUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\tadminTOTPConfig := dataprovider.AdminTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: kms.NewPlainSecret(key.Secret()),\n\t}\n\tasJSON, err := json.Marshal(adminTOTPConfig)\n\tassert.NoError(t, err)\n\t// no CSRF token\n\treq, err = http.NewRequest(http.MethodPost, webAdminTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token\")\n\n\treq, err = http.NewRequest(http.MethodPost, webAdminTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, altToken)\n\tsetCSRFHeaderForReq(req, csrfToken) // invalid CSRF token\n\treq.RemoteAddr = defaultRemoteAddr\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"the token is not valid\")\n\n\tcsrfToken, err = getCSRFTokenFromInternalPageMock(webAdminPath, altToken)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webAdminTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, altToken)\n\tsetCSRFHeaderForReq(req, csrfToken)\n\treq.RemoteAddr = defaultRemoteAddr\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tadmin, _, err = httpdtest.GetAdminByUsername(altAdminUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, admin.Filters.TOTPConfig.Enabled)\n\tsecretPayload := admin.Filters.TOTPConfig.Secret.GetPayload()\n\tassert.NotEmpty(t, secretPayload)\n\tassert.Equal(t, 1+2+4+8+16+32+64, admin.Filters.Preferences.HideUserPageSections)\n\tassert.Equal(t, 10, admin.Filters.Preferences.DefaultUsersExpiration)\n\n\tadminTOTPConfig = dataprovider.AdminTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: kms.NewEmptySecret(),\n\t}\n\tasJSON, err = json.Marshal(adminTOTPConfig)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webAdminTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, altToken)\n\tsetCSRFHeaderForReq(req, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tadmin, _, err = httpdtest.GetAdminByUsername(altAdminUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, admin.Filters.TOTPConfig.Enabled)\n\tassert.Equal(t, secretPayload, admin.Filters.TOTPConfig.Secret.GetPayload())\n\n\tadminTOTPConfig = dataprovider.AdminTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: nil,\n\t}\n\tasJSON, err = json.Marshal(adminTOTPConfig)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webAdminTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, altToken)\n\tsetCSRFHeaderForReq(req, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, webAdminsPath+jsonAPISuffix, nil)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\treq, _ = http.NewRequest(http.MethodGet, webAdminsPath, nil)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, webAdminPath, nil)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tform.Set(\"password\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webAdminPath, altAdminUsername), bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\n\tform.Set(csrfFormToken, csrfToken) // associated to altToken\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webAdminPath, altAdminUsername), bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\tcsrfToken, err = getCSRFTokenFromInternalPageMock(webAdminPath, token)\n\tassert.NoError(t, err)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"email\", \"not-an-email\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webAdminPath, altAdminUsername), bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tform.Set(\"email\", \"\")\n\tform.Set(\"status\", \"b\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webAdminPath, altAdminUsername), bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tform.Set(\"email\", \"admin@example.com\")\n\tform.Set(\"status\", \"0\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webAdminPath, altAdminUsername), bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\n\tadmin, _, err = httpdtest.GetAdminByUsername(altAdminUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, admin.Filters.TOTPConfig.Enabled)\n\tassert.Equal(t, \"admin@example.com\", admin.Email)\n\tassert.Equal(t, 0, admin.Status)\n\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webAdminPath, altAdminUsername+\"1\"), bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(webAdminPath, altAdminUsername), nil)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(webAdminPath, altAdminUsername+\"1\"), nil)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, webUserPath, nil)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(webAdminPath, altAdminUsername), nil)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, token)\n\tsetCSRFHeaderForReq(req, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, webUserPath, nil)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusNotFound)\n\tassert.NoError(t, err)\n\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(webAdminPath, defaultTokenAuthUser), nil)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, token)\n\tsetCSRFHeaderForReq(req, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"you cannot delete yourself\")\n\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(webAdminPath, defaultTokenAuthUser), nil)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token\")\n}\n\nfunc TestWebAdminGroupsMock(t *testing.T) {\n\tgroup1 := getTestGroup()\n\tgroup1.Name += \"_1\"\n\tgroup1, _, err := httpdtest.AddGroup(group1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tgroup2 := getTestGroup()\n\tgroup2.Name += \"_2\"\n\tgroup2, _, err = httpdtest.AddGroup(group2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tgroup3 := getTestGroup()\n\tgroup3.Name += \"_3\"\n\tgroup3, _, err = httpdtest.AddGroup(group3, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttoken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tadmin := getTestAdmin()\n\tadmin.Username = altAdminUsername\n\tadmin.Password = altAdminPassword\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webAdminPath, token)\n\tassert.NoError(t, err)\n\tform := make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"username\", admin.Username)\n\tform.Set(\"password\", \"\")\n\tform.Set(\"status\", \"1\")\n\tform.Set(\"permissions\", \"*\")\n\tform.Set(\"description\", admin.Description)\n\tform.Set(\"password\", admin.Password)\n\tform.Set(\"groups[0][group]\", group1.Name)\n\tform.Set(\"groups[0][group_type]\", \"1\")\n\tform.Set(\"groups[1][group]\", group2.Name)\n\tform.Set(\"groups[1][group_type]\", \"2\")\n\tform.Set(\"groups[2][group]\", group3.Name)\n\treq, err := http.NewRequest(http.MethodPost, webAdminPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\tadmin, _, err = httpdtest.GetAdminByUsername(admin.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Len(t, admin.Groups, 3) {\n\t\tfor _, g := range admin.Groups {\n\t\t\tswitch g.Name {\n\t\t\tcase group1.Name:\n\t\t\t\tassert.Equal(t, dataprovider.GroupAddToUsersAsPrimary, g.Options.AddToUsersAs)\n\t\t\tcase group2.Name:\n\t\t\t\tassert.Equal(t, dataprovider.GroupAddToUsersAsSecondary, g.Options.AddToUsersAs)\n\t\t\tcase group3.Name:\n\t\t\t\tassert.Equal(t, dataprovider.GroupAddToUsersAsMembership, g.Options.AddToUsersAs)\n\t\t\tdefault:\n\t\t\t\tt.Errorf(\"unexpected group %q\", g.Name)\n\t\t\t}\n\t\t}\n\t}\n\tadminToken, err := getJWTWebTokenFromTestServer(altAdminUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodGet, webUserPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, adminToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodGet, webUserPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, adminToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\n\t_, err = httpdtest.RemoveGroup(group1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group3, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestWebAdminPermissions(t *testing.T) {\n\tadmin := getTestAdmin()\n\tadmin.Username = altAdminUsername\n\tadmin.Password = altAdminPassword\n\tadmin.Permissions = []string{dataprovider.PermAdminAddUsers}\n\t_, _, err := httpdtest.AddAdmin(admin, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ttoken, err := getJWTWebToken(altAdminUsername, altAdminPassword)\n\trequire.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodGet, httpBaseURL+webUserPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\tresp, err := httpclient.GetHTTPClient().Do(req)\n\trequire.NoError(t, err)\n\tdefer resp.Body.Close()\n\tassert.Equal(t, http.StatusOK, resp.StatusCode)\n\n\treq, err = http.NewRequest(http.MethodGet, httpBaseURL+path.Join(webUserPath, \"auser\"), nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\trequire.NoError(t, err)\n\tdefer resp.Body.Close()\n\tassert.Equal(t, http.StatusForbidden, resp.StatusCode)\n\n\treq, err = http.NewRequest(http.MethodGet, httpBaseURL+webFolderPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\trequire.NoError(t, err)\n\tdefer resp.Body.Close()\n\tassert.Equal(t, http.StatusForbidden, resp.StatusCode)\n\n\treq, err = http.NewRequest(http.MethodGet, httpBaseURL+webStatusPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\trequire.NoError(t, err)\n\tdefer resp.Body.Close()\n\tassert.Equal(t, http.StatusForbidden, resp.StatusCode)\n\n\treq, err = http.NewRequest(http.MethodGet, httpBaseURL+webConnectionsPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\trequire.NoError(t, err)\n\tdefer resp.Body.Close()\n\tassert.Equal(t, http.StatusForbidden, resp.StatusCode)\n\n\treq, err = http.NewRequest(http.MethodGet, httpBaseURL+webAdminPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\trequire.NoError(t, err)\n\tdefer resp.Body.Close()\n\tassert.Equal(t, http.StatusForbidden, resp.StatusCode)\n\n\treq, err = http.NewRequest(http.MethodGet, httpBaseURL+path.Join(webAdminPath, \"a\"), nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\tresp, err = httpclient.GetHTTPClient().Do(req)\n\trequire.NoError(t, err)\n\tdefer resp.Body.Close()\n\tassert.Equal(t, http.StatusForbidden, resp.StatusCode)\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestAdminUpdateSelfMock(t *testing.T) {\n\tadmin, _, err := httpdtest.GetAdminByUsername(defaultTokenAuthUser, http.StatusOK)\n\tassert.NoError(t, err)\n\ttoken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webAdminPath, token)\n\tassert.NoError(t, err)\n\tform := make(url.Values)\n\tform.Set(\"username\", admin.Username)\n\tform.Set(\"password\", admin.Password)\n\tform.Set(\"status\", \"0\")\n\tform.Set(\"permissions\", dataprovider.PermAdminAddUsers)\n\tform.Set(\"permissions\", dataprovider.PermAdminCloseConnections)\n\tform.Set(csrfFormToken, csrfToken)\n\treq, _ := http.NewRequest(http.MethodPost, path.Join(webAdminPath, defaultTokenAuthUser), bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorAdminSelfPerms)\n\n\tform.Set(\"permissions\", dataprovider.PermAdminAny)\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webAdminPath, defaultTokenAuthUser), bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorAdminSelfDisable)\n\n\tform.Set(\"status\", \"1\")\n\tform.Set(\"require_two_factor\", \"1\")\n\tform.Set(\"require_password_change\", \"1\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webAdminPath, defaultTokenAuthUser), bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\n\tadmin, _, err = httpdtest.GetAdminByUsername(defaultTokenAuthUser, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.False(t, admin.Filters.RequirePasswordChange)\n\tassert.False(t, admin.Filters.RequireTwoFactor)\n\n\tform.Set(\"role\", \"my role\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webAdminPath, defaultTokenAuthUser), bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorAdminSelfRole)\n}\n\nfunc TestWebMaintenanceMock(t *testing.T) {\n\ttoken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodGet, webMaintenancePath, nil)\n\tsetJWTCookieForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webMaintenancePath, token)\n\tassert.NoError(t, err)\n\tform := make(url.Values)\n\tform.Set(\"mode\", \"a\")\n\tb, contentType, _ := getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webRestorePath, &b)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\tform.Set(csrfFormToken, csrfToken)\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webRestorePath, &b)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tform.Set(\"mode\", \"0\")\n\tform.Set(\"quota\", \"a\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webRestorePath, &b)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tform.Set(\"quota\", \"0\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webRestorePath, &b)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, _ = http.NewRequest(http.MethodPost, webRestorePath+\"?a=%3\", &b)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tbackupFilePath := filepath.Join(os.TempDir(), \"backup.json\")\n\terr = createTestFile(backupFilePath, 0)\n\tassert.NoError(t, err)\n\n\tb, contentType, _ = getMultipartFormData(form, \"backup_file\", backupFilePath)\n\treq, _ = http.NewRequest(http.MethodPost, webRestorePath, &b)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\terr = createTestFile(backupFilePath, 10)\n\tassert.NoError(t, err)\n\n\tb, contentType, _ = getMultipartFormData(form, \"backup_file\", backupFilePath)\n\treq, _ = http.NewRequest(http.MethodPost, webRestorePath, &b)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tuser := getTestUser()\n\tuser.ID = 1\n\tuser.Username = \"test_user_web_restore\"\n\tadmin := getTestAdmin()\n\tadmin.ID = 1\n\tadmin.Username = \"test_admin_web_restore\"\n\n\tapiKey := dataprovider.APIKey{\n\t\tName: \"key name\",\n\t\tKeyID: util.GenerateUniqueID(),\n\t\tKey: fmt.Sprintf(\"%v.%v\", util.GenerateUniqueID(), util.GenerateUniqueID()),\n\t\tScope: dataprovider.APIKeyScopeAdmin,\n\t}\n\tbackupData := dataprovider.BackupData{\n\t\tVersion: dataprovider.DumpVersion,\n\t}\n\tbackupData.Users = append(backupData.Users, user)\n\tbackupData.Admins = append(backupData.Admins, admin)\n\tbackupData.APIKeys = append(backupData.APIKeys, apiKey)\n\tbackupContent, err := json.Marshal(backupData)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(backupFilePath, backupContent, os.ModePerm)\n\tassert.NoError(t, err)\n\n\tb, contentType, _ = getMultipartFormData(form, \"backup_file\", backupFilePath)\n\treq, _ = http.NewRequest(http.MethodPost, webRestorePath, &b)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nBackupOK)\n\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tadmin, _, err = httpdtest.GetAdminByUsername(admin.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\n\t_, _, err = httpdtest.GetAPIKeyByID(apiKey.KeyID, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveAPIKey(apiKey, http.StatusOK)\n\tassert.NoError(t, err)\n\n\terr = os.Remove(backupFilePath)\n\tassert.NoError(t, err)\n}\n\nfunc TestWebUserAddMock(t *testing.T) {\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tapiToken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webUserPath, webToken)\n\tassert.NoError(t, err)\n\tgroup1 := getTestGroup()\n\tgroup1.Name += \"_1\"\n\tgroup1, _, err = httpdtest.AddGroup(group1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tgroup2 := getTestGroup()\n\tgroup2.Name += \"_2\"\n\tgroup2, _, err = httpdtest.AddGroup(group2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tgroup3 := getTestGroup()\n\tgroup3.Name += \"_3\"\n\tgroup3, _, err = httpdtest.AddGroup(group3, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser := getTestUser()\n\tuser.UploadBandwidth = 32\n\tuser.DownloadBandwidth = 64\n\tuser.UploadDataTransfer = 1000\n\tuser.DownloadDataTransfer = 2000\n\tuser.UID = 1000\n\tuser.AdditionalInfo = \"info\"\n\tuser.Description = \"user dsc\"\n\tuser.Email = \"test@test.com\"\n\tuser.Filters.AdditionalEmails = []string{\"example1@test.com\", \"example2@test.com\"}\n\tmappedDir := filepath.Join(os.TempDir(), \"mapped\")\n\tfolderName := filepath.Base(mappedDir)\n\tf := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: mappedDir,\n\t}\n\tfolderAsJSON, err := json.Marshal(f)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodPost, folderPath, bytes.NewBuffer(folderAsJSON))\n\tsetBearerForReq(req, apiToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\n\tform := make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"username\", user.Username)\n\tform.Set(\"email\", user.Email)\n\tform.Set(\"additional_emails[0][additional_email]\", user.Filters.AdditionalEmails[0])\n\tform.Set(\"additional_emails[1][additional_email]\", user.Filters.AdditionalEmails[1])\n\tform.Set(\"home_dir\", user.HomeDir)\n\tform.Set(\"osfs_read_buffer_size\", \"2\")\n\tform.Set(\"osfs_write_buffer_size\", \"3\")\n\tform.Set(\"password\", user.Password)\n\tform.Set(\"primary_group\", group1.Name)\n\tform.Set(\"secondary_groups\", group2.Name)\n\tform.Set(\"membership_groups\", group3.Name)\n\tform.Set(\"status\", strconv.Itoa(user.Status))\n\tform.Set(\"expiration_date\", \"\")\n\tform.Set(\"permissions\", \"*\")\n\tform.Set(\"directory_permissions[0][sub_perm_path]\", \"/subdir\")\n\tform.Set(\"directory_permissions[0][sub_perm_permissions][]\", \"list\")\n\tform.Add(\"directory_permissions[0][sub_perm_permissions][]\", \"download\")\n\tform.Set(\"virtual_folders[0][vfolder_path]\", \" /vdir\")\n\tform.Set(\"virtual_folders[0][vfolder_name]\", folderName)\n\tform.Set(\"virtual_folders[0][vfolder_quota_files]\", \"2\")\n\tform.Set(\"virtual_folders[0][vfolder_quota_size]\", \"1024\")\n\tform.Set(\"directory_patterns[0][pattern_path]\", \"/dir2\")\n\tform.Set(\"directory_patterns[0][patterns]\", \"*.jpg,*.png\")\n\tform.Set(\"directory_patterns[0][pattern_type]\", \"allowed\")\n\tform.Set(\"directory_patterns[0][pattern_policy]\", \"1\")\n\tform.Set(\"directory_patterns[1][pattern_path]\", \"/dir1\")\n\tform.Set(\"directory_patterns[1][patterns]\", \"*.png\")\n\tform.Set(\"directory_patterns[1][pattern_type]\", \"allowed\")\n\tform.Set(\"directory_patterns[2][pattern_path]\", \"/dir1\")\n\tform.Set(\"directory_patterns[2][patterns]\", \"*.zip\")\n\tform.Set(\"directory_patterns[2][pattern_type]\", \"denied\")\n\tform.Set(\"directory_patterns[3][pattern_path]\", \"/dir3\")\n\tform.Set(\"directory_patterns[3][patterns]\", \"*.rar\")\n\tform.Set(\"directory_patterns[3][pattern_type]\", \"denied\")\n\tform.Set(\"directory_patterns[4][pattern_path]\", \"/dir2\")\n\tform.Set(\"directory_patterns[4][patterns]\", \"*.mkv\")\n\tform.Set(\"directory_patterns[4][pattern_type]\", \"denied\")\n\tform.Set(\"access_time_restrictions[0][access_time_day_of_week]\", \"2\")\n\tform.Set(\"access_time_restrictions[0][access_time_start]\", \"10\") // invalid and no end, ignored\n\tform.Set(\"access_time_restrictions[1][access_time_day_of_week]\", \"3\")\n\tform.Set(\"access_time_restrictions[1][access_time_start]\", \"12:00\")\n\tform.Set(\"access_time_restrictions[1][access_time_end]\", \"14:09\")\n\tform.Set(\"additional_info\", user.AdditionalInfo)\n\tform.Set(\"description\", user.Description)\n\tform.Add(\"hooks\", \"external_auth_disabled\")\n\tform.Set(\"disable_fs_checks\", \"checked\")\n\tform.Set(\"total_data_transfer\", \"0\")\n\tform.Set(\"external_auth_cache_time\", \"0\")\n\tform.Set(\"start_directory\", \"start/dir\")\n\tform.Set(\"require_password_change\", \"1\")\n\tb, contentType, _ := getMultipartFormData(form, \"\", \"\")\n\t// test invalid url escape\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath+\"?a=%2\", &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tform.Set(\"public_keys\", testPubKey)\n\tform.Add(\"public_keys\", testPubKey1)\n\tform.Set(\"uid\", strconv.FormatInt(int64(user.UID), 10))\n\tform.Set(\"gid\", \"a\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\t// test invalid gid\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tform.Set(\"gid\", \"0\")\n\tform.Set(\"max_sessions\", \"a\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\t// test invalid max sessions\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tform.Set(\"max_sessions\", \"0\")\n\tform.Set(\"quota_size\", \"a\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\t// test invalid quota size\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tform.Set(\"quota_size\", \"0\")\n\tform.Set(\"quota_files\", \"a\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\t// test invalid quota files\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tform.Set(\"quota_files\", \"0\")\n\tform.Set(\"upload_bandwidth\", \"a\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\t// test invalid upload bandwidth\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tform.Set(\"upload_bandwidth\", strconv.FormatInt(user.UploadBandwidth, 10))\n\tform.Set(\"download_bandwidth\", \"a\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\t// test invalid download bandwidth\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tform.Set(\"download_bandwidth\", strconv.FormatInt(user.DownloadBandwidth, 10))\n\tform.Set(\"upload_data_transfer\", \"a\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\t// test invalid upload data transfer\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tform.Set(\"upload_data_transfer\", strconv.FormatInt(user.UploadDataTransfer, 10))\n\tform.Set(\"download_data_transfer\", \"a\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\t// test invalid download data transfer\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tform.Set(\"download_data_transfer\", strconv.FormatInt(user.DownloadDataTransfer, 10))\n\tform.Set(\"total_data_transfer\", \"a\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\t// test invalid total data transfer\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tform.Set(\"total_data_transfer\", strconv.FormatInt(user.TotalDataTransfer, 10))\n\tform.Set(\"status\", \"a\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\t// test invalid status\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tform.Set(\"status\", strconv.Itoa(user.Status))\n\tform.Set(\"expiration_date\", \"123\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\t// test invalid expiration date\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tform.Set(\"expiration_date\", \"\")\n\tform.Set(\"allowed_ip\", \"invalid,ip\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\t// test invalid allowed_ip\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tform.Set(\"allowed_ip\", \"\")\n\tform.Set(\"denied_ip\", \"192.168.1.2\") // it should be 192.168.1.2/32\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\t// test invalid denied_ip\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tform.Set(\"denied_ip\", \"\")\n\t// test invalid max file upload size\n\tform.Set(\"max_upload_file_size\", \"a\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tform.Set(\"max_upload_file_size\", \"1 KB\")\n\t// test invalid default shares expiration\n\tform.Set(\"default_shares_expiration\", \"a\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\tform.Set(\"default_shares_expiration\", \"10\")\n\t// test invalid max shares expiration\n\tform.Set(\"max_shares_expiration\", \"a\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\tform.Set(\"max_shares_expiration\", \"30\")\n\t// test invalid password expiration\n\tform.Set(\"password_expiration\", \"a\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\tform.Set(\"password_expiration\", \"90\")\n\t// test invalid password strength\n\tform.Set(\"password_strength\", \"a\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\tform.Set(\"password_strength\", \"60\")\n\t// test invalid tls username\n\tform.Set(\"tls_username\", \"username\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\tform.Set(\"tls_username\", string(sdk.TLSUsernameNone))\n\t// invalid upload bandwidth source\n\tform.Set(\"src_bandwidth_limits[0][bandwidth_limit_sources]\", \"192.168.1.0/24, 192.168.2.0/25\")\n\tform.Set(\"src_bandwidth_limits[0][upload_bandwidth_source]\", \"a\")\n\tform.Set(\"src_bandwidth_limits[0][download_bandwidth_source]\", \"0\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\t// invalid download bandwidth source\n\tform.Set(\"src_bandwidth_limits[0][upload_bandwidth_source]\", \"256\")\n\tform.Set(\"src_bandwidth_limits[0][download_bandwidth_source]\", \"a\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\tform.Set(\"src_bandwidth_limits[0][download_bandwidth_source]\", \"512\")\n\tform.Set(\"src_bandwidth_limits[1][download_bandwidth_source]\", \"1024\")\n\tform.Set(\"src_bandwidth_limits[1][bandwidth_limit_sources]\", \"1.1.1\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorSourceBWLimitInvalid)\n\tform.Set(\"src_bandwidth_limits[1][bandwidth_limit_sources]\", \"127.0.0.1/32\")\n\tform.Set(\"src_bandwidth_limits[1][upload_bandwidth_source]\", \"-1\")\n\t// invalid external auth cache size\n\tform.Set(\"external_auth_cache_time\", \"a\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tform.Set(\"external_auth_cache_time\", \"0\")\n\tform.Set(csrfFormToken, \"invalid form token\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\tform.Set(csrfFormToken, csrfToken)\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\n\tdbUser, err := dataprovider.UserExists(user.Username, \"\")\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, dbUser.Password)\n\tassert.True(t, dbUser.IsPasswordHashed())\n\t// the user already exists, was created with the above request\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tnewUser := dataprovider.User{}\n\terr = render.DecodeJSON(rr.Body, &newUser)\n\tassert.NoError(t, err)\n\tassert.Equal(t, user.UID, newUser.UID)\n\tassert.Equal(t, 2, newUser.FsConfig.OSConfig.ReadBufferSize)\n\tassert.Equal(t, 3, newUser.FsConfig.OSConfig.WriteBufferSize)\n\tassert.Equal(t, user.UploadBandwidth, newUser.UploadBandwidth)\n\tassert.Equal(t, user.DownloadBandwidth, newUser.DownloadBandwidth)\n\tassert.Equal(t, user.UploadDataTransfer, newUser.UploadDataTransfer)\n\tassert.Equal(t, user.DownloadDataTransfer, newUser.DownloadDataTransfer)\n\tassert.Equal(t, user.TotalDataTransfer, newUser.TotalDataTransfer)\n\tassert.Equal(t, int64(1000), newUser.Filters.MaxUploadFileSize)\n\tassert.Equal(t, user.AdditionalInfo, newUser.AdditionalInfo)\n\tassert.Equal(t, user.Description, newUser.Description)\n\tassert.True(t, newUser.Filters.Hooks.ExternalAuthDisabled)\n\tassert.False(t, newUser.Filters.Hooks.PreLoginDisabled)\n\tassert.False(t, newUser.Filters.Hooks.CheckPasswordDisabled)\n\tassert.True(t, newUser.Filters.DisableFsChecks)\n\tassert.False(t, newUser.Filters.AllowAPIKeyAuth)\n\tassert.Equal(t, user.Email, newUser.Email)\n\tassert.Equal(t, len(user.Filters.AdditionalEmails), len(newUser.Filters.AdditionalEmails))\n\tassert.Equal(t, \"/start/dir\", newUser.Filters.StartDirectory)\n\tassert.Equal(t, 0, newUser.Filters.FTPSecurity)\n\tassert.Equal(t, 10, newUser.Filters.DefaultSharesExpiration)\n\tassert.Equal(t, 30, newUser.Filters.MaxSharesExpiration)\n\tassert.Equal(t, 90, newUser.Filters.PasswordExpiration)\n\tassert.Equal(t, 60, newUser.Filters.PasswordStrength)\n\tassert.Greater(t, newUser.LastPasswordChange, int64(0))\n\tassert.True(t, newUser.Filters.RequirePasswordChange)\n\tassert.True(t, slices.Contains(newUser.PublicKeys, testPubKey))\n\tif val, ok := newUser.Permissions[\"/subdir\"]; ok {\n\t\tassert.True(t, slices.Contains(val, dataprovider.PermListItems))\n\t\tassert.True(t, slices.Contains(val, dataprovider.PermDownload))\n\t} else {\n\t\tassert.Fail(t, \"user permissions must contain /somedir\", \"actual: %v\", newUser.Permissions)\n\t}\n\tassert.Len(t, newUser.PublicKeys, 2)\n\tassert.Len(t, newUser.VirtualFolders, 1)\n\tfor _, v := range newUser.VirtualFolders {\n\t\tassert.Equal(t, v.VirtualPath, \"/vdir\")\n\t\tassert.Equal(t, v.Name, folderName)\n\t\tassert.Equal(t, v.MappedPath, mappedDir)\n\t\tassert.Equal(t, v.QuotaFiles, 2)\n\t\tassert.Equal(t, v.QuotaSize, int64(1024))\n\t}\n\tassert.Len(t, newUser.Filters.FilePatterns, 3)\n\tfor _, filter := range newUser.Filters.FilePatterns {\n\t\tswitch filter.Path {\n\t\tcase \"/dir1\":\n\t\t\tassert.Len(t, filter.DeniedPatterns, 1)\n\t\t\tassert.Len(t, filter.AllowedPatterns, 1)\n\t\t\tassert.True(t, slices.Contains(filter.AllowedPatterns, \"*.png\"))\n\t\t\tassert.True(t, slices.Contains(filter.DeniedPatterns, \"*.zip\"))\n\t\t\tassert.Equal(t, sdk.DenyPolicyDefault, filter.DenyPolicy)\n\t\tcase \"/dir2\":\n\t\t\tassert.Len(t, filter.DeniedPatterns, 1)\n\t\t\tassert.Len(t, filter.AllowedPatterns, 2)\n\t\t\tassert.True(t, slices.Contains(filter.AllowedPatterns, \"*.jpg\"))\n\t\t\tassert.True(t, slices.Contains(filter.AllowedPatterns, \"*.png\"))\n\t\t\tassert.True(t, slices.Contains(filter.DeniedPatterns, \"*.mkv\"))\n\t\t\tassert.Equal(t, sdk.DenyPolicyHide, filter.DenyPolicy)\n\t\tcase \"/dir3\":\n\t\t\tassert.Len(t, filter.DeniedPatterns, 1)\n\t\t\tassert.Len(t, filter.AllowedPatterns, 0)\n\t\t\tassert.True(t, slices.Contains(filter.DeniedPatterns, \"*.rar\"))\n\t\t\tassert.Equal(t, sdk.DenyPolicyDefault, filter.DenyPolicy)\n\t\t}\n\t}\n\tif assert.Len(t, newUser.Filters.BandwidthLimits, 2) {\n\t\tfor _, bwLimit := range newUser.Filters.BandwidthLimits {\n\t\t\tif len(bwLimit.Sources) == 2 {\n\t\t\t\tassert.Equal(t, \"192.168.1.0/24\", bwLimit.Sources[0])\n\t\t\t\tassert.Equal(t, \"192.168.2.0/25\", bwLimit.Sources[1])\n\t\t\t\tassert.Equal(t, int64(256), bwLimit.UploadBandwidth)\n\t\t\t\tassert.Equal(t, int64(512), bwLimit.DownloadBandwidth)\n\t\t\t} else {\n\t\t\t\tassert.Equal(t, []string{\"127.0.0.1/32\"}, bwLimit.Sources)\n\t\t\t\tassert.Equal(t, int64(0), bwLimit.UploadBandwidth)\n\t\t\t\tassert.Equal(t, int64(1024), bwLimit.DownloadBandwidth)\n\t\t\t}\n\t\t}\n\t}\n\tif assert.Len(t, newUser.Filters.AccessTime, 1) {\n\t\tassert.Equal(t, 3, newUser.Filters.AccessTime[0].DayOfWeek)\n\t\tassert.Equal(t, \"12:00\", newUser.Filters.AccessTime[0].From)\n\t\tassert.Equal(t, \"14:09\", newUser.Filters.AccessTime[0].To)\n\t}\n\tassert.Len(t, newUser.Groups, 3)\n\tassert.Equal(t, sdk.TLSUsernameNone, newUser.Filters.TLSUsername)\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(userPath, newUser.Username), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(folderPath, folderName), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t_, err = httpdtest.RemoveGroup(group1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group3, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestWebUserUpdateMock(t *testing.T) {\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tapiToken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tuser := getTestUser()\n\tuser.Filters.BandwidthLimits = []sdk.BandwidthLimit{\n\t\t{\n\t\t\tSources: []string{\"10.8.0.0/16\", \"192.168.1.0/25\"},\n\t\t\tUploadBandwidth: 256,\n\t\t\tDownloadBandwidth: 512,\n\t\t},\n\t}\n\tuser.TotalDataTransfer = 4000\n\tuserAsJSON := getUserAsJSON(t, user)\n\treq, _ := http.NewRequest(http.MethodPost, userPath, bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, apiToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tlastPwdChange := user.LastPasswordChange\n\tassert.Greater(t, lastPwdChange, int64(0))\n\t// add TOTP config\n\tconfigName, key, _, err := mfa.GenerateTOTPSecret(mfa.GetAvailableTOTPConfigNames()[0], user.Username)\n\tassert.NoError(t, err)\n\tuserToken, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword)\n\tassert.NoError(t, err)\n\tuserTOTPConfig := dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: kms.NewPlainSecret(key.Secret()),\n\t\tProtocols: []string{common.ProtocolSSH, common.ProtocolFTP},\n\t}\n\tasJSON, err := json.Marshal(userTOTPConfig)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webClientTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, userToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token\")\n\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webClientProfilePath, userToken)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webClientTOTPSavePath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, userToken)\n\tsetCSRFHeaderForReq(req, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, user.Filters.TOTPConfig.Enabled)\n\tassert.Equal(t, int64(4000), user.TotalDataTransfer)\n\tassert.Equal(t, lastPwdChange, user.LastPasswordChange)\n\tif assert.Len(t, user.Filters.BandwidthLimits, 1) {\n\t\tif assert.Len(t, user.Filters.BandwidthLimits[0].Sources, 2) {\n\t\t\tassert.Equal(t, \"10.8.0.0/16\", user.Filters.BandwidthLimits[0].Sources[0])\n\t\t\tassert.Equal(t, \"192.168.1.0/25\", user.Filters.BandwidthLimits[0].Sources[1])\n\t\t}\n\t\tassert.Equal(t, int64(256), user.Filters.BandwidthLimits[0].UploadBandwidth)\n\t\tassert.Equal(t, int64(512), user.Filters.BandwidthLimits[0].DownloadBandwidth)\n\t}\n\n\tdbUser, err := dataprovider.UserExists(user.Username, \"\")\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, dbUser.Password)\n\tassert.True(t, dbUser.IsPasswordHashed())\n\terr = render.DecodeJSON(rr.Body, &user)\n\tassert.NoError(t, err)\n\tuser.MaxSessions = 1\n\tuser.QuotaFiles = 2\n\tuser.QuotaSize = 1000 * 1000 * 1000\n\tuser.GID = 1000\n\tuser.Filters.AllowAPIKeyAuth = true\n\tuser.AdditionalInfo = \"new additional info\"\n\tuser.Email = \"user@example.com\"\n\tform := make(url.Values)\n\tform.Set(\"username\", user.Username)\n\tform.Set(\"email\", user.Email)\n\tform.Set(\"password\", \"\")\n\tform.Set(\"public_keys[0][public_key]\", testPubKey)\n\tform.Set(\"tls_certs[0][tls_cert]\", httpsCert)\n\tform.Set(\"home_dir\", user.HomeDir)\n\tform.Set(\"uid\", \"0\")\n\tform.Set(\"gid\", strconv.FormatInt(int64(user.GID), 10))\n\tform.Set(\"max_sessions\", strconv.FormatInt(int64(user.MaxSessions), 10))\n\tform.Set(\"quota_size\", \"1 GB\")\n\tform.Set(\"quota_files\", strconv.FormatInt(int64(user.QuotaFiles), 10))\n\tform.Set(\"upload_bandwidth\", \"0\")\n\tform.Set(\"download_bandwidth\", \"0\")\n\tform.Set(\"upload_data_transfer\", \"0\")\n\tform.Set(\"download_data_transfer\", \"0\")\n\tform.Set(\"total_data_transfer\", \"0\")\n\tform.Set(\"permissions\", \"*\")\n\tform.Set(\"directory_permissions[0][sub_perm_path]\", \"/otherdir\")\n\tform.Set(\"directory_permissions[0][sub_perm_permissions][]\", \"list\")\n\tform.Add(\"directory_permissions[0][sub_perm_permissions][]\", \"upload\")\n\tform.Set(\"status\", strconv.Itoa(user.Status))\n\tform.Set(\"expiration_date\", \"2020-01-01 00:00:00\")\n\tform.Set(\"allowed_ip\", \" 192.168.1.3/32, 192.168.2.0/24 \")\n\tform.Set(\"denied_ip\", \" 10.0.0.2/32 \")\n\tform.Set(\"directory_patterns[0][pattern_path]\", \"/dir1\")\n\tform.Set(\"directory_patterns[0][patterns]\", \"*.zip\")\n\tform.Set(\"directory_patterns[0][pattern_type]\", \"denied\")\n\tform.Set(\"denied_login_methods\", dataprovider.SSHLoginMethodKeyboardInteractive)\n\tform.Set(\"denied_protocols\", common.ProtocolFTP)\n\tform.Set(\"max_upload_file_size\", \"100\")\n\tform.Set(\"default_shares_expiration\", \"30\")\n\tform.Set(\"max_shares_expiration\", \"60\")\n\tform.Set(\"password_expiration\", \"60\")\n\tform.Set(\"password_strength\", \"40\")\n\tform.Set(\"disconnect\", \"1\")\n\tform.Set(\"additional_info\", user.AdditionalInfo)\n\tform.Set(\"description\", user.Description)\n\tform.Set(\"tls_username\", string(sdk.TLSUsernameCN))\n\tform.Set(\"allow_api_key_auth\", \"1\")\n\tform.Set(\"require_password_change\", \"1\")\n\tform.Set(\"external_auth_cache_time\", \"120\")\n\tb, contentType, _ := getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\tcsrfToken, err = getCSRFTokenFromInternalPageMock(webUserPath, webToken)\n\tassert.NoError(t, err)\n\tform.Set(csrfFormToken, csrfToken)\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\tdbUser, err = dataprovider.UserExists(user.Username, \"\")\n\tassert.NoError(t, err)\n\tassert.Empty(t, dbUser.Password)\n\tassert.False(t, dbUser.IsPasswordHashed())\n\n\tform.Set(\"password\", defaultPassword)\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\tdbUser, err = dataprovider.UserExists(user.Username, \"\")\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, dbUser.Password)\n\tassert.True(t, dbUser.IsPasswordHashed())\n\tprevPwd := dbUser.Password\n\n\tform.Set(\"password\", redactedSecret)\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\tdbUser, err = dataprovider.UserExists(user.Username, \"\")\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, dbUser.Password)\n\tassert.True(t, dbUser.IsPasswordHashed())\n\tassert.Equal(t, prevPwd, dbUser.Password)\n\tassert.True(t, dbUser.Filters.TOTPConfig.Enabled)\n\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar updateUser dataprovider.User\n\terr = render.DecodeJSON(rr.Body, &updateUser)\n\tassert.NoError(t, err)\n\tassert.Equal(t, user.Email, updateUser.Email)\n\tassert.Equal(t, user.HomeDir, updateUser.HomeDir)\n\tassert.Equal(t, user.MaxSessions, updateUser.MaxSessions)\n\tassert.Equal(t, user.QuotaFiles, updateUser.QuotaFiles)\n\tassert.Equal(t, user.QuotaSize, updateUser.QuotaSize)\n\tassert.Equal(t, user.UID, updateUser.UID)\n\tassert.Equal(t, user.GID, updateUser.GID)\n\tassert.Equal(t, user.AdditionalInfo, updateUser.AdditionalInfo)\n\tassert.Equal(t, user.Description, updateUser.Description)\n\tassert.Equal(t, int64(100), updateUser.Filters.MaxUploadFileSize)\n\tassert.Equal(t, sdk.TLSUsernameCN, updateUser.Filters.TLSUsername)\n\tassert.True(t, updateUser.Filters.AllowAPIKeyAuth)\n\tassert.True(t, updateUser.Filters.TOTPConfig.Enabled)\n\tassert.Equal(t, int64(0), updateUser.TotalDataTransfer)\n\tassert.Equal(t, int64(0), updateUser.DownloadDataTransfer)\n\tassert.Equal(t, int64(0), updateUser.UploadDataTransfer)\n\tassert.Equal(t, int64(0), updateUser.Filters.ExternalAuthCacheTime)\n\tassert.Equal(t, 30, updateUser.Filters.DefaultSharesExpiration)\n\tassert.Equal(t, 60, updateUser.Filters.MaxSharesExpiration)\n\tassert.Equal(t, 60, updateUser.Filters.PasswordExpiration)\n\tassert.Equal(t, 40, updateUser.Filters.PasswordStrength)\n\tassert.True(t, updateUser.Filters.RequirePasswordChange)\n\tif val, ok := updateUser.Permissions[\"/otherdir\"]; ok {\n\t\tassert.True(t, slices.Contains(val, dataprovider.PermListItems))\n\t\tassert.True(t, slices.Contains(val, dataprovider.PermUpload))\n\t} else {\n\t\tassert.Fail(t, \"user permissions must contains /otherdir\", \"actual: %v\", updateUser.Permissions)\n\t}\n\tassert.True(t, slices.Contains(updateUser.Filters.AllowedIP, \"192.168.1.3/32\"))\n\tassert.True(t, slices.Contains(updateUser.Filters.DeniedIP, \"10.0.0.2/32\"))\n\tassert.True(t, slices.Contains(updateUser.Filters.DeniedLoginMethods, dataprovider.SSHLoginMethodKeyboardInteractive))\n\tassert.True(t, slices.Contains(updateUser.Filters.DeniedProtocols, common.ProtocolFTP))\n\tassert.True(t, slices.Contains(updateUser.Filters.FilePatterns[0].DeniedPatterns, \"*.zip\"))\n\tassert.Len(t, updateUser.Filters.BandwidthLimits, 0)\n\tassert.Len(t, updateUser.Filters.TLSCerts, 1)\n\treq, err = http.NewRequest(http.MethodDelete, path.Join(userPath, user.Username), nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestRenderFolderTemplateMock(t *testing.T) {\n\ttoken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodGet, webTemplateFolder, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tfolder := vfs.BaseVirtualFolder{\n\t\tName: \"templatefolder\",\n\t\tMappedPath: filepath.Join(os.TempDir(), \"mapped\"),\n\t\tDescription: \"template folder desc\",\n\t}\n\tfolder, _, err = httpdtest.AddFolder(folder, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, webTemplateFolder+fmt.Sprintf(\"?from=%v\", folder.Name), nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webTemplateFolder+\"?from=unknown-folder\", nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\t_, err = httpdtest.RemoveFolder(folder, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestRenderUserTemplateMock(t *testing.T) {\n\ttoken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodGet, webTemplateUser, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, webTemplateUser+fmt.Sprintf(\"?from=%v\", user.Username), nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webTemplateUser+\"?from=unknown\", nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestUserSaveFromTemplateMock(t *testing.T) {\n\ttoken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webTemplateFolder, token)\n\tassert.NoError(t, err)\n\tuser1 := \"u1\"\n\tuser2 := \"u2\"\n\tform := make(url.Values)\n\tform.Set(\"username\", \"\")\n\tform.Set(\"home_dir\", filepath.Join(os.TempDir(), \"%username%\"))\n\tform.Set(\"upload_bandwidth\", \"0\")\n\tform.Set(\"download_bandwidth\", \"0\")\n\tform.Set(\"upload_data_transfer\", \"0\")\n\tform.Set(\"download_data_transfer\", \"0\")\n\tform.Set(\"total_data_transfer\", \"0\")\n\tform.Set(\"uid\", \"0\")\n\tform.Set(\"gid\", \"0\")\n\tform.Set(\"max_sessions\", \"0\")\n\tform.Set(\"quota_size\", \"0\")\n\tform.Set(\"quota_files\", \"0\")\n\tform.Set(\"permissions\", \"*\")\n\tform.Set(\"status\", \"1\")\n\tform.Set(\"expiration_date\", \"\")\n\tform.Set(\"fs_provider\", \"0\")\n\tform.Set(\"max_upload_file_size\", \"0\")\n\tform.Set(\"default_shares_expiration\", \"0\")\n\tform.Set(\"max_shares_expiration\", \"0\")\n\tform.Set(\"password_expiration\", \"0\")\n\tform.Set(\"password_strength\", \"0\")\n\tform.Set(\"external_auth_cache_time\", \"0\")\n\tform.Add(\"template_users[0][tpl_username]\", user1)\n\tform.Add(\"template_users[0][tpl_password]\", \"password1\")\n\tform.Add(\"template_users[0][tpl_public_keys]\", \" \")\n\tform.Add(\"template_users[1][tpl_username]\", user2)\n\tform.Add(\"template_users[1][tpl_public_keys]\", testPubKey)\n\tb, contentType, _ := getMultipartFormData(form, \"\", \"\")\n\treq, _ := http.NewRequest(http.MethodPost, webTemplateUser, &b)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\tform.Set(csrfFormToken, csrfToken)\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webTemplateUser, &b)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\n\tu1, _, err := httpdtest.GetUserByUsername(user1, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.False(t, u1.Filters.RequirePasswordChange)\n\tu2, _, err := httpdtest.GetUserByUsername(user2, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.False(t, u2.Filters.RequirePasswordChange)\n\n\t_, err = httpdtest.RemoveUser(u1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(u2, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tform.Add(\"tpl_require_password_change\", \"checked\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webTemplateUser, &b)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\n\tu1, _, err = httpdtest.GetUserByUsername(user1, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, u1.Filters.RequirePasswordChange)\n\tu2, _, err = httpdtest.GetUserByUsername(user2, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, u2.Filters.RequirePasswordChange)\n\n\t_, err = httpdtest.RemoveUser(u1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(u2, http.StatusOK)\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, err = http.NewRequest(http.MethodPost, webTemplateUser, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\tproviderConf.BackupsPath = backupsPath\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n}\n\nfunc TestUserTemplateErrors(t *testing.T) {\n\ttoken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webTemplateFolder, token)\n\tassert.NoError(t, err)\n\tuser := getTestUser()\n\tuser.FsConfig.Provider = sdk.S3FilesystemProvider\n\tuser.FsConfig.S3Config.Bucket = \"test\"\n\tuser.FsConfig.S3Config.Region = \"eu-central-1\"\n\tuser.FsConfig.S3Config.AccessKey = \"%username%\"\n\tuser.FsConfig.S3Config.KeyPrefix = \"somedir/subdir/\"\n\tuser.FsConfig.S3Config.UploadPartSize = 5\n\tuser.FsConfig.S3Config.UploadConcurrency = 4\n\tuser.FsConfig.S3Config.DownloadPartSize = 6\n\tuser.FsConfig.S3Config.DownloadConcurrency = 3\n\tform := make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"username\", user.Username)\n\tform.Set(\"home_dir\", filepath.Join(os.TempDir(), \"%username%\"))\n\tform.Set(\"uid\", \"0\")\n\tform.Set(\"gid\", strconv.FormatInt(int64(user.GID), 10))\n\tform.Set(\"max_sessions\", strconv.FormatInt(int64(user.MaxSessions), 10))\n\tform.Set(\"quota_size\", strconv.FormatInt(user.QuotaSize, 10))\n\tform.Set(\"quota_files\", strconv.FormatInt(int64(user.QuotaFiles), 10))\n\tform.Set(\"upload_bandwidth\", \"0\")\n\tform.Set(\"download_bandwidth\", \"0\")\n\tform.Set(\"upload_data_transfer\", \"0\")\n\tform.Set(\"download_data_transfer\", \"0\")\n\tform.Set(\"total_data_transfer\", \"0\")\n\tform.Set(\"external_auth_cache_time\", \"0\")\n\tform.Set(\"permissions\", \"*\")\n\tform.Set(\"status\", strconv.Itoa(user.Status))\n\tform.Set(\"expiration_date\", \"2020-01-01 00:00:00\")\n\tform.Set(\"allowed_ip\", \"\")\n\tform.Set(\"denied_ip\", \"\")\n\tform.Set(\"fs_provider\", \"1\")\n\tform.Set(\"s3_bucket\", user.FsConfig.S3Config.Bucket)\n\tform.Set(\"s3_region\", user.FsConfig.S3Config.Region)\n\tform.Set(\"s3_access_key\", \"%username%\")\n\tform.Set(\"s3_access_secret\", \"%password%\")\n\tform.Set(\"s3_sse_customer_key\", \"%password%\")\n\tform.Set(\"s3_key_prefix\", \"base/%username%\")\n\tform.Set(\"max_upload_file_size\", \"0\")\n\tform.Set(\"default_shares_expiration\", \"0\")\n\tform.Set(\"max_shares_expiration\", \"0\")\n\tform.Set(\"password_expiration\", \"0\")\n\tform.Set(\"password_strength\", \"0\")\n\tform.Add(\"hooks\", \"external_auth_disabled\")\n\tform.Add(\"hooks\", \"check_password_disabled\")\n\tform.Set(\"disable_fs_checks\", \"checked\")\n\tform.Set(\"s3_download_part_max_time\", \"0\")\n\tform.Set(\"s3_upload_part_max_time\", \"0\")\n\t// test invalid s3_upload_part_size\n\tform.Set(\"s3_upload_part_size\", \"a\")\n\tform.Set(\"form_action\", \"export_from_template\")\n\tb, contentType, _ := getMultipartFormData(form, \"\", \"\")\n\treq, _ := http.NewRequest(http.MethodPost, webTemplateUser, &b)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tform.Set(\"s3_upload_part_size\", strconv.FormatInt(user.FsConfig.S3Config.UploadPartSize, 10))\n\tform.Set(\"s3_upload_concurrency\", strconv.Itoa(user.FsConfig.S3Config.UploadConcurrency))\n\tform.Set(\"s3_download_part_size\", strconv.FormatInt(user.FsConfig.S3Config.DownloadPartSize, 10))\n\tform.Set(\"s3_download_concurrency\", strconv.Itoa(user.FsConfig.S3Config.DownloadConcurrency))\n\t// no user defined\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webTemplateUser, &b)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorUserTemplate)\n\n\tform.Set(\"template_users[0][tpl_username]\", \"user1\")\n\tform.Set(\"template_users[0][tpl_password]\", \"password1\")\n\tform.Set(\"template_users[0][tpl_public_keys]\", \"invalid-pkey\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webTemplateUser, &b)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\trequire.Contains(t, rr.Body.String(), util.I18nErrorPubKeyInvalid)\n\n\tform.Set(\"template_users[0][tpl_username]\", \" \")\n\tform.Set(\"template_users[0][tpl_password]\", \"pwd\")\n\tform.Set(\"template_users[0][tpl_public_keys]\", testPubKey)\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webTemplateUser, &b)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\trequire.Contains(t, rr.Body.String(), util.I18nErrorUserTemplate)\n}\n\nfunc TestUserTemplateRoleAndPermissions(t *testing.T) {\n\tr1 := getTestRole()\n\tr2 := getTestRole()\n\tr2.Name += \"_mod\"\n\trole1, resp, err := httpdtest.AddRole(r1, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\trole2, resp, err := httpdtest.AddRole(r2, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tadmin := getTestAdmin()\n\tadmin.Username = altAdminUsername\n\tadmin.Password = altAdminPassword\n\tadmin.Role = role1.Name\n\tadmin.Permissions = []string{dataprovider.PermAdminManageFolders, dataprovider.PermAdminChangeUsers,\n\t\tdataprovider.PermAdminViewUsers}\n\tadmin, _, err = httpdtest.AddAdmin(admin, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ttoken, err := getJWTWebTokenFromTestServer(altAdminUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\n\treq, _ := http.NewRequest(http.MethodGet, webTemplateUser, nil)\n\tsetJWTCookieForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webTemplateFolder, token)\n\tassert.NoError(t, err)\n\tuser1 := \"u1\"\n\tuser2 := \"u2\"\n\tform := make(url.Values)\n\tform.Set(\"username\", \"\")\n\tform.Set(\"role\", role2.Name)\n\tform.Set(\"home_dir\", filepath.Join(os.TempDir(), \"%username%\"))\n\tform.Set(\"upload_bandwidth\", \"0\")\n\tform.Set(\"download_bandwidth\", \"0\")\n\tform.Set(\"upload_data_transfer\", \"0\")\n\tform.Set(\"download_data_transfer\", \"0\")\n\tform.Set(\"total_data_transfer\", \"0\")\n\tform.Set(\"uid\", \"0\")\n\tform.Set(\"gid\", \"0\")\n\tform.Set(\"max_sessions\", \"0\")\n\tform.Set(\"quota_size\", \"0\")\n\tform.Set(\"quota_files\", \"0\")\n\tform.Set(\"permissions\", \"*\")\n\tform.Set(\"status\", \"1\")\n\tform.Set(\"expiration_date\", \"\")\n\tform.Set(\"fs_provider\", \"0\")\n\tform.Set(\"max_upload_file_size\", \"0\")\n\tform.Set(\"default_shares_expiration\", \"0\")\n\tform.Set(\"max_shares_expiration\", \"0\")\n\tform.Set(\"password_expiration\", \"0\")\n\tform.Set(\"password_strength\", \"0\")\n\tform.Set(\"external_auth_cache_time\", \"0\")\n\tform.Add(\"template_users[0][tpl_username]\", user1)\n\tform.Add(\"template_users[0][tpl_password]\", \"password1\")\n\tform.Add(\"template_users[0][tpl_public_keys]\", \" \")\n\tform.Add(\"template_users[1][tpl_username]\", user2)\n\tform.Add(\"template_users[1][tpl_public_keys]\", testPubKey)\n\tform.Set(csrfFormToken, csrfToken)\n\tb, contentType, _ := getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webTemplateUser, &b)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\t// Add the required permissions\n\tadmin.Permissions = append(admin.Permissions, dataprovider.PermAdminAddUsers)\n\t_, _, err = httpdtest.UpdateAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\n\ttoken, err = getJWTWebTokenFromTestServer(altAdminUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\n\treq, _ = http.NewRequest(http.MethodGet, webTemplateUser, nil)\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tcsrfToken, err = getCSRFTokenFromInternalPageMock(webTemplateUser, token)\n\tassert.NoError(t, err)\n\tform.Set(csrfFormToken, csrfToken)\n\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webTemplateUser, &b)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\n\tu1, _, err := httpdtest.GetUserByUsername(user1, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, admin.Role, u1.Role)\n\tu2, _, err := httpdtest.GetUserByUsername(user2, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, admin.Role, u2.Role)\n\n\t_, err = httpdtest.RemoveUser(u1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(u2, http.StatusOK)\n\tassert.NoError(t, err)\n\t// Set an empty role\n\tform.Set(\"role\", \"\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webTemplateUser, &b)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\n\tu1, _, err = httpdtest.GetUserByUsername(user1, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, admin.Role, u1.Role)\n\tu2, _, err = httpdtest.GetUserByUsername(user2, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, admin.Role, u2.Role)\n\n\t_, err = httpdtest.RemoveUser(u1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(u2, http.StatusOK)\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveRole(role1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveRole(role2, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestUserPlaceholders(t *testing.T) {\n\ttoken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webUserPath, token)\n\tassert.NoError(t, err)\n\tu := getTestUser()\n\tu.HomeDir = filepath.Join(os.TempDir(), \"%username%_%password%\")\n\tform := make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"username\", u.Username)\n\tform.Set(\"home_dir\", u.HomeDir)\n\tform.Set(\"password\", u.Password)\n\tform.Set(\"status\", strconv.Itoa(u.Status))\n\tform.Set(\"expiration_date\", \"\")\n\tform.Set(\"permissions\", \"*\")\n\tform.Set(\"public_keys[0][public_key]\", testPubKey)\n\tform.Set(\"public_keys[1][public_key]\", testPubKey1)\n\tform.Set(\"uid\", \"0\")\n\tform.Set(\"gid\", \"0\")\n\tform.Set(\"max_sessions\", \"0\")\n\tform.Set(\"quota_size\", \"0\")\n\tform.Set(\"quota_files\", \"0\")\n\tform.Set(\"upload_bandwidth\", \"0\")\n\tform.Set(\"download_bandwidth\", \"0\")\n\tform.Set(\"total_data_transfer\", \"0\")\n\tform.Set(\"upload_data_transfer\", \"0\")\n\tform.Set(\"download_data_transfer\", \"0\")\n\tform.Set(\"external_auth_cache_time\", \"0\")\n\tform.Set(\"max_upload_file_size\", \"0\")\n\tform.Set(\"default_shares_expiration\", \"0\")\n\tform.Set(\"max_shares_expiration\", \"0\")\n\tform.Set(\"password_expiration\", \"0\")\n\tform.Set(\"password_strength\", \"0\")\n\tb, contentType, _ := getMultipartFormData(form, \"\", \"\")\n\treq, _ := http.NewRequest(http.MethodPost, webUserPath, &b)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\n\tuser, _, err := httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, filepath.Join(os.TempDir(), fmt.Sprintf(\"%v_%v\", defaultUsername, defaultPassword)), user.HomeDir)\n\n\tdbUser, err := dataprovider.UserExists(defaultUsername, \"\")\n\tassert.NoError(t, err)\n\tassert.True(t, dbUser.IsPasswordHashed())\n\thashedPwd := dbUser.Password\n\n\tform.Set(\"password\", redactedSecret)\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webUserPath, defaultUsername), &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\n\tuser, _, err = httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, filepath.Join(os.TempDir(), defaultUsername+\"_%password%\"), user.HomeDir)\n\t// check that the password was unchanged\n\tdbUser, err = dataprovider.UserExists(defaultUsername, \"\")\n\tassert.NoError(t, err)\n\tassert.True(t, dbUser.IsPasswordHashed())\n\tassert.Equal(t, hashedPwd, dbUser.Password)\n\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestFolderPlaceholders(t *testing.T) {\n\ttoken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webFolderPath, token)\n\tassert.NoError(t, err)\n\tfolderName := \"folderName\"\n\tform := make(url.Values)\n\tform.Set(\"name\", folderName)\n\tform.Set(\"mapped_path\", filepath.Join(os.TempDir(), \"%name%\"))\n\tform.Set(\"description\", \"desc folder %name%\")\n\tform.Set(csrfFormToken, csrfToken)\n\tb, contentType, _ := getMultipartFormData(form, \"\", \"\")\n\treq, err := http.NewRequest(http.MethodPost, webFolderPath, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\n\tfolderGet, _, err := httpdtest.GetFolderByName(folderName, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, filepath.Join(os.TempDir(), folderName), folderGet.MappedPath)\n\tassert.Equal(t, fmt.Sprintf(\"desc folder %v\", folderName), folderGet.Description)\n\n\tform.Set(\"mapped_path\", filepath.Join(os.TempDir(), \"%name%_%name%\"))\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webFolderPath, folderName), &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\n\tfolderGet, _, err = httpdtest.GetFolderByName(folderName, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, filepath.Join(os.TempDir(), fmt.Sprintf(\"%v_%v\", folderName, folderName)), folderGet.MappedPath)\n\tassert.Equal(t, fmt.Sprintf(\"desc folder %v\", folderName), folderGet.Description)\n\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName}, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestFolderSaveFromTemplateMock(t *testing.T) {\n\tfolder1 := \"f1\"\n\tfolder2 := \"f2\"\n\ttoken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webTemplateFolder, token)\n\tassert.NoError(t, err)\n\tform := make(url.Values)\n\tform.Set(\"name\", \"name\")\n\tform.Set(\"mapped_path\", filepath.Join(os.TempDir(), \"%name%\"))\n\tform.Set(\"description\", \"desc folder %name%\")\n\tform.Set(\"template_folders[0][tpl_foldername]\", folder1)\n\tform.Set(\"template_folders[1][tpl_foldername]\", folder2)\n\tform.Set(csrfFormToken, csrfToken)\n\tb, contentType, _ := getMultipartFormData(form, \"\", \"\")\n\treq, err := http.NewRequest(http.MethodPost, webTemplateFolder, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\n\t_, _, err = httpdtest.GetFolderByName(folder1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetFolderByName(folder2, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folder1}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folder2}, http.StatusOK)\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, err = http.NewRequest(http.MethodPost, webTemplateFolder, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\tproviderConf.BackupsPath = backupsPath\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n}\n\nfunc TestFolderTemplateErrors(t *testing.T) {\n\tfolderName := \"vfolder-template\"\n\tmappedPath := filepath.Join(os.TempDir(), \"%name%mapped%name%path\")\n\ttoken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webTemplateFolder, token)\n\tassert.NoError(t, err)\n\tform := make(url.Values)\n\tform.Set(\"name\", folderName)\n\tform.Set(\"mapped_path\", mappedPath)\n\tform.Set(\"description\", \"desc folder %name%\")\n\tform.Set(\"template_folders[0][tpl_foldername]\", \"folder1\")\n\tform.Set(\"template_folders[1][tpl_foldername]\", \"folder2\")\n\tform.Set(\"template_folders[2][tpl_foldername]\", \"folder3\")\n\tform.Set(\"template_folders[3][tpl_foldername]\", \"folder1 \")\n\tform.Add(\"template_folders[3][tpl_foldername]\", \" \")\n\tb, contentType, _ := getMultipartFormData(form, \"\", \"\")\n\treq, _ := http.NewRequest(http.MethodPost, webTemplateFolder, &b)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\tform.Set(csrfFormToken, csrfToken)\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webTemplateFolder+\"?param=p%C3%AO%GG\", &b)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidForm)\n\n\tform.Set(\"fs_provider\", \"1\")\n\tform.Set(\"s3_bucket\", \"bucket\")\n\tform.Set(\"s3_region\", \"us-east-1\")\n\tform.Set(\"s3_access_key\", \"%name%\")\n\tform.Set(\"s3_access_secret\", \"pwd%name%\")\n\tform.Set(\"s3_sse_customer_key\", \"key%name%\")\n\tform.Set(\"s3_key_prefix\", \"base/%name%\")\n\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webTemplateFolder, &b)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\n\tform.Set(\"s3_upload_part_size\", \"5\")\n\tform.Set(\"s3_upload_concurrency\", \"4\")\n\tform.Set(\"s3_download_part_max_time\", \"0\")\n\tform.Set(\"s3_upload_part_max_time\", \"0\")\n\tform.Set(\"s3_download_part_size\", \"6\")\n\tform.Set(\"s3_download_concurrency\", \"2\")\n\n\tform.Set(\"template_folders[0][tpl_foldername]\", \" \")\n\tform.Set(\"template_folders[1][tpl_foldername]\", \"\")\n\tform.Set(\"template_folders[2][tpl_foldername]\", \"\")\n\tform.Set(\"template_folders[3][tpl_foldername]\", \" \")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webTemplateFolder, &b)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorFolderTemplate)\n\n\tform.Set(\"template_folders[0][tpl_foldername]\", \"name\")\n\tform.Set(\"mapped_path\", \"relative-path\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, webTemplateFolder, &b)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidHomeDir)\n}\n\nfunc TestFolderTemplatePermission(t *testing.T) {\n\tadmin := getTestAdmin()\n\tadmin.Username = altAdminUsername\n\tadmin.Password = altAdminPassword\n\tadmin.Permissions = []string{dataprovider.PermAdminChangeUsers, dataprovider.PermAdminAddUsers, dataprovider.PermAdminViewUsers}\n\tadmin, _, err := httpdtest.AddAdmin(admin, http.StatusCreated)\n\tassert.NoError(t, err)\n\t// no permission to view or add folders from templates\n\ttoken, err := getJWTWebTokenFromTestServer(altAdminUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webTemplateUser, token)\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodGet, webTemplateFolder, nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = webTemplateFolder\n\tsetJWTCookieForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\tform := make(url.Values)\n\tform.Set(\"name\", \"name\")\n\tform.Set(\"mapped_path\", filepath.Join(os.TempDir(), \"%name%\"))\n\tform.Set(\"description\", \"desc folder %name%\")\n\tform.Set(\"template_folders[0][tpl_foldername]\", \"folder1\")\n\tform.Set(\"template_folders[1][tpl_foldername]\", \"folder2\")\n\tform.Set(csrfFormToken, csrfToken)\n\tb, contentType, _ := getMultipartFormData(form, \"\", \"\")\n\treq, err = http.NewRequest(http.MethodPost, webTemplateFolder, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\n\tadmin.Permissions = append(admin.Permissions, dataprovider.PermAdminManageFolders)\n\t_, _, err = httpdtest.UpdateAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\n\ttoken, err = getJWTWebTokenFromTestServer(altAdminUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\t_, err = getCSRFTokenFromInternalPageMock(webTemplateUser, token)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, webTemplateFolder, nil)\n\tassert.NoError(t, err)\n\treq.RequestURI = webTemplateFolder\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestWebUserS3Mock(t *testing.T) {\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tapiToken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webUserPath, webToken)\n\tassert.NoError(t, err)\n\tuser := getTestUser()\n\tuserAsJSON := getUserAsJSON(t, user)\n\treq, _ := http.NewRequest(http.MethodPost, userPath, bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, apiToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\terr = render.DecodeJSON(rr.Body, &user)\n\tassert.NoError(t, err)\n\tlastPwdChange := user.LastPasswordChange\n\tassert.Greater(t, lastPwdChange, int64(0))\n\tuser.FsConfig.Provider = sdk.S3FilesystemProvider\n\tuser.FsConfig.S3Config.Bucket = \"test\"\n\tuser.FsConfig.S3Config.Region = \"eu-west-1\"\n\tuser.FsConfig.S3Config.AccessKey = \"access-key\"\n\tuser.FsConfig.S3Config.AccessSecret = kms.NewPlainSecret(\"access-secret\")\n\tuser.FsConfig.S3Config.SSECustomerKey = kms.NewPlainSecret(\"enc-key\")\n\tuser.FsConfig.S3Config.RoleARN = \"arn:aws:iam::123456789012:user/Development/product_1234/*\"\n\tuser.FsConfig.S3Config.Endpoint = \"http://127.0.0.1:9000/path?a=b\"\n\tuser.FsConfig.S3Config.StorageClass = \"Standard\"\n\tuser.FsConfig.S3Config.KeyPrefix = \"somedir/subdir/\"\n\tuser.FsConfig.S3Config.UploadPartSize = 5\n\tuser.FsConfig.S3Config.UploadConcurrency = 4\n\tuser.FsConfig.S3Config.DownloadPartMaxTime = 60\n\tuser.FsConfig.S3Config.UploadPartMaxTime = 120\n\tuser.FsConfig.S3Config.DownloadPartSize = 6\n\tuser.FsConfig.S3Config.DownloadConcurrency = 3\n\tuser.FsConfig.S3Config.ForcePathStyle = true\n\tuser.FsConfig.S3Config.SkipTLSVerify = true\n\tuser.FsConfig.S3Config.ACL = \"public-read\"\n\tuser.Description = \"s3 tèst user\"\n\tform := make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"username\", user.Username)\n\tform.Set(\"password\", redactedSecret)\n\tform.Set(\"home_dir\", user.HomeDir)\n\tform.Set(\"uid\", \"0\")\n\tform.Set(\"gid\", strconv.FormatInt(int64(user.GID), 10))\n\tform.Set(\"max_sessions\", strconv.FormatInt(int64(user.MaxSessions), 10))\n\tform.Set(\"quota_size\", strconv.FormatInt(user.QuotaSize, 10))\n\tform.Set(\"quota_files\", strconv.FormatInt(int64(user.QuotaFiles), 10))\n\tform.Set(\"upload_bandwidth\", \"0\")\n\tform.Set(\"download_bandwidth\", \"0\")\n\tform.Set(\"upload_data_transfer\", \"0\")\n\tform.Set(\"download_data_transfer\", \"0\")\n\tform.Set(\"total_data_transfer\", \"0\")\n\tform.Set(\"external_auth_cache_time\", \"0\")\n\tform.Set(\"permissions\", \"*\")\n\tform.Set(\"status\", strconv.Itoa(user.Status))\n\tform.Set(\"expiration_date\", \"2020-01-01 00:00:00\")\n\tform.Set(\"allowed_ip\", \"\")\n\tform.Set(\"denied_ip\", \"\")\n\tform.Set(\"fs_provider\", \"1\")\n\tform.Set(\"s3_bucket\", user.FsConfig.S3Config.Bucket)\n\tform.Set(\"s3_region\", user.FsConfig.S3Config.Region)\n\tform.Set(\"s3_access_key\", user.FsConfig.S3Config.AccessKey)\n\tform.Set(\"s3_access_secret\", user.FsConfig.S3Config.AccessSecret.GetPayload())\n\tform.Set(\"s3_sse_customer_key\", user.FsConfig.S3Config.SSECustomerKey.GetPayload())\n\tform.Set(\"s3_role_arn\", user.FsConfig.S3Config.RoleARN)\n\tform.Set(\"s3_storage_class\", user.FsConfig.S3Config.StorageClass)\n\tform.Set(\"s3_acl\", user.FsConfig.S3Config.ACL)\n\tform.Set(\"s3_endpoint\", user.FsConfig.S3Config.Endpoint)\n\tform.Set(\"s3_key_prefix\", user.FsConfig.S3Config.KeyPrefix)\n\tform.Set(\"directory_patterns[0][pattern_path]\", \"/dir1\")\n\tform.Set(\"directory_patterns[0][patterns]\", \"*.jpg,*.png\")\n\tform.Set(\"directory_patterns[0][pattern_type]\", \"allowed\")\n\tform.Set(\"directory_patterns[0][pattern_policy]\", \"0\")\n\tform.Set(\"directory_patterns[1][pattern_path]\", \"/dir2\")\n\tform.Set(\"directory_patterns[1][patterns]\", \"*.zip\")\n\tform.Set(\"directory_patterns[1][pattern_type]\", \"denied\")\n\tform.Set(\"directory_patterns[1][pattern_policy]\", \"1\")\n\tform.Set(\"max_upload_file_size\", \"0\")\n\tform.Set(\"default_shares_expiration\", \"0\")\n\tform.Set(\"max_shares_expiration\", \"0\")\n\tform.Set(\"password_expiration\", \"0\")\n\tform.Set(\"password_strength\", \"0\")\n\tform.Set(\"ftp_security\", \"1\")\n\tform.Set(\"s3_force_path_style\", \"checked\")\n\tform.Set(\"s3_skip_tls_verify\", \"checked\")\n\tform.Set(\"description\", user.Description)\n\tform.Add(\"hooks\", \"pre_login_disabled\")\n\tform.Add(\"allow_api_key_auth\", \"1\")\n\t// test invalid s3_upload_part_size\n\tform.Set(\"s3_upload_part_size\", \"a\")\n\tb, contentType, _ := getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// test invalid s3_upload_concurrency\n\tform.Set(\"s3_upload_part_size\", strconv.FormatInt(user.FsConfig.S3Config.UploadPartSize, 10))\n\tform.Set(\"s3_upload_concurrency\", \"a\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// test invalid s3_download_part_size\n\tform.Set(\"s3_upload_concurrency\", strconv.Itoa(user.FsConfig.S3Config.UploadConcurrency))\n\tform.Set(\"s3_download_part_size\", \"a\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// test invalid s3_download_concurrency\n\tform.Set(\"s3_download_part_size\", strconv.FormatInt(user.FsConfig.S3Config.DownloadPartSize, 10))\n\tform.Set(\"s3_download_concurrency\", \"a\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// test invalid s3_download_part_max_time\n\tform.Set(\"s3_download_concurrency\", strconv.Itoa(user.FsConfig.S3Config.DownloadConcurrency))\n\tform.Set(\"s3_download_part_max_time\", \"a\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// test invalid s3_upload_part_max_time\n\tform.Set(\"s3_download_part_max_time\", strconv.Itoa(user.FsConfig.S3Config.DownloadPartMaxTime))\n\tform.Set(\"s3_upload_part_max_time\", \"a\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// now add the user\n\tform.Set(\"s3_upload_part_max_time\", strconv.Itoa(user.FsConfig.S3Config.UploadPartMaxTime))\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar updateUser dataprovider.User\n\terr = render.DecodeJSON(rr.Body, &updateUser)\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(1577836800000), updateUser.ExpirationDate)\n\tassert.Equal(t, updateUser.FsConfig.S3Config.Bucket, user.FsConfig.S3Config.Bucket)\n\tassert.Equal(t, updateUser.FsConfig.S3Config.Region, user.FsConfig.S3Config.Region)\n\tassert.Equal(t, updateUser.FsConfig.S3Config.AccessKey, user.FsConfig.S3Config.AccessKey)\n\tassert.Equal(t, updateUser.FsConfig.S3Config.RoleARN, user.FsConfig.S3Config.RoleARN)\n\tassert.Equal(t, updateUser.FsConfig.S3Config.StorageClass, user.FsConfig.S3Config.StorageClass)\n\tassert.Equal(t, updateUser.FsConfig.S3Config.ACL, user.FsConfig.S3Config.ACL)\n\tassert.Equal(t, updateUser.FsConfig.S3Config.Endpoint, user.FsConfig.S3Config.Endpoint)\n\tassert.Equal(t, updateUser.FsConfig.S3Config.KeyPrefix, user.FsConfig.S3Config.KeyPrefix)\n\tassert.Equal(t, updateUser.FsConfig.S3Config.UploadPartSize, user.FsConfig.S3Config.UploadPartSize)\n\tassert.Equal(t, updateUser.FsConfig.S3Config.UploadConcurrency, user.FsConfig.S3Config.UploadConcurrency)\n\tassert.Equal(t, updateUser.FsConfig.S3Config.DownloadPartMaxTime, user.FsConfig.S3Config.DownloadPartMaxTime)\n\tassert.Equal(t, updateUser.FsConfig.S3Config.UploadPartMaxTime, user.FsConfig.S3Config.UploadPartMaxTime)\n\tassert.Equal(t, updateUser.FsConfig.S3Config.DownloadPartSize, user.FsConfig.S3Config.DownloadPartSize)\n\tassert.Equal(t, updateUser.FsConfig.S3Config.DownloadConcurrency, user.FsConfig.S3Config.DownloadConcurrency)\n\tassert.Equal(t, lastPwdChange, updateUser.LastPasswordChange)\n\tassert.True(t, updateUser.FsConfig.S3Config.ForcePathStyle)\n\tassert.True(t, updateUser.FsConfig.S3Config.SkipTLSVerify)\n\tif assert.Equal(t, 2, len(updateUser.Filters.FilePatterns)) {\n\t\tfor _, filter := range updateUser.Filters.FilePatterns {\n\t\t\tswitch filter.Path {\n\t\t\tcase \"/dir1\":\n\t\t\t\tassert.Equal(t, sdk.DenyPolicyDefault, filter.DenyPolicy)\n\t\t\tcase \"/dir2\":\n\t\t\t\tassert.Equal(t, sdk.DenyPolicyHide, filter.DenyPolicy)\n\t\t\t}\n\t\t}\n\t}\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, updateUser.FsConfig.S3Config.AccessSecret.GetStatus())\n\tassert.NotEmpty(t, updateUser.FsConfig.S3Config.AccessSecret.GetPayload())\n\tassert.Empty(t, updateUser.FsConfig.S3Config.AccessSecret.GetKey())\n\tassert.Empty(t, updateUser.FsConfig.S3Config.AccessSecret.GetAdditionalData())\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, updateUser.FsConfig.S3Config.SSECustomerKey.GetStatus())\n\tassert.NotEmpty(t, updateUser.FsConfig.S3Config.SSECustomerKey.GetPayload())\n\tassert.Empty(t, updateUser.FsConfig.S3Config.SSECustomerKey.GetKey())\n\tassert.Empty(t, updateUser.FsConfig.S3Config.SSECustomerKey.GetAdditionalData())\n\tassert.Equal(t, user.Description, updateUser.Description)\n\tassert.True(t, updateUser.Filters.Hooks.PreLoginDisabled)\n\tassert.False(t, updateUser.Filters.Hooks.ExternalAuthDisabled)\n\tassert.False(t, updateUser.Filters.Hooks.CheckPasswordDisabled)\n\tassert.False(t, updateUser.Filters.DisableFsChecks)\n\tassert.True(t, updateUser.Filters.AllowAPIKeyAuth)\n\tassert.Equal(t, 1, updateUser.Filters.FTPSecurity)\n\t// now check that a redacted password is not saved\n\tform.Set(\"s3_access_secret\", redactedSecret)\n\tform.Set(\"s3_sse_customer_key\", redactedSecret)\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tvar lastUpdatedUser dataprovider.User\n\terr = render.DecodeJSON(rr.Body, &lastUpdatedUser)\n\tassert.NoError(t, err)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, lastUpdatedUser.FsConfig.S3Config.AccessSecret.GetStatus())\n\tassert.Equal(t, updateUser.FsConfig.S3Config.AccessSecret.GetPayload(), lastUpdatedUser.FsConfig.S3Config.AccessSecret.GetPayload())\n\tassert.Empty(t, lastUpdatedUser.FsConfig.S3Config.AccessSecret.GetKey())\n\tassert.Empty(t, lastUpdatedUser.FsConfig.S3Config.AccessSecret.GetAdditionalData())\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, lastUpdatedUser.FsConfig.S3Config.SSECustomerKey.GetStatus())\n\tassert.Equal(t, updateUser.FsConfig.S3Config.SSECustomerKey.GetPayload(), lastUpdatedUser.FsConfig.S3Config.SSECustomerKey.GetPayload())\n\tassert.Empty(t, lastUpdatedUser.FsConfig.S3Config.SSECustomerKey.GetKey())\n\tassert.Empty(t, lastUpdatedUser.FsConfig.S3Config.SSECustomerKey.GetAdditionalData())\n\tassert.Equal(t, lastPwdChange, lastUpdatedUser.LastPasswordChange)\n\t// now clear credentials\n\tform.Set(\"s3_access_key\", \"\")\n\tform.Set(\"s3_access_secret\", \"\")\n\tform.Set(\"s3_sse_customer_key\", \"\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar userGet dataprovider.User\n\terr = render.DecodeJSON(rr.Body, &userGet)\n\tassert.NoError(t, err)\n\tassert.Nil(t, userGet.FsConfig.S3Config.AccessSecret)\n\tassert.Nil(t, userGet.FsConfig.S3Config.SSECustomerKey)\n\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestWebUserGCSMock(t *testing.T) {\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tapiToken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webUserPath, webToken)\n\tassert.NoError(t, err)\n\tuser := getTestUser()\n\tuserAsJSON := getUserAsJSON(t, user)\n\treq, err := http.NewRequest(http.MethodPost, userPath, bytes.NewBuffer(userAsJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, apiToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\terr = render.DecodeJSON(rr.Body, &user)\n\tassert.NoError(t, err)\n\tcredentialsFilePath := filepath.Join(os.TempDir(), \"gcs.json\")\n\terr = createTestFile(credentialsFilePath, 0)\n\tassert.NoError(t, err)\n\tuser.FsConfig.Provider = sdk.GCSFilesystemProvider\n\tuser.FsConfig.GCSConfig.Bucket = \"test\"\n\tuser.FsConfig.GCSConfig.KeyPrefix = \"somedir/subdir/\"\n\tuser.FsConfig.GCSConfig.StorageClass = \"standard\"\n\tuser.FsConfig.GCSConfig.ACL = \"publicReadWrite\"\n\tuser.FsConfig.GCSConfig.UploadPartSize = 16\n\tuser.FsConfig.GCSConfig.UploadPartMaxTime = 32\n\tform := make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"username\", user.Username)\n\tform.Set(\"password\", redactedSecret)\n\tform.Set(\"home_dir\", user.HomeDir)\n\tform.Set(\"uid\", \"0\")\n\tform.Set(\"gid\", strconv.FormatInt(int64(user.GID), 10))\n\tform.Set(\"max_sessions\", strconv.FormatInt(int64(user.MaxSessions), 10))\n\tform.Set(\"quota_size\", strconv.FormatInt(user.QuotaSize, 10))\n\tform.Set(\"quota_files\", strconv.FormatInt(int64(user.QuotaFiles), 10))\n\tform.Set(\"upload_bandwidth\", \"0\")\n\tform.Set(\"download_bandwidth\", \"0\")\n\tform.Set(\"upload_data_transfer\", \"0\")\n\tform.Set(\"download_data_transfer\", \"0\")\n\tform.Set(\"total_data_transfer\", \"0\")\n\tform.Set(\"external_auth_cache_time\", \"0\")\n\tform.Set(\"permissions\", \"*\")\n\tform.Set(\"status\", strconv.Itoa(user.Status))\n\tform.Set(\"expiration_date\", \"2020-01-01 00:00:00\")\n\tform.Set(\"allowed_ip\", \"\")\n\tform.Set(\"denied_ip\", \"\")\n\tform.Set(\"fs_provider\", \"2\")\n\tform.Set(\"gcs_bucket\", user.FsConfig.GCSConfig.Bucket)\n\tform.Set(\"gcs_storage_class\", user.FsConfig.GCSConfig.StorageClass)\n\tform.Set(\"gcs_acl\", user.FsConfig.GCSConfig.ACL)\n\tform.Set(\"gcs_key_prefix\", user.FsConfig.GCSConfig.KeyPrefix)\n\tform.Set(\"gcs_upload_part_size\", strconv.FormatInt(user.FsConfig.GCSConfig.UploadPartSize, 10))\n\tform.Set(\"gcs_upload_part_max_time\", strconv.FormatInt(int64(user.FsConfig.GCSConfig.UploadPartMaxTime), 10))\n\tform.Set(\"directory_patterns[0][pattern_path]\", \"/dir1\")\n\tform.Set(\"directory_patterns[0][patterns]\", \"*.jpg,*.png\")\n\tform.Set(\"directory_patterns[0][pattern_type]\", \"allowed\")\n\tform.Set(\"max_upload_file_size\", \"0\")\n\tform.Set(\"default_shares_expiration\", \"0\")\n\tform.Set(\"max_shares_expiration\", \"0\")\n\tform.Set(\"password_expiration\", \"0\")\n\tform.Set(\"password_strength\", \"0\")\n\tform.Set(\"ftp_security\", \"1\")\n\tb, contentType, _ := getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tb, contentType, _ = getMultipartFormData(form, \"gcs_credential_file\", credentialsFilePath)\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\terr = createTestFile(credentialsFilePath, 4096)\n\tassert.NoError(t, err)\n\tb, contentType, _ = getMultipartFormData(form, \"gcs_credential_file\", credentialsFilePath)\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar updateUser dataprovider.User\n\terr = render.DecodeJSON(rr.Body, &updateUser)\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(1577836800000), updateUser.ExpirationDate)\n\tassert.Equal(t, user.FsConfig.Provider, updateUser.FsConfig.Provider)\n\tassert.Equal(t, user.FsConfig.GCSConfig.Bucket, updateUser.FsConfig.GCSConfig.Bucket)\n\tassert.Equal(t, user.FsConfig.GCSConfig.StorageClass, updateUser.FsConfig.GCSConfig.StorageClass)\n\tassert.Equal(t, user.FsConfig.GCSConfig.ACL, updateUser.FsConfig.GCSConfig.ACL)\n\tassert.Equal(t, user.FsConfig.GCSConfig.KeyPrefix, updateUser.FsConfig.GCSConfig.KeyPrefix)\n\tassert.Equal(t, user.FsConfig.GCSConfig.UploadPartSize, updateUser.FsConfig.GCSConfig.UploadPartSize)\n\tassert.Equal(t, user.FsConfig.GCSConfig.UploadPartMaxTime, updateUser.FsConfig.GCSConfig.UploadPartMaxTime)\n\tif assert.Len(t, updateUser.Filters.FilePatterns, 1) {\n\t\tassert.Equal(t, \"/dir1\", updateUser.Filters.FilePatterns[0].Path)\n\t\tassert.Len(t, updateUser.Filters.FilePatterns[0].AllowedPatterns, 2)\n\t\tassert.Contains(t, updateUser.Filters.FilePatterns[0].AllowedPatterns, \"*.png\")\n\t\tassert.Contains(t, updateUser.Filters.FilePatterns[0].AllowedPatterns, \"*.jpg\")\n\t}\n\tassert.Equal(t, 1, updateUser.Filters.FTPSecurity)\n\tform.Set(\"gcs_auto_credentials\", \"on\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tupdateUser = dataprovider.User{}\n\terr = render.DecodeJSON(rr.Body, &updateUser)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 1, updateUser.FsConfig.GCSConfig.AutomaticCredentials)\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\terr = os.Remove(credentialsFilePath)\n\tassert.NoError(t, err)\n}\n\nfunc TestWebUserHTTPFsMock(t *testing.T) {\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tapiToken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webUserPath, webToken)\n\tassert.NoError(t, err)\n\tuser := getTestUser()\n\tuserAsJSON := getUserAsJSON(t, user)\n\treq, err := http.NewRequest(http.MethodPost, userPath, bytes.NewBuffer(userAsJSON))\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, apiToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\terr = render.DecodeJSON(rr.Body, &user)\n\tassert.NoError(t, err)\n\tuser.FsConfig.Provider = sdk.HTTPFilesystemProvider\n\tuser.FsConfig.HTTPConfig = vfs.HTTPFsConfig{\n\t\tBaseHTTPFsConfig: sdk.BaseHTTPFsConfig{\n\t\t\tEndpoint: \"https://127.0.0.1:9999/api/v1\",\n\t\t\tUsername: defaultUsername,\n\t\t\tSkipTLSVerify: true,\n\t\t},\n\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t\tAPIKey: kms.NewPlainSecret(defaultTokenAuthPass),\n\t}\n\tform := make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"username\", user.Username)\n\tform.Set(\"password\", redactedSecret)\n\tform.Set(\"home_dir\", user.HomeDir)\n\tform.Set(\"uid\", \"0\")\n\tform.Set(\"gid\", strconv.FormatInt(int64(user.GID), 10))\n\tform.Set(\"max_sessions\", strconv.FormatInt(int64(user.MaxSessions), 10))\n\tform.Set(\"quota_size\", strconv.FormatInt(user.QuotaSize, 10))\n\tform.Set(\"quota_files\", strconv.FormatInt(int64(user.QuotaFiles), 10))\n\tform.Set(\"upload_bandwidth\", \"0\")\n\tform.Set(\"download_bandwidth\", \"0\")\n\tform.Set(\"upload_data_transfer\", \"0\")\n\tform.Set(\"download_data_transfer\", \"0\")\n\tform.Set(\"total_data_transfer\", \"0\")\n\tform.Set(\"external_auth_cache_time\", \"0\")\n\tform.Set(\"permissions\", \"*\")\n\tform.Set(\"status\", strconv.Itoa(user.Status))\n\tform.Set(\"expiration_date\", \"2020-01-01 00:00:00\")\n\tform.Set(\"allowed_ip\", \"\")\n\tform.Set(\"denied_ip\", \"\")\n\tform.Set(\"fs_provider\", \"6\")\n\tform.Set(\"http_endpoint\", user.FsConfig.HTTPConfig.Endpoint)\n\tform.Set(\"http_username\", user.FsConfig.HTTPConfig.Username)\n\tform.Set(\"http_password\", user.FsConfig.HTTPConfig.Password.GetPayload())\n\tform.Set(\"http_api_key\", user.FsConfig.HTTPConfig.APIKey.GetPayload())\n\tform.Set(\"http_skip_tls_verify\", \"checked\")\n\tform.Set(\"directory_patterns[0][pattern_path]\", \"/dir1\")\n\tform.Set(\"directory_patterns[0][patterns]\", \"*.jpg,*.png\")\n\tform.Set(\"directory_patterns[0][pattern_type]\", \"allowed\")\n\tform.Set(\"directory_patterns[1][pattern_path]\", \"/dir2\")\n\tform.Set(\"directory_patterns[1][patterns]\", \"*.zip\")\n\tform.Set(\"directory_patterns[1][pattern_type]\", \"denied\")\n\tform.Set(\"max_upload_file_size\", \"0\")\n\tform.Set(\"default_shares_expiration\", \"0\")\n\tform.Set(\"max_shares_expiration\", \"0\")\n\tform.Set(\"password_expiration\", \"0\")\n\tform.Set(\"password_strength\", \"0\")\n\tform.Set(\"http_equality_check_mode\", \"true\")\n\tb, contentType, _ := getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\t// check the updated user\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar updateUser dataprovider.User\n\terr = render.DecodeJSON(rr.Body, &updateUser)\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(1577836800000), updateUser.ExpirationDate)\n\tassert.Equal(t, 2, len(updateUser.Filters.FilePatterns))\n\tassert.Equal(t, user.FsConfig.HTTPConfig.Endpoint, updateUser.FsConfig.HTTPConfig.Endpoint)\n\tassert.Equal(t, user.FsConfig.HTTPConfig.Username, updateUser.FsConfig.HTTPConfig.Username)\n\tassert.Equal(t, user.FsConfig.HTTPConfig.SkipTLSVerify, updateUser.FsConfig.HTTPConfig.SkipTLSVerify)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, updateUser.FsConfig.HTTPConfig.Password.GetStatus())\n\tassert.NotEmpty(t, updateUser.FsConfig.HTTPConfig.Password.GetPayload())\n\tassert.Empty(t, updateUser.FsConfig.HTTPConfig.Password.GetKey())\n\tassert.Empty(t, updateUser.FsConfig.HTTPConfig.Password.GetAdditionalData())\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, updateUser.FsConfig.HTTPConfig.APIKey.GetStatus())\n\tassert.NotEmpty(t, updateUser.FsConfig.HTTPConfig.APIKey.GetPayload())\n\tassert.Empty(t, updateUser.FsConfig.HTTPConfig.APIKey.GetKey())\n\tassert.Empty(t, updateUser.FsConfig.HTTPConfig.APIKey.GetAdditionalData())\n\tassert.Equal(t, 1, updateUser.FsConfig.HTTPConfig.EqualityCheckMode)\n\t// now check that a redacted password is not saved\n\tform.Set(\"http_equality_check_mode\", \"\")\n\tform.Set(\"http_password\", \" \"+redactedSecret+\" \")\n\tform.Set(\"http_api_key\", redactedSecret)\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar lastUpdatedUser dataprovider.User\n\terr = render.DecodeJSON(rr.Body, &lastUpdatedUser)\n\tassert.NoError(t, err)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, lastUpdatedUser.FsConfig.HTTPConfig.Password.GetStatus())\n\tassert.Equal(t, updateUser.FsConfig.HTTPConfig.Password.GetPayload(), lastUpdatedUser.FsConfig.HTTPConfig.Password.GetPayload())\n\tassert.Empty(t, lastUpdatedUser.FsConfig.HTTPConfig.Password.GetKey())\n\tassert.Empty(t, lastUpdatedUser.FsConfig.HTTPConfig.Password.GetAdditionalData())\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, lastUpdatedUser.FsConfig.HTTPConfig.APIKey.GetStatus())\n\tassert.Equal(t, updateUser.FsConfig.HTTPConfig.APIKey.GetPayload(), lastUpdatedUser.FsConfig.HTTPConfig.APIKey.GetPayload())\n\tassert.Empty(t, lastUpdatedUser.FsConfig.HTTPConfig.APIKey.GetKey())\n\tassert.Empty(t, lastUpdatedUser.FsConfig.HTTPConfig.APIKey.GetAdditionalData())\n\tassert.Equal(t, 0, lastUpdatedUser.FsConfig.HTTPConfig.EqualityCheckMode)\n\n\treq, err = http.NewRequest(http.MethodDelete, path.Join(userPath, user.Username), nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestWebUserAzureBlobMock(t *testing.T) {\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tapiToken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webUserPath, webToken)\n\tassert.NoError(t, err)\n\tuser := getTestUser()\n\tuserAsJSON := getUserAsJSON(t, user)\n\treq, _ := http.NewRequest(http.MethodPost, userPath, bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, apiToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\terr = render.DecodeJSON(rr.Body, &user)\n\tassert.NoError(t, err)\n\tuser.FsConfig.Provider = sdk.AzureBlobFilesystemProvider\n\tuser.FsConfig.AzBlobConfig.Container = \"container\"\n\tuser.FsConfig.AzBlobConfig.AccountName = \"aname\"\n\tuser.FsConfig.AzBlobConfig.AccountKey = kms.NewPlainSecret(\"access-skey\")\n\tuser.FsConfig.AzBlobConfig.Endpoint = \"http://127.0.0.1:9000/path?b=c\"\n\tuser.FsConfig.AzBlobConfig.KeyPrefix = \"somedir/subdir/\"\n\tuser.FsConfig.AzBlobConfig.UploadPartSize = 5\n\tuser.FsConfig.AzBlobConfig.UploadConcurrency = 4\n\tuser.FsConfig.AzBlobConfig.DownloadPartSize = 3\n\tuser.FsConfig.AzBlobConfig.DownloadConcurrency = 6\n\tuser.FsConfig.AzBlobConfig.UseEmulator = true\n\tform := make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"username\", user.Username)\n\tform.Set(\"password\", redactedSecret)\n\tform.Set(\"home_dir\", user.HomeDir)\n\tform.Set(\"uid\", \"0\")\n\tform.Set(\"gid\", strconv.FormatInt(int64(user.GID), 10))\n\tform.Set(\"max_sessions\", strconv.FormatInt(int64(user.MaxSessions), 10))\n\tform.Set(\"quota_size\", strconv.FormatInt(user.QuotaSize, 10))\n\tform.Set(\"quota_files\", strconv.FormatInt(int64(user.QuotaFiles), 10))\n\tform.Set(\"upload_bandwidth\", \"0\")\n\tform.Set(\"download_bandwidth\", \"0\")\n\tform.Set(\"upload_data_transfer\", \"0\")\n\tform.Set(\"download_data_transfer\", \"0\")\n\tform.Set(\"total_data_transfer\", \"0\")\n\tform.Set(\"external_auth_cache_time\", \"0\")\n\tform.Set(\"permissions\", \"*\")\n\tform.Set(\"status\", strconv.Itoa(user.Status))\n\tform.Set(\"expiration_date\", \"2020-01-01 00:00:00\")\n\tform.Set(\"allowed_ip\", \"\")\n\tform.Set(\"denied_ip\", \"\")\n\tform.Set(\"fs_provider\", \"3\")\n\tform.Set(\"az_container\", user.FsConfig.AzBlobConfig.Container)\n\tform.Set(\"az_account_name\", user.FsConfig.AzBlobConfig.AccountName)\n\tform.Set(\"az_account_key\", user.FsConfig.AzBlobConfig.AccountKey.GetPayload())\n\tform.Set(\"az_endpoint\", user.FsConfig.AzBlobConfig.Endpoint)\n\tform.Set(\"az_key_prefix\", user.FsConfig.AzBlobConfig.KeyPrefix)\n\tform.Set(\"az_use_emulator\", \"checked\")\n\tform.Set(\"directory_patterns[0][pattern_path]\", \"/dir1\")\n\tform.Set(\"directory_patterns[0][patterns]\", \"*.jpg,*.png\")\n\tform.Set(\"directory_patterns[0][pattern_type]\", \"allowed\")\n\tform.Set(\"directory_patterns[1][pattern_path]\", \"/dir2\")\n\tform.Set(\"directory_patterns[1][patterns]\", \"*.zip\")\n\tform.Set(\"directory_patterns[1][pattern_type]\", \"denied\")\n\tform.Set(\"max_upload_file_size\", \"0\")\n\tform.Set(\"default_shares_expiration\", \"0\")\n\tform.Set(\"max_shares_expiration\", \"0\")\n\tform.Set(\"password_expiration\", \"0\")\n\tform.Set(\"password_strength\", \"0\")\n\t// test invalid az_upload_part_size\n\tform.Set(\"az_upload_part_size\", \"a\")\n\tb, contentType, _ := getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// test invalid az_upload_concurrency\n\tform.Set(\"az_upload_part_size\", strconv.FormatInt(user.FsConfig.AzBlobConfig.UploadPartSize, 10))\n\tform.Set(\"az_upload_concurrency\", \"a\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// test invalid az_download_part_size\n\tform.Set(\"az_upload_concurrency\", strconv.Itoa(user.FsConfig.AzBlobConfig.UploadConcurrency))\n\tform.Set(\"az_download_part_size\", \"a\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// test invalid az_download_concurrency\n\tform.Set(\"az_download_part_size\", strconv.FormatInt(user.FsConfig.AzBlobConfig.DownloadPartSize, 10))\n\tform.Set(\"az_download_concurrency\", \"a\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// now add the user\n\tform.Set(\"az_download_concurrency\", strconv.Itoa(user.FsConfig.AzBlobConfig.DownloadConcurrency))\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar updateUser dataprovider.User\n\terr = render.DecodeJSON(rr.Body, &updateUser)\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(1577836800000), updateUser.ExpirationDate)\n\tassert.Equal(t, updateUser.FsConfig.AzBlobConfig.Container, user.FsConfig.AzBlobConfig.Container)\n\tassert.Equal(t, updateUser.FsConfig.AzBlobConfig.AccountName, user.FsConfig.AzBlobConfig.AccountName)\n\tassert.Equal(t, updateUser.FsConfig.AzBlobConfig.Endpoint, user.FsConfig.AzBlobConfig.Endpoint)\n\tassert.Equal(t, updateUser.FsConfig.AzBlobConfig.KeyPrefix, user.FsConfig.AzBlobConfig.KeyPrefix)\n\tassert.Equal(t, updateUser.FsConfig.AzBlobConfig.UploadPartSize, user.FsConfig.AzBlobConfig.UploadPartSize)\n\tassert.Equal(t, updateUser.FsConfig.AzBlobConfig.UploadConcurrency, user.FsConfig.AzBlobConfig.UploadConcurrency)\n\tassert.Equal(t, updateUser.FsConfig.AzBlobConfig.DownloadPartSize, user.FsConfig.AzBlobConfig.DownloadPartSize)\n\tassert.Equal(t, updateUser.FsConfig.AzBlobConfig.DownloadConcurrency, user.FsConfig.AzBlobConfig.DownloadConcurrency)\n\tassert.Equal(t, 2, len(updateUser.Filters.FilePatterns))\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, updateUser.FsConfig.AzBlobConfig.AccountKey.GetStatus())\n\tassert.NotEmpty(t, updateUser.FsConfig.AzBlobConfig.AccountKey.GetPayload())\n\tassert.Empty(t, updateUser.FsConfig.AzBlobConfig.AccountKey.GetKey())\n\tassert.Empty(t, updateUser.FsConfig.AzBlobConfig.AccountKey.GetAdditionalData())\n\t// now check that a redacted password is not saved\n\tform.Set(\"az_account_key\", redactedSecret+\" \")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar lastUpdatedUser dataprovider.User\n\terr = render.DecodeJSON(rr.Body, &lastUpdatedUser)\n\tassert.NoError(t, err)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, lastUpdatedUser.FsConfig.AzBlobConfig.AccountKey.GetStatus())\n\tassert.Equal(t, updateUser.FsConfig.AzBlobConfig.AccountKey.GetPayload(), lastUpdatedUser.FsConfig.AzBlobConfig.AccountKey.GetPayload())\n\tassert.Empty(t, lastUpdatedUser.FsConfig.AzBlobConfig.AccountKey.GetKey())\n\tassert.Empty(t, lastUpdatedUser.FsConfig.AzBlobConfig.AccountKey.GetAdditionalData())\n\t// test SAS url\n\tuser.FsConfig.AzBlobConfig.SASURL = kms.NewPlainSecret(\"sasurl\")\n\tform.Set(\"az_account_name\", \"\")\n\tform.Set(\"az_account_key\", \"\")\n\tform.Set(\"az_container\", \"\")\n\tform.Set(\"az_sas_url\", user.FsConfig.AzBlobConfig.SASURL.GetPayload())\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tupdateUser = dataprovider.User{}\n\terr = render.DecodeJSON(rr.Body, &updateUser)\n\tassert.NoError(t, err)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, updateUser.FsConfig.AzBlobConfig.SASURL.GetStatus())\n\tassert.NotEmpty(t, updateUser.FsConfig.AzBlobConfig.SASURL.GetPayload())\n\tassert.Empty(t, updateUser.FsConfig.AzBlobConfig.SASURL.GetKey())\n\tassert.Empty(t, updateUser.FsConfig.AzBlobConfig.SASURL.GetAdditionalData())\n\t// now check that a redacted sas url is not saved\n\tform.Set(\"az_sas_url\", redactedSecret)\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tlastUpdatedUser = dataprovider.User{}\n\terr = render.DecodeJSON(rr.Body, &lastUpdatedUser)\n\tassert.NoError(t, err)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, lastUpdatedUser.FsConfig.AzBlobConfig.SASURL.GetStatus())\n\tassert.Equal(t, updateUser.FsConfig.AzBlobConfig.SASURL.GetPayload(), lastUpdatedUser.FsConfig.AzBlobConfig.SASURL.GetPayload())\n\tassert.Empty(t, lastUpdatedUser.FsConfig.AzBlobConfig.SASURL.GetKey())\n\tassert.Empty(t, lastUpdatedUser.FsConfig.AzBlobConfig.SASURL.GetAdditionalData())\n\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestWebUserCryptMock(t *testing.T) {\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tapiToken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webUserPath, webToken)\n\tassert.NoError(t, err)\n\tuser := getTestUser()\n\tuserAsJSON := getUserAsJSON(t, user)\n\treq, _ := http.NewRequest(http.MethodPost, userPath, bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, apiToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\terr = render.DecodeJSON(rr.Body, &user)\n\tassert.NoError(t, err)\n\tuser.FsConfig.Provider = sdk.CryptedFilesystemProvider\n\tuser.FsConfig.CryptConfig.Passphrase = kms.NewPlainSecret(\"crypted passphrase\")\n\tform := make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"username\", user.Username)\n\tform.Set(\"password\", redactedSecret)\n\tform.Set(\"home_dir\", user.HomeDir)\n\tform.Set(\"uid\", \"0\")\n\tform.Set(\"gid\", strconv.FormatInt(int64(user.GID), 10))\n\tform.Set(\"max_sessions\", strconv.FormatInt(int64(user.MaxSessions), 10))\n\tform.Set(\"quota_size\", strconv.FormatInt(user.QuotaSize, 10))\n\tform.Set(\"quota_files\", strconv.FormatInt(int64(user.QuotaFiles), 10))\n\tform.Set(\"upload_bandwidth\", \"0\")\n\tform.Set(\"download_bandwidth\", \"0\")\n\tform.Set(\"upload_data_transfer\", \"0\")\n\tform.Set(\"download_data_transfer\", \"0\")\n\tform.Set(\"total_data_transfer\", \"0\")\n\tform.Set(\"external_auth_cache_time\", \"0\")\n\tform.Set(\"permissions\", \"*\")\n\tform.Set(\"status\", strconv.Itoa(user.Status))\n\tform.Set(\"expiration_date\", \"2020-01-01 00:00:00\")\n\tform.Set(\"allowed_ip\", \"\")\n\tform.Set(\"denied_ip\", \"\")\n\tform.Set(\"fs_provider\", \"4\")\n\tform.Set(\"crypt_passphrase\", \"\")\n\tform.Set(\"cryptfs_read_buffer_size\", \"1\")\n\tform.Set(\"cryptfs_write_buffer_size\", \"2\")\n\tform.Set(\"directory_patterns[0][pattern_path]\", \"/dir1\")\n\tform.Set(\"directory_patterns[0][patterns]\", \"*.jpg,*.png\")\n\tform.Set(\"directory_patterns[0][pattern_type]\", \"allowed\")\n\tform.Set(\"directory_patterns[1][pattern_path]\", \"/dir2\")\n\tform.Set(\"directory_patterns[1][patterns]\", \"*.zip\")\n\tform.Set(\"directory_patterns[1][pattern_type]\", \"denied\")\n\tform.Set(\"max_upload_file_size\", \"0\")\n\tform.Set(\"default_shares_expiration\", \"0\")\n\tform.Set(\"max_shares_expiration\", \"0\")\n\tform.Set(\"password_expiration\", \"0\")\n\tform.Set(\"password_strength\", \"0\")\n\t// passphrase cannot be empty\n\tb, contentType, _ := getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tform.Set(\"crypt_passphrase\", user.FsConfig.CryptConfig.Passphrase.GetPayload())\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar updateUser dataprovider.User\n\terr = render.DecodeJSON(rr.Body, &updateUser)\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(1577836800000), updateUser.ExpirationDate)\n\tassert.Equal(t, 2, len(updateUser.Filters.FilePatterns))\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, updateUser.FsConfig.CryptConfig.Passphrase.GetStatus())\n\tassert.NotEmpty(t, updateUser.FsConfig.CryptConfig.Passphrase.GetPayload())\n\tassert.Empty(t, updateUser.FsConfig.CryptConfig.Passphrase.GetKey())\n\tassert.Empty(t, updateUser.FsConfig.CryptConfig.Passphrase.GetAdditionalData())\n\tassert.Equal(t, 1, updateUser.FsConfig.CryptConfig.ReadBufferSize)\n\tassert.Equal(t, 2, updateUser.FsConfig.CryptConfig.WriteBufferSize)\n\t// now check that a redacted password is not saved\n\tform.Set(\"crypt_passphrase\", redactedSecret+\" \")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar lastUpdatedUser dataprovider.User\n\terr = render.DecodeJSON(rr.Body, &lastUpdatedUser)\n\tassert.NoError(t, err)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, lastUpdatedUser.FsConfig.CryptConfig.Passphrase.GetStatus())\n\tassert.Equal(t, updateUser.FsConfig.CryptConfig.Passphrase.GetPayload(), lastUpdatedUser.FsConfig.CryptConfig.Passphrase.GetPayload())\n\tassert.Empty(t, lastUpdatedUser.FsConfig.CryptConfig.Passphrase.GetKey())\n\tassert.Empty(t, lastUpdatedUser.FsConfig.CryptConfig.Passphrase.GetAdditionalData())\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestWebUserSFTPFsMock(t *testing.T) {\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tapiToken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webUserPath, webToken)\n\tassert.NoError(t, err)\n\tuser := getTestUser()\n\tuserAsJSON := getUserAsJSON(t, user)\n\treq, _ := http.NewRequest(http.MethodPost, userPath, bytes.NewBuffer(userAsJSON))\n\tsetBearerForReq(req, apiToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusCreated, rr)\n\terr = render.DecodeJSON(rr.Body, &user)\n\tassert.NoError(t, err)\n\tuser.FsConfig.Provider = sdk.SFTPFilesystemProvider\n\tuser.FsConfig.SFTPConfig.Endpoint = \"127.0.0.1:22\"\n\tuser.FsConfig.SFTPConfig.Username = \"sftpuser\"\n\tuser.FsConfig.SFTPConfig.Password = kms.NewPlainSecret(\"pwd\")\n\tuser.FsConfig.SFTPConfig.PrivateKey = kms.NewPlainSecret(testPrivateKeyPwd)\n\tuser.FsConfig.SFTPConfig.KeyPassphrase = kms.NewPlainSecret(privateKeyPwd)\n\tuser.FsConfig.SFTPConfig.Fingerprints = []string{sftpPkeyFingerprint}\n\tuser.FsConfig.SFTPConfig.Prefix = \"/home/sftpuser\"\n\tuser.FsConfig.SFTPConfig.DisableCouncurrentReads = true\n\tuser.FsConfig.SFTPConfig.BufferSize = 5\n\tform := make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"username\", user.Username)\n\tform.Set(\"password\", redactedSecret)\n\tform.Set(\"home_dir\", user.HomeDir)\n\tform.Set(\"uid\", \"0\")\n\tform.Set(\"gid\", strconv.FormatInt(int64(user.GID), 10))\n\tform.Set(\"max_sessions\", strconv.FormatInt(int64(user.MaxSessions), 10))\n\tform.Set(\"quota_size\", strconv.FormatInt(user.QuotaSize, 10))\n\tform.Set(\"quota_files\", strconv.FormatInt(int64(user.QuotaFiles), 10))\n\tform.Set(\"upload_bandwidth\", \"0\")\n\tform.Set(\"download_bandwidth\", \"0\")\n\tform.Set(\"upload_data_transfer\", \"0\")\n\tform.Set(\"download_data_transfer\", \"0\")\n\tform.Set(\"total_data_transfer\", \"0\")\n\tform.Set(\"external_auth_cache_time\", \"0\")\n\tform.Set(\"permissions\", \"*\")\n\tform.Set(\"status\", strconv.Itoa(user.Status))\n\tform.Set(\"expiration_date\", \"2020-01-01 00:00:00\")\n\tform.Set(\"allowed_ip\", \"\")\n\tform.Set(\"denied_ip\", \"\")\n\tform.Set(\"fs_provider\", \"5\")\n\tform.Set(\"crypt_passphrase\", \"\")\n\tform.Set(\"directory_patterns[0][pattern_path]\", \"/dir1\")\n\tform.Set(\"directory_patterns[0][patterns]\", \"*.jpg,*.png\")\n\tform.Set(\"directory_patterns[0][pattern_type]\", \"allowed\")\n\tform.Set(\"directory_patterns[1][pattern_path]\", \"/dir2\")\n\tform.Set(\"directory_patterns[1][patterns]\", \"*.zip\")\n\tform.Set(\"directory_patterns[1][pattern_type]\", \"denied\")\n\tform.Set(\"max_upload_file_size\", \"0\")\n\tform.Set(\"default_shares_expiration\", \"0\")\n\tform.Set(\"max_shares_expiration\", \"0\")\n\tform.Set(\"password_expiration\", \"0\")\n\tform.Set(\"password_strength\", \"0\")\n\t// empty sftpconfig\n\tb, contentType, _ := getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tform.Set(\"sftp_endpoint\", user.FsConfig.SFTPConfig.Endpoint)\n\tform.Set(\"sftp_username\", user.FsConfig.SFTPConfig.Username)\n\tform.Set(\"sftp_password\", user.FsConfig.SFTPConfig.Password.GetPayload())\n\tform.Set(\"sftp_private_key\", user.FsConfig.SFTPConfig.PrivateKey.GetPayload())\n\tform.Set(\"sftp_key_passphrase\", user.FsConfig.SFTPConfig.KeyPassphrase.GetPayload())\n\tform.Set(\"sftp_fingerprints\", user.FsConfig.SFTPConfig.Fingerprints[0])\n\tform.Set(\"sftp_prefix\", user.FsConfig.SFTPConfig.Prefix)\n\tform.Set(\"sftp_disable_concurrent_reads\", \"true\")\n\tform.Set(\"sftp_equality_check_mode\", \"true\")\n\tform.Set(\"sftp_buffer_size\", strconv.FormatInt(user.FsConfig.SFTPConfig.BufferSize, 10))\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar updateUser dataprovider.User\n\terr = render.DecodeJSON(rr.Body, &updateUser)\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(1577836800000), updateUser.ExpirationDate)\n\tassert.Equal(t, 2, len(updateUser.Filters.FilePatterns))\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, updateUser.FsConfig.SFTPConfig.Password.GetStatus())\n\tassert.NotEmpty(t, updateUser.FsConfig.SFTPConfig.Password.GetPayload())\n\tassert.Empty(t, updateUser.FsConfig.SFTPConfig.Password.GetKey())\n\tassert.Empty(t, updateUser.FsConfig.SFTPConfig.Password.GetAdditionalData())\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, updateUser.FsConfig.SFTPConfig.PrivateKey.GetStatus())\n\tassert.NotEmpty(t, updateUser.FsConfig.SFTPConfig.PrivateKey.GetPayload())\n\tassert.Empty(t, updateUser.FsConfig.SFTPConfig.PrivateKey.GetKey())\n\tassert.Empty(t, updateUser.FsConfig.SFTPConfig.PrivateKey.GetAdditionalData())\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, updateUser.FsConfig.SFTPConfig.KeyPassphrase.GetStatus())\n\tassert.NotEmpty(t, updateUser.FsConfig.SFTPConfig.KeyPassphrase.GetPayload())\n\tassert.Empty(t, updateUser.FsConfig.SFTPConfig.KeyPassphrase.GetKey())\n\tassert.Empty(t, updateUser.FsConfig.SFTPConfig.KeyPassphrase.GetAdditionalData())\n\tassert.Equal(t, updateUser.FsConfig.SFTPConfig.Prefix, user.FsConfig.SFTPConfig.Prefix)\n\tassert.Equal(t, updateUser.FsConfig.SFTPConfig.Username, user.FsConfig.SFTPConfig.Username)\n\tassert.Equal(t, updateUser.FsConfig.SFTPConfig.Endpoint, user.FsConfig.SFTPConfig.Endpoint)\n\tassert.True(t, updateUser.FsConfig.SFTPConfig.DisableCouncurrentReads)\n\tassert.Len(t, updateUser.FsConfig.SFTPConfig.Fingerprints, 1)\n\tassert.Equal(t, user.FsConfig.SFTPConfig.BufferSize, updateUser.FsConfig.SFTPConfig.BufferSize)\n\tassert.Contains(t, updateUser.FsConfig.SFTPConfig.Fingerprints, sftpPkeyFingerprint)\n\tassert.Equal(t, 1, updateUser.FsConfig.SFTPConfig.EqualityCheckMode)\n\t// now check that a redacted credentials are not saved\n\tform.Set(\"sftp_password\", redactedSecret+\" \")\n\tform.Set(\"sftp_private_key\", redactedSecret)\n\tform.Set(\"sftp_key_passphrase\", redactedSecret)\n\tform.Set(\"sftp_equality_check_mode\", \"\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar lastUpdatedUser dataprovider.User\n\terr = render.DecodeJSON(rr.Body, &lastUpdatedUser)\n\tassert.NoError(t, err)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, lastUpdatedUser.FsConfig.SFTPConfig.Password.GetStatus())\n\tassert.Equal(t, updateUser.FsConfig.SFTPConfig.Password.GetPayload(), lastUpdatedUser.FsConfig.SFTPConfig.Password.GetPayload())\n\tassert.Empty(t, lastUpdatedUser.FsConfig.SFTPConfig.Password.GetKey())\n\tassert.Empty(t, lastUpdatedUser.FsConfig.SFTPConfig.Password.GetAdditionalData())\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, lastUpdatedUser.FsConfig.SFTPConfig.PrivateKey.GetStatus())\n\tassert.Equal(t, updateUser.FsConfig.SFTPConfig.PrivateKey.GetPayload(), lastUpdatedUser.FsConfig.SFTPConfig.PrivateKey.GetPayload())\n\tassert.Empty(t, lastUpdatedUser.FsConfig.SFTPConfig.PrivateKey.GetKey())\n\tassert.Empty(t, lastUpdatedUser.FsConfig.SFTPConfig.PrivateKey.GetAdditionalData())\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, lastUpdatedUser.FsConfig.SFTPConfig.KeyPassphrase.GetStatus())\n\tassert.Equal(t, updateUser.FsConfig.SFTPConfig.KeyPassphrase.GetPayload(), lastUpdatedUser.FsConfig.SFTPConfig.KeyPassphrase.GetPayload())\n\tassert.Empty(t, lastUpdatedUser.FsConfig.SFTPConfig.KeyPassphrase.GetKey())\n\tassert.Empty(t, lastUpdatedUser.FsConfig.SFTPConfig.KeyPassphrase.GetAdditionalData())\n\tassert.Equal(t, 0, lastUpdatedUser.FsConfig.SFTPConfig.EqualityCheckMode)\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(userPath, user.Username), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestWebUserRole(t *testing.T) {\n\trole, resp, err := httpdtest.AddRole(getTestRole(), http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\ta := getTestAdmin()\n\ta.Username = altAdminUsername\n\ta.Password = altAdminPassword\n\ta.Role = role.Name\n\ta.Permissions = []string{dataprovider.PermAdminAddUsers, dataprovider.PermAdminChangeUsers,\n\t\tdataprovider.PermAdminDeleteUsers, dataprovider.PermAdminViewUsers}\n\tadmin, _, err := httpdtest.AddAdmin(a, http.StatusCreated)\n\tassert.NoError(t, err)\n\twebToken, err := getJWTWebTokenFromTestServer(altAdminUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webUserPath, webToken)\n\tassert.NoError(t, err)\n\tuser := getTestUser()\n\tform := make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"username\", user.Username)\n\tform.Set(\"home_dir\", user.HomeDir)\n\tform.Set(\"password\", user.Password)\n\tform.Set(\"status\", strconv.Itoa(user.Status))\n\tform.Set(\"permissions\", \"*\")\n\tform.Set(\"external_auth_cache_time\", \"0\")\n\tform.Set(\"uid\", \"0\")\n\tform.Set(\"gid\", \"0\")\n\tform.Set(\"max_sessions\", \"0\")\n\tform.Set(\"quota_size\", \"0\")\n\tform.Set(\"quota_files\", \"0\")\n\tform.Set(\"upload_bandwidth\", strconv.FormatInt(user.UploadBandwidth, 10))\n\tform.Set(\"download_bandwidth\", strconv.FormatInt(user.DownloadBandwidth, 10))\n\tform.Set(\"upload_data_transfer\", strconv.FormatInt(user.UploadDataTransfer, 10))\n\tform.Set(\"download_data_transfer\", strconv.FormatInt(user.DownloadDataTransfer, 10))\n\tform.Set(\"total_data_transfer\", strconv.FormatInt(user.TotalDataTransfer, 10))\n\tform.Set(\"max_upload_file_size\", \"0\")\n\tform.Set(\"default_shares_expiration\", \"10\")\n\tform.Set(\"max_shares_expiration\", \"0\")\n\tform.Set(\"password_expiration\", \"0\")\n\tform.Set(\"password_strength\", \"0\")\n\tb, contentType, _ := getMultipartFormData(form, \"\", \"\")\n\treq, err := http.NewRequest(http.MethodPost, webUserPath, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, role.Name, user.Role)\n\n\tform.Set(\"role\", \"\")\n\tb, contentType, _ = getMultipartFormData(form, \"\", \"\")\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, role.Name, user.Role)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveRole(role, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestWebEventAction(t *testing.T) {\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tapiToken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webAdminEventActionPath, webToken)\n\tassert.NoError(t, err)\n\taction := dataprovider.BaseEventAction{\n\t\tName: \"web_action_http\",\n\t\tDescription: \"http web action\",\n\t\tType: dataprovider.ActionTypeHTTP,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tHTTPConfig: dataprovider.EventActionHTTPConfig{\n\t\t\t\tEndpoint: \"https://localhost:4567/action\",\n\t\t\t\tUsername: defaultUsername,\n\t\t\t\tHeaders: []dataprovider.KeyValue{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"Content-Type\",\n\t\t\t\t\t\tValue: \"application/json\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t\t\t\tTimeout: 10,\n\t\t\t\tSkipTLSVerify: true,\n\t\t\t\tMethod: http.MethodPost,\n\t\t\t\tQueryParameters: []dataprovider.KeyValue{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: \"param1\",\n\t\t\t\t\t\tValue: \"value1\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tBody: `{\"event\":\"{{.Event}}\",\"name\":\"{{.Name}}\"}`,\n\t\t\t},\n\t\t},\n\t}\n\tform := make(url.Values)\n\tform.Set(\"name\", action.Name)\n\tform.Set(\"description\", action.Description)\n\tform.Set(\"fs_action_type\", \"0\")\n\tform.Set(\"type\", \"a\")\n\treq, err := http.NewRequest(http.MethodPost, webAdminEventActionPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\tform.Set(\"type\", fmt.Sprintf(\"%d\", action.Type))\n\tform.Set(\"http_timeout\", \"b\")\n\treq, err = http.NewRequest(http.MethodPost, webAdminEventActionPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\tform.Set(\"cmd_timeout\", \"20\")\n\tform.Set(\"pwd_expiration_threshold\", \"10\")\n\tform.Set(\"http_timeout\", fmt.Sprintf(\"%d\", action.Options.HTTPConfig.Timeout))\n\tform.Set(\"http_headers[0][http_header_key]\", action.Options.HTTPConfig.Headers[0].Key)\n\tform.Set(\"http_headers[0][http_header_value]\", action.Options.HTTPConfig.Headers[0].Value)\n\tform.Set(\"http_headers[1][http_header_key]\", action.Options.HTTPConfig.Headers[0].Key) // ignored\n\tform.Set(\"query_parameters[0][http_query_key]\", action.Options.HTTPConfig.QueryParameters[0].Key)\n\tform.Set(\"query_parameters[0][http_query_value]\", action.Options.HTTPConfig.QueryParameters[0].Value)\n\tform.Set(\"http_body\", action.Options.HTTPConfig.Body)\n\tform.Set(\"http_skip_tls_verify\", \"1\")\n\tform.Set(\"http_username\", action.Options.HTTPConfig.Username)\n\tform.Set(\"http_password\", action.Options.HTTPConfig.Password.GetPayload())\n\tform.Set(\"http_method\", action.Options.HTTPConfig.Method)\n\treq, err = http.NewRequest(http.MethodPost, webAdminEventActionPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\tform.Set(csrfFormToken, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webAdminEventActionPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorURLRequired)\n\tform.Set(\"http_endpoint\", action.Options.HTTPConfig.Endpoint)\n\treq, err = http.NewRequest(http.MethodPost, webAdminEventActionPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\t// a new add will fail\n\treq, err = http.NewRequest(http.MethodPost, webAdminEventActionPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// list actions\n\treq, err = http.NewRequest(http.MethodGet, webAdminEventActionsPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\treq, err = http.NewRequest(http.MethodGet, webAdminEventActionsPath+jsonAPISuffix, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// render add page\n\treq, err = http.NewRequest(http.MethodGet, webAdminEventActionPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// render action page\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webAdminEventActionPath, action.Name), nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// missing action\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webAdminEventActionPath, action.Name+\"1\"), nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\t// check the action\n\tactionGet, _, err := httpdtest.GetEventActionByName(action.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, action.Type, actionGet.Type)\n\tassert.Equal(t, action.Description, actionGet.Description)\n\tassert.Equal(t, action.Options.HTTPConfig.Body, actionGet.Options.HTTPConfig.Body)\n\tassert.Equal(t, action.Options.HTTPConfig.Endpoint, actionGet.Options.HTTPConfig.Endpoint)\n\tassert.Equal(t, action.Options.HTTPConfig.Headers, actionGet.Options.HTTPConfig.Headers)\n\tassert.Equal(t, action.Options.HTTPConfig.Method, actionGet.Options.HTTPConfig.Method)\n\tassert.Equal(t, action.Options.HTTPConfig.SkipTLSVerify, actionGet.Options.HTTPConfig.SkipTLSVerify)\n\tassert.Equal(t, action.Options.HTTPConfig.Timeout, actionGet.Options.HTTPConfig.Timeout)\n\tassert.Equal(t, action.Options.HTTPConfig.Username, actionGet.Options.HTTPConfig.Username)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, actionGet.Options.HTTPConfig.Password.GetStatus())\n\tassert.NotEmpty(t, actionGet.Options.HTTPConfig.Password.GetPayload())\n\tassert.Empty(t, actionGet.Options.HTTPConfig.Password.GetKey())\n\tassert.Empty(t, actionGet.Options.HTTPConfig.Password.GetAdditionalData())\n\t// update and check that the password is preserved and the multipart fields\n\tform.Set(\"http_password\", redactedSecret)\n\tform.Set(\"http_body\", \"\")\n\tform.Set(\"http_timeout\", \"0\")\n\tform.Del(\"http_headers[0][http_header_key]\")\n\tform.Del(\"http_headers[0][http_header_val]\")\n\tform.Set(\"multipart_body[0][http_part_name]\", \"part1\")\n\tform.Set(\"multipart_body[0][http_part_file]\", \"{{.VirtualPath}}\")\n\tform.Set(\"multipart_body[0][http_part_body]\", \"\")\n\tform.Set(\"multipart_body[0][http_part_headers]\", \"X-MyHeader: a:b,c\")\n\tform.Set(\"multipart_body[12][http_part_name]\", \"part2\")\n\tform.Set(\"multipart_body[12][http_part_headers]\", \"Content-Type:application/json \\r\\n\")\n\tform.Set(\"multipart_body[12][http_part_body]\", \"{{.ObjectData}}\")\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventActionPath, action.Name),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\tdbAction, err := dataprovider.EventActionExists(action.Name)\n\tassert.NoError(t, err)\n\terr = dbAction.Options.HTTPConfig.Password.Decrypt()\n\tassert.NoError(t, err)\n\tassert.Equal(t, defaultPassword, dbAction.Options.HTTPConfig.Password.GetPayload())\n\tassert.Empty(t, dbAction.Options.HTTPConfig.Body)\n\tassert.Equal(t, 0, dbAction.Options.HTTPConfig.Timeout)\n\tif assert.Len(t, dbAction.Options.HTTPConfig.Parts, 2) {\n\t\tassert.Equal(t, \"part1\", dbAction.Options.HTTPConfig.Parts[0].Name)\n\t\tassert.Equal(t, \"/{{.VirtualPath}}\", dbAction.Options.HTTPConfig.Parts[0].Filepath)\n\t\tassert.Empty(t, dbAction.Options.HTTPConfig.Parts[0].Body)\n\t\tassert.Equal(t, \"X-MyHeader\", dbAction.Options.HTTPConfig.Parts[0].Headers[0].Key)\n\t\tassert.Equal(t, \"a:b,c\", dbAction.Options.HTTPConfig.Parts[0].Headers[0].Value)\n\t\tassert.Equal(t, \"part2\", dbAction.Options.HTTPConfig.Parts[1].Name)\n\t\tassert.Equal(t, \"{{.ObjectData}}\", dbAction.Options.HTTPConfig.Parts[1].Body)\n\t\tassert.Empty(t, dbAction.Options.HTTPConfig.Parts[1].Filepath)\n\t\tassert.Equal(t, \"Content-Type\", dbAction.Options.HTTPConfig.Parts[1].Headers[0].Key)\n\t\tassert.Equal(t, \"application/json\", dbAction.Options.HTTPConfig.Parts[1].Headers[0].Value)\n\t}\n\t// change action type\n\taction.Type = dataprovider.ActionTypeCommand\n\taction.Options.CmdConfig = dataprovider.EventActionCommandConfig{\n\t\tCmd: filepath.Join(os.TempDir(), \"cmd\"),\n\t\tArgs: []string{\"arg1\", \"arg2\"},\n\t\tTimeout: 20,\n\t\tEnvVars: []dataprovider.KeyValue{\n\t\t\t{\n\t\t\t\tKey: \"key\",\n\t\t\t\tValue: \"val\",\n\t\t\t},\n\t\t},\n\t}\n\tdataprovider.EnabledActionCommands = []string{action.Options.CmdConfig.Cmd}\n\tdefer func() {\n\t\tdataprovider.EnabledActionCommands = nil\n\t}()\n\tform.Set(\"type\", fmt.Sprintf(\"%d\", action.Type))\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventActionPath, action.Name),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorCommandRequired)\n\tform.Set(\"cmd_path\", action.Options.CmdConfig.Cmd)\n\tform.Set(\"cmd_timeout\", \"a\")\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventActionPath, action.Name),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\tform.Set(\"cmd_timeout\", fmt.Sprintf(\"%d\", action.Options.CmdConfig.Timeout))\n\tform.Set(\"env_vars[0][cmd_env_key]\", action.Options.CmdConfig.EnvVars[0].Key)\n\tform.Set(\"env_vars[0][cmd_env_value]\", action.Options.CmdConfig.EnvVars[0].Value)\n\tform.Set(\"cmd_arguments\", \"arg1 ,arg2 \")\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventActionPath, action.Name),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\t// update a missing action\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventActionPath, action.Name+\"1\"),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\t// update with no csrf token\n\tform.Del(csrfFormToken)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventActionPath, action.Name),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\tform.Set(csrfFormToken, csrfToken)\n\t// check the update\n\tactionGet, _, err = httpdtest.GetEventActionByName(action.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, action.Type, actionGet.Type)\n\tassert.Equal(t, action.Options.CmdConfig.Cmd, actionGet.Options.CmdConfig.Cmd)\n\tassert.Equal(t, action.Options.CmdConfig.Args, actionGet.Options.CmdConfig.Args)\n\tassert.Equal(t, action.Options.CmdConfig.Timeout, actionGet.Options.CmdConfig.Timeout)\n\tassert.Equal(t, action.Options.CmdConfig.EnvVars, actionGet.Options.CmdConfig.EnvVars)\n\tassert.Equal(t, dataprovider.EventActionHTTPConfig{}, actionGet.Options.HTTPConfig)\n\tassert.Equal(t, dataprovider.EventActionPasswordExpiration{}, actionGet.Options.PwdExpirationConfig)\n\t// change action type again\n\taction.Type = dataprovider.ActionTypeEmail\n\taction.Options.EmailConfig = dataprovider.EventActionEmailConfig{\n\t\tRecipients: []string{\"address1@example.com\", \"address2@example.com\"},\n\t\tBcc: []string{\"address3@example.com\"},\n\t\tSubject: \"subject\",\n\t\tContentType: 1,\n\t\tBody: \"body\",\n\t\tAttachments: []string{\"/file1.txt\", \"/file2.txt\"},\n\t}\n\tform.Set(\"type\", fmt.Sprintf(\"%d\", action.Type))\n\tform.Set(\"email_recipients\", \"address1@example.com, address2@example.com\")\n\tform.Set(\"email_bcc\", \"address3@example.com\")\n\tform.Set(\"email_subject\", action.Options.EmailConfig.Subject)\n\tform.Set(\"email_content_type\", fmt.Sprintf(\"%d\", action.Options.EmailConfig.ContentType))\n\tform.Set(\"email_body\", action.Options.EmailConfig.Body)\n\tform.Set(\"email_attachments\", \"file1.txt, file2.txt\")\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventActionPath, action.Name),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\t// check the update\n\tactionGet, _, err = httpdtest.GetEventActionByName(action.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, action.Type, actionGet.Type)\n\tassert.Equal(t, action.Options.EmailConfig.Recipients, actionGet.Options.EmailConfig.Recipients)\n\tassert.Equal(t, action.Options.EmailConfig.Bcc, actionGet.Options.EmailConfig.Bcc)\n\tassert.Equal(t, action.Options.EmailConfig.Subject, actionGet.Options.EmailConfig.Subject)\n\tassert.Equal(t, action.Options.EmailConfig.ContentType, actionGet.Options.EmailConfig.ContentType)\n\tassert.Equal(t, action.Options.EmailConfig.Body, actionGet.Options.EmailConfig.Body)\n\tassert.Equal(t, action.Options.EmailConfig.Attachments, actionGet.Options.EmailConfig.Attachments)\n\tassert.Equal(t, dataprovider.EventActionHTTPConfig{}, actionGet.Options.HTTPConfig)\n\tassert.Empty(t, actionGet.Options.CmdConfig.Cmd)\n\tassert.Equal(t, 0, actionGet.Options.CmdConfig.Timeout)\n\tassert.Len(t, actionGet.Options.CmdConfig.EnvVars, 0)\n\t// change action type to data retention check\n\taction.Type = dataprovider.ActionTypeDataRetentionCheck\n\tform.Set(\"type\", fmt.Sprintf(\"%d\", action.Type))\n\tform.Set(\"data_retention[10][folder_retention_path]\", \"p1\")\n\tform.Set(\"data_retention[10][folder_retention_val]\", \"a\")\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventActionPath, action.Name),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\tform.Set(\"data_retention[10][folder_retention_val]\", \"24\")\n\tform.Set(\"data_retention[10][folder_retention_options][]\", \"1\")\n\tform.Set(\"data_retention[11][folder_retention_path]\", \"../p2\")\n\tform.Set(\"data_retention[11][folder_retention_val]\", \"48\")\n\tform.Set(\"data_retention[11][folder_retention_options][]\", \"1\")\n\tform.Set(\"data_retention[13][folder_retention_options][]\", \"1\") // ignored\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventActionPath, action.Name),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\t// check the update\n\tactionGet, _, err = httpdtest.GetEventActionByName(action.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, action.Type, actionGet.Type)\n\tif assert.Len(t, actionGet.Options.RetentionConfig.Folders, 2) {\n\t\tfor _, folder := range actionGet.Options.RetentionConfig.Folders {\n\t\t\tswitch folder.Path {\n\t\t\tcase \"/p1\":\n\t\t\t\tassert.Equal(t, 24, folder.Retention)\n\t\t\t\tassert.True(t, folder.DeleteEmptyDirs)\n\t\t\tcase \"/p2\":\n\t\t\t\tassert.Equal(t, 48, folder.Retention)\n\t\t\t\tassert.True(t, folder.DeleteEmptyDirs)\n\t\t\tdefault:\n\t\t\t\tt.Errorf(\"unexpected folder path %v\", folder.Path)\n\t\t\t}\n\t\t}\n\t}\n\taction.Type = dataprovider.ActionTypeFilesystem\n\taction.Options.FsConfig = dataprovider.EventActionFilesystemConfig{\n\t\tType: dataprovider.FilesystemActionMkdirs,\n\t\tMkDirs: []string{\"a \", \" a/b\"},\n\t}\n\tform.Set(\"type\", fmt.Sprintf(\"%d\", action.Type))\n\tform.Set(\"fs_mkdir_paths\", strings.Join(action.Options.FsConfig.MkDirs, \",\"))\n\tform.Set(\"fs_action_type\", \"invalid\")\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventActionPath, action.Name),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\n\tform.Set(\"fs_action_type\", fmt.Sprintf(\"%d\", action.Options.FsConfig.Type))\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventActionPath, action.Name),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\t// check the update\n\tactionGet, _, err = httpdtest.GetEventActionByName(action.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, action.Type, actionGet.Type)\n\tif assert.Len(t, actionGet.Options.FsConfig.MkDirs, 2) {\n\t\tfor _, dir := range actionGet.Options.FsConfig.MkDirs {\n\t\t\tswitch dir {\n\t\t\tcase \"/a\":\n\t\t\tcase \"/a/b\":\n\t\t\tdefault:\n\t\t\t\tt.Errorf(\"unexpected dir path %v\", dir)\n\t\t\t}\n\t\t}\n\t}\n\n\taction.Options.FsConfig = dataprovider.EventActionFilesystemConfig{\n\t\tType: dataprovider.FilesystemActionExist,\n\t\tExist: []string{\"b \", \" c/d\"},\n\t}\n\tform.Set(\"fs_action_type\", fmt.Sprintf(\"%d\", action.Options.FsConfig.Type))\n\tform.Set(\"fs_exist_paths\", strings.Join(action.Options.FsConfig.Exist, \",\"))\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventActionPath, action.Name),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\t// check the update\n\tactionGet, _, err = httpdtest.GetEventActionByName(action.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, action.Type, actionGet.Type)\n\tif assert.Len(t, actionGet.Options.FsConfig.Exist, 2) {\n\t\tfor _, p := range actionGet.Options.FsConfig.Exist {\n\t\t\tswitch p {\n\t\t\tcase \"/b\":\n\t\t\tcase \"/c/d\":\n\t\t\tdefault:\n\t\t\t\tt.Errorf(\"unexpected path %v\", p)\n\t\t\t}\n\t\t}\n\t}\n\n\taction.Options.FsConfig = dataprovider.EventActionFilesystemConfig{\n\t\tType: dataprovider.FilesystemActionRename,\n\t\tRenames: []dataprovider.RenameConfig{\n\t\t\t{\n\t\t\t\tKeyValue: dataprovider.KeyValue{\n\t\t\t\t\tKey: \"/src\",\n\t\t\t\t\tValue: \"/target\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\tform.Set(\"fs_action_type\", fmt.Sprintf(\"%d\", action.Options.FsConfig.Type))\n\tform.Set(\"fs_rename[0][fs_rename_source]\", action.Options.FsConfig.Renames[0].Key)\n\tform.Set(\"fs_rename[0][fs_rename_target]\", action.Options.FsConfig.Renames[0].Value)\n\tform.Set(\"fs_rename[0][fs_rename_options][]\", \"1\")\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventActionPath, action.Name),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\t// check the update\n\tactionGet, _, err = httpdtest.GetEventActionByName(action.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, action.Type, actionGet.Type)\n\tif assert.Len(t, actionGet.Options.FsConfig.Renames, 1) {\n\t\tassert.True(t, actionGet.Options.FsConfig.Renames[0].UpdateModTime)\n\t}\n\n\taction.Options.FsConfig = dataprovider.EventActionFilesystemConfig{\n\t\tType: dataprovider.FilesystemActionCopy,\n\t\tCopy: []dataprovider.KeyValue{\n\t\t\t{\n\t\t\t\tKey: \"/copy_src\",\n\t\t\t\tValue: \"/copy_target\",\n\t\t\t},\n\t\t},\n\t}\n\tform.Set(\"fs_action_type\", fmt.Sprintf(\"%d\", action.Options.FsConfig.Type))\n\tform.Set(\"fs_copy[0][fs_copy_source]\", action.Options.FsConfig.Copy[0].Key)\n\tform.Set(\"fs_copy[0][fs_copy_target]\", action.Options.FsConfig.Copy[0].Value)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventActionPath, action.Name),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\t// check the update\n\tactionGet, _, err = httpdtest.GetEventActionByName(action.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, action.Type, actionGet.Type)\n\tassert.Len(t, actionGet.Options.FsConfig.Copy, 1)\n\n\taction.Type = dataprovider.ActionTypePasswordExpirationCheck\n\taction.Options.PwdExpirationConfig.Threshold = 15\n\tform.Set(\"type\", fmt.Sprintf(\"%d\", action.Type))\n\tform.Set(\"pwd_expiration_threshold\", \"a\")\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventActionPath, action.Name),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\tform.Set(\"pwd_expiration_threshold\", strconv.Itoa(action.Options.PwdExpirationConfig.Threshold))\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventActionPath, action.Name),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\tactionGet, _, err = httpdtest.GetEventActionByName(action.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, action.Type, actionGet.Type)\n\tassert.Equal(t, action.Options.PwdExpirationConfig.Threshold, actionGet.Options.PwdExpirationConfig.Threshold)\n\tassert.Equal(t, 0, actionGet.Options.CmdConfig.Timeout)\n\tassert.Len(t, actionGet.Options.CmdConfig.EnvVars, 0)\n\n\taction.Type = dataprovider.ActionTypeUserInactivityCheck\n\taction.Options.UserInactivityConfig = dataprovider.EventActionUserInactivity{\n\t\tDisableThreshold: 10,\n\t\tDeleteThreshold: 15,\n\t}\n\tform.Set(\"type\", fmt.Sprintf(\"%d\", action.Type))\n\tform.Set(\"inactivity_disable_threshold\", strconv.Itoa(action.Options.UserInactivityConfig.DisableThreshold))\n\tform.Set(\"inactivity_delete_threshold\", strconv.Itoa(action.Options.UserInactivityConfig.DeleteThreshold))\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventActionPath, action.Name),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\tactionGet, _, err = httpdtest.GetEventActionByName(action.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, action.Type, actionGet.Type)\n\tassert.Equal(t, 0, actionGet.Options.PwdExpirationConfig.Threshold)\n\tassert.Equal(t, action.Options.UserInactivityConfig.DisableThreshold, actionGet.Options.UserInactivityConfig.DisableThreshold)\n\tassert.Equal(t, action.Options.UserInactivityConfig.DeleteThreshold, actionGet.Options.UserInactivityConfig.DeleteThreshold)\n\n\taction.Type = dataprovider.ActionTypeIDPAccountCheck\n\tform.Set(\"type\", fmt.Sprintf(\"%d\", action.Type))\n\tform.Set(\"idp_mode\", \"1\")\n\tform.Set(\"idp_user\", `{\"username\":\"user\"}`)\n\tform.Set(\"idp_admin\", `{\"username\":\"admin\"}`)\n\tform.Set(\"pwd_expiration_threshold\", strconv.Itoa(action.Options.PwdExpirationConfig.Threshold))\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventActionPath, action.Name),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\tactionGet, _, err = httpdtest.GetEventActionByName(action.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, action.Type, actionGet.Type)\n\tassert.Equal(t, 1, actionGet.Options.IDPConfig.Mode)\n\tassert.Contains(t, actionGet.Options.IDPConfig.TemplateUser, `\"user\"`)\n\tassert.Contains(t, actionGet.Options.IDPConfig.TemplateAdmin, `\"admin\"`)\n\n\treq, err = http.NewRequest(http.MethodDelete, path.Join(webAdminEventActionPath, action.Name), nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, apiToken)\n\tsetCSRFHeaderForReq(req, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webLoginPath, rr.Header().Get(\"Location\"))\n\n\treq, err = http.NewRequest(http.MethodDelete, path.Join(webAdminEventActionPath, action.Name), nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\tsetCSRFHeaderForReq(req, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webAdminEventActionsPath+jsonAPISuffix, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Equal(t, `[]`, rr.Body.String())\n}\n\nfunc TestWebEventRule(t *testing.T) {\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webAdminEventRulePath, webToken)\n\tassert.NoError(t, err)\n\ta := dataprovider.BaseEventAction{\n\t\tName: \"web_action\",\n\t\tType: dataprovider.ActionTypeFilesystem,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tFsConfig: dataprovider.EventActionFilesystemConfig{\n\t\t\t\tType: dataprovider.FilesystemActionExist,\n\t\t\t\tExist: []string{\"/dir1\"},\n\t\t\t},\n\t\t},\n\t}\n\taction, _, err := httpdtest.AddEventAction(a, http.StatusCreated)\n\tassert.NoError(t, err)\n\trule := dataprovider.EventRule{\n\t\tName: \"test_web_rule\",\n\t\tStatus: 1,\n\t\tDescription: \"rule added using web API\",\n\t\tTrigger: dataprovider.EventTriggerSchedule,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tSchedules: []dataprovider.Schedule{\n\t\t\t\t{\n\t\t\t\t\tHours: \"0\",\n\t\t\t\t\tDayOfWeek: \"*\",\n\t\t\t\t\tDayOfMonth: \"*\",\n\t\t\t\t\tMonth: \"*\",\n\t\t\t\t},\n\t\t\t},\n\t\t\tOptions: dataprovider.ConditionOptions{\n\t\t\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tPattern: \"u*\",\n\t\t\t\t\t\tInverseMatch: true,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tGroupNames: []dataprovider.ConditionPattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tPattern: \"g*\",\n\t\t\t\t\t\tInverseMatch: true,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tRoleNames: []dataprovider.ConditionPattern{\n\t\t\t\t\t{\n\t\t\t\t\t\tPattern: \"r*\",\n\t\t\t\t\t\tInverseMatch: true,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action.Name,\n\t\t\t\t},\n\t\t\t\tOrder: 1,\n\t\t\t},\n\t\t},\n\t}\n\tform := make(url.Values)\n\tform.Set(\"name\", rule.Name)\n\tform.Set(\"description\", rule.Description)\n\tform.Set(\"status\", \"a\")\n\treq, err := http.NewRequest(http.MethodPost, webAdminEventRulePath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\tform.Set(\"status\", fmt.Sprintf(\"%d\", rule.Status))\n\tform.Set(\"trigger\", \"a\")\n\treq, err = http.NewRequest(http.MethodPost, webAdminEventRulePath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\tform.Set(\"trigger\", fmt.Sprintf(\"%d\", rule.Trigger))\n\tform.Set(\"schedules[0][schedule_hour]\", rule.Conditions.Schedules[0].Hours)\n\tform.Set(\"schedules[0][schedule_day_of_week]\", rule.Conditions.Schedules[0].DayOfWeek)\n\tform.Set(\"schedules[0][schedule_day_of_month]\", rule.Conditions.Schedules[0].DayOfMonth)\n\tform.Set(\"schedules[0][schedule_month]\", rule.Conditions.Schedules[0].Month)\n\tform.Set(\"name_filters[0][name_pattern]\", rule.Conditions.Options.Names[0].Pattern)\n\tform.Set(\"name_filters[0][type_name_pattern]\", \"inverse\")\n\tform.Set(\"group_name_filters[0][group_name_pattern]\", rule.Conditions.Options.GroupNames[0].Pattern)\n\tform.Set(\"group_name_filters[0][type_group_name_pattern]\", \"inverse\")\n\tform.Set(\"role_name_filters[0][role_name_pattern]\", rule.Conditions.Options.RoleNames[0].Pattern)\n\tform.Set(\"role_name_filters[0][type_role_name_pattern]\", \"inverse\")\n\treq, err = http.NewRequest(http.MethodPost, webAdminEventRulePath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidMinSize)\n\tform.Set(\"fs_min_size\", \"0\")\n\treq, err = http.NewRequest(http.MethodPost, webAdminEventRulePath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidMaxSize)\n\tform.Set(\"fs_max_size\", \"0\")\n\tform.Set(\"actions[0][action_name]\", action.Name)\n\treq, err = http.NewRequest(http.MethodPost, webAdminEventRulePath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\tform.Set(csrfFormToken, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webAdminEventRulePath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\t// a new add will fail\n\treq, err = http.NewRequest(http.MethodPost, webAdminEventRulePath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// list rules\n\treq, err = http.NewRequest(http.MethodGet, webAdminEventRulesPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\treq, err = http.NewRequest(http.MethodGet, webAdminEventRulesPath+jsonAPISuffix, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// render add page\n\treq, err = http.NewRequest(http.MethodGet, webAdminEventRulePath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// render rule page\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webAdminEventRulePath, rule.Name), nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// missing rule\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webAdminEventRulePath, rule.Name+\"1\"), nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\t// check the rule\n\truleGet, _, err := httpdtest.GetEventRuleByName(rule.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, rule.Trigger, ruleGet.Trigger)\n\tassert.Equal(t, rule.Status, ruleGet.Status)\n\tassert.Equal(t, rule.Description, ruleGet.Description)\n\tassert.Equal(t, rule.Conditions, ruleGet.Conditions)\n\tif assert.Len(t, ruleGet.Actions, 1) {\n\t\tassert.Equal(t, rule.Actions[0].Name, ruleGet.Actions[0].Name)\n\t\tassert.Equal(t, rule.Actions[0].Order, ruleGet.Actions[0].Order)\n\t}\n\t// change rule trigger and status\n\trule.Status = 0\n\trule.Trigger = dataprovider.EventTriggerFsEvent\n\trule.Conditions = dataprovider.EventConditions{\n\t\tFsEvents: []string{\"upload\", \"download\"},\n\t\tOptions: dataprovider.ConditionOptions{\n\t\t\tNames: []dataprovider.ConditionPattern{\n\t\t\t\t{\n\t\t\t\t\tPattern: \"u*\",\n\t\t\t\t\tInverseMatch: true,\n\t\t\t\t},\n\t\t\t},\n\t\t\tGroupNames: []dataprovider.ConditionPattern{\n\t\t\t\t{\n\t\t\t\t\tPattern: \"g*\",\n\t\t\t\t\tInverseMatch: true,\n\t\t\t\t},\n\t\t\t},\n\t\t\tRoleNames: []dataprovider.ConditionPattern{\n\t\t\t\t{\n\t\t\t\t\tPattern: \"r*\",\n\t\t\t\t\tInverseMatch: true,\n\t\t\t\t},\n\t\t\t},\n\t\t\tFsPaths: []dataprovider.ConditionPattern{\n\t\t\t\t{\n\t\t\t\t\tPattern: \"/subdir/*.txt\",\n\t\t\t\t},\n\t\t\t},\n\t\t\tProtocols: []string{common.ProtocolSFTP, common.ProtocolHTTP},\n\t\t\tMinFileSize: 1024 * 1024,\n\t\t\tMaxFileSize: 5 * 1024 * 1024,\n\t\t},\n\t}\n\tform.Set(\"status\", fmt.Sprintf(\"%d\", rule.Status))\n\tform.Set(\"trigger\", fmt.Sprintf(\"%d\", rule.Trigger))\n\tfor _, event := range rule.Conditions.FsEvents {\n\t\tform.Add(\"fs_events\", event)\n\t}\n\tform.Set(\"path_filters[0][fs_path_pattern]\", rule.Conditions.Options.FsPaths[0].Pattern)\n\tfor _, protocol := range rule.Conditions.Options.Protocols {\n\t\tform.Add(\"fs_protocols\", protocol)\n\t}\n\tform.Set(\"fs_min_size\", fmt.Sprintf(\"%d\", rule.Conditions.Options.MinFileSize))\n\tform.Set(\"fs_max_size\", fmt.Sprintf(\"%d\", rule.Conditions.Options.MaxFileSize))\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventRulePath, rule.Name),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\t// check the rule\n\truleGet, _, err = httpdtest.GetEventRuleByName(rule.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, rule.Status, ruleGet.Status)\n\tassert.Equal(t, rule.Trigger, ruleGet.Trigger)\n\tassert.Equal(t, rule.Description, ruleGet.Description)\n\tassert.Equal(t, rule.Conditions, ruleGet.Conditions)\n\tif assert.Len(t, ruleGet.Actions, 1) {\n\t\tassert.Equal(t, rule.Actions[0].Name, ruleGet.Actions[0].Name)\n\t\tassert.Equal(t, rule.Actions[0].Order, ruleGet.Actions[0].Order)\n\t}\n\trule.Trigger = dataprovider.EventTriggerIDPLogin\n\tform.Set(\"trigger\", fmt.Sprintf(\"%d\", rule.Trigger))\n\tform.Set(\"idp_login_event\", \"1\")\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventRulePath, rule.Name),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\t// check the rule\n\truleGet, _, err = httpdtest.GetEventRuleByName(rule.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, rule.Trigger, ruleGet.Trigger)\n\tassert.Equal(t, 1, ruleGet.Conditions.IDPLoginEvent)\n\n\tform.Set(\"idp_login_event\", \"2\")\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventRulePath, rule.Name),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\t// check the rule\n\truleGet, _, err = httpdtest.GetEventRuleByName(rule.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, rule.Trigger, ruleGet.Trigger)\n\tassert.Equal(t, 2, ruleGet.Conditions.IDPLoginEvent)\n\n\t// update a missing rule\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventRulePath, rule.Name+\"1\"),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\t// update with no csrf token\n\tform.Del(csrfFormToken)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventRulePath, rule.Name),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\tform.Set(csrfFormToken, csrfToken)\n\t// update with no action defined\n\tform.Del(\"actions[0][action_name]\")\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventRulePath, rule.Name),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorRuleActionRequired)\n\t// invalid trigger\n\tform.Set(\"trigger\", \"a\")\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminEventRulePath, rule.Name),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\n\treq, err = http.NewRequest(http.MethodDelete, path.Join(webAdminEventRulePath, rule.Name), nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\tsetCSRFHeaderForReq(req, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodDelete, path.Join(webAdminEventActionPath, action.Name), nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\tsetCSRFHeaderForReq(req, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestWebIPListEntries(t *testing.T) {\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webUserPath, webToken)\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodGet, webIPListPath+\"/mode\", nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webIPListPath+\"/mode/a\", nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webIPListPath, \"/1/a\"), nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webIPListPath+\"/1\", nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webIPListsPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tentry := dataprovider.IPListEntry{\n\t\tIPOrNet: \"12.34.56.78/20\",\n\t\tType: dataprovider.IPListTypeDefender,\n\t\tMode: dataprovider.ListModeDeny,\n\t\tDescription: \"note\",\n\t\tProtocols: 5,\n\t}\n\tform := make(url.Values)\n\tform.Set(\"ipornet\", entry.IPOrNet)\n\tform.Set(\"description\", entry.Description)\n\tform.Set(\"mode\", \"a\")\n\treq, err = http.NewRequest(http.MethodPost, webIPListPath+\"/mode\", bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError400Message)\n\n\treq, err = http.NewRequest(http.MethodPost, webIPListPath+\"/1\", bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\tform.Set(csrfFormToken, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webIPListPath+\"/2\", bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\n\tform.Set(\"mode\", \"2\")\n\tform.Set(\"protocols\", \"a\")\n\tform.Add(\"protocols\", \"1\")\n\tform.Add(\"protocols\", \"4\")\n\treq, err = http.NewRequest(http.MethodPost, webIPListPath+\"/\"+strconv.Itoa(int(entry.Type)),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\n\tentry1, _, err := httpdtest.GetIPListEntry(entry.IPOrNet, dataprovider.IPListTypeDefender, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, entry.Description, entry1.Description)\n\tassert.Equal(t, entry.Mode, entry1.Mode)\n\tassert.Equal(t, entry.Protocols, entry1.Protocols)\n\n\tform.Set(\"ipornet\", \"1111.11.11.11\")\n\treq, err = http.NewRequest(http.MethodPost, webIPListPath+\"/1\", bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorIPInvalid)\n\n\tform.Set(\"ipornet\", entry.IPOrNet)\n\tform.Set(\"mode\", \"invalid\") // ignored for list type 1\n\treq, err = http.NewRequest(http.MethodPost, webIPListPath+\"/1\", bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\n\tentry2, _, err := httpdtest.GetIPListEntry(entry.IPOrNet, dataprovider.IPListTypeAllowList, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, entry.Description, entry2.Description)\n\tassert.Equal(t, dataprovider.ListModeAllow, entry2.Mode)\n\tassert.Equal(t, entry.Protocols, entry2.Protocols)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webIPListPath, \"1\", url.PathEscape(entry2.IPOrNet)), nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tform.Set(\"protocols\", \"1\")\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webIPListPath, \"1\", url.PathEscape(entry.IPOrNet)),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\tentry2, _, err = httpdtest.GetIPListEntry(entry.IPOrNet, dataprovider.IPListTypeAllowList, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, entry.Description, entry2.Description)\n\tassert.Equal(t, dataprovider.ListModeAllow, entry2.Mode)\n\tassert.Equal(t, 1, entry2.Protocols)\n\n\tform.Del(csrfFormToken)\n\treq, err = http.NewRequest(http.MethodPost, webIPListPath+\"/1/\"+url.PathEscape(entry.IPOrNet),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\tform.Set(csrfFormToken, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webIPListPath+\"/a/\"+url.PathEscape(entry.IPOrNet),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, webIPListPath+\"/1/\"+url.PathEscape(entry.IPOrNet)+\"a\",\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\tform.Set(\"mode\", \"a\")\n\treq, err = http.NewRequest(http.MethodPost, webIPListPath+\"/2/\"+url.PathEscape(entry.IPOrNet),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\n\tform.Set(\"mode\", \"100\")\n\treq, err = http.NewRequest(http.MethodPost, webIPListPath+\"/2/\"+url.PathEscape(entry.IPOrNet),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\n\t_, err = httpdtest.RemoveIPListEntry(entry1, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveIPListEntry(entry2, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestWebRole(t *testing.T) {\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webAdminRolePath, webToken)\n\tassert.NoError(t, err)\n\trole := getTestRole()\n\tform := make(url.Values)\n\tform.Set(\"name\", \"\")\n\tform.Set(\"description\", role.Description)\n\treq, err := http.NewRequest(http.MethodPost, webAdminRolePath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\tform.Set(csrfFormToken, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webAdminRolePath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorNameRequired)\n\tform.Set(\"name\", role.Name)\n\treq, err = http.NewRequest(http.MethodPost, webAdminRolePath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\t// a new add will fail\n\treq, err = http.NewRequest(http.MethodPost, webAdminRolePath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// list roles\n\treq, err = http.NewRequest(http.MethodGet, webAdminRolesPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\treq, err = http.NewRequest(http.MethodGet, webAdminRolesPath+jsonAPISuffix, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// render the new role page\n\treq, err = http.NewRequest(http.MethodGet, webAdminRolePath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webAdminRolePath, role.Name), nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webAdminRolePath, \"missing_role\"), nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\t// parse form error\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminRolePath, role.Name)+\"?param=p%C4%AO%GH\",\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidForm)\n\t// update role\n\tform.Set(\"description\", \"new desc\")\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminRolePath, role.Name), bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\t// check the changes\n\trole, _, err = httpdtest.GetRoleByName(role.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"new desc\", role.Description)\n\t// no CSRF token\n\tform.Set(csrfFormToken, \"\")\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminRolePath, role.Name), bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\t// missing role\n\tform.Set(csrfFormToken, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminRolePath, \"missing\"), bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\t_, err = httpdtest.RemoveRole(role, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestAddWebGroup(t *testing.T) {\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tapiToken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webGroupPath, webToken)\n\tassert.NoError(t, err)\n\tgroup := getTestGroup()\n\tgroup.UserSettings = dataprovider.GroupUserSettings{\n\t\tBaseGroupUserSettings: sdk.BaseGroupUserSettings{\n\t\t\tHomeDir: filepath.Join(os.TempDir(), util.GenerateUniqueID()),\n\t\t\tPermissions: make(map[string][]string),\n\t\t\tMaxSessions: 2,\n\t\t\tQuotaSize: 123,\n\t\t\tQuotaFiles: 10,\n\t\t\tUploadBandwidth: 128,\n\t\t\tDownloadBandwidth: 256,\n\t\t\tExpiresIn: 10,\n\t\t},\n\t}\n\tform := make(url.Values)\n\tform.Set(\"name\", group.Name)\n\tform.Set(\"description\", group.Description)\n\tform.Set(\"home_dir\", group.UserSettings.HomeDir)\n\tb, contentType, err := getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, webGroupPath, &b)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", contentType)\n\tsetJWTCookieForReq(req, webToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\tform.Set(\"max_sessions\", strconv.FormatInt(int64(group.UserSettings.MaxSessions), 10))\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webGroupPath, &b)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", contentType)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidQuotaSize)\n\tform.Set(\"quota_files\", strconv.FormatInt(int64(group.UserSettings.QuotaFiles), 10))\n\tform.Set(\"quota_size\", strconv.FormatInt(group.UserSettings.QuotaSize, 10))\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webGroupPath, &b)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", contentType)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\tform.Set(\"upload_bandwidth\", strconv.FormatInt(group.UserSettings.UploadBandwidth, 10))\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webGroupPath, &b)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", contentType)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\tform.Set(\"download_bandwidth\", strconv.FormatInt(group.UserSettings.DownloadBandwidth, 10))\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webGroupPath, &b)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", contentType)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\tform.Set(\"upload_data_transfer\", \"0\")\n\tform.Set(\"download_data_transfer\", \"0\")\n\tform.Set(\"total_data_transfer\", \"0\")\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webGroupPath, &b)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", contentType)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\tform.Set(\"expires_in\", strconv.Itoa(group.UserSettings.ExpiresIn))\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webGroupPath, &b)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", contentType)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidMaxFilesize)\n\tform.Set(\"max_upload_file_size\", \"0\")\n\tform.Set(\"default_shares_expiration\", \"0\")\n\tform.Set(\"max_shares_expiration\", \"0\")\n\tform.Set(\"password_expiration\", \"0\")\n\tform.Set(\"password_strength\", \"0\")\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webGroupPath, &b)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", contentType)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\tform.Set(\"external_auth_cache_time\", \"0\")\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webGroupPath, &b)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", contentType)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\tform.Set(csrfFormToken, csrfToken)\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webGroupPath+\"?b=%2\", &b)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", contentType)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr) // error parsing the multipart form\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webGroupPath, &b)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", contentType)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\t// a new add will fail\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webGroupPath, &b)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", contentType)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// list groups\n\treq, err = http.NewRequest(http.MethodGet, webGroupsPath, nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", contentType)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\treq, err = http.NewRequest(http.MethodGet, webGroupsPath+jsonAPISuffix, nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", contentType)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// render the new group page\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webGroupPath, group.Name), nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", contentType)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// check the added group\n\tgroupGet, _, err := httpdtest.GetGroupByName(group.Name, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, group.UserSettings, groupGet.UserSettings)\n\tassert.Equal(t, group.Name, groupGet.Name)\n\tassert.Equal(t, group.Description, groupGet.Description)\n\t// cleanup\n\treq, err = http.NewRequest(http.MethodDelete, path.Join(groupPath, group.Name), nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webGroupPath, group.Name), nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n}\n\nfunc TestAddWebFoldersMock(t *testing.T) {\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tapiToken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webFolderPath, webToken)\n\tassert.NoError(t, err)\n\tmappedPath := filepath.Clean(os.TempDir())\n\tfolderName := filepath.Base(mappedPath)\n\tfolderDesc := \"a simple desc\"\n\tform := make(url.Values)\n\tform.Set(\"mapped_path\", mappedPath)\n\tform.Set(\"name\", folderName)\n\tform.Set(\"description\", folderDesc)\n\tform.Set(\"osfs_read_buffer_size\", \"3\")\n\tform.Set(\"osfs_write_buffer_size\", \"4\")\n\tb, contentType, err := getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, webFolderPath, &b)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", contentType)\n\tsetJWTCookieForReq(req, webToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\tform.Set(csrfFormToken, csrfToken)\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webFolderPath, &b)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", contentType)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\t// adding the same folder will fail since the name must be unique\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webFolderPath, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// invalid form\n\treq, err = http.NewRequest(http.MethodPost, webFolderPath, strings.NewReader(form.Encode()))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", \"text/plain; boundary=\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\t// now render the add folder page\n\treq, err = http.NewRequest(http.MethodGet, webFolderPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tvar folder vfs.BaseVirtualFolder\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(folderPath, folderName), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\terr = render.DecodeJSON(rr.Body, &folder)\n\tassert.NoError(t, err)\n\tassert.Equal(t, mappedPath, folder.MappedPath)\n\tassert.Equal(t, folderName, folder.Name)\n\tassert.Equal(t, folderDesc, folder.Description)\n\tassert.Equal(t, 3, folder.FsConfig.OSConfig.ReadBufferSize)\n\tassert.Equal(t, 4, folder.FsConfig.OSConfig.WriteBufferSize)\n\t// cleanup\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(folderPath, folderName), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestHTTPFsWebFolderMock(t *testing.T) {\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tapiToken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webFolderPath, webToken)\n\tassert.NoError(t, err)\n\tmappedPath := filepath.Clean(os.TempDir())\n\tfolderName := filepath.Base(mappedPath)\n\thttpfsConfig := vfs.HTTPFsConfig{\n\t\tBaseHTTPFsConfig: sdk.BaseHTTPFsConfig{\n\t\t\tEndpoint: \"https://127.0.0.1:9998/api/v1\",\n\t\t\tUsername: folderName,\n\t\t\tSkipTLSVerify: true,\n\t\t},\n\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t\tAPIKey: kms.NewPlainSecret(defaultTokenAuthPass),\n\t}\n\tform := make(url.Values)\n\tform.Set(\"mapped_path\", mappedPath)\n\tform.Set(\"name\", folderName)\n\tform.Set(\"fs_provider\", \"6\")\n\tform.Set(\"http_endpoint\", httpfsConfig.Endpoint)\n\tform.Set(\"http_username\", \"%name%\")\n\tform.Set(\"http_password\", httpfsConfig.Password.GetPayload())\n\tform.Set(\"http_api_key\", httpfsConfig.APIKey.GetPayload())\n\tform.Set(\"http_skip_tls_verify\", \"checked\")\n\tform.Set(csrfFormToken, csrfToken)\n\tb, contentType, err := getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, webFolderPath, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\t// check\n\tvar folder vfs.BaseVirtualFolder\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(folderPath, folderName), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\terr = render.DecodeJSON(rr.Body, &folder)\n\tassert.NoError(t, err)\n\tassert.Equal(t, mappedPath, folder.MappedPath)\n\tassert.Equal(t, folderName, folder.Name)\n\tassert.Equal(t, sdk.HTTPFilesystemProvider, folder.FsConfig.Provider)\n\tassert.Equal(t, httpfsConfig.Endpoint, folder.FsConfig.HTTPConfig.Endpoint)\n\tassert.Equal(t, httpfsConfig.Username, folder.FsConfig.HTTPConfig.Username)\n\tassert.Equal(t, httpfsConfig.SkipTLSVerify, folder.FsConfig.HTTPConfig.SkipTLSVerify)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, folder.FsConfig.HTTPConfig.Password.GetStatus())\n\tassert.NotEmpty(t, folder.FsConfig.HTTPConfig.Password.GetPayload())\n\tassert.Empty(t, folder.FsConfig.HTTPConfig.Password.GetKey())\n\tassert.Empty(t, folder.FsConfig.HTTPConfig.Password.GetAdditionalData())\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, folder.FsConfig.HTTPConfig.APIKey.GetStatus())\n\tassert.NotEmpty(t, folder.FsConfig.HTTPConfig.APIKey.GetPayload())\n\tassert.Empty(t, folder.FsConfig.HTTPConfig.APIKey.GetKey())\n\tassert.Empty(t, folder.FsConfig.HTTPConfig.APIKey.GetAdditionalData())\n\t// update\n\tform.Set(\"http_password\", redactedSecret)\n\tform.Set(\"http_api_key\", redactedSecret)\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webFolderPath, folderName), &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\t// check\n\tvar updateFolder vfs.BaseVirtualFolder\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(folderPath, folderName), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\terr = render.DecodeJSON(rr.Body, &updateFolder)\n\tassert.NoError(t, err)\n\tassert.Equal(t, mappedPath, updateFolder.MappedPath)\n\tassert.Equal(t, folderName, updateFolder.Name)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, updateFolder.FsConfig.HTTPConfig.Password.GetStatus())\n\tassert.Equal(t, folder.FsConfig.HTTPConfig.Password.GetPayload(), updateFolder.FsConfig.HTTPConfig.Password.GetPayload())\n\tassert.Empty(t, updateFolder.FsConfig.HTTPConfig.Password.GetKey())\n\tassert.Empty(t, updateFolder.FsConfig.HTTPConfig.Password.GetAdditionalData())\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, updateFolder.FsConfig.HTTPConfig.APIKey.GetStatus())\n\tassert.Equal(t, folder.FsConfig.HTTPConfig.APIKey.GetPayload(), updateFolder.FsConfig.HTTPConfig.APIKey.GetPayload())\n\tassert.Empty(t, updateFolder.FsConfig.HTTPConfig.APIKey.GetKey())\n\tassert.Empty(t, updateFolder.FsConfig.HTTPConfig.APIKey.GetAdditionalData())\n\n\t// cleanup\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(folderPath, folderName), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestS3WebFolderMock(t *testing.T) {\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tapiToken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webFolderPath, webToken)\n\tassert.NoError(t, err)\n\tmappedPath := filepath.Clean(os.TempDir())\n\tfolderName := filepath.Base(mappedPath)\n\tfolderDesc := \"a simple desc\"\n\tS3Bucket := \"test\"\n\tS3Region := \"eu-west-1\"\n\tS3AccessKey := \"access-key\"\n\tS3AccessSecret := kms.NewPlainSecret(\"folder-access-secret\")\n\tS3SSEKey := kms.NewPlainSecret(\"folder-sse-key\")\n\tS3SessionToken := \"fake session token\"\n\tS3RoleARN := \"arn:aws:iam::123456789012:user/Development/product_1234/*\"\n\tS3Endpoint := \"http://127.0.0.1:9000/path?b=c\"\n\tS3StorageClass := \"Standard\"\n\tS3ACL := \"public-read-write\"\n\tS3KeyPrefix := \"somedir/subdir/\"\n\tS3UploadPartSize := 5\n\tS3UploadConcurrency := 4\n\tS3MaxPartDownloadTime := 120\n\tS3MaxPartUploadTime := 60\n\tS3DownloadPartSize := 6\n\tS3DownloadConcurrency := 3\n\tform := make(url.Values)\n\tform.Set(\"mapped_path\", mappedPath)\n\tform.Set(\"name\", folderName)\n\tform.Set(\"description\", folderDesc)\n\tform.Set(\"fs_provider\", \"1\")\n\tform.Set(\"s3_bucket\", S3Bucket)\n\tform.Set(\"s3_region\", S3Region)\n\tform.Set(\"s3_access_key\", S3AccessKey)\n\tform.Set(\"s3_access_secret\", S3AccessSecret.GetPayload())\n\tform.Set(\"s3_sse_customer_key\", S3SSEKey.GetPayload())\n\tform.Set(\"s3_session_token\", S3SessionToken)\n\tform.Set(\"s3_role_arn\", S3RoleARN)\n\tform.Set(\"s3_storage_class\", S3StorageClass)\n\tform.Set(\"s3_acl\", S3ACL)\n\tform.Set(\"s3_endpoint\", S3Endpoint)\n\tform.Set(\"s3_key_prefix\", S3KeyPrefix)\n\tform.Set(\"s3_upload_part_size\", strconv.Itoa(S3UploadPartSize))\n\tform.Set(\"s3_download_part_max_time\", strconv.Itoa(S3MaxPartDownloadTime))\n\tform.Set(\"s3_download_part_size\", strconv.Itoa(S3DownloadPartSize))\n\tform.Set(\"s3_download_concurrency\", strconv.Itoa(S3DownloadConcurrency))\n\tform.Set(\"s3_upload_part_max_time\", strconv.Itoa(S3MaxPartUploadTime))\n\tform.Set(\"s3_upload_concurrency\", \"a\")\n\tform.Set(csrfFormToken, csrfToken)\n\tb, contentType, err := getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, webFolderPath, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tform.Set(\"s3_upload_concurrency\", strconv.Itoa(S3UploadConcurrency))\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webFolderPath, &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\n\tvar folder vfs.BaseVirtualFolder\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(folderPath, folderName), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\terr = render.DecodeJSON(rr.Body, &folder)\n\tassert.NoError(t, err)\n\tassert.Equal(t, mappedPath, folder.MappedPath)\n\tassert.Equal(t, folderName, folder.Name)\n\tassert.Equal(t, folderDesc, folder.Description)\n\tassert.Equal(t, sdk.S3FilesystemProvider, folder.FsConfig.Provider)\n\tassert.Equal(t, S3Bucket, folder.FsConfig.S3Config.Bucket)\n\tassert.Equal(t, S3Region, folder.FsConfig.S3Config.Region)\n\tassert.Equal(t, S3AccessKey, folder.FsConfig.S3Config.AccessKey)\n\tassert.NotEmpty(t, folder.FsConfig.S3Config.AccessSecret.GetPayload())\n\tassert.NotEmpty(t, folder.FsConfig.S3Config.SSECustomerKey.GetPayload())\n\tassert.Equal(t, S3Endpoint, folder.FsConfig.S3Config.Endpoint)\n\tassert.Equal(t, S3StorageClass, folder.FsConfig.S3Config.StorageClass)\n\tassert.Equal(t, S3ACL, folder.FsConfig.S3Config.ACL)\n\tassert.Equal(t, S3KeyPrefix, folder.FsConfig.S3Config.KeyPrefix)\n\tassert.Equal(t, S3UploadConcurrency, folder.FsConfig.S3Config.UploadConcurrency)\n\tassert.Equal(t, int64(S3UploadPartSize), folder.FsConfig.S3Config.UploadPartSize)\n\tassert.Equal(t, S3MaxPartDownloadTime, folder.FsConfig.S3Config.DownloadPartMaxTime)\n\tassert.Equal(t, S3MaxPartUploadTime, folder.FsConfig.S3Config.UploadPartMaxTime)\n\tassert.Equal(t, S3DownloadConcurrency, folder.FsConfig.S3Config.DownloadConcurrency)\n\tassert.Equal(t, int64(S3DownloadPartSize), folder.FsConfig.S3Config.DownloadPartSize)\n\tassert.False(t, folder.FsConfig.S3Config.ForcePathStyle)\n\tassert.False(t, folder.FsConfig.S3Config.SkipTLSVerify)\n\t// update\n\tS3UploadConcurrency = 10\n\tform.Set(\"s3_upload_concurrency\", \"b\")\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webFolderPath, folderName), &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tform.Set(\"s3_upload_concurrency\", strconv.Itoa(S3UploadConcurrency))\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webFolderPath, folderName), &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\n\tfolder = vfs.BaseVirtualFolder{}\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(folderPath, folderName), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\terr = render.DecodeJSON(rr.Body, &folder)\n\tassert.NoError(t, err)\n\tassert.Equal(t, mappedPath, folder.MappedPath)\n\tassert.Equal(t, folderName, folder.Name)\n\tassert.Equal(t, folderDesc, folder.Description)\n\tassert.Equal(t, sdk.S3FilesystemProvider, folder.FsConfig.Provider)\n\tassert.Equal(t, S3Bucket, folder.FsConfig.S3Config.Bucket)\n\tassert.Equal(t, S3Region, folder.FsConfig.S3Config.Region)\n\tassert.Equal(t, S3AccessKey, folder.FsConfig.S3Config.AccessKey)\n\tassert.Equal(t, S3RoleARN, folder.FsConfig.S3Config.RoleARN)\n\tassert.NotEmpty(t, folder.FsConfig.S3Config.AccessSecret.GetPayload())\n\tassert.NotEmpty(t, folder.FsConfig.S3Config.SSECustomerKey.GetPayload())\n\tassert.Equal(t, S3Endpoint, folder.FsConfig.S3Config.Endpoint)\n\tassert.Equal(t, S3StorageClass, folder.FsConfig.S3Config.StorageClass)\n\tassert.Equal(t, S3KeyPrefix, folder.FsConfig.S3Config.KeyPrefix)\n\tassert.Equal(t, S3UploadConcurrency, folder.FsConfig.S3Config.UploadConcurrency)\n\tassert.Equal(t, int64(S3UploadPartSize), folder.FsConfig.S3Config.UploadPartSize)\n\n\t// cleanup\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(folderPath, folderName), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestUpdateWebGroupMock(t *testing.T) {\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tapiToken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webGroupPath, webToken)\n\tassert.NoError(t, err)\n\tgroup, _, err := httpdtest.AddGroup(getTestGroup(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tgroup.UserSettings = dataprovider.GroupUserSettings{\n\t\tBaseGroupUserSettings: sdk.BaseGroupUserSettings{\n\t\t\tHomeDir: filepath.Join(os.TempDir(), util.GenerateUniqueID()),\n\t\t\tPermissions: make(map[string][]string),\n\t\t},\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.SFTPFilesystemProvider,\n\t\t\tSFTPConfig: vfs.SFTPFsConfig{\n\t\t\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\t\t\tEndpoint: sftpServerAddr,\n\t\t\t\t\tUsername: defaultUsername,\n\t\t\t\t\tBufferSize: 1,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\tform := make(url.Values)\n\tform.Set(\"name\", group.Name)\n\tform.Set(\"description\", group.Description)\n\tform.Set(\"home_dir\", group.UserSettings.HomeDir)\n\tform.Set(\"max_sessions\", strconv.FormatInt(int64(group.UserSettings.MaxSessions), 10))\n\tform.Set(\"quota_files\", strconv.FormatInt(int64(group.UserSettings.QuotaFiles), 10))\n\tform.Set(\"quota_size\", strconv.FormatInt(group.UserSettings.QuotaSize, 10))\n\tform.Set(\"upload_bandwidth\", strconv.FormatInt(group.UserSettings.UploadBandwidth, 10))\n\tform.Set(\"download_bandwidth\", strconv.FormatInt(group.UserSettings.DownloadBandwidth, 10))\n\tform.Set(\"upload_data_transfer\", \"0\")\n\tform.Set(\"download_data_transfer\", \"0\")\n\tform.Set(\"total_data_transfer\", \"0\")\n\tform.Set(\"max_upload_file_size\", \"0\")\n\tform.Set(\"default_shares_expiration\", \"0\")\n\tform.Set(\"max_shares_expiration\", \"0\")\n\tform.Set(\"expires_in\", \"0\")\n\tform.Set(\"password_expiration\", \"0\")\n\tform.Set(\"password_strength\", \"0\")\n\tform.Set(\"external_auth_cache_time\", \"0\")\n\tform.Set(\"fs_provider\", strconv.FormatInt(int64(group.UserSettings.FsConfig.Provider), 10))\n\tform.Set(\"sftp_endpoint\", group.UserSettings.FsConfig.SFTPConfig.Endpoint)\n\tform.Set(\"sftp_username\", group.UserSettings.FsConfig.SFTPConfig.Username)\n\tb, contentType, err := getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, path.Join(webGroupPath, group.Name), &b)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", contentType)\n\tsetJWTCookieForReq(req, webToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\tform.Set(\"sftp_buffer_size\", strconv.FormatInt(group.UserSettings.FsConfig.SFTPConfig.BufferSize, 10))\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webGroupPath, group.Name), &b)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", contentType)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\tform.Set(csrfFormToken, csrfToken)\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webGroupPath, group.Name), &b)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", contentType)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorFsCredentialsRequired)\n\n\tform.Set(\"sftp_password\", defaultPassword)\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webGroupPath, group.Name), &b)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", contentType)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\n\treq, err = http.NewRequest(http.MethodDelete, path.Join(groupPath, group.Name), nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webGroupPath, group.Name), &b)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Content-Type\", contentType)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n}\n\nfunc TestUpdateWebFolderMock(t *testing.T) {\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tapiToken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webFolderPath, webToken)\n\tassert.NoError(t, err)\n\tfolderName := \"vfolderupdate\"\n\tfolderDesc := \"updated desc\"\n\tfolder := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: filepath.Join(os.TempDir(), \"folderupdate\"),\n\t\tDescription: \"dsc\",\n\t}\n\t_, _, err = httpdtest.AddFolder(folder, http.StatusCreated)\n\tnewMappedPath := folder.MappedPath + \"1\"\n\tassert.NoError(t, err)\n\tform := make(url.Values)\n\tform.Set(\"mapped_path\", newMappedPath)\n\tform.Set(\"name\", folderName)\n\tform.Set(\"description\", folderDesc)\n\tform.Set(csrfFormToken, \"\")\n\tb, contentType, err := getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, path.Join(webFolderPath, folderName), &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\tform.Set(csrfFormToken, csrfToken)\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webFolderPath, folderName), &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusSeeOther, rr)\n\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(folderPath, folderName), nil)\n\tsetBearerForReq(req, apiToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\terr = render.DecodeJSON(rr.Body, &folder)\n\tassert.NoError(t, err)\n\tassert.Equal(t, newMappedPath, folder.MappedPath)\n\tassert.Equal(t, folderName, folder.Name)\n\tassert.Equal(t, folderDesc, folder.Description)\n\n\t// parse form error\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webFolderPath, folderName)+\"??a=a%B3%A2%G3\", &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidForm)\n\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webFolderPath, folderName+\"1\"), &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\tform.Set(\"mapped_path\", \"arelative/path\")\n\tb, contentType, err = getMultipartFormData(form, \"\", \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webFolderPath, folderName), &b)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\treq.Header.Set(\"Content-Type\", contentType)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\t// render update folder page\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webFolderPath, folderName), nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webFolderPath, folderName+\"1\"), nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(webFolderPath, folderName), nil)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token\")\n\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(webFolderPath, folderName), nil)\n\tsetJWTCookieForReq(req, apiToken) // api token is not accepted\n\tsetCSRFHeaderForReq(req, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusFound, rr)\n\tassert.Equal(t, webLoginPath, rr.Header().Get(\"Location\"))\n\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(webFolderPath, folderName), nil)\n\tsetJWTCookieForReq(req, webToken)\n\tsetCSRFHeaderForReq(req, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestWebFoldersMock(t *testing.T) {\n\twebToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tapiToken, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tmappedPath1 := filepath.Join(os.TempDir(), \"vfolder1\")\n\tmappedPath2 := filepath.Join(os.TempDir(), \"vfolder2\")\n\tfolderName1 := filepath.Base(mappedPath1)\n\tfolderName2 := filepath.Base(mappedPath2)\n\tfolderDesc1 := \"vfolder1 desc\"\n\tfolderDesc2 := \"vfolder2 desc\"\n\tfolders := []vfs.BaseVirtualFolder{\n\t\t{\n\t\t\tName: folderName1,\n\t\t\tMappedPath: mappedPath1,\n\t\t\tDescription: folderDesc1,\n\t\t},\n\t\t{\n\t\t\tName: folderName2,\n\t\t\tMappedPath: mappedPath2,\n\t\t\tDescription: folderDesc2,\n\t\t},\n\t}\n\tfor _, folder := range folders {\n\t\tfolderAsJSON, err := json.Marshal(folder)\n\t\tassert.NoError(t, err)\n\t\treq, err := http.NewRequest(http.MethodPost, folderPath, bytes.NewBuffer(folderAsJSON))\n\t\tassert.NoError(t, err)\n\t\tsetBearerForReq(req, apiToken)\n\t\trr := executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusCreated, rr)\n\t}\n\n\treq, err := http.NewRequest(http.MethodGet, folderPath, nil)\n\tassert.NoError(t, err)\n\tsetBearerForReq(req, apiToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tvar foldersGet []vfs.BaseVirtualFolder\n\terr = render.DecodeJSON(rr.Body, &foldersGet)\n\tassert.NoError(t, err)\n\tnumFound := 0\n\tfor _, f := range foldersGet {\n\t\tif f.Name == folderName1 {\n\t\t\tassert.Equal(t, mappedPath1, f.MappedPath)\n\t\t\tassert.Equal(t, folderDesc1, f.Description)\n\t\t\tnumFound++\n\t\t}\n\t\tif f.Name == folderName2 {\n\t\t\tassert.Equal(t, mappedPath2, f.MappedPath)\n\t\t\tassert.Equal(t, folderDesc2, f.Description)\n\t\t\tnumFound++\n\t\t}\n\t}\n\tassert.Equal(t, 2, numFound)\n\n\treq, err = http.NewRequest(http.MethodGet, webFoldersPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\treq, err = http.NewRequest(http.MethodGet, webFoldersPath+jsonAPISuffix, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, webToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tfor _, folder := range folders {\n\t\treq, _ := http.NewRequest(http.MethodDelete, path.Join(folderPath, folder.Name), nil)\n\t\tsetBearerForReq(req, apiToken)\n\t\trr := executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusOK, rr)\n\t}\n}\n\nfunc TestAdminForgotPassword(t *testing.T) {\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 3525,\n\t\tFrom: \"notification@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr := smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\ta := getTestAdmin()\n\ta.Username = altAdminUsername\n\ta.Password = altAdminPassword\n\ta.Filters.RequirePasswordChange = true\n\tadmin, _, err := httpdtest.AddAdmin(a, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodGet, webAdminForgotPwdPath, nil)\n\tassert.NoError(t, err)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webAdminResetPwdPath, nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webLoginPath, nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tloginCookie, csrfToken, err := getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\n\tform := make(url.Values)\n\tform.Set(\"username\", \"\")\n\t// no csrf token\n\treq, err = http.NewRequest(http.MethodPost, webAdminForgotPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\t// empty username\n\tform.Set(csrfFormToken, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webAdminForgotPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorUsernameRequired)\n\n\tlastResetCode = \"\"\n\tform.Set(\"username\", altAdminUsername)\n\t// disable the admin\n\tadmin.Status = 0\n\tadmin, _, err = httpdtest.UpdateAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodPost, webAdminForgotPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Len(t, lastResetCode, 0)\n\n\tadmin.Status = 1\n\tadmin, _, err = httpdtest.UpdateAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodPost, webAdminForgotPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.GreaterOrEqual(t, len(lastResetCode), 20)\n\n\tform = make(url.Values)\n\treq, err = http.NewRequest(http.MethodPost, webAdminResetPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\t// no password\n\tform.Set(csrfFormToken, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webAdminResetPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorChangePwdGeneric)\n\t// no code\n\tform.Set(\"password\", defaultPassword)\n\tform.Set(\"confirm_password\", defaultPassword)\n\treq, err = http.NewRequest(http.MethodPost, webAdminResetPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorChangePwdGeneric)\n\t// disable the admin\n\tadmin.Status = 0\n\tadmin, _, err = httpdtest.UpdateAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\tform.Set(\"code\", lastResetCode)\n\treq, err = http.NewRequest(http.MethodPost, webAdminResetPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorChangePwdGeneric)\n\n\tadmin.Status = 1\n\tadmin, _, err = httpdtest.UpdateAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\t// ok\n\treq, err = http.NewRequest(http.MethodPost, webAdminResetPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\n\tloginCookie, csrfToken, err = getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"username\", altAdminUsername)\n\treq, err = http.NewRequest(http.MethodPost, webAdminForgotPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.GreaterOrEqual(t, len(lastResetCode), 20)\n\n\t// not working smtp server\n\tsmtpCfg = smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 3526,\n\t\tFrom: \"notification@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\tform = make(url.Values)\n\tform.Set(\"username\", altAdminUsername)\n\tform.Set(csrfFormToken, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webAdminForgotPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorPwdResetSendEmail)\n\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\tform.Set(\"username\", altAdminUsername)\n\tform.Set(csrfFormToken, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webAdminForgotPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorPwdResetGeneric)\n\n\treq, err = http.NewRequest(http.MethodGet, webAdminForgotPwdPath, nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webAdminResetPwdPath, nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\tadmin, _, err = httpdtest.GetAdminByUsername(admin.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.False(t, admin.Filters.RequirePasswordChange)\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestUserForgotPassword(t *testing.T) {\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 3525,\n\t\tFrom: \"notification@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr := smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\tu := getTestUser()\n\tu.Email = \"user@test.com\"\n\tu.Filters.WebClient = []string{sdk.WebClientPasswordResetDisabled}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodGet, webClientForgotPwdPath, nil)\n\tassert.NoError(t, err)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientResetPwdPath, nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientLoginPath, nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\tloginCookie, csrfToken, err := getCSRFTokenMock(webClientLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\n\tform := make(url.Values)\n\tform.Set(\"username\", \"\")\n\t// no csrf token\n\treq, err = http.NewRequest(http.MethodPost, webClientForgotPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\t// empty username\n\tform.Set(csrfFormToken, csrfToken)\n\treq, err = http.NewRequest(http.MethodPost, webClientForgotPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorUsernameRequired)\n\t// user cannot reset the password\n\tform.Set(\"username\", user.Username)\n\treq, err = http.NewRequest(http.MethodPost, webClientForgotPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorPwdResetForbidded)\n\tuser.ExpirationDate = util.GetTimeAsMsSinceEpoch(time.Now().Add(-1 * time.Hour))\n\tuser.Filters.WebClient = []string{sdk.WebClientAPIKeyAuthChangeDisabled}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\t// user is expired\n\tlastResetCode = \"\"\n\treq, err = http.NewRequest(http.MethodPost, webClientForgotPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Len(t, lastResetCode, 0)\n\n\tuser.ExpirationDate = util.GetTimeAsMsSinceEpoch(time.Now().Add(24 * time.Hour))\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webClientForgotPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.GreaterOrEqual(t, len(lastResetCode), 20)\n\t// no login token\n\tform = make(url.Values)\n\treq, err = http.NewRequest(http.MethodPost, webClientResetPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\t// no password\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"password\", \"\")\n\tform.Set(\"confirm_password\", \"\")\n\treq, err = http.NewRequest(http.MethodPost, webClientResetPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorChangePwdGeneric)\n\t// passwords mismatch\n\tform.Set(\"password\", altAdminPassword)\n\tform.Set(\"code\", lastResetCode)\n\treq, err = http.NewRequest(http.MethodPost, webClientResetPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorChangePwdNoMatch)\n\t// no code\n\tform.Del(\"code\")\n\tform.Set(\"confirm_password\", altAdminPassword)\n\treq, err = http.NewRequest(http.MethodPost, webClientResetPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorChangePwdGeneric)\n\t// Invalid login condition\n\tform.Set(\"code\", lastResetCode)\n\tuser.Filters.DeniedProtocols = []string{common.ProtocolHTTP}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webClientResetPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorChangePwdGeneric)\n\t// ok\n\tuser.Filters.DeniedProtocols = []string{common.ProtocolFTP}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webClientResetPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\n\tloginCookie, csrfToken, err = getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tassert.NoError(t, err)\n\tform = make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"username\", user.Username)\n\tlastResetCode = \"\"\n\treq, err = http.NewRequest(http.MethodPost, webClientForgotPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.GreaterOrEqual(t, len(lastResetCode), 20)\n\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientForgotPwdPath, nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientResetPwdPath, nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t// user does not exist anymore\n\tform = make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"code\", lastResetCode)\n\tform.Set(\"password\", \"pwd\")\n\tform.Set(\"confirm_password\", \"pwd\")\n\treq, err = http.NewRequest(http.MethodPost, webClientResetPwdPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorChangePwdGeneric)\n}\n\nfunc TestAPIForgotPassword(t *testing.T) {\n\tsmtpCfg := smtp.Config{\n\t\tHost: \"127.0.0.1\",\n\t\tPort: 3525,\n\t\tFrom: \"notification@example.com\",\n\t\tTemplatesPath: \"templates\",\n\t}\n\terr := smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\ta := getTestAdmin()\n\ta.Username = altAdminUsername\n\ta.Password = altAdminPassword\n\ta.Email = \"\"\n\tadmin, _, err := httpdtest.AddAdmin(a, http.StatusCreated)\n\tassert.NoError(t, err)\n\t// no email, forgot pwd will not work\n\tlastResetCode = \"\"\n\treq, err := http.NewRequest(http.MethodPost, path.Join(adminPath, altAdminUsername, \"/forgot-password\"), nil)\n\tassert.NoError(t, err)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"Your account does not have an email address\")\n\n\tadmin.Email = \"admin@test.com\"\n\tadmin, _, err = httpdtest.UpdateAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodPost, path.Join(adminPath, altAdminUsername, \"/forgot-password\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.GreaterOrEqual(t, len(lastResetCode), 20)\n\n\t// invalid JSON\n\treq, err = http.NewRequest(http.MethodPost, path.Join(adminPath, altAdminUsername, \"/reset-password\"), bytes.NewBuffer([]byte(`{`)))\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\n\tresetReq := make(map[string]string)\n\tresetReq[\"code\"] = lastResetCode\n\tresetReq[\"password\"] = defaultPassword\n\tasJSON, err := json.Marshal(resetReq)\n\tassert.NoError(t, err)\n\n\t// a user cannot use an admin code\n\treq, err = http.NewRequest(http.MethodPost, path.Join(userPath, defaultUsername, \"/reset-password\"), bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"invalid confirmation code\")\n\n\treq, err = http.NewRequest(http.MethodPost, path.Join(adminPath, altAdminUsername, \"/reset-password\"), bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\t// the same code cannot be reused\n\treq, err = http.NewRequest(http.MethodPost, path.Join(adminPath, altAdminUsername, \"/reset-password\"), bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"confirmation code not found\")\n\n\tadmin, err = dataprovider.AdminExists(altAdminUsername)\n\tassert.NoError(t, err)\n\n\tmatch, err := admin.CheckPassword(defaultPassword)\n\tassert.NoError(t, err)\n\tassert.True(t, match)\n\tlastResetCode = \"\"\n\t// now the same for a user\n\tu := getTestUser()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(userPath, defaultUsername, \"/forgot-password\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"Your account does not have an email address\")\n\n\tuser.Email = \"user@test.com\"\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(userPath, defaultUsername, \"/forgot-password\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.GreaterOrEqual(t, len(lastResetCode), 20)\n\n\t// invalid JSON\n\treq, err = http.NewRequest(http.MethodPost, path.Join(userPath, defaultUsername, \"/reset-password\"), bytes.NewBuffer([]byte(`{`)))\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\t// remove the reset password permission\n\tuser.Filters.WebClient = []string{sdk.WebClientPasswordResetDisabled}\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\tresetReq[\"code\"] = lastResetCode\n\tresetReq[\"password\"] = altAdminPassword\n\tasJSON, err = json.Marshal(resetReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(userPath, defaultUsername, \"/reset-password\"), bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"you are not allowed to reset your password\")\n\n\tuser.Filters.WebClient = []string{sdk.WebClientSharesDisabled}\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(userPath, defaultUsername, \"/reset-password\"), bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\t// the same code cannot be reused\n\treq, err = http.NewRequest(http.MethodPost, path.Join(userPath, defaultUsername, \"/reset-password\"), bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"confirmation code not found\")\n\n\tuser, err = dataprovider.UserExists(defaultUsername, \"\")\n\tassert.NoError(t, err)\n\terr = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(altAdminPassword))\n\tassert.NoError(t, err)\n\n\tlastResetCode = \"\"\n\t// a request for a missing admin/user will be silently ignored\n\treq, err = http.NewRequest(http.MethodPost, path.Join(adminPath, \"missing-admin\", \"/forgot-password\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Empty(t, lastResetCode)\n\n\treq, err = http.NewRequest(http.MethodPost, path.Join(userPath, \"missing-user\", \"/forgot-password\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.Empty(t, lastResetCode)\n\n\tlastResetCode = \"\"\n\treq, err = http.NewRequest(http.MethodPost, path.Join(adminPath, altAdminUsername, \"/forgot-password\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\tassert.GreaterOrEqual(t, len(lastResetCode), 20)\n\n\tsmtpCfg = smtp.Config{}\n\terr = smtpCfg.Initialize(configDir, true)\n\trequire.NoError(t, err)\n\n\t// without an smtp configuration reset password is not available\n\treq, err = http.NewRequest(http.MethodPost, path.Join(adminPath, altAdminUsername, \"/forgot-password\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"No SMTP configuration\")\n\n\treq, err = http.NewRequest(http.MethodPost, path.Join(userPath, defaultUsername, \"/forgot-password\"), nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"No SMTP configuration\")\n\n\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\tassert.NoError(t, err)\n\t// the admin does not exist anymore\n\tresetReq[\"code\"] = lastResetCode\n\tresetReq[\"password\"] = altAdminPassword\n\tasJSON, err = json.Marshal(resetReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, path.Join(adminPath, altAdminUsername, \"/reset-password\"), bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusBadRequest, rr)\n\tassert.Contains(t, rr.Body.String(), \"unable to associate the confirmation code with an existing admin\")\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestProviderClosedMock(t *testing.T) {\n\ttoken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webConfigsPath, token)\n\tassert.NoError(t, err)\n\t// create a role admin\n\trole, resp, err := httpdtest.AddRole(getTestRole(), http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\ta := getTestAdmin()\n\ta.Username = altAdminUsername\n\ta.Password = altAdminPassword\n\ta.Role = role.Name\n\ta.Permissions = []string{dataprovider.PermAdminAddUsers, dataprovider.PermAdminChangeUsers,\n\t\tdataprovider.PermAdminDeleteUsers, dataprovider.PermAdminViewUsers}\n\tadmin, _, err := httpdtest.AddAdmin(a, http.StatusCreated)\n\tassert.NoError(t, err)\n\taltToken, err := getJWTWebTokenFromTestServer(altAdminUsername, altAdminPassword)\n\tassert.NoError(t, err)\n\n\tdataprovider.Close()\n\n\ttestReq := make(map[string]any)\n\ttestReq[\"password\"] = redactedSecret\n\tasJSON, err := json.Marshal(testReq)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, path.Join(webConfigsPath, \"smtp\", \"test\"), bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"X-CSRF-TOKEN\", csrfToken)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\n\ttestReq[\"base_redirect_url\"] = \"http://localhost\"\n\ttestReq[\"client_secret\"] = redactedSecret\n\tasJSON, err = json.Marshal(testReq)\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webOAuth2TokenPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"X-CSRF-TOKEN\", csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webConfigsPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, webConfigsPath, nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\n\tgetJSONFolders := func() {\n\t\tdefer func() {\n\t\t\trcv := recover()\n\t\t\tassert.Equal(t, http.ErrAbortHandler, rcv)\n\t\t}()\n\t\treq, _ := http.NewRequest(http.MethodGet, webFoldersPath+jsonAPISuffix, nil)\n\t\tsetJWTCookieForReq(req, token)\n\t\texecuteRequest(req)\n\t}\n\tgetJSONFolders()\n\n\tgetJSONGroups := func() {\n\t\tdefer func() {\n\t\t\trcv := recover()\n\t\t\tassert.Equal(t, http.ErrAbortHandler, rcv)\n\t\t}()\n\t\treq, _ := http.NewRequest(http.MethodGet, webGroupsPath+jsonAPISuffix, nil)\n\t\tsetJWTCookieForReq(req, token)\n\t\texecuteRequest(req)\n\t}\n\tgetJSONGroups()\n\n\tgetJSONUsers := func() {\n\t\tdefer func() {\n\t\t\trcv := recover()\n\t\t\tassert.Equal(t, http.ErrAbortHandler, rcv)\n\t\t}()\n\t\treq, _ := http.NewRequest(http.MethodGet, webUsersPath+jsonAPISuffix, nil)\n\t\tsetJWTCookieForReq(req, token)\n\t\texecuteRequest(req)\n\t}\n\tgetJSONUsers()\n\n\treq, _ = http.NewRequest(http.MethodGet, webUserPath+\"/0\", nil)\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\tform := make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"username\", \"test\")\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath+\"/0\", strings.NewReader(form.Encode()))\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(webAdminPath, defaultTokenAuthUser), nil)\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webAdminPath, defaultTokenAuthUser), strings.NewReader(form.Encode()))\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\n\tgetJSONAdmins := func() {\n\t\tdefer func() {\n\t\t\trcv := recover()\n\t\t\tassert.Equal(t, http.ErrAbortHandler, rcv)\n\t\t}()\n\t\treq, _ := http.NewRequest(http.MethodGet, webAdminsPath+jsonAPISuffix, nil)\n\t\tsetJWTCookieForReq(req, token)\n\t\texecuteRequest(req)\n\t}\n\tgetJSONAdmins()\n\n\treq, _ = http.NewRequest(http.MethodGet, path.Join(webFolderPath, defaultTokenAuthUser), nil)\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webFolderPath, defaultTokenAuthUser), strings.NewReader(form.Encode()))\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, strings.NewReader(form.Encode()))\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\n\treq, _ = http.NewRequest(http.MethodPost, webUserPath, strings.NewReader(form.Encode()))\n\tsetJWTCookieForReq(req, altToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, webIPListPath+\"/1/a\", nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, webIPListPath+\"/1/a\", nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\n\tgetJSONRoles := func() {\n\t\tdefer func() {\n\t\t\trcv := recover()\n\t\t\tassert.Equal(t, http.ErrAbortHandler, rcv)\n\t\t}()\n\t\treq, err := http.NewRequest(http.MethodGet, webAdminRolesPath+jsonAPISuffix, nil)\n\t\tassert.NoError(t, err)\n\t\tsetJWTCookieForReq(req, token)\n\t\texecuteRequest(req)\n\t}\n\tgetJSONRoles()\n\n\treq, err = http.NewRequest(http.MethodGet, path.Join(webAdminRolePath, role.Name), nil)\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminRolePath, role.Name), strings.NewReader(form.Encode()))\n\tassert.NoError(t, err)\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusInternalServerError, rr)\n\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\tproviderConf.BackupsPath = backupsPath\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\tif config.GetProviderConf().Driver != dataprovider.MemoryDataProviderName {\n\t\t_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\t_, err = httpdtest.RemoveRole(role, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t}\n}\n\nfunc TestWebConnectionsMock(t *testing.T) {\n\ttoken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodGet, webConnectionsPath, nil)\n\tsetJWTCookieForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(webConnectionsPath, \"id\"), nil)\n\tsetJWTCookieForReq(req, token)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token\")\n\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(webConnectionsPath, \"id\"), nil)\n\tsetJWTCookieForReq(req, token)\n\tsetCSRFHeaderForReq(req, \"csrfToken\")\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusForbidden, rr)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token\")\n\n\tcsrfToken, err := getCSRFTokenFromInternalPageMock(webUserPath, token)\n\tassert.NoError(t, err)\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(webConnectionsPath, \"id\"), nil)\n\tsetJWTCookieForReq(req, token)\n\tsetCSRFHeaderForReq(req, csrfToken)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n}\n\nfunc TestGetWebStatusMock(t *testing.T) {\n\toldConfig := config.GetCommonConfig()\n\n\tcfg := config.GetCommonConfig()\n\tcfg.RateLimitersConfig = []common.RateLimiterConfig{\n\t\t{\n\t\t\tAverage: 1,\n\t\t\tPeriod: 1000,\n\t\t\tBurst: 1,\n\t\t\tType: 1,\n\t\t\tProtocols: []string{common.ProtocolFTP},\n\t\t},\n\t}\n\n\terr := common.Initialize(cfg, 0)\n\tassert.NoError(t, err)\n\n\ttoken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodGet, webStatusPath, nil)\n\tsetJWTCookieForReq(req, token)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\terr = common.Initialize(oldConfig, 0)\n\tassert.NoError(t, err)\n}\n\nfunc TestStaticFilesMock(t *testing.T) {\n\treq, err := http.NewRequest(http.MethodGet, \"/static/favicon.png\", nil)\n\tassert.NoError(t, err)\n\trr := executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, \"/openapi/openapi.yaml\", nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, \"/static\", nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusMovedPermanently, rr)\n\tlocation := rr.Header().Get(\"Location\")\n\tassert.Equal(t, \"/static/\", location)\n\treq, err = http.NewRequest(http.MethodGet, location, nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusNotFound, rr)\n\n\treq, err = http.NewRequest(http.MethodGet, \"/openapi\", nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusMovedPermanently, rr)\n\tlocation = rr.Header().Get(\"Location\")\n\tassert.Equal(t, \"/openapi/\", location)\n\treq, err = http.NewRequest(http.MethodGet, location, nil)\n\tassert.NoError(t, err)\n\trr = executeRequest(req)\n\tcheckResponseCode(t, http.StatusOK, rr)\n}\n\nfunc TestPasswordChangeRequired(t *testing.T) {\n\tuser := getTestUser()\n\tassert.False(t, user.MustChangePassword())\n\tuser.Filters.RequirePasswordChange = true\n\tassert.True(t, user.MustChangePassword())\n\tuser.Filters.RequirePasswordChange = false\n\tassert.False(t, user.MustChangePassword())\n\tuser.Filters.PasswordExpiration = 2\n\tuser.LastPasswordChange = util.GetTimeAsMsSinceEpoch(time.Now())\n\tassert.False(t, user.MustChangePassword())\n\tuser.LastPasswordChange = util.GetTimeAsMsSinceEpoch(time.Now().Add(49 * time.Hour))\n\tassert.False(t, user.MustChangePassword())\n\tuser.LastPasswordChange = util.GetTimeAsMsSinceEpoch(time.Now().Add(-49 * time.Hour))\n\tassert.True(t, user.MustChangePassword())\n}\n\nfunc TestPasswordExpiresIn(t *testing.T) {\n\tuser := getTestUser()\n\tuser.Filters.PasswordExpiration = 30\n\tuser.LastPasswordChange = util.GetTimeAsMsSinceEpoch(time.Now().Add(-15*24*time.Hour + 1*time.Hour))\n\tres := user.PasswordExpiresIn()\n\tassert.Equal(t, 15, res)\n\tuser.Filters.PasswordExpiration = 15\n\tres = user.PasswordExpiresIn()\n\tassert.Equal(t, 1, res)\n\tuser.LastPasswordChange = util.GetTimeAsMsSinceEpoch(time.Now().Add(-15*24*time.Hour - 1*time.Hour))\n\tres = user.PasswordExpiresIn()\n\tassert.Equal(t, 0, res)\n\tuser.Filters.PasswordExpiration = 5\n\tres = user.PasswordExpiresIn()\n\tassert.Equal(t, -10, res)\n}\n\nfunc TestSecondFactorRequirements(t *testing.T) {\n\tuser := getTestUser()\n\tuser.Filters.TwoFactorAuthProtocols = []string{common.ProtocolHTTP, common.ProtocolSSH}\n\tassert.True(t, user.MustSetSecondFactor())\n\tassert.False(t, user.MustSetSecondFactorForProtocol(common.ProtocolFTP))\n\tassert.True(t, user.MustSetSecondFactorForProtocol(common.ProtocolHTTP))\n\tassert.True(t, user.MustSetSecondFactorForProtocol(common.ProtocolSSH))\n\n\tuser.Filters.TOTPConfig.Enabled = true\n\tassert.True(t, user.MustSetSecondFactor())\n\tassert.False(t, user.MustSetSecondFactorForProtocol(common.ProtocolFTP))\n\tassert.True(t, user.MustSetSecondFactorForProtocol(common.ProtocolHTTP))\n\tassert.True(t, user.MustSetSecondFactorForProtocol(common.ProtocolSSH))\n\n\tuser.Filters.TOTPConfig.Protocols = []string{common.ProtocolHTTP}\n\tassert.True(t, user.MustSetSecondFactor())\n\tassert.False(t, user.MustSetSecondFactorForProtocol(common.ProtocolFTP))\n\tassert.False(t, user.MustSetSecondFactorForProtocol(common.ProtocolHTTP))\n\tassert.True(t, user.MustSetSecondFactorForProtocol(common.ProtocolSSH))\n\n\tuser.Filters.TOTPConfig.Protocols = []string{common.ProtocolHTTP, common.ProtocolSSH}\n\tassert.False(t, user.MustSetSecondFactor())\n\tassert.False(t, user.MustSetSecondFactorForProtocol(common.ProtocolFTP))\n\tassert.False(t, user.MustSetSecondFactorForProtocol(common.ProtocolHTTP))\n\tassert.False(t, user.MustSetSecondFactorForProtocol(common.ProtocolSSH))\n}\n\nfunc TestIsNameValid(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\tinput string\n\t\texpected bool\n\t}{\n\t\t{\"simple name\", \"user\", true},\n\t\t{\"alphanumeric\", \"User123\", true},\n\t\t{\"unicode allowed\", \"你好\", true},\n\t\t{\"emoji allowed\", \"user😊\", true},\n\t\t{\"name with dot\", \"file.txt\", true},\n\t\t{\"name with multiple dots\", \"archive.tar.gz\", true},\n\t\t{\"control char\", \"abc\\u0001\", false},\n\t\t{\"newline\", \"abc\\n\", false},\n\t\t{\"tab\", \"abc\\t\", false},\n\t\t{\"slash\", \"user/name\", false},\n\t\t{\"backslash\", \"user\\\\name\", false},\n\t\t{\"colon\", \"user:name\", false},\n\t\t{\"single dot\", \".\", false},\n\t\t{\"double dot\", \"..\", false},\n\t\t{\"dot with suffix allowed\", \".hidden\", true},\n\t\t{\"name ending with dot\", \"file.\", false},\n\t\t{\"name ending with space\", \"file \", false},\n\t\t{\"CON\", \"CON\", false},\n\t\t{\"con lowercase\", \"con\", false},\n\t\t{\"con with extension\", \"con.txt\", false},\n\t\t{\"LPT1\", \"LPT1\", false},\n\t\t{\"lpt1 lowercase\", \"lpt1\", false},\n\t\t{\"COM5 uppercase\", \"COM5\", false},\n\t\t{\"com9 with extension\", \"com9.log\", false},\n\t\t{\"NUL\", \"NUL\", false},\n\t\t{\"Valid because suffix changes base\", \"con123\", true},\n\t\t{\"base name split\", \"aux.pdf\", false},\n\t\t{\"valid long name\", \"auxiliary\", true},\n\t\t{\"space only\", \" \", false},\n\t\t{\"dot inside\", \"ab.cd.ef\", true},\n\t\t{\"unicode that ends with dot\", \"你好.\", false},\n\t\t{\"unicode that ends with space\", \"你好 \", false},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tresult := util.IsNameValid(tt.input)\n\t\t\tif result != tt.expected {\n\t\t\t\tt.Errorf(\"IsNameValid(%q) = %v, expected %v\", tt.input, result, tt.expected)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc startOIDCMockServer() {\n\tgo func() {\n\t\thttp.HandleFunc(\"/\", func(w http.ResponseWriter, _ *http.Request) {\n\t\t\tfmt.Fprintf(w, \"OK\\n\")\n\t\t})\n\t\thttp.HandleFunc(\"/auth/realms/sftpgo/.well-known/openid-configuration\", func(w http.ResponseWriter, _ *http.Request) {\n\t\t\tw.Header().Set(\"Content-Type\", \"application/json\")\n\t\t\tfmt.Fprintf(w, `{\"issuer\":\"http://127.0.0.1:11111/auth/realms/sftpgo\",\"authorization_endpoint\":\"http://127.0.0.1:11111/auth/realms/sftpgo/protocol/openid-connect/auth\",\"token_endpoint\":\"http://127.0.0.1:11111/auth/realms/sftpgo/protocol/openid-connect/token\",\"introspection_endpoint\":\"http://127.0.0.1:11111/auth/realms/sftpgo/protocol/openid-connect/token/introspect\",\"userinfo_endpoint\":\"http://127.0.0.1:11111/auth/realms/sftpgo/protocol/openid-connect/userinfo\",\"end_session_endpoint\":\"http://127.0.0.1:11111/auth/realms/sftpgo/protocol/openid-connect/logout\",\"frontchannel_logout_session_supported\":true,\"frontchannel_logout_supported\":true,\"jwks_uri\":\"http://127.0.0.1:11111/auth/realms/sftpgo/protocol/openid-connect/certs\",\"check_session_iframe\":\"http://127.0.0.1:11111/auth/realms/sftpgo/protocol/openid-connect/login-status-iframe.html\",\"grant_types_supported\":[\"authorization_code\",\"implicit\",\"refresh_token\",\"password\",\"client_credentials\",\"urn:ietf:params:oauth:grant-type:device_code\",\"urn:openid:params:grant-type:ciba\"],\"response_types_supported\":[\"code\",\"none\",\"id_token\",\"token\",\"id_token token\",\"code id_token\",\"code token\",\"code id_token token\"],\"subject_types_supported\":[\"public\",\"pairwise\"],\"id_token_signing_alg_values_supported\":[\"PS384\",\"ES384\",\"RS384\",\"HS256\",\"HS512\",\"ES256\",\"RS256\",\"HS384\",\"ES512\",\"PS256\",\"PS512\",\"RS512\"],\"id_token_encryption_alg_values_supported\":[\"RSA-OAEP\",\"RSA-OAEP-256\",\"RSA1_5\"],\"id_token_encryption_enc_values_supported\":[\"A256GCM\",\"A192GCM\",\"A128GCM\",\"A128CBC-HS256\",\"A192CBC-HS384\",\"A256CBC-HS512\"],\"userinfo_signing_alg_values_supported\":[\"PS384\",\"ES384\",\"RS384\",\"HS256\",\"HS512\",\"ES256\",\"RS256\",\"HS384\",\"ES512\",\"PS256\",\"PS512\",\"RS512\",\"none\"],\"request_object_signing_alg_values_supported\":[\"PS384\",\"ES384\",\"RS384\",\"HS256\",\"HS512\",\"ES256\",\"RS256\",\"HS384\",\"ES512\",\"PS256\",\"PS512\",\"RS512\",\"none\"],\"request_object_encryption_alg_values_supported\":[\"RSA-OAEP\",\"RSA-OAEP-256\",\"RSA1_5\"],\"request_object_encryption_enc_values_supported\":[\"A256GCM\",\"A192GCM\",\"A128GCM\",\"A128CBC-HS256\",\"A192CBC-HS384\",\"A256CBC-HS512\"],\"response_modes_supported\":[\"query\",\"fragment\",\"form_post\",\"query.jwt\",\"fragment.jwt\",\"form_post.jwt\",\"jwt\"],\"registration_endpoint\":\"http://127.0.0.1:11111/auth/realms/sftpgo/clients-registrations/openid-connect\",\"token_endpoint_auth_methods_supported\":[\"private_key_jwt\",\"client_secret_basic\",\"client_secret_post\",\"tls_client_auth\",\"client_secret_jwt\"],\"token_endpoint_auth_signing_alg_values_supported\":[\"PS384\",\"ES384\",\"RS384\",\"HS256\",\"HS512\",\"ES256\",\"RS256\",\"HS384\",\"ES512\",\"PS256\",\"PS512\",\"RS512\"],\"introspection_endpoint_auth_methods_supported\":[\"private_key_jwt\",\"client_secret_basic\",\"client_secret_post\",\"tls_client_auth\",\"client_secret_jwt\"],\"introspection_endpoint_auth_signing_alg_values_supported\":[\"PS384\",\"ES384\",\"RS384\",\"HS256\",\"HS512\",\"ES256\",\"RS256\",\"HS384\",\"ES512\",\"PS256\",\"PS512\",\"RS512\"],\"authorization_signing_alg_values_supported\":[\"PS384\",\"ES384\",\"RS384\",\"HS256\",\"HS512\",\"ES256\",\"RS256\",\"HS384\",\"ES512\",\"PS256\",\"PS512\",\"RS512\"],\"authorization_encryption_alg_values_supported\":[\"RSA-OAEP\",\"RSA-OAEP-256\",\"RSA1_5\"],\"authorization_encryption_enc_values_supported\":[\"A256GCM\",\"A192GCM\",\"A128GCM\",\"A128CBC-HS256\",\"A192CBC-HS384\",\"A256CBC-HS512\"],\"claims_supported\":[\"aud\",\"sub\",\"iss\",\"auth_time\",\"name\",\"given_name\",\"family_name\",\"preferred_username\",\"email\",\"acr\"],\"claim_types_supported\":[\"normal\"],\"claims_parameter_supported\":true,\"scopes_supported\":[\"openid\",\"phone\",\"email\",\"web-origins\",\"offline_access\",\"microprofile-jwt\",\"profile\",\"address\",\"roles\"],\"request_parameter_supported\":true,\"request_uri_parameter_supported\":true,\"require_request_uri_registration\":true,\"code_challenge_methods_supported\":[\"plain\",\"S256\"],\"tls_client_certificate_bound_access_tokens\":true,\"revocation_endpoint\":\"http://127.0.0.1:11111/auth/realms/sftpgo/protocol/openid-connect/revoke\",\"revocation_endpoint_auth_methods_supported\":[\"private_key_jwt\",\"client_secret_basic\",\"client_secret_post\",\"tls_client_auth\",\"client_secret_jwt\"],\"revocation_endpoint_auth_signing_alg_values_supported\":[\"PS384\",\"ES384\",\"RS384\",\"HS256\",\"HS512\",\"ES256\",\"RS256\",\"HS384\",\"ES512\",\"PS256\",\"PS512\",\"RS512\"],\"backchannel_logout_supported\":true,\"backchannel_logout_session_supported\":true,\"device_authorization_endpoint\":\"http://127.0.0.1:11111/auth/realms/sftpgo/protocol/openid-connect/auth/device\",\"backchannel_token_delivery_modes_supported\":[\"poll\",\"ping\"],\"backchannel_authentication_endpoint\":\"http://127.0.0.1:11111/auth/realms/sftpgo/protocol/openid-connect/ext/ciba/auth\",\"backchannel_authentication_request_signing_alg_values_supported\":[\"PS384\",\"ES384\",\"RS384\",\"ES256\",\"RS256\",\"ES512\",\"PS256\",\"PS512\",\"RS512\"],\"require_pushed_authorization_requests\":false,\"pushed_authorization_request_endpoint\":\"http://127.0.0.1:11111/auth/realms/sftpgo/protocol/openid-connect/ext/par/request\",\"mtls_endpoint_aliases\":{\"token_endpoint\":\"http://127.0.0.1:11111/auth/realms/sftpgo/protocol/openid-connect/token\",\"revocation_endpoint\":\"http://127.0.0.1:11111/auth/realms/sftpgo/protocol/openid-connect/revoke\",\"introspection_endpoint\":\"http://127.0.0.1:11111/auth/realms/sftpgo/protocol/openid-connect/token/introspect\",\"device_authorization_endpoint\":\"http://127.0.0.1:11111/auth/realms/sftpgo/protocol/openid-connect/auth/device\",\"registration_endpoint\":\"http://127.0.0.1:11111/auth/realms/sftpgo/clients-registrations/openid-connect\",\"userinfo_endpoint\":\"http://127.0.0.1:11111/auth/realms/sftpgo/protocol/openid-connect/userinfo\",\"pushed_authorization_request_endpoint\":\"http://127.0.0.1:11111/auth/realms/sftpgo/protocol/openid-connect/ext/par/request\",\"backchannel_authentication_endpoint\":\"http://127.0.0.1:11111/auth/realms/sftpgo/protocol/openid-connect/ext/ciba/auth\"}}`)\n\t\t})\n\t\thttp.HandleFunc(\"/404\", func(w http.ResponseWriter, _ *http.Request) {\n\t\t\tw.WriteHeader(http.StatusNotFound)\n\t\t\tfmt.Fprintf(w, \"Not found\\n\")\n\t\t})\n\t\tif err := http.ListenAndServe(oidcMockAddr, nil); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start HTTP notification server: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}()\n\twaitTCPListening(oidcMockAddr)\n}\n\nfunc waitForUsersQuotaScan(t *testing.T, token string) {\n\tfor {\n\t\tvar scans []common.ActiveQuotaScan\n\t\treq, _ := http.NewRequest(http.MethodGet, quotaScanPath, nil)\n\t\tsetBearerForReq(req, token)\n\t\trr := executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusOK, rr)\n\t\terr := render.DecodeJSON(rr.Body, &scans)\n\n\t\tif !assert.NoError(t, err, \"Error getting active scans\") {\n\t\t\tbreak\n\t\t}\n\t\tif len(scans) == 0 {\n\t\t\tbreak\n\t\t}\n\t\ttime.Sleep(100 * time.Millisecond)\n\t}\n}\n\nfunc waitForFoldersQuotaScanPath(t *testing.T, token string) {\n\tvar scans []common.ActiveVirtualFolderQuotaScan\n\tfor {\n\t\treq, _ := http.NewRequest(http.MethodGet, quotaScanVFolderPath, nil)\n\t\tsetBearerForReq(req, token)\n\t\trr := executeRequest(req)\n\t\tcheckResponseCode(t, http.StatusOK, rr)\n\t\terr := render.DecodeJSON(rr.Body, &scans)\n\t\tif !assert.NoError(t, err, \"Error getting active folders scans\") {\n\t\t\tbreak\n\t\t}\n\t\tif len(scans) == 0 {\n\t\t\tbreak\n\t\t}\n\t\ttime.Sleep(100 * time.Millisecond)\n\t}\n}\n\nfunc waitTCPListening(address string) {\n\tfor {\n\t\tconn, err := net.Dial(\"tcp\", address)\n\t\tif err != nil {\n\t\t\tlogger.WarnToConsole(\"tcp server %v not listening: %v\", address, err)\n\t\t\ttime.Sleep(100 * time.Millisecond)\n\t\t\tcontinue\n\t\t}\n\t\tlogger.InfoToConsole(\"tcp server %v now listening\", address)\n\t\tconn.Close()\n\t\tbreak\n\t}\n}\n\nfunc startSMTPServer() {\n\tgo func() {\n\t\tif err := smtpd.ListenAndServe(smtpServerAddr, func(_ net.Addr, _ string, _ []string, data []byte) error {\n\t\t\tre := regexp.MustCompile(`code is \".*?\"`)\n\t\t\tcode := strings.TrimPrefix(string(re.Find(data)), \"code is \")\n\t\t\tlastResetCode = strings.ReplaceAll(code, \"\\\"\", \"\")\n\t\t\treturn nil\n\t\t}, \"SFTPGo test\", \"localhost\"); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start SMTP server: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}()\n\twaitTCPListening(smtpServerAddr)\n}\n\nfunc getTestAdmin() dataprovider.Admin {\n\treturn dataprovider.Admin{\n\t\tUsername: defaultTokenAuthUser,\n\t\tPassword: defaultTokenAuthPass,\n\t\tStatus: 1,\n\t\tPermissions: []string{dataprovider.PermAdminAny},\n\t\tEmail: \"admin@example.com\",\n\t\tDescription: \"test admin\",\n\t}\n}\n\nfunc getTestGroup() dataprovider.Group {\n\treturn dataprovider.Group{\n\t\tBaseGroup: sdk.BaseGroup{\n\t\t\tName: \"test_group\",\n\t\t\tDescription: \"test group description\",\n\t\t},\n\t}\n}\n\nfunc getTestRole() dataprovider.Role {\n\treturn dataprovider.Role{\n\t\tName: \"test_role\",\n\t\tDescription: \"test role description\",\n\t}\n}\n\nfunc getTestUser() dataprovider.User {\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: defaultUsername,\n\t\t\tPassword: defaultPassword,\n\t\t\tHomeDir: filepath.Join(homeBasePath, defaultUsername),\n\t\t\tStatus: 1,\n\t\t\tDescription: \"test user\",\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = defaultPerms\n\treturn user\n}\n\nfunc getTestSFTPUser() dataprovider.User {\n\tu := getTestUser()\n\tu.Username = u.Username + \"_sftp\"\n\tu.FsConfig.Provider = sdk.SFTPFilesystemProvider\n\tu.FsConfig.SFTPConfig.Endpoint = sftpServerAddr\n\tu.FsConfig.SFTPConfig.Username = defaultUsername\n\tu.FsConfig.SFTPConfig.Password = kms.NewPlainSecret(defaultPassword)\n\treturn u\n}\n\nfunc getUserAsJSON(t *testing.T, user dataprovider.User) []byte {\n\tjson, err := json.Marshal(user)\n\tassert.NoError(t, err)\n\treturn json\n}\n\nfunc getCSRFTokenFromInternalPageMock(urlPath, token string) (string, error) {\n\treq, err := http.NewRequest(http.MethodGet, urlPath, nil)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treq.RequestURI = urlPath\n\tsetJWTCookieForReq(req, token)\n\trr := executeRequest(req)\n\tif rr.Code != http.StatusOK {\n\t\treturn \"\", fmt.Errorf(\"unexpected status code: %d\", rr.Code)\n\t}\n\treturn getCSRFTokenFromBody(rr.Body)\n}\n\nfunc getCSRFTokenMock(loginURLPath, remoteAddr string) (string, string, error) {\n\treq, err := http.NewRequest(http.MethodGet, loginURLPath, nil)\n\tif err != nil {\n\t\treturn \"\", \"\", err\n\t}\n\treq.RemoteAddr = remoteAddr\n\trr := executeRequest(req)\n\tcookie := rr.Header().Get(\"Set-Cookie\")\n\tif cookie == \"\" {\n\t\treturn \"\", \"\", errors.New(\"unable to get login cookie\")\n\t}\n\ttoken, err := getCSRFTokenFromBody(bytes.NewBuffer(rr.Body.Bytes()))\n\treturn cookie, token, err\n}\n\nfunc getCSRFToken(url string) (string, string, error) {\n\treq, err := http.NewRequest(http.MethodGet, url, nil)\n\tif err != nil {\n\t\treturn \"\", \"\", err\n\t}\n\tresp, err := httpclient.GetHTTPClient().Do(req)\n\tif err != nil {\n\t\treturn \"\", \"\", err\n\t}\n\tcookie := resp.Header.Get(\"Set-Cookie\")\n\tif cookie == \"\" {\n\t\treturn \"\", \"\", errors.New(\"no login cookie\")\n\t}\n\n\tdefer resp.Body.Close()\n\n\ttoken, err := getCSRFTokenFromBody(resp.Body)\n\treturn cookie, token, err\n}\n\nfunc getCSRFTokenFromBody(body io.Reader) (string, error) {\n\tdoc, err := html.Parse(body)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\tvar csrfToken string\n\tvar f func(*html.Node)\n\n\tf = func(n *html.Node) {\n\t\tif n.Type == html.ElementNode && n.Data == \"input\" {\n\t\t\tvar name, value string\n\t\t\tfor _, attr := range n.Attr {\n\t\t\t\tif attr.Key == \"value\" {\n\t\t\t\t\tvalue = attr.Val\n\t\t\t\t}\n\t\t\t\tif attr.Key == \"name\" {\n\t\t\t\t\tname = attr.Val\n\t\t\t\t}\n\t\t\t}\n\t\t\tif name == csrfFormToken {\n\t\t\t\tcsrfToken = value\n\t\t\t\treturn\n\t\t\t}\n\t\t}\n\n\t\tfor c := n.FirstChild; c != nil; c = c.NextSibling {\n\t\t\tf(c)\n\t\t}\n\t}\n\n\tf(doc)\n\n\tif csrfToken == \"\" {\n\t\treturn \"\", errors.New(\"CSRF token not found\")\n\t}\n\n\treturn csrfToken, nil\n}\n\nfunc getLoginForm(username, password, csrfToken string) url.Values {\n\tform := make(url.Values)\n\tform.Set(\"username\", username)\n\tform.Set(\"password\", password)\n\tform.Set(csrfFormToken, csrfToken)\n\treturn form\n}\n\nfunc setCSRFHeaderForReq(req *http.Request, csrfToken string) {\n\treq.Header.Set(\"X-CSRF-TOKEN\", csrfToken)\n}\n\nfunc setBearerForReq(req *http.Request, jwtToken string) {\n\treq.Header.Set(\"Authorization\", fmt.Sprintf(\"Bearer %v\", jwtToken))\n}\n\nfunc setAPIKeyForReq(req *http.Request, apiKey, username string) {\n\tif username != \"\" {\n\t\tapiKey += \".\" + username\n\t}\n\treq.Header.Set(\"X-SFTPGO-API-KEY\", apiKey)\n}\n\nfunc setLoginCookie(req *http.Request, cookie string) {\n\treq.Header.Set(\"Cookie\", cookie)\n}\n\nfunc setJWTCookieForReq(req *http.Request, jwtToken string) {\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Cookie\", fmt.Sprintf(\"jwt=%v\", jwtToken))\n}\n\nfunc getJWTAPITokenFromTestServer(username, password string) (string, error) {\n\treturn getJWTAPITokenFromTestServerWithPasscode(username, password, \"\")\n}\n\nfunc getJWTAPITokenFromTestServerWithPasscode(username, password, passcode string) (string, error) {\n\treq, _ := http.NewRequest(http.MethodGet, tokenPath, nil)\n\treq.SetBasicAuth(username, password)\n\tif passcode != \"\" {\n\t\treq.Header.Set(\"X-SFTPGO-OTP\", passcode)\n\t}\n\trr := executeRequest(req)\n\tif rr.Code != http.StatusOK {\n\t\treturn \"\", fmt.Errorf(\"unexpected status code %v\", rr.Code)\n\t}\n\tresponseHolder := make(map[string]any)\n\terr := render.DecodeJSON(rr.Body, &responseHolder)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn responseHolder[\"access_token\"].(string), nil\n}\n\nfunc getJWTAPIUserTokenFromTestServer(username, password string) (string, error) {\n\treq, _ := http.NewRequest(http.MethodGet, userTokenPath, nil)\n\treq.SetBasicAuth(username, password)\n\trr := executeRequest(req)\n\tif rr.Code != http.StatusOK {\n\t\treturn \"\", fmt.Errorf(\"unexpected status code %v\", rr.Code)\n\t}\n\tresponseHolder := make(map[string]any)\n\terr := render.DecodeJSON(rr.Body, &responseHolder)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn responseHolder[\"access_token\"].(string), nil\n}\n\nfunc getJWTWebToken(username, password string) (string, error) {\n\tloginCookie, csrfToken, err := getCSRFToken(httpBaseURL + webLoginPath)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tform := getLoginForm(username, password, csrfToken)\n\treq, _ := http.NewRequest(http.MethodPost, httpBaseURL+webLoginPath,\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tclient := &http.Client{\n\t\tTimeout: 10 * time.Second,\n\t\tCheckRedirect: func(_ *http.Request, _ []*http.Request) error {\n\t\t\treturn http.ErrUseLastResponse\n\t\t},\n\t}\n\tresp, err := client.Do(req)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tdefer resp.Body.Close()\n\n\tif resp.StatusCode != http.StatusFound {\n\t\treturn \"\", fmt.Errorf(\"unexpected status code %v\", resp.StatusCode)\n\t}\n\tcookie := resp.Header.Get(\"Set-Cookie\")\n\tif strings.HasPrefix(cookie, \"jwt=\") {\n\t\treturn cookie[4:], nil\n\t}\n\treturn \"\", errors.New(\"no cookie found\")\n}\n\nfunc getCookieFromResponse(rr *httptest.ResponseRecorder) (string, error) {\n\tcookie := strings.Split(rr.Header().Get(\"Set-Cookie\"), \";\")\n\tif strings.HasPrefix(cookie[0], \"jwt=\") {\n\t\treturn cookie[0][4:], nil\n\t}\n\treturn \"\", errors.New(\"no cookie found\")\n}\n\nfunc getJWTWebClientTokenFromTestServerWithAddr(username, password, remoteAddr string) (string, error) {\n\tloginCookie, csrfToken, err := getCSRFTokenMock(webClientLoginPath, remoteAddr)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tform := getLoginForm(username, password, csrfToken)\n\treq, _ := http.NewRequest(http.MethodPost, webClientLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = remoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr := executeRequest(req)\n\tif rr.Code != http.StatusFound {\n\t\treturn \"\", fmt.Errorf(\"unexpected status code %v\", rr)\n\t}\n\treturn getCookieFromResponse(rr)\n}\n\nfunc getJWTWebClientTokenFromTestServer(username, password string) (string, error) {\n\tloginCookie, csrfToken, err := getCSRFTokenMock(webClientLoginPath, defaultRemoteAddr)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tform := getLoginForm(username, password, csrfToken)\n\treq, _ := http.NewRequest(http.MethodPost, webClientLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\treq.Header.Set(\"Cookie\", loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr := executeRequest(req)\n\tif rr.Code != http.StatusFound {\n\t\treturn \"\", fmt.Errorf(\"unexpected status code %v\", rr)\n\t}\n\treturn getCookieFromResponse(rr)\n}\n\nfunc getJWTWebTokenFromTestServer(username, password string) (string, error) {\n\tloginCookie, csrfToken, err := getCSRFTokenMock(webLoginPath, defaultRemoteAddr)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tform := getLoginForm(username, password, csrfToken)\n\treq, _ := http.NewRequest(http.MethodPost, webLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.RemoteAddr = defaultRemoteAddr\n\tsetLoginCookie(req, loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr := executeRequest(req)\n\tif rr.Code != http.StatusFound {\n\t\treturn \"\", fmt.Errorf(\"unexpected status code %v\", rr)\n\t}\n\treturn getCookieFromResponse(rr)\n}\n\nfunc executeRequest(req *http.Request) *httptest.ResponseRecorder {\n\trr := httptest.NewRecorder()\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\treturn rr\n}\n\nfunc checkResponseCode(t *testing.T, expected int, rr *httptest.ResponseRecorder) {\n\tassert.Equal(t, expected, rr.Code, rr.Body.String())\n}\n\nfunc getSftpClient(user dataprovider.User) (*ssh.Client, *sftp.Client, error) {\n\tvar sftpClient *sftp.Client\n\tconfig := &ssh.ClientConfig{\n\t\tUser: user.Username,\n\t\tHostKeyCallback: ssh.InsecureIgnoreHostKey(),\n\t\tTimeout: 5 * time.Second,\n\t}\n\tif user.Password != \"\" {\n\t\tconfig.Auth = []ssh.AuthMethod{ssh.Password(user.Password)}\n\t} else {\n\t\tconfig.Auth = []ssh.AuthMethod{ssh.Password(defaultPassword)}\n\t}\n\n\tconn, err := ssh.Dial(\"tcp\", sftpServerAddr, config)\n\tif err != nil {\n\t\treturn conn, sftpClient, err\n\t}\n\tsftpClient, err = sftp.NewClient(conn)\n\tif err != nil {\n\t\tconn.Close()\n\t}\n\treturn conn, sftpClient, err\n}\n\nfunc createTestFile(path string, size int64) error {\n\tbaseDir := filepath.Dir(path)\n\tif _, err := os.Stat(baseDir); errors.Is(err, fs.ErrNotExist) {\n\t\terr = os.MkdirAll(baseDir, os.ModePerm)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tcontent := make([]byte, size)\n\tif size > 0 {\n\t\t_, err := rand.Read(content)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\treturn os.WriteFile(path, content, os.ModePerm)\n}\n\nfunc getExitCodeScriptContent(exitCode int) []byte {\n\tcontent := []byte(\"#!/bin/sh\\n\\n\")\n\tcontent = append(content, []byte(fmt.Sprintf(\"exit %v\", exitCode))...)\n\treturn content\n}\n\nfunc getMultipartFormData(values url.Values, fileFieldName, filePath string) (bytes.Buffer, string, error) {\n\tvar b bytes.Buffer\n\tw := multipart.NewWriter(&b)\n\tfor k, v := range values {\n\t\tfor _, s := range v {\n\t\t\tif err := w.WriteField(k, s); err != nil {\n\t\t\t\treturn b, \"\", err\n\t\t\t}\n\t\t}\n\t}\n\tif len(fileFieldName) > 0 && len(filePath) > 0 {\n\t\tfw, err := w.CreateFormFile(fileFieldName, filepath.Base(filePath))\n\t\tif err != nil {\n\t\t\treturn b, \"\", err\n\t\t}\n\t\tf, err := os.Open(filePath)\n\t\tif err != nil {\n\t\t\treturn b, \"\", err\n\t\t}\n\t\tdefer f.Close()\n\t\tif _, err = io.Copy(fw, f); err != nil {\n\t\t\treturn b, \"\", err\n\t\t}\n\t}\n\terr := w.Close()\n\treturn b, w.FormDataContentType(), err\n}\n\nfunc generateTOTPPasscode(secret string) (string, error) {\n\treturn totp.GenerateCodeCustom(secret, time.Now(), totp.ValidateOpts{\n\t\tPeriod: 30,\n\t\tSkew: 1,\n\t\tDigits: otp.DigitsSix,\n\t\tAlgorithm: otp.AlgorithmSHA1,\n\t})\n}\n\nfunc isDbDefenderSupported() bool {\n\t// SQLite shares the implementation with other SQL-based provider but it makes no sense\n\t// to use it outside test cases\n\tswitch dataprovider.GetProviderStatus().Driver {\n\tcase dataprovider.MySQLDataProviderName, dataprovider.PGSQLDataProviderName,\n\t\tdataprovider.CockroachDataProviderName, dataprovider.SQLiteDataProviderName:\n\t\treturn true\n\tdefault:\n\t\treturn false\n\t}\n}\n\nfunc createTestPNG(name string, width, height int, imgColor color.Color) error {\n\tupLeft := image.Point{0, 0}\n\tlowRight := image.Point{width, height}\n\timg := image.NewRGBA(image.Rectangle{upLeft, lowRight})\n\tfor x := 0; x < width; x++ {\n\t\tfor y := 0; y < height; y++ {\n\t\t\timg.Set(x, y, imgColor)\n\t\t}\n\t}\n\tf, err := os.Create(name)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer f.Close()\n\treturn png.Encode(f, img)\n}\n\nfunc BenchmarkSecretDecryption(b *testing.B) {\n\ts := kms.NewPlainSecret(\"test data\")\n\ts.SetAdditionalData(\"username\")\n\terr := s.Encrypt()\n\trequire.NoError(b, err)\n\tfor i := 0; i < b.N; i++ {\n\t\terr = s.Clone().Decrypt()\n\t\trequire.NoError(b, err)\n\t}\n}\n" }, { "path": "internal/httpd/internal_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"html/template\"\n\t\"io\"\n\t\"io/fs\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"net/url\"\n\t\"os\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/go-chi/chi/v5\"\n\t\"github.com/go-chi/chi/v5/middleware\"\n\t\"github.com/go-jose/go-jose/v4\"\n\tjosejwt \"github.com/go-jose/go-jose/v4/jwt\"\n\t\"github.com/klauspost/compress/zip\"\n\t\"github.com/rs/xid\"\n\t\"github.com/sftpgo/sdk\"\n\tsdkkms \"github.com/sftpgo/sdk/kms\"\n\t\"github.com/sftpgo/sdk/plugin/notifier\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\t\"golang.org/x/net/html\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/acme\"\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/jwt\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nconst (\n\thttpdCert = `-----BEGIN CERTIFICATE-----\nMIICHTCCAaKgAwIBAgIUHnqw7QnB1Bj9oUsNpdb+ZkFPOxMwCgYIKoZIzj0EAwIw\nRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu\ndGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDAyMDQwOTUzMDRaFw0zMDAyMDEw\nOTUzMDRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYD\nVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwdjAQBgcqhkjOPQIBBgUrgQQA\nIgNiAARCjRMqJ85rzMC998X5z761nJ+xL3bkmGVqWvrJ51t5OxV0v25NsOgR82CA\nNXUgvhVYs7vNFN+jxtb2aj6Xg+/2G/BNxkaFspIVCzgWkxiz7XE4lgUwX44FCXZM\n3+JeUbKjUzBRMB0GA1UdDgQWBBRhLw+/o3+Z02MI/d4tmaMui9W16jAfBgNVHSME\nGDAWgBRhLw+/o3+Z02MI/d4tmaMui9W16jAPBgNVHRMBAf8EBTADAQH/MAoGCCqG\nSM49BAMCA2kAMGYCMQDqLt2lm8mE+tGgtjDmtFgdOcI72HSbRQ74D5rYTzgST1rY\n/8wTi5xl8TiFUyLMUsICMQC5ViVxdXbhuG7gX6yEqSkMKZICHpO8hqFwOD/uaFVI\ndV4vKmHUzwK/eIx+8Ay3neE=\n-----END CERTIFICATE-----`\n\thttpdKey = `-----BEGIN EC PARAMETERS-----\nBgUrgQQAIg==\n-----END EC PARAMETERS-----\n-----BEGIN EC PRIVATE KEY-----\nMIGkAgEBBDCfMNsN6miEE3rVyUPwElfiJSWaR5huPCzUenZOfJT04GAcQdWvEju3\nUM2lmBLIXpGgBwYFK4EEACKhZANiAARCjRMqJ85rzMC998X5z761nJ+xL3bkmGVq\nWvrJ51t5OxV0v25NsOgR82CANXUgvhVYs7vNFN+jxtb2aj6Xg+/2G/BNxkaFspIV\nCzgWkxiz7XE4lgUwX44FCXZM3+JeUbI=\n-----END EC PRIVATE KEY-----`\n\tcaCRT = `-----BEGIN CERTIFICATE-----\nMIIE5jCCAs6gAwIBAgIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhDZXJ0\nQXV0aDAeFw0yNDAxMTAxODEyMDRaFw0zNDAxMTAxODIxNTRaMBMxETAPBgNVBAMT\nCENlcnRBdXRoMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA7WHW216m\nfi4uF8cx6HWf8wvAxaEWgCHTOi2MwFIzOrOtuT7xb64rkpdzx1aWetSiCrEyc3D1\nv03k0Akvlz1gtnDtO64+MA8bqlTnCydZJY4cCTvDOBUYZgtMqHZzpE6xRrqQ84zh\nyzjKQ5bR0st+XGfIkuhjSuf2n/ZPS37fge9j6AKzn/2uEVt33qmO85WtN3RzbSqL\nCdOJ6cQ216j3la1C5+NWvzIKC7t6NE1bBGI4+tRj7B5P5MeamkkogwbExUjdHp3U\n4yasvoGcCHUQDoa4Dej1faywz6JlwB6rTV4ys4aZDe67V/Q8iB2May1k7zBz1Ztb\nKF5Em3xewP1LqPEowF1uc4KtPGcP4bxdaIpSpmObcn8AIfH6smLQrn0C3cs7CYfo\nNlFuTbwzENUhjz0X6EsoM4w4c87lO+dRNR7YpHLqR/BJTbbyXUB0imne1u00fuzb\nS7OtweiA9w7DRCkr2gU4lmHe7l0T+SA9pxIeVLb78x7ivdyXSF5LVQJ1JvhhWu6i\nM6GQdLHat/0fpRFUbEe34RQSDJ2eOBifMJqvsvpBP8d2jcRZVUVrSXGc2mAGuGOY\n/tmnCJGW8Fd+sgpCVAqM0pxCM+apqrvJYUqqQZ2ZxugCXULtRWJ9p4C9zUl40HEy\nOQ+AaiiwFll/doXELglcJdNg8AZPGhugfxMCAwEAAaNFMEMwDgYDVR0PAQH/BAQD\nAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFNoJhIvDZQrEf/VQbWuu\nXgNnt2m5MA0GCSqGSIb3DQEBCwUAA4ICAQCYhT5SRqk19hGrQ09hVSZOzynXAa5F\nsYkEWJzFyLg9azhnTPE1bFM18FScnkd+dal6mt+bQiJvdh24NaVkDghVB7GkmXki\npAiZwEDHMqtbhiPxY8LtSeCBAz5JqXVU2Q0TpAgNSH4W7FbGWNThhxcJVOoIrXKE\njbzhwl1Etcaf0DBKWliUbdlxQQs65DLy+rNBYtOeK0pzhzn1vpehUlJ4eTFzP9KX\ny2Mksuq9AspPbqnqpWW645MdTxMb5T57MCrY3GDKw63z5z3kz88LWJF3nOxZmgQy\nWFUhbLmZm7x6N5eiu6Wk8/B4yJ/n5UArD4cEP1i7nqu+mbbM/SZlq1wnGpg/sbRV\noUF+a7pRcSbfxEttle4pLFhS+ErKatjGcNEab2OlU3bX5UoBs+TYodnCWGKOuBKV\nL/CYc65QyeYZ+JiwYn9wC8YkzOnnVIQjiCEkLgSL30h9dxpnTZDLrdAA8ItelDn5\nDvjuQq58CGDsaVqpSobiSC1DMXYWot4Ets1wwovUNEq1l0MERB+2olE+JU/8E23E\neL1/aA7Kw/JibkWz1IyzClpFDKXf6kR2onJyxerdwUL+is7tqYFLysiHxZDL1bli\nSXbW8hMa5gvo0IilFP9Rznn8PplIfCsvBDVv6xsRr5nTAFtwKaMBVgznE2ghs69w\nkK8u1YiiVenmoQ==\n-----END CERTIFICATE-----`\n\tcaKey = `-----BEGIN RSA PRIVATE KEY-----\nMIIJKgIBAAKCAgEA7WHW216mfi4uF8cx6HWf8wvAxaEWgCHTOi2MwFIzOrOtuT7x\nb64rkpdzx1aWetSiCrEyc3D1v03k0Akvlz1gtnDtO64+MA8bqlTnCydZJY4cCTvD\nOBUYZgtMqHZzpE6xRrqQ84zhyzjKQ5bR0st+XGfIkuhjSuf2n/ZPS37fge9j6AKz\nn/2uEVt33qmO85WtN3RzbSqLCdOJ6cQ216j3la1C5+NWvzIKC7t6NE1bBGI4+tRj\n7B5P5MeamkkogwbExUjdHp3U4yasvoGcCHUQDoa4Dej1faywz6JlwB6rTV4ys4aZ\nDe67V/Q8iB2May1k7zBz1ZtbKF5Em3xewP1LqPEowF1uc4KtPGcP4bxdaIpSpmOb\ncn8AIfH6smLQrn0C3cs7CYfoNlFuTbwzENUhjz0X6EsoM4w4c87lO+dRNR7YpHLq\nR/BJTbbyXUB0imne1u00fuzbS7OtweiA9w7DRCkr2gU4lmHe7l0T+SA9pxIeVLb7\n8x7ivdyXSF5LVQJ1JvhhWu6iM6GQdLHat/0fpRFUbEe34RQSDJ2eOBifMJqvsvpB\nP8d2jcRZVUVrSXGc2mAGuGOY/tmnCJGW8Fd+sgpCVAqM0pxCM+apqrvJYUqqQZ2Z\nxugCXULtRWJ9p4C9zUl40HEyOQ+AaiiwFll/doXELglcJdNg8AZPGhugfxMCAwEA\nAQKCAgEA4x0OoceG54ZrVxifqVaQd8qw3uRmUKUMIMdfuMlsdideeLO97ynmSlRY\n00kGo/I4Lp6mNEjI9gUie9+uBrcUhri4YLcujHCH+YlNnCBDbGjwbe0ds9SLCWaa\nKztZHMSlW5Q4Bqytgu+MpOnxSgqjlOk+vz9TcGFKVnUkHIkAcqKFJX8gOFxPZA/t\nOb1kJaz4kuv5W2Kur/ISKvQtvFvOtQeV0aJyZm8LqXnvS4cPI7yN4329NDU0HyDR\ny/deqS2aqV4zII3FFqbz8zix/m1xtVQzWCugZGMKrz0iuJMfNeCABb8rRGc6GsZz\n+465v/kobqgeyyneJ1s5rMFrLp2o+dwmnIVMNsFDUiN1lIZDHLvlgonaUO3IdTZc\n9asamFWKFKUMgWqM4zB1vmUO12CKowLNIIKb0L+kf1ixaLLDRGf/f9vLtSHE+oyx\nlATiS18VNA8+CGsHF6uXMRwf2auZdRI9+s6AAeyRISSbO1khyWKHo+bpOvmPAkDR\nnknTjbYgkoZOV+mrsU5oxV8s6vMkuvA3rwFhT2gie8pokuACFcCRrZi9MVs4LmUQ\nu0GYTHvp2WJUjMWBm6XX7Hk3g2HV842qpk/mdtTjNsXws81djtJPn4I/soIXSgXz\npY3SvKTuOckP9OZVF0yqKGeZXKpD288PKpC+MAg3GvEJaednagECggEBAPsfLwuP\nL1kiDjXyMcRoKlrQ6Q/zBGyBmJbZ5uVGa02+XtYtDAzLoVupPESXL0E7+r8ZpZ39\n0dV4CEJKpbVS/BBtTEkPpTK5kz778Ib04TAyj+YLhsZjsnuja3T5bIBZXFDeDVDM\n0ZaoFoKpIjTu2aO6pzngsgXs6EYbo2MTuJD3h0nkGZsICL7xvT9Mw0P1p2Ftt/hN\n+jKk3vN220wTWUsq43AePi45VwK+PNP12ZXv9HpWDxlPo3j0nXtgYXittYNAT92u\nBZbFAzldEIX9WKKZgsWtIzLaASjVRntpxDCTby/nlzQ5dw3DHU1DV3PIqxZS2+Oe\nKV+7XFWgZ44YjYECggEBAPH+VDu3QSrqSahkZLkgBtGRkiZPkZFXYvU6kL8qf5wO\nZ/uXMeqHtznAupLea8I4YZLfQim/NfC0v1cAcFa9Ckt9g3GwTSirVcN0AC1iOyv3\n/hMZCA1zIyIcuUplNr8qewoX71uPOvCNH0dix77423mKFkJmNwzy4Q+rV+qkRdLn\nv+AAgh7g5N91pxNd6LQJjoyfi1Ka6rRP2yGXM5v7QOwD16eN4JmExUxX1YQ7uNuX\npVS+HRxnBquA+3/DB1LtBX6pa2cUa+LRUmE/NCPHMvJcyuNkYpJKlNTd9vnbfo0H\nRNSJSWm+aGxDFMjuPjV3JLj2OdKMPwpnXdh2vBZCPpMCggEAM+yTvrEhmi2HgLIO\nhkz/jP2rYyfdn04ArhhqPLgd0dpuI5z24+Jq/9fzZT9ZfwSW6VK1QwDLlXcXRhXH\nQ8Hf6smev3CjuORURO61IkKaGWwrAucZPAY7ToNQ4cP9ImDXzMTNPgrLv3oMBYJR\nV16X09nxX+9NABqnQG/QjdjzDc6Qw7+NZ9f2bvzvI5qMuY2eyW91XbtJ45ThoLfP\nymAp03gPxQwL0WT7z85kJ3OrROxzwaPvxU0JQSZbNbqNDPXmFTiECxNDhpRAAWlz\n1DC5Vg2l05fkMkyPdtD6nOQWs/CYSfB5/EtxiX/xnBszhvZUIe6KFvuKFIhaJD5h\niykagQKCAQEAoBRm8k3KbTIo4ZzvyEq4V/+dF3zBRczx6FkCkYLygXBCNvsQiR2Y\nBjtI8Ijz7bnQShEoOmeDriRTAqGGrspEuiVgQ1+l2wZkKHRe/aaij/Zv+4AuhH8q\nuZEYvW7w5Uqbs9SbgQzhp2kjTNy6V8lVnjPLf8cQGZ+9Y9krwktC6T5m/i435WdN\n38h7amNP4XEE/F86Eb3rDrZYtgLIoCF4E+iCyxMehU+AGH1uABhls9XAB6vvo+8/\nSUp8lEqWWLP0U5KNOtYWfCeOAEiIHDbUq+DYUc4BKtbtV1cx3pzlPTOWw6XBi5Lq\njttdL4HyYvnasAQpwe8GcMJqIRyCVZMiwwKCAQEAhQTTS3CC8PwcoYrpBdTjW1ck\nvVFeF1YbfqPZfYxASCOtdx6wRnnEJ+bjqntagns9e88muxj9UhxSL6q9XaXQBD8+\n2AmKUxphCZQiYFZcTucjQEQEI2nN+nAKgRrUSMMGiR8Ekc2iFrcxBU0dnSohw+aB\nPbMKVypQCREu9PcDFIp9rXQTeElbaNsIg1C1w/SQjODbmN/QFHTVbRODYqLeX1J/\nVcGsykSIq7hv6bjn7JGkr2JTdANbjk9LnMjMdJFsKRYxPKkOQfYred6Hiojp5Sor\nPW5am8ejnNSPhIfqQp3uV3KhwPDKIeIpzvrB4uPfTjQWhekHCb8cKSWux3flqw==\n-----END RSA PRIVATE KEY-----`\n\tcaCRL = `-----BEGIN X509 CRL-----\nMIICpzCBkAIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhDZXJ0QXV0aBcN\nMjQwMTEwMTgyMjU4WhcNMjYwMTA5MTgyMjU4WjAkMCICEQDOaeHbjY4pEj8WBmqg\nZuRRFw0yNDAxMTAxODIyNThaoCMwITAfBgNVHSMEGDAWgBTaCYSLw2UKxH/1UG1r\nrl4DZ7dpuTANBgkqhkiG9w0BAQsFAAOCAgEAZzZ4aBqCcAJigR9e/mqKpJa4B6FV\n+jZmnWXolGeUuVkjdiG9w614x7mB2S768iioJyALejjCZjqsp6ydxtn0epQw4199\nXSfPIxA9lxc7w79GLe0v3ztojvxDPh5V1+lwPzGf9i8AsGqb2BrcBqgxDeatndnE\njF+18bY1saXOBpukNLjtRScUXzy5YcSuO6mwz4548v+1ebpF7W4Yh+yh0zldJKcF\nDouuirZWujJwTwxxfJ+2+yP7GAuefXUOhYs/1y9ylvUgvKFqSyokv6OaVgTooKYD\nMSADzmNcbRvwyAC5oL2yJTVVoTFeP6fXl/BdFH3sO/hlKXGy4Wh1AjcVE6T0CSJ4\niYFX3gLFh6dbP9IQWMlIM5DKtAKSjmgOywEaWii3e4M0NFSf/Cy17p2E5/jXSLlE\nypDileK0aALkx2twGWwogh6sY1dQ6R3GpKSRPD2muQxVOG6wXvuJce0E9WLx1Ud4\nhVUdUEMlKUvm77/15U5awarH2cCJQxzS/GMeIintQiG7hUlgRzRdmWVe3vOOvt94\ncp8+ZUH/QSDOo41ATTHpFeC/XqF5E2G/ahXqra+O5my52V/FP0bSJnkorJ8apy67\nsn6DFbkqX9khTXGtacczh2PcqVjcQjBniYl2sPO3qIrrrY3tic96tMnM/u3JRdcn\nw7bXJGfJcIMrrKs=\n-----END X509 CRL-----`\n\tclient1Crt = `-----BEGIN CERTIFICATE-----\nMIIEITCCAgmgAwIBAgIRAJr32nHRlhyPiS7IfZ/ZWYowDQYJKoZIhvcNAQELBQAw\nEzERMA8GA1UEAxMIQ2VydEF1dGgwHhcNMjQwMTEwMTgxMjM3WhcNMzQwMTEwMTgy\nMTUzWjASMRAwDgYDVQQDEwdjbGllbnQxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\nMIIBCgKCAQEAtuQFiqvdjd8WLxP0FgPDyDEJ1/uJ+Aoj6QllNV7svWxwW+kiJ3X6\nHUVNWhhCsNfly4pGW4erF4fZzmesElGx1PoWgQCWZKsa/N08bznelWgdmkyi85xE\nOkTj6e/cTWHFSOBURNJaXkGHZ0ROSh7qu0Ld+eqNo3k9W+NqZaqYvs2K7MLWeYl7\nQie8Ctuq5Qaz/jm0XwR2PFBROVQSaCPCukancPQ21ftqHPhAbjxoxvvN5QP4ZdRf\nXlH/LDLhlFnJzPZdHnVy9xisSPPRfFApJiwyfjRYdtslpJOcNgP6oPlpX/dybbhO\nc9FEUgj/Q90Je8EfioBYFYsqVD6/dFv9SwIDAQABo3EwbzAOBgNVHQ8BAf8EBAMC\nA7gwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBRUh5Xo\nGzjh6iReaPSOgGatqOw9bDAfBgNVHSMEGDAWgBTaCYSLw2UKxH/1UG1rrl4DZ7dp\nuTANBgkqhkiG9w0BAQsFAAOCAgEAyAK7cOTWqjyLgFM0kyyx1fNPvm2GwKep3MuU\nOrSnLuWjoxzb7WcbKNVMlnvnmSUAWuErxsY0PUJNfcuqWiGmEp4d/SWfWPigG6DC\nsDej35BlSfX8FCufYrfC74VNk4yBS2LVYmIqcpqUrfay0I2oZA8+ToLEpdUvEv2I\nl59eOhJO2jsC3JbOyZZmK2Kv7d94fR+1tg2Rq1Wbnmc9AZKq7KDReAlIJh4u2KHb\nBbtF79idusMwZyP777tqSQ4THBMa+VAEc2UrzdZqTIAwqlKQOvO2fRz2P+ARR+Tz\nMYJMdCdmPZ9qAc8U1OcFBG6qDDltO8wf/Nu/PsSI5LGCIhIuPPIuKfm0rRfTqCG7\nQPQPWjRoXtGGhwjdIuWbX9fIB+c+NpAEKHgLtV+Rxj8s5IVxqG9a5TtU9VkfVXJz\nJ20naoz/G+vDsVINpd3kH0ziNvdrKfGRM5UgtnUOPCXB22fVmkIsMH2knI10CKK+\noffI56NTkLRu00xvg98/wdukhkwIAxg6PQI/BHY5mdvoacEHHHdOhMq+GSAh7DDX\nG8+HdbABM1ExkPnZLat15q706ztiuUpQv1C2DI8YviUVkMqCslj4cD4F8EFPo4kr\nkvme0Cuc9Qlf7N5rjdV3cjwavhFx44dyXj9aesft2Q1okPiIqbGNpcjHcIRlj4Au\nMU3Bo0A=\n-----END CERTIFICATE-----`\n\tclient1Key = `-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAtuQFiqvdjd8WLxP0FgPDyDEJ1/uJ+Aoj6QllNV7svWxwW+ki\nJ3X6HUVNWhhCsNfly4pGW4erF4fZzmesElGx1PoWgQCWZKsa/N08bznelWgdmkyi\n85xEOkTj6e/cTWHFSOBURNJaXkGHZ0ROSh7qu0Ld+eqNo3k9W+NqZaqYvs2K7MLW\neYl7Qie8Ctuq5Qaz/jm0XwR2PFBROVQSaCPCukancPQ21ftqHPhAbjxoxvvN5QP4\nZdRfXlH/LDLhlFnJzPZdHnVy9xisSPPRfFApJiwyfjRYdtslpJOcNgP6oPlpX/dy\nbbhOc9FEUgj/Q90Je8EfioBYFYsqVD6/dFv9SwIDAQABAoIBAFjSHK7gENVZxphO\nhHg8k9ShnDo8eyDvK8l9Op3U3/yOsXKxolivvyx//7UFmz3vXDahjNHe7YScAXdw\neezbqBXa7xrvghqZzp2HhFYwMJ0210mcdncBKVFzK4ztZHxgQ0PFTqet0R19jZjl\nX3A325/eNZeuBeOied4qb/24AD6JGc6A0J55f5/QUQtdwYwrL15iC/KZXDL90PPJ\nCFJyrSzcXvOMEvOfXIFxhDVKRCppyIYXG7c80gtNC37I6rxxMNQ4mxjwUI2IVhxL\nj+nZDu0JgRZ4NaGjOq2e79QxUVm/GG3z25XgmBFBrXkEVV+sCZE1VDyj6kQfv9FU\nNhOrwGECgYEAzq47r/HwXifuGYBV/mvInFw3BNLrKry+iUZrJ4ms4g+LfOi0BAgf\nsXsWXulpBo2YgYjFdO8G66f69GlB4B7iLscpABXbRtpDZEnchQpaF36/+4g3i8gB\nZ29XHNDB8+7t4wbXvlSnLv1tZWey2fS4hPosc2YlvS87DMmnJMJqhs8CgYEA4oiB\nLGQP6VNdX0Uigmh5fL1g1k95eC8GP1ylczCcIwsb2OkAq0MT7SHRXOlg3leEq4+g\nmCHk1NdjkSYxDL2ZeTKTS/gy4p1jlcDa6Ilwi4pVvatNvu4o80EYWxRNNb1mAn67\nT8TN9lzc6mEi+LepQM3nYJ3F+ZWTKgxH8uoJwMUCgYEArpumE1vbjUBAuEyi2eGn\nRunlFW83fBCfDAxw5KM8anNlja5uvuU6GU/6s06QCxg+2lh5MPPrLdXpfukZ3UVa\nItjg+5B7gx1MSALaiY8YU7cibFdFThM3lHIM72wyH2ogkWcrh0GvSFSUQlJcWCSW\nasmMGiYXBgBL697FFZomMyMCgYEAkAnp0JcDQwHd4gDsk2zoqnckBsDb5J5J46n+\nDYNAFEww9bgZ08u/9MzG+cPu8xFE621U2MbcYLVfuuBE2ewIlPaij/COMmeO9Z59\n0tPpOuDH6eTtd1SptxqR6P+8pEn8feOlKHBj4Z1kXqdK/EiTlwAVeep4Al2oCFls\nujkz4F0CgYAe8vHnVFHlWi16zAqZx4ZZZhNuqPtgFkvPg9LfyNTA4dz7F9xgtUaY\nnXBPyCe/8NtgBfT79HkPiG3TM0xRZY9UZgsJKFtqAu5u4ManuWDnsZI9RK2QTLHe\nyEbH5r3Dg3n9k/3GbjXFIWdU9UaYsdnSKHHtMw9ZODc14LaAogEQug==\n-----END RSA PRIVATE KEY-----`\n\t// client 2 crt is revoked\n\tclient2Crt = `-----BEGIN CERTIFICATE-----\nMIIEITCCAgmgAwIBAgIRAM5p4duNjikSPxYGaqBm5FEwDQYJKoZIhvcNAQELBQAw\nEzERMA8GA1UEAxMIQ2VydEF1dGgwHhcNMjQwMTEwMTgxMjUyWhcNMzQwMTEwMTgy\nMTUzWjASMRAwDgYDVQQDEwdjbGllbnQyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\nMIIBCgKCAQEApNYpNZVmXZtAObpRRIuP2o/7z04H2E161vKZvJ3LSLlUTImVjm/b\nQe6DTNCUVLnzQuanmUlu2rUnN3lDSfYoBcJWbvC3y1OCPRkCjDV6KiYMA9TPkZua\neq6y3+bFFfEmyumsVEe0bSuzNHXCOIBT7PqYMdovECcwBh/RZCA5mqO5omEKh4LQ\ncr6+sVVkvD3nsyx0Alz/kTLFqc0mVflmpJq+0BpdetHRg4n5vy/I/08jZ81PQAmT\nA0kyl0Jh132JBGFdA8eyugPPP8n5edU4f3HXV/nR7XLwBrpSt8KgEg8cwfAu4Ic0\n6tGzB0CH8lSGtU0tH2/cOlDuguDD7VvokQIDAQABo3EwbzAOBgNVHQ8BAf8EBAMC\nA7gwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBR5mf0f\nZjf8ZCGXqU2+45th7VkkLDAfBgNVHSMEGDAWgBTaCYSLw2UKxH/1UG1rrl4DZ7dp\nuTANBgkqhkiG9w0BAQsFAAOCAgEARhFxNAouwbpEfN1M90+ao5rwyxEewerSoCCz\nPQzeUZ66MA/FkS/tFUGgGGG+wERN+WLbe1cN6q/XFr0FSMLuUxLXDNV02oUL/FnY\nxcyNLaZUZ0pP7sA+Hmx2AdTA6baIwQbyIY9RLAaz6hzo1YbI8yeis645F1bxgL2D\nEP5kXa3Obv0tqWByMZtrmJPv3p0W5GJKXVDn51GR/E5KI7pliZX2e0LmMX9mxfPB\n4sXFUggMHXxWMMSAmXPVsxC2KX6gMnajO7JUraTwuGm+6V371FzEX+UKXHI+xSvO\n78TseTIYsBGLjeiA8UjkKlD3T9qsQm2mb2PlKyqjvIm4i2ilM0E2w4JZmd45b925\n7q/QLV3NZ/zZMi6AMyULu28DWKfAx3RLKwnHWSFcR4lVkxQrbDhEUMhAhLAX+2+e\nqc7qZm3dTabi7ZJiiOvYK/yNgFHa/XtZp5uKPB5tigPIa+34hbZF7s2/ty5X3O1N\nf5Ardz7KNsxJjZIt6HvB28E/PPOvBqCKJc1Y08J9JbZi8p6QS1uarGoR7l7rT1Hv\n/ZXkNTw2bw1VpcWdzDBLLVHYNnJmS14189LVk11PcJJpSmubwCqg+ZZULdgtVr3S\nANas2dgMPVwXhnAalgkcc+lb2QqaEz06axfbRGBsgnyqR5/koKCg1Hr0+vThHSsR\nE0+r2+4=\n-----END CERTIFICATE-----`\n\tclient2Key = `-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEApNYpNZVmXZtAObpRRIuP2o/7z04H2E161vKZvJ3LSLlUTImV\njm/bQe6DTNCUVLnzQuanmUlu2rUnN3lDSfYoBcJWbvC3y1OCPRkCjDV6KiYMA9TP\nkZuaeq6y3+bFFfEmyumsVEe0bSuzNHXCOIBT7PqYMdovECcwBh/RZCA5mqO5omEK\nh4LQcr6+sVVkvD3nsyx0Alz/kTLFqc0mVflmpJq+0BpdetHRg4n5vy/I/08jZ81P\nQAmTA0kyl0Jh132JBGFdA8eyugPPP8n5edU4f3HXV/nR7XLwBrpSt8KgEg8cwfAu\n4Ic06tGzB0CH8lSGtU0tH2/cOlDuguDD7VvokQIDAQABAoIBAQCMnEeg9uXQmdvq\nop4qi6bV+ZcDWvvkLwvHikFMnYpIaheYBpF2ZMKzdmO4xgCSWeFCQ4Hah8KxfHCM\nqLuWvw2bBBE5J8yQ/JaPyeLbec7RX41GQ2YhPoxDdP0PdErREdpWo4imiFhH/Ewt\nRvq7ufRdpdLoS8dzzwnvX3r+H2MkHoC/QANW2AOuVoZK5qyCH5N8yEAAbWKaQaeL\nVBhAYEVKbAkWEtXw7bYXzxRR7WIM3f45v3ncRusDIG+Hf75ZjatoH0lF1gHQNofO\nqkCVZVzjkLFuzDic2KZqsNORglNs4J6t5Dahb9v3hnoK963YMnVSUjFvqQ+/RZZy\nVILFShilAoGBANucwZU61eJ0tLKBYEwmRY/K7Gu1MvvcYJIOoX8/BL3zNmNO0CLl\nNiABtNt9WOVwZxDsxJXdo1zvMtAegNqS6W11R1VAZbL6mQ/krScbLDE6JKA5DmA7\n4nNi1gJOW1ziAfdBAfhe4cLbQOb94xkOK5xM1YpO0xgDJLwrZbehDMmPAoGBAMAl\n/owPDAvcXz7JFynT0ieYVc64MSFiwGYJcsmxSAnbEgQ+TR5FtkHYe91OSqauZcCd\naoKXQNyrYKIhyounRPFTdYQrlx6KtEs7LU9wOxuphhpJtGjRnhmA7IqvX703wNvu\nkhrEavn86G5boH8R80371SrN0Rh9UeAlQGuNBdvfAoGAEAmokW9Ug08miwqrr6Pz\n3IZjMZJwALidTM1IufQuMnj6ddIhnQrEIx48yPKkdUz6GeBQkuk2rujA+zXfDxc/\neMDhzrX/N0zZtLFse7ieR5IJbrH7/MciyG5lVpHGVkgjAJ18uVikgAhm+vd7iC7i\nvG1YAtuyysQgAKXircBTIL0CgYAHeTLWVbt9NpwJwB6DhPaWjalAug9HIiUjktiB\nGcEYiQnBWn77X3DATOA8clAa/Yt9m2HKJIHkU1IV3ESZe+8Fh955PozJJlHu3yVb\nAp157PUHTriSnxyMF2Sb3EhX/rQkmbnbCqqygHC14iBy8MrKzLG00X6BelZV5n0D\n8d85dwKBgGWY2nsaemPH/TiTVF6kW1IKSQoIyJChkngc+Xj/2aCCkkmAEn8eqncl\nRKjnkiEZeG4+G91Xu7+HmcBLwV86k5I+tXK9O1Okomr6Zry8oqVcxU5TB6VRS+rA\nubwF00Drdvk2+kDZfxIM137nBiy7wgCJi2Ksm5ihN3dUF6Q0oNPl\n-----END RSA PRIVATE KEY-----`\n\tdefaultAdminUsername = \"admin\"\n\tdefaultAdminPass = \"password\"\n\tdefeaultUsername = \"test_user\"\n)\n\nvar (\n\tconfigDir = filepath.Join(\".\", \"..\", \"..\")\n)\n\ntype failingWriter struct {\n}\n\nfunc (r *failingWriter) Write(_ []byte) (n int, err error) {\n\treturn 0, errors.New(\"write error\")\n}\n\nfunc (r *failingWriter) WriteHeader(_ int) {}\n\nfunc (r *failingWriter) Header() http.Header {\n\treturn make(http.Header)\n}\n\ntype failingJoseSigner struct{}\n\nfunc (s *failingJoseSigner) Sign(payload []byte) (*jose.JSONWebSignature, error) {\n\treturn nil, errors.New(\"sign test error\")\n}\n\nfunc (s *failingJoseSigner) Options() jose.SignerOptions {\n\treturn jose.SignerOptions{}\n}\n\nfunc TestShouldBind(t *testing.T) {\n\tc := Conf{\n\t\tBindings: []Binding{\n\t\t\t{\n\t\t\t\tPort: 10000,\n\t\t\t},\n\t\t},\n\t}\n\trequire.False(t, c.ShouldBind())\n\tc.Bindings[0].EnableRESTAPI = true\n\trequire.True(t, c.ShouldBind())\n\n\tc.Bindings[0].Port = 0\n\trequire.False(t, c.ShouldBind())\n\n\tif runtime.GOOS != osWindows {\n\t\tc.Bindings[0].Address = \"/absolute/path\"\n\t\trequire.True(t, c.ShouldBind())\n\t}\n}\n\nfunc TestBrandingValidation(t *testing.T) {\n\tb := Binding{\n\t\tBranding: Branding{\n\t\t\tWebAdmin: UIBranding{\n\t\t\t\tLogoPath: \"path1\",\n\t\t\t\tDefaultCSS: []string{\"my.css\"},\n\t\t\t},\n\t\t\tWebClient: UIBranding{\n\t\t\t\tFaviconPath: \"favicon1.ico\",\n\t\t\t\tDisclaimerPath: \"../path2\",\n\t\t\t\tExtraCSS: []string{\"1.css\"},\n\t\t\t},\n\t\t},\n\t}\n\tb.checkBranding()\n\tassert.Equal(t, \"/favicon.png\", b.Branding.WebAdmin.FaviconPath)\n\tassert.Equal(t, \"/path1\", b.Branding.WebAdmin.LogoPath)\n\tassert.Equal(t, []string{\"/my.css\"}, b.Branding.WebAdmin.DefaultCSS)\n\tassert.Len(t, b.Branding.WebAdmin.ExtraCSS, 0)\n\tassert.Equal(t, \"/favicon1.ico\", b.Branding.WebClient.FaviconPath)\n\tassert.Equal(t, path.Join(webStaticFilesPath, \"/path2\"), b.Branding.WebClient.DisclaimerPath)\n\tif assert.Len(t, b.Branding.WebClient.ExtraCSS, 1) {\n\t\tassert.Equal(t, \"/1.css\", b.Branding.WebClient.ExtraCSS[0])\n\t}\n\tb.Branding.WebAdmin.DisclaimerPath = \"https://example.com\"\n\tb.checkBranding()\n\tassert.Equal(t, \"https://example.com\", b.Branding.WebAdmin.DisclaimerPath)\n}\n\nfunc TestRedactedConf(t *testing.T) {\n\tc := Conf{\n\t\tSigningPassphrase: \"passphrase\",\n\t\tSetup: SetupConfig{\n\t\t\tInstallationCode: \"123\",\n\t\t},\n\t}\n\tredactedField := \"[redacted]\"\n\tredactedConf := c.getRedacted()\n\tassert.Equal(t, redactedField, redactedConf.SigningPassphrase)\n\tassert.Equal(t, redactedField, redactedConf.Setup.InstallationCode)\n\tassert.NotEqual(t, c.SigningPassphrase, redactedConf.SigningPassphrase)\n\tassert.NotEqual(t, c.Setup.InstallationCode, redactedConf.Setup.InstallationCode)\n}\n\nfunc TestGetRespStatus(t *testing.T) {\n\tvar err error\n\terr = util.NewMethodDisabledError(\"\")\n\trespStatus := getRespStatus(err)\n\tassert.Equal(t, http.StatusForbidden, respStatus)\n\terr = fmt.Errorf(\"generic error\")\n\trespStatus = getRespStatus(err)\n\tassert.Equal(t, http.StatusInternalServerError, respStatus)\n\trespStatus = getRespStatus(plugin.ErrNoSearcher)\n\tassert.Equal(t, http.StatusNotImplemented, respStatus)\n}\n\nfunc TestMappedStatusCode(t *testing.T) {\n\terr := os.ErrPermission\n\tcode := getMappedStatusCode(err)\n\tassert.Equal(t, http.StatusForbidden, code)\n\terr = os.ErrNotExist\n\tcode = getMappedStatusCode(err)\n\tassert.Equal(t, http.StatusNotFound, code)\n\terr = common.ErrQuotaExceeded\n\tcode = getMappedStatusCode(err)\n\tassert.Equal(t, http.StatusRequestEntityTooLarge, code)\n\terr = os.ErrClosed\n\tcode = getMappedStatusCode(err)\n\tassert.Equal(t, http.StatusInternalServerError, code)\n\terr = &http.MaxBytesError{}\n\tcode = getMappedStatusCode(err)\n\tassert.Equal(t, http.StatusRequestEntityTooLarge, code)\n}\n\nfunc TestGCSWebInvalidFormFile(t *testing.T) {\n\tform := make(url.Values)\n\tform.Set(\"username\", \"test_username\")\n\tform.Set(\"fs_provider\", \"2\")\n\treq, _ := http.NewRequest(http.MethodPost, webUserPath, strings.NewReader(form.Encode()))\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\terr := req.ParseForm()\n\tassert.NoError(t, err)\n\t_, err = getFsConfigFromPostFields(req)\n\tassert.EqualError(t, err, http.ErrNotMultipart.Error())\n}\n\nfunc TestBrandingInvalidFormFile(t *testing.T) {\n\tform := make(url.Values)\n\treq, _ := http.NewRequest(http.MethodPost, webConfigsPath, strings.NewReader(form.Encode()))\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\terr := req.ParseForm()\n\tassert.NoError(t, err)\n\t_, err = getBrandingConfigFromPostFields(req, &dataprovider.BrandingConfigs{})\n\tassert.EqualError(t, err, http.ErrNotMultipart.Error())\n}\n\nfunc TestTokenDuration(t *testing.T) {\n\tassert.Equal(t, shareTokenDuration, getTokenDuration(tokenAudienceWebShare))\n\tassert.Equal(t, apiTokenDuration, getTokenDuration(tokenAudienceAPI))\n\tassert.Equal(t, apiTokenDuration, getTokenDuration(tokenAudienceAPIUser))\n\tassert.Equal(t, cookieTokenDuration, getTokenDuration(tokenAudienceWebAdmin))\n\tassert.Equal(t, csrfTokenDuration, getTokenDuration(tokenAudienceCSRF))\n\tassert.Equal(t, 20*time.Minute, getTokenDuration(\"\"))\n\n\tupdateTokensDuration(30, 660, 360)\n\tassert.Equal(t, 30*time.Minute, apiTokenDuration)\n\tassert.Equal(t, 11*time.Hour, cookieTokenDuration)\n\tassert.Equal(t, 11*time.Hour, csrfTokenDuration)\n\tassert.Equal(t, 6*time.Hour, shareTokenDuration)\n\tassert.Equal(t, 11*time.Hour, getMaxCookieDuration())\n\n\tcsrfTokenDuration = 1 * time.Hour\n\tassert.Equal(t, 11*time.Hour, getMaxCookieDuration())\n}\n\nfunc TestVerifyCSRFToken(t *testing.T) {\n\tserver := httpdServer{}\n\terr := server.initializeRouter()\n\trequire.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, webAdminEventActionPath, nil)\n\trequire.NoError(t, err)\n\treq = req.WithContext(jwt.NewContext(req.Context(), &jwt.Claims{}, fs.ErrPermission))\n\n\trr := httptest.NewRecorder()\n\ttokenString := createCSRFToken(rr, req, server.csrfTokenAuth, \"\", webBaseAdminPath)\n\tassert.NotEmpty(t, tokenString)\n\n\tclaims, err := jwt.VerifyToken(server.csrfTokenAuth, tokenString)\n\trequire.NoError(t, err)\n\tassert.Empty(t, claims.Ref)\n\n\treq.Form = url.Values{}\n\treq.Form.Set(csrfFormToken, tokenString)\n\terr = verifyCSRFToken(req, server.csrfTokenAuth)\n\tassert.ErrorIs(t, err, fs.ErrPermission)\n\n\treq, err = http.NewRequest(http.MethodPost, webAdminEventActionPath, nil)\n\trequire.NoError(t, err)\n\treq = req.WithContext(jwt.NewContext(req.Context(), &jwt.Claims{Claims: josejwt.Claims{ID: xid.New().String()}}, nil))\n\treq.Form = url.Values{}\n\treq.Form.Set(csrfFormToken, tokenString)\n\terr = verifyCSRFToken(req, server.csrfTokenAuth)\n\tassert.ErrorContains(t, err, \"unexpected form token\")\n\n\tclaims = jwt.NewClaims(tokenAudienceCSRF, \"\", getTokenDuration(tokenAudienceCSRF))\n\ttokenString, err = josejwt.Signed(server.csrfTokenAuth.Signer()).Claims(claims).Serialize()\n\tassert.NoError(t, err)\n\treq, err = http.NewRequest(http.MethodPost, webAdminEventActionPath, nil)\n\trequire.NoError(t, err)\n\treq = req.WithContext(jwt.NewContext(req.Context(), &jwt.Claims{Claims: josejwt.Claims{ID: xid.New().String()}}, nil))\n\treq.Form = url.Values{}\n\treq.Form.Set(csrfFormToken, tokenString)\n\terr = verifyCSRFToken(req, server.csrfTokenAuth)\n\tassert.ErrorContains(t, err, \"the form token is not valid\")\n}\n\nfunc TestInvalidToken(t *testing.T) {\n\tserver := httpdServer{}\n\terr := server.initializeRouter()\n\trequire.NoError(t, err)\n\tadmin := dataprovider.Admin{\n\t\tUsername: \"admin\",\n\t}\n\terrFake := errors.New(\"fake error\")\n\tasJSON, err := json.Marshal(admin)\n\tassert.NoError(t, err)\n\treq, _ := http.NewRequest(http.MethodPut, path.Join(adminPath, admin.Username), bytes.NewBuffer(asJSON))\n\trctx := chi.NewRouteContext()\n\trctx.URLParams.Add(\"username\", admin.Username)\n\treq = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))\n\treq = req.WithContext(context.WithValue(req.Context(), jwt.ErrorCtxKey, errFake))\n\trr := httptest.NewRecorder()\n\tupdateAdmin(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\trr = httptest.NewRecorder()\n\tdeleteAdmin(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\n\tadminPwd := pwdChange{\n\t\tCurrentPassword: \"old\",\n\t\tNewPassword: \"new\",\n\t}\n\tasJSON, err = json.Marshal(adminPwd)\n\tassert.NoError(t, err)\n\treq, _ = http.NewRequest(http.MethodPut, \"\", bytes.NewBuffer(asJSON))\n\treq = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))\n\treq = req.WithContext(context.WithValue(req.Context(), jwt.ErrorCtxKey, errFake))\n\trr = httptest.NewRecorder()\n\tchangeAdminPassword(rr, req)\n\tassert.Equal(t, http.StatusInternalServerError, rr.Code)\n\tadm := getAdminFromToken(req)\n\tassert.Empty(t, adm.Username)\n\n\trr = httptest.NewRecorder()\n\treadUserFolder(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tgetUserFile(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tgetUserFilesAsZipStream(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tgetShares(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tgetShareByID(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\taddShare(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tupdateShare(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tdeleteShare(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tgenerateTOTPSecret(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tsaveTOTPConfig(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tgetRecoveryCodes(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tgenerateRecoveryCodes(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tgetUserProfile(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tupdateUserProfile(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tgetWebTask(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tgetAdminProfile(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tupdateAdminProfile(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tloadData(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tloadDataFromRequest(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\taddUser(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tdisableUser2FA(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tupdateUser(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tdeleteUser(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tgetActiveConnections(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\thandleCloseConnection(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tserver.handleWebRestore(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\tserver.handleWebAddUserPost(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\tserver.handleWebUpdateUserPost(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\tserver.handleWebTemplateFolderPost(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\tserver.handleWebTemplateUserPost(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\tgetAllAdmins(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\tgetAllUsers(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\taddFolder(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tupdateFolder(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tgetFolderByName(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tdeleteFolder(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tserver.handleWebAddFolderPost(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\tserver.handleWebUpdateFolderPost(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\tserver.handleWebGetConnections(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\tserver.handleWebConfigsPost(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\taddAdmin(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tdisableAdmin2FA(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\taddAPIKey(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tupdateAPIKey(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tdeleteAPIKey(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\taddGroup(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tupdateGroup(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tgetGroupByName(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tdeleteGroup(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\taddEventAction(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tgetEventActionByName(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tupdateEventAction(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tdeleteEventAction(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tgetEventRuleByName(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\taddEventRule(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tupdateEventRule(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tdeleteEventRule(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tgetUsersQuotaScans(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tupdateUserTransferQuotaUsage(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tdoUpdateUserQuotaUsage(rr, req, \"\", quotaUsage{})\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tdoStartUserQuotaScan(rr, req, \"\")\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tgetRetentionChecks(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\taddRole(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tupdateRole(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tdeleteRole(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tgetUsers(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tgetUserByUsername(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tsearchFsEvents(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tsearchProviderEvents(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tsearchLogEvents(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\taddIPListEntry(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tupdateIPListEntry(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tdeleteIPListEntry(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n\n\trr = httptest.NewRecorder()\n\tserver.handleGetWebUsers(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\tserver.handleWebUpdateUserGet(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\tserver.handleWebUpdateRolePost(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\tserver.handleWebAddRolePost(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\tserver.handleWebAddAdminPost(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\tserver.handleWebAddGroupPost(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\tserver.handleWebUpdateGroupPost(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\tserver.handleWebAddEventActionPost(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\tserver.handleWebUpdateEventActionPost(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\tserver.handleWebAddEventRulePost(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\tserver.handleWebUpdateEventRulePost(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\tserver.handleWebUpdateIPListEntryPost(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\tserver.handleWebClientTwoFactorRecoveryPost(rr, req)\n\tassert.Equal(t, http.StatusNotFound, rr.Code)\n\n\trr = httptest.NewRecorder()\n\tserver.handleWebClientTwoFactorPost(rr, req)\n\tassert.Equal(t, http.StatusNotFound, rr.Code)\n\n\trr = httptest.NewRecorder()\n\tserver.handleWebAdminTwoFactorRecoveryPost(rr, req)\n\tassert.Equal(t, http.StatusNotFound, rr.Code)\n\n\trr = httptest.NewRecorder()\n\tserver.handleWebAdminTwoFactorPost(rr, req)\n\tassert.Equal(t, http.StatusNotFound, rr.Code)\n\n\trr = httptest.NewRecorder()\n\tserver.handleWebUpdateIPListEntryPost(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\tform := make(url.Values)\n\treq, _ = http.NewRequest(http.MethodPost, webIPListPath+\"/1\", bytes.NewBuffer([]byte(form.Encode())))\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trctx = chi.NewRouteContext()\n\trctx.URLParams.Add(\"type\", \"1\")\n\treq = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))\n\trr = httptest.NewRecorder()\n\tserver.handleWebAddIPListEntryPost(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code, rr.Body.String())\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n}\n\nfunc TestTokenSignatureValidation(t *testing.T) {\n\ttokenValidationMode = 0\n\tserver := httpdServer{\n\t\tbinding: Binding{\n\t\t\tAddress: \"\",\n\t\t\tPort: 8080,\n\t\t\tEnableWebAdmin: true,\n\t\t\tEnableWebClient: true,\n\t\t\tEnableRESTAPI: true,\n\t\t},\n\t\tenableWebAdmin: true,\n\t\tenableWebClient: true,\n\t\tenableRESTAPI: true,\n\t}\n\terr := server.initializeRouter()\n\trequire.NoError(t, err)\n\ttestServer := httptest.NewServer(server.router)\n\tdefer testServer.Close()\n\n\trr := httptest.NewRecorder()\n\treq, err := http.NewRequest(http.MethodGet, tokenPath, nil)\n\trequire.NoError(t, err)\n\treq.SetBasicAuth(defaultAdminUsername, defaultAdminPass)\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tvar resp map[string]any\n\terr = json.Unmarshal(rr.Body.Bytes(), &resp)\n\tassert.NoError(t, err)\n\taccessToken := resp[\"access_token\"]\n\trequire.NotEmpty(t, accessToken)\n\n\trr = httptest.NewRecorder()\n\treq, err = http.NewRequest(http.MethodGet, versionPath, nil)\n\trequire.NoError(t, err)\n\treq.Header.Set(\"Authorization\", fmt.Sprintf(\"Bearer %s\", accessToken))\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\t// change the token validation mode\n\ttokenValidationMode = 2\n\trr = httptest.NewRecorder()\n\treq, err = http.NewRequest(http.MethodGet, versionPath, nil)\n\trequire.NoError(t, err)\n\treq.Header.Set(\"Authorization\", fmt.Sprintf(\"Bearer %s\", accessToken))\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\t// Now update the admin\n\tadmin, err := dataprovider.AdminExists(defaultAdminUsername)\n\tassert.NoError(t, err)\n\terr = dataprovider.UpdateAdmin(&admin, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\t// token validation mode is 0, the old token is still valid\n\ttokenValidationMode = 0\n\trr = httptest.NewRecorder()\n\treq, err = http.NewRequest(http.MethodGet, versionPath, nil)\n\trequire.NoError(t, err)\n\treq.Header.Set(\"Authorization\", fmt.Sprintf(\"Bearer %s\", accessToken))\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\t// change the token validation mode\n\ttokenValidationMode = 2\n\trr = httptest.NewRecorder()\n\treq, err = http.NewRequest(http.MethodGet, versionPath, nil)\n\trequire.NoError(t, err)\n\treq.Header.Set(\"Authorization\", fmt.Sprintf(\"Bearer %s\", accessToken))\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusUnauthorized, rr.Code)\n\t// the token is invalidated, changing the validation mode has no effect\n\ttokenValidationMode = 0\n\trr = httptest.NewRecorder()\n\treq, err = http.NewRequest(http.MethodGet, versionPath, nil)\n\trequire.NoError(t, err)\n\treq.Header.Set(\"Authorization\", fmt.Sprintf(\"Bearer %s\", accessToken))\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusUnauthorized, rr.Code)\n\n\tuserPwd := \"pwd\"\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: defeaultUsername,\n\t\t\tPassword: userPwd,\n\t\t\tHomeDir: filepath.Join(os.TempDir(), defeaultUsername),\n\t\t\tStatus: 1,\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\terr = dataprovider.AddUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tdefer func() {\n\t\tdataprovider.DeleteUser(defeaultUsername, \"\", \"\", \"\") //nolint:errcheck\n\t}()\n\n\ttokenValidationMode = 2\n\treq, err = http.NewRequest(http.MethodGet, webClientLoginPath, nil)\n\trequire.NoError(t, err)\n\trr = httptest.NewRecorder()\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tloginCookie := strings.Split(rr.Header().Get(\"Set-Cookie\"), \";\")[0]\n\tassert.NotEmpty(t, loginCookie)\n\tcsrfToken, err := getCSRFTokenFromBody(rr.Body)\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, csrfToken)\n\t// Now login\n\tform := make(url.Values)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"username\", defeaultUsername)\n\tform.Set(\"password\", userPwd)\n\treq, err = http.NewRequest(http.MethodPost, webClientLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Cookie\", loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = httptest.NewRecorder()\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tuserCookie := strings.Split(rr.Header().Get(\"Set-Cookie\"), \";\")[0]\n\tassert.NotEmpty(t, userCookie)\n\t// Test a WebClient page and a JSON API\n\trr = httptest.NewRecorder()\n\treq, err = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\trequire.NoError(t, err)\n\treq.Header.Set(\"Cookie\", userCookie)\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\trr = httptest.NewRecorder()\n\treq, err = http.NewRequest(http.MethodGet, webClientProfilePath, nil)\n\trequire.NoError(t, err)\n\treq.Header.Set(\"Cookie\", userCookie)\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tcsrfToken, err = getCSRFTokenFromBody(rr.Body)\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, csrfToken)\n\n\trr = httptest.NewRecorder()\n\treq, err = http.NewRequest(http.MethodGet, webClientFilePath+\"?path=missing.txt\", nil)\n\trequire.NoError(t, err)\n\treq.Header.Set(\"Cookie\", userCookie)\n\treq.Header.Set(csrfHeaderToken, csrfToken)\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusNotFound, rr.Code)\n\n\ttokenValidationMode = 0\n\terr = dataprovider.DeleteUser(defeaultUsername, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\trr = httptest.NewRecorder()\n\treq, err = http.NewRequest(http.MethodGet, webClientFilePath+\"?path=missing.txt\", nil)\n\trequire.NoError(t, err)\n\treq.Header.Set(\"Cookie\", userCookie)\n\treq.Header.Set(csrfHeaderToken, csrfToken)\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusNotFound, rr.Code)\n\n\ttokenValidationMode = 2\n\trr = httptest.NewRecorder()\n\treq, err = http.NewRequest(http.MethodGet, webClientFilePath+\"?path=missing.txt\", nil)\n\trequire.NoError(t, err)\n\treq.Header.Set(\"Cookie\", userCookie)\n\treq.Header.Set(csrfHeaderToken, csrfToken)\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\n\ttokenValidationMode = 0\n}\n\nfunc TestUpdateWebAdminInvalidClaims(t *testing.T) {\n\tserver := httpdServer{}\n\terr := server.initializeRouter()\n\trequire.NoError(t, err)\n\n\trr := httptest.NewRecorder()\n\tadmin := dataprovider.Admin{\n\t\tUsername: \"\",\n\t\tPassword: \"password\",\n\t}\n\tc := &jwt.Claims{\n\t\tUsername: admin.Username,\n\t\tPermissions: admin.Permissions,\n\t}\n\tc.Subject = admin.GetSignature()\n\ttoken, err := server.tokenAuth.SignWithParams(c, tokenAudienceWebAdmin, \"\", 10*time.Minute)\n\tassert.NoError(t, err)\n\tresp := c.BuildTokenResponse(token)\n\n\treq, err := http.NewRequest(http.MethodGet, webAdminPath, nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Cookie\", fmt.Sprintf(\"jwt=%s\", resp.Token))\n\tparsedToken, err := jwt.VerifyRequest(server.tokenAuth, req, jwt.TokenFromCookie)\n\tassert.NoError(t, err)\n\tctx := req.Context()\n\tctx = jwt.NewContext(ctx, parsedToken, err)\n\treq = req.WithContext(ctx)\n\n\tform := make(url.Values)\n\tform.Set(csrfFormToken, createCSRFToken(rr, req, server.csrfTokenAuth, \"\", webBaseAdminPath))\n\tform.Set(\"status\", \"1\")\n\tform.Set(\"default_users_expiration\", \"30\")\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webAdminPath, \"admin\"), bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\trctx := chi.NewRouteContext()\n\trctx.URLParams.Add(\"username\", \"admin\")\n\treq = req.WithContext(ctx)\n\treq = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\treq.Header.Set(\"Cookie\", fmt.Sprintf(\"jwt=%s\", resp.Token))\n\tserver.handleWebUpdateAdminPost(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n}\n\nfunc TestUpdateSMTPSecrets(t *testing.T) {\n\tcurrentConfigs := &dataprovider.SMTPConfigs{\n\t\tOAuth2: dataprovider.SMTPOAuth2{\n\t\t\tClientSecret: kms.NewPlainSecret(\"client secret\"),\n\t\t\tRefreshToken: kms.NewPlainSecret(\"refresh token\"),\n\t\t},\n\t}\n\tredactedClientSecret := kms.NewPlainSecret(\"secret\")\n\tredactedRefreshToken := kms.NewPlainSecret(\"token\")\n\tredactedClientSecret.SetStatus(sdkkms.SecretStatusRedacted)\n\tredactedRefreshToken.SetStatus(sdkkms.SecretStatusRedacted)\n\tnewConfigs := &dataprovider.SMTPConfigs{\n\t\tPassword: kms.NewPlainSecret(\"pwd\"),\n\t\tOAuth2: dataprovider.SMTPOAuth2{\n\t\t\tClientSecret: redactedClientSecret,\n\t\t\tRefreshToken: redactedRefreshToken,\n\t\t},\n\t}\n\tupdateSMTPSecrets(newConfigs, currentConfigs)\n\tassert.Nil(t, currentConfigs.Password)\n\tassert.NotNil(t, newConfigs.Password)\n\tassert.Equal(t, currentConfigs.OAuth2.ClientSecret, newConfigs.OAuth2.ClientSecret)\n\tassert.Equal(t, currentConfigs.OAuth2.RefreshToken, newConfigs.OAuth2.RefreshToken)\n\n\tclientSecret := kms.NewPlainSecret(\"plain secret\")\n\trefreshToken := kms.NewPlainSecret(\"plain token\")\n\tnewConfigs = &dataprovider.SMTPConfigs{\n\t\tPassword: kms.NewPlainSecret(\"pwd\"),\n\t\tOAuth2: dataprovider.SMTPOAuth2{\n\t\t\tClientSecret: clientSecret,\n\t\t\tRefreshToken: refreshToken,\n\t\t},\n\t}\n\tupdateSMTPSecrets(newConfigs, currentConfigs)\n\tassert.Equal(t, clientSecret, newConfigs.OAuth2.ClientSecret)\n\tassert.Equal(t, refreshToken, newConfigs.OAuth2.RefreshToken)\n}\n\nfunc TestOAuth2Redirect(t *testing.T) {\n\tserver := httpdServer{}\n\terr := server.initializeRouter()\n\trequire.NoError(t, err)\n\n\trr := httptest.NewRecorder()\n\treq, err := http.NewRequest(http.MethodGet, webOAuth2RedirectPath+\"?state=invalid\", nil)\n\tassert.NoError(t, err)\n\tserver.handleOAuth2TokenRedirect(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nOAuth2ErrorTitle)\n\n\tip := \"127.1.1.4\"\n\ttokenString := createOAuth2Token(server.csrfTokenAuth, xid.New().String(), ip)\n\trr = httptest.NewRecorder()\n\treq, err = http.NewRequest(http.MethodGet, webOAuth2RedirectPath+\"?state=\"+tokenString, nil) //nolint:goconst\n\tassert.NoError(t, err)\n\treq.RemoteAddr = ip\n\tserver.handleOAuth2TokenRedirect(rr, req)\n\tassert.Equal(t, http.StatusInternalServerError, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nOAuth2ErrorValidateState)\n}\n\nfunc TestOAuth2Token(t *testing.T) {\n\tserver := httpdServer{}\n\terr := server.initializeRouter()\n\trequire.NoError(t, err)\n\t// invalid token\n\t_, err = verifyOAuth2Token(server.csrfTokenAuth, \"token\", \"\")\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unable to verify OAuth2 state\")\n\t}\n\t// bad audience\n\tclaims := jwt.NewClaims(tokenAudienceAPI, \"\", getTokenDuration(tokenAudienceAPI))\n\n\ttokenString, err := server.csrfTokenAuth.Sign(claims)\n\tassert.NoError(t, err)\n\t_, err = verifyOAuth2Token(server.csrfTokenAuth, tokenString, \"\")\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"invalid OAuth2 state\")\n\t}\n\t// bad IP\n\ttokenString = createOAuth2Token(server.csrfTokenAuth, \"state\", \"127.1.1.1\")\n\t_, err = verifyOAuth2Token(server.csrfTokenAuth, tokenString, \"127.1.1.2\")\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"invalid OAuth2 state\")\n\t}\n\t// ok\n\tstate := xid.New().String()\n\ttokenString = createOAuth2Token(server.csrfTokenAuth, state, \"127.1.1.3\")\n\ts, err := verifyOAuth2Token(server.csrfTokenAuth, tokenString, \"127.1.1.3\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, state, s)\n\t// no jti\n\tclaims = jwt.NewClaims(tokenAudienceOAuth2, \"127.1.1.4\", getTokenDuration(tokenAudienceOAuth2))\n\ttokenString, err = josejwt.Signed(server.csrfTokenAuth.Signer()).Claims(claims).Serialize()\n\tassert.NoError(t, err)\n\t_, err = verifyOAuth2Token(server.csrfTokenAuth, tokenString, \"127.1.1.4\")\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"invalid OAuth2 state\")\n\t}\n\t// encode error\n\tserver.csrfTokenAuth.SetSigner(&failingJoseSigner{})\n\ttokenString = createOAuth2Token(server.csrfTokenAuth, xid.New().String(), \"\")\n\tassert.Empty(t, tokenString)\n\n\trr := httptest.NewRecorder()\n\ttestReq := make(map[string]any)\n\ttestReq[\"base_redirect_url\"] = \"http://localhost:8082\"\n\tasJSON, err := json.Marshal(testReq)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodPost, webOAuth2TokenPath, bytes.NewBuffer(asJSON))\n\tassert.NoError(t, err)\n\tserver.handleSMTPOAuth2TokenRequestPost(rr, req)\n\tassert.Equal(t, http.StatusInternalServerError, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"unable to create state token\")\n}\n\nfunc TestCSRFToken(t *testing.T) {\n\tserver := httpdServer{}\n\terr := server.initializeRouter()\n\trequire.NoError(t, err)\n\t// invalid token\n\treq := &http.Request{}\n\terr = verifyCSRFToken(req, server.csrfTokenAuth)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unable to verify form token\")\n\t}\n\t// bad audience\n\tclaims := jwt.NewClaims(tokenAudienceAPI, \"\", getTokenDuration(tokenAudienceAPI))\n\ttokenString, err := server.csrfTokenAuth.Sign(claims)\n\tassert.NoError(t, err)\n\tvalues := url.Values{}\n\tvalues.Set(csrfFormToken, tokenString)\n\treq.Form = values\n\terr = verifyCSRFToken(req, server.csrfTokenAuth)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"form token is not valid\")\n\t}\n\n\t// bad IP\n\treq.RemoteAddr = \"127.1.1.1\"\n\ttokenString = createCSRFToken(httptest.NewRecorder(), req, server.csrfTokenAuth, \"\", webBaseAdminPath)\n\tvalues.Set(csrfFormToken, tokenString)\n\treq.Form = values\n\treq.RemoteAddr = \"127.1.1.2\"\n\terr = verifyCSRFToken(req, server.csrfTokenAuth)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"form token is not valid\")\n\t}\n\n\tclaims = jwt.NewClaims(tokenAudienceAPI, \"\", getTokenDuration(tokenAudienceAPI))\n\ttokenString, err = server.csrfTokenAuth.Sign(claims)\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, tokenString)\n\n\tr, err := GetHTTPRouter(Binding{\n\t\tAddress: \"\",\n\t\tPort: 8080,\n\t\tEnableWebAdmin: true,\n\t\tEnableWebClient: true,\n\t\tEnableRESTAPI: true,\n\t\tRenderOpenAPI: true,\n\t})\n\tassert.NoError(t, err)\n\tfn := server.verifyCSRFHeader(r)\n\trr := httptest.NewRecorder()\n\treq, _ = http.NewRequest(http.MethodDelete, path.Join(userPath, \"username\"), nil)\n\tfn.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token\")\n\n\t// invalid audience\n\treq.Header.Set(csrfHeaderToken, tokenString)\n\trr = httptest.NewRecorder()\n\tfn.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"the token is not valid\")\n\n\t// invalid IP\n\ttokenString = createCSRFToken(httptest.NewRecorder(), req, server.csrfTokenAuth, \"\", webBaseAdminPath)\n\treq.Header.Set(csrfHeaderToken, tokenString)\n\treq.RemoteAddr = \"172.16.1.2\"\n\trr = httptest.NewRecorder()\n\tfn.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"the token is not valid\")\n\n\tcsrfTokenAuth, err := jwt.NewSigner(jose.HS256, util.GenerateRandomBytes(32))\n\trequire.NoError(t, err)\n\tcsrfTokenAuth.SetSigner(&failingJoseSigner{})\n\ttokenString = createCSRFToken(httptest.NewRecorder(), req, csrfTokenAuth, \"\", webBaseAdminPath)\n\tassert.Empty(t, tokenString)\n\trr = httptest.NewRecorder()\n\tcreateLoginCookie(rr, req, csrfTokenAuth, \"\", webBaseAdminPath, req.RemoteAddr)\n\tassert.Empty(t, rr.Header().Get(\"Set-Cookie\"))\n}\n\nfunc TestCreateShareCookieError(t *testing.T) {\n\tusername := \"share_user\"\n\tpwd := util.GenerateUniqueID()\n\tuser := &dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username,\n\t\t\tPassword: pwd,\n\t\t\tHomeDir: filepath.Join(os.TempDir(), username),\n\t\t\tStatus: 1,\n\t\t\tPermissions: map[string][]string{\n\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t},\n\t\t},\n\t}\n\terr := dataprovider.AddUser(user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tshare := &dataprovider.Share{\n\t\tName: \"test_share_cookie_error\",\n\t\tShareID: util.GenerateUniqueID(),\n\t\tScope: dataprovider.ShareScopeRead,\n\t\tPassword: pwd,\n\t\tPaths: []string{\"/\"},\n\t\tUsername: username,\n\t}\n\terr = dataprovider.AddShare(share, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\ttokenAuth, err := jwt.NewSigner(jose.HS256, util.GenerateRandomBytes(32))\n\trequire.NoError(t, err)\n\ttokenAuth.SetSigner(&failingJoseSigner{})\n\tcsrfTokenAuth, err := jwt.NewSigner(jose.HS256, util.GenerateRandomBytes(32))\n\trequire.NoError(t, err)\n\n\tserver := httpdServer{\n\t\ttokenAuth: tokenAuth,\n\t\tcsrfTokenAuth: csrfTokenAuth,\n\t}\n\n\tc := jwt.NewClaims(tokenAudienceWebLogin, \"127.0.0.1\", getTokenDuration(tokenAudienceWebLogin))\n\ttoken, err := server.csrfTokenAuth.Sign(c)\n\tassert.NoError(t, err)\n\tresp := c.BuildTokenResponse(token)\n\tparsedToken, err := jwt.VerifyToken(server.csrfTokenAuth, resp.Token)\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, share.ShareID, \"login\"), nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = \"127.0.0.1:4567\"\n\tctx := req.Context()\n\tctx = jwt.NewContext(ctx, parsedToken, err)\n\treq = req.WithContext(ctx)\n\n\tform := make(url.Values)\n\tform.Set(\"share_password\", pwd)\n\tform.Set(csrfFormToken, createCSRFToken(httptest.NewRecorder(), req, server.csrfTokenAuth, \"\", webBaseClientPath))\n\trctx := chi.NewRouteContext()\n\trctx.URLParams.Add(\"id\", share.ShareID)\n\trr := httptest.NewRecorder()\n\treq, err = http.NewRequest(http.MethodPost, path.Join(webClientPubSharesPath, share.ShareID, \"login\"),\n\t\tbytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = \"127.0.0.1:2345\"\n\treq.Header.Set(\"Cookie\", fmt.Sprintf(\"jwt=%s\", resp.Token))\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\treq = req.WithContext(ctx)\n\treq = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))\n\tserver.handleClientShareLoginPost(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())\n\tassert.Contains(t, rr.Body.String(), util.I18nError500Message)\n\n\terr = dataprovider.DeleteUser(username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n}\n\nfunc TestCreateTokenError(t *testing.T) {\n\ttokenAuth, err := jwt.NewSigner(jose.HS256, util.GenerateRandomBytes(32))\n\trequire.NoError(t, err)\n\ttokenAuth.SetSigner(&failingJoseSigner{})\n\tcsrfTokenAuth, err := jwt.NewSigner(jose.HS256, util.GenerateRandomBytes(32))\n\trequire.NoError(t, err)\n\n\tserver := httpdServer{\n\t\ttokenAuth: tokenAuth,\n\t\tcsrfTokenAuth: csrfTokenAuth,\n\t}\n\trr := httptest.NewRecorder()\n\tadmin := dataprovider.Admin{\n\t\tUsername: defaultAdminUsername,\n\t\tPassword: \"password\",\n\t}\n\treq, _ := http.NewRequest(http.MethodGet, tokenPath, nil)\n\n\tserver.generateAndSendToken(rr, req, admin, \"\")\n\tassert.Equal(t, http.StatusInternalServerError, rr.Code)\n\n\trr = httptest.NewRecorder()\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"u\",\n\t\t\tPassword: util.GenerateUniqueID(),\n\t\t},\n\t}\n\treq, _ = http.NewRequest(http.MethodGet, userTokenPath, nil)\n\n\tserver.generateAndSendUserToken(rr, req, \"\", user)\n\tassert.Equal(t, http.StatusInternalServerError, rr.Code)\n\n\tc := &jwt.Claims{}\n\tc.ID = xid.New().String()\n\tc.SetExpiry(time.Now().Add(1 * time.Minute))\n\ttokenString, err := server.csrfTokenAuth.SignWithParams(c, tokenAudienceAPI, \"\", getTokenDuration(tokenAudienceAPI))\n\tassert.NoError(t, err)\n\ttoken := c.BuildTokenResponse(tokenString)\n\n\treq, err = http.NewRequest(http.MethodGet, webAdminLoginPath, nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Cookie\", fmt.Sprintf(\"jwt=%s\", token.Token))\n\tparsedToken, err := jwt.VerifyRequest(server.csrfTokenAuth, req, jwt.TokenFromCookie)\n\tassert.NoError(t, err)\n\tctx := req.Context()\n\tctx = jwt.NewContext(ctx, parsedToken, err)\n\treq = req.WithContext(ctx)\n\n\trr = httptest.NewRecorder()\n\tform := make(url.Values)\n\tform.Set(\"username\", admin.Username)\n\tform.Set(\"password\", admin.Password)\n\tform.Set(csrfFormToken, createCSRFToken(rr, req, server.csrfTokenAuth, xid.New().String(), webBaseAdminPath))\n\tcookie := rr.Header().Get(\"Set-Cookie\")\n\tassert.NotEmpty(t, cookie)\n\treq, _ = http.NewRequest(http.MethodPost, webAdminLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.Header.Set(\"Cookie\", cookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tparsedToken, err = jwt.VerifyRequest(server.csrfTokenAuth, req, jwt.TokenFromCookie)\n\tassert.NoError(t, err)\n\tctx = req.Context()\n\tctx = jwt.NewContext(ctx, parsedToken, err)\n\treq = req.WithContext(ctx)\n\tserver.handleWebAdminLoginPost(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())\n\t// req with no content type\n\treq, _ = http.NewRequest(http.MethodPost, webAdminLoginPath, nil)\n\trr = httptest.NewRecorder()\n\tserver.handleWebAdminLoginPost(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())\n\treq, _ = http.NewRequest(http.MethodPost, webAdminSetupPath, nil)\n\trr = httptest.NewRecorder()\n\tserver.loginAdmin(rr, req, &admin, false, nil, \"\")\n\t// req with no POST body\n\treq, _ = http.NewRequest(http.MethodGet, webAdminLoginPath+\"?a=a%C3%AO%GG\", nil)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = httptest.NewRecorder()\n\tserver.handleWebAdminLoginPost(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())\n\n\treq, _ = http.NewRequest(http.MethodGet, webAdminLoginPath+\"?a=a%C3%A1%G2\", nil)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = httptest.NewRecorder()\n\tserver.handleWebAdminChangePwdPost(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidForm)\n\n\treq, _ = http.NewRequest(http.MethodGet, webAdminLoginPath+\"?a=a%C3%A2%G3\", nil)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\t_, err = getAdminFromPostFields(req)\n\tassert.Error(t, err)\n\n\treq, _ = http.NewRequest(http.MethodPost, webAdminEventActionPath+\"?a=a%C3%A2%GG\", nil)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\t_, err = getEventActionFromPostFields(req)\n\tassert.Error(t, err)\n\n\treq, _ = http.NewRequest(http.MethodPost, webAdminEventRulePath+\"?a=a%C3%A3%GG\", nil)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\t_, err = getEventRuleFromPostFields(req)\n\tassert.Error(t, err)\n\n\treq, _ = http.NewRequest(http.MethodPost, webIPListPath+\"/1?a=a%C3%AO%GG\", nil)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\t_, err = getIPListEntryFromPostFields(req, dataprovider.IPListTypeAllowList)\n\tassert.Error(t, err)\n\n\treq, _ = http.NewRequest(http.MethodPost, path.Join(webClientSharePath, \"shareID\", \"login?a=a%C3%AO%GG\"), bytes.NewBuffer([]byte(form.Encode())))\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = httptest.NewRecorder()\n\tserver.handleClientShareLoginPost(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())\n\n\treq, _ = http.NewRequest(http.MethodPost, webClientLoginPath+\"?a=a%C3%AO%GG\", bytes.NewBuffer([]byte(form.Encode())))\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = httptest.NewRecorder()\n\tserver.handleWebClientLoginPost(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())\n\n\treq, _ = http.NewRequest(http.MethodPost, webChangeClientPwdPath+\"?a=a%C3%AO%GA\", bytes.NewBuffer([]byte(form.Encode())))\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = httptest.NewRecorder()\n\tserver.handleWebClientChangePwdPost(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidForm)\n\n\treq, _ = http.NewRequest(http.MethodPost, webClientProfilePath+\"?a=a%C3%AO%GB\", bytes.NewBuffer([]byte(form.Encode())))\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = httptest.NewRecorder()\n\tserver.handleWebClientProfilePost(rr, req)\n\tassert.Equal(t, http.StatusInternalServerError, rr.Code, rr.Body.String())\n\n\treq, _ = http.NewRequest(http.MethodPost, webAdminProfilePath+\"?a=a%C3%AO%GB\", bytes.NewBuffer([]byte(form.Encode())))\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = httptest.NewRecorder()\n\tserver.handleWebAdminProfilePost(rr, req)\n\tassert.Equal(t, http.StatusInternalServerError, rr.Code, rr.Body.String())\n\n\treq, _ = http.NewRequest(http.MethodPost, webAdminTwoFactorPath+\"?a=a%C3%AO%GC\", bytes.NewBuffer([]byte(form.Encode())))\n\treq = req.WithContext(jwt.NewContext(req.Context(), &jwt.Claims{}, nil))\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = httptest.NewRecorder()\n\tserver.handleWebAdminTwoFactorPost(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidForm)\n\n\treq, _ = http.NewRequest(http.MethodPost, webAdminTwoFactorRecoveryPath+\"?a=a%C3%AO%GD\", bytes.NewBuffer([]byte(form.Encode())))\n\treq = req.WithContext(jwt.NewContext(req.Context(), &jwt.Claims{}, nil))\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = httptest.NewRecorder()\n\tserver.handleWebAdminTwoFactorRecoveryPost(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidForm)\n\n\treq, _ = http.NewRequest(http.MethodPost, webClientTwoFactorPath+\"?a=a%C3%AO%GC\", bytes.NewBuffer([]byte(form.Encode())))\n\treq = req.WithContext(jwt.NewContext(req.Context(), &jwt.Claims{}, nil))\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = httptest.NewRecorder()\n\tserver.handleWebClientTwoFactorPost(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidForm)\n\n\treq, _ = http.NewRequest(http.MethodPost, webClientTwoFactorRecoveryPath+\"?a=a%C3%AO%GD\", bytes.NewBuffer([]byte(form.Encode())))\n\treq = req.WithContext(jwt.NewContext(req.Context(), &jwt.Claims{}, nil))\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = httptest.NewRecorder()\n\tserver.handleWebClientTwoFactorRecoveryPost(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidForm)\n\n\treq, _ = http.NewRequest(http.MethodPost, webAdminForgotPwdPath+\"?a=a%C3%A1%GD\", bytes.NewBuffer([]byte(form.Encode())))\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = httptest.NewRecorder()\n\tserver.handleWebAdminForgotPwdPost(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidForm)\n\n\treq, _ = http.NewRequest(http.MethodPost, webClientForgotPwdPath+\"?a=a%C2%A1%GD\", bytes.NewBuffer([]byte(form.Encode())))\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = httptest.NewRecorder()\n\tserver.handleWebClientForgotPwdPost(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidForm)\n\n\treq, _ = http.NewRequest(http.MethodPost, webAdminResetPwdPath+\"?a=a%C3%AO%JD\", bytes.NewBuffer([]byte(form.Encode())))\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = httptest.NewRecorder()\n\tserver.handleWebAdminPasswordResetPost(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidForm)\n\n\treq, _ = http.NewRequest(http.MethodPost, webAdminRolePath+\"?a=a%C3%AO%JE\", bytes.NewBuffer([]byte(form.Encode())))\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = httptest.NewRecorder()\n\tserver.handleWebAddRolePost(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidForm)\n\n\treq, _ = http.NewRequest(http.MethodPost, webClientResetPwdPath+\"?a=a%C3%AO%JD\", bytes.NewBuffer([]byte(form.Encode())))\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = httptest.NewRecorder()\n\tserver.handleWebClientPasswordResetPost(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidForm)\n\n\treq, _ = http.NewRequest(http.MethodPost, webChangeClientPwdPath+\"?a=a%K3%AO%GA\", bytes.NewBuffer([]byte(form.Encode())))\n\t_, err = getShareFromPostFields(req)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"invalid URL escape\")\n\t}\n\n\tusername := \"webclientuser\"\n\tuser = dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username,\n\t\t\tPassword: \"clientpwd\",\n\t\t\tHomeDir: filepath.Join(os.TempDir(), username),\n\t\t\tStatus: 1,\n\t\t\tDescription: \"test user\",\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tuser.Filters.AllowAPIKeyAuth = true\n\terr = dataprovider.AddUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, webClientLoginPath, nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Cookie\", fmt.Sprintf(\"jwt=%s\", token.Token))\n\tparsedToken, err = jwt.VerifyRequest(server.csrfTokenAuth, req, jwt.TokenFromCookie)\n\tassert.NoError(t, err)\n\tctx = req.Context()\n\tctx = jwt.NewContext(ctx, parsedToken, err)\n\treq = req.WithContext(ctx)\n\n\trr = httptest.NewRecorder()\n\tform = make(url.Values)\n\tform.Set(\"username\", user.Username)\n\tform.Set(\"password\", \"clientpwd\")\n\tform.Set(csrfFormToken, createCSRFToken(rr, req, server.csrfTokenAuth, \"\", webBaseClientPath))\n\treq, _ = http.NewRequest(http.MethodPost, webClientLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tserver.handleWebClientLoginPost(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())\n\n\terr = authenticateUserWithAPIKey(username, \"\", server.tokenAuth, req)\n\tassert.Error(t, err)\n\n\terr = dataprovider.DeleteUser(username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.HomeDir)\n\tassert.NoError(t, err)\n\n\tadmin.Username += \"1\"\n\tadmin.Status = 1\n\tadmin.Filters.AllowAPIKeyAuth = true\n\tadmin.Permissions = []string{dataprovider.PermAdminAny}\n\terr = dataprovider.AddAdmin(&admin, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\terr = authenticateAdminWithAPIKey(admin.Username, \"\", server.tokenAuth, req)\n\tassert.Error(t, err)\n\n\terr = dataprovider.DeleteAdmin(admin.Username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n}\n\nfunc TestAPIKeyAuthForbidden(t *testing.T) {\n\tr, err := GetHTTPRouter(Binding{\n\t\tAddress: \"\",\n\t\tPort: 8080,\n\t\tEnableWebAdmin: true,\n\t\tEnableWebClient: true,\n\t\tEnableRESTAPI: true,\n\t\tRenderOpenAPI: true,\n\t})\n\trequire.NoError(t, err)\n\tfn := forbidAPIKeyAuthentication(r)\n\trr := httptest.NewRecorder()\n\treq, _ := http.NewRequest(http.MethodGet, versionPath, nil)\n\tfn.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"Invalid token claims\")\n}\n\nfunc TestJWTTokenValidation(t *testing.T) {\n\ttokenAuth, err := jwt.NewSigner(jose.HS256, util.GenerateRandomBytes(32))\n\trequire.NoError(t, err)\n\tclaims := &jwt.Claims{\n\t\tUsername: defaultAdminUsername,\n\t}\n\tclaims.SetExpiry(time.Now().UTC().Add(-1 * time.Hour))\n\t_, err = tokenAuth.SignWithParams(claims, tokenAudienceWebAdmin, \"\", getTokenDuration(tokenAudienceWebAdmin))\n\trequire.NoError(t, err)\n\n\tserver := httpdServer{\n\t\tbinding: Binding{\n\t\t\tAddress: \"\",\n\t\t\tPort: 8080,\n\t\t\tEnableWebAdmin: true,\n\t\t\tEnableWebClient: true,\n\t\t\tEnableRESTAPI: true,\n\t\t\tRenderOpenAPI: true,\n\t\t},\n\t}\n\terr = server.initializeRouter()\n\trequire.NoError(t, err)\n\tr := server.router\n\tfn := jwtAuthenticatorAPI(r)\n\trr := httptest.NewRecorder()\n\treq, _ := http.NewRequest(http.MethodGet, userPath, nil)\n\tctx := jwt.NewContext(req.Context(), claims, nil)\n\tfn.ServeHTTP(rr, req.WithContext(ctx))\n\tassert.Equal(t, http.StatusUnauthorized, rr.Code)\n\n\tfn = jwtAuthenticatorWebAdmin(r)\n\trr = httptest.NewRecorder()\n\treq, _ = http.NewRequest(http.MethodGet, webUserPath, nil)\n\tctx = jwt.NewContext(req.Context(), claims, nil)\n\tfn.ServeHTTP(rr, req.WithContext(ctx))\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webAdminLoginPath, rr.Header().Get(\"Location\"))\n\n\tfn = jwtAuthenticatorWebClient(r)\n\trr = httptest.NewRecorder()\n\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\tctx = jwt.NewContext(req.Context(), claims, nil)\n\tfn.ServeHTTP(rr, req.WithContext(ctx))\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\n\terrTest := errors.New(\"test error\")\n\tpermFn := server.checkPerms(dataprovider.PermAdminAny)\n\tfn = permFn(r)\n\trr = httptest.NewRecorder()\n\treq, _ = http.NewRequest(http.MethodGet, userPath, nil)\n\tctx = jwt.NewContext(req.Context(), claims, errTest)\n\tfn.ServeHTTP(rr, req.WithContext(ctx))\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\n\tpermFn = server.checkPerms(dataprovider.PermAdminAny)\n\tfn = permFn(r)\n\trr = httptest.NewRecorder()\n\treq, _ = http.NewRequest(http.MethodGet, webUserPath, nil)\n\treq.RequestURI = webUserPath\n\tctx = jwt.NewContext(req.Context(), claims, errTest)\n\tfn.ServeHTTP(rr, req.WithContext(ctx))\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\n\tpermClientFn := server.checkHTTPUserPerm(sdk.WebClientPubKeyChangeDisabled)\n\tfn = permClientFn(r)\n\trr = httptest.NewRecorder()\n\treq, _ = http.NewRequest(http.MethodPost, webClientProfilePath, nil)\n\treq.RequestURI = webClientProfilePath\n\tctx = jwt.NewContext(req.Context(), claims, errTest)\n\tfn.ServeHTTP(rr, req.WithContext(ctx))\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\n\trr = httptest.NewRecorder()\n\treq, _ = http.NewRequest(http.MethodPost, userProfilePath, nil)\n\treq.RequestURI = userProfilePath\n\tctx = jwt.NewContext(req.Context(), claims, errTest)\n\tfn.ServeHTTP(rr, req.WithContext(ctx))\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\n\tfn = server.checkAuthRequirements(r)\n\trr = httptest.NewRecorder()\n\treq, _ = http.NewRequest(http.MethodPost, webClientProfilePath, nil)\n\treq.RequestURI = webClientProfilePath\n\tctx = jwt.NewContext(req.Context(), claims, errTest)\n\tfn.ServeHTTP(rr, req.WithContext(ctx))\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\n\tfn = server.checkAuthRequirements(r)\n\trr = httptest.NewRecorder()\n\treq, _ = http.NewRequest(http.MethodPost, webGroupsPath, nil)\n\treq.RequestURI = webGroupsPath\n\tctx = jwt.NewContext(req.Context(), claims, errTest)\n\tfn.ServeHTTP(rr, req.WithContext(ctx))\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\n\trr = httptest.NewRecorder()\n\treq, _ = http.NewRequest(http.MethodPost, userSharesPath, nil)\n\treq.RequestURI = userSharesPath\n\tctx = jwt.NewContext(req.Context(), claims, errTest)\n\tfn.ServeHTTP(rr, req.WithContext(ctx))\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n}\n\nfunc TestUpdateContextFromCookie(t *testing.T) {\n\ttokenAuth, err := jwt.NewSigner(jose.HS256, util.GenerateRandomBytes(32))\n\trequire.NoError(t, err)\n\tserver := httpdServer{\n\t\ttokenAuth: tokenAuth,\n\t}\n\treq, _ := http.NewRequest(http.MethodGet, tokenPath, nil)\n\tclaims := jwt.NewClaims(tokenAudienceWebClient, \"\", getTokenDuration(tokenAudienceWebClient))\n\t_, err = server.tokenAuth.Sign(claims)\n\tassert.NoError(t, err)\n\n\tctx := jwt.NewContext(req.Context(), claims, nil)\n\treq = server.updateContextFromCookie(req.WithContext(ctx))\n\ttoken, err := jwt.FromContext(req.Context())\n\trequire.NoError(t, err)\n\trequire.True(t, token.Audience.Contains(tokenAudienceWebClient))\n\trequire.NotEmpty(t, token.ID)\n}\n\nfunc TestCookieExpiration(t *testing.T) {\n\ttokenAuth, err := jwt.NewSigner(jose.HS256, util.GenerateRandomBytes(32))\n\trequire.NoError(t, err)\n\tserver := httpdServer{\n\t\ttokenAuth: tokenAuth,\n\t}\n\terr = errors.New(\"test error\")\n\trr := httptest.NewRecorder()\n\treq, _ := http.NewRequest(http.MethodGet, tokenPath, nil)\n\tctx := jwt.NewContext(req.Context(), nil, err)\n\tserver.checkCookieExpiration(rr, req.WithContext(ctx))\n\tcookie := rr.Header().Get(\"Set-Cookie\")\n\tassert.Empty(t, cookie)\n\n\treq, _ = http.NewRequest(http.MethodGet, tokenPath, nil)\n\tclaims := jwt.NewClaims(tokenAudienceWebClient, \"\", getTokenDuration(tokenAudienceWebClient))\n\t_, err = server.tokenAuth.Sign(claims)\n\tassert.NoError(t, err)\n\tctx = jwt.NewContext(req.Context(), claims, nil)\n\tserver.checkCookieExpiration(rr, req.WithContext(ctx))\n\tcookie = rr.Header().Get(\"Set-Cookie\")\n\tassert.Empty(t, cookie)\n\n\tadmin := dataprovider.Admin{\n\t\tUsername: \"newtestadmin\",\n\t\tPassword: \"password\",\n\t\tPermissions: []string{dataprovider.PermAdminAny},\n\t}\n\tclaims = jwt.NewClaims(tokenAudienceAPI, \"\", getTokenDuration(tokenAudienceAPI))\n\tclaims.Username = admin.Username\n\tclaims.Permissions = admin.Permissions\n\tclaims.Subject = admin.GetSignature()\n\tclaims.SetExpiry(time.Now().Add(1 * time.Minute))\n\t_, err = server.tokenAuth.Sign(claims)\n\tassert.NoError(t, err)\n\n\treq, _ = http.NewRequest(http.MethodGet, tokenPath, nil)\n\tctx = jwt.NewContext(req.Context(), claims, nil)\n\tserver.checkCookieExpiration(rr, req.WithContext(ctx))\n\tcookie = rr.Header().Get(\"Set-Cookie\")\n\tassert.Empty(t, cookie)\n\n\tadmin.Status = 0\n\terr = dataprovider.AddAdmin(&admin, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\treq, _ = http.NewRequest(http.MethodGet, tokenPath, nil)\n\tctx = jwt.NewContext(req.Context(), claims, nil)\n\tserver.checkCookieExpiration(rr, req.WithContext(ctx))\n\tcookie = rr.Header().Get(\"Set-Cookie\")\n\tassert.Empty(t, cookie)\n\n\tadmin.Status = 1\n\tadmin.Filters.AllowList = []string{\"172.16.1.0/24\"}\n\terr = dataprovider.UpdateAdmin(&admin, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\treq, _ = http.NewRequest(http.MethodGet, tokenPath, nil)\n\tctx = jwt.NewContext(req.Context(), claims, nil)\n\tserver.checkCookieExpiration(rr, req.WithContext(ctx))\n\tcookie = rr.Header().Get(\"Set-Cookie\")\n\tassert.Empty(t, cookie)\n\n\tadmin, err = dataprovider.AdminExists(admin.Username)\n\tassert.NoError(t, err)\n\ttokenID := xid.New().String()\n\tclaims = jwt.NewClaims(tokenAudienceAPI, \"\", getTokenDuration(tokenAudienceAPI))\n\tclaims.ID = tokenID\n\tclaims.Username = admin.Username\n\tclaims.Permissions = admin.Permissions\n\tclaims.Subject = admin.GetSignature()\n\tclaims.SetExpiry(time.Now().Add(1 * time.Minute))\n\t_, err = server.tokenAuth.Sign(claims)\n\tassert.NoError(t, err)\n\n\treq, _ = http.NewRequest(http.MethodGet, tokenPath, nil)\n\treq.RemoteAddr = \"192.168.8.1:1234\"\n\tctx = jwt.NewContext(req.Context(), claims, nil)\n\tserver.checkCookieExpiration(rr, req.WithContext(ctx))\n\tcookie = rr.Header().Get(\"Set-Cookie\")\n\tassert.Empty(t, cookie)\n\n\treq, _ = http.NewRequest(http.MethodGet, tokenPath, nil)\n\treq.RemoteAddr = \"172.16.1.12:4567\"\n\tctx = jwt.NewContext(req.Context(), claims, nil)\n\tserver.checkCookieExpiration(rr, req.WithContext(ctx))\n\tcookie = rr.Header().Get(\"Set-Cookie\")\n\tassert.True(t, strings.HasPrefix(cookie, \"jwt=\"))\n\treq.Header.Set(\"Cookie\", cookie)\n\tc, err := jwt.VerifyRequest(server.tokenAuth, req, jwt.TokenFromCookie)\n\tif assert.NoError(t, err) {\n\t\tassert.Equal(t, tokenID, c.ID)\n\t}\n\n\terr = dataprovider.DeleteAdmin(admin.Username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\t// now check client cookie expiration\n\tusername := \"client\"\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username,\n\t\t\tPassword: \"clientpwd\",\n\t\t\tHomeDir: filepath.Join(os.TempDir(), username),\n\t\t\tStatus: 1,\n\t\t\tDescription: \"test user\",\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{\"*\"}\n\n\tclaims = jwt.NewClaims(tokenAudienceWebClient, \"\", getTokenDuration(tokenAudienceWebClient))\n\tclaims.ID = tokenID\n\tclaims.Username = user.Username\n\tclaims.Permissions = user.Filters.WebClient\n\tclaims.Subject = user.GetSignature()\n\tclaims.SetExpiry(time.Now().Add(1 * time.Minute))\n\t_, err = server.tokenAuth.Sign(claims)\n\tassert.NoError(t, err)\n\n\trr = httptest.NewRecorder()\n\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\tctx = jwt.NewContext(req.Context(), claims, nil)\n\tserver.checkCookieExpiration(rr, req.WithContext(ctx))\n\tcookie = rr.Header().Get(\"Set-Cookie\")\n\tassert.Empty(t, cookie)\n\t// the password will be hashed and so the signature will change\n\terr = dataprovider.AddUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\tctx = jwt.NewContext(req.Context(), claims, nil)\n\tserver.checkCookieExpiration(rr, req.WithContext(ctx))\n\tcookie = rr.Header().Get(\"Set-Cookie\")\n\tassert.Empty(t, cookie)\n\n\tuser, err = dataprovider.UserExists(user.Username, \"\")\n\tassert.NoError(t, err)\n\tuser.Filters.AllowedIP = []string{\"172.16.4.0/24\"}\n\terr = dataprovider.UpdateUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tuser, err = dataprovider.UserExists(user.Username, \"\")\n\tassert.NoError(t, err)\n\tissuedAt := time.Now().Add(-1 * time.Minute)\n\texpiresAt := time.Now().Add(1 * time.Minute)\n\n\tclaims = jwt.NewClaims(tokenAudienceWebClient, \"\", getTokenDuration(tokenAudienceWebClient))\n\tclaims.ID = tokenID\n\tclaims.Username = user.Username\n\tclaims.Permissions = user.Filters.WebClient\n\tclaims.Subject = user.GetSignature()\n\tclaims.SetExpiry(expiresAt)\n\tclaims.SetIssuedAt(issuedAt)\n\t_, err = server.tokenAuth.Sign(claims)\n\tassert.NoError(t, err)\n\n\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\treq.RemoteAddr = \"172.16.3.12:4567\"\n\tctx = jwt.NewContext(req.Context(), claims, nil)\n\tserver.checkCookieExpiration(rr, req.WithContext(ctx))\n\tcookie = rr.Header().Get(\"Set-Cookie\")\n\tassert.Empty(t, cookie)\n\n\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\treq.RemoteAddr = \"172.16.4.16:4567\"\n\tctx = jwt.NewContext(req.Context(), claims, nil)\n\tserver.checkCookieExpiration(rr, req.WithContext(ctx))\n\tcookie = rr.Header().Get(\"Set-Cookie\")\n\tassert.NotEmpty(t, cookie)\n\treq.Header.Set(\"Cookie\", cookie)\n\tc, err = jwt.VerifyRequest(server.tokenAuth, req, jwt.TokenFromCookie)\n\tif assert.NoError(t, err) {\n\t\tassert.Equal(t, tokenID, c.ID)\n\t\tassert.Equal(t, issuedAt.Unix(), c.IssuedAt.Time().Unix())\n\t\tassert.NotEqual(t, expiresAt.Unix(), c.Expiry.Time().Unix())\n\t}\n\t// test a cookie issued more that 12 hours ago\n\tclaims = jwt.NewClaims(tokenAudienceWebClient, \"\", getTokenDuration(tokenAudienceWebClient))\n\tclaims.ID = tokenID\n\tclaims.Username = user.Username\n\tclaims.Permissions = user.Filters.WebClient\n\tclaims.Subject = user.GetSignature()\n\tclaims.SetExpiry(expiresAt)\n\tclaims.SetIssuedAt(time.Now().Add(-24 * time.Hour))\n\t_, err = server.tokenAuth.Sign(claims)\n\tassert.NoError(t, err)\n\n\trr = httptest.NewRecorder()\n\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\treq.RemoteAddr = \"172.16.4.16:6789\"\n\tctx = jwt.NewContext(req.Context(), claims, nil)\n\tserver.checkCookieExpiration(rr, req.WithContext(ctx))\n\tcookie = rr.Header().Get(\"Set-Cookie\")\n\tassert.Empty(t, cookie)\n\n\t// test a disabled user\n\tuser.Status = 0\n\terr = dataprovider.UpdateUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tuser, err = dataprovider.UserExists(user.Username, \"\")\n\tassert.NoError(t, err)\n\n\tclaims = jwt.NewClaims(tokenAudienceWebClient, \"\", getTokenDuration(tokenAudienceWebClient))\n\tclaims.ID = tokenID\n\tclaims.Username = user.Username\n\tclaims.Permissions = user.Filters.WebClient\n\tclaims.Subject = user.GetSignature()\n\tclaims.SetExpiry(time.Now().Add(1 * time.Minute))\n\tclaims.SetIssuedAt(issuedAt)\n\t_, err = server.tokenAuth.Sign(claims)\n\tassert.NoError(t, err)\n\n\trr = httptest.NewRecorder()\n\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\tctx = jwt.NewContext(req.Context(), claims, nil)\n\tserver.checkCookieExpiration(rr, req.WithContext(ctx))\n\tcookie = rr.Header().Get(\"Set-Cookie\")\n\tassert.Empty(t, cookie)\n\n\terr = dataprovider.DeleteUser(user.Username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n}\n\nfunc TestGetURLParam(t *testing.T) {\n\treq, _ := http.NewRequest(http.MethodGet, adminPwdPath, nil)\n\trctx := chi.NewRouteContext()\n\trctx.URLParams.Add(\"val\", \"testuser%C3%A0\")\n\trctx.URLParams.Add(\"inval\", \"testuser%C3%AO%GG\")\n\treq = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))\n\tescaped := getURLParam(req, \"val\")\n\tassert.Equal(t, \"testuserà\", escaped)\n\tescaped = getURLParam(req, \"inval\")\n\tassert.Equal(t, \"testuser%C3%AO%GG\", escaped)\n}\n\nfunc TestChangePwdValidationErrors(t *testing.T) {\n\terr := doChangeAdminPassword(nil, \"\", \"\", \"\")\n\trequire.Error(t, err)\n\terr = doChangeAdminPassword(nil, \"a\", \"b\", \"c\")\n\trequire.Error(t, err)\n\terr = doChangeAdminPassword(nil, \"a\", \"a\", \"a\")\n\trequire.Error(t, err)\n\n\treq, _ := http.NewRequest(http.MethodPut, adminPwdPath, nil)\n\treq = req.WithContext(jwt.NewContext(req.Context(), &jwt.Claims{Claims: josejwt.Claims{ID: xid.New().String()}}, nil))\n\terr = doChangeAdminPassword(req, \"currentpwd\", \"newpwd\", \"newpwd\")\n\tassert.Error(t, err)\n}\n\nfunc TestRenderUnexistingFolder(t *testing.T) {\n\trr := httptest.NewRecorder()\n\treq, _ := http.NewRequest(http.MethodPost, folderPath, nil)\n\trenderFolder(rr, req, \"path not mapped\", &jwt.Claims{}, http.StatusOK)\n\tassert.Equal(t, http.StatusNotFound, rr.Code)\n}\n\nfunc TestCloseConnectionHandler(t *testing.T) {\n\ttokenAuth, err := jwt.NewSigner(jose.HS256, util.GenerateRandomBytes(32))\n\trequire.NoError(t, err)\n\tclaims := jwt.NewClaims(tokenAudienceAPI, \"\", getTokenDuration(tokenAudienceAPI))\n\tclaims.Username = defaultAdminUsername\n\tclaims.SetExpiry(time.Now().UTC().Add(1 * time.Hour))\n\t_, err = tokenAuth.Sign(claims)\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodDelete, activeConnectionsPath+\"/connectionID\", nil)\n\tassert.NoError(t, err)\n\trctx := chi.NewRouteContext()\n\trctx.URLParams.Add(\"connectionID\", \"\")\n\treq = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))\n\treq = req.WithContext(context.WithValue(req.Context(), jwt.TokenCtxKey, claims))\n\trr := httptest.NewRecorder()\n\thandleCloseConnection(rr, req)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), \"connectionID is mandatory\")\n}\n\nfunc TestRenderInvalidTemplate(t *testing.T) {\n\ttmpl, err := template.New(\"test\").Parse(\"{{.Count}}\")\n\tif assert.NoError(t, err) {\n\t\tnoMatchTmpl := \"no_match\"\n\t\tadminTemplates[noMatchTmpl] = tmpl\n\t\trw := httptest.NewRecorder()\n\t\trenderAdminTemplate(rw, noMatchTmpl, map[string]string{})\n\t\tassert.Equal(t, http.StatusInternalServerError, rw.Code)\n\t\tclientTemplates[noMatchTmpl] = tmpl\n\t\trenderClientTemplate(rw, noMatchTmpl, map[string]string{})\n\t\tassert.Equal(t, http.StatusInternalServerError, rw.Code)\n\t}\n}\n\nfunc TestQuotaScanInvalidFs(t *testing.T) {\n\tuser := &dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"test\",\n\t\t\tHomeDir: os.TempDir(),\n\t\t},\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.S3FilesystemProvider,\n\t\t},\n\t}\n\tcommon.QuotaScans.AddUserQuotaScan(user.Username, \"\")\n\terr := doUserQuotaScan(user)\n\tassert.Error(t, err)\n}\n\nfunc TestVerifyTLSConnection(t *testing.T) {\n\toldCertMgr := certMgr\n\n\tcaCrlPath := filepath.Join(os.TempDir(), \"testcrl.crt\")\n\tcertPath := filepath.Join(os.TempDir(), \"testh.crt\")\n\tkeyPath := filepath.Join(os.TempDir(), \"testh.key\")\n\terr := os.WriteFile(caCrlPath, []byte(caCRL), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(certPath, []byte(httpdCert), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(keyPath, []byte(httpdKey), os.ModePerm)\n\tassert.NoError(t, err)\n\n\tkeyPairs := []common.TLSKeyPair{\n\t\t{\n\t\t\tCert: certPath,\n\t\t\tKey: keyPath,\n\t\t\tID: common.DefaultTLSKeyPaidID,\n\t\t},\n\t}\n\tcertMgr, err = common.NewCertManager(keyPairs, \"\", \"httpd_test\")\n\tassert.NoError(t, err)\n\n\tcertMgr.SetCARevocationLists([]string{caCrlPath})\n\terr = certMgr.LoadCRLs()\n\tassert.NoError(t, err)\n\n\tcrt, err := tls.X509KeyPair([]byte(client1Crt), []byte(client1Key))\n\tassert.NoError(t, err)\n\tx509crt, err := x509.ParseCertificate(crt.Certificate[0])\n\tassert.NoError(t, err)\n\n\tserver := httpdServer{}\n\tstate := tls.ConnectionState{\n\t\tPeerCertificates: []*x509.Certificate{x509crt},\n\t}\n\n\terr = server.verifyTLSConnection(state)\n\tassert.Error(t, err) // no verified certification chain\n\n\tcrt, err = tls.X509KeyPair([]byte(caCRT), []byte(caKey))\n\tassert.NoError(t, err)\n\n\tx509CAcrt, err := x509.ParseCertificate(crt.Certificate[0])\n\tassert.NoError(t, err)\n\n\tstate.VerifiedChains = append(state.VerifiedChains, []*x509.Certificate{x509crt, x509CAcrt})\n\terr = server.verifyTLSConnection(state)\n\tassert.NoError(t, err)\n\n\tcrt, err = tls.X509KeyPair([]byte(client2Crt), []byte(client2Key))\n\tassert.NoError(t, err)\n\tx509crtRevoked, err := x509.ParseCertificate(crt.Certificate[0])\n\tassert.NoError(t, err)\n\n\tstate.VerifiedChains = append(state.VerifiedChains, []*x509.Certificate{x509crtRevoked, x509CAcrt})\n\tstate.PeerCertificates = []*x509.Certificate{x509crtRevoked}\n\terr = server.verifyTLSConnection(state)\n\tassert.EqualError(t, err, common.ErrCrtRevoked.Error())\n\n\terr = os.Remove(caCrlPath)\n\tassert.NoError(t, err)\n\terr = os.Remove(certPath)\n\tassert.NoError(t, err)\n\terr = os.Remove(keyPath)\n\tassert.NoError(t, err)\n\n\tcertMgr = oldCertMgr\n}\n\nfunc TestGetFolderFromTemplate(t *testing.T) {\n\tfolder := vfs.BaseVirtualFolder{\n\t\tMappedPath: \"Folder%name%\",\n\t\tDescription: \"Folder %name% desc\",\n\t}\n\tfolderName := \"folderTemplate\"\n\tfolderTemplate := getFolderFromTemplate(folder, folderName)\n\trequire.Equal(t, folderName, folderTemplate.Name)\n\trequire.Equal(t, fmt.Sprintf(\"Folder%v\", folderName), folderTemplate.MappedPath)\n\trequire.Equal(t, fmt.Sprintf(\"Folder %v desc\", folderName), folderTemplate.Description)\n\n\tfolder.FsConfig.Provider = sdk.CryptedFilesystemProvider\n\tfolder.FsConfig.CryptConfig.Passphrase = kms.NewPlainSecret(\"%name%\")\n\tfolderTemplate = getFolderFromTemplate(folder, folderName)\n\trequire.Equal(t, folderName, folderTemplate.FsConfig.CryptConfig.Passphrase.GetPayload())\n\n\tfolder.FsConfig.Provider = sdk.GCSFilesystemProvider\n\tfolder.FsConfig.GCSConfig.KeyPrefix = \"prefix%name%/\"\n\tfolderTemplate = getFolderFromTemplate(folder, folderName)\n\trequire.Equal(t, fmt.Sprintf(\"prefix%v/\", folderName), folderTemplate.FsConfig.GCSConfig.KeyPrefix)\n\n\tfolder.FsConfig.Provider = sdk.AzureBlobFilesystemProvider\n\tfolder.FsConfig.AzBlobConfig.KeyPrefix = \"a%name%\"\n\tfolder.FsConfig.AzBlobConfig.AccountKey = kms.NewPlainSecret(\"pwd%name%\")\n\tfolderTemplate = getFolderFromTemplate(folder, folderName)\n\trequire.Equal(t, \"a\"+folderName, folderTemplate.FsConfig.AzBlobConfig.KeyPrefix)\n\trequire.Equal(t, \"pwd\"+folderName, folderTemplate.FsConfig.AzBlobConfig.AccountKey.GetPayload())\n\n\tfolder.FsConfig.Provider = sdk.SFTPFilesystemProvider\n\tfolder.FsConfig.SFTPConfig.Prefix = \"%name%\"\n\tfolder.FsConfig.SFTPConfig.Username = \"sftp_%name%\"\n\tfolder.FsConfig.SFTPConfig.Password = kms.NewPlainSecret(\"sftp%name%\")\n\tfolderTemplate = getFolderFromTemplate(folder, folderName)\n\trequire.Equal(t, folderName, folderTemplate.FsConfig.SFTPConfig.Prefix)\n\trequire.Equal(t, \"sftp_\"+folderName, folderTemplate.FsConfig.SFTPConfig.Username)\n\trequire.Equal(t, \"sftp\"+folderName, folderTemplate.FsConfig.SFTPConfig.Password.GetPayload())\n}\n\nfunc TestGetUserFromTemplate(t *testing.T) {\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tStatus: 1,\n\t\t},\n\t}\n\tuser.VirtualFolders = append(user.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: \"Folder%username%\",\n\t\t},\n\t})\n\n\tusername := \"userTemplate\"\n\tpassword := \"pwdTemplate\"\n\ttemplateFields := userTemplateFields{\n\t\tUsername: username,\n\t\tPassword: password,\n\t}\n\n\tuserTemplate := getUserFromTemplate(user, templateFields)\n\trequire.Len(t, userTemplate.VirtualFolders, 1)\n\trequire.Equal(t, \"Folder\"+username, userTemplate.VirtualFolders[0].Name)\n\n\tuser.FsConfig.Provider = sdk.CryptedFilesystemProvider\n\tuser.FsConfig.CryptConfig.Passphrase = kms.NewPlainSecret(\"%password%\")\n\tuserTemplate = getUserFromTemplate(user, templateFields)\n\trequire.Equal(t, password, userTemplate.FsConfig.CryptConfig.Passphrase.GetPayload())\n\n\tuser.FsConfig.Provider = sdk.GCSFilesystemProvider\n\tuser.FsConfig.GCSConfig.KeyPrefix = \"%username%%password%\"\n\tuserTemplate = getUserFromTemplate(user, templateFields)\n\trequire.Equal(t, username+password, userTemplate.FsConfig.GCSConfig.KeyPrefix)\n\n\tuser.FsConfig.Provider = sdk.AzureBlobFilesystemProvider\n\tuser.FsConfig.AzBlobConfig.KeyPrefix = \"a%username%\"\n\tuser.FsConfig.AzBlobConfig.AccountKey = kms.NewPlainSecret(\"pwd%password%%username%\")\n\tuserTemplate = getUserFromTemplate(user, templateFields)\n\trequire.Equal(t, \"a\"+username, userTemplate.FsConfig.AzBlobConfig.KeyPrefix)\n\trequire.Equal(t, \"pwd\"+password+username, userTemplate.FsConfig.AzBlobConfig.AccountKey.GetPayload())\n\n\tuser.FsConfig.Provider = sdk.SFTPFilesystemProvider\n\tuser.FsConfig.SFTPConfig.Prefix = \"%username%\"\n\tuser.FsConfig.SFTPConfig.Username = \"sftp_%username%\"\n\tuser.FsConfig.SFTPConfig.Password = kms.NewPlainSecret(\"sftp%password%\")\n\tuserTemplate = getUserFromTemplate(user, templateFields)\n\trequire.Equal(t, username, userTemplate.FsConfig.SFTPConfig.Prefix)\n\trequire.Equal(t, \"sftp_\"+username, userTemplate.FsConfig.SFTPConfig.Username)\n\trequire.Equal(t, \"sftp\"+password, userTemplate.FsConfig.SFTPConfig.Password.GetPayload())\n}\n\nfunc TestJWTTokenCleanup(t *testing.T) {\n\ttokenAuth, err := jwt.NewSigner(jose.HS256, util.GenerateRandomBytes(32))\n\trequire.NoError(t, err)\n\tserver := httpdServer{\n\t\ttokenAuth: tokenAuth,\n\t}\n\tadmin := dataprovider.Admin{\n\t\tUsername: \"newtestadmin\",\n\t\tPassword: \"password\",\n\t\tPermissions: []string{dataprovider.PermAdminAny},\n\t}\n\tclaims := jwt.NewClaims(tokenAudienceAPI, \"\", getTokenDuration(tokenAudienceAPI))\n\tclaims.Username = admin.Username\n\tclaims.Permissions = admin.Permissions\n\tclaims.Subject = admin.GetSignature()\n\tclaims.SetExpiry(time.Now().Add(1 * time.Minute))\n\ttoken, err := server.tokenAuth.Sign(claims)\n\tassert.NoError(t, err)\n\n\treq, _ := http.NewRequest(http.MethodGet, versionPath, nil)\n\tassert.True(t, isTokenInvalidated(req))\n\n\tfakeToken := \"abc\"\n\tinvalidateTokenString(req, fakeToken, -100*time.Millisecond)\n\tassert.True(t, invalidatedJWTTokens.Get(fakeToken))\n\n\treq.Header.Set(\"Authorization\", fmt.Sprintf(\"Bearer %s\", token))\n\n\tinvalidatedJWTTokens.Add(token, time.Now().Add(-getTokenDuration(tokenAudienceWebAdmin)).UTC())\n\trequire.True(t, isTokenInvalidated(req))\n\tstartCleanupTicker(100 * time.Millisecond)\n\tassert.Eventually(t, func() bool { return !isTokenInvalidated(req) }, 1*time.Second, 200*time.Millisecond)\n\tassert.False(t, invalidatedJWTTokens.Get(fakeToken))\n\tstopCleanupTicker()\n}\n\nfunc TestDbTokenManager(t *testing.T) {\n\tif !isSharedProviderSupported() {\n\t\tt.Skip(\"this test it is not available with this provider\")\n\t}\n\tmgr := newTokenManager(1)\n\tdbTokenManager := mgr.(*dbTokenManager)\n\ttestToken := \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsiV2ViQWRtaW4iLCI6OjEiXSwiZXhwIjoxNjk4NjYwMDM4LCJqdGkiOiJja3ZuazVrYjF1aHUzZXRmZmhyZyIsIm5iZiI6MTY5ODY1ODgwOCwicGVybWlzc2lvbnMiOlsiKiJdLCJzdWIiOiIxNjk3ODIwNDM3NTMyIiwidXNlcm5hbWUiOiJhZG1pbiJ9.LXuFFksvnSuzHqHat6r70yR0jEulNRju7m7SaWrOfy8; csrftoken=mP0C7DqjwpAXsptO2gGCaYBkYw3oNMWB\"\n\tkey := dbTokenManager.getKey(testToken)\n\trequire.Len(t, key, 64)\n\tdbTokenManager.Add(testToken, time.Now().Add(-getTokenDuration(tokenAudienceWebClient)).UTC())\n\tisInvalidated := dbTokenManager.Get(testToken)\n\tassert.True(t, isInvalidated)\n\tdbTokenManager.Cleanup()\n\tisInvalidated = dbTokenManager.Get(testToken)\n\tassert.False(t, isInvalidated)\n\tdbTokenManager.Add(testToken, time.Now().Add(getTokenDuration(tokenAudienceWebAdmin)).UTC())\n\tisInvalidated = dbTokenManager.Get(testToken)\n\tassert.True(t, isInvalidated)\n\tdbTokenManager.Cleanup()\n\tisInvalidated = dbTokenManager.Get(testToken)\n\tassert.True(t, isInvalidated)\n\terr := dataprovider.DeleteSharedSession(key, dataprovider.SessionTypeInvalidToken)\n\tassert.NoError(t, err)\n}\n\nfunc TestDatabaseSharedSessions(t *testing.T) {\n\tif !isSharedProviderSupported() {\n\t\tt.Skip(\"this test it is not available with this provider\")\n\t}\n\tsession1 := dataprovider.Session{\n\t\tKey: \"1\",\n\t\tData: map[string]string{\"a\": \"b\"},\n\t\tType: dataprovider.SessionTypeOIDCAuth,\n\t\tTimestamp: 10,\n\t}\n\terr := dataprovider.AddSharedSession(session1)\n\tassert.NoError(t, err)\n\t// Adding another session with the same key but a different type should work\n\tsession2 := session1\n\tsession2.Type = dataprovider.SessionTypeOIDCToken\n\terr = dataprovider.AddSharedSession(session2)\n\tassert.NoError(t, err)\n\terr = dataprovider.DeleteSharedSession(session1.Key, dataprovider.SessionTypeInvalidToken)\n\tassert.ErrorIs(t, err, util.ErrNotFound)\n\t_, err = dataprovider.GetSharedSession(session1.Key, dataprovider.SessionTypeResetCode)\n\tassert.ErrorIs(t, err, util.ErrNotFound)\n\tsession1Get, err := dataprovider.GetSharedSession(session1.Key, dataprovider.SessionTypeOIDCAuth)\n\tassert.NoError(t, err)\n\tassert.Equal(t, session1.Timestamp, session1Get.Timestamp)\n\tvar stored map[string]string\n\terr = json.Unmarshal(session1Get.Data.([]byte), &stored)\n\tassert.NoError(t, err)\n\tassert.Equal(t, session1.Data, stored)\n\tsession1.Timestamp = 20\n\tsession1.Data = map[string]string{\"c\": \"d\"}\n\terr = dataprovider.AddSharedSession(session1)\n\tassert.NoError(t, err)\n\tsession1Get, err = dataprovider.GetSharedSession(session1.Key, dataprovider.SessionTypeOIDCAuth)\n\tassert.NoError(t, err)\n\tassert.Equal(t, session1.Timestamp, session1Get.Timestamp)\n\tstored = make(map[string]string)\n\terr = json.Unmarshal(session1Get.Data.([]byte), &stored)\n\tassert.NoError(t, err)\n\tassert.Equal(t, session1.Data, stored)\n\terr = dataprovider.DeleteSharedSession(session1.Key, dataprovider.SessionTypeOIDCAuth)\n\tassert.NoError(t, err)\n\terr = dataprovider.DeleteSharedSession(session2.Key, dataprovider.SessionTypeOIDCToken)\n\tassert.NoError(t, err)\n\t_, err = dataprovider.GetSharedSession(session1.Key, dataprovider.SessionTypeOIDCAuth)\n\tassert.ErrorIs(t, err, util.ErrNotFound)\n\t_, err = dataprovider.GetSharedSession(session2.Key, dataprovider.SessionTypeOIDCToken)\n\tassert.ErrorIs(t, err, util.ErrNotFound)\n}\n\nfunc TestAllowedProxyUnixDomainSocket(t *testing.T) {\n\tb := Binding{\n\t\tAddress: filepath.Join(os.TempDir(), \"sock\"),\n\t\tProxyAllowed: []string{\"127.0.0.1\", \"127.0.1.1\"},\n\t}\n\terr := b.parseAllowedProxy()\n\tassert.NoError(t, err)\n\tif assert.Len(t, b.allowHeadersFrom, 1) {\n\t\tassert.True(t, b.allowHeadersFrom[0](nil))\n\t}\n}\n\nfunc TestProxyListenerWrapper(t *testing.T) {\n\tb := Binding{\n\t\tProxyMode: 0,\n\t}\n\trequire.Nil(t, b.listenerWrapper())\n\tb.ProxyMode = 1\n\trequire.NotNil(t, b.listenerWrapper())\n}\n\nfunc TestProxyHeaders(t *testing.T) {\n\tusername := \"adminTest\"\n\tpassword := \"testPwd\"\n\tadmin := dataprovider.Admin{\n\t\tUsername: username,\n\t\tPassword: password,\n\t\tPermissions: []string{dataprovider.PermAdminAny},\n\t\tStatus: 1,\n\t\tFilters: dataprovider.AdminFilters{\n\t\t\tAllowList: []string{\"172.19.2.0/24\"},\n\t\t},\n\t}\n\n\terr := dataprovider.AddAdmin(&admin, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\ttestIP := \"10.29.1.9\"\n\tvalidForwardedFor := \"172.19.2.6\"\n\tb := Binding{\n\t\tAddress: \"\",\n\t\tPort: 8080,\n\t\tEnableWebAdmin: true,\n\t\tEnableWebClient: false,\n\t\tEnableRESTAPI: true,\n\t\tProxyAllowed: []string{testIP, \"10.8.0.0/30\"},\n\t\tClientIPProxyHeader: \"x-forwarded-for\",\n\t}\n\terr = b.parseAllowedProxy()\n\tassert.NoError(t, err)\n\tserver := newHttpdServer(b, \"\", \"\", CorsConfig{Enabled: true}, \"\")\n\terr = server.initializeRouter()\n\trequire.NoError(t, err)\n\ttestServer := httptest.NewServer(server.router)\n\tdefer testServer.Close()\n\n\treq, err := http.NewRequest(http.MethodGet, tokenPath, nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"X-Forwarded-For\", validForwardedFor)\n\treq.Header.Set(xForwardedProto, \"https\")\n\treq.RemoteAddr = \"127.0.0.1:123\"\n\treq.SetBasicAuth(username, password)\n\trr := httptest.NewRecorder()\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusUnauthorized, rr.Code)\n\tassert.NotContains(t, rr.Body.String(), \"login from IP 127.0.0.1 not allowed\")\n\n\treq.RemoteAddr = testIP\n\trr = httptest.NewRecorder()\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\n\treq.RemoteAddr = \"10.8.0.2\"\n\trr = httptest.NewRecorder()\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\n\treq, err = http.NewRequest(http.MethodGet, webAdminLoginPath, nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = testIP\n\trr = httptest.NewRecorder()\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())\n\tcookie := rr.Header().Get(\"Set-Cookie\")\n\tassert.NotEmpty(t, cookie)\n\treq.Header.Set(\"Cookie\", cookie)\n\tparsedToken, err := jwt.VerifyRequest(server.csrfTokenAuth, req, jwt.TokenFromCookie)\n\tassert.NoError(t, err)\n\tctx := req.Context()\n\tctx = jwt.NewContext(ctx, parsedToken, err)\n\treq = req.WithContext(ctx)\n\n\tform := make(url.Values)\n\tform.Set(\"username\", username)\n\tform.Set(\"password\", password)\n\tform.Set(csrfFormToken, createCSRFToken(httptest.NewRecorder(), req, server.csrfTokenAuth, \"\", webBaseAdminPath))\n\treq, err = http.NewRequest(http.MethodPost, webAdminLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = testIP\n\treq.Header.Set(\"Cookie\", cookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\trr = httptest.NewRecorder()\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCredentials)\n\n\treq, err = http.NewRequest(http.MethodGet, webAdminLoginPath, nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = validForwardedFor\n\trr = httptest.NewRecorder()\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())\n\tloginCookie := rr.Header().Get(\"Set-Cookie\")\n\tassert.NotEmpty(t, loginCookie)\n\treq.Header.Set(\"Cookie\", loginCookie)\n\tparsedToken, err = jwt.VerifyRequest(server.csrfTokenAuth, req, jwt.TokenFromCookie)\n\tassert.NoError(t, err)\n\tctx = req.Context()\n\tctx = jwt.NewContext(ctx, parsedToken, err)\n\treq = req.WithContext(ctx)\n\n\tform.Set(csrfFormToken, createCSRFToken(httptest.NewRecorder(), req, server.csrfTokenAuth, \"\", webBaseAdminPath))\n\treq, err = http.NewRequest(http.MethodPost, webAdminLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = testIP\n\treq.Header.Set(\"Cookie\", loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\treq.Header.Set(\"X-Forwarded-For\", validForwardedFor)\n\trr = httptest.NewRecorder()\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusFound, rr.Code, rr.Body.String())\n\tcookie = rr.Header().Get(\"Set-Cookie\")\n\tassert.NotContains(t, cookie, \"Secure\")\n\n\t// The login cookie is invalidated after a successful login, the same request will fail\n\treq, err = http.NewRequest(http.MethodPost, webAdminLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = testIP\n\treq.Header.Set(\"Cookie\", loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\treq.Header.Set(\"X-Forwarded-For\", validForwardedFor)\n\trr = httptest.NewRecorder()\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)\n\n\treq, err = http.NewRequest(http.MethodGet, webAdminLoginPath, nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = validForwardedFor\n\trr = httptest.NewRecorder()\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())\n\tloginCookie = rr.Header().Get(\"Set-Cookie\")\n\tassert.NotEmpty(t, loginCookie)\n\treq.Header.Set(\"Cookie\", loginCookie)\n\tparsedToken, err = jwt.VerifyRequest(server.csrfTokenAuth, req, jwt.TokenFromCookie)\n\tassert.NoError(t, err)\n\tctx = req.Context()\n\tctx = jwt.NewContext(ctx, parsedToken, err)\n\treq = req.WithContext(ctx)\n\n\tform.Set(csrfFormToken, createCSRFToken(httptest.NewRecorder(), req, server.csrfTokenAuth, \"\", webBaseAdminPath))\n\treq, err = http.NewRequest(http.MethodPost, webAdminLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = testIP\n\treq.Header.Set(\"Cookie\", loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\treq.Header.Set(\"X-Forwarded-For\", validForwardedFor)\n\treq.Header.Set(xForwardedProto, \"https\")\n\trr = httptest.NewRecorder()\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusFound, rr.Code, rr.Body.String())\n\tcookie = rr.Header().Get(\"Set-Cookie\")\n\tassert.Contains(t, cookie, \"Secure\")\n\n\treq, err = http.NewRequest(http.MethodGet, webAdminLoginPath, nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = validForwardedFor\n\trr = httptest.NewRecorder()\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())\n\tloginCookie = rr.Header().Get(\"Set-Cookie\")\n\tassert.NotEmpty(t, loginCookie)\n\treq.Header.Set(\"Cookie\", loginCookie)\n\tparsedToken, err = jwt.VerifyRequest(server.csrfTokenAuth, req, jwt.TokenFromCookie)\n\tassert.NoError(t, err)\n\tctx = req.Context()\n\tctx = jwt.NewContext(ctx, parsedToken, err)\n\treq = req.WithContext(ctx)\n\n\tform.Set(csrfFormToken, createCSRFToken(httptest.NewRecorder(), req, server.csrfTokenAuth, \"\", webBaseAdminPath))\n\treq, err = http.NewRequest(http.MethodPost, webAdminLoginPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq.RemoteAddr = testIP\n\treq.Header.Set(\"Cookie\", loginCookie)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\treq.Header.Set(\"X-Forwarded-For\", validForwardedFor)\n\treq.Header.Set(xForwardedProto, \"http\")\n\trr = httptest.NewRecorder()\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusFound, rr.Code, rr.Body.String())\n\tcookie = rr.Header().Get(\"Set-Cookie\")\n\tassert.NotContains(t, cookie, \"Secure\")\n\n\terr = dataprovider.DeleteAdmin(username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n}\n\nfunc TestRecoverer(t *testing.T) {\n\trecoveryPath := \"/recovery\"\n\tb := Binding{\n\t\tAddress: \"\",\n\t\tPort: 8080,\n\t\tEnableWebAdmin: true,\n\t\tEnableWebClient: false,\n\t\tEnableRESTAPI: true,\n\t}\n\tserver := newHttpdServer(b, \"../static\", \"\", CorsConfig{}, \"../openapi\")\n\terr := server.initializeRouter()\n\trequire.NoError(t, err)\n\tserver.router.Get(recoveryPath, func(_ http.ResponseWriter, _ *http.Request) {\n\t\tpanic(\"panic\")\n\t})\n\ttestServer := httptest.NewServer(server.router)\n\tdefer testServer.Close()\n\n\treq, err := http.NewRequest(http.MethodGet, recoveryPath, nil)\n\tassert.NoError(t, err)\n\trr := httptest.NewRecorder()\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusInternalServerError, rr.Code, rr.Body.String())\n\n\tserver.router = chi.NewRouter()\n\tserver.router.Use(middleware.Recoverer)\n\tserver.router.Get(recoveryPath, func(_ http.ResponseWriter, _ *http.Request) {\n\t\tpanic(\"panic\")\n\t})\n\ttestServer = httptest.NewServer(server.router)\n\tdefer testServer.Close()\n\n\treq, err = http.NewRequest(http.MethodGet, recoveryPath, nil)\n\tassert.NoError(t, err)\n\trr = httptest.NewRecorder()\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusInternalServerError, rr.Code, rr.Body.String())\n}\n\nfunc TestStreamJSONArray(t *testing.T) {\n\tdataGetter := func(_, _ int) ([]byte, int, error) {\n\t\treturn nil, 0, nil\n\t}\n\trr := httptest.NewRecorder()\n\tstreamJSONArray(rr, 10, dataGetter)\n\tassert.Equal(t, `[]`, rr.Body.String())\n\n\tdata := []int{}\n\tfor i := 0; i < 10; i++ {\n\t\tdata = append(data, i)\n\t}\n\n\tdataGetter = func(_, offset int) ([]byte, int, error) {\n\t\tif offset >= len(data) {\n\t\t\treturn nil, 0, nil\n\t\t}\n\t\tval := data[offset]\n\t\tdata, err := json.Marshal([]int{val})\n\t\treturn data, 1, err\n\t}\n\n\trr = httptest.NewRecorder()\n\tstreamJSONArray(rr, 1, dataGetter)\n\tassert.Equal(t, `[0,1,2,3,4,5,6,7,8,9]`, rr.Body.String())\n}\n\nfunc TestCompressorAbortHandler(t *testing.T) {\n\tdefer func() {\n\t\trcv := recover()\n\t\tassert.Equal(t, http.ErrAbortHandler, rcv)\n\t}()\n\n\tconnection := newConnection(\n\t\tcommon.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, \"\", \"\", dataprovider.User{}),\n\t\tnil,\n\t\tnil,\n\t)\n\tshare := &dataprovider.Share{}\n\trenderCompressedFiles(&failingWriter{}, connection, \"\", nil, share)\n}\n\nfunc TestStreamDataAbortHandler(t *testing.T) {\n\tdefer func() {\n\t\trcv := recover()\n\t\tassert.Equal(t, http.ErrAbortHandler, rcv)\n\t}()\n\n\tstreamData(&failingWriter{}, []byte(`[\"a\":\"b\"]`))\n}\n\nfunc TestZipErrors(t *testing.T) {\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tHomeDir: filepath.Clean(os.TempDir()),\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tconnection := newConnection(\n\t\tcommon.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, \"\", \"\", user),\n\t\tnil,\n\t\tnil,\n\t)\n\n\ttestDir := filepath.Join(os.TempDir(), \"testDir\")\n\terr := os.MkdirAll(testDir, os.ModePerm)\n\tassert.NoError(t, err)\n\n\twr := zip.NewWriter(&failingWriter{})\n\terr = wr.Close()\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"write error\")\n\t}\n\n\terr = addZipEntry(wr, connection, \"/\"+filepath.Base(testDir), \"/\", nil, 0)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"write error\")\n\t}\n\terr = addZipEntry(wr, connection, \"/\"+filepath.Base(testDir), \"/\", nil, 2000)\n\tassert.ErrorIs(t, err, util.ErrRecursionTooDeep)\n\n\terr = addZipEntry(wr, connection, \"/\"+filepath.Base(testDir), path.Join(\"/\", filepath.Base(testDir), \"dir\"), nil, 0)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"is outside base dir\")\n\t}\n\n\ttestFilePath := filepath.Join(testDir, \"ziptest.zip\")\n\terr = os.WriteFile(testFilePath, util.GenerateRandomBytes(65535), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = addZipEntry(wr, connection, path.Join(\"/\", filepath.Base(testDir), filepath.Base(testFilePath)),\n\t\t\"/\"+filepath.Base(testDir), nil, 0)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"write error\")\n\t}\n\n\tconnection.User.Permissions[\"/\"] = []string{dataprovider.PermListItems}\n\terr = addZipEntry(wr, connection, path.Join(\"/\", filepath.Base(testDir), filepath.Base(testFilePath)),\n\t\t\"/\"+filepath.Base(testDir), nil, 0)\n\tassert.ErrorIs(t, err, os.ErrPermission)\n\n\t// creating a virtual folder to a missing path stat is ok but readdir fails\n\tuser.VirtualFolders = append(user.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tMappedPath: filepath.Join(os.TempDir(), \"mapped\"),\n\t\t},\n\t\tVirtualPath: \"/vpath\",\n\t})\n\tconnection.User = user\n\twr = zip.NewWriter(bytes.NewBuffer(make([]byte, 0)))\n\terr = addZipEntry(wr, connection, user.VirtualFolders[0].VirtualPath, \"/\", nil, 0)\n\tassert.Error(t, err)\n\n\tuser.Filters.FilePatterns = append(user.Filters.FilePatterns, sdk.PatternsFilter{\n\t\tPath: \"/\",\n\t\tDeniedPatterns: []string{\"*.zip\"},\n\t})\n\terr = addZipEntry(wr, connection, \"/\"+filepath.Base(testDir), \"/\", nil, 0)\n\tassert.ErrorIs(t, err, os.ErrPermission)\n\n\terr = os.RemoveAll(testDir)\n\tassert.NoError(t, err)\n}\n\nfunc TestWebAdminRedirect(t *testing.T) {\n\tb := Binding{\n\t\tAddress: \"\",\n\t\tPort: 8080,\n\t\tEnableWebAdmin: true,\n\t\tEnableWebClient: false,\n\t\tEnableRESTAPI: true,\n\t}\n\tserver := newHttpdServer(b, \"../static\", \"\", CorsConfig{}, \"../openapi\")\n\terr := server.initializeRouter()\n\trequire.NoError(t, err)\n\ttestServer := httptest.NewServer(server.router)\n\tdefer testServer.Close()\n\n\treq, err := http.NewRequest(http.MethodGet, webRootPath, nil)\n\tassert.NoError(t, err)\n\trr := httptest.NewRecorder()\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusFound, rr.Code, rr.Body.String())\n\tassert.Equal(t, webAdminLoginPath, rr.Header().Get(\"Location\"))\n\n\treq, err = http.NewRequest(http.MethodGet, webBasePath, nil)\n\tassert.NoError(t, err)\n\trr = httptest.NewRecorder()\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusFound, rr.Code, rr.Body.String())\n\tassert.Equal(t, webAdminLoginPath, rr.Header().Get(\"Location\"))\n}\n\nfunc TestParseRangeRequests(t *testing.T) {\n\t// curl --verbose \"http://127.0.0.1:8080/static/css/sb-admin-2.min.css\" -H \"Range: bytes=24-24\"\n\tfileSize := int64(169740)\n\trangeHeader := \"bytes=24-24\"\n\toffset, size, err := parseRangeRequest(rangeHeader[6:], fileSize)\n\trequire.NoError(t, err)\n\tresp := fmt.Sprintf(\"bytes %d-%d/%d\", offset, offset+size-1, fileSize)\n\tassert.Equal(t, \"bytes 24-24/169740\", resp)\n\trequire.Equal(t, int64(1), size)\n\t// curl --verbose \"http://127.0.0.1:8080/static/css/sb-admin-2.min.css\" -H \"Range: bytes=24-\"\n\trangeHeader = \"bytes=24-\"\n\toffset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)\n\trequire.NoError(t, err)\n\tresp = fmt.Sprintf(\"bytes %d-%d/%d\", offset, offset+size-1, fileSize)\n\tassert.Equal(t, \"bytes 24-169739/169740\", resp)\n\trequire.Equal(t, int64(169716), size)\n\t// curl --verbose \"http://127.0.0.1:8080/static/css/sb-admin-2.min.css\" -H \"Range: bytes=-1\"\n\trangeHeader = \"bytes=-1\"\n\toffset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)\n\trequire.NoError(t, err)\n\tresp = fmt.Sprintf(\"bytes %d-%d/%d\", offset, offset+size-1, fileSize)\n\tassert.Equal(t, \"bytes 169739-169739/169740\", resp)\n\trequire.Equal(t, int64(1), size)\n\t// curl --verbose \"http://127.0.0.1:8080/static/css/sb-admin-2.min.css\" -H \"Range: bytes=-100\"\n\trangeHeader = \"bytes=-100\"\n\toffset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)\n\trequire.NoError(t, err)\n\tresp = fmt.Sprintf(\"bytes %d-%d/%d\", offset, offset+size-1, fileSize)\n\tassert.Equal(t, \"bytes 169640-169739/169740\", resp)\n\trequire.Equal(t, int64(100), size)\n\t// curl --verbose \"http://127.0.0.1:8080/static/css/sb-admin-2.min.css\" -H \"Range: bytes=20-30\"\n\trangeHeader = \"bytes=20-30\"\n\toffset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)\n\trequire.NoError(t, err)\n\tresp = fmt.Sprintf(\"bytes %d-%d/%d\", offset, offset+size-1, fileSize)\n\tassert.Equal(t, \"bytes 20-30/169740\", resp)\n\trequire.Equal(t, int64(11), size)\n\t// curl --verbose \"http://127.0.0.1:8080/static/css/sb-admin-2.min.css\" -H \"Range: bytes=20-169739\"\n\trangeHeader = \"bytes=20-169739\"\n\toffset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)\n\trequire.NoError(t, err)\n\tresp = fmt.Sprintf(\"bytes %d-%d/%d\", offset, offset+size-1, fileSize)\n\tassert.Equal(t, \"bytes 20-169739/169740\", resp)\n\trequire.Equal(t, int64(169720), size)\n\t// curl --verbose \"http://127.0.0.1:8080/static/css/sb-admin-2.min.css\" -H \"Range: bytes=20-169740\"\n\trangeHeader = \"bytes=20-169740\"\n\toffset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)\n\trequire.NoError(t, err)\n\tresp = fmt.Sprintf(\"bytes %d-%d/%d\", offset, offset+size-1, fileSize)\n\tassert.Equal(t, \"bytes 20-169739/169740\", resp)\n\trequire.Equal(t, int64(169720), size)\n\t// curl --verbose \"http://127.0.0.1:8080/static/css/sb-admin-2.min.css\" -H \"Range: bytes=20-169741\"\n\trangeHeader = \"bytes=20-169741\"\n\toffset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)\n\trequire.NoError(t, err)\n\tresp = fmt.Sprintf(\"bytes %d-%d/%d\", offset, offset+size-1, fileSize)\n\tassert.Equal(t, \"bytes 20-169739/169740\", resp)\n\trequire.Equal(t, int64(169720), size)\n\t//curl --verbose \"http://127.0.0.1:8080/static/css/sb-admin-2.min.css\" -H \"Range: bytes=0-\" > /dev/null\n\trangeHeader = \"bytes=0-\"\n\toffset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)\n\trequire.NoError(t, err)\n\tresp = fmt.Sprintf(\"bytes %d-%d/%d\", offset, offset+size-1, fileSize)\n\tassert.Equal(t, \"bytes 0-169739/169740\", resp)\n\trequire.Equal(t, int64(169740), size)\n\t// now test errors\n\trangeHeader = \"bytes=0-a\"\n\t_, _, err = parseRangeRequest(rangeHeader[6:], fileSize)\n\trequire.Error(t, err)\n\trangeHeader = \"bytes=\"\n\t_, _, err = parseRangeRequest(rangeHeader[6:], fileSize)\n\trequire.Error(t, err)\n\trangeHeader = \"bytes=-\"\n\t_, _, err = parseRangeRequest(rangeHeader[6:], fileSize)\n\trequire.Error(t, err)\n\trangeHeader = \"bytes=500-300\"\n\t_, _, err = parseRangeRequest(rangeHeader[6:], fileSize)\n\trequire.Error(t, err)\n\trangeHeader = \"bytes=5000000\"\n\t_, _, err = parseRangeRequest(rangeHeader[6:], fileSize)\n\trequire.Error(t, err)\n}\n\nfunc TestRequestHeaderErrors(t *testing.T) {\n\treq, _ := http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\treq.Header.Set(\"If-Unmodified-Since\", \"not a date\")\n\tres := checkIfUnmodifiedSince(req, time.Now())\n\tassert.Equal(t, condNone, res)\n\n\treq, _ = http.NewRequest(http.MethodPost, webClientFilesPath, nil)\n\tres = checkIfModifiedSince(req, time.Now())\n\tassert.Equal(t, condNone, res)\n\n\treq, _ = http.NewRequest(http.MethodPost, webClientFilesPath, nil)\n\tres = checkIfRange(req, time.Now())\n\tassert.Equal(t, condNone, res)\n\n\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\treq.Header.Set(\"If-Modified-Since\", \"not a date\")\n\tres = checkIfModifiedSince(req, time.Now())\n\tassert.Equal(t, condNone, res)\n\n\treq, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\treq.Header.Set(\"If-Range\", time.Now().Format(http.TimeFormat))\n\tres = checkIfRange(req, time.Time{})\n\tassert.Equal(t, condFalse, res)\n\n\treq.Header.Set(\"If-Range\", \"invalid if range date\")\n\tres = checkIfRange(req, time.Now())\n\tassert.Equal(t, condFalse, res)\n\tmodTime := getFileObjectModTime(time.Time{})\n\tassert.Empty(t, modTime)\n}\n\nfunc TestConnection(t *testing.T) {\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"test_httpd_user\",\n\t\t\tHomeDir: filepath.Clean(os.TempDir()),\n\t\t},\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.GCSFilesystemProvider,\n\t\t\tGCSConfig: vfs.GCSFsConfig{\n\t\t\t\tBaseGCSFsConfig: sdk.BaseGCSFsConfig{\n\t\t\t\t\tBucket: \"test_bucket_name\",\n\t\t\t\t},\n\t\t\t\tCredentials: kms.NewPlainSecret(\"invalid JSON payload\"),\n\t\t\t},\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tconnection := newConnection(\n\t\tcommon.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, \"\", \"\", user),\n\t\tnil,\n\t\tnil,\n\t)\n\tassert.Empty(t, connection.GetClientVersion())\n\tassert.Empty(t, connection.GetRemoteAddress())\n\tassert.Empty(t, connection.GetCommand())\n\tname := \"missing file name\"\n\t_, err := connection.getFileReader(name, 0, http.MethodGet)\n\tassert.Error(t, err)\n\tconnection.User.FsConfig.Provider = sdk.LocalFilesystemProvider\n\t_, err = connection.getFileReader(name, 0, http.MethodGet)\n\tassert.ErrorIs(t, err, os.ErrNotExist)\n}\n\nfunc TestGetFileWriterErrors(t *testing.T) {\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"test_httpd_user\",\n\t\t\tHomeDir: \"invalid\",\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tconnection := newConnection(\n\t\tcommon.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, \"\", \"\", user),\n\t\tnil,\n\t\tnil,\n\t)\n\t_, err := connection.getFileWriter(\"name\")\n\tassert.Error(t, err)\n\n\tuser.FsConfig.Provider = sdk.S3FilesystemProvider\n\tuser.FsConfig.S3Config = vfs.S3FsConfig{\n\t\tBaseS3FsConfig: sdk.BaseS3FsConfig{\n\t\t\tBucket: \"b\",\n\t\t\tRegion: \"us-west-1\",\n\t\t\tAccessKey: \"key\",\n\t\t},\n\t\tAccessSecret: kms.NewPlainSecret(\"secret\"),\n\t}\n\tconnection = newConnection(\n\t\tcommon.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, \"\", \"\", user),\n\t\tnil,\n\t\tnil,\n\t)\n\t_, err = connection.getFileWriter(\"/path\")\n\tassert.Error(t, err)\n}\n\nfunc TestThrottledHandler(t *testing.T) {\n\ttr := &throttledReader{\n\t\tr: io.NopCloser(bytes.NewBuffer(nil)),\n\t}\n\tassert.Equal(t, int64(0), tr.GetTruncatedSize())\n\terr := tr.Close()\n\tassert.NoError(t, err)\n\tassert.Empty(t, tr.GetRealFsPath(\"real path\"))\n\tassert.False(t, tr.SetTimes(\"p\", time.Now(), time.Now()))\n\t_, err = tr.Truncate(\"\", 0)\n\tassert.ErrorIs(t, err, vfs.ErrVfsUnsupported)\n\terr = tr.GetAbortError()\n\tassert.ErrorIs(t, err, common.ErrTransferAborted)\n}\n\nfunc TestHTTPDFile(t *testing.T) {\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"test_httpd_user\",\n\t\t\tHomeDir: filepath.Clean(os.TempDir()),\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tconnection := newConnection(\n\t\tcommon.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, \"\", \"\", user),\n\t\tnil,\n\t\tnil,\n\t)\n\n\tfs, err := user.GetFilesystem(\"\")\n\tassert.NoError(t, err)\n\n\tname := \"fileName\"\n\tp := filepath.Join(os.TempDir(), name)\n\terr = os.WriteFile(p, []byte(\"contents\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tfile, err := os.Open(p)\n\tassert.NoError(t, err)\n\terr = file.Close()\n\tassert.NoError(t, err)\n\n\tbaseTransfer := common.NewBaseTransfer(file, connection.BaseConnection, nil, p, p, name, common.TransferDownload,\n\t\t0, 0, 0, 0, false, fs, dataprovider.TransferQuota{})\n\thttpdFile := newHTTPDFile(baseTransfer, nil, nil)\n\t// the file is closed, read should fail\n\tbuf := make([]byte, 100)\n\t_, err = httpdFile.Read(buf)\n\tassert.Error(t, err)\n\terr = httpdFile.Close()\n\tassert.Error(t, err)\n\terr = httpdFile.Close()\n\tassert.ErrorIs(t, err, common.ErrTransferClosed)\n\terr = os.Remove(p)\n\tassert.NoError(t, err)\n\n\thttpdFile.writer = file\n\thttpdFile.File = nil\n\thttpdFile.ErrTransfer = nil\n\terr = httpdFile.closeIO()\n\tassert.Error(t, err)\n\tassert.Error(t, httpdFile.ErrTransfer)\n\tassert.Equal(t, err, httpdFile.ErrTransfer)\n\thttpdFile.SignalClose(nil)\n\t_, err = httpdFile.Write(nil)\n\tassert.ErrorIs(t, err, common.ErrQuotaExceeded)\n}\n\nfunc TestChangeUserPwd(t *testing.T) {\n\treq, _ := http.NewRequest(http.MethodPost, webChangeClientPwdPath, nil)\n\terr := doChangeUserPassword(req, \"\", \"\", \"\")\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"please provide the current password and the new one two times\")\n\t}\n\terr = doChangeUserPassword(req, \"a\", \"b\", \"c\")\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"the two password fields do not match\")\n\t}\n\terr = doChangeUserPassword(req, \"a\", \"b\", \"b\")\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), errInvalidTokenClaims.Error())\n\t}\n}\n\nfunc TestWebUserInvalidClaims(t *testing.T) {\n\tserver := httpdServer{}\n\terr := server.initializeRouter()\n\trequire.NoError(t, err)\n\n\trr := httptest.NewRecorder()\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"\",\n\t\t\tPassword: \"pwd\",\n\t\t},\n\t}\n\tc := &jwt.Claims{\n\t\tUsername: user.Username,\n\t\tPermissions: nil,\n\t}\n\tc.Subject = user.GetSignature()\n\tc.SetExpiry(time.Now().Add(10 * time.Minute))\n\tc.Audience = []string{tokenAudienceAPI}\n\ttoken, err := server.tokenAuth.Sign(c)\n\tassert.NoError(t, err)\n\n\treq, _ := http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\treq.Header.Set(\"Cookie\", fmt.Sprintf(\"jwt=%s\", token))\n\tserver.handleClientGetFiles(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\treq, _ = http.NewRequest(http.MethodGet, webClientDirsPath, nil)\n\treq.Header.Set(\"Cookie\", fmt.Sprintf(\"jwt=%s\", token))\n\tserver.handleClientGetDirContents(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorDirList403)\n\n\trr = httptest.NewRecorder()\n\treq, _ = http.NewRequest(http.MethodGet, webClientDownloadZipPath, nil)\n\treq.Header.Set(\"Cookie\", fmt.Sprintf(\"jwt=%s\", token))\n\tserver.handleWebClientDownloadZip(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\treq, _ = http.NewRequest(http.MethodGet, webClientEditFilePath, nil)\n\treq.Header.Set(\"Cookie\", fmt.Sprintf(\"jwt=%s\", token))\n\tserver.handleClientEditFile(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\treq, _ = http.NewRequest(http.MethodGet, webClientSharePath, nil)\n\treq.Header.Set(\"Cookie\", fmt.Sprintf(\"jwt=%s\", token))\n\tserver.handleClientAddShareGet(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\treq, _ = http.NewRequest(http.MethodGet, webClientSharePath, nil)\n\treq.Header.Set(\"Cookie\", fmt.Sprintf(\"jwt=%s\", token))\n\tserver.handleClientUpdateShareGet(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\treq, _ = http.NewRequest(http.MethodPost, webClientSharePath, nil)\n\treq.Header.Set(\"Cookie\", fmt.Sprintf(\"jwt=%s\", token))\n\tserver.handleClientAddSharePost(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\treq, _ = http.NewRequest(http.MethodPost, webClientSharePath+\"/id\", nil)\n\treq.Header.Set(\"Cookie\", fmt.Sprintf(\"jwt=%s\", token))\n\tserver.handleClientUpdateSharePost(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\treq, _ = http.NewRequest(http.MethodGet, webClientSharesPath+jsonAPISuffix, nil)\n\treq.Header.Set(\"Cookie\", fmt.Sprintf(\"jwt=%s\", token))\n\tgetAllShares(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n\n\trr = httptest.NewRecorder()\n\treq, _ = http.NewRequest(http.MethodGet, webClientViewPDFPath, nil)\n\treq.Header.Set(\"Cookie\", fmt.Sprintf(\"jwt=%s\", token))\n\tserver.handleClientGetPDF(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n}\n\nfunc TestInvalidClaims(t *testing.T) {\n\tserver := httpdServer{}\n\terr := server.initializeRouter()\n\trequire.NoError(t, err)\n\n\trr := httptest.NewRecorder()\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"\",\n\t\t\tPassword: \"pwd\",\n\t\t},\n\t}\n\tc := &jwt.Claims{\n\t\tUsername: user.Username,\n\t\tPermissions: nil,\n\t}\n\tc.Subject = user.GetSignature()\n\ttoken, err := server.tokenAuth.SignWithParams(c, tokenAudienceWebClient, \"\", getTokenDuration(tokenAudienceWebClient))\n\tassert.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodGet, webClientProfilePath, nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Cookie\", fmt.Sprintf(\"jwt=%s\", token))\n\tparsedToken, err := jwt.VerifyRequest(server.tokenAuth, req, jwt.TokenFromCookie)\n\tassert.NoError(t, err)\n\tctx := req.Context()\n\tctx = jwt.NewContext(ctx, parsedToken, err)\n\treq = req.WithContext(ctx)\n\n\tform := make(url.Values)\n\tform.Set(csrfFormToken, createCSRFToken(rr, req, server.csrfTokenAuth, \"\", webBaseClientPath))\n\tform.Set(\"public_keys\", \"\")\n\treq, err = http.NewRequest(http.MethodPost, webClientProfilePath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq = req.WithContext(ctx)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\treq.Header.Set(\"Cookie\", fmt.Sprintf(\"jwt=%s\", token))\n\tserver.handleWebClientProfilePost(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\n\tadmin := dataprovider.Admin{\n\t\tUsername: \"\",\n\t\tPassword: user.Password,\n\t}\n\tc = &jwt.Claims{\n\t\tUsername: admin.Username,\n\t\tPermissions: nil,\n\t}\n\tc.Subject = admin.GetSignature()\n\ttoken, err = server.tokenAuth.SignWithParams(c, tokenAudienceWebAdmin, \"\", getTokenDuration(tokenAudienceWebAdmin))\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, webAdminProfilePath, nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Cookie\", fmt.Sprintf(\"jwt=%s\", token))\n\tparsedToken, err = jwt.VerifyRequest(server.tokenAuth, req, jwt.TokenFromCookie)\n\tassert.NoError(t, err)\n\tctx = req.Context()\n\tctx = jwt.NewContext(ctx, parsedToken, err)\n\treq = req.WithContext(ctx)\n\n\tform = make(url.Values)\n\tform.Set(csrfFormToken, createCSRFToken(rr, req, server.csrfTokenAuth, \"\", webBaseAdminPath))\n\tform.Set(\"allow_api_key_auth\", \"\")\n\treq, err = http.NewRequest(http.MethodPost, webAdminProfilePath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\treq = req.WithContext(ctx)\n\treq.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\treq.Header.Set(\"Cookie\", fmt.Sprintf(\"jwt=%s\", token))\n\tserver.handleWebAdminProfilePost(rr, req)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)\n}\n\nfunc TestTLSReq(t *testing.T) {\n\treq, err := http.NewRequest(http.MethodGet, webClientLoginPath, nil)\n\tassert.NoError(t, err)\n\treq.TLS = &tls.ConnectionState{}\n\tassert.True(t, isTLS(req))\n\treq.TLS = nil\n\tctx := context.WithValue(req.Context(), forwardedProtoKey, \"https\")\n\tassert.True(t, isTLS(req.WithContext(ctx)))\n\tctx = context.WithValue(req.Context(), forwardedProtoKey, \"http\")\n\tassert.False(t, isTLS(req.WithContext(ctx)))\n\tassert.Equal(t, \"context value forwarded proto\", forwardedProtoKey.String())\n}\n\nfunc TestSigningKey(t *testing.T) {\n\tsigningPassphrase := \"test\"\n\tserver1 := httpdServer{\n\t\tsigningPassphrase: signingPassphrase,\n\t}\n\terr := server1.initializeRouter()\n\trequire.NoError(t, err)\n\n\tserver2 := httpdServer{\n\t\tsigningPassphrase: signingPassphrase,\n\t}\n\terr = server2.initializeRouter()\n\trequire.NoError(t, err)\n\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"\",\n\t\t\tPassword: \"pwd\",\n\t\t},\n\t}\n\tc := &jwt.Claims{\n\t\tUsername: user.Username,\n\t\tPermissions: nil,\n\t}\n\tc.Subject = user.GetSignature()\n\ttoken, err := server1.tokenAuth.SignWithParams(c, tokenAudienceWebClient, \"\", getTokenDuration(tokenAudienceWebClient))\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, token)\n\t_, err = jwt.VerifyToken(server1.tokenAuth, token)\n\tassert.NoError(t, err)\n\t_, err = jwt.VerifyToken(server2.tokenAuth, token)\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginLinks(t *testing.T) {\n\tb := Binding{\n\t\tEnableWebAdmin: true,\n\t\tEnableWebClient: false,\n\t\tEnableRESTAPI: true,\n\t}\n\tassert.False(t, b.showClientLoginURL())\n\tb = Binding{\n\t\tEnableWebAdmin: false,\n\t\tEnableWebClient: true,\n\t\tEnableRESTAPI: true,\n\t}\n\tassert.False(t, b.showAdminLoginURL())\n\tb = Binding{\n\t\tEnableWebAdmin: true,\n\t\tEnableWebClient: true,\n\t\tEnableRESTAPI: true,\n\t}\n\tassert.True(t, b.showAdminLoginURL())\n\tassert.True(t, b.showClientLoginURL())\n\tb.HideLoginURL = 3\n\tassert.False(t, b.showAdminLoginURL())\n\tassert.False(t, b.showClientLoginURL())\n\tb.HideLoginURL = 1\n\tassert.True(t, b.showAdminLoginURL())\n\tassert.False(t, b.showClientLoginURL())\n\tb.HideLoginURL = 2\n\tassert.False(t, b.showAdminLoginURL())\n\tassert.True(t, b.showClientLoginURL())\n}\n\nfunc TestResetCodesCleanup(t *testing.T) {\n\tresetCode := newResetCode(util.GenerateUniqueID(), false)\n\tresetCode.ExpiresAt = time.Now().Add(-1 * time.Minute).UTC()\n\terr := resetCodesMgr.Add(resetCode)\n\tassert.NoError(t, err)\n\tresetCodesMgr.Cleanup()\n\t_, err = resetCodesMgr.Get(resetCode.Code)\n\tassert.Error(t, err)\n}\n\nfunc TestUserCanResetPassword(t *testing.T) {\n\treq, err := http.NewRequest(http.MethodGet, webClientLoginPath, nil)\n\tassert.NoError(t, err)\n\treq.RemoteAddr = \"172.16.9.2:55080\"\n\n\tu := dataprovider.User{}\n\tassert.True(t, isUserAllowedToResetPassword(req, &u))\n\tu.Filters.DeniedProtocols = []string{common.ProtocolHTTP}\n\tassert.False(t, isUserAllowedToResetPassword(req, &u))\n\tu.Filters.DeniedProtocols = nil\n\tu.Filters.WebClient = []string{sdk.WebClientPasswordResetDisabled}\n\tassert.False(t, isUserAllowedToResetPassword(req, &u))\n\tu.Filters.WebClient = nil\n\tu.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodPassword}\n\tassert.False(t, isUserAllowedToResetPassword(req, &u))\n\tu.Filters.DeniedLoginMethods = nil\n\tu.Filters.AllowedIP = []string{\"127.0.0.1/8\"}\n\tassert.False(t, isUserAllowedToResetPassword(req, &u))\n}\n\nfunc TestBrowsableSharePaths(t *testing.T) {\n\tshare := dataprovider.Share{\n\t\tPaths: []string{\"/\"},\n\t\tUsername: defaultAdminUsername,\n\t}\n\t_, err := getUserForShare(share)\n\tif assert.Error(t, err) {\n\t\tassert.ErrorIs(t, err, util.ErrNotFound)\n\t}\n\treq, err := http.NewRequest(http.MethodGet, \"/share\", nil)\n\trequire.NoError(t, err)\n\tname, err := getBrowsableSharedPath(share.Paths[0], req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"/\", name)\n\treq, err = http.NewRequest(http.MethodGet, \"/share?path=abc\", nil)\n\trequire.NoError(t, err)\n\tname, err = getBrowsableSharedPath(share.Paths[0], req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"/abc\", name)\n\n\tshare.Paths = []string{\"/a/b/c\"}\n\treq, err = http.NewRequest(http.MethodGet, \"/share?path=abc\", nil)\n\trequire.NoError(t, err)\n\tname, err = getBrowsableSharedPath(share.Paths[0], req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"/a/b/c/abc\", name)\n\treq, err = http.NewRequest(http.MethodGet, \"/share?path=%2Fabc/d\", nil)\n\trequire.NoError(t, err)\n\tname, err = getBrowsableSharedPath(share.Paths[0], req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"/a/b/c/abc/d\", name)\n\n\treq, err = http.NewRequest(http.MethodGet, \"/share?path=%2Fabc%2F..%2F..\", nil)\n\trequire.NoError(t, err)\n\t_, err = getBrowsableSharedPath(share.Paths[0], req)\n\tassert.Error(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, \"/share?path=%2Fabc%2F..\", nil)\n\trequire.NoError(t, err)\n\tname, err = getBrowsableSharedPath(share.Paths[0], req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"/a/b/c\", name)\n\n\tshare = dataprovider.Share{\n\t\tPaths: []string{\"/a\", \"/b\"},\n\t}\n}\n\nfunc TestSecureMiddlewareIntegration(t *testing.T) {\n\tforwardedHostHeader := \"X-Forwarded-Host\"\n\tserver := httpdServer{\n\t\tbinding: Binding{\n\t\t\tProxyAllowed: []string{\"192.168.1.0/24\"},\n\t\t\tSecurity: SecurityConf{\n\t\t\t\tEnabled: true,\n\t\t\t\tAllowedHosts: []string{\"*.sftpgo.com\"},\n\t\t\t\tAllowedHostsAreRegex: true,\n\t\t\t\tHostsProxyHeaders: []string{forwardedHostHeader},\n\t\t\t\tHTTPSProxyHeaders: []HTTPSProxyHeader{\n\t\t\t\t\t{\n\t\t\t\t\t\tKey: xForwardedProto,\n\t\t\t\t\t\tValue: \"https\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tSTSSeconds: 31536000,\n\t\t\t\tSTSIncludeSubdomains: true,\n\t\t\t\tSTSPreload: true,\n\t\t\t\tContentTypeNosniff: true,\n\t\t\t\tCacheControl: \"private\",\n\t\t\t\tCrossOriginOpenerPolicy: \"same-origin\",\n\t\t\t\tCrossOriginResourcePolicy: \"same-site\",\n\t\t\t\tCrossOriginEmbedderPolicy: \"require-corp\",\n\t\t\t\tReferrerPolicy: \"no-referrer\",\n\t\t\t},\n\t\t},\n\t\tenableWebAdmin: true,\n\t\tenableWebClient: true,\n\t\tenableRESTAPI: true,\n\t}\n\tserver.binding.Security.updateProxyHeaders()\n\terr := server.binding.parseAllowedProxy()\n\tassert.NoError(t, err)\n\tassert.Equal(t, []string{forwardedHostHeader, xForwardedProto}, server.binding.Security.proxyHeaders)\n\tassert.Equal(t, map[string]string{xForwardedProto: \"https\"}, server.binding.Security.getHTTPSProxyHeaders())\n\terr = server.initializeRouter()\n\trequire.NoError(t, err)\n\n\trr := httptest.NewRecorder()\n\tr, err := http.NewRequest(http.MethodGet, webClientLoginPath, nil)\n\tassert.NoError(t, err)\n\tr.Host = \"127.0.0.1\"\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.Equal(t, \"no-cache, no-store, max-age=0, must-revalidate, private\", rr.Header().Get(\"Cache-Control\"))\n\n\trr = httptest.NewRecorder()\n\tr.Header.Set(forwardedHostHeader, \"www.sftpgo.com\")\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\t// the header should be removed\n\tassert.Empty(t, r.Header.Get(forwardedHostHeader))\n\n\trr = httptest.NewRecorder()\n\tr.Host = \"test.sftpgo.com\"\n\tr.Header.Set(forwardedHostHeader, \"test.example.com\")\n\tr.RemoteAddr = \"192.168.1.1\"\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\tassert.NotEmpty(t, r.Header.Get(forwardedHostHeader))\n\n\trr = httptest.NewRecorder()\n\tr.Header.Set(forwardedHostHeader, \"www.sftpgo.com\")\n\tr.RemoteAddr = \"192.168.1.1\"\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.NotEmpty(t, r.Header.Get(forwardedHostHeader))\n\tassert.Empty(t, rr.Header().Get(\"Strict-Transport-Security\"))\n\tassert.Equal(t, \"nosniff\", rr.Header().Get(\"X-Content-Type-Options\"))\n\t// now set the X-Forwarded-Proto to https, we should get the Strict-Transport-Security header\n\trr = httptest.NewRecorder()\n\tr.Host = \"test.sftpgo.com\"\n\tr.Header.Set(xForwardedProto, \"https\")\n\tr.RemoteAddr = \"192.168.1.3\"\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.NotEmpty(t, r.Header.Get(forwardedHostHeader))\n\tassert.Equal(t, \"max-age=31536000; includeSubDomains; preload\", rr.Header().Get(\"Strict-Transport-Security\"))\n\tassert.Equal(t, \"nosniff\", rr.Header().Get(\"X-Content-Type-Options\"))\n\tassert.Equal(t, \"require-corp\", rr.Header().Get(\"Cross-Origin-Embedder-Policy\"))\n\tassert.Equal(t, \"same-origin\", rr.Header().Get(\"Cross-Origin-Opener-Policy\"))\n\tassert.Equal(t, \"same-site\", rr.Header().Get(\"Cross-Origin-Resource-Policy\"))\n\tassert.Equal(t, \"no-referrer\", rr.Header().Get(\"Referrer-Policy\"))\n\n\tserver.binding.Security.Enabled = false\n\tserver.binding.Security.updateProxyHeaders()\n\tassert.Len(t, server.binding.Security.proxyHeaders, 0)\n}\n\nfunc TestGetCompressedFileName(t *testing.T) {\n\tusername := \"test\"\n\tres := getCompressedFileName(username, []string{\"single dir\"})\n\trequire.Equal(t, fmt.Sprintf(\"%s-single dir.zip\", username), res)\n\tres = getCompressedFileName(username, []string{\"file1\", \"file2\"})\n\trequire.Equal(t, fmt.Sprintf(\"%s-download.zip\", username), res)\n\tres = getCompressedFileName(username, []string{\"file1.txt\"})\n\trequire.Equal(t, fmt.Sprintf(\"%s-file1.zip\", username), res)\n\t// now files with full paths\n\tres = getCompressedFileName(username, []string{\"/dir/single dir\"})\n\trequire.Equal(t, fmt.Sprintf(\"%s-single dir.zip\", username), res)\n\tres = getCompressedFileName(username, []string{\"/adir/file1\", \"/adir/file2\"})\n\trequire.Equal(t, fmt.Sprintf(\"%s-download.zip\", username), res)\n\tres = getCompressedFileName(username, []string{\"/sub/dir/file1.txt\"})\n\trequire.Equal(t, fmt.Sprintf(\"%s-file1.zip\", username), res)\n}\n\nfunc TestRESTAPIDisabled(t *testing.T) {\n\tserver := httpdServer{\n\t\tenableWebAdmin: true,\n\t\tenableWebClient: true,\n\t\tenableRESTAPI: false,\n\t}\n\terr := server.initializeRouter()\n\trequire.NoError(t, err)\n\tassert.False(t, server.enableRESTAPI)\n\trr := httptest.NewRecorder()\n\tr, err := http.NewRequest(http.MethodGet, healthzPath, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, tokenPath, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusNotFound, rr.Code)\n}\n\nfunc TestWebAdminSetupWithInstallCode(t *testing.T) {\n\tinstallationCode = \"1234\"\n\t// delete all the admins\n\tadmins, err := dataprovider.GetAdmins(100, 0, dataprovider.OrderASC)\n\tassert.NoError(t, err)\n\tfor _, admin := range admins {\n\t\terr = dataprovider.DeleteAdmin(admin.Username, \"\", \"\", \"\")\n\t\tassert.NoError(t, err)\n\t}\n\t// close the provider and initializes it without creating the default admin\n\tproviderConf := dataprovider.GetProviderConfig()\n\tproviderConf.CreateDefaultAdmin = false\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\tserver := httpdServer{\n\t\tenableWebAdmin: true,\n\t\tenableWebClient: true,\n\t\tenableRESTAPI: true,\n\t}\n\terr = server.initializeRouter()\n\trequire.NoError(t, err)\n\n\tfor _, webURL := range []string{\"/\", webBasePath, webBaseAdminPath, webAdminLoginPath, webClientLoginPath} {\n\t\trr := httptest.NewRecorder()\n\t\tr, err := http.NewRequest(http.MethodGet, webURL, nil)\n\t\tassert.NoError(t, err)\n\t\tserver.router.ServeHTTP(rr, r)\n\t\tassert.Equal(t, http.StatusFound, rr.Code)\n\t\tassert.Equal(t, webAdminSetupPath, rr.Header().Get(\"Location\"))\n\t}\n\n\trr := httptest.NewRecorder()\n\tr, err := http.NewRequest(http.MethodGet, webAdminSetupPath, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tcookie := rr.Header().Get(\"Set-Cookie\")\n\tr.Header.Set(\"Cookie\", cookie)\n\tparsedToken, err := jwt.VerifyRequest(server.csrfTokenAuth, r, jwt.TokenFromCookie)\n\tassert.NoError(t, err)\n\tctx := r.Context()\n\tctx = jwt.NewContext(ctx, parsedToken, err)\n\tr = r.WithContext(ctx)\n\n\tform := make(url.Values)\n\tcsrfToken := createCSRFToken(rr, r, server.csrfTokenAuth, \"\", webBaseAdminPath)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"install_code\", installationCode+\"5\")\n\tform.Set(\"username\", defaultAdminUsername)\n\tform.Set(\"password\", \"password\")\n\tform.Set(\"confirm_password\", \"password\")\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodPost, webAdminSetupPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tr = r.WithContext(ctx)\n\tr.Header.Set(\"Cookie\", cookie)\n\tr.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorSetupInstallCode)\n\n\t_, err = dataprovider.AdminExists(defaultAdminUsername)\n\tassert.Error(t, err)\n\tform.Set(\"install_code\", installationCode)\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodPost, webAdminSetupPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tr = r.WithContext(ctx)\n\tr.Header.Set(\"Cookie\", cookie)\n\tr.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webAdminMFAPath, rr.Header().Get(\"Location\"))\n\n\t_, err = dataprovider.AdminExists(defaultAdminUsername)\n\tassert.NoError(t, err)\n\n\t// delete the admin and test the installation code resolver\n\terr = dataprovider.DeleteAdmin(defaultAdminUsername, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\tSetInstallationCodeResolver(func(_ string) string {\n\t\treturn \"5678\"\n\t})\n\n\tfor _, webURL := range []string{\"/\", webBasePath, webBaseAdminPath, webAdminLoginPath, webClientLoginPath} {\n\t\trr = httptest.NewRecorder()\n\t\tr, err = http.NewRequest(http.MethodGet, webURL, nil)\n\t\tassert.NoError(t, err)\n\t\tserver.router.ServeHTTP(rr, r)\n\t\tassert.Equal(t, http.StatusFound, rr.Code)\n\t\tassert.Equal(t, webAdminSetupPath, rr.Header().Get(\"Location\"))\n\t}\n\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webAdminSetupPath, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tcookie = rr.Header().Get(\"Set-Cookie\")\n\tr.Header.Set(\"Cookie\", cookie)\n\tparsedToken, err = jwt.VerifyRequest(server.csrfTokenAuth, r, jwt.TokenFromCookie)\n\tassert.NoError(t, err)\n\tctx = r.Context()\n\tctx = jwt.NewContext(ctx, parsedToken, err)\n\tr = r.WithContext(ctx)\n\n\tform = make(url.Values)\n\tcsrfToken = createCSRFToken(rr, r, server.csrfTokenAuth, \"\", webBaseAdminPath)\n\tform.Set(csrfFormToken, csrfToken)\n\tform.Set(\"install_code\", installationCode)\n\tform.Set(\"username\", defaultAdminUsername)\n\tform.Set(\"password\", \"password\")\n\tform.Set(\"confirm_password\", \"password\")\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodPost, webAdminSetupPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tr = r.WithContext(ctx)\n\tr.Header.Set(\"Cookie\", cookie)\n\tr.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nErrorSetupInstallCode)\n\n\t_, err = dataprovider.AdminExists(defaultAdminUsername)\n\tassert.Error(t, err)\n\tform.Set(\"install_code\", \"5678\")\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodPost, webAdminSetupPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tr = r.WithContext(ctx)\n\tr.Header.Set(\"Cookie\", cookie)\n\tr.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webAdminMFAPath, rr.Header().Get(\"Location\"))\n\n\t_, err = dataprovider.AdminExists(defaultAdminUsername)\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\tproviderConf.CreateDefaultAdmin = true\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\tinstallationCode = \"\"\n\tSetInstallationCodeResolver(nil)\n}\n\nfunc TestDbResetCodeManager(t *testing.T) {\n\tif !isSharedProviderSupported() {\n\t\tt.Skip(\"this test it is not available with this provider\")\n\t}\n\tmgr := newResetCodeManager(1)\n\tresetCode := newResetCode(\"admin\", true)\n\terr := mgr.Add(resetCode)\n\tassert.NoError(t, err)\n\tcodeGet, err := mgr.Get(resetCode.Code)\n\tassert.NoError(t, err)\n\tassert.Equal(t, resetCode, codeGet)\n\terr = mgr.Delete(resetCode.Code)\n\tassert.NoError(t, err)\n\terr = mgr.Delete(resetCode.Code)\n\tif assert.Error(t, err) {\n\t\tassert.ErrorIs(t, err, util.ErrNotFound)\n\t}\n\t_, err = mgr.Get(resetCode.Code)\n\tassert.ErrorIs(t, err, util.ErrNotFound)\n\t// add an expired reset code\n\tresetCode = newResetCode(\"user\", false)\n\tresetCode.ExpiresAt = time.Now().Add(-24 * time.Hour)\n\terr = mgr.Add(resetCode)\n\tassert.NoError(t, err)\n\t_, err = mgr.Get(resetCode.Code)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"reset code expired\")\n\t}\n\tmgr.Cleanup()\n\t_, err = mgr.Get(resetCode.Code)\n\tassert.ErrorIs(t, err, util.ErrNotFound)\n\n\tdbMgr, ok := mgr.(*dbResetCodeManager)\n\tif assert.True(t, ok) {\n\t\t_, err = dbMgr.decodeData(\"astring\")\n\t\tassert.Error(t, err)\n\t}\n}\n\nfunc TestEventRoleFilter(t *testing.T) {\n\tdefaultVal := \"default\"\n\treq, err := http.NewRequest(http.MethodGet, fsEventsPath+\"?role=role1\", nil)\n\trequire.NoError(t, err)\n\trole := getRoleFilterForEventSearch(req, defaultVal)\n\tassert.Equal(t, defaultVal, role)\n\trole = getRoleFilterForEventSearch(req, \"\")\n\tassert.Equal(t, \"role1\", role)\n}\n\nfunc TestEventsCSV(t *testing.T) {\n\te := fsEvent{\n\t\tStatus: 1,\n\t}\n\tdata := e.getCSVData()\n\tassert.Equal(t, \"OK\", data[5])\n\te.Status = 2\n\tdata = e.getCSVData()\n\tassert.Equal(t, \"KO\", data[5])\n\te.Status = 3\n\tdata = e.getCSVData()\n\tassert.Equal(t, \"Quota exceeded\", data[5])\n}\n\nfunc TestConfigsFromProvider(t *testing.T) {\n\terr := dataprovider.UpdateConfigs(nil, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tc := Conf{\n\t\tBindings: []Binding{\n\t\t\t{\n\t\t\t\tPort: 1234,\n\t\t\t},\n\t\t\t{\n\t\t\t\tPort: 80,\n\t\t\t\tSecurity: SecurityConf{\n\t\t\t\t\tEnabled: true,\n\t\t\t\t\tHTTPSRedirect: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\terr = c.loadFromProvider()\n\tassert.NoError(t, err)\n\tassert.Empty(t, c.acmeDomain)\n\tconfigs := dataprovider.Configs{\n\t\tACME: &dataprovider.ACMEConfigs{\n\t\t\tDomain: \"domain.com\",\n\t\t\tEmail: \"info@domain.com\",\n\t\t\tHTTP01Challenge: dataprovider.ACMEHTTP01Challenge{Port: 80},\n\t\t\tProtocols: 1,\n\t\t},\n\t}\n\terr = dataprovider.UpdateConfigs(&configs, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tutil.CertsBasePath = \"\"\n\t// crt and key empty\n\terr = c.loadFromProvider()\n\tassert.NoError(t, err)\n\tassert.Empty(t, c.acmeDomain)\n\tutil.CertsBasePath = filepath.Clean(os.TempDir())\n\t// crt not found\n\terr = c.loadFromProvider()\n\tassert.NoError(t, err)\n\tassert.Empty(t, c.acmeDomain)\n\tkeyPairs := c.getKeyPairs(configDir)\n\tassert.Len(t, keyPairs, 0)\n\tcrtPath := filepath.Join(util.CertsBasePath, util.SanitizeDomain(configs.ACME.Domain)+\".crt\")\n\terr = os.WriteFile(crtPath, nil, 0666)\n\tassert.NoError(t, err)\n\t// key not found\n\terr = c.loadFromProvider()\n\tassert.NoError(t, err)\n\tassert.Empty(t, c.acmeDomain)\n\tkeyPairs = c.getKeyPairs(configDir)\n\tassert.Len(t, keyPairs, 0)\n\tkeyPath := filepath.Join(util.CertsBasePath, util.SanitizeDomain(configs.ACME.Domain)+\".key\")\n\terr = os.WriteFile(keyPath, nil, 0666)\n\tassert.NoError(t, err)\n\t// acme cert used\n\terr = c.loadFromProvider()\n\tassert.NoError(t, err)\n\tassert.Equal(t, configs.ACME.Domain, c.acmeDomain)\n\tkeyPairs = c.getKeyPairs(configDir)\n\tassert.Len(t, keyPairs, 1)\n\tassert.True(t, c.Bindings[0].EnableHTTPS)\n\tassert.False(t, c.Bindings[1].EnableHTTPS)\n\t// protocols does not match\n\tconfigs.ACME.Protocols = 6\n\terr = dataprovider.UpdateConfigs(&configs, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tc.acmeDomain = \"\"\n\terr = c.loadFromProvider()\n\tassert.NoError(t, err)\n\tassert.Empty(t, c.acmeDomain)\n\tkeyPairs = c.getKeyPairs(configDir)\n\tassert.Len(t, keyPairs, 0)\n\n\terr = os.Remove(crtPath)\n\tassert.NoError(t, err)\n\terr = os.Remove(keyPath)\n\tassert.NoError(t, err)\n\tutil.CertsBasePath = \"\"\n\terr = dataprovider.UpdateConfigs(nil, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n}\n\nfunc TestHTTPSRedirect(t *testing.T) {\n\tacmeWebRoot := filepath.Join(os.TempDir(), \"acme\")\n\terr := os.MkdirAll(acmeWebRoot, os.ModePerm)\n\tassert.NoError(t, err)\n\ttokenName := \"token\"\n\terr = os.WriteFile(filepath.Join(acmeWebRoot, tokenName), []byte(\"val\"), 0666)\n\tassert.NoError(t, err)\n\n\tacmeConfig := acme.Configuration{\n\t\tHTTP01Challenge: acme.HTTP01Challenge{WebRoot: acmeWebRoot},\n\t}\n\terr = acme.Initialize(acmeConfig, configDir, true)\n\trequire.NoError(t, err)\n\n\tforwardedHostHeader := \"X-Forwarded-Host\"\n\tserver := httpdServer{\n\t\tbinding: Binding{\n\t\t\tSecurity: SecurityConf{\n\t\t\t\tEnabled: true,\n\t\t\t\tHTTPSRedirect: true,\n\t\t\t\tHostsProxyHeaders: []string{forwardedHostHeader},\n\t\t\t},\n\t\t},\n\t}\n\terr = server.initializeRouter()\n\trequire.NoError(t, err)\n\n\trr := httptest.NewRecorder()\n\tr, err := http.NewRequest(http.MethodGet, path.Join(acmeChallengeURI, tokenName), nil)\n\tassert.NoError(t, err)\n\tr.Host = \"localhost\"\n\tr.RequestURI = path.Join(acmeChallengeURI, tokenName)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())\n\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webAdminLoginPath, nil)\n\tassert.NoError(t, err)\n\tr.RequestURI = webAdminLoginPath\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusTemporaryRedirect, rr.Code, rr.Body.String())\n\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webAdminLoginPath, nil)\n\tassert.NoError(t, err)\n\tr.RequestURI = webAdminLoginPath\n\tr.Header.Set(forwardedHostHeader, \"sftpgo.com\")\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusTemporaryRedirect, rr.Code, rr.Body.String())\n\tassert.Contains(t, rr.Body.String(), \"https://sftpgo.com\")\n\n\tserver.binding.Security.HTTPSHost = \"myhost:1044\"\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webAdminLoginPath, nil)\n\tassert.NoError(t, err)\n\tr.RequestURI = webAdminLoginPath\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusTemporaryRedirect, rr.Code, rr.Body.String())\n\tassert.Contains(t, rr.Body.String(), \"https://myhost:1044\")\n\n\terr = os.RemoveAll(acmeWebRoot)\n\tassert.NoError(t, err)\n}\n\nfunc TestDisabledAdminLoginMethods(t *testing.T) {\n\tserver := httpdServer{\n\t\tbinding: Binding{\n\t\t\tAddress: \"\",\n\t\t\tPort: 8080,\n\t\t\tEnableWebAdmin: true,\n\t\t\tEnableWebClient: true,\n\t\t\tEnableRESTAPI: true,\n\t\t\tDisabledLoginMethods: 20,\n\t\t},\n\t\tenableWebAdmin: true,\n\t\tenableWebClient: true,\n\t\tenableRESTAPI: true,\n\t}\n\terr := server.initializeRouter()\n\trequire.NoError(t, err)\n\ttestServer := httptest.NewServer(server.router)\n\tdefer testServer.Close()\n\n\trr := httptest.NewRecorder()\n\treq, err := http.NewRequest(http.MethodGet, tokenPath, nil)\n\trequire.NoError(t, err)\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusNotFound, rr.Code)\n\n\trr = httptest.NewRecorder()\n\treq, err = http.NewRequest(http.MethodPost, path.Join(adminPath, defaultAdminUsername, \"forgot-password\"), nil)\n\trequire.NoError(t, err)\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusNotFound, rr.Code)\n\n\trr = httptest.NewRecorder()\n\treq, err = http.NewRequest(http.MethodPost, path.Join(adminPath, defaultAdminUsername, \"reset-password\"), nil)\n\trequire.NoError(t, err)\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusNotFound, rr.Code)\n\n\trr = httptest.NewRecorder()\n\treq, err = http.NewRequest(http.MethodPost, webAdminLoginPath, nil)\n\trequire.NoError(t, err)\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusMethodNotAllowed, rr.Code)\n\n\trr = httptest.NewRecorder()\n\treq, err = http.NewRequest(http.MethodPost, webAdminResetPwdPath, nil)\n\trequire.NoError(t, err)\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusNotFound, rr.Code)\n\n\trr = httptest.NewRecorder()\n\treq, err = http.NewRequest(http.MethodPost, webAdminForgotPwdPath, nil)\n\trequire.NoError(t, err)\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusNotFound, rr.Code)\n}\n\nfunc TestDisabledUserLoginMethods(t *testing.T) {\n\tserver := httpdServer{\n\t\tbinding: Binding{\n\t\t\tAddress: \"\",\n\t\t\tPort: 8080,\n\t\t\tEnableWebAdmin: true,\n\t\t\tEnableWebClient: true,\n\t\t\tEnableRESTAPI: true,\n\t\t\tDisabledLoginMethods: 40,\n\t\t},\n\t\tenableWebAdmin: true,\n\t\tenableWebClient: true,\n\t\tenableRESTAPI: true,\n\t}\n\terr := server.initializeRouter()\n\trequire.NoError(t, err)\n\ttestServer := httptest.NewServer(server.router)\n\tdefer testServer.Close()\n\n\trr := httptest.NewRecorder()\n\treq, err := http.NewRequest(http.MethodGet, userTokenPath, nil)\n\trequire.NoError(t, err)\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusNotFound, rr.Code)\n\n\trr = httptest.NewRecorder()\n\treq, err = http.NewRequest(http.MethodPost, userPath+\"/user/forgot-password\", nil)\n\trequire.NoError(t, err)\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusNotFound, rr.Code)\n\n\trr = httptest.NewRecorder()\n\treq, err = http.NewRequest(http.MethodPost, userPath+\"/user/reset-password\", nil)\n\trequire.NoError(t, err)\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusNotFound, rr.Code)\n\n\trr = httptest.NewRecorder()\n\treq, err = http.NewRequest(http.MethodPost, webClientLoginPath, nil)\n\trequire.NoError(t, err)\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusMethodNotAllowed, rr.Code)\n\n\trr = httptest.NewRecorder()\n\treq, err = http.NewRequest(http.MethodPost, webClientResetPwdPath, nil)\n\trequire.NoError(t, err)\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusNotFound, rr.Code)\n\n\trr = httptest.NewRecorder()\n\treq, err = http.NewRequest(http.MethodPost, webClientForgotPwdPath, nil)\n\trequire.NoError(t, err)\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusNotFound, rr.Code)\n}\n\nfunc TestGetLogEventString(t *testing.T) {\n\tassert.Equal(t, \"Login failed\", getLogEventString(notifier.LogEventTypeLoginFailed))\n\tassert.Equal(t, \"Login with non-existent user\", getLogEventString(notifier.LogEventTypeLoginNoUser))\n\tassert.Equal(t, \"No login tried\", getLogEventString(notifier.LogEventTypeNoLoginTried))\n\tassert.Equal(t, \"Algorithm negotiation failed\", getLogEventString(notifier.LogEventTypeNotNegotiated))\n\tassert.Equal(t, \"Login succeeded\", getLogEventString(notifier.LogEventTypeLoginOK))\n\tassert.Empty(t, getLogEventString(0))\n}\n\nfunc TestUserQuotaUsage(t *testing.T) {\n\tusage := userQuotaUsage{\n\t\tQuotaSize: 100,\n\t}\n\trequire.True(t, usage.HasQuotaInfo())\n\trequire.NotEmpty(t, usage.GetQuotaSize())\n\tproviderConf := dataprovider.GetProviderConfig()\n\tquotaTracking := dataprovider.GetQuotaTracking()\n\tproviderConf.TrackQuota = 0\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\tassert.False(t, usage.HasQuotaInfo())\n\tproviderConf.TrackQuota = quotaTracking\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\tusage.QuotaSize = 0\n\tassert.False(t, usage.HasQuotaInfo())\n\tassert.Empty(t, usage.GetQuotaSize())\n\tassert.Equal(t, 0, usage.GetQuotaSizePercentage())\n\tassert.False(t, usage.IsQuotaSizeLow())\n\tassert.False(t, usage.IsDiskQuotaLow())\n\tassert.False(t, usage.IsQuotaLow())\n\tusage.UsedQuotaSize = 9\n\tassert.NotEmpty(t, usage.GetQuotaSize())\n\tusage.QuotaSize = 10\n\tassert.True(t, usage.IsQuotaSizeLow())\n\tassert.True(t, usage.IsDiskQuotaLow())\n\tassert.True(t, usage.IsQuotaLow())\n\tusage.DownloadDataTransfer = 1\n\tassert.True(t, usage.HasQuotaInfo())\n\tassert.True(t, usage.HasTranferQuota())\n\tassert.Empty(t, usage.GetQuotaFiles())\n\tassert.Equal(t, 0, usage.GetQuotaFilesPercentage())\n\tusage.QuotaFiles = 1\n\tassert.NotEmpty(t, usage.GetQuotaFiles())\n\tusage.QuotaFiles = 0\n\tusage.UsedQuotaFiles = 9\n\tassert.NotEmpty(t, usage.GetQuotaFiles())\n\tusage.QuotaFiles = 10\n\tusage.DownloadDataTransfer = 0\n\tassert.True(t, usage.IsQuotaFilesLow())\n\tassert.True(t, usage.IsDiskQuotaLow())\n\tassert.False(t, usage.IsTotalTransferQuotaLow())\n\tassert.False(t, usage.IsUploadTransferQuotaLow())\n\tassert.False(t, usage.IsDownloadTransferQuotaLow())\n\tassert.Equal(t, 0, usage.GetTotalTransferQuotaPercentage())\n\tassert.Equal(t, 0, usage.GetUploadTransferQuotaPercentage())\n\tassert.Equal(t, 0, usage.GetDownloadTransferQuotaPercentage())\n\tassert.Empty(t, usage.GetTotalTransferQuota())\n\tassert.Empty(t, usage.GetUploadTransferQuota())\n\tassert.Empty(t, usage.GetDownloadTransferQuota())\n\tusage.TotalDataTransfer = 3\n\tusage.UsedUploadDataTransfer = 1 * 1048576\n\tassert.NotEmpty(t, usage.GetTotalTransferQuota())\n\tusage.TotalDataTransfer = 0\n\tassert.NotEmpty(t, usage.GetTotalTransferQuota())\n\tassert.NotEmpty(t, usage.GetUploadTransferQuota())\n\tusage.UploadDataTransfer = 2\n\tassert.NotEmpty(t, usage.GetUploadTransferQuota())\n\tusage.UsedDownloadDataTransfer = 1 * 1048576\n\tassert.NotEmpty(t, usage.GetDownloadTransferQuota())\n\tusage.DownloadDataTransfer = 2\n\tassert.NotEmpty(t, usage.GetDownloadTransferQuota())\n\tassert.False(t, usage.IsTransferQuotaLow())\n\tusage.UsedDownloadDataTransfer = 8 * 1048576\n\tusage.TotalDataTransfer = 10\n\tassert.True(t, usage.IsTotalTransferQuotaLow())\n\tassert.True(t, usage.IsTransferQuotaLow())\n\tusage.TotalDataTransfer = 0\n\tusage.UploadDataTransfer = 0\n\tusage.DownloadDataTransfer = 0\n\tassert.False(t, usage.IsTransferQuotaLow())\n\tusage.UploadDataTransfer = 10\n\tusage.UsedUploadDataTransfer = 9 * 1048576\n\tassert.True(t, usage.IsUploadTransferQuotaLow())\n\tassert.True(t, usage.IsTransferQuotaLow())\n\tusage.DownloadDataTransfer = 10\n\tusage.UsedDownloadDataTransfer = 9 * 1048576\n\tassert.True(t, usage.IsDownloadTransferQuotaLow())\n\tassert.True(t, usage.IsTransferQuotaLow())\n}\n\nfunc TestShareRedirectURL(t *testing.T) {\n\tshareID := util.GenerateUniqueID()\n\tbase := path.Join(webClientPubSharesPath, shareID)\n\tnext := path.Join(webClientPubSharesPath, shareID, \"browse\")\n\tok, res := checkShareRedirectURL(next, base)\n\tassert.True(t, ok)\n\tassert.Equal(t, next, res)\n\tnext = path.Join(webClientPubSharesPath, shareID, \"browse\") + \"?a=b\"\n\tok, res = checkShareRedirectURL(next, base)\n\tassert.True(t, ok)\n\tassert.Equal(t, next, res)\n\tnext = path.Join(webClientPubSharesPath, shareID)\n\tok, res = checkShareRedirectURL(next, base)\n\tassert.True(t, ok)\n\tassert.Equal(t, path.Join(base, \"download\"), res)\n\tnext = path.Join(webClientEditFilePath, shareID)\n\tok, res = checkShareRedirectURL(next, base)\n\tassert.False(t, ok)\n\tassert.Empty(t, res)\n\tnext = path.Join(webClientPubSharesPath, shareID) + \"?compress=false&a=b\"\n\tok, res = checkShareRedirectURL(next, base)\n\tassert.True(t, ok)\n\tassert.Equal(t, path.Join(base, \"download?compress=false&a=b\"), res)\n\tnext = path.Join(webClientPubSharesPath, shareID) + \"?compress=true&b=c\"\n\tok, res = checkShareRedirectURL(next, base)\n\tassert.True(t, ok)\n\tassert.Equal(t, path.Join(base, \"download?compress=true&b=c\"), res)\n\tok, res = checkShareRedirectURL(\"http://foo\\x7f.com/ab\", \"http://foo\\x7f.com/\")\n\tassert.False(t, ok)\n\tassert.Empty(t, res)\n\tok, res = checkShareRedirectURL(\"http://foo.com/?foo\\nbar\", \"http://foo.com\")\n\tassert.False(t, ok)\n\tassert.Empty(t, res)\n}\n\nfunc TestI18NMessages(t *testing.T) {\n\tmsg := i18nListDirMsg(http.StatusForbidden)\n\trequire.Equal(t, util.I18nErrorDirList403, msg)\n\tmsg = i18nListDirMsg(http.StatusInternalServerError)\n\trequire.Equal(t, util.I18nErrorDirListGeneric, msg)\n\tmsg = i18nFsMsg(http.StatusForbidden)\n\trequire.Equal(t, util.I18nError403Message, msg)\n\tmsg = i18nFsMsg(http.StatusInternalServerError)\n\trequire.Equal(t, util.I18nErrorFsGeneric, msg)\n}\n\nfunc TestI18NErrors(t *testing.T) {\n\terr := util.NewValidationError(\"error text\")\n\terrI18n := util.NewI18nError(err, util.I18nError500Message)\n\tassert.ErrorIs(t, errI18n, util.ErrValidation)\n\tassert.Equal(t, err.Error(), errI18n.Error())\n\tassert.Equal(t, util.I18nError500Message, getI18NErrorString(errI18n, \"\"))\n\tassert.Equal(t, util.I18nError500Message, errI18n.Message)\n\tassert.Equal(t, \"{}\", errI18n.Args())\n\tvar e1 *util.ValidationError\n\tassert.ErrorAs(t, errI18n, &e1)\n\tvar e2 *util.I18nError\n\tassert.ErrorAs(t, errI18n, &e2)\n\terr2 := util.NewI18nError(fs.ErrNotExist, util.I18nError500Message)\n\tassert.ErrorIs(t, err2, &util.I18nError{})\n\tassert.ErrorIs(t, err2, fs.ErrNotExist)\n\tassert.NotErrorIs(t, err2, fs.ErrExist)\n\tassert.Equal(t, util.I18nError403Message, getI18NErrorString(fs.ErrClosed, util.I18nError403Message))\n\terrorString := getI18NErrorString(nil, util.I18nError500Message)\n\tassert.Equal(t, util.I18nError500Message, errorString)\n\terrI18nWrap := util.NewI18nError(errI18n, util.I18nError404Message)\n\tassert.Equal(t, util.I18nError500Message, errI18nWrap.Message)\n\terrI18n = util.NewI18nError(err, util.I18nError500Message, util.I18nErrorArgs(map[string]any{\"a\": \"b\"}))\n\tassert.Equal(t, util.I18nError500Message, errI18n.Message)\n\tassert.Equal(t, `{\"a\":\"b\"}`, errI18n.Args())\n}\n\nfunc TestConvertEnabledLoginMethods(t *testing.T) {\n\tb := Binding{\n\t\tEnabledLoginMethods: 0,\n\t\tDisabledLoginMethods: 1,\n\t}\n\tb.convertLoginMethods()\n\tassert.Equal(t, 1, b.DisabledLoginMethods)\n\tb.DisabledLoginMethods = 0\n\tb.EnabledLoginMethods = 1\n\tb.convertLoginMethods()\n\tassert.Equal(t, 14, b.DisabledLoginMethods)\n\tb.DisabledLoginMethods = 0\n\tb.EnabledLoginMethods = 2\n\tb.convertLoginMethods()\n\tassert.Equal(t, 13, b.DisabledLoginMethods)\n\tb.DisabledLoginMethods = 0\n\tb.EnabledLoginMethods = 3\n\tb.convertLoginMethods()\n\tassert.Equal(t, 12, b.DisabledLoginMethods)\n\tb.DisabledLoginMethods = 0\n\tb.EnabledLoginMethods = 4\n\tb.convertLoginMethods()\n\tassert.Equal(t, 11, b.DisabledLoginMethods)\n\tb.DisabledLoginMethods = 0\n\tb.EnabledLoginMethods = 7\n\tb.convertLoginMethods()\n\tassert.Equal(t, 8, b.DisabledLoginMethods)\n\tb.DisabledLoginMethods = 0\n\tb.EnabledLoginMethods = 15\n\tb.convertLoginMethods()\n\tassert.Equal(t, 0, b.DisabledLoginMethods)\n}\n\nfunc TestValidateBaseURL(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\tinputURL string\n\t\texpectedURL string\n\t\texpectErr bool\n\t}{\n\t\t{\n\t\t\tname: \"Valid HTTPS URL\",\n\t\t\tinputURL: \"https://sftp.example.com\",\n\t\t\texpectedURL: \"https://sftp.example.com\",\n\t\t\texpectErr: false,\n\t\t},\n\t\t{\n\t\t\tname: \"Remove trailing slash\",\n\t\t\tinputURL: \"https://sftp.example.com/\",\n\t\t\texpectedURL: \"https://sftp.example.com\",\n\t\t\texpectErr: false,\n\t\t},\n\t\t{\n\t\t\tname: \"Remove multiple trailing slashes\",\n\t\t\tinputURL: \"http://192.168.1.100:8080///\",\n\t\t\texpectedURL: \"http://192.168.1.100:8080\",\n\t\t\texpectErr: false,\n\t\t},\n\t\t{\n\t\t\tname: \"Empty BaseURL (optional case)\",\n\t\t\tinputURL: \"\",\n\t\t\texpectedURL: \"\",\n\t\t\texpectErr: false,\n\t\t},\n\t\t{\n\t\t\tname: \"Unsupported scheme (FTP)\",\n\t\t\tinputURL: \"ftp://files.example.com\",\n\t\t\texpectErr: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Malformed URL string\",\n\t\t\tinputURL: \"not-a-url\",\n\t\t\texpectErr: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Missing Host\",\n\t\t\tinputURL: \"https://\",\n\t\t\texpectErr: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Preserve path without trailing slash\",\n\t\t\tinputURL: \"https://example.com/sftp/\",\n\t\t\texpectedURL: \"https://example.com/sftp\",\n\t\t\texpectErr: false,\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tb := &Binding{\n\t\t\t\tBaseURL: tt.inputURL,\n\t\t\t}\n\n\t\t\terr := b.validateBaseURL()\n\n\t\t\tif (err != nil) != tt.expectErr {\n\t\t\t\tt.Errorf(\"validateBaseURL() error = %v, expectErr %v\", err, tt.expectErr)\n\t\t\t\treturn\n\t\t\t}\n\n\t\t\tif !tt.expectErr && b.BaseURL != tt.expectedURL {\n\t\t\t\tt.Errorf(\"validateBaseURL() got = %v, want %v\", b.BaseURL, tt.expectedURL)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc getCSRFTokenFromBody(body io.Reader) (string, error) {\n\tdoc, err := html.Parse(body)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\tvar csrfToken string\n\tvar f func(*html.Node)\n\n\tf = func(n *html.Node) {\n\t\tif n.Type == html.ElementNode && n.Data == \"input\" {\n\t\t\tvar name, value string\n\t\t\tfor _, attr := range n.Attr {\n\t\t\t\tif attr.Key == \"value\" {\n\t\t\t\t\tvalue = attr.Val\n\t\t\t\t}\n\t\t\t\tif attr.Key == \"name\" {\n\t\t\t\t\tname = attr.Val\n\t\t\t\t}\n\t\t\t}\n\t\t\tif name == csrfFormToken {\n\t\t\t\tcsrfToken = value\n\t\t\t\treturn\n\t\t\t}\n\t\t}\n\n\t\tfor c := n.FirstChild; c != nil; c = c.NextSibling {\n\t\t\tf(c)\n\t\t}\n\t}\n\n\tf(doc)\n\n\tif csrfToken == \"\" {\n\t\treturn \"\", errors.New(\"CSRF token not found\")\n\t}\n\n\treturn csrfToken, nil\n}\n\nfunc isSharedProviderSupported() bool {\n\t// SQLite shares the implementation with other SQL-based provider but it makes no sense\n\t// to use it outside test cases\n\tswitch dataprovider.GetProviderStatus().Driver {\n\tcase dataprovider.MySQLDataProviderName, dataprovider.PGSQLDataProviderName,\n\t\tdataprovider.CockroachDataProviderName, dataprovider.SQLiteDataProviderName:\n\t\treturn true\n\tdefault:\n\t\treturn false\n\t}\n}\n" }, { "path": "internal/httpd/middleware.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"io/fs\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"slices\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/rs/xid\"\n\t\"github.com/sftpgo/sdk\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/jwt\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nvar (\n\tforwardedProtoKey = &contextKey{\"forwarded proto\"}\n\terrInvalidToken = errors.New(\"invalid JWT token\")\n)\n\ntype contextKey struct {\n\tname string\n}\n\nfunc (k *contextKey) String() string {\n\treturn \"context value \" + k.name\n}\n\nfunc validateJWTToken(w http.ResponseWriter, r *http.Request, audience tokenAudience) error {\n\ttoken, err := jwt.FromContext(r.Context())\n\n\tvar redirectPath string\n\tif audience == tokenAudienceWebAdmin {\n\t\tredirectPath = webAdminLoginPath\n\t} else {\n\t\tredirectPath = webClientLoginPath\n\t\tif uri := r.RequestURI; strings.HasPrefix(uri, webClientFilesPath) {\n\t\t\tredirectPath += \"?next=\" + url.QueryEscape(uri) //nolint:goconst\n\t\t}\n\t}\n\n\tisAPIToken := (audience == tokenAudienceAPI || audience == tokenAudienceAPIUser)\n\n\tdoRedirect := func(message string, err error) {\n\t\tif isAPIToken {\n\t\t\tsendAPIResponse(w, r, err, message, http.StatusUnauthorized)\n\t\t} else {\n\t\t\thttp.Redirect(w, r, redirectPath, http.StatusFound)\n\t\t}\n\t}\n\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"error getting jwt token: %v\", err)\n\t\tdoRedirect(http.StatusText(http.StatusUnauthorized), err)\n\t\treturn errInvalidToken\n\t}\n\n\tif isTokenInvalidated(r) {\n\t\tlogger.Debug(logSender, \"\", \"the token has been invalidated\")\n\t\tdoRedirect(\"Your token is no longer valid\", nil)\n\t\treturn errInvalidToken\n\t}\n\t// a user with a partial token will be always redirected to the appropriate two factor auth page\n\tif err := checkPartialAuth(w, r, audience, token.Audience); err != nil {\n\t\treturn err\n\t}\n\tif !token.Audience.Contains(audience) {\n\t\tlogger.Debug(logSender, \"\", \"the token is not valid for audience %q\", audience)\n\t\tdoRedirect(\"Your token audience is not valid\", nil)\n\t\treturn errInvalidToken\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := validateIPForToken(token, ipAddr); err != nil {\n\t\tlogger.Debug(logSender, \"\", \"the token with id %q is not valid for the ip address %q\", token.ID, ipAddr)\n\t\tdoRedirect(\"Your token is not valid\", nil)\n\t\treturn err\n\t}\n\tif err := checkTokenSignature(r, token); err != nil {\n\t\tdoRedirect(\"Your token is no longer valid\", nil)\n\t\treturn err\n\t}\n\treturn nil\n}\n\nfunc (s *httpdServer) validateJWTPartialToken(w http.ResponseWriter, r *http.Request, audience tokenAudience) error {\n\ttoken, err := jwt.FromContext(r.Context())\n\tvar notFoundFunc func(w http.ResponseWriter, r *http.Request, err error)\n\tif audience == tokenAudienceWebAdminPartial {\n\t\tnotFoundFunc = s.renderNotFoundPage\n\t} else {\n\t\tnotFoundFunc = s.renderClientNotFoundPage\n\t}\n\tif err != nil {\n\t\tnotFoundFunc(w, r, nil)\n\t\treturn errInvalidToken\n\t}\n\tif isTokenInvalidated(r) {\n\t\tnotFoundFunc(w, r, nil)\n\t\treturn errInvalidToken\n\t}\n\tif !token.Audience.Contains(audience) {\n\t\tlogger.Debug(logSender, \"\", \"the partial token with id %q is not valid for audience %q\", token.ID, audience)\n\t\tnotFoundFunc(w, r, nil)\n\t\treturn errInvalidToken\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := validateIPForToken(token, ipAddr); err != nil {\n\t\tlogger.Debug(logSender, \"\", \"the partial token with id %q is not valid for the ip address %q\", token.ID, ipAddr)\n\t\tnotFoundFunc(w, r, nil)\n\t\treturn err\n\t}\n\n\treturn nil\n}\n\nfunc (s *httpdServer) jwtAuthenticatorPartial(audience tokenAudience) func(next http.Handler) http.Handler {\n\treturn func(next http.Handler) http.Handler {\n\t\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\t\tif err := s.validateJWTPartialToken(w, r, audience); err != nil {\n\t\t\t\treturn\n\t\t\t}\n\n\t\t\t// Token is authenticated, pass it through\n\t\t\tnext.ServeHTTP(w, r)\n\t\t})\n\t}\n}\n\nfunc jwtAuthenticatorAPI(next http.Handler) http.Handler {\n\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tif err := validateJWTToken(w, r, tokenAudienceAPI); err != nil {\n\t\t\treturn\n\t\t}\n\n\t\t// Token is authenticated, pass it through\n\t\tnext.ServeHTTP(w, r)\n\t})\n}\n\nfunc jwtAuthenticatorAPIUser(next http.Handler) http.Handler {\n\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tif err := validateJWTToken(w, r, tokenAudienceAPIUser); err != nil {\n\t\t\treturn\n\t\t}\n\n\t\t// Token is authenticated, pass it through\n\t\tnext.ServeHTTP(w, r)\n\t})\n}\n\nfunc jwtAuthenticatorWebAdmin(next http.Handler) http.Handler {\n\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tif err := validateJWTToken(w, r, tokenAudienceWebAdmin); err != nil {\n\t\t\treturn\n\t\t}\n\n\t\t// Token is authenticated, pass it through\n\t\tnext.ServeHTTP(w, r)\n\t})\n}\n\nfunc jwtAuthenticatorWebClient(next http.Handler) http.Handler {\n\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tif err := validateJWTToken(w, r, tokenAudienceWebClient); err != nil {\n\t\t\treturn\n\t\t}\n\n\t\t// Token is authenticated, pass it through\n\t\tnext.ServeHTTP(w, r)\n\t})\n}\n\nfunc (s *httpdServer) checkHTTPUserPerm(perm string) func(next http.Handler) http.Handler {\n\treturn func(next http.Handler) http.Handler {\n\t\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\t\tclaims, err := jwt.FromContext(r.Context())\n\t\t\tif err != nil {\n\t\t\t\tif isWebRequest(r) {\n\t\t\t\t\ts.renderClientBadRequestPage(w, r, err)\n\t\t\t\t} else {\n\t\t\t\t\tsendAPIResponse(w, r, err, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)\n\t\t\t\t}\n\t\t\t\treturn\n\t\t\t}\n\t\t\t// for web client perms are negated and not granted\n\t\t\tif claims.HasPerm(perm) {\n\t\t\t\tif isWebRequest(r) {\n\t\t\t\t\ts.renderClientForbiddenPage(w, r, errors.New(\"you don't have permission for this action\"))\n\t\t\t\t} else {\n\t\t\t\t\tsendAPIResponse(w, r, nil, http.StatusText(http.StatusForbidden), http.StatusForbidden)\n\t\t\t\t}\n\t\t\t\treturn\n\t\t\t}\n\n\t\t\tnext.ServeHTTP(w, r)\n\t\t})\n\t}\n}\n\n// checkAuthRequirements checks if the user must set a second factor auth or change the password\nfunc (s *httpdServer) checkAuthRequirements(next http.Handler) http.Handler {\n\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tclaims, err := jwt.FromContext(r.Context())\n\t\tif err != nil {\n\t\t\tif isWebRequest(r) {\n\t\t\t\tif isWebClientRequest(r) {\n\t\t\t\t\ts.renderClientBadRequestPage(w, r, err)\n\t\t\t\t} else {\n\t\t\t\t\ts.renderBadRequestPage(w, r, err)\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tsendAPIResponse(w, r, err, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)\n\t\t\t}\n\t\t\treturn\n\t\t}\n\t\tif claims.MustSetTwoFactorAuth || claims.MustChangePassword {\n\t\t\tvar err error\n\t\t\tif claims.MustSetTwoFactorAuth {\n\t\t\t\tif len(claims.RequiredTwoFactorProtocols) > 0 {\n\t\t\t\t\tprotocols := strings.Join(claims.RequiredTwoFactorProtocols, \", \")\n\t\t\t\t\terr = util.NewI18nError(\n\t\t\t\t\t\tutil.NewGenericError(\n\t\t\t\t\t\t\tfmt.Sprintf(\"Two-factor authentication requirements not met, please configure two-factor authentication for the following protocols: %v\",\n\t\t\t\t\t\t\t\tprotocols)),\n\t\t\t\t\t\tutil.I18nError2FARequired,\n\t\t\t\t\t\tutil.I18nErrorArgs(map[string]any{\n\t\t\t\t\t\t\t\"val\": protocols,\n\t\t\t\t\t\t}),\n\t\t\t\t\t)\n\t\t\t\t} else {\n\t\t\t\t\terr = util.NewI18nError(\n\t\t\t\t\t\tutil.NewGenericError(\"Two-factor authentication requirements not met, please configure two-factor authentication\"),\n\t\t\t\t\t\tutil.I18nError2FARequiredGeneric,\n\t\t\t\t\t)\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\terr = util.NewI18nError(\n\t\t\t\t\tutil.NewGenericError(\"Password change required. Please set a new password to continue to use your account\"),\n\t\t\t\t\tutil.I18nErrorChangePwdRequired,\n\t\t\t\t)\n\t\t\t}\n\t\t\tif isWebRequest(r) {\n\t\t\t\tif isWebClientRequest(r) {\n\t\t\t\t\ts.renderClientForbiddenPage(w, r, err)\n\t\t\t\t} else {\n\t\t\t\t\ts.renderForbiddenPage(w, r, err)\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tsendAPIResponse(w, r, err, \"\", http.StatusForbidden)\n\t\t\t}\n\t\t\treturn\n\t\t}\n\n\t\tnext.ServeHTTP(w, r)\n\t})\n}\n\nfunc (s *httpdServer) requireBuiltinLogin(next http.Handler) http.Handler {\n\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tif isLoggedInWithOIDC(r) {\n\t\t\terr := util.NewI18nError(\n\t\t\t\tutil.NewGenericError(\"This feature is not available if you are logged in with OpenID\"),\n\t\t\t\tutil.I18nErrorNoOIDCFeature,\n\t\t\t)\n\t\t\tif isWebClientRequest(r) {\n\t\t\t\ts.renderClientForbiddenPage(w, r, err)\n\t\t\t} else {\n\t\t\t\ts.renderForbiddenPage(w, r, err)\n\t\t\t}\n\t\t\treturn\n\t\t}\n\t\tnext.ServeHTTP(w, r)\n\t})\n}\n\nfunc (s *httpdServer) checkPerms(perms ...string) func(next http.Handler) http.Handler {\n\treturn func(next http.Handler) http.Handler {\n\t\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\t\tclaims, err := jwt.FromContext(r.Context())\n\t\t\tif err != nil {\n\t\t\t\tif isWebRequest(r) {\n\t\t\t\t\ts.renderBadRequestPage(w, r, err)\n\t\t\t\t} else {\n\t\t\t\t\tsendAPIResponse(w, r, err, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)\n\t\t\t\t}\n\t\t\t\treturn\n\t\t\t}\n\n\t\t\tfor _, perm := range perms {\n\t\t\t\tif !claims.HasPerm(perm) {\n\t\t\t\t\tif isWebRequest(r) {\n\t\t\t\t\t\ts.renderForbiddenPage(w, r, util.NewI18nError(fs.ErrPermission, util.I18nError403Message))\n\t\t\t\t\t} else {\n\t\t\t\t\t\tsendAPIResponse(w, r, nil, http.StatusText(http.StatusForbidden), http.StatusForbidden)\n\t\t\t\t\t}\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tnext.ServeHTTP(w, r)\n\t\t})\n\t}\n}\n\nfunc (s *httpdServer) verifyCSRFHeader(next http.Handler) http.Handler {\n\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\ttokenString := r.Header.Get(csrfHeaderToken)\n\t\ttoken, err := jwt.VerifyToken(s.csrfTokenAuth, tokenString)\n\t\tif err != nil || token == nil {\n\t\t\tlogger.Debug(logSender, \"\", \"error validating CSRF header: %v\", err)\n\t\t\tsendAPIResponse(w, r, err, \"Invalid token\", http.StatusForbidden)\n\t\t\treturn\n\t\t}\n\n\t\tif !token.Audience.Contains(tokenAudienceCSRF) {\n\t\t\tlogger.Debug(logSender, \"\", \"error validating CSRF header token audience\")\n\t\t\tsendAPIResponse(w, r, errors.New(\"the token is not valid\"), \"\", http.StatusForbidden)\n\t\t\treturn\n\t\t}\n\n\t\tif err := validateIPForToken(token, util.GetIPFromRemoteAddress(r.RemoteAddr)); err != nil {\n\t\t\tlogger.Debug(logSender, \"\", \"error validating CSRF header IP audience\")\n\t\t\tsendAPIResponse(w, r, errors.New(\"the token is not valid\"), \"\", http.StatusForbidden)\n\t\t\treturn\n\t\t}\n\t\tif err := checkCSRFTokenRef(r, token); err != nil {\n\t\t\tsendAPIResponse(w, r, errors.New(\"the token is not valid\"), \"\", http.StatusForbidden)\n\t\t\treturn\n\t\t}\n\n\t\tnext.ServeHTTP(w, r)\n\t})\n}\n\nfunc checkNodeToken(tokenAuth *jwt.Signer) func(next http.Handler) http.Handler {\n\treturn func(next http.Handler) http.Handler {\n\t\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\t\tbearer := r.Header.Get(dataprovider.NodeTokenHeader)\n\t\t\tif bearer == \"\" {\n\t\t\t\tnext.ServeHTTP(w, r)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tconst prefix = \"Bearer \"\n\t\t\tif len(bearer) >= len(prefix) && strings.EqualFold(bearer[:len(prefix)], prefix) {\n\t\t\t\tbearer = bearer[len(prefix):]\n\t\t\t}\n\t\t\tif invalidatedJWTTokens.Get(bearer) {\n\t\t\t\tlogger.Debug(logSender, \"\", \"the node token has been invalidated\")\n\t\t\t\tsendAPIResponse(w, r, fmt.Errorf(\"the provided token is not valid\"), \"\", http.StatusUnauthorized)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tclaims, err := dataprovider.AuthenticateNodeToken(bearer)\n\t\t\tif err != nil {\n\t\t\t\tlogger.Debug(logSender, \"\", \"unable to authenticate node token %q: %v\", bearer, err)\n\t\t\t\tsendAPIResponse(w, r, fmt.Errorf(\"the provided token cannot be authenticated\"), \"\", http.StatusUnauthorized)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tdefer invalidatedJWTTokens.Add(bearer, time.Now().Add(2*time.Minute).UTC())\n\n\t\t\tc := &jwt.Claims{\n\t\t\t\tUsername: claims.Username,\n\t\t\t\tPermissions: claims.Permissions,\n\t\t\t\tNodeID: dataprovider.GetNodeName(),\n\t\t\t\tRole: claims.Role,\n\t\t\t}\n\n\t\t\ttoken, err := tokenAuth.SignWithParams(c, tokenAudienceAPI, util.GetIPFromRemoteAddress(r.RemoteAddr), getTokenDuration(tokenAudienceAPI))\n\t\t\tif err != nil {\n\t\t\t\tsendAPIResponse(w, r, err, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tresp := c.BuildTokenResponse(token)\n\t\t\tr.Header.Set(\"Authorization\", fmt.Sprintf(\"Bearer %s\", resp.Token))\n\n\t\t\tnext.ServeHTTP(w, r)\n\t\t})\n\t}\n}\n\nfunc checkAPIKeyAuth(tokenAuth *jwt.Signer, scope dataprovider.APIKeyScope) func(next http.Handler) http.Handler {\n\treturn func(next http.Handler) http.Handler {\n\t\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\t\tapiKey := r.Header.Get(\"X-SFTPGO-API-KEY\")\n\t\t\tif apiKey == \"\" {\n\t\t\t\tnext.ServeHTTP(w, r)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tkeyParams := strings.SplitN(apiKey, \".\", 3)\n\t\t\tif len(keyParams) < 2 {\n\t\t\t\tlogger.Debug(logSender, \"\", \"invalid api key %q\", apiKey)\n\t\t\t\tsendAPIResponse(w, r, errors.New(\"the provided api key is not valid\"), \"\", http.StatusBadRequest)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tkeyID := keyParams[0]\n\t\t\tkey := keyParams[1]\n\t\t\tapiUser := \"\"\n\t\t\tif len(keyParams) > 2 {\n\t\t\t\tapiUser = keyParams[2]\n\t\t\t}\n\n\t\t\tk, err := dataprovider.APIKeyExists(keyID)\n\t\t\tif err != nil {\n\t\t\t\thandleDefenderEventLoginFailed(util.GetIPFromRemoteAddress(r.RemoteAddr), util.NewRecordNotFoundError(\"invalid api key\")) //nolint:errcheck\n\t\t\t\tlogger.Debug(logSender, \"\", \"invalid api key %q: %v\", apiKey, err)\n\t\t\t\tsendAPIResponse(w, r, errors.New(\"the provided api key is not valid\"), \"\", http.StatusBadRequest)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tif k.Scope != scope {\n\t\t\t\thandleDefenderEventLoginFailed(util.GetIPFromRemoteAddress(r.RemoteAddr), dataprovider.ErrInvalidCredentials) //nolint:errcheck\n\t\t\t\tlogger.Debug(logSender, \"\", \"unable to authenticate api key %q: invalid scope: got %d, wanted: %d\",\n\t\t\t\t\tapiKey, k.Scope, scope)\n\t\t\t\tsendAPIResponse(w, r, fmt.Errorf(\"the provided api key is invalid for this request\"), \"\", http.StatusForbidden)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tif err := k.Authenticate(key); err != nil {\n\t\t\t\thandleDefenderEventLoginFailed(util.GetIPFromRemoteAddress(r.RemoteAddr), dataprovider.ErrInvalidCredentials) //nolint:errcheck\n\t\t\t\tlogger.Debug(logSender, \"\", \"unable to authenticate api key %q: %v\", apiKey, err)\n\t\t\t\tsendAPIResponse(w, r, fmt.Errorf(\"the provided api key cannot be authenticated\"), \"\", http.StatusUnauthorized)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tif scope == dataprovider.APIKeyScopeAdmin {\n\t\t\t\tif k.Admin != \"\" {\n\t\t\t\t\tapiUser = k.Admin\n\t\t\t\t}\n\t\t\t\tif err := authenticateAdminWithAPIKey(apiUser, keyID, tokenAuth, r); err != nil {\n\t\t\t\t\thandleDefenderEventLoginFailed(util.GetIPFromRemoteAddress(r.RemoteAddr), err) //nolint:errcheck\n\t\t\t\t\tlogger.Debug(logSender, \"\", \"unable to authenticate admin %q associated with api key %q: %v\",\n\t\t\t\t\t\tapiUser, apiKey, err)\n\t\t\t\t\tsendAPIResponse(w, r, fmt.Errorf(\"the admin associated with the provided api key cannot be authenticated\"),\n\t\t\t\t\t\t\"\", http.StatusUnauthorized)\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\tcommon.DelayLogin(nil)\n\t\t\t} else {\n\t\t\t\tif k.User != \"\" {\n\t\t\t\t\tapiUser = k.User\n\t\t\t\t}\n\t\t\t\tif err := authenticateUserWithAPIKey(apiUser, keyID, tokenAuth, r); err != nil {\n\t\t\t\t\tlogger.Debug(logSender, \"\", \"unable to authenticate user %q associated with api key %q: %v\",\n\t\t\t\t\t\tapiUser, apiKey, err)\n\t\t\t\t\tupdateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: apiUser}},\n\t\t\t\t\t\tdataprovider.LoginMethodPassword, util.GetIPFromRemoteAddress(r.RemoteAddr), err, r)\n\t\t\t\t\tcode := http.StatusUnauthorized\n\t\t\t\t\tif errors.Is(err, common.ErrInternalFailure) {\n\t\t\t\t\t\tcode = http.StatusInternalServerError\n\t\t\t\t\t}\n\t\t\t\t\tsendAPIResponse(w, r, errors.New(\"the user associated with the provided api key cannot be authenticated\"),\n\t\t\t\t\t\t\"\", code)\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\tupdateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: apiUser}},\n\t\t\t\t\tdataprovider.LoginMethodPassword, util.GetIPFromRemoteAddress(r.RemoteAddr), nil, r)\n\t\t\t}\n\t\t\tdataprovider.UpdateAPIKeyLastUse(&k) //nolint:errcheck\n\n\t\t\tnext.ServeHTTP(w, r)\n\t\t})\n\t}\n}\n\nfunc forbidAPIKeyAuthentication(next http.Handler) http.Handler {\n\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tclaims, err := jwt.FromContext(r.Context())\n\t\tif err != nil || claims.Username == \"\" {\n\t\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\t\treturn\n\t\t}\n\t\tif claims.APIKeyID != \"\" {\n\t\t\tsendAPIResponse(w, r, nil, \"API key authentication is not allowed\", http.StatusForbidden)\n\t\t\treturn\n\t\t}\n\n\t\tnext.ServeHTTP(w, r)\n\t})\n}\n\nfunc authenticateAdminWithAPIKey(username, keyID string, tokenAuth *jwt.Signer, r *http.Request) error {\n\tif username == \"\" {\n\t\treturn errors.New(\"the provided key is not associated with any admin and no username was provided\")\n\t}\n\tadmin, err := dataprovider.AdminExists(username)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif !admin.Filters.AllowAPIKeyAuth {\n\t\treturn fmt.Errorf(\"API key authentication disabled for admin %q\", admin.Username)\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := admin.CanLogin(ipAddr); err != nil {\n\t\treturn err\n\t}\n\tc := &jwt.Claims{\n\t\tUsername: admin.Username,\n\t\tPermissions: admin.Permissions,\n\t\tRole: admin.Role,\n\t\tAPIKeyID: keyID,\n\t}\n\tc.Subject = admin.GetSignature()\n\n\ttoken, err := tokenAuth.SignWithParams(c, tokenAudienceAPI, ipAddr, getTokenDuration(tokenAudienceAPI))\n\tif err != nil {\n\t\treturn err\n\t}\n\tresp := c.BuildTokenResponse(token)\n\tr.Header.Set(\"Authorization\", fmt.Sprintf(\"Bearer %s\", resp.Token))\n\tdataprovider.UpdateAdminLastLogin(&admin)\n\tcommon.DelayLogin(nil)\n\treturn nil\n}\n\nfunc authenticateUserWithAPIKey(username, keyID string, tokenAuth *jwt.Signer, r *http.Request) error {\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tprotocol := common.ProtocolHTTP\n\tif username == \"\" {\n\t\terr := errors.New(\"the provided key is not associated with any user and no username was provided\")\n\t\tupdateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},\n\t\t\tdataprovider.LoginMethodPassword, ipAddr, err, r)\n\t\treturn err\n\t}\n\tif err := common.Config.ExecutePostConnectHook(ipAddr, protocol); err != nil {\n\t\treturn err\n\t}\n\tuser, err := dataprovider.GetUserWithGroupSettings(username, \"\")\n\tif err != nil {\n\t\tupdateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},\n\t\t\tdataprovider.LoginMethodPassword, ipAddr, err, r)\n\t\treturn err\n\t}\n\tif !user.Filters.AllowAPIKeyAuth {\n\t\terr := fmt.Errorf(\"API key authentication disabled for user %q\", user.Username)\n\t\tupdateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r)\n\t\treturn err\n\t}\n\tif err := user.CheckLoginConditions(); err != nil {\n\t\tupdateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r)\n\t\treturn err\n\t}\n\tconnectionID := fmt.Sprintf(\"%v_%v\", protocol, xid.New().String())\n\tif err := checkHTTPClientUser(&user, r, connectionID, true, false); err != nil {\n\t\tupdateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r)\n\t\treturn err\n\t}\n\tdefer user.CloseFs() //nolint:errcheck\n\terr = user.CheckFsRoot(connectionID)\n\tif err != nil {\n\t\tupdateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r)\n\t\treturn common.ErrInternalFailure\n\t}\n\tc := &jwt.Claims{\n\t\tUsername: user.Username,\n\t\tPermissions: user.Filters.WebClient,\n\t\tRole: user.Role,\n\t\tAPIKeyID: keyID,\n\t}\n\tc.Subject = user.GetSignature()\n\n\ttoken, err := tokenAuth.SignWithParams(c, tokenAudienceAPIUser, ipAddr, getTokenDuration(tokenAudienceAPIUser))\n\tif err != nil {\n\t\tupdateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r)\n\t\treturn err\n\t}\n\tresp := c.BuildTokenResponse(token)\n\tr.Header.Set(\"Authorization\", fmt.Sprintf(\"Bearer %s\", resp.Token))\n\tdataprovider.UpdateLastLogin(&user)\n\tupdateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, nil, r)\n\n\treturn nil\n}\n\nfunc checkPartialAuth(w http.ResponseWriter, r *http.Request, audience string, tokenAudience []string) error {\n\tif audience == tokenAudienceWebAdmin && slices.Contains(tokenAudience, tokenAudienceWebAdminPartial) {\n\t\thttp.Redirect(w, r, webAdminTwoFactorPath, http.StatusFound)\n\t\treturn errInvalidToken\n\t}\n\tif audience == tokenAudienceWebClient && slices.Contains(tokenAudience, tokenAudienceWebClientPartial) {\n\t\thttp.Redirect(w, r, webClientTwoFactorPath, http.StatusFound)\n\t\treturn errInvalidToken\n\t}\n\treturn nil\n}\n\nfunc cacheControlMiddleware(next http.Handler) http.Handler {\n\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tw.Header().Set(\"Cache-Control\", \"no-cache, no-store, max-age=0, must-revalidate, private\")\n\t\tnext.ServeHTTP(w, r)\n\t})\n}\n\nfunc cleanCacheControlMiddleware(next http.Handler) http.Handler {\n\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tw.Header().Del(\"Cache-Control\")\n\t\tnext.ServeHTTP(w, r)\n\t})\n}\n" }, { "path": "internal/httpd/oauth2.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"sync\"\n\t\"time\"\n\n\t\"golang.org/x/oauth2\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nvar (\n\toauth2Mgr oauth2Manager\n)\n\nfunc newOAuth2Manager(isShared int) oauth2Manager {\n\tif isShared == 1 {\n\t\tlogger.Info(logSender, \"\", \"using provider OAuth2 manager\")\n\t\treturn &dbOAuth2Manager{}\n\t}\n\tlogger.Info(logSender, \"\", \"using memory OAuth2 manager\")\n\treturn &memoryOAuth2Manager{\n\t\tpendingAuths: make(map[string]oauth2PendingAuth),\n\t}\n}\n\ntype oauth2PendingAuth struct {\n\tState string `json:\"state\"`\n\tProvider int `json:\"provider\"`\n\tClientID string `json:\"client_id\"`\n\tClientSecret *kms.Secret `json:\"client_secret\"`\n\tRedirectURL string `json:\"redirect_url\"`\n\tIssuedAt int64 `json:\"issued_at\"`\n\tVerifier string `json:\"verifier\"`\n}\n\nfunc newOAuth2PendingAuth(provider int, redirectURL, clientID string, clientSecret *kms.Secret) oauth2PendingAuth {\n\treturn oauth2PendingAuth{\n\t\tState: util.GenerateOpaqueString(),\n\t\tProvider: provider,\n\t\tClientID: clientID,\n\t\tClientSecret: clientSecret,\n\t\tRedirectURL: redirectURL,\n\t\tIssuedAt: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\tVerifier: oauth2.GenerateVerifier(),\n\t}\n}\n\ntype oauth2Manager interface {\n\taddPendingAuth(pendingAuth oauth2PendingAuth)\n\tremovePendingAuth(state string)\n\tgetPendingAuth(state string) (oauth2PendingAuth, error)\n\tcleanup()\n}\n\ntype memoryOAuth2Manager struct {\n\tmu sync.RWMutex\n\tpendingAuths map[string]oauth2PendingAuth\n}\n\nfunc (o *memoryOAuth2Manager) addPendingAuth(pendingAuth oauth2PendingAuth) {\n\to.mu.Lock()\n\tdefer o.mu.Unlock()\n\n\to.pendingAuths[pendingAuth.State] = pendingAuth\n}\n\nfunc (o *memoryOAuth2Manager) removePendingAuth(state string) {\n\to.mu.Lock()\n\tdefer o.mu.Unlock()\n\n\tdelete(o.pendingAuths, state)\n}\n\nfunc (o *memoryOAuth2Manager) getPendingAuth(state string) (oauth2PendingAuth, error) {\n\to.mu.RLock()\n\tdefer o.mu.RUnlock()\n\n\tauthReq, ok := o.pendingAuths[state]\n\tif !ok {\n\t\treturn oauth2PendingAuth{}, errors.New(\"oauth2: no auth request found for the specified state\")\n\t}\n\tdiff := util.GetTimeAsMsSinceEpoch(time.Now()) - authReq.IssuedAt\n\tif diff > authStateValidity {\n\t\treturn oauth2PendingAuth{}, errors.New(\"oauth2: auth request is too old\")\n\t}\n\treturn authReq, nil\n}\n\nfunc (o *memoryOAuth2Manager) cleanup() {\n\to.mu.Lock()\n\tdefer o.mu.Unlock()\n\n\tfor k, auth := range o.pendingAuths {\n\t\tdiff := util.GetTimeAsMsSinceEpoch(time.Now()) - auth.IssuedAt\n\t\t// remove old pending auth requests\n\t\tif diff < 0 || diff > authStateValidity {\n\t\t\tdelete(o.pendingAuths, k)\n\t\t}\n\t}\n}\n\ntype dbOAuth2Manager struct{}\n\nfunc (o *dbOAuth2Manager) addPendingAuth(pendingAuth oauth2PendingAuth) {\n\tif err := pendingAuth.ClientSecret.Encrypt(); err != nil {\n\t\tlogger.Error(logSender, \"\", \"unable to encrypt oauth2 secret: %v\", err)\n\t\treturn\n\t}\n\tsession := dataprovider.Session{\n\t\tKey: pendingAuth.State,\n\t\tData: pendingAuth,\n\t\tType: dataprovider.SessionTypeOAuth2Auth,\n\t\tTimestamp: pendingAuth.IssuedAt + authStateValidity,\n\t}\n\tdataprovider.AddSharedSession(session) //nolint:errcheck\n}\n\nfunc (o *dbOAuth2Manager) removePendingAuth(state string) {\n\tdataprovider.DeleteSharedSession(state, dataprovider.SessionTypeOAuth2Auth) //nolint:errcheck\n}\n\nfunc (o *dbOAuth2Manager) getPendingAuth(state string) (oauth2PendingAuth, error) {\n\tsession, err := dataprovider.GetSharedSession(state, dataprovider.SessionTypeOAuth2Auth)\n\tif err != nil {\n\t\treturn oauth2PendingAuth{}, errors.New(\"oauth2: unable to get the auth request for the specified state\")\n\t}\n\tif session.Timestamp < util.GetTimeAsMsSinceEpoch(time.Now()) {\n\t\t// expired\n\t\treturn oauth2PendingAuth{}, errors.New(\"oauth2: auth request is too old\")\n\t}\n\treturn o.decodePendingAuthData(session.Data)\n}\n\nfunc (o *dbOAuth2Manager) decodePendingAuthData(data any) (oauth2PendingAuth, error) {\n\tif val, ok := data.([]byte); ok {\n\t\tauthReq := oauth2PendingAuth{}\n\t\terr := json.Unmarshal(val, &authReq)\n\t\tif err != nil {\n\t\t\treturn authReq, err\n\t\t}\n\t\terr = authReq.ClientSecret.TryDecrypt()\n\t\treturn authReq, err\n\t}\n\tlogger.Error(logSender, \"\", \"invalid oauth2 auth request data type %T\", data)\n\treturn oauth2PendingAuth{}, errors.New(\"oauth2: invalid auth request data\")\n}\n\nfunc (o *dbOAuth2Manager) cleanup() {\n\tdataprovider.CleanupSharedSessions(dataprovider.SessionTypeOAuth2Auth, time.Now()) //nolint:errcheck\n}\n" }, { "path": "internal/httpd/oauth2_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"encoding/json\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/rs/xid\"\n\tsdkkms \"github.com/sftpgo/sdk/kms\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nfunc TestMemoryOAuth2Manager(t *testing.T) {\n\tmgr := newOAuth2Manager(0)\n\tm, ok := mgr.(*memoryOAuth2Manager)\n\trequire.True(t, ok)\n\trequire.Len(t, m.pendingAuths, 0)\n\t_, err := m.getPendingAuth(xid.New().String())\n\trequire.Error(t, err)\n\tassert.Contains(t, err.Error(), \"no auth request found\")\n\tauth := newOAuth2PendingAuth(1, \"https://...\", \"cid\", kms.NewPlainSecret(\"mysecret\"))\n\tm.addPendingAuth(auth)\n\trequire.Len(t, m.pendingAuths, 1)\n\ta, err := m.getPendingAuth(auth.State)\n\tassert.NoError(t, err)\n\tassert.Equal(t, auth.State, a.State)\n\tassert.Equal(t, sdkkms.SecretStatusPlain, a.ClientSecret.GetStatus())\n\tm.removePendingAuth(auth.State)\n\t_, err = m.getPendingAuth(auth.State)\n\trequire.Error(t, err)\n\tassert.Contains(t, err.Error(), \"no auth request found\")\n\trequire.Len(t, m.pendingAuths, 0)\n\tstate := xid.New().String()\n\tauth = oauth2PendingAuth{\n\t\tState: state,\n\t\tProvider: 1,\n\t\tIssuedAt: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t}\n\tm.addPendingAuth(auth)\n\tauth = oauth2PendingAuth{\n\t\tState: xid.New().String(),\n\t\tProvider: 1,\n\t\tIssuedAt: util.GetTimeAsMsSinceEpoch(time.Now().Add(-10 * time.Minute)),\n\t}\n\tm.addPendingAuth(auth)\n\trequire.Len(t, m.pendingAuths, 2)\n\t_, err = m.getPendingAuth(auth.State)\n\trequire.Error(t, err)\n\tassert.Contains(t, err.Error(), \"auth request is too old\")\n\tm.cleanup()\n\trequire.Len(t, m.pendingAuths, 1)\n\tm.removePendingAuth(state)\n\trequire.Len(t, m.pendingAuths, 0)\n}\n\nfunc TestDbOAuth2Manager(t *testing.T) {\n\tif !isSharedProviderSupported() {\n\t\tt.Skip(\"this test it is not available with this provider\")\n\t}\n\tmgr := newOAuth2Manager(1)\n\tm, ok := mgr.(*dbOAuth2Manager)\n\trequire.True(t, ok)\n\t_, err := m.getPendingAuth(xid.New().String())\n\trequire.Error(t, err)\n\tauth := newOAuth2PendingAuth(1, \"https://...\", \"client_id\", kms.NewPlainSecret(\"my db secret\"))\n\tm.addPendingAuth(auth)\n\ta, err := m.getPendingAuth(auth.State)\n\tassert.NoError(t, err)\n\tassert.Equal(t, sdkkms.SecretStatusPlain, a.ClientSecret.GetStatus())\n\tsession, err := dataprovider.GetSharedSession(auth.State, dataprovider.SessionTypeOAuth2Auth)\n\tassert.NoError(t, err)\n\tauthReq := oauth2PendingAuth{}\n\terr = json.Unmarshal(session.Data.([]byte), &authReq)\n\tassert.NoError(t, err)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, authReq.ClientSecret.GetStatus())\n\tm.cleanup()\n\t_, err = m.getPendingAuth(auth.State)\n\tassert.NoError(t, err)\n\tm.removePendingAuth(auth.State)\n\t_, err = m.getPendingAuth(auth.State)\n\tassert.Error(t, err)\n\tauth = oauth2PendingAuth{\n\t\tState: xid.New().String(),\n\t\tProvider: 1,\n\t\tIssuedAt: util.GetTimeAsMsSinceEpoch(time.Now().Add(-10 * time.Minute)),\n\t\tClientSecret: kms.NewPlainSecret(\"db secret\"),\n\t}\n\tm.addPendingAuth(auth)\n\t_, err = m.getPendingAuth(auth.State)\n\tassert.Error(t, err)\n\t_, err = dataprovider.GetSharedSession(auth.State, dataprovider.SessionTypeOAuth2Auth)\n\tassert.NoError(t, err)\n\tm.cleanup()\n\t_, err = dataprovider.GetSharedSession(auth.State, dataprovider.SessionTypeOAuth2Auth)\n\tassert.Error(t, err)\n\t_, err = m.decodePendingAuthData(\"not a byte array\")\n\trequire.Error(t, err)\n\tassert.Contains(t, err.Error(), \"invalid auth request data\")\n\t_, err = m.decodePendingAuthData([]byte(\"{not a json\"))\n\trequire.Error(t, err)\n\t// adding a request with a non plain secret will fail\n\tauth = oauth2PendingAuth{\n\t\tState: xid.New().String(),\n\t\tProvider: 1,\n\t\tIssuedAt: util.GetTimeAsMsSinceEpoch(time.Now().Add(-10 * time.Minute)),\n\t\tClientSecret: kms.NewPlainSecret(\"db secret\"),\n\t}\n\tauth.ClientSecret.SetStatus(sdkkms.SecretStatusSecretBox)\n\tm.addPendingAuth(auth)\n\t_, err = dataprovider.GetSharedSession(auth.State, dataprovider.SessionTypeOAuth2Auth)\n\tassert.Error(t, err)\n\tasJSON, err := json.Marshal(auth)\n\tassert.NoError(t, err)\n\t_, err = m.decodePendingAuthData(asJSON)\n\tassert.Error(t, err)\n}\n" }, { "path": "internal/httpd/oidc.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"slices\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/coreos/go-oidc/v3/oidc\"\n\t\"github.com/rs/xid\"\n\t\"golang.org/x/oauth2\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpclient\"\n\t\"github.com/drakkan/sftpgo/v2/internal/jwt\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nconst (\n\toidcCookieKey = \"oidc\"\n\tadminRoleFieldValue = \"admin\"\n\tauthStateValidity = 2 * 60 * 1000 // 2 minutes\n\ttokenUpdateInterval = 3 * 60 * 1000 // 3 minutes\n\ttokenDeleteInterval = 2 * 3600 * 1000 // 2 hours\n)\n\nvar (\n\toidcTokenKey = &contextKey{\"OIDC token key\"}\n\toidcGeneratedToken = &contextKey{\"OIDC generated token\"}\n)\n\n// OAuth2Config defines an interface for OAuth2 methods, so we can mock them\ntype OAuth2Config interface {\n\tAuthCodeURL(state string, opts ...oauth2.AuthCodeOption) string\n\tExchange(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error)\n\tTokenSource(ctx context.Context, t *oauth2.Token) oauth2.TokenSource\n}\n\n// OIDCTokenVerifier defines an interface for OpenID token verifier, so we can mock them\ntype OIDCTokenVerifier interface {\n\tVerify(ctx context.Context, rawIDToken string) (*oidc.IDToken, error)\n}\n\n// OIDC defines the OpenID Connect configuration\ntype OIDC struct {\n\t// ClientID is the application's ID\n\tClientID string `json:\"client_id\" mapstructure:\"client_id\"`\n\t// ClientSecret is the application's secret\n\tClientSecret string `json:\"client_secret\" mapstructure:\"client_secret\"`\n\tClientSecretFile string `json:\"client_secret_file\" mapstructure:\"client_secret_file\"`\n\t// ConfigURL is the identifier for the service.\n\t// SFTPGo will try to retrieve the provider configuration on startup and then\n\t// will refuse to start if it fails to connect to the specified URL\n\tConfigURL string `json:\"config_url\" mapstructure:\"config_url\"`\n\t// RedirectBaseURL is the base URL to redirect to after OpenID authentication.\n\t// The suffix \"/web/oidc/redirect\" will be added to this base URL, adding also the\n\t// \"web_root\" if configured\n\tRedirectBaseURL string `json:\"redirect_base_url\" mapstructure:\"redirect_base_url\"`\n\t// ID token claims field to map to the SFTPGo username\n\tUsernameField string `json:\"username_field\" mapstructure:\"username_field\"`\n\t// Optional ID token claims field to map to a SFTPGo role.\n\t// If the defined ID token claims field is set to \"admin\" the authenticated user\n\t// is mapped to an SFTPGo admin.\n\t// You don't need to specify this field if you want to use OpenID only for the\n\t// Web Client UI\n\tRoleField string `json:\"role_field\" mapstructure:\"role_field\"`\n\t// If set, the `RoleField` is ignored and the SFTPGo role is assumed based on\n\t// the login link used\n\tImplicitRoles bool `json:\"implicit_roles\" mapstructure:\"implicit_roles\"`\n\t// Scopes required by the OAuth provider to retrieve information about the authenticated user.\n\t// The \"openid\" scope is required.\n\t// Refer to your OAuth provider documentation for more information about this\n\tScopes []string `json:\"scopes\" mapstructure:\"scopes\"`\n\t// Custom token claims fields to pass to the pre-login hook\n\tCustomFields []string `json:\"custom_fields\" mapstructure:\"custom_fields\"`\n\t// InsecureSkipSignatureCheck causes SFTPGo to skip JWT signature validation.\n\t// It's intended for special cases where providers, such as Azure, use the \"none\"\n\t// algorithm. Skipping the signature validation can cause security issues\n\tInsecureSkipSignatureCheck bool `json:\"insecure_skip_signature_check\" mapstructure:\"insecure_skip_signature_check\"`\n\t// Debug enables the OIDC debug mode. In debug mode, the received id_token will be logged\n\t// at the debug level\n\tDebug bool `json:\"debug\" mapstructure:\"debug\"`\n\tprovider *oidc.Provider\n\tverifier OIDCTokenVerifier\n\tproviderLogoutURL string\n\toauth2Config OAuth2Config\n}\n\nfunc (o *OIDC) isEnabled() bool {\n\treturn o.provider != nil\n}\n\nfunc (o *OIDC) hasRoles() bool {\n\treturn o.isEnabled() && (o.RoleField != \"\" || o.ImplicitRoles)\n}\n\nfunc (o *OIDC) getForcedRole(audience string) string {\n\tif !o.ImplicitRoles {\n\t\treturn \"\"\n\t}\n\tif audience == tokenAudienceWebAdmin {\n\t\treturn adminRoleFieldValue\n\t}\n\treturn \"\"\n}\n\nfunc (o *OIDC) getRedirectURL() string {\n\turl := o.RedirectBaseURL\n\tif strings.HasSuffix(o.RedirectBaseURL, \"/\") {\n\t\turl = strings.TrimSuffix(o.RedirectBaseURL, \"/\")\n\t}\n\turl += webOIDCRedirectPath\n\tlogger.Debug(logSender, \"\", \"oidc redirect URL: %q\", url)\n\treturn url\n}\n\nfunc (o *OIDC) initialize() error {\n\tif o.ConfigURL == \"\" {\n\t\treturn nil\n\t}\n\tif o.UsernameField == \"\" {\n\t\treturn errors.New(\"oidc: username field cannot be empty\")\n\t}\n\tif o.RedirectBaseURL == \"\" {\n\t\treturn errors.New(\"oidc: redirect base URL cannot be empty\")\n\t}\n\tif !slices.Contains(o.Scopes, oidc.ScopeOpenID) {\n\t\treturn fmt.Errorf(\"oidc: required scope %q is not set\", oidc.ScopeOpenID)\n\t}\n\tif o.ClientSecretFile != \"\" {\n\t\tsecret, err := util.ReadConfigFromFile(o.ClientSecretFile, configurationDir)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\to.ClientSecret = secret\n\t}\n\tctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)\n\tdefer cancel()\n\n\tprovider, err := oidc.NewProvider(ctx, o.ConfigURL)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"oidc: unable to initialize provider for URL %q: %w\", o.ConfigURL, err)\n\t}\n\tclaims := make(map[string]any)\n\t// we cannot get an error here because the response body was already parsed as JSON\n\t// on provider creation\n\tprovider.Claims(&claims) //nolint:errcheck\n\tendSessionEndPoint, ok := claims[\"end_session_endpoint\"]\n\tif ok {\n\t\tif val, ok := endSessionEndPoint.(string); ok {\n\t\t\to.providerLogoutURL = val\n\t\t\tlogger.Debug(logSender, \"\", \"oidc end session endpoint %q\", o.providerLogoutURL)\n\t\t}\n\t}\n\to.provider = provider\n\to.verifier = nil\n\to.oauth2Config = &oauth2.Config{\n\t\tClientID: o.ClientID,\n\t\tClientSecret: o.ClientSecret,\n\t\tEndpoint: o.provider.Endpoint(),\n\t\tRedirectURL: o.getRedirectURL(),\n\t\tScopes: o.Scopes,\n\t}\n\n\treturn nil\n}\n\nfunc (o *OIDC) getVerifier(ctx context.Context) OIDCTokenVerifier {\n\tif o.verifier != nil {\n\t\treturn o.verifier\n\t}\n\treturn o.provider.VerifierContext(ctx, &oidc.Config{\n\t\tClientID: o.ClientID,\n\t\tInsecureSkipSignatureCheck: o.InsecureSkipSignatureCheck,\n\t})\n}\n\ntype oidcPendingAuth struct {\n\tState string `json:\"state\"`\n\tNonce string `json:\"nonce\"`\n\tAudience tokenAudience `json:\"audience\"`\n\tIssuedAt int64 `json:\"issued_at\"`\n\tVerifier string `json:\"verifier\"`\n}\n\nfunc newOIDCPendingAuth(audience tokenAudience) oidcPendingAuth {\n\treturn oidcPendingAuth{\n\t\tState: util.GenerateOpaqueString(),\n\t\tNonce: util.GenerateOpaqueString(),\n\t\tAudience: audience,\n\t\tIssuedAt: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\tVerifier: oauth2.GenerateVerifier(),\n\t}\n}\n\ntype oidcToken struct {\n\tAccessToken string `json:\"access_token\"`\n\tTokenType string `json:\"token_type,omitempty\"`\n\tRefreshToken string `json:\"refresh_token,omitempty\"`\n\tExpiresAt int64 `json:\"expires_at,omitempty\"`\n\tSessionID string `json:\"session_id\"`\n\tIDToken string `json:\"id_token\"`\n\tNonce string `json:\"nonce\"`\n\tUsername string `json:\"username\"`\n\tPermissions []string `json:\"permissions\"`\n\tHideUserPageSections int `json:\"hide_user_page_sections,omitempty\"`\n\tMustSetTwoFactorAuth bool `json:\"must_set_2fa,omitempty\"`\n\tMustChangePassword bool `json:\"must_change_password,omitempty\"`\n\tRequiredTwoFactorProtocols []string `json:\"required_two_factor_protocols,omitempty\"`\n\tTokenRole string `json:\"token_role,omitempty\"` // SFTPGo role name\n\tRole any `json:\"role\"` // oidc user role: SFTPGo user or admin\n\tCustomFields *map[string]any `json:\"custom_fields,omitempty\"`\n\tCookie string `json:\"cookie\"`\n\tUsedAt int64 `json:\"used_at\"`\n}\n\nfunc (t *oidcToken) parseClaims(claims map[string]any, usernameField, roleField string, customFields []string,\n\tforcedRole string,\n) error {\n\tgetClaimsFields := func() []string {\n\t\tkeys := make([]string, 0, len(claims))\n\t\tfor k := range claims {\n\t\t\tkeys = append(keys, k)\n\t\t}\n\t\treturn keys\n\t}\n\n\tvar username string\n\tval, ok := getOIDCFieldFromClaims(claims, usernameField)\n\tif ok {\n\t\tusername, ok = val.(string)\n\t}\n\tif !ok || username == \"\" {\n\t\tlogger.Warn(logSender, \"\", \"username field %q not found, empty or not a string, claims fields: %+v\",\n\t\t\tusernameField, getClaimsFields())\n\t\treturn errors.New(\"no username field\")\n\t}\n\tt.Username = username\n\tif forcedRole != \"\" {\n\t\tt.Role = forcedRole\n\t} else {\n\t\tt.getRoleFromField(claims, roleField)\n\t}\n\tt.CustomFields = nil\n\tif len(customFields) > 0 {\n\t\tfor _, field := range customFields {\n\t\t\tif val, ok := getOIDCFieldFromClaims(claims, field); ok {\n\t\t\t\tif t.CustomFields == nil {\n\t\t\t\t\tcustomFields := make(map[string]any)\n\t\t\t\t\tt.CustomFields = &customFields\n\t\t\t\t}\n\t\t\t\tlogger.Debug(logSender, \"\", \"custom field %q found in token claims\", field)\n\t\t\t\t(*t.CustomFields)[field] = val\n\t\t\t} else {\n\t\t\t\tlogger.Info(logSender, \"\", \"custom field %q not found in token claims\", field)\n\t\t\t}\n\t\t}\n\t}\n\tsid, ok := claims[\"sid\"].(string)\n\tif ok {\n\t\tt.SessionID = sid\n\t}\n\treturn nil\n}\n\nfunc (t *oidcToken) getRoleFromField(claims map[string]any, roleField string) {\n\trole, ok := getOIDCFieldFromClaims(claims, roleField)\n\tif ok {\n\t\tt.Role = role\n\t}\n}\n\nfunc (t *oidcToken) isAdmin() bool {\n\tswitch v := t.Role.(type) {\n\tcase string:\n\t\treturn v == adminRoleFieldValue\n\tcase []any:\n\t\tfor _, s := range v {\n\t\t\tif val, ok := s.(string); ok && val == adminRoleFieldValue {\n\t\t\t\treturn true\n\t\t\t}\n\t\t}\n\t\treturn false\n\tdefault:\n\t\treturn false\n\t}\n}\n\nfunc (t *oidcToken) isExpired() bool {\n\tif t.ExpiresAt == 0 {\n\t\treturn false\n\t}\n\treturn t.ExpiresAt < util.GetTimeAsMsSinceEpoch(time.Now())\n}\n\nfunc (t *oidcToken) refresh(ctx context.Context, config OAuth2Config, verifier OIDCTokenVerifier, r *http.Request) error {\n\tif t.RefreshToken == \"\" {\n\t\tlogger.Debug(logSender, \"\", \"refresh token not set, unable to refresh cookie %q\", t.Cookie)\n\t\treturn errors.New(\"refresh token not set\")\n\t}\n\toauth2Token := oauth2.Token{\n\t\tAccessToken: t.AccessToken,\n\t\tTokenType: t.TokenType,\n\t\tRefreshToken: t.RefreshToken,\n\t}\n\tif t.ExpiresAt > 0 {\n\t\toauth2Token.Expiry = util.GetTimeFromMsecSinceEpoch(t.ExpiresAt)\n\t}\n\n\tnewToken, err := config.TokenSource(ctx, &oauth2Token).Token()\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"unable to refresh token for cookie %q: %v\", t.Cookie, err)\n\t\treturn err\n\t}\n\trawIDToken, ok := newToken.Extra(\"id_token\").(string)\n\tif !ok {\n\t\tlogger.Debug(logSender, \"\", \"the refreshed token has no id token, cookie %q\", t.Cookie)\n\t\treturn errors.New(\"the refreshed token has no id token\")\n\t}\n\n\tt.AccessToken = newToken.AccessToken\n\tt.TokenType = newToken.TokenType\n\tt.RefreshToken = newToken.RefreshToken\n\tt.IDToken = rawIDToken\n\tif !newToken.Expiry.IsZero() {\n\t\tt.ExpiresAt = util.GetTimeAsMsSinceEpoch(newToken.Expiry)\n\t} else {\n\t\tt.ExpiresAt = 0\n\t}\n\tidToken, err := verifier.Verify(ctx, rawIDToken)\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"unable to verify refreshed id token for cookie %q: %v\", t.Cookie, err)\n\t\treturn err\n\t}\n\tif idToken.Nonce != \"\" && idToken.Nonce != t.Nonce {\n\t\tlogger.Warn(logSender, \"\", \"unable to verify refreshed id token for cookie %q: nonce mismatch, expected: %q, actual: %q\",\n\t\t\tt.Cookie, t.Nonce, idToken.Nonce)\n\t\treturn errors.New(\"the refreshed token nonce mismatch\")\n\t}\n\tclaims := make(map[string]any)\n\terr = idToken.Claims(&claims)\n\tif err != nil {\n\t\tlogger.Warn(logSender, \"\", \"unable to get refreshed id token claims for cookie %q: %v\", t.Cookie, err)\n\t\treturn err\n\t}\n\tsid, ok := claims[\"sid\"].(string)\n\tif ok {\n\t\tt.SessionID = sid\n\t}\n\terr = t.refreshUser(r)\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"unable to refresh user after token refresh for cookie %q: %v\", t.Cookie, err)\n\t\treturn err\n\t}\n\tlogger.Debug(logSender, \"\", \"oidc token refreshed for user %q, cookie %q\", t.Username, t.Cookie)\n\toidcMgr.addToken(*t)\n\n\treturn nil\n}\n\nfunc (t *oidcToken) refreshUser(r *http.Request) error {\n\tif t.isAdmin() {\n\t\tadmin, err := dataprovider.AdminExists(t.Username)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err := admin.CanLogin(util.GetIPFromRemoteAddress(r.RemoteAddr)); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tt.Permissions = admin.Permissions\n\t\tt.TokenRole = admin.Role\n\t\tt.HideUserPageSections = admin.Filters.Preferences.HideUserPageSections\n\t\treturn nil\n\t}\n\tuser, err := dataprovider.GetUserWithGroupSettings(t.Username, \"\")\n\tif err != nil {\n\t\treturn err\n\t}\n\tif err := user.CheckLoginConditions(); err != nil {\n\t\treturn err\n\t}\n\tif err := checkHTTPClientUser(&user, r, xid.New().String(), true, false); err != nil {\n\t\treturn err\n\t}\n\tt.Permissions = user.Filters.WebClient\n\tt.TokenRole = user.Role\n\tt.MustSetTwoFactorAuth = user.MustSetSecondFactor()\n\tt.MustChangePassword = user.MustChangePassword()\n\tt.RequiredTwoFactorProtocols = user.Filters.TwoFactorAuthProtocols\n\treturn nil\n}\n\nfunc (t *oidcToken) getUser(r *http.Request) error {\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tparams := common.EventParams{\n\t\tName: t.Username,\n\t\tIP: ipAddr,\n\t\tProtocol: common.ProtocolOIDC,\n\t\tTimestamp: time.Now(),\n\t\tStatus: 1,\n\t}\n\tif t.isAdmin() {\n\t\tparams.Event = common.IDPLoginAdmin\n\t\t_, admin, err := common.HandleIDPLoginEvent(params, t.CustomFields)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif admin == nil {\n\t\t\ta, err := dataprovider.AdminExists(t.Username)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tadmin = &a\n\t\t}\n\t\tif err := admin.CanLogin(ipAddr); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tt.Permissions = admin.Permissions\n\t\tt.TokenRole = admin.Role\n\t\tt.HideUserPageSections = admin.Filters.Preferences.HideUserPageSections\n\t\tdataprovider.UpdateAdminLastLogin(admin)\n\t\tcommon.DelayLogin(nil)\n\t\treturn nil\n\t}\n\tparams.Event = common.IDPLoginUser\n\tuser, _, err := common.HandleIDPLoginEvent(params, t.CustomFields)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif user == nil {\n\t\tu, err := dataprovider.GetUserAfterIDPAuth(t.Username, ipAddr, common.ProtocolOIDC, t.CustomFields)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tuser = &u\n\t}\n\tif err := common.Config.ExecutePostConnectHook(ipAddr, common.ProtocolOIDC); err != nil {\n\t\tupdateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err, r)\n\t\treturn fmt.Errorf(\"access denied: %w\", err)\n\t}\n\tif err := user.CheckLoginConditions(); err != nil {\n\t\tupdateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err, r)\n\t\treturn err\n\t}\n\tconnectionID := fmt.Sprintf(\"%s_%s\", common.ProtocolOIDC, xid.New().String())\n\tif err := checkHTTPClientUser(user, r, connectionID, true, true); err != nil {\n\t\tupdateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err, r)\n\t\treturn err\n\t}\n\tdefer user.CloseFs() //nolint:errcheck\n\terr = user.CheckFsRoot(connectionID)\n\tif err != nil {\n\t\tlogger.Warn(logSender, connectionID, \"unable to check fs root: %v\", err)\n\t\tupdateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, common.ErrInternalFailure, r)\n\t\treturn err\n\t}\n\tupdateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, nil, r)\n\tdataprovider.UpdateLastLogin(user)\n\tt.Permissions = user.Filters.WebClient\n\tt.TokenRole = user.Role\n\tt.MustSetTwoFactorAuth = user.MustSetSecondFactor()\n\tt.MustChangePassword = user.MustChangePassword()\n\tt.RequiredTwoFactorProtocols = user.Filters.TwoFactorAuthProtocols\n\treturn nil\n}\n\nfunc (s *httpdServer) validateOIDCToken(w http.ResponseWriter, r *http.Request, isAdmin bool) (oidcToken, error) {\n\tdoRedirect := func() {\n\t\tremoveOIDCCookie(w, r)\n\t\tif isAdmin {\n\t\t\thttp.Redirect(w, r, webAdminLoginPath, http.StatusFound)\n\t\t\treturn\n\t\t}\n\t\thttp.Redirect(w, r, webClientLoginPath, http.StatusFound)\n\t}\n\n\tcookie, err := r.Cookie(oidcCookieKey)\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"no oidc cookie, redirecting to login page\")\n\t\tdoRedirect()\n\t\treturn oidcToken{}, errInvalidToken\n\t}\n\ttoken, err := oidcMgr.getToken(cookie.Value)\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"error getting oidc token associated with cookie %q: %v\", cookie.Value, err)\n\t\tdoRedirect()\n\t\treturn oidcToken{}, errInvalidToken\n\t}\n\tif token.isExpired() {\n\t\tlogger.Debug(logSender, \"\", \"oidc token associated with cookie %q is expired\", token.Cookie)\n\t\tctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)\n\t\tdefer cancel()\n\n\t\tif err = token.refresh(ctx, s.binding.OIDC.oauth2Config, s.binding.OIDC.getVerifier(ctx), r); err != nil {\n\t\t\tsetFlashMessage(w, r, newFlashMessage(\"Your OpenID token is expired, please log-in again\", util.I18nOIDCTokenExpired))\n\t\t\tdoRedirect()\n\t\t\treturn oidcToken{}, errInvalidToken\n\t\t}\n\t} else {\n\t\toidcMgr.updateTokenUsage(token)\n\t}\n\tif isAdmin {\n\t\tif !token.isAdmin() {\n\t\t\tlogger.Debug(logSender, \"\", \"oidc token associated with cookie %q is not valid for admin users\", token.Cookie)\n\t\t\tsetFlashMessage(w, r, newFlashMessage(\n\t\t\t\t\"Your OpenID token is not valid for the SFTPGo Web Admin UI. Please logout from your OpenID server and log-in as an SFTPGo admin\",\n\t\t\t\tutil.I18nOIDCTokenInvalidAdmin,\n\t\t\t))\n\t\t\tdoRedirect()\n\t\t\treturn oidcToken{}, errInvalidToken\n\t\t}\n\t\treturn token, nil\n\t}\n\tif token.isAdmin() {\n\t\tlogger.Debug(logSender, \"\", \"oidc token associated with cookie %q is valid for admin users\", token.Cookie)\n\t\tsetFlashMessage(w, r, newFlashMessage(\n\t\t\t\"Your OpenID token is not valid for the SFTPGo Web Client UI. Please logout from your OpenID server and log-in as an SFTPGo user\",\n\t\t\tutil.I18nOIDCTokenInvalidUser,\n\t\t))\n\t\tdoRedirect()\n\t\treturn oidcToken{}, errInvalidToken\n\t}\n\treturn token, nil\n}\n\nfunc (s *httpdServer) oidcTokenAuthenticator(audience tokenAudience) func(next http.Handler) http.Handler {\n\treturn func(next http.Handler) http.Handler {\n\t\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\t\tif canSkipOIDCValidation(r) {\n\t\t\t\tnext.ServeHTTP(w, r)\n\t\t\t\treturn\n\t\t\t}\n\t\t\ttoken, err := s.validateOIDCToken(w, r, audience == tokenAudienceWebAdmin)\n\t\t\tif err != nil {\n\t\t\t\treturn\n\t\t\t}\n\t\t\tclaims := jwt.Claims{\n\t\t\t\tUsername: dataprovider.ConvertName(token.Username),\n\t\t\t\tPermissions: token.Permissions,\n\t\t\t\tRole: token.TokenRole,\n\t\t\t\tHideUserPageSections: token.HideUserPageSections,\n\t\t\t}\n\t\t\tclaims.ID = token.Cookie\n\t\t\tif audience == tokenAudienceWebClient {\n\t\t\t\tclaims.MustSetTwoFactorAuth = token.MustSetTwoFactorAuth\n\t\t\t\tclaims.MustChangePassword = token.MustChangePassword\n\t\t\t\tclaims.RequiredTwoFactorProtocols = token.RequiredTwoFactorProtocols\n\t\t\t}\n\t\t\ttokenString, err := s.tokenAuth.SignWithParams(&claims, audience, util.GetIPFromRemoteAddress(r.RemoteAddr),\n\t\t\t\tgetTokenDuration(audience))\n\t\t\tif err != nil {\n\t\t\t\tsetFlashMessage(w, r, newFlashMessage(\"Unable to create cookie\", util.I18nError500Message))\n\t\t\t\tif audience == tokenAudienceWebAdmin {\n\t\t\t\t\thttp.Redirect(w, r, webAdminLoginPath, http.StatusFound)\n\t\t\t\t} else {\n\t\t\t\t\thttp.Redirect(w, r, webClientLoginPath, http.StatusFound)\n\t\t\t\t}\n\t\t\t\treturn\n\t\t\t}\n\t\t\tctx := context.WithValue(r.Context(), oidcTokenKey, token.Cookie)\n\t\t\tctx = context.WithValue(ctx, oidcGeneratedToken, tokenString)\n\n\t\t\tnext.ServeHTTP(w, r.WithContext(ctx))\n\t\t})\n\t}\n}\n\nfunc (s *httpdServer) handleWebAdminOIDCLogin(w http.ResponseWriter, r *http.Request) {\n\ts.oidcLoginRedirect(w, r, tokenAudienceWebAdmin)\n}\n\nfunc (s *httpdServer) handleWebClientOIDCLogin(w http.ResponseWriter, r *http.Request) {\n\ts.oidcLoginRedirect(w, r, tokenAudienceWebClient)\n}\n\nfunc (s *httpdServer) oidcLoginRedirect(w http.ResponseWriter, r *http.Request, audience tokenAudience) {\n\tpendingAuth := newOIDCPendingAuth(audience)\n\toidcMgr.addPendingAuth(pendingAuth)\n\thttp.Redirect(w, r, s.binding.OIDC.oauth2Config.AuthCodeURL(pendingAuth.State,\n\t\toidc.Nonce(pendingAuth.Nonce), oauth2.S256ChallengeOption(pendingAuth.Verifier)), http.StatusFound)\n}\n\nfunc (s *httpdServer) debugTokenClaims(claims map[string]any, rawIDToken string) {\n\tif s.binding.OIDC.Debug {\n\t\tif claims == nil {\n\t\t\tlogger.Debug(logSender, \"\", \"raw id token %q\", rawIDToken)\n\t\t} else {\n\t\t\tlogger.Debug(logSender, \"\", \"raw id token %q, parsed claims %+v\", rawIDToken, claims)\n\t\t}\n\t}\n}\n\nfunc (s *httpdServer) handleOIDCRedirect(w http.ResponseWriter, r *http.Request) {\n\tstate := r.URL.Query().Get(\"state\")\n\tauthReq, err := oidcMgr.getPendingAuth(state)\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"oidc authentication state did not match\")\n\t\toidcMgr.removePendingAuth(state)\n\t\ts.renderClientMessagePage(w, r, util.I18nInvalidAuthReqTitle, http.StatusBadRequest,\n\t\t\tutil.NewI18nError(err, util.I18nInvalidAuth), \"\")\n\t\treturn\n\t}\n\toidcMgr.removePendingAuth(state)\n\n\tdoRedirect := func() {\n\t\tif authReq.Audience == tokenAudienceWebAdmin {\n\t\t\thttp.Redirect(w, r, webAdminLoginPath, http.StatusFound)\n\t\t\treturn\n\t\t}\n\t\thttp.Redirect(w, r, webClientLoginPath, http.StatusFound)\n\t}\n\tdoLogout := func(rawIDToken string) {\n\t\ts.logoutFromOIDCOP(rawIDToken)\n\t}\n\n\tctx, cancel := context.WithTimeout(r.Context(), 20*time.Second)\n\tdefer cancel()\n\n\toauth2Token, err := s.binding.OIDC.oauth2Config.Exchange(ctx, r.URL.Query().Get(\"code\"),\n\t\toauth2.VerifierOption(authReq.Verifier))\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"failed to exchange oidc token: %v\", err)\n\t\tsetFlashMessage(w, r, newFlashMessage(\"Failed to exchange OpenID token\", util.I18nOIDCErrTokenExchange))\n\t\tdoRedirect()\n\t\treturn\n\t}\n\trawIDToken, ok := oauth2Token.Extra(\"id_token\").(string)\n\tif !ok {\n\t\tlogger.Debug(logSender, \"\", \"no id_token field in OAuth2 OpenID token\")\n\t\tsetFlashMessage(w, r, newFlashMessage(\"No id_token field in OAuth2 OpenID token\", util.I18nOIDCTokenInvalid))\n\t\tdoRedirect()\n\t\treturn\n\t}\n\ts.debugTokenClaims(nil, rawIDToken)\n\tidToken, err := s.binding.OIDC.getVerifier(ctx).Verify(ctx, rawIDToken)\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"failed to verify oidc token: %v\", err)\n\t\tsetFlashMessage(w, r, newFlashMessage(\"Failed to verify OpenID token\", util.I18nOIDCTokenInvalid))\n\t\tdoRedirect()\n\t\tdoLogout(rawIDToken)\n\t\treturn\n\t}\n\tif idToken.Nonce != authReq.Nonce {\n\t\tlogger.Debug(logSender, \"\", \"oidc authentication nonce did not match\")\n\t\tsetFlashMessage(w, r, newFlashMessage(\"OpenID authentication nonce did not match\", util.I18nOIDCTokenInvalid))\n\t\tdoRedirect()\n\t\tdoLogout(rawIDToken)\n\t\treturn\n\t}\n\n\tclaims := make(map[string]any)\n\terr = idToken.Claims(&claims)\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"unable to get oidc token claims: %v\", err)\n\t\tsetFlashMessage(w, r, newFlashMessage(\"Unable to get OpenID token claims\", util.I18nOIDCTokenInvalid))\n\t\tdoRedirect()\n\t\tdoLogout(rawIDToken)\n\t\treturn\n\t}\n\ts.debugTokenClaims(claims, rawIDToken)\n\ttoken := oidcToken{\n\t\tAccessToken: oauth2Token.AccessToken,\n\t\tTokenType: oauth2Token.TokenType,\n\t\tRefreshToken: oauth2Token.RefreshToken,\n\t\tIDToken: rawIDToken,\n\t\tNonce: idToken.Nonce,\n\t\tCookie: util.GenerateOpaqueString(),\n\t}\n\tif !oauth2Token.Expiry.IsZero() {\n\t\ttoken.ExpiresAt = util.GetTimeAsMsSinceEpoch(oauth2Token.Expiry)\n\t}\n\terr = token.parseClaims(claims, s.binding.OIDC.UsernameField, s.binding.OIDC.RoleField,\n\t\ts.binding.OIDC.CustomFields, s.binding.OIDC.getForcedRole(authReq.Audience))\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"unable to parse oidc token claims: %v\", err)\n\t\tsetFlashMessage(w, r, newFlashMessage(fmt.Sprintf(\"Unable to parse OpenID token claims: %v\", err), util.I18nOIDCTokenInvalid))\n\t\tdoRedirect()\n\t\tdoLogout(rawIDToken)\n\t\treturn\n\t}\n\tswitch authReq.Audience {\n\tcase tokenAudienceWebAdmin:\n\t\tif !token.isAdmin() {\n\t\t\tlogger.Debug(logSender, \"\", \"wrong oidc token role, the mapped user is not an SFTPGo admin\")\n\t\t\tsetFlashMessage(w, r, newFlashMessage(\n\t\t\t\t\"Wrong OpenID role, the logged in user is not an SFTPGo admin\",\n\t\t\t\tutil.I18nOIDCTokenInvalidRoleAdmin))\n\t\t\tdoRedirect()\n\t\t\tdoLogout(rawIDToken)\n\t\t\treturn\n\t\t}\n\tcase tokenAudienceWebClient:\n\t\tif token.isAdmin() {\n\t\t\tlogger.Debug(logSender, \"\", \"wrong oidc token role, the mapped user is an SFTPGo admin\")\n\t\t\tsetFlashMessage(w, r, newFlashMessage(\n\t\t\t\t\"Wrong OpenID role, the logged in user is an SFTPGo admin\",\n\t\t\t\tutil.I18nOIDCTokenInvalidRoleUser,\n\t\t\t))\n\t\t\tdoRedirect()\n\t\t\tdoLogout(rawIDToken)\n\t\t\treturn\n\t\t}\n\t}\n\terr = token.getUser(r)\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"unable to get the sftpgo user associated with oidc token: %v\", err)\n\t\tsetFlashMessage(w, r, newFlashMessage(\"Unable to get the user associated with the OpenID token\", util.I18nOIDCErrGetUser))\n\t\tdoRedirect()\n\t\tdoLogout(rawIDToken)\n\t\treturn\n\t}\n\n\tloginOIDCUser(w, r, token)\n}\n\nfunc loginOIDCUser(w http.ResponseWriter, r *http.Request, token oidcToken) {\n\toidcMgr.addToken(token)\n\n\tcookie := http.Cookie{\n\t\tName: oidcCookieKey,\n\t\tValue: token.Cookie,\n\t\tPath: \"/\",\n\t\tHttpOnly: true,\n\t\tSecure: isTLS(r),\n\t\tSameSite: http.SameSiteLaxMode,\n\t}\n\t// we don't set a cookie expiration so we can refresh the token without setting a new cookie\n\t// the cookie will be invalidated on browser close\n\thttp.SetCookie(w, &cookie)\n\tw.Header().Add(\"Cache-Control\", `no-cache=\"Set-Cookie\"`)\n\tif token.isAdmin() {\n\t\thttp.Redirect(w, r, webUsersPath, http.StatusFound)\n\t\treturn\n\t}\n\thttp.Redirect(w, r, webClientFilesPath, http.StatusFound)\n}\n\nfunc (s *httpdServer) logoutOIDCUser(w http.ResponseWriter, r *http.Request) {\n\tif oidcKey, ok := r.Context().Value(oidcTokenKey).(string); ok {\n\t\tremoveOIDCCookie(w, r)\n\t\ttoken, err := oidcMgr.getToken(oidcKey)\n\t\tif err == nil {\n\t\t\ts.logoutFromOIDCOP(token.IDToken)\n\t\t}\n\t\toidcMgr.removeToken(oidcKey)\n\t}\n}\n\nfunc (s *httpdServer) logoutFromOIDCOP(idToken string) {\n\tif s.binding.OIDC.providerLogoutURL == \"\" {\n\t\tlogger.Debug(logSender, \"\", \"oidc: provider logout URL not set, unable to logout from the OP\")\n\t\treturn\n\t}\n\tgo s.doOIDCFromLogout(idToken)\n}\n\nfunc (s *httpdServer) doOIDCFromLogout(idToken string) {\n\tlogoutURL, err := url.Parse(s.binding.OIDC.providerLogoutURL)\n\tif err != nil {\n\t\tlogger.Warn(logSender, \"\", \"oidc: unable to parse logout URL: %v\", err)\n\t\treturn\n\t}\n\tquery := logoutURL.Query()\n\tif idToken != \"\" {\n\t\tquery.Set(\"id_token_hint\", idToken)\n\t}\n\tlogoutURL.RawQuery = query.Encode()\n\tresp, err := httpclient.RetryableGet(logoutURL.String())\n\tif err != nil {\n\t\tlogger.Warn(logSender, \"\", \"oidc: error calling logout URL %q: %v\", logoutURL.String(), err)\n\t\treturn\n\t}\n\tdefer resp.Body.Close()\n\tlogger.Debug(logSender, \"\", \"oidc: logout url response code %v\", resp.StatusCode)\n}\n\nfunc removeOIDCCookie(w http.ResponseWriter, r *http.Request) {\n\thttp.SetCookie(w, &http.Cookie{\n\t\tName: oidcCookieKey,\n\t\tValue: \"\",\n\t\tPath: \"/\",\n\t\tExpires: time.Unix(0, 0),\n\t\tMaxAge: -1,\n\t\tHttpOnly: true,\n\t\tSecure: isTLS(r),\n\t\tSameSite: http.SameSiteLaxMode,\n\t})\n}\n\n// canSkipOIDCValidation returns true if there is no OIDC cookie but a jwt cookie is set\n// and so we check if the user is logged in using a built-in user\nfunc canSkipOIDCValidation(r *http.Request) bool {\n\t_, err := r.Cookie(oidcCookieKey)\n\tif err != nil {\n\t\t_, err = r.Cookie(jwt.CookieKey)\n\t\treturn err == nil\n\t}\n\treturn false\n}\n\nfunc isLoggedInWithOIDC(r *http.Request) bool {\n\t_, ok := r.Context().Value(oidcTokenKey).(string)\n\treturn ok\n}\n\nfunc getOIDCFieldFromClaims(claims map[string]any, fieldName string) (any, bool) {\n\tif fieldName == \"\" {\n\t\treturn nil, false\n\t}\n\tval, ok := claims[fieldName]\n\tif ok {\n\t\treturn val, true\n\t}\n\tif !strings.Contains(fieldName, \".\") {\n\t\treturn nil, false\n\t}\n\n\tgetStructValue := func(outer any, field string) (any, bool) {\n\t\tswitch v := outer.(type) {\n\t\tcase map[string]any:\n\t\t\tres, ok := v[field]\n\t\t\treturn res, ok\n\t\t}\n\t\treturn nil, false\n\t}\n\n\tfor idx, field := range strings.Split(fieldName, \".\") {\n\t\tif idx == 0 {\n\t\t\tval, ok = getStructValue(claims, field)\n\t\t} else {\n\t\t\tval, ok = getStructValue(val, field)\n\t\t}\n\t\tif !ok {\n\t\t\treturn nil, false\n\t\t}\n\t}\n\n\treturn val, ok\n}\n" }, { "path": "internal/httpd/oidc_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io/fs\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"net/url\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"reflect\"\n\t\"runtime\"\n\t\"testing\"\n\t\"time\"\n\t\"unsafe\"\n\n\t\"github.com/coreos/go-oidc/v3/oidc\"\n\t\"github.com/rs/xid\"\n\t\"github.com/sftpgo/sdk\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\t\"golang.org/x/oauth2\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/jwt\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nconst (\n\toidcMockAddr = \"127.0.0.1:11111\"\n)\n\ntype mockTokenSource struct {\n\ttoken *oauth2.Token\n\terr error\n}\n\nfunc (t *mockTokenSource) Token() (*oauth2.Token, error) {\n\treturn t.token, t.err\n}\n\ntype mockOAuth2Config struct {\n\ttokenSource *mockTokenSource\n\tauthCodeURL string\n\ttoken *oauth2.Token\n\terr error\n}\n\nfunc (c *mockOAuth2Config) AuthCodeURL(_ string, _ ...oauth2.AuthCodeOption) string {\n\treturn c.authCodeURL\n}\n\nfunc (c *mockOAuth2Config) Exchange(_ context.Context, _ string, _ ...oauth2.AuthCodeOption) (*oauth2.Token, error) {\n\treturn c.token, c.err\n}\n\nfunc (c *mockOAuth2Config) TokenSource(_ context.Context, _ *oauth2.Token) oauth2.TokenSource {\n\treturn c.tokenSource\n}\n\ntype mockOIDCVerifier struct {\n\ttoken *oidc.IDToken\n\terr error\n}\n\nfunc (v *mockOIDCVerifier) Verify(_ context.Context, _ string) (*oidc.IDToken, error) {\n\treturn v.token, v.err\n}\n\n// hack because the field is unexported\nfunc setIDTokenClaims(idToken *oidc.IDToken, claims []byte) {\n\tpointerVal := reflect.ValueOf(idToken)\n\tval := reflect.Indirect(pointerVal)\n\tmember := val.FieldByName(\"claims\")\n\tptr := unsafe.Pointer(member.UnsafeAddr())\n\trealPtr := (*[]byte)(ptr)\n\t*realPtr = claims\n}\n\nfunc TestOIDCInitialization(t *testing.T) {\n\tconfig := OIDC{}\n\terr := config.initialize()\n\tassert.NoError(t, err)\n\tsecret := \"jRsmE0SWnuZjP7djBqNq0mrf8QN77j2c\"\n\tconfig = OIDC{\n\t\tClientID: \"sftpgo-client\",\n\t\tClientSecret: util.GenerateUniqueID(),\n\t\tConfigURL: fmt.Sprintf(\"http://%v/\", oidcMockAddr),\n\t\tRedirectBaseURL: \"http://127.0.0.1:8081/\",\n\t\tUsernameField: \"preferred_username\",\n\t\tRoleField: \"sftpgo_role\",\n\t}\n\terr = config.initialize()\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"oidc: required scope \\\"openid\\\" is not set\")\n\t}\n\tconfig.Scopes = []string{oidc.ScopeOpenID}\n\tconfig.ClientSecretFile = \"missing file\"\n\terr = config.initialize()\n\tassert.ErrorIs(t, err, fs.ErrNotExist)\n\tsecretFile := filepath.Join(os.TempDir(), util.GenerateUniqueID())\n\tdefer os.Remove(secretFile)\n\terr = os.WriteFile(secretFile, []byte(secret), 0600)\n\tassert.NoError(t, err)\n\tconfig.ClientSecretFile = secretFile\n\terr = config.initialize()\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"oidc: unable to initialize provider\")\n\t}\n\tassert.Equal(t, secret, config.ClientSecret)\n\tconfig.ConfigURL = fmt.Sprintf(\"http://%v/auth/realms/sftpgo\", oidcMockAddr)\n\terr = config.initialize()\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"http://127.0.0.1:8081\"+webOIDCRedirectPath, config.getRedirectURL())\n}\n\nfunc TestOIDCLoginLogout(t *testing.T) {\n\ttokenValidationMode = 2\n\n\toidcMgr, ok := oidcMgr.(*memoryOIDCManager)\n\trequire.True(t, ok)\n\tserver := getTestOIDCServer()\n\terr := server.binding.OIDC.initialize()\n\tassert.NoError(t, err)\n\terr = server.initializeRouter()\n\trequire.NoError(t, err)\n\n\trr := httptest.NewRecorder()\n\tr, err := http.NewRequest(http.MethodGet, webOIDCRedirectPath, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nInvalidAuth)\n\n\texpiredAuthReq := oidcPendingAuth{\n\t\tState: util.GenerateOpaqueString(),\n\t\tNonce: util.GenerateOpaqueString(),\n\t\tAudience: tokenAudienceWebClient,\n\t\tIssuedAt: util.GetTimeAsMsSinceEpoch(time.Now().Add(-10 * time.Minute)),\n\t}\n\toidcMgr.addPendingAuth(expiredAuthReq)\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webOIDCRedirectPath+\"?state=\"+expiredAuthReq.State, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusBadRequest, rr.Code)\n\tassert.Contains(t, rr.Body.String(), util.I18nInvalidAuth)\n\toidcMgr.removePendingAuth(expiredAuthReq.State)\n\n\tserver.binding.OIDC.oauth2Config = &mockOAuth2Config{\n\t\ttokenSource: &mockTokenSource{},\n\t\tauthCodeURL: webOIDCRedirectPath,\n\t\terr: common.ErrGenericFailure,\n\t}\n\tserver.binding.OIDC.verifier = &mockOIDCVerifier{\n\t\terr: common.ErrGenericFailure,\n\t}\n\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webAdminOIDCLoginPath, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webOIDCRedirectPath, rr.Header().Get(\"Location\"))\n\trequire.Len(t, oidcMgr.pendingAuths, 1)\n\tvar state string\n\tfor k := range oidcMgr.pendingAuths {\n\t\tstate = k\n\t}\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webOIDCRedirectPath+\"?state=\"+state, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webAdminLoginPath, rr.Header().Get(\"Location\"))\n\trequire.Len(t, oidcMgr.pendingAuths, 0)\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webAdminLoginPath, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\t// now the same for the web client\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webClientOIDCLoginPath, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webOIDCRedirectPath, rr.Header().Get(\"Location\"))\n\trequire.Len(t, oidcMgr.pendingAuths, 1)\n\tfor k := range oidcMgr.pendingAuths {\n\t\tstate = k\n\t}\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webOIDCRedirectPath+\"?state=\"+state, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\trequire.Len(t, oidcMgr.pendingAuths, 0)\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webClientLoginPath, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\t// now return an OAuth2 token without the id_token\n\tserver.binding.OIDC.oauth2Config = &mockOAuth2Config{\n\t\ttokenSource: &mockTokenSource{},\n\t\tauthCodeURL: webOIDCRedirectPath,\n\t\ttoken: &oauth2.Token{\n\t\t\tAccessToken: \"123\",\n\t\t\tExpiry: time.Now().Add(5 * time.Minute),\n\t\t},\n\t\terr: nil,\n\t}\n\tauthReq := newOIDCPendingAuth(tokenAudienceWebClient)\n\toidcMgr.addPendingAuth(authReq)\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webOIDCRedirectPath+\"?state=\"+authReq.State, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\trequire.Len(t, oidcMgr.pendingAuths, 0)\n\t// now fail to verify the id token\n\ttoken := &oauth2.Token{\n\t\tAccessToken: \"123\",\n\t\tExpiry: time.Now().Add(5 * time.Minute),\n\t}\n\ttoken = token.WithExtra(map[string]any{\n\t\t\"id_token\": \"id_token_val\",\n\t})\n\tserver.binding.OIDC.oauth2Config = &mockOAuth2Config{\n\t\ttokenSource: &mockTokenSource{},\n\t\tauthCodeURL: webOIDCRedirectPath,\n\t\ttoken: token,\n\t\terr: nil,\n\t}\n\tauthReq = newOIDCPendingAuth(tokenAudienceWebClient)\n\toidcMgr.addPendingAuth(authReq)\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webOIDCRedirectPath+\"?state=\"+authReq.State, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\trequire.Len(t, oidcMgr.pendingAuths, 0)\n\t// id token nonce does not match\n\tserver.binding.OIDC.verifier = &mockOIDCVerifier{\n\t\terr: nil,\n\t\ttoken: &oidc.IDToken{},\n\t}\n\tauthReq = newOIDCPendingAuth(tokenAudienceWebClient)\n\toidcMgr.addPendingAuth(authReq)\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webOIDCRedirectPath+\"?state=\"+authReq.State, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\trequire.Len(t, oidcMgr.pendingAuths, 0)\n\t// null id token claims\n\tauthReq = newOIDCPendingAuth(tokenAudienceWebClient)\n\toidcMgr.addPendingAuth(authReq)\n\tserver.binding.OIDC.verifier = &mockOIDCVerifier{\n\t\terr: nil,\n\t\ttoken: &oidc.IDToken{\n\t\t\tNonce: authReq.Nonce,\n\t\t},\n\t}\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webOIDCRedirectPath+\"?state=\"+authReq.State, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\trequire.Len(t, oidcMgr.pendingAuths, 0)\n\t// invalid id token claims: no username\n\tauthReq = newOIDCPendingAuth(tokenAudienceWebClient)\n\toidcMgr.addPendingAuth(authReq)\n\tidToken := &oidc.IDToken{\n\t\tNonce: authReq.Nonce,\n\t\tExpiry: time.Now().Add(5 * time.Minute),\n\t}\n\tsetIDTokenClaims(idToken, []byte(`{\"aud\": \"my_client_id\"}`))\n\tserver.binding.OIDC.verifier = &mockOIDCVerifier{\n\t\terr: nil,\n\t\ttoken: idToken,\n\t}\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webOIDCRedirectPath+\"?state=\"+authReq.State, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\trequire.Len(t, oidcMgr.pendingAuths, 0)\n\t// invalid id token clamims: username not a string\n\tauthReq = newOIDCPendingAuth(tokenAudienceWebClient)\n\toidcMgr.addPendingAuth(authReq)\n\tidToken = &oidc.IDToken{\n\t\tNonce: authReq.Nonce,\n\t\tExpiry: time.Now().Add(5 * time.Minute),\n\t}\n\tsetIDTokenClaims(idToken, []byte(`{\"aud\": \"my_client_id\",\"preferred_username\": 1}`))\n\tserver.binding.OIDC.verifier = &mockOIDCVerifier{\n\t\terr: nil,\n\t\ttoken: idToken,\n\t}\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webOIDCRedirectPath+\"?state=\"+authReq.State, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\trequire.Len(t, oidcMgr.pendingAuths, 0)\n\t// invalid audience\n\tauthReq = newOIDCPendingAuth(tokenAudienceWebClient)\n\toidcMgr.addPendingAuth(authReq)\n\tidToken = &oidc.IDToken{\n\t\tNonce: authReq.Nonce,\n\t\tExpiry: time.Now().Add(5 * time.Minute),\n\t}\n\tsetIDTokenClaims(idToken, []byte(`{\"preferred_username\":\"test\",\"sftpgo_role\":\"admin\"}`))\n\tserver.binding.OIDC.verifier = &mockOIDCVerifier{\n\t\terr: nil,\n\t\ttoken: idToken,\n\t}\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webOIDCRedirectPath+\"?state=\"+authReq.State, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\trequire.Len(t, oidcMgr.pendingAuths, 0)\n\t// invalid audience\n\tauthReq = newOIDCPendingAuth(tokenAudienceWebAdmin)\n\toidcMgr.addPendingAuth(authReq)\n\tidToken = &oidc.IDToken{\n\t\tNonce: authReq.Nonce,\n\t\tExpiry: time.Now().Add(5 * time.Minute),\n\t}\n\tsetIDTokenClaims(idToken, []byte(`{\"preferred_username\":\"test\"}`))\n\tserver.binding.OIDC.verifier = &mockOIDCVerifier{\n\t\terr: nil,\n\t\ttoken: idToken,\n\t}\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webOIDCRedirectPath+\"?state=\"+authReq.State, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webAdminLoginPath, rr.Header().Get(\"Location\"))\n\trequire.Len(t, oidcMgr.pendingAuths, 0)\n\t// mapped user not found\n\tauthReq = newOIDCPendingAuth(tokenAudienceWebAdmin)\n\toidcMgr.addPendingAuth(authReq)\n\tidToken = &oidc.IDToken{\n\t\tNonce: authReq.Nonce,\n\t\tExpiry: time.Now().Add(5 * time.Minute),\n\t}\n\tsetIDTokenClaims(idToken, []byte(`{\"preferred_username\":\"test\",\"sftpgo_role\":\"admin\"}`))\n\tserver.binding.OIDC.verifier = &mockOIDCVerifier{\n\t\terr: nil,\n\t\ttoken: idToken,\n\t}\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webOIDCRedirectPath+\"?state=\"+authReq.State, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webAdminLoginPath, rr.Header().Get(\"Location\"))\n\trequire.Len(t, oidcMgr.pendingAuths, 0)\n\t// admin login ok\n\tauthReq = newOIDCPendingAuth(tokenAudienceWebAdmin)\n\toidcMgr.addPendingAuth(authReq)\n\tidToken = &oidc.IDToken{\n\t\tNonce: authReq.Nonce,\n\t\tExpiry: time.Now().Add(5 * time.Minute),\n\t}\n\tsetIDTokenClaims(idToken, []byte(`{\"preferred_username\":\"admin\",\"sftpgo_role\":\"admin\",\"sid\":\"sid123\"}`))\n\tserver.binding.OIDC.verifier = &mockOIDCVerifier{\n\t\terr: nil,\n\t\ttoken: idToken,\n\t}\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webOIDCRedirectPath+\"?state=\"+authReq.State, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webUsersPath, rr.Header().Get(\"Location\"))\n\trequire.Len(t, oidcMgr.pendingAuths, 0)\n\trequire.Len(t, oidcMgr.tokens, 1)\n\t// admin profile is not available\n\tvar tokenCookie string\n\tfor k := range oidcMgr.tokens {\n\t\ttokenCookie = k\n\t}\n\toidcToken, err := oidcMgr.getToken(tokenCookie)\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"sid123\", oidcToken.SessionID)\n\tassert.True(t, oidcToken.isAdmin())\n\tassert.False(t, oidcToken.isExpired())\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webAdminProfilePath, nil)\n\tassert.NoError(t, err)\n\tr.Header.Set(\"Cookie\", fmt.Sprintf(\"%v=%v\", oidcCookieKey, tokenCookie))\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusForbidden, rr.Code)\n\t// the admin can access the allowed pages\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webUsersPath, nil)\n\tassert.NoError(t, err)\n\tr.Header.Set(\"Cookie\", fmt.Sprintf(\"%v=%v\", oidcCookieKey, tokenCookie))\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\t// try with an invalid cookie\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webUsersPath, nil)\n\tassert.NoError(t, err)\n\tr.Header.Set(\"Cookie\", fmt.Sprintf(\"%v=%v\", oidcCookieKey, xid.New().String()))\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webAdminLoginPath, rr.Header().Get(\"Location\"))\n\t// Web Client is not available with an admin token\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\tassert.NoError(t, err)\n\tr.Header.Set(\"Cookie\", fmt.Sprintf(\"%v=%v\", oidcCookieKey, tokenCookie))\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\t// logout the admin user\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webLogoutPath, nil)\n\tassert.NoError(t, err)\n\tr.Header.Set(\"Cookie\", fmt.Sprintf(\"%v=%v\", oidcCookieKey, tokenCookie))\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webAdminLoginPath, rr.Header().Get(\"Location\"))\n\trequire.Len(t, oidcMgr.pendingAuths, 0)\n\trequire.Len(t, oidcMgr.tokens, 0)\n\t// now login and logout a user\n\tusername := \"test_oidc_user\"\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username,\n\t\t\tPassword: \"pwd\",\n\t\t\tHomeDir: filepath.Join(os.TempDir(), username),\n\t\t\tStatus: 1,\n\t\t\tPermissions: map[string][]string{\n\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t},\n\t\t},\n\t\tFilters: dataprovider.UserFilters{\n\t\t\tBaseUserFilters: sdk.BaseUserFilters{\n\t\t\t\tWebClient: []string{sdk.WebClientSharesDisabled},\n\t\t\t},\n\t\t},\n\t}\n\terr = dataprovider.AddUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tauthReq = newOIDCPendingAuth(tokenAudienceWebClient)\n\toidcMgr.addPendingAuth(authReq)\n\tidToken = &oidc.IDToken{\n\t\tNonce: authReq.Nonce,\n\t\tExpiry: time.Now().Add(5 * time.Minute),\n\t}\n\tsetIDTokenClaims(idToken, []byte(`{\"preferred_username\":\"test_oidc_user\"}`))\n\tserver.binding.OIDC.verifier = &mockOIDCVerifier{\n\t\terr: nil,\n\t\ttoken: idToken,\n\t}\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webOIDCRedirectPath+\"?state=\"+authReq.State, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientFilesPath, rr.Header().Get(\"Location\"))\n\trequire.Len(t, oidcMgr.pendingAuths, 0)\n\trequire.Len(t, oidcMgr.tokens, 1)\n\t// user profile is not available\n\tfor k := range oidcMgr.tokens {\n\t\ttokenCookie = k\n\t}\n\toidcToken, err = oidcMgr.getToken(tokenCookie)\n\tassert.NoError(t, err)\n\tassert.Empty(t, oidcToken.SessionID)\n\tassert.False(t, oidcToken.isAdmin())\n\tassert.False(t, oidcToken.isExpired())\n\tif assert.Len(t, oidcToken.Permissions, 1) {\n\t\tassert.Equal(t, sdk.WebClientSharesDisabled, oidcToken.Permissions[0])\n\t}\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webClientProfilePath, nil)\n\tassert.NoError(t, err)\n\tr.RequestURI = webClientProfilePath\n\tr.Header.Set(\"Cookie\", fmt.Sprintf(\"%v=%v\", oidcCookieKey, tokenCookie))\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\t// the user can access the allowed pages\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\tassert.NoError(t, err)\n\tr.Header.Set(\"Cookie\", fmt.Sprintf(\"%v=%v\", oidcCookieKey, tokenCookie))\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\t// try with an invalid cookie\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\tassert.NoError(t, err)\n\tr.Header.Set(\"Cookie\", fmt.Sprintf(\"%v=%v\", oidcCookieKey, xid.New().String()))\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\t// Web Admin is not available with a client cookie\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webUsersPath, nil)\n\tassert.NoError(t, err)\n\tr.Header.Set(\"Cookie\", fmt.Sprintf(\"%v=%v\", oidcCookieKey, tokenCookie))\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webAdminLoginPath, rr.Header().Get(\"Location\"))\n\t// logout the user\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webClientLogoutPath, nil)\n\tassert.NoError(t, err)\n\tr.Header.Set(\"Cookie\", fmt.Sprintf(\"%v=%v\", oidcCookieKey, tokenCookie))\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\trequire.Len(t, oidcMgr.pendingAuths, 0)\n\trequire.Len(t, oidcMgr.tokens, 0)\n\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = dataprovider.DeleteUser(username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\ttokenValidationMode = 0\n}\n\nfunc TestOIDCRefreshToken(t *testing.T) {\n\toidcMgr, ok := oidcMgr.(*memoryOIDCManager)\n\trequire.True(t, ok)\n\tr, err := http.NewRequest(http.MethodGet, webUsersPath, nil)\n\tassert.NoError(t, err)\n\ttoken := oidcToken{\n\t\tCookie: util.GenerateOpaqueString(),\n\t\tAccessToken: xid.New().String(),\n\t\tTokenType: \"Bearer\",\n\t\tExpiresAt: util.GetTimeAsMsSinceEpoch(time.Now().Add(-1 * time.Minute)),\n\t\tNonce: xid.New().String(),\n\t\tRole: adminRoleFieldValue,\n\t\tUsername: defaultAdminUsername,\n\t}\n\tconfig := mockOAuth2Config{\n\t\ttokenSource: &mockTokenSource{\n\t\t\terr: common.ErrGenericFailure,\n\t\t},\n\t}\n\tverifier := mockOIDCVerifier{\n\t\terr: common.ErrGenericFailure,\n\t}\n\terr = token.refresh(context.Background(), &config, &verifier, r)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"refresh token not set\")\n\t}\n\ttoken.RefreshToken = xid.New().String()\n\terr = token.refresh(context.Background(), &config, &verifier, r)\n\tassert.ErrorIs(t, err, common.ErrGenericFailure)\n\n\tnewToken := &oauth2.Token{\n\t\tAccessToken: xid.New().String(),\n\t\tRefreshToken: xid.New().String(),\n\t\tExpiry: time.Now().Add(5 * time.Minute),\n\t}\n\tconfig = mockOAuth2Config{\n\t\ttokenSource: &mockTokenSource{\n\t\t\ttoken: newToken,\n\t\t},\n\t}\n\tverifier = mockOIDCVerifier{\n\t\ttoken: &oidc.IDToken{},\n\t}\n\terr = token.refresh(context.Background(), &config, &verifier, r)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"the refreshed token has no id token\")\n\t}\n\tnewToken = newToken.WithExtra(map[string]any{\n\t\t\"id_token\": \"id_token_val\",\n\t})\n\tnewToken.Expiry = time.Time{}\n\tconfig = mockOAuth2Config{\n\t\ttokenSource: &mockTokenSource{\n\t\t\ttoken: newToken,\n\t\t},\n\t}\n\tverifier = mockOIDCVerifier{\n\t\terr: common.ErrGenericFailure,\n\t}\n\terr = token.refresh(context.Background(), &config, &verifier, r)\n\tassert.ErrorIs(t, err, common.ErrGenericFailure)\n\n\tnewToken = newToken.WithExtra(map[string]any{\n\t\t\"id_token\": \"id_token_val\",\n\t})\n\tnewToken.Expiry = time.Now().Add(5 * time.Minute)\n\tconfig = mockOAuth2Config{\n\t\ttokenSource: &mockTokenSource{\n\t\t\ttoken: newToken,\n\t\t},\n\t}\n\tverifier = mockOIDCVerifier{\n\t\ttoken: &oidc.IDToken{\n\t\t\tNonce: xid.New().String(), // nonce is different from the expected one\n\t\t},\n\t}\n\terr = token.refresh(context.Background(), &config, &verifier, r)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"the refreshed token nonce mismatch\")\n\t}\n\tverifier = mockOIDCVerifier{\n\t\ttoken: &oidc.IDToken{\n\t\t\tNonce: \"\", // empty token is fine on refresh but claims are not set\n\t\t},\n\t}\n\terr = token.refresh(context.Background(), &config, &verifier, r)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"oidc: claims not set\")\n\t}\n\tidToken := &oidc.IDToken{\n\t\tNonce: token.Nonce,\n\t}\n\tsetIDTokenClaims(idToken, []byte(`{\"sid\":\"id_token_sid\"}`))\n\tverifier = mockOIDCVerifier{\n\t\ttoken: idToken,\n\t}\n\terr = token.refresh(context.Background(), &config, &verifier, r)\n\tassert.NoError(t, err)\n\tassert.Len(t, token.Permissions, 1)\n\ttoken.Role = nil\n\t// user does not exist\n\terr = token.refresh(context.Background(), &config, &verifier, r)\n\tassert.Error(t, err)\n\trequire.Len(t, oidcMgr.tokens, 1)\n\toidcMgr.removeToken(token.Cookie)\n\trequire.Len(t, oidcMgr.tokens, 0)\n}\n\nfunc TestOIDCRefreshUser(t *testing.T) {\n\ttoken := oidcToken{\n\t\tCookie: util.GenerateOpaqueString(),\n\t\tAccessToken: xid.New().String(),\n\t\tTokenType: \"Bearer\",\n\t\tExpiresAt: util.GetTimeAsMsSinceEpoch(time.Now().Add(1 * time.Minute)),\n\t\tNonce: xid.New().String(),\n\t\tRole: adminRoleFieldValue,\n\t\tUsername: \"missing username\",\n\t}\n\tr, err := http.NewRequest(http.MethodGet, webUsersPath, nil)\n\tassert.NoError(t, err)\n\terr = token.refreshUser(r)\n\tassert.Error(t, err)\n\tadmin := dataprovider.Admin{\n\t\tUsername: \"test_oidc_admin_refresh\",\n\t\tPassword: \"p\",\n\t\tPermissions: []string{dataprovider.PermAdminAny},\n\t\tStatus: 0,\n\t\tFilters: dataprovider.AdminFilters{\n\t\t\tPreferences: dataprovider.AdminPreferences{\n\t\t\t\tHideUserPageSections: 1 + 2 + 4,\n\t\t\t},\n\t\t},\n\t}\n\terr = dataprovider.AddAdmin(&admin, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\ttoken.Username = admin.Username\n\terr = token.refreshUser(r)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"is disabled\")\n\t}\n\n\tadmin.Status = 1\n\terr = dataprovider.UpdateAdmin(&admin, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = token.refreshUser(r)\n\tassert.NoError(t, err)\n\tassert.Equal(t, admin.Permissions, token.Permissions)\n\tassert.Equal(t, admin.Filters.Preferences.HideUserPageSections, token.HideUserPageSections)\n\n\terr = dataprovider.DeleteAdmin(admin.Username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tusername := \"test_oidc_user_refresh_token\"\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username,\n\t\t\tPassword: \"p\",\n\t\t\tHomeDir: filepath.Join(os.TempDir(), username),\n\t\t\tStatus: 0,\n\t\t\tPermissions: map[string][]string{\n\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t},\n\t\t},\n\t\tFilters: dataprovider.UserFilters{\n\t\t\tBaseUserFilters: sdk.BaseUserFilters{\n\t\t\t\tDeniedProtocols: []string{common.ProtocolHTTP},\n\t\t\t\tWebClient: []string{sdk.WebClientSharesDisabled, sdk.WebClientWriteDisabled},\n\t\t\t},\n\t\t},\n\t}\n\terr = dataprovider.AddUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tr, err = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\tassert.NoError(t, err)\n\ttoken.Role = nil\n\ttoken.Username = username\n\tassert.False(t, token.isAdmin())\n\terr = token.refreshUser(r)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"is disabled\")\n\t}\n\tuser, err = dataprovider.UserExists(username, \"\")\n\tassert.NoError(t, err)\n\tuser.Status = 1\n\terr = dataprovider.UpdateUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = token.refreshUser(r)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"protocol HTTP is not allowed\")\n\t}\n\n\tuser.Filters.DeniedProtocols = []string{common.ProtocolFTP}\n\terr = dataprovider.UpdateUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = token.refreshUser(r)\n\tassert.NoError(t, err)\n\tassert.Equal(t, user.Filters.WebClient, token.Permissions)\n\n\terr = dataprovider.DeleteUser(username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n}\n\nfunc TestValidateOIDCToken(t *testing.T) {\n\toidcMgr, ok := oidcMgr.(*memoryOIDCManager)\n\trequire.True(t, ok)\n\tserver := getTestOIDCServer()\n\terr := server.binding.OIDC.initialize()\n\tassert.NoError(t, err)\n\terr = server.initializeRouter()\n\trequire.NoError(t, err)\n\n\trr := httptest.NewRecorder()\n\tr, err := http.NewRequest(http.MethodGet, webClientLogoutPath, nil)\n\tassert.NoError(t, err)\n\t_, err = server.validateOIDCToken(rr, r, false)\n\tassert.ErrorIs(t, err, errInvalidToken)\n\t// expired token and refresh error\n\tserver.binding.OIDC.oauth2Config = &mockOAuth2Config{\n\t\ttokenSource: &mockTokenSource{\n\t\t\terr: common.ErrGenericFailure,\n\t\t},\n\t}\n\ttoken := oidcToken{\n\t\tCookie: util.GenerateOpaqueString(),\n\t\tAccessToken: xid.New().String(),\n\t\tExpiresAt: util.GetTimeAsMsSinceEpoch(time.Now().Add(-2 * time.Minute)),\n\t}\n\toidcMgr.addToken(token)\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webClientLogoutPath, nil)\n\tassert.NoError(t, err)\n\tr.Header.Set(\"Cookie\", fmt.Sprintf(\"%v=%v\", oidcCookieKey, token.Cookie))\n\t_, err = server.validateOIDCToken(rr, r, false)\n\tassert.ErrorIs(t, err, errInvalidToken)\n\toidcMgr.removeToken(token.Cookie)\n\tassert.Len(t, oidcMgr.tokens, 0)\n\n\tserver.tokenAuth.SetSigner(&failingJoseSigner{})\n\ttoken = oidcToken{\n\t\tCookie: util.GenerateOpaqueString(),\n\t\tAccessToken: util.GenerateUniqueID(),\n\t}\n\toidcMgr.addToken(token)\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webClientLogoutPath, nil)\n\tassert.NoError(t, err)\n\tr.Header.Set(\"Cookie\", fmt.Sprintf(\"%v=%v\", oidcCookieKey, token.Cookie))\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\toidcMgr.removeToken(token.Cookie)\n\tassert.Len(t, oidcMgr.tokens, 0)\n\n\ttoken = oidcToken{\n\t\tCookie: util.GenerateOpaqueString(),\n\t\tAccessToken: xid.New().String(),\n\t\tRole: \"admin\",\n\t}\n\toidcMgr.addToken(token)\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webLogoutPath, nil)\n\tassert.NoError(t, err)\n\tr.Header.Set(\"Cookie\", fmt.Sprintf(\"%v=%v\", oidcCookieKey, token.Cookie))\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webAdminLoginPath, rr.Header().Get(\"Location\"))\n\toidcMgr.removeToken(token.Cookie)\n\tassert.Len(t, oidcMgr.tokens, 0)\n}\n\nfunc TestSkipOIDCAuth(t *testing.T) {\n\tserver := getTestOIDCServer()\n\terr := server.binding.OIDC.initialize()\n\tassert.NoError(t, err)\n\terr = server.initializeRouter()\n\trequire.NoError(t, err)\n\n\tclaims := jwt.NewClaims(tokenAudienceWebClient, \"\", getTokenDuration(tokenAudienceWebClient))\n\tclaims.Username = \"user\"\n\ttokenString, err := server.tokenAuth.Sign(claims)\n\tassert.NoError(t, err)\n\trr := httptest.NewRecorder()\n\tr, err := http.NewRequest(http.MethodGet, webClientLogoutPath, nil)\n\tassert.NoError(t, err)\n\tr.Header.Set(\"Cookie\", fmt.Sprintf(\"%v=%v\", jwt.CookieKey, tokenString))\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n}\n\nfunc TestOIDCLogoutErrors(t *testing.T) {\n\tserver := getTestOIDCServer()\n\tassert.Empty(t, server.binding.OIDC.providerLogoutURL)\n\tserver.logoutFromOIDCOP(\"\")\n\tserver.binding.OIDC.providerLogoutURL = \"http://foo\\x7f.com/\"\n\tserver.doOIDCFromLogout(\"\")\n\tserver.binding.OIDC.providerLogoutURL = \"http://127.0.0.1:11234\"\n\tserver.doOIDCFromLogout(\"\")\n}\n\nfunc TestOIDCToken(t *testing.T) {\n\tadmin := dataprovider.Admin{\n\t\tUsername: \"test_oidc_admin\",\n\t\tPassword: \"p\",\n\t\tPermissions: []string{dataprovider.PermAdminAny},\n\t\tStatus: 0,\n\t}\n\terr := dataprovider.AddAdmin(&admin, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\ttoken := oidcToken{\n\t\tUsername: admin.Username,\n\t}\n\t// role not initialized, user with the specified username does not exist\n\treq, err := http.NewRequest(http.MethodGet, webUsersPath, nil)\n\tassert.NoError(t, err)\n\terr = token.getUser(req)\n\tassert.ErrorIs(t, err, util.ErrNotFound)\n\ttoken.Role = \"admin\"\n\treq, err = http.NewRequest(http.MethodGet, webUsersPath, nil)\n\tassert.NoError(t, err)\n\terr = token.getUser(req)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"is disabled\")\n\t}\n\terr = dataprovider.DeleteAdmin(admin.Username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tusername := \"test_oidc_user\"\n\ttoken.Username = username\n\ttoken.Role = \"\"\n\terr = token.getUser(req)\n\tif assert.Error(t, err) {\n\t\tassert.ErrorIs(t, err, util.ErrNotFound)\n\t}\n\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username,\n\t\t\tPassword: \"p\",\n\t\t\tHomeDir: filepath.Join(os.TempDir(), username),\n\t\t\tStatus: 0,\n\t\t\tPermissions: map[string][]string{\n\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t},\n\t\t},\n\t\tFilters: dataprovider.UserFilters{\n\t\t\tBaseUserFilters: sdk.BaseUserFilters{\n\t\t\t\tDeniedProtocols: []string{common.ProtocolHTTP},\n\t\t\t\tDeniedLoginMethods: []string{dataprovider.LoginMethodPassword},\n\t\t\t},\n\t\t},\n\t}\n\terr = dataprovider.AddUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = token.getUser(req)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"is disabled\")\n\t}\n\tuser, err = dataprovider.UserExists(username, \"\")\n\tassert.NoError(t, err)\n\tuser.Status = 1\n\tuser.Password = \"np\"\n\terr = dataprovider.UpdateUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\terr = token.getUser(req)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"protocol HTTP is not allowed\")\n\t}\n\n\tuser.Filters.DeniedProtocols = nil\n\tuser.FsConfig.Provider = sdk.SFTPFilesystemProvider\n\tuser.FsConfig.SFTPConfig = vfs.SFTPFsConfig{\n\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\tEndpoint: \"127.0.0.1:8022\",\n\t\t\tUsername: username,\n\t\t},\n\t\tPassword: kms.NewPlainSecret(\"np\"),\n\t}\n\terr = dataprovider.UpdateUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = token.getUser(req)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"SFTP loop\")\n\t}\n\n\tcommon.Config.PostConnectHook = fmt.Sprintf(\"http://%v/404\", oidcMockAddr)\n\n\terr = token.getUser(req)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"access denied\")\n\t}\n\n\tcommon.Config.PostConnectHook = \"\"\n\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = dataprovider.DeleteUser(username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n}\n\nfunc TestOIDCImplicitRoles(t *testing.T) {\n\toidcMgr, ok := oidcMgr.(*memoryOIDCManager)\n\trequire.True(t, ok)\n\n\tserver := getTestOIDCServer()\n\tserver.binding.OIDC.ImplicitRoles = true\n\terr := server.binding.OIDC.initialize()\n\tassert.NoError(t, err)\n\terr = server.initializeRouter()\n\trequire.NoError(t, err)\n\n\tauthReq := newOIDCPendingAuth(tokenAudienceWebAdmin)\n\toidcMgr.addPendingAuth(authReq)\n\ttoken := &oauth2.Token{\n\t\tAccessToken: \"1234\",\n\t\tExpiry: time.Now().Add(5 * time.Minute),\n\t}\n\ttoken = token.WithExtra(map[string]any{\n\t\t\"id_token\": \"id_token_val\",\n\t})\n\tserver.binding.OIDC.oauth2Config = &mockOAuth2Config{\n\t\ttokenSource: &mockTokenSource{},\n\t\tauthCodeURL: webOIDCRedirectPath,\n\t\ttoken: token,\n\t}\n\tidToken := &oidc.IDToken{\n\t\tNonce: authReq.Nonce,\n\t\tExpiry: time.Now().Add(5 * time.Minute),\n\t}\n\tsetIDTokenClaims(idToken, []byte(`{\"preferred_username\":\"admin\",\"sid\":\"sid456\"}`))\n\tserver.binding.OIDC.verifier = &mockOIDCVerifier{\n\t\terr: nil,\n\t\ttoken: idToken,\n\t}\n\trr := httptest.NewRecorder()\n\tr, err := http.NewRequest(http.MethodGet, webOIDCRedirectPath+\"?state=\"+authReq.State, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webUsersPath, rr.Header().Get(\"Location\"))\n\trequire.Len(t, oidcMgr.pendingAuths, 0)\n\trequire.Len(t, oidcMgr.tokens, 1)\n\tvar tokenCookie string\n\tfor k := range oidcMgr.tokens {\n\t\ttokenCookie = k\n\t}\n\t// Web Client is not available with an admin token\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webClientFilesPath, nil)\n\tassert.NoError(t, err)\n\tr.Header.Set(\"Cookie\", fmt.Sprintf(\"%v=%v\", oidcCookieKey, tokenCookie))\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\t// logout the admin user\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webLogoutPath, nil)\n\tassert.NoError(t, err)\n\tr.Header.Set(\"Cookie\", fmt.Sprintf(\"%v=%v\", oidcCookieKey, tokenCookie))\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webAdminLoginPath, rr.Header().Get(\"Location\"))\n\trequire.Len(t, oidcMgr.pendingAuths, 0)\n\trequire.Len(t, oidcMgr.tokens, 0)\n\t// now login and logout a user\n\tusername := \"test_oidc_implicit_user\"\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username,\n\t\t\tPassword: \"pwd\",\n\t\t\tHomeDir: filepath.Join(os.TempDir(), username),\n\t\t\tStatus: 1,\n\t\t\tPermissions: map[string][]string{\n\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t},\n\t\t},\n\t\tFilters: dataprovider.UserFilters{\n\t\t\tBaseUserFilters: sdk.BaseUserFilters{\n\t\t\t\tWebClient: []string{sdk.WebClientSharesDisabled},\n\t\t\t},\n\t\t},\n\t}\n\terr = dataprovider.AddUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tauthReq = newOIDCPendingAuth(tokenAudienceWebClient)\n\toidcMgr.addPendingAuth(authReq)\n\tidToken = &oidc.IDToken{\n\t\tNonce: authReq.Nonce,\n\t\tExpiry: time.Now().Add(5 * time.Minute),\n\t}\n\tsetIDTokenClaims(idToken, []byte(`{\"preferred_username\":\"test_oidc_implicit_user\"}`))\n\tserver.binding.OIDC.verifier = &mockOIDCVerifier{\n\t\terr: nil,\n\t\ttoken: idToken,\n\t}\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webOIDCRedirectPath+\"?state=\"+authReq.State, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientFilesPath, rr.Header().Get(\"Location\"))\n\trequire.Len(t, oidcMgr.pendingAuths, 0)\n\trequire.Len(t, oidcMgr.tokens, 1)\n\tfor k := range oidcMgr.tokens {\n\t\ttokenCookie = k\n\t}\n\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webClientLogoutPath, nil)\n\tassert.NoError(t, err)\n\tr.Header.Set(\"Cookie\", fmt.Sprintf(\"%v=%v\", oidcCookieKey, tokenCookie))\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\trequire.Len(t, oidcMgr.pendingAuths, 0)\n\trequire.Len(t, oidcMgr.tokens, 0)\n\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = dataprovider.DeleteUser(username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n}\n\nfunc TestMemoryOIDCManager(t *testing.T) {\n\toidcMgr, ok := oidcMgr.(*memoryOIDCManager)\n\trequire.True(t, ok)\n\trequire.Len(t, oidcMgr.pendingAuths, 0)\n\tauthReq := newOIDCPendingAuth(tokenAudienceWebAdmin)\n\toidcMgr.addPendingAuth(authReq)\n\trequire.Len(t, oidcMgr.pendingAuths, 1)\n\t_, err := oidcMgr.getPendingAuth(authReq.State)\n\tassert.NoError(t, err)\n\toidcMgr.removePendingAuth(authReq.State)\n\trequire.Len(t, oidcMgr.pendingAuths, 0)\n\tauthReq.IssuedAt = util.GetTimeAsMsSinceEpoch(time.Now().Add(-600 * time.Second))\n\toidcMgr.addPendingAuth(authReq)\n\trequire.Len(t, oidcMgr.pendingAuths, 1)\n\t_, err = oidcMgr.getPendingAuth(authReq.State)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"too old\")\n\t}\n\toidcMgr.cleanup()\n\trequire.Len(t, oidcMgr.pendingAuths, 0)\n\n\ttoken := oidcToken{\n\t\tAccessToken: xid.New().String(),\n\t\tNonce: xid.New().String(),\n\t\tSessionID: xid.New().String(),\n\t\tCookie: util.GenerateOpaqueString(),\n\t\tUsername: xid.New().String(),\n\t\tRole: \"admin\",\n\t\tPermissions: []string{dataprovider.PermAdminAny},\n\t}\n\trequire.Len(t, oidcMgr.tokens, 0)\n\toidcMgr.addToken(token)\n\trequire.Len(t, oidcMgr.tokens, 1)\n\t_, err = oidcMgr.getToken(xid.New().String())\n\tassert.Error(t, err)\n\tstoredToken, err := oidcMgr.getToken(token.Cookie)\n\tassert.NoError(t, err)\n\ttoken.UsedAt = 0 // ensure we don't modify the stored token\n\tassert.Greater(t, storedToken.UsedAt, int64(0))\n\ttoken.UsedAt = storedToken.UsedAt\n\tassert.Equal(t, token, storedToken)\n\t// the usage will not be updated, it is recent\n\toidcMgr.updateTokenUsage(storedToken)\n\tstoredToken, err = oidcMgr.getToken(token.Cookie)\n\tassert.NoError(t, err)\n\tassert.Equal(t, token, storedToken)\n\tusedAt := util.GetTimeAsMsSinceEpoch(time.Now().Add(-5 * time.Minute))\n\tstoredToken.UsedAt = usedAt\n\toidcMgr.tokens[token.Cookie] = storedToken\n\tstoredToken, err = oidcMgr.getToken(token.Cookie)\n\tassert.NoError(t, err)\n\tassert.Equal(t, usedAt, storedToken.UsedAt)\n\ttoken.UsedAt = storedToken.UsedAt\n\tassert.Equal(t, token, storedToken)\n\toidcMgr.updateTokenUsage(storedToken)\n\tstoredToken, err = oidcMgr.getToken(token.Cookie)\n\tassert.NoError(t, err)\n\tassert.Greater(t, storedToken.UsedAt, usedAt)\n\ttoken.UsedAt = storedToken.UsedAt\n\tassert.Equal(t, token, storedToken)\n\tstoredToken.UsedAt = util.GetTimeAsMsSinceEpoch(time.Now()) - tokenDeleteInterval - 1\n\toidcMgr.tokens[token.Cookie] = storedToken\n\tstoredToken, err = oidcMgr.getToken(token.Cookie)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"token is too old\")\n\t}\n\toidcMgr.removeToken(xid.New().String())\n\trequire.Len(t, oidcMgr.tokens, 1)\n\toidcMgr.removeToken(token.Cookie)\n\trequire.Len(t, oidcMgr.tokens, 0)\n\toidcMgr.addToken(token)\n\tusedAt = util.GetTimeAsMsSinceEpoch(time.Now().Add(-6 * time.Hour))\n\ttoken.UsedAt = usedAt\n\toidcMgr.tokens[token.Cookie] = token\n\tnewToken := oidcToken{\n\t\tCookie: util.GenerateOpaqueString(),\n\t}\n\toidcMgr.addToken(newToken)\n\toidcMgr.cleanup()\n\trequire.Len(t, oidcMgr.tokens, 1)\n\t_, err = oidcMgr.getToken(token.Cookie)\n\tassert.Error(t, err)\n\t_, err = oidcMgr.getToken(newToken.Cookie)\n\tassert.NoError(t, err)\n\toidcMgr.removeToken(newToken.Cookie)\n\trequire.Len(t, oidcMgr.tokens, 0)\n}\n\nfunc TestOIDCEvMgrIntegration(t *testing.T) {\n\tproviderConf := dataprovider.GetProviderConfig()\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\tnewProviderConf := providerConf\n\tnewProviderConf.NamingRules = 5\n\terr = dataprovider.Initialize(newProviderConf, configDir, true)\n\tassert.NoError(t, err)\n\t// add a special chars to check json replacer\n\tusername := `test_'oidc_eventmanager`\n\tu := map[string]any{\n\t\t\"username\": \"{{.Name}}\",\n\t\t\"status\": 1,\n\t\t\"home_dir\": filepath.Join(os.TempDir(), \"{{.IDPFieldcustom1.sub}}\"),\n\t\t\"permissions\": map[string][]string{\n\t\t\t\"/\": {dataprovider.PermAny},\n\t\t},\n\t\t\"description\": \"{{.IDPFieldcustom2}}\",\n\t}\n\tuserTmpl, err := json.Marshal(u)\n\trequire.NoError(t, err)\n\ta := map[string]any{\n\t\t\"username\": \"{{.Name}}\",\n\t\t\"status\": 1,\n\t\t\"permissions\": []string{dataprovider.PermAdminAny},\n\t}\n\tadminTmpl, err := json.Marshal(a)\n\trequire.NoError(t, err)\n\n\taction := &dataprovider.BaseEventAction{\n\t\tName: \"a\",\n\t\tType: dataprovider.ActionTypeIDPAccountCheck,\n\t\tOptions: dataprovider.BaseEventActionOptions{\n\t\t\tIDPConfig: dataprovider.EventActionIDPAccountCheck{\n\t\t\t\tMode: 0,\n\t\t\t\tTemplateUser: string(userTmpl),\n\t\t\t\tTemplateAdmin: string(adminTmpl),\n\t\t\t},\n\t\t},\n\t}\n\terr = dataprovider.AddEventAction(action, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\trule := &dataprovider.EventRule{\n\t\tName: \"r\",\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerIDPLogin,\n\t\tConditions: dataprovider.EventConditions{\n\t\t\tIDPLoginEvent: 0,\n\t\t},\n\t\tActions: []dataprovider.EventAction{\n\t\t\t{\n\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\tName: action.Name,\n\t\t\t\t},\n\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\tExecuteSync: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\terr = dataprovider.AddEventRule(rule, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\toidcMgr, ok := oidcMgr.(*memoryOIDCManager)\n\trequire.True(t, ok)\n\tserver := getTestOIDCServer()\n\tserver.binding.OIDC.ImplicitRoles = true\n\tserver.binding.OIDC.CustomFields = []string{\"custom1.sub\", \"custom2\"}\n\terr = server.binding.OIDC.initialize()\n\tassert.NoError(t, err)\n\terr = server.initializeRouter()\n\trequire.NoError(t, err)\n\t// login a user with OIDC\n\t_, err = dataprovider.UserExists(username, \"\")\n\tassert.ErrorIs(t, err, util.ErrNotFound)\n\tauthReq := newOIDCPendingAuth(tokenAudienceWebClient)\n\toidcMgr.addPendingAuth(authReq)\n\ttoken := &oauth2.Token{\n\t\tAccessToken: \"1234\",\n\t\tExpiry: time.Now().Add(5 * time.Minute),\n\t}\n\ttoken = token.WithExtra(map[string]any{\n\t\t\"id_token\": \"id_token_val\",\n\t})\n\tserver.binding.OIDC.oauth2Config = &mockOAuth2Config{\n\t\ttokenSource: &mockTokenSource{},\n\t\tauthCodeURL: webOIDCRedirectPath,\n\t\ttoken: token,\n\t}\n\tidToken := &oidc.IDToken{\n\t\tNonce: authReq.Nonce,\n\t\tExpiry: time.Now().Add(5 * time.Minute),\n\t}\n\tsetIDTokenClaims(idToken, []byte(`{\"preferred_username\":\"`+util.JSONEscape(username)+`\",\"custom1\":{\"sub\":\"val1\"},\"custom2\":\"desc\"}`)) //nolint:goconst\n\tserver.binding.OIDC.verifier = &mockOIDCVerifier{\n\t\terr: nil,\n\t\ttoken: idToken,\n\t}\n\trr := httptest.NewRecorder()\n\tr, err := http.NewRequest(http.MethodGet, webOIDCRedirectPath+\"?state=\"+authReq.State, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientFilesPath, rr.Header().Get(\"Location\"))\n\tuser, err := dataprovider.UserExists(username, \"\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, filepath.Join(os.TempDir(), \"val1\"), user.GetHomeDir())\n\tassert.Equal(t, \"desc\", user.Description)\n\n\terr = dataprovider.DeleteUser(username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t// login an admin with OIDC\n\t_, err = dataprovider.AdminExists(username)\n\tassert.ErrorIs(t, err, util.ErrNotFound)\n\tauthReq = newOIDCPendingAuth(tokenAudienceWebAdmin)\n\toidcMgr.addPendingAuth(authReq)\n\tidToken = &oidc.IDToken{\n\t\tNonce: authReq.Nonce,\n\t\tExpiry: time.Now().Add(5 * time.Minute),\n\t}\n\tsetIDTokenClaims(idToken, []byte(`{\"preferred_username\":\"`+util.JSONEscape(username)+`\"}`))\n\tserver.binding.OIDC.verifier = &mockOIDCVerifier{\n\t\terr: nil,\n\t\ttoken: idToken,\n\t}\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webOIDCRedirectPath+\"?state=\"+authReq.State, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webUsersPath, rr.Header().Get(\"Location\"))\n\n\t_, err = dataprovider.AdminExists(username)\n\tassert.NoError(t, err)\n\terr = dataprovider.DeleteAdmin(username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\t// set invalid templates and try again\n\taction.Options.IDPConfig.TemplateUser = `{}`\n\taction.Options.IDPConfig.TemplateAdmin = `{}`\n\terr = dataprovider.UpdateEventAction(action, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tfor _, audience := range []string{tokenAudienceWebAdmin, tokenAudienceWebClient} {\n\t\tauthReq = newOIDCPendingAuth(audience)\n\t\toidcMgr.addPendingAuth(authReq)\n\t\tidToken = &oidc.IDToken{\n\t\t\tNonce: authReq.Nonce,\n\t\t\tExpiry: time.Now().Add(5 * time.Minute),\n\t\t}\n\t\tsetIDTokenClaims(idToken, []byte(`{\"preferred_username\":\"`+util.JSONEscape(username)+`\"}`))\n\t\tserver.binding.OIDC.verifier = &mockOIDCVerifier{\n\t\t\terr: nil,\n\t\t\ttoken: idToken,\n\t\t}\n\t\trr = httptest.NewRecorder()\n\t\tr, err = http.NewRequest(http.MethodGet, webOIDCRedirectPath+\"?state=\"+authReq.State, nil)\n\t\tassert.NoError(t, err)\n\t\tserver.router.ServeHTTP(rr, r)\n\t\tassert.Equal(t, http.StatusFound, rr.Code)\n\t}\n\tfor k := range oidcMgr.tokens {\n\t\toidcMgr.removeToken(k)\n\t}\n\n\terr = dataprovider.DeleteEventRule(rule.Name, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = dataprovider.DeleteEventAction(action.Name, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n}\n\nfunc TestOIDCPreLoginHook(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\toidcMgr, ok := oidcMgr.(*memoryOIDCManager)\n\trequire.True(t, ok)\n\tusername := \"test_oidc_user_prelogin\"\n\tu := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username,\n\t\t\tHomeDir: filepath.Join(os.TempDir(), username),\n\t\t\tStatus: 1,\n\t\t\tPermissions: map[string][]string{\n\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t},\n\t\t},\n\t}\n\tpreLoginPath := filepath.Join(os.TempDir(), \"prelogin.sh\")\n\tproviderConf := dataprovider.GetProviderConfig()\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = os.WriteFile(preLoginPath, getPreLoginScriptContent(u, false), os.ModePerm)\n\tassert.NoError(t, err)\n\tnewProviderConf := providerConf\n\tnewProviderConf.PreLoginHook = preLoginPath\n\terr = dataprovider.Initialize(newProviderConf, configDir, true)\n\tassert.NoError(t, err)\n\tserver := getTestOIDCServer()\n\tserver.binding.OIDC.CustomFields = []string{\"field1\", \"field2\"}\n\terr = server.binding.OIDC.initialize()\n\tassert.NoError(t, err)\n\terr = server.initializeRouter()\n\trequire.NoError(t, err)\n\n\t_, err = dataprovider.UserExists(username, \"\")\n\tassert.ErrorIs(t, err, util.ErrNotFound)\n\t// now login with OIDC\n\tauthReq := newOIDCPendingAuth(tokenAudienceWebClient)\n\toidcMgr.addPendingAuth(authReq)\n\ttoken := &oauth2.Token{\n\t\tAccessToken: \"1234\",\n\t\tExpiry: time.Now().Add(5 * time.Minute),\n\t}\n\ttoken = token.WithExtra(map[string]any{\n\t\t\"id_token\": \"id_token_val\",\n\t})\n\tserver.binding.OIDC.oauth2Config = &mockOAuth2Config{\n\t\ttokenSource: &mockTokenSource{},\n\t\tauthCodeURL: webOIDCRedirectPath,\n\t\ttoken: token,\n\t}\n\tidToken := &oidc.IDToken{\n\t\tNonce: authReq.Nonce,\n\t\tExpiry: time.Now().Add(5 * time.Minute),\n\t}\n\tsetIDTokenClaims(idToken, []byte(`{\"preferred_username\":\"`+username+`\"}`))\n\tserver.binding.OIDC.verifier = &mockOIDCVerifier{\n\t\terr: nil,\n\t\ttoken: idToken,\n\t}\n\trr := httptest.NewRecorder()\n\tr, err := http.NewRequest(http.MethodGet, webOIDCRedirectPath+\"?state=\"+authReq.State, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientFilesPath, rr.Header().Get(\"Location\"))\n\t_, err = dataprovider.UserExists(username, \"\")\n\tassert.NoError(t, err)\n\n\terr = dataprovider.DeleteUser(username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(u.HomeDir)\n\tassert.NoError(t, err)\n\n\terr = os.WriteFile(preLoginPath, getPreLoginScriptContent(u, true), os.ModePerm)\n\tassert.NoError(t, err)\n\n\tauthReq = newOIDCPendingAuth(tokenAudienceWebClient)\n\toidcMgr.addPendingAuth(authReq)\n\tidToken = &oidc.IDToken{\n\t\tNonce: authReq.Nonce,\n\t\tExpiry: time.Now().Add(5 * time.Minute),\n\t}\n\tsetIDTokenClaims(idToken, []byte(`{\"preferred_username\":\"`+username+`\",\"field1\":\"value1\",\"field2\":\"value2\",\"field3\":\"value3\"}`))\n\tserver.binding.OIDC.verifier = &mockOIDCVerifier{\n\t\terr: nil,\n\t\ttoken: idToken,\n\t}\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodGet, webOIDCRedirectPath+\"?state=\"+authReq.State, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webClientLoginPath, rr.Header().Get(\"Location\"))\n\t_, err = dataprovider.UserExists(username, \"\")\n\tassert.ErrorIs(t, err, util.ErrNotFound)\n\tif assert.Len(t, oidcMgr.tokens, 1) {\n\t\tfor k := range oidcMgr.tokens {\n\t\t\toidcMgr.removeToken(k)\n\t\t}\n\t}\n\trequire.Len(t, oidcMgr.pendingAuths, 0)\n\trequire.Len(t, oidcMgr.tokens, 0)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = os.Remove(preLoginPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestOIDCIsAdmin(t *testing.T) {\n\ttype test struct {\n\t\tinput any\n\t\twant bool\n\t}\n\n\temptySlice := make([]any, 0)\n\n\ttests := []test{\n\t\t{input: \"admin\", want: true},\n\t\t{input: append(emptySlice, \"admin\"), want: true},\n\t\t{input: append(emptySlice, \"user\", \"admin\"), want: true},\n\t\t{input: \"user\", want: false},\n\t\t{input: emptySlice, want: false},\n\t\t{input: append(emptySlice, 1), want: false},\n\t\t{input: 1, want: false},\n\t\t{input: nil, want: false},\n\t\t{input: map[string]string{\"admin\": \"admin\"}, want: false},\n\t}\n\tfor _, tc := range tests {\n\t\ttoken := oidcToken{\n\t\t\tRole: tc.input,\n\t\t}\n\t\tassert.Equal(t, tc.want, token.isAdmin(), \"%v should return %t\", tc.input, tc.want)\n\t}\n}\n\nfunc TestParseAdminRole(t *testing.T) {\n\tclaims := make(map[string]any)\n\trawClaims := []byte(`{\n\t\t\"sub\": \"35666371\",\n\t\t\"email\": \"example@example.com\",\n\t\t\"preferred_username\": \"Sally\",\n\t\t\"name\": \"Sally Tyler\",\n\t\t\"updated_at\": \"2018-04-13T22:08:45Z\",\n\t\t\"given_name\": \"Sally\",\n\t\t\"family_name\": \"Tyler\",\n\t\t\"params\": {\n\t\t \"sftpgo_role\": \"admin\",\n\t\t \"subparams\": {\n\t\t\t\"sftpgo_role\": \"admin\",\n\t\t\t\"inner\": {\n\t\t\t\t\"sftpgo_role\": [\"user\",\"admin\"]\n\t\t\t}\n\t\t }\n\t\t},\n\t\t\"at_hash\": \"lPLhxI2wjEndc-WfyroDZA\",\n\t\t\"rt_hash\": \"mCmxPtA04N-55AxlEUbq-A\",\n\t\t\"aud\": \"78d1d040-20c9-0136-5146-067351775fae92920\",\n\t\t\"exp\": 1523664997,\n\t\t\"iat\": 1523657797\n\t }`)\n\terr := json.Unmarshal(rawClaims, &claims)\n\tassert.NoError(t, err)\n\n\ttype test struct {\n\t\tinput string\n\t\twant bool\n\t\tval any\n\t}\n\n\ttests := []test{\n\t\t{input: \"\", want: false},\n\t\t{input: \"sftpgo_role\", want: false},\n\t\t{input: \"params.sftpgo_role\", want: true, val: \"admin\"},\n\t\t{input: \"params.subparams.sftpgo_role\", want: true, val: \"admin\"},\n\t\t{input: \"params.subparams.inner.sftpgo_role\", want: true, val: []any{\"user\", \"admin\"}},\n\t\t{input: \"email\", want: false},\n\t\t{input: \"missing\", want: false},\n\t\t{input: \"params.email\", want: false},\n\t\t{input: \"missing.sftpgo_role\", want: false},\n\t\t{input: \"params\", want: false},\n\t\t{input: \"params.subparams.inner.sftpgo_role.missing\", want: false},\n\t}\n\n\tfor _, tc := range tests {\n\t\ttoken := oidcToken{}\n\t\ttoken.getRoleFromField(claims, tc.input)\n\t\tassert.Equal(t, tc.want, token.isAdmin(), \"%q should return %t\", tc.input, tc.want)\n\t\tif tc.want {\n\t\t\tassert.Equal(t, tc.val, token.Role)\n\t\t}\n\t}\n}\n\nfunc TestOIDCWithLoginFormsDisabled(t *testing.T) {\n\toidcMgr, ok := oidcMgr.(*memoryOIDCManager)\n\trequire.True(t, ok)\n\n\tserver := getTestOIDCServer()\n\tserver.binding.OIDC.ImplicitRoles = true\n\tserver.binding.DisabledLoginMethods = 12\n\tserver.binding.EnableWebAdmin = true\n\tserver.binding.EnableWebClient = true\n\terr := server.binding.OIDC.initialize()\n\tassert.NoError(t, err)\n\terr = server.initializeRouter()\n\trequire.NoError(t, err)\n\t// login with an admin user\n\tauthReq := newOIDCPendingAuth(tokenAudienceWebAdmin)\n\toidcMgr.addPendingAuth(authReq)\n\ttoken := &oauth2.Token{\n\t\tAccessToken: \"1234\",\n\t\tExpiry: time.Now().Add(5 * time.Minute),\n\t}\n\ttoken = token.WithExtra(map[string]any{\n\t\t\"id_token\": \"id_token_val\",\n\t})\n\tserver.binding.OIDC.oauth2Config = &mockOAuth2Config{\n\t\ttokenSource: &mockTokenSource{},\n\t\tauthCodeURL: webOIDCRedirectPath,\n\t\ttoken: token,\n\t}\n\tidToken := &oidc.IDToken{\n\t\tNonce: authReq.Nonce,\n\t\tExpiry: time.Now().Add(5 * time.Minute),\n\t}\n\tsetIDTokenClaims(idToken, []byte(`{\"preferred_username\":\"admin\",\"sid\":\"sid456\"}`))\n\tserver.binding.OIDC.verifier = &mockOIDCVerifier{\n\t\terr: nil,\n\t\ttoken: idToken,\n\t}\n\trr := httptest.NewRecorder()\n\tr, err := http.NewRequest(http.MethodGet, webOIDCRedirectPath+\"?state=\"+authReq.State, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusFound, rr.Code)\n\tassert.Equal(t, webUsersPath, rr.Header().Get(\"Location\"))\n\tvar tokenCookie string\n\tfor k := range oidcMgr.tokens {\n\t\ttokenCookie = k\n\t}\n\t// we should be able to create admins without setting a password\n\tadminUsername := \"testAdmin\"\n\tform := make(url.Values)\n\tform.Set(csrfFormToken, createCSRFToken(rr, r, server.csrfTokenAuth, tokenCookie, webBaseAdminPath))\n\tform.Set(\"username\", adminUsername)\n\tform.Set(\"password\", \"\")\n\tform.Set(\"status\", \"1\")\n\tform.Set(\"permissions\", \"*\")\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodPost, webAdminPath, bytes.NewBuffer([]byte(form.Encode())))\n\tassert.NoError(t, err)\n\tr.Header.Set(\"Cookie\", fmt.Sprintf(\"%v=%v\", oidcCookieKey, tokenCookie))\n\tr.Header.Set(\"Content-Type\", \"application/x-www-form-urlencoded\")\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusSeeOther, rr.Code)\n\t_, err = dataprovider.AdminExists(adminUsername)\n\tassert.NoError(t, err)\n\terr = dataprovider.DeleteAdmin(adminUsername, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\t// login and password related routes are disabled\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodPost, webAdminLoginPath, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusMethodNotAllowed, rr.Code)\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodPost, webAdminTwoFactorPath, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusNotFound, rr.Code)\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodPost, webClientLoginPath, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusMethodNotAllowed, rr.Code)\n\trr = httptest.NewRecorder()\n\tr, err = http.NewRequest(http.MethodPost, webClientForgotPwdPath, nil)\n\tassert.NoError(t, err)\n\tserver.router.ServeHTTP(rr, r)\n\tassert.Equal(t, http.StatusNotFound, rr.Code)\n}\n\nfunc TestDbOIDCManager(t *testing.T) {\n\tif !isSharedProviderSupported() {\n\t\tt.Skip(\"this test it is not available with this provider\")\n\t}\n\tmgr := newOIDCManager(1)\n\tpendingAuth := newOIDCPendingAuth(tokenAudienceWebAdmin)\n\tmgr.addPendingAuth(pendingAuth)\n\tauthReq, err := mgr.getPendingAuth(pendingAuth.State)\n\tassert.NoError(t, err)\n\tassert.Equal(t, pendingAuth, authReq)\n\tpendingAuth.IssuedAt = util.GetTimeAsMsSinceEpoch(time.Now().Add(-24 * time.Hour))\n\tmgr.addPendingAuth(pendingAuth)\n\t_, err = mgr.getPendingAuth(pendingAuth.State)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"auth request is too old\")\n\t}\n\tmgr.removePendingAuth(pendingAuth.State)\n\t_, err = mgr.getPendingAuth(pendingAuth.State)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unable to get the auth request for the specified state\")\n\t}\n\tmgr.addPendingAuth(pendingAuth)\n\t_, err = mgr.getPendingAuth(pendingAuth.State)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"auth request is too old\")\n\t}\n\tmgr.cleanup()\n\t_, err = mgr.getPendingAuth(pendingAuth.State)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unable to get the auth request for the specified state\")\n\t}\n\n\ttoken := oidcToken{\n\t\tCookie: util.GenerateOpaqueString(),\n\t\tAccessToken: xid.New().String(),\n\t\tTokenType: \"Bearer\",\n\t\tRefreshToken: xid.New().String(),\n\t\tExpiresAt: util.GetTimeAsMsSinceEpoch(time.Now().Add(-2 * time.Minute)),\n\t\tSessionID: xid.New().String(),\n\t\tIDToken: xid.New().String(),\n\t\tNonce: xid.New().String(),\n\t\tUsername: xid.New().String(),\n\t\tPermissions: []string{dataprovider.PermAdminAny},\n\t\tRole: \"admin\",\n\t}\n\tmgr.addToken(token)\n\ttokenGet, err := mgr.getToken(token.Cookie)\n\tassert.NoError(t, err)\n\tassert.Greater(t, tokenGet.UsedAt, int64(0))\n\ttoken.UsedAt = tokenGet.UsedAt\n\tassert.Equal(t, token, tokenGet)\n\ttime.Sleep(100 * time.Millisecond)\n\tmgr.updateTokenUsage(token)\n\t// no change\n\ttokenGet, err = mgr.getToken(token.Cookie)\n\tassert.NoError(t, err)\n\tassert.Equal(t, token.UsedAt, tokenGet.UsedAt)\n\ttokenGet.UsedAt = util.GetTimeAsMsSinceEpoch(time.Now().Add(-24 * time.Hour))\n\ttokenGet.RefreshToken = xid.New().String()\n\tmgr.updateTokenUsage(tokenGet)\n\ttokenGet, err = mgr.getToken(token.Cookie)\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, tokenGet.RefreshToken)\n\tassert.NotEqual(t, token.RefreshToken, tokenGet.RefreshToken)\n\tassert.Greater(t, tokenGet.UsedAt, token.UsedAt)\n\tmgr.removeToken(token.Cookie)\n\ttokenGet, err = mgr.getToken(token.Cookie)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unable to get the token for the specified session\")\n\t}\n\t// add an expired token\n\ttoken.UsedAt = util.GetTimeAsMsSinceEpoch(time.Now().Add(-24 * time.Hour))\n\tsession := dataprovider.Session{\n\t\tKey: token.Cookie,\n\t\tData: token,\n\t\tType: dataprovider.SessionTypeOIDCToken,\n\t\tTimestamp: token.UsedAt + tokenDeleteInterval,\n\t}\n\terr = dataprovider.AddSharedSession(session)\n\tassert.NoError(t, err)\n\t_, err = mgr.getToken(token.Cookie)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"token is too old\")\n\t}\n\tmgr.cleanup()\n\t_, err = mgr.getToken(token.Cookie)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unable to get the token for the specified session\")\n\t}\n\t// adding a session without a key should fail\n\tsession.Key = \"\"\n\terr = dataprovider.AddSharedSession(session)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unable to save a session with an empty key\")\n\t}\n\tsession.Key = xid.New().String()\n\tsession.Type = 1000\n\terr = dataprovider.AddSharedSession(session)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"invalid session type\")\n\t}\n\n\tdbMgr, ok := mgr.(*dbOIDCManager)\n\tif assert.True(t, ok) {\n\t\t_, err = dbMgr.decodePendingAuthData(2)\n\t\tassert.Error(t, err)\n\t\t_, err = dbMgr.decodeTokenData(true)\n\t\tassert.Error(t, err)\n\t}\n}\n\nfunc getTestOIDCServer() *httpdServer {\n\treturn &httpdServer{\n\t\tbinding: Binding{\n\t\t\tOIDC: OIDC{\n\t\t\t\tClientID: \"sftpgo-client\",\n\t\t\t\tClientSecret: \"jRsmE0SWnuZjP7djBqNq0mrf8QN77j2c\",\n\t\t\t\tConfigURL: fmt.Sprintf(\"http://%v/auth/realms/sftpgo\", oidcMockAddr),\n\t\t\t\tRedirectBaseURL: \"http://127.0.0.1:8081/\",\n\t\t\t\tUsernameField: \"preferred_username\",\n\t\t\t\tRoleField: \"sftpgo_role\",\n\t\t\t\tImplicitRoles: false,\n\t\t\t\tScopes: []string{oidc.ScopeOpenID, \"profile\", \"email\"},\n\t\t\t\tCustomFields: nil,\n\t\t\t\tDebug: true,\n\t\t\t},\n\t\t},\n\t\tenableWebAdmin: true,\n\t\tenableWebClient: true,\n\t}\n}\n\nfunc getPreLoginScriptContent(user dataprovider.User, nonJSONResponse bool) []byte {\n\tcontent := []byte(\"#!/bin/sh\\n\\n\")\n\tif nonJSONResponse {\n\t\tcontent = append(content, []byte(\"echo 'text response'\\n\")...)\n\t\treturn content\n\t}\n\tif len(user.Username) > 0 {\n\t\tu, _ := json.Marshal(user)\n\t\tcontent = append(content, []byte(fmt.Sprintf(\"echo '%v'\\n\", string(u)))...)\n\t}\n\treturn content\n}\n" }, { "path": "internal/httpd/oidcmanager.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nvar (\n\toidcMgr oidcManager\n)\n\nfunc newOIDCManager(isShared int) oidcManager {\n\tif isShared == 1 {\n\t\tlogger.Info(logSender, \"\", \"using provider OIDC manager\")\n\t\treturn &dbOIDCManager{}\n\t}\n\tlogger.Info(logSender, \"\", \"using memory OIDC manager\")\n\treturn &memoryOIDCManager{\n\t\tpendingAuths: make(map[string]oidcPendingAuth),\n\t\ttokens: make(map[string]oidcToken),\n\t}\n}\n\ntype oidcManager interface {\n\taddPendingAuth(pendingAuth oidcPendingAuth)\n\tremovePendingAuth(state string)\n\tgetPendingAuth(state string) (oidcPendingAuth, error)\n\taddToken(token oidcToken)\n\tgetToken(cookie string) (oidcToken, error)\n\tremoveToken(cookie string)\n\tupdateTokenUsage(token oidcToken)\n\tcleanup()\n}\n\ntype memoryOIDCManager struct {\n\tauthMutex sync.RWMutex\n\tpendingAuths map[string]oidcPendingAuth\n\ttokenMutex sync.RWMutex\n\ttokens map[string]oidcToken\n}\n\nfunc (o *memoryOIDCManager) addPendingAuth(pendingAuth oidcPendingAuth) {\n\to.authMutex.Lock()\n\to.pendingAuths[pendingAuth.State] = pendingAuth\n\to.authMutex.Unlock()\n}\n\nfunc (o *memoryOIDCManager) removePendingAuth(state string) {\n\to.authMutex.Lock()\n\tdefer o.authMutex.Unlock()\n\n\tdelete(o.pendingAuths, state)\n}\n\nfunc (o *memoryOIDCManager) getPendingAuth(state string) (oidcPendingAuth, error) {\n\to.authMutex.RLock()\n\tdefer o.authMutex.RUnlock()\n\n\tauthReq, ok := o.pendingAuths[state]\n\tif !ok {\n\t\treturn oidcPendingAuth{}, errors.New(\"oidc: no auth request found for the specified state\")\n\t}\n\tdiff := util.GetTimeAsMsSinceEpoch(time.Now()) - authReq.IssuedAt\n\tif diff > authStateValidity {\n\t\treturn oidcPendingAuth{}, errors.New(\"oidc: auth request is too old\")\n\t}\n\treturn authReq, nil\n}\n\nfunc (o *memoryOIDCManager) addToken(token oidcToken) {\n\to.tokenMutex.Lock()\n\ttoken.UsedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\to.tokens[token.Cookie] = token\n\to.tokenMutex.Unlock()\n}\n\nfunc (o *memoryOIDCManager) getToken(cookie string) (oidcToken, error) {\n\to.tokenMutex.RLock()\n\tdefer o.tokenMutex.RUnlock()\n\n\ttoken, ok := o.tokens[cookie]\n\tif !ok {\n\t\treturn oidcToken{}, errors.New(\"oidc: no token found for the specified session\")\n\t}\n\tdiff := util.GetTimeAsMsSinceEpoch(time.Now()) - token.UsedAt\n\tif diff > tokenDeleteInterval {\n\t\treturn oidcToken{}, errors.New(\"oidc: token is too old\")\n\t}\n\treturn token, nil\n}\n\nfunc (o *memoryOIDCManager) removeToken(cookie string) {\n\to.tokenMutex.Lock()\n\tdefer o.tokenMutex.Unlock()\n\n\tdelete(o.tokens, cookie)\n}\n\nfunc (o *memoryOIDCManager) updateTokenUsage(token oidcToken) {\n\tdiff := util.GetTimeAsMsSinceEpoch(time.Now()) - token.UsedAt\n\tif diff > tokenUpdateInterval {\n\t\to.addToken(token)\n\t}\n}\n\nfunc (o *memoryOIDCManager) cleanup() {\n\to.cleanupAuthRequests()\n\to.cleanupTokens()\n}\n\nfunc (o *memoryOIDCManager) cleanupAuthRequests() {\n\to.authMutex.Lock()\n\tdefer o.authMutex.Unlock()\n\n\tfor k, auth := range o.pendingAuths {\n\t\tdiff := util.GetTimeAsMsSinceEpoch(time.Now()) - auth.IssuedAt\n\t\t// remove old pending auth requests\n\t\tif diff < 0 || diff > authStateValidity {\n\t\t\tdelete(o.pendingAuths, k)\n\t\t}\n\t}\n}\n\nfunc (o *memoryOIDCManager) cleanupTokens() {\n\to.tokenMutex.Lock()\n\tdefer o.tokenMutex.Unlock()\n\n\tfor k, token := range o.tokens {\n\t\tdiff := util.GetTimeAsMsSinceEpoch(time.Now()) - token.UsedAt\n\t\t// remove tokens unused from more than tokenDeleteInterval\n\t\tif diff > tokenDeleteInterval {\n\t\t\tdelete(o.tokens, k)\n\t\t}\n\t}\n}\n\ntype dbOIDCManager struct{}\n\nfunc (o *dbOIDCManager) addPendingAuth(pendingAuth oidcPendingAuth) {\n\tsession := dataprovider.Session{\n\t\tKey: pendingAuth.State,\n\t\tData: pendingAuth,\n\t\tType: dataprovider.SessionTypeOIDCAuth,\n\t\tTimestamp: pendingAuth.IssuedAt + authStateValidity,\n\t}\n\tdataprovider.AddSharedSession(session) //nolint:errcheck\n}\n\nfunc (o *dbOIDCManager) removePendingAuth(state string) {\n\tdataprovider.DeleteSharedSession(state, dataprovider.SessionTypeOIDCAuth) //nolint:errcheck\n}\n\nfunc (o *dbOIDCManager) getPendingAuth(state string) (oidcPendingAuth, error) {\n\tsession, err := dataprovider.GetSharedSession(state, dataprovider.SessionTypeOIDCAuth)\n\tif err != nil {\n\t\treturn oidcPendingAuth{}, errors.New(\"oidc: unable to get the auth request for the specified state\")\n\t}\n\tif session.Timestamp < util.GetTimeAsMsSinceEpoch(time.Now()) {\n\t\t// expired\n\t\treturn oidcPendingAuth{}, errors.New(\"oidc: auth request is too old\")\n\t}\n\treturn o.decodePendingAuthData(session.Data)\n}\n\nfunc (o *dbOIDCManager) decodePendingAuthData(data any) (oidcPendingAuth, error) {\n\tif val, ok := data.([]byte); ok {\n\t\tauthReq := oidcPendingAuth{}\n\t\terr := json.Unmarshal(val, &authReq)\n\t\treturn authReq, err\n\t}\n\tlogger.Error(logSender, \"\", \"invalid oidc auth request data type %T\", data)\n\treturn oidcPendingAuth{}, errors.New(\"oidc: invalid auth request data\")\n}\n\nfunc (o *dbOIDCManager) addToken(token oidcToken) {\n\ttoken.UsedAt = util.GetTimeAsMsSinceEpoch(time.Now())\n\tsession := dataprovider.Session{\n\t\tKey: token.Cookie,\n\t\tData: token,\n\t\tType: dataprovider.SessionTypeOIDCToken,\n\t\tTimestamp: token.UsedAt + tokenDeleteInterval,\n\t}\n\tdataprovider.AddSharedSession(session) //nolint:errcheck\n}\n\nfunc (o *dbOIDCManager) removeToken(cookie string) {\n\tdataprovider.DeleteSharedSession(cookie, dataprovider.SessionTypeOIDCToken) //nolint:errcheck\n}\n\nfunc (o *dbOIDCManager) updateTokenUsage(token oidcToken) {\n\tdiff := util.GetTimeAsMsSinceEpoch(time.Now()) - token.UsedAt\n\tif diff > tokenUpdateInterval {\n\t\to.addToken(token)\n\t}\n}\n\nfunc (o *dbOIDCManager) getToken(cookie string) (oidcToken, error) {\n\tsession, err := dataprovider.GetSharedSession(cookie, dataprovider.SessionTypeOIDCToken)\n\tif err != nil {\n\t\treturn oidcToken{}, errors.New(\"oidc: unable to get the token for the specified session\")\n\t}\n\tif session.Timestamp < util.GetTimeAsMsSinceEpoch(time.Now()) {\n\t\t// expired\n\t\treturn oidcToken{}, errors.New(\"oidc: token is too old\")\n\t}\n\treturn o.decodeTokenData(session.Data)\n}\n\nfunc (o *dbOIDCManager) decodeTokenData(data any) (oidcToken, error) {\n\tif val, ok := data.([]byte); ok {\n\t\ttoken := oidcToken{}\n\t\terr := json.Unmarshal(val, &token)\n\t\treturn token, err\n\t}\n\tlogger.Error(logSender, \"\", \"invalid oidc token data type %T\", data)\n\treturn oidcToken{}, errors.New(\"oidc: invalid token data\")\n}\n\nfunc (o *dbOIDCManager) cleanup() {\n\tdataprovider.CleanupSharedSessions(dataprovider.SessionTypeOIDCAuth, time.Now()) //nolint:errcheck\n\tdataprovider.CleanupSharedSessions(dataprovider.SessionTypeOIDCToken, time.Now()) //nolint:errcheck\n}\n" }, { "path": "internal/httpd/resetcode.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"encoding/json\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nvar (\n\tresetCodeLifespan = 10 * time.Minute\n\tresetCodesMgr resetCodeManager\n)\n\ntype resetCodeManager interface {\n\tAdd(code *resetCode) error\n\tGet(code string) (*resetCode, error)\n\tDelete(code string) error\n\tCleanup()\n}\n\nfunc newResetCodeManager(isShared int) resetCodeManager {\n\tif isShared == 1 {\n\t\tlogger.Info(logSender, \"\", \"using provider reset code manager\")\n\t\treturn &dbResetCodeManager{}\n\t}\n\tlogger.Info(logSender, \"\", \"using memory reset code manager\")\n\treturn &memoryResetCodeManager{}\n}\n\ntype resetCode struct {\n\tCode string `json:\"code\"`\n\tUsername string `json:\"username\"`\n\tIsAdmin bool `json:\"is_admin\"`\n\tExpiresAt time.Time `json:\"expires_at\"`\n}\n\nfunc newResetCode(username string, isAdmin bool) *resetCode {\n\treturn &resetCode{\n\t\tCode: util.GenerateUniqueID(),\n\t\tUsername: username,\n\t\tIsAdmin: isAdmin,\n\t\tExpiresAt: time.Now().Add(resetCodeLifespan).UTC(),\n\t}\n}\n\nfunc (c *resetCode) isExpired() bool {\n\treturn c.ExpiresAt.Before(time.Now().UTC())\n}\n\ntype memoryResetCodeManager struct {\n\tresetCodes sync.Map\n}\n\nfunc (m *memoryResetCodeManager) Add(code *resetCode) error {\n\tm.resetCodes.Store(code.Code, code)\n\treturn nil\n}\n\nfunc (m *memoryResetCodeManager) Get(code string) (*resetCode, error) {\n\tc, ok := m.resetCodes.Load(code)\n\tif !ok {\n\t\treturn nil, util.NewRecordNotFoundError(\"reset code not found\")\n\t}\n\treturn c.(*resetCode), nil\n}\n\nfunc (m *memoryResetCodeManager) Delete(code string) error {\n\tm.resetCodes.Delete(code)\n\treturn nil\n}\n\nfunc (m *memoryResetCodeManager) Cleanup() {\n\tm.resetCodes.Range(func(key, value any) bool {\n\t\tc, ok := value.(*resetCode)\n\t\tif !ok || c.isExpired() {\n\t\t\tm.resetCodes.Delete(key)\n\t\t}\n\t\treturn true\n\t})\n}\n\ntype dbResetCodeManager struct{}\n\nfunc (m *dbResetCodeManager) Add(code *resetCode) error {\n\tsession := dataprovider.Session{\n\t\tKey: code.Code,\n\t\tData: code,\n\t\tType: dataprovider.SessionTypeResetCode,\n\t\tTimestamp: util.GetTimeAsMsSinceEpoch(code.ExpiresAt),\n\t}\n\treturn dataprovider.AddSharedSession(session)\n}\n\nfunc (m *dbResetCodeManager) Get(code string) (*resetCode, error) {\n\tsession, err := dataprovider.GetSharedSession(code, dataprovider.SessionTypeResetCode)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif session.Timestamp < util.GetTimeAsMsSinceEpoch(time.Now()) {\n\t\t// expired\n\t\treturn nil, util.NewRecordNotFoundError(\"reset code expired\")\n\t}\n\treturn m.decodeData(session.Data)\n}\n\nfunc (m *dbResetCodeManager) decodeData(data any) (*resetCode, error) {\n\tif val, ok := data.([]byte); ok {\n\t\tc := &resetCode{}\n\t\terr := json.Unmarshal(val, c)\n\t\treturn c, err\n\t}\n\tlogger.Error(logSender, \"\", \"invalid reset code data type %T\", data)\n\treturn nil, util.NewRecordNotFoundError(\"invalid reset code\")\n}\n\nfunc (m *dbResetCodeManager) Delete(code string) error {\n\treturn dataprovider.DeleteSharedSession(code, dataprovider.SessionTypeResetCode)\n}\n\nfunc (m *dbResetCodeManager) Cleanup() {\n\tdataprovider.CleanupSharedSessions(dataprovider.SessionTypeResetCode, time.Now()) //nolint:errcheck\n}\n" }, { "path": "internal/httpd/resources.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build !bundle\n\npackage httpd\n\nimport (\n\t\"net/http\"\n\n\t\"github.com/go-chi/chi/v5\"\n)\n\nfunc serveStaticDir(router chi.Router, path, fsDirPath string, disableDirectoryIndex bool) {\n\tfileServer(router, path, http.Dir(fsDirPath), disableDirectoryIndex)\n}\n" }, { "path": "internal/httpd/resources_embedded.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build bundle\n\npackage httpd\n\nimport (\n\t\"net/http\"\n\n\t\"github.com/go-chi/chi/v5\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/bundle\"\n)\n\nfunc serveStaticDir(router chi.Router, path, fsDirPath string, disableDirectoryIndex bool) {\n\tswitch path {\n\tcase webStaticFilesPath:\n\t\tfileServer(router, path, bundle.GetStaticFs(), disableDirectoryIndex)\n\tcase webOpenAPIPath:\n\t\tfileServer(router, path, bundle.GetOpenAPIFs(), disableDirectoryIndex)\n\tdefault:\n\t\tfileServer(router, path, http.Dir(fsDirPath), disableDirectoryIndex)\n\t}\n}\n" }, { "path": "internal/httpd/server.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"context\"\n\t\"crypto/rand\"\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"errors\"\n\t\"fmt\"\n\t\"log\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"slices\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/go-chi/chi/v5\"\n\t\"github.com/go-chi/chi/v5/middleware\"\n\t\"github.com/go-chi/render\"\n\t\"github.com/go-jose/go-jose/v4\"\n\t\"github.com/rs/cors\"\n\t\"github.com/rs/xid\"\n\t\"github.com/sftpgo/sdk\"\n\t\"github.com/unrolled/secure\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/acme\"\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/jwt\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/mfa\"\n\t\"github.com/drakkan/sftpgo/v2/internal/smtp\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n)\n\nconst (\n\tjsonAPISuffix = \"/json\"\n)\n\nvar (\n\tcompressor = middleware.NewCompressor(5)\n\txForwardedProto = http.CanonicalHeaderKey(\"X-Forwarded-Proto\")\n)\n\ntype httpdServer struct {\n\tbinding Binding\n\tstaticFilesPath string\n\topenAPIPath string\n\tenableWebAdmin bool\n\tenableWebClient bool\n\tenableRESTAPI bool\n\trenderOpenAPI bool\n\tisShared int\n\trouter *chi.Mux\n\ttokenAuth *jwt.Signer\n\tcsrfTokenAuth *jwt.Signer\n\tsigningPassphrase string\n\tcors CorsConfig\n}\n\nfunc newHttpdServer(b Binding, staticFilesPath, signingPassphrase string, cors CorsConfig,\n\topenAPIPath string,\n) *httpdServer {\n\tif openAPIPath == \"\" {\n\t\tb.RenderOpenAPI = false\n\t}\n\treturn &httpdServer{\n\t\tbinding: b,\n\t\tstaticFilesPath: staticFilesPath,\n\t\topenAPIPath: openAPIPath,\n\t\tenableWebAdmin: b.EnableWebAdmin,\n\t\tenableWebClient: b.EnableWebClient,\n\t\tenableRESTAPI: b.EnableRESTAPI,\n\t\trenderOpenAPI: b.RenderOpenAPI,\n\t\tsigningPassphrase: signingPassphrase,\n\t\tcors: cors,\n\t}\n}\n\nfunc (s *httpdServer) setShared(value int) {\n\ts.isShared = value\n}\n\nfunc (s *httpdServer) listenAndServe() error {\n\tif err := s.initializeRouter(); err != nil {\n\t\treturn err\n\t}\n\thttpServer := &http.Server{\n\t\tHandler: s.router,\n\t\tReadHeaderTimeout: 30 * time.Second,\n\t\tIdleTimeout: 60 * time.Second,\n\t\tMaxHeaderBytes: 1 << 16, // 64KB\n\t\tErrorLog: log.New(&logger.StdLoggerWrapper{Sender: logSender}, \"\", 0),\n\t}\n\tif certMgr != nil && s.binding.EnableHTTPS {\n\t\tcertID := common.DefaultTLSKeyPaidID\n\t\tif getConfigPath(s.binding.CertificateFile, \"\") != \"\" && getConfigPath(s.binding.CertificateKeyFile, \"\") != \"\" {\n\t\t\tcertID = s.binding.GetAddress()\n\t\t}\n\t\tconfig := &tls.Config{\n\t\t\tGetCertificate: certMgr.GetCertificateFunc(certID),\n\t\t\tMinVersion: util.GetTLSVersion(s.binding.MinTLSVersion),\n\t\t\tNextProtos: util.GetALPNProtocols(s.binding.Protocols),\n\t\t\tCipherSuites: util.GetTLSCiphersFromNames(s.binding.TLSCipherSuites),\n\t\t}\n\t\thttpServer.TLSConfig = config\n\t\tlogger.Debug(logSender, \"\", \"configured TLS cipher suites for binding %q: %v, certID: %v\",\n\t\t\ts.binding.GetAddress(), httpServer.TLSConfig.CipherSuites, certID)\n\t\tif s.binding.isMutualTLSEnabled() {\n\t\t\thttpServer.TLSConfig.ClientCAs = certMgr.GetRootCAs()\n\t\t\thttpServer.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert\n\t\t\thttpServer.TLSConfig.VerifyConnection = s.verifyTLSConnection\n\t\t}\n\t\treturn util.HTTPListenAndServe(httpServer, s.binding.Address, s.binding.Port, true,\n\t\t\ts.binding.listenerWrapper(), logSender)\n\t}\n\treturn util.HTTPListenAndServe(httpServer, s.binding.Address, s.binding.Port, false,\n\t\ts.binding.listenerWrapper(), logSender)\n}\n\nfunc (s *httpdServer) verifyTLSConnection(state tls.ConnectionState) error {\n\tif certMgr != nil {\n\t\tvar clientCrt *x509.Certificate\n\t\tvar clientCrtName string\n\t\tif len(state.PeerCertificates) > 0 {\n\t\t\tclientCrt = state.PeerCertificates[0]\n\t\t\tclientCrtName = clientCrt.Subject.String()\n\t\t}\n\t\tif len(state.VerifiedChains) == 0 {\n\t\t\tlogger.Warn(logSender, \"\", \"TLS connection cannot be verified: unable to get verification chain\")\n\t\t\treturn errors.New(\"TLS connection cannot be verified: unable to get verification chain\")\n\t\t}\n\t\tfor _, verifiedChain := range state.VerifiedChains {\n\t\t\tvar caCrt *x509.Certificate\n\t\t\tif len(verifiedChain) > 0 {\n\t\t\t\tcaCrt = verifiedChain[len(verifiedChain)-1]\n\t\t\t}\n\t\t\tif certMgr.IsRevoked(clientCrt, caCrt) {\n\t\t\t\tlogger.Debug(logSender, \"\", \"tls handshake error, client certificate %q has been revoked\", clientCrtName)\n\t\t\t\treturn common.ErrCrtRevoked\n\t\t\t}\n\t\t}\n\t}\n\n\treturn nil\n}\n\nfunc (s *httpdServer) refreshCookie(next http.Handler) http.Handler {\n\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\ts.checkCookieExpiration(w, r)\n\t\tnext.ServeHTTP(w, r)\n\t})\n}\n\nfunc (s *httpdServer) renderClientLoginPage(w http.ResponseWriter, r *http.Request, err *util.I18nError) {\n\tdata := loginPage{\n\t\tcommonBasePage: getCommonBasePage(r),\n\t\tTitle: util.I18nLoginTitle,\n\t\tCurrentURL: webClientLoginPath,\n\t\tError: err,\n\t\tCSRFToken: createCSRFToken(w, r, s.csrfTokenAuth, rand.Text(), webBaseClientPath),\n\t\tBranding: s.binding.webClientBranding(),\n\t\tLanguages: s.binding.languages(),\n\t\tFormDisabled: s.binding.isWebClientLoginFormDisabled(),\n\t\tCheckRedirect: true,\n\t}\n\tif next := r.URL.Query().Get(\"next\"); strings.HasPrefix(next, webClientFilesPath) {\n\t\tdata.CurrentURL += \"?next=\" + url.QueryEscape(next)\n\t}\n\tif s.binding.showAdminLoginURL() {\n\t\tdata.AltLoginURL = webAdminLoginPath\n\t\tdata.AltLoginName = s.binding.webAdminBranding().ShortName\n\t}\n\tif smtp.IsEnabled() && !data.FormDisabled {\n\t\tdata.ForgotPwdURL = webClientForgotPwdPath\n\t}\n\tif s.binding.OIDC.isEnabled() && !s.binding.isWebClientOIDCLoginDisabled() {\n\t\tdata.OpenIDLoginURL = webClientOIDCLoginPath\n\t}\n\trenderClientTemplate(w, templateCommonLogin, data)\n}\n\nfunc (s *httpdServer) handleWebClientLogout(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)\n\tremoveCookie(w, r, webBaseClientPath)\n\ts.logoutOIDCUser(w, r)\n\n\thttp.Redirect(w, r, webClientLoginPath, http.StatusFound)\n}\n\nfunc (s *httpdServer) handleWebClientChangePwdPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tif err := r.ParseForm(); err != nil {\n\t\ts.renderClientChangePasswordPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidForm))\n\t\treturn\n\t}\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderClientForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\terr := doChangeUserPassword(r, strings.TrimSpace(r.Form.Get(\"current_password\")),\n\t\tstrings.TrimSpace(r.Form.Get(\"new_password1\")), strings.TrimSpace(r.Form.Get(\"new_password2\")))\n\tif err != nil {\n\t\ts.renderClientChangePasswordPage(w, r, util.NewI18nError(err, util.I18nErrorChangePwdGeneric))\n\t\treturn\n\t}\n\ts.handleWebClientLogout(w, r)\n}\n\nfunc (s *httpdServer) handleClientWebLogin(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)\n\tif !dataprovider.HasAdmin() {\n\t\thttp.Redirect(w, r, webAdminSetupPath, http.StatusFound)\n\t\treturn\n\t}\n\tmsg := getFlashMessage(w, r)\n\ts.renderClientLoginPage(w, r, msg.getI18nError())\n}\n\nfunc (s *httpdServer) handleWebClientLoginPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)\n\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := r.ParseForm(); err != nil {\n\t\ts.renderClientLoginPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidForm))\n\t\treturn\n\t}\n\tprotocol := common.ProtocolHTTP\n\tusername := strings.TrimSpace(r.Form.Get(\"username\"))\n\tpassword := r.Form.Get(\"password\")\n\tif username == \"\" || password == \"\" {\n\t\tupdateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},\n\t\t\tdataprovider.LoginMethodPassword, ipAddr, common.ErrNoCredentials, r)\n\t\ts.renderClientLoginPage(w, r,\n\t\t\tutil.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials))\n\t\treturn\n\t}\n\tif err := verifyLoginCookieAndCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\tupdateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},\n\t\t\tdataprovider.LoginMethodPassword, ipAddr, err, r)\n\t\ts.renderClientLoginPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t}\n\n\tif err := common.Config.ExecutePostConnectHook(ipAddr, protocol); err != nil {\n\t\tupdateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},\n\t\t\tdataprovider.LoginMethodPassword, ipAddr, err, r)\n\t\ts.renderClientLoginPage(w, r, util.NewI18nError(err, util.I18nError403Message))\n\t\treturn\n\t}\n\n\tuser, err := dataprovider.CheckUserAndPass(username, password, ipAddr, protocol)\n\tif err != nil {\n\t\tupdateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r)\n\t\ts.renderClientLoginPage(w, r,\n\t\t\tutil.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials))\n\t\treturn\n\t}\n\tconnectionID := fmt.Sprintf(\"%v_%v\", protocol, xid.New().String())\n\tif err := checkHTTPClientUser(&user, r, connectionID, true, false); err != nil {\n\t\tupdateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r)\n\t\ts.renderClientLoginPage(w, r, util.NewI18nError(err, util.I18nError403Message))\n\t\treturn\n\t}\n\n\tdefer user.CloseFs() //nolint:errcheck\n\terr = user.CheckFsRoot(connectionID)\n\tif err != nil {\n\t\tlogger.Warn(logSender, connectionID, \"unable to check fs root: %v\", err)\n\t\tupdateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r)\n\t\ts.renderClientLoginPage(w, r, util.NewI18nError(err, util.I18nErrorFsGeneric))\n\t\treturn\n\t}\n\ts.loginUser(w, r, &user, connectionID, ipAddr, false, s.renderClientLoginPage)\n}\n\nfunc (s *httpdServer) handleWebClientPasswordResetPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)\n\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\terr := r.ParseForm()\n\tif err != nil {\n\t\ts.renderClientResetPwdPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidForm))\n\t\treturn\n\t}\n\tif err := verifyLoginCookieAndCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderClientForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tnewPassword := strings.TrimSpace(r.Form.Get(\"password\"))\n\tconfirmPassword := strings.TrimSpace(r.Form.Get(\"confirm_password\"))\n\t_, user, err := handleResetPassword(r, strings.TrimSpace(r.Form.Get(\"code\")),\n\t\tnewPassword, confirmPassword, false)\n\tif err != nil {\n\t\ts.renderClientResetPwdPage(w, r, util.NewI18nError(err, util.I18nErrorChangePwdGeneric))\n\t\treturn\n\t}\n\tconnectionID := fmt.Sprintf(\"%v_%v\", getProtocolFromRequest(r), xid.New().String())\n\tif err := checkHTTPClientUser(user, r, connectionID, true, false); err != nil {\n\t\ts.renderClientResetPwdPage(w, r, util.NewI18nError(err, util.I18nErrorLoginAfterReset))\n\t\treturn\n\t}\n\n\tdefer user.CloseFs() //nolint:errcheck\n\terr = user.CheckFsRoot(connectionID)\n\tif err != nil {\n\t\tlogger.Warn(logSender, connectionID, \"unable to check fs root: %v\", err)\n\t\ts.renderClientResetPwdPage(w, r, util.NewI18nError(err, util.I18nErrorLoginAfterReset))\n\t\treturn\n\t}\n\ts.loginUser(w, r, user, connectionID, ipAddr, false, s.renderClientResetPwdPage)\n}\n\nfunc (s *httpdServer) handleWebClientTwoFactorRecoveryPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil {\n\t\ts.renderNotFoundPage(w, r, nil)\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := r.ParseForm(); err != nil {\n\t\ts.renderClientTwoFactorRecoveryPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidForm))\n\t\treturn\n\t}\n\tusername := claims.Username\n\trecoveryCode := strings.TrimSpace(r.Form.Get(\"recovery_code\"))\n\tif username == \"\" || recoveryCode == \"\" {\n\t\ts.renderClientTwoFactorRecoveryPage(w, r,\n\t\t\tutil.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials))\n\t\treturn\n\t}\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderClientTwoFactorRecoveryPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tuser, userMerged, err := dataprovider.GetUserVariants(username, \"\")\n\tif err != nil {\n\t\tif errors.Is(err, util.ErrNotFound) {\n\t\t\thandleDefenderEventLoginFailed(ipAddr, err) //nolint:errcheck\n\t\t}\n\t\ts.renderClientTwoFactorRecoveryPage(w, r,\n\t\t\tutil.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials))\n\t\treturn\n\t}\n\tif !userMerged.Filters.TOTPConfig.Enabled || !slices.Contains(userMerged.Filters.TOTPConfig.Protocols, common.ProtocolHTTP) {\n\t\ts.renderClientTwoFactorPage(w, r, util.NewI18nError(\n\t\t\tutil.NewValidationError(\"two factory authentication is not enabled\"), util.I18n2FADisabled))\n\t\treturn\n\t}\n\tfor idx, code := range user.Filters.RecoveryCodes {\n\t\tif err := code.Secret.Decrypt(); err != nil {\n\t\t\ts.renderClientInternalServerErrorPage(w, r, fmt.Errorf(\"unable to decrypt recovery code: %w\", err))\n\t\t\treturn\n\t\t}\n\t\tif code.Secret.GetPayload() == recoveryCode {\n\t\t\tif code.Used {\n\t\t\t\ts.renderClientTwoFactorRecoveryPage(w, r,\n\t\t\t\t\tutil.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials))\n\t\t\t\treturn\n\t\t\t}\n\t\t\tuser.Filters.RecoveryCodes[idx].Used = true\n\t\t\terr = dataprovider.UpdateUser(&user, dataprovider.ActionExecutorSelf, ipAddr, user.Role)\n\t\t\tif err != nil {\n\t\t\t\tlogger.Warn(logSender, \"\", \"unable to set the recovery code %q as used: %v\", recoveryCode, err)\n\t\t\t\ts.renderClientInternalServerErrorPage(w, r, errors.New(\"unable to set the recovery code as used\"))\n\t\t\t\treturn\n\t\t\t}\n\t\t\tconnectionID := fmt.Sprintf(\"%v_%v\", getProtocolFromRequest(r), xid.New().String())\n\t\t\ts.loginUser(w, r, &userMerged, connectionID, ipAddr, true,\n\t\t\t\ts.renderClientTwoFactorRecoveryPage)\n\t\t\treturn\n\t\t}\n\t}\n\thandleDefenderEventLoginFailed(ipAddr, dataprovider.ErrInvalidCredentials) //nolint:errcheck\n\ts.renderClientTwoFactorRecoveryPage(w, r,\n\t\tutil.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials))\n}\n\nfunc (s *httpdServer) handleWebClientTwoFactorPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil {\n\t\ts.renderNotFoundPage(w, r, nil)\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := r.ParseForm(); err != nil {\n\t\ts.renderClientTwoFactorPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidForm))\n\t\treturn\n\t}\n\tusername := claims.Username\n\tpasscode := strings.TrimSpace(r.Form.Get(\"passcode\"))\n\tif username == \"\" || passcode == \"\" {\n\t\tupdateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},\n\t\t\tdataprovider.LoginMethodPassword, ipAddr, common.ErrNoCredentials, r)\n\t\ts.renderClientTwoFactorPage(w, r,\n\t\t\tutil.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials))\n\t\treturn\n\t}\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\tupdateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},\n\t\t\tdataprovider.LoginMethodPassword, ipAddr, err, r)\n\t\ts.renderClientTwoFactorPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tuser, err := dataprovider.GetUserWithGroupSettings(username, \"\")\n\tif err != nil {\n\t\tupdateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},\n\t\t\tdataprovider.LoginMethodPassword, ipAddr, err, r)\n\t\ts.renderClientTwoFactorPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCredentials))\n\t\treturn\n\t}\n\tif !user.Filters.TOTPConfig.Enabled || !slices.Contains(user.Filters.TOTPConfig.Protocols, common.ProtocolHTTP) {\n\t\tupdateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r)\n\t\ts.renderClientTwoFactorPage(w, r, util.NewI18nError(common.ErrInternalFailure, util.I18n2FADisabled))\n\t\treturn\n\t}\n\terr = user.Filters.TOTPConfig.Secret.Decrypt()\n\tif err != nil {\n\t\tupdateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r)\n\t\ts.renderClientInternalServerErrorPage(w, r, err)\n\t\treturn\n\t}\n\tmatch, err := mfa.ValidateTOTPPasscode(user.Filters.TOTPConfig.ConfigName, passcode,\n\t\tuser.Filters.TOTPConfig.Secret.GetPayload())\n\tif !match || err != nil {\n\t\tupdateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, dataprovider.ErrInvalidCredentials, r)\n\t\ts.renderClientTwoFactorPage(w, r,\n\t\t\tutil.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials))\n\t\treturn\n\t}\n\tconnectionID := fmt.Sprintf(\"%s_%s\", getProtocolFromRequest(r), xid.New().String())\n\ts.loginUser(w, r, &user, connectionID, ipAddr, true, s.renderClientTwoFactorPage)\n}\n\nfunc (s *httpdServer) handleWebAdminTwoFactorRecoveryPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)\n\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil {\n\t\ts.renderNotFoundPage(w, r, nil)\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := r.ParseForm(); err != nil {\n\t\ts.renderTwoFactorRecoveryPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidForm))\n\t\treturn\n\t}\n\tusername := claims.Username\n\trecoveryCode := strings.TrimSpace(r.Form.Get(\"recovery_code\"))\n\tif username == \"\" || recoveryCode == \"\" {\n\t\ts.renderTwoFactorRecoveryPage(w, r, util.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials))\n\t\treturn\n\t}\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderTwoFactorRecoveryPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tadmin, err := dataprovider.AdminExists(username)\n\tif err != nil {\n\t\tif errors.Is(err, util.ErrNotFound) {\n\t\t\thandleDefenderEventLoginFailed(ipAddr, err) //nolint:errcheck\n\t\t}\n\t\ts.renderTwoFactorRecoveryPage(w, r, util.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials))\n\t\treturn\n\t}\n\tif !admin.Filters.TOTPConfig.Enabled {\n\t\ts.renderTwoFactorRecoveryPage(w, r, util.NewI18nError(util.NewValidationError(\"two factory authentication is not enabled\"), util.I18n2FADisabled))\n\t\treturn\n\t}\n\tfor idx, code := range admin.Filters.RecoveryCodes {\n\t\tif err := code.Secret.Decrypt(); err != nil {\n\t\t\ts.renderInternalServerErrorPage(w, r, fmt.Errorf(\"unable to decrypt recovery code: %w\", err))\n\t\t\treturn\n\t\t}\n\t\tif code.Secret.GetPayload() == recoveryCode {\n\t\t\tif code.Used {\n\t\t\t\ts.renderTwoFactorRecoveryPage(w, r,\n\t\t\t\t\tutil.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials))\n\t\t\t\treturn\n\t\t\t}\n\t\t\tadmin.Filters.RecoveryCodes[idx].Used = true\n\t\t\terr = dataprovider.UpdateAdmin(&admin, dataprovider.ActionExecutorSelf, ipAddr, admin.Role)\n\t\t\tif err != nil {\n\t\t\t\tlogger.Warn(logSender, \"\", \"unable to set the recovery code %q as used: %v\", recoveryCode, err)\n\t\t\t\ts.renderInternalServerErrorPage(w, r, errors.New(\"unable to set the recovery code as used\"))\n\t\t\t\treturn\n\t\t\t}\n\t\t\ts.loginAdmin(w, r, &admin, true, s.renderTwoFactorRecoveryPage, ipAddr)\n\t\t\treturn\n\t\t}\n\t}\n\thandleDefenderEventLoginFailed(ipAddr, dataprovider.ErrInvalidCredentials) //nolint:errcheck\n\ts.renderTwoFactorRecoveryPage(w, r, util.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials))\n}\n\nfunc (s *httpdServer) handleWebAdminTwoFactorPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil {\n\t\ts.renderNotFoundPage(w, r, nil)\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := r.ParseForm(); err != nil {\n\t\ts.renderTwoFactorPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidForm))\n\t\treturn\n\t}\n\tusername := claims.Username\n\tpasscode := strings.TrimSpace(r.Form.Get(\"passcode\"))\n\tif username == \"\" || passcode == \"\" {\n\t\ts.renderTwoFactorPage(w, r, util.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials))\n\t\treturn\n\t}\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\thandleDefenderEventLoginFailed(ipAddr, err) //nolint:errcheck\n\t\ts.renderTwoFactorPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tadmin, err := dataprovider.AdminExists(username)\n\tif err != nil {\n\t\tif errors.Is(err, util.ErrNotFound) {\n\t\t\thandleDefenderEventLoginFailed(ipAddr, err) //nolint:errcheck\n\t\t}\n\t\ts.renderTwoFactorPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCredentials))\n\t\treturn\n\t}\n\tif !admin.Filters.TOTPConfig.Enabled {\n\t\ts.renderTwoFactorPage(w, r, util.NewI18nError(common.ErrInternalFailure, util.I18n2FADisabled))\n\t\treturn\n\t}\n\terr = admin.Filters.TOTPConfig.Secret.Decrypt()\n\tif err != nil {\n\t\ts.renderInternalServerErrorPage(w, r, err)\n\t\treturn\n\t}\n\tmatch, err := mfa.ValidateTOTPPasscode(admin.Filters.TOTPConfig.ConfigName, passcode,\n\t\tadmin.Filters.TOTPConfig.Secret.GetPayload())\n\tif !match || err != nil {\n\t\thandleDefenderEventLoginFailed(ipAddr, dataprovider.ErrInvalidCredentials) //nolint:errcheck\n\t\ts.renderTwoFactorPage(w, r, util.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials))\n\t\treturn\n\t}\n\ts.loginAdmin(w, r, &admin, true, s.renderTwoFactorPage, ipAddr)\n}\n\nfunc (s *httpdServer) handleWebAdminLoginPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)\n\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := r.ParseForm(); err != nil {\n\t\ts.renderAdminLoginPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidForm))\n\t\treturn\n\t}\n\tusername := strings.TrimSpace(r.Form.Get(\"username\"))\n\tpassword := strings.TrimSpace(r.Form.Get(\"password\"))\n\tif username == \"\" || password == \"\" {\n\t\ts.renderAdminLoginPage(w, r, util.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials))\n\t\treturn\n\t}\n\tif err := verifyLoginCookieAndCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderAdminLoginPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tadmin, err := dataprovider.CheckAdminAndPass(username, password, ipAddr)\n\tif err != nil {\n\t\thandleDefenderEventLoginFailed(ipAddr, err) //nolint:errcheck\n\t\ts.renderAdminLoginPage(w, r, util.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials))\n\t\treturn\n\t}\n\ts.loginAdmin(w, r, &admin, false, s.renderAdminLoginPage, ipAddr)\n}\n\nfunc (s *httpdServer) renderAdminLoginPage(w http.ResponseWriter, r *http.Request, err *util.I18nError) {\n\tdata := loginPage{\n\t\tcommonBasePage: getCommonBasePage(r),\n\t\tTitle: util.I18nLoginTitle,\n\t\tCurrentURL: webAdminLoginPath,\n\t\tError: err,\n\t\tCSRFToken: createCSRFToken(w, r, s.csrfTokenAuth, rand.Text(), webBaseAdminPath),\n\t\tBranding: s.binding.webAdminBranding(),\n\t\tLanguages: s.binding.languages(),\n\t\tFormDisabled: s.binding.isWebAdminLoginFormDisabled(),\n\t\tCheckRedirect: false,\n\t}\n\tif s.binding.showClientLoginURL() {\n\t\tdata.AltLoginURL = webClientLoginPath\n\t\tdata.AltLoginName = s.binding.webClientBranding().ShortName\n\t}\n\tif smtp.IsEnabled() && !data.FormDisabled {\n\t\tdata.ForgotPwdURL = webAdminForgotPwdPath\n\t}\n\tif s.binding.OIDC.hasRoles() && !s.binding.isWebAdminOIDCLoginDisabled() {\n\t\tdata.OpenIDLoginURL = webAdminOIDCLoginPath\n\t}\n\trenderAdminTemplate(w, templateCommonLogin, data)\n}\n\nfunc (s *httpdServer) handleWebAdminLogin(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)\n\tif !dataprovider.HasAdmin() {\n\t\thttp.Redirect(w, r, webAdminSetupPath, http.StatusFound)\n\t\treturn\n\t}\n\tmsg := getFlashMessage(w, r)\n\ts.renderAdminLoginPage(w, r, msg.getI18nError())\n}\n\nfunc (s *httpdServer) handleWebAdminLogout(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tremoveCookie(w, r, webBaseAdminPath)\n\ts.logoutOIDCUser(w, r)\n\n\thttp.Redirect(w, r, webAdminLoginPath, http.StatusFound)\n}\n\nfunc (s *httpdServer) handleWebAdminChangePwdPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\terr := r.ParseForm()\n\tif err != nil {\n\t\ts.renderChangePasswordPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidForm))\n\t\treturn\n\t}\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\terr = doChangeAdminPassword(r, strings.TrimSpace(r.Form.Get(\"current_password\")),\n\t\tstrings.TrimSpace(r.Form.Get(\"new_password1\")), strings.TrimSpace(r.Form.Get(\"new_password2\")))\n\tif err != nil {\n\t\ts.renderChangePasswordPage(w, r, util.NewI18nError(err, util.I18nErrorChangePwdGeneric))\n\t\treturn\n\t}\n\ts.handleWebAdminLogout(w, r)\n}\n\nfunc (s *httpdServer) handleWebAdminPasswordResetPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)\n\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\terr := r.ParseForm()\n\tif err != nil {\n\t\ts.renderResetPwdPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidForm))\n\t\treturn\n\t}\n\tif err := verifyLoginCookieAndCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tnewPassword := strings.TrimSpace(r.Form.Get(\"password\"))\n\tconfirmPassword := strings.TrimSpace(r.Form.Get(\"confirm_password\"))\n\tadmin, _, err := handleResetPassword(r, strings.TrimSpace(r.Form.Get(\"code\")),\n\t\tnewPassword, confirmPassword, true)\n\tif err != nil {\n\t\ts.renderResetPwdPage(w, r, util.NewI18nError(err, util.I18nErrorChangePwdGeneric))\n\t\treturn\n\t}\n\n\ts.loginAdmin(w, r, admin, false, s.renderResetPwdPage, ipAddr)\n}\n\nfunc (s *httpdServer) handleWebAdminSetupPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)\n\tif dataprovider.HasAdmin() {\n\t\ts.renderBadRequestPage(w, r, errors.New(\"an admin user already exists\"))\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\terr := r.ParseForm()\n\tif err != nil {\n\t\ts.renderAdminSetupPage(w, r, \"\", util.NewI18nError(err, util.I18nErrorInvalidForm))\n\t\treturn\n\t}\n\tif err := verifyLoginCookieAndCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tusername := strings.TrimSpace(r.Form.Get(\"username\"))\n\tpassword := strings.TrimSpace(r.Form.Get(\"password\"))\n\tconfirmPassword := strings.TrimSpace(r.Form.Get(\"confirm_password\"))\n\tinstallCode := strings.TrimSpace(r.Form.Get(\"install_code\"))\n\tif installationCode != \"\" && installCode != resolveInstallationCode() {\n\t\ts.renderAdminSetupPage(w, r, username,\n\t\t\tutil.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"%v mismatch\", installationCodeHint)),\n\t\t\t\tutil.I18nErrorSetupInstallCode),\n\t\t)\n\t\treturn\n\t}\n\tif username == \"\" {\n\t\ts.renderAdminSetupPage(w, r, username,\n\t\t\tutil.NewI18nError(util.NewValidationError(\"please set a username\"), util.I18nError500Message))\n\t\treturn\n\t}\n\tif password == \"\" {\n\t\ts.renderAdminSetupPage(w, r, username,\n\t\t\tutil.NewI18nError(util.NewValidationError(\"please set a password\"), util.I18nError500Message))\n\t\treturn\n\t}\n\tif password != confirmPassword {\n\t\ts.renderAdminSetupPage(w, r, username,\n\t\t\tutil.NewI18nError(errors.New(\"the two password fields do not match\"), util.I18nErrorChangePwdNoMatch))\n\t\treturn\n\t}\n\tadmin := dataprovider.Admin{\n\t\tUsername: username,\n\t\tPassword: password,\n\t\tStatus: 1,\n\t\tPermissions: []string{dataprovider.PermAdminAny},\n\t}\n\terr = dataprovider.AddAdmin(&admin, username, ipAddr, \"\")\n\tif err != nil {\n\t\ts.renderAdminSetupPage(w, r, username, util.NewI18nError(err, util.I18nError500Message))\n\t\treturn\n\t}\n\ts.loginAdmin(w, r, &admin, false, nil, ipAddr)\n}\n\nfunc (s *httpdServer) loginUser(\n\tw http.ResponseWriter, r *http.Request, user *dataprovider.User, connectionID, ipAddr string,\n\tisSecondFactorAuth bool, errorFunc func(w http.ResponseWriter, r *http.Request, err *util.I18nError),\n) {\n\tc := &jwt.Claims{\n\t\tUsername: user.Username,\n\t\tPermissions: user.Filters.WebClient,\n\t\tRole: user.Role,\n\t\tMustSetTwoFactorAuth: user.MustSetSecondFactor(),\n\t\tMustChangePassword: user.MustChangePassword(),\n\t\tRequiredTwoFactorProtocols: user.Filters.TwoFactorAuthProtocols,\n\t}\n\tc.Subject = user.GetSignature()\n\n\taudience := tokenAudienceWebClient\n\tif user.Filters.TOTPConfig.Enabled && slices.Contains(user.Filters.TOTPConfig.Protocols, common.ProtocolHTTP) &&\n\t\tuser.CanManageMFA() && !isSecondFactorAuth {\n\t\taudience = tokenAudienceWebClientPartial\n\t}\n\n\terr := createAndSetCookie(w, r, c, s.tokenAuth, audience, ipAddr)\n\tif err != nil {\n\t\tlogger.Warn(logSender, connectionID, \"unable to set user login cookie %v\", err)\n\t\tupdateLoginMetrics(user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r)\n\t\terrorFunc(w, r, util.NewI18nError(err, util.I18nError500Message))\n\t\treturn\n\t}\n\tinvalidateToken(r)\n\tif audience == tokenAudienceWebClientPartial {\n\t\tredirectPath := webClientTwoFactorPath\n\t\tif next := r.URL.Query().Get(\"next\"); strings.HasPrefix(next, webClientFilesPath) {\n\t\t\tredirectPath += \"?next=\" + url.QueryEscape(next)\n\t\t}\n\t\thttp.Redirect(w, r, redirectPath, http.StatusFound)\n\t\treturn\n\t}\n\tupdateLoginMetrics(user, dataprovider.LoginMethodPassword, ipAddr, err, r)\n\tdataprovider.UpdateLastLogin(user)\n\tif next := r.URL.Query().Get(\"next\"); strings.HasPrefix(next, webClientFilesPath) {\n\t\thttp.Redirect(w, r, next, http.StatusFound)\n\t\treturn\n\t}\n\thttp.Redirect(w, r, webClientFilesPath, http.StatusFound)\n}\n\nfunc (s *httpdServer) loginAdmin(\n\tw http.ResponseWriter, r *http.Request, admin *dataprovider.Admin,\n\tisSecondFactorAuth bool, errorFunc func(w http.ResponseWriter, r *http.Request, err *util.I18nError),\n\tipAddr string,\n) {\n\tc := &jwt.Claims{\n\t\tUsername: admin.Username,\n\t\tPermissions: admin.Permissions,\n\t\tRole: admin.Role,\n\t\tHideUserPageSections: admin.Filters.Preferences.HideUserPageSections,\n\t\tMustSetTwoFactorAuth: admin.Filters.RequireTwoFactor && !admin.Filters.TOTPConfig.Enabled,\n\t\tMustChangePassword: admin.Filters.RequirePasswordChange,\n\t}\n\tc.Subject = admin.GetSignature()\n\n\taudience := tokenAudienceWebAdmin\n\tif admin.Filters.TOTPConfig.Enabled && admin.CanManageMFA() && !isSecondFactorAuth {\n\t\taudience = tokenAudienceWebAdminPartial\n\t}\n\n\terr := createAndSetCookie(w, r, c, s.tokenAuth, audience, ipAddr)\n\tif err != nil {\n\t\tlogger.Warn(logSender, \"\", \"unable to set admin login cookie %v\", err)\n\t\tif errorFunc == nil {\n\t\t\ts.renderAdminSetupPage(w, r, admin.Username, util.NewI18nError(err, util.I18nError500Message))\n\t\t\treturn\n\t\t}\n\t\terrorFunc(w, r, util.NewI18nError(err, util.I18nError500Message))\n\t\treturn\n\t}\n\tinvalidateToken(r)\n\tif audience == tokenAudienceWebAdminPartial {\n\t\thttp.Redirect(w, r, webAdminTwoFactorPath, http.StatusFound)\n\t\treturn\n\t}\n\tdataprovider.UpdateAdminLastLogin(admin)\n\tcommon.DelayLogin(nil)\n\tredirectURL := webUsersPath\n\tif errorFunc == nil {\n\t\tredirectURL = webAdminMFAPath\n\t}\n\thttp.Redirect(w, r, redirectURL, http.StatusFound)\n}\n\nfunc (s *httpdServer) logout(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)\n\tinvalidateToken(r)\n\tsendAPIResponse(w, r, nil, \"Your token has been invalidated\", http.StatusOK)\n}\n\nfunc (s *httpdServer) getUserToken(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tusername, password, ok := r.BasicAuth()\n\tprotocol := common.ProtocolHTTP\n\tif !ok {\n\t\tupdateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},\n\t\t\tdataprovider.LoginMethodPassword, ipAddr, common.ErrNoCredentials, r)\n\t\tw.Header().Set(common.HTTPAuthenticationHeader, basicRealm)\n\t\tsendAPIResponse(w, r, nil, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)\n\t\treturn\n\t}\n\tif username == \"\" || strings.TrimSpace(password) == \"\" {\n\t\tupdateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},\n\t\t\tdataprovider.LoginMethodPassword, ipAddr, common.ErrNoCredentials, r)\n\t\tw.Header().Set(common.HTTPAuthenticationHeader, basicRealm)\n\t\tsendAPIResponse(w, r, nil, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)\n\t\treturn\n\t}\n\tif err := common.Config.ExecutePostConnectHook(ipAddr, protocol); err != nil {\n\t\tupdateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},\n\t\t\tdataprovider.LoginMethodPassword, ipAddr, err, r)\n\t\tsendAPIResponse(w, r, err, http.StatusText(http.StatusForbidden), http.StatusForbidden)\n\t\treturn\n\t}\n\tuser, err := dataprovider.CheckUserAndPass(username, password, ipAddr, protocol)\n\tif err != nil {\n\t\tw.Header().Set(common.HTTPAuthenticationHeader, basicRealm)\n\t\tupdateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r)\n\t\tsendAPIResponse(w, r, dataprovider.ErrInvalidCredentials, http.StatusText(http.StatusUnauthorized),\n\t\t\thttp.StatusUnauthorized)\n\t\treturn\n\t}\n\tconnectionID := fmt.Sprintf(\"%v_%v\", protocol, xid.New().String())\n\tif err := checkHTTPClientUser(&user, r, connectionID, true, false); err != nil {\n\t\tupdateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r)\n\t\tsendAPIResponse(w, r, err, http.StatusText(http.StatusForbidden), http.StatusForbidden)\n\t\treturn\n\t}\n\n\tif user.Filters.TOTPConfig.Enabled && slices.Contains(user.Filters.TOTPConfig.Protocols, common.ProtocolHTTP) {\n\t\tpasscode := r.Header.Get(otpHeaderCode)\n\t\tif passcode == \"\" {\n\t\t\tlogger.Debug(logSender, \"\", \"TOTP enabled for user %q and not passcode provided, authentication refused\", user.Username)\n\t\t\tw.Header().Set(common.HTTPAuthenticationHeader, basicRealm)\n\t\t\tupdateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, dataprovider.ErrInvalidCredentials, r)\n\t\t\tsendAPIResponse(w, r, dataprovider.ErrInvalidCredentials, http.StatusText(http.StatusUnauthorized),\n\t\t\t\thttp.StatusUnauthorized)\n\t\t\treturn\n\t\t}\n\t\terr = user.Filters.TOTPConfig.Secret.Decrypt()\n\t\tif err != nil {\n\t\t\tupdateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r)\n\t\t\tsendAPIResponse(w, r, fmt.Errorf(\"unable to decrypt TOTP secret: %w\", err), http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)\n\t\t\treturn\n\t\t}\n\t\tmatch, err := mfa.ValidateTOTPPasscode(user.Filters.TOTPConfig.ConfigName, passcode,\n\t\t\tuser.Filters.TOTPConfig.Secret.GetPayload())\n\t\tif !match || err != nil {\n\t\t\tlogger.Debug(logSender, \"invalid passcode for user %q, match? %v, err: %v\", user.Username, match, err)\n\t\t\tw.Header().Set(common.HTTPAuthenticationHeader, basicRealm)\n\t\t\tupdateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, dataprovider.ErrInvalidCredentials, r)\n\t\t\tsendAPIResponse(w, r, dataprovider.ErrInvalidCredentials, http.StatusText(http.StatusUnauthorized),\n\t\t\t\thttp.StatusUnauthorized)\n\t\t\treturn\n\t\t}\n\t}\n\n\tdefer user.CloseFs() //nolint:errcheck\n\terr = user.CheckFsRoot(connectionID)\n\tif err != nil {\n\t\tlogger.Warn(logSender, connectionID, \"unable to check fs root: %v\", err)\n\t\tupdateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r)\n\t\tsendAPIResponse(w, r, err, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)\n\t\treturn\n\t}\n\n\ts.generateAndSendUserToken(w, r, ipAddr, user)\n}\n\nfunc (s *httpdServer) generateAndSendUserToken(w http.ResponseWriter, r *http.Request, ipAddr string, user dataprovider.User) {\n\tc := &jwt.Claims{\n\t\tUsername: user.Username,\n\t\tPermissions: user.Filters.WebClient,\n\t\tRole: user.Role,\n\t\tMustSetTwoFactorAuth: user.MustSetSecondFactor(),\n\t\tMustChangePassword: user.MustChangePassword(),\n\t\tRequiredTwoFactorProtocols: user.Filters.TwoFactorAuthProtocols,\n\t}\n\tc.Subject = user.GetSignature()\n\n\ttoken, err := s.tokenAuth.SignWithParams(c, tokenAudienceAPIUser, ipAddr, getTokenDuration(tokenAudienceAPIUser))\n\tif err != nil {\n\t\tupdateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r)\n\t\tsendAPIResponse(w, r, err, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)\n\t\treturn\n\t}\n\tupdateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r)\n\tdataprovider.UpdateLastLogin(&user)\n\n\trender.JSON(w, r, c.BuildTokenResponse(token))\n}\n\nfunc (s *httpdServer) getToken(w http.ResponseWriter, r *http.Request) {\n\tusername, password, ok := r.BasicAuth()\n\tif !ok {\n\t\tw.Header().Set(common.HTTPAuthenticationHeader, basicRealm)\n\t\tsendAPIResponse(w, r, nil, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tadmin, err := dataprovider.CheckAdminAndPass(username, password, ipAddr)\n\tif err != nil {\n\t\thandleDefenderEventLoginFailed(ipAddr, err) //nolint:errcheck\n\t\tw.Header().Set(common.HTTPAuthenticationHeader, basicRealm)\n\t\tsendAPIResponse(w, r, dataprovider.ErrInvalidCredentials, http.StatusText(http.StatusUnauthorized),\n\t\t\thttp.StatusUnauthorized)\n\t\treturn\n\t}\n\tif admin.Filters.TOTPConfig.Enabled {\n\t\tpasscode := r.Header.Get(otpHeaderCode)\n\t\tif passcode == \"\" {\n\t\t\tlogger.Debug(logSender, \"\", \"TOTP enabled for admin %q and not passcode provided, authentication refused\", admin.Username)\n\t\t\tw.Header().Set(common.HTTPAuthenticationHeader, basicRealm)\n\t\t\terr = handleDefenderEventLoginFailed(ipAddr, dataprovider.ErrInvalidCredentials)\n\t\t\tsendAPIResponse(w, r, err, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)\n\t\t\treturn\n\t\t}\n\t\terr = admin.Filters.TOTPConfig.Secret.Decrypt()\n\t\tif err != nil {\n\t\t\tsendAPIResponse(w, r, fmt.Errorf(\"unable to decrypt TOTP secret: %w\", err),\n\t\t\t\thttp.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)\n\t\t\treturn\n\t\t}\n\t\tmatch, err := mfa.ValidateTOTPPasscode(admin.Filters.TOTPConfig.ConfigName, passcode,\n\t\t\tadmin.Filters.TOTPConfig.Secret.GetPayload())\n\t\tif !match || err != nil {\n\t\t\tlogger.Debug(logSender, \"invalid passcode for admin %q, match? %v, err: %v\", admin.Username, match, err)\n\t\t\tw.Header().Set(common.HTTPAuthenticationHeader, basicRealm)\n\t\t\terr = handleDefenderEventLoginFailed(ipAddr, dataprovider.ErrInvalidCredentials)\n\t\t\tsendAPIResponse(w, r, err, http.StatusText(http.StatusUnauthorized),\n\t\t\t\thttp.StatusUnauthorized)\n\t\t\treturn\n\t\t}\n\t}\n\n\ts.generateAndSendToken(w, r, admin, ipAddr)\n}\n\nfunc (s *httpdServer) generateAndSendToken(w http.ResponseWriter, r *http.Request, admin dataprovider.Admin, ip string) {\n\tc := &jwt.Claims{\n\t\tUsername: admin.Username,\n\t\tPermissions: admin.Permissions,\n\t\tRole: admin.Role,\n\t\tMustSetTwoFactorAuth: admin.Filters.RequireTwoFactor && !admin.Filters.TOTPConfig.Enabled,\n\t\tMustChangePassword: admin.Filters.RequirePasswordChange,\n\t}\n\tc.Subject = admin.GetSignature()\n\n\ttoken, err := s.tokenAuth.SignWithParams(c, tokenAudienceAPI, ip, getTokenDuration(tokenAudienceAPI))\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)\n\t\treturn\n\t}\n\n\tdataprovider.UpdateAdminLastLogin(&admin)\n\tcommon.DelayLogin(nil)\n\trender.JSON(w, r, c.BuildTokenResponse(token))\n}\n\nfunc (s *httpdServer) checkCookieExpiration(w http.ResponseWriter, r *http.Request) {\n\tif _, ok := r.Context().Value(oidcTokenKey).(string); ok {\n\t\treturn\n\t}\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil {\n\t\treturn\n\t}\n\tif claims.Username == \"\" || claims.Subject == \"\" {\n\t\treturn\n\t}\n\tif time.Until(claims.Expiry.Time()) > cookieRefreshThreshold {\n\t\treturn\n\t}\n\tif (time.Since(claims.IssuedAt.Time()) + cookieTokenDuration) > maxTokenDuration {\n\t\treturn\n\t}\n\tif claims.Audience.Contains(tokenAudienceWebClient) {\n\t\ts.refreshClientToken(w, r, claims)\n\t} else {\n\t\ts.refreshAdminToken(w, r, claims)\n\t}\n}\n\nfunc (s *httpdServer) refreshClientToken(w http.ResponseWriter, r *http.Request, tokenClaims *jwt.Claims) {\n\tuser, err := dataprovider.GetUserWithGroupSettings(tokenClaims.Username, \"\")\n\tif err != nil {\n\t\treturn\n\t}\n\tif user.GetSignature() != tokenClaims.Subject {\n\t\tlogger.Debug(logSender, \"\", \"signature mismatch for user %q, unable to refresh cookie\", user.Username)\n\t\treturn\n\t}\n\tif err := user.CheckLoginConditions(); err != nil {\n\t\tlogger.Debug(logSender, \"\", \"unable to refresh cookie for user %q: %v\", user.Username, err)\n\t\treturn\n\t}\n\tif err := checkHTTPClientUser(&user, r, xid.New().String(), true, false); err != nil {\n\t\tlogger.Debug(logSender, \"\", \"unable to refresh cookie for user %q: %v\", user.Username, err)\n\t\treturn\n\t}\n\n\ttokenClaims.Permissions = user.Filters.WebClient\n\ttokenClaims.Role = user.Role\n\tlogger.Debug(logSender, \"\", \"cookie refreshed for user %q\", user.Username)\n\tcreateAndSetCookie(w, r, tokenClaims, s.tokenAuth, tokenAudienceWebClient, util.GetIPFromRemoteAddress(r.RemoteAddr)) //nolint:errcheck\n}\n\nfunc (s *httpdServer) refreshAdminToken(w http.ResponseWriter, r *http.Request, tokenClaims *jwt.Claims) {\n\tadmin, err := dataprovider.AdminExists(tokenClaims.Username)\n\tif err != nil {\n\t\treturn\n\t}\n\tif admin.GetSignature() != tokenClaims.Subject {\n\t\tlogger.Debug(logSender, \"\", \"signature mismatch for admin %q, unable to refresh cookie\", admin.Username)\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := admin.CanLogin(ipAddr); err != nil {\n\t\tlogger.Debug(logSender, \"\", \"unable to refresh cookie for admin %q, err: %v\", admin.Username, err)\n\t\treturn\n\t}\n\ttokenClaims.Permissions = admin.Permissions\n\ttokenClaims.Role = admin.Role\n\ttokenClaims.HideUserPageSections = admin.Filters.Preferences.HideUserPageSections\n\tlogger.Debug(logSender, \"\", \"cookie refreshed for admin %q\", admin.Username)\n\tcreateAndSetCookie(w, r, tokenClaims, s.tokenAuth, tokenAudienceWebAdmin, ipAddr) //nolint:errcheck\n}\n\nfunc (s *httpdServer) updateContextFromCookie(r *http.Request) *http.Request {\n\t_, err := jwt.FromContext(r.Context())\n\tif err != nil {\n\t\t_, err = r.Cookie(jwt.CookieKey)\n\t\tif err != nil {\n\t\t\treturn r\n\t\t}\n\t\ttoken, err := jwt.VerifyRequest(s.tokenAuth, r, jwt.TokenFromCookie)\n\t\tctx := jwt.NewContext(r.Context(), token, err)\n\t\treturn r.WithContext(ctx)\n\t}\n\treturn r\n}\n\nfunc (s *httpdServer) parseHeaders(next http.Handler) http.Handler {\n\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tresponseControllerDeadlines(\n\t\t\thttp.NewResponseController(w),\n\t\t\ttime.Now().Add(60*time.Second),\n\t\t\ttime.Now().Add(60*time.Second),\n\t\t)\n\t\tw.Header().Set(\"Server\", version.GetServerVersion(\"/\", false))\n\t\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\t\tvar ip net.IP\n\t\tisUnixSocket := filepath.IsAbs(s.binding.Address)\n\t\tif !isUnixSocket {\n\t\t\tip = net.ParseIP(ipAddr)\n\t\t}\n\t\tareHeadersAllowed := false\n\t\tif isUnixSocket || ip != nil {\n\t\t\tfor _, allow := range s.binding.allowHeadersFrom {\n\t\t\t\tif allow(ip) {\n\t\t\t\t\tparsedIP := util.GetRealIP(r, s.binding.ClientIPProxyHeader, s.binding.ClientIPHeaderDepth)\n\t\t\t\t\tif parsedIP != \"\" {\n\t\t\t\t\t\tipAddr = parsedIP\n\t\t\t\t\t\tr.RemoteAddr = ipAddr\n\t\t\t\t\t}\n\t\t\t\t\tif forwardedProto := r.Header.Get(xForwardedProto); forwardedProto != \"\" {\n\t\t\t\t\t\tctx := context.WithValue(r.Context(), forwardedProtoKey, forwardedProto)\n\t\t\t\t\t\tr = r.WithContext(ctx)\n\t\t\t\t\t}\n\t\t\t\t\tareHeadersAllowed = true\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif !areHeadersAllowed {\n\t\t\tfor idx := range s.binding.Security.proxyHeaders {\n\t\t\t\tr.Header.Del(s.binding.Security.proxyHeaders[idx])\n\t\t\t}\n\t\t}\n\n\t\tnext.ServeHTTP(w, r)\n\t})\n}\n\nfunc (s *httpdServer) checkConnection(next http.Handler) http.Handler {\n\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\t\tcommon.Connections.AddClientConnection(ipAddr)\n\t\tdefer common.Connections.RemoveClientConnection(ipAddr)\n\n\t\tif err := common.Connections.IsNewConnectionAllowed(ipAddr, common.ProtocolHTTP); err != nil {\n\t\t\tlogger.Log(logger.LevelDebug, common.ProtocolHTTP, \"\", \"connection not allowed from ip %q: %v\", ipAddr, err)\n\t\t\ts.sendForbiddenResponse(w, r, util.NewI18nError(err, util.I18nErrorConnectionForbidden))\n\t\t\treturn\n\t\t}\n\t\tif common.IsBanned(ipAddr, common.ProtocolHTTP) {\n\t\t\ts.sendForbiddenResponse(w, r, util.NewI18nError(\n\t\t\t\tutil.NewGenericError(\"your IP address is blocked\"),\n\t\t\t\tutil.I18nErrorIPForbidden),\n\t\t\t)\n\t\t\treturn\n\t\t}\n\t\tif delay, err := common.LimitRate(common.ProtocolHTTP, ipAddr); err != nil {\n\t\t\tdelay += 499999999 * time.Nanosecond\n\t\t\tw.Header().Set(\"Retry-After\", fmt.Sprintf(\"%.0f\", delay.Seconds()))\n\t\t\tw.Header().Set(\"X-Retry-In\", delay.String())\n\t\t\ts.sendTooManyRequestResponse(w, r, err)\n\t\t\treturn\n\t\t}\n\n\t\tnext.ServeHTTP(w, r)\n\t})\n}\n\nfunc (s *httpdServer) sendTooManyRequestResponse(w http.ResponseWriter, r *http.Request, err error) {\n\tif (s.enableWebAdmin || s.enableWebClient) && isWebRequest(r) {\n\t\tr = s.updateContextFromCookie(r)\n\t\tif s.enableWebClient && (isWebClientRequest(r) || !s.enableWebAdmin) {\n\t\t\ts.renderClientMessagePage(w, r, util.I18nError429Title, http.StatusTooManyRequests,\n\t\t\t\tutil.NewI18nError(errors.New(http.StatusText(http.StatusTooManyRequests)), util.I18nError429Message), \"\")\n\t\t\treturn\n\t\t}\n\t\ts.renderMessagePage(w, r, util.I18nError429Title, http.StatusTooManyRequests,\n\t\t\tutil.NewI18nError(errors.New(http.StatusText(http.StatusTooManyRequests)), util.I18nError429Message), \"\")\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, err, http.StatusText(http.StatusTooManyRequests), http.StatusTooManyRequests)\n}\n\nfunc (s *httpdServer) sendForbiddenResponse(w http.ResponseWriter, r *http.Request, err error) {\n\tif (s.enableWebAdmin || s.enableWebClient) && isWebRequest(r) {\n\t\tr = s.updateContextFromCookie(r)\n\t\tif s.enableWebClient && (isWebClientRequest(r) || !s.enableWebAdmin) {\n\t\t\ts.renderClientForbiddenPage(w, r, err)\n\t\t\treturn\n\t\t}\n\t\ts.renderForbiddenPage(w, r, err)\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, err, \"\", http.StatusForbidden)\n}\n\nfunc (s *httpdServer) badHostHandler(w http.ResponseWriter, r *http.Request) {\n\thost := r.Host\n\tfor _, header := range s.binding.Security.HostsProxyHeaders {\n\t\tif h := r.Header.Get(header); h != \"\" {\n\t\t\thost = h\n\t\t\tbreak\n\t\t}\n\t}\n\tlogger.Debug(logSender, \"\", \"the host %q is not allowed\", host)\n\ts.sendForbiddenResponse(w, r, util.NewI18nError(\n\t\tutil.NewGenericError(http.StatusText(http.StatusForbidden)),\n\t\tutil.I18nErrorConnectionForbidden,\n\t))\n}\n\nfunc (s *httpdServer) notFoundHandler(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tif (s.enableWebAdmin || s.enableWebClient) && isWebRequest(r) {\n\t\tr = s.updateContextFromCookie(r)\n\t\tif s.enableWebClient && (isWebClientRequest(r) || !s.enableWebAdmin) {\n\t\t\ts.renderClientNotFoundPage(w, r, nil)\n\t\t\treturn\n\t\t}\n\t\ts.renderNotFoundPage(w, r, nil)\n\t\treturn\n\t}\n\tsendAPIResponse(w, r, nil, http.StatusText(http.StatusNotFound), http.StatusNotFound)\n}\n\nfunc (s *httpdServer) redirectToWebPath(w http.ResponseWriter, r *http.Request, webPath string) {\n\tif dataprovider.HasAdmin() {\n\t\thttp.Redirect(w, r, webPath, http.StatusFound)\n\t\treturn\n\t}\n\tif s.enableWebAdmin {\n\t\thttp.Redirect(w, r, webAdminSetupPath, http.StatusFound)\n\t}\n}\n\n// The StripSlashes causes infinite redirects at the root path if used with http.FileServer.\n// We also don't strip paths with more than one trailing slash, see #1434\nfunc (s *httpdServer) mustStripSlash(r *http.Request) bool {\n\turlPath := getURLPath(r)\n\treturn !strings.HasSuffix(urlPath, \"//\") && !strings.HasPrefix(urlPath, webOpenAPIPath) &&\n\t\t!strings.HasPrefix(urlPath, webStaticFilesPath) && !strings.HasPrefix(urlPath, acmeChallengeURI)\n}\n\nfunc (s *httpdServer) mustCheckPath(r *http.Request) bool {\n\turlPath := getURLPath(r)\n\treturn !strings.HasPrefix(urlPath, webStaticFilesPath) && !strings.HasPrefix(urlPath, acmeChallengeURI)\n}\n\nfunc (s *httpdServer) initializeRouter() error {\n\tsigner, err := jwt.NewSigner(jose.HS256, getSigningKey(s.signingPassphrase))\n\tif err != nil {\n\t\treturn err\n\t}\n\tcsrfSigner, err := jwt.NewSigner(jose.HS256, getSigningKey(s.signingPassphrase))\n\tif err != nil {\n\t\treturn err\n\t}\n\tvar hasHTTPSRedirect bool\n\ts.tokenAuth = signer\n\ts.csrfTokenAuth = csrfSigner\n\ts.router = chi.NewRouter()\n\n\ts.router.Use(middleware.RequestID)\n\ts.router.Use(s.parseHeaders)\n\ts.router.Use(logger.NewStructuredLogger(logger.GetLogger()))\n\ts.router.Use(middleware.Recoverer)\n\tif s.binding.Security.Enabled {\n\t\tsecureMiddleware := secure.New(secure.Options{\n\t\t\tAllowedHosts: s.binding.Security.AllowedHosts,\n\t\t\tAllowedHostsAreRegex: s.binding.Security.AllowedHostsAreRegex,\n\t\t\tHostsProxyHeaders: s.binding.Security.HostsProxyHeaders,\n\t\t\tSSLProxyHeaders: s.binding.Security.getHTTPSProxyHeaders(),\n\t\t\tSTSSeconds: s.binding.Security.STSSeconds,\n\t\t\tSTSIncludeSubdomains: s.binding.Security.STSIncludeSubdomains,\n\t\t\tSTSPreload: s.binding.Security.STSPreload,\n\t\t\tContentTypeNosniff: s.binding.Security.ContentTypeNosniff,\n\t\t\tContentSecurityPolicy: s.binding.Security.ContentSecurityPolicy,\n\t\t\tPermissionsPolicy: s.binding.Security.PermissionsPolicy,\n\t\t\tCrossOriginOpenerPolicy: s.binding.Security.CrossOriginOpenerPolicy,\n\t\t\tCrossOriginResourcePolicy: s.binding.Security.CrossOriginResourcePolicy,\n\t\t\tCrossOriginEmbedderPolicy: s.binding.Security.CrossOriginEmbedderPolicy,\n\t\t\tReferrerPolicy: s.binding.Security.ReferrerPolicy,\n\t\t})\n\t\tsecureMiddleware.SetBadHostHandler(http.HandlerFunc(s.badHostHandler))\n\t\tif s.binding.Security.CacheControl == \"private\" {\n\t\t\ts.router.Use(cacheControlMiddleware)\n\t\t}\n\t\ts.router.Use(secureMiddleware.Handler)\n\t\tif s.binding.Security.HTTPSRedirect {\n\t\t\ts.router.Use(s.binding.Security.redirectHandler)\n\t\t\thasHTTPSRedirect = true\n\t\t}\n\t}\n\tif s.cors.Enabled {\n\t\tc := cors.New(cors.Options{\n\t\t\tAllowedOrigins: util.RemoveDuplicates(s.cors.AllowedOrigins, true),\n\t\t\tAllowedMethods: util.RemoveDuplicates(s.cors.AllowedMethods, true),\n\t\t\tAllowedHeaders: util.RemoveDuplicates(s.cors.AllowedHeaders, true),\n\t\t\tExposedHeaders: util.RemoveDuplicates(s.cors.ExposedHeaders, true),\n\t\t\tMaxAge: s.cors.MaxAge,\n\t\t\tAllowCredentials: s.cors.AllowCredentials,\n\t\t\tOptionsPassthrough: s.cors.OptionsPassthrough,\n\t\t\tOptionsSuccessStatus: s.cors.OptionsSuccessStatus,\n\t\t\tAllowPrivateNetwork: s.cors.AllowPrivateNetwork,\n\t\t})\n\t\ts.router.Use(c.Handler)\n\t}\n\ts.router.Use(middleware.Maybe(s.checkConnection, s.mustCheckPath))\n\ts.router.Use(middleware.GetHead)\n\ts.router.Use(middleware.Maybe(middleware.StripSlashes, s.mustStripSlash))\n\n\ts.router.NotFound(s.notFoundHandler)\n\n\ts.router.Get(healthzPath, func(w http.ResponseWriter, r *http.Request) {\n\t\trender.PlainText(w, r, \"ok\")\n\t})\n\n\tif hasHTTPSRedirect {\n\t\tif p := acme.GetHTTP01WebRoot(); p != \"\" {\n\t\t\tserveStaticDir(s.router, acmeChallengeURI, p, true)\n\t\t}\n\t}\n\n\ts.setupRESTAPIRoutes()\n\n\tif s.enableWebAdmin || s.enableWebClient {\n\t\ts.router.Group(func(router chi.Router) {\n\t\t\trouter.Use(cleanCacheControlMiddleware)\n\t\t\trouter.Use(compressor.Handler)\n\t\t\tserveStaticDir(router, webStaticFilesPath, s.staticFilesPath, true)\n\t\t})\n\t\tif s.binding.OIDC.isEnabled() {\n\t\t\ts.router.Get(webOIDCRedirectPath, s.handleOIDCRedirect)\n\t\t}\n\t\tif s.enableWebClient {\n\t\t\ts.router.Get(webRootPath, func(w http.ResponseWriter, r *http.Request) {\n\t\t\t\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\t\t\t\ts.redirectToWebPath(w, r, webClientLoginPath)\n\t\t\t})\n\t\t\ts.router.Get(webBasePath, func(w http.ResponseWriter, r *http.Request) {\n\t\t\t\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\t\t\t\ts.redirectToWebPath(w, r, webClientLoginPath)\n\t\t\t})\n\t\t} else {\n\t\t\ts.router.Get(webRootPath, func(w http.ResponseWriter, r *http.Request) {\n\t\t\t\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\t\t\t\ts.redirectToWebPath(w, r, webAdminLoginPath)\n\t\t\t})\n\t\t\ts.router.Get(webBasePath, func(w http.ResponseWriter, r *http.Request) {\n\t\t\t\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\t\t\t\ts.redirectToWebPath(w, r, webAdminLoginPath)\n\t\t\t})\n\t\t}\n\t}\n\n\ts.setupWebClientRoutes()\n\ts.setupWebAdminRoutes()\n\treturn nil\n}\n\nfunc (s *httpdServer) setupRESTAPIRoutes() {\n\tif s.enableRESTAPI {\n\t\tif !s.binding.isAdminTokenEndpointDisabled() {\n\t\t\ts.router.Get(tokenPath, s.getToken)\n\t\t\ts.router.Post(adminPath+\"/{username}/forgot-password\", forgotAdminPassword)\n\t\t\ts.router.Post(adminPath+\"/{username}/reset-password\", resetAdminPassword)\n\t\t}\n\n\t\ts.router.Group(func(router chi.Router) {\n\t\t\trouter.Use(checkNodeToken(s.tokenAuth))\n\t\t\tif !s.binding.isAdminAPIKeyAuthDisabled() {\n\t\t\t\trouter.Use(checkAPIKeyAuth(s.tokenAuth, dataprovider.APIKeyScopeAdmin))\n\t\t\t}\n\t\t\trouter.Use(jwt.Verify(s.tokenAuth, jwt.TokenFromHeader))\n\t\t\trouter.Use(jwtAuthenticatorAPI)\n\n\t\t\trouter.Get(versionPath, func(w http.ResponseWriter, r *http.Request) {\n\t\t\t\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\t\t\t\trender.JSON(w, r, version.Get())\n\t\t\t})\n\n\t\t\trouter.With(forbidAPIKeyAuthentication).Get(logoutPath, s.logout)\n\t\t\trouter.With(forbidAPIKeyAuthentication).Get(adminProfilePath, getAdminProfile)\n\t\t\trouter.With(forbidAPIKeyAuthentication, s.checkAuthRequirements).Put(adminProfilePath, updateAdminProfile)\n\t\t\trouter.With(forbidAPIKeyAuthentication).Put(adminPwdPath, changeAdminPassword)\n\t\t\t// admin TOTP APIs\n\t\t\trouter.With(forbidAPIKeyAuthentication).Get(adminTOTPConfigsPath, getTOTPConfigs)\n\t\t\trouter.With(forbidAPIKeyAuthentication).Post(adminTOTPGeneratePath, generateTOTPSecret)\n\t\t\trouter.With(forbidAPIKeyAuthentication).Post(adminTOTPValidatePath, validateTOTPPasscode)\n\t\t\trouter.With(forbidAPIKeyAuthentication).Post(adminTOTPSavePath, saveTOTPConfig)\n\t\t\trouter.With(forbidAPIKeyAuthentication).Get(admin2FARecoveryCodesPath, getRecoveryCodes)\n\t\t\trouter.With(forbidAPIKeyAuthentication).Post(admin2FARecoveryCodesPath, generateRecoveryCodes)\n\n\t\t\trouter.With(forbidAPIKeyAuthentication, s.checkPerms(dataprovider.PermAdminAny)).\n\t\t\t\tGet(apiKeysPath, getAPIKeys)\n\t\t\trouter.With(forbidAPIKeyAuthentication, s.checkPerms(dataprovider.PermAdminAny)).\n\t\t\t\tPost(apiKeysPath, addAPIKey)\n\t\t\trouter.With(forbidAPIKeyAuthentication, s.checkPerms(dataprovider.PermAdminAny)).\n\t\t\t\tGet(apiKeysPath+\"/{id}\", getAPIKeyByID)\n\t\t\trouter.With(forbidAPIKeyAuthentication, s.checkPerms(dataprovider.PermAdminAny)).\n\t\t\t\tPut(apiKeysPath+\"/{id}\", updateAPIKey)\n\t\t\trouter.With(forbidAPIKeyAuthentication, s.checkPerms(dataprovider.PermAdminAny)).\n\t\t\t\tDelete(apiKeysPath+\"/{id}\", deleteAPIKey)\n\n\t\t\trouter.Group(func(router chi.Router) {\n\t\t\t\trouter.Use(s.checkAuthRequirements)\n\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminViewServerStatus)).\n\t\t\t\t\tGet(serverStatusPath, func(w http.ResponseWriter, r *http.Request) {\n\t\t\t\t\t\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\t\t\t\t\t\trender.JSON(w, r, getServicesStatus())\n\t\t\t\t\t})\n\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminViewConnections)).Get(activeConnectionsPath, getActiveConnections)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminCloseConnections)).\n\t\t\t\t\tDelete(activeConnectionsPath+\"/{connectionID}\", handleCloseConnection)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminQuotaScans)).Get(quotasBasePath+\"/users/scans\", getUsersQuotaScans)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminQuotaScans)).Post(quotasBasePath+\"/users/{username}/scan\", startUserQuotaScan)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminQuotaScans)).Get(quotasBasePath+\"/folders/scans\", getFoldersQuotaScans)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminQuotaScans)).Post(quotasBasePath+\"/folders/{name}/scan\", startFolderQuotaScan)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminViewUsers)).Get(userPath, getUsers)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAddUsers)).Post(userPath, addUser)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminViewUsers)).Get(userPath+\"/{username}\", getUserByUsername) //nolint:goconst\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminChangeUsers)).Put(userPath+\"/{username}\", updateUser)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminDeleteUsers)).Delete(userPath+\"/{username}\", deleteUser)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminDisableMFA)).Put(userPath+\"/{username}/2fa/disable\", disableUser2FA) //nolint:goconst\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageFolders)).Get(folderPath, getFolders)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageFolders)).Get(folderPath+\"/{name}\", getFolderByName) //nolint:goconst\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageFolders)).Post(folderPath, addFolder)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageFolders)).Put(folderPath+\"/{name}\", updateFolder)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageFolders)).Delete(folderPath+\"/{name}\", deleteFolder)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageGroups)).Get(groupPath, getGroups)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageGroups)).Get(groupPath+\"/{name}\", getGroupByName)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageGroups)).Post(groupPath, addGroup)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageGroups)).Put(groupPath+\"/{name}\", updateGroup)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageGroups)).Delete(groupPath+\"/{name}\", deleteGroup)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Get(dumpDataPath, dumpData)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Get(loadDataPath, loadData)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Post(loadDataPath, loadDataFromRequest)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminChangeUsers)).Put(quotasBasePath+\"/users/{username}/usage\",\n\t\t\t\t\tupdateUserQuotaUsage)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminChangeUsers)).Put(quotasBasePath+\"/users/{username}/transfer-usage\",\n\t\t\t\t\tupdateUserTransferQuotaUsage)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminChangeUsers)).Put(quotasBasePath+\"/folders/{name}/usage\",\n\t\t\t\t\tupdateFolderQuotaUsage)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminViewDefender)).Get(defenderHosts, getDefenderHosts)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminViewDefender)).Get(defenderHosts+\"/{id}\", getDefenderHostByID)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageDefender)).Delete(defenderHosts+\"/{id}\", deleteDefenderHostByID)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Get(adminPath, getAdmins)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Post(adminPath, addAdmin)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Get(adminPath+\"/{username}\", getAdminByUsername)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Put(adminPath+\"/{username}\", updateAdmin)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Delete(adminPath+\"/{username}\", deleteAdmin)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminDisableMFA)).Put(adminPath+\"/{username}/2fa/disable\", disableAdmin2FA)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Get(retentionChecksPath, getRetentionChecks)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminViewEvents), compressor.Handler).\n\t\t\t\t\tGet(fsEventsPath, searchFsEvents)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminViewEvents), compressor.Handler).\n\t\t\t\t\tGet(providerEventsPath, searchProviderEvents)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminViewEvents), compressor.Handler).\n\t\t\t\t\tGet(logEventsPath, searchLogEvents)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Get(eventActionsPath, getEventActions)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Get(eventActionsPath+\"/{name}\", getEventActionByName)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Post(eventActionsPath, addEventAction)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Put(eventActionsPath+\"/{name}\", updateEventAction)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Delete(eventActionsPath+\"/{name}\", deleteEventAction)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Get(eventRulesPath, getEventRules)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Get(eventRulesPath+\"/{name}\", getEventRuleByName)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Post(eventRulesPath, addEventRule)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Put(eventRulesPath+\"/{name}\", updateEventRule)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Delete(eventRulesPath+\"/{name}\", deleteEventRule)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Post(eventRulesPath+\"/run/{name}\", runOnDemandRule)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Get(rolesPath, getRoles)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Post(rolesPath, addRole)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Get(rolesPath+\"/{name}\", getRoleByName)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Put(rolesPath+\"/{name}\", updateRole)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Delete(rolesPath+\"/{name}\", deleteRole)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), compressor.Handler).Get(ipListsPath+\"/{type}\", getIPListEntries) //nolint:goconst\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Post(ipListsPath+\"/{type}\", addIPListEntry)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Get(ipListsPath+\"/{type}/{ipornet}\", getIPListEntry) //nolint:goconst\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Put(ipListsPath+\"/{type}/{ipornet}\", updateIPListEntry)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Delete(ipListsPath+\"/{type}/{ipornet}\", deleteIPListEntry)\n\t\t\t})\n\t\t})\n\n\t\t// share API available to external users\n\t\ts.router.Get(sharesPath+\"/{id}\", s.downloadFromShare)\n\t\ts.router.Post(sharesPath+\"/{id}\", s.uploadFilesToShare)\n\t\ts.router.Post(sharesPath+\"/{id}/{name}\", s.uploadFileToShare)\n\t\ts.router.With(compressor.Handler).Get(sharesPath+\"/{id}/dirs\", s.readBrowsableShareContents)\n\t\ts.router.Get(sharesPath+\"/{id}/files\", s.downloadBrowsableSharedFile)\n\n\t\tif !s.binding.isUserTokenEndpointDisabled() {\n\t\t\ts.router.Get(userTokenPath, s.getUserToken)\n\t\t\ts.router.Post(userPath+\"/{username}/forgot-password\", forgotUserPassword)\n\t\t\ts.router.Post(userPath+\"/{username}/reset-password\", resetUserPassword)\n\t\t}\n\n\t\ts.router.Group(func(router chi.Router) {\n\t\t\tif !s.binding.isUserAPIKeyAuthDisabled() {\n\t\t\t\trouter.Use(checkAPIKeyAuth(s.tokenAuth, dataprovider.APIKeyScopeUser))\n\t\t\t}\n\t\t\trouter.Use(jwt.Verify(s.tokenAuth, jwt.TokenFromHeader))\n\t\t\trouter.Use(jwtAuthenticatorAPIUser)\n\n\t\t\trouter.With(forbidAPIKeyAuthentication).Get(userLogoutPath, s.logout)\n\t\t\trouter.With(forbidAPIKeyAuthentication, s.checkHTTPUserPerm(sdk.WebClientPasswordChangeDisabled)).\n\t\t\t\tPut(userPwdPath, changeUserPassword)\n\t\t\trouter.With(forbidAPIKeyAuthentication).Get(userProfilePath, getUserProfile)\n\t\t\trouter.With(forbidAPIKeyAuthentication, s.checkAuthRequirements).Put(userProfilePath, updateUserProfile)\n\t\t\t// user TOTP APIs\n\t\t\trouter.With(forbidAPIKeyAuthentication, s.checkHTTPUserPerm(sdk.WebClientMFADisabled)).\n\t\t\t\tGet(userTOTPConfigsPath, getTOTPConfigs)\n\t\t\trouter.With(forbidAPIKeyAuthentication, s.checkHTTPUserPerm(sdk.WebClientMFADisabled)).\n\t\t\t\tPost(userTOTPGeneratePath, generateTOTPSecret)\n\t\t\trouter.With(forbidAPIKeyAuthentication, s.checkHTTPUserPerm(sdk.WebClientMFADisabled)).\n\t\t\t\tPost(userTOTPValidatePath, validateTOTPPasscode)\n\t\t\trouter.With(forbidAPIKeyAuthentication, s.checkHTTPUserPerm(sdk.WebClientMFADisabled)).\n\t\t\t\tPost(userTOTPSavePath, saveTOTPConfig)\n\t\t\trouter.With(forbidAPIKeyAuthentication, s.checkHTTPUserPerm(sdk.WebClientMFADisabled)).\n\t\t\t\tGet(user2FARecoveryCodesPath, getRecoveryCodes)\n\t\t\trouter.With(forbidAPIKeyAuthentication, s.checkHTTPUserPerm(sdk.WebClientMFADisabled)).\n\t\t\t\tPost(user2FARecoveryCodesPath, generateRecoveryCodes)\n\n\t\t\trouter.With(s.checkAuthRequirements, compressor.Handler).Get(userDirsPath, readUserFolder)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientWriteDisabled)).\n\t\t\t\tPost(userDirsPath, createUserDir)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientWriteDisabled)).\n\t\t\t\tPatch(userDirsPath, renameUserFsEntry)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientWriteDisabled)).\n\t\t\t\tDelete(userDirsPath, deleteUserDir)\n\t\t\trouter.With(s.checkAuthRequirements).Get(userFilesPath, getUserFile)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientWriteDisabled)).\n\t\t\t\tPost(userFilesPath, uploadUserFiles)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientWriteDisabled)).\n\t\t\t\tPatch(userFilesPath, renameUserFsEntry)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientWriteDisabled)).\n\t\t\t\tDelete(userFilesPath, deleteUserFile)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientWriteDisabled)).\n\t\t\t\tPost(userFileActionsPath+\"/move\", renameUserFsEntry)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientWriteDisabled)).\n\t\t\t\tPost(userFileActionsPath+\"/copy\", copyUserFsEntry)\n\t\t\trouter.With(s.checkAuthRequirements).Post(userStreamZipPath, getUserFilesAsZipStream)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientSharesDisabled)).\n\t\t\t\tGet(userSharesPath, getShares)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientSharesDisabled)).\n\t\t\t\tPost(userSharesPath, addShare)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientSharesDisabled)).\n\t\t\t\tGet(userSharesPath+\"/{id}\", getShareByID)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientSharesDisabled)).\n\t\t\t\tPut(userSharesPath+\"/{id}\", updateShare)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientSharesDisabled)).\n\t\t\t\tDelete(userSharesPath+\"/{id}\", deleteShare)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientWriteDisabled)).\n\t\t\t\tPost(userUploadFilePath, uploadUserFile)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientWriteDisabled)).\n\t\t\t\tPatch(userFilesDirsMetadataPath, setFileDirMetadata)\n\t\t})\n\n\t\tif s.renderOpenAPI {\n\t\t\ts.router.Group(func(router chi.Router) {\n\t\t\t\trouter.Use(cleanCacheControlMiddleware)\n\t\t\t\trouter.Use(compressor.Handler)\n\t\t\t\tserveStaticDir(router, webOpenAPIPath, s.openAPIPath, false)\n\t\t\t})\n\t\t}\n\t}\n}\n\nfunc (s *httpdServer) setupWebClientRoutes() {\n\tif s.enableWebClient {\n\t\ts.router.Get(webBaseClientPath, func(w http.ResponseWriter, r *http.Request) {\n\t\t\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\t\t\thttp.Redirect(w, r, webClientLoginPath, http.StatusFound)\n\t\t})\n\t\ts.router.With(cleanCacheControlMiddleware).Get(path.Join(webStaticFilesPath, \"branding/webclient/logo.png\"),\n\t\t\tfunc(w http.ResponseWriter, r *http.Request) {\n\t\t\t\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\t\t\t\trenderPNGImage(w, r, dbBrandingConfig.getWebClientLogo())\n\t\t\t})\n\t\ts.router.With(cleanCacheControlMiddleware).Get(path.Join(webStaticFilesPath, \"branding/webclient/favicon.png\"),\n\t\t\tfunc(w http.ResponseWriter, r *http.Request) {\n\t\t\t\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\t\t\t\trenderPNGImage(w, r, dbBrandingConfig.getWebClientFavicon())\n\t\t\t})\n\t\ts.router.Get(webClientLoginPath, s.handleClientWebLogin)\n\t\tif s.binding.OIDC.isEnabled() && !s.binding.isWebClientOIDCLoginDisabled() {\n\t\t\ts.router.Get(webClientOIDCLoginPath, s.handleWebClientOIDCLogin)\n\t\t}\n\t\tif !s.binding.isWebClientLoginFormDisabled() {\n\t\t\ts.router.With(jwt.Verify(s.csrfTokenAuth, jwt.TokenFromCookie)).\n\t\t\t\tPost(webClientLoginPath, s.handleWebClientLoginPost)\n\t\t\ts.router.Get(webClientForgotPwdPath, s.handleWebClientForgotPwd)\n\t\t\ts.router.With(jwt.Verify(s.csrfTokenAuth, jwt.TokenFromCookie)).\n\t\t\t\tPost(webClientForgotPwdPath, s.handleWebClientForgotPwdPost)\n\t\t\ts.router.With(jwt.Verify(s.csrfTokenAuth, jwt.TokenFromCookie)).\n\t\t\t\tGet(webClientResetPwdPath, s.handleWebClientPasswordReset)\n\t\t\ts.router.With(jwt.Verify(s.csrfTokenAuth, jwt.TokenFromCookie)).\n\t\t\t\tPost(webClientResetPwdPath, s.handleWebClientPasswordResetPost)\n\t\t\ts.router.With(jwt.Verify(s.tokenAuth, jwt.TokenFromCookie),\n\t\t\t\ts.jwtAuthenticatorPartial(tokenAudienceWebClientPartial)).\n\t\t\t\tGet(webClientTwoFactorPath, s.handleWebClientTwoFactor)\n\t\t\ts.router.With(jwt.Verify(s.tokenAuth, jwt.TokenFromCookie),\n\t\t\t\ts.jwtAuthenticatorPartial(tokenAudienceWebClientPartial)).\n\t\t\t\tPost(webClientTwoFactorPath, s.handleWebClientTwoFactorPost)\n\t\t\ts.router.With(jwt.Verify(s.tokenAuth, jwt.TokenFromCookie),\n\t\t\t\ts.jwtAuthenticatorPartial(tokenAudienceWebClientPartial)).\n\t\t\t\tGet(webClientTwoFactorRecoveryPath, s.handleWebClientTwoFactorRecovery)\n\t\t\ts.router.With(jwt.Verify(s.tokenAuth, jwt.TokenFromCookie),\n\t\t\t\ts.jwtAuthenticatorPartial(tokenAudienceWebClientPartial)).\n\t\t\t\tPost(webClientTwoFactorRecoveryPath, s.handleWebClientTwoFactorRecoveryPost)\n\t\t}\n\t\t// share routes available to external users\n\t\ts.router.Get(webClientPubSharesPath+\"/{id}/login\", s.handleClientShareLoginGet)\n\t\ts.router.With(jwt.Verify(s.csrfTokenAuth, jwt.TokenFromCookie)).\n\t\t\tPost(webClientPubSharesPath+\"/{id}/login\", s.handleClientShareLoginPost)\n\t\ts.router.Get(webClientPubSharesPath+\"/{id}/logout\", s.handleClientShareLogout)\n\t\ts.router.Get(webClientPubSharesPath+\"/{id}\", s.downloadFromShare)\n\t\ts.router.Post(webClientPubSharesPath+\"/{id}/partial\", s.handleClientSharePartialDownload)\n\t\ts.router.Get(webClientPubSharesPath+\"/{id}/browse\", s.handleShareGetFiles)\n\t\ts.router.Post(webClientPubSharesPath+\"/{id}/browse/exist\", s.handleClientShareCheckExist)\n\t\ts.router.Get(webClientPubSharesPath+\"/{id}/download\", s.handleClientSharedFile)\n\t\ts.router.Get(webClientPubSharesPath+\"/{id}/upload\", s.handleClientUploadToShare)\n\t\ts.router.With(compressor.Handler).Get(webClientPubSharesPath+\"/{id}/dirs\", s.handleShareGetDirContents)\n\t\ts.router.Post(webClientPubSharesPath+\"/{id}\", s.uploadFilesToShare)\n\t\ts.router.Post(webClientPubSharesPath+\"/{id}/{name}\", s.uploadFileToShare)\n\t\ts.router.Get(webClientPubSharesPath+\"/{id}/viewpdf\", s.handleShareViewPDF)\n\t\ts.router.Get(webClientPubSharesPath+\"/{id}/getpdf\", s.handleShareGetPDF)\n\n\t\ts.router.Group(func(router chi.Router) {\n\t\t\tif s.binding.OIDC.isEnabled() {\n\t\t\t\trouter.Use(s.oidcTokenAuthenticator(tokenAudienceWebClient))\n\t\t\t}\n\t\t\trouter.Use(jwt.Verify(s.tokenAuth, oidcTokenFromContext, jwt.TokenFromCookie))\n\t\t\trouter.Use(jwtAuthenticatorWebClient)\n\n\t\t\trouter.Get(webClientLogoutPath, s.handleWebClientLogout)\n\t\t\trouter.With(s.checkAuthRequirements, s.refreshCookie).Get(webClientFilesPath, s.handleClientGetFiles)\n\t\t\trouter.With(s.checkAuthRequirements, s.refreshCookie).Get(webClientViewPDFPath, s.handleClientViewPDF)\n\t\t\trouter.With(s.checkAuthRequirements, s.refreshCookie).Get(webClientGetPDFPath, s.handleClientGetPDF)\n\t\t\trouter.With(s.checkAuthRequirements, s.refreshCookie, s.verifyCSRFHeader).Get(webClientFilePath, getUserFile)\n\t\t\trouter.With(s.checkAuthRequirements, s.refreshCookie, s.verifyCSRFHeader).Get(webClientTasksPath+\"/{id}\",\n\t\t\t\tgetWebTask)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientWriteDisabled), s.verifyCSRFHeader).\n\t\t\t\tPost(webClientFilePath, uploadUserFile)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientWriteDisabled), s.verifyCSRFHeader).\n\t\t\t\tPost(webClientExistPath, s.handleClientCheckExist)\n\t\t\trouter.With(s.checkAuthRequirements, s.refreshCookie).Get(webClientEditFilePath, s.handleClientEditFile)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientWriteDisabled), s.verifyCSRFHeader).\n\t\t\t\tDelete(webClientFilesPath, deleteUserFile)\n\t\t\trouter.With(s.checkAuthRequirements, compressor.Handler, s.refreshCookie).\n\t\t\t\tGet(webClientDirsPath, s.handleClientGetDirContents)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientWriteDisabled), s.verifyCSRFHeader).\n\t\t\t\tPost(webClientDirsPath, createUserDir)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientWriteDisabled), s.verifyCSRFHeader).\n\t\t\t\tDelete(webClientDirsPath, taskDeleteDir)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientWriteDisabled), s.verifyCSRFHeader).\n\t\t\t\tPost(webClientFileActionsPath+\"/move\", taskRenameFsEntry)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientWriteDisabled), s.verifyCSRFHeader).\n\t\t\t\tPost(webClientFileActionsPath+\"/copy\", taskCopyFsEntry)\n\t\t\trouter.With(s.checkAuthRequirements, s.refreshCookie).\n\t\t\t\tPost(webClientDownloadZipPath, s.handleWebClientDownloadZip)\n\t\t\trouter.With(s.checkAuthRequirements, s.refreshCookie).Get(webClientPingPath, handlePingRequest)\n\t\t\trouter.With(s.checkAuthRequirements, s.refreshCookie).Get(webClientProfilePath,\n\t\t\t\ts.handleClientGetProfile)\n\t\t\trouter.With(s.checkAuthRequirements).Post(webClientProfilePath, s.handleWebClientProfilePost)\n\t\t\trouter.With(s.checkHTTPUserPerm(sdk.WebClientPasswordChangeDisabled)).\n\t\t\t\tGet(webChangeClientPwdPath, s.handleWebClientChangePwd)\n\t\t\trouter.With(s.checkHTTPUserPerm(sdk.WebClientPasswordChangeDisabled)).\n\t\t\t\tPost(webChangeClientPwdPath, s.handleWebClientChangePwdPost)\n\t\t\trouter.With(s.checkHTTPUserPerm(sdk.WebClientMFADisabled), s.refreshCookie).\n\t\t\t\tGet(webClientMFAPath, s.handleWebClientMFA)\n\t\t\trouter.With(s.checkHTTPUserPerm(sdk.WebClientMFADisabled), s.refreshCookie).\n\t\t\t\tGet(webClientMFAPath+\"/qrcode\", getQRCode)\n\t\t\trouter.With(s.checkHTTPUserPerm(sdk.WebClientMFADisabled), s.verifyCSRFHeader).\n\t\t\t\tPost(webClientTOTPGeneratePath, generateTOTPSecret)\n\t\t\trouter.With(s.checkHTTPUserPerm(sdk.WebClientMFADisabled), s.verifyCSRFHeader).\n\t\t\t\tPost(webClientTOTPValidatePath, validateTOTPPasscode)\n\t\t\trouter.With(s.checkHTTPUserPerm(sdk.WebClientMFADisabled), s.verifyCSRFHeader).\n\t\t\t\tPost(webClientTOTPSavePath, saveTOTPConfig)\n\t\t\trouter.With(s.checkHTTPUserPerm(sdk.WebClientMFADisabled), s.verifyCSRFHeader, s.refreshCookie).\n\t\t\t\tGet(webClientRecoveryCodesPath, getRecoveryCodes)\n\t\t\trouter.With(s.checkHTTPUserPerm(sdk.WebClientMFADisabled), s.verifyCSRFHeader).\n\t\t\t\tPost(webClientRecoveryCodesPath, generateRecoveryCodes)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientSharesDisabled), compressor.Handler, s.refreshCookie).\n\t\t\t\tGet(webClientSharesPath+jsonAPISuffix, getAllShares)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientSharesDisabled), s.refreshCookie).\n\t\t\t\tGet(webClientSharesPath, s.handleClientGetShares)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientSharesDisabled), s.refreshCookie).\n\t\t\t\tGet(webClientSharePath, s.handleClientAddShareGet)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientSharesDisabled)).\n\t\t\t\tPost(webClientSharePath, s.handleClientAddSharePost)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientSharesDisabled), s.refreshCookie).\n\t\t\t\tGet(webClientSharePath+\"/{id}\", s.handleClientUpdateShareGet)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientSharesDisabled)).\n\t\t\t\tPost(webClientSharePath+\"/{id}\", s.handleClientUpdateSharePost)\n\t\t\trouter.With(s.checkAuthRequirements, s.checkHTTPUserPerm(sdk.WebClientSharesDisabled), s.verifyCSRFHeader).\n\t\t\t\tDelete(webClientSharePath+\"/{id}\", deleteShare)\n\t\t})\n\t}\n}\n\nfunc (s *httpdServer) setupWebAdminRoutes() {\n\tif s.enableWebAdmin {\n\t\ts.router.Get(webBaseAdminPath, func(w http.ResponseWriter, r *http.Request) {\n\t\t\tr.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)\n\t\t\ts.redirectToWebPath(w, r, webAdminLoginPath)\n\t\t})\n\t\ts.router.With(cleanCacheControlMiddleware).Get(path.Join(webStaticFilesPath, \"branding/webadmin/logo.png\"),\n\t\t\tfunc(w http.ResponseWriter, r *http.Request) {\n\t\t\t\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\t\t\t\trenderPNGImage(w, r, dbBrandingConfig.getWebAdminLogo())\n\t\t\t})\n\t\ts.router.With(cleanCacheControlMiddleware).Get(path.Join(webStaticFilesPath, \"branding/webadmin/favicon.png\"),\n\t\t\tfunc(w http.ResponseWriter, r *http.Request) {\n\t\t\t\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\t\t\t\trenderPNGImage(w, r, dbBrandingConfig.getWebAdminFavicon())\n\t\t\t})\n\t\ts.router.Get(webAdminLoginPath, s.handleWebAdminLogin)\n\t\tif s.binding.OIDC.hasRoles() && !s.binding.isWebAdminOIDCLoginDisabled() {\n\t\t\ts.router.Get(webAdminOIDCLoginPath, s.handleWebAdminOIDCLogin)\n\t\t}\n\t\ts.router.Get(webOAuth2RedirectPath, s.handleOAuth2TokenRedirect)\n\t\ts.router.Get(webAdminSetupPath, s.handleWebAdminSetupGet)\n\t\ts.router.With(jwt.Verify(s.csrfTokenAuth, jwt.TokenFromCookie)).\n\t\t\tPost(webAdminSetupPath, s.handleWebAdminSetupPost)\n\t\tif !s.binding.isWebAdminLoginFormDisabled() {\n\t\t\ts.router.With(jwt.Verify(s.csrfTokenAuth, jwt.TokenFromCookie)).\n\t\t\t\tPost(webAdminLoginPath, s.handleWebAdminLoginPost)\n\t\t\ts.router.With(jwt.Verify(s.tokenAuth, jwt.TokenFromCookie),\n\t\t\t\ts.jwtAuthenticatorPartial(tokenAudienceWebAdminPartial)).\n\t\t\t\tGet(webAdminTwoFactorPath, s.handleWebAdminTwoFactor)\n\t\t\ts.router.With(jwt.Verify(s.tokenAuth, jwt.TokenFromCookie),\n\t\t\t\ts.jwtAuthenticatorPartial(tokenAudienceWebAdminPartial)).\n\t\t\t\tPost(webAdminTwoFactorPath, s.handleWebAdminTwoFactorPost)\n\t\t\ts.router.With(jwt.Verify(s.tokenAuth, jwt.TokenFromCookie),\n\t\t\t\ts.jwtAuthenticatorPartial(tokenAudienceWebAdminPartial)).\n\t\t\t\tGet(webAdminTwoFactorRecoveryPath, s.handleWebAdminTwoFactorRecovery)\n\t\t\ts.router.With(jwt.Verify(s.tokenAuth, jwt.TokenFromCookie),\n\t\t\t\ts.jwtAuthenticatorPartial(tokenAudienceWebAdminPartial)).\n\t\t\t\tPost(webAdminTwoFactorRecoveryPath, s.handleWebAdminTwoFactorRecoveryPost)\n\t\t\ts.router.Get(webAdminForgotPwdPath, s.handleWebAdminForgotPwd)\n\t\t\ts.router.With(jwt.Verify(s.csrfTokenAuth, jwt.TokenFromCookie)).\n\t\t\t\tPost(webAdminForgotPwdPath, s.handleWebAdminForgotPwdPost)\n\t\t\ts.router.With(jwt.Verify(s.csrfTokenAuth, jwt.TokenFromCookie)).\n\t\t\t\tGet(webAdminResetPwdPath, s.handleWebAdminPasswordReset)\n\t\t\ts.router.With(jwt.Verify(s.csrfTokenAuth, jwt.TokenFromCookie)).\n\t\t\t\tPost(webAdminResetPwdPath, s.handleWebAdminPasswordResetPost)\n\t\t}\n\n\t\ts.router.Group(func(router chi.Router) {\n\t\t\tif s.binding.OIDC.isEnabled() {\n\t\t\t\trouter.Use(s.oidcTokenAuthenticator(tokenAudienceWebAdmin))\n\t\t\t}\n\t\t\trouter.Use(jwt.Verify(s.tokenAuth, oidcTokenFromContext, jwt.TokenFromCookie))\n\t\t\trouter.Use(jwtAuthenticatorWebAdmin)\n\n\t\t\trouter.Get(webLogoutPath, s.handleWebAdminLogout)\n\t\t\trouter.With(s.refreshCookie, s.checkAuthRequirements, s.requireBuiltinLogin).Get(\n\t\t\t\twebAdminProfilePath, s.handleWebAdminProfile)\n\t\t\trouter.With(s.checkAuthRequirements, s.requireBuiltinLogin).Post(webAdminProfilePath, s.handleWebAdminProfilePost)\n\t\t\trouter.With(s.refreshCookie, s.requireBuiltinLogin).Get(webChangeAdminPwdPath, s.handleWebAdminChangePwd)\n\t\t\trouter.With(s.requireBuiltinLogin).Post(webChangeAdminPwdPath, s.handleWebAdminChangePwdPost)\n\n\t\t\trouter.With(s.refreshCookie, s.requireBuiltinLogin).Get(webAdminMFAPath, s.handleWebAdminMFA)\n\t\t\trouter.With(s.refreshCookie, s.requireBuiltinLogin).Get(webAdminMFAPath+\"/qrcode\", getQRCode)\n\t\t\trouter.With(s.verifyCSRFHeader, s.requireBuiltinLogin).Post(webAdminTOTPGeneratePath, generateTOTPSecret)\n\t\t\trouter.With(s.verifyCSRFHeader, s.requireBuiltinLogin).Post(webAdminTOTPValidatePath, validateTOTPPasscode)\n\t\t\trouter.With(s.verifyCSRFHeader, s.requireBuiltinLogin).Post(webAdminTOTPSavePath, saveTOTPConfig)\n\t\t\trouter.With(s.verifyCSRFHeader, s.requireBuiltinLogin, s.refreshCookie).Get(webAdminRecoveryCodesPath,\n\t\t\t\tgetRecoveryCodes)\n\t\t\trouter.With(s.verifyCSRFHeader, s.requireBuiltinLogin).Post(webAdminRecoveryCodesPath, generateRecoveryCodes)\n\n\t\t\trouter.Group(func(router chi.Router) {\n\t\t\t\trouter.Use(s.checkAuthRequirements)\n\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminViewUsers), s.refreshCookie).\n\t\t\t\t\tGet(webUsersPath, s.handleGetWebUsers)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminViewUsers), compressor.Handler, s.refreshCookie).\n\t\t\t\t\tGet(webUsersPath+jsonAPISuffix, getAllUsers)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAddUsers), s.refreshCookie).\n\t\t\t\t\tGet(webUserPath, s.handleWebAddUserGet)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminChangeUsers), s.refreshCookie).\n\t\t\t\t\tGet(webUserPath+\"/{username}\", s.handleWebUpdateUserGet)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAddUsers)).Post(webUserPath, s.handleWebAddUserPost)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminChangeUsers)).Post(webUserPath+\"/{username}\",\n\t\t\t\t\ts.handleWebUpdateUserPost)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageGroups), s.refreshCookie).\n\t\t\t\t\tGet(webGroupsPath, s.handleWebGetGroups)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageGroups), compressor.Handler, s.refreshCookie).\n\t\t\t\t\tGet(webGroupsPath+jsonAPISuffix, getAllGroups)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageGroups), s.refreshCookie).\n\t\t\t\t\tGet(webGroupPath, s.handleWebAddGroupGet)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageGroups)).Post(webGroupPath, s.handleWebAddGroupPost)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageGroups), s.refreshCookie).\n\t\t\t\t\tGet(webGroupPath+\"/{name}\", s.handleWebUpdateGroupGet)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageGroups)).Post(webGroupPath+\"/{name}\",\n\t\t\t\t\ts.handleWebUpdateGroupPost)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageGroups), s.verifyCSRFHeader).\n\t\t\t\t\tDelete(webGroupPath+\"/{name}\", deleteGroup)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminViewConnections), s.refreshCookie).\n\t\t\t\t\tGet(webConnectionsPath, s.handleWebGetConnections)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminViewConnections), s.refreshCookie).\n\t\t\t\t\tGet(webConnectionsPath+jsonAPISuffix, getActiveConnections)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageFolders), s.refreshCookie).\n\t\t\t\t\tGet(webFoldersPath, s.handleWebGetFolders)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageFolders), compressor.Handler, s.refreshCookie).\n\t\t\t\t\tGet(webFoldersPath+jsonAPISuffix, getAllFolders)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageFolders), s.refreshCookie).\n\t\t\t\t\tGet(webFolderPath, s.handleWebAddFolderGet)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageFolders)).Post(webFolderPath, s.handleWebAddFolderPost)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminViewServerStatus), s.refreshCookie).\n\t\t\t\t\tGet(webStatusPath, s.handleWebGetStatus)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), s.refreshCookie).\n\t\t\t\t\tGet(webAdminsPath, s.handleGetWebAdmins)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), compressor.Handler, s.refreshCookie).\n\t\t\t\t\tGet(webAdminsPath+jsonAPISuffix, getAllAdmins)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), s.refreshCookie).\n\t\t\t\t\tGet(webAdminPath, s.handleWebAddAdminGet)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), s.refreshCookie).\n\t\t\t\t\tGet(webAdminPath+\"/{username}\", s.handleWebUpdateAdminGet)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Post(webAdminPath, s.handleWebAddAdminPost)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Post(webAdminPath+\"/{username}\",\n\t\t\t\t\ts.handleWebUpdateAdminPost)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), s.verifyCSRFHeader).\n\t\t\t\t\tDelete(webAdminPath+\"/{username}\", deleteAdmin)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminDisableMFA), s.verifyCSRFHeader).\n\t\t\t\t\tPut(webAdminPath+\"/{username}/2fa/disable\", disableAdmin2FA)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminCloseConnections), s.verifyCSRFHeader).\n\t\t\t\t\tDelete(webConnectionsPath+\"/{connectionID}\", handleCloseConnection)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageFolders), s.refreshCookie).\n\t\t\t\t\tGet(webFolderPath+\"/{name}\", s.handleWebUpdateFolderGet)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageFolders)).Post(webFolderPath+\"/{name}\",\n\t\t\t\t\ts.handleWebUpdateFolderPost)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageFolders), s.verifyCSRFHeader).\n\t\t\t\t\tDelete(webFolderPath+\"/{name}\", deleteFolder)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminQuotaScans), s.verifyCSRFHeader).\n\t\t\t\t\tPost(webScanVFolderPath+\"/{name}\", startFolderQuotaScan)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminDeleteUsers), s.verifyCSRFHeader).\n\t\t\t\t\tDelete(webUserPath+\"/{username}\", deleteUser)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminDisableMFA), s.verifyCSRFHeader).\n\t\t\t\t\tPut(webUserPath+\"/{username}/2fa/disable\", disableUser2FA)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminQuotaScans), s.verifyCSRFHeader).\n\t\t\t\t\tPost(webQuotaScanPath+\"/{username}\", startUserQuotaScan)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Get(webMaintenancePath, s.handleWebMaintenance)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Get(webBackupPath, dumpData)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Post(webRestorePath, s.handleWebRestore)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAddUsers, dataprovider.PermAdminChangeUsers), s.refreshCookie).\n\t\t\t\t\tGet(webTemplateUser, s.handleWebTemplateUserGet)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAddUsers, dataprovider.PermAdminChangeUsers)).\n\t\t\t\t\tPost(webTemplateUser, s.handleWebTemplateUserPost)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageFolders), s.refreshCookie).\n\t\t\t\t\tGet(webTemplateFolder, s.handleWebTemplateFolderGet)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageFolders)).Post(webTemplateFolder, s.handleWebTemplateFolderPost)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminViewDefender)).Get(webDefenderPath, s.handleWebDefenderPage)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminViewDefender)).Get(webDefenderHostsPath, getDefenderHosts)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminManageDefender), s.verifyCSRFHeader).\n\t\t\t\t\tDelete(webDefenderHostsPath+\"/{id}\", deleteDefenderHostByID)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), compressor.Handler, s.refreshCookie).\n\t\t\t\t\tGet(webAdminEventActionsPath+jsonAPISuffix, getAllActions)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), s.refreshCookie).\n\t\t\t\t\tGet(webAdminEventActionsPath, s.handleWebGetEventActions)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), s.refreshCookie).\n\t\t\t\t\tGet(webAdminEventActionPath, s.handleWebAddEventActionGet)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Post(webAdminEventActionPath,\n\t\t\t\t\ts.handleWebAddEventActionPost)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), s.refreshCookie).\n\t\t\t\t\tGet(webAdminEventActionPath+\"/{name}\", s.handleWebUpdateEventActionGet)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Post(webAdminEventActionPath+\"/{name}\",\n\t\t\t\t\ts.handleWebUpdateEventActionPost)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), s.verifyCSRFHeader).\n\t\t\t\t\tDelete(webAdminEventActionPath+\"/{name}\", deleteEventAction)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), compressor.Handler, s.refreshCookie).\n\t\t\t\t\tGet(webAdminEventRulesPath+jsonAPISuffix, getAllRules)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), s.refreshCookie).\n\t\t\t\t\tGet(webAdminEventRulesPath, s.handleWebGetEventRules)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), s.refreshCookie).\n\t\t\t\t\tGet(webAdminEventRulePath, s.handleWebAddEventRuleGet)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Post(webAdminEventRulePath,\n\t\t\t\t\ts.handleWebAddEventRulePost)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), s.refreshCookie).\n\t\t\t\t\tGet(webAdminEventRulePath+\"/{name}\", s.handleWebUpdateEventRuleGet)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Post(webAdminEventRulePath+\"/{name}\",\n\t\t\t\t\ts.handleWebUpdateEventRulePost)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), s.verifyCSRFHeader).\n\t\t\t\t\tDelete(webAdminEventRulePath+\"/{name}\", deleteEventRule)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), s.verifyCSRFHeader).\n\t\t\t\t\tPost(webAdminEventRulePath+\"/run/{name}\", runOnDemandRule)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), s.refreshCookie).\n\t\t\t\t\tGet(webAdminRolesPath, s.handleWebGetRoles)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), compressor.Handler, s.refreshCookie).\n\t\t\t\t\tGet(webAdminRolesPath+jsonAPISuffix, getAllRoles)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), s.refreshCookie).\n\t\t\t\t\tGet(webAdminRolePath, s.handleWebAddRoleGet)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Post(webAdminRolePath, s.handleWebAddRolePost)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), s.refreshCookie).\n\t\t\t\t\tGet(webAdminRolePath+\"/{name}\", s.handleWebUpdateRoleGet)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Post(webAdminRolePath+\"/{name}\",\n\t\t\t\t\ts.handleWebUpdateRolePost)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), s.verifyCSRFHeader).\n\t\t\t\t\tDelete(webAdminRolePath+\"/{name}\", deleteRole)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminViewEvents), s.refreshCookie).Get(webEventsPath,\n\t\t\t\t\ts.handleWebGetEvents)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminViewEvents), compressor.Handler, s.refreshCookie).\n\t\t\t\t\tGet(webEventsFsSearchPath, searchFsEvents)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminViewEvents), compressor.Handler, s.refreshCookie).\n\t\t\t\t\tGet(webEventsProviderSearchPath, searchProviderEvents)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminViewEvents), compressor.Handler, s.refreshCookie).\n\t\t\t\t\tGet(webEventsLogSearchPath, searchLogEvents)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Get(webIPListsPath, s.handleWebIPListsPage)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), compressor.Handler, s.refreshCookie).\n\t\t\t\t\tGet(webIPListsPath+\"/{type}\", getIPListEntries)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), s.refreshCookie).Get(webIPListPath+\"/{type}\",\n\t\t\t\t\ts.handleWebAddIPListEntryGet)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Post(webIPListPath+\"/{type}\",\n\t\t\t\t\ts.handleWebAddIPListEntryPost)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), s.refreshCookie).Get(webIPListPath+\"/{type}/{ipornet}\",\n\t\t\t\t\ts.handleWebUpdateIPListEntryGet)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Post(webIPListPath+\"/{type}/{ipornet}\",\n\t\t\t\t\ts.handleWebUpdateIPListEntryPost)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), s.verifyCSRFHeader).\n\t\t\t\t\tDelete(webIPListPath+\"/{type}/{ipornet}\", deleteIPListEntry)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), s.refreshCookie).Get(webConfigsPath, s.handleWebConfigs)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny)).Post(webConfigsPath, s.handleWebConfigsPost)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), s.verifyCSRFHeader, s.refreshCookie).\n\t\t\t\t\tPost(webConfigsPath+\"/smtp/test\", testSMTPConfig)\n\t\t\t\trouter.With(s.checkPerms(dataprovider.PermAdminAny), s.verifyCSRFHeader, s.refreshCookie).\n\t\t\t\t\tPost(webOAuth2TokenPath, s.handleSMTPOAuth2TokenRequestPost)\n\t\t\t})\n\t\t})\n\t}\n}\n" }, { "path": "internal/httpd/token.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"crypto/sha256\"\n\t\"encoding/hex\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nfunc newTokenManager(isShared int) tokenManager {\n\tif isShared == 1 {\n\t\tlogger.Info(logSender, \"\", \"using provider token manager\")\n\t\treturn &dbTokenManager{}\n\t}\n\tlogger.Info(logSender, \"\", \"using memory token manager\")\n\treturn &memoryTokenManager{}\n}\n\ntype tokenManager interface {\n\tAdd(token string, expiresAt time.Time)\n\tGet(token string) bool\n\tCleanup()\n}\n\ntype memoryTokenManager struct {\n\tinvalidatedJWTTokens sync.Map\n}\n\nfunc (m *memoryTokenManager) Add(token string, expiresAt time.Time) {\n\tm.invalidatedJWTTokens.Store(token, expiresAt)\n}\n\nfunc (m *memoryTokenManager) Get(token string) bool {\n\t_, ok := m.invalidatedJWTTokens.Load(token)\n\treturn ok\n}\n\nfunc (m *memoryTokenManager) Cleanup() {\n\tm.invalidatedJWTTokens.Range(func(key, value any) bool {\n\t\texp, ok := value.(time.Time)\n\t\tif !ok || exp.Before(time.Now().UTC()) {\n\t\t\tm.invalidatedJWTTokens.Delete(key)\n\t\t}\n\t\treturn true\n\t})\n}\n\ntype dbTokenManager struct{}\n\nfunc (m *dbTokenManager) getKey(token string) string {\n\tdigest := sha256.Sum256([]byte(token))\n\treturn hex.EncodeToString(digest[:])\n}\n\nfunc (m *dbTokenManager) Add(token string, expiresAt time.Time) {\n\tkey := m.getKey(token)\n\tdata := map[string]string{\n\t\t\"jwt\": token,\n\t}\n\tsession := dataprovider.Session{\n\t\tKey: key,\n\t\tData: data,\n\t\tType: dataprovider.SessionTypeInvalidToken,\n\t\tTimestamp: util.GetTimeAsMsSinceEpoch(expiresAt),\n\t}\n\tdataprovider.AddSharedSession(session) //nolint:errcheck\n}\n\nfunc (m *dbTokenManager) Get(token string) bool {\n\tkey := m.getKey(token)\n\t_, err := dataprovider.GetSharedSession(key, dataprovider.SessionTypeInvalidToken)\n\treturn err == nil\n}\n\nfunc (m *dbTokenManager) Cleanup() {\n\tdataprovider.CleanupSharedSessions(dataprovider.SessionTypeInvalidToken, time.Now()) //nolint:errcheck\n}\n" }, { "path": "internal/httpd/web.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"errors\"\n\t\"net/http\"\n\t\"strings\"\n\n\t\"github.com/go-chi/render\"\n\t\"github.com/unrolled/secure\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n)\n\nconst (\n\twebDateTimeFormat = \"2006-01-02 15:04:05\" // YYYY-MM-DD HH:MM:SS\n\tredactedSecret = \"[**redacted**]\"\n\tcsrfFormToken = \"_form_token\"\n\tcsrfHeaderToken = \"X-CSRF-TOKEN\"\n\ttemplateCommonDir = \"common\"\n\ttemplateTwoFactor = \"twofactor.html\"\n\ttemplateTwoFactorRecovery = \"twofactor-recovery.html\"\n\ttemplateForgotPassword = \"forgot-password.html\"\n\ttemplateResetPassword = \"reset-password.html\"\n\ttemplateChangePwd = \"changepassword.html\"\n\ttemplateMessage = \"message.html\"\n\ttemplateCommonBase = \"base.html\"\n\ttemplateCommonBaseLogin = \"baselogin.html\"\n\ttemplateCommonLogin = \"login.html\"\n)\n\nvar (\n\terrInvalidTokenClaims = errors.New(\"invalid token claims\")\n)\n\ntype commonBasePage struct {\n\tCSPNonce string\n\tStaticURL string\n\tVersion string\n}\n\ntype loginPage struct {\n\tcommonBasePage\n\tCurrentURL string\n\tError *util.I18nError\n\tCSRFToken string\n\tAltLoginURL string\n\tAltLoginName string\n\tForgotPwdURL string\n\tOpenIDLoginURL string\n\tTitle string\n\tBranding UIBranding\n\tLanguages []string\n\tFormDisabled bool\n\tCheckRedirect bool\n}\n\ntype twoFactorPage struct {\n\tcommonBasePage\n\tCurrentURL string\n\tError *util.I18nError\n\tCSRFToken string\n\tRecoveryURL string\n\tTitle string\n\tBranding UIBranding\n\tLanguages []string\n\tCheckRedirect bool\n}\n\ntype forgotPwdPage struct {\n\tcommonBasePage\n\tCurrentURL string\n\tError *util.I18nError\n\tCSRFToken string\n\tLoginURL string\n\tTitle string\n\tBranding UIBranding\n\tLanguages []string\n\tCheckRedirect bool\n}\n\ntype resetPwdPage struct {\n\tcommonBasePage\n\tCurrentURL string\n\tError *util.I18nError\n\tCSRFToken string\n\tLoginURL string\n\tTitle string\n\tBranding UIBranding\n\tLanguages []string\n\tCheckRedirect bool\n}\n\nfunc getSliceFromDelimitedValues(values, delimiter string) []string {\n\tresult := []string{}\n\tfor v := range strings.SplitSeq(values, delimiter) {\n\t\tcleaned := strings.TrimSpace(v)\n\t\tif cleaned != \"\" {\n\t\t\tresult = append(result, cleaned)\n\t\t}\n\t}\n\treturn result\n}\n\nfunc hasPrefixAndSuffix(key, prefix, suffix string) bool {\n\treturn strings.HasPrefix(key, prefix) && strings.HasSuffix(key, suffix)\n}\n\nfunc getCommonBasePage(r *http.Request) commonBasePage {\n\treturn commonBasePage{\n\t\tCSPNonce: secure.CSPNonce(r.Context()),\n\t\tStaticURL: webStaticFilesPath,\n\t\tVersion: version.GetServerVersion(\" \", true),\n\t}\n}\n\nfunc i18nListDirMsg(status int) string {\n\tif status == http.StatusForbidden {\n\t\treturn util.I18nErrorDirList403\n\t}\n\treturn util.I18nErrorDirListGeneric\n}\n\nfunc i18nFsMsg(status int) string {\n\tif status == http.StatusForbidden {\n\t\treturn util.I18nError403Message\n\t}\n\treturn util.I18nErrorFsGeneric\n}\n\nfunc getI18NErrorString(err error, fallback string) string {\n\tvar errI18n *util.I18nError\n\tif errors.As(err, &errI18n) {\n\t\treturn errI18n.Message\n\t}\n\treturn fallback\n}\n\nfunc getI18nError(err error) *util.I18nError {\n\tvar errI18n *util.I18nError\n\tif err != nil {\n\t\terrI18n = util.NewI18nError(err, util.I18nError500Message)\n\t}\n\treturn errI18n\n}\n\nfunc handlePingRequest(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\trender.PlainText(w, r, \"PONG\")\n}\n" }, { "path": "internal/httpd/webadmin.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"context\"\n\t\"crypto/rand\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"html/template\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"slices\"\n\t\"sort\"\n\t\"strconv\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/sftpgo/sdk\"\n\tsdkkms \"github.com/sftpgo/sdk/kms\"\n\t\"golang.org/x/oauth2\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/acme\"\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/ftpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/jwt\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/mfa\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n\t\"github.com/drakkan/sftpgo/v2/internal/smtp\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n\t\"github.com/drakkan/sftpgo/v2/internal/webdavd\"\n)\n\ntype userPageMode int\n\nconst (\n\tuserPageModeAdd userPageMode = iota + 1\n\tuserPageModeUpdate\n\tuserPageModeTemplate\n)\n\ntype folderPageMode int\n\nconst (\n\tfolderPageModeAdd folderPageMode = iota + 1\n\tfolderPageModeUpdate\n\tfolderPageModeTemplate\n)\n\ntype genericPageMode int\n\nconst (\n\tgenericPageModeAdd genericPageMode = iota + 1\n\tgenericPageModeUpdate\n)\n\nconst (\n\ttemplateAdminDir = \"webadmin\"\n\ttemplateBase = \"base.html\"\n\ttemplateFsConfig = \"fsconfig.html\"\n\ttemplateUsers = \"users.html\"\n\ttemplateUser = \"user.html\"\n\ttemplateAdmins = \"admins.html\"\n\ttemplateAdmin = \"admin.html\"\n\ttemplateConnections = \"connections.html\"\n\ttemplateGroups = \"groups.html\"\n\ttemplateGroup = \"group.html\"\n\ttemplateFolders = \"folders.html\"\n\ttemplateFolder = \"folder.html\"\n\ttemplateEventRules = \"eventrules.html\"\n\ttemplateEventRule = \"eventrule.html\"\n\ttemplateEventActions = \"eventactions.html\"\n\ttemplateEventAction = \"eventaction.html\"\n\ttemplateRoles = \"roles.html\"\n\ttemplateRole = \"role.html\"\n\ttemplateEvents = \"events.html\"\n\ttemplateStatus = \"status.html\"\n\ttemplateDefender = \"defender.html\"\n\ttemplateIPLists = \"iplists.html\"\n\ttemplateIPList = \"iplist.html\"\n\ttemplateConfigs = \"configs.html\"\n\ttemplateProfile = \"profile.html\"\n\ttemplateMaintenance = \"maintenance.html\"\n\ttemplateMFA = \"mfa.html\"\n\ttemplateSetup = \"adminsetup.html\"\n\tdefaultQueryLimit = 1000\n\tinversePatternType = \"inverse\"\n)\n\nvar (\n\tadminTemplates = make(map[string]*template.Template)\n)\n\ntype basePage struct {\n\tcommonBasePage\n\tTitle string\n\tCurrentURL string\n\tUsersURL string\n\tUserURL string\n\tUserTemplateURL string\n\tAdminsURL string\n\tAdminURL string\n\tQuotaScanURL string\n\tConnectionsURL string\n\tGroupsURL string\n\tGroupURL string\n\tFoldersURL string\n\tFolderURL string\n\tFolderTemplateURL string\n\tDefenderURL string\n\tIPListsURL string\n\tIPListURL string\n\tEventsURL string\n\tConfigsURL string\n\tLogoutURL string\n\tLoginURL string\n\tProfileURL string\n\tChangePwdURL string\n\tMFAURL string\n\tEventRulesURL string\n\tEventRuleURL string\n\tEventActionsURL string\n\tEventActionURL string\n\tRolesURL string\n\tRoleURL string\n\tFolderQuotaScanURL string\n\tStatusURL string\n\tMaintenanceURL string\n\tCSRFToken string\n\tIsEventManagerPage bool\n\tIsIPManagerPage bool\n\tIsServerManagerPage bool\n\tHasDefender bool\n\tHasSearcher bool\n\tHasExternalLogin bool\n\tLoggedUser *dataprovider.Admin\n\tIsLoggedToShare bool\n\tBranding UIBranding\n\tLanguages []string\n}\n\ntype statusPage struct {\n\tbasePage\n\tStatus *ServicesStatus\n}\n\ntype fsWrapper struct {\n\tvfs.Filesystem\n\tIsUserPage bool\n\tIsGroupPage bool\n\tIsHidden bool\n\tHasUsersBaseDir bool\n\tDirPath string\n}\n\ntype userPage struct {\n\tbasePage\n\tUser *dataprovider.User\n\tRootPerms []string\n\tError *util.I18nError\n\tValidPerms []string\n\tValidLoginMethods []string\n\tValidProtocols []string\n\tTwoFactorProtocols []string\n\tWebClientOptions []string\n\tRootDirPerms []string\n\tMode userPageMode\n\tVirtualFolders []vfs.BaseVirtualFolder\n\tGroups []dataprovider.Group\n\tRoles []dataprovider.Role\n\tCanImpersonate bool\n\tFsWrapper fsWrapper\n\tCanUseTLSCerts bool\n}\n\ntype adminPage struct {\n\tbasePage\n\tAdmin *dataprovider.Admin\n\tGroups []dataprovider.Group\n\tRoles []dataprovider.Role\n\tError *util.I18nError\n\tIsAdd bool\n}\n\ntype profilePage struct {\n\tbasePage\n\tError *util.I18nError\n\tAllowAPIKeyAuth bool\n\tEmail string\n\tDescription string\n}\n\ntype changePasswordPage struct {\n\tbasePage\n\tError *util.I18nError\n}\n\ntype mfaPage struct {\n\tbasePage\n\tTOTPConfigs []string\n\tTOTPConfig dataprovider.AdminTOTPConfig\n\tGenerateTOTPURL string\n\tValidateTOTPURL string\n\tSaveTOTPURL string\n\tRecCodesURL string\n\tRequireTwoFactor bool\n}\n\ntype maintenancePage struct {\n\tbasePage\n\tBackupPath string\n\tRestorePath string\n\tError *util.I18nError\n}\n\ntype defenderHostsPage struct {\n\tbasePage\n\tDefenderHostsURL string\n}\n\ntype ipListsPage struct {\n\tbasePage\n\tIPListsSearchURL string\n\tRateLimitersStatus bool\n\tRateLimitersProtocols string\n\tIsAllowListEnabled bool\n}\n\ntype ipListPage struct {\n\tbasePage\n\tEntry *dataprovider.IPListEntry\n\tError *util.I18nError\n\tMode genericPageMode\n}\n\ntype setupPage struct {\n\tcommonBasePage\n\tCurrentURL string\n\tError *util.I18nError\n\tCSRFToken string\n\tUsername string\n\tHasInstallationCode bool\n\tInstallationCodeHint string\n\tHideSupportLink bool\n\tTitle string\n\tBranding UIBranding\n\tLanguages []string\n\tCheckRedirect bool\n}\n\ntype folderPage struct {\n\tbasePage\n\tFolder vfs.BaseVirtualFolder\n\tError *util.I18nError\n\tMode folderPageMode\n\tFsWrapper fsWrapper\n}\n\ntype groupPage struct {\n\tbasePage\n\tGroup *dataprovider.Group\n\tError *util.I18nError\n\tMode genericPageMode\n\tValidPerms []string\n\tValidLoginMethods []string\n\tValidProtocols []string\n\tTwoFactorProtocols []string\n\tWebClientOptions []string\n\tVirtualFolders []vfs.BaseVirtualFolder\n\tFsWrapper fsWrapper\n}\n\ntype rolePage struct {\n\tbasePage\n\tRole *dataprovider.Role\n\tError *util.I18nError\n\tMode genericPageMode\n}\n\ntype eventActionPage struct {\n\tbasePage\n\tAction dataprovider.BaseEventAction\n\tActionTypes []dataprovider.EnumMapping\n\tFsActions []dataprovider.EnumMapping\n\tHTTPMethods []string\n\tEnabledCommands []string\n\tRedactedSecret string\n\tError *util.I18nError\n\tMode genericPageMode\n}\n\ntype eventRulePage struct {\n\tbasePage\n\tRule dataprovider.EventRule\n\tTriggerTypes []dataprovider.EnumMapping\n\tActions []dataprovider.BaseEventAction\n\tFsEvents []string\n\tProtocols []string\n\tProviderEvents []string\n\tProviderObjects []string\n\tError *util.I18nError\n\tMode genericPageMode\n\tIsShared bool\n}\n\ntype eventsPage struct {\n\tbasePage\n\tFsEventsSearchURL string\n\tProviderEventsSearchURL string\n\tLogEventsSearchURL string\n}\n\ntype configsPage struct {\n\tbasePage\n\tConfigs dataprovider.Configs\n\tConfigSection int\n\tRedactedSecret string\n\tOAuth2TokenURL string\n\tOAuth2RedirectURL string\n\tWebClientBranding UIBranding\n\tError *util.I18nError\n}\n\ntype messagePage struct {\n\tbasePage\n\tError *util.I18nError\n\tSuccess string\n\tText string\n}\n\ntype userTemplateFields struct {\n\tUsername string\n\tPassword string\n\tPublicKeys []string\n\tRequirePwdChange bool\n}\n\nfunc loadAdminTemplates(templatesPath string) {\n\tusersPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateUsers),\n\t}\n\tuserPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateFsConfig),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateUser),\n\t}\n\tadminsPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateAdmins),\n\t}\n\tadminPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateAdmin),\n\t}\n\tprofilePaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateProfile),\n\t}\n\tchangePwdPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateBase),\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateChangePwd),\n\t}\n\tconnectionsPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateConnections),\n\t}\n\tmessagePaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateBase),\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateMessage),\n\t}\n\tfoldersPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateFolders),\n\t}\n\tfolderPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateFsConfig),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateFolder),\n\t}\n\tgroupsPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateGroups),\n\t}\n\tgroupPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateFsConfig),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateGroup),\n\t}\n\teventRulesPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateEventRules),\n\t}\n\teventRulePaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateEventRule),\n\t}\n\teventActionsPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateEventActions),\n\t}\n\teventActionPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateEventAction),\n\t}\n\tstatusPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateStatus),\n\t}\n\tloginPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBaseLogin),\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonLogin),\n\t}\n\tmaintenancePaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateMaintenance),\n\t}\n\tdefenderPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateDefender),\n\t}\n\tipListsPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateIPLists),\n\t}\n\tipListPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateIPList),\n\t}\n\tmfaPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateMFA),\n\t}\n\ttwoFactorPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBaseLogin),\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateTwoFactor),\n\t}\n\ttwoFactorRecoveryPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBaseLogin),\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateTwoFactorRecovery),\n\t}\n\tsetupPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBaseLogin),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateSetup),\n\t}\n\tforgotPwdPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBaseLogin),\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateForgotPassword),\n\t}\n\tresetPwdPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBaseLogin),\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateResetPassword),\n\t}\n\trolesPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateRoles),\n\t}\n\trolePaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateRole),\n\t}\n\teventsPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateEvents),\n\t}\n\tconfigsPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateBase),\n\t\tfilepath.Join(templatesPath, templateAdminDir, templateConfigs),\n\t}\n\n\tfsBaseTpl := template.New(\"fsBaseTemplate\").Funcs(template.FuncMap{\n\t\t\"HumanizeBytes\": util.ByteCountSI,\n\t})\n\tusersTmpl := util.LoadTemplate(nil, usersPaths...)\n\tuserTmpl := util.LoadTemplate(fsBaseTpl, userPaths...)\n\tadminsTmpl := util.LoadTemplate(nil, adminsPaths...)\n\tadminTmpl := util.LoadTemplate(nil, adminPaths...)\n\tconnectionsTmpl := util.LoadTemplate(nil, connectionsPaths...)\n\tmessageTmpl := util.LoadTemplate(nil, messagePaths...)\n\tgroupsTmpl := util.LoadTemplate(nil, groupsPaths...)\n\tgroupTmpl := util.LoadTemplate(fsBaseTpl, groupPaths...)\n\tfoldersTmpl := util.LoadTemplate(nil, foldersPaths...)\n\tfolderTmpl := util.LoadTemplate(fsBaseTpl, folderPaths...)\n\teventRulesTmpl := util.LoadTemplate(nil, eventRulesPaths...)\n\teventRuleTmpl := util.LoadTemplate(fsBaseTpl, eventRulePaths...)\n\teventActionsTmpl := util.LoadTemplate(nil, eventActionsPaths...)\n\teventActionTmpl := util.LoadTemplate(nil, eventActionPaths...)\n\tstatusTmpl := util.LoadTemplate(nil, statusPaths...)\n\tloginTmpl := util.LoadTemplate(nil, loginPaths...)\n\tprofileTmpl := util.LoadTemplate(nil, profilePaths...)\n\tchangePwdTmpl := util.LoadTemplate(nil, changePwdPaths...)\n\tmaintenanceTmpl := util.LoadTemplate(nil, maintenancePaths...)\n\tdefenderTmpl := util.LoadTemplate(nil, defenderPaths...)\n\tipListsTmpl := util.LoadTemplate(nil, ipListsPaths...)\n\tipListTmpl := util.LoadTemplate(nil, ipListPaths...)\n\tmfaTmpl := util.LoadTemplate(nil, mfaPaths...)\n\ttwoFactorTmpl := util.LoadTemplate(nil, twoFactorPaths...)\n\ttwoFactorRecoveryTmpl := util.LoadTemplate(nil, twoFactorRecoveryPaths...)\n\tsetupTmpl := util.LoadTemplate(nil, setupPaths...)\n\tforgotPwdTmpl := util.LoadTemplate(nil, forgotPwdPaths...)\n\tresetPwdTmpl := util.LoadTemplate(nil, resetPwdPaths...)\n\trolesTmpl := util.LoadTemplate(nil, rolesPaths...)\n\troleTmpl := util.LoadTemplate(nil, rolePaths...)\n\teventsTmpl := util.LoadTemplate(nil, eventsPaths...)\n\tconfigsTmpl := util.LoadTemplate(nil, configsPaths...)\n\n\tadminTemplates[templateUsers] = usersTmpl\n\tadminTemplates[templateUser] = userTmpl\n\tadminTemplates[templateAdmins] = adminsTmpl\n\tadminTemplates[templateAdmin] = adminTmpl\n\tadminTemplates[templateConnections] = connectionsTmpl\n\tadminTemplates[templateMessage] = messageTmpl\n\tadminTemplates[templateGroups] = groupsTmpl\n\tadminTemplates[templateGroup] = groupTmpl\n\tadminTemplates[templateFolders] = foldersTmpl\n\tadminTemplates[templateFolder] = folderTmpl\n\tadminTemplates[templateEventRules] = eventRulesTmpl\n\tadminTemplates[templateEventRule] = eventRuleTmpl\n\tadminTemplates[templateEventActions] = eventActionsTmpl\n\tadminTemplates[templateEventAction] = eventActionTmpl\n\tadminTemplates[templateStatus] = statusTmpl\n\tadminTemplates[templateCommonLogin] = loginTmpl\n\tadminTemplates[templateProfile] = profileTmpl\n\tadminTemplates[templateChangePwd] = changePwdTmpl\n\tadminTemplates[templateMaintenance] = maintenanceTmpl\n\tadminTemplates[templateDefender] = defenderTmpl\n\tadminTemplates[templateIPLists] = ipListsTmpl\n\tadminTemplates[templateIPList] = ipListTmpl\n\tadminTemplates[templateMFA] = mfaTmpl\n\tadminTemplates[templateTwoFactor] = twoFactorTmpl\n\tadminTemplates[templateTwoFactorRecovery] = twoFactorRecoveryTmpl\n\tadminTemplates[templateSetup] = setupTmpl\n\tadminTemplates[templateForgotPassword] = forgotPwdTmpl\n\tadminTemplates[templateResetPassword] = resetPwdTmpl\n\tadminTemplates[templateRoles] = rolesTmpl\n\tadminTemplates[templateRole] = roleTmpl\n\tadminTemplates[templateEvents] = eventsTmpl\n\tadminTemplates[templateConfigs] = configsTmpl\n}\n\nfunc isEventManagerResource(currentURL string) bool {\n\tif currentURL == webAdminEventRulesPath {\n\t\treturn true\n\t}\n\tif currentURL == webAdminEventActionsPath {\n\t\treturn true\n\t}\n\tif currentURL == webAdminEventRulePath || strings.HasPrefix(currentURL, webAdminEventRulePath+\"/\") {\n\t\treturn true\n\t}\n\tif currentURL == webAdminEventActionPath || strings.HasPrefix(currentURL, webAdminEventActionPath+\"/\") {\n\t\treturn true\n\t}\n\treturn false\n}\n\nfunc isIPListsResource(currentURL string) bool {\n\tif currentURL == webDefenderPath {\n\t\treturn true\n\t}\n\tif currentURL == webIPListsPath {\n\t\treturn true\n\t}\n\tif strings.HasPrefix(currentURL, webIPListPath+\"/\") {\n\t\treturn true\n\t}\n\treturn false\n}\n\nfunc isServerManagerResource(currentURL string) bool {\n\treturn currentURL == webEventsPath || currentURL == webStatusPath || currentURL == webMaintenancePath ||\n\t\tcurrentURL == webConfigsPath\n}\n\nfunc (s *httpdServer) getBasePageData(title, currentURL string, w http.ResponseWriter, r *http.Request) basePage {\n\tvar csrfToken string\n\tif currentURL != \"\" {\n\t\tcsrfToken = createCSRFToken(w, r, s.csrfTokenAuth, \"\", webBaseAdminPath)\n\t}\n\treturn basePage{\n\t\tcommonBasePage: getCommonBasePage(r),\n\t\tTitle: title,\n\t\tCurrentURL: currentURL,\n\t\tUsersURL: webUsersPath,\n\t\tUserURL: webUserPath,\n\t\tUserTemplateURL: webTemplateUser,\n\t\tAdminsURL: webAdminsPath,\n\t\tAdminURL: webAdminPath,\n\t\tGroupsURL: webGroupsPath,\n\t\tGroupURL: webGroupPath,\n\t\tFoldersURL: webFoldersPath,\n\t\tFolderURL: webFolderPath,\n\t\tFolderTemplateURL: webTemplateFolder,\n\t\tDefenderURL: webDefenderPath,\n\t\tIPListsURL: webIPListsPath,\n\t\tIPListURL: webIPListPath,\n\t\tEventsURL: webEventsPath,\n\t\tConfigsURL: webConfigsPath,\n\t\tLogoutURL: webLogoutPath,\n\t\tLoginURL: webAdminLoginPath,\n\t\tProfileURL: webAdminProfilePath,\n\t\tChangePwdURL: webChangeAdminPwdPath,\n\t\tMFAURL: webAdminMFAPath,\n\t\tEventRulesURL: webAdminEventRulesPath,\n\t\tEventRuleURL: webAdminEventRulePath,\n\t\tEventActionsURL: webAdminEventActionsPath,\n\t\tEventActionURL: webAdminEventActionPath,\n\t\tRolesURL: webAdminRolesPath,\n\t\tRoleURL: webAdminRolePath,\n\t\tQuotaScanURL: webQuotaScanPath,\n\t\tConnectionsURL: webConnectionsPath,\n\t\tStatusURL: webStatusPath,\n\t\tFolderQuotaScanURL: webScanVFolderPath,\n\t\tMaintenanceURL: webMaintenancePath,\n\t\tLoggedUser: getAdminFromToken(r),\n\t\tIsEventManagerPage: isEventManagerResource(currentURL),\n\t\tIsIPManagerPage: isIPListsResource(currentURL),\n\t\tIsServerManagerPage: isServerManagerResource(currentURL),\n\t\tHasDefender: common.Config.DefenderConfig.Enabled,\n\t\tHasSearcher: plugin.Handler.HasSearcher(),\n\t\tHasExternalLogin: isLoggedInWithOIDC(r),\n\t\tCSRFToken: csrfToken,\n\t\tBranding: s.binding.webAdminBranding(),\n\t\tLanguages: s.binding.languages(),\n\t}\n}\n\nfunc renderAdminTemplate(w http.ResponseWriter, tmplName string, data any) {\n\terr := adminTemplates[tmplName].ExecuteTemplate(w, tmplName, data)\n\tif err != nil {\n\t\thttp.Error(w, err.Error(), http.StatusInternalServerError)\n\t}\n}\n\nfunc (s *httpdServer) renderMessagePageWithString(w http.ResponseWriter, r *http.Request, title string, statusCode int,\n\terr error, message, text string,\n) {\n\tdata := messagePage{\n\t\tbasePage: s.getBasePageData(title, \"\", w, r),\n\t\tError: getI18nError(err),\n\t\tSuccess: message,\n\t\tText: text,\n\t}\n\tw.WriteHeader(statusCode)\n\trenderAdminTemplate(w, templateMessage, data)\n}\n\nfunc (s *httpdServer) renderMessagePage(w http.ResponseWriter, r *http.Request, title string, statusCode int,\n\terr error, message string,\n) {\n\ts.renderMessagePageWithString(w, r, title, statusCode, err, message, \"\")\n}\n\nfunc (s *httpdServer) renderInternalServerErrorPage(w http.ResponseWriter, r *http.Request, err error) {\n\ts.renderMessagePage(w, r, util.I18nError500Title, http.StatusInternalServerError,\n\t\tutil.NewI18nError(err, util.I18nError500Message), \"\")\n}\n\nfunc (s *httpdServer) renderBadRequestPage(w http.ResponseWriter, r *http.Request, err error) {\n\ts.renderMessagePage(w, r, util.I18nError400Title, http.StatusBadRequest,\n\t\tutil.NewI18nError(err, util.I18nError400Message), \"\")\n}\n\nfunc (s *httpdServer) renderForbiddenPage(w http.ResponseWriter, r *http.Request, err error) {\n\ts.renderMessagePage(w, r, util.I18nError403Title, http.StatusForbidden,\n\t\tutil.NewI18nError(err, util.I18nError403Message), \"\")\n}\n\nfunc (s *httpdServer) renderNotFoundPage(w http.ResponseWriter, r *http.Request, err error) {\n\ts.renderMessagePage(w, r, util.I18nError404Title, http.StatusNotFound,\n\t\tutil.NewI18nError(err, util.I18nError404Message), \"\")\n}\n\nfunc (s *httpdServer) renderForgotPwdPage(w http.ResponseWriter, r *http.Request, err *util.I18nError) {\n\tdata := forgotPwdPage{\n\t\tcommonBasePage: getCommonBasePage(r),\n\t\tCurrentURL: webAdminForgotPwdPath,\n\t\tError: err,\n\t\tCSRFToken: createCSRFToken(w, r, s.csrfTokenAuth, rand.Text(), webBaseAdminPath),\n\t\tLoginURL: webAdminLoginPath,\n\t\tTitle: util.I18nForgotPwdTitle,\n\t\tBranding: s.binding.webAdminBranding(),\n\t\tLanguages: s.binding.languages(),\n\t}\n\trenderAdminTemplate(w, templateForgotPassword, data)\n}\n\nfunc (s *httpdServer) renderResetPwdPage(w http.ResponseWriter, r *http.Request, err *util.I18nError) {\n\tdata := resetPwdPage{\n\t\tcommonBasePage: getCommonBasePage(r),\n\t\tCurrentURL: webAdminResetPwdPath,\n\t\tError: err,\n\t\tCSRFToken: createCSRFToken(w, r, s.csrfTokenAuth, \"\", webBaseAdminPath),\n\t\tLoginURL: webAdminLoginPath,\n\t\tTitle: util.I18nResetPwdTitle,\n\t\tBranding: s.binding.webAdminBranding(),\n\t\tLanguages: s.binding.languages(),\n\t}\n\trenderAdminTemplate(w, templateResetPassword, data)\n}\n\nfunc (s *httpdServer) renderTwoFactorPage(w http.ResponseWriter, r *http.Request, err *util.I18nError) {\n\tdata := twoFactorPage{\n\t\tcommonBasePage: getCommonBasePage(r),\n\t\tTitle: util.I18n2FATitle,\n\t\tCurrentURL: webAdminTwoFactorPath,\n\t\tError: err,\n\t\tCSRFToken: createCSRFToken(w, r, s.csrfTokenAuth, \"\", webBaseAdminPath),\n\t\tRecoveryURL: webAdminTwoFactorRecoveryPath,\n\t\tBranding: s.binding.webAdminBranding(),\n\t\tLanguages: s.binding.languages(),\n\t}\n\trenderAdminTemplate(w, templateTwoFactor, data)\n}\n\nfunc (s *httpdServer) renderTwoFactorRecoveryPage(w http.ResponseWriter, r *http.Request, err *util.I18nError) {\n\tdata := twoFactorPage{\n\t\tcommonBasePage: getCommonBasePage(r),\n\t\tTitle: util.I18n2FATitle,\n\t\tCurrentURL: webAdminTwoFactorRecoveryPath,\n\t\tError: err,\n\t\tCSRFToken: createCSRFToken(w, r, s.csrfTokenAuth, \"\", webBaseAdminPath),\n\t\tBranding: s.binding.webAdminBranding(),\n\t\tLanguages: s.binding.languages(),\n\t}\n\trenderAdminTemplate(w, templateTwoFactorRecovery, data)\n}\n\nfunc (s *httpdServer) renderMFAPage(w http.ResponseWriter, r *http.Request) {\n\tdata := mfaPage{\n\t\tbasePage: s.getBasePageData(util.I18n2FATitle, webAdminMFAPath, w, r),\n\t\tTOTPConfigs: mfa.GetAvailableTOTPConfigNames(),\n\t\tGenerateTOTPURL: webAdminTOTPGeneratePath,\n\t\tValidateTOTPURL: webAdminTOTPValidatePath,\n\t\tSaveTOTPURL: webAdminTOTPSavePath,\n\t\tRecCodesURL: webAdminRecoveryCodesPath,\n\t}\n\tadmin, err := dataprovider.AdminExists(data.LoggedUser.Username)\n\tif err != nil {\n\t\ts.renderInternalServerErrorPage(w, r, err)\n\t\treturn\n\t}\n\tdata.TOTPConfig = admin.Filters.TOTPConfig\n\tdata.RequireTwoFactor = admin.Filters.RequireTwoFactor\n\trenderAdminTemplate(w, templateMFA, data)\n}\n\nfunc (s *httpdServer) renderProfilePage(w http.ResponseWriter, r *http.Request, err error) {\n\tdata := profilePage{\n\t\tbasePage: s.getBasePageData(util.I18nProfileTitle, webAdminProfilePath, w, r),\n\t\tError: getI18nError(err),\n\t}\n\tadmin, err := dataprovider.AdminExists(data.LoggedUser.Username)\n\tif err != nil {\n\t\ts.renderInternalServerErrorPage(w, r, err)\n\t\treturn\n\t}\n\tdata.AllowAPIKeyAuth = admin.Filters.AllowAPIKeyAuth\n\tdata.Email = admin.Email\n\tdata.Description = admin.Description\n\n\trenderAdminTemplate(w, templateProfile, data)\n}\n\nfunc (s *httpdServer) renderChangePasswordPage(w http.ResponseWriter, r *http.Request, err *util.I18nError) {\n\tdata := changePasswordPage{\n\t\tbasePage: s.getBasePageData(util.I18nChangePwdTitle, webChangeAdminPwdPath, w, r),\n\t\tError: err,\n\t}\n\n\trenderAdminTemplate(w, templateChangePwd, data)\n}\n\nfunc (s *httpdServer) renderMaintenancePage(w http.ResponseWriter, r *http.Request, err error) {\n\tdata := maintenancePage{\n\t\tbasePage: s.getBasePageData(util.I18nMaintenanceTitle, webMaintenancePath, w, r),\n\t\tBackupPath: webBackupPath,\n\t\tRestorePath: webRestorePath,\n\t\tError: getI18nError(err),\n\t}\n\n\trenderAdminTemplate(w, templateMaintenance, data)\n}\n\nfunc (s *httpdServer) renderConfigsPage(w http.ResponseWriter, r *http.Request, configs dataprovider.Configs,\n\terr error, section int,\n) {\n\tconfigs.SetNilsToEmpty()\n\tif configs.SMTP.Port == 0 {\n\t\tconfigs.SMTP.Port = 587\n\t\tconfigs.SMTP.AuthType = 1\n\t\tconfigs.SMTP.Encryption = 2\n\t}\n\tif configs.ACME.HTTP01Challenge.Port == 0 {\n\t\tconfigs.ACME.HTTP01Challenge.Port = 80\n\t}\n\tdata := configsPage{\n\t\tbasePage: s.getBasePageData(util.I18nConfigsTitle, webConfigsPath, w, r),\n\t\tConfigs: configs,\n\t\tConfigSection: section,\n\t\tRedactedSecret: redactedSecret,\n\t\tOAuth2TokenURL: webOAuth2TokenPath,\n\t\tOAuth2RedirectURL: webOAuth2RedirectPath,\n\t\tWebClientBranding: s.binding.webClientBranding(),\n\t\tError: getI18nError(err),\n\t}\n\n\trenderAdminTemplate(w, templateConfigs, data)\n}\n\nfunc (s *httpdServer) renderAdminSetupPage(w http.ResponseWriter, r *http.Request, username string, err *util.I18nError) {\n\tdata := setupPage{\n\t\tcommonBasePage: getCommonBasePage(r),\n\t\tTitle: util.I18nSetupTitle,\n\t\tCurrentURL: webAdminSetupPath,\n\t\tCSRFToken: createCSRFToken(w, r, s.csrfTokenAuth, rand.Text(), webBaseAdminPath),\n\t\tUsername: username,\n\t\tHasInstallationCode: installationCode != \"\",\n\t\tInstallationCodeHint: installationCodeHint,\n\t\tHideSupportLink: hideSupportLink,\n\t\tError: err,\n\t\tBranding: s.binding.webAdminBranding(),\n\t\tLanguages: s.binding.languages(),\n\t}\n\n\trenderAdminTemplate(w, templateSetup, data)\n}\n\nfunc (s *httpdServer) renderAddUpdateAdminPage(w http.ResponseWriter, r *http.Request, admin *dataprovider.Admin,\n\terr error, isAdd bool) {\n\tgroups, errGroups := s.getWebGroups(w, r, defaultQueryLimit, true)\n\tif errGroups != nil {\n\t\treturn\n\t}\n\troles, errRoles := s.getWebRoles(w, r, 10, true)\n\tif errRoles != nil {\n\t\treturn\n\t}\n\tcurrentURL := webAdminPath\n\ttitle := util.I18nAddAdminTitle\n\tif !isAdd {\n\t\tcurrentURL = fmt.Sprintf(\"%v/%v\", webAdminPath, url.PathEscape(admin.Username))\n\t\ttitle = util.I18nUpdateAdminTitle\n\t}\n\tdata := adminPage{\n\t\tbasePage: s.getBasePageData(title, currentURL, w, r),\n\t\tAdmin: admin,\n\t\tGroups: groups,\n\t\tRoles: roles,\n\t\tError: getI18nError(err),\n\t\tIsAdd: isAdd,\n\t}\n\n\trenderAdminTemplate(w, templateAdmin, data)\n}\n\nfunc (s *httpdServer) getUserPageTitleAndURL(mode userPageMode, username string) (string, string) {\n\tvar title, currentURL string\n\tswitch mode {\n\tcase userPageModeAdd:\n\t\ttitle = util.I18nAddUserTitle\n\t\tcurrentURL = webUserPath\n\tcase userPageModeUpdate:\n\t\ttitle = util.I18nUpdateUserTitle\n\t\tcurrentURL = fmt.Sprintf(\"%v/%v\", webUserPath, url.PathEscape(username))\n\tcase userPageModeTemplate:\n\t\ttitle = util.I18nTemplateUserTitle\n\t\tcurrentURL = webTemplateUser\n\t}\n\treturn title, currentURL\n}\n\nfunc (s *httpdServer) renderUserPage(w http.ResponseWriter, r *http.Request, user *dataprovider.User,\n\tmode userPageMode, err error, admin *dataprovider.Admin,\n) {\n\tuser.SetEmptySecretsIfNil()\n\ttitle, currentURL := s.getUserPageTitleAndURL(mode, user.Username)\n\tif user.Password != \"\" && user.IsPasswordHashed() {\n\t\tswitch mode {\n\t\tcase userPageModeUpdate:\n\t\t\tuser.Password = redactedSecret\n\t\tdefault:\n\t\t\tuser.Password = \"\"\n\t\t}\n\t}\n\tuser.FsConfig.RedactedSecret = redactedSecret\n\tbasePage := s.getBasePageData(title, currentURL, w, r)\n\tif (mode == userPageModeAdd || mode == userPageModeTemplate) && len(user.Groups) == 0 && admin != nil {\n\t\tfor _, group := range admin.Groups {\n\t\t\tuser.Groups = append(user.Groups, sdk.GroupMapping{\n\t\t\t\tName: group.Name,\n\t\t\t\tType: group.Options.GetUserGroupType(),\n\t\t\t})\n\t\t}\n\t}\n\tvar roles []dataprovider.Role\n\tif basePage.LoggedUser.Role == \"\" {\n\t\tvar errRoles error\n\t\troles, errRoles = s.getWebRoles(w, r, 10, true)\n\t\tif errRoles != nil {\n\t\t\treturn\n\t\t}\n\t}\n\tfolders, errFolders := s.getWebVirtualFolders(w, r, defaultQueryLimit, true)\n\tif errFolders != nil {\n\t\treturn\n\t}\n\tgroups, errGroups := s.getWebGroups(w, r, defaultQueryLimit, true)\n\tif errGroups != nil {\n\t\treturn\n\t}\n\tdata := userPage{\n\t\tbasePage: basePage,\n\t\tMode: mode,\n\t\tError: getI18nError(err),\n\t\tUser: user,\n\t\tValidPerms: dataprovider.ValidPerms,\n\t\tValidLoginMethods: dataprovider.ValidLoginMethods,\n\t\tValidProtocols: dataprovider.ValidProtocols,\n\t\tTwoFactorProtocols: dataprovider.MFAProtocols,\n\t\tWebClientOptions: sdk.WebClientOptions,\n\t\tRootDirPerms: user.GetPermissionsForPath(\"/\"),\n\t\tVirtualFolders: folders,\n\t\tGroups: groups,\n\t\tRoles: roles,\n\t\tCanImpersonate: os.Getuid() == 0,\n\t\tCanUseTLSCerts: ftpd.GetStatus().IsActive || webdavd.GetStatus().IsActive,\n\t\tFsWrapper: fsWrapper{\n\t\t\tFilesystem: user.FsConfig,\n\t\t\tIsUserPage: true,\n\t\t\tIsGroupPage: false,\n\t\t\tIsHidden: basePage.LoggedUser.Filters.Preferences.HideFilesystem(),\n\t\t\tHasUsersBaseDir: dataprovider.HasUsersBaseDir(),\n\t\t\tDirPath: user.HomeDir,\n\t\t},\n\t}\n\trenderAdminTemplate(w, templateUser, data)\n}\n\nfunc (s *httpdServer) renderIPListPage(w http.ResponseWriter, r *http.Request, entry dataprovider.IPListEntry,\n\tmode genericPageMode, err error,\n) {\n\tvar title, currentURL string\n\tswitch mode {\n\tcase genericPageModeAdd:\n\t\ttitle = util.I18nAddIPListTitle\n\t\tcurrentURL = fmt.Sprintf(\"%s/%d\", webIPListPath, entry.Type)\n\tcase genericPageModeUpdate:\n\t\ttitle = util.I18nUpdateIPListTitle\n\t\tcurrentURL = fmt.Sprintf(\"%s/%d/%s\", webIPListPath, entry.Type, url.PathEscape(entry.IPOrNet))\n\t}\n\tdata := ipListPage{\n\t\tbasePage: s.getBasePageData(title, currentURL, w, r),\n\t\tError: getI18nError(err),\n\t\tEntry: &entry,\n\t\tMode: mode,\n\t}\n\trenderAdminTemplate(w, templateIPList, data)\n}\n\nfunc (s *httpdServer) renderRolePage(w http.ResponseWriter, r *http.Request, role dataprovider.Role,\n\tmode genericPageMode, err error,\n) {\n\tvar title, currentURL string\n\tswitch mode {\n\tcase genericPageModeAdd:\n\t\ttitle = util.I18nRoleAddTitle\n\t\tcurrentURL = webAdminRolePath\n\tcase genericPageModeUpdate:\n\t\ttitle = util.I18nRoleUpdateTitle\n\t\tcurrentURL = fmt.Sprintf(\"%s/%s\", webAdminRolePath, url.PathEscape(role.Name))\n\t}\n\tdata := rolePage{\n\t\tbasePage: s.getBasePageData(title, currentURL, w, r),\n\t\tError: getI18nError(err),\n\t\tRole: &role,\n\t\tMode: mode,\n\t}\n\trenderAdminTemplate(w, templateRole, data)\n}\n\nfunc (s *httpdServer) renderGroupPage(w http.ResponseWriter, r *http.Request, group dataprovider.Group,\n\tmode genericPageMode, err error,\n) {\n\tfolders, errFolders := s.getWebVirtualFolders(w, r, defaultQueryLimit, true)\n\tif errFolders != nil {\n\t\treturn\n\t}\n\tgroup.SetEmptySecretsIfNil()\n\tgroup.UserSettings.FsConfig.RedactedSecret = redactedSecret\n\tvar title, currentURL string\n\tswitch mode {\n\tcase genericPageModeAdd:\n\t\ttitle = util.I18nAddGroupTitle\n\t\tcurrentURL = webGroupPath\n\tcase genericPageModeUpdate:\n\t\ttitle = util.I18nUpdateGroupTitle\n\t\tcurrentURL = fmt.Sprintf(\"%v/%v\", webGroupPath, url.PathEscape(group.Name))\n\t}\n\tgroup.UserSettings.FsConfig.RedactedSecret = redactedSecret\n\tgroup.UserSettings.FsConfig.SetEmptySecretsIfNil()\n\n\tdata := groupPage{\n\t\tbasePage: s.getBasePageData(title, currentURL, w, r),\n\t\tError: getI18nError(err),\n\t\tGroup: &group,\n\t\tMode: mode,\n\t\tValidPerms: dataprovider.ValidPerms,\n\t\tValidLoginMethods: dataprovider.ValidLoginMethods,\n\t\tValidProtocols: dataprovider.ValidProtocols,\n\t\tTwoFactorProtocols: dataprovider.MFAProtocols,\n\t\tWebClientOptions: sdk.WebClientOptions,\n\t\tVirtualFolders: folders,\n\t\tFsWrapper: fsWrapper{\n\t\t\tFilesystem: group.UserSettings.FsConfig,\n\t\t\tIsUserPage: false,\n\t\t\tIsGroupPage: true,\n\t\t\tHasUsersBaseDir: false,\n\t\t\tDirPath: group.UserSettings.HomeDir,\n\t\t},\n\t}\n\trenderAdminTemplate(w, templateGroup, data)\n}\n\nfunc (s *httpdServer) renderEventActionPage(w http.ResponseWriter, r *http.Request, action dataprovider.BaseEventAction,\n\tmode genericPageMode, err error,\n) {\n\taction.Options.SetEmptySecretsIfNil()\n\tvar title, currentURL string\n\tswitch mode {\n\tcase genericPageModeAdd:\n\t\ttitle = util.I18nAddActionTitle\n\t\tcurrentURL = webAdminEventActionPath\n\tcase genericPageModeUpdate:\n\t\ttitle = util.I18nUpdateActionTitle\n\t\tcurrentURL = fmt.Sprintf(\"%s/%s\", webAdminEventActionPath, url.PathEscape(action.Name))\n\t}\n\tif action.Options.HTTPConfig.Timeout == 0 {\n\t\taction.Options.HTTPConfig.Timeout = 20\n\t}\n\tif action.Options.CmdConfig.Timeout == 0 {\n\t\taction.Options.CmdConfig.Timeout = 20\n\t}\n\tif action.Options.PwdExpirationConfig.Threshold == 0 {\n\t\taction.Options.PwdExpirationConfig.Threshold = 10\n\t}\n\n\tdata := eventActionPage{\n\t\tbasePage: s.getBasePageData(title, currentURL, w, r),\n\t\tAction: action,\n\t\tActionTypes: dataprovider.EventActionTypes,\n\t\tFsActions: dataprovider.FsActionTypes,\n\t\tHTTPMethods: dataprovider.SupportedHTTPActionMethods,\n\t\tEnabledCommands: dataprovider.EnabledActionCommands,\n\t\tRedactedSecret: redactedSecret,\n\t\tError: getI18nError(err),\n\t\tMode: mode,\n\t}\n\trenderAdminTemplate(w, templateEventAction, data)\n}\n\nfunc (s *httpdServer) renderEventRulePage(w http.ResponseWriter, r *http.Request, rule dataprovider.EventRule,\n\tmode genericPageMode, err error,\n) {\n\tactions, errActions := s.getWebEventActions(w, r, defaultQueryLimit, true)\n\tif errActions != nil {\n\t\treturn\n\t}\n\tvar title, currentURL string\n\tswitch mode {\n\tcase genericPageModeAdd:\n\t\ttitle = util.I18nAddRuleTitle\n\t\tcurrentURL = webAdminEventRulePath\n\tcase genericPageModeUpdate:\n\t\ttitle = util.I18nUpdateRuleTitle\n\t\tcurrentURL = fmt.Sprintf(\"%v/%v\", webAdminEventRulePath, url.PathEscape(rule.Name))\n\t}\n\n\tdata := eventRulePage{\n\t\tbasePage: s.getBasePageData(title, currentURL, w, r),\n\t\tRule: rule,\n\t\tTriggerTypes: dataprovider.EventTriggerTypes,\n\t\tActions: actions,\n\t\tFsEvents: dataprovider.SupportedFsEvents,\n\t\tProtocols: dataprovider.SupportedRuleConditionProtocols,\n\t\tProviderEvents: dataprovider.SupportedProviderEvents,\n\t\tProviderObjects: dataprovider.SupporteRuleConditionProviderObjects,\n\t\tError: getI18nError(err),\n\t\tMode: mode,\n\t\tIsShared: s.isShared > 0,\n\t}\n\trenderAdminTemplate(w, templateEventRule, data)\n}\n\nfunc (s *httpdServer) renderFolderPage(w http.ResponseWriter, r *http.Request, folder vfs.BaseVirtualFolder,\n\tmode folderPageMode, err error,\n) {\n\tvar title, currentURL string\n\tswitch mode {\n\tcase folderPageModeAdd:\n\t\ttitle = util.I18nAddFolderTitle\n\t\tcurrentURL = webFolderPath\n\tcase folderPageModeUpdate:\n\t\ttitle = util.I18nUpdateFolderTitle\n\t\tcurrentURL = fmt.Sprintf(\"%v/%v\", webFolderPath, url.PathEscape(folder.Name))\n\tcase folderPageModeTemplate:\n\t\ttitle = util.I18nTemplateFolderTitle\n\t\tcurrentURL = webTemplateFolder\n\t}\n\tfolder.FsConfig.RedactedSecret = redactedSecret\n\tfolder.FsConfig.SetEmptySecretsIfNil()\n\n\tdata := folderPage{\n\t\tbasePage: s.getBasePageData(title, currentURL, w, r),\n\t\tError: getI18nError(err),\n\t\tFolder: folder,\n\t\tMode: mode,\n\t\tFsWrapper: fsWrapper{\n\t\t\tFilesystem: folder.FsConfig,\n\t\t\tIsUserPage: false,\n\t\t\tIsGroupPage: false,\n\t\t\tHasUsersBaseDir: false,\n\t\t\tDirPath: folder.MappedPath,\n\t\t},\n\t}\n\trenderAdminTemplate(w, templateFolder, data)\n}\n\nfunc getFoldersForTemplate(r *http.Request) []string {\n\tvar res []string\n\tfor k := range r.Form {\n\t\tif hasPrefixAndSuffix(k, \"template_folders[\", \"][tpl_foldername]\") {\n\t\t\tr.Form.Add(\"tpl_foldername\", r.Form.Get(k))\n\t\t}\n\t}\n\tfolderNames := r.Form[\"tpl_foldername\"]\n\tfolders := make(map[string]bool)\n\tfor _, name := range folderNames {\n\t\tname = strings.TrimSpace(name)\n\t\tif name == \"\" {\n\t\t\tcontinue\n\t\t}\n\t\tif _, ok := folders[name]; ok {\n\t\t\tcontinue\n\t\t}\n\t\tfolders[name] = true\n\t\tres = append(res, name)\n\t}\n\treturn res\n}\n\nfunc getUsersForTemplate(r *http.Request) []userTemplateFields {\n\tvar res []userTemplateFields\n\ttplUsernames := r.Form[\"tpl_username\"]\n\ttplPasswords := r.Form[\"tpl_password\"]\n\ttplPublicKeys := r.Form[\"tpl_public_keys\"]\n\n\tusers := make(map[string]bool)\n\tfor idx := range tplUsernames {\n\t\tusername := tplUsernames[idx]\n\t\tpassword := \"\"\n\t\tpublicKey := \"\"\n\t\tif len(tplPasswords) > idx {\n\t\t\tpassword = strings.TrimSpace(tplPasswords[idx])\n\t\t}\n\t\tif len(tplPublicKeys) > idx {\n\t\t\tpublicKey = strings.TrimSpace(tplPublicKeys[idx])\n\t\t}\n\t\tif username == \"\" {\n\t\t\tcontinue\n\t\t}\n\t\tif _, ok := users[username]; ok {\n\t\t\tcontinue\n\t\t}\n\n\t\tusers[username] = true\n\t\tres = append(res, userTemplateFields{\n\t\t\tUsername: username,\n\t\t\tPassword: password,\n\t\t\tPublicKeys: []string{publicKey},\n\t\t\tRequirePwdChange: r.Form.Get(\"tpl_require_password_change\") != \"\",\n\t\t})\n\t}\n\n\treturn res\n}\n\nfunc getVirtualFoldersFromPostFields(r *http.Request) []vfs.VirtualFolder {\n\tvar virtualFolders []vfs.VirtualFolder\n\tfolderPaths := r.Form[\"vfolder_path\"]\n\tfolderNames := r.Form[\"vfolder_name\"]\n\tfolderQuotaSizes := r.Form[\"vfolder_quota_size\"]\n\tfolderQuotaFiles := r.Form[\"vfolder_quota_files\"]\n\tfor idx, p := range folderPaths {\n\t\tname := \"\"\n\t\tif len(folderNames) > idx {\n\t\t\tname = folderNames[idx]\n\t\t}\n\t\tif p != \"\" && name != \"\" {\n\t\t\tvfolder := vfs.VirtualFolder{\n\t\t\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\t\t\tName: name,\n\t\t\t\t},\n\t\t\t\tVirtualPath: p,\n\t\t\t\tQuotaFiles: -1,\n\t\t\t\tQuotaSize: -1,\n\t\t\t}\n\t\t\tif len(folderQuotaSizes) > idx {\n\t\t\t\tquotaSize, err := util.ParseBytes(folderQuotaSizes[idx])\n\t\t\t\tif err == nil {\n\t\t\t\t\tvfolder.QuotaSize = quotaSize\n\t\t\t\t}\n\t\t\t}\n\t\t\tif len(folderQuotaFiles) > idx {\n\t\t\t\tquotaFiles, err := strconv.Atoi(folderQuotaFiles[idx])\n\t\t\t\tif err == nil {\n\t\t\t\t\tvfolder.QuotaFiles = quotaFiles\n\t\t\t\t}\n\t\t\t}\n\t\t\tvirtualFolders = append(virtualFolders, vfolder)\n\t\t}\n\t}\n\n\treturn virtualFolders\n}\n\nfunc getSubDirPermissionsFromPostFields(r *http.Request) map[string][]string {\n\tpermissions := make(map[string][]string)\n\n\tfor idx, p := range r.Form[\"sub_perm_path\"] {\n\t\tif p != \"\" {\n\t\t\tpermissions[p] = r.Form[\"sub_perm_permissions\"+strconv.Itoa(idx)]\n\t\t}\n\t}\n\n\treturn permissions\n}\n\nfunc getUserPermissionsFromPostFields(r *http.Request) map[string][]string {\n\tpermissions := getSubDirPermissionsFromPostFields(r)\n\tpermissions[\"/\"] = r.Form[\"permissions\"]\n\n\treturn permissions\n}\n\nfunc getAccessTimeRestrictionsFromPostFields(r *http.Request) []sdk.TimePeriod {\n\tvar result []sdk.TimePeriod\n\n\tdayOfWeeks := r.Form[\"access_time_day_of_week\"]\n\tstarts := r.Form[\"access_time_start\"]\n\tends := r.Form[\"access_time_end\"]\n\n\tfor idx, dayOfWeek := range dayOfWeeks {\n\t\tdayOfWeek = strings.TrimSpace(dayOfWeek)\n\t\tstart := \"\"\n\t\tif len(starts) > idx {\n\t\t\tstart = strings.TrimSpace(starts[idx])\n\t\t}\n\t\tend := \"\"\n\t\tif len(ends) > idx {\n\t\t\tend = strings.TrimSpace(ends[idx])\n\t\t}\n\t\tdayNumber, err := strconv.Atoi(dayOfWeek)\n\t\tif err == nil && start != \"\" && end != \"\" {\n\t\t\tresult = append(result, sdk.TimePeriod{\n\t\t\t\tDayOfWeek: dayNumber,\n\t\t\t\tFrom: start,\n\t\t\t\tTo: end,\n\t\t\t})\n\t\t}\n\t}\n\n\treturn result\n}\n\nfunc getBandwidthLimitsFromPostFields(r *http.Request) ([]sdk.BandwidthLimit, error) {\n\tvar result []sdk.BandwidthLimit\n\tbwSources := r.Form[\"bandwidth_limit_sources\"]\n\tuploadSources := r.Form[\"upload_bandwidth_source\"]\n\tdownloadSources := r.Form[\"download_bandwidth_source\"]\n\n\tfor idx, bwSource := range bwSources {\n\t\tsources := getSliceFromDelimitedValues(bwSource, \",\")\n\t\tif len(sources) > 0 {\n\t\t\tbwLimit := sdk.BandwidthLimit{\n\t\t\t\tSources: sources,\n\t\t\t}\n\t\t\tul := \"\"\n\t\t\tdl := \"\"\n\t\t\tif len(uploadSources) > idx {\n\t\t\t\tul = uploadSources[idx]\n\t\t\t}\n\t\t\tif len(downloadSources) > idx {\n\t\t\t\tdl = downloadSources[idx]\n\t\t\t}\n\t\t\tif ul != \"\" {\n\t\t\t\tbandwidthUL, err := strconv.ParseInt(ul, 10, 64)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn result, fmt.Errorf(\"invalid upload_bandwidth_source%v %q: %w\", idx, ul, err)\n\t\t\t\t}\n\t\t\t\tbwLimit.UploadBandwidth = bandwidthUL\n\t\t\t}\n\t\t\tif dl != \"\" {\n\t\t\t\tbandwidthDL, err := strconv.ParseInt(dl, 10, 64)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn result, fmt.Errorf(\"invalid download_bandwidth_source%v %q: %w\", idx, ul, err)\n\t\t\t\t}\n\t\t\t\tbwLimit.DownloadBandwidth = bandwidthDL\n\t\t\t}\n\t\t\tresult = append(result, bwLimit)\n\t\t}\n\t}\n\n\treturn result, nil\n}\n\nfunc getPatterDenyPolicyFromString(policy string) int {\n\tdenyPolicy := sdk.DenyPolicyDefault\n\tif policy == \"1\" {\n\t\tdenyPolicy = sdk.DenyPolicyHide\n\t}\n\treturn denyPolicy\n}\n\nfunc getFilePatternsFromPostField(r *http.Request) []sdk.PatternsFilter {\n\tvar result []sdk.PatternsFilter\n\tpatternPaths := r.Form[\"pattern_path\"]\n\tpatterns := r.Form[\"patterns\"]\n\tpatternTypes := r.Form[\"pattern_type\"]\n\tpolicies := r.Form[\"pattern_policy\"]\n\n\tallowedPatterns := make(map[string][]string)\n\tdeniedPatterns := make(map[string][]string)\n\tpatternPolicies := make(map[string]string)\n\n\tfor idx := range patternPaths {\n\t\tp := patternPaths[idx]\n\t\tfilters := strings.ReplaceAll(patterns[idx], \" \", \"\")\n\t\tpatternType := patternTypes[idx]\n\t\tpatternPolicy := policies[idx]\n\t\tif p != \"\" && filters != \"\" {\n\t\t\tif patternType == \"allowed\" {\n\t\t\t\tallowedPatterns[p] = append(allowedPatterns[p], strings.Split(filters, \",\")...)\n\t\t\t} else {\n\t\t\t\tdeniedPatterns[p] = append(deniedPatterns[p], strings.Split(filters, \",\")...)\n\t\t\t}\n\t\t\tif patternPolicy != \"\" && patternPolicy != \"0\" {\n\t\t\t\tpatternPolicies[p] = patternPolicy\n\t\t\t}\n\t\t}\n\t}\n\n\tfor dirAllowed, allowPatterns := range allowedPatterns {\n\t\tfilter := sdk.PatternsFilter{\n\t\t\tPath: dirAllowed,\n\t\t\tAllowedPatterns: allowPatterns,\n\t\t\tDenyPolicy: getPatterDenyPolicyFromString(patternPolicies[dirAllowed]),\n\t\t}\n\t\tfor dirDenied, denPatterns := range deniedPatterns {\n\t\t\tif dirAllowed == dirDenied {\n\t\t\t\tfilter.DeniedPatterns = denPatterns\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tresult = append(result, filter)\n\t}\n\tfor dirDenied, denPatterns := range deniedPatterns {\n\t\tfound := false\n\t\tfor _, res := range result {\n\t\t\tif res.Path == dirDenied {\n\t\t\t\tfound = true\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif !found {\n\t\t\tresult = append(result, sdk.PatternsFilter{\n\t\t\t\tPath: dirDenied,\n\t\t\t\tDeniedPatterns: denPatterns,\n\t\t\t\tDenyPolicy: getPatterDenyPolicyFromString(patternPolicies[dirDenied]),\n\t\t\t})\n\t\t}\n\t}\n\treturn result\n}\n\nfunc getGroupsFromUserPostFields(r *http.Request) []sdk.GroupMapping {\n\tvar groups []sdk.GroupMapping\n\n\tprimaryGroup := strings.TrimSpace(r.Form.Get(\"primary_group\"))\n\tif primaryGroup != \"\" {\n\t\tgroups = append(groups, sdk.GroupMapping{\n\t\t\tName: primaryGroup,\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t})\n\t}\n\tsecondaryGroups := r.Form[\"secondary_groups\"]\n\tfor _, name := range secondaryGroups {\n\t\tgroups = append(groups, sdk.GroupMapping{\n\t\t\tName: strings.TrimSpace(name),\n\t\t\tType: sdk.GroupTypeSecondary,\n\t\t})\n\t}\n\tmembershipGroups := r.Form[\"membership_groups\"]\n\tfor _, name := range membershipGroups {\n\t\tgroups = append(groups, sdk.GroupMapping{\n\t\t\tName: strings.TrimSpace(name),\n\t\t\tType: sdk.GroupTypeMembership,\n\t\t})\n\t}\n\treturn groups\n}\n\nfunc getFiltersFromUserPostFields(r *http.Request) (sdk.BaseUserFilters, error) {\n\tvar filters sdk.BaseUserFilters\n\tbwLimits, err := getBandwidthLimitsFromPostFields(r)\n\tif err != nil {\n\t\treturn filters, err\n\t}\n\tmaxFileSize, err := util.ParseBytes(r.Form.Get(\"max_upload_file_size\"))\n\tif err != nil {\n\t\treturn filters, util.NewI18nError(fmt.Errorf(\"invalid max upload file size: %w\", err), util.I18nErrorInvalidMaxFilesize)\n\t}\n\tdefaultSharesExpiration, err := strconv.Atoi(r.Form.Get(\"default_shares_expiration\"))\n\tif err != nil {\n\t\treturn filters, fmt.Errorf(\"invalid default shares expiration: %w\", err)\n\t}\n\tmaxSharesExpiration, err := strconv.Atoi(r.Form.Get(\"max_shares_expiration\"))\n\tif err != nil {\n\t\treturn filters, fmt.Errorf(\"invalid max shares expiration: %w\", err)\n\t}\n\tpasswordExpiration, err := strconv.Atoi(r.Form.Get(\"password_expiration\"))\n\tif err != nil {\n\t\treturn filters, fmt.Errorf(\"invalid password expiration: %w\", err)\n\t}\n\tpasswordStrength, err := strconv.Atoi(r.Form.Get(\"password_strength\"))\n\tif err != nil {\n\t\treturn filters, fmt.Errorf(\"invalid password strength: %w\", err)\n\t}\n\tif r.Form.Get(\"ftp_security\") == \"1\" {\n\t\tfilters.FTPSecurity = 1\n\t}\n\tfilters.BandwidthLimits = bwLimits\n\tfilters.AllowedIP = getSliceFromDelimitedValues(r.Form.Get(\"allowed_ip\"), \",\")\n\tfilters.DeniedIP = getSliceFromDelimitedValues(r.Form.Get(\"denied_ip\"), \",\")\n\tfilters.DeniedLoginMethods = r.Form[\"denied_login_methods\"]\n\tfilters.DeniedProtocols = r.Form[\"denied_protocols\"]\n\tfilters.TwoFactorAuthProtocols = r.Form[\"required_two_factor_protocols\"]\n\tfilters.FilePatterns = getFilePatternsFromPostField(r)\n\tfilters.TLSUsername = sdk.TLSUsername(strings.TrimSpace(r.Form.Get(\"tls_username\")))\n\tfilters.WebClient = r.Form[\"web_client_options\"]\n\tfilters.DefaultSharesExpiration = defaultSharesExpiration\n\tfilters.MaxSharesExpiration = maxSharesExpiration\n\tfilters.PasswordExpiration = passwordExpiration\n\tfilters.PasswordStrength = passwordStrength\n\tfilters.AccessTime = getAccessTimeRestrictionsFromPostFields(r)\n\thooks := r.Form[\"hooks\"]\n\tif slices.Contains(hooks, \"external_auth_disabled\") {\n\t\tfilters.Hooks.ExternalAuthDisabled = true\n\t}\n\tif slices.Contains(hooks, \"pre_login_disabled\") {\n\t\tfilters.Hooks.PreLoginDisabled = true\n\t}\n\tif slices.Contains(hooks, \"check_password_disabled\") {\n\t\tfilters.Hooks.CheckPasswordDisabled = true\n\t}\n\tfilters.IsAnonymous = r.Form.Get(\"is_anonymous\") != \"\"\n\tfilters.DisableFsChecks = r.Form.Get(\"disable_fs_checks\") != \"\"\n\tfilters.AllowAPIKeyAuth = r.Form.Get(\"allow_api_key_auth\") != \"\"\n\tfilters.StartDirectory = strings.TrimSpace(r.Form.Get(\"start_directory\"))\n\tfilters.MaxUploadFileSize = maxFileSize\n\tfilters.ExternalAuthCacheTime, err = strconv.ParseInt(r.Form.Get(\"external_auth_cache_time\"), 10, 64)\n\tif err != nil {\n\t\treturn filters, fmt.Errorf(\"invalid external auth cache time: %w\", err)\n\t}\n\treturn filters, nil\n}\n\nfunc getSecretFromFormField(r *http.Request, field string) *kms.Secret {\n\tsecret := kms.NewPlainSecret(r.Form.Get(field))\n\tif strings.TrimSpace(secret.GetPayload()) == redactedSecret {\n\t\tsecret.SetStatus(sdkkms.SecretStatusRedacted)\n\t}\n\tif strings.TrimSpace(secret.GetPayload()) == \"\" {\n\t\tsecret.SetStatus(\"\")\n\t}\n\treturn secret\n}\n\nfunc getS3Config(r *http.Request) (vfs.S3FsConfig, error) {\n\tvar err error\n\tconfig := vfs.S3FsConfig{}\n\tconfig.Bucket = strings.TrimSpace(r.Form.Get(\"s3_bucket\"))\n\tconfig.Region = strings.TrimSpace(r.Form.Get(\"s3_region\"))\n\tconfig.AccessKey = strings.TrimSpace(r.Form.Get(\"s3_access_key\"))\n\tconfig.RoleARN = strings.TrimSpace(r.Form.Get(\"s3_role_arn\"))\n\tconfig.AccessSecret = getSecretFromFormField(r, \"s3_access_secret\")\n\tconfig.SSECustomerKey = getSecretFromFormField(r, \"s3_sse_customer_key\")\n\tconfig.Endpoint = strings.TrimSpace(r.Form.Get(\"s3_endpoint\"))\n\tconfig.StorageClass = strings.TrimSpace(r.Form.Get(\"s3_storage_class\"))\n\tconfig.ACL = strings.TrimSpace(r.Form.Get(\"s3_acl\"))\n\tconfig.KeyPrefix = strings.TrimSpace(strings.TrimPrefix(r.Form.Get(\"s3_key_prefix\"), \"/\"))\n\tconfig.UploadPartSize, err = strconv.ParseInt(r.Form.Get(\"s3_upload_part_size\"), 10, 64)\n\tif err != nil {\n\t\treturn config, fmt.Errorf(\"invalid s3 upload part size: %w\", err)\n\t}\n\tconfig.UploadConcurrency, err = strconv.Atoi(r.Form.Get(\"s3_upload_concurrency\"))\n\tif err != nil {\n\t\treturn config, fmt.Errorf(\"invalid s3 upload concurrency: %w\", err)\n\t}\n\tconfig.DownloadPartSize, err = strconv.ParseInt(r.Form.Get(\"s3_download_part_size\"), 10, 64)\n\tif err != nil {\n\t\treturn config, fmt.Errorf(\"invalid s3 download part size: %w\", err)\n\t}\n\tconfig.DownloadConcurrency, err = strconv.Atoi(r.Form.Get(\"s3_download_concurrency\"))\n\tif err != nil {\n\t\treturn config, fmt.Errorf(\"invalid s3 download concurrency: %w\", err)\n\t}\n\tconfig.ForcePathStyle = r.Form.Get(\"s3_force_path_style\") != \"\"\n\tconfig.SkipTLSVerify = r.Form.Get(\"s3_skip_tls_verify\") != \"\"\n\tconfig.DownloadPartMaxTime, err = strconv.Atoi(r.Form.Get(\"s3_download_part_max_time\"))\n\tif err != nil {\n\t\treturn config, fmt.Errorf(\"invalid s3 download part max time: %w\", err)\n\t}\n\tconfig.UploadPartMaxTime, err = strconv.Atoi(r.Form.Get(\"s3_upload_part_max_time\"))\n\tif err != nil {\n\t\treturn config, fmt.Errorf(\"invalid s3 upload part max time: %w\", err)\n\t}\n\treturn config, nil\n}\n\nfunc getGCSConfig(r *http.Request) (vfs.GCSFsConfig, error) {\n\tvar err error\n\tconfig := vfs.GCSFsConfig{}\n\n\tconfig.Bucket = strings.TrimSpace(r.Form.Get(\"gcs_bucket\"))\n\tconfig.StorageClass = strings.TrimSpace(r.Form.Get(\"gcs_storage_class\"))\n\tconfig.ACL = strings.TrimSpace(r.Form.Get(\"gcs_acl\"))\n\tconfig.KeyPrefix = strings.TrimSpace(strings.TrimPrefix(r.Form.Get(\"gcs_key_prefix\"), \"/\"))\n\tuploadPartSize, err := strconv.ParseInt(r.Form.Get(\"gcs_upload_part_size\"), 10, 64)\n\tif err == nil {\n\t\tconfig.UploadPartSize = uploadPartSize\n\t}\n\tuploadPartMaxTime, err := strconv.Atoi(r.Form.Get(\"gcs_upload_part_max_time\"))\n\tif err == nil {\n\t\tconfig.UploadPartMaxTime = uploadPartMaxTime\n\t}\n\tautoCredentials := r.Form.Get(\"gcs_auto_credentials\")\n\tif autoCredentials != \"\" {\n\t\tconfig.AutomaticCredentials = 1\n\t} else {\n\t\tconfig.AutomaticCredentials = 0\n\t}\n\tcredentials, _, err := r.FormFile(\"gcs_credential_file\")\n\tif errors.Is(err, http.ErrMissingFile) {\n\t\treturn config, nil\n\t}\n\tif err != nil {\n\t\treturn config, err\n\t}\n\tdefer credentials.Close()\n\tfileBytes, err := io.ReadAll(credentials)\n\tif err != nil || len(fileBytes) == 0 {\n\t\tif len(fileBytes) == 0 {\n\t\t\terr = errors.New(\"credentials file size must be greater than 0\")\n\t\t}\n\t\treturn config, err\n\t}\n\tconfig.Credentials = kms.NewPlainSecret(util.BytesToString(fileBytes))\n\tconfig.AutomaticCredentials = 0\n\treturn config, err\n}\n\nfunc getSFTPConfig(r *http.Request) (vfs.SFTPFsConfig, error) {\n\tvar err error\n\tconfig := vfs.SFTPFsConfig{}\n\tconfig.Endpoint = strings.TrimSpace(r.Form.Get(\"sftp_endpoint\"))\n\tconfig.Username = strings.TrimSpace(r.Form.Get(\"sftp_username\"))\n\tconfig.Password = getSecretFromFormField(r, \"sftp_password\")\n\tconfig.PrivateKey = getSecretFromFormField(r, \"sftp_private_key\")\n\tconfig.KeyPassphrase = getSecretFromFormField(r, \"sftp_key_passphrase\")\n\tfingerprintsFormValue := r.Form.Get(\"sftp_fingerprints\")\n\tconfig.Fingerprints = getSliceFromDelimitedValues(fingerprintsFormValue, \"\\n\")\n\tconfig.Prefix = strings.TrimSpace(r.Form.Get(\"sftp_prefix\"))\n\tconfig.DisableCouncurrentReads = r.Form.Get(\"sftp_disable_concurrent_reads\") != \"\"\n\tconfig.BufferSize, err = strconv.ParseInt(r.Form.Get(\"sftp_buffer_size\"), 10, 64)\n\tif r.Form.Get(\"sftp_equality_check_mode\") != \"\" {\n\t\tconfig.EqualityCheckMode = 1\n\t} else {\n\t\tconfig.EqualityCheckMode = 0\n\t}\n\tif err != nil {\n\t\treturn config, fmt.Errorf(\"invalid SFTP buffer size: %w\", err)\n\t}\n\treturn config, nil\n}\n\nfunc getHTTPFsConfig(r *http.Request) vfs.HTTPFsConfig {\n\tconfig := vfs.HTTPFsConfig{}\n\tconfig.Endpoint = strings.TrimSpace(r.Form.Get(\"http_endpoint\"))\n\tconfig.Username = strings.TrimSpace(r.Form.Get(\"http_username\"))\n\tconfig.SkipTLSVerify = r.Form.Get(\"http_skip_tls_verify\") != \"\"\n\tconfig.Password = getSecretFromFormField(r, \"http_password\")\n\tconfig.APIKey = getSecretFromFormField(r, \"http_api_key\")\n\tif r.Form.Get(\"http_equality_check_mode\") != \"\" {\n\t\tconfig.EqualityCheckMode = 1\n\t} else {\n\t\tconfig.EqualityCheckMode = 0\n\t}\n\treturn config\n}\n\nfunc getAzureConfig(r *http.Request) (vfs.AzBlobFsConfig, error) {\n\tvar err error\n\tconfig := vfs.AzBlobFsConfig{}\n\tconfig.Container = strings.TrimSpace(r.Form.Get(\"az_container\"))\n\tconfig.AccountName = strings.TrimSpace(r.Form.Get(\"az_account_name\"))\n\tconfig.AccountKey = getSecretFromFormField(r, \"az_account_key\")\n\tconfig.SASURL = getSecretFromFormField(r, \"az_sas_url\")\n\tconfig.Endpoint = strings.TrimSpace(r.Form.Get(\"az_endpoint\"))\n\tconfig.KeyPrefix = strings.TrimSpace(strings.TrimPrefix(r.Form.Get(\"az_key_prefix\"), \"/\"))\n\tconfig.AccessTier = strings.TrimSpace(r.Form.Get(\"az_access_tier\"))\n\tconfig.UseEmulator = r.Form.Get(\"az_use_emulator\") != \"\"\n\tconfig.UploadPartSize, err = strconv.ParseInt(r.Form.Get(\"az_upload_part_size\"), 10, 64)\n\tif err != nil {\n\t\treturn config, fmt.Errorf(\"invalid azure upload part size: %w\", err)\n\t}\n\tconfig.UploadConcurrency, err = strconv.Atoi(r.Form.Get(\"az_upload_concurrency\"))\n\tif err != nil {\n\t\treturn config, fmt.Errorf(\"invalid azure upload concurrency: %w\", err)\n\t}\n\tconfig.DownloadPartSize, err = strconv.ParseInt(r.Form.Get(\"az_download_part_size\"), 10, 64)\n\tif err != nil {\n\t\treturn config, fmt.Errorf(\"invalid azure download part size: %w\", err)\n\t}\n\tconfig.DownloadConcurrency, err = strconv.Atoi(r.Form.Get(\"az_download_concurrency\"))\n\tif err != nil {\n\t\treturn config, fmt.Errorf(\"invalid azure download concurrency: %w\", err)\n\t}\n\treturn config, nil\n}\n\nfunc getOsConfigFromPostFields(r *http.Request, readBufferField, writeBufferField string) sdk.OSFsConfig {\n\tconfig := sdk.OSFsConfig{}\n\treadBuffer, err := strconv.Atoi(r.Form.Get(readBufferField))\n\tif err == nil {\n\t\tconfig.ReadBufferSize = readBuffer\n\t}\n\twriteBuffer, err := strconv.Atoi(r.Form.Get(writeBufferField))\n\tif err == nil {\n\t\tconfig.WriteBufferSize = writeBuffer\n\t}\n\treturn config\n}\n\nfunc getFsConfigFromPostFields(r *http.Request) (vfs.Filesystem, error) {\n\tvar fs vfs.Filesystem\n\tfs.Provider = dataprovider.GetProviderFromValue(r.Form.Get(\"fs_provider\"))\n\tswitch fs.Provider {\n\tcase sdk.LocalFilesystemProvider:\n\t\tfs.OSConfig = getOsConfigFromPostFields(r, \"osfs_read_buffer_size\", \"osfs_write_buffer_size\")\n\tcase sdk.S3FilesystemProvider:\n\t\tconfig, err := getS3Config(r)\n\t\tif err != nil {\n\t\t\treturn fs, err\n\t\t}\n\t\tfs.S3Config = config\n\tcase sdk.AzureBlobFilesystemProvider:\n\t\tconfig, err := getAzureConfig(r)\n\t\tif err != nil {\n\t\t\treturn fs, err\n\t\t}\n\t\tfs.AzBlobConfig = config\n\tcase sdk.GCSFilesystemProvider:\n\t\tconfig, err := getGCSConfig(r)\n\t\tif err != nil {\n\t\t\treturn fs, err\n\t\t}\n\t\tfs.GCSConfig = config\n\tcase sdk.CryptedFilesystemProvider:\n\t\tfs.CryptConfig.Passphrase = getSecretFromFormField(r, \"crypt_passphrase\")\n\t\tfs.CryptConfig.OSFsConfig = getOsConfigFromPostFields(r, \"cryptfs_read_buffer_size\", \"cryptfs_write_buffer_size\")\n\tcase sdk.SFTPFilesystemProvider:\n\t\tconfig, err := getSFTPConfig(r)\n\t\tif err != nil {\n\t\t\treturn fs, err\n\t\t}\n\t\tfs.SFTPConfig = config\n\tcase sdk.HTTPFilesystemProvider:\n\t\tfs.HTTPConfig = getHTTPFsConfig(r)\n\t}\n\treturn fs, nil\n}\n\nfunc getAdminHiddenUserPageSections(r *http.Request) int {\n\tvar result int\n\n\tfor _, val := range r.Form[\"user_page_hidden_sections\"] {\n\t\tswitch val {\n\t\tcase \"1\":\n\t\t\tresult++\n\t\tcase \"2\":\n\t\t\tresult += 2\n\t\tcase \"3\":\n\t\t\tresult += 4\n\t\tcase \"4\":\n\t\t\tresult += 8\n\t\tcase \"5\":\n\t\t\tresult += 16\n\t\tcase \"6\":\n\t\t\tresult += 32\n\t\tcase \"7\":\n\t\t\tresult += 64\n\t\t}\n\t}\n\n\treturn result\n}\n\nfunc getAdminFromPostFields(r *http.Request) (dataprovider.Admin, error) {\n\tvar admin dataprovider.Admin\n\terr := r.ParseForm()\n\tif err != nil {\n\t\treturn admin, util.NewI18nError(err, util.I18nErrorInvalidForm)\n\t}\n\tstatus, err := strconv.Atoi(r.Form.Get(\"status\"))\n\tif err != nil {\n\t\treturn admin, fmt.Errorf(\"invalid status: %w\", err)\n\t}\n\tadmin.Username = strings.TrimSpace(r.Form.Get(\"username\"))\n\tadmin.Password = strings.TrimSpace(r.Form.Get(\"password\"))\n\tadmin.Permissions = r.Form[\"permissions\"]\n\tadmin.Email = strings.TrimSpace(r.Form.Get(\"email\"))\n\tadmin.Status = status\n\tadmin.Role = strings.TrimSpace(r.Form.Get(\"role\"))\n\tadmin.Filters.AllowList = getSliceFromDelimitedValues(r.Form.Get(\"allowed_ip\"), \",\")\n\tadmin.Filters.AllowAPIKeyAuth = r.Form.Get(\"allow_api_key_auth\") != \"\"\n\tadmin.Filters.RequireTwoFactor = r.Form.Get(\"require_two_factor\") != \"\"\n\tadmin.Filters.RequirePasswordChange = r.Form.Get(\"require_password_change\") != \"\"\n\tadmin.AdditionalInfo = r.Form.Get(\"additional_info\")\n\tadmin.Description = r.Form.Get(\"description\")\n\tadmin.Filters.Preferences.HideUserPageSections = getAdminHiddenUserPageSections(r)\n\tadmin.Filters.Preferences.DefaultUsersExpiration = 0\n\tif val := r.Form.Get(\"default_users_expiration\"); val != \"\" {\n\t\tdefaultUsersExpiration, err := strconv.Atoi(r.Form.Get(\"default_users_expiration\"))\n\t\tif err != nil {\n\t\t\treturn admin, fmt.Errorf(\"invalid default users expiration: %w\", err)\n\t\t}\n\t\tadmin.Filters.Preferences.DefaultUsersExpiration = defaultUsersExpiration\n\t}\n\tfor k := range r.Form {\n\t\tif hasPrefixAndSuffix(k, \"groups[\", \"][group]\") {\n\t\t\tgroupName := strings.TrimSpace(r.Form.Get(k))\n\t\t\tif groupName != \"\" {\n\t\t\t\tgroup := dataprovider.AdminGroupMapping{\n\t\t\t\t\tName: groupName,\n\t\t\t\t}\n\t\t\t\tbase, _ := strings.CutSuffix(k, \"[group]\")\n\t\t\t\taddAsGroupType := strings.TrimSpace(r.Form.Get(base + \"[group_type]\"))\n\t\t\t\tswitch addAsGroupType {\n\t\t\t\tcase \"1\":\n\t\t\t\t\tgroup.Options.AddToUsersAs = dataprovider.GroupAddToUsersAsPrimary\n\t\t\t\tcase \"2\":\n\t\t\t\t\tgroup.Options.AddToUsersAs = dataprovider.GroupAddToUsersAsSecondary\n\t\t\t\tdefault:\n\t\t\t\t\tgroup.Options.AddToUsersAs = dataprovider.GroupAddToUsersAsMembership\n\t\t\t\t}\n\t\t\t\tadmin.Groups = append(admin.Groups, group)\n\t\t\t}\n\t\t}\n\t}\n\treturn admin, nil\n}\n\nfunc replacePlaceholders(field string, replacements map[string]string) string {\n\tfor k, v := range replacements {\n\t\tfield = strings.ReplaceAll(field, k, v)\n\t}\n\treturn field\n}\n\nfunc getFolderFromTemplate(folder vfs.BaseVirtualFolder, name string) vfs.BaseVirtualFolder {\n\tfolder.Name = name\n\treplacements := make(map[string]string)\n\treplacements[\"%name%\"] = folder.Name\n\n\tfolder.MappedPath = replacePlaceholders(folder.MappedPath, replacements)\n\tfolder.Description = replacePlaceholders(folder.Description, replacements)\n\tswitch folder.FsConfig.Provider {\n\tcase sdk.CryptedFilesystemProvider:\n\t\tfolder.FsConfig.CryptConfig = getCryptFsFromTemplate(folder.FsConfig.CryptConfig, replacements)\n\tcase sdk.S3FilesystemProvider:\n\t\tfolder.FsConfig.S3Config = getS3FsFromTemplate(folder.FsConfig.S3Config, replacements)\n\tcase sdk.GCSFilesystemProvider:\n\t\tfolder.FsConfig.GCSConfig = getGCSFsFromTemplate(folder.FsConfig.GCSConfig, replacements)\n\tcase sdk.AzureBlobFilesystemProvider:\n\t\tfolder.FsConfig.AzBlobConfig = getAzBlobFsFromTemplate(folder.FsConfig.AzBlobConfig, replacements)\n\tcase sdk.SFTPFilesystemProvider:\n\t\tfolder.FsConfig.SFTPConfig = getSFTPFsFromTemplate(folder.FsConfig.SFTPConfig, replacements)\n\tcase sdk.HTTPFilesystemProvider:\n\t\tfolder.FsConfig.HTTPConfig = getHTTPFsFromTemplate(folder.FsConfig.HTTPConfig, replacements)\n\t}\n\n\treturn folder\n}\n\nfunc getCryptFsFromTemplate(fsConfig vfs.CryptFsConfig, replacements map[string]string) vfs.CryptFsConfig {\n\tif fsConfig.Passphrase != nil {\n\t\tif fsConfig.Passphrase.IsPlain() {\n\t\t\tpayload := replacePlaceholders(fsConfig.Passphrase.GetPayload(), replacements)\n\t\t\tfsConfig.Passphrase = kms.NewPlainSecret(payload)\n\t\t}\n\t}\n\treturn fsConfig\n}\n\nfunc getS3FsFromTemplate(fsConfig vfs.S3FsConfig, replacements map[string]string) vfs.S3FsConfig {\n\tfsConfig.KeyPrefix = replacePlaceholders(fsConfig.KeyPrefix, replacements)\n\tfsConfig.AccessKey = replacePlaceholders(fsConfig.AccessKey, replacements)\n\tif fsConfig.AccessSecret != nil && fsConfig.AccessSecret.IsPlain() {\n\t\tpayload := replacePlaceholders(fsConfig.AccessSecret.GetPayload(), replacements)\n\t\tfsConfig.AccessSecret = kms.NewPlainSecret(payload)\n\t}\n\tif fsConfig.SSECustomerKey != nil && fsConfig.SSECustomerKey.IsPlain() {\n\t\tpayload := replacePlaceholders(fsConfig.SSECustomerKey.GetPayload(), replacements)\n\t\tfsConfig.SSECustomerKey = kms.NewPlainSecret(payload)\n\t}\n\treturn fsConfig\n}\n\nfunc getGCSFsFromTemplate(fsConfig vfs.GCSFsConfig, replacements map[string]string) vfs.GCSFsConfig {\n\tfsConfig.KeyPrefix = replacePlaceholders(fsConfig.KeyPrefix, replacements)\n\treturn fsConfig\n}\n\nfunc getAzBlobFsFromTemplate(fsConfig vfs.AzBlobFsConfig, replacements map[string]string) vfs.AzBlobFsConfig {\n\tfsConfig.KeyPrefix = replacePlaceholders(fsConfig.KeyPrefix, replacements)\n\tfsConfig.AccountName = replacePlaceholders(fsConfig.AccountName, replacements)\n\tif fsConfig.AccountKey != nil && fsConfig.AccountKey.IsPlain() {\n\t\tpayload := replacePlaceholders(fsConfig.AccountKey.GetPayload(), replacements)\n\t\tfsConfig.AccountKey = kms.NewPlainSecret(payload)\n\t}\n\treturn fsConfig\n}\n\nfunc getSFTPFsFromTemplate(fsConfig vfs.SFTPFsConfig, replacements map[string]string) vfs.SFTPFsConfig {\n\tfsConfig.Prefix = replacePlaceholders(fsConfig.Prefix, replacements)\n\tfsConfig.Username = replacePlaceholders(fsConfig.Username, replacements)\n\tif fsConfig.Password != nil && fsConfig.Password.IsPlain() {\n\t\tpayload := replacePlaceholders(fsConfig.Password.GetPayload(), replacements)\n\t\tfsConfig.Password = kms.NewPlainSecret(payload)\n\t}\n\treturn fsConfig\n}\n\nfunc getHTTPFsFromTemplate(fsConfig vfs.HTTPFsConfig, replacements map[string]string) vfs.HTTPFsConfig {\n\tfsConfig.Username = replacePlaceholders(fsConfig.Username, replacements)\n\treturn fsConfig\n}\n\nfunc getUserFromTemplate(user dataprovider.User, template userTemplateFields) dataprovider.User {\n\tuser.Username = template.Username\n\tuser.Password = template.Password\n\tuser.PublicKeys = template.PublicKeys\n\tuser.Filters.RequirePasswordChange = template.RequirePwdChange\n\treplacements := make(map[string]string)\n\treplacements[\"%username%\"] = user.Username\n\tif user.Password != \"\" && !user.IsPasswordHashed() {\n\t\tuser.Password = replacePlaceholders(user.Password, replacements)\n\t\treplacements[\"%password%\"] = user.Password\n\t}\n\n\tuser.HomeDir = replacePlaceholders(user.HomeDir, replacements)\n\tvar vfolders []vfs.VirtualFolder\n\tfor _, vfolder := range user.VirtualFolders {\n\t\tvfolder.Name = replacePlaceholders(vfolder.Name, replacements)\n\t\tvfolder.VirtualPath = replacePlaceholders(vfolder.VirtualPath, replacements)\n\t\tvfolders = append(vfolders, vfolder)\n\t}\n\tuser.VirtualFolders = vfolders\n\tuser.Description = replacePlaceholders(user.Description, replacements)\n\tuser.AdditionalInfo = replacePlaceholders(user.AdditionalInfo, replacements)\n\tuser.Filters.StartDirectory = replacePlaceholders(user.Filters.StartDirectory, replacements)\n\n\tswitch user.FsConfig.Provider {\n\tcase sdk.CryptedFilesystemProvider:\n\t\tuser.FsConfig.CryptConfig = getCryptFsFromTemplate(user.FsConfig.CryptConfig, replacements)\n\tcase sdk.S3FilesystemProvider:\n\t\tuser.FsConfig.S3Config = getS3FsFromTemplate(user.FsConfig.S3Config, replacements)\n\tcase sdk.GCSFilesystemProvider:\n\t\tuser.FsConfig.GCSConfig = getGCSFsFromTemplate(user.FsConfig.GCSConfig, replacements)\n\tcase sdk.AzureBlobFilesystemProvider:\n\t\tuser.FsConfig.AzBlobConfig = getAzBlobFsFromTemplate(user.FsConfig.AzBlobConfig, replacements)\n\tcase sdk.SFTPFilesystemProvider:\n\t\tuser.FsConfig.SFTPConfig = getSFTPFsFromTemplate(user.FsConfig.SFTPConfig, replacements)\n\tcase sdk.HTTPFilesystemProvider:\n\t\tuser.FsConfig.HTTPConfig = getHTTPFsFromTemplate(user.FsConfig.HTTPConfig, replacements)\n\t}\n\n\treturn user\n}\n\nfunc getTransferLimits(r *http.Request) (int64, int64, int64, error) {\n\tdataTransferUL, err := strconv.ParseInt(r.Form.Get(\"upload_data_transfer\"), 10, 64)\n\tif err != nil {\n\t\treturn 0, 0, 0, fmt.Errorf(\"invalid upload data transfer: %w\", err)\n\t}\n\tdataTransferDL, err := strconv.ParseInt(r.Form.Get(\"download_data_transfer\"), 10, 64)\n\tif err != nil {\n\t\treturn 0, 0, 0, fmt.Errorf(\"invalid download data transfer: %w\", err)\n\t}\n\tdataTransferTotal, err := strconv.ParseInt(r.Form.Get(\"total_data_transfer\"), 10, 64)\n\tif err != nil {\n\t\treturn 0, 0, 0, fmt.Errorf(\"invalid total data transfer: %w\", err)\n\t}\n\treturn dataTransferUL, dataTransferDL, dataTransferTotal, nil\n}\n\nfunc getQuotaLimits(r *http.Request) (int64, int, error) {\n\tquotaSize, err := util.ParseBytes(r.Form.Get(\"quota_size\"))\n\tif err != nil {\n\t\treturn 0, 0, util.NewI18nError(fmt.Errorf(\"invalid quota size: %w\", err), util.I18nErrorInvalidQuotaSize)\n\t}\n\tquotaFiles, err := strconv.Atoi(r.Form.Get(\"quota_files\"))\n\tif err != nil {\n\t\treturn 0, 0, fmt.Errorf(\"invalid quota files: %w\", err)\n\t}\n\treturn quotaSize, quotaFiles, nil\n}\n\nfunc updateRepeaterFormFields(r *http.Request) {\n\tfor k := range r.Form {\n\t\tif hasPrefixAndSuffix(k, \"public_keys[\", \"][public_key]\") {\n\t\t\tkey := r.Form.Get(k)\n\t\t\tif strings.TrimSpace(key) != \"\" {\n\t\t\t\tr.Form.Add(\"public_keys\", key)\n\t\t\t}\n\t\t\tcontinue\n\t\t}\n\t\tif hasPrefixAndSuffix(k, \"tls_certs[\", \"][tls_cert]\") {\n\t\t\tcert := strings.TrimSpace(r.Form.Get(k))\n\t\t\tif cert != \"\" {\n\t\t\t\tr.Form.Add(\"tls_certs\", cert)\n\t\t\t}\n\t\t\tcontinue\n\t\t}\n\t\tif hasPrefixAndSuffix(k, \"additional_emails[\", \"][additional_email]\") {\n\t\t\temail := strings.TrimSpace(r.Form.Get(k))\n\t\t\tif email != \"\" {\n\t\t\t\tr.Form.Add(\"additional_emails\", email)\n\t\t\t}\n\t\t\tcontinue\n\t\t}\n\t\tif hasPrefixAndSuffix(k, \"virtual_folders[\", \"][vfolder_path]\") {\n\t\t\tbase, _ := strings.CutSuffix(k, \"[vfolder_path]\")\n\t\t\tr.Form.Add(\"vfolder_path\", strings.TrimSpace(r.Form.Get(k)))\n\t\t\tr.Form.Add(\"vfolder_name\", strings.TrimSpace(r.Form.Get(base+\"[vfolder_name]\")))\n\t\t\tr.Form.Add(\"vfolder_quota_files\", strings.TrimSpace(r.Form.Get(base+\"[vfolder_quota_files]\")))\n\t\t\tr.Form.Add(\"vfolder_quota_size\", strings.TrimSpace(r.Form.Get(base+\"[vfolder_quota_size]\")))\n\t\t\tcontinue\n\t\t}\n\t\tif hasPrefixAndSuffix(k, \"directory_permissions[\", \"][sub_perm_path]\") {\n\t\t\tbase, _ := strings.CutSuffix(k, \"[sub_perm_path]\")\n\t\t\tr.Form.Add(\"sub_perm_path\", strings.TrimSpace(r.Form.Get(k)))\n\t\t\tr.Form[\"sub_perm_permissions\"+strconv.Itoa(len(r.Form[\"sub_perm_path\"])-1)] = r.Form[base+\"[sub_perm_permissions][]\"]\n\t\t\tcontinue\n\t\t}\n\t\tif hasPrefixAndSuffix(k, \"directory_patterns[\", \"][pattern_path]\") {\n\t\t\tbase, _ := strings.CutSuffix(k, \"[pattern_path]\")\n\t\t\tr.Form.Add(\"pattern_path\", strings.TrimSpace(r.Form.Get(k)))\n\t\t\tr.Form.Add(\"patterns\", strings.TrimSpace(r.Form.Get(base+\"[patterns]\")))\n\t\t\tr.Form.Add(\"pattern_type\", strings.TrimSpace(r.Form.Get(base+\"[pattern_type]\")))\n\t\t\tr.Form.Add(\"pattern_policy\", strings.TrimSpace(r.Form.Get(base+\"[pattern_policy]\")))\n\t\t\tcontinue\n\t\t}\n\t\tif hasPrefixAndSuffix(k, \"access_time_restrictions[\", \"][access_time_day_of_week]\") {\n\t\t\tbase, _ := strings.CutSuffix(k, \"[access_time_day_of_week]\")\n\t\t\tr.Form.Add(\"access_time_day_of_week\", strings.TrimSpace(r.Form.Get(k)))\n\t\t\tr.Form.Add(\"access_time_start\", strings.TrimSpace(r.Form.Get(base+\"[access_time_start]\")))\n\t\t\tr.Form.Add(\"access_time_end\", strings.TrimSpace(r.Form.Get(base+\"[access_time_end]\")))\n\t\t\tcontinue\n\t\t}\n\t\tif hasPrefixAndSuffix(k, \"src_bandwidth_limits[\", \"][bandwidth_limit_sources]\") {\n\t\t\tbase, _ := strings.CutSuffix(k, \"[bandwidth_limit_sources]\")\n\t\t\tr.Form.Add(\"bandwidth_limit_sources\", r.Form.Get(k))\n\t\t\tr.Form.Add(\"upload_bandwidth_source\", strings.TrimSpace(r.Form.Get(base+\"[upload_bandwidth_source]\")))\n\t\t\tr.Form.Add(\"download_bandwidth_source\", strings.TrimSpace(r.Form.Get(base+\"[download_bandwidth_source]\")))\n\t\t\tcontinue\n\t\t}\n\t\tif hasPrefixAndSuffix(k, \"template_users[\", \"][tpl_username]\") {\n\t\t\tbase, _ := strings.CutSuffix(k, \"[tpl_username]\")\n\t\t\tr.Form.Add(\"tpl_username\", strings.TrimSpace(r.Form.Get(k)))\n\t\t\tr.Form.Add(\"tpl_password\", strings.TrimSpace(r.Form.Get(base+\"[tpl_password]\")))\n\t\t\tr.Form.Add(\"tpl_public_keys\", strings.TrimSpace(r.Form.Get(base+\"[tpl_public_keys]\")))\n\t\t\tcontinue\n\t\t}\n\t}\n}\n\nfunc getUserFromPostFields(r *http.Request) (dataprovider.User, error) {\n\tuser := dataprovider.User{}\n\terr := r.ParseMultipartForm(maxRequestSize)\n\tif err != nil {\n\t\treturn user, util.NewI18nError(err, util.I18nErrorInvalidForm)\n\t}\n\tdefer r.MultipartForm.RemoveAll() //nolint:errcheck\n\n\tupdateRepeaterFormFields(r)\n\n\tuid, err := strconv.Atoi(r.Form.Get(\"uid\"))\n\tif err != nil {\n\t\treturn user, fmt.Errorf(\"invalid uid: %w\", err)\n\t}\n\tgid, err := strconv.Atoi(r.Form.Get(\"gid\"))\n\tif err != nil {\n\t\treturn user, fmt.Errorf(\"invalid uid: %w\", err)\n\t}\n\tmaxSessions, err := strconv.Atoi(r.Form.Get(\"max_sessions\"))\n\tif err != nil {\n\t\treturn user, fmt.Errorf(\"invalid max sessions: %w\", err)\n\t}\n\tquotaSize, quotaFiles, err := getQuotaLimits(r)\n\tif err != nil {\n\t\treturn user, err\n\t}\n\tbandwidthUL, err := strconv.ParseInt(r.Form.Get(\"upload_bandwidth\"), 10, 64)\n\tif err != nil {\n\t\treturn user, fmt.Errorf(\"invalid upload bandwidth: %w\", err)\n\t}\n\tbandwidthDL, err := strconv.ParseInt(r.Form.Get(\"download_bandwidth\"), 10, 64)\n\tif err != nil {\n\t\treturn user, fmt.Errorf(\"invalid download bandwidth: %w\", err)\n\t}\n\tdataTransferUL, dataTransferDL, dataTransferTotal, err := getTransferLimits(r)\n\tif err != nil {\n\t\treturn user, err\n\t}\n\tstatus, err := strconv.Atoi(r.Form.Get(\"status\"))\n\tif err != nil {\n\t\treturn user, fmt.Errorf(\"invalid status: %w\", err)\n\t}\n\texpirationDateMillis := int64(0)\n\texpirationDateString := r.Form.Get(\"expiration_date\")\n\tif strings.TrimSpace(expirationDateString) != \"\" {\n\t\texpirationDate, err := time.Parse(webDateTimeFormat, expirationDateString)\n\t\tif err != nil {\n\t\t\treturn user, err\n\t\t}\n\t\texpirationDateMillis = util.GetTimeAsMsSinceEpoch(expirationDate)\n\t}\n\tfsConfig, err := getFsConfigFromPostFields(r)\n\tif err != nil {\n\t\treturn user, err\n\t}\n\tfilters, err := getFiltersFromUserPostFields(r)\n\tif err != nil {\n\t\treturn user, err\n\t}\n\tfilters.TLSCerts = r.Form[\"tls_certs\"]\n\tuser = dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: strings.TrimSpace(r.Form.Get(\"username\")),\n\t\t\tEmail: strings.TrimSpace(r.Form.Get(\"email\")),\n\t\t\tPassword: strings.TrimSpace(r.Form.Get(\"password\")),\n\t\t\tPublicKeys: r.Form[\"public_keys\"],\n\t\t\tHomeDir: strings.TrimSpace(r.Form.Get(\"home_dir\")),\n\t\t\tUID: uid,\n\t\t\tGID: gid,\n\t\t\tPermissions: getUserPermissionsFromPostFields(r),\n\t\t\tMaxSessions: maxSessions,\n\t\t\tQuotaSize: quotaSize,\n\t\t\tQuotaFiles: quotaFiles,\n\t\t\tUploadBandwidth: bandwidthUL,\n\t\t\tDownloadBandwidth: bandwidthDL,\n\t\t\tUploadDataTransfer: dataTransferUL,\n\t\t\tDownloadDataTransfer: dataTransferDL,\n\t\t\tTotalDataTransfer: dataTransferTotal,\n\t\t\tStatus: status,\n\t\t\tExpirationDate: expirationDateMillis,\n\t\t\tAdditionalInfo: r.Form.Get(\"additional_info\"),\n\t\t\tDescription: r.Form.Get(\"description\"),\n\t\t\tRole: strings.TrimSpace(r.Form.Get(\"role\")),\n\t\t},\n\t\tFilters: dataprovider.UserFilters{\n\t\t\tBaseUserFilters: filters,\n\t\t\tRequirePasswordChange: r.Form.Get(\"require_password_change\") != \"\",\n\t\t\tAdditionalEmails: r.Form[\"additional_emails\"],\n\t\t},\n\t\tVirtualFolders: getVirtualFoldersFromPostFields(r),\n\t\tFsConfig: fsConfig,\n\t\tGroups: getGroupsFromUserPostFields(r),\n\t}\n\treturn user, nil\n}\n\nfunc getGroupFromPostFields(r *http.Request) (dataprovider.Group, error) {\n\tgroup := dataprovider.Group{}\n\terr := r.ParseMultipartForm(maxRequestSize)\n\tif err != nil {\n\t\treturn group, util.NewI18nError(err, util.I18nErrorInvalidForm)\n\t}\n\tdefer r.MultipartForm.RemoveAll() //nolint:errcheck\n\n\tupdateRepeaterFormFields(r)\n\n\tmaxSessions, err := strconv.Atoi(r.Form.Get(\"max_sessions\"))\n\tif err != nil {\n\t\treturn group, fmt.Errorf(\"invalid max sessions: %w\", err)\n\t}\n\tquotaSize, quotaFiles, err := getQuotaLimits(r)\n\tif err != nil {\n\t\treturn group, err\n\t}\n\tbandwidthUL, err := strconv.ParseInt(r.Form.Get(\"upload_bandwidth\"), 10, 64)\n\tif err != nil {\n\t\treturn group, fmt.Errorf(\"invalid upload bandwidth: %w\", err)\n\t}\n\tbandwidthDL, err := strconv.ParseInt(r.Form.Get(\"download_bandwidth\"), 10, 64)\n\tif err != nil {\n\t\treturn group, fmt.Errorf(\"invalid download bandwidth: %w\", err)\n\t}\n\tdataTransferUL, dataTransferDL, dataTransferTotal, err := getTransferLimits(r)\n\tif err != nil {\n\t\treturn group, err\n\t}\n\texpiresIn, err := strconv.Atoi(r.Form.Get(\"expires_in\"))\n\tif err != nil {\n\t\treturn group, fmt.Errorf(\"invalid expires in: %w\", err)\n\t}\n\tfsConfig, err := getFsConfigFromPostFields(r)\n\tif err != nil {\n\t\treturn group, err\n\t}\n\tfilters, err := getFiltersFromUserPostFields(r)\n\tif err != nil {\n\t\treturn group, err\n\t}\n\tgroup = dataprovider.Group{\n\t\tBaseGroup: sdk.BaseGroup{\n\t\t\tName: strings.TrimSpace(r.Form.Get(\"name\")),\n\t\t\tDescription: r.Form.Get(\"description\"),\n\t\t},\n\t\tUserSettings: dataprovider.GroupUserSettings{\n\t\t\tBaseGroupUserSettings: sdk.BaseGroupUserSettings{\n\t\t\t\tHomeDir: strings.TrimSpace(r.Form.Get(\"home_dir\")),\n\t\t\t\tMaxSessions: maxSessions,\n\t\t\t\tQuotaSize: quotaSize,\n\t\t\t\tQuotaFiles: quotaFiles,\n\t\t\t\tPermissions: getSubDirPermissionsFromPostFields(r),\n\t\t\t\tUploadBandwidth: bandwidthUL,\n\t\t\t\tDownloadBandwidth: bandwidthDL,\n\t\t\t\tUploadDataTransfer: dataTransferUL,\n\t\t\t\tDownloadDataTransfer: dataTransferDL,\n\t\t\t\tTotalDataTransfer: dataTransferTotal,\n\t\t\t\tExpiresIn: expiresIn,\n\t\t\t\tFilters: filters,\n\t\t\t},\n\t\t\tFsConfig: fsConfig,\n\t\t},\n\t\tVirtualFolders: getVirtualFoldersFromPostFields(r),\n\t}\n\treturn group, nil\n}\n\nfunc getKeyValsFromPostFields(r *http.Request, key, val string) []dataprovider.KeyValue {\n\tvar res []dataprovider.KeyValue\n\n\tkeys := r.Form[key]\n\tvalues := r.Form[val]\n\n\tfor idx, k := range keys {\n\t\tv := values[idx]\n\t\tif k != \"\" && v != \"\" {\n\t\t\tres = append(res, dataprovider.KeyValue{\n\t\t\t\tKey: k,\n\t\t\t\tValue: v,\n\t\t\t})\n\t\t}\n\t}\n\n\treturn res\n}\n\nfunc getRenameConfigsFromPostFields(r *http.Request) []dataprovider.RenameConfig {\n\tvar res []dataprovider.RenameConfig\n\tkeys := r.Form[\"fs_rename_source\"]\n\tvalues := r.Form[\"fs_rename_target\"]\n\n\tfor idx, k := range keys {\n\t\tv := values[idx]\n\t\tif k != \"\" && v != \"\" {\n\t\t\topts := r.Form[\"fs_rename_options\"+strconv.Itoa(idx)]\n\t\t\tres = append(res, dataprovider.RenameConfig{\n\t\t\t\tKeyValue: dataprovider.KeyValue{\n\t\t\t\t\tKey: k,\n\t\t\t\t\tValue: v,\n\t\t\t\t},\n\t\t\t\tUpdateModTime: slices.Contains(opts, \"1\"),\n\t\t\t})\n\t\t}\n\t}\n\n\treturn res\n}\n\nfunc getFoldersRetentionFromPostFields(r *http.Request) ([]dataprovider.FolderRetention, error) {\n\tvar res []dataprovider.FolderRetention\n\tpaths := r.Form[\"folder_retention_path\"]\n\tvalues := r.Form[\"folder_retention_val\"]\n\n\tfor idx, p := range paths {\n\t\tif p != \"\" {\n\t\t\tretention, err := strconv.Atoi(values[idx])\n\t\t\tif err != nil {\n\t\t\t\treturn nil, fmt.Errorf(\"invalid retention for path %q: %w\", p, err)\n\t\t\t}\n\t\t\topts := r.Form[\"folder_retention_options\"+strconv.Itoa(idx)]\n\t\t\tres = append(res, dataprovider.FolderRetention{\n\t\t\t\tPath: p,\n\t\t\t\tRetention: retention,\n\t\t\t\tDeleteEmptyDirs: slices.Contains(opts, \"1\"),\n\t\t\t})\n\t\t}\n\t}\n\n\treturn res, nil\n}\n\nfunc getHTTPPartsFromPostFields(r *http.Request) []dataprovider.HTTPPart {\n\tvar result []dataprovider.HTTPPart\n\n\tnames := r.Form[\"http_part_name\"]\n\tfiles := r.Form[\"http_part_file\"]\n\theaders := r.Form[\"http_part_headers\"]\n\tbodies := r.Form[\"http_part_body\"]\n\torders := r.Form[\"http_part_order\"]\n\n\tfor idx, partName := range names {\n\t\tif partName != \"\" {\n\t\t\torder, err := strconv.Atoi(orders[idx])\n\t\t\tif err == nil {\n\t\t\t\tfilePath := files[idx]\n\t\t\t\tbody := bodies[idx]\n\t\t\t\tconcatHeaders := getSliceFromDelimitedValues(headers[idx], \"\\n\")\n\t\t\t\tvar headers []dataprovider.KeyValue\n\t\t\t\tfor _, h := range concatHeaders {\n\t\t\t\t\tvalues := strings.SplitN(h, \":\", 2)\n\t\t\t\t\tif len(values) > 1 {\n\t\t\t\t\t\theaders = append(headers, dataprovider.KeyValue{\n\t\t\t\t\t\t\tKey: strings.TrimSpace(values[0]),\n\t\t\t\t\t\t\tValue: strings.TrimSpace(values[1]),\n\t\t\t\t\t\t})\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tresult = append(result, dataprovider.HTTPPart{\n\t\t\t\t\tName: partName,\n\t\t\t\t\tFilepath: filePath,\n\t\t\t\t\tHeaders: headers,\n\t\t\t\t\tBody: body,\n\t\t\t\t\tOrder: order,\n\t\t\t\t})\n\t\t\t}\n\t\t}\n\t}\n\n\tsort.Slice(result, func(i, j int) bool {\n\t\treturn result[i].Order < result[j].Order\n\t})\n\treturn result\n}\n\nfunc updateRepeaterFormActionFields(r *http.Request) {\n\tfor k := range r.Form {\n\t\tif hasPrefixAndSuffix(k, \"http_headers[\", \"][http_header_key]\") {\n\t\t\tbase, _ := strings.CutSuffix(k, \"[http_header_key]\")\n\t\t\tr.Form.Add(\"http_header_key\", strings.TrimSpace(r.Form.Get(k)))\n\t\t\tr.Form.Add(\"http_header_value\", strings.TrimSpace(r.Form.Get(base+\"[http_header_value]\")))\n\t\t\tcontinue\n\t\t}\n\t\tif hasPrefixAndSuffix(k, \"query_parameters[\", \"][http_query_key]\") {\n\t\t\tbase, _ := strings.CutSuffix(k, \"[http_query_key]\")\n\t\t\tr.Form.Add(\"http_query_key\", strings.TrimSpace(r.Form.Get(k)))\n\t\t\tr.Form.Add(\"http_query_value\", strings.TrimSpace(r.Form.Get(base+\"[http_query_value]\")))\n\t\t\tcontinue\n\t\t}\n\t\tif hasPrefixAndSuffix(k, \"multipart_body[\", \"][http_part_name]\") {\n\t\t\tbase, _ := strings.CutSuffix(k, \"[http_part_name]\")\n\t\t\torder, _ := strings.CutPrefix(k, \"multipart_body[\")\n\t\t\torder, _ = strings.CutSuffix(order, \"][http_part_name]\")\n\t\t\tr.Form.Add(\"http_part_name\", strings.TrimSpace(r.Form.Get(k)))\n\t\t\tr.Form.Add(\"http_part_file\", strings.TrimSpace(r.Form.Get(base+\"[http_part_file]\")))\n\t\t\tr.Form.Add(\"http_part_headers\", strings.TrimSpace(r.Form.Get(base+\"[http_part_headers]\")))\n\t\t\tr.Form.Add(\"http_part_body\", strings.TrimSpace(r.Form.Get(base+\"[http_part_body]\")))\n\t\t\tr.Form.Add(\"http_part_order\", order)\n\t\t\tcontinue\n\t\t}\n\t\tif hasPrefixAndSuffix(k, \"env_vars[\", \"][cmd_env_key]\") {\n\t\t\tbase, _ := strings.CutSuffix(k, \"[cmd_env_key]\")\n\t\t\tr.Form.Add(\"cmd_env_key\", strings.TrimSpace(r.Form.Get(k)))\n\t\t\tr.Form.Add(\"cmd_env_value\", strings.TrimSpace(r.Form.Get(base+\"[cmd_env_value]\")))\n\t\t\tcontinue\n\t\t}\n\t\tif hasPrefixAndSuffix(k, \"data_retention[\", \"][folder_retention_path]\") {\n\t\t\tbase, _ := strings.CutSuffix(k, \"[folder_retention_path]\")\n\t\t\tr.Form.Add(\"folder_retention_path\", strings.TrimSpace(r.Form.Get(k)))\n\t\t\tr.Form.Add(\"folder_retention_val\", strings.TrimSpace(r.Form.Get(base+\"[folder_retention_val]\")))\n\t\t\tr.Form[\"folder_retention_options\"+strconv.Itoa(len(r.Form[\"folder_retention_path\"])-1)] =\n\t\t\t\tr.Form[base+\"[folder_retention_options][]\"]\n\t\t\tcontinue\n\t\t}\n\t\tif hasPrefixAndSuffix(k, \"fs_rename[\", \"][fs_rename_source]\") {\n\t\t\tbase, _ := strings.CutSuffix(k, \"[fs_rename_source]\")\n\t\t\tr.Form.Add(\"fs_rename_source\", strings.TrimSpace(r.Form.Get(k)))\n\t\t\tr.Form.Add(\"fs_rename_target\", strings.TrimSpace(r.Form.Get(base+\"[fs_rename_target]\")))\n\t\t\tr.Form[\"fs_rename_options\"+strconv.Itoa(len(r.Form[\"fs_rename_source\"])-1)] =\n\t\t\t\tr.Form[base+\"[fs_rename_options][]\"]\n\t\t\tcontinue\n\t\t}\n\t\tif hasPrefixAndSuffix(k, \"fs_copy[\", \"][fs_copy_source]\") {\n\t\t\tbase, _ := strings.CutSuffix(k, \"[fs_copy_source]\")\n\t\t\tr.Form.Add(\"fs_copy_source\", strings.TrimSpace(r.Form.Get(k)))\n\t\t\tr.Form.Add(\"fs_copy_target\", strings.TrimSpace(r.Form.Get(base+\"[fs_copy_target]\")))\n\t\t\tcontinue\n\t\t}\n\t}\n}\n\nfunc getEventActionOptionsFromPostFields(r *http.Request) (dataprovider.BaseEventActionOptions, error) {\n\tupdateRepeaterFormActionFields(r)\n\thttpTimeout, err := strconv.Atoi(r.Form.Get(\"http_timeout\"))\n\tif err != nil {\n\t\treturn dataprovider.BaseEventActionOptions{}, fmt.Errorf(\"invalid http timeout: %w\", err)\n\t}\n\tcmdTimeout, err := strconv.Atoi(r.Form.Get(\"cmd_timeout\"))\n\tif err != nil {\n\t\treturn dataprovider.BaseEventActionOptions{}, fmt.Errorf(\"invalid command timeout: %w\", err)\n\t}\n\tfoldersRetention, err := getFoldersRetentionFromPostFields(r)\n\tif err != nil {\n\t\treturn dataprovider.BaseEventActionOptions{}, err\n\t}\n\tfsActionType, err := strconv.Atoi(r.Form.Get(\"fs_action_type\"))\n\tif err != nil {\n\t\treturn dataprovider.BaseEventActionOptions{}, fmt.Errorf(\"invalid fs action type: %w\", err)\n\t}\n\tpwdExpirationThreshold, err := strconv.Atoi(r.Form.Get(\"pwd_expiration_threshold\"))\n\tif err != nil {\n\t\treturn dataprovider.BaseEventActionOptions{}, fmt.Errorf(\"invalid password expiration threshold: %w\", err)\n\t}\n\tvar disableThreshold, deleteThreshold int\n\tif val, err := strconv.Atoi(r.Form.Get(\"inactivity_disable_threshold\")); err == nil {\n\t\tdisableThreshold = val\n\t}\n\tif val, err := strconv.Atoi(r.Form.Get(\"inactivity_delete_threshold\")); err == nil {\n\t\tdeleteThreshold = val\n\t}\n\tvar emailAttachments []string\n\tif r.Form.Get(\"email_attachments\") != \"\" {\n\t\temailAttachments = getSliceFromDelimitedValues(r.Form.Get(\"email_attachments\"), \",\")\n\t}\n\tvar cmdArgs []string\n\tif r.Form.Get(\"cmd_arguments\") != \"\" {\n\t\tcmdArgs = getSliceFromDelimitedValues(r.Form.Get(\"cmd_arguments\"), \",\")\n\t}\n\tidpMode := 0\n\tif r.Form.Get(\"idp_mode\") == \"1\" {\n\t\tidpMode = 1\n\t}\n\temailContentType := 0\n\tif r.Form.Get(\"email_content_type\") == \"1\" {\n\t\temailContentType = 1\n\t}\n\toptions := dataprovider.BaseEventActionOptions{\n\t\tHTTPConfig: dataprovider.EventActionHTTPConfig{\n\t\t\tEndpoint: strings.TrimSpace(r.Form.Get(\"http_endpoint\")),\n\t\t\tUsername: strings.TrimSpace(r.Form.Get(\"http_username\")),\n\t\t\tPassword: getSecretFromFormField(r, \"http_password\"),\n\t\t\tHeaders: getKeyValsFromPostFields(r, \"http_header_key\", \"http_header_value\"),\n\t\t\tTimeout: httpTimeout,\n\t\t\tSkipTLSVerify: r.Form.Get(\"http_skip_tls_verify\") != \"\",\n\t\t\tMethod: r.Form.Get(\"http_method\"),\n\t\t\tQueryParameters: getKeyValsFromPostFields(r, \"http_query_key\", \"http_query_value\"),\n\t\t\tBody: r.Form.Get(\"http_body\"),\n\t\t\tParts: getHTTPPartsFromPostFields(r),\n\t\t},\n\t\tCmdConfig: dataprovider.EventActionCommandConfig{\n\t\t\tCmd: strings.TrimSpace(r.Form.Get(\"cmd_path\")),\n\t\t\tArgs: cmdArgs,\n\t\t\tTimeout: cmdTimeout,\n\t\t\tEnvVars: getKeyValsFromPostFields(r, \"cmd_env_key\", \"cmd_env_value\"),\n\t\t},\n\t\tEmailConfig: dataprovider.EventActionEmailConfig{\n\t\t\tRecipients: getSliceFromDelimitedValues(r.Form.Get(\"email_recipients\"), \",\"),\n\t\t\tBcc: getSliceFromDelimitedValues(r.Form.Get(\"email_bcc\"), \",\"),\n\t\t\tSubject: r.Form.Get(\"email_subject\"),\n\t\t\tContentType: emailContentType,\n\t\t\tBody: r.Form.Get(\"email_body\"),\n\t\t\tAttachments: emailAttachments,\n\t\t},\n\t\tRetentionConfig: dataprovider.EventActionDataRetentionConfig{\n\t\t\tFolders: foldersRetention,\n\t\t},\n\t\tFsConfig: dataprovider.EventActionFilesystemConfig{\n\t\t\tType: fsActionType,\n\t\t\tRenames: getRenameConfigsFromPostFields(r),\n\t\t\tDeletes: getSliceFromDelimitedValues(r.Form.Get(\"fs_delete_paths\"), \",\"),\n\t\t\tMkDirs: getSliceFromDelimitedValues(r.Form.Get(\"fs_mkdir_paths\"), \",\"),\n\t\t\tExist: getSliceFromDelimitedValues(r.Form.Get(\"fs_exist_paths\"), \",\"),\n\t\t\tCopy: getKeyValsFromPostFields(r, \"fs_copy_source\", \"fs_copy_target\"),\n\t\t\tCompress: dataprovider.EventActionFsCompress{\n\t\t\t\tName: strings.TrimSpace(r.Form.Get(\"fs_compress_name\")),\n\t\t\t\tPaths: getSliceFromDelimitedValues(r.Form.Get(\"fs_compress_paths\"), \",\"),\n\t\t\t},\n\t\t},\n\t\tPwdExpirationConfig: dataprovider.EventActionPasswordExpiration{\n\t\t\tThreshold: pwdExpirationThreshold,\n\t\t},\n\t\tUserInactivityConfig: dataprovider.EventActionUserInactivity{\n\t\t\tDisableThreshold: disableThreshold,\n\t\t\tDeleteThreshold: deleteThreshold,\n\t\t},\n\t\tIDPConfig: dataprovider.EventActionIDPAccountCheck{\n\t\t\tMode: idpMode,\n\t\t\tTemplateUser: strings.TrimSpace(r.Form.Get(\"idp_user\")),\n\t\t\tTemplateAdmin: strings.TrimSpace(r.Form.Get(\"idp_admin\")),\n\t\t},\n\t}\n\treturn options, nil\n}\n\nfunc getEventActionFromPostFields(r *http.Request) (dataprovider.BaseEventAction, error) {\n\terr := r.ParseForm()\n\tif err != nil {\n\t\treturn dataprovider.BaseEventAction{}, util.NewI18nError(err, util.I18nErrorInvalidForm)\n\t}\n\tactionType, err := strconv.Atoi(r.Form.Get(\"type\"))\n\tif err != nil {\n\t\treturn dataprovider.BaseEventAction{}, fmt.Errorf(\"invalid action type: %w\", err)\n\t}\n\toptions, err := getEventActionOptionsFromPostFields(r)\n\tif err != nil {\n\t\treturn dataprovider.BaseEventAction{}, err\n\t}\n\taction := dataprovider.BaseEventAction{\n\t\tName: strings.TrimSpace(r.Form.Get(\"name\")),\n\t\tDescription: r.Form.Get(\"description\"),\n\t\tType: actionType,\n\t\tOptions: options,\n\t}\n\treturn action, nil\n}\n\nfunc getIDPLoginEventFromPostField(r *http.Request) int {\n\tswitch r.Form.Get(\"idp_login_event\") {\n\tcase \"1\":\n\t\treturn 1\n\tcase \"2\":\n\t\treturn 2\n\tdefault:\n\t\treturn 0\n\t}\n}\n\nfunc getEventRuleConditionsFromPostFields(r *http.Request) (dataprovider.EventConditions, error) {\n\tvar schedules []dataprovider.Schedule\n\tvar names, groupNames, roleNames, fsPaths []dataprovider.ConditionPattern\n\n\tscheduleHours := r.Form[\"schedule_hour\"]\n\tscheduleDayOfWeeks := r.Form[\"schedule_day_of_week\"]\n\tscheduleDayOfMonths := r.Form[\"schedule_day_of_month\"]\n\tscheduleMonths := r.Form[\"schedule_month\"]\n\n\tfor idx, hour := range scheduleHours {\n\t\tif hour != \"\" {\n\t\t\tschedules = append(schedules, dataprovider.Schedule{\n\t\t\t\tHours: hour,\n\t\t\t\tDayOfWeek: scheduleDayOfWeeks[idx],\n\t\t\t\tDayOfMonth: scheduleDayOfMonths[idx],\n\t\t\t\tMonth: scheduleMonths[idx],\n\t\t\t})\n\t\t}\n\t}\n\n\tfor idx, name := range r.Form[\"name_pattern\"] {\n\t\tif name != \"\" {\n\t\t\tnames = append(names, dataprovider.ConditionPattern{\n\t\t\t\tPattern: name,\n\t\t\t\tInverseMatch: r.Form[\"type_name_pattern\"][idx] == inversePatternType,\n\t\t\t})\n\t\t}\n\t}\n\n\tfor idx, name := range r.Form[\"group_name_pattern\"] {\n\t\tif name != \"\" {\n\t\t\tgroupNames = append(groupNames, dataprovider.ConditionPattern{\n\t\t\t\tPattern: name,\n\t\t\t\tInverseMatch: r.Form[\"type_group_name_pattern\"][idx] == inversePatternType,\n\t\t\t})\n\t\t}\n\t}\n\n\tfor idx, name := range r.Form[\"role_name_pattern\"] {\n\t\tif name != \"\" {\n\t\t\troleNames = append(roleNames, dataprovider.ConditionPattern{\n\t\t\t\tPattern: name,\n\t\t\t\tInverseMatch: r.Form[\"type_role_name_pattern\"][idx] == inversePatternType,\n\t\t\t})\n\t\t}\n\t}\n\n\tfor idx, name := range r.Form[\"fs_path_pattern\"] {\n\t\tif name != \"\" {\n\t\t\tfsPaths = append(fsPaths, dataprovider.ConditionPattern{\n\t\t\t\tPattern: name,\n\t\t\t\tInverseMatch: r.Form[\"type_fs_path_pattern\"][idx] == inversePatternType,\n\t\t\t})\n\t\t}\n\t}\n\n\tminFileSize, err := util.ParseBytes(r.Form.Get(\"fs_min_size\"))\n\tif err != nil {\n\t\treturn dataprovider.EventConditions{}, util.NewI18nError(fmt.Errorf(\"invalid min file size: %w\", err), util.I18nErrorInvalidMinSize)\n\t}\n\tmaxFileSize, err := util.ParseBytes(r.Form.Get(\"fs_max_size\"))\n\tif err != nil {\n\t\treturn dataprovider.EventConditions{}, util.NewI18nError(fmt.Errorf(\"invalid max file size: %w\", err), util.I18nErrorInvalidMaxSize)\n\t}\n\tvar eventStatuses []int\n\tfor _, s := range r.Form[\"fs_statuses\"] {\n\t\tstatus, err := strconv.ParseInt(s, 10, 32)\n\t\tif err == nil {\n\t\t\teventStatuses = append(eventStatuses, int(status))\n\t\t}\n\t}\n\tconditions := dataprovider.EventConditions{\n\t\tFsEvents: r.Form[\"fs_events\"],\n\t\tProviderEvents: r.Form[\"provider_events\"],\n\t\tIDPLoginEvent: getIDPLoginEventFromPostField(r),\n\t\tSchedules: schedules,\n\t\tOptions: dataprovider.ConditionOptions{\n\t\t\tNames: names,\n\t\t\tGroupNames: groupNames,\n\t\t\tRoleNames: roleNames,\n\t\t\tFsPaths: fsPaths,\n\t\t\tProtocols: r.Form[\"fs_protocols\"],\n\t\t\tEventStatuses: eventStatuses,\n\t\t\tProviderObjects: r.Form[\"provider_objects\"],\n\t\t\tMinFileSize: minFileSize,\n\t\t\tMaxFileSize: maxFileSize,\n\t\t\tConcurrentExecution: r.Form.Get(\"concurrent_execution\") != \"\",\n\t\t},\n\t}\n\treturn conditions, nil\n}\n\nfunc getEventRuleActionsFromPostFields(r *http.Request) []dataprovider.EventAction {\n\tvar actions []dataprovider.EventAction\n\n\tnames := r.Form[\"action_name\"]\n\torders := r.Form[\"action_order\"]\n\n\tfor idx, name := range names {\n\t\tif name != \"\" {\n\t\t\torder, err := strconv.Atoi(orders[idx])\n\t\t\tif err == nil {\n\t\t\t\toptions := r.Form[\"action_options\"+strconv.Itoa(idx)]\n\t\t\t\tactions = append(actions, dataprovider.EventAction{\n\t\t\t\t\tBaseEventAction: dataprovider.BaseEventAction{\n\t\t\t\t\t\tName: name,\n\t\t\t\t\t},\n\t\t\t\t\tOrder: order + 1,\n\t\t\t\t\tOptions: dataprovider.EventActionOptions{\n\t\t\t\t\t\tIsFailureAction: slices.Contains(options, \"1\"),\n\t\t\t\t\t\tStopOnFailure: slices.Contains(options, \"2\"),\n\t\t\t\t\t\tExecuteSync: slices.Contains(options, \"3\"),\n\t\t\t\t\t},\n\t\t\t\t})\n\t\t\t}\n\t\t}\n\t}\n\n\treturn actions\n}\n\nfunc updateRepeaterFormRuleFields(r *http.Request) {\n\tfor k := range r.Form {\n\t\tif hasPrefixAndSuffix(k, \"schedules[\", \"][schedule_hour]\") {\n\t\t\tbase, _ := strings.CutSuffix(k, \"[schedule_hour]\")\n\t\t\tr.Form.Add(\"schedule_hour\", strings.TrimSpace(r.Form.Get(k)))\n\t\t\tr.Form.Add(\"schedule_day_of_week\", strings.TrimSpace(r.Form.Get(base+\"[schedule_day_of_week]\")))\n\t\t\tr.Form.Add(\"schedule_day_of_month\", strings.TrimSpace(r.Form.Get(base+\"[schedule_day_of_month]\")))\n\t\t\tr.Form.Add(\"schedule_month\", strings.TrimSpace(r.Form.Get(base+\"[schedule_month]\")))\n\t\t\tcontinue\n\t\t}\n\t\tif hasPrefixAndSuffix(k, \"name_filters[\", \"][name_pattern]\") {\n\t\t\tbase, _ := strings.CutSuffix(k, \"[name_pattern]\")\n\t\t\tr.Form.Add(\"name_pattern\", strings.TrimSpace(r.Form.Get(k)))\n\t\t\tr.Form.Add(\"type_name_pattern\", strings.TrimSpace(r.Form.Get(base+\"[type_name_pattern]\")))\n\t\t\tcontinue\n\t\t}\n\t\tif hasPrefixAndSuffix(k, \"group_name_filters[\", \"][group_name_pattern]\") {\n\t\t\tbase, _ := strings.CutSuffix(k, \"[group_name_pattern]\")\n\t\t\tr.Form.Add(\"group_name_pattern\", strings.TrimSpace(r.Form.Get(k)))\n\t\t\tr.Form.Add(\"type_group_name_pattern\", strings.TrimSpace(r.Form.Get(base+\"[type_group_name_pattern]\")))\n\t\t\tcontinue\n\t\t}\n\t\tif hasPrefixAndSuffix(k, \"role_name_filters[\", \"][role_name_pattern]\") {\n\t\t\tbase, _ := strings.CutSuffix(k, \"[role_name_pattern]\")\n\t\t\tr.Form.Add(\"role_name_pattern\", strings.TrimSpace(r.Form.Get(k)))\n\t\t\tr.Form.Add(\"type_role_name_pattern\", strings.TrimSpace(r.Form.Get(base+\"[type_role_name_pattern]\")))\n\t\t\tcontinue\n\t\t}\n\t\tif hasPrefixAndSuffix(k, \"path_filters[\", \"][fs_path_pattern]\") {\n\t\t\tbase, _ := strings.CutSuffix(k, \"[fs_path_pattern]\")\n\t\t\tr.Form.Add(\"fs_path_pattern\", strings.TrimSpace(r.Form.Get(k)))\n\t\t\tr.Form.Add(\"type_fs_path_pattern\", strings.TrimSpace(r.Form.Get(base+\"[type_fs_path_pattern]\")))\n\t\t\tcontinue\n\t\t}\n\t\tif hasPrefixAndSuffix(k, \"actions[\", \"][action_name]\") {\n\t\t\tbase, _ := strings.CutSuffix(k, \"[action_name]\")\n\t\t\torder, _ := strings.CutPrefix(k, \"actions[\")\n\t\t\torder, _ = strings.CutSuffix(order, \"][action_name]\")\n\t\t\tr.Form.Add(\"action_name\", strings.TrimSpace(r.Form.Get(k)))\n\t\t\tr.Form[\"action_options\"+strconv.Itoa(len(r.Form[\"action_name\"])-1)] = r.Form[base+\"[action_options][]\"]\n\t\t\tr.Form.Add(\"action_order\", order)\n\t\t\tcontinue\n\t\t}\n\t}\n}\n\nfunc getEventRuleFromPostFields(r *http.Request) (dataprovider.EventRule, error) {\n\terr := r.ParseForm()\n\tif err != nil {\n\t\treturn dataprovider.EventRule{}, util.NewI18nError(err, util.I18nErrorInvalidForm)\n\t}\n\tupdateRepeaterFormRuleFields(r)\n\tstatus, err := strconv.Atoi(r.Form.Get(\"status\"))\n\tif err != nil {\n\t\treturn dataprovider.EventRule{}, fmt.Errorf(\"invalid status: %w\", err)\n\t}\n\ttrigger, err := strconv.Atoi(r.Form.Get(\"trigger\"))\n\tif err != nil {\n\t\treturn dataprovider.EventRule{}, fmt.Errorf(\"invalid trigger: %w\", err)\n\t}\n\tconditions, err := getEventRuleConditionsFromPostFields(r)\n\tif err != nil {\n\t\treturn dataprovider.EventRule{}, err\n\t}\n\trule := dataprovider.EventRule{\n\t\tName: strings.TrimSpace(r.Form.Get(\"name\")),\n\t\tStatus: status,\n\t\tDescription: r.Form.Get(\"description\"),\n\t\tTrigger: trigger,\n\t\tConditions: conditions,\n\t\tActions: getEventRuleActionsFromPostFields(r),\n\t}\n\treturn rule, nil\n}\n\nfunc getRoleFromPostFields(r *http.Request) (dataprovider.Role, error) {\n\terr := r.ParseForm()\n\tif err != nil {\n\t\treturn dataprovider.Role{}, util.NewI18nError(err, util.I18nErrorInvalidForm)\n\t}\n\n\treturn dataprovider.Role{\n\t\tName: strings.TrimSpace(r.Form.Get(\"name\")),\n\t\tDescription: r.Form.Get(\"description\"),\n\t}, nil\n}\n\nfunc getIPListEntryFromPostFields(r *http.Request, listType dataprovider.IPListType) (dataprovider.IPListEntry, error) {\n\terr := r.ParseForm()\n\tif err != nil {\n\t\treturn dataprovider.IPListEntry{}, util.NewI18nError(err, util.I18nErrorInvalidForm)\n\t}\n\tvar mode int\n\tif listType == dataprovider.IPListTypeDefender {\n\t\tmode, err = strconv.Atoi(r.Form.Get(\"mode\"))\n\t\tif err != nil {\n\t\t\treturn dataprovider.IPListEntry{}, fmt.Errorf(\"invalid mode: %w\", err)\n\t\t}\n\t} else {\n\t\tmode = 1\n\t}\n\tprotocols := 0\n\tfor _, proto := range r.Form[\"protocols\"] {\n\t\tp, err := strconv.Atoi(proto)\n\t\tif err == nil {\n\t\t\tprotocols += p\n\t\t}\n\t}\n\n\treturn dataprovider.IPListEntry{\n\t\tIPOrNet: strings.TrimSpace(r.Form.Get(\"ipornet\")),\n\t\tMode: mode,\n\t\tProtocols: protocols,\n\t\tDescription: r.Form.Get(\"description\"),\n\t}, nil\n}\n\nfunc getSFTPConfigsFromPostFields(r *http.Request) *dataprovider.SFTPDConfigs {\n\treturn &dataprovider.SFTPDConfigs{\n\t\tHostKeyAlgos: r.Form[\"sftp_host_key_algos\"],\n\t\tPublicKeyAlgos: r.Form[\"sftp_pub_key_algos\"],\n\t\tKexAlgorithms: r.Form[\"sftp_kex_algos\"],\n\t\tCiphers: r.Form[\"sftp_ciphers\"],\n\t\tMACs: r.Form[\"sftp_macs\"],\n\t}\n}\n\nfunc getACMEConfigsFromPostFields(r *http.Request) *dataprovider.ACMEConfigs {\n\tport, err := strconv.Atoi(r.Form.Get(\"acme_port\"))\n\tif err != nil {\n\t\tport = 80\n\t}\n\tvar protocols int\n\tfor _, val := range r.Form[\"acme_protocols\"] {\n\t\tswitch val {\n\t\tcase \"1\":\n\t\t\tprotocols++\n\t\tcase \"2\":\n\t\t\tprotocols += 2\n\t\tcase \"3\":\n\t\t\tprotocols += 4\n\t\t}\n\t}\n\n\treturn &dataprovider.ACMEConfigs{\n\t\tDomain: strings.TrimSpace(r.Form.Get(\"acme_domain\")),\n\t\tEmail: strings.TrimSpace(r.Form.Get(\"acme_email\")),\n\t\tHTTP01Challenge: dataprovider.ACMEHTTP01Challenge{Port: port},\n\t\tProtocols: protocols,\n\t}\n}\n\nfunc getSMTPConfigsFromPostFields(r *http.Request) *dataprovider.SMTPConfigs {\n\tport, err := strconv.Atoi(r.Form.Get(\"smtp_port\"))\n\tif err != nil {\n\t\tport = 587\n\t}\n\tauthType, err := strconv.Atoi(r.Form.Get(\"smtp_auth\"))\n\tif err != nil {\n\t\tauthType = 0\n\t}\n\tencryption, err := strconv.Atoi(r.Form.Get(\"smtp_encryption\"))\n\tif err != nil {\n\t\tencryption = 0\n\t}\n\tdebug := 0\n\tif r.Form.Get(\"smtp_debug\") != \"\" {\n\t\tdebug = 1\n\t}\n\toauth2Provider := 0\n\tif r.Form.Get(\"smtp_oauth2_provider\") == \"1\" {\n\t\toauth2Provider = 1\n\t}\n\treturn &dataprovider.SMTPConfigs{\n\t\tHost: strings.TrimSpace(r.Form.Get(\"smtp_host\")),\n\t\tPort: port,\n\t\tFrom: strings.TrimSpace(r.Form.Get(\"smtp_from\")),\n\t\tUser: strings.TrimSpace(r.Form.Get(\"smtp_username\")),\n\t\tPassword: getSecretFromFormField(r, \"smtp_password\"),\n\t\tAuthType: authType,\n\t\tEncryption: encryption,\n\t\tDomain: strings.TrimSpace(r.Form.Get(\"smtp_domain\")),\n\t\tDebug: debug,\n\t\tOAuth2: dataprovider.SMTPOAuth2{\n\t\t\tProvider: oauth2Provider,\n\t\t\tTenant: strings.TrimSpace(r.Form.Get(\"smtp_oauth2_tenant\")),\n\t\t\tClientID: strings.TrimSpace(r.Form.Get(\"smtp_oauth2_client_id\")),\n\t\t\tClientSecret: getSecretFromFormField(r, \"smtp_oauth2_client_secret\"),\n\t\t\tRefreshToken: getSecretFromFormField(r, \"smtp_oauth2_refresh_token\"),\n\t\t},\n\t}\n}\n\nfunc getImageInputBytes(r *http.Request, fieldName, removeFieldName string, defaultVal []byte) ([]byte, error) {\n\tvar result []byte\n\tremove := r.Form.Get(removeFieldName)\n\tif remove == \"\" || remove == \"0\" {\n\t\tresult = defaultVal\n\t}\n\tf, _, err := r.FormFile(fieldName)\n\tif err != nil {\n\t\tif errors.Is(err, http.ErrMissingFile) {\n\t\t\treturn result, nil\n\t\t}\n\t\treturn nil, err\n\t}\n\tdefer f.Close()\n\n\treturn io.ReadAll(f)\n}\n\nfunc getBrandingConfigFromPostFields(r *http.Request, config *dataprovider.BrandingConfigs) (\n\t*dataprovider.BrandingConfigs, error,\n) {\n\tif config == nil {\n\t\tconfig = &dataprovider.BrandingConfigs{}\n\t}\n\tadminLogo, err := getImageInputBytes(r, \"branding_webadmin_logo\", \"branding_webadmin_logo_remove\", config.WebAdmin.Logo)\n\tif err != nil {\n\t\treturn nil, util.NewI18nError(err, util.I18nErrorInvalidForm)\n\t}\n\tadminFavicon, err := getImageInputBytes(r, \"branding_webadmin_favicon\", \"branding_webadmin_favicon_remove\",\n\t\tconfig.WebAdmin.Favicon)\n\tif err != nil {\n\t\treturn nil, util.NewI18nError(err, util.I18nErrorInvalidForm)\n\t}\n\tclientLogo, err := getImageInputBytes(r, \"branding_webclient_logo\", \"branding_webclient_logo_remove\",\n\t\tconfig.WebClient.Logo)\n\tif err != nil {\n\t\treturn nil, util.NewI18nError(err, util.I18nErrorInvalidForm)\n\t}\n\tclientFavicon, err := getImageInputBytes(r, \"branding_webclient_favicon\", \"branding_webclient_favicon_remove\",\n\t\tconfig.WebClient.Favicon)\n\tif err != nil {\n\t\treturn nil, util.NewI18nError(err, util.I18nErrorInvalidForm)\n\t}\n\n\tbranding := &dataprovider.BrandingConfigs{\n\t\tWebAdmin: dataprovider.BrandingConfig{\n\t\t\tName: strings.TrimSpace(r.Form.Get(\"branding_webadmin_name\")),\n\t\t\tShortName: strings.TrimSpace(r.Form.Get(\"branding_webadmin_short_name\")),\n\t\t\tLogo: adminLogo,\n\t\t\tFavicon: adminFavicon,\n\t\t\tDisclaimerName: strings.TrimSpace(r.Form.Get(\"branding_webadmin_disclaimer_name\")),\n\t\t\tDisclaimerURL: strings.TrimSpace(r.Form.Get(\"branding_webadmin_disclaimer_url\")),\n\t\t},\n\t\tWebClient: dataprovider.BrandingConfig{\n\t\t\tName: strings.TrimSpace(r.Form.Get(\"branding_webclient_name\")),\n\t\t\tShortName: strings.TrimSpace(r.Form.Get(\"branding_webclient_short_name\")),\n\t\t\tLogo: clientLogo,\n\t\t\tFavicon: clientFavicon,\n\t\t\tDisclaimerName: strings.TrimSpace(r.Form.Get(\"branding_webclient_disclaimer_name\")),\n\t\t\tDisclaimerURL: strings.TrimSpace(r.Form.Get(\"branding_webclient_disclaimer_url\")),\n\t\t},\n\t}\n\treturn branding, nil\n}\n\nfunc (s *httpdServer) handleWebAdminForgotPwd(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tif !smtp.IsEnabled() {\n\t\ts.renderNotFoundPage(w, r, errors.New(\"this page does not exist\"))\n\t\treturn\n\t}\n\ts.renderForgotPwdPage(w, r, nil)\n}\n\nfunc (s *httpdServer) handleWebAdminForgotPwdPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\terr := r.ParseForm()\n\tif err != nil {\n\t\ts.renderForgotPwdPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidForm))\n\t\treturn\n\t}\n\tif err := verifyLoginCookieAndCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\terr = handleForgotPassword(r, r.Form.Get(\"username\"), true)\n\tif err != nil {\n\t\ts.renderForgotPwdPage(w, r, util.NewI18nError(err, util.I18nErrorPwdResetGeneric))\n\t\treturn\n\t}\n\thttp.Redirect(w, r, webAdminResetPwdPath, http.StatusFound)\n}\n\nfunc (s *httpdServer) handleWebAdminPasswordReset(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)\n\tif !smtp.IsEnabled() {\n\t\ts.renderNotFoundPage(w, r, errors.New(\"this page does not exist\"))\n\t\treturn\n\t}\n\ts.renderResetPwdPage(w, r, nil)\n}\n\nfunc (s *httpdServer) handleWebAdminTwoFactor(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\ts.renderTwoFactorPage(w, r, nil)\n}\n\nfunc (s *httpdServer) handleWebAdminTwoFactorRecovery(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\ts.renderTwoFactorRecoveryPage(w, r, nil)\n}\n\nfunc (s *httpdServer) handleWebAdminMFA(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\ts.renderMFAPage(w, r)\n}\n\nfunc (s *httpdServer) handleWebAdminProfile(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\ts.renderProfilePage(w, r, nil)\n}\n\nfunc (s *httpdServer) handleWebAdminChangePwd(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\ts.renderChangePasswordPage(w, r, nil)\n}\n\nfunc (s *httpdServer) handleWebAdminProfilePost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\terr := r.ParseForm()\n\tif err != nil {\n\t\ts.renderProfilePage(w, r, util.NewI18nError(err, util.I18nErrorInvalidForm))\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderProfilePage(w, r, util.NewI18nError(err, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\tadmin, err := dataprovider.AdminExists(claims.Username)\n\tif err != nil {\n\t\ts.renderProfilePage(w, r, err)\n\t\treturn\n\t}\n\tadmin.Filters.AllowAPIKeyAuth = r.Form.Get(\"allow_api_key_auth\") != \"\"\n\tadmin.Email = r.Form.Get(\"email\")\n\tadmin.Description = r.Form.Get(\"description\")\n\terr = dataprovider.UpdateAdmin(&admin, dataprovider.ActionExecutorSelf, ipAddr, admin.Role)\n\tif err != nil {\n\t\ts.renderProfilePage(w, r, err)\n\t\treturn\n\t}\n\ts.renderMessagePage(w, r, util.I18nProfileTitle, http.StatusOK, nil, util.I18nProfileUpdated)\n}\n\nfunc (s *httpdServer) handleWebMaintenance(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\ts.renderMaintenancePage(w, r, nil)\n}\n\nfunc (s *httpdServer) handleWebRestore(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, MaxRestoreSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\terr = r.ParseMultipartForm(MaxRestoreSize)\n\tif err != nil {\n\t\ts.renderMaintenancePage(w, r, util.NewI18nError(err, util.I18nErrorInvalidForm))\n\t\treturn\n\t}\n\tdefer r.MultipartForm.RemoveAll() //nolint:errcheck\n\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\trestoreMode, err := strconv.Atoi(r.Form.Get(\"mode\"))\n\tif err != nil {\n\t\ts.renderMaintenancePage(w, r, err)\n\t\treturn\n\t}\n\tscanQuota, err := strconv.Atoi(r.Form.Get(\"quota\"))\n\tif err != nil {\n\t\ts.renderMaintenancePage(w, r, err)\n\t\treturn\n\t}\n\tbackupFile, _, err := r.FormFile(\"backup_file\")\n\tif err != nil {\n\t\ts.renderMaintenancePage(w, r, util.NewI18nError(err, util.I18nErrorBackupFile))\n\t\treturn\n\t}\n\tdefer backupFile.Close()\n\n\tbackupContent, err := io.ReadAll(backupFile)\n\tif err != nil || len(backupContent) == 0 {\n\t\tif len(backupContent) == 0 {\n\t\t\terr = errors.New(\"backup file size must be greater than 0\")\n\t\t}\n\t\ts.renderMaintenancePage(w, r, util.NewI18nError(err, util.I18nErrorBackupFile))\n\t\treturn\n\t}\n\n\tif err := restoreBackup(backupContent, \"\", scanQuota, restoreMode, claims.Username, ipAddr, claims.Role); err != nil {\n\t\ts.renderMaintenancePage(w, r, util.NewI18nError(err, util.I18nErrorRestore))\n\t\treturn\n\t}\n\n\ts.renderMessagePage(w, r, util.I18nMaintenanceTitle, http.StatusOK, nil, util.I18nBackupOK)\n}\n\nfunc getAllAdmins(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, nil, util.I18nErrorInvalidToken, http.StatusForbidden)\n\t\treturn\n\t}\n\n\tdataGetter := func(limit, offset int) ([]byte, int, error) {\n\t\tresults, err := dataprovider.GetAdmins(limit, offset, dataprovider.OrderASC)\n\t\tif err != nil {\n\t\t\treturn nil, 0, err\n\t\t}\n\t\tdata, err := json.Marshal(results)\n\t\treturn data, len(results), err\n\t}\n\n\tstreamJSONArray(w, defaultQueryLimit, dataGetter)\n}\n\nfunc (s *httpdServer) handleGetWebAdmins(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tdata := s.getBasePageData(util.I18nAdminsTitle, webAdminsPath, w, r)\n\trenderAdminTemplate(w, templateAdmins, data)\n}\n\nfunc (s *httpdServer) handleWebAdminSetupGet(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)\n\tif dataprovider.HasAdmin() {\n\t\thttp.Redirect(w, r, webAdminLoginPath, http.StatusFound)\n\t\treturn\n\t}\n\ts.renderAdminSetupPage(w, r, \"\", nil)\n}\n\nfunc (s *httpdServer) handleWebAddAdminGet(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tadmin := &dataprovider.Admin{\n\t\tStatus: 1,\n\t\tPermissions: []string{dataprovider.PermAdminAny},\n\t}\n\ts.renderAddUpdateAdminPage(w, r, admin, nil, true)\n}\n\nfunc (s *httpdServer) handleWebUpdateAdminGet(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tusername := getURLParam(r, \"username\")\n\tadmin, err := dataprovider.AdminExists(username)\n\tif err == nil {\n\t\ts.renderAddUpdateAdminPage(w, r, &admin, nil, false)\n\t} else if errors.Is(err, util.ErrNotFound) {\n\t\ts.renderNotFoundPage(w, r, err)\n\t} else {\n\t\ts.renderInternalServerErrorPage(w, r, err)\n\t}\n}\n\nfunc (s *httpdServer) handleWebAddAdminPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\tadmin, err := getAdminFromPostFields(r)\n\tif err != nil {\n\t\ts.renderAddUpdateAdminPage(w, r, &admin, err, true)\n\t\treturn\n\t}\n\tif admin.Password == \"\" {\n\t\t// Administrators can be used with OpenID Connect or for authentication\n\t\t// via API key, in these cases the password is not necessary, we create\n\t\t// a non-usable one. This feature is only useful for WebAdmin, in REST\n\t\t// API you can create an unusable password externally.\n\t\tadmin.Password = util.GenerateUniqueID()\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\terr = dataprovider.AddAdmin(&admin, claims.Username, ipAddr, claims.Role)\n\tif err != nil {\n\t\ts.renderAddUpdateAdminPage(w, r, &admin, err, true)\n\t\treturn\n\t}\n\thttp.Redirect(w, r, webAdminsPath, http.StatusSeeOther)\n}\n\nfunc (s *httpdServer) handleWebUpdateAdminPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tusername := getURLParam(r, \"username\")\n\tadmin, err := dataprovider.AdminExists(username)\n\tif errors.Is(err, util.ErrNotFound) {\n\t\ts.renderNotFoundPage(w, r, err)\n\t\treturn\n\t} else if err != nil {\n\t\ts.renderInternalServerErrorPage(w, r, err)\n\t\treturn\n\t}\n\n\tupdatedAdmin, err := getAdminFromPostFields(r)\n\tif err != nil {\n\t\ts.renderAddUpdateAdminPage(w, r, &updatedAdmin, err, false)\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tupdatedAdmin.ID = admin.ID\n\tupdatedAdmin.Username = admin.Username\n\tif updatedAdmin.Password == \"\" {\n\t\tupdatedAdmin.Password = admin.Password\n\t}\n\tupdatedAdmin.Filters.TOTPConfig = admin.Filters.TOTPConfig\n\tupdatedAdmin.Filters.RecoveryCodes = admin.Filters.RecoveryCodes\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderAddUpdateAdminPage(w, r, &updatedAdmin, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken), false)\n\t\treturn\n\t}\n\tif username == claims.Username {\n\t\tif !util.SlicesEqual(admin.Permissions, updatedAdmin.Permissions) {\n\t\t\ts.renderAddUpdateAdminPage(w, r, &updatedAdmin,\n\t\t\t\tutil.NewI18nError(errors.New(\"you cannot change your permissions\"),\n\t\t\t\t\tutil.I18nErrorAdminSelfPerms,\n\t\t\t\t), false)\n\t\t\treturn\n\t\t}\n\t\tif updatedAdmin.Status == 0 {\n\t\t\ts.renderAddUpdateAdminPage(w, r, &updatedAdmin,\n\t\t\t\tutil.NewI18nError(errors.New(\"you cannot disable yourself\"),\n\t\t\t\t\tutil.I18nErrorAdminSelfDisable,\n\t\t\t\t), false)\n\t\t\treturn\n\t\t}\n\t\tif updatedAdmin.Role != claims.Role {\n\t\t\ts.renderAddUpdateAdminPage(w, r, &updatedAdmin,\n\t\t\t\tutil.NewI18nError(\n\t\t\t\t\terrors.New(\"you cannot add/change your role\"),\n\t\t\t\t\tutil.I18nErrorAdminSelfRole,\n\t\t\t\t), false)\n\t\t\treturn\n\t\t}\n\t\tupdatedAdmin.Filters.RequirePasswordChange = admin.Filters.RequirePasswordChange\n\t\tupdatedAdmin.Filters.RequireTwoFactor = admin.Filters.RequireTwoFactor\n\t}\n\terr = dataprovider.UpdateAdmin(&updatedAdmin, claims.Username, ipAddr, claims.Role)\n\tif err != nil {\n\t\ts.renderAddUpdateAdminPage(w, r, &updatedAdmin, err, false)\n\t\treturn\n\t}\n\thttp.Redirect(w, r, webAdminsPath, http.StatusSeeOther)\n}\n\nfunc (s *httpdServer) handleWebDefenderPage(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tdata := defenderHostsPage{\n\t\tbasePage: s.getBasePageData(util.I18nDefenderTitle, webDefenderPath, w, r),\n\t\tDefenderHostsURL: webDefenderHostsPath,\n\t}\n\n\trenderAdminTemplate(w, templateDefender, data)\n}\n\nfunc getAllUsers(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, nil, util.I18nErrorInvalidToken, http.StatusForbidden)\n\t\treturn\n\t}\n\n\tdataGetter := func(limit, offset int) ([]byte, int, error) {\n\t\tresults, err := dataprovider.GetUsers(limit, offset, dataprovider.OrderASC, claims.Role)\n\t\tif err != nil {\n\t\t\treturn nil, 0, err\n\t\t}\n\t\tdata, err := json.Marshal(results)\n\t\treturn data, len(results), err\n\t}\n\n\tstreamJSONArray(w, defaultQueryLimit, dataGetter)\n}\n\nfunc (s *httpdServer) handleGetWebUsers(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\tdata := s.getBasePageData(util.I18nUsersTitle, webUsersPath, w, r)\n\trenderAdminTemplate(w, templateUsers, data)\n}\n\nfunc (s *httpdServer) handleWebTemplateFolderGet(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tif r.URL.Query().Get(\"from\") != \"\" {\n\t\tname := r.URL.Query().Get(\"from\")\n\t\tfolder, err := dataprovider.GetFolderByName(name)\n\t\tif err == nil {\n\t\t\tfolder.FsConfig.SetEmptySecrets()\n\t\t\ts.renderFolderPage(w, r, folder, folderPageModeTemplate, nil)\n\t\t} else if errors.Is(err, util.ErrNotFound) {\n\t\t\ts.renderNotFoundPage(w, r, err)\n\t\t} else {\n\t\t\ts.renderInternalServerErrorPage(w, r, err)\n\t\t}\n\t} else {\n\t\tfolder := vfs.BaseVirtualFolder{}\n\t\ts.renderFolderPage(w, r, folder, folderPageModeTemplate, nil)\n\t}\n}\n\nfunc (s *httpdServer) handleWebTemplateFolderPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\ttemplateFolder := vfs.BaseVirtualFolder{}\n\terr = r.ParseMultipartForm(maxRequestSize)\n\tif err != nil {\n\t\ts.renderMessagePage(w, r, util.I18nTemplateFolderTitle, http.StatusBadRequest, util.NewI18nError(err, util.I18nErrorInvalidForm), \"\")\n\t\treturn\n\t}\n\tdefer r.MultipartForm.RemoveAll() //nolint:errcheck\n\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\n\ttemplateFolder.MappedPath = r.Form.Get(\"mapped_path\")\n\ttemplateFolder.Description = r.Form.Get(\"description\")\n\tfsConfig, err := getFsConfigFromPostFields(r)\n\tif err != nil {\n\t\ts.renderMessagePage(w, r, util.I18nTemplateFolderTitle, http.StatusBadRequest, err, \"\")\n\t\treturn\n\t}\n\ttemplateFolder.FsConfig = fsConfig\n\n\tvar dump dataprovider.BackupData\n\n\tfoldersFields := getFoldersForTemplate(r)\n\tfor _, tmpl := range foldersFields {\n\t\tf := getFolderFromTemplate(templateFolder, tmpl)\n\t\tif err := dataprovider.ValidateFolder(&f); err != nil {\n\t\t\ts.renderMessagePage(w, r, util.I18nTemplateFolderTitle, http.StatusBadRequest, err, \"\")\n\t\t\treturn\n\t\t}\n\t\tdump.Folders = append(dump.Folders, f)\n\t}\n\n\tif len(dump.Folders) == 0 {\n\t\ts.renderMessagePage(w, r, util.I18nTemplateFolderTitle, http.StatusBadRequest,\n\t\t\tutil.NewI18nError(\n\t\t\t\terrors.New(\"no valid folder defined, unable to complete the requested action\"),\n\t\t\t\tutil.I18nErrorFolderTemplate,\n\t\t\t), \"\")\n\t\treturn\n\t}\n\tif err = RestoreFolders(dump.Folders, \"\", 1, 0, claims.Username, ipAddr, claims.Role); err != nil {\n\t\ts.renderMessagePage(w, r, util.I18nTemplateFolderTitle, getRespStatus(err), err, \"\")\n\t\treturn\n\t}\n\thttp.Redirect(w, r, webFoldersPath, http.StatusSeeOther)\n}\n\nfunc (s *httpdServer) handleWebTemplateUserGet(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\ttokenAdmin := getAdminFromToken(r)\n\tadmin, err := dataprovider.AdminExists(tokenAdmin.Username)\n\tif err != nil {\n\t\ts.renderInternalServerErrorPage(w, r, fmt.Errorf(\"unable to get the admin %q: %w\", tokenAdmin.Username, err))\n\t\treturn\n\t}\n\tif r.URL.Query().Get(\"from\") != \"\" {\n\t\tusername := r.URL.Query().Get(\"from\")\n\t\tuser, err := dataprovider.UserExists(username, admin.Role)\n\t\tif err == nil {\n\t\t\tuser.SetEmptySecrets()\n\t\t\tuser.PublicKeys = nil\n\t\t\tuser.Email = \"\"\n\t\t\tuser.Filters.AdditionalEmails = nil\n\t\t\tuser.Description = \"\"\n\t\t\tif user.ExpirationDate == 0 && admin.Filters.Preferences.DefaultUsersExpiration > 0 {\n\t\t\t\tuser.ExpirationDate = util.GetTimeAsMsSinceEpoch(time.Now().Add(24 * time.Hour * time.Duration(admin.Filters.Preferences.DefaultUsersExpiration)))\n\t\t\t}\n\t\t\ts.renderUserPage(w, r, &user, userPageModeTemplate, nil, &admin)\n\t\t} else if errors.Is(err, util.ErrNotFound) {\n\t\t\ts.renderNotFoundPage(w, r, err)\n\t\t} else {\n\t\t\ts.renderInternalServerErrorPage(w, r, err)\n\t\t}\n\t} else {\n\t\tuser := dataprovider.User{BaseUser: sdk.BaseUser{\n\t\t\tStatus: 1,\n\t\t\tPermissions: map[string][]string{\n\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t},\n\t\t}}\n\t\tif admin.Filters.Preferences.DefaultUsersExpiration > 0 {\n\t\t\tuser.ExpirationDate = util.GetTimeAsMsSinceEpoch(time.Now().Add(24 * time.Hour * time.Duration(admin.Filters.Preferences.DefaultUsersExpiration)))\n\t\t}\n\t\ts.renderUserPage(w, r, &user, userPageModeTemplate, nil, &admin)\n\t}\n}\n\nfunc (s *httpdServer) handleWebTemplateUserPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\ttemplateUser, err := getUserFromPostFields(r)\n\tif err != nil {\n\t\ts.renderMessagePage(w, r, util.I18nTemplateUserTitle, http.StatusBadRequest, err, \"\")\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\n\tvar dump dataprovider.BackupData\n\n\tuserTmplFields := getUsersForTemplate(r)\n\tfor _, tmpl := range userTmplFields {\n\t\tu := getUserFromTemplate(templateUser, tmpl)\n\t\tif err := dataprovider.ValidateUser(&u); err != nil {\n\t\t\ts.renderMessagePage(w, r, util.I18nTemplateUserTitle, http.StatusBadRequest, err, \"\")\n\t\t\treturn\n\t\t}\n\t\tif claims.Role != \"\" {\n\t\t\tu.Role = claims.Role\n\t\t}\n\t\tdump.Users = append(dump.Users, u)\n\t}\n\n\tif len(dump.Users) == 0 {\n\t\ts.renderMessagePage(w, r, util.I18nTemplateUserTitle,\n\t\t\thttp.StatusBadRequest, util.NewI18nError(\n\t\t\t\terrors.New(\"no valid user defined, unable to complete the requested action\"),\n\t\t\t\tutil.I18nErrorUserTemplate,\n\t\t\t), \"\")\n\t\treturn\n\t}\n\tif err = RestoreUsers(dump.Users, \"\", 1, 0, claims.Username, ipAddr, claims.Role); err != nil {\n\t\ts.renderMessagePage(w, r, util.I18nTemplateUserTitle, getRespStatus(err), err, \"\")\n\t\treturn\n\t}\n\thttp.Redirect(w, r, webUsersPath, http.StatusSeeOther)\n}\n\nfunc (s *httpdServer) handleWebAddUserGet(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\ttokenAdmin := getAdminFromToken(r)\n\tadmin, err := dataprovider.AdminExists(tokenAdmin.Username)\n\tif err != nil {\n\t\ts.renderInternalServerErrorPage(w, r, fmt.Errorf(\"unable to get the admin %q: %w\", tokenAdmin.Username, err))\n\t\treturn\n\t}\n\tuser := dataprovider.User{BaseUser: sdk.BaseUser{\n\t\tStatus: 1,\n\t\tPermissions: map[string][]string{\n\t\t\t\"/\": {dataprovider.PermAny},\n\t\t}},\n\t}\n\tif admin.Filters.Preferences.DefaultUsersExpiration > 0 {\n\t\tuser.ExpirationDate = util.GetTimeAsMsSinceEpoch(time.Now().Add(24 * time.Hour * time.Duration(admin.Filters.Preferences.DefaultUsersExpiration)))\n\t}\n\ts.renderUserPage(w, r, &user, userPageModeAdd, nil, &admin)\n}\n\nfunc (s *httpdServer) handleWebUpdateUserGet(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\tusername := getURLParam(r, \"username\")\n\tuser, err := dataprovider.UserExists(username, claims.Role)\n\tif err == nil {\n\t\ts.renderUserPage(w, r, &user, userPageModeUpdate, nil, nil)\n\t} else if errors.Is(err, util.ErrNotFound) {\n\t\ts.renderNotFoundPage(w, r, err)\n\t} else {\n\t\ts.renderInternalServerErrorPage(w, r, err)\n\t}\n}\n\nfunc (s *httpdServer) handleWebAddUserPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\tuser, err := getUserFromPostFields(r)\n\tif err != nil {\n\t\ts.renderUserPage(w, r, &user, userPageModeAdd, err, nil)\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tuser = getUserFromTemplate(user, userTemplateFields{\n\t\tUsername: user.Username,\n\t\tPassword: user.Password,\n\t\tPublicKeys: user.PublicKeys,\n\t\tRequirePwdChange: user.Filters.RequirePasswordChange,\n\t})\n\tif claims.Role != \"\" {\n\t\tuser.Role = claims.Role\n\t}\n\tuser.Filters.RecoveryCodes = nil\n\tuser.Filters.TOTPConfig = dataprovider.UserTOTPConfig{\n\t\tEnabled: false,\n\t}\n\terr = dataprovider.AddUser(&user, claims.Username, ipAddr, claims.Role)\n\tif err != nil {\n\t\ts.renderUserPage(w, r, &user, userPageModeAdd, err, nil)\n\t\treturn\n\t}\n\thttp.Redirect(w, r, webUsersPath, http.StatusSeeOther)\n}\n\nfunc (s *httpdServer) handleWebUpdateUserPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\tusername := getURLParam(r, \"username\")\n\tuser, err := dataprovider.UserExists(username, claims.Role)\n\tif errors.Is(err, util.ErrNotFound) {\n\t\ts.renderNotFoundPage(w, r, err)\n\t\treturn\n\t} else if err != nil {\n\t\ts.renderInternalServerErrorPage(w, r, err)\n\t\treturn\n\t}\n\tupdatedUser, err := getUserFromPostFields(r)\n\tif err != nil {\n\t\ts.renderUserPage(w, r, &user, userPageModeUpdate, err, nil)\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tupdatedUser.ID = user.ID\n\tupdatedUser.Username = user.Username\n\tupdatedUser.Filters.RecoveryCodes = user.Filters.RecoveryCodes\n\tupdatedUser.Filters.TOTPConfig = user.Filters.TOTPConfig\n\tupdatedUser.LastPasswordChange = user.LastPasswordChange\n\tupdatedUser.SetEmptySecretsIfNil()\n\tif updatedUser.Password == redactedSecret {\n\t\tupdatedUser.Password = user.Password\n\t}\n\tupdateEncryptedSecrets(&updatedUser.FsConfig, &user.FsConfig)\n\n\tupdatedUser = getUserFromTemplate(updatedUser, userTemplateFields{\n\t\tUsername: updatedUser.Username,\n\t\tPassword: updatedUser.Password,\n\t\tPublicKeys: updatedUser.PublicKeys,\n\t\tRequirePwdChange: updatedUser.Filters.RequirePasswordChange,\n\t})\n\tif claims.Role != \"\" {\n\t\tupdatedUser.Role = claims.Role\n\t}\n\n\terr = dataprovider.UpdateUser(&updatedUser, claims.Username, ipAddr, claims.Role)\n\tif err != nil {\n\t\ts.renderUserPage(w, r, &updatedUser, userPageModeUpdate, err, nil)\n\t\treturn\n\t}\n\tif r.Form.Get(\"disconnect\") != \"\" {\n\t\tdisconnectUser(user.Username, claims.Username, claims.Role)\n\t}\n\thttp.Redirect(w, r, webUsersPath, http.StatusSeeOther)\n}\n\nfunc (s *httpdServer) handleWebGetStatus(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tdata := statusPage{\n\t\tbasePage: s.getBasePageData(util.I18nStatusTitle, webStatusPath, w, r),\n\t\tStatus: getServicesStatus(),\n\t}\n\trenderAdminTemplate(w, templateStatus, data)\n}\n\nfunc (s *httpdServer) handleWebGetConnections(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\n\tdata := s.getBasePageData(util.I18nSessionsTitle, webConnectionsPath, w, r)\n\trenderAdminTemplate(w, templateConnections, data)\n}\n\nfunc (s *httpdServer) handleWebAddFolderGet(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\ts.renderFolderPage(w, r, vfs.BaseVirtualFolder{}, folderPageModeAdd, nil)\n}\n\nfunc (s *httpdServer) handleWebAddFolderPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\tfolder := vfs.BaseVirtualFolder{}\n\terr = r.ParseMultipartForm(maxRequestSize)\n\tif err != nil {\n\t\ts.renderFolderPage(w, r, folder, folderPageModeAdd, util.NewI18nError(err, util.I18nErrorInvalidForm))\n\t\treturn\n\t}\n\tdefer r.MultipartForm.RemoveAll() //nolint:errcheck\n\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tfolder.MappedPath = strings.TrimSpace(r.Form.Get(\"mapped_path\"))\n\tfolder.Name = strings.TrimSpace(r.Form.Get(\"name\"))\n\tfolder.Description = r.Form.Get(\"description\")\n\tfsConfig, err := getFsConfigFromPostFields(r)\n\tif err != nil {\n\t\ts.renderFolderPage(w, r, folder, folderPageModeAdd, err)\n\t\treturn\n\t}\n\tfolder.FsConfig = fsConfig\n\tfolder = getFolderFromTemplate(folder, folder.Name)\n\n\terr = dataprovider.AddFolder(&folder, claims.Username, ipAddr, claims.Role)\n\tif err == nil {\n\t\thttp.Redirect(w, r, webFoldersPath, http.StatusSeeOther)\n\t} else {\n\t\ts.renderFolderPage(w, r, folder, folderPageModeAdd, err)\n\t}\n}\n\nfunc (s *httpdServer) handleWebUpdateFolderGet(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tname := getURLParam(r, \"name\")\n\tfolder, err := dataprovider.GetFolderByName(name)\n\tif err == nil {\n\t\ts.renderFolderPage(w, r, folder, folderPageModeUpdate, nil)\n\t} else if errors.Is(err, util.ErrNotFound) {\n\t\ts.renderNotFoundPage(w, r, err)\n\t} else {\n\t\ts.renderInternalServerErrorPage(w, r, err)\n\t}\n}\n\nfunc (s *httpdServer) handleWebUpdateFolderPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\tname := getURLParam(r, \"name\")\n\tfolder, err := dataprovider.GetFolderByName(name)\n\tif errors.Is(err, util.ErrNotFound) {\n\t\ts.renderNotFoundPage(w, r, err)\n\t\treturn\n\t} else if err != nil {\n\t\ts.renderInternalServerErrorPage(w, r, err)\n\t\treturn\n\t}\n\n\terr = r.ParseMultipartForm(maxRequestSize)\n\tif err != nil {\n\t\ts.renderFolderPage(w, r, folder, folderPageModeUpdate, util.NewI18nError(err, util.I18nErrorInvalidForm))\n\t\treturn\n\t}\n\tdefer r.MultipartForm.RemoveAll() //nolint:errcheck\n\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tfsConfig, err := getFsConfigFromPostFields(r)\n\tif err != nil {\n\t\ts.renderFolderPage(w, r, folder, folderPageModeUpdate, err)\n\t\treturn\n\t}\n\tupdatedFolder := vfs.BaseVirtualFolder{\n\t\tMappedPath: strings.TrimSpace(r.Form.Get(\"mapped_path\")),\n\t\tDescription: r.Form.Get(\"description\"),\n\t}\n\tupdatedFolder.ID = folder.ID\n\tupdatedFolder.Name = folder.Name\n\tupdatedFolder.FsConfig = fsConfig\n\tupdatedFolder.FsConfig.SetEmptySecretsIfNil()\n\tupdateEncryptedSecrets(&updatedFolder.FsConfig, &folder.FsConfig)\n\n\tupdatedFolder = getFolderFromTemplate(updatedFolder, updatedFolder.Name)\n\n\terr = dataprovider.UpdateFolder(&updatedFolder, folder.Users, folder.Groups, claims.Username, ipAddr, claims.Role)\n\tif err != nil {\n\t\ts.renderFolderPage(w, r, updatedFolder, folderPageModeUpdate, err)\n\t\treturn\n\t}\n\thttp.Redirect(w, r, webFoldersPath, http.StatusSeeOther)\n}\n\nfunc (s *httpdServer) getWebVirtualFolders(w http.ResponseWriter, r *http.Request, limit int, minimal bool) ([]vfs.BaseVirtualFolder, error) {\n\tfolders := make([]vfs.BaseVirtualFolder, 0, 50)\n\tfor {\n\t\tf, err := dataprovider.GetFolders(limit, len(folders), dataprovider.OrderASC, minimal)\n\t\tif err != nil {\n\t\t\ts.renderInternalServerErrorPage(w, r, err)\n\t\t\treturn folders, err\n\t\t}\n\t\tfolders = append(folders, f...)\n\t\tif len(f) < limit {\n\t\t\tbreak\n\t\t}\n\t}\n\treturn folders, nil\n}\n\nfunc getAllFolders(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tdataGetter := func(limit, offset int) ([]byte, int, error) {\n\t\tresults, err := dataprovider.GetFolders(limit, offset, dataprovider.OrderASC, false)\n\t\tif err != nil {\n\t\t\treturn nil, 0, err\n\t\t}\n\t\tdata, err := json.Marshal(results)\n\t\treturn data, len(results), err\n\t}\n\n\tstreamJSONArray(w, defaultQueryLimit, dataGetter)\n}\n\nfunc (s *httpdServer) handleWebGetFolders(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tdata := s.getBasePageData(util.I18nFoldersTitle, webFoldersPath, w, r)\n\trenderAdminTemplate(w, templateFolders, data)\n}\n\nfunc (s *httpdServer) getWebGroups(w http.ResponseWriter, r *http.Request, limit int, minimal bool) ([]dataprovider.Group, error) {\n\tgroups := make([]dataprovider.Group, 0, 50)\n\tfor {\n\t\tf, err := dataprovider.GetGroups(limit, len(groups), dataprovider.OrderASC, minimal)\n\t\tif err != nil {\n\t\t\ts.renderInternalServerErrorPage(w, r, err)\n\t\t\treturn groups, err\n\t\t}\n\t\tgroups = append(groups, f...)\n\t\tif len(f) < limit {\n\t\t\tbreak\n\t\t}\n\t}\n\treturn groups, nil\n}\n\nfunc getAllGroups(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tdataGetter := func(limit, offset int) ([]byte, int, error) {\n\t\tresults, err := dataprovider.GetGroups(limit, offset, dataprovider.OrderASC, false)\n\t\tif err != nil {\n\t\t\treturn nil, 0, err\n\t\t}\n\t\tdata, err := json.Marshal(results)\n\t\treturn data, len(results), err\n\t}\n\n\tstreamJSONArray(w, defaultQueryLimit, dataGetter)\n}\n\nfunc (s *httpdServer) handleWebGetGroups(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tdata := s.getBasePageData(util.I18nGroupsTitle, webGroupsPath, w, r)\n\trenderAdminTemplate(w, templateGroups, data)\n}\n\nfunc (s *httpdServer) handleWebAddGroupGet(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\ts.renderGroupPage(w, r, dataprovider.Group{}, genericPageModeAdd, nil)\n}\n\nfunc (s *httpdServer) handleWebAddGroupPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\tgroup, err := getGroupFromPostFields(r)\n\tif err != nil {\n\t\ts.renderGroupPage(w, r, group, genericPageModeAdd, err)\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\terr = dataprovider.AddGroup(&group, claims.Username, ipAddr, claims.Role)\n\tif err != nil {\n\t\ts.renderGroupPage(w, r, group, genericPageModeAdd, err)\n\t\treturn\n\t}\n\thttp.Redirect(w, r, webGroupsPath, http.StatusSeeOther)\n}\n\nfunc (s *httpdServer) handleWebUpdateGroupGet(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tname := getURLParam(r, \"name\")\n\tgroup, err := dataprovider.GroupExists(name)\n\tif err == nil {\n\t\ts.renderGroupPage(w, r, group, genericPageModeUpdate, nil)\n\t} else if errors.Is(err, util.ErrNotFound) {\n\t\ts.renderNotFoundPage(w, r, err)\n\t} else {\n\t\ts.renderInternalServerErrorPage(w, r, err)\n\t}\n}\n\nfunc (s *httpdServer) handleWebUpdateGroupPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\tname := getURLParam(r, \"name\")\n\tgroup, err := dataprovider.GroupExists(name)\n\tif errors.Is(err, util.ErrNotFound) {\n\t\ts.renderNotFoundPage(w, r, err)\n\t\treturn\n\t} else if err != nil {\n\t\ts.renderInternalServerErrorPage(w, r, err)\n\t\treturn\n\t}\n\tupdatedGroup, err := getGroupFromPostFields(r)\n\tif err != nil {\n\t\ts.renderGroupPage(w, r, group, genericPageModeUpdate, err)\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tupdatedGroup.ID = group.ID\n\tupdatedGroup.Name = group.Name\n\tupdatedGroup.SetEmptySecretsIfNil()\n\n\tupdateEncryptedSecrets(&updatedGroup.UserSettings.FsConfig, &group.UserSettings.FsConfig)\n\n\terr = dataprovider.UpdateGroup(&updatedGroup, group.Users, claims.Username, ipAddr, claims.Role)\n\tif err != nil {\n\t\ts.renderGroupPage(w, r, updatedGroup, genericPageModeUpdate, err)\n\t\treturn\n\t}\n\thttp.Redirect(w, r, webGroupsPath, http.StatusSeeOther)\n}\n\nfunc (s *httpdServer) getWebEventActions(w http.ResponseWriter, r *http.Request, limit int, minimal bool,\n) ([]dataprovider.BaseEventAction, error) {\n\tactions := make([]dataprovider.BaseEventAction, 0, limit)\n\tfor {\n\t\tres, err := dataprovider.GetEventActions(limit, len(actions), dataprovider.OrderASC, minimal)\n\t\tif err != nil {\n\t\t\ts.renderInternalServerErrorPage(w, r, err)\n\t\t\treturn actions, err\n\t\t}\n\t\tactions = append(actions, res...)\n\t\tif len(res) < limit {\n\t\t\tbreak\n\t\t}\n\t}\n\treturn actions, nil\n}\n\nfunc getAllActions(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tdataGetter := func(limit, offset int) ([]byte, int, error) {\n\t\tresults, err := dataprovider.GetEventActions(limit, offset, dataprovider.OrderASC, false)\n\t\tif err != nil {\n\t\t\treturn nil, 0, err\n\t\t}\n\t\tdata, err := json.Marshal(results)\n\t\treturn data, len(results), err\n\t}\n\n\tstreamJSONArray(w, defaultQueryLimit, dataGetter)\n}\n\nfunc (s *httpdServer) handleWebGetEventActions(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tdata := s.getBasePageData(util.I18nActionsTitle, webAdminEventActionsPath, w, r)\n\trenderAdminTemplate(w, templateEventActions, data)\n}\n\nfunc (s *httpdServer) handleWebAddEventActionGet(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\taction := dataprovider.BaseEventAction{\n\t\tType: dataprovider.ActionTypeHTTP,\n\t}\n\ts.renderEventActionPage(w, r, action, genericPageModeAdd, nil)\n}\n\nfunc (s *httpdServer) handleWebAddEventActionPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\taction, err := getEventActionFromPostFields(r)\n\tif err != nil {\n\t\ts.renderEventActionPage(w, r, action, genericPageModeAdd, err)\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tif err = dataprovider.AddEventAction(&action, claims.Username, ipAddr, claims.Role); err != nil {\n\t\ts.renderEventActionPage(w, r, action, genericPageModeAdd, err)\n\t\treturn\n\t}\n\thttp.Redirect(w, r, webAdminEventActionsPath, http.StatusSeeOther)\n}\n\nfunc (s *httpdServer) handleWebUpdateEventActionGet(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tname := getURLParam(r, \"name\")\n\taction, err := dataprovider.EventActionExists(name)\n\tif err == nil {\n\t\ts.renderEventActionPage(w, r, action, genericPageModeUpdate, nil)\n\t} else if errors.Is(err, util.ErrNotFound) {\n\t\ts.renderNotFoundPage(w, r, err)\n\t} else {\n\t\ts.renderInternalServerErrorPage(w, r, err)\n\t}\n}\n\nfunc (s *httpdServer) handleWebUpdateEventActionPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\tname := getURLParam(r, \"name\")\n\taction, err := dataprovider.EventActionExists(name)\n\tif errors.Is(err, util.ErrNotFound) {\n\t\ts.renderNotFoundPage(w, r, err)\n\t\treturn\n\t} else if err != nil {\n\t\ts.renderInternalServerErrorPage(w, r, err)\n\t\treturn\n\t}\n\tupdatedAction, err := getEventActionFromPostFields(r)\n\tif err != nil {\n\t\ts.renderEventActionPage(w, r, updatedAction, genericPageModeUpdate, err)\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tupdatedAction.ID = action.ID\n\tupdatedAction.Name = action.Name\n\tupdatedAction.Options.SetEmptySecretsIfNil()\n\tswitch updatedAction.Type {\n\tcase dataprovider.ActionTypeHTTP:\n\t\tif updatedAction.Options.HTTPConfig.Password.IsNotPlainAndNotEmpty() {\n\t\t\tupdatedAction.Options.HTTPConfig.Password = action.Options.HTTPConfig.Password\n\t\t}\n\t}\n\terr = dataprovider.UpdateEventAction(&updatedAction, claims.Username, ipAddr, claims.Role)\n\tif err != nil {\n\t\ts.renderEventActionPage(w, r, updatedAction, genericPageModeUpdate, err)\n\t\treturn\n\t}\n\thttp.Redirect(w, r, webAdminEventActionsPath, http.StatusSeeOther)\n}\n\nfunc getAllRules(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tdataGetter := func(limit, offset int) ([]byte, int, error) {\n\t\tresults, err := dataprovider.GetEventRules(limit, offset, dataprovider.OrderASC)\n\t\tif err != nil {\n\t\t\treturn nil, 0, err\n\t\t}\n\t\tdata, err := json.Marshal(results)\n\t\treturn data, len(results), err\n\t}\n\n\tstreamJSONArray(w, defaultQueryLimit, dataGetter)\n}\n\nfunc (s *httpdServer) handleWebGetEventRules(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tdata := s.getBasePageData(util.I18nRulesTitle, webAdminEventRulesPath, w, r)\n\trenderAdminTemplate(w, templateEventRules, data)\n}\n\nfunc (s *httpdServer) handleWebAddEventRuleGet(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\trule := dataprovider.EventRule{\n\t\tStatus: 1,\n\t\tTrigger: dataprovider.EventTriggerFsEvent,\n\t}\n\ts.renderEventRulePage(w, r, rule, genericPageModeAdd, nil)\n}\n\nfunc (s *httpdServer) handleWebAddEventRulePost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\trule, err := getEventRuleFromPostFields(r)\n\tif err != nil {\n\t\ts.renderEventRulePage(w, r, rule, genericPageModeAdd, err)\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\terr = verifyCSRFToken(r, s.csrfTokenAuth)\n\tif err != nil {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tif err = dataprovider.AddEventRule(&rule, claims.Username, ipAddr, claims.Role); err != nil {\n\t\ts.renderEventRulePage(w, r, rule, genericPageModeAdd, err)\n\t\treturn\n\t}\n\thttp.Redirect(w, r, webAdminEventRulesPath, http.StatusSeeOther)\n}\n\nfunc (s *httpdServer) handleWebUpdateEventRuleGet(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tname := getURLParam(r, \"name\")\n\trule, err := dataprovider.EventRuleExists(name)\n\tif err == nil {\n\t\ts.renderEventRulePage(w, r, rule, genericPageModeUpdate, nil)\n\t} else if errors.Is(err, util.ErrNotFound) {\n\t\ts.renderNotFoundPage(w, r, err)\n\t} else {\n\t\ts.renderInternalServerErrorPage(w, r, err)\n\t}\n}\n\nfunc (s *httpdServer) handleWebUpdateEventRulePost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\tname := getURLParam(r, \"name\")\n\trule, err := dataprovider.EventRuleExists(name)\n\tif errors.Is(err, util.ErrNotFound) {\n\t\ts.renderNotFoundPage(w, r, err)\n\t\treturn\n\t} else if err != nil {\n\t\ts.renderInternalServerErrorPage(w, r, err)\n\t\treturn\n\t}\n\tupdatedRule, err := getEventRuleFromPostFields(r)\n\tif err != nil {\n\t\ts.renderEventRulePage(w, r, updatedRule, genericPageModeUpdate, err)\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tupdatedRule.ID = rule.ID\n\tupdatedRule.Name = rule.Name\n\terr = dataprovider.UpdateEventRule(&updatedRule, claims.Username, ipAddr, claims.Role)\n\tif err != nil {\n\t\ts.renderEventRulePage(w, r, updatedRule, genericPageModeUpdate, err)\n\t\treturn\n\t}\n\thttp.Redirect(w, r, webAdminEventRulesPath, http.StatusSeeOther)\n}\n\nfunc (s *httpdServer) getWebRoles(w http.ResponseWriter, r *http.Request, limit int, minimal bool) ([]dataprovider.Role, error) {\n\troles := make([]dataprovider.Role, 0, 10)\n\tfor {\n\t\tres, err := dataprovider.GetRoles(limit, len(roles), dataprovider.OrderASC, minimal)\n\t\tif err != nil {\n\t\t\ts.renderInternalServerErrorPage(w, r, err)\n\t\t\treturn roles, err\n\t\t}\n\t\troles = append(roles, res...)\n\t\tif len(res) < limit {\n\t\t\tbreak\n\t\t}\n\t}\n\treturn roles, nil\n}\n\nfunc getAllRoles(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tdataGetter := func(limit, offset int) ([]byte, int, error) {\n\t\tresults, err := dataprovider.GetRoles(limit, offset, dataprovider.OrderASC, false)\n\t\tif err != nil {\n\t\t\treturn nil, 0, err\n\t\t}\n\t\tdata, err := json.Marshal(results)\n\t\treturn data, len(results), err\n\t}\n\n\tstreamJSONArray(w, defaultQueryLimit, dataGetter)\n}\n\nfunc (s *httpdServer) handleWebGetRoles(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tdata := s.getBasePageData(util.I18nRolesTitle, webAdminRolesPath, w, r)\n\n\trenderAdminTemplate(w, templateRoles, data)\n}\n\nfunc (s *httpdServer) handleWebAddRoleGet(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\ts.renderRolePage(w, r, dataprovider.Role{}, genericPageModeAdd, nil)\n}\n\nfunc (s *httpdServer) handleWebAddRolePost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\trole, err := getRoleFromPostFields(r)\n\tif err != nil {\n\t\ts.renderRolePage(w, r, role, genericPageModeAdd, err)\n\t\treturn\n\t}\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\terr = dataprovider.AddRole(&role, claims.Username, ipAddr, claims.Role)\n\tif err != nil {\n\t\ts.renderRolePage(w, r, role, genericPageModeAdd, err)\n\t\treturn\n\t}\n\thttp.Redirect(w, r, webAdminRolesPath, http.StatusSeeOther)\n}\n\nfunc (s *httpdServer) handleWebUpdateRoleGet(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\trole, err := dataprovider.RoleExists(getURLParam(r, \"name\"))\n\tif err == nil {\n\t\ts.renderRolePage(w, r, role, genericPageModeUpdate, nil)\n\t} else if errors.Is(err, util.ErrNotFound) {\n\t\ts.renderNotFoundPage(w, r, err)\n\t} else {\n\t\ts.renderInternalServerErrorPage(w, r, err)\n\t}\n}\n\nfunc (s *httpdServer) handleWebUpdateRolePost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\trole, err := dataprovider.RoleExists(getURLParam(r, \"name\"))\n\tif errors.Is(err, util.ErrNotFound) {\n\t\ts.renderNotFoundPage(w, r, err)\n\t\treturn\n\t} else if err != nil {\n\t\ts.renderInternalServerErrorPage(w, r, err)\n\t\treturn\n\t}\n\n\tupdatedRole, err := getRoleFromPostFields(r)\n\tif err != nil {\n\t\ts.renderRolePage(w, r, role, genericPageModeUpdate, err)\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tupdatedRole.ID = role.ID\n\tupdatedRole.Name = role.Name\n\terr = dataprovider.UpdateRole(&updatedRole, claims.Username, ipAddr, claims.Role)\n\tif err != nil {\n\t\ts.renderRolePage(w, r, updatedRole, genericPageModeUpdate, err)\n\t\treturn\n\t}\n\thttp.Redirect(w, r, webAdminRolesPath, http.StatusSeeOther)\n}\n\nfunc (s *httpdServer) handleWebGetEvents(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tdata := eventsPage{\n\t\tbasePage: s.getBasePageData(util.I18nEventsTitle, webEventsPath, w, r),\n\t\tFsEventsSearchURL: webEventsFsSearchPath,\n\t\tProviderEventsSearchURL: webEventsProviderSearchPath,\n\t\tLogEventsSearchURL: webEventsLogSearchPath,\n\t}\n\trenderAdminTemplate(w, templateEvents, data)\n}\n\nfunc (s *httpdServer) handleWebIPListsPage(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\trtlStatus, rtlProtocols := common.Config.GetRateLimitersStatus()\n\tdata := ipListsPage{\n\t\tbasePage: s.getBasePageData(util.I18nIPListsTitle, webIPListsPath, w, r),\n\t\tRateLimitersStatus: rtlStatus,\n\t\tRateLimitersProtocols: strings.Join(rtlProtocols, \", \"),\n\t\tIsAllowListEnabled: common.Config.IsAllowListEnabled(),\n\t}\n\n\trenderAdminTemplate(w, templateIPLists, data)\n}\n\nfunc (s *httpdServer) handleWebAddIPListEntryGet(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tlistType, _, err := getIPListPathParams(r)\n\tif err != nil {\n\t\ts.renderBadRequestPage(w, r, err)\n\t\treturn\n\t}\n\ts.renderIPListPage(w, r, dataprovider.IPListEntry{Type: listType}, genericPageModeAdd, nil)\n}\n\nfunc (s *httpdServer) handleWebAddIPListEntryPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tlistType, _, err := getIPListPathParams(r)\n\tif err != nil {\n\t\ts.renderBadRequestPage(w, r, err)\n\t\treturn\n\t}\n\tentry, err := getIPListEntryFromPostFields(r, listType)\n\tif err != nil {\n\t\ts.renderIPListPage(w, r, entry, genericPageModeAdd, err)\n\t\treturn\n\t}\n\tentry.Type = listType\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\terr = dataprovider.AddIPListEntry(&entry, claims.Username, ipAddr, claims.Role)\n\tif err != nil {\n\t\ts.renderIPListPage(w, r, entry, genericPageModeAdd, err)\n\t\treturn\n\t}\n\thttp.Redirect(w, r, webIPListsPath, http.StatusSeeOther)\n}\n\nfunc (s *httpdServer) handleWebUpdateIPListEntryGet(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tlistType, ipOrNet, err := getIPListPathParams(r)\n\tif err != nil {\n\t\ts.renderBadRequestPage(w, r, err)\n\t\treturn\n\t}\n\tentry, err := dataprovider.IPListEntryExists(ipOrNet, listType)\n\tif err == nil {\n\t\ts.renderIPListPage(w, r, entry, genericPageModeUpdate, nil)\n\t} else if errors.Is(err, util.ErrNotFound) {\n\t\ts.renderNotFoundPage(w, r, err)\n\t} else {\n\t\ts.renderInternalServerErrorPage(w, r, err)\n\t}\n}\n\nfunc (s *httpdServer) handleWebUpdateIPListEntryPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\tlistType, ipOrNet, err := getIPListPathParams(r)\n\tif err != nil {\n\t\ts.renderBadRequestPage(w, r, err)\n\t\treturn\n\t}\n\tentry, err := dataprovider.IPListEntryExists(ipOrNet, listType)\n\tif errors.Is(err, util.ErrNotFound) {\n\t\ts.renderNotFoundPage(w, r, err)\n\t\treturn\n\t} else if err != nil {\n\t\ts.renderInternalServerErrorPage(w, r, err)\n\t\treturn\n\t}\n\tupdatedEntry, err := getIPListEntryFromPostFields(r, listType)\n\tif err != nil {\n\t\ts.renderIPListPage(w, r, entry, genericPageModeUpdate, err)\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tupdatedEntry.Type = listType\n\tupdatedEntry.IPOrNet = ipOrNet\n\terr = dataprovider.UpdateIPListEntry(&updatedEntry, claims.Username, ipAddr, claims.Role)\n\tif err != nil {\n\t\ts.renderIPListPage(w, r, entry, genericPageModeUpdate, err)\n\t\treturn\n\t}\n\thttp.Redirect(w, r, webIPListsPath, http.StatusSeeOther)\n}\n\nfunc (s *httpdServer) handleWebConfigs(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tconfigs, err := dataprovider.GetConfigs()\n\tif err != nil {\n\t\ts.renderInternalServerErrorPage(w, r, err)\n\t\treturn\n\t}\n\ts.renderConfigsPage(w, r, configs, nil, 0)\n}\n\nfunc (s *httpdServer) handleWebConfigsPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\tconfigs, err := dataprovider.GetConfigs()\n\tif err != nil {\n\t\ts.renderInternalServerErrorPage(w, r, err)\n\t\treturn\n\t}\n\terr = r.ParseMultipartForm(maxRequestSize)\n\tif err != nil {\n\t\ts.renderBadRequestPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidForm))\n\t\treturn\n\t}\n\tdefer r.MultipartForm.RemoveAll() //nolint:errcheck\n\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tvar configSection int\n\tswitch r.Form.Get(\"form_action\") {\n\tcase \"sftp_submit\":\n\t\tconfigSection = 1\n\t\tsftpConfigs := getSFTPConfigsFromPostFields(r)\n\t\tconfigs.SFTPD = sftpConfigs\n\tcase \"acme_submit\":\n\t\tconfigSection = 2\n\t\tacmeConfigs := getACMEConfigsFromPostFields(r)\n\t\tconfigs.ACME = acmeConfigs\n\t\tif err := acme.GetCertificatesForConfig(acmeConfigs, configurationDir); err != nil {\n\t\t\tlogger.Info(logSender, \"\", \"unable to get ACME certificates: %v\", err)\n\t\t\ts.renderConfigsPage(w, r, configs, util.NewI18nError(err, util.I18nErrorACMEGeneric), configSection)\n\t\t\treturn\n\t\t}\n\tcase \"smtp_submit\":\n\t\tconfigSection = 3\n\t\tsmtpConfigs := getSMTPConfigsFromPostFields(r)\n\t\tupdateSMTPSecrets(smtpConfigs, configs.SMTP)\n\t\tconfigs.SMTP = smtpConfigs\n\tcase \"branding_submit\":\n\t\tconfigSection = 4\n\t\tbrandingConfigs, err := getBrandingConfigFromPostFields(r, configs.Branding)\n\t\tconfigs.Branding = brandingConfigs\n\t\tif err != nil {\n\t\t\tlogger.Info(logSender, \"\", \"unable to get branding config: %v\", err)\n\t\t\ts.renderConfigsPage(w, r, configs, err, configSection)\n\t\t\treturn\n\t\t}\n\tdefault:\n\t\ts.renderBadRequestPage(w, r, errors.New(\"unsupported form action\"))\n\t\treturn\n\t}\n\n\terr = dataprovider.UpdateConfigs(&configs, claims.Username, ipAddr, claims.Role)\n\tif err != nil {\n\t\ts.renderConfigsPage(w, r, configs, err, configSection)\n\t\treturn\n\t}\n\tpostConfigsUpdate(configSection, configs)\n\ts.renderMessagePage(w, r, util.I18nConfigsTitle, http.StatusOK, nil, util.I18nConfigsOK)\n}\n\nfunc postConfigsUpdate(section int, configs dataprovider.Configs) {\n\tswitch section {\n\tcase 3:\n\t\terr := configs.SMTP.TryDecrypt()\n\t\tif err == nil {\n\t\t\tsmtp.Activate(configs.SMTP)\n\t\t} else {\n\t\t\tlogger.Error(logSender, \"\", \"unable to decrypt SMTP configuration, cannot activate configuration: %v\", err)\n\t\t}\n\tcase 4:\n\t\tdbBrandingConfig.Set(configs.Branding)\n\t}\n}\n\nfunc (s *httpdServer) handleOAuth2TokenRedirect(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tstateToken := r.URL.Query().Get(\"state\")\n\n\tstate, err := verifyOAuth2Token(s.csrfTokenAuth, stateToken, util.GetIPFromRemoteAddress(r.RemoteAddr))\n\tif err != nil {\n\t\ts.renderMessagePage(w, r, util.I18nOAuth2ErrorTitle, http.StatusBadRequest, err, \"\")\n\t\treturn\n\t}\n\n\tpendingAuth, err := oauth2Mgr.getPendingAuth(state)\n\tif err != nil {\n\t\toauth2Mgr.removePendingAuth(state)\n\t\ts.renderMessagePage(w, r, util.I18nOAuth2ErrorTitle, http.StatusInternalServerError,\n\t\t\tutil.NewI18nError(err, util.I18nOAuth2ErrorValidateState), \"\")\n\t\treturn\n\t}\n\toauth2Mgr.removePendingAuth(state)\n\n\toauth2Config := smtp.OAuth2Config{\n\t\tProvider: pendingAuth.Provider,\n\t\tClientID: pendingAuth.ClientID,\n\t\tClientSecret: pendingAuth.ClientSecret.GetPayload(),\n\t}\n\tctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)\n\tdefer cancel()\n\n\tcfg := oauth2Config.GetOAuth2()\n\tcfg.RedirectURL = pendingAuth.RedirectURL\n\ttoken, err := cfg.Exchange(ctx, r.URL.Query().Get(\"code\"), oauth2.VerifierOption(pendingAuth.Verifier))\n\tif err != nil {\n\t\ts.renderMessagePage(w, r, util.I18nOAuth2ErrorTitle, http.StatusInternalServerError,\n\t\t\tutil.NewI18nError(err, util.I18nOAuth2ErrTokenExchange), \"\")\n\t\treturn\n\t}\n\tif token.RefreshToken == \"\" {\n\t\terrTxt := \"the OAuth2 provider returned an empty token. \" +\n\t\t\t\"Some providers only return the token when the user first authorizes. \" +\n\t\t\t\"If you have already registered SFTPGo with this user in the past, revoke access and try again. \" +\n\t\t\t\"This way you will invalidate the previous token\"\n\t\ts.renderMessagePage(w, r, util.I18nOAuth2ErrorTitle, http.StatusBadRequest,\n\t\t\tutil.NewI18nError(errors.New(errTxt), util.I18nOAuth2ErrNoRefreshToken), \"\")\n\t\treturn\n\t}\n\ts.renderMessagePageWithString(w, r, util.I18nOAuth2Title, http.StatusOK, nil, util.I18nOAuth2OK,\n\t\tfmt.Sprintf(\"%q\", token.RefreshToken))\n}\n\nfunc updateSMTPSecrets(newConfigs, currentConfigs *dataprovider.SMTPConfigs) {\n\tif currentConfigs == nil {\n\t\tcurrentConfigs = &dataprovider.SMTPConfigs{}\n\t}\n\tif newConfigs.Password.IsNotPlainAndNotEmpty() {\n\t\tnewConfigs.Password = currentConfigs.Password\n\t}\n\tif newConfigs.OAuth2.ClientSecret.IsNotPlainAndNotEmpty() {\n\t\tnewConfigs.OAuth2.ClientSecret = currentConfigs.OAuth2.ClientSecret\n\t}\n\tif newConfigs.OAuth2.RefreshToken.IsNotPlainAndNotEmpty() {\n\t\tnewConfigs.OAuth2.RefreshToken = currentConfigs.OAuth2.RefreshToken\n\t}\n}\n" }, { "path": "internal/httpd/webclient.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"bytes\"\n\t\"crypto/rand\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"html/template\"\n\t\"io\"\n\t\"math\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"slices\"\n\t\"strconv\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/go-chi/render\"\n\t\"github.com/rs/xid\"\n\t\"github.com/sftpgo/sdk\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/jwt\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/mfa\"\n\t\"github.com/drakkan/sftpgo/v2/internal/smtp\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nconst (\n\ttemplateClientDir = \"webclient\"\n\ttemplateClientBase = \"base.html\"\n\ttemplateClientFiles = \"files.html\"\n\ttemplateClientProfile = \"profile.html\"\n\ttemplateClientMFA = \"mfa.html\"\n\ttemplateClientEditFile = \"editfile.html\"\n\ttemplateClientShare = \"share.html\"\n\ttemplateClientShares = \"shares.html\"\n\ttemplateClientViewPDF = \"viewpdf.html\"\n\ttemplateShareLogin = \"sharelogin.html\"\n\ttemplateShareDownload = \"sharedownload.html\"\n\ttemplateUploadToShare = \"shareupload.html\"\n)\n\n// condResult is the result of an HTTP request precondition check.\n// See https://tools.ietf.org/html/rfc7232 section 3.\ntype condResult int\n\nconst (\n\tcondNone condResult = iota\n\tcondTrue\n\tcondFalse\n)\n\nvar (\n\tclientTemplates = make(map[string]*template.Template)\n\tunixEpochTime = time.Unix(0, 0)\n)\n\n// isZeroTime reports whether t is obviously unspecified (either zero or Unix()=0).\nfunc isZeroTime(t time.Time) bool {\n\treturn t.IsZero() || t.Equal(unixEpochTime)\n}\n\ntype baseClientPage struct {\n\tcommonBasePage\n\tTitle string\n\tCurrentURL string\n\tFilesURL string\n\tSharesURL string\n\tShareURL string\n\tProfileURL string\n\tPingURL string\n\tChangePwdURL string\n\tLogoutURL string\n\tLoginURL string\n\tEditURL string\n\tMFAURL string\n\tCSRFToken string\n\tLoggedUser *dataprovider.User\n\tIsLoggedToShare bool\n\tBranding UIBranding\n\tLanguages []string\n}\n\ntype dirMapping struct {\n\tDirName string\n\tHref string\n}\n\ntype viewPDFPage struct {\n\tcommonBasePage\n\tTitle string\n\tURL string\n\tBranding UIBranding\n\tLanguages []string\n}\n\ntype editFilePage struct {\n\tbaseClientPage\n\tCurrentDir string\n\tFileURL string\n\tPath string\n\tName string\n\tReadOnly bool\n\tData string\n}\n\ntype filesPage struct {\n\tbaseClientPage\n\tCurrentDir string\n\tDirsURL string\n\tFileActionsURL string\n\tCheckExistURL string\n\tDownloadURL string\n\tViewPDFURL string\n\tFileURL string\n\tTasksURL string\n\tCanAddFiles bool\n\tCanCreateDirs bool\n\tCanRename bool\n\tCanDelete bool\n\tCanDownload bool\n\tCanShare bool\n\tCanCopy bool\n\tShareUploadBaseURL string\n\tError *util.I18nError\n\tPaths []dirMapping\n\tQuotaUsage *userQuotaUsage\n\tKeepAliveInterval int\n}\n\ntype shareLoginPage struct {\n\tcommonBasePage\n\tCurrentURL string\n\tError *util.I18nError\n\tCSRFToken string\n\tTitle string\n\tBranding UIBranding\n\tLanguages []string\n\tCheckRedirect bool\n}\n\ntype shareDownloadPage struct {\n\tbaseClientPage\n\tDownloadLink string\n}\n\ntype shareUploadPage struct {\n\tbaseClientPage\n\tShare *dataprovider.Share\n\tUploadBasePath string\n}\n\ntype clientMessagePage struct {\n\tbaseClientPage\n\tError *util.I18nError\n\tSuccess string\n\tText string\n}\n\ntype clientProfilePage struct {\n\tbaseClientPage\n\tPublicKeys []string\n\tTLSCerts []string\n\tCanSubmit bool\n\tAllowAPIKeyAuth bool\n\tEmail string\n\tAdditionalEmails []string\n\tAdditionalEmailsString string\n\tDescription string\n\tError *util.I18nError\n}\n\ntype changeClientPasswordPage struct {\n\tbaseClientPage\n\tError *util.I18nError\n}\n\ntype clientMFAPage struct {\n\tbaseClientPage\n\tTOTPConfigs []string\n\tTOTPConfig dataprovider.UserTOTPConfig\n\tGenerateTOTPURL string\n\tValidateTOTPURL string\n\tSaveTOTPURL string\n\tRecCodesURL string\n\tProtocols []string\n\tRequiredProtocols []string\n}\n\ntype clientSharesPage struct {\n\tbaseClientPage\n\tBasePublicSharesURL string\n\tBaseURL string\n}\n\ntype clientSharePage struct {\n\tbaseClientPage\n\tShare *dataprovider.Share\n\tError *util.I18nError\n\tIsAdd bool\n}\n\ntype userQuotaUsage struct {\n\tQuotaSize int64\n\tQuotaFiles int\n\tUsedQuotaSize int64\n\tUsedQuotaFiles int\n\tUploadDataTransfer int64\n\tDownloadDataTransfer int64\n\tTotalDataTransfer int64\n\tUsedUploadDataTransfer int64\n\tUsedDownloadDataTransfer int64\n}\n\nfunc (u *userQuotaUsage) HasQuotaInfo() bool {\n\tif dataprovider.GetQuotaTracking() == 0 {\n\t\treturn false\n\t}\n\tif u.HasDiskQuota() {\n\t\treturn true\n\t}\n\treturn u.HasTranferQuota()\n}\n\nfunc (u *userQuotaUsage) HasDiskQuota() bool {\n\tif u.QuotaSize > 0 || u.UsedQuotaSize > 0 {\n\t\treturn true\n\t}\n\treturn u.QuotaFiles > 0 || u.UsedQuotaFiles > 0\n}\n\nfunc (u *userQuotaUsage) HasTranferQuota() bool {\n\tif u.TotalDataTransfer > 0 || u.UploadDataTransfer > 0 || u.DownloadDataTransfer > 0 {\n\t\treturn true\n\t}\n\treturn u.UsedDownloadDataTransfer > 0 || u.UsedUploadDataTransfer > 0\n}\n\nfunc (u *userQuotaUsage) GetQuotaSize() string {\n\tif u.QuotaSize > 0 {\n\t\treturn fmt.Sprintf(\"%s/%s\", util.ByteCountIEC(u.UsedQuotaSize), util.ByteCountIEC(u.QuotaSize))\n\t}\n\tif u.UsedQuotaSize > 0 {\n\t\treturn util.ByteCountIEC(u.UsedQuotaSize)\n\t}\n\treturn \"\"\n}\n\nfunc (u *userQuotaUsage) GetQuotaFiles() string {\n\tif u.QuotaFiles > 0 {\n\t\treturn fmt.Sprintf(\"%d/%d\", u.UsedQuotaFiles, u.QuotaFiles)\n\t}\n\tif u.UsedQuotaFiles > 0 {\n\t\treturn strconv.FormatInt(int64(u.UsedQuotaFiles), 10)\n\t}\n\treturn \"\"\n}\n\nfunc (u *userQuotaUsage) GetQuotaSizePercentage() int {\n\tif u.QuotaSize > 0 {\n\t\treturn int(math.Round(100 * float64(u.UsedQuotaSize) / float64(u.QuotaSize)))\n\t}\n\treturn 0\n}\n\nfunc (u *userQuotaUsage) GetQuotaFilesPercentage() int {\n\tif u.QuotaFiles > 0 {\n\t\treturn int(math.Round(100 * float64(u.UsedQuotaFiles) / float64(u.QuotaFiles)))\n\t}\n\treturn 0\n}\n\nfunc (u *userQuotaUsage) IsQuotaSizeLow() bool {\n\treturn u.GetQuotaSizePercentage() > 85\n}\n\nfunc (u *userQuotaUsage) IsQuotaFilesLow() bool {\n\treturn u.GetQuotaFilesPercentage() > 85\n}\n\nfunc (u *userQuotaUsage) IsDiskQuotaLow() bool {\n\treturn u.IsQuotaSizeLow() || u.IsQuotaFilesLow()\n}\n\nfunc (u *userQuotaUsage) GetTotalTransferQuota() string {\n\ttotal := u.UsedUploadDataTransfer + u.UsedDownloadDataTransfer\n\tif u.TotalDataTransfer > 0 {\n\t\treturn fmt.Sprintf(\"%s/%s\", util.ByteCountIEC(total), util.ByteCountIEC(u.TotalDataTransfer*1048576))\n\t}\n\tif total > 0 {\n\t\treturn util.ByteCountIEC(total)\n\t}\n\treturn \"\"\n}\n\nfunc (u *userQuotaUsage) GetUploadTransferQuota() string {\n\tif u.UploadDataTransfer > 0 {\n\t\treturn fmt.Sprintf(\"%s/%s\", util.ByteCountIEC(u.UsedUploadDataTransfer),\n\t\t\tutil.ByteCountIEC(u.UploadDataTransfer*1048576))\n\t}\n\tif u.UsedUploadDataTransfer > 0 {\n\t\treturn util.ByteCountIEC(u.UsedUploadDataTransfer)\n\t}\n\treturn \"\"\n}\n\nfunc (u *userQuotaUsage) GetDownloadTransferQuota() string {\n\tif u.DownloadDataTransfer > 0 {\n\t\treturn fmt.Sprintf(\"%s/%s\", util.ByteCountIEC(u.UsedDownloadDataTransfer),\n\t\t\tutil.ByteCountIEC(u.DownloadDataTransfer*1048576))\n\t}\n\tif u.UsedDownloadDataTransfer > 0 {\n\t\treturn util.ByteCountIEC(u.UsedDownloadDataTransfer)\n\t}\n\treturn \"\"\n}\n\nfunc (u *userQuotaUsage) GetTotalTransferQuotaPercentage() int {\n\tif u.TotalDataTransfer > 0 {\n\t\treturn int(math.Round(100 * float64(u.UsedDownloadDataTransfer+u.UsedUploadDataTransfer) / float64(u.TotalDataTransfer*1048576)))\n\t}\n\treturn 0\n}\n\nfunc (u *userQuotaUsage) GetUploadTransferQuotaPercentage() int {\n\tif u.UploadDataTransfer > 0 {\n\t\treturn int(math.Round(100 * float64(u.UsedUploadDataTransfer) / float64(u.UploadDataTransfer*1048576)))\n\t}\n\treturn 0\n}\n\nfunc (u *userQuotaUsage) GetDownloadTransferQuotaPercentage() int {\n\tif u.DownloadDataTransfer > 0 {\n\t\treturn int(math.Round(100 * float64(u.UsedDownloadDataTransfer) / float64(u.DownloadDataTransfer*1048576)))\n\t}\n\treturn 0\n}\n\nfunc (u *userQuotaUsage) IsTotalTransferQuotaLow() bool {\n\tif u.TotalDataTransfer > 0 {\n\t\treturn u.GetTotalTransferQuotaPercentage() > 85\n\t}\n\treturn false\n}\n\nfunc (u *userQuotaUsage) IsUploadTransferQuotaLow() bool {\n\tif u.UploadDataTransfer > 0 {\n\t\treturn u.GetUploadTransferQuotaPercentage() > 85\n\t}\n\treturn false\n}\n\nfunc (u *userQuotaUsage) IsDownloadTransferQuotaLow() bool {\n\tif u.DownloadDataTransfer > 0 {\n\t\treturn u.GetDownloadTransferQuotaPercentage() > 85\n\t}\n\treturn false\n}\n\nfunc (u *userQuotaUsage) IsTransferQuotaLow() bool {\n\treturn u.IsTotalTransferQuotaLow() || u.IsUploadTransferQuotaLow() || u.IsDownloadTransferQuotaLow()\n}\n\nfunc (u *userQuotaUsage) IsQuotaLow() bool {\n\treturn u.IsDiskQuotaLow() || u.IsTransferQuotaLow()\n}\n\nfunc newUserQuotaUsage(u *dataprovider.User) *userQuotaUsage {\n\treturn &userQuotaUsage{\n\t\tQuotaSize: u.QuotaSize,\n\t\tQuotaFiles: u.QuotaFiles,\n\t\tUsedQuotaSize: u.UsedQuotaSize,\n\t\tUsedQuotaFiles: u.UsedQuotaFiles,\n\t\tTotalDataTransfer: u.TotalDataTransfer,\n\t\tUploadDataTransfer: u.UploadDataTransfer,\n\t\tDownloadDataTransfer: u.DownloadDataTransfer,\n\t\tUsedUploadDataTransfer: u.UsedUploadDataTransfer,\n\t\tUsedDownloadDataTransfer: u.UsedDownloadDataTransfer,\n\t}\n}\n\nfunc getFileObjectURL(baseDir, name, baseWebPath string) string {\n\treturn fmt.Sprintf(\"%v?path=%v&_=%v\", baseWebPath, url.QueryEscape(path.Join(baseDir, name)), time.Now().UTC().Unix())\n}\n\nfunc getFileObjectModTime(t time.Time) int64 {\n\tif isZeroTime(t) {\n\t\treturn 0\n\t}\n\treturn t.UnixMilli()\n}\n\nfunc loadClientTemplates(templatesPath string) {\n\tfilesPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateClientDir, templateClientBase),\n\t\tfilepath.Join(templatesPath, templateClientDir, templateClientFiles),\n\t}\n\teditFilePath := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateClientDir, templateClientBase),\n\t\tfilepath.Join(templatesPath, templateClientDir, templateClientEditFile),\n\t}\n\tsharesPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateClientDir, templateClientBase),\n\t\tfilepath.Join(templatesPath, templateClientDir, templateClientShares),\n\t}\n\tsharePaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateClientDir, templateClientBase),\n\t\tfilepath.Join(templatesPath, templateClientDir, templateClientShare),\n\t}\n\tprofilePaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateClientDir, templateClientBase),\n\t\tfilepath.Join(templatesPath, templateClientDir, templateClientProfile),\n\t}\n\tchangePwdPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateClientDir, templateClientBase),\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateChangePwd),\n\t}\n\tloginPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBaseLogin),\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonLogin),\n\t}\n\tmessagePaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateClientDir, templateClientBase),\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateMessage),\n\t}\n\tmfaPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateClientDir, templateClientBase),\n\t\tfilepath.Join(templatesPath, templateClientDir, templateClientMFA),\n\t}\n\ttwoFactorPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBaseLogin),\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateTwoFactor),\n\t}\n\ttwoFactorRecoveryPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBaseLogin),\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateTwoFactorRecovery),\n\t}\n\tforgotPwdPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBaseLogin),\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateForgotPassword),\n\t}\n\tresetPwdPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBaseLogin),\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateResetPassword),\n\t}\n\tviewPDFPaths := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateClientDir, templateClientViewPDF),\n\t}\n\tshareLoginPath := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBaseLogin),\n\t\tfilepath.Join(templatesPath, templateClientDir, templateShareLogin),\n\t}\n\tshareUploadPath := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateClientDir, templateClientBase),\n\t\tfilepath.Join(templatesPath, templateClientDir, templateUploadToShare),\n\t}\n\tshareDownloadPath := []string{\n\t\tfilepath.Join(templatesPath, templateCommonDir, templateCommonBase),\n\t\tfilepath.Join(templatesPath, templateClientDir, templateClientBase),\n\t\tfilepath.Join(templatesPath, templateClientDir, templateShareDownload),\n\t}\n\n\tfilesTmpl := util.LoadTemplate(nil, filesPaths...)\n\tprofileTmpl := util.LoadTemplate(nil, profilePaths...)\n\tchangePwdTmpl := util.LoadTemplate(nil, changePwdPaths...)\n\tloginTmpl := util.LoadTemplate(nil, loginPaths...)\n\tmessageTmpl := util.LoadTemplate(nil, messagePaths...)\n\tmfaTmpl := util.LoadTemplate(nil, mfaPaths...)\n\ttwoFactorTmpl := util.LoadTemplate(nil, twoFactorPaths...)\n\ttwoFactorRecoveryTmpl := util.LoadTemplate(nil, twoFactorRecoveryPaths...)\n\teditFileTmpl := util.LoadTemplate(nil, editFilePath...)\n\tshareLoginTmpl := util.LoadTemplate(nil, shareLoginPath...)\n\tsharesTmpl := util.LoadTemplate(nil, sharesPaths...)\n\tshareTmpl := util.LoadTemplate(nil, sharePaths...)\n\tforgotPwdTmpl := util.LoadTemplate(nil, forgotPwdPaths...)\n\tresetPwdTmpl := util.LoadTemplate(nil, resetPwdPaths...)\n\tviewPDFTmpl := util.LoadTemplate(nil, viewPDFPaths...)\n\tshareUploadTmpl := util.LoadTemplate(nil, shareUploadPath...)\n\tshareDownloadTmpl := util.LoadTemplate(nil, shareDownloadPath...)\n\n\tclientTemplates[templateClientFiles] = filesTmpl\n\tclientTemplates[templateClientProfile] = profileTmpl\n\tclientTemplates[templateChangePwd] = changePwdTmpl\n\tclientTemplates[templateCommonLogin] = loginTmpl\n\tclientTemplates[templateMessage] = messageTmpl\n\tclientTemplates[templateClientMFA] = mfaTmpl\n\tclientTemplates[templateTwoFactor] = twoFactorTmpl\n\tclientTemplates[templateTwoFactorRecovery] = twoFactorRecoveryTmpl\n\tclientTemplates[templateClientEditFile] = editFileTmpl\n\tclientTemplates[templateClientShares] = sharesTmpl\n\tclientTemplates[templateClientShare] = shareTmpl\n\tclientTemplates[templateForgotPassword] = forgotPwdTmpl\n\tclientTemplates[templateResetPassword] = resetPwdTmpl\n\tclientTemplates[templateClientViewPDF] = viewPDFTmpl\n\tclientTemplates[templateShareLogin] = shareLoginTmpl\n\tclientTemplates[templateUploadToShare] = shareUploadTmpl\n\tclientTemplates[templateShareDownload] = shareDownloadTmpl\n}\n\nfunc (s *httpdServer) getBaseClientPageData(title, currentURL string, w http.ResponseWriter, r *http.Request) baseClientPage {\n\tvar csrfToken string\n\tif currentURL != \"\" {\n\t\tcsrfToken = createCSRFToken(w, r, s.csrfTokenAuth, \"\", webBaseClientPath)\n\t}\n\n\tdata := baseClientPage{\n\t\tcommonBasePage: getCommonBasePage(r),\n\t\tTitle: title,\n\t\tCurrentURL: currentURL,\n\t\tFilesURL: webClientFilesPath,\n\t\tSharesURL: webClientSharesPath,\n\t\tShareURL: webClientSharePath,\n\t\tProfileURL: webClientProfilePath,\n\t\tPingURL: webClientPingPath,\n\t\tChangePwdURL: webChangeClientPwdPath,\n\t\tLogoutURL: webClientLogoutPath,\n\t\tEditURL: webClientEditFilePath,\n\t\tMFAURL: webClientMFAPath,\n\t\tCSRFToken: csrfToken,\n\t\tLoggedUser: getUserFromToken(r),\n\t\tIsLoggedToShare: false,\n\t\tBranding: s.binding.webClientBranding(),\n\t\tLanguages: s.binding.languages(),\n\t}\n\tif !strings.HasPrefix(r.RequestURI, webClientPubSharesPath) {\n\t\tdata.LoginURL = webClientLoginPath\n\t}\n\treturn data\n}\n\nfunc (s *httpdServer) renderClientForgotPwdPage(w http.ResponseWriter, r *http.Request, err *util.I18nError) {\n\tdata := forgotPwdPage{\n\t\tcommonBasePage: getCommonBasePage(r),\n\t\tCurrentURL: webClientForgotPwdPath,\n\t\tError: err,\n\t\tCSRFToken: createCSRFToken(w, r, s.csrfTokenAuth, rand.Text(), webBaseClientPath),\n\t\tLoginURL: webClientLoginPath,\n\t\tTitle: util.I18nForgotPwdTitle,\n\t\tBranding: s.binding.webClientBranding(),\n\t\tLanguages: s.binding.languages(),\n\t}\n\trenderClientTemplate(w, templateForgotPassword, data)\n}\n\nfunc (s *httpdServer) renderClientResetPwdPage(w http.ResponseWriter, r *http.Request, err *util.I18nError) {\n\tdata := resetPwdPage{\n\t\tcommonBasePage: getCommonBasePage(r),\n\t\tCurrentURL: webClientResetPwdPath,\n\t\tError: err,\n\t\tCSRFToken: createCSRFToken(w, r, s.csrfTokenAuth, \"\", webBaseClientPath),\n\t\tLoginURL: webClientLoginPath,\n\t\tTitle: util.I18nResetPwdTitle,\n\t\tBranding: s.binding.webClientBranding(),\n\t\tLanguages: s.binding.languages(),\n\t}\n\trenderClientTemplate(w, templateResetPassword, data)\n}\n\nfunc (s *httpdServer) renderShareLoginPage(w http.ResponseWriter, r *http.Request, err *util.I18nError) {\n\tdata := shareLoginPage{\n\t\tcommonBasePage: getCommonBasePage(r),\n\t\tTitle: util.I18nShareLoginTitle,\n\t\tCurrentURL: r.RequestURI,\n\t\tError: err,\n\t\tCSRFToken: createCSRFToken(w, r, s.csrfTokenAuth, rand.Text(), webBaseClientPath),\n\t\tBranding: s.binding.webClientBranding(),\n\t\tLanguages: s.binding.languages(),\n\t\tCheckRedirect: false,\n\t}\n\trenderClientTemplate(w, templateShareLogin, data)\n}\n\nfunc renderClientTemplate(w http.ResponseWriter, tmplName string, data any) {\n\terr := clientTemplates[tmplName].ExecuteTemplate(w, tmplName, data)\n\tif err != nil {\n\t\thttp.Error(w, err.Error(), http.StatusInternalServerError)\n\t}\n}\n\nfunc (s *httpdServer) renderClientMessagePage(w http.ResponseWriter, r *http.Request, title string, statusCode int, err error, message string) {\n\tdata := clientMessagePage{\n\t\tbaseClientPage: s.getBaseClientPageData(title, \"\", w, r),\n\t\tError: getI18nError(err),\n\t\tSuccess: message,\n\t}\n\tw.WriteHeader(statusCode)\n\trenderClientTemplate(w, templateMessage, data)\n}\n\nfunc (s *httpdServer) renderClientInternalServerErrorPage(w http.ResponseWriter, r *http.Request, err error) {\n\ts.renderClientMessagePage(w, r, util.I18nError500Title, http.StatusInternalServerError,\n\t\tutil.NewI18nError(err, util.I18nError500Message), \"\")\n}\n\nfunc (s *httpdServer) renderClientBadRequestPage(w http.ResponseWriter, r *http.Request, err error) {\n\ts.renderClientMessagePage(w, r, util.I18nError400Title, http.StatusBadRequest,\n\t\tutil.NewI18nError(err, util.I18nError400Message), \"\")\n}\n\nfunc (s *httpdServer) renderClientForbiddenPage(w http.ResponseWriter, r *http.Request, err error) {\n\ts.renderClientMessagePage(w, r, util.I18nError403Title, http.StatusForbidden,\n\t\tutil.NewI18nError(err, util.I18nError403Message), \"\")\n}\n\nfunc (s *httpdServer) renderClientNotFoundPage(w http.ResponseWriter, r *http.Request, err error) {\n\ts.renderClientMessagePage(w, r, util.I18nError404Title, http.StatusNotFound,\n\t\tutil.NewI18nError(err, util.I18nError404Message), \"\")\n}\n\nfunc (s *httpdServer) renderClientTwoFactorPage(w http.ResponseWriter, r *http.Request, err *util.I18nError) {\n\tdata := twoFactorPage{\n\t\tcommonBasePage: getCommonBasePage(r),\n\t\tTitle: util.I18n2FATitle,\n\t\tCurrentURL: webClientTwoFactorPath,\n\t\tError: err,\n\t\tCSRFToken: createCSRFToken(w, r, s.csrfTokenAuth, \"\", webBaseClientPath),\n\t\tRecoveryURL: webClientTwoFactorRecoveryPath,\n\t\tBranding: s.binding.webClientBranding(),\n\t\tLanguages: s.binding.languages(),\n\t}\n\tif next := r.URL.Query().Get(\"next\"); strings.HasPrefix(next, webClientFilesPath) {\n\t\tdata.CurrentURL += \"?next=\" + url.QueryEscape(next)\n\t}\n\trenderClientTemplate(w, templateTwoFactor, data)\n}\n\nfunc (s *httpdServer) renderClientTwoFactorRecoveryPage(w http.ResponseWriter, r *http.Request, err *util.I18nError) {\n\tdata := twoFactorPage{\n\t\tcommonBasePage: getCommonBasePage(r),\n\t\tTitle: util.I18n2FATitle,\n\t\tCurrentURL: webClientTwoFactorRecoveryPath,\n\t\tError: err,\n\t\tCSRFToken: createCSRFToken(w, r, s.csrfTokenAuth, \"\", webBaseClientPath),\n\t\tBranding: s.binding.webClientBranding(),\n\t\tLanguages: s.binding.languages(),\n\t}\n\trenderClientTemplate(w, templateTwoFactorRecovery, data)\n}\n\nfunc (s *httpdServer) renderClientMFAPage(w http.ResponseWriter, r *http.Request) {\n\tdata := clientMFAPage{\n\t\tbaseClientPage: s.getBaseClientPageData(util.I18n2FATitle, webClientMFAPath, w, r),\n\t\tTOTPConfigs: mfa.GetAvailableTOTPConfigNames(),\n\t\tGenerateTOTPURL: webClientTOTPGeneratePath,\n\t\tValidateTOTPURL: webClientTOTPValidatePath,\n\t\tSaveTOTPURL: webClientTOTPSavePath,\n\t\tRecCodesURL: webClientRecoveryCodesPath,\n\t\tProtocols: dataprovider.MFAProtocols,\n\t}\n\tuser, err := dataprovider.GetUserWithGroupSettings(data.LoggedUser.Username, \"\")\n\tif err != nil {\n\t\ts.renderClientInternalServerErrorPage(w, r, err)\n\t\treturn\n\t}\n\tdata.TOTPConfig = user.Filters.TOTPConfig\n\tdata.RequiredProtocols = user.Filters.TwoFactorAuthProtocols\n\trenderClientTemplate(w, templateClientMFA, data)\n}\n\nfunc (s *httpdServer) renderEditFilePage(w http.ResponseWriter, r *http.Request, fileName, fileData string, readOnly bool) {\n\ttitle := util.I18nViewFileTitle\n\tif !readOnly {\n\t\ttitle = util.I18nEditFileTitle\n\t}\n\tdata := editFilePage{\n\t\tbaseClientPage: s.getBaseClientPageData(title, webClientEditFilePath, w, r),\n\t\tPath: fileName,\n\t\tName: path.Base(fileName),\n\t\tCurrentDir: path.Dir(fileName),\n\t\tFileURL: webClientFilePath,\n\t\tReadOnly: readOnly,\n\t\tData: fileData,\n\t}\n\n\trenderClientTemplate(w, templateClientEditFile, data)\n}\n\nfunc (s *httpdServer) renderAddUpdateSharePage(w http.ResponseWriter, r *http.Request, share *dataprovider.Share,\n\terr *util.I18nError, isAdd bool) {\n\tcurrentURL := webClientSharePath\n\ttitle := util.I18nShareAddTitle\n\tif !isAdd {\n\t\tcurrentURL = fmt.Sprintf(\"%v/%v\", webClientSharePath, url.PathEscape(share.ShareID))\n\t\ttitle = util.I18nShareUpdateTitle\n\t}\n\tif share.IsPasswordHashed() {\n\t\tshare.Password = redactedSecret\n\t}\n\tdata := clientSharePage{\n\t\tbaseClientPage: s.getBaseClientPageData(title, currentURL, w, r),\n\t\tShare: share,\n\t\tError: err,\n\t\tIsAdd: isAdd,\n\t}\n\n\trenderClientTemplate(w, templateClientShare, data)\n}\n\nfunc getDirMapping(dirName, baseWebPath string) []dirMapping {\n\tpaths := []dirMapping{}\n\tif dirName != \"/\" {\n\t\tpaths = append(paths, dirMapping{\n\t\t\tDirName: path.Base(dirName),\n\t\t\tHref: getFileObjectURL(\"/\", dirName, baseWebPath),\n\t\t})\n\t\tfor {\n\t\t\tdirName = path.Dir(dirName)\n\t\t\tif dirName == \"/\" || dirName == \".\" {\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tpaths = append([]dirMapping{{\n\t\t\t\tDirName: path.Base(dirName),\n\t\t\t\tHref: getFileObjectURL(\"/\", dirName, baseWebPath)},\n\t\t\t}, paths...)\n\t\t}\n\t}\n\treturn paths\n}\n\nfunc (s *httpdServer) renderSharedFilesPage(w http.ResponseWriter, r *http.Request, dirName string,\n\terr *util.I18nError, share dataprovider.Share,\n) {\n\tcurrentURL := path.Join(webClientPubSharesPath, share.ShareID, \"browse\")\n\tbaseData := s.getBaseClientPageData(util.I18nSharedFilesTitle, currentURL, w, r)\n\tbaseData.FilesURL = currentURL\n\tbaseSharePath := path.Join(webClientPubSharesPath, share.ShareID)\n\tbaseData.LogoutURL = path.Join(webClientPubSharesPath, share.ShareID, \"logout\")\n\tbaseData.IsLoggedToShare = share.Password != \"\"\n\n\tdata := filesPage{\n\t\tbaseClientPage: baseData,\n\t\tError: err,\n\t\tCurrentDir: url.QueryEscape(dirName),\n\t\tDownloadURL: path.Join(baseSharePath, \"partial\"),\n\t\t// dirName must be escaped because the router expects the full path as single argument\n\t\tShareUploadBaseURL: path.Join(baseSharePath, url.PathEscape(dirName)),\n\t\tViewPDFURL: path.Join(baseSharePath, \"viewpdf\"),\n\t\tDirsURL: path.Join(baseSharePath, \"dirs\"),\n\t\tFileURL: \"\",\n\t\tFileActionsURL: \"\",\n\t\tCheckExistURL: path.Join(baseSharePath, \"browse\", \"exist\"),\n\t\tTasksURL: \"\",\n\t\tCanAddFiles: share.Scope == dataprovider.ShareScopeReadWrite,\n\t\tCanCreateDirs: false,\n\t\tCanRename: false,\n\t\tCanDelete: false,\n\t\tCanDownload: share.Scope != dataprovider.ShareScopeWrite,\n\t\tCanShare: false,\n\t\tCanCopy: false,\n\t\tPaths: getDirMapping(dirName, currentURL),\n\t\tQuotaUsage: newUserQuotaUsage(&dataprovider.User{}),\n\t\tKeepAliveInterval: int(cookieRefreshThreshold / time.Millisecond),\n\t}\n\trenderClientTemplate(w, templateClientFiles, data)\n}\n\nfunc (s *httpdServer) renderShareDownloadPage(w http.ResponseWriter, r *http.Request, share *dataprovider.Share,\n\tdownloadLink string,\n) {\n\tdata := shareDownloadPage{\n\t\tbaseClientPage: s.getBaseClientPageData(util.I18nShareDownloadTitle, \"\", w, r),\n\t\tDownloadLink: downloadLink,\n\t}\n\tdata.LogoutURL = \"\"\n\tif share.Password != \"\" {\n\t\tdata.LogoutURL = path.Join(webClientPubSharesPath, share.ShareID, \"logout\")\n\t}\n\n\trenderClientTemplate(w, templateShareDownload, data)\n}\n\nfunc (s *httpdServer) renderUploadToSharePage(w http.ResponseWriter, r *http.Request, share *dataprovider.Share) {\n\tcurrentURL := path.Join(webClientPubSharesPath, share.ShareID, \"upload\")\n\tdata := shareUploadPage{\n\t\tbaseClientPage: s.getBaseClientPageData(util.I18nShareUploadTitle, currentURL, w, r),\n\t\tShare: share,\n\t\tUploadBasePath: path.Join(webClientPubSharesPath, share.ShareID),\n\t}\n\tdata.LogoutURL = \"\"\n\tif share.Password != \"\" {\n\t\tdata.LogoutURL = path.Join(webClientPubSharesPath, share.ShareID, \"logout\")\n\t}\n\trenderClientTemplate(w, templateUploadToShare, data)\n}\n\nfunc (s *httpdServer) renderFilesPage(w http.ResponseWriter, r *http.Request, dirName string,\n\terr *util.I18nError, user *dataprovider.User) {\n\tdata := filesPage{\n\t\tbaseClientPage: s.getBaseClientPageData(util.I18nFilesTitle, webClientFilesPath, w, r),\n\t\tError: err,\n\t\tCurrentDir: url.QueryEscape(dirName),\n\t\tDownloadURL: webClientDownloadZipPath,\n\t\tViewPDFURL: webClientViewPDFPath,\n\t\tDirsURL: webClientDirsPath,\n\t\tFileURL: webClientFilePath,\n\t\tFileActionsURL: webClientFileActionsPath,\n\t\tCheckExistURL: webClientExistPath,\n\t\tTasksURL: webClientTasksPath,\n\t\tCanAddFiles: user.CanAddFilesFromWeb(dirName),\n\t\tCanCreateDirs: user.CanAddDirsFromWeb(dirName),\n\t\tCanRename: user.CanRenameFromWeb(dirName, dirName),\n\t\tCanDelete: user.CanDeleteFromWeb(dirName),\n\t\tCanDownload: user.HasPerm(dataprovider.PermDownload, dirName),\n\t\tCanShare: user.CanManageShares(),\n\t\tCanCopy: user.CanCopyFromWeb(dirName, dirName),\n\t\tShareUploadBaseURL: \"\",\n\t\tPaths: getDirMapping(dirName, webClientFilesPath),\n\t\tQuotaUsage: newUserQuotaUsage(user),\n\t\tKeepAliveInterval: int(cookieRefreshThreshold / time.Millisecond),\n\t}\n\trenderClientTemplate(w, templateClientFiles, data)\n}\n\nfunc (s *httpdServer) renderClientProfilePage(w http.ResponseWriter, r *http.Request, err *util.I18nError) {\n\tdata := clientProfilePage{\n\t\tbaseClientPage: s.getBaseClientPageData(util.I18nProfileTitle, webClientProfilePath, w, r),\n\t\tError: err,\n\t}\n\tuser, userMerged, errUser := dataprovider.GetUserVariants(data.LoggedUser.Username, \"\")\n\tif errUser != nil {\n\t\ts.renderClientInternalServerErrorPage(w, r, errUser)\n\t\treturn\n\t}\n\tdata.PublicKeys = user.PublicKeys\n\tdata.TLSCerts = user.Filters.TLSCerts\n\tdata.AllowAPIKeyAuth = user.Filters.AllowAPIKeyAuth\n\tdata.Email = user.Email\n\tdata.AdditionalEmails = user.Filters.AdditionalEmails\n\tdata.AdditionalEmailsString = strings.Join(data.AdditionalEmails, \", \")\n\tdata.Description = user.Description\n\tdata.CanSubmit = userMerged.CanUpdateProfile()\n\trenderClientTemplate(w, templateClientProfile, data)\n}\n\nfunc (s *httpdServer) renderClientChangePasswordPage(w http.ResponseWriter, r *http.Request, err *util.I18nError) {\n\tdata := changeClientPasswordPage{\n\t\tbaseClientPage: s.getBaseClientPageData(util.I18nChangePwdTitle, webChangeClientPwdPath, w, r),\n\t\tError: err,\n\t}\n\n\trenderClientTemplate(w, templateChangePwd, data)\n}\n\nfunc (s *httpdServer) handleWebClientDownloadZip(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxMultipartMem)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderClientForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\tif err := r.ParseForm(); err != nil {\n\t\ts.renderClientBadRequestPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidForm))\n\t\treturn\n\t}\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderClientForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\n\tuser, err := dataprovider.GetUserWithGroupSettings(claims.Username, \"\")\n\tif err != nil {\n\t\ts.renderClientMessagePage(w, r, util.I18nError500Title, getRespStatus(err),\n\t\t\tutil.NewI18nError(err, util.I18nErrorGetUser), \"\")\n\t\treturn\n\t}\n\n\tconnID := xid.New().String()\n\tprotocol := getProtocolFromRequest(r)\n\tconnectionID := fmt.Sprintf(\"%v_%v\", protocol, connID)\n\tif err := checkHTTPClientUser(&user, r, connectionID, false, false); err != nil {\n\t\ts.renderClientForbiddenPage(w, r, err)\n\t\treturn\n\t}\n\tbaseConn := common.NewBaseConnection(connID, protocol, util.GetHTTPLocalAddress(r), r.RemoteAddr, user)\n\tconnection := newConnection(baseConn, w, r)\n\tif err = common.Connections.Add(connection); err != nil {\n\t\ts.renderClientMessagePage(w, r, util.I18nError429Title, http.StatusTooManyRequests,\n\t\t\tutil.NewI18nError(err, util.I18nError429Message), \"\")\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\tname := connection.User.GetCleanedPath(r.URL.Query().Get(\"path\"))\n\tfiles := r.Form.Get(\"files\")\n\tvar filesList []string\n\terr = json.Unmarshal(util.StringToBytes(files), &filesList)\n\tif err != nil {\n\t\ts.renderClientBadRequestPage(w, r, err)\n\t\treturn\n\t}\n\n\tw.Header().Set(\"Content-Disposition\", fmt.Sprintf(\"attachment; filename=\\\"%s\\\"\",\n\t\tgetCompressedFileName(connection.GetUsername(), filesList)))\n\trenderCompressedFiles(w, connection, name, filesList, nil)\n}\n\nfunc (s *httpdServer) handleClientSharePartialDownload(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxMultipartMem)\n\tif err := r.ParseForm(); err != nil {\n\t\ts.renderClientBadRequestPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidForm))\n\t\treturn\n\t}\n\tvalidScopes := []dataprovider.ShareScope{dataprovider.ShareScopeRead, dataprovider.ShareScopeReadWrite}\n\tshare, connection, err := s.checkPublicShare(w, r, validScopes)\n\tif err != nil {\n\t\treturn\n\t}\n\tif err := validateBrowsableShare(share, connection); err != nil {\n\t\ts.renderClientMessagePage(w, r, util.I18nShareAccessErrorTitle, getRespStatus(err), err, \"\")\n\t\treturn\n\t}\n\tname, err := getBrowsableSharedPath(share.Paths[0], r)\n\tif err != nil {\n\t\ts.renderClientMessagePage(w, r, util.I18nShareAccessErrorTitle, getRespStatus(err), err, \"\")\n\t\treturn\n\t}\n\tif err = common.Connections.Add(connection); err != nil {\n\t\ts.renderClientMessagePage(w, r, util.I18nError429Title, http.StatusTooManyRequests,\n\t\t\tutil.NewI18nError(err, util.I18nError429Message), \"\")\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\ttransferQuota := connection.GetTransferQuota()\n\tif !transferQuota.HasDownloadSpace() {\n\t\terr = util.NewI18nError(connection.GetReadQuotaExceededError(), util.I18nErrorQuotaRead)\n\t\tconnection.Log(logger.LevelInfo, \"denying share read due to quota limits\")\n\t\ts.renderClientMessagePage(w, r, util.I18nShareAccessErrorTitle, getMappedStatusCode(err), err, \"\")\n\t\treturn\n\t}\n\tfiles := r.Form.Get(\"files\")\n\tvar filesList []string\n\terr = json.Unmarshal(util.StringToBytes(files), &filesList)\n\tif err != nil {\n\t\ts.renderClientBadRequestPage(w, r, err)\n\t\treturn\n\t}\n\n\tdataprovider.UpdateShareLastUse(&share, 1) //nolint:errcheck\n\tw.Header().Set(\"Content-Disposition\", fmt.Sprintf(\"attachment; filename=\\\"%s\\\"\",\n\t\tgetCompressedFileName(fmt.Sprintf(\"share-%s\", share.Name), filesList)))\n\trenderCompressedFiles(w, connection, name, filesList, &share)\n}\n\nfunc (s *httpdServer) handleShareGetDirContents(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tvalidScopes := []dataprovider.ShareScope{dataprovider.ShareScopeRead, dataprovider.ShareScopeReadWrite}\n\tshare, connection, err := s.checkPublicShare(w, r, validScopes)\n\tif err != nil {\n\t\treturn\n\t}\n\tif err := validateBrowsableShare(share, connection); err != nil {\n\t\tsendAPIResponse(w, r, err, getI18NErrorString(err, util.I18nError500Message), getRespStatus(err))\n\t\treturn\n\t}\n\tname, err := getBrowsableSharedPath(share.Paths[0], r)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, getI18NErrorString(err, util.I18nError500Message), getRespStatus(err))\n\t\treturn\n\t}\n\tif err = common.Connections.Add(connection); err != nil {\n\t\tsendAPIResponse(w, r, err, getI18NErrorString(err, util.I18nError429Message), http.StatusTooManyRequests)\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\tlister, err := connection.ReadDir(name)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, getI18NErrorString(err, util.I18nErrorDirListGeneric), getMappedStatusCode(err))\n\t\treturn\n\t}\n\tdefer lister.Close()\n\n\tdataGetter := func(limit, offset int) ([]byte, int, error) {\n\t\tcontents, err := lister.Next(limit)\n\t\tif errors.Is(err, io.EOF) {\n\t\t\terr = nil\n\t\t}\n\t\tif err != nil {\n\t\t\treturn nil, 0, err\n\t\t}\n\t\tresults := make([]map[string]any, 0, len(contents))\n\t\tfor idx, info := range contents {\n\t\t\tif !info.Mode().IsDir() && !info.Mode().IsRegular() {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tres := make(map[string]any)\n\t\t\tres[\"id\"] = offset + idx + 1\n\t\t\tif info.IsDir() {\n\t\t\t\tres[\"type\"] = \"1\"\n\t\t\t\tres[\"size\"] = \"\"\n\t\t\t} else {\n\t\t\t\tres[\"type\"] = \"2\"\n\t\t\t\tres[\"size\"] = info.Size()\n\t\t\t}\n\t\t\tres[\"meta\"] = fmt.Sprintf(\"%v_%v\", res[\"type\"], info.Name())\n\t\t\tres[\"name\"] = info.Name()\n\t\t\tres[\"url\"] = getFileObjectURL(share.GetRelativePath(name), info.Name(),\n\t\t\t\tpath.Join(webClientPubSharesPath, share.ShareID, \"browse\"))\n\t\t\tres[\"last_modified\"] = getFileObjectModTime(info.ModTime())\n\t\t\tresults = append(results, res)\n\t\t}\n\t\tdata, err := json.Marshal(results)\n\t\tcount := limit\n\t\tif len(results) == 0 {\n\t\t\tcount = 0\n\t\t}\n\t\treturn data, count, err\n\t}\n\n\tstreamJSONArray(w, defaultQueryLimit, dataGetter)\n}\n\nfunc (s *httpdServer) handleClientUploadToShare(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tvalidScopes := []dataprovider.ShareScope{dataprovider.ShareScopeWrite, dataprovider.ShareScopeReadWrite}\n\tshare, _, err := s.checkPublicShare(w, r, validScopes)\n\tif err != nil {\n\t\treturn\n\t}\n\tif share.Scope == dataprovider.ShareScopeReadWrite {\n\t\thttp.Redirect(w, r, path.Join(webClientPubSharesPath, share.ShareID, \"browse\"), http.StatusFound)\n\t\treturn\n\t}\n\ts.renderUploadToSharePage(w, r, &share)\n}\n\nfunc (s *httpdServer) handleShareGetFiles(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tvalidScopes := []dataprovider.ShareScope{dataprovider.ShareScopeRead, dataprovider.ShareScopeReadWrite}\n\tshare, connection, err := s.checkPublicShare(w, r, validScopes)\n\tif err != nil {\n\t\treturn\n\t}\n\tif err := validateBrowsableShare(share, connection); err != nil {\n\t\ts.renderClientMessagePage(w, r, util.I18nShareAccessErrorTitle, getRespStatus(err), err, \"\")\n\t\treturn\n\t}\n\tname, err := getBrowsableSharedPath(share.Paths[0], r)\n\tif err != nil {\n\t\ts.renderClientMessagePage(w, r, util.I18nShareAccessErrorTitle, getRespStatus(err), err, \"\")\n\t\treturn\n\t}\n\n\tif err = common.Connections.Add(connection); err != nil {\n\t\ts.renderSharedFilesPage(w, r, path.Dir(share.GetRelativePath(name)),\n\t\t\tutil.NewI18nError(err, util.I18nError429Message), share)\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\tvar info os.FileInfo\n\tif name == \"/\" {\n\t\tinfo = vfs.NewFileInfo(name, true, 0, time.Unix(0, 0), false)\n\t} else {\n\t\tinfo, err = connection.Stat(name, 1)\n\t}\n\tif err != nil {\n\t\ts.renderSharedFilesPage(w, r, path.Dir(share.GetRelativePath(name)),\n\t\t\tutil.NewI18nError(err, i18nFsMsg(getRespStatus(err))), share)\n\t\treturn\n\t}\n\tif info.IsDir() {\n\t\ts.renderSharedFilesPage(w, r, share.GetRelativePath(name), nil, share)\n\t\treturn\n\t}\n\tdataprovider.UpdateShareLastUse(&share, 1) //nolint:errcheck\n\tif status, err := downloadFile(w, r, connection, name, info, false, &share); err != nil {\n\t\tdataprovider.UpdateShareLastUse(&share, -1) //nolint:errcheck\n\t\tif status > 0 {\n\t\t\ts.renderSharedFilesPage(w, r, path.Dir(share.GetRelativePath(name)),\n\t\t\t\tutil.NewI18nError(err, i18nFsMsg(getRespStatus(err))), share)\n\t\t}\n\t}\n}\n\nfunc (s *httpdServer) handleShareViewPDF(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)\n\tvalidScopes := []dataprovider.ShareScope{dataprovider.ShareScopeRead, dataprovider.ShareScopeReadWrite}\n\tshare, _, err := s.checkPublicShare(w, r, validScopes)\n\tif err != nil {\n\t\treturn\n\t}\n\tname := util.CleanPath(r.URL.Query().Get(\"path\"))\n\tdata := viewPDFPage{\n\t\tcommonBasePage: getCommonBasePage(r),\n\t\tTitle: path.Base(name),\n\t\tURL: fmt.Sprintf(\"%s?path=%s&_=%d\", path.Join(webClientPubSharesPath, share.ShareID, \"getpdf\"),\n\t\t\turl.QueryEscape(name), time.Now().UTC().Unix()),\n\t\tBranding: s.binding.webClientBranding(),\n\t\tLanguages: s.binding.languages(),\n\t}\n\trenderClientTemplate(w, templateClientViewPDF, data)\n}\n\nfunc (s *httpdServer) handleShareGetPDF(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tvalidScopes := []dataprovider.ShareScope{dataprovider.ShareScopeRead, dataprovider.ShareScopeReadWrite}\n\tshare, connection, err := s.checkPublicShare(w, r, validScopes)\n\tif err != nil {\n\t\treturn\n\t}\n\tif err := validateBrowsableShare(share, connection); err != nil {\n\t\ts.renderClientMessagePage(w, r, util.I18nShareAccessErrorTitle, getRespStatus(err), err, \"\")\n\t\treturn\n\t}\n\tname, err := getBrowsableSharedPath(share.Paths[0], r)\n\tif err != nil {\n\t\ts.renderClientMessagePage(w, r, util.I18nShareAccessErrorTitle, getRespStatus(err), err, \"\")\n\t\treturn\n\t}\n\n\tif err = common.Connections.Add(connection); err != nil {\n\t\ts.renderClientMessagePage(w, r, util.I18nError429Title, http.StatusTooManyRequests,\n\t\t\tutil.NewI18nError(err, util.I18nError429Message), \"\")\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\tinfo, err := connection.Stat(name, 1)\n\tif err != nil {\n\t\tstatus := getRespStatus(err)\n\t\ts.renderClientMessagePage(w, r, util.I18nShareAccessErrorTitle, status,\n\t\t\tutil.NewI18nError(err, i18nFsMsg(status)), \"\")\n\t\treturn\n\t}\n\tif info.IsDir() {\n\t\ts.renderClientBadRequestPage(w, r, util.NewI18nError(fmt.Errorf(\"%q is not a file\", name), util.I18nErrorPDFMessage))\n\t\treturn\n\t}\n\tconnection.User.CheckFsRoot(connection.ID) //nolint:errcheck\n\tif err := s.ensurePDF(w, r, name, connection); err != nil {\n\t\treturn\n\t}\n\tdataprovider.UpdateShareLastUse(&share, 1) //nolint:errcheck\n\tif _, err := downloadFile(w, r, connection, name, info, true, &share); err != nil {\n\t\tdataprovider.UpdateShareLastUse(&share, -1) //nolint:errcheck\n\t}\n}\n\nfunc (s *httpdServer) handleClientGetDirContents(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, nil, util.I18nErrorDirList403, http.StatusForbidden)\n\t\treturn\n\t}\n\n\tuser, err := dataprovider.GetUserWithGroupSettings(claims.Username, \"\")\n\tif err != nil {\n\t\tsendAPIResponse(w, r, nil, util.I18nErrorDirListUser, getRespStatus(err))\n\t\treturn\n\t}\n\n\tconnID := xid.New().String()\n\tprotocol := getProtocolFromRequest(r)\n\tconnectionID := fmt.Sprintf(\"%s_%s\", protocol, connID)\n\tif err := checkHTTPClientUser(&user, r, connectionID, false, false); err != nil {\n\t\tsendAPIResponse(w, r, err, getI18NErrorString(err, util.I18nErrorDirList403), http.StatusForbidden)\n\t\treturn\n\t}\n\tbaseConn := common.NewBaseConnection(connID, protocol, util.GetHTTPLocalAddress(r), r.RemoteAddr, user)\n\tconnection := newConnection(baseConn, w, r)\n\tif err = common.Connections.Add(connection); err != nil {\n\t\tsendAPIResponse(w, r, err, util.I18nErrorDirList429, http.StatusTooManyRequests)\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\tname := connection.User.GetCleanedPath(r.URL.Query().Get(\"path\"))\n\tlister, err := connection.ReadDir(name)\n\tif err != nil {\n\t\tstatusCode := getMappedStatusCode(err)\n\t\tsendAPIResponse(w, r, err, i18nListDirMsg(statusCode), statusCode)\n\t\treturn\n\t}\n\tdefer lister.Close()\n\n\tdirTree := r.URL.Query().Get(\"dirtree\") == \"1\"\n\tdataGetter := func(limit, offset int) ([]byte, int, error) {\n\t\tcontents, err := lister.Next(limit)\n\t\tif errors.Is(err, io.EOF) {\n\t\t\terr = nil\n\t\t}\n\t\tif err != nil {\n\t\t\treturn nil, 0, err\n\t\t}\n\t\tresults := make([]map[string]any, 0, len(contents))\n\t\tfor idx, info := range contents {\n\t\t\tres := make(map[string]any)\n\t\t\tres[\"id\"] = offset + idx + 1\n\t\t\tres[\"url\"] = getFileObjectURL(name, info.Name(), webClientFilesPath)\n\t\t\tif info.IsDir() {\n\t\t\t\tres[\"type\"] = \"1\"\n\t\t\t\tres[\"size\"] = \"\"\n\t\t\t\tres[\"dir_path\"] = url.QueryEscape(path.Join(name, info.Name()))\n\t\t\t} else {\n\t\t\t\tif dirTree {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tres[\"type\"] = \"2\"\n\t\t\t\tif info.Mode()&os.ModeSymlink != 0 {\n\t\t\t\t\tres[\"size\"] = \"\"\n\t\t\t\t} else {\n\t\t\t\t\tres[\"size\"] = info.Size()\n\t\t\t\t\tif info.Size() < httpdMaxEditFileSize {\n\t\t\t\t\t\tres[\"edit_url\"] = strings.Replace(res[\"url\"].(string), webClientFilesPath, webClientEditFilePath, 1)\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\tres[\"meta\"] = fmt.Sprintf(\"%v_%v\", res[\"type\"], info.Name())\n\t\t\tres[\"name\"] = info.Name()\n\t\t\tres[\"last_modified\"] = getFileObjectModTime(info.ModTime())\n\t\t\tresults = append(results, res)\n\t\t}\n\t\tdata, err := json.Marshal(results)\n\t\tcount := limit\n\t\tif len(results) == 0 {\n\t\t\tcount = 0\n\t\t}\n\t\treturn data, count, err\n\t}\n\n\tstreamJSONArray(w, defaultQueryLimit, dataGetter)\n}\n\nfunc (s *httpdServer) handleClientGetFiles(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderClientForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\n\tuser, err := dataprovider.GetUserWithGroupSettings(claims.Username, \"\")\n\tif err != nil {\n\t\ts.renderClientMessagePage(w, r, util.I18nError500Title, getRespStatus(err),\n\t\t\tutil.NewI18nError(err, util.I18nErrorGetUser), \"\")\n\t\treturn\n\t}\n\n\tconnID := xid.New().String()\n\tprotocol := getProtocolFromRequest(r)\n\tconnectionID := fmt.Sprintf(\"%v_%v\", protocol, connID)\n\tif err := checkHTTPClientUser(&user, r, connectionID, false, false); err != nil {\n\t\ts.renderClientForbiddenPage(w, r, err)\n\t\treturn\n\t}\n\tbaseConn := common.NewBaseConnection(connID, protocol, util.GetHTTPLocalAddress(r), r.RemoteAddr, user)\n\tconnection := newConnection(baseConn, w, r)\n\tif err = common.Connections.Add(connection); err != nil {\n\t\ts.renderClientMessagePage(w, r, util.I18nError429Title, http.StatusTooManyRequests,\n\t\t\tutil.NewI18nError(err, util.I18nError429Message), \"\")\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\tname := connection.User.GetCleanedPath(r.URL.Query().Get(\"path\"))\n\tvar info os.FileInfo\n\tif name == \"/\" {\n\t\tinfo = vfs.NewFileInfo(name, true, 0, time.Unix(0, 0), false)\n\t} else {\n\t\tinfo, err = connection.Stat(name, 0)\n\t}\n\tif err != nil {\n\t\ts.renderFilesPage(w, r, path.Dir(name), util.NewI18nError(err, i18nFsMsg(getRespStatus(err))), &user)\n\t\treturn\n\t}\n\tif info.IsDir() {\n\t\ts.renderFilesPage(w, r, name, nil, &user)\n\t\treturn\n\t}\n\tif status, err := downloadFile(w, r, connection, name, info, false, nil); err != nil && status != 0 {\n\t\tif status > 0 {\n\t\t\tif status == http.StatusRequestedRangeNotSatisfiable {\n\t\t\t\ts.renderClientMessagePage(w, r, util.I18nError416Title, status,\n\t\t\t\t\tutil.NewI18nError(err, util.I18nError416Message), \"\")\n\t\t\t\treturn\n\t\t\t}\n\t\t\ts.renderFilesPage(w, r, path.Dir(name), util.NewI18nError(err, i18nFsMsg(status)), &user)\n\t\t}\n\t}\n}\n\nfunc (s *httpdServer) handleClientEditFile(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderClientForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\n\tuser, err := dataprovider.GetUserWithGroupSettings(claims.Username, \"\")\n\tif err != nil {\n\t\ts.renderClientMessagePage(w, r, util.I18nError500Title, getRespStatus(err),\n\t\t\tutil.NewI18nError(err, util.I18nErrorGetUser), \"\")\n\t\treturn\n\t}\n\n\tconnID := xid.New().String()\n\tprotocol := getProtocolFromRequest(r)\n\tconnectionID := fmt.Sprintf(\"%v_%v\", protocol, connID)\n\tif err := checkHTTPClientUser(&user, r, connectionID, false, false); err != nil {\n\t\ts.renderClientForbiddenPage(w, r, err)\n\t\treturn\n\t}\n\tbaseConn := common.NewBaseConnection(connID, protocol, util.GetHTTPLocalAddress(r), r.RemoteAddr, user)\n\tconnection := newConnection(baseConn, w, r)\n\tif err = common.Connections.Add(connection); err != nil {\n\t\ts.renderClientMessagePage(w, r, util.I18nError429Title, http.StatusTooManyRequests,\n\t\t\tutil.NewI18nError(err, util.I18nError429Message), \"\")\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\tname := connection.User.GetCleanedPath(r.URL.Query().Get(\"path\"))\n\tinfo, err := connection.Stat(name, 0)\n\tif err != nil {\n\t\tstatus := getRespStatus(err)\n\t\ts.renderClientMessagePage(w, r, util.I18nErrorEditorTitle, status, util.NewI18nError(err, i18nFsMsg(status)), \"\")\n\t\treturn\n\t}\n\tif info.IsDir() {\n\t\ts.renderClientMessagePage(w, r, util.I18nErrorEditorTitle, http.StatusBadRequest,\n\t\t\tutil.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"The path %q does not point to a file\", name)),\n\t\t\t\tutil.I18nErrorEditDir,\n\t\t\t), \"\")\n\t\treturn\n\t}\n\tif info.Size() > httpdMaxEditFileSize {\n\t\ts.renderClientMessagePage(w, r, util.I18nErrorEditorTitle, http.StatusBadRequest,\n\t\t\tutil.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"The file size %v for %q exceeds the maximum allowed size\",\n\t\t\t\t\tutil.ByteCountIEC(info.Size()), name)),\n\t\t\t\tutil.I18nErrorEditSize,\n\t\t\t), \"\")\n\t\treturn\n\t}\n\n\tconnection.User.CheckFsRoot(connection.ID) //nolint:errcheck\n\treader, err := connection.getFileReader(name, 0, r.Method)\n\tif err != nil {\n\t\ts.renderClientMessagePage(w, r, util.I18nErrorEditorTitle, getRespStatus(err),\n\t\t\tutil.NewI18nError(err, util.I18nError500Message), \"\")\n\t\treturn\n\t}\n\tdefer reader.Close()\n\n\tvar b bytes.Buffer\n\t_, err = io.Copy(&b, reader)\n\tif err != nil {\n\t\ts.renderClientMessagePage(w, r, util.I18nErrorEditorTitle, getRespStatus(err),\n\t\t\tutil.NewI18nError(err, util.I18nError500Message), \"\")\n\t\treturn\n\t}\n\n\ts.renderEditFilePage(w, r, name, b.String(), !user.CanAddFilesFromWeb(path.Dir(name)))\n}\n\nfunc (s *httpdServer) handleClientAddShareGet(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderClientForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\tuser, err := dataprovider.GetUserWithGroupSettings(claims.Username, \"\")\n\tif err != nil {\n\t\ts.renderClientMessagePage(w, r, util.I18nError500Title, getRespStatus(err),\n\t\t\tutil.NewI18nError(err, util.I18nErrorGetUser), \"\")\n\t\treturn\n\t}\n\tshare := &dataprovider.Share{Scope: dataprovider.ShareScopeRead}\n\tif user.Filters.DefaultSharesExpiration > 0 {\n\t\tshare.ExpiresAt = util.GetTimeAsMsSinceEpoch(time.Now().Add(24 * time.Hour * time.Duration(user.Filters.DefaultSharesExpiration)))\n\t} else if user.Filters.MaxSharesExpiration > 0 {\n\t\tshare.ExpiresAt = util.GetTimeAsMsSinceEpoch(time.Now().Add(24 * time.Hour * time.Duration(user.Filters.MaxSharesExpiration)))\n\t}\n\tdirName := \"/\"\n\tif _, ok := r.URL.Query()[\"path\"]; ok {\n\t\tdirName = util.CleanPath(r.URL.Query().Get(\"path\"))\n\t}\n\n\tif _, ok := r.URL.Query()[\"files\"]; ok {\n\t\tfiles := r.URL.Query().Get(\"files\")\n\t\tvar filesList []string\n\t\terr := json.Unmarshal(util.StringToBytes(files), &filesList)\n\t\tif err != nil {\n\t\t\ts.renderClientBadRequestPage(w, r, err)\n\t\t\treturn\n\t\t}\n\t\tfor _, f := range filesList {\n\t\t\tif f != \"\" {\n\t\t\t\tshare.Paths = append(share.Paths, path.Join(dirName, f))\n\t\t\t}\n\t\t}\n\t}\n\n\ts.renderAddUpdateSharePage(w, r, share, nil, true)\n}\n\nfunc (s *httpdServer) handleClientUpdateShareGet(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderClientForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\tshareID := getURLParam(r, \"id\")\n\tshare, err := dataprovider.ShareExists(shareID, claims.Username)\n\tif err == nil {\n\t\ts.renderAddUpdateSharePage(w, r, &share, nil, false)\n\t} else if errors.Is(err, util.ErrNotFound) {\n\t\ts.renderClientNotFoundPage(w, r, err)\n\t} else {\n\t\ts.renderClientInternalServerErrorPage(w, r, err)\n\t}\n}\n\nfunc (s *httpdServer) handleClientAddSharePost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderClientForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\tshare, err := getShareFromPostFields(r)\n\tif err != nil {\n\t\ts.renderAddUpdateSharePage(w, r, share, util.NewI18nError(err, util.I18nError500Message), true)\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderClientForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tshare.ID = 0\n\tshare.ShareID = util.GenerateUniqueID()\n\tshare.LastUseAt = 0\n\tshare.Username = claims.Username\n\tif share.Password == \"\" {\n\t\tif slices.Contains(claims.Permissions, sdk.WebClientShareNoPasswordDisabled) {\n\t\t\ts.renderAddUpdateSharePage(w, r, share,\n\t\t\t\tutil.NewI18nError(util.NewValidationError(\"You are not allowed to share files/folders without password\"), util.I18nErrorShareNoPwd),\n\t\t\t\ttrue)\n\t\t\treturn\n\t\t}\n\t}\n\tuser, err := dataprovider.GetUserWithGroupSettings(claims.Username, \"\")\n\tif err != nil {\n\t\ts.renderAddUpdateSharePage(w, r, share, util.NewI18nError(err, util.I18nErrorGetUser), true)\n\t\treturn\n\t}\n\tif err := user.CheckMaxShareExpiration(util.GetTimeFromMsecSinceEpoch(share.ExpiresAt)); err != nil {\n\t\ts.renderAddUpdateSharePage(w, r, share, util.NewI18nError(\n\t\t\terr,\n\t\t\tutil.I18nErrorShareExpirationOutOfRange,\n\t\t\tutil.I18nErrorArgs(\n\t\t\t\tmap[string]any{\n\t\t\t\t\t\"val\": time.Now().Add(24 * time.Hour * time.Duration(user.Filters.MaxSharesExpiration+1)).UnixMilli(),\n\t\t\t\t\t\"formatParams\": map[string]string{\n\t\t\t\t\t\t\"year\": \"numeric\",\n\t\t\t\t\t\t\"month\": \"numeric\",\n\t\t\t\t\t\t\"day\": \"numeric\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t),\n\t\t), true)\n\t\treturn\n\t}\n\terr = dataprovider.AddShare(share, claims.Username, ipAddr, claims.Role)\n\tif err == nil {\n\t\thttp.Redirect(w, r, webClientSharesPath, http.StatusSeeOther)\n\t} else {\n\t\ts.renderAddUpdateSharePage(w, r, share, util.NewI18nError(err, util.I18nErrorShareGeneric), true)\n\t}\n}\n\nfunc (s *httpdServer) handleClientUpdateSharePost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderClientForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\tshareID := getURLParam(r, \"id\")\n\tshare, err := dataprovider.ShareExists(shareID, claims.Username)\n\tif errors.Is(err, util.ErrNotFound) {\n\t\ts.renderClientNotFoundPage(w, r, err)\n\t\treturn\n\t} else if err != nil {\n\t\ts.renderClientInternalServerErrorPage(w, r, err)\n\t\treturn\n\t}\n\tupdatedShare, err := getShareFromPostFields(r)\n\tif err != nil {\n\t\ts.renderAddUpdateSharePage(w, r, updatedShare, util.NewI18nError(err, util.I18nError500Message), false)\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderClientForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tupdatedShare.ShareID = shareID\n\tupdatedShare.Username = claims.Username\n\tif updatedShare.Password == redactedSecret {\n\t\tupdatedShare.Password = share.Password\n\t}\n\tif updatedShare.Password == \"\" {\n\t\tif slices.Contains(claims.Permissions, sdk.WebClientShareNoPasswordDisabled) {\n\t\t\ts.renderAddUpdateSharePage(w, r, updatedShare,\n\t\t\t\tutil.NewI18nError(util.NewValidationError(\"You are not allowed to share files/folders without password\"), util.I18nErrorShareNoPwd),\n\t\t\t\tfalse)\n\t\t\treturn\n\t\t}\n\t}\n\tuser, err := dataprovider.GetUserWithGroupSettings(claims.Username, \"\")\n\tif err != nil {\n\t\ts.renderAddUpdateSharePage(w, r, updatedShare, util.NewI18nError(err, util.I18nErrorGetUser), false)\n\t\treturn\n\t}\n\tif err := user.CheckMaxShareExpiration(util.GetTimeFromMsecSinceEpoch(updatedShare.ExpiresAt)); err != nil {\n\t\ts.renderAddUpdateSharePage(w, r, updatedShare, util.NewI18nError(\n\t\t\terr,\n\t\t\tutil.I18nErrorShareExpirationOutOfRange,\n\t\t\tutil.I18nErrorArgs(\n\t\t\t\tmap[string]any{\n\t\t\t\t\t\"val\": time.Now().Add(24 * time.Hour * time.Duration(user.Filters.MaxSharesExpiration+1)).UnixMilli(),\n\t\t\t\t\t\"formatParams\": map[string]string{\n\t\t\t\t\t\t\"year\": \"numeric\",\n\t\t\t\t\t\t\"month\": \"numeric\",\n\t\t\t\t\t\t\"day\": \"numeric\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t),\n\t\t), false)\n\t\treturn\n\t}\n\terr = dataprovider.UpdateShare(updatedShare, claims.Username, ipAddr, claims.Role)\n\tif err == nil {\n\t\thttp.Redirect(w, r, webClientSharesPath, http.StatusSeeOther)\n\t} else {\n\t\ts.renderAddUpdateSharePage(w, r, updatedShare, util.NewI18nError(err, util.I18nErrorShareGeneric), false)\n\t}\n}\n\nfunc getAllShares(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, nil, util.I18nErrorInvalidToken, http.StatusForbidden)\n\t\treturn\n\t}\n\n\tdataGetter := func(limit, offset int) ([]byte, int, error) {\n\t\tshares, err := dataprovider.GetShares(limit, offset, dataprovider.OrderASC, claims.Username)\n\t\tif err != nil {\n\t\t\treturn nil, 0, err\n\t\t}\n\t\tdata, err := json.Marshal(shares)\n\t\treturn data, len(shares), err\n\t}\n\n\tstreamJSONArray(w, defaultQueryLimit, dataGetter)\n}\n\nfunc (s *httpdServer) handleClientGetShares(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\tdata := clientSharesPage{\n\t\tbaseClientPage: s.getBaseClientPageData(util.I18nSharesTitle, webClientSharesPath, w, r),\n\t\tBasePublicSharesURL: webClientPubSharesPath,\n\t\tBaseURL: s.binding.BaseURL,\n\t}\n\trenderClientTemplate(w, templateClientShares, data)\n}\n\nfunc (s *httpdServer) handleClientGetProfile(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\ts.renderClientProfilePage(w, r, nil)\n}\n\nfunc (s *httpdServer) handleWebClientChangePwd(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\ts.renderClientChangePasswordPage(w, r, nil)\n}\n\nfunc (s *httpdServer) handleWebClientProfilePost(w http.ResponseWriter, r *http.Request) { //nolint:gocyclo\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\terr := r.ParseForm()\n\tif err != nil {\n\t\ts.renderClientProfilePage(w, r, util.NewI18nError(err, util.I18nErrorInvalidForm))\n\t\treturn\n\t}\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderClientForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderClientForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\tuser, userMerged, err := dataprovider.GetUserVariants(claims.Username, \"\")\n\tif err != nil {\n\t\ts.renderClientProfilePage(w, r, util.NewI18nError(err, util.I18nErrorGetUser))\n\t\treturn\n\t}\n\tif !userMerged.CanUpdateProfile() {\n\t\ts.renderClientForbiddenPage(w, r, util.NewI18nError(\n\t\t\terrors.New(\"you are not allowed to change anything\"),\n\t\t\tutil.I18nErrorNoPermissions,\n\t\t))\n\t\treturn\n\t}\n\tif userMerged.CanManagePublicKeys() {\n\t\tfor k := range r.Form {\n\t\t\tif hasPrefixAndSuffix(k, \"public_keys[\", \"][public_key]\") {\n\t\t\t\tr.Form.Add(\"public_keys\", r.Form.Get(k))\n\t\t\t}\n\t\t}\n\t\tuser.PublicKeys = r.Form[\"public_keys\"]\n\t}\n\tif userMerged.CanManageTLSCerts() {\n\t\tfor k := range r.Form {\n\t\t\tif hasPrefixAndSuffix(k, \"tls_certs[\", \"][tls_cert]\") {\n\t\t\t\tr.Form.Add(\"tls_certs\", r.Form.Get(k))\n\t\t\t}\n\t\t}\n\t\tuser.Filters.TLSCerts = r.Form[\"tls_certs\"]\n\t}\n\tif userMerged.CanChangeAPIKeyAuth() {\n\t\tuser.Filters.AllowAPIKeyAuth = r.Form.Get(\"allow_api_key_auth\") != \"\"\n\t}\n\tif userMerged.CanChangeInfo() {\n\t\tuser.Email = strings.TrimSpace(r.Form.Get(\"email\"))\n\t\tuser.Description = r.Form.Get(\"description\")\n\t\tfor k := range r.Form {\n\t\t\tif hasPrefixAndSuffix(k, \"additional_emails[\", \"][additional_email]\") {\n\t\t\t\temail := strings.TrimSpace(r.Form.Get(k))\n\t\t\t\tif email != \"\" {\n\t\t\t\t\tr.Form.Add(\"additional_emails\", email)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tuser.Filters.AdditionalEmails = r.Form[\"additional_emails\"]\n\t}\n\terr = dataprovider.UpdateUser(&user, dataprovider.ActionExecutorSelf, ipAddr, user.Role)\n\tif err != nil {\n\t\ts.renderClientProfilePage(w, r, util.NewI18nError(err, util.I18nError500Message))\n\t\treturn\n\t}\n\ts.renderClientMessagePage(w, r, util.I18nProfileTitle, http.StatusOK, nil, util.I18nProfileUpdated)\n}\n\nfunc (s *httpdServer) handleWebClientMFA(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\ts.renderClientMFAPage(w, r)\n}\n\nfunc (s *httpdServer) handleWebClientTwoFactor(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\ts.renderClientTwoFactorPage(w, r, nil)\n}\n\nfunc (s *httpdServer) handleWebClientTwoFactorRecovery(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\ts.renderClientTwoFactorRecoveryPage(w, r, nil)\n}\n\nfunc getShareFromPostFields(r *http.Request) (*dataprovider.Share, error) {\n\tshare := &dataprovider.Share{}\n\tif err := r.ParseForm(); err != nil {\n\t\treturn share, util.NewI18nError(err, util.I18nErrorInvalidForm)\n\t}\n\tfor k := range r.Form {\n\t\tif hasPrefixAndSuffix(k, \"paths[\", \"][path]\") {\n\t\t\tr.Form.Add(\"paths\", r.Form.Get(k))\n\t\t}\n\t}\n\n\tshare.Name = strings.TrimSpace(r.Form.Get(\"name\"))\n\tshare.Description = r.Form.Get(\"description\")\n\tfor _, p := range r.Form[\"paths\"] {\n\t\tif strings.TrimSpace(p) != \"\" {\n\t\t\tshare.Paths = append(share.Paths, p)\n\t\t}\n\t}\n\tshare.Password = strings.TrimSpace(r.Form.Get(\"password\"))\n\tshare.AllowFrom = getSliceFromDelimitedValues(r.Form.Get(\"allowed_ip\"), \",\")\n\tscope, err := strconv.Atoi(r.Form.Get(\"scope\"))\n\tif err != nil {\n\t\treturn share, util.NewI18nError(err, util.I18nErrorShareScope)\n\t}\n\tshare.Scope = dataprovider.ShareScope(scope)\n\tmaxTokens, err := strconv.Atoi(r.Form.Get(\"max_tokens\"))\n\tif err != nil {\n\t\treturn share, util.NewI18nError(err, util.I18nErrorShareMaxTokens)\n\t}\n\tshare.MaxTokens = maxTokens\n\texpirationDateMillis := int64(0)\n\texpirationDateString := strings.TrimSpace(r.Form.Get(\"expiration_date\"))\n\tif expirationDateString != \"\" {\n\t\texpirationDate, err := time.Parse(webDateTimeFormat, expirationDateString)\n\t\tif err != nil {\n\t\t\treturn share, util.NewI18nError(err, util.I18nErrorShareExpiration)\n\t\t}\n\t\texpirationDateMillis = util.GetTimeAsMsSinceEpoch(expirationDate)\n\t}\n\tshare.ExpiresAt = expirationDateMillis\n\treturn share, nil\n}\n\nfunc (s *httpdServer) handleWebClientForgotPwd(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tif !smtp.IsEnabled() {\n\t\ts.renderClientNotFoundPage(w, r, errors.New(\"this page does not exist\"))\n\t\treturn\n\t}\n\ts.renderClientForgotPwdPage(w, r, nil)\n}\n\nfunc (s *httpdServer) handleWebClientForgotPwdPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\n\terr := r.ParseForm()\n\tif err != nil {\n\t\ts.renderClientForgotPwdPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidForm))\n\t\treturn\n\t}\n\tif err := verifyLoginCookieAndCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderClientForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tusername := strings.TrimSpace(r.Form.Get(\"username\"))\n\terr = handleForgotPassword(r, username, false)\n\tif err != nil {\n\t\ts.renderClientForgotPwdPage(w, r, util.NewI18nError(err, util.I18nErrorPwdResetGeneric))\n\t\treturn\n\t}\n\thttp.Redirect(w, r, webClientResetPwdPath, http.StatusFound)\n}\n\nfunc (s *httpdServer) handleWebClientPasswordReset(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)\n\tif !smtp.IsEnabled() {\n\t\ts.renderClientNotFoundPage(w, r, errors.New(\"this page does not exist\"))\n\t\treturn\n\t}\n\ts.renderClientResetPwdPage(w, r, nil)\n}\n\nfunc (s *httpdServer) handleClientViewPDF(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)\n\tname := r.URL.Query().Get(\"path\")\n\tif name == \"\" {\n\t\ts.renderClientBadRequestPage(w, r, errors.New(\"no file specified\"))\n\t\treturn\n\t}\n\tname = util.CleanPath(name)\n\tdata := viewPDFPage{\n\t\tcommonBasePage: getCommonBasePage(r),\n\t\tTitle: path.Base(name),\n\t\tURL: fmt.Sprintf(\"%s?path=%s&_=%d\", webClientGetPDFPath, url.QueryEscape(name), time.Now().UTC().Unix()),\n\t\tBranding: s.binding.webClientBranding(),\n\t\tLanguages: s.binding.languages(),\n\t}\n\trenderClientTemplate(w, templateClientViewPDF, data)\n}\n\nfunc (s *httpdServer) handleClientGetPDF(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\ts.renderClientForbiddenPage(w, r, util.NewI18nError(errInvalidTokenClaims, util.I18nErrorInvalidToken))\n\t\treturn\n\t}\n\tname := r.URL.Query().Get(\"path\")\n\tif name == \"\" {\n\t\ts.renderClientBadRequestPage(w, r, util.NewI18nError(errors.New(\"no file specified\"), util.I18nError400Message))\n\t\treturn\n\t}\n\tname = util.CleanPath(name)\n\tuser, err := dataprovider.GetUserWithGroupSettings(claims.Username, \"\")\n\tif err != nil {\n\t\ts.renderClientMessagePage(w, r, util.I18nError500Title, getRespStatus(err),\n\t\t\tutil.NewI18nError(err, util.I18nErrorGetUser), \"\")\n\t\treturn\n\t}\n\n\tconnID := xid.New().String()\n\tprotocol := getProtocolFromRequest(r)\n\tconnectionID := fmt.Sprintf(\"%v_%v\", protocol, connID)\n\tif err := checkHTTPClientUser(&user, r, connectionID, false, false); err != nil {\n\t\ts.renderClientForbiddenPage(w, r, err)\n\t\treturn\n\t}\n\tbaseConn := common.NewBaseConnection(connID, protocol, util.GetHTTPLocalAddress(r), r.RemoteAddr, user)\n\tconnection := newConnection(baseConn, w, r)\n\tif err = common.Connections.Add(connection); err != nil {\n\t\ts.renderClientMessagePage(w, r, util.I18nError429Title, http.StatusTooManyRequests,\n\t\t\tutil.NewI18nError(err, util.I18nError429Message), \"\")\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\tinfo, err := connection.Stat(name, 0)\n\tif err != nil {\n\t\tstatus := getRespStatus(err)\n\t\ts.renderClientMessagePage(w, r, util.I18nErrorPDFTitle, status, util.NewI18nError(err, i18nFsMsg(status)), \"\")\n\t\treturn\n\t}\n\tif info.IsDir() {\n\t\ts.renderClientBadRequestPage(w, r, util.NewI18nError(fmt.Errorf(\"%q is not a file\", name), util.I18nErrorPDFMessage))\n\t\treturn\n\t}\n\tconnection.User.CheckFsRoot(connection.ID) //nolint:errcheck\n\tif err := s.ensurePDF(w, r, name, connection); err != nil {\n\t\treturn\n\t}\n\tdownloadFile(w, r, connection, name, info, true, nil) //nolint:errcheck\n}\n\nfunc (s *httpdServer) ensurePDF(w http.ResponseWriter, r *http.Request, name string, connection *Connection) error {\n\treader, err := connection.getFileReader(name, 0, r.Method)\n\tif err != nil {\n\t\ts.renderClientMessagePage(w, r, util.I18nErrorPDFTitle,\n\t\t\tgetRespStatus(err), util.NewI18nError(err, util.I18nError500Message), \"\")\n\t\treturn err\n\t}\n\tdefer reader.Close()\n\n\tvar b bytes.Buffer\n\t_, err = io.CopyN(&b, reader, 128)\n\tif err != nil {\n\t\ts.renderClientMessagePage(w, r, util.I18nErrorPDFTitle, getRespStatus(err),\n\t\t\tutil.NewI18nError(err, util.I18nErrorPDFMessage), \"\")\n\t\treturn err\n\t}\n\tif ctype := http.DetectContentType(b.Bytes()); ctype != \"application/pdf\" {\n\t\tconnection.Log(logger.LevelDebug, \"detected %q content type, expected PDF, file %q\", ctype, name)\n\t\terr := fmt.Errorf(\"the file %q does not look like a PDF\", name)\n\t\ts.renderClientBadRequestPage(w, r, util.NewI18nError(err, util.I18nErrorPDFMessage))\n\t\treturn err\n\t}\n\treturn nil\n}\n\nfunc (s *httpdServer) handleClientShareLoginGet(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)\n\ts.renderShareLoginPage(w, r, nil)\n}\n\nfunc (s *httpdServer) handleClientShareLoginPost(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tif err := r.ParseForm(); err != nil {\n\t\ts.renderShareLoginPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidForm))\n\t\treturn\n\t}\n\tif err := verifyLoginCookieAndCSRFToken(r, s.csrfTokenAuth); err != nil {\n\t\ts.renderShareLoginPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))\n\t\treturn\n\t}\n\tinvalidateToken(r)\n\tshareID := getURLParam(r, \"id\")\n\tshare, err := dataprovider.ShareExists(shareID, \"\")\n\tif err != nil {\n\t\ts.renderShareLoginPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCredentials))\n\t\treturn\n\t}\n\tmatch, err := share.CheckCredentials(strings.TrimSpace(r.Form.Get(\"share_password\")))\n\tif !match || err != nil {\n\t\ts.renderShareLoginPage(w, r, util.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials))\n\t\treturn\n\t}\n\tnext := path.Clean(r.URL.Query().Get(\"next\"))\n\tbaseShareURL := path.Join(webClientPubSharesPath, share.ShareID)\n\tisRedirect, redirectTo := checkShareRedirectURL(next, baseShareURL)\n\tc := &jwt.Claims{\n\t\tUsername: shareID,\n\t}\n\tif isRedirect {\n\t\tc.Ref = next\n\t}\n\terr = createAndSetCookie(w, r, c, s.tokenAuth, tokenAudienceWebShare, ipAddr)\n\tif err != nil {\n\t\ts.renderShareLoginPage(w, r, util.NewI18nError(err, util.I18nError500Message))\n\t\treturn\n\t}\n\tif isRedirect {\n\t\thttp.Redirect(w, r, redirectTo, http.StatusFound)\n\t\treturn\n\t}\n\ts.renderClientMessagePage(w, r, util.I18nSharedFilesTitle, http.StatusOK, nil, util.I18nShareLoginOK)\n}\n\nfunc (s *httpdServer) handleClientShareLogout(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)\n\n\tshareID := getURLParam(r, \"id\")\n\tctx, claims, err := s.getShareClaims(r, shareID)\n\tif err != nil {\n\t\ts.renderClientMessagePage(w, r, util.I18nShareAccessErrorTitle, http.StatusForbidden,\n\t\t\tutil.NewI18nError(err, util.I18nErrorInvalidToken), \"\")\n\t\treturn\n\t}\n\tremoveCookie(w, r.WithContext(ctx), webBaseClientPath)\n\n\tredirectURL := path.Join(webClientPubSharesPath, shareID, fmt.Sprintf(\"login?next=%s\", url.QueryEscape(claims.Ref)))\n\thttp.Redirect(w, r, redirectURL, http.StatusFound)\n}\n\nfunc (s *httpdServer) handleClientSharedFile(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tvalidScopes := []dataprovider.ShareScope{dataprovider.ShareScopeRead}\n\tshare, _, err := s.checkPublicShare(w, r, validScopes)\n\tif err != nil {\n\t\treturn\n\t}\n\tquery := \"\"\n\tif r.URL.RawQuery != \"\" {\n\t\tquery = \"?\" + r.URL.RawQuery\n\t}\n\ts.renderShareDownloadPage(w, r, &share, path.Join(webClientPubSharesPath, share.ShareID)+query)\n}\n\nfunc (s *httpdServer) handleClientCheckExist(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tconnection, err := getUserConnection(w, r)\n\tif err != nil {\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\tname := connection.User.GetCleanedPath(r.URL.Query().Get(\"path\"))\n\n\tdoCheckExist(w, r, connection, name)\n}\n\nfunc (s *httpdServer) handleClientShareCheckExist(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tvalidScopes := []dataprovider.ShareScope{dataprovider.ShareScopeReadWrite}\n\tshare, connection, err := s.checkPublicShare(w, r, validScopes)\n\tif err != nil {\n\t\treturn\n\t}\n\tif err := validateBrowsableShare(share, connection); err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", getRespStatus(err))\n\t\treturn\n\t}\n\tname, err := getBrowsableSharedPath(share.Paths[0], r)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\tif err = common.Connections.Add(connection); err != nil {\n\t\tsendAPIResponse(w, r, err, \"Unable to add connection\", http.StatusTooManyRequests)\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\tdoCheckExist(w, r, connection, name)\n}\n\ntype filesToCheck struct {\n\tFiles []string `json:\"files\"`\n}\n\nfunc doCheckExist(w http.ResponseWriter, r *http.Request, connection *Connection, name string) {\n\tvar filesList filesToCheck\n\terr := render.DecodeJSON(r.Body, &filesList)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tif len(filesList.Files) == 0 {\n\t\tsendAPIResponse(w, r, errors.New(\"files to be checked are mandatory\"), \"\", http.StatusBadRequest)\n\t\treturn\n\t}\n\n\tlister, err := connection.ListDir(name)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"Unable to get directory contents\", getMappedStatusCode(err))\n\t\treturn\n\t}\n\tdefer lister.Close()\n\n\tdataGetter := func(limit, _ int) ([]byte, int, error) {\n\t\tcontents, err := lister.Next(limit)\n\t\tif errors.Is(err, io.EOF) {\n\t\t\terr = nil\n\t\t}\n\t\tif err != nil {\n\t\t\treturn nil, 0, err\n\t\t}\n\t\texisting := make([]map[string]any, 0)\n\t\tfor _, info := range contents {\n\t\t\tif slices.Contains(filesList.Files, info.Name()) {\n\t\t\t\tres := make(map[string]any)\n\t\t\t\tres[\"name\"] = info.Name()\n\t\t\t\tif info.IsDir() {\n\t\t\t\t\tres[\"type\"] = \"1\"\n\t\t\t\t\tres[\"size\"] = \"\"\n\t\t\t\t} else {\n\t\t\t\t\tres[\"type\"] = \"2\"\n\t\t\t\t\tres[\"size\"] = info.Size()\n\t\t\t\t}\n\t\t\t\texisting = append(existing, res)\n\t\t\t}\n\t\t}\n\t\tdata, err := json.Marshal(existing)\n\t\tcount := limit\n\t\tif len(existing) == 0 {\n\t\t\tcount = 0\n\t\t}\n\t\treturn data, count, err\n\t}\n\n\tstreamJSONArray(w, defaultQueryLimit, dataGetter)\n}\n\nfunc checkShareRedirectURL(next, base string) (bool, string) {\n\tif !strings.HasPrefix(next, base) {\n\t\treturn false, \"\"\n\t}\n\tif next == base {\n\t\treturn true, path.Join(next, \"download\")\n\t}\n\tbaseURL, err := url.Parse(base)\n\tif err != nil {\n\t\treturn false, \"\"\n\t}\n\tnextURL, err := url.Parse(next)\n\tif err != nil {\n\t\treturn false, \"\"\n\t}\n\tif nextURL.Path == baseURL.Path {\n\t\tredirectURL := nextURL.JoinPath(\"download\")\n\t\treturn true, redirectURL.String()\n\t}\n\treturn true, next\n}\n\nfunc getWebTask(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)\n\tclaims, err := jwt.FromContext(r.Context())\n\tif err != nil || claims.Username == \"\" {\n\t\tsendAPIResponse(w, r, err, \"Invalid token claims\", http.StatusBadRequest)\n\t\treturn\n\t}\n\ttaskID := getURLParam(r, \"id\")\n\n\ttask, err := webTaskMgr.Get(taskID)\n\tif err != nil {\n\t\tsendAPIResponse(w, r, err, \"Unable to get task\", getMappedStatusCode(err))\n\t\treturn\n\t}\n\tif task.User != claims.Username {\n\t\tsendAPIResponse(w, r, nil, http.StatusText(http.StatusForbidden), http.StatusForbidden)\n\t\treturn\n\t}\n\trender.JSON(w, r, task)\n}\n\nfunc taskDeleteDir(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tconnection, err := getUserConnection(w, r)\n\tif err != nil {\n\t\treturn\n\t}\n\n\tname := connection.User.GetCleanedPath(r.URL.Query().Get(\"path\"))\n\ttask := webTaskData{\n\t\tID: connection.GetID(),\n\t\tUser: connection.GetUsername(),\n\t\tPath: name,\n\t\tTimestamp: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\tStatus: 0,\n\t}\n\tif err := webTaskMgr.Add(task); err != nil {\n\t\tcommon.Connections.Remove(connection.GetID())\n\t\tsendAPIResponse(w, r, nil, \"Unable to create task\", http.StatusInternalServerError)\n\t\treturn\n\t}\n\tgo executeDeleteTask(connection, task)\n\tsendAPIResponse(w, r, nil, task.ID, http.StatusAccepted)\n}\n\nfunc taskRenameFsEntry(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tconnection, err := getUserConnection(w, r)\n\tif err != nil {\n\t\treturn\n\t}\n\toldName := connection.User.GetCleanedPath(r.URL.Query().Get(\"path\"))\n\tnewName := connection.User.GetCleanedPath(r.URL.Query().Get(\"target\"))\n\ttask := webTaskData{\n\t\tID: connection.GetID(),\n\t\tUser: connection.GetUsername(),\n\t\tPath: oldName,\n\t\tTarget: newName,\n\t\tTimestamp: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\tStatus: 0,\n\t}\n\tif err := webTaskMgr.Add(task); err != nil {\n\t\tcommon.Connections.Remove(connection.GetID())\n\t\tsendAPIResponse(w, r, nil, \"Unable to create task\", http.StatusInternalServerError)\n\t\treturn\n\t}\n\tgo executeRenameTask(connection, task)\n\tsendAPIResponse(w, r, nil, task.ID, http.StatusAccepted)\n}\n\nfunc taskCopyFsEntry(w http.ResponseWriter, r *http.Request) {\n\tr.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)\n\tconnection, err := getUserConnection(w, r)\n\tif err != nil {\n\t\treturn\n\t}\n\tsource := r.URL.Query().Get(\"path\")\n\ttarget := r.URL.Query().Get(\"target\")\n\tcopyFromSource := strings.HasSuffix(source, \"/\")\n\tcopyInTarget := strings.HasSuffix(target, \"/\")\n\tsource = connection.User.GetCleanedPath(source)\n\ttarget = connection.User.GetCleanedPath(target)\n\tif copyFromSource {\n\t\tsource += \"/\"\n\t}\n\tif copyInTarget {\n\t\ttarget += \"/\"\n\t}\n\ttask := webTaskData{\n\t\tID: connection.GetID(),\n\t\tUser: connection.GetUsername(),\n\t\tPath: source,\n\t\tTarget: target,\n\t\tTimestamp: util.GetTimeAsMsSinceEpoch(time.Now()),\n\t\tStatus: 0,\n\t}\n\tif err := webTaskMgr.Add(task); err != nil {\n\t\tcommon.Connections.Remove(connection.GetID())\n\t\tsendAPIResponse(w, r, nil, \"Unable to create task\", http.StatusInternalServerError)\n\t\treturn\n\t}\n\tgo executeCopyTask(connection, task)\n\tsendAPIResponse(w, r, nil, task.ID, http.StatusAccepted)\n}\n\nfunc executeDeleteTask(conn *Connection, task webTaskData) {\n\tdone := make(chan bool)\n\n\tdefer func() {\n\t\tclose(done)\n\t\tcommon.Connections.Remove(conn.GetID())\n\t}()\n\n\tgo keepAliveTask(task, done, 2*time.Minute)\n\n\tstatus := http.StatusOK\n\tif err := conn.RemoveAll(task.Path); err != nil {\n\t\tstatus = getMappedStatusCode(err)\n\t}\n\n\ttask.Timestamp = util.GetTimeAsMsSinceEpoch(time.Now())\n\ttask.Status = status\n\terr := webTaskMgr.Add(task)\n\tconn.Log(logger.LevelDebug, \"delete task finished, status: %d, update task err: %v\", status, err)\n}\n\nfunc executeRenameTask(conn *Connection, task webTaskData) {\n\tdone := make(chan bool)\n\n\tdefer func() {\n\t\tclose(done)\n\t\tcommon.Connections.Remove(conn.GetID())\n\t}()\n\n\tgo keepAliveTask(task, done, 2*time.Minute)\n\n\tstatus := http.StatusOK\n\n\tif !conn.IsSameResource(task.Path, task.Target) {\n\t\tif err := conn.Copy(task.Path, task.Target); err != nil {\n\t\t\tstatus = getMappedStatusCode(err)\n\t\t\ttask.Timestamp = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\t\ttask.Status = status\n\t\t\terr = webTaskMgr.Add(task)\n\t\t\tconn.Log(logger.LevelDebug, \"copy step for rename task finished, status: %d, update task err: %v\", status, err)\n\t\t\treturn\n\t\t}\n\t\tif err := conn.RemoveAll(task.Path); err != nil {\n\t\t\tstatus = getMappedStatusCode(err)\n\t\t}\n\t} else {\n\t\tif err := conn.Rename(task.Path, task.Target); err != nil {\n\t\t\tstatus = getMappedStatusCode(err)\n\t\t}\n\t}\n\n\ttask.Timestamp = util.GetTimeAsMsSinceEpoch(time.Now())\n\ttask.Status = status\n\terr := webTaskMgr.Add(task)\n\tconn.Log(logger.LevelDebug, \"rename task finished, status: %d, update task err: %v\", status, err)\n}\n\nfunc executeCopyTask(conn *Connection, task webTaskData) {\n\tdone := make(chan bool)\n\n\tdefer func() {\n\t\tclose(done)\n\t\tcommon.Connections.Remove(conn.GetID())\n\t}()\n\n\tgo keepAliveTask(task, done, 2*time.Minute)\n\n\tstatus := http.StatusOK\n\tif err := conn.Copy(task.Path, task.Target); err != nil {\n\t\tstatus = getMappedStatusCode(err)\n\t}\n\n\ttask.Timestamp = util.GetTimeAsMsSinceEpoch(time.Now())\n\ttask.Status = status\n\terr := webTaskMgr.Add(task)\n\tconn.Log(logger.LevelDebug, \"copy task finished, status: %d, update task err: %v\", status, err)\n}\n\nfunc keepAliveTask(task webTaskData, done chan bool, interval time.Duration) {\n\tticker := time.NewTicker(interval)\n\tdefer func() {\n\t\tticker.Stop()\n\t}()\n\n\tfor {\n\t\tselect {\n\t\tcase <-done:\n\t\t\treturn\n\t\tcase <-ticker.C:\n\t\t\ttask.Timestamp = util.GetTimeAsMsSinceEpoch(time.Now())\n\t\t\terr := webTaskMgr.Add(task)\n\t\t\tlogger.Debug(logSender, task.ID, \"task timestamp updated, err: %v\", err)\n\t\t}\n\t}\n}\n" }, { "path": "internal/httpd/webtask.go", "content": "// Copyright (C) 2024 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nvar (\n\twebTaskMgr webTaskManager\n)\n\nfunc newWebTaskManager(isShared int) webTaskManager {\n\tif isShared == 1 {\n\t\tlogger.Info(logSender, \"\", \"using provider task manager\")\n\t\treturn &dbTaskManager{}\n\t}\n\tlogger.Info(logSender, \"\", \"using memory task manager\")\n\treturn &memoryTaskManager{}\n}\n\ntype webTaskManager interface {\n\tAdd(data webTaskData) error\n\tGet(ID string) (webTaskData, error)\n\tCleanup()\n}\n\ntype webTaskData struct {\n\tID string `json:\"id\"`\n\tUser string `json:\"user\"`\n\tPath string `json:\"path\"`\n\tTarget string `json:\"target\"`\n\tTimestamp int64 `json:\"ts\"`\n\tStatus int `json:\"status\"` // 0 in progress or http status code (200 ok, 403 and so on)\n}\n\ntype memoryTaskManager struct {\n\ttasks sync.Map\n}\n\nfunc (m *memoryTaskManager) Add(data webTaskData) error {\n\tm.tasks.Store(data.ID, &data)\n\treturn nil\n}\n\nfunc (m *memoryTaskManager) Get(ID string) (webTaskData, error) {\n\tdata, ok := m.tasks.Load(ID)\n\tif !ok {\n\t\treturn webTaskData{}, util.NewRecordNotFoundError(fmt.Sprintf(\"task for ID %q not found\", ID))\n\t}\n\treturn *data.(*webTaskData), nil\n}\n\nfunc (m *memoryTaskManager) Cleanup() {\n\tm.tasks.Range(func(key, value any) bool {\n\t\tdata := value.(*webTaskData)\n\t\tif data.Timestamp < util.GetTimeAsMsSinceEpoch(time.Now().Add(-5*time.Minute)) {\n\t\t\tm.tasks.Delete(key)\n\t\t}\n\t\treturn true\n\t})\n}\n\ntype dbTaskManager struct{}\n\nfunc (m *dbTaskManager) Add(data webTaskData) error {\n\tsession := dataprovider.Session{\n\t\tKey: data.ID,\n\t\tData: data,\n\t\tType: dataprovider.SessionTypeWebTask,\n\t\tTimestamp: data.Timestamp,\n\t}\n\treturn dataprovider.AddSharedSession(session)\n}\n\nfunc (m *dbTaskManager) Get(ID string) (webTaskData, error) {\n\tsess, err := dataprovider.GetSharedSession(ID, dataprovider.SessionTypeWebTask)\n\tif err != nil {\n\t\treturn webTaskData{}, err\n\t}\n\td := sess.Data.([]byte)\n\tvar data webTaskData\n\terr = json.Unmarshal(d, &data)\n\treturn data, err\n}\n\nfunc (m *dbTaskManager) Cleanup() {\n\tdataprovider.CleanupSharedSessions(dataprovider.SessionTypeWebTask, time.Now().Add(-5*time.Minute)) //nolint:errcheck\n}\n" }, { "path": "internal/httpd/webtask_test.go", "content": "// Copyright (C) 2024 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpd\n\nimport (\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/rs/xid\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nfunc TestMemoryWebTaskManager(t *testing.T) {\n\tmgr := newWebTaskManager(0)\n\tm, ok := mgr.(*memoryTaskManager)\n\trequire.True(t, ok)\n\ttask := webTaskData{\n\t\tID: xid.New().String(),\n\t\tUser: defeaultUsername,\n\t\tTimestamp: time.Now().Add(-1 * time.Hour).UnixMilli(),\n\t\tStatus: 0,\n\t}\n\ttask1 := webTaskData{\n\t\tID: xid.New().String(),\n\t\tUser: defeaultUsername,\n\t\tTimestamp: time.Now().UnixMilli(),\n\t\tStatus: 0,\n\t}\n\terr := m.Add(task)\n\trequire.NoError(t, err)\n\terr = m.Add(task1)\n\trequire.NoError(t, err)\n\ttaskGet, err := m.Get(task.ID)\n\trequire.NoError(t, err)\n\trequire.Equal(t, task, taskGet)\n\tm.Cleanup()\n\t_, err = m.Get(task.ID)\n\trequire.ErrorIs(t, err, util.ErrNotFound)\n\ttaskGet, err = m.Get(task1.ID)\n\trequire.NoError(t, err)\n\trequire.Equal(t, task1, taskGet)\n\ttask1.Timestamp = time.Now().Add(-1 * time.Hour).UnixMilli()\n\terr = m.Add(task1)\n\trequire.NoError(t, err)\n\tm.Cleanup()\n\t_, err = m.Get(task.ID)\n\trequire.ErrorIs(t, err, util.ErrNotFound)\n\t// test keep alive task\n\toldMgr := webTaskMgr\n\twebTaskMgr = mgr\n\n\tdone := make(chan bool)\n\tgo keepAliveTask(task, done, 50*time.Millisecond)\n\n\ttime.Sleep(120 * time.Millisecond)\n\tclose(done)\n\ttaskGet, err = m.Get(task.ID)\n\trequire.NoError(t, err)\n\tassert.Greater(t, taskGet.Timestamp, task.Timestamp)\n\tm.Cleanup()\n\t_, err = m.Get(task.ID)\n\trequire.NoError(t, err)\n\terr = m.Add(task)\n\trequire.NoError(t, err)\n\tm.Cleanup()\n\t_, err = m.Get(task.ID)\n\trequire.ErrorIs(t, err, util.ErrNotFound)\n\n\twebTaskMgr = oldMgr\n}\n\nfunc TestDbWebTaskManager(t *testing.T) {\n\tif !isSharedProviderSupported() {\n\t\tt.Skip(\"this test it is not available with this provider\")\n\t}\n\tmgr := newWebTaskManager(1)\n\tm, ok := mgr.(*dbTaskManager)\n\trequire.True(t, ok)\n\n\ttask := webTaskData{\n\t\tID: xid.New().String(),\n\t\tUser: defeaultUsername,\n\t\tTimestamp: time.Now().Add(-1 * time.Hour).UnixMilli(),\n\t\tStatus: 0,\n\t}\n\terr := m.Add(task)\n\trequire.NoError(t, err)\n\ttaskGet, err := m.Get(task.ID)\n\trequire.NoError(t, err)\n\trequire.Equal(t, task, taskGet)\n\tm.Cleanup()\n\t_, err = m.Get(task.ID)\n\trequire.ErrorIs(t, err, util.ErrNotFound)\n\terr = m.Add(task)\n\trequire.NoError(t, err)\n\t// test keep alive task\n\toldMgr := webTaskMgr\n\twebTaskMgr = mgr\n\n\tdone := make(chan bool)\n\tgo keepAliveTask(task, done, 50*time.Millisecond)\n\n\ttime.Sleep(120 * time.Millisecond)\n\tclose(done)\n\ttaskGet, err = m.Get(task.ID)\n\trequire.NoError(t, err)\n\tassert.Greater(t, taskGet.Timestamp, task.Timestamp)\n\tm.Cleanup()\n\t_, err = m.Get(task.ID)\n\trequire.NoError(t, err)\n\terr = m.Add(task)\n\trequire.NoError(t, err)\n\tm.Cleanup()\n\t_, err = m.Get(task.ID)\n\trequire.ErrorIs(t, err, util.ErrNotFound)\n\n\twebTaskMgr = oldMgr\n}\n" }, { "path": "internal/httpdtest/httpdtest.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n// Package httpdtest provides utilities for testing the supported REST API.\npackage httpdtest\n\nimport (\n\t\"bytes\"\n\t\"encoding/hex\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"path\"\n\t\"slices\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"github.com/go-chi/render\"\n\t\"github.com/sftpgo/sdk\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpclient\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nconst (\n\ttokenPath = \"/api/v2/token\"\n\tactiveConnectionsPath = \"/api/v2/connections\"\n\tquotasBasePath = \"/api/v2/quotas\"\n\tquotaScanPath = \"/api/v2/quotas/users/scans\"\n\tquotaScanVFolderPath = \"/api/v2/quotas/folders/scans\"\n\tuserPath = \"/api/v2/users\"\n\tgroupPath = \"/api/v2/groups\"\n\tversionPath = \"/api/v2/version\"\n\tfolderPath = \"/api/v2/folders\"\n\tserverStatusPath = \"/api/v2/status\"\n\tdumpDataPath = \"/api/v2/dumpdata\"\n\tloadDataPath = \"/api/v2/loaddata\"\n\tdefenderHosts = \"/api/v2/defender/hosts\"\n\tadminPath = \"/api/v2/admins\"\n\tadminPwdPath = \"/api/v2/admin/changepwd\"\n\tapiKeysPath = \"/api/v2/apikeys\"\n\tretentionChecksPath = \"/api/v2/retention/users/checks\"\n\teventActionsPath = \"/api/v2/eventactions\"\n\teventRulesPath = \"/api/v2/eventrules\"\n\trolesPath = \"/api/v2/roles\"\n\tipListsPath = \"/api/v2/iplists\"\n)\n\nconst (\n\tdefaultTokenAuthUser = \"admin\"\n\tdefaultTokenAuthPass = \"password\"\n)\n\nvar (\n\thttpBaseURL = \"http://127.0.0.1:8080\"\n\tjwtToken = \"\"\n)\n\n// SetBaseURL sets the base url to use for HTTP requests.\n// Default URL is \"http://127.0.0.1:8080\"\nfunc SetBaseURL(url string) {\n\thttpBaseURL = url\n}\n\n// SetJWTToken sets the JWT token to use\nfunc SetJWTToken(token string) {\n\tjwtToken = token\n}\n\nfunc sendHTTPRequest(method, url string, body io.Reader, contentType, token string) (*http.Response, error) {\n\treq, err := http.NewRequest(method, url, body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif contentType != \"\" {\n\t\treq.Header.Set(\"Content-Type\", \"application/json\")\n\t}\n\tif token != \"\" {\n\t\treq.Header.Set(\"Authorization\", fmt.Sprintf(\"Bearer %v\", token))\n\t}\n\treturn httpclient.GetHTTPClient().Do(req)\n}\n\nfunc buildURLRelativeToBase(paths ...string) string {\n\t// we need to use path.Join and not filepath.Join\n\t// since filepath.Join will use backslash separator on Windows\n\tp := path.Join(paths...)\n\treturn fmt.Sprintf(\"%s/%s\", strings.TrimRight(httpBaseURL, \"/\"), strings.TrimLeft(p, \"/\"))\n}\n\n// GetToken tries to return a JWT token\nfunc GetToken(username, password string) (string, map[string]any, error) {\n\treq, err := http.NewRequest(http.MethodGet, buildURLRelativeToBase(tokenPath), nil)\n\tif err != nil {\n\t\treturn \"\", nil, err\n\t}\n\treq.SetBasicAuth(username, password)\n\tresp, err := httpclient.GetHTTPClient().Do(req)\n\tif err != nil {\n\t\treturn \"\", nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\terr = checkResponse(resp.StatusCode, http.StatusOK)\n\tif err != nil {\n\t\treturn \"\", nil, err\n\t}\n\tresponseHolder := make(map[string]any)\n\terr = render.DecodeJSON(resp.Body, &responseHolder)\n\tif err != nil {\n\t\treturn \"\", nil, err\n\t}\n\treturn responseHolder[\"access_token\"].(string), responseHolder, nil\n}\n\nfunc getDefaultToken() string {\n\tif jwtToken != \"\" {\n\t\treturn jwtToken\n\t}\n\ttoken, _, err := GetToken(defaultTokenAuthUser, defaultTokenAuthPass)\n\tif err != nil {\n\t\treturn \"\"\n\t}\n\treturn token\n}\n\n// AddUser adds a new user and checks the received HTTP Status code against expectedStatusCode.\nfunc AddUser(user dataprovider.User, expectedStatusCode int) (dataprovider.User, []byte, error) {\n\tvar newUser dataprovider.User\n\tvar body []byte\n\tuserAsJSON, _ := json.Marshal(user)\n\tresp, err := sendHTTPRequest(http.MethodPost, buildURLRelativeToBase(userPath), bytes.NewBuffer(userAsJSON),\n\t\t\"application/json\", getDefaultToken())\n\tif err != nil {\n\t\treturn newUser, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif expectedStatusCode != http.StatusCreated {\n\t\tbody, _ = getResponseBody(resp)\n\t\treturn newUser, body, err\n\t}\n\tif err == nil {\n\t\terr = render.DecodeJSON(resp.Body, &newUser)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\tif err == nil {\n\t\terr = checkUser(&user, &newUser)\n\t}\n\treturn newUser, body, err\n}\n\n// UpdateUserWithJSON update a user using the provided JSON as POST body\nfunc UpdateUserWithJSON(user dataprovider.User, expectedStatusCode int, disconnect string, userAsJSON []byte) (dataprovider.User, []byte, error) {\n\tvar newUser dataprovider.User\n\tvar body []byte\n\turl, err := addUpdateUserQueryParams(buildURLRelativeToBase(userPath, url.PathEscape(user.Username)), disconnect)\n\tif err != nil {\n\t\treturn user, body, err\n\t}\n\tresp, err := sendHTTPRequest(http.MethodPut, url.String(), bytes.NewBuffer(userAsJSON), \"application/json\",\n\t\tgetDefaultToken())\n\tif err != nil {\n\t\treturn user, body, err\n\t}\n\tdefer resp.Body.Close()\n\tbody, _ = getResponseBody(resp)\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif expectedStatusCode != http.StatusOK {\n\t\treturn newUser, body, err\n\t}\n\tif err == nil {\n\t\tnewUser, body, err = GetUserByUsername(user.Username, expectedStatusCode)\n\t}\n\tif err == nil {\n\t\terr = checkUser(&user, &newUser)\n\t}\n\treturn newUser, body, err\n}\n\n// UpdateUser updates an existing user and checks the received HTTP Status code against expectedStatusCode.\nfunc UpdateUser(user dataprovider.User, expectedStatusCode int, disconnect string) (dataprovider.User, []byte, error) {\n\tuserAsJSON, _ := json.Marshal(user)\n\treturn UpdateUserWithJSON(user, expectedStatusCode, disconnect, userAsJSON)\n}\n\n// RemoveUser removes an existing user and checks the received HTTP Status code against expectedStatusCode.\nfunc RemoveUser(user dataprovider.User, expectedStatusCode int) ([]byte, error) {\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodDelete, buildURLRelativeToBase(userPath, url.PathEscape(user.Username)),\n\t\tnil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn body, err\n\t}\n\tdefer resp.Body.Close()\n\tbody, _ = getResponseBody(resp)\n\treturn body, checkResponse(resp.StatusCode, expectedStatusCode)\n}\n\n// GetUserByUsername gets a user by username and checks the received HTTP Status code against expectedStatusCode.\nfunc GetUserByUsername(username string, expectedStatusCode int) (dataprovider.User, []byte, error) {\n\tvar user dataprovider.User\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodGet, buildURLRelativeToBase(userPath, url.PathEscape(username)),\n\t\tnil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn user, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, &user)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn user, body, err\n}\n\n// GetUsers returns a list of users and checks the received HTTP Status code against expectedStatusCode.\n// The number of results can be limited specifying a limit.\n// Some results can be skipped specifying an offset.\nfunc GetUsers(limit, offset int64, expectedStatusCode int) ([]dataprovider.User, []byte, error) {\n\tvar users []dataprovider.User\n\tvar body []byte\n\turl, err := addLimitAndOffsetQueryParams(buildURLRelativeToBase(userPath), limit, offset)\n\tif err != nil {\n\t\treturn users, body, err\n\t}\n\tresp, err := sendHTTPRequest(http.MethodGet, url.String(), nil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn users, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, &users)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn users, body, err\n}\n\n// AddGroup adds a new group and checks the received HTTP Status code against expectedStatusCode.\nfunc AddGroup(group dataprovider.Group, expectedStatusCode int) (dataprovider.Group, []byte, error) {\n\tvar newGroup dataprovider.Group\n\tvar body []byte\n\tasJSON, _ := json.Marshal(group)\n\tresp, err := sendHTTPRequest(http.MethodPost, buildURLRelativeToBase(groupPath), bytes.NewBuffer(asJSON),\n\t\t\"application/json\", getDefaultToken())\n\tif err != nil {\n\t\treturn newGroup, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif expectedStatusCode != http.StatusCreated {\n\t\tbody, _ = getResponseBody(resp)\n\t\treturn newGroup, body, err\n\t}\n\tif err == nil {\n\t\terr = render.DecodeJSON(resp.Body, &newGroup)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\tif err == nil {\n\t\tgroup.UserSettings.Filters.TLSCerts = nil\n\t\terr = checkGroup(group, newGroup)\n\t}\n\treturn newGroup, body, err\n}\n\n// UpdateGroup updates an existing group and checks the received HTTP Status code against expectedStatusCode\nfunc UpdateGroup(group dataprovider.Group, expectedStatusCode int) (dataprovider.Group, []byte, error) {\n\tvar newGroup dataprovider.Group\n\tvar body []byte\n\n\tasJSON, _ := json.Marshal(group)\n\tresp, err := sendHTTPRequest(http.MethodPut, buildURLRelativeToBase(groupPath, url.PathEscape(group.Name)),\n\t\tbytes.NewBuffer(asJSON), \"application/json\", getDefaultToken())\n\tif err != nil {\n\t\treturn newGroup, body, err\n\t}\n\tdefer resp.Body.Close()\n\tbody, _ = getResponseBody(resp)\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif expectedStatusCode != http.StatusOK {\n\t\treturn newGroup, body, err\n\t}\n\tif err == nil {\n\t\tnewGroup, body, err = GetGroupByName(group.Name, expectedStatusCode)\n\t}\n\tif err == nil {\n\t\terr = checkGroup(group, newGroup)\n\t}\n\treturn newGroup, body, err\n}\n\n// RemoveGroup removes an existing group and checks the received HTTP Status code against expectedStatusCode.\nfunc RemoveGroup(group dataprovider.Group, expectedStatusCode int) ([]byte, error) {\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodDelete, buildURLRelativeToBase(groupPath, url.PathEscape(group.Name)),\n\t\tnil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn body, err\n\t}\n\tdefer resp.Body.Close()\n\tbody, _ = getResponseBody(resp)\n\treturn body, checkResponse(resp.StatusCode, expectedStatusCode)\n}\n\n// GetGroupByName gets a group by name and checks the received HTTP Status code against expectedStatusCode.\nfunc GetGroupByName(name string, expectedStatusCode int) (dataprovider.Group, []byte, error) {\n\tvar group dataprovider.Group\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodGet, buildURLRelativeToBase(groupPath, url.PathEscape(name)),\n\t\tnil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn group, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, &group)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn group, body, err\n}\n\n// GetGroups returns a list of groups and checks the received HTTP Status code against expectedStatusCode.\n// The number of results can be limited specifying a limit.\n// Some results can be skipped specifying an offset.\nfunc GetGroups(limit, offset int64, expectedStatusCode int) ([]dataprovider.Group, []byte, error) {\n\tvar groups []dataprovider.Group\n\tvar body []byte\n\turl, err := addLimitAndOffsetQueryParams(buildURLRelativeToBase(groupPath), limit, offset)\n\tif err != nil {\n\t\treturn groups, body, err\n\t}\n\tresp, err := sendHTTPRequest(http.MethodGet, url.String(), nil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn groups, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, &groups)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn groups, body, err\n}\n\n// AddRole adds a new role and checks the received HTTP Status code against expectedStatusCode.\nfunc AddRole(role dataprovider.Role, expectedStatusCode int) (dataprovider.Role, []byte, error) {\n\tvar newRole dataprovider.Role\n\tvar body []byte\n\tasJSON, _ := json.Marshal(role)\n\tresp, err := sendHTTPRequest(http.MethodPost, buildURLRelativeToBase(rolesPath), bytes.NewBuffer(asJSON),\n\t\t\"application/json\", getDefaultToken())\n\tif err != nil {\n\t\treturn newRole, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif expectedStatusCode != http.StatusCreated {\n\t\tbody, _ = getResponseBody(resp)\n\t\treturn newRole, body, err\n\t}\n\tif err == nil {\n\t\terr = render.DecodeJSON(resp.Body, &newRole)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\tif err == nil {\n\t\terr = checkRole(role, newRole)\n\t}\n\treturn newRole, body, err\n}\n\n// UpdateRole updates an existing role and checks the received HTTP Status code against expectedStatusCode\nfunc UpdateRole(role dataprovider.Role, expectedStatusCode int) (dataprovider.Role, []byte, error) {\n\tvar newRole dataprovider.Role\n\tvar body []byte\n\n\tasJSON, _ := json.Marshal(role)\n\tresp, err := sendHTTPRequest(http.MethodPut, buildURLRelativeToBase(rolesPath, url.PathEscape(role.Name)),\n\t\tbytes.NewBuffer(asJSON), \"application/json\", getDefaultToken())\n\tif err != nil {\n\t\treturn newRole, body, err\n\t}\n\tdefer resp.Body.Close()\n\tbody, _ = getResponseBody(resp)\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif expectedStatusCode != http.StatusOK {\n\t\treturn newRole, body, err\n\t}\n\tif err == nil {\n\t\tnewRole, body, err = GetRoleByName(role.Name, expectedStatusCode)\n\t}\n\tif err == nil {\n\t\terr = checkRole(role, newRole)\n\t}\n\treturn newRole, body, err\n}\n\n// RemoveRole removes an existing role and checks the received HTTP Status code against expectedStatusCode.\nfunc RemoveRole(role dataprovider.Role, expectedStatusCode int) ([]byte, error) {\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodDelete, buildURLRelativeToBase(rolesPath, url.PathEscape(role.Name)),\n\t\tnil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn body, err\n\t}\n\tdefer resp.Body.Close()\n\tbody, _ = getResponseBody(resp)\n\treturn body, checkResponse(resp.StatusCode, expectedStatusCode)\n}\n\n// GetRoleByName gets a role by name and checks the received HTTP Status code against expectedStatusCode.\nfunc GetRoleByName(name string, expectedStatusCode int) (dataprovider.Role, []byte, error) {\n\tvar role dataprovider.Role\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodGet, buildURLRelativeToBase(rolesPath, url.PathEscape(name)),\n\t\tnil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn role, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, &role)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn role, body, err\n}\n\n// GetRoles returns a list of roles and checks the received HTTP Status code against expectedStatusCode.\n// The number of results can be limited specifying a limit.\n// Some results can be skipped specifying an offset.\nfunc GetRoles(limit, offset int64, expectedStatusCode int) ([]dataprovider.Role, []byte, error) {\n\tvar roles []dataprovider.Role\n\tvar body []byte\n\turl, err := addLimitAndOffsetQueryParams(buildURLRelativeToBase(rolesPath), limit, offset)\n\tif err != nil {\n\t\treturn roles, body, err\n\t}\n\tresp, err := sendHTTPRequest(http.MethodGet, url.String(), nil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn roles, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, &roles)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn roles, body, err\n}\n\n// AddIPListEntry adds a new IP list entry and checks the received HTTP Status code against expectedStatusCode.\nfunc AddIPListEntry(entry dataprovider.IPListEntry, expectedStatusCode int) (dataprovider.IPListEntry, []byte, error) {\n\tvar newEntry dataprovider.IPListEntry\n\tvar body []byte\n\n\tasJSON, _ := json.Marshal(entry)\n\tresp, err := sendHTTPRequest(http.MethodPost, buildURLRelativeToBase(ipListsPath, strconv.Itoa(int(entry.Type))),\n\t\tbytes.NewBuffer(asJSON), \"application/json\", getDefaultToken())\n\tif err != nil {\n\t\treturn newEntry, body, err\n\t}\n\tdefer resp.Body.Close()\n\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif expectedStatusCode != http.StatusCreated {\n\t\tbody, _ = getResponseBody(resp)\n\t\treturn newEntry, body, err\n\t}\n\tif err == nil {\n\t\tnewEntry, body, err = GetIPListEntry(entry.IPOrNet, entry.Type, http.StatusOK)\n\t}\n\tif err == nil {\n\t\terr = checkIPListEntry(entry, newEntry)\n\t}\n\treturn newEntry, body, err\n}\n\n// UpdateIPListEntry updates an existing IP list entry and checks the received HTTP Status code against expectedStatusCode\nfunc UpdateIPListEntry(entry dataprovider.IPListEntry, expectedStatusCode int) (dataprovider.IPListEntry, []byte, error) {\n\tvar newEntry dataprovider.IPListEntry\n\tvar body []byte\n\n\tasJSON, _ := json.Marshal(entry)\n\tresp, err := sendHTTPRequest(http.MethodPut, buildURLRelativeToBase(ipListsPath, fmt.Sprintf(\"%d\", entry.Type),\n\t\turl.PathEscape(entry.IPOrNet)), bytes.NewBuffer(asJSON),\n\t\t\"application/json\", getDefaultToken())\n\tif err != nil {\n\t\treturn newEntry, body, err\n\t}\n\tdefer resp.Body.Close()\n\n\tbody, _ = getResponseBody(resp)\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif expectedStatusCode != http.StatusOK {\n\t\treturn newEntry, body, err\n\t}\n\tif err == nil {\n\t\tnewEntry, body, err = GetIPListEntry(entry.IPOrNet, entry.Type, http.StatusOK)\n\t}\n\tif err == nil {\n\t\terr = checkIPListEntry(entry, newEntry)\n\t}\n\treturn newEntry, body, err\n}\n\n// RemoveIPListEntry removes an existing IP list entry and checks the received HTTP Status code against expectedStatusCode.\nfunc RemoveIPListEntry(entry dataprovider.IPListEntry, expectedStatusCode int) ([]byte, error) {\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodDelete, buildURLRelativeToBase(ipListsPath, fmt.Sprintf(\"%d\", entry.Type),\n\t\turl.PathEscape(entry.IPOrNet)), nil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn body, err\n\t}\n\tdefer resp.Body.Close()\n\tbody, _ = getResponseBody(resp)\n\treturn body, checkResponse(resp.StatusCode, expectedStatusCode)\n}\n\n// GetIPListEntry returns an IP list entry matching the specified parameters, if exists,\n// and checks the received HTTP Status code against expectedStatusCode.\nfunc GetIPListEntry(ipOrNet string, listType dataprovider.IPListType, expectedStatusCode int,\n) (dataprovider.IPListEntry, []byte, error) {\n\tvar entry dataprovider.IPListEntry\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodGet, buildURLRelativeToBase(ipListsPath, fmt.Sprintf(\"%d\", listType), url.PathEscape(ipOrNet)),\n\t\tnil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn entry, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, &entry)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn entry, body, err\n}\n\n// GetIPListEntries returns a list of IP list entries and checks the received HTTP Status code against expectedStatusCode.\nfunc GetIPListEntries(listType dataprovider.IPListType, filter, from, order string, limit int64,\n\texpectedStatusCode int,\n) ([]dataprovider.IPListEntry, []byte, error) {\n\tvar entries []dataprovider.IPListEntry\n\tvar body []byte\n\n\turl, err := url.Parse(buildURLRelativeToBase(ipListsPath, strconv.Itoa(int(listType))))\n\tif err != nil {\n\t\treturn entries, body, err\n\t}\n\tq := url.Query()\n\tq.Add(\"filter\", filter)\n\tq.Add(\"from\", from)\n\tq.Add(\"order\", order)\n\tif limit > 0 {\n\t\tq.Add(\"limit\", strconv.FormatInt(limit, 10))\n\t}\n\turl.RawQuery = q.Encode()\n\tresp, err := sendHTTPRequest(http.MethodGet, url.String(), nil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn entries, body, err\n\t}\n\tdefer resp.Body.Close()\n\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, &entries)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn entries, body, err\n}\n\n// AddAdmin adds a new admin and checks the received HTTP Status code against expectedStatusCode.\nfunc AddAdmin(admin dataprovider.Admin, expectedStatusCode int) (dataprovider.Admin, []byte, error) {\n\tvar newAdmin dataprovider.Admin\n\tvar body []byte\n\tasJSON, _ := json.Marshal(admin)\n\tresp, err := sendHTTPRequest(http.MethodPost, buildURLRelativeToBase(adminPath), bytes.NewBuffer(asJSON),\n\t\t\"application/json\", getDefaultToken())\n\tif err != nil {\n\t\treturn newAdmin, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif expectedStatusCode != http.StatusCreated {\n\t\tbody, _ = getResponseBody(resp)\n\t\treturn newAdmin, body, err\n\t}\n\tif err == nil {\n\t\terr = render.DecodeJSON(resp.Body, &newAdmin)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\tif err == nil {\n\t\terr = checkAdmin(&admin, &newAdmin)\n\t}\n\treturn newAdmin, body, err\n}\n\n// UpdateAdmin updates an existing admin and checks the received HTTP Status code against expectedStatusCode\nfunc UpdateAdmin(admin dataprovider.Admin, expectedStatusCode int) (dataprovider.Admin, []byte, error) {\n\tvar newAdmin dataprovider.Admin\n\tvar body []byte\n\n\tasJSON, _ := json.Marshal(admin)\n\tresp, err := sendHTTPRequest(http.MethodPut, buildURLRelativeToBase(adminPath, url.PathEscape(admin.Username)),\n\t\tbytes.NewBuffer(asJSON), \"application/json\", getDefaultToken())\n\tif err != nil {\n\t\treturn newAdmin, body, err\n\t}\n\tdefer resp.Body.Close()\n\tbody, _ = getResponseBody(resp)\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif expectedStatusCode != http.StatusOK {\n\t\treturn newAdmin, body, err\n\t}\n\tif err == nil {\n\t\tnewAdmin, body, err = GetAdminByUsername(admin.Username, expectedStatusCode)\n\t}\n\tif err == nil {\n\t\terr = checkAdmin(&admin, &newAdmin)\n\t}\n\treturn newAdmin, body, err\n}\n\n// RemoveAdmin removes an existing admin and checks the received HTTP Status code against expectedStatusCode.\nfunc RemoveAdmin(admin dataprovider.Admin, expectedStatusCode int) ([]byte, error) {\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodDelete, buildURLRelativeToBase(adminPath, url.PathEscape(admin.Username)),\n\t\tnil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn body, err\n\t}\n\tdefer resp.Body.Close()\n\tbody, _ = getResponseBody(resp)\n\treturn body, checkResponse(resp.StatusCode, expectedStatusCode)\n}\n\n// GetAdminByUsername gets an admin by username and checks the received HTTP Status code against expectedStatusCode.\nfunc GetAdminByUsername(username string, expectedStatusCode int) (dataprovider.Admin, []byte, error) {\n\tvar admin dataprovider.Admin\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodGet, buildURLRelativeToBase(adminPath, url.PathEscape(username)),\n\t\tnil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn admin, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, &admin)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn admin, body, err\n}\n\n// GetAdmins returns a list of admins and checks the received HTTP Status code against expectedStatusCode.\n// The number of results can be limited specifying a limit.\n// Some results can be skipped specifying an offset.\nfunc GetAdmins(limit, offset int64, expectedStatusCode int) ([]dataprovider.Admin, []byte, error) {\n\tvar admins []dataprovider.Admin\n\tvar body []byte\n\turl, err := addLimitAndOffsetQueryParams(buildURLRelativeToBase(adminPath), limit, offset)\n\tif err != nil {\n\t\treturn admins, body, err\n\t}\n\tresp, err := sendHTTPRequest(http.MethodGet, url.String(), nil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn admins, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, &admins)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn admins, body, err\n}\n\n// ChangeAdminPassword changes the password for an existing admin\nfunc ChangeAdminPassword(currentPassword, newPassword string, expectedStatusCode int) ([]byte, error) {\n\tvar body []byte\n\n\tpwdChange := make(map[string]string)\n\tpwdChange[\"current_password\"] = currentPassword\n\tpwdChange[\"new_password\"] = newPassword\n\n\tasJSON, _ := json.Marshal(&pwdChange)\n\tresp, err := sendHTTPRequest(http.MethodPut, buildURLRelativeToBase(adminPwdPath),\n\t\tbytes.NewBuffer(asJSON), \"application/json\", getDefaultToken())\n\tif err != nil {\n\t\treturn body, err\n\t}\n\tdefer resp.Body.Close()\n\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tbody, _ = getResponseBody(resp)\n\n\treturn body, err\n}\n\n// GetAPIKeys returns a list of API keys and checks the received HTTP Status code against expectedStatusCode.\n// The number of results can be limited specifying a limit.\n// Some results can be skipped specifying an offset.\nfunc GetAPIKeys(limit, offset int64, expectedStatusCode int) ([]dataprovider.APIKey, []byte, error) {\n\tvar apiKeys []dataprovider.APIKey\n\tvar body []byte\n\turl, err := addLimitAndOffsetQueryParams(buildURLRelativeToBase(apiKeysPath), limit, offset)\n\tif err != nil {\n\t\treturn apiKeys, body, err\n\t}\n\tresp, err := sendHTTPRequest(http.MethodGet, url.String(), nil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn apiKeys, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, &apiKeys)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn apiKeys, body, err\n}\n\n// AddAPIKey adds a new API key and checks the received HTTP Status code against expectedStatusCode.\nfunc AddAPIKey(apiKey dataprovider.APIKey, expectedStatusCode int) (dataprovider.APIKey, []byte, error) {\n\tvar newAPIKey dataprovider.APIKey\n\tvar body []byte\n\tasJSON, _ := json.Marshal(apiKey)\n\tresp, err := sendHTTPRequest(http.MethodPost, buildURLRelativeToBase(apiKeysPath), bytes.NewBuffer(asJSON),\n\t\t\"application/json\", getDefaultToken())\n\tif err != nil {\n\t\treturn newAPIKey, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif expectedStatusCode != http.StatusCreated {\n\t\tbody, _ = getResponseBody(resp)\n\t\treturn newAPIKey, body, err\n\t}\n\tif err != nil {\n\t\tbody, _ = getResponseBody(resp)\n\t\treturn newAPIKey, body, err\n\t}\n\tresponse := make(map[string]string)\n\terr = render.DecodeJSON(resp.Body, &response)\n\tif err == nil {\n\t\tnewAPIKey, body, err = GetAPIKeyByID(resp.Header.Get(\"X-Object-ID\"), http.StatusOK)\n\t}\n\tif err == nil {\n\t\terr = checkAPIKey(&apiKey, &newAPIKey)\n\t}\n\tnewAPIKey.Key = response[\"key\"]\n\n\treturn newAPIKey, body, err\n}\n\n// UpdateAPIKey updates an existing API key and checks the received HTTP Status code against expectedStatusCode\nfunc UpdateAPIKey(apiKey dataprovider.APIKey, expectedStatusCode int) (dataprovider.APIKey, []byte, error) {\n\tvar newAPIKey dataprovider.APIKey\n\tvar body []byte\n\n\tasJSON, _ := json.Marshal(apiKey)\n\tresp, err := sendHTTPRequest(http.MethodPut, buildURLRelativeToBase(apiKeysPath, url.PathEscape(apiKey.KeyID)),\n\t\tbytes.NewBuffer(asJSON), \"application/json\", getDefaultToken())\n\tif err != nil {\n\t\treturn newAPIKey, body, err\n\t}\n\tdefer resp.Body.Close()\n\tbody, _ = getResponseBody(resp)\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif expectedStatusCode != http.StatusOK {\n\t\treturn newAPIKey, body, err\n\t}\n\tif err == nil {\n\t\tnewAPIKey, body, err = GetAPIKeyByID(apiKey.KeyID, expectedStatusCode)\n\t}\n\tif err == nil {\n\t\terr = checkAPIKey(&apiKey, &newAPIKey)\n\t}\n\treturn newAPIKey, body, err\n}\n\n// RemoveAPIKey removes an existing API key and checks the received HTTP Status code against expectedStatusCode.\nfunc RemoveAPIKey(apiKey dataprovider.APIKey, expectedStatusCode int) ([]byte, error) {\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodDelete, buildURLRelativeToBase(apiKeysPath, url.PathEscape(apiKey.KeyID)),\n\t\tnil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn body, err\n\t}\n\tdefer resp.Body.Close()\n\tbody, _ = getResponseBody(resp)\n\treturn body, checkResponse(resp.StatusCode, expectedStatusCode)\n}\n\n// GetAPIKeyByID gets a API key by ID and checks the received HTTP Status code against expectedStatusCode.\nfunc GetAPIKeyByID(keyID string, expectedStatusCode int) (dataprovider.APIKey, []byte, error) {\n\tvar apiKey dataprovider.APIKey\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodGet, buildURLRelativeToBase(apiKeysPath, url.PathEscape(keyID)),\n\t\tnil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn apiKey, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, &apiKey)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn apiKey, body, err\n}\n\n// AddEventAction adds a new event action\nfunc AddEventAction(action dataprovider.BaseEventAction, expectedStatusCode int) (dataprovider.BaseEventAction, []byte, error) {\n\tvar newAction dataprovider.BaseEventAction\n\tvar body []byte\n\tasJSON, _ := json.Marshal(action)\n\tresp, err := sendHTTPRequest(http.MethodPost, buildURLRelativeToBase(eventActionsPath), bytes.NewBuffer(asJSON),\n\t\t\"application/json\", getDefaultToken())\n\tif err != nil {\n\t\treturn newAction, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif expectedStatusCode != http.StatusCreated {\n\t\tbody, _ = getResponseBody(resp)\n\t\treturn newAction, body, err\n\t}\n\tif err == nil {\n\t\terr = render.DecodeJSON(resp.Body, &newAction)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\tif err == nil {\n\t\terr = checkEventAction(action, newAction)\n\t}\n\treturn newAction, body, err\n}\n\n// UpdateEventAction updates an existing event action\nfunc UpdateEventAction(action dataprovider.BaseEventAction, expectedStatusCode int) (dataprovider.BaseEventAction, []byte, error) {\n\tvar newAction dataprovider.BaseEventAction\n\tvar body []byte\n\n\tasJSON, _ := json.Marshal(action)\n\tresp, err := sendHTTPRequest(http.MethodPut, buildURLRelativeToBase(eventActionsPath, url.PathEscape(action.Name)),\n\t\tbytes.NewBuffer(asJSON), \"application/json\", getDefaultToken())\n\tif err != nil {\n\t\treturn newAction, body, err\n\t}\n\tdefer resp.Body.Close()\n\tbody, _ = getResponseBody(resp)\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif expectedStatusCode != http.StatusOK {\n\t\treturn newAction, body, err\n\t}\n\tif err == nil {\n\t\tnewAction, body, err = GetEventActionByName(action.Name, expectedStatusCode)\n\t}\n\tif err == nil {\n\t\terr = checkEventAction(action, newAction)\n\t}\n\treturn newAction, body, err\n}\n\n// RemoveEventAction removes an existing action and checks the received HTTP Status code against expectedStatusCode.\nfunc RemoveEventAction(action dataprovider.BaseEventAction, expectedStatusCode int) ([]byte, error) {\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodDelete, buildURLRelativeToBase(eventActionsPath, url.PathEscape(action.Name)),\n\t\tnil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn body, err\n\t}\n\tdefer resp.Body.Close()\n\tbody, _ = getResponseBody(resp)\n\treturn body, checkResponse(resp.StatusCode, expectedStatusCode)\n}\n\n// GetEventActionByName gets an event action by name and checks the received HTTP Status code against expectedStatusCode.\nfunc GetEventActionByName(name string, expectedStatusCode int) (dataprovider.BaseEventAction, []byte, error) {\n\tvar action dataprovider.BaseEventAction\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodGet, buildURLRelativeToBase(eventActionsPath, url.PathEscape(name)),\n\t\tnil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn action, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, &action)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn action, body, err\n}\n\n// GetEventActions returns a list of event actions and checks the received HTTP Status code against expectedStatusCode.\n// The number of results can be limited specifying a limit.\n// Some results can be skipped specifying an offset.\nfunc GetEventActions(limit, offset int64, expectedStatusCode int) ([]dataprovider.BaseEventAction, []byte, error) {\n\tvar actions []dataprovider.BaseEventAction\n\tvar body []byte\n\turl, err := addLimitAndOffsetQueryParams(buildURLRelativeToBase(eventActionsPath), limit, offset)\n\tif err != nil {\n\t\treturn actions, body, err\n\t}\n\tresp, err := sendHTTPRequest(http.MethodGet, url.String(), nil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn actions, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, &actions)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn actions, body, err\n}\n\n// AddEventRule adds a new event rule\nfunc AddEventRule(rule dataprovider.EventRule, expectedStatusCode int) (dataprovider.EventRule, []byte, error) {\n\tvar newRule dataprovider.EventRule\n\tvar body []byte\n\tasJSON, _ := json.Marshal(rule)\n\tresp, err := sendHTTPRequest(http.MethodPost, buildURLRelativeToBase(eventRulesPath), bytes.NewBuffer(asJSON),\n\t\t\"application/json\", getDefaultToken())\n\tif err != nil {\n\t\treturn newRule, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif expectedStatusCode != http.StatusCreated {\n\t\tbody, _ = getResponseBody(resp)\n\t\treturn newRule, body, err\n\t}\n\tif err == nil {\n\t\terr = render.DecodeJSON(resp.Body, &newRule)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\tif err == nil {\n\t\terr = checkEventRule(rule, newRule)\n\t}\n\treturn newRule, body, err\n}\n\n// UpdateEventRule updates an existing event rule\nfunc UpdateEventRule(rule dataprovider.EventRule, expectedStatusCode int) (dataprovider.EventRule, []byte, error) {\n\tvar newRule dataprovider.EventRule\n\tvar body []byte\n\n\tasJSON, _ := json.Marshal(rule)\n\tresp, err := sendHTTPRequest(http.MethodPut, buildURLRelativeToBase(eventRulesPath, url.PathEscape(rule.Name)),\n\t\tbytes.NewBuffer(asJSON), \"application/json\", getDefaultToken())\n\tif err != nil {\n\t\treturn newRule, body, err\n\t}\n\tdefer resp.Body.Close()\n\tbody, _ = getResponseBody(resp)\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif expectedStatusCode != http.StatusOK {\n\t\treturn newRule, body, err\n\t}\n\tif err == nil {\n\t\tnewRule, body, err = GetEventRuleByName(rule.Name, expectedStatusCode)\n\t}\n\tif err == nil {\n\t\terr = checkEventRule(rule, newRule)\n\t}\n\treturn newRule, body, err\n}\n\n// RemoveEventRule removes an existing rule and checks the received HTTP Status code against expectedStatusCode.\nfunc RemoveEventRule(rule dataprovider.EventRule, expectedStatusCode int) ([]byte, error) {\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodDelete, buildURLRelativeToBase(eventRulesPath, url.PathEscape(rule.Name)),\n\t\tnil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn body, err\n\t}\n\tdefer resp.Body.Close()\n\tbody, _ = getResponseBody(resp)\n\treturn body, checkResponse(resp.StatusCode, expectedStatusCode)\n}\n\n// GetEventRuleByName gets an event rule by name and checks the received HTTP Status code against expectedStatusCode.\nfunc GetEventRuleByName(name string, expectedStatusCode int) (dataprovider.EventRule, []byte, error) {\n\tvar rule dataprovider.EventRule\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodGet, buildURLRelativeToBase(eventRulesPath, url.PathEscape(name)),\n\t\tnil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn rule, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, &rule)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn rule, body, err\n}\n\n// GetEventRules returns a list of event rules and checks the received HTTP Status code against expectedStatusCode.\n// The number of results can be limited specifying a limit.\n// Some results can be skipped specifying an offset.\nfunc GetEventRules(limit, offset int64, expectedStatusCode int) ([]dataprovider.EventRule, []byte, error) {\n\tvar rules []dataprovider.EventRule\n\tvar body []byte\n\turl, err := addLimitAndOffsetQueryParams(buildURLRelativeToBase(eventRulesPath), limit, offset)\n\tif err != nil {\n\t\treturn rules, body, err\n\t}\n\tresp, err := sendHTTPRequest(http.MethodGet, url.String(), nil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn rules, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, &rules)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn rules, body, err\n}\n\n// RunOnDemandRule executes the specified on demand rule\nfunc RunOnDemandRule(name string, expectedStatusCode int) ([]byte, error) {\n\tresp, err := sendHTTPRequest(http.MethodPost, buildURLRelativeToBase(eventRulesPath, \"run\", url.PathEscape(name)),\n\t\tnil, \"application/json\", getDefaultToken())\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\tb, err := getResponseBody(resp)\n\tif err != nil {\n\t\treturn b, err\n\t}\n\tif err := checkResponse(resp.StatusCode, expectedStatusCode); err != nil {\n\t\treturn b, err\n\t}\n\treturn b, nil\n}\n\n// GetQuotaScans gets active quota scans for users and checks the received HTTP Status code against expectedStatusCode.\nfunc GetQuotaScans(expectedStatusCode int) ([]common.ActiveQuotaScan, []byte, error) {\n\tvar quotaScans []common.ActiveQuotaScan\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodGet, buildURLRelativeToBase(quotaScanPath), nil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn quotaScans, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, "aScans)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn quotaScans, body, err\n}\n\n// StartQuotaScan starts a new quota scan for the given user and checks the received HTTP Status code against expectedStatusCode.\nfunc StartQuotaScan(user dataprovider.User, expectedStatusCode int) ([]byte, error) {\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodPost, buildURLRelativeToBase(quotasBasePath, \"users\", user.Username, \"scan\"),\n\t\tnil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn body, err\n\t}\n\tdefer resp.Body.Close()\n\tbody, _ = getResponseBody(resp)\n\treturn body, checkResponse(resp.StatusCode, expectedStatusCode)\n}\n\n// UpdateQuotaUsage updates the user used quota limits and checks the received\n// HTTP Status code against expectedStatusCode.\nfunc UpdateQuotaUsage(user dataprovider.User, mode string, expectedStatusCode int) ([]byte, error) {\n\tvar body []byte\n\tuserAsJSON, _ := json.Marshal(user)\n\turl, err := addModeQueryParam(buildURLRelativeToBase(quotasBasePath, \"users\", user.Username, \"usage\"), mode)\n\tif err != nil {\n\t\treturn body, err\n\t}\n\tresp, err := sendHTTPRequest(http.MethodPut, url.String(), bytes.NewBuffer(userAsJSON), \"application/json\",\n\t\tgetDefaultToken())\n\tif err != nil {\n\t\treturn body, err\n\t}\n\tdefer resp.Body.Close()\n\tbody, _ = getResponseBody(resp)\n\treturn body, checkResponse(resp.StatusCode, expectedStatusCode)\n}\n\n// UpdateTransferQuotaUsage updates the user used transfer quota limits and checks the received\n// HTTP Status code against expectedStatusCode.\nfunc UpdateTransferQuotaUsage(user dataprovider.User, mode string, expectedStatusCode int) ([]byte, error) {\n\tvar body []byte\n\tuserAsJSON, _ := json.Marshal(user)\n\turl, err := addModeQueryParam(buildURLRelativeToBase(quotasBasePath, \"users\", user.Username, \"transfer-usage\"), mode)\n\tif err != nil {\n\t\treturn body, err\n\t}\n\tresp, err := sendHTTPRequest(http.MethodPut, url.String(), bytes.NewBuffer(userAsJSON), \"application/json\",\n\t\tgetDefaultToken())\n\tif err != nil {\n\t\treturn body, err\n\t}\n\tdefer resp.Body.Close()\n\tbody, _ = getResponseBody(resp)\n\treturn body, checkResponse(resp.StatusCode, expectedStatusCode)\n}\n\n// GetRetentionChecks returns the active retention checks\nfunc GetRetentionChecks(expectedStatusCode int) ([]common.ActiveRetentionChecks, []byte, error) {\n\tvar checks []common.ActiveRetentionChecks\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodGet, buildURLRelativeToBase(retentionChecksPath), nil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn checks, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, &checks)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn checks, body, err\n}\n\n// GetConnections returns status and stats for active SFTP/SCP connections\nfunc GetConnections(expectedStatusCode int) ([]common.ConnectionStatus, []byte, error) {\n\tvar connections []common.ConnectionStatus\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodGet, buildURLRelativeToBase(activeConnectionsPath), nil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn connections, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, &connections)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn connections, body, err\n}\n\n// CloseConnection closes an active connection identified by connectionID\nfunc CloseConnection(connectionID string, expectedStatusCode int) ([]byte, error) {\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodDelete, buildURLRelativeToBase(activeConnectionsPath, connectionID),\n\t\tnil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tbody, _ = getResponseBody(resp)\n\treturn body, err\n}\n\n// AddFolder adds a new folder and checks the received HTTP Status code against expectedStatusCode\nfunc AddFolder(folder vfs.BaseVirtualFolder, expectedStatusCode int) (vfs.BaseVirtualFolder, []byte, error) {\n\tvar newFolder vfs.BaseVirtualFolder\n\tvar body []byte\n\tfolderAsJSON, _ := json.Marshal(folder)\n\tresp, err := sendHTTPRequest(http.MethodPost, buildURLRelativeToBase(folderPath), bytes.NewBuffer(folderAsJSON),\n\t\t\"application/json\", getDefaultToken())\n\tif err != nil {\n\t\treturn newFolder, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif expectedStatusCode != http.StatusCreated {\n\t\tbody, _ = getResponseBody(resp)\n\t\treturn newFolder, body, err\n\t}\n\tif err == nil {\n\t\terr = render.DecodeJSON(resp.Body, &newFolder)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\tif err == nil {\n\t\terr = checkFolder(&folder, &newFolder)\n\t}\n\treturn newFolder, body, err\n}\n\n// UpdateFolder updates an existing folder and checks the received HTTP Status code against expectedStatusCode.\nfunc UpdateFolder(folder vfs.BaseVirtualFolder, expectedStatusCode int) (vfs.BaseVirtualFolder, []byte, error) {\n\tvar updatedFolder vfs.BaseVirtualFolder\n\tvar body []byte\n\n\tfolderAsJSON, _ := json.Marshal(folder)\n\tresp, err := sendHTTPRequest(http.MethodPut, buildURLRelativeToBase(folderPath, url.PathEscape(folder.Name)),\n\t\tbytes.NewBuffer(folderAsJSON), \"application/json\", getDefaultToken())\n\tif err != nil {\n\t\treturn updatedFolder, body, err\n\t}\n\tdefer resp.Body.Close()\n\tbody, _ = getResponseBody(resp)\n\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif expectedStatusCode != http.StatusOK {\n\t\treturn updatedFolder, body, err\n\t}\n\tif err == nil {\n\t\tupdatedFolder, body, err = GetFolderByName(folder.Name, expectedStatusCode)\n\t}\n\tif err == nil {\n\t\terr = checkFolder(&folder, &updatedFolder)\n\t}\n\treturn updatedFolder, body, err\n}\n\n// RemoveFolder removes an existing user and checks the received HTTP Status code against expectedStatusCode.\nfunc RemoveFolder(folder vfs.BaseVirtualFolder, expectedStatusCode int) ([]byte, error) {\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodDelete, buildURLRelativeToBase(folderPath, url.PathEscape(folder.Name)),\n\t\tnil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn body, err\n\t}\n\tdefer resp.Body.Close()\n\tbody, _ = getResponseBody(resp)\n\treturn body, checkResponse(resp.StatusCode, expectedStatusCode)\n}\n\n// GetFolderByName gets a folder by name and checks the received HTTP Status code against expectedStatusCode.\nfunc GetFolderByName(name string, expectedStatusCode int) (vfs.BaseVirtualFolder, []byte, error) {\n\tvar folder vfs.BaseVirtualFolder\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodGet, buildURLRelativeToBase(folderPath, url.PathEscape(name)),\n\t\tnil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn folder, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, &folder)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn folder, body, err\n}\n\n// GetFolders returns a list of folders and checks the received HTTP Status code against expectedStatusCode.\n// The number of results can be limited specifying a limit.\n// Some results can be skipped specifying an offset.\n// The results can be filtered specifying a folder path, the folder path filter is an exact match\nfunc GetFolders(limit int64, offset int64, expectedStatusCode int) ([]vfs.BaseVirtualFolder, []byte, error) {\n\tvar folders []vfs.BaseVirtualFolder\n\tvar body []byte\n\turl, err := addLimitAndOffsetQueryParams(buildURLRelativeToBase(folderPath), limit, offset)\n\tif err != nil {\n\t\treturn folders, body, err\n\t}\n\tresp, err := sendHTTPRequest(http.MethodGet, url.String(), nil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn folders, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, &folders)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn folders, body, err\n}\n\n// GetFoldersQuotaScans gets active quota scans for folders and checks the received HTTP Status code against expectedStatusCode.\nfunc GetFoldersQuotaScans(expectedStatusCode int) ([]common.ActiveVirtualFolderQuotaScan, []byte, error) {\n\tvar quotaScans []common.ActiveVirtualFolderQuotaScan\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodGet, buildURLRelativeToBase(quotaScanVFolderPath), nil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn quotaScans, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, "aScans)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn quotaScans, body, err\n}\n\n// StartFolderQuotaScan start a new quota scan for the given folder and checks the received HTTP Status code against expectedStatusCode.\nfunc StartFolderQuotaScan(folder vfs.BaseVirtualFolder, expectedStatusCode int) ([]byte, error) {\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodPost, buildURLRelativeToBase(quotasBasePath, \"folders\", folder.Name, \"scan\"),\n\t\tnil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn body, err\n\t}\n\tdefer resp.Body.Close()\n\tbody, _ = getResponseBody(resp)\n\treturn body, checkResponse(resp.StatusCode, expectedStatusCode)\n}\n\n// UpdateFolderQuotaUsage updates the folder used quota limits and checks the received HTTP Status code against expectedStatusCode.\nfunc UpdateFolderQuotaUsage(folder vfs.BaseVirtualFolder, mode string, expectedStatusCode int) ([]byte, error) {\n\tvar body []byte\n\tfolderAsJSON, _ := json.Marshal(folder)\n\turl, err := addModeQueryParam(buildURLRelativeToBase(quotasBasePath, \"folders\", folder.Name, \"usage\"), mode)\n\tif err != nil {\n\t\treturn body, err\n\t}\n\tresp, err := sendHTTPRequest(http.MethodPut, url.String(), bytes.NewBuffer(folderAsJSON), \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn body, err\n\t}\n\tdefer resp.Body.Close()\n\tbody, _ = getResponseBody(resp)\n\treturn body, checkResponse(resp.StatusCode, expectedStatusCode)\n}\n\n// GetVersion returns version details\nfunc GetVersion(expectedStatusCode int) (version.Info, []byte, error) {\n\tvar appVersion version.Info\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodGet, buildURLRelativeToBase(versionPath), nil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn appVersion, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, &appVersion)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn appVersion, body, err\n}\n\n// GetStatus returns the server status\nfunc GetStatus(expectedStatusCode int) (httpd.ServicesStatus, []byte, error) {\n\tvar response httpd.ServicesStatus\n\tvar body []byte\n\tresp, err := sendHTTPRequest(http.MethodGet, buildURLRelativeToBase(serverStatusPath), nil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn response, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && (expectedStatusCode == http.StatusOK) {\n\t\terr = render.DecodeJSON(resp.Body, &response)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn response, body, err\n}\n\n// GetDefenderHosts returns hosts that are banned or for which some violations have been detected\nfunc GetDefenderHosts(expectedStatusCode int) ([]dataprovider.DefenderEntry, []byte, error) {\n\tvar response []dataprovider.DefenderEntry\n\tvar body []byte\n\turl, err := url.Parse(buildURLRelativeToBase(defenderHosts))\n\tif err != nil {\n\t\treturn response, body, err\n\t}\n\tresp, err := sendHTTPRequest(http.MethodGet, url.String(), nil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn response, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, &response)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn response, body, err\n}\n\n// GetDefenderHostByIP returns the host with the given IP, if it exists\nfunc GetDefenderHostByIP(ip string, expectedStatusCode int) (dataprovider.DefenderEntry, []byte, error) {\n\tvar host dataprovider.DefenderEntry\n\tvar body []byte\n\tid := hex.EncodeToString([]byte(ip))\n\tresp, err := sendHTTPRequest(http.MethodGet, buildURLRelativeToBase(defenderHosts, id),\n\t\tnil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn host, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, &host)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn host, body, err\n}\n\n// RemoveDefenderHostByIP removes the host with the given IP from the defender list\nfunc RemoveDefenderHostByIP(ip string, expectedStatusCode int) ([]byte, error) {\n\tvar body []byte\n\tid := hex.EncodeToString([]byte(ip))\n\tresp, err := sendHTTPRequest(http.MethodDelete, buildURLRelativeToBase(defenderHosts, id), nil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn body, err\n\t}\n\tdefer resp.Body.Close()\n\tbody, _ = getResponseBody(resp)\n\treturn body, checkResponse(resp.StatusCode, expectedStatusCode)\n}\n\n// Dumpdata requests a backup to outputFile.\n// outputFile is relative to the configured backups_path\nfunc Dumpdata(outputFile, outputData, indent string, expectedStatusCode int, scopes ...string) (map[string]any, []byte, error) {\n\tvar response map[string]any\n\tvar body []byte\n\turl, err := url.Parse(buildURLRelativeToBase(dumpDataPath))\n\tif err != nil {\n\t\treturn response, body, err\n\t}\n\tq := url.Query()\n\tif outputData != \"\" {\n\t\tq.Add(\"output-data\", outputData)\n\t}\n\tif outputFile != \"\" {\n\t\tq.Add(\"output-file\", outputFile)\n\t}\n\tif indent != \"\" {\n\t\tq.Add(\"indent\", indent)\n\t}\n\tif len(scopes) > 0 {\n\t\tq.Add(\"scopes\", strings.Join(scopes, \",\"))\n\t}\n\turl.RawQuery = q.Encode()\n\tresp, err := sendHTTPRequest(http.MethodGet, url.String(), nil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn response, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, &response)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn response, body, err\n}\n\n// Loaddata restores a backup.\nfunc Loaddata(inputFile, scanQuota, mode string, expectedStatusCode int) (map[string]any, []byte, error) {\n\tvar response map[string]any\n\tvar body []byte\n\turl, err := url.Parse(buildURLRelativeToBase(loadDataPath))\n\tif err != nil {\n\t\treturn response, body, err\n\t}\n\tq := url.Query()\n\tq.Add(\"input-file\", inputFile)\n\tif scanQuota != \"\" {\n\t\tq.Add(\"scan-quota\", scanQuota)\n\t}\n\tif mode != \"\" {\n\t\tq.Add(\"mode\", mode)\n\t}\n\turl.RawQuery = q.Encode()\n\tresp, err := sendHTTPRequest(http.MethodGet, url.String(), nil, \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn response, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, &response)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn response, body, err\n}\n\n// LoaddataFromPostBody restores a backup\nfunc LoaddataFromPostBody(data []byte, scanQuota, mode string, expectedStatusCode int) (map[string]any, []byte, error) {\n\tvar response map[string]any\n\tvar body []byte\n\turl, err := url.Parse(buildURLRelativeToBase(loadDataPath))\n\tif err != nil {\n\t\treturn response, body, err\n\t}\n\tq := url.Query()\n\tif scanQuota != \"\" {\n\t\tq.Add(\"scan-quota\", scanQuota)\n\t}\n\tif mode != \"\" {\n\t\tq.Add(\"mode\", mode)\n\t}\n\turl.RawQuery = q.Encode()\n\tresp, err := sendHTTPRequest(http.MethodPost, url.String(), bytes.NewReader(data), \"\", getDefaultToken())\n\tif err != nil {\n\t\treturn response, body, err\n\t}\n\tdefer resp.Body.Close()\n\terr = checkResponse(resp.StatusCode, expectedStatusCode)\n\tif err == nil && expectedStatusCode == http.StatusOK {\n\t\terr = render.DecodeJSON(resp.Body, &response)\n\t} else {\n\t\tbody, _ = getResponseBody(resp)\n\t}\n\treturn response, body, err\n}\n\nfunc checkResponse(actual int, expected int) error {\n\tif expected != actual {\n\t\treturn fmt.Errorf(\"wrong status code: got %v want %v\", actual, expected)\n\t}\n\treturn nil\n}\n\nfunc getResponseBody(resp *http.Response) ([]byte, error) {\n\treturn io.ReadAll(resp.Body)\n}\n\nfunc checkEventAction(expected, actual dataprovider.BaseEventAction) error {\n\tif expected.ID <= 0 {\n\t\tif actual.ID <= 0 {\n\t\t\treturn errors.New(\"actual action ID must be > 0\")\n\t\t}\n\t} else {\n\t\tif actual.ID != expected.ID {\n\t\t\treturn errors.New(\"action ID mismatch\")\n\t\t}\n\t}\n\tif dataprovider.ConvertName(expected.Name) != actual.Name {\n\t\treturn errors.New(\"name mismatch\")\n\t}\n\tif expected.Description != actual.Description {\n\t\treturn errors.New(\"description mismatch\")\n\t}\n\tif expected.Type != actual.Type {\n\t\treturn errors.New(\"type mismatch\")\n\t}\n\tif expected.Options.PwdExpirationConfig.Threshold != actual.Options.PwdExpirationConfig.Threshold {\n\t\treturn errors.New(\"password expiration threshold mismatch\")\n\t}\n\tif expected.Options.UserInactivityConfig.DisableThreshold != actual.Options.UserInactivityConfig.DisableThreshold {\n\t\treturn errors.New(\"user inactivity disable threshold mismatch\")\n\t}\n\tif expected.Options.UserInactivityConfig.DeleteThreshold != actual.Options.UserInactivityConfig.DeleteThreshold {\n\t\treturn errors.New(\"user inactivity delete threshold mismatch\")\n\t}\n\tif err := compareEventActionIDPConfigFields(expected.Options.IDPConfig, actual.Options.IDPConfig); err != nil {\n\t\treturn err\n\t}\n\tif err := compareEventActionCmdConfigFields(expected.Options.CmdConfig, actual.Options.CmdConfig); err != nil {\n\t\treturn err\n\t}\n\tif err := compareEventActionEmailConfigFields(expected.Options.EmailConfig, actual.Options.EmailConfig); err != nil {\n\t\treturn err\n\t}\n\tif err := compareEventActionDataRetentionFields(expected.Options.RetentionConfig, actual.Options.RetentionConfig); err != nil {\n\t\treturn err\n\t}\n\tif err := compareEventActionFsConfigFields(expected.Options.FsConfig, actual.Options.FsConfig); err != nil {\n\t\treturn err\n\t}\n\treturn compareEventActionHTTPConfigFields(expected.Options.HTTPConfig, actual.Options.HTTPConfig)\n}\n\nfunc checkEventSchedules(expected, actual []dataprovider.Schedule) error {\n\tif len(expected) != len(actual) {\n\t\treturn errors.New(\"schedules mismatch\")\n\t}\n\tfor _, ex := range expected {\n\t\tfound := false\n\t\tfor _, ac := range actual {\n\t\t\tif ac.DayOfMonth == ex.DayOfMonth && ac.DayOfWeek == ex.DayOfWeek && ac.Hours == ex.Hours && ac.Month == ex.Month {\n\t\t\t\tfound = true\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif !found {\n\t\t\treturn errors.New(\"schedules content mismatch\")\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc compareConditionPatternOptions(expected, actual []dataprovider.ConditionPattern) error {\n\tif len(expected) != len(actual) {\n\t\treturn errors.New(\"condition pattern mismatch\")\n\t}\n\tfor _, ex := range expected {\n\t\tfound := false\n\t\tfor _, ac := range actual {\n\t\t\tif ac.Pattern == ex.Pattern && ac.InverseMatch == ex.InverseMatch {\n\t\t\t\tfound = true\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif !found {\n\t\t\treturn errors.New(\"condition pattern content mismatch\")\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc checkEventConditionOptions(expected, actual dataprovider.ConditionOptions) error { //nolint:gocyclo\n\tif err := compareConditionPatternOptions(expected.Names, actual.Names); err != nil {\n\t\treturn errors.New(\"condition names mismatch\")\n\t}\n\tif err := compareConditionPatternOptions(expected.GroupNames, actual.GroupNames); err != nil {\n\t\treturn errors.New(\"condition group names mismatch\")\n\t}\n\tif err := compareConditionPatternOptions(expected.RoleNames, actual.RoleNames); err != nil {\n\t\treturn errors.New(\"condition role names mismatch\")\n\t}\n\tif err := compareConditionPatternOptions(expected.FsPaths, actual.FsPaths); err != nil {\n\t\treturn errors.New(\"condition fs_paths mismatch\")\n\t}\n\tif len(expected.Protocols) != len(actual.Protocols) {\n\t\treturn errors.New(\"condition protocols mismatch\")\n\t}\n\tfor _, v := range expected.Protocols {\n\t\tif !slices.Contains(actual.Protocols, v) {\n\t\t\treturn errors.New(\"condition protocols content mismatch\")\n\t\t}\n\t}\n\tif len(expected.EventStatuses) != len(actual.EventStatuses) {\n\t\treturn errors.New(\"condition statuses mismatch\")\n\t}\n\tfor _, v := range expected.EventStatuses {\n\t\tif !slices.Contains(actual.EventStatuses, v) {\n\t\t\treturn errors.New(\"condition statuses content mismatch\")\n\t\t}\n\t}\n\tif len(expected.ProviderObjects) != len(actual.ProviderObjects) {\n\t\treturn errors.New(\"condition provider objects mismatch\")\n\t}\n\tfor _, v := range expected.ProviderObjects {\n\t\tif !slices.Contains(actual.ProviderObjects, v) {\n\t\t\treturn errors.New(\"condition provider objects content mismatch\")\n\t\t}\n\t}\n\tif expected.MinFileSize != actual.MinFileSize {\n\t\treturn errors.New(\"condition min file size mismatch\")\n\t}\n\tif expected.MaxFileSize != actual.MaxFileSize {\n\t\treturn errors.New(\"condition max file size mismatch\")\n\t}\n\treturn nil\n}\n\nfunc checkEventConditions(expected, actual dataprovider.EventConditions) error {\n\tif len(expected.FsEvents) != len(actual.FsEvents) {\n\t\treturn errors.New(\"fs events mismatch\")\n\t}\n\tfor _, v := range expected.FsEvents {\n\t\tif !slices.Contains(actual.FsEvents, v) {\n\t\t\treturn errors.New(\"fs events content mismatch\")\n\t\t}\n\t}\n\tif len(expected.ProviderEvents) != len(actual.ProviderEvents) {\n\t\treturn errors.New(\"provider events mismatch\")\n\t}\n\tfor _, v := range expected.ProviderEvents {\n\t\tif !slices.Contains(actual.ProviderEvents, v) {\n\t\t\treturn errors.New(\"provider events content mismatch\")\n\t\t}\n\t}\n\tif err := checkEventConditionOptions(expected.Options, actual.Options); err != nil {\n\t\treturn err\n\t}\n\tif expected.IDPLoginEvent != actual.IDPLoginEvent {\n\t\treturn errors.New(\"IDP login event mismatch\")\n\t}\n\n\treturn checkEventSchedules(expected.Schedules, actual.Schedules)\n}\n\nfunc checkEventRuleActions(expected, actual []dataprovider.EventAction) error {\n\tif len(expected) != len(actual) {\n\t\treturn errors.New(\"actions mismatch\")\n\t}\n\tfor _, ex := range expected {\n\t\tfound := false\n\t\tfor _, ac := range actual {\n\t\t\tif ex.Name == ac.Name && ex.Order == ac.Order && ex.Options.ExecuteSync == ac.Options.ExecuteSync &&\n\t\t\t\tex.Options.IsFailureAction == ac.Options.IsFailureAction && ex.Options.StopOnFailure == ac.Options.StopOnFailure {\n\t\t\t\tfound = true\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif !found {\n\t\t\treturn errors.New(\"actions contents mismatch\")\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc checkEventRule(expected, actual dataprovider.EventRule) error {\n\tif expected.ID <= 0 {\n\t\tif actual.ID <= 0 {\n\t\t\treturn errors.New(\"actual group ID must be > 0\")\n\t\t}\n\t} else {\n\t\tif actual.ID != expected.ID {\n\t\t\treturn errors.New(\"group ID mismatch\")\n\t\t}\n\t}\n\tif dataprovider.ConvertName(expected.Name) != actual.Name {\n\t\treturn errors.New(\"name mismatch\")\n\t}\n\tif expected.Status != actual.Status {\n\t\treturn errors.New(\"status mismatch\")\n\t}\n\tif expected.Description != actual.Description {\n\t\treturn errors.New(\"description mismatch\")\n\t}\n\tif actual.CreatedAt == 0 {\n\t\treturn errors.New(\"created_at unset\")\n\t}\n\tif actual.UpdatedAt == 0 {\n\t\treturn errors.New(\"updated_at unset\")\n\t}\n\tif expected.Trigger != actual.Trigger {\n\t\treturn errors.New(\"trigger mismatch\")\n\t}\n\tif err := checkEventConditions(expected.Conditions, actual.Conditions); err != nil {\n\t\treturn err\n\t}\n\treturn checkEventRuleActions(expected.Actions, actual.Actions)\n}\n\nfunc checkIPListEntry(expected, actual dataprovider.IPListEntry) error {\n\tif expected.IPOrNet != actual.IPOrNet {\n\t\treturn errors.New(\"ipornet mismatch\")\n\t}\n\tif expected.Description != actual.Description {\n\t\treturn errors.New(\"description mismatch\")\n\t}\n\tif expected.Type != actual.Type {\n\t\treturn errors.New(\"type mismatch\")\n\t}\n\tif expected.Mode != actual.Mode {\n\t\treturn errors.New(\"mode mismatch\")\n\t}\n\tif expected.Protocols != actual.Protocols {\n\t\treturn errors.New(\"protocols mismatch\")\n\t}\n\tif actual.CreatedAt == 0 {\n\t\treturn errors.New(\"created_at unset\")\n\t}\n\tif actual.UpdatedAt == 0 {\n\t\treturn errors.New(\"updated_at unset\")\n\t}\n\treturn nil\n}\n\nfunc checkRole(expected, actual dataprovider.Role) error {\n\tif expected.ID <= 0 {\n\t\tif actual.ID <= 0 {\n\t\t\treturn errors.New(\"actual role ID must be > 0\")\n\t\t}\n\t} else {\n\t\tif actual.ID != expected.ID {\n\t\t\treturn errors.New(\"role ID mismatch\")\n\t\t}\n\t}\n\tif dataprovider.ConvertName(expected.Name) != actual.Name {\n\t\treturn errors.New(\"name mismatch\")\n\t}\n\tif expected.Description != actual.Description {\n\t\treturn errors.New(\"description mismatch\")\n\t}\n\tif actual.CreatedAt == 0 {\n\t\treturn errors.New(\"created_at unset\")\n\t}\n\tif actual.UpdatedAt == 0 {\n\t\treturn errors.New(\"updated_at unset\")\n\t}\n\treturn nil\n}\n\nfunc checkGroup(expected, actual dataprovider.Group) error {\n\tif expected.ID <= 0 {\n\t\tif actual.ID <= 0 {\n\t\t\treturn errors.New(\"actual group ID must be > 0\")\n\t\t}\n\t} else {\n\t\tif actual.ID != expected.ID {\n\t\t\treturn errors.New(\"group ID mismatch\")\n\t\t}\n\t}\n\tif dataprovider.ConvertName(expected.Name) != actual.Name {\n\t\treturn errors.New(\"name mismatch\")\n\t}\n\tif expected.Description != actual.Description {\n\t\treturn errors.New(\"description mismatch\")\n\t}\n\tif actual.CreatedAt == 0 {\n\t\treturn errors.New(\"created_at unset\")\n\t}\n\tif actual.UpdatedAt == 0 {\n\t\treturn errors.New(\"updated_at unset\")\n\t}\n\tif err := compareEqualGroupSettingsFields(expected.UserSettings.BaseGroupUserSettings,\n\t\tactual.UserSettings.BaseGroupUserSettings); err != nil {\n\t\treturn err\n\t}\n\tif err := compareVirtualFolders(expected.VirtualFolders, actual.VirtualFolders); err != nil {\n\t\treturn err\n\t}\n\tif err := compareUserFilters(expected.UserSettings.Filters, actual.UserSettings.Filters); err != nil {\n\t\treturn err\n\t}\n\treturn compareFsConfig(&expected.UserSettings.FsConfig, &actual.UserSettings.FsConfig)\n}\n\nfunc checkFolder(expected *vfs.BaseVirtualFolder, actual *vfs.BaseVirtualFolder) error {\n\tif expected.ID <= 0 {\n\t\tif actual.ID <= 0 {\n\t\t\treturn errors.New(\"actual folder ID must be > 0\")\n\t\t}\n\t} else {\n\t\tif actual.ID != expected.ID {\n\t\t\treturn errors.New(\"folder ID mismatch\")\n\t\t}\n\t}\n\tif dataprovider.ConvertName(expected.Name) != actual.Name {\n\t\treturn errors.New(\"name mismatch\")\n\t}\n\tif expected.MappedPath != actual.MappedPath {\n\t\treturn errors.New(\"mapped path mismatch\")\n\t}\n\tif expected.Description != actual.Description {\n\t\treturn errors.New(\"description mismatch\")\n\t}\n\treturn compareFsConfig(&expected.FsConfig, &actual.FsConfig)\n}\n\nfunc checkAPIKey(expected, actual *dataprovider.APIKey) error {\n\tif actual.Key != \"\" {\n\t\treturn errors.New(\"key must not be visible\")\n\t}\n\tif actual.KeyID == \"\" {\n\t\treturn errors.New(\"actual key_id cannot be empty\")\n\t}\n\tif expected.Name != actual.Name {\n\t\treturn errors.New(\"name mismatch\")\n\t}\n\tif expected.Scope != actual.Scope {\n\t\treturn errors.New(\"scope mismatch\")\n\t}\n\tif actual.CreatedAt == 0 {\n\t\treturn errors.New(\"created_at cannot be 0\")\n\t}\n\tif actual.UpdatedAt == 0 {\n\t\treturn errors.New(\"updated_at cannot be 0\")\n\t}\n\tif expected.ExpiresAt != actual.ExpiresAt {\n\t\treturn errors.New(\"expires_at mismatch\")\n\t}\n\tif expected.Description != actual.Description {\n\t\treturn errors.New(\"description mismatch\")\n\t}\n\tif expected.User != actual.User {\n\t\treturn errors.New(\"user mismatch\")\n\t}\n\tif expected.Admin != actual.Admin {\n\t\treturn errors.New(\"admin mismatch\")\n\t}\n\n\treturn nil\n}\n\nfunc checkAdmin(expected, actual *dataprovider.Admin) error {\n\tif actual.Password != \"\" {\n\t\treturn errors.New(\"admin password must not be visible\")\n\t}\n\tif expected.ID <= 0 {\n\t\tif actual.ID <= 0 {\n\t\t\treturn errors.New(\"actual admin ID must be > 0\")\n\t\t}\n\t} else {\n\t\tif actual.ID != expected.ID {\n\t\t\treturn errors.New(\"admin ID mismatch\")\n\t\t}\n\t}\n\tif expected.CreatedAt > 0 {\n\t\tif expected.CreatedAt != actual.CreatedAt {\n\t\t\treturn fmt.Errorf(\"created_at mismatch %v != %v\", expected.CreatedAt, actual.CreatedAt)\n\t\t}\n\t}\n\tif err := compareAdminEqualFields(expected, actual); err != nil {\n\t\treturn err\n\t}\n\tif len(expected.Permissions) != len(actual.Permissions) {\n\t\treturn errors.New(\"permissions mismatch\")\n\t}\n\tfor _, p := range expected.Permissions {\n\t\tif !slices.Contains(actual.Permissions, p) {\n\t\t\treturn errors.New(\"permissions content mismatch\")\n\t\t}\n\t}\n\tif err := compareAdminFilters(expected.Filters, actual.Filters); err != nil {\n\t\treturn err\n\t}\n\treturn compareAdminGroups(expected, actual)\n}\n\nfunc compareAdminFilters(expected, actual dataprovider.AdminFilters) error {\n\tif expected.AllowAPIKeyAuth != actual.AllowAPIKeyAuth {\n\t\treturn errors.New(\"allow_api_key_auth mismatch\")\n\t}\n\tif len(expected.AllowList) != len(actual.AllowList) {\n\t\treturn errors.New(\"allow list mismatch\")\n\t}\n\tfor _, v := range expected.AllowList {\n\t\tif !slices.Contains(actual.AllowList, v) {\n\t\t\treturn errors.New(\"allow list content mismatch\")\n\t\t}\n\t}\n\tif expected.Preferences.HideUserPageSections != actual.Preferences.HideUserPageSections {\n\t\treturn errors.New(\"hide user page sections mismatch\")\n\t}\n\tif expected.Preferences.DefaultUsersExpiration != actual.Preferences.DefaultUsersExpiration {\n\t\treturn errors.New(\"default users expiration mismatch\")\n\t}\n\tif expected.RequirePasswordChange != actual.RequirePasswordChange {\n\t\treturn errors.New(\"require password change mismatch\")\n\t}\n\tif expected.RequireTwoFactor != actual.RequireTwoFactor {\n\t\treturn errors.New(\"require two factor mismatch\")\n\t}\n\treturn nil\n}\n\nfunc compareAdminEqualFields(expected *dataprovider.Admin, actual *dataprovider.Admin) error {\n\tif dataprovider.ConvertName(expected.Username) != actual.Username {\n\t\treturn errors.New(\"sername mismatch\")\n\t}\n\tif expected.Email != actual.Email {\n\t\treturn errors.New(\"email mismatch\")\n\t}\n\tif expected.Status != actual.Status {\n\t\treturn errors.New(\"status mismatch\")\n\t}\n\tif expected.Description != actual.Description {\n\t\treturn errors.New(\"description mismatch\")\n\t}\n\tif expected.AdditionalInfo != actual.AdditionalInfo {\n\t\treturn errors.New(\"additional info mismatch\")\n\t}\n\tif expected.Role != actual.Role {\n\t\treturn errors.New(\"role mismatch\")\n\t}\n\treturn nil\n}\n\nfunc checkUser(expected *dataprovider.User, actual *dataprovider.User) error {\n\tif actual.Password != \"\" {\n\t\treturn errors.New(\"user password must not be visible\")\n\t}\n\tif expected.ID <= 0 {\n\t\tif actual.ID <= 0 {\n\t\t\treturn errors.New(\"actual user ID must be > 0\")\n\t\t}\n\t} else {\n\t\tif actual.ID != expected.ID {\n\t\t\treturn errors.New(\"user ID mismatch\")\n\t\t}\n\t}\n\tif expected.CreatedAt > 0 {\n\t\tif expected.CreatedAt != actual.CreatedAt {\n\t\t\treturn fmt.Errorf(\"created_at mismatch %v != %v\", expected.CreatedAt, actual.CreatedAt)\n\t\t}\n\t}\n\n\tif expected.Email != actual.Email {\n\t\treturn errors.New(\"email mismatch\")\n\t}\n\tif !slices.Equal(expected.Filters.AdditionalEmails, actual.Filters.AdditionalEmails) {\n\t\treturn errors.New(\"additional emails mismatch\")\n\t}\n\tif expected.Filters.RequirePasswordChange != actual.Filters.RequirePasswordChange {\n\t\treturn errors.New(\"require_password_change mismatch\")\n\t}\n\tif err := compareUserPermissions(expected.Permissions, actual.Permissions); err != nil {\n\t\treturn err\n\t}\n\tif err := compareUserFilters(expected.Filters.BaseUserFilters, actual.Filters.BaseUserFilters); err != nil {\n\t\treturn err\n\t}\n\tif err := compareFsConfig(&expected.FsConfig, &actual.FsConfig); err != nil {\n\t\treturn err\n\t}\n\tif err := compareUserGroups(expected, actual); err != nil {\n\t\treturn err\n\t}\n\tif err := compareVirtualFolders(expected.VirtualFolders, actual.VirtualFolders); err != nil {\n\t\treturn err\n\t}\n\treturn compareEqualsUserFields(expected, actual)\n}\n\nfunc compareUserPermissions(expected map[string][]string, actual map[string][]string) error {\n\tif len(expected) != len(actual) {\n\t\treturn errors.New(\"permissions mismatch\")\n\t}\n\tfor dir, perms := range expected {\n\t\tif actualPerms, ok := actual[dir]; ok {\n\t\t\tfor _, v := range actualPerms {\n\t\t\t\tif !slices.Contains(perms, v) {\n\t\t\t\t\treturn errors.New(\"permissions contents mismatch\")\n\t\t\t\t}\n\t\t\t}\n\t\t} else {\n\t\t\treturn errors.New(\"permissions directories mismatch\")\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc compareAdminGroups(expected *dataprovider.Admin, actual *dataprovider.Admin) error {\n\tif len(actual.Groups) != len(expected.Groups) {\n\t\treturn errors.New(\"groups len mismatch\")\n\t}\n\tfor _, g := range actual.Groups {\n\t\tfound := false\n\t\tfor _, g1 := range expected.Groups {\n\t\t\tif g1.Name == g.Name {\n\t\t\t\tfound = true\n\t\t\t\tif g1.Options.AddToUsersAs != g.Options.AddToUsersAs {\n\t\t\t\t\treturn fmt.Errorf(\"add to users as field mismatch for group %s\", g.Name)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif !found {\n\t\t\treturn errors.New(\"groups mismatch\")\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc compareUserGroups(expected *dataprovider.User, actual *dataprovider.User) error {\n\tif len(actual.Groups) != len(expected.Groups) {\n\t\treturn errors.New(\"groups len mismatch\")\n\t}\n\tfor _, g := range actual.Groups {\n\t\tfound := false\n\t\tfor _, g1 := range expected.Groups {\n\t\t\tif g1.Name == g.Name {\n\t\t\t\tfound = true\n\t\t\t\tif g1.Type != g.Type {\n\t\t\t\t\treturn fmt.Errorf(\"type mismatch for group %s\", g.Name)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif !found {\n\t\t\treturn errors.New(\"groups mismatch\")\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc compareVirtualFolders(expected []vfs.VirtualFolder, actual []vfs.VirtualFolder) error {\n\tif len(actual) != len(expected) {\n\t\treturn errors.New(\"virtual folders len mismatch\")\n\t}\n\tfor _, v := range actual {\n\t\tfound := false\n\t\tfor _, v1 := range expected {\n\t\t\tif path.Clean(v.VirtualPath) == path.Clean(v1.VirtualPath) {\n\t\t\t\tif dataprovider.ConvertName(v1.Name) != v.Name {\n\t\t\t\t\treturn errors.New(\"virtual folder name mismatch\")\n\t\t\t\t}\n\t\t\t\tif v.QuotaSize != v1.QuotaSize {\n\t\t\t\t\treturn errors.New(\"vfolder quota size mismatch\")\n\t\t\t\t}\n\t\t\t\tif (v.QuotaFiles) != (v1.QuotaFiles) {\n\t\t\t\t\treturn errors.New(\"vfolder quota files mismatch\")\n\t\t\t\t}\n\t\t\t\tfound = true\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif !found {\n\t\t\treturn errors.New(\"virtual folders mismatch\")\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc compareFsConfig(expected *vfs.Filesystem, actual *vfs.Filesystem) error {\n\tif expected.Provider != actual.Provider {\n\t\treturn errors.New(\"fs provider mismatch\")\n\t}\n\tif expected.OSConfig.ReadBufferSize != actual.OSConfig.ReadBufferSize {\n\t\treturn fmt.Errorf(\"read buffer size mismatch\")\n\t}\n\tif expected.OSConfig.WriteBufferSize != actual.OSConfig.WriteBufferSize {\n\t\treturn fmt.Errorf(\"write buffer size mismatch\")\n\t}\n\tif err := compareS3Config(expected, actual); err != nil {\n\t\treturn err\n\t}\n\tif err := compareGCSConfig(expected, actual); err != nil {\n\t\treturn err\n\t}\n\tif err := compareAzBlobConfig(expected, actual); err != nil {\n\t\treturn err\n\t}\n\tif err := checkEncryptedSecret(expected.CryptConfig.Passphrase, actual.CryptConfig.Passphrase); err != nil {\n\t\treturn err\n\t}\n\tif expected.CryptConfig.ReadBufferSize != actual.CryptConfig.ReadBufferSize {\n\t\treturn fmt.Errorf(\"crypt read buffer size mismatch\")\n\t}\n\tif expected.CryptConfig.WriteBufferSize != actual.CryptConfig.WriteBufferSize {\n\t\treturn fmt.Errorf(\"crypt write buffer size mismatch\")\n\t}\n\tif err := compareSFTPFsConfig(expected, actual); err != nil {\n\t\treturn err\n\t}\n\treturn compareHTTPFsConfig(expected, actual)\n}\n\nfunc compareS3Config(expected *vfs.Filesystem, actual *vfs.Filesystem) error { //nolint:gocyclo\n\tif expected.S3Config.Bucket != actual.S3Config.Bucket {\n\t\treturn errors.New(\"fs S3 bucket mismatch\")\n\t}\n\tif expected.S3Config.Region != actual.S3Config.Region {\n\t\treturn errors.New(\"fs S3 region mismatch\")\n\t}\n\tif expected.S3Config.AccessKey != actual.S3Config.AccessKey {\n\t\treturn errors.New(\"fs S3 access key mismatch\")\n\t}\n\tif expected.S3Config.RoleARN != actual.S3Config.RoleARN {\n\t\treturn errors.New(\"fs S3 role ARN mismatch\")\n\t}\n\tif err := checkEncryptedSecret(expected.S3Config.AccessSecret, actual.S3Config.AccessSecret); err != nil {\n\t\treturn fmt.Errorf(\"fs S3 access secret mismatch: %v\", err)\n\t}\n\tif err := checkEncryptedSecret(expected.S3Config.SSECustomerKey, actual.S3Config.SSECustomerKey); err != nil {\n\t\treturn fmt.Errorf(\"fs S3 SSE customer key mismatch: %v\", err)\n\t}\n\tif expected.S3Config.Endpoint != actual.S3Config.Endpoint {\n\t\treturn errors.New(\"fs S3 endpoint mismatch\")\n\t}\n\tif expected.S3Config.StorageClass != actual.S3Config.StorageClass {\n\t\treturn errors.New(\"fs S3 storage class mismatch\")\n\t}\n\tif expected.S3Config.ACL != actual.S3Config.ACL {\n\t\treturn errors.New(\"fs S3 ACL mismatch\")\n\t}\n\tif expected.S3Config.UploadPartSize != actual.S3Config.UploadPartSize {\n\t\treturn errors.New(\"fs S3 upload part size mismatch\")\n\t}\n\tif expected.S3Config.UploadConcurrency != actual.S3Config.UploadConcurrency {\n\t\treturn errors.New(\"fs S3 upload concurrency mismatch\")\n\t}\n\tif expected.S3Config.DownloadPartSize != actual.S3Config.DownloadPartSize {\n\t\treturn errors.New(\"fs S3 download part size mismatch\")\n\t}\n\tif expected.S3Config.DownloadConcurrency != actual.S3Config.DownloadConcurrency {\n\t\treturn errors.New(\"fs S3 download concurrency mismatch\")\n\t}\n\tif expected.S3Config.ForcePathStyle != actual.S3Config.ForcePathStyle {\n\t\treturn errors.New(\"fs S3 force path style mismatch\")\n\t}\n\tif expected.S3Config.SkipTLSVerify != actual.S3Config.SkipTLSVerify {\n\t\treturn errors.New(\"fs S3 skip TLS verify mismatch\")\n\t}\n\tif expected.S3Config.DownloadPartMaxTime != actual.S3Config.DownloadPartMaxTime {\n\t\treturn errors.New(\"fs S3 download part max time mismatch\")\n\t}\n\tif expected.S3Config.UploadPartMaxTime != actual.S3Config.UploadPartMaxTime {\n\t\treturn errors.New(\"fs S3 upload part max time mismatch\")\n\t}\n\tif expected.S3Config.KeyPrefix != actual.S3Config.KeyPrefix &&\n\t\texpected.S3Config.KeyPrefix+\"/\" != actual.S3Config.KeyPrefix {\n\t\treturn errors.New(\"fs S3 key prefix mismatch\")\n\t}\n\treturn nil\n}\n\nfunc compareGCSConfig(expected *vfs.Filesystem, actual *vfs.Filesystem) error {\n\tif expected.GCSConfig.Bucket != actual.GCSConfig.Bucket {\n\t\treturn errors.New(\"GCS bucket mismatch\")\n\t}\n\tif expected.GCSConfig.StorageClass != actual.GCSConfig.StorageClass {\n\t\treturn errors.New(\"GCS storage class mismatch\")\n\t}\n\tif expected.GCSConfig.ACL != actual.GCSConfig.ACL {\n\t\treturn errors.New(\"GCS ACL mismatch\")\n\t}\n\tif expected.GCSConfig.KeyPrefix != actual.GCSConfig.KeyPrefix &&\n\t\texpected.GCSConfig.KeyPrefix+\"/\" != actual.GCSConfig.KeyPrefix {\n\t\treturn errors.New(\"GCS key prefix mismatch\")\n\t}\n\tif expected.GCSConfig.AutomaticCredentials != actual.GCSConfig.AutomaticCredentials {\n\t\treturn errors.New(\"GCS automatic credentials mismatch\")\n\t}\n\tif expected.GCSConfig.UploadPartSize != actual.GCSConfig.UploadPartSize {\n\t\treturn errors.New(\"GCS upload part size mismatch\")\n\t}\n\tif expected.GCSConfig.UploadPartMaxTime != actual.GCSConfig.UploadPartMaxTime {\n\t\treturn errors.New(\"GCS upload part max time mismatch\")\n\t}\n\treturn nil\n}\n\nfunc compareHTTPFsConfig(expected *vfs.Filesystem, actual *vfs.Filesystem) error {\n\tif expected.HTTPConfig.Endpoint != actual.HTTPConfig.Endpoint {\n\t\treturn errors.New(\"HTTPFs endpoint mismatch\")\n\t}\n\tif expected.HTTPConfig.Username != actual.HTTPConfig.Username {\n\t\treturn errors.New(\"HTTPFs username mismatch\")\n\t}\n\tif expected.HTTPConfig.SkipTLSVerify != actual.HTTPConfig.SkipTLSVerify {\n\t\treturn errors.New(\"HTTPFs skip_tls_verify mismatch\")\n\t}\n\tif expected.SFTPConfig.EqualityCheckMode != actual.SFTPConfig.EqualityCheckMode {\n\t\treturn errors.New(\"HTTPFs equality_check_mode mismatch\")\n\t}\n\tif err := checkEncryptedSecret(expected.HTTPConfig.Password, actual.HTTPConfig.Password); err != nil {\n\t\treturn fmt.Errorf(\"HTTPFs password mismatch: %v\", err)\n\t}\n\tif err := checkEncryptedSecret(expected.HTTPConfig.APIKey, actual.HTTPConfig.APIKey); err != nil {\n\t\treturn fmt.Errorf(\"HTTPFs API key mismatch: %v\", err)\n\t}\n\treturn nil\n}\n\nfunc compareSFTPFsConfig(expected *vfs.Filesystem, actual *vfs.Filesystem) error {\n\tif expected.SFTPConfig.Endpoint != actual.SFTPConfig.Endpoint {\n\t\treturn errors.New(\"SFTPFs endpoint mismatch\")\n\t}\n\tif expected.SFTPConfig.Username != actual.SFTPConfig.Username {\n\t\treturn errors.New(\"SFTPFs username mismatch\")\n\t}\n\tif expected.SFTPConfig.DisableCouncurrentReads != actual.SFTPConfig.DisableCouncurrentReads {\n\t\treturn errors.New(\"SFTPFs disable_concurrent_reads mismatch\")\n\t}\n\tif expected.SFTPConfig.BufferSize != actual.SFTPConfig.BufferSize {\n\t\treturn errors.New(\"SFTPFs buffer_size mismatch\")\n\t}\n\tif expected.SFTPConfig.EqualityCheckMode != actual.SFTPConfig.EqualityCheckMode {\n\t\treturn errors.New(\"SFTPFs equality_check_mode mismatch\")\n\t}\n\tif err := checkEncryptedSecret(expected.SFTPConfig.Password, actual.SFTPConfig.Password); err != nil {\n\t\treturn fmt.Errorf(\"SFTPFs password mismatch: %v\", err)\n\t}\n\tif err := checkEncryptedSecret(expected.SFTPConfig.PrivateKey, actual.SFTPConfig.PrivateKey); err != nil {\n\t\treturn fmt.Errorf(\"SFTPFs private key mismatch: %v\", err)\n\t}\n\tif err := checkEncryptedSecret(expected.SFTPConfig.KeyPassphrase, actual.SFTPConfig.KeyPassphrase); err != nil {\n\t\treturn fmt.Errorf(\"SFTPFs private key passphrase mismatch: %v\", err)\n\t}\n\tif expected.SFTPConfig.Prefix != actual.SFTPConfig.Prefix {\n\t\tif expected.SFTPConfig.Prefix != \"\" && actual.SFTPConfig.Prefix != \"/\" {\n\t\t\treturn errors.New(\"SFTPFs prefix mismatch\")\n\t\t}\n\t}\n\tif len(expected.SFTPConfig.Fingerprints) != len(actual.SFTPConfig.Fingerprints) {\n\t\treturn errors.New(\"SFTPFs fingerprints mismatch\")\n\t}\n\tfor _, value := range actual.SFTPConfig.Fingerprints {\n\t\tif !slices.Contains(expected.SFTPConfig.Fingerprints, value) {\n\t\t\treturn errors.New(\"SFTPFs fingerprints mismatch\")\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc compareAzBlobConfig(expected *vfs.Filesystem, actual *vfs.Filesystem) error {\n\tif expected.AzBlobConfig.Container != actual.AzBlobConfig.Container {\n\t\treturn errors.New(\"azure Blob container mismatch\")\n\t}\n\tif expected.AzBlobConfig.AccountName != actual.AzBlobConfig.AccountName {\n\t\treturn errors.New(\"azure Blob account name mismatch\")\n\t}\n\tif err := checkEncryptedSecret(expected.AzBlobConfig.AccountKey, actual.AzBlobConfig.AccountKey); err != nil {\n\t\treturn fmt.Errorf(\"azure Blob account key mismatch: %v\", err)\n\t}\n\tif expected.AzBlobConfig.Endpoint != actual.AzBlobConfig.Endpoint {\n\t\treturn errors.New(\"azure Blob endpoint mismatch\")\n\t}\n\tif err := checkEncryptedSecret(expected.AzBlobConfig.SASURL, actual.AzBlobConfig.SASURL); err != nil {\n\t\treturn fmt.Errorf(\"azure Blob SAS URL mismatch: %v\", err)\n\t}\n\tif expected.AzBlobConfig.UploadPartSize != actual.AzBlobConfig.UploadPartSize {\n\t\treturn errors.New(\"azure Blob upload part size mismatch\")\n\t}\n\tif expected.AzBlobConfig.UploadConcurrency != actual.AzBlobConfig.UploadConcurrency {\n\t\treturn errors.New(\"azure Blob upload concurrency mismatch\")\n\t}\n\tif expected.AzBlobConfig.DownloadPartSize != actual.AzBlobConfig.DownloadPartSize {\n\t\treturn errors.New(\"azure Blob download part size mismatch\")\n\t}\n\tif expected.AzBlobConfig.DownloadConcurrency != actual.AzBlobConfig.DownloadConcurrency {\n\t\treturn errors.New(\"azure Blob download concurrency mismatch\")\n\t}\n\tif expected.AzBlobConfig.KeyPrefix != actual.AzBlobConfig.KeyPrefix &&\n\t\texpected.AzBlobConfig.KeyPrefix+\"/\" != actual.AzBlobConfig.KeyPrefix {\n\t\treturn errors.New(\"azure Blob key prefix mismatch\")\n\t}\n\tif expected.AzBlobConfig.UseEmulator != actual.AzBlobConfig.UseEmulator {\n\t\treturn errors.New(\"azure Blob use emulator mismatch\")\n\t}\n\tif expected.AzBlobConfig.AccessTier != actual.AzBlobConfig.AccessTier {\n\t\treturn errors.New(\"azure Blob access tier mismatch\")\n\t}\n\treturn nil\n}\n\nfunc areSecretEquals(expected, actual *kms.Secret) bool {\n\tif expected == nil && actual == nil {\n\t\treturn true\n\t}\n\tif expected != nil && expected.IsEmpty() && actual == nil {\n\t\treturn true\n\t}\n\tif actual != nil && actual.IsEmpty() && expected == nil {\n\t\treturn true\n\t}\n\treturn false\n}\n\nfunc checkEncryptedSecret(expected, actual *kms.Secret) error {\n\tif areSecretEquals(expected, actual) {\n\t\treturn nil\n\t}\n\tif expected == nil && actual != nil && !actual.IsEmpty() {\n\t\treturn errors.New(\"secret mismatch\")\n\t}\n\tif actual == nil && expected != nil && !expected.IsEmpty() {\n\t\treturn errors.New(\"secret mismatch\")\n\t}\n\tif expected.IsPlain() && actual.IsEncrypted() {\n\t\tif actual.GetPayload() == \"\" {\n\t\t\treturn errors.New(\"invalid secret payload\")\n\t\t}\n\t\tif actual.GetAdditionalData() != \"\" {\n\t\t\treturn errors.New(\"invalid secret additional data\")\n\t\t}\n\t\tif actual.GetKey() != \"\" {\n\t\t\treturn errors.New(\"invalid secret key\")\n\t\t}\n\t} else {\n\t\tif expected.GetStatus() != actual.GetStatus() || expected.GetPayload() != actual.GetPayload() {\n\t\t\treturn errors.New(\"secret mismatch\")\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc compareUserFilterSubStructs(expected sdk.BaseUserFilters, actual sdk.BaseUserFilters) error {\n\tfor _, IPMask := range expected.AllowedIP {\n\t\tif !slices.Contains(actual.AllowedIP, IPMask) {\n\t\t\treturn errors.New(\"allowed IP contents mismatch\")\n\t\t}\n\t}\n\tfor _, IPMask := range expected.DeniedIP {\n\t\tif !slices.Contains(actual.DeniedIP, IPMask) {\n\t\t\treturn errors.New(\"denied IP contents mismatch\")\n\t\t}\n\t}\n\tfor _, method := range expected.DeniedLoginMethods {\n\t\tif !slices.Contains(actual.DeniedLoginMethods, method) {\n\t\t\treturn errors.New(\"denied login methods contents mismatch\")\n\t\t}\n\t}\n\tfor _, protocol := range expected.DeniedProtocols {\n\t\tif !slices.Contains(actual.DeniedProtocols, protocol) {\n\t\t\treturn errors.New(\"denied protocols contents mismatch\")\n\t\t}\n\t}\n\tfor _, options := range expected.WebClient {\n\t\tif !slices.Contains(actual.WebClient, options) {\n\t\t\treturn errors.New(\"web client options contents mismatch\")\n\t\t}\n\t}\n\n\tif len(expected.TLSCerts) != len(actual.TLSCerts) {\n\t\treturn errors.New(\"TLS certs mismatch\")\n\t}\n\tfor _, cert := range expected.TLSCerts {\n\t\tif !slices.Contains(actual.TLSCerts, cert) {\n\t\t\treturn errors.New(\"TLS certs content mismatch\")\n\t\t}\n\t}\n\n\treturn compareUserFiltersEqualFields(expected, actual)\n}\n\nfunc compareUserFiltersEqualFields(expected sdk.BaseUserFilters, actual sdk.BaseUserFilters) error {\n\tif expected.Hooks.ExternalAuthDisabled != actual.Hooks.ExternalAuthDisabled {\n\t\treturn errors.New(\"external_auth_disabled hook mismatch\")\n\t}\n\tif expected.Hooks.PreLoginDisabled != actual.Hooks.PreLoginDisabled {\n\t\treturn errors.New(\"pre_login_disabled hook mismatch\")\n\t}\n\tif expected.Hooks.CheckPasswordDisabled != actual.Hooks.CheckPasswordDisabled {\n\t\treturn errors.New(\"check_password_disabled hook mismatch\")\n\t}\n\tif expected.DisableFsChecks != actual.DisableFsChecks {\n\t\treturn errors.New(\"disable_fs_checks mismatch\")\n\t}\n\tif expected.StartDirectory != actual.StartDirectory {\n\t\treturn errors.New(\"start_directory mismatch\")\n\t}\n\treturn nil\n}\n\nfunc compareBaseUserFilters(expected sdk.BaseUserFilters, actual sdk.BaseUserFilters) error { //nolint:gocyclo\n\tif len(expected.AllowedIP) != len(actual.AllowedIP) {\n\t\treturn errors.New(\"allowed IP mismatch\")\n\t}\n\tif len(expected.DeniedIP) != len(actual.DeniedIP) {\n\t\treturn errors.New(\"denied IP mismatch\")\n\t}\n\tif len(expected.DeniedLoginMethods) != len(actual.DeniedLoginMethods) {\n\t\treturn errors.New(\"denied login methods mismatch\")\n\t}\n\tif len(expected.DeniedProtocols) != len(actual.DeniedProtocols) {\n\t\treturn errors.New(\"denied protocols mismatch\")\n\t}\n\tif expected.MaxUploadFileSize != actual.MaxUploadFileSize {\n\t\treturn errors.New(\"max upload file size mismatch\")\n\t}\n\tif expected.TLSUsername != actual.TLSUsername {\n\t\treturn errors.New(\"TLSUsername mismatch\")\n\t}\n\tif len(expected.WebClient) != len(actual.WebClient) {\n\t\treturn errors.New(\"WebClient filter mismatch\")\n\t}\n\tif expected.AllowAPIKeyAuth != actual.AllowAPIKeyAuth {\n\t\treturn errors.New(\"allow_api_key_auth mismatch\")\n\t}\n\tif expected.ExternalAuthCacheTime != actual.ExternalAuthCacheTime {\n\t\treturn errors.New(\"external_auth_cache_time mismatch\")\n\t}\n\tif expected.FTPSecurity != actual.FTPSecurity {\n\t\treturn errors.New(\"ftp_security mismatch\")\n\t}\n\tif expected.IsAnonymous != actual.IsAnonymous {\n\t\treturn errors.New(\"is_anonymous mismatch\")\n\t}\n\tif expected.DefaultSharesExpiration != actual.DefaultSharesExpiration {\n\t\treturn errors.New(\"default_shares_expiration mismatch\")\n\t}\n\tif expected.MaxSharesExpiration != actual.MaxSharesExpiration {\n\t\treturn errors.New(\"max_shares_expiration mismatch\")\n\t}\n\tif expected.PasswordExpiration != actual.PasswordExpiration {\n\t\treturn errors.New(\"password_expiration mismatch\")\n\t}\n\tif expected.PasswordStrength != actual.PasswordStrength {\n\t\treturn errors.New(\"password_strength mismatch\")\n\t}\n\treturn nil\n}\n\nfunc compareUserFilters(expected sdk.BaseUserFilters, actual sdk.BaseUserFilters) error {\n\tif err := compareBaseUserFilters(expected, actual); err != nil {\n\t\treturn err\n\t}\n\tif err := compareUserFilterSubStructs(expected, actual); err != nil {\n\t\treturn err\n\t}\n\tif err := compareUserBandwidthLimitFilters(expected, actual); err != nil {\n\t\treturn err\n\t}\n\tif err := compareAccessTimeFilters(expected, actual); err != nil {\n\t\treturn err\n\t}\n\treturn compareUserFilePatternsFilters(expected, actual)\n}\n\nfunc checkFilterMatch(expected []string, actual []string) bool {\n\tif len(expected) != len(actual) {\n\t\treturn false\n\t}\n\tfor _, e := range expected {\n\t\tif !slices.Contains(actual, strings.ToLower(e)) {\n\t\t\treturn false\n\t\t}\n\t}\n\treturn true\n}\n\nfunc compareAccessTimeFilters(expected sdk.BaseUserFilters, actual sdk.BaseUserFilters) error {\n\tif len(expected.AccessTime) != len(actual.AccessTime) {\n\t\treturn errors.New(\"access time filters mismatch\")\n\t}\n\n\tfor idx, p := range expected.AccessTime {\n\t\tif actual.AccessTime[idx].DayOfWeek != p.DayOfWeek {\n\t\t\treturn errors.New(\"access time day of week mismatch\")\n\t\t}\n\t\tif actual.AccessTime[idx].From != p.From {\n\t\t\treturn errors.New(\"access time from mismatch\")\n\t\t}\n\t\tif actual.AccessTime[idx].To != p.To {\n\t\t\treturn errors.New(\"access time to mismatch\")\n\t\t}\n\t}\n\n\treturn nil\n}\n\nfunc compareUserBandwidthLimitFilters(expected sdk.BaseUserFilters, actual sdk.BaseUserFilters) error {\n\tif len(expected.BandwidthLimits) != len(actual.BandwidthLimits) {\n\t\treturn errors.New(\"bandwidth limits filters mismatch\")\n\t}\n\n\tfor idx, l := range expected.BandwidthLimits {\n\t\tif actual.BandwidthLimits[idx].UploadBandwidth != l.UploadBandwidth {\n\t\t\treturn errors.New(\"bandwidth filters upload_bandwidth mismatch\")\n\t\t}\n\t\tif actual.BandwidthLimits[idx].DownloadBandwidth != l.DownloadBandwidth {\n\t\t\treturn errors.New(\"bandwidth filters download_bandwidth mismatch\")\n\t\t}\n\t\tif len(actual.BandwidthLimits[idx].Sources) != len(l.Sources) {\n\t\t\treturn errors.New(\"bandwidth filters sources mismatch\")\n\t\t}\n\t\tfor _, source := range actual.BandwidthLimits[idx].Sources {\n\t\t\tif !slices.Contains(l.Sources, source) {\n\t\t\t\treturn errors.New(\"bandwidth filters source mismatch\")\n\t\t\t}\n\t\t}\n\t}\n\n\treturn nil\n}\n\nfunc compareUserFilePatternsFilters(expected sdk.BaseUserFilters, actual sdk.BaseUserFilters) error {\n\tif len(expected.FilePatterns) != len(actual.FilePatterns) {\n\t\treturn errors.New(\"file patterns mismatch\")\n\t}\n\tfor _, f := range expected.FilePatterns {\n\t\tfound := false\n\t\tfor _, f1 := range actual.FilePatterns {\n\t\t\tif path.Clean(f.Path) == path.Clean(f1.Path) && f.DenyPolicy == f1.DenyPolicy {\n\t\t\t\tif !checkFilterMatch(f.AllowedPatterns, f1.AllowedPatterns) ||\n\t\t\t\t\t!checkFilterMatch(f.DeniedPatterns, f1.DeniedPatterns) {\n\t\t\t\t\treturn errors.New(\"file patterns contents mismatch\")\n\t\t\t\t}\n\t\t\t\tfound = true\n\t\t\t}\n\t\t}\n\t\tif !found {\n\t\t\treturn errors.New(\"file patterns contents mismatch\")\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc compareRenameConfigs(expected, actual []dataprovider.RenameConfig) error {\n\tif len(expected) != len(actual) {\n\t\treturn errors.New(\"rename configs mismatch\")\n\t}\n\tfor _, ex := range expected {\n\t\tfound := false\n\t\tfor _, ac := range actual {\n\t\t\tif ac.Key == ex.Key && ac.Value == ex.Value && ac.UpdateModTime == ex.UpdateModTime {\n\t\t\t\tfound = true\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif !found {\n\t\t\treturn errors.New(\"rename configs mismatch\")\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc compareKeyValues(expected, actual []dataprovider.KeyValue) error {\n\tif len(expected) != len(actual) {\n\t\treturn errors.New(\"key values mismatch\")\n\t}\n\tfor _, ex := range expected {\n\t\tfound := false\n\t\tfor _, ac := range actual {\n\t\t\tif ac.Key == ex.Key && ac.Value == ex.Value {\n\t\t\t\tfound = true\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif !found {\n\t\t\treturn errors.New(\"key values mismatch\")\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc compareHTTPparts(expected, actual []dataprovider.HTTPPart) error {\n\tfor _, p1 := range expected {\n\t\tfound := false\n\t\tfor _, p2 := range actual {\n\t\t\tif p1.Name == p2.Name {\n\t\t\t\tfound = true\n\t\t\t\tif err := compareKeyValues(p1.Headers, p2.Headers); err != nil {\n\t\t\t\t\treturn fmt.Errorf(\"http headers mismatch for part %q\", p1.Name)\n\t\t\t\t}\n\t\t\t\tif p1.Body != p2.Body || p1.Filepath != p2.Filepath {\n\t\t\t\t\treturn fmt.Errorf(\"http part %q mismatch\", p1.Name)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif !found {\n\t\t\treturn fmt.Errorf(\"expected http part %q not found\", p1.Name)\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc compareEventActionHTTPConfigFields(expected, actual dataprovider.EventActionHTTPConfig) error {\n\tif expected.Endpoint != actual.Endpoint {\n\t\treturn errors.New(\"http endpoint mismatch\")\n\t}\n\tif expected.Username != actual.Username {\n\t\treturn errors.New(\"http username mismatch\")\n\t}\n\tif err := checkEncryptedSecret(expected.Password, actual.Password); err != nil {\n\t\treturn err\n\t}\n\tif err := compareKeyValues(expected.Headers, actual.Headers); err != nil {\n\t\treturn errors.New(\"http headers mismatch\")\n\t}\n\tif expected.Timeout != actual.Timeout {\n\t\treturn errors.New(\"http timeout mismatch\")\n\t}\n\tif expected.SkipTLSVerify != actual.SkipTLSVerify {\n\t\treturn errors.New(\"http skip TLS verify mismatch\")\n\t}\n\tif expected.Method != actual.Method {\n\t\treturn errors.New(\"http method mismatch\")\n\t}\n\tif err := compareKeyValues(expected.QueryParameters, actual.QueryParameters); err != nil {\n\t\treturn errors.New(\"http query parameters mismatch\")\n\t}\n\tif expected.Body != actual.Body {\n\t\treturn errors.New(\"http body mismatch\")\n\t}\n\tif len(expected.Parts) != len(actual.Parts) {\n\t\treturn errors.New(\"http parts mismatch\")\n\t}\n\treturn compareHTTPparts(expected.Parts, actual.Parts)\n}\n\nfunc compareEventActionEmailConfigFields(expected, actual dataprovider.EventActionEmailConfig) error {\n\tif len(expected.Recipients) != len(actual.Recipients) {\n\t\treturn errors.New(\"email recipients mismatch\")\n\t}\n\tfor _, v := range expected.Recipients {\n\t\tif !slices.Contains(actual.Recipients, v) {\n\t\t\treturn errors.New(\"email recipients content mismatch\")\n\t\t}\n\t}\n\tif len(expected.Bcc) != len(actual.Bcc) {\n\t\treturn errors.New(\"email bcc mismatch\")\n\t}\n\tfor _, v := range expected.Bcc {\n\t\tif !slices.Contains(actual.Bcc, v) {\n\t\t\treturn errors.New(\"email bcc content mismatch\")\n\t\t}\n\t}\n\tif expected.Subject != actual.Subject {\n\t\treturn errors.New(\"email subject mismatch\")\n\t}\n\tif expected.ContentType != actual.ContentType {\n\t\treturn errors.New(\"email content type mismatch\")\n\t}\n\tif expected.Body != actual.Body {\n\t\treturn errors.New(\"email body mismatch\")\n\t}\n\tif len(expected.Attachments) != len(actual.Attachments) {\n\t\treturn errors.New(\"email attachments mismatch\")\n\t}\n\tfor _, v := range expected.Attachments {\n\t\tif !slices.Contains(actual.Attachments, v) {\n\t\t\treturn errors.New(\"email attachments content mismatch\")\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc compareEventActionFsCompressFields(expected, actual dataprovider.EventActionFsCompress) error {\n\tif expected.Name != actual.Name {\n\t\treturn errors.New(\"fs compress name mismatch\")\n\t}\n\tif len(expected.Paths) != len(actual.Paths) {\n\t\treturn errors.New(\"fs compress paths mismatch\")\n\t}\n\tfor _, v := range expected.Paths {\n\t\tif !slices.Contains(actual.Paths, v) {\n\t\t\treturn errors.New(\"fs compress paths content mismatch\")\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc compareEventActionFsConfigFields(expected, actual dataprovider.EventActionFilesystemConfig) error {\n\tif expected.Type != actual.Type {\n\t\treturn errors.New(\"fs type mismatch\")\n\t}\n\tif err := compareRenameConfigs(expected.Renames, actual.Renames); err != nil {\n\t\treturn errors.New(\"fs renames mismatch\")\n\t}\n\tif err := compareKeyValues(expected.Copy, actual.Copy); err != nil {\n\t\treturn errors.New(\"fs copy mismatch\")\n\t}\n\tif len(expected.Deletes) != len(actual.Deletes) {\n\t\treturn errors.New(\"fs deletes mismatch\")\n\t}\n\tfor _, v := range expected.Deletes {\n\t\tif !slices.Contains(actual.Deletes, v) {\n\t\t\treturn errors.New(\"fs deletes content mismatch\")\n\t\t}\n\t}\n\tif len(expected.MkDirs) != len(actual.MkDirs) {\n\t\treturn errors.New(\"fs mkdirs mismatch\")\n\t}\n\tfor _, v := range expected.MkDirs {\n\t\tif !slices.Contains(actual.MkDirs, v) {\n\t\t\treturn errors.New(\"fs mkdir content mismatch\")\n\t\t}\n\t}\n\tif len(expected.Exist) != len(actual.Exist) {\n\t\treturn errors.New(\"fs exist mismatch\")\n\t}\n\tfor _, v := range expected.Exist {\n\t\tif !slices.Contains(actual.Exist, v) {\n\t\t\treturn errors.New(\"fs exist content mismatch\")\n\t\t}\n\t}\n\treturn compareEventActionFsCompressFields(expected.Compress, actual.Compress)\n}\n\nfunc compareEventActionIDPConfigFields(expected, actual dataprovider.EventActionIDPAccountCheck) error {\n\tif expected.Mode != actual.Mode {\n\t\treturn errors.New(\"mode mismatch\")\n\t}\n\tif expected.TemplateAdmin != actual.TemplateAdmin {\n\t\treturn errors.New(\"admin template mismatch\")\n\t}\n\tif expected.TemplateUser != actual.TemplateUser {\n\t\treturn errors.New(\"user template mismatch\")\n\t}\n\treturn nil\n}\n\nfunc compareEventActionCmdConfigFields(expected, actual dataprovider.EventActionCommandConfig) error {\n\tif expected.Cmd != actual.Cmd {\n\t\treturn errors.New(\"command mismatch\")\n\t}\n\tif expected.Timeout != actual.Timeout {\n\t\treturn errors.New(\"cmd timeout mismatch\")\n\t}\n\tif len(expected.Args) != len(actual.Args) {\n\t\treturn errors.New(\"cmd args mismatch\")\n\t}\n\tfor _, v := range expected.Args {\n\t\tif !slices.Contains(actual.Args, v) {\n\t\t\treturn errors.New(\"cmd args content mismatch\")\n\t\t}\n\t}\n\tif err := compareKeyValues(expected.EnvVars, actual.EnvVars); err != nil {\n\t\treturn errors.New(\"cmd env vars mismatch\")\n\t}\n\treturn nil\n}\n\nfunc compareEventActionDataRetentionFields(expected, actual dataprovider.EventActionDataRetentionConfig) error {\n\tif len(expected.Folders) != len(actual.Folders) {\n\t\treturn errors.New(\"retention folders mismatch\")\n\t}\n\tfor _, f1 := range expected.Folders {\n\t\tfound := false\n\t\tfor _, f2 := range actual.Folders {\n\t\t\tif f1.Path == f2.Path {\n\t\t\t\tfound = true\n\t\t\t\tif f1.Retention != f2.Retention {\n\t\t\t\t\treturn fmt.Errorf(\"retention mismatch for folder %s\", f1.Path)\n\t\t\t\t}\n\t\t\t\tif f1.DeleteEmptyDirs != f2.DeleteEmptyDirs {\n\t\t\t\t\treturn fmt.Errorf(\"delete_empty_dirs mismatch for folder %s\", f1.Path)\n\t\t\t\t}\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif !found {\n\t\t\treturn errors.New(\"retention folders mismatch\")\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc compareEqualGroupSettingsFields(expected sdk.BaseGroupUserSettings, actual sdk.BaseGroupUserSettings) error {\n\tif expected.HomeDir != actual.HomeDir {\n\t\treturn errors.New(\"home dir mismatch\")\n\t}\n\tif expected.MaxSessions != actual.MaxSessions {\n\t\treturn errors.New(\"MaxSessions mismatch\")\n\t}\n\tif expected.QuotaSize != actual.QuotaSize {\n\t\treturn errors.New(\"QuotaSize mismatch\")\n\t}\n\tif expected.QuotaFiles != actual.QuotaFiles {\n\t\treturn errors.New(\"QuotaFiles mismatch\")\n\t}\n\tif expected.UploadBandwidth != actual.UploadBandwidth {\n\t\treturn errors.New(\"UploadBandwidth mismatch\")\n\t}\n\tif expected.DownloadBandwidth != actual.DownloadBandwidth {\n\t\treturn errors.New(\"DownloadBandwidth mismatch\")\n\t}\n\tif expected.UploadDataTransfer != actual.UploadDataTransfer {\n\t\treturn errors.New(\"upload_data_transfer mismatch\")\n\t}\n\tif expected.DownloadDataTransfer != actual.DownloadDataTransfer {\n\t\treturn errors.New(\"download_data_transfer mismatch\")\n\t}\n\tif expected.TotalDataTransfer != actual.TotalDataTransfer {\n\t\treturn errors.New(\"total_data_transfer mismatch\")\n\t}\n\tif expected.ExpiresIn != actual.ExpiresIn {\n\t\treturn errors.New(\"expires_in mismatch\")\n\t}\n\treturn compareUserPermissions(expected.Permissions, actual.Permissions)\n}\n\nfunc compareEqualsUserFields(expected *dataprovider.User, actual *dataprovider.User) error {\n\tif dataprovider.ConvertName(expected.Username) != actual.Username {\n\t\treturn errors.New(\"username mismatch\")\n\t}\n\tif expected.HomeDir != actual.HomeDir {\n\t\treturn errors.New(\"home dir mismatch\")\n\t}\n\tif expected.UID != actual.UID {\n\t\treturn errors.New(\"UID mismatch\")\n\t}\n\tif expected.GID != actual.GID {\n\t\treturn errors.New(\"GID mismatch\")\n\t}\n\tif expected.MaxSessions != actual.MaxSessions {\n\t\treturn errors.New(\"MaxSessions mismatch\")\n\t}\n\tif len(expected.Permissions) != len(actual.Permissions) {\n\t\treturn errors.New(\"permissions mismatch\")\n\t}\n\tif expected.UploadBandwidth != actual.UploadBandwidth {\n\t\treturn errors.New(\"UploadBandwidth mismatch\")\n\t}\n\tif expected.DownloadBandwidth != actual.DownloadBandwidth {\n\t\treturn errors.New(\"DownloadBandwidth mismatch\")\n\t}\n\tif expected.Status != actual.Status {\n\t\treturn errors.New(\"status mismatch\")\n\t}\n\tif expected.ExpirationDate != actual.ExpirationDate {\n\t\treturn errors.New(\"ExpirationDate mismatch\")\n\t}\n\tif expected.AdditionalInfo != actual.AdditionalInfo {\n\t\treturn errors.New(\"AdditionalInfo mismatch\")\n\t}\n\tif expected.Description != actual.Description {\n\t\treturn errors.New(\"description mismatch\")\n\t}\n\tif expected.Role != actual.Role {\n\t\treturn errors.New(\"role mismatch\")\n\t}\n\treturn compareQuotaUserFields(expected, actual)\n}\n\nfunc compareQuotaUserFields(expected *dataprovider.User, actual *dataprovider.User) error {\n\tif expected.QuotaSize != actual.QuotaSize {\n\t\treturn errors.New(\"QuotaSize mismatch\")\n\t}\n\tif expected.QuotaFiles != actual.QuotaFiles {\n\t\treturn errors.New(\"QuotaFiles mismatch\")\n\t}\n\tif expected.UploadDataTransfer != actual.UploadDataTransfer {\n\t\treturn errors.New(\"upload_data_transfer mismatch\")\n\t}\n\tif expected.DownloadDataTransfer != actual.DownloadDataTransfer {\n\t\treturn errors.New(\"download_data_transfer mismatch\")\n\t}\n\tif expected.TotalDataTransfer != actual.TotalDataTransfer {\n\t\treturn errors.New(\"total_data_transfer mismatch\")\n\t}\n\treturn nil\n}\n\nfunc addLimitAndOffsetQueryParams(rawurl string, limit, offset int64) (*url.URL, error) {\n\turl, err := url.Parse(rawurl)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tq := url.Query()\n\tif limit > 0 {\n\t\tq.Add(\"limit\", strconv.FormatInt(limit, 10))\n\t}\n\tif offset > 0 {\n\t\tq.Add(\"offset\", strconv.FormatInt(offset, 10))\n\t}\n\turl.RawQuery = q.Encode()\n\treturn url, err\n}\n\nfunc addModeQueryParam(rawurl, mode string) (*url.URL, error) {\n\turl, err := url.Parse(rawurl)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tq := url.Query()\n\tif len(mode) > 0 {\n\t\tq.Add(\"mode\", mode)\n\t}\n\turl.RawQuery = q.Encode()\n\treturn url, err\n}\n\nfunc addUpdateUserQueryParams(rawurl, disconnect string) (*url.URL, error) {\n\turl, err := url.Parse(rawurl)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tq := url.Query()\n\tif disconnect != \"\" {\n\t\tq.Add(\"disconnect\", disconnect)\n\t}\n\turl.RawQuery = q.Encode()\n\treturn url, err\n}\n" }, { "path": "internal/httpdtest/httpfsimpl.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage httpdtest\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"mime\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strconv\"\n\t\"time\"\n\n\t\"github.com/go-chi/chi/v5\"\n\t\"github.com/go-chi/chi/v5/middleware\"\n\t\"github.com/go-chi/render\"\n\t\"github.com/shirou/gopsutil/v3/disk\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nconst (\n\tstatPath = \"/api/v1/stat\"\n\topenPath = \"/api/v1/open\"\n\tcreatePath = \"/api/v1/create\"\n\trenamePath = \"/api/v1/rename\"\n\tremovePath = \"/api/v1/remove\"\n\tmkdirPath = \"/api/v1/mkdir\"\n\tchmodPath = \"/api/v1/chmod\"\n\tchtimesPath = \"/api/v1/chtimes\"\n\ttruncatePath = \"/api/v1/truncate\"\n\treaddirPath = \"/api/v1/readdir\"\n\tdirsizePath = \"/api/v1/dirsize\"\n\tmimetypePath = \"/api/v1/mimetype\"\n\tstatvfsPath = \"/api/v1/statvfs\"\n)\n\n// HTTPFsCallbacks defines additional callbacks to customize the HTTPfs responses\ntype HTTPFsCallbacks struct {\n\tReaddir func(string) []os.FileInfo\n}\n\n// StartTestHTTPFs starts a test HTTP service that implements httpfs\n// and listens on the specified port\nfunc StartTestHTTPFs(port int, callbacks *HTTPFsCallbacks) error {\n\tfs := httpFsImpl{\n\t\tport: port,\n\t\tcallbacks: callbacks,\n\t}\n\n\treturn fs.Run()\n}\n\n// StartTestHTTPFsOverUnixSocket starts a test HTTP service that implements httpfs\n// and listens on the specified UNIX domain socket path\nfunc StartTestHTTPFsOverUnixSocket(socketPath string) error {\n\tfs := httpFsImpl{\n\t\tunixSocketPath: socketPath,\n\t}\n\treturn fs.Run()\n}\n\ntype httpFsImpl struct {\n\trouter *chi.Mux\n\tbasePath string\n\tport int\n\tunixSocketPath string\n\tcallbacks *HTTPFsCallbacks\n}\n\ntype apiResponse struct {\n\tError string `json:\"error,omitempty\"`\n\tMessage string `json:\"message,omitempty\"`\n}\n\nfunc (fs *httpFsImpl) sendAPIResponse(w http.ResponseWriter, r *http.Request, err error, message string, code int) {\n\tvar errorString string\n\tif err != nil {\n\t\terrorString = err.Error()\n\t}\n\tresp := apiResponse{\n\t\tError: errorString,\n\t\tMessage: message,\n\t}\n\tctx := context.WithValue(r.Context(), render.StatusCtxKey, code)\n\trender.JSON(w, r.WithContext(ctx), resp)\n}\n\nfunc (fs *httpFsImpl) getUsername(r *http.Request) (string, error) {\n\tusername, _, ok := r.BasicAuth()\n\tif !ok || username == \"\" {\n\t\treturn \"\", os.ErrPermission\n\t}\n\trootPath := filepath.Join(fs.basePath, username)\n\t_, err := os.Stat(rootPath)\n\tif errors.Is(err, os.ErrNotExist) {\n\t\terr = os.MkdirAll(rootPath, os.ModePerm)\n\t\tif err != nil {\n\t\t\treturn username, err\n\t\t}\n\t}\n\treturn username, nil\n}\n\nfunc (fs *httpFsImpl) getRespStatus(err error) int {\n\tif errors.Is(err, os.ErrPermission) {\n\t\treturn http.StatusForbidden\n\t}\n\tif errors.Is(err, os.ErrNotExist) {\n\t\treturn http.StatusNotFound\n\t}\n\n\treturn http.StatusInternalServerError\n}\n\nfunc (fs *httpFsImpl) stat(w http.ResponseWriter, r *http.Request) {\n\tusername, err := fs.getUsername(r)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tname := getNameURLParam(r)\n\tfsPath := filepath.Join(fs.basePath, username, name)\n\tinfo, err := os.Stat(fsPath)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\trender.JSON(w, r, getStatFromInfo(info))\n}\n\nfunc (fs *httpFsImpl) open(w http.ResponseWriter, r *http.Request) {\n\tusername, err := fs.getUsername(r)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tvar offset int64\n\tif r.URL.Query().Has(\"offset\") {\n\t\toffset, err = strconv.ParseInt(r.URL.Query().Get(\"offset\"), 10, 64)\n\t\tif err != nil {\n\t\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\t\treturn\n\t\t}\n\t}\n\tname := getNameURLParam(r)\n\tfsPath := filepath.Join(fs.basePath, username, name)\n\tf, err := os.Open(fsPath)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tdefer f.Close()\n\n\tif offset > 0 {\n\t\t_, err = f.Seek(offset, io.SeekStart)\n\t\tif err != nil {\n\t\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\t\treturn\n\t\t}\n\t}\n\tctype := mime.TypeByExtension(filepath.Ext(name))\n\tif ctype != \"\" {\n\t\tctype = \"application/octet-stream\"\n\t}\n\tw.Header().Set(\"Content-Type\", ctype)\n\t_, err = io.Copy(w, f)\n\tif err != nil {\n\t\tpanic(http.ErrAbortHandler)\n\t}\n}\n\nfunc (fs *httpFsImpl) create(w http.ResponseWriter, r *http.Request) {\n\tusername, err := fs.getUsername(r)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tflags := os.O_RDWR | os.O_CREATE | os.O_TRUNC\n\tif r.URL.Query().Has(\"flags\") {\n\t\topenFlags, err := strconv.ParseInt(r.URL.Query().Get(\"flags\"), 10, 32)\n\t\tif err != nil {\n\t\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\t\treturn\n\t\t}\n\t\tif openFlags > 0 {\n\t\t\tflags = int(openFlags)\n\t\t}\n\t}\n\tname := getNameURLParam(r)\n\tfsPath := filepath.Join(fs.basePath, username, name)\n\tf, err := os.OpenFile(fsPath, flags, 0666)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tdefer f.Close()\n\n\t_, err = io.Copy(f, r.Body)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tfs.sendAPIResponse(w, r, nil, \"upload OK\", http.StatusOK)\n}\n\nfunc (fs *httpFsImpl) rename(w http.ResponseWriter, r *http.Request) {\n\tusername, err := fs.getUsername(r)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\ttarget := r.URL.Query().Get(\"target\")\n\tif target == \"\" {\n\t\tfs.sendAPIResponse(w, r, nil, \"target path cannot be empty\", http.StatusBadRequest)\n\t\treturn\n\t}\n\tname := getNameURLParam(r)\n\tsourcePath := filepath.Join(fs.basePath, username, name)\n\ttargetPath := filepath.Join(fs.basePath, username, target)\n\terr = os.Rename(sourcePath, targetPath)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tfs.sendAPIResponse(w, r, nil, \"rename OK\", http.StatusOK)\n}\n\nfunc (fs *httpFsImpl) remove(w http.ResponseWriter, r *http.Request) {\n\tusername, err := fs.getUsername(r)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tname := getNameURLParam(r)\n\tfsPath := filepath.Join(fs.basePath, username, name)\n\terr = os.Remove(fsPath)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tfs.sendAPIResponse(w, r, nil, \"remove OK\", http.StatusOK)\n}\n\nfunc (fs *httpFsImpl) mkdir(w http.ResponseWriter, r *http.Request) {\n\tusername, err := fs.getUsername(r)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tname := getNameURLParam(r)\n\tfsPath := filepath.Join(fs.basePath, username, name)\n\terr = os.Mkdir(fsPath, os.ModePerm)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tfs.sendAPIResponse(w, r, nil, \"mkdir OK\", http.StatusOK)\n}\n\nfunc (fs *httpFsImpl) chmod(w http.ResponseWriter, r *http.Request) {\n\tusername, err := fs.getUsername(r)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tmode, err := strconv.ParseUint(r.URL.Query().Get(\"mode\"), 10, 32)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tname := getNameURLParam(r)\n\tfsPath := filepath.Join(fs.basePath, username, name)\n\terr = os.Chmod(fsPath, os.FileMode(mode))\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tfs.sendAPIResponse(w, r, nil, \"chmod OK\", http.StatusOK)\n}\n\nfunc (fs *httpFsImpl) chtimes(w http.ResponseWriter, r *http.Request) {\n\tusername, err := fs.getUsername(r)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tatime, err := time.Parse(time.RFC3339, r.URL.Query().Get(\"access_time\"))\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tmtime, err := time.Parse(time.RFC3339, r.URL.Query().Get(\"modification_time\"))\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tname := getNameURLParam(r)\n\tfsPath := filepath.Join(fs.basePath, username, name)\n\terr = os.Chtimes(fsPath, atime, mtime)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tfs.sendAPIResponse(w, r, nil, \"chtimes OK\", http.StatusOK)\n}\n\nfunc (fs *httpFsImpl) truncate(w http.ResponseWriter, r *http.Request) {\n\tusername, err := fs.getUsername(r)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tsize, err := strconv.ParseInt(r.URL.Query().Get(\"size\"), 10, 64)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tname := getNameURLParam(r)\n\tfsPath := filepath.Join(fs.basePath, username, name)\n\terr = os.Truncate(fsPath, size)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tfs.sendAPIResponse(w, r, nil, \"chmod OK\", http.StatusOK)\n}\n\nfunc (fs *httpFsImpl) readdir(w http.ResponseWriter, r *http.Request) {\n\tusername, err := fs.getUsername(r)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tname := getNameURLParam(r)\n\tfsPath := filepath.Join(fs.basePath, username, name)\n\tf, err := os.Open(fsPath)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tlist, err := f.Readdir(-1)\n\tf.Close()\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tresult := make([]map[string]any, 0, len(list))\n\tfor _, fi := range list {\n\t\tresult = append(result, getStatFromInfo(fi))\n\t}\n\tif fs.callbacks != nil && fs.callbacks.Readdir != nil {\n\t\tfor _, fi := range fs.callbacks.Readdir(name) {\n\t\t\tresult = append(result, getStatFromInfo(fi))\n\t\t}\n\t}\n\trender.JSON(w, r, result)\n}\n\nfunc (fs *httpFsImpl) dirsize(w http.ResponseWriter, r *http.Request) {\n\tusername, err := fs.getUsername(r)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tname := getNameURLParam(r)\n\tfsPath := filepath.Join(fs.basePath, username, name)\n\tinfo, err := os.Stat(fsPath)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tnumFiles := 0\n\tsize := int64(0)\n\tif info.IsDir() {\n\t\terr = filepath.Walk(fsPath, func(_ string, info os.FileInfo, err error) error {\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tif info != nil && info.Mode().IsRegular() {\n\t\t\t\tsize += info.Size()\n\t\t\t\tnumFiles++\n\t\t\t}\n\t\t\treturn err\n\t\t})\n\t\tif err != nil {\n\t\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\t\treturn\n\t\t}\n\t}\n\trender.JSON(w, r, map[string]any{\n\t\t\"files\": numFiles,\n\t\t\"size\": size,\n\t})\n}\n\nfunc (fs *httpFsImpl) mimetype(w http.ResponseWriter, r *http.Request) {\n\tusername, err := fs.getUsername(r)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tname := getNameURLParam(r)\n\tfsPath := filepath.Join(fs.basePath, username, name)\n\tf, err := os.OpenFile(fsPath, os.O_RDONLY, 0)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tdefer f.Close()\n\tvar buf [512]byte\n\tn, err := io.ReadFull(f, buf[:])\n\tif err != nil && err != io.EOF && err != io.ErrUnexpectedEOF {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tctype := http.DetectContentType(buf[:n])\n\trender.JSON(w, r, map[string]any{\n\t\t\"mime\": ctype,\n\t})\n}\n\nfunc (fs *httpFsImpl) statvfs(w http.ResponseWriter, r *http.Request) {\n\tusername, err := fs.getUsername(r)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\tname := getNameURLParam(r)\n\tfsPath := filepath.Join(fs.basePath, username, name)\n\tusage, err := disk.Usage(fsPath)\n\tif err != nil {\n\t\tfs.sendAPIResponse(w, r, err, \"\", fs.getRespStatus(err))\n\t\treturn\n\t}\n\t// we assume block size = 4096\n\tbsize := uint64(4096)\n\tblocks := usage.Total / bsize\n\tbfree := usage.Free / bsize\n\tfiles := usage.InodesTotal\n\tffree := usage.InodesFree\n\tif files == 0 {\n\t\t// these assumptions are wrong but still better than returning 0\n\t\tfiles = blocks / 4\n\t\tffree = bfree / 4\n\t}\n\trender.JSON(w, r, map[string]any{\n\t\t\"bsize\": bsize,\n\t\t\"frsize\": bsize,\n\t\t\"blocks\": blocks,\n\t\t\"bfree\": bfree,\n\t\t\"bavail\": bfree,\n\t\t\"files\": files,\n\t\t\"ffree\": ffree,\n\t\t\"favail\": ffree,\n\t\t\"namemax\": 255,\n\t})\n}\n\nfunc (fs *httpFsImpl) configureRouter() {\n\tfs.router = chi.NewRouter()\n\tfs.router.Use(middleware.Recoverer)\n\n\tfs.router.Get(statPath+\"/{name}\", fs.stat) //nolint:goconst\n\tfs.router.Get(openPath+\"/{name}\", fs.open)\n\tfs.router.Post(createPath+\"/{name}\", fs.create)\n\tfs.router.Patch(renamePath+\"/{name}\", fs.rename)\n\tfs.router.Delete(removePath+\"/{name}\", fs.remove)\n\tfs.router.Post(mkdirPath+\"/{name}\", fs.mkdir)\n\tfs.router.Patch(chmodPath+\"/{name}\", fs.chmod)\n\tfs.router.Patch(chtimesPath+\"/{name}\", fs.chtimes)\n\tfs.router.Patch(truncatePath+\"/{name}\", fs.truncate)\n\tfs.router.Get(readdirPath+\"/{name}\", fs.readdir)\n\tfs.router.Get(dirsizePath+\"/{name}\", fs.dirsize)\n\tfs.router.Get(mimetypePath+\"/{name}\", fs.mimetype)\n\tfs.router.Get(statvfsPath+\"/{name}\", fs.statvfs)\n}\n\nfunc (fs *httpFsImpl) Run() error {\n\tfs.basePath = filepath.Join(os.TempDir(), \"httpfs\")\n\tif err := os.RemoveAll(fs.basePath); err != nil {\n\t\treturn err\n\t}\n\tif err := os.MkdirAll(fs.basePath, os.ModePerm); err != nil {\n\t\treturn err\n\t}\n\tfs.configureRouter()\n\n\thttpServer := http.Server{\n\t\tAddr: fmt.Sprintf(\":%d\", fs.port),\n\t\tHandler: fs.router,\n\t\tReadTimeout: 60 * time.Second,\n\t\tWriteTimeout: 60 * time.Second,\n\t\tIdleTimeout: 120 * time.Second,\n\t\tMaxHeaderBytes: 1 << 16, // 64KB\n\t}\n\n\tif fs.unixSocketPath == \"\" {\n\t\treturn httpServer.ListenAndServe()\n\t}\n\terr := os.Remove(fs.unixSocketPath)\n\tif err != nil && !os.IsNotExist(err) {\n\t\treturn err\n\t}\n\tlistener, err := net.Listen(\"unix\", fs.unixSocketPath)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn httpServer.Serve(listener)\n}\n\nfunc getStatFromInfo(info os.FileInfo) map[string]any {\n\treturn map[string]any{\n\t\t\"name\": info.Name(),\n\t\t\"size\": info.Size(),\n\t\t\"mode\": info.Mode(),\n\t\t\"last_modified\": info.ModTime(),\n\t}\n}\n\nfunc getNameURLParam(r *http.Request) string {\n\tv := chi.URLParam(r, \"name\")\n\tunescaped, err := url.PathUnescape(v)\n\tif err != nil {\n\t\treturn util.CleanPath(v)\n\t}\n\treturn util.CleanPath(unescaped)\n}\n" }, { "path": "internal/jwt/jwt.go", "content": "// Copyright (C) 2025 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n// Package jwt provides functionality for creating, parsing, and validating\n// JSON Web Tokens (JWT) used in authentication and authorization workflows.\npackage jwt\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"slices\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/go-jose/go-jose/v4\"\n\t\"github.com/go-jose/go-jose/v4/jwt\"\n\t\"github.com/rs/xid\"\n)\n\nconst (\n\tCookieKey = \"jwt\"\n)\n\nvar (\n\tTokenCtxKey = &contextKey{\"Token\"}\n\tErrorCtxKey = &contextKey{\"Error\"}\n)\n\n// contextKey is a value for use with context.WithValue. It's used as\n// a pointer so it fits in an interface{} without allocation. This technique\n// for defining context keys was copied from Go 1.7's new use of context in net/http.\ntype contextKey struct {\n\tname string\n}\n\nfunc (k *contextKey) String() string {\n\treturn \"jwt context value \" + k.name\n}\n\nfunc NewClaims(audience, ip string, duration time.Duration) *Claims {\n\tnow := time.Now()\n\tclaims := &Claims{}\n\tclaims.IssuedAt = jwt.NewNumericDate(now)\n\tclaims.NotBefore = jwt.NewNumericDate(now.Add(-10 * time.Second))\n\tclaims.Expiry = jwt.NewNumericDate(now.Add(duration))\n\tclaims.Audience = []string{audience, ip}\n\treturn claims\n}\n\ntype Claims struct {\n\tjwt.Claims\n\tUsername string `json:\"username,omitempty\"`\n\tPermissions []string `json:\"permissions,omitempty\"`\n\tRole string `json:\"role,omitempty\"`\n\tAPIKeyID string `json:\"api_key,omitempty\"`\n\tNodeID string `json:\"node_id,omitempty\"`\n\tMustSetTwoFactorAuth bool `json:\"2fa_required,omitempty\"`\n\tMustChangePassword bool `json:\"chpwd,omitempty\"`\n\tRequiredTwoFactorProtocols []string `json:\"2fa_protos,omitempty\"`\n\tHideUserPageSections int `json:\"hus,omitempty\"`\n\tRef string `json:\"ref,omitempty\"`\n}\n\nfunc (c *Claims) SetIssuedAt(t time.Time) {\n\tc.IssuedAt = jwt.NewNumericDate(t)\n}\n\nfunc (c *Claims) SetNotBefore(t time.Time) {\n\tc.NotBefore = jwt.NewNumericDate(t)\n}\n\nfunc (c *Claims) SetExpiry(t time.Time) {\n\tc.Expiry = jwt.NewNumericDate(t)\n}\n\nfunc (c *Claims) HasPerm(perm string) bool {\n\tfor _, p := range c.Permissions {\n\t\tif p == \"*\" || p == perm {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\nfunc (c *Claims) HasAnyAudience(audiences []string) bool {\n\tfor _, a := range c.Audience {\n\t\tif slices.Contains(audiences, a) {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\nfunc (c *Claims) GenerateTokenResponse(signer *Signer) (TokenResponse, error) {\n\ttoken, err := signer.Sign(c)\n\tif err != nil {\n\t\treturn TokenResponse{}, err\n\t}\n\treturn c.BuildTokenResponse(token), nil\n}\n\nfunc (c *Claims) BuildTokenResponse(token string) TokenResponse {\n\treturn TokenResponse{Token: token, Expiry: c.Expiry.Time().UTC().Format(time.RFC3339)}\n}\n\ntype TokenResponse struct {\n\tToken string `json:\"access_token\"`\n\tExpiry string `json:\"expires_at\"`\n}\n\nfunc NewSigner(algo jose.SignatureAlgorithm, key any) (*Signer, error) {\n\topts := (&jose.SignerOptions{}).WithType(\"JWT\")\n\tsigner, err := jose.NewSigner(jose.SigningKey{Algorithm: algo, Key: key}, opts)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn &Signer{\n\t\tsigner: signer,\n\t\talgo: []jose.SignatureAlgorithm{algo},\n\t\tkey: key,\n\t}, nil\n}\n\ntype Signer struct {\n\talgo []jose.SignatureAlgorithm\n\tsigner jose.Signer\n\tkey any\n}\n\nfunc (s *Signer) Sign(claims *Claims) (string, error) {\n\tif claims.ID == \"\" {\n\t\tclaims.ID = xid.New().String()\n\t}\n\tif claims.IssuedAt == nil {\n\t\tclaims.IssuedAt = jwt.NewNumericDate(time.Now())\n\t}\n\tif claims.NotBefore == nil {\n\t\tclaims.NotBefore = jwt.NewNumericDate(time.Now().Add(-10 * time.Second))\n\t}\n\tif claims.Expiry == nil {\n\t\treturn \"\", errors.New(\"expiration must be set\")\n\t}\n\tif len(claims.Audience) == 0 {\n\t\treturn \"\", errors.New(\"audience must be set\")\n\t}\n\n\treturn jwt.Signed(s.signer).Claims(claims).Serialize()\n}\n\nfunc (s *Signer) Signer() jose.Signer {\n\treturn s.signer\n}\n\nfunc (s *Signer) SetSigner(signer jose.Signer) {\n\ts.signer = signer\n}\n\nfunc (s *Signer) SignWithParams(claims *Claims, audience, ip string, duration time.Duration) (string, error) {\n\tclaims.Expiry = jwt.NewNumericDate(time.Now().Add(duration))\n\tclaims.Audience = []string{audience, ip}\n\treturn s.Sign(claims)\n}\n\nfunc NewContext(ctx context.Context, claims *Claims, err error) context.Context {\n\tctx = context.WithValue(ctx, TokenCtxKey, claims)\n\tctx = context.WithValue(ctx, ErrorCtxKey, err)\n\treturn ctx\n}\n\nfunc FromContext(ctx context.Context) (*Claims, error) {\n\tval := ctx.Value(TokenCtxKey)\n\ttoken, ok := val.(*Claims)\n\tif !ok && val != nil {\n\t\treturn nil, fmt.Errorf(\"invalid type for TokenCtxKey: %T\", val)\n\t}\n\n\tvalErr := ctx.Value(ErrorCtxKey)\n\terr, ok := valErr.(error)\n\tif !ok && valErr != nil {\n\t\treturn nil, fmt.Errorf(\"invalid type for ErrorCtxKey: %T\", valErr)\n\t}\n\tif token == nil {\n\t\treturn nil, errors.New(\"no token found\")\n\t}\n\n\treturn token, err\n}\n\nfunc Verify(s *Signer, findTokenFns ...func(r *http.Request) string) func(http.Handler) http.Handler {\n\treturn func(next http.Handler) http.Handler {\n\t\thfn := func(w http.ResponseWriter, r *http.Request) {\n\t\t\tctx := r.Context()\n\t\t\ttoken, err := VerifyRequest(s, r, findTokenFns...)\n\t\t\tctx = NewContext(ctx, token, err)\n\t\t\tnext.ServeHTTP(w, r.WithContext(ctx))\n\t\t}\n\t\treturn http.HandlerFunc(hfn)\n\t}\n}\n\nfunc VerifyRequest(s *Signer, r *http.Request, findTokenFns ...func(r *http.Request) string) (*Claims, error) {\n\tvar tokenString string\n\tfor _, fn := range findTokenFns {\n\t\ttokenString = fn(r)\n\t\tif tokenString != \"\" {\n\t\t\tbreak\n\t\t}\n\t}\n\tif tokenString == \"\" {\n\t\treturn nil, errors.New(\"no token found\")\n\t}\n\treturn VerifyToken(s, tokenString)\n}\n\nfunc VerifyToken(s *Signer, payload string) (*Claims, error) {\n\treturn VerifyTokenWithKey(payload, s.algo, s.key)\n}\n\nfunc VerifyTokenWithKey(payload string, algo []jose.SignatureAlgorithm, key any) (*Claims, error) {\n\ttoken, err := jwt.ParseSigned(payload, algo)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tvar claims Claims\n\terr = token.Claims(key, &claims)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif err := claims.ValidateWithLeeway(jwt.Expected{Time: time.Now()}, 30*time.Second); err != nil {\n\t\treturn nil, err\n\t}\n\treturn &claims, nil\n}\n\n// TokenFromCookie tries to retrieve the token string from a cookie named\n// \"jwt\".\nfunc TokenFromCookie(r *http.Request) string {\n\tcookie, err := r.Cookie(CookieKey)\n\tif err != nil {\n\t\treturn \"\"\n\t}\n\treturn cookie.Value\n}\n\n// TokenFromHeader tries to retrieve the token string from the\n// \"Authorization\" request header: \"Authorization: BEARER T\".\nfunc TokenFromHeader(r *http.Request) string {\n\t// Get token from authorization header.\n\tbearer := r.Header.Get(\"Authorization\")\n\tconst prefix = \"Bearer \"\n\tif len(bearer) >= len(prefix) && strings.EqualFold(bearer[:len(prefix)], prefix) {\n\t\treturn bearer[len(prefix):]\n\t}\n\treturn \"\"\n}\n" }, { "path": "internal/jwt/jwt_test.go", "content": "package jwt\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io/fs\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/go-jose/go-jose/v4\"\n\t\"github.com/go-jose/go-jose/v4/jwt\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\ntype failingJoseSigner struct{}\n\nfunc (s *failingJoseSigner) Sign(payload []byte) (*jose.JSONWebSignature, error) {\n\treturn nil, errors.New(\"sign test error\")\n}\n\nfunc (s *failingJoseSigner) Options() jose.SignerOptions {\n\treturn jose.SignerOptions{}\n}\n\nfunc TestJWTToken(t *testing.T) {\n\ts, err := NewSigner(jose.HS256, util.GenerateRandomBytes(32))\n\trequire.NoError(t, err)\n\tusername := util.GenerateUniqueID()\n\tclaims := Claims{\n\t\tUsername: username,\n\t\tClaims: jwt.Claims{\n\t\t\tAudience: jwt.Audience{\"test\"},\n\t\t\tExpiry: jwt.NewNumericDate(time.Now().Add(5 * time.Minute)),\n\t\t\tNotBefore: jwt.NewNumericDate(time.Now()),\n\t\t\tIssuedAt: jwt.NewNumericDate(time.Now()),\n\t\t},\n\t}\n\ttoken, err := s.Sign(&claims)\n\trequire.NoError(t, err)\n\trequire.NotEmpty(t, token)\n\n\tparsed, err := VerifyToken(s, token)\n\trequire.NoError(t, err)\n\trequire.Equal(t, username, parsed.Username)\n\n\tja1, err := NewSigner(jose.HS256, util.GenerateRandomBytes(32))\n\trequire.NoError(t, err)\n\n\ttoken, err = ja1.Sign(&claims)\n\trequire.NoError(t, err)\n\trequire.NotEmpty(t, token)\n\t_, err = VerifyToken(s, token)\n\trequire.Error(t, err)\n\t_, err = VerifyToken(ja1, token)\n\trequire.NoError(t, err)\n}\n\nfunc TestClaims(t *testing.T) {\n\tclaims := NewClaims(util.GenerateUniqueID(), \"\", 10*time.Minute)\n\ts, err := NewSigner(jose.HS256, util.GenerateRandomBytes(32))\n\trequire.NoError(t, err)\n\ttoken, err := s.Sign(claims)\n\trequire.NoError(t, err)\n\tassert.NotEmpty(t, token)\n\tassert.NotNil(t, claims.Expiry)\n\tassert.NotNil(t, claims.IssuedAt)\n\tassert.NotNil(t, claims.NotBefore)\n\n\tclaims = &Claims{\n\t\tPermissions: []string{\"myperm\"},\n\t}\n\tclaims.SetExpiry(time.Now().Add(1 * time.Minute))\n\tclaims.Audience = []string{\"testaudience\"}\n\t_, err = s.Sign(claims)\n\tassert.NoError(t, err)\n\tassert.NotNil(t, claims.IssuedAt)\n\tassert.NotNil(t, claims.NotBefore)\n\tassert.True(t, claims.HasAnyAudience([]string{util.GenerateUniqueID(), util.GenerateUniqueID(), \"testaudience\"}))\n\tassert.False(t, claims.HasAnyAudience([]string{util.GenerateUniqueID()}))\n\tassert.True(t, claims.HasPerm(\"myperm\"))\n\tassert.False(t, claims.HasPerm(util.GenerateUniqueID()))\n\tresp, err := claims.GenerateTokenResponse(s)\n\trequire.NoError(t, err)\n\tassert.NotEmpty(t, resp.Token)\n\tassert.Equal(t, claims.Expiry.Time().UTC().Format(time.RFC3339), resp.Expiry)\n\tclaims.SetIssuedAt(time.Now())\n\tclaims.SetNotBefore(time.Now().Add(10 * time.Minute))\n\ttoken, err = s.SignWithParams(claims, util.GenerateUniqueID(), \"127.0.0.1\", time.Minute)\n\tassert.NoError(t, err)\n\t_, err = VerifyToken(s, token)\n\tassert.ErrorContains(t, err, \"nbf\")\n\tclaims = &Claims{}\n\t_, err = s.Sign(claims)\n\tassert.ErrorContains(t, err, \"expiration must be set\")\n\tclaims.SetExpiry(time.Now())\n\t_, err = s.Sign(claims)\n\tassert.ErrorContains(t, err, \"audience must be set\")\n\tclaims = &Claims{}\n\t_, err = s.SignWithParams(claims, util.GenerateUniqueID(), \"\", time.Minute)\n\tassert.NoError(t, err)\n}\n\nfunc TestClaimsPermissions(t *testing.T) {\n\tc := Claims{\n\t\tPermissions: []string{\"*\"},\n\t}\n\tassert.True(t, c.HasPerm(util.GenerateUniqueID()))\n\tc.Permissions = []string{\"list\"}\n\tassert.False(t, c.HasPerm(util.GenerateUniqueID()))\n\tassert.True(t, c.HasPerm(\"list\"))\n}\n\nfunc TestErrors(t *testing.T) {\n\ts, err := NewSigner(jose.HS256, util.GenerateRandomBytes(32))\n\trequire.NoError(t, err)\n\t_, err = VerifyToken(s, util.GenerateUniqueID())\n\tassert.Error(t, err)\n\tclaims := &Claims{}\n\tclaims.SetExpiry(time.Now().Add(-1 * time.Minute))\n\ttoken, err := jwt.Signed(s.Signer()).Claims(claims).Serialize()\n\tassert.NoError(t, err)\n\t_, err = VerifyToken(s, token)\n\tassert.ErrorContains(t, err, \"exp\")\n\tclaims.SetExpiry(time.Now().Add(2 * time.Minute))\n\tclaims.SetIssuedAt(time.Now().Add(1 * time.Minute))\n\ttoken, err = jwt.Signed(s.Signer()).Claims(claims).Serialize()\n\tassert.NoError(t, err)\n\t_, err = VerifyToken(s, token)\n\tassert.ErrorContains(t, err, \"iat\")\n\tclaims.SetIssuedAt(time.Now())\n\tclaims.SetNotBefore(time.Now().Add(1 * time.Minute))\n\ttoken, err = jwt.Signed(s.Signer()).Claims(claims).Serialize()\n\tassert.NoError(t, err)\n\t_, err = VerifyToken(s, token)\n\tassert.ErrorContains(t, err, \"nbf\")\n\n\ts.SetSigner(&failingJoseSigner{})\n\tclaims = NewClaims(util.GenerateUniqueID(), \"\", time.Minute)\n\t_, err = s.Sign(claims)\n\tassert.Error(t, err)\n\t_, err = claims.GenerateTokenResponse(s)\n\tassert.Error(t, err)\n\t// Wrong algorithm\n\t_, err = NewSigner(\"PS256\", util.GenerateRandomBytes(32))\n\tassert.Error(t, err)\n}\n\nfunc TestTokenFromRequest(t *testing.T) {\n\tclaims := NewClaims(util.GenerateUniqueID(), \"\", 10*time.Minute)\n\ts, err := NewSigner(jose.HS256, util.GenerateRandomBytes(32))\n\trequire.NoError(t, err)\n\ttoken, err := s.Sign(claims)\n\trequire.NoError(t, err)\n\tassert.NotEmpty(t, token)\n\treq, err := http.NewRequest(http.MethodGet, \"/\", nil)\n\trequire.NoError(t, err)\n\treq.Header.Set(\"Cookie\", fmt.Sprintf(\"jwt=%s\", token))\n\tcookie := TokenFromCookie(req)\n\tassert.Equal(t, token, cookie)\n\treq, err = http.NewRequest(http.MethodGet, \"/\", nil)\n\trequire.NoError(t, err)\n\treq.Header.Set(\"Authorization\", fmt.Sprintf(\"Bearer %s\", token))\n\t_, err = VerifyRequest(s, req, TokenFromHeader)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Authorization\", token)\n\tassert.Empty(t, TokenFromHeader(req))\n\tassert.Empty(t, TokenFromCookie(req))\n\t_, err = VerifyRequest(s, req, TokenFromCookie)\n\tassert.ErrorContains(t, err, \"no token found\")\n}\n\nfunc TestContext(t *testing.T) {\n\tclaims := &Claims{\n\t\tUsername: util.GenerateUniqueID(),\n\t}\n\ts, err := NewSigner(jose.HS256, util.GenerateRandomBytes(32))\n\trequire.NoError(t, err)\n\ttoken, err := s.SignWithParams(claims, util.GenerateUniqueID(), \"\", time.Minute)\n\trequire.NoError(t, err)\n\n\treq, err := http.NewRequest(http.MethodGet, \"/\", nil)\n\trequire.NoError(t, err)\n\treq.Header.Set(\"Authorization\", fmt.Sprintf(\"Bearer %s\", token))\n\n\th := Verify(s, TokenFromHeader)\n\twrapped := h(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\ttoken, err := FromContext(r.Context())\n\t\tassert.Nil(t, err)\n\t\tassert.Equal(t, claims.Username, token.Username)\n\t\tw.WriteHeader(http.StatusOK)\n\t}))\n\trr := httptest.NewRecorder()\n\twrapped.ServeHTTP(rr, req)\n\tassert.Equal(t, http.StatusOK, rr.Code)\n\n\t_, err = FromContext(context.Background())\n\tassert.ErrorContains(t, err, \"no token found\")\n\n\tctx := NewContext(context.Background(), &Claims{}, fs.ErrClosed)\n\t_, err = FromContext(ctx)\n\tassert.Equal(t, fs.ErrClosed, err)\n\n\tctx = context.WithValue(context.Background(), TokenCtxKey, \"1\")\n\t_, err = FromContext(ctx)\n\tassert.ErrorContains(t, err, \"invalid type for TokenCtxKey\")\n\n\tctx = context.WithValue(context.Background(), ErrorCtxKey, 2)\n\t_, err = FromContext(ctx)\n\tassert.ErrorContains(t, err, \"invalid type for ErrorCtxKey\")\n\tclaims = NewClaims(util.GenerateUniqueID(), \"127.1.1.1\", time.Minute)\n\t_, err = s.Sign(claims)\n\trequire.NoError(t, err)\n\tctx = context.WithValue(context.Background(), TokenCtxKey, claims)\n\tclaimsFromContext, err := FromContext(ctx)\n\tassert.NoError(t, err)\n\tassert.Equal(t, claims, claimsFromContext)\n\n\tassert.Equal(t, \"jwt context value Token\", TokenCtxKey.String())\n}\n\nfunc TestValidationLeeway(t *testing.T) {\n\ts, err := NewSigner(jose.HS256, util.GenerateRandomBytes(32))\n\trequire.NoError(t, err)\n\tclaims := &Claims{}\n\tclaims.Audience = []string{util.GenerateUniqueID()}\n\tclaims.SetIssuedAt(time.Now().Add(10 * time.Second)) // issued at in the future\n\tclaims.SetExpiry(time.Now().Add(10 * time.Second))\n\ttoken, err := s.Sign(claims)\n\trequire.NoError(t, err)\n\t_, err = VerifyToken(s, token)\n\tassert.NoError(t, err)\n\n\tclaims = &Claims{}\n\tclaims.Audience = []string{util.GenerateUniqueID()}\n\tclaims.SetExpiry(time.Now().Add(-10 * time.Second)) // expired\n\ttoken, err = s.Sign(claims)\n\trequire.NoError(t, err)\n\t_, err = VerifyToken(s, token)\n\tassert.NoError(t, err)\n\n\tclaims = &Claims{}\n\tclaims.Audience = []string{util.GenerateUniqueID()}\n\tclaims.SetExpiry(time.Now().Add(30 * time.Second))\n\tclaims.SetNotBefore(time.Now().Add(10 * time.Second)) // not before in the future\n\ttoken, err = s.Sign(claims)\n\trequire.NoError(t, err)\n\t_, err = VerifyToken(s, token)\n\tassert.NoError(t, err)\n}\n" }, { "path": "internal/kms/basesecret.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage kms\n\nimport (\n\tsdkkms \"github.com/sftpgo/sdk/kms\"\n)\n\n// BaseSecret defines the base struct shared among all the secret providers\ntype BaseSecret struct {\n\tStatus sdkkms.SecretStatus `json:\"status,omitempty\"`\n\tPayload string `json:\"payload,omitempty\"`\n\tKey string `json:\"key,omitempty\"`\n\tAdditionalData string `json:\"additional_data,omitempty\"`\n\t// 1 means encrypted using a master key\n\tMode int `json:\"mode,omitempty\"`\n}\n\n// GetStatus returns the secret's status\nfunc (s *BaseSecret) GetStatus() sdkkms.SecretStatus {\n\treturn s.Status\n}\n\n// GetPayload returns the secret's payload\nfunc (s *BaseSecret) GetPayload() string {\n\treturn s.Payload\n}\n\n// GetKey returns the secret's key\nfunc (s *BaseSecret) GetKey() string {\n\treturn s.Key\n}\n\n// GetMode returns the encryption mode\nfunc (s *BaseSecret) GetMode() int {\n\treturn s.Mode\n}\n\n// GetAdditionalData returns the secret's additional data\nfunc (s *BaseSecret) GetAdditionalData() string {\n\treturn s.AdditionalData\n}\n\n// SetKey sets the secret's key\nfunc (s *BaseSecret) SetKey(value string) {\n\ts.Key = value\n}\n\n// SetAdditionalData sets the secret's additional data\nfunc (s *BaseSecret) SetAdditionalData(value string) {\n\ts.AdditionalData = value\n}\n\n// SetStatus sets the secret's status\nfunc (s *BaseSecret) SetStatus(value sdkkms.SecretStatus) {\n\ts.Status = value\n}\n\nfunc (s *BaseSecret) isEmpty() bool {\n\tif s.Status != \"\" {\n\t\treturn false\n\t}\n\tif s.Payload != \"\" {\n\t\treturn false\n\t}\n\tif s.Key != \"\" {\n\t\treturn false\n\t}\n\tif s.AdditionalData != \"\" {\n\t\treturn false\n\t}\n\treturn true\n}\n" }, { "path": "internal/kms/builtin.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage kms\n\nimport (\n\t\"crypto/aes\"\n\t\"crypto/cipher\"\n\t\"crypto/rand\"\n\t\"crypto/sha256\"\n\t\"encoding/hex\"\n\t\"errors\"\n\t\"io\"\n\n\tsdkkms \"github.com/sftpgo/sdk/kms\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nvar (\n\terrMalformedCiphertext = errors.New(\"malformed ciphertext\")\n)\n\ntype builtinSecret struct {\n\tBaseSecret\n}\n\nfunc init() {\n\tRegisterSecretProvider(sdkkms.SchemeBuiltin, sdkkms.SecretStatusAES256GCM, newBuiltinSecret)\n}\n\nfunc newBuiltinSecret(base BaseSecret, _, _ string) SecretProvider {\n\treturn &builtinSecret{\n\t\tBaseSecret: base,\n\t}\n}\n\nfunc (s *builtinSecret) Name() string {\n\treturn \"Builtin\"\n}\n\nfunc (s *builtinSecret) IsEncrypted() bool {\n\treturn s.Status == sdkkms.SecretStatusAES256GCM\n}\n\nfunc (s *builtinSecret) deriveKey(key []byte) []byte {\n\tvar combined []byte\n\tcombined = append(combined, key...)\n\tif s.AdditionalData != \"\" {\n\t\tcombined = append(combined, []byte(s.AdditionalData)...)\n\t}\n\tcombined = append(combined, key...)\n\thash := sha256.Sum256(combined)\n\treturn hash[:]\n}\n\nfunc (s *builtinSecret) Encrypt() error {\n\tif s.Payload == \"\" {\n\t\treturn ErrInvalidSecret\n\t}\n\tswitch s.Status {\n\tcase sdkkms.SecretStatusPlain:\n\t\tkey := make([]byte, 32)\n\t\tif _, err := io.ReadFull(rand.Reader, key); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tblock, err := aes.NewCipher(s.deriveKey(key))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tgcm, err := cipher.NewGCM(block)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tnonce := make([]byte, gcm.NonceSize())\n\t\tif _, err = io.ReadFull(rand.Reader, nonce); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvar aad []byte\n\t\tif s.AdditionalData != \"\" {\n\t\t\taad = []byte(s.AdditionalData)\n\t\t}\n\t\tciphertext := gcm.Seal(nonce, nonce, []byte(s.Payload), aad)\n\t\ts.Key = hex.EncodeToString(key)\n\t\ts.Payload = hex.EncodeToString(ciphertext)\n\t\ts.Status = sdkkms.SecretStatusAES256GCM\n\t\treturn nil\n\tdefault:\n\t\treturn ErrWrongSecretStatus\n\t}\n}\n\nfunc (s *builtinSecret) Decrypt() error {\n\tswitch s.Status {\n\tcase sdkkms.SecretStatusAES256GCM:\n\t\tencrypted, err := hex.DecodeString(s.Payload)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tkey, err := hex.DecodeString(s.Key)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tblock, err := aes.NewCipher(s.deriveKey(key))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tgcm, err := cipher.NewGCM(block)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tnonceSize := gcm.NonceSize()\n\t\tif len(encrypted) < nonceSize {\n\t\t\treturn errMalformedCiphertext\n\t\t}\n\t\tnonce, ciphertext := encrypted[:nonceSize], encrypted[nonceSize:]\n\t\tvar aad []byte\n\t\tif s.AdditionalData != \"\" {\n\t\t\taad = []byte(s.AdditionalData)\n\t\t}\n\t\tplaintext, err := gcm.Open(nil, nonce, ciphertext, aad)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ts.Status = sdkkms.SecretStatusPlain\n\t\ts.Payload = util.BytesToString(plaintext)\n\t\ts.Key = \"\"\n\t\ts.AdditionalData = \"\"\n\t\treturn nil\n\tdefault:\n\t\treturn ErrWrongSecretStatus\n\t}\n}\n\nfunc (s *builtinSecret) Clone() SecretProvider {\n\tbaseSecret := BaseSecret{\n\t\tStatus: s.Status,\n\t\tPayload: s.Payload,\n\t\tKey: s.Key,\n\t\tAdditionalData: s.AdditionalData,\n\t\tMode: s.Mode,\n\t}\n\treturn newBuiltinSecret(baseSecret, \"\", \"\")\n}\n" }, { "path": "internal/kms/kms.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n// Package kms provides Key Management Services support\npackage kms\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"strings\"\n\t\"sync\"\n\n\tsdkkms \"github.com/sftpgo/sdk/kms\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\n// SecretProvider defines the interface for a KMS secrets provider\ntype SecretProvider interface {\n\tName() string\n\tEncrypt() error\n\tDecrypt() error\n\tIsEncrypted() bool\n\tGetStatus() sdkkms.SecretStatus\n\tGetPayload() string\n\tGetKey() string\n\tGetAdditionalData() string\n\tGetMode() int\n\tSetKey(string)\n\tSetAdditionalData(string)\n\tSetStatus(sdkkms.SecretStatus)\n\tClone() SecretProvider\n}\n\nconst (\n\tlogSender = \"kms\"\n)\n\n// Configuration defines the KMS configuration\ntype Configuration struct {\n\tSecrets Secrets `json:\"secrets\" mapstructure:\"secrets\"`\n}\n\n// Secrets define the KMS configuration for encryption/decryption\ntype Secrets struct {\n\tURL string `json:\"url\" mapstructure:\"url\"`\n\tMasterKeyPath string `json:\"master_key_path\" mapstructure:\"master_key_path\"`\n\tMasterKeyString string `json:\"master_key\" mapstructure:\"master_key\"`\n\tmasterKey string\n}\n\ntype registeredSecretProvider struct {\n\tencryptedStatus sdkkms.SecretStatus\n\tnewFn func(base BaseSecret, url, masterKey string) SecretProvider\n}\n\nvar (\n\t// ErrWrongSecretStatus defines the error to return if the secret status is not appropriate\n\t// for the request operation\n\tErrWrongSecretStatus = errors.New(\"wrong secret status\")\n\t// ErrInvalidSecret defines the error to return if a secret is not valid\n\tErrInvalidSecret = errors.New(\"invalid secret\")\n\tvalidSecretStatuses = []string{sdkkms.SecretStatusPlain, sdkkms.SecretStatusAES256GCM, sdkkms.SecretStatusSecretBox,\n\t\tsdkkms.SecretStatusVaultTransit, sdkkms.SecretStatusAWS, sdkkms.SecretStatusGCP, sdkkms.SecretStatusAzureKeyVault,\n\t\tsdkkms.SecretStatusOracleKeyVault, sdkkms.SecretStatusRedacted}\n\tconfig Configuration\n\tsecretProviders = make(map[string]registeredSecretProvider)\n)\n\n// RegisterSecretProvider register a new secret provider\nfunc RegisterSecretProvider(scheme string, encryptedStatus sdkkms.SecretStatus,\n\tfn func(base BaseSecret, url, masterKey string) SecretProvider,\n) {\n\tsecretProviders[scheme] = registeredSecretProvider{\n\t\tencryptedStatus: encryptedStatus,\n\t\tnewFn: fn,\n\t}\n}\n\n// NewSecret builds a new Secret using the provided arguments\nfunc NewSecret(status sdkkms.SecretStatus, payload, key, data string) *Secret {\n\treturn config.newSecret(status, payload, key, data)\n}\n\n// NewEmptySecret returns an empty secret\nfunc NewEmptySecret() *Secret {\n\treturn NewSecret(\"\", \"\", \"\", \"\")\n}\n\n// NewPlainSecret stores the give payload in a plain text secret\nfunc NewPlainSecret(payload string) *Secret {\n\treturn NewSecret(sdkkms.SecretStatusPlain, strings.TrimSpace(payload), \"\", \"\")\n}\n\n// Initialize configures the KMS support\nfunc (c *Configuration) Initialize() error {\n\tif c.Secrets.MasterKeyPath != \"\" {\n\t\tmKey, err := util.ReadConfigFromFile(c.Secrets.MasterKeyPath, \"\")\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tc.Secrets.masterKey = mKey\n\t} else if c.Secrets.MasterKeyString != \"\" {\n\t\tc.Secrets.masterKey = c.Secrets.MasterKeyString\n\t}\n\tconfig = *c\n\tif config.Secrets.URL == \"\" {\n\t\tconfig.Secrets.URL = sdkkms.SchemeLocal + \"://\"\n\t}\n\tfor k, v := range secretProviders {\n\t\tlogger.Info(logSender, \"\", \"secret provider registered for scheme: %q, encrypted status: %q\",\n\t\t\tk, v.encryptedStatus)\n\t}\n\treturn nil\n}\n\nfunc (c *Configuration) newSecret(status sdkkms.SecretStatus, payload, key, data string) *Secret {\n\tbase := BaseSecret{\n\t\tStatus: status,\n\t\tKey: key,\n\t\tPayload: payload,\n\t\tAdditionalData: data,\n\t}\n\treturn &Secret{\n\t\tprovider: c.getSecretProvider(base),\n\t}\n}\n\nfunc (c *Configuration) getSecretProvider(base BaseSecret) SecretProvider {\n\tfor k, v := range secretProviders {\n\t\tif strings.HasPrefix(c.Secrets.URL, k) {\n\t\t\treturn v.newFn(base, c.Secrets.URL, c.Secrets.masterKey)\n\t\t}\n\t}\n\tlogger.Warn(logSender, \"\", \"no secret provider registered for URL %v, fallback to local provider\", c.Secrets.URL)\n\treturn NewLocalSecret(base, c.Secrets.URL, c.Secrets.masterKey)\n}\n\n// Secret defines the struct used to store confidential data\ntype Secret struct {\n\tsync.RWMutex\n\tprovider SecretProvider\n}\n\n// MarshalJSON return the JSON encoding of the Secret object\nfunc (s *Secret) MarshalJSON() ([]byte, error) {\n\ts.RLock()\n\tdefer s.RUnlock()\n\n\treturn json.Marshal(&BaseSecret{\n\t\tStatus: s.provider.GetStatus(),\n\t\tPayload: s.provider.GetPayload(),\n\t\tKey: s.provider.GetKey(),\n\t\tAdditionalData: s.provider.GetAdditionalData(),\n\t\tMode: s.provider.GetMode(),\n\t})\n}\n\n// UnmarshalJSON parses the JSON-encoded data and stores the result\n// in the Secret object\nfunc (s *Secret) UnmarshalJSON(data []byte) error {\n\ts.Lock()\n\tdefer s.Unlock()\n\n\tbaseSecret := BaseSecret{}\n\terr := json.Unmarshal(data, &baseSecret)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif baseSecret.isEmpty() {\n\t\ts.provider = config.getSecretProvider(baseSecret)\n\t\treturn nil\n\t}\n\n\tif baseSecret.Status == sdkkms.SecretStatusPlain || baseSecret.Status == sdkkms.SecretStatusRedacted {\n\t\ts.provider = config.getSecretProvider(baseSecret)\n\t\treturn nil\n\t}\n\n\tfor _, v := range secretProviders {\n\t\tif v.encryptedStatus == baseSecret.Status {\n\t\t\ts.provider = v.newFn(baseSecret, config.Secrets.URL, config.Secrets.masterKey)\n\t\t\treturn nil\n\t\t}\n\t}\n\tlogger.Error(logSender, \"\", \"no provider registered for status %q\", baseSecret.Status)\n\treturn ErrInvalidSecret\n}\n\n// IsEqual returns true if all the secrets fields are equal\nfunc (s *Secret) IsEqual(other *Secret) bool {\n\tif s.GetStatus() != other.GetStatus() {\n\t\treturn false\n\t}\n\tif s.GetPayload() != other.GetPayload() {\n\t\treturn false\n\t}\n\tif s.GetKey() != other.GetKey() {\n\t\treturn false\n\t}\n\tif s.GetAdditionalData() != other.GetAdditionalData() {\n\t\treturn false\n\t}\n\tif s.GetMode() != other.GetMode() {\n\t\treturn false\n\t}\n\treturn true\n}\n\n// Clone returns a copy of the secret object\nfunc (s *Secret) Clone() *Secret {\n\ts.RLock()\n\tdefer s.RUnlock()\n\n\treturn &Secret{\n\t\tprovider: s.provider.Clone(),\n\t}\n}\n\n// IsEncrypted returns true if the secret is encrypted\n// This isn't a pointer receiver because we don't want to pass\n// a pointer to html template\nfunc (s *Secret) IsEncrypted() bool {\n\ts.RLock()\n\tdefer s.RUnlock()\n\n\treturn s.provider.IsEncrypted()\n}\n\n// IsPlain returns true if the secret is in plain text\nfunc (s *Secret) IsPlain() bool {\n\ts.RLock()\n\tdefer s.RUnlock()\n\n\treturn s.provider.GetStatus() == sdkkms.SecretStatusPlain\n}\n\n// IsNotPlainAndNotEmpty returns true if the secret is not plain and not empty.\n// This is an utility method, we update the secret for an existing user\n// if it is empty or plain\nfunc (s *Secret) IsNotPlainAndNotEmpty() bool {\n\ts.RLock()\n\tdefer s.RUnlock()\n\n\treturn !s.IsPlain() && !s.IsEmpty()\n}\n\n// IsRedacted returns true if the secret is redacted\nfunc (s *Secret) IsRedacted() bool {\n\ts.RLock()\n\tdefer s.RUnlock()\n\n\treturn s.provider.GetStatus() == sdkkms.SecretStatusRedacted\n}\n\n// GetPayload returns the secret payload\nfunc (s *Secret) GetPayload() string {\n\ts.RLock()\n\tdefer s.RUnlock()\n\n\treturn s.provider.GetPayload()\n}\n\n// GetAdditionalData returns the secret additional data\nfunc (s *Secret) GetAdditionalData() string {\n\ts.RLock()\n\tdefer s.RUnlock()\n\n\treturn s.provider.GetAdditionalData()\n}\n\n// GetStatus returns the secret status\nfunc (s *Secret) GetStatus() sdkkms.SecretStatus {\n\ts.RLock()\n\tdefer s.RUnlock()\n\n\treturn s.provider.GetStatus()\n}\n\n// GetKey returns the secret key\nfunc (s *Secret) GetKey() string {\n\ts.RLock()\n\tdefer s.RUnlock()\n\n\treturn s.provider.GetKey()\n}\n\n// GetMode returns the secret mode\nfunc (s *Secret) GetMode() int {\n\ts.RLock()\n\tdefer s.RUnlock()\n\n\treturn s.provider.GetMode()\n}\n\n// SetAdditionalData sets the given additional data\nfunc (s *Secret) SetAdditionalData(value string) {\n\ts.Lock()\n\tdefer s.Unlock()\n\n\ts.provider.SetAdditionalData(value)\n}\n\n// SetStatus sets the status for this secret\nfunc (s *Secret) SetStatus(value sdkkms.SecretStatus) {\n\ts.Lock()\n\tdefer s.Unlock()\n\n\ts.provider.SetStatus(value)\n}\n\n// SetKey sets the key for this secret\nfunc (s *Secret) SetKey(value string) {\n\ts.Lock()\n\tdefer s.Unlock()\n\n\ts.provider.SetKey(value)\n}\n\n// IsEmpty returns true if all fields are empty\nfunc (s *Secret) IsEmpty() bool {\n\ts.RLock()\n\tdefer s.RUnlock()\n\n\tif s.provider.GetStatus() != \"\" {\n\t\treturn false\n\t}\n\tif s.provider.GetPayload() != \"\" {\n\t\treturn false\n\t}\n\tif s.provider.GetKey() != \"\" {\n\t\treturn false\n\t}\n\tif s.provider.GetAdditionalData() != \"\" {\n\t\treturn false\n\t}\n\treturn true\n}\n\n// IsValid returns true if the secret is not empty and valid\nfunc (s *Secret) IsValid() bool {\n\ts.RLock()\n\tdefer s.RUnlock()\n\n\tif !s.IsValidInput() {\n\t\treturn false\n\t}\n\tswitch s.provider.GetStatus() {\n\tcase sdkkms.SecretStatusAES256GCM, sdkkms.SecretStatusSecretBox:\n\t\tif len(s.provider.GetKey()) != 64 {\n\t\t\treturn false\n\t\t}\n\tcase sdkkms.SecretStatusAWS, sdkkms.SecretStatusGCP, sdkkms.SecretStatusVaultTransit:\n\t\tkey := s.provider.GetKey()\n\t\tif key != \"\" && len(key) != 64 {\n\t\t\treturn false\n\t\t}\n\t}\n\treturn true\n}\n\n// IsValidInput returns true if the secret is a valid user input\nfunc (s *Secret) IsValidInput() bool {\n\ts.RLock()\n\tdefer s.RUnlock()\n\n\tif !isSecretStatusValid(s.provider.GetStatus()) {\n\t\treturn false\n\t}\n\tif s.provider.GetPayload() == \"\" {\n\t\treturn false\n\t}\n\treturn true\n}\n\n// Hide hides info to decrypt data\nfunc (s *Secret) Hide() {\n\ts.Lock()\n\tdefer s.Unlock()\n\n\ts.provider.SetKey(\"\")\n\ts.provider.SetAdditionalData(\"\")\n}\n\n// Encrypt encrypts a plain text Secret object\nfunc (s *Secret) Encrypt() error {\n\ts.Lock()\n\tdefer s.Unlock()\n\n\treturn s.provider.Encrypt()\n}\n\n// Decrypt decrypts a Secret object\nfunc (s *Secret) Decrypt() error {\n\ts.Lock()\n\tdefer s.Unlock()\n\n\treturn s.provider.Decrypt()\n}\n\n// TryDecrypt decrypts a Secret object if encrypted.\n// It returns a nil error if the object is not encrypted\nfunc (s *Secret) TryDecrypt() error {\n\ts.Lock()\n\tdefer s.Unlock()\n\n\tif s.provider.IsEncrypted() {\n\t\treturn s.provider.Decrypt()\n\t}\n\treturn nil\n}\n\nfunc isSecretStatusValid(status string) bool {\n\tfor idx := range validSecretStatuses {\n\t\tif validSecretStatuses[idx] == status {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n" }, { "path": "internal/kms/local.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage kms\n\nimport (\n\t\"context\"\n\t\"crypto/sha256\"\n\t\"encoding/base64\"\n\t\"encoding/hex\"\n\t\"io\"\n\n\tsdkkms \"github.com/sftpgo/sdk/kms\"\n\t\"gocloud.dev/secrets/localsecrets\"\n\t\"golang.org/x/crypto/hkdf\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nfunc init() {\n\tRegisterSecretProvider(sdkkms.SchemeLocal, sdkkms.SecretStatusSecretBox, NewLocalSecret)\n}\n\ntype localSecret struct {\n\tBaseSecret\n\tmasterKey string\n}\n\n// NewLocalSecret returns a SecretProvider that use a locally provided symmetric key\nfunc NewLocalSecret(base BaseSecret, _, masterKey string) SecretProvider {\n\treturn &localSecret{\n\t\tBaseSecret: base,\n\t\tmasterKey: masterKey,\n\t}\n}\n\nfunc (s *localSecret) Name() string {\n\treturn \"Local\"\n}\n\nfunc (s *localSecret) IsEncrypted() bool {\n\treturn s.Status == sdkkms.SecretStatusSecretBox\n}\n\nfunc (s *localSecret) Encrypt() error {\n\tif s.Status != sdkkms.SecretStatusPlain {\n\t\treturn ErrWrongSecretStatus\n\t}\n\tif s.Payload == \"\" {\n\t\treturn ErrInvalidSecret\n\t}\n\tsecretKey, err := localsecrets.NewRandomKey()\n\tif err != nil {\n\t\treturn err\n\t}\n\tkey, err := s.deriveKey(secretKey[:], false)\n\tif err != nil {\n\t\treturn err\n\t}\n\tkeeper := localsecrets.NewKeeper(key)\n\tdefer keeper.Close()\n\n\tciphertext, err := keeper.Encrypt(context.Background(), []byte(s.Payload))\n\tif err != nil {\n\t\treturn err\n\t}\n\ts.Key = hex.EncodeToString(secretKey[:])\n\ts.Payload = base64.StdEncoding.EncodeToString(ciphertext)\n\ts.Status = sdkkms.SecretStatusSecretBox\n\ts.Mode = s.getEncryptionMode()\n\treturn nil\n}\n\nfunc (s *localSecret) Decrypt() error {\n\tif !s.IsEncrypted() {\n\t\treturn ErrWrongSecretStatus\n\t}\n\tencrypted, err := base64.StdEncoding.DecodeString(s.Payload)\n\tif err != nil {\n\t\treturn err\n\t}\n\tsecretKey, err := hex.DecodeString(s.Key)\n\tif err != nil {\n\t\treturn err\n\t}\n\tkey, err := s.deriveKey(secretKey[:], true)\n\tif err != nil {\n\t\treturn err\n\t}\n\tkeeper := localsecrets.NewKeeper(key)\n\tdefer keeper.Close()\n\n\tplaintext, err := keeper.Decrypt(context.Background(), encrypted)\n\tif err != nil {\n\t\treturn err\n\t}\n\ts.Status = sdkkms.SecretStatusPlain\n\ts.Payload = util.BytesToString(plaintext)\n\ts.Key = \"\"\n\ts.AdditionalData = \"\"\n\ts.Mode = 0\n\treturn nil\n}\n\nfunc (s *localSecret) deriveKey(key []byte, isForDecryption bool) ([32]byte, error) {\n\tvar masterKey []byte\n\tif s.masterKey == \"\" || (isForDecryption && s.Mode == 0) {\n\t\tvar combined []byte\n\t\tcombined = append(combined, key...)\n\t\tif s.AdditionalData != \"\" {\n\t\t\tcombined = append(combined, []byte(s.AdditionalData)...)\n\t\t}\n\t\tcombined = append(combined, key...)\n\t\thash := sha256.Sum256(combined)\n\t\tmasterKey = hash[:]\n\t} else {\n\t\tmasterKey = []byte(s.masterKey)\n\t}\n\tvar derivedKey [32]byte\n\tvar info []byte\n\tif s.AdditionalData != \"\" {\n\t\tinfo = []byte(s.AdditionalData)\n\t}\n\tkdf := hkdf.New(sha256.New, masterKey, key, info)\n\tif _, err := io.ReadFull(kdf, derivedKey[:]); err != nil {\n\t\treturn derivedKey, err\n\t}\n\treturn derivedKey, nil\n}\n\nfunc (s *localSecret) getEncryptionMode() int {\n\tif s.masterKey == \"\" {\n\t\treturn 0\n\t}\n\treturn 1\n}\n\nfunc (s *localSecret) Clone() SecretProvider {\n\tbaseSecret := BaseSecret{\n\t\tStatus: s.Status,\n\t\tPayload: s.Payload,\n\t\tKey: s.Key,\n\t\tAdditionalData: s.AdditionalData,\n\t\tMode: s.Mode,\n\t}\n\treturn NewLocalSecret(baseSecret, \"\", s.masterKey)\n}\n" }, { "path": "internal/logger/hclog.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage logger\n\nimport (\n\t\"io\"\n\t\"log\"\n\n\t\"github.com/hashicorp/go-hclog\"\n\t\"github.com/rs/zerolog\"\n)\n\n// HCLogAdapter is an adapter for hclog.Logger\ntype HCLogAdapter struct {\n\thclog.Logger\n}\n\n// Log emits a message and key/value pairs at a provided log level\nfunc (l *HCLogAdapter) Log(level hclog.Level, msg string, args ...any) {\n\t// Workaround to avoid logging plugin arguments that may contain sensitive data.\n\t// Check everytime we update go-plugin library.\n\tif msg == \"starting plugin\" {\n\t\treturn\n\t}\n\tvar ev *zerolog.Event\n\tswitch level {\n\tcase hclog.Info:\n\t\tev = logger.Info()\n\tcase hclog.Warn:\n\t\tev = logger.Warn()\n\tcase hclog.Error:\n\t\tev = logger.Error()\n\tdefault:\n\t\tev = logger.Debug()\n\t}\n\tev.Timestamp().Str(\"sender\", l.Name())\n\taddKeysAndValues(ev, args...)\n\tev.Msg(msg)\n}\n\n// Trace emits a message and key/value pairs at the TRACE level\nfunc (l *HCLogAdapter) Trace(msg string, args ...any) {\n\tl.Log(hclog.Debug, msg, args...)\n}\n\n// Debug emits a message and key/value pairs at the DEBUG level\nfunc (l *HCLogAdapter) Debug(msg string, args ...any) {\n\tl.Log(hclog.Debug, msg, args...)\n}\n\n// Info emits a message and key/value pairs at the INFO level\nfunc (l *HCLogAdapter) Info(msg string, args ...any) {\n\tl.Log(hclog.Info, msg, args...)\n}\n\n// Warn emits a message and key/value pairs at the WARN level\nfunc (l *HCLogAdapter) Warn(msg string, args ...any) {\n\tl.Log(hclog.Warn, msg, args...)\n}\n\n// Error emits a message and key/value pairs at the ERROR level\nfunc (l *HCLogAdapter) Error(msg string, args ...any) {\n\tl.Log(hclog.Error, msg, args...)\n}\n\n// With creates a sub-logger\nfunc (l *HCLogAdapter) With(args ...any) hclog.Logger {\n\treturn &HCLogAdapter{Logger: l.Logger.With(args...)}\n}\n\n// Named creates a logger that will prepend the name string on the front of all messages\nfunc (l *HCLogAdapter) Named(name string) hclog.Logger {\n\treturn &HCLogAdapter{Logger: l.Logger.Named(name)}\n}\n\n// StandardLogger returns a value that conforms to the stdlib log.Logger interface\nfunc (l *HCLogAdapter) StandardLogger(_ *hclog.StandardLoggerOptions) *log.Logger {\n\treturn log.New(&StdLoggerWrapper{Sender: l.Name()}, \"\", 0)\n}\n\n// StandardWriter returns a value that conforms to io.Writer, which can be passed into log.SetOutput()\nfunc (l *HCLogAdapter) StandardWriter(_ *hclog.StandardLoggerOptions) io.Writer {\n\treturn &StdLoggerWrapper{Sender: l.Name()}\n}\n" }, { "path": "internal/logger/lego.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage logger\n\nimport \"fmt\"\n\nconst (\n\tlegoLogSender = \"lego\"\n)\n\n// LegoAdapter is an adapter for lego.StdLogger\ntype LegoAdapter struct {\n\tLogToConsole bool\n}\n\n// Fatal emits a log at Error level\nfunc (l *LegoAdapter) Fatal(args ...any) {\n\tif l.LogToConsole {\n\t\tErrorToConsole(\"%s\", fmt.Sprint(args...))\n\t\treturn\n\t}\n\tLog(LevelError, legoLogSender, \"\", \"%s\", fmt.Sprint(args...))\n}\n\n// Fatalln is the same as Fatal\nfunc (l *LegoAdapter) Fatalln(args ...any) {\n\tl.Fatal(args...)\n}\n\n// Fatalf emits a log at Error level\nfunc (l *LegoAdapter) Fatalf(format string, args ...any) {\n\tif l.LogToConsole {\n\t\tErrorToConsole(format, args...)\n\t\treturn\n\t}\n\tLog(LevelError, legoLogSender, \"\", format, args...)\n}\n\n// Print emits a log at Info level\nfunc (l *LegoAdapter) Print(args ...any) {\n\tif l.LogToConsole {\n\t\tInfoToConsole(\"%s\", fmt.Sprint(args...))\n\t\treturn\n\t}\n\tLog(LevelInfo, legoLogSender, \"\", \"%s\", fmt.Sprint(args...))\n}\n\n// Println is the same as Print\nfunc (l *LegoAdapter) Println(args ...any) {\n\tl.Print(args...)\n}\n\n// Printf emits a log at Info level\nfunc (l *LegoAdapter) Printf(format string, args ...any) {\n\tif l.LogToConsole {\n\t\tInfoToConsole(format, args...)\n\t\treturn\n\t}\n\tLog(LevelInfo, legoLogSender, \"\", format, args...)\n}\n" }, { "path": "internal/logger/logger.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n// Package logger provides logging capabilities.\n// It is a wrapper around zerolog for logging and lumberjack for log rotation.\n// Logs are written to the specified log file.\n// Logging on the console is provided to print initialization info, errors and warnings.\n// The package provides a request logger to log the HTTP requests for REST API too.\n// The request logger uses chi.middleware.RequestLogger,\n// chi.middleware.LogFormatter and chi.middleware.LogEntry to build a structured\n// logger using zerolog\npackage logger\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"io/fs\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"time\"\n\n\t\"github.com/rs/zerolog\"\n\tlumberjack \"gopkg.in/natefinch/lumberjack.v2\"\n)\n\nconst (\n\tdateFormat = \"2006-01-02T15:04:05.000\" // YYYY-MM-DDTHH:MM:SS.ZZZ\n)\n\n// LogLevel defines log levels.\ntype LogLevel uint8\n\n// defines our own log levels, just in case we'll change logger in future\nconst (\n\tLevelDebug LogLevel = iota\n\tLevelInfo\n\tLevelWarn\n\tLevelError\n)\n\nvar (\n\tlogger zerolog.Logger\n\tconsoleLogger zerolog.Logger\n\trollingLogger *lumberjack.Logger\n)\n\nfunc init() {\n\tzerolog.TimeFieldFormat = dateFormat\n}\n\n// GetLogger get the configured logger instance\nfunc GetLogger() *zerolog.Logger {\n\treturn &logger\n}\n\n// InitLogger configures the logger using the given parameters\nfunc InitLogger(logFilePath string, logMaxSize int, logMaxBackups int, logMaxAge int, logCompress, logUTCTime bool,\n\tlevel zerolog.Level,\n) {\n\tSetLogTime(logUTCTime)\n\tif isLogFilePathValid(logFilePath) {\n\t\tlogDir := filepath.Dir(logFilePath)\n\t\tif _, err := os.Stat(logDir); errors.Is(err, fs.ErrNotExist) {\n\t\t\terr = os.MkdirAll(logDir, os.ModePerm)\n\t\t\tif err != nil {\n\t\t\t\tfmt.Printf(\"unable to create log dir %q: %v\", logDir, err)\n\t\t\t}\n\t\t}\n\t\trollingLogger = &lumberjack.Logger{\n\t\t\tFilename: logFilePath,\n\t\t\tMaxSize: logMaxSize,\n\t\t\tMaxBackups: logMaxBackups,\n\t\t\tMaxAge: logMaxAge,\n\t\t\tCompress: logCompress,\n\t\t\tLocalTime: !logUTCTime,\n\t\t}\n\t\tlogger = zerolog.New(rollingLogger)\n\t\tEnableConsoleLogger(level)\n\t} else {\n\t\tlogger = zerolog.New(&logSyncWrapper{\n\t\t\toutput: os.Stdout,\n\t\t})\n\t\tconsoleLogger = zerolog.Nop()\n\t}\n\tlogger = logger.Level(level)\n}\n\n// InitStdErrLogger configures the logger to write to stderr\nfunc InitStdErrLogger(level zerolog.Level) {\n\tlogger = zerolog.New(&logSyncWrapper{\n\t\toutput: os.Stderr,\n\t}).Level(level)\n\tconsoleLogger = zerolog.Nop()\n}\n\n// DisableLogger disable the main logger.\n// ConsoleLogger will not be affected\nfunc DisableLogger() {\n\tlogger = zerolog.Nop()\n\trollingLogger = nil\n}\n\n// EnableConsoleLogger enables the console logger\nfunc EnableConsoleLogger(level zerolog.Level) {\n\tconsoleOutput := zerolog.ConsoleWriter{\n\t\tOut: os.Stdout,\n\t\tTimeFormat: dateFormat,\n\t}\n\tconsoleLogger = zerolog.New(consoleOutput).With().Timestamp().Logger().Level(level)\n}\n\n// RotateLogFile closes the existing log file and immediately create a new one\nfunc RotateLogFile() error {\n\tif rollingLogger != nil {\n\t\treturn rollingLogger.Rotate()\n\t}\n\treturn errors.New(\"logging to file is disabled\")\n}\n\n// SetLogTime sets logging time related setting\nfunc SetLogTime(utc bool) {\n\tif utc {\n\t\tzerolog.TimestampFunc = func() time.Time {\n\t\t\treturn time.Now().UTC()\n\t\t}\n\t} else {\n\t\tzerolog.TimestampFunc = time.Now\n\t}\n}\n\n// Log logs at the specified level for the specified sender\nfunc Log(level LogLevel, sender string, connectionID string, format string, v ...any) {\n\tvar ev *zerolog.Event\n\tswitch level {\n\tcase LevelDebug:\n\t\tev = logger.Debug()\n\tcase LevelInfo:\n\t\tev = logger.Info()\n\tcase LevelWarn:\n\t\tev = logger.Warn()\n\tdefault:\n\t\tev = logger.Error()\n\t}\n\tev.Timestamp().Str(\"sender\", sender)\n\tif connectionID != \"\" {\n\t\tev.Str(\"connection_id\", connectionID)\n\t}\n\tev.Msg(fmt.Sprintf(format, v...))\n}\n\n// Debug logs at debug level for the specified sender\nfunc Debug(sender, connectionID, format string, v ...any) {\n\tLog(LevelDebug, sender, connectionID, format, v...)\n}\n\n// Info logs at info level for the specified sender\nfunc Info(sender, connectionID, format string, v ...any) {\n\tLog(LevelInfo, sender, connectionID, format, v...)\n}\n\n// Warn logs at warn level for the specified sender\nfunc Warn(sender, connectionID, format string, v ...any) {\n\tLog(LevelWarn, sender, connectionID, format, v...)\n}\n\n// Error logs at error level for the specified sender\nfunc Error(sender, connectionID, format string, v ...any) {\n\tLog(LevelError, sender, connectionID, format, v...)\n}\n\n// DebugToConsole logs at debug level to stdout\nfunc DebugToConsole(format string, v ...any) {\n\tconsoleLogger.Debug().Msg(fmt.Sprintf(format, v...))\n}\n\n// InfoToConsole logs at info level to stdout\nfunc InfoToConsole(format string, v ...any) {\n\tconsoleLogger.Info().Msg(fmt.Sprintf(format, v...))\n}\n\n// WarnToConsole logs at info level to stdout\nfunc WarnToConsole(format string, v ...any) {\n\tconsoleLogger.Warn().Msg(fmt.Sprintf(format, v...))\n}\n\n// ErrorToConsole logs at error level to stdout\nfunc ErrorToConsole(format string, v ...any) {\n\tconsoleLogger.Error().Msg(fmt.Sprintf(format, v...))\n}\n\n// TransferLog logs uploads or downloads\nfunc TransferLog(operation, path string, elapsed int64, size int64, user, connectionID, protocol, localAddr,\n\tremoteAddr, ftpMode string, err error,\n) {\n\tvar ev *zerolog.Event\n\tif err != nil {\n\t\tev = logger.Error()\n\t} else {\n\t\tev = logger.Info()\n\t}\n\tev.\n\t\tTimestamp().\n\t\tStr(\"sender\", operation).\n\t\tStr(\"local_addr\", localAddr).\n\t\tStr(\"remote_addr\", remoteAddr).\n\t\tInt64(\"elapsed_ms\", elapsed).\n\t\tInt64(\"size_bytes\", size).\n\t\tStr(\"username\", user).\n\t\tStr(\"file_path\", path).\n\t\tStr(\"connection_id\", connectionID).\n\t\tStr(\"protocol\", protocol)\n\tif ftpMode != \"\" {\n\t\tev.Str(\"ftp_mode\", ftpMode)\n\t}\n\tev.AnErr(\"error\", err).Send()\n}\n\n// CommandLog logs an SFTP/SCP/SSH command\nfunc CommandLog(command, path, target, user, fileMode, connectionID, protocol string, uid, gid int, atime, mtime,\n\tsshCommand string, size int64, localAddr, remoteAddr string, elapsed int64) {\n\tlogger.Info().\n\t\tTimestamp().\n\t\tStr(\"sender\", command).\n\t\tStr(\"local_addr\", localAddr).\n\t\tStr(\"remote_addr\", remoteAddr).\n\t\tStr(\"username\", user).\n\t\tStr(\"file_path\", path).\n\t\tStr(\"target_path\", target).\n\t\tStr(\"filemode\", fileMode).\n\t\tInt(\"uid\", uid).\n\t\tInt(\"gid\", gid).\n\t\tStr(\"access_time\", atime).\n\t\tStr(\"modification_time\", mtime).\n\t\tInt64(\"size\", size).\n\t\tInt64(\"elapsed\", elapsed).\n\t\tStr(\"ssh_command\", sshCommand).\n\t\tStr(\"connection_id\", connectionID).\n\t\tStr(\"protocol\", protocol).\n\t\tSend()\n}\n\n// ConnectionFailedLog logs failed attempts to initialize a connection.\n// A connection can fail for an authentication error or other errors such as\n// a client abort or a time out if the login does not happen in two minutes.\n// These logs are useful for better integration with Fail2ban and similar tools.\nfunc ConnectionFailedLog(user, ip, loginType, protocol, errorString string) {\n\tlogger.Debug().\n\t\tTimestamp().\n\t\tStr(\"sender\", \"connection_failed\").\n\t\tStr(\"client_ip\", ip).\n\t\tStr(\"username\", user).\n\t\tStr(\"login_type\", loginType).\n\t\tStr(\"protocol\", protocol).\n\t\tStr(\"error\", errorString).\n\t\tSend()\n}\n\n// LoginLog logs successful logins.\nfunc LoginLog(user, ip, loginMethod, protocol, connectionID, clientVersion string, encrypted bool, info string) {\n\tev := logger.Info()\n\tev.Timestamp().\n\t\tStr(\"sender\", \"login\").\n\t\tStr(\"ip\", ip).\n\t\tStr(\"username\", user).\n\t\tStr(\"method\", loginMethod).\n\t\tStr(\"protocol\", protocol)\n\tif connectionID != \"\" {\n\t\tev.Str(\"connection_id\", connectionID)\n\t}\n\tev.Str(\"client\", clientVersion).\n\t\tBool(\"encrypted\", encrypted)\n\tif info != \"\" {\n\t\tev.Str(\"info\", info)\n\t}\n\tev.Send()\n}\n\nfunc isLogFilePathValid(logFilePath string) bool {\n\tcleanInput := filepath.Clean(logFilePath)\n\tif cleanInput == \".\" || cleanInput == \"..\" {\n\t\treturn false\n\t}\n\treturn true\n}\n\n// StdLoggerWrapper is a wrapper for standard logger compatibility\ntype StdLoggerWrapper struct {\n\tSender string\n}\n\n// Write implements the io.Writer interface. This is useful to set as a writer\n// for the standard library log.\nfunc (l *StdLoggerWrapper) Write(p []byte) (n int, err error) {\n\tn = len(p)\n\tif n > 0 && p[n-1] == '\\n' {\n\t\t// Trim CR added by stdlog.\n\t\tp = p[0 : n-1]\n\t}\n\n\tLog(LevelError, l.Sender, \"\", \"%s\", p)\n\treturn\n}\n\n// LeveledLogger is a logger that accepts a message string and a variadic number of key-value pairs\ntype LeveledLogger struct {\n\tSender string\n\tadditionalKeyVals []any\n}\n\nfunc addKeysAndValues(ev *zerolog.Event, keysAndValues ...any) {\n\tkvLen := len(keysAndValues)\n\tif kvLen%2 != 0 {\n\t\textra := keysAndValues[kvLen-1]\n\t\tkeysAndValues = append(keysAndValues[:kvLen-1], \"EXTRA_VALUE_AT_END\", extra)\n\t}\n\tfor i := 0; i < len(keysAndValues); i += 2 {\n\t\tkey, val := keysAndValues[i], keysAndValues[i+1]\n\t\tif keyStr, ok := key.(string); ok && keyStr != \"timestamp\" {\n\t\t\tev.Str(keyStr, fmt.Sprintf(\"%v\", val))\n\t\t}\n\t}\n}\n\n// Error logs at error level for the specified sender\nfunc (l *LeveledLogger) Error(msg string, keysAndValues ...any) {\n\tev := logger.Error()\n\tev.Timestamp().Str(\"sender\", l.Sender)\n\tif len(l.additionalKeyVals) > 0 {\n\t\taddKeysAndValues(ev, l.additionalKeyVals...)\n\t}\n\taddKeysAndValues(ev, keysAndValues...)\n\tev.Msg(msg)\n}\n\n// Info logs at info level for the specified sender\nfunc (l *LeveledLogger) Info(msg string, keysAndValues ...any) {\n\tev := logger.Info()\n\tev.Timestamp().Str(\"sender\", l.Sender)\n\tif len(l.additionalKeyVals) > 0 {\n\t\taddKeysAndValues(ev, l.additionalKeyVals...)\n\t}\n\taddKeysAndValues(ev, keysAndValues...)\n\tev.Msg(msg)\n}\n\n// Debug logs at debug level for the specified sender\nfunc (l *LeveledLogger) Debug(msg string, keysAndValues ...any) {\n\tev := logger.Debug()\n\tev.Timestamp().Str(\"sender\", l.Sender)\n\tif len(l.additionalKeyVals) > 0 {\n\t\taddKeysAndValues(ev, l.additionalKeyVals...)\n\t}\n\taddKeysAndValues(ev, keysAndValues...)\n\tev.Msg(msg)\n}\n\n// Warn logs at warn level for the specified sender\nfunc (l *LeveledLogger) Warn(msg string, keysAndValues ...any) {\n\tev := logger.Warn()\n\tev.Timestamp().Str(\"sender\", l.Sender)\n\tif len(l.additionalKeyVals) > 0 {\n\t\taddKeysAndValues(ev, l.additionalKeyVals...)\n\t}\n\taddKeysAndValues(ev, keysAndValues...)\n\tev.Msg(msg)\n}\n\n// Panic logs the panic at error level for the specified sender\nfunc (l *LeveledLogger) Panic(msg string, keysAndValues ...any) {\n\tl.Error(msg, keysAndValues...)\n}\n" }, { "path": "internal/logger/mail.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage logger\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/wneessen/go-mail/log\"\n)\n\nconst (\n\tmailLogSender = \"smtpclient\"\n)\n\n// MailAdapter is an adapter for mail.Logger\ntype MailAdapter struct {\n\tConnectionID string\n}\n\n// Errorf emits a log at Error level\nfunc (l *MailAdapter) Errorf(logMsg log.Log) {\n\tformat := l.getFormatString(&logMsg)\n\tErrorToConsole(format, logMsg.Messages...)\n\tLog(LevelError, mailLogSender, l.ConnectionID, format, logMsg.Messages...)\n}\n\n// Warnf emits a log at Warn level\nfunc (l *MailAdapter) Warnf(logMsg log.Log) {\n\tformat := l.getFormatString(&logMsg)\n\tWarnToConsole(format, logMsg.Messages...)\n\tLog(LevelWarn, mailLogSender, l.ConnectionID, format, logMsg.Messages...)\n}\n\n// Infof emits a log at Info level\nfunc (l *MailAdapter) Infof(logMsg log.Log) {\n\tformat := l.getFormatString(&logMsg)\n\tInfoToConsole(format, logMsg.Messages...)\n\tLog(LevelInfo, mailLogSender, l.ConnectionID, format, logMsg.Messages...)\n}\n\n// Debugf emits a log at Debug level\nfunc (l *MailAdapter) Debugf(logMsg log.Log) {\n\tformat := l.getFormatString(&logMsg)\n\tDebugToConsole(format, logMsg.Messages...)\n\tLog(LevelDebug, mailLogSender, l.ConnectionID, format, logMsg.Messages...)\n}\n\nfunc (*MailAdapter) getFormatString(logMsg *log.Log) string {\n\tp := \"C <-- S:\"\n\tif logMsg.Direction == log.DirClientToServer {\n\t\tp = \"C --> S:\"\n\t}\n\treturn fmt.Sprintf(\"%s %s\", p, logMsg.Format)\n}\n" }, { "path": "internal/logger/request_logger.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage logger\n\nimport (\n\t\"crypto/tls\"\n\t\"fmt\"\n\t\"net\"\n\t\"net/http\"\n\t\"time\"\n\n\t\"github.com/go-chi/chi/v5/middleware\"\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/metric\"\n)\n\n// StructuredLogger defines a simple wrapper around zerolog logger.\n// It implements chi.middleware.LogFormatter interface\ntype StructuredLogger struct {\n\tLogger *zerolog.Logger\n}\n\n// StructuredLoggerEntry defines a log entry.\n// It implements chi.middleware.LogEntry interface\ntype StructuredLoggerEntry struct {\n\t// The zerolog logger\n\tLogger *zerolog.Logger\n\t// fields to write in the log\n\tfields map[string]any\n}\n\n// NewStructuredLogger returns a chi.middleware.RequestLogger using our StructuredLogger.\n// This structured logger is called by the chi.middleware.Logger handler to log each HTTP request\nfunc NewStructuredLogger(logger *zerolog.Logger) func(next http.Handler) http.Handler {\n\treturn middleware.RequestLogger(&StructuredLogger{logger})\n}\n\n// NewLogEntry creates a new log entry for an HTTP request\nfunc (l *StructuredLogger) NewLogEntry(r *http.Request) middleware.LogEntry {\n\tscheme := \"http\"\n\tcipherSuite := \"\"\n\tif r.TLS != nil {\n\t\tscheme = \"https\"\n\t\tcipherSuite = tls.CipherSuiteName(r.TLS.CipherSuite)\n\t}\n\n\tfields := map[string]any{\n\t\t\"local_addr\": getLocalAddress(r),\n\t\t\"remote_addr\": r.RemoteAddr,\n\t\t\"proto\": r.Proto,\n\t\t\"method\": r.Method,\n\t\t\"user_agent\": r.UserAgent(),\n\t\t\"uri\": fmt.Sprintf(\"%s://%s%s\", scheme, r.Host, r.RequestURI),\n\t\t\"cipher_suite\": cipherSuite,\n\t}\n\n\treqID := middleware.GetReqID(r.Context())\n\tif reqID != \"\" {\n\t\tfields[\"request_id\"] = reqID\n\t}\n\n\treturn &StructuredLoggerEntry{Logger: l.Logger, fields: fields}\n}\n\n// Write logs a new entry at the end of the HTTP request\nfunc (l *StructuredLoggerEntry) Write(status, bytes int, _ http.Header, elapsed time.Duration, _ any) {\n\tmetric.HTTPRequestServed(status)\n\tvar ev *zerolog.Event\n\tif status >= http.StatusInternalServerError {\n\t\tev = l.Logger.Error()\n\t} else if status >= http.StatusBadRequest {\n\t\tev = l.Logger.Warn()\n\t} else {\n\t\tev = l.Logger.Debug()\n\t}\n\tev.\n\t\tTimestamp().\n\t\tStr(\"sender\", \"httpd\").\n\t\tFields(l.fields).\n\t\tInt(\"resp_status\", status).\n\t\tInt(\"resp_size\", bytes).\n\t\tInt64(\"elapsed_ms\", elapsed.Nanoseconds()/1000000).\n\t\tSend()\n}\n\n// Panic logs panics\nfunc (l *StructuredLoggerEntry) Panic(v any, stack []byte) {\n\tl.Logger.Error().\n\t\tTimestamp().\n\t\tStr(\"sender\", \"httpd\").\n\t\tFields(l.fields).\n\t\tStr(\"stack\", string(stack)).\n\t\tStr(\"panic\", fmt.Sprintf(\"%+v\", v)).\n\t\tSend()\n}\n\nfunc getLocalAddress(r *http.Request) string {\n\tif r == nil {\n\t\treturn \"\"\n\t}\n\tlocalAddr, ok := r.Context().Value(http.LocalAddrContextKey).(net.Addr)\n\tif ok {\n\t\treturn localAddr.String()\n\t}\n\treturn \"\"\n}\n" }, { "path": "internal/logger/slog.go", "content": "// Copyright (C) 2025 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage logger\n\nimport (\n\t\"context\"\n\t\"log/slog\"\n\t\"slices\"\n\n\t\"github.com/rs/zerolog\"\n)\n\n// slogAdapter is an adapter for slog.Handler\ntype slogAdapter struct {\n\tsender string\n\tattrs []slog.Attr\n}\n\n// NewSlogAdapter creates a slog.Handler adapter\nfunc NewSlogAdapter(sender string, attrs []slog.Attr) *slogAdapter {\n\treturn &slogAdapter{\n\t\tsender: sender,\n\t\tattrs: attrs,\n\t}\n}\n\nfunc (l *slogAdapter) Enabled(ctx context.Context, level slog.Level) bool {\n\t// Log level is handled by our implementation\n\treturn true\n}\n\nfunc (l *slogAdapter) Handle(ctx context.Context, r slog.Record) error {\n\tvar ev *zerolog.Event\n\tswitch r.Level {\n\tcase slog.LevelDebug:\n\t\tev = logger.Debug()\n\tcase slog.LevelInfo:\n\t\tev = logger.Info()\n\tcase slog.LevelWarn:\n\t\tev = logger.Warn()\n\tcase slog.LevelError:\n\t\tev = logger.Error()\n\tdefault:\n\t\tev = logger.Debug()\n\t}\n\n\tev.Timestamp()\n\tif l.sender != \"\" {\n\t\tev.Str(\"sender\", l.sender)\n\t}\n\n\taddSlogAttr := func(a slog.Attr) {\n\t\tif a.Key == \"time\" {\n\t\t\treturn\n\t\t}\n\t\tev.Any(a.Key, a.Value.Any())\n\t}\n\n\tfor _, a := range l.attrs {\n\t\taddSlogAttr(a)\n\t}\n\n\tr.Attrs(func(a slog.Attr) bool {\n\t\taddSlogAttr(a)\n\t\treturn true\n\t})\n\n\tev.Msg(r.Message)\n\n\treturn nil\n}\n\nfunc (l *slogAdapter) WithAttrs(attrs []slog.Attr) slog.Handler {\n\tnewHandler := *l\n\tnewHandler.attrs = slices.Concat(l.attrs, attrs)\n\treturn &newHandler\n}\n\nfunc (l *slogAdapter) WithGroup(name string) slog.Handler {\n\tnewHandler := *l\n\tif name != \"\" {\n\t\tnewHandler.sender = name\n\t}\n\treturn &newHandler\n}\n" }, { "path": "internal/logger/sync_wrapper.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage logger\n\nimport (\n\t\"os\"\n\t\"sync\"\n)\n\ntype logSyncWrapper struct {\n\tsync.Mutex\n\toutput *os.File\n}\n\nfunc (l *logSyncWrapper) Write(b []byte) (n int, err error) {\n\tl.Lock()\n\tdefer l.Unlock()\n\treturn l.output.Write(b)\n}\n" }, { "path": "internal/metric/metric.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build !nometrics\n\n// Package metric provides Prometheus metrics support\npackage metric\n\nimport (\n\t\"github.com/go-chi/chi/v5\"\n\t\"github.com/prometheus/client_golang/prometheus\"\n\t\"github.com/prometheus/client_golang/prometheus/promauto\"\n\t\"github.com/prometheus/client_golang/prometheus/promhttp\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n)\n\nconst (\n\tloginMethodPublicKey = \"publickey\"\n\tloginMethodKeyboardInteractive = \"keyboard-interactive\"\n\tloginMethodKeyAndPassword = \"publickey+password\"\n\tloginMethodKeyAndKeyboardInt = \"publickey+keyboard-interactive\"\n\tloginMethodTLSCertificate = \"TLSCertificate\"\n\tloginMethodTLSCertificateAndPwd = \"TLSCertificate+password\"\n\tloginMethodIDP = \"IDP\"\n)\n\nfunc init() {\n\tversion.AddFeature(\"+metrics\")\n}\n\nvar (\n\t// dataproviderAvailability is the metric that reports the availability for the configured data provider\n\tdataproviderAvailability = promauto.NewGauge(prometheus.GaugeOpts{\n\t\tName: \"sftpgo_dataprovider_availability\",\n\t\tHelp: \"Availability for the configured data provider, 1 means OK, 0 KO\",\n\t})\n\n\t// activeConnections is the metric that reports the total number of active connections\n\tactiveConnections = promauto.NewGauge(prometheus.GaugeOpts{\n\t\tName: \"sftpgo_active_connections\",\n\t\tHelp: \"Total number of logged in users\",\n\t})\n\n\t// totalUploads is the metric that reports the total number of successful uploads\n\ttotalUploads = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_uploads_total\",\n\t\tHelp: \"The total number of successful uploads\",\n\t})\n\n\t// totalDownloads is the metric that reports the total number of successful downloads\n\ttotalDownloads = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_downloads_total\",\n\t\tHelp: \"The total number of successful downloads\",\n\t})\n\n\t// totalUploadErrors is the metric that reports the total number of upload errors\n\ttotalUploadErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_upload_errors_total\",\n\t\tHelp: \"The total number of upload errors\",\n\t})\n\n\t// totalDownloadErrors is the metric that reports the total number of download errors\n\ttotalDownloadErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_download_errors_total\",\n\t\tHelp: \"The total number of download errors\",\n\t})\n\n\t// totalUploadSize is the metric that reports the total uploads size as bytes\n\ttotalUploadSize = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_upload_size\",\n\t\tHelp: \"The total upload size as bytes, partial uploads are included\",\n\t})\n\n\t// totalDownloadSize is the metric that reports the total downloads size as bytes\n\ttotalDownloadSize = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_download_size\",\n\t\tHelp: \"The total download size as bytes, partial downloads are included\",\n\t})\n\n\t// totalSSHCommands is the metric that reports the total number of executed SSH commands\n\ttotalSSHCommands = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_ssh_commands_total\",\n\t\tHelp: \"The total number of executed SSH commands\",\n\t})\n\n\t// totalSSHCommandErrors is the metric that reports the total number of SSH command errors\n\ttotalSSHCommandErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_ssh_command_errors_total\",\n\t\tHelp: \"The total number of SSH command errors\",\n\t})\n\n\t// totalLoginAttempts is the metric that reports the total number of login attempts\n\ttotalLoginAttempts = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_login_attempts_total\",\n\t\tHelp: \"The total number of login attempts\",\n\t})\n\n\t// totalNoAuthTried is te metric that reports the total number of clients disconnected\n\t// for inactivity before trying to login\n\ttotalNoAuthTried = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_no_auth_total\",\n\t\tHelp: \"The total number of clients disconnected for inactivity before trying to login\",\n\t})\n\n\t// totalLoginOK is the metric that reports the total number of successful logins\n\ttotalLoginOK = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_login_ok_total\",\n\t\tHelp: \"The total number of successful logins\",\n\t})\n\n\t// totalLoginFailed is the metric that reports the total number of failed logins\n\ttotalLoginFailed = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_login_ko_total\",\n\t\tHelp: \"The total number of failed logins\",\n\t})\n\n\t// totalPasswordLoginAttempts is the metric that reports the total number of login attempts\n\t// using a password\n\ttotalPasswordLoginAttempts = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_password_login_attempts_total\",\n\t\tHelp: \"The total number of login attempts using a password\",\n\t})\n\n\t// totalPasswordLoginOK is the metric that reports the total number of successful logins\n\t// using a password\n\ttotalPasswordLoginOK = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_password_login_ok_total\",\n\t\tHelp: \"The total number of successful logins using a password\",\n\t})\n\n\t// totalPasswordLoginFailed is the metric that reports the total number of failed logins\n\t// using a password\n\ttotalPasswordLoginFailed = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_password_login_ko_total\",\n\t\tHelp: \"The total number of failed logins using a password\",\n\t})\n\n\t// totalKeyLoginAttempts is the metric that reports the total number of login attempts\n\t// using a public key\n\ttotalKeyLoginAttempts = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_public_key_login_attempts_total\",\n\t\tHelp: \"The total number of login attempts using a public key\",\n\t})\n\n\t// totalKeyLoginOK is the metric that reports the total number of successful logins\n\t// using a public key\n\ttotalKeyLoginOK = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_public_key_login_ok_total\",\n\t\tHelp: \"The total number of successful logins using a public key\",\n\t})\n\n\t// totalKeyLoginFailed is the metric that reports the total number of failed logins\n\t// using a public key\n\ttotalKeyLoginFailed = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_public_key_login_ko_total\",\n\t\tHelp: \"The total number of failed logins using a public key\",\n\t})\n\n\t// totalTLSCertLoginAttempts is the metric that reports the total number of login attempts\n\t// using a TLS certificate\n\ttotalTLSCertLoginAttempts = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_tls_cert_login_attempts_total\",\n\t\tHelp: \"The total number of login attempts using a TLS certificate\",\n\t})\n\n\t// totalTLSCertLoginOK is the metric that reports the total number of successful logins\n\t// using a TLS certificate\n\ttotalTLSCertLoginOK = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_tls_cert_login_ok_total\",\n\t\tHelp: \"The total number of successful logins using a TLS certificate\",\n\t})\n\n\t// totalTLSCertLoginFailed is the metric that reports the total number of failed logins\n\t// using a TLS certificate\n\ttotalTLSCertLoginFailed = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_tls_cert_login_ko_total\",\n\t\tHelp: \"The total number of failed logins using a TLS certificate\",\n\t})\n\n\t// totalTLSCertAndPwdLoginAttempts is the metric that reports the total number of login attempts\n\t// using a TLS certificate+password\n\ttotalTLSCertAndPwdLoginAttempts = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_tls_cert_and_pwd_login_attempts_total\",\n\t\tHelp: \"The total number of login attempts using a TLS certificate+password\",\n\t})\n\n\t// totalTLSCertLoginOK is the metric that reports the total number of successful logins\n\t// using a TLS certificate+password\n\ttotalTLSCertAndPwdLoginOK = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_tls_cert_and_pwd_login_ok_total\",\n\t\tHelp: \"The total number of successful logins using a TLS certificate+password\",\n\t})\n\n\t// totalTLSCertAndPwdLoginFailed is the metric that reports the total number of failed logins\n\t// using a TLS certificate+password\n\ttotalTLSCertAndPwdLoginFailed = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_tls_cert_and_pwd_login_ko_total\",\n\t\tHelp: \"The total number of failed logins using a TLS certificate+password\",\n\t})\n\n\t// totalInteractiveLoginAttempts is the metric that reports the total number of login attempts\n\t// using keyboard interactive authentication\n\ttotalInteractiveLoginAttempts = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_keyboard_interactive_login_attempts_total\",\n\t\tHelp: \"The total number of login attempts using keyboard interactive authentication\",\n\t})\n\n\t// totalInteractiveLoginOK is the metric that reports the total number of successful logins\n\t// using keyboard interactive authentication\n\ttotalInteractiveLoginOK = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_keyboard_interactive_login_ok_total\",\n\t\tHelp: \"The total number of successful logins using keyboard interactive authentication\",\n\t})\n\n\t// totalInteractiveLoginFailed is the metric that reports the total number of failed logins\n\t// using keyboard interactive authentication\n\ttotalInteractiveLoginFailed = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_keyboard_interactive_login_ko_total\",\n\t\tHelp: \"The total number of failed logins using keyboard interactive authentication\",\n\t})\n\n\t// totalKeyAndPasswordLoginAttempts is the metric that reports the total number of\n\t// login attempts using public key + password multi steps auth\n\ttotalKeyAndPasswordLoginAttempts = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_key_and_password_login_attempts_total\",\n\t\tHelp: \"The total number of login attempts using public key + password\",\n\t})\n\n\t// totalKeyAndPasswordLoginOK is the metric that reports the total number of\n\t// successful logins using public key + password multi steps auth\n\ttotalKeyAndPasswordLoginOK = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_key_and_password_login_ok_total\",\n\t\tHelp: \"The total number of successful logins using public key + password\",\n\t})\n\n\t// totalKeyAndPasswordLoginFailed is the metric that reports the total number of\n\t// failed logins using public key + password multi steps auth\n\ttotalKeyAndPasswordLoginFailed = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_key_and_password_login_ko_total\",\n\t\tHelp: \"The total number of failed logins using public key + password\",\n\t})\n\n\t// totalKeyAndKeyIntLoginAttempts is the metric that reports the total number of\n\t// login attempts using public key + keyboard interactive multi steps auth\n\ttotalKeyAndKeyIntLoginAttempts = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_key_and_keyboard_int_login_attempts_total\",\n\t\tHelp: \"The total number of login attempts using public key + keyboard interactive\",\n\t})\n\n\t// totalKeyAndKeyIntLoginOK is the metric that reports the total number of\n\t// successful logins using public key + keyboard interactive multi steps auth\n\ttotalKeyAndKeyIntLoginOK = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_key_and_keyboard_int_login_ok_total\",\n\t\tHelp: \"The total number of successful logins using public key + keyboard interactive\",\n\t})\n\n\t// totalKeyAndKeyIntLoginFailed is the metric that reports the total number of\n\t// failed logins using public key + keyboard interactive multi steps auth\n\ttotalKeyAndKeyIntLoginFailed = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_key_and_keyboard_int_login_ko_total\",\n\t\tHelp: \"The total number of failed logins using public key + keyboard interactive\",\n\t})\n\n\t// totalIDPLoginAttempts is the metric that reports the total number of\n\t// login attempts using identity providers\n\ttotalIDPLoginAttempts = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_idp_login_attempts_total\",\n\t\tHelp: \"The total number of login attempts using Identity Providers\",\n\t})\n\n\t// totalIDPLoginOK is the metric that reports the total number of\n\t// successful logins using identity providers\n\ttotalIDPLoginOK = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_idp_login_ok_total\",\n\t\tHelp: \"The total number of successful logins using Identity Providers\",\n\t})\n\n\t// totalIDPLoginFailed is the metric that reports the total number of\n\t// failed logins using identity providers\n\ttotalIDPLoginFailed = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_idp_login_ko_total\",\n\t\tHelp: \"The total number of failed logins using Identity Providers\",\n\t})\n\n\ttotalHTTPRequests = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_http_req_total\",\n\t\tHelp: \"The total number of HTTP requests served\",\n\t})\n\n\ttotalHTTPOK = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_http_req_ok_total\",\n\t\tHelp: \"The total number of HTTP requests served with 2xx status code\",\n\t})\n\n\ttotalHTTPClientErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_http_client_errors_total\",\n\t\tHelp: \"The total number of HTTP requests served with 4xx status code\",\n\t})\n\n\ttotalHTTPServerErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_http_server_errors_total\",\n\t\tHelp: \"The total number of HTTP requests served with 5xx status code\",\n\t})\n\n\t// totalS3Uploads is the metric that reports the total number of successful S3 uploads\n\ttotalS3Uploads = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_s3_uploads_total\",\n\t\tHelp: \"The total number of successful S3 uploads\",\n\t})\n\n\t// totalS3Downloads is the metric that reports the total number of successful S3 downloads\n\ttotalS3Downloads = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_s3_downloads_total\",\n\t\tHelp: \"The total number of successful S3 downloads\",\n\t})\n\n\t// totalS3UploadErrors is the metric that reports the total number of S3 upload errors\n\ttotalS3UploadErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_s3_upload_errors_total\",\n\t\tHelp: \"The total number of S3 upload errors\",\n\t})\n\n\t// totalS3DownloadErrors is the metric that reports the total number of S3 download errors\n\ttotalS3DownloadErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_s3_download_errors_total\",\n\t\tHelp: \"The total number of S3 download errors\",\n\t})\n\n\t// totalS3UploadSize is the metric that reports the total S3 uploads size as bytes\n\ttotalS3UploadSize = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_s3_upload_size\",\n\t\tHelp: \"The total S3 upload size as bytes, partial uploads are included\",\n\t})\n\n\t// totalS3DownloadSize is the metric that reports the total S3 downloads size as bytes\n\ttotalS3DownloadSize = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_s3_download_size\",\n\t\tHelp: \"The total S3 download size as bytes, partial downloads are included\",\n\t})\n\n\t// totalS3ListObjects is the metric that reports the total successful S3 list objects requests\n\ttotalS3ListObjects = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_s3_list_objects\",\n\t\tHelp: \"The total number of successful S3 list objects requests\",\n\t})\n\n\t// totalS3CopyObject is the metric that reports the total successful S3 copy object requests\n\ttotalS3CopyObject = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_s3_copy_object\",\n\t\tHelp: \"The total number of successful S3 copy object requests\",\n\t})\n\n\t// totalS3DeleteObject is the metric that reports the total successful S3 delete object requests\n\ttotalS3DeleteObject = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_s3_delete_object\",\n\t\tHelp: \"The total number of successful S3 delete object requests\",\n\t})\n\n\t// totalS3ListObjectsError is the metric that reports the total S3 list objects errors\n\ttotalS3ListObjectsErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_s3_list_objects_errors\",\n\t\tHelp: \"The total number of S3 list objects errors\",\n\t})\n\n\t// totalS3CopyObjectErrors is the metric that reports the total S3 copy object errors\n\ttotalS3CopyObjectErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_s3_copy_object_errors\",\n\t\tHelp: \"The total number of S3 copy object errors\",\n\t})\n\n\t// totalS3DeleteObjectErrors is the metric that reports the total S3 delete object errors\n\ttotalS3DeleteObjectErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_s3_delete_object_errors\",\n\t\tHelp: \"The total number of S3 delete object errors\",\n\t})\n\n\t// totalS3HeadObject is the metric that reports the total successful S3 head object requests\n\ttotalS3HeadObject = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_s3_head_object\",\n\t\tHelp: \"The total number of successful S3 head object requests\",\n\t})\n\n\t// totalS3HeadObjectErrors is the metric that reports the total S3 head object errors\n\ttotalS3HeadObjectErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_s3_head_object_errors\",\n\t\tHelp: \"The total number of S3 head object errors\",\n\t})\n\n\t// totalGCSUploads is the metric that reports the total number of successful GCS uploads\n\ttotalGCSUploads = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_gcs_uploads_total\",\n\t\tHelp: \"The total number of successful GCS uploads\",\n\t})\n\n\t// totalGCSDownloads is the metric that reports the total number of successful GCS downloads\n\ttotalGCSDownloads = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_gcs_downloads_total\",\n\t\tHelp: \"The total number of successful GCS downloads\",\n\t})\n\n\t// totalGCSUploadErrors is the metric that reports the total number of GCS upload errors\n\ttotalGCSUploadErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_gcs_upload_errors_total\",\n\t\tHelp: \"The total number of GCS upload errors\",\n\t})\n\n\t// totalGCSDownloadErrors is the metric that reports the total number of GCS download errors\n\ttotalGCSDownloadErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_gcs_download_errors_total\",\n\t\tHelp: \"The total number of GCS download errors\",\n\t})\n\n\t// totalGCSUploadSize is the metric that reports the total GCS uploads size as bytes\n\ttotalGCSUploadSize = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_gcs_upload_size\",\n\t\tHelp: \"The total GCS upload size as bytes, partial uploads are included\",\n\t})\n\n\t// totalGCSDownloadSize is the metric that reports the total GCS downloads size as bytes\n\ttotalGCSDownloadSize = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_gcs_download_size\",\n\t\tHelp: \"The total GCS download size as bytes, partial downloads are included\",\n\t})\n\n\t// totalGCSListObjects is the metric that reports the total successful GCS list objects requests\n\ttotalGCSListObjects = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_gcs_list_objects\",\n\t\tHelp: \"The total number of successful GCS list objects requests\",\n\t})\n\n\t// totalGCSCopyObject is the metric that reports the total successful GCS copy object requests\n\ttotalGCSCopyObject = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_gcs_copy_object\",\n\t\tHelp: \"The total number of successful GCS copy object requests\",\n\t})\n\n\t// totalGCSDeleteObject is the metric that reports the total successful GCS delete object requests\n\ttotalGCSDeleteObject = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_gcs_delete_object\",\n\t\tHelp: \"The total number of successful GCS delete object requests\",\n\t})\n\n\t// totalGCSListObjectsError is the metric that reports the total GCS list objects errors\n\ttotalGCSListObjectsErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_gcs_list_objects_errors\",\n\t\tHelp: \"The total number of GCS list objects errors\",\n\t})\n\n\t// totalGCSCopyObjectErrors is the metric that reports the total GCS copy object errors\n\ttotalGCSCopyObjectErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_gcs_copy_object_errors\",\n\t\tHelp: \"The total number of GCS copy object errors\",\n\t})\n\n\t// totalGCSDeleteObjectErrors is the metric that reports the total GCS delete object errors\n\ttotalGCSDeleteObjectErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_gcs_delete_object_errors\",\n\t\tHelp: \"The total number of GCS delete object errors\",\n\t})\n\n\t// totalGCSHeadObject is the metric that reports the total successful GCS head object requests\n\ttotalGCSHeadObject = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_gcs_head_object\",\n\t\tHelp: \"The total number of successful GCS head object requests\",\n\t})\n\n\t// totalGCSHeadObjectErrors is the metric that reports the total GCS head object errors\n\ttotalGCSHeadObjectErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_gcs_head_object_errors\",\n\t\tHelp: \"The total number of GCS head object errors\",\n\t})\n\n\t// totalAZUploads is the metric that reports the total number of successful Azure uploads\n\ttotalAZUploads = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_az_uploads_total\",\n\t\tHelp: \"The total number of successful Azure uploads\",\n\t})\n\n\t// totalAZDownloads is the metric that reports the total number of successful Azure downloads\n\ttotalAZDownloads = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_az_downloads_total\",\n\t\tHelp: \"The total number of successful Azure downloads\",\n\t})\n\n\t// totalAZUploadErrors is the metric that reports the total number of Azure upload errors\n\ttotalAZUploadErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_az_upload_errors_total\",\n\t\tHelp: \"The total number of Azure upload errors\",\n\t})\n\n\t// totalAZDownloadErrors is the metric that reports the total number of Azure download errors\n\ttotalAZDownloadErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_az_download_errors_total\",\n\t\tHelp: \"The total number of Azure download errors\",\n\t})\n\n\t// totalAZUploadSize is the metric that reports the total Azure uploads size as bytes\n\ttotalAZUploadSize = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_az_upload_size\",\n\t\tHelp: \"The total Azure upload size as bytes, partial uploads are included\",\n\t})\n\n\t// totalAZDownloadSize is the metric that reports the total Azure downloads size as bytes\n\ttotalAZDownloadSize = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_az_download_size\",\n\t\tHelp: \"The total Azure download size as bytes, partial downloads are included\",\n\t})\n\n\t// totalAZListObjects is the metric that reports the total successful Azure list objects requests\n\ttotalAZListObjects = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_az_list_objects\",\n\t\tHelp: \"The total number of successful Azure list objects requests\",\n\t})\n\n\t// totalAZCopyObject is the metric that reports the total successful Azure copy object requests\n\ttotalAZCopyObject = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_az_copy_object\",\n\t\tHelp: \"The total number of successful Azure copy object requests\",\n\t})\n\n\t// totalAZDeleteObject is the metric that reports the total successful Azure delete object requests\n\ttotalAZDeleteObject = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_az_delete_object\",\n\t\tHelp: \"The total number of successful Azure delete object requests\",\n\t})\n\n\t// totalAZListObjectsError is the metric that reports the total Azure list objects errors\n\ttotalAZListObjectsErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_az_list_objects_errors\",\n\t\tHelp: \"The total number of Azure list objects errors\",\n\t})\n\n\t// totalAZCopyObjectErrors is the metric that reports the total Azure copy object errors\n\ttotalAZCopyObjectErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_az_copy_object_errors\",\n\t\tHelp: \"The total number of Azure copy object errors\",\n\t})\n\n\t// totalAZDeleteObjectErrors is the metric that reports the total Azure delete object errors\n\ttotalAZDeleteObjectErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_az_delete_object_errors\",\n\t\tHelp: \"The total number of Azure delete object errors\",\n\t})\n\n\t// totalAZHeadObject is the metric that reports the total successful Azure head object requests\n\ttotalAZHeadObject = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_az_head_object\",\n\t\tHelp: \"The total number of successful Azure head object requests\",\n\t})\n\n\t// totalAZHeadObjectErrors is the metric that reports the total Azure head object errors\n\ttotalAZHeadObjectErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_az_head_object_errors\",\n\t\tHelp: \"The total number of Azure head object errors\",\n\t})\n\n\t// totalSFTPFsUploads is the metric that reports the total number of successful SFTPFs uploads\n\ttotalSFTPFsUploads = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_sftpfs_uploads_total\",\n\t\tHelp: \"The total number of successful SFTPFs uploads\",\n\t})\n\n\t// totalSFTPFsDownloads is the metric that reports the total number of successful SFTPFs downloads\n\ttotalSFTPFsDownloads = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_sftpfs_downloads_total\",\n\t\tHelp: \"The total number of successful SFTPFs downloads\",\n\t})\n\n\t// totalSFTPFsUploadErrors is the metric that reports the total number of SFTPFs upload errors\n\ttotalSFTPFsUploadErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_sftpfs_upload_errors_total\",\n\t\tHelp: \"The total number of SFTPFs upload errors\",\n\t})\n\n\t// totalSFTPFsDownloadErrors is the metric that reports the total number of SFTPFs download errors\n\ttotalSFTPFsDownloadErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_sftpfs_download_errors_total\",\n\t\tHelp: \"The total number of SFTPFs download errors\",\n\t})\n\n\t// totalSFTPFsUploadSize is the metric that reports the total SFTPFs uploads size as bytes\n\ttotalSFTPFsUploadSize = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_sftpfs_upload_size\",\n\t\tHelp: \"The total SFTPFs upload size as bytes, partial uploads are included\",\n\t})\n\n\t// totalSFTPFsDownloadSize is the metric that reports the total SFTPFs downloads size as bytes\n\ttotalSFTPFsDownloadSize = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_sftpfs_download_size\",\n\t\tHelp: \"The total SFTPFs download size as bytes, partial downloads are included\",\n\t})\n\n\t// totalHTTPFsUploads is the metric that reports the total number of successful HTTPFs uploads\n\ttotalHTTPFsUploads = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_httpfs_uploads_total\",\n\t\tHelp: \"The total number of successful HTTPFs uploads\",\n\t})\n\n\t// totalHTTPFsDownloads is the metric that reports the total number of successful HTTPFs downloads\n\ttotalHTTPFsDownloads = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_httpfs_downloads_total\",\n\t\tHelp: \"The total number of successful HTTPFs downloads\",\n\t})\n\n\t// totalHTTPFsUploadErrors is the metric that reports the total number of HTTPFs upload errors\n\ttotalHTTPFsUploadErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_httpfs_upload_errors_total\",\n\t\tHelp: \"The total number of HTTPFs upload errors\",\n\t})\n\n\t// totalHTTPFsDownloadErrors is the metric that reports the total number of HTTPFs download errors\n\ttotalHTTPFsDownloadErrors = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_httpfs_download_errors_total\",\n\t\tHelp: \"The total number of HTTPFs download errors\",\n\t})\n\n\t// totalHTTPFsUploadSize is the metric that reports the total HTTPFs uploads size as bytes\n\ttotalHTTPFsUploadSize = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_httpfs_upload_size\",\n\t\tHelp: \"The total HTTPFs upload size as bytes, partial uploads are included\",\n\t})\n\n\t// totalHTTPFsDownloadSize is the metric that reports the total HTTPFs downloads size as bytes\n\ttotalHTTPFsDownloadSize = promauto.NewCounter(prometheus.CounterOpts{\n\t\tName: \"sftpgo_httpfs_download_size\",\n\t\tHelp: \"The total HTTPFs download size as bytes, partial downloads are included\",\n\t})\n)\n\n// AddMetricsEndpoint publishes metrics to the specified endpoint\nfunc AddMetricsEndpoint(metricsPath string, handler chi.Router) {\n\thandler.Handle(metricsPath, promhttp.Handler())\n}\n\n// TransferCompleted updates metrics after an upload or a download\nfunc TransferCompleted(bytesSent, bytesReceived int64, transferKind int, err error, isSFTPFs bool) {\n\tif transferKind == 0 {\n\t\t// upload\n\t\tif err == nil {\n\t\t\ttotalUploads.Inc()\n\t\t} else {\n\t\t\ttotalUploadErrors.Inc()\n\t\t}\n\t} else {\n\t\t// download\n\t\tif err == nil {\n\t\t\ttotalDownloads.Inc()\n\t\t} else {\n\t\t\ttotalDownloadErrors.Inc()\n\t\t}\n\t}\n\tif bytesReceived > 0 {\n\t\ttotalUploadSize.Add(float64(bytesReceived))\n\t}\n\tif bytesSent > 0 {\n\t\ttotalDownloadSize.Add(float64(bytesSent))\n\t}\n\tif isSFTPFs {\n\t\tsftpFsTransferCompleted(bytesSent, bytesReceived, transferKind, err)\n\t}\n}\n\n// S3TransferCompleted updates metrics after an S3 upload or a download\nfunc S3TransferCompleted(bytes int64, transferKind int, err error) {\n\tif transferKind == 0 {\n\t\t// upload\n\t\tif err == nil {\n\t\t\ttotalS3Uploads.Inc()\n\t\t} else {\n\t\t\ttotalS3UploadErrors.Inc()\n\t\t}\n\t\ttotalS3UploadSize.Add(float64(bytes))\n\t} else {\n\t\t// download\n\t\tif err == nil {\n\t\t\ttotalS3Downloads.Inc()\n\t\t} else {\n\t\t\ttotalS3DownloadErrors.Inc()\n\t\t}\n\t\ttotalS3DownloadSize.Add(float64(bytes))\n\t}\n}\n\n// S3ListObjectsCompleted updates metrics after an S3 list objects request terminates\nfunc S3ListObjectsCompleted(err error) {\n\tif err == nil {\n\t\ttotalS3ListObjects.Inc()\n\t} else {\n\t\ttotalS3ListObjectsErrors.Inc()\n\t}\n}\n\n// S3CopyObjectCompleted updates metrics after an S3 copy object request terminates\nfunc S3CopyObjectCompleted(err error) {\n\tif err == nil {\n\t\ttotalS3CopyObject.Inc()\n\t} else {\n\t\ttotalS3CopyObjectErrors.Inc()\n\t}\n}\n\n// S3DeleteObjectCompleted updates metrics after an S3 delete object request terminates\nfunc S3DeleteObjectCompleted(err error) {\n\tif err == nil {\n\t\ttotalS3DeleteObject.Inc()\n\t} else {\n\t\ttotalS3DeleteObjectErrors.Inc()\n\t}\n}\n\n// S3HeadObjectCompleted updates metrics after a S3 head object request terminates\nfunc S3HeadObjectCompleted(err error) {\n\tif err == nil {\n\t\ttotalS3HeadObject.Inc()\n\t} else {\n\t\ttotalS3HeadObjectErrors.Inc()\n\t}\n}\n\n// GCSTransferCompleted updates metrics after a GCS upload or a download\nfunc GCSTransferCompleted(bytes int64, transferKind int, err error) {\n\tif transferKind == 0 {\n\t\t// upload\n\t\tif err == nil {\n\t\t\ttotalGCSUploads.Inc()\n\t\t} else {\n\t\t\ttotalGCSUploadErrors.Inc()\n\t\t}\n\t\ttotalGCSUploadSize.Add(float64(bytes))\n\t} else {\n\t\t// download\n\t\tif err == nil {\n\t\t\ttotalGCSDownloads.Inc()\n\t\t} else {\n\t\t\ttotalGCSDownloadErrors.Inc()\n\t\t}\n\t\ttotalGCSDownloadSize.Add(float64(bytes))\n\t}\n}\n\n// GCSListObjectsCompleted updates metrics after a GCS list objects request terminates\nfunc GCSListObjectsCompleted(err error) {\n\tif err == nil {\n\t\ttotalGCSListObjects.Inc()\n\t} else {\n\t\ttotalGCSListObjectsErrors.Inc()\n\t}\n}\n\n// GCSCopyObjectCompleted updates metrics after a GCS copy object request terminates\nfunc GCSCopyObjectCompleted(err error) {\n\tif err == nil {\n\t\ttotalGCSCopyObject.Inc()\n\t} else {\n\t\ttotalGCSCopyObjectErrors.Inc()\n\t}\n}\n\n// GCSDeleteObjectCompleted updates metrics after a GCS delete object request terminates\nfunc GCSDeleteObjectCompleted(err error) {\n\tif err == nil {\n\t\ttotalGCSDeleteObject.Inc()\n\t} else {\n\t\ttotalGCSDeleteObjectErrors.Inc()\n\t}\n}\n\n// GCSHeadObjectCompleted updates metrics after a GCS head object request terminates\nfunc GCSHeadObjectCompleted(err error) {\n\tif err == nil {\n\t\ttotalGCSHeadObject.Inc()\n\t} else {\n\t\ttotalGCSHeadObjectErrors.Inc()\n\t}\n}\n\n// AZTransferCompleted updates metrics after a Azure upload or a download\nfunc AZTransferCompleted(bytes int64, transferKind int, err error) {\n\tif transferKind == 0 {\n\t\t// upload\n\t\tif err == nil {\n\t\t\ttotalAZUploads.Inc()\n\t\t} else {\n\t\t\ttotalAZUploadErrors.Inc()\n\t\t}\n\t\ttotalAZUploadSize.Add(float64(bytes))\n\t} else {\n\t\t// download\n\t\tif err == nil {\n\t\t\ttotalAZDownloads.Inc()\n\t\t} else {\n\t\t\ttotalAZDownloadErrors.Inc()\n\t\t}\n\t\ttotalAZDownloadSize.Add(float64(bytes))\n\t}\n}\n\n// AZListObjectsCompleted updates metrics after a Azure list objects request terminates\nfunc AZListObjectsCompleted(err error) {\n\tif err == nil {\n\t\ttotalAZListObjects.Inc()\n\t} else {\n\t\ttotalAZListObjectsErrors.Inc()\n\t}\n}\n\n// AZCopyObjectCompleted updates metrics after a Azure copy object request terminates\nfunc AZCopyObjectCompleted(err error) {\n\tif err == nil {\n\t\ttotalAZCopyObject.Inc()\n\t} else {\n\t\ttotalAZCopyObjectErrors.Inc()\n\t}\n}\n\n// AZDeleteObjectCompleted updates metrics after a Azure delete object request terminates\nfunc AZDeleteObjectCompleted(err error) {\n\tif err == nil {\n\t\ttotalAZDeleteObject.Inc()\n\t} else {\n\t\ttotalAZDeleteObjectErrors.Inc()\n\t}\n}\n\n// AZHeadObjectCompleted updates metrics after a Azure head object request terminates\nfunc AZHeadObjectCompleted(err error) {\n\tif err == nil {\n\t\ttotalAZHeadObject.Inc()\n\t} else {\n\t\ttotalAZHeadObjectErrors.Inc()\n\t}\n}\n\n// sftpFsTransferCompleted updates metrics after an SFTPFs upload or a download\nfunc sftpFsTransferCompleted(bytesSent, bytesReceived int64, transferKind int, err error) {\n\tif transferKind == 0 {\n\t\t// upload\n\t\tif err == nil {\n\t\t\ttotalSFTPFsUploads.Inc()\n\t\t} else {\n\t\t\ttotalSFTPFsUploadErrors.Inc()\n\t\t}\n\t} else {\n\t\t// download\n\t\tif err == nil {\n\t\t\ttotalSFTPFsDownloads.Inc()\n\t\t} else {\n\t\t\ttotalSFTPFsDownloadErrors.Inc()\n\t\t}\n\t}\n\tif bytesReceived > 0 {\n\t\ttotalSFTPFsUploadSize.Add(float64(bytesReceived))\n\t}\n\tif bytesSent > 0 {\n\t\ttotalSFTPFsDownloadSize.Add(float64(bytesSent))\n\t}\n}\n\n// HTTPFsTransferCompleted updates metrics after an HTTPFs upload or a download\nfunc HTTPFsTransferCompleted(bytes int64, transferKind int, err error) {\n\tif transferKind == 0 {\n\t\t// upload\n\t\tif err == nil {\n\t\t\ttotalHTTPFsUploads.Inc()\n\t\t} else {\n\t\t\ttotalHTTPFsUploadErrors.Inc()\n\t\t}\n\t\ttotalHTTPFsUploadSize.Add(float64(bytes))\n\t} else {\n\t\t// download\n\t\tif err == nil {\n\t\t\ttotalHTTPFsDownloads.Inc()\n\t\t} else {\n\t\t\ttotalHTTPFsDownloadErrors.Inc()\n\t\t}\n\t\ttotalHTTPFsDownloadSize.Add(float64(bytes))\n\t}\n}\n\n// SSHCommandCompleted update metrics after an SSH command terminates\nfunc SSHCommandCompleted(err error) {\n\tif err == nil {\n\t\ttotalSSHCommands.Inc()\n\t} else {\n\t\ttotalSSHCommandErrors.Inc()\n\t}\n}\n\n// UpdateDataProviderAvailability updates the metric for the data provider availability\nfunc UpdateDataProviderAvailability(err error) {\n\tif err == nil {\n\t\tdataproviderAvailability.Set(1)\n\t} else {\n\t\tdataproviderAvailability.Set(0)\n\t}\n}\n\n// AddLoginAttempt increments the metrics for login attempts\nfunc AddLoginAttempt(authMethod string) {\n\ttotalLoginAttempts.Inc()\n\tswitch authMethod {\n\tcase loginMethodPublicKey:\n\t\ttotalKeyLoginAttempts.Inc()\n\tcase loginMethodKeyboardInteractive:\n\t\ttotalInteractiveLoginAttempts.Inc()\n\tcase loginMethodKeyAndPassword:\n\t\ttotalKeyAndPasswordLoginAttempts.Inc()\n\tcase loginMethodKeyAndKeyboardInt:\n\t\ttotalKeyAndKeyIntLoginAttempts.Inc()\n\tcase loginMethodTLSCertificate:\n\t\ttotalTLSCertLoginAttempts.Inc()\n\tcase loginMethodTLSCertificateAndPwd:\n\t\ttotalTLSCertAndPwdLoginAttempts.Inc()\n\tcase loginMethodIDP:\n\t\ttotalIDPLoginAttempts.Inc()\n\tdefault:\n\t\ttotalPasswordLoginAttempts.Inc()\n\t}\n}\n\nfunc incLoginOK(authMethod string) {\n\ttotalLoginOK.Inc()\n\tswitch authMethod {\n\tcase loginMethodPublicKey:\n\t\ttotalKeyLoginOK.Inc()\n\tcase loginMethodKeyboardInteractive:\n\t\ttotalInteractiveLoginOK.Inc()\n\tcase loginMethodKeyAndPassword:\n\t\ttotalKeyAndPasswordLoginOK.Inc()\n\tcase loginMethodKeyAndKeyboardInt:\n\t\ttotalKeyAndKeyIntLoginOK.Inc()\n\tcase loginMethodTLSCertificate:\n\t\ttotalTLSCertLoginOK.Inc()\n\tcase loginMethodTLSCertificateAndPwd:\n\t\ttotalTLSCertAndPwdLoginOK.Inc()\n\tcase loginMethodIDP:\n\t\ttotalIDPLoginOK.Inc()\n\tdefault:\n\t\ttotalPasswordLoginOK.Inc()\n\t}\n}\n\nfunc incLoginFailed(authMethod string) {\n\ttotalLoginFailed.Inc()\n\tswitch authMethod {\n\tcase loginMethodPublicKey:\n\t\ttotalKeyLoginFailed.Inc()\n\tcase loginMethodKeyboardInteractive:\n\t\ttotalInteractiveLoginFailed.Inc()\n\tcase loginMethodKeyAndPassword:\n\t\ttotalKeyAndPasswordLoginFailed.Inc()\n\tcase loginMethodKeyAndKeyboardInt:\n\t\ttotalKeyAndKeyIntLoginFailed.Inc()\n\tcase loginMethodTLSCertificate:\n\t\ttotalTLSCertLoginFailed.Inc()\n\tcase loginMethodTLSCertificateAndPwd:\n\t\ttotalTLSCertAndPwdLoginFailed.Inc()\n\tcase loginMethodIDP:\n\t\ttotalIDPLoginFailed.Inc()\n\tdefault:\n\t\ttotalPasswordLoginFailed.Inc()\n\t}\n}\n\n// AddLoginResult increments the metrics for login results\nfunc AddLoginResult(authMethod string, err error) {\n\tif err == nil {\n\t\tincLoginOK(authMethod)\n\t} else {\n\t\tincLoginFailed(authMethod)\n\t}\n}\n\n// AddNoAuthTried increments the metric for clients disconnected\n// for inactivity before trying to login\nfunc AddNoAuthTried() {\n\ttotalNoAuthTried.Inc()\n}\n\n// HTTPRequestServed increments the metrics for HTTP requests\nfunc HTTPRequestServed(status int) {\n\ttotalHTTPRequests.Inc()\n\tif status >= 200 && status < 300 {\n\t\ttotalHTTPOK.Inc()\n\t} else if status >= 400 && status < 500 {\n\t\ttotalHTTPClientErrors.Inc()\n\t} else if status >= 500 {\n\t\ttotalHTTPServerErrors.Inc()\n\t}\n}\n\n// UpdateActiveConnectionsSize sets the metric for active connections\nfunc UpdateActiveConnectionsSize(size int) {\n\tactiveConnections.Set(float64(size))\n}\n" }, { "path": "internal/metric/metric_disabled.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build nometrics\n\npackage metric\n\nimport (\n\t\"github.com/go-chi/chi/v5\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n)\n\nfunc init() {\n\tversion.AddFeature(\"-metrics\")\n}\n\n// AddMetricsEndpoint publishes metrics to the specified endpoint\nfunc AddMetricsEndpoint(_ string, _ chi.Router) {}\n\n// TransferCompleted updates metrics after an upload or a download\nfunc TransferCompleted(_, _ int64, _ int, _ error, _ bool) {}\n\n// S3TransferCompleted updates metrics after an S3 upload or a download\nfunc S3TransferCompleted(_ int64, _ int, _ error) {}\n\n// S3ListObjectsCompleted updates metrics after an S3 list objects request terminates\nfunc S3ListObjectsCompleted(_ error) {}\n\n// S3CopyObjectCompleted updates metrics after an S3 copy object request terminates\nfunc S3CopyObjectCompleted(_ error) {}\n\n// S3DeleteObjectCompleted updates metrics after an S3 delete object request terminates\nfunc S3DeleteObjectCompleted(_ error) {}\n\n// S3HeadBucketCompleted updates metrics after an S3 head bucket request terminates\nfunc S3HeadBucketCompleted(_ error) {}\n\n// GCSTransferCompleted updates metrics after a GCS upload or a download\nfunc GCSTransferCompleted(_ int64, _ int, _ error) {}\n\n// GCSListObjectsCompleted updates metrics after a GCS list objects request terminates\nfunc GCSListObjectsCompleted(_ error) {}\n\n// GCSCopyObjectCompleted updates metrics after a GCS copy object request terminates\nfunc GCSCopyObjectCompleted(_ error) {}\n\n// GCSDeleteObjectCompleted updates metrics after a GCS delete object request terminates\nfunc GCSDeleteObjectCompleted(_ error) {}\n\n// GCSHeadBucketCompleted updates metrics after a GCS head bucket request terminates\nfunc GCSHeadBucketCompleted(_ error) {}\n\n// HTTPFsTransferCompleted updates metrics after an HTTPFs upload or a download\nfunc HTTPFsTransferCompleted(_ int64, _ int, _ error) {}\n\n// SSHCommandCompleted update metrics after an SSH command terminates\nfunc SSHCommandCompleted(_ error) {}\n\n// UpdateDataProviderAvailability updates the metric for the data provider availability\nfunc UpdateDataProviderAvailability(_ error) {}\n\n// AddLoginAttempt increments the metrics for login attempts\nfunc AddLoginAttempt(_ string) {}\n\n// AddLoginResult increments the metrics for login results\nfunc AddLoginResult(_ string, _ error) {}\n\n// AddNoAuthTried increments the metric for clients disconnected\n// for inactivity before trying to login\nfunc AddNoAuthTried() {}\n\n// HTTPRequestServed increments the metrics for HTTP requests\nfunc HTTPRequestServed(_ int) {}\n\n// UpdateActiveConnectionsSize sets the metric for active connections\nfunc UpdateActiveConnectionsSize(_ int) {}\n" }, { "path": "internal/mfa/mfa.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n// Package mfa provides supports for Multi-Factor authentication modules\npackage mfa\n\nimport (\n\t\"bytes\"\n\t\"fmt\"\n\t\"image/png\"\n\t\"time\"\n\n\t\"github.com/pquerna/otp\"\n)\n\nvar (\n\ttotpConfigs []*TOTPConfig\n\tserviceStatus ServiceStatus\n)\n\n// ServiceStatus defines the service status\ntype ServiceStatus struct {\n\tIsActive bool `json:\"is_active\"`\n\tTOTPConfigs []TOTPConfig `json:\"totp_configs\"`\n}\n\n// GetStatus returns the service status\nfunc GetStatus() ServiceStatus {\n\treturn serviceStatus\n}\n\n// Config defines configuration parameters for Multi-Factor authentication modules\ntype Config struct {\n\t// Time-based one time passwords configurations\n\tTOTP []TOTPConfig `json:\"totp\" mapstructure:\"totp\"`\n}\n\n// Initialize configures the MFA support\nfunc (c *Config) Initialize() error {\n\ttotpConfigs = nil\n\tserviceStatus.IsActive = false\n\tserviceStatus.TOTPConfigs = nil\n\ttotp := make(map[string]bool)\n\tfor _, totpConfig := range c.TOTP {\n\t\ttotpConfig := totpConfig //pin\n\t\tif err := totpConfig.validate(); err != nil {\n\t\t\ttotpConfigs = nil\n\t\t\treturn fmt.Errorf(\"invalid TOTP config %+v: %v\", totpConfig, err)\n\t\t}\n\t\tif _, ok := totp[totpConfig.Name]; ok {\n\t\t\ttotpConfigs = nil\n\t\t\treturn fmt.Errorf(\"totp: duplicate configuration name %q\", totpConfig.Name)\n\t\t}\n\t\ttotp[totpConfig.Name] = true\n\t\ttotpConfigs = append(totpConfigs, &totpConfig)\n\t\tserviceStatus.IsActive = true\n\t\tserviceStatus.TOTPConfigs = append(serviceStatus.TOTPConfigs, totpConfig)\n\t}\n\tstartCleanupTicker(2 * time.Minute)\n\treturn nil\n}\n\n// GetAvailableTOTPConfigs returns the available TOTP configs\nfunc GetAvailableTOTPConfigs() []*TOTPConfig {\n\treturn totpConfigs\n}\n\n// GetAvailableTOTPConfigNames returns the available TOTP config names\nfunc GetAvailableTOTPConfigNames() []string {\n\tvar result []string\n\tfor _, c := range totpConfigs {\n\t\tresult = append(result, c.Name)\n\t}\n\treturn result\n}\n\n// ValidateTOTPPasscode validates a TOTP passcode using the given secret and configName\nfunc ValidateTOTPPasscode(configName, passcode, secret string) (bool, error) {\n\tfor _, config := range totpConfigs {\n\t\tif config.Name == configName {\n\t\t\treturn config.validatePasscode(passcode, secret)\n\t\t}\n\t}\n\n\treturn false, fmt.Errorf(\"totp: no configuration %q\", configName)\n}\n\n// GenerateTOTPSecret generates a new TOTP secret and QR code for the given username\n// using the configuration with configName\nfunc GenerateTOTPSecret(configName, username string) (string, *otp.Key, []byte, error) {\n\tfor _, config := range totpConfigs {\n\t\tif config.Name == configName {\n\t\t\tkey, qrCode, err := config.generate(username, 200, 200)\n\t\t\treturn configName, key, qrCode, err\n\t\t}\n\t}\n\n\treturn \"\", nil, nil, fmt.Errorf(\"totp: no configuration %q\", configName)\n}\n\n// GenerateQRCodeFromURL generates a QR code from a TOTP URL\nfunc GenerateQRCodeFromURL(url string, width, height int) ([]byte, error) {\n\tkey, err := otp.NewKeyFromURL(url)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tvar buf bytes.Buffer\n\timg, err := key.Image(width, height)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\terr = png.Encode(&buf, img)\n\treturn buf.Bytes(), err\n}\n\n// the ticker cannot be started/stopped from multiple goroutines\nfunc startCleanupTicker(duration time.Duration) {\n\tstopCleanupTicker()\n\tcleanupTicker = time.NewTicker(duration)\n\tcleanupDone = make(chan bool)\n\n\tgo func() {\n\t\tfor {\n\t\t\tselect {\n\t\t\tcase <-cleanupDone:\n\t\t\t\treturn\n\t\t\tcase <-cleanupTicker.C:\n\t\t\t\tcleanupUsedPasscodes()\n\t\t\t}\n\t\t}\n\t}()\n}\n\nfunc stopCleanupTicker() {\n\tif cleanupTicker != nil {\n\t\tcleanupTicker.Stop()\n\t\tcleanupDone <- true\n\t\tcleanupTicker = nil\n\t}\n}\n" }, { "path": "internal/mfa/mfa_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage mfa\n\nimport (\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/pquerna/otp\"\n\t\"github.com/pquerna/otp/totp\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n)\n\nfunc TestMFAConfig(t *testing.T) {\n\tconfig := Config{\n\t\tTOTP: []TOTPConfig{\n\t\t\t{},\n\t\t},\n\t}\n\tconfigName1 := \"config1\"\n\tconfigName2 := \"config2\"\n\tconfigName3 := \"config3\"\n\terr := config.Initialize()\n\tassert.Error(t, err)\n\tconfig.TOTP[0].Name = configName1\n\terr = config.Initialize()\n\tassert.Error(t, err)\n\tconfig.TOTP[0].Issuer = \"issuer\"\n\terr = config.Initialize()\n\tassert.Error(t, err)\n\tconfig.TOTP[0].Algo = TOTPAlgoSHA1\n\terr = config.Initialize()\n\tassert.NoError(t, err)\n\tconfig.TOTP = append(config.TOTP, TOTPConfig{\n\t\tName: configName1,\n\t\tIssuer: \"SFTPGo\",\n\t\tAlgo: TOTPAlgoSHA512,\n\t})\n\terr = config.Initialize()\n\tassert.Error(t, err)\n\tconfig.TOTP[1].Name = configName2\n\terr = config.Initialize()\n\tassert.NoError(t, err)\n\tassert.Len(t, GetAvailableTOTPConfigs(), 2)\n\tassert.Len(t, GetAvailableTOTPConfigNames(), 2)\n\tconfig.TOTP = append(config.TOTP, TOTPConfig{\n\t\tName: configName3,\n\t\tIssuer: \"SFTPGo\",\n\t\tAlgo: TOTPAlgoSHA256,\n\t})\n\terr = config.Initialize()\n\tassert.NoError(t, err)\n\tassert.Len(t, GetAvailableTOTPConfigs(), 3)\n\tif assert.Len(t, GetAvailableTOTPConfigNames(), 3) {\n\t\tassert.Contains(t, GetAvailableTOTPConfigNames(), configName1)\n\t\tassert.Contains(t, GetAvailableTOTPConfigNames(), configName2)\n\t\tassert.Contains(t, GetAvailableTOTPConfigNames(), configName3)\n\t}\n\tstatus := GetStatus()\n\tassert.True(t, status.IsActive)\n\tif assert.Len(t, status.TOTPConfigs, 3) {\n\t\tassert.Equal(t, configName1, status.TOTPConfigs[0].Name)\n\t\tassert.Equal(t, configName2, status.TOTPConfigs[1].Name)\n\t\tassert.Equal(t, configName3, status.TOTPConfigs[2].Name)\n\t}\n\t// now generate some secrets and validate some passcodes\n\t_, _, _, err = GenerateTOTPSecret(\"\", \"\") //nolint:dogsled\n\tassert.Error(t, err)\n\tmatch, err := ValidateTOTPPasscode(\"\", \"\", \"\")\n\tassert.Error(t, err)\n\tassert.False(t, match)\n\tcfgName, key, _, err := GenerateTOTPSecret(configName1, \"user1\")\n\tassert.NoError(t, err)\n\tassert.NotEmpty(t, key.Secret())\n\tassert.Equal(t, configName1, cfgName)\n\tpasscode, err := generatePasscode(key.Secret(), otp.AlgorithmSHA1)\n\tassert.NoError(t, err)\n\tmatch, err = ValidateTOTPPasscode(configName1, passcode, key.Secret())\n\tassert.NoError(t, err)\n\tassert.True(t, match)\n\tmatch, err = ValidateTOTPPasscode(configName1, passcode, key.Secret())\n\tassert.ErrorIs(t, err, errPasscodeUsed)\n\tassert.False(t, match)\n\n\tpasscode, err = generatePasscode(key.Secret(), otp.AlgorithmSHA256)\n\tassert.NoError(t, err)\n\t// config1 uses sha1 algo\n\tmatch, err = ValidateTOTPPasscode(configName1, passcode, key.Secret())\n\tassert.NoError(t, err)\n\tassert.False(t, match)\n\t// config3 use the expected algo\n\tmatch, err = ValidateTOTPPasscode(configName3, passcode, key.Secret())\n\tassert.NoError(t, err)\n\tassert.True(t, match)\n\n\tstopCleanupTicker()\n}\n\nfunc TestGenerateQRCodeFromURL(t *testing.T) {\n\t_, err := GenerateQRCodeFromURL(\"http://foo\\x7f.cloud\", 200, 200)\n\tassert.Error(t, err)\n\tconfig := TOTPConfig{\n\t\tName: \"config name\",\n\t\tIssuer: \"SFTPGo\",\n\t\tAlgo: TOTPAlgoSHA256,\n\t}\n\tkey, qrCode, err := config.generate(\"a\", 150, 150)\n\trequire.NoError(t, err)\n\n\tqrCode1, err := GenerateQRCodeFromURL(key.URL(), 150, 150)\n\trequire.NoError(t, err)\n\tassert.Equal(t, qrCode, qrCode1)\n\t_, err = GenerateQRCodeFromURL(key.URL(), 10, 10)\n\tassert.Error(t, err)\n}\n\nfunc TestCleanupPasscodes(t *testing.T) {\n\tusedPasscodes.Store(\"key\", time.Now().Add(-24*time.Hour).UTC())\n\tstartCleanupTicker(30 * time.Millisecond)\n\tassert.Eventually(t, func() bool {\n\t\t_, ok := usedPasscodes.Load(\"key\")\n\t\treturn !ok\n\t}, 1000*time.Millisecond, 100*time.Millisecond)\n\tstopCleanupTicker()\n}\n\nfunc TestTOTPGenerateErrors(t *testing.T) {\n\tconfig := TOTPConfig{\n\t\tName: \"name\",\n\t\tIssuer: \"\",\n\t\talgo: otp.AlgorithmSHA1,\n\t}\n\t// issuer cannot be empty\n\t_, _, err := config.generate(\"username\", 200, 200) //nolint:dogsled\n\tassert.Error(t, err)\n\tconfig.Issuer = \"issuer\"\n\t// we cannot encode an image smaller than 45x45\n\t_, _, err = config.generate(\"username\", 30, 30) //nolint:dogsled\n\tassert.Error(t, err)\n}\n\nfunc generatePasscode(secret string, algo otp.Algorithm) (string, error) {\n\treturn totp.GenerateCodeCustom(secret, time.Now(), totp.ValidateOpts{\n\t\tPeriod: 30,\n\t\tSkew: 1,\n\t\tDigits: otp.DigitsSix,\n\t\tAlgorithm: algo,\n\t})\n}\n" }, { "path": "internal/mfa/totp.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage mfa\n\nimport (\n\t\"bytes\"\n\t\"errors\"\n\t\"fmt\"\n\t\"image/png\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/pquerna/otp\"\n\t\"github.com/pquerna/otp/totp\"\n)\n\n// TOTPHMacAlgo is the enumerable for the possible HMAC algorithms for Time-based one time passwords\ntype TOTPHMacAlgo = string\n\n// supported TOTP HMAC algorithms\nconst (\n\tTOTPAlgoSHA1 TOTPHMacAlgo = \"sha1\"\n\tTOTPAlgoSHA256 TOTPHMacAlgo = \"sha256\"\n\tTOTPAlgoSHA512 TOTPHMacAlgo = \"sha512\"\n)\n\nvar (\n\tcleanupTicker *time.Ticker\n\tcleanupDone chan bool\n\tusedPasscodes sync.Map\n\terrPasscodeUsed = errors.New(\"this passcode was already used\")\n)\n\n// TOTPConfig defines the configuration for a Time-based one time password\ntype TOTPConfig struct {\n\tName string `json:\"name\" mapstructure:\"name\"`\n\tIssuer string `json:\"issuer\" mapstructure:\"issuer\"`\n\tAlgo TOTPHMacAlgo `json:\"algo\" mapstructure:\"algo\"`\n\talgo otp.Algorithm\n}\n\nfunc (c *TOTPConfig) validate() error {\n\tif c.Name == \"\" {\n\t\treturn errors.New(\"totp: name is mandatory\")\n\t}\n\tif c.Issuer == \"\" {\n\t\treturn errors.New(\"totp: issuer is mandatory\")\n\t}\n\tswitch c.Algo {\n\tcase TOTPAlgoSHA1:\n\t\tc.algo = otp.AlgorithmSHA1\n\tcase TOTPAlgoSHA256:\n\t\tc.algo = otp.AlgorithmSHA256\n\tcase TOTPAlgoSHA512:\n\t\tc.algo = otp.AlgorithmSHA512\n\tdefault:\n\t\treturn fmt.Errorf(\"unsupported totp algo %q\", c.Algo)\n\t}\n\treturn nil\n}\n\n// validatePasscode validates a TOTP passcode\nfunc (c *TOTPConfig) validatePasscode(passcode, secret string) (bool, error) {\n\tkey := fmt.Sprintf(\"%v_%v\", secret, passcode)\n\tif _, ok := usedPasscodes.Load(key); ok {\n\t\treturn false, errPasscodeUsed\n\t}\n\tmatch, err := totp.ValidateCustom(passcode, secret, time.Now().UTC(), totp.ValidateOpts{\n\t\tPeriod: 30,\n\t\tSkew: 1,\n\t\tDigits: otp.DigitsSix,\n\t\tAlgorithm: c.algo,\n\t})\n\tif match && err == nil {\n\t\tusedPasscodes.Store(key, time.Now().Add(1*time.Minute).UTC())\n\t}\n\treturn match, err\n}\n\n// generate generates a new TOTP secret and QR code for the given username\nfunc (c *TOTPConfig) generate(username string, qrCodeWidth, qrCodeHeight int) (*otp.Key, []byte, error) {\n\tkey, err := totp.Generate(totp.GenerateOpts{\n\t\tIssuer: c.Issuer,\n\t\tAccountName: username,\n\t\tDigits: otp.DigitsSix,\n\t\tAlgorithm: c.algo,\n\t})\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\tvar buf bytes.Buffer\n\timg, err := key.Image(qrCodeWidth, qrCodeHeight)\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\terr = png.Encode(&buf, img)\n\treturn key, buf.Bytes(), err\n}\n\nfunc cleanupUsedPasscodes() {\n\tusedPasscodes.Range(func(key, value any) bool {\n\t\texp, ok := value.(time.Time)\n\t\tif !ok || exp.Before(time.Now().UTC()) {\n\t\t\tusedPasscodes.Delete(key)\n\t\t}\n\t\treturn true\n\t})\n}\n" }, { "path": "internal/plugin/auth.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage plugin\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\n\t\"github.com/hashicorp/go-hclog\"\n\t\"github.com/hashicorp/go-plugin\"\n\t\"github.com/sftpgo/sdk/plugin/auth\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n)\n\n// Supported auth scopes\nconst (\n\tAuthScopePassword = 1\n\tAuthScopePublicKey = 2\n\tAuthScopeKeyboardInteractive = 4\n\tAuthScopeTLSCertificate = 8\n)\n\n// KeyboardAuthRequest defines the request for a keyboard interactive authentication step\ntype KeyboardAuthRequest struct {\n\tRequestID string `json:\"request_id\"`\n\tStep int `json:\"step\"`\n\tUsername string `json:\"username,omitempty\"`\n\tIP string `json:\"ip,omitempty\"`\n\tPassword string `json:\"password,omitempty\"`\n\tAnswers []string `json:\"answers,omitempty\"`\n\tQuestions []string `json:\"questions,omitempty\"`\n}\n\n// KeyboardAuthResponse defines the response for a keyboard interactive authentication step\ntype KeyboardAuthResponse struct {\n\tInstruction string `json:\"instruction\"`\n\tQuestions []string `json:\"questions\"`\n\tEchos []bool `json:\"echos\"`\n\tAuthResult int `json:\"auth_result\"`\n\tCheckPwd int `json:\"check_password\"`\n}\n\n// Validate returns an error if the KeyboardAuthResponse is invalid\nfunc (r *KeyboardAuthResponse) Validate() error {\n\tif len(r.Questions) == 0 {\n\t\terr := errors.New(\"interactive auth error: response does not contain questions\")\n\t\treturn err\n\t}\n\tif len(r.Questions) != len(r.Echos) {\n\t\terr := fmt.Errorf(\"interactive auth error: response questions don't match echos: %v %v\",\n\t\t\tlen(r.Questions), len(r.Echos))\n\t\treturn err\n\t}\n\treturn nil\n}\n\n// AuthConfig defines configuration parameters for auth plugins\ntype AuthConfig struct {\n\t// Scope defines the scope for the authentication plugin.\n\t// - 1 means passwords only\n\t// - 2 means public keys only\n\t// - 4 means keyboard interactive only\n\t// - 8 means TLS certificates only\n\t// you can combine the scopes, for example 3 means password and public key, 5 password and keyboard\n\t// interactive and so on\n\tScope int `json:\"scope\" mapstructure:\"scope\"`\n}\n\nfunc (c *AuthConfig) validate() error {\n\tauthScopeMax := AuthScopePassword + AuthScopePublicKey + AuthScopeKeyboardInteractive + AuthScopeTLSCertificate\n\tif c.Scope == 0 || c.Scope > authScopeMax {\n\t\treturn fmt.Errorf(\"invalid auth scope: %v\", c.Scope)\n\t}\n\treturn nil\n}\n\ntype authPlugin struct {\n\tconfig Config\n\tservice auth.Authenticator\n\tclient *plugin.Client\n}\n\nfunc newAuthPlugin(config Config) (*authPlugin, error) {\n\tp := &authPlugin{\n\t\tconfig: config,\n\t}\n\tif err := p.initialize(); err != nil {\n\t\tlogger.Warn(logSender, \"\", \"unable to create auth plugin: %v, config %+v\", err, config)\n\t\treturn nil, err\n\t}\n\treturn p, nil\n}\n\nfunc (p *authPlugin) initialize() error {\n\tkillProcess(p.config.Cmd)\n\tlogger.Debug(logSender, \"\", \"create new auth plugin %q\", p.config.Cmd)\n\tif err := p.config.AuthOptions.validate(); err != nil {\n\t\treturn fmt.Errorf(\"invalid options for auth plugin %q: %v\", p.config.Cmd, err)\n\t}\n\n\tsecureConfig, err := p.config.getSecureConfig()\n\tif err != nil {\n\t\treturn err\n\t}\n\tclient := plugin.NewClient(&plugin.ClientConfig{\n\t\tHandshakeConfig: auth.Handshake,\n\t\tPlugins: auth.PluginMap,\n\t\tCmd: p.config.getCommand(),\n\t\tSkipHostEnv: true,\n\t\tAllowedProtocols: []plugin.Protocol{\n\t\t\tplugin.ProtocolGRPC,\n\t\t},\n\t\tAutoMTLS: p.config.AutoMTLS,\n\t\tSecureConfig: secureConfig,\n\t\tManaged: false,\n\t\tLogger: &logger.HCLogAdapter{\n\t\t\tLogger: hclog.New(&hclog.LoggerOptions{\n\t\t\t\tName: fmt.Sprintf(\"%v.%v\", logSender, auth.PluginName),\n\t\t\t\tLevel: pluginsLogLevel,\n\t\t\t\tDisableTime: true,\n\t\t\t}),\n\t\t},\n\t})\n\trpcClient, err := client.Client()\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"unable to get rpc client for auth plugin %q: %v\", p.config.Cmd, err)\n\t\treturn err\n\t}\n\traw, err := rpcClient.Dispense(auth.PluginName)\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"unable to get plugin %v from rpc client for command %q: %v\",\n\t\t\tauth.PluginName, p.config.Cmd, err)\n\t\treturn err\n\t}\n\n\tp.service = raw.(auth.Authenticator)\n\tp.client = client\n\n\treturn nil\n}\n\nfunc (p *authPlugin) exited() bool {\n\treturn p.client.Exited()\n}\n\nfunc (p *authPlugin) cleanup() {\n\tp.client.Kill()\n}\n\nfunc (p *authPlugin) checkUserAndPass(username, password, ip, protocol string, userAsJSON []byte) ([]byte, error) {\n\treturn p.service.CheckUserAndPass(username, password, ip, protocol, userAsJSON)\n}\n\nfunc (p *authPlugin) checkUserAndTLSCertificate(username, tlsCert, ip, protocol string, userAsJSON []byte) ([]byte, error) {\n\treturn p.service.CheckUserAndTLSCert(username, tlsCert, ip, protocol, userAsJSON)\n}\n\nfunc (p *authPlugin) checkUserAndPublicKey(username, pubKey, ip, protocol string, userAsJSON []byte) ([]byte, error) {\n\treturn p.service.CheckUserAndPublicKey(username, pubKey, ip, protocol, userAsJSON)\n}\n\nfunc (p *authPlugin) checkUserAndKeyboardInteractive(username, ip, protocol string, userAsJSON []byte) ([]byte, error) {\n\treturn p.service.CheckUserAndKeyboardInteractive(username, ip, protocol, userAsJSON)\n}\n\nfunc (p *authPlugin) sendKeyboardIteractiveRequest(req *KeyboardAuthRequest) (*KeyboardAuthResponse, error) {\n\tinstructions, questions, echos, authResult, checkPassword, err := p.service.SendKeyboardAuthRequest(\n\t\treq.RequestID, req.Username, req.Password, req.IP, req.Answers, req.Questions, int32(req.Step))\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn &KeyboardAuthResponse{\n\t\tInstruction: instructions,\n\t\tQuestions: questions,\n\t\tEchos: echos,\n\t\tAuthResult: authResult,\n\t\tCheckPwd: checkPassword,\n\t}, nil\n}\n" }, { "path": "internal/plugin/ipfilter.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage plugin\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/hashicorp/go-hclog\"\n\t\"github.com/hashicorp/go-plugin\"\n\t\"github.com/sftpgo/sdk/plugin/ipfilter\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n)\n\ntype ipFilterPlugin struct {\n\tconfig Config\n\tfilter ipfilter.Filter\n\tclient *plugin.Client\n}\n\nfunc newIPFilterPlugin(config Config) (*ipFilterPlugin, error) {\n\tp := &ipFilterPlugin{\n\t\tconfig: config,\n\t}\n\tif err := p.initialize(); err != nil {\n\t\tlogger.Warn(logSender, \"\", \"unable to create IP filter plugin: %v, config %+v\", err, config)\n\t\treturn nil, err\n\t}\n\treturn p, nil\n}\n\nfunc (p *ipFilterPlugin) exited() bool {\n\treturn p.client.Exited()\n}\n\nfunc (p *ipFilterPlugin) cleanup() {\n\tp.client.Kill()\n}\n\nfunc (p *ipFilterPlugin) initialize() error {\n\tlogger.Debug(logSender, \"\", \"create new IP filter plugin %q\", p.config.Cmd)\n\tkillProcess(p.config.Cmd)\n\tsecureConfig, err := p.config.getSecureConfig()\n\tif err != nil {\n\t\treturn err\n\t}\n\tclient := plugin.NewClient(&plugin.ClientConfig{\n\t\tHandshakeConfig: ipfilter.Handshake,\n\t\tPlugins: ipfilter.PluginMap,\n\t\tCmd: p.config.getCommand(),\n\t\tSkipHostEnv: true,\n\t\tAllowedProtocols: []plugin.Protocol{\n\t\t\tplugin.ProtocolGRPC,\n\t\t},\n\t\tAutoMTLS: p.config.AutoMTLS,\n\t\tSecureConfig: secureConfig,\n\t\tManaged: false,\n\t\tLogger: &logger.HCLogAdapter{\n\t\t\tLogger: hclog.New(&hclog.LoggerOptions{\n\t\t\t\tName: fmt.Sprintf(\"%v.%v\", logSender, ipfilter.PluginName),\n\t\t\t\tLevel: pluginsLogLevel,\n\t\t\t\tDisableTime: true,\n\t\t\t}),\n\t\t},\n\t})\n\trpcClient, err := client.Client()\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"unable to get rpc client for plugin %q: %v\", p.config.Cmd, err)\n\t\treturn err\n\t}\n\traw, err := rpcClient.Dispense(ipfilter.PluginName)\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"unable to get plugin %v from rpc client for command %q: %v\",\n\t\t\tipfilter.PluginName, p.config.Cmd, err)\n\t\treturn err\n\t}\n\n\tp.client = client\n\tp.filter = raw.(ipfilter.Filter)\n\n\treturn nil\n}\n" }, { "path": "internal/plugin/kms.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage plugin\n\nimport (\n\t\"fmt\"\n\t\"path/filepath\"\n\t\"slices\"\n\n\t\"github.com/hashicorp/go-hclog\"\n\t\"github.com/hashicorp/go-plugin\"\n\tsdkkms \"github.com/sftpgo/sdk/kms\"\n\tkmsplugin \"github.com/sftpgo/sdk/plugin/kms\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n)\n\nvar (\n\tvalidKMSSchemes = []string{sdkkms.SchemeAWS, sdkkms.SchemeGCP, sdkkms.SchemeVaultTransit,\n\t\tsdkkms.SchemeAzureKeyVault, sdkkms.SchemeOracleKeyVault}\n\tvalidKMSEncryptedStatuses = []string{sdkkms.SecretStatusVaultTransit, sdkkms.SecretStatusAWS, sdkkms.SecretStatusGCP,\n\t\tsdkkms.SecretStatusAzureKeyVault, sdkkms.SecretStatusOracleKeyVault}\n)\n\n// KMSConfig defines configuration parameters for kms plugins\ntype KMSConfig struct {\n\tScheme string `json:\"scheme\" mapstructure:\"scheme\"`\n\tEncryptedStatus string `json:\"encrypted_status\" mapstructure:\"encrypted_status\"`\n}\n\nfunc (c *KMSConfig) validate() error {\n\tif !slices.Contains(validKMSSchemes, c.Scheme) {\n\t\treturn fmt.Errorf(\"invalid kms scheme: %v\", c.Scheme)\n\t}\n\tif !slices.Contains(validKMSEncryptedStatuses, c.EncryptedStatus) {\n\t\treturn fmt.Errorf(\"invalid kms encrypted status: %v\", c.EncryptedStatus)\n\t}\n\treturn nil\n}\n\ntype kmsPlugin struct {\n\tconfig Config\n\tservice kmsplugin.Service\n\tclient *plugin.Client\n}\n\nfunc newKMSPlugin(config Config) (*kmsPlugin, error) {\n\tp := &kmsPlugin{\n\t\tconfig: config,\n\t}\n\tif err := p.initialize(); err != nil {\n\t\tlogger.Warn(logSender, \"\", \"unable to create kms plugin: %v, config %+v\", err, config)\n\t\treturn nil, err\n\t}\n\treturn p, nil\n}\n\nfunc (p *kmsPlugin) initialize() error {\n\tkillProcess(p.config.Cmd)\n\tlogger.Debug(logSender, \"\", \"create new kms plugin %q\", p.config.Cmd)\n\tif err := p.config.KMSOptions.validate(); err != nil {\n\t\treturn fmt.Errorf(\"invalid options for kms plugin %q: %v\", p.config.Cmd, err)\n\t}\n\tsecureConfig, err := p.config.getSecureConfig()\n\tif err != nil {\n\t\treturn err\n\t}\n\tclient := plugin.NewClient(&plugin.ClientConfig{\n\t\tHandshakeConfig: kmsplugin.Handshake,\n\t\tPlugins: kmsplugin.PluginMap,\n\t\tCmd: p.config.getCommand(),\n\t\tSkipHostEnv: true,\n\t\tAllowedProtocols: []plugin.Protocol{\n\t\t\tplugin.ProtocolGRPC,\n\t\t},\n\t\tAutoMTLS: p.config.AutoMTLS,\n\t\tSecureConfig: secureConfig,\n\t\tManaged: false,\n\t\tLogger: &logger.HCLogAdapter{\n\t\t\tLogger: hclog.New(&hclog.LoggerOptions{\n\t\t\t\tName: fmt.Sprintf(\"%v.%v\", logSender, kmsplugin.PluginName),\n\t\t\t\tLevel: pluginsLogLevel,\n\t\t\t\tDisableTime: true,\n\t\t\t}),\n\t\t},\n\t})\n\trpcClient, err := client.Client()\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"unable to get rpc client for kms plugin %q: %v\", p.config.Cmd, err)\n\t\treturn err\n\t}\n\traw, err := rpcClient.Dispense(kmsplugin.PluginName)\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"unable to get plugin %v from rpc client for command %q: %v\",\n\t\t\tkmsplugin.PluginName, p.config.Cmd, err)\n\t\treturn err\n\t}\n\n\tp.client = client\n\tp.service = raw.(kmsplugin.Service)\n\n\treturn nil\n}\n\nfunc (p *kmsPlugin) exited() bool {\n\treturn p.client.Exited()\n}\n\nfunc (p *kmsPlugin) cleanup() {\n\tp.client.Kill()\n}\n\nfunc (p *kmsPlugin) Encrypt(secret kms.BaseSecret, url string, masterKey string) (string, string, int32, error) {\n\treturn p.service.Encrypt(secret.Payload, secret.AdditionalData, url, masterKey)\n}\n\nfunc (p *kmsPlugin) Decrypt(secret kms.BaseSecret, url string, masterKey string) (string, error) {\n\treturn p.service.Decrypt(secret.Payload, secret.Key, secret.AdditionalData, secret.Mode, url, masterKey)\n}\n\ntype kmsPluginSecretProvider struct {\n\tkms.BaseSecret\n\tURL string\n\tMasterKey string\n\tconfig *Config\n}\n\nfunc (s *kmsPluginSecretProvider) Name() string {\n\treturn fmt.Sprintf(\"KMSPlugin_%v_%v_%v\", filepath.Base(s.config.Cmd), s.config.KMSOptions.Scheme, s.config.kmsID)\n}\n\nfunc (s *kmsPluginSecretProvider) IsEncrypted() bool {\n\treturn s.Status == s.config.KMSOptions.EncryptedStatus\n}\n\nfunc (s *kmsPluginSecretProvider) Encrypt() error {\n\tif s.Status != sdkkms.SecretStatusPlain {\n\t\treturn kms.ErrWrongSecretStatus\n\t}\n\tif s.Payload == \"\" {\n\t\treturn kms.ErrInvalidSecret\n\t}\n\n\tpayload, key, mode, err := Handler.kmsEncrypt(s.BaseSecret, s.URL, s.MasterKey, s.config.kmsID)\n\tif err != nil {\n\t\treturn err\n\t}\n\ts.Status = s.config.KMSOptions.EncryptedStatus\n\ts.Payload = payload\n\ts.Key = key\n\ts.Mode = int(mode)\n\n\treturn nil\n}\n\nfunc (s *kmsPluginSecretProvider) Decrypt() error {\n\tif !s.IsEncrypted() {\n\t\treturn kms.ErrWrongSecretStatus\n\t}\n\tpayload, err := Handler.kmsDecrypt(s.BaseSecret, s.URL, s.MasterKey, s.config.kmsID)\n\tif err != nil {\n\t\treturn err\n\t}\n\ts.Status = sdkkms.SecretStatusPlain\n\ts.Payload = payload\n\ts.Key = \"\"\n\ts.AdditionalData = \"\"\n\ts.Mode = 0\n\n\treturn nil\n}\n\nfunc (s *kmsPluginSecretProvider) Clone() kms.SecretProvider {\n\tbaseSecret := kms.BaseSecret{\n\t\tStatus: s.Status,\n\t\tPayload: s.Payload,\n\t\tKey: s.Key,\n\t\tAdditionalData: s.AdditionalData,\n\t\tMode: s.Mode,\n\t}\n\treturn s.config.newKMSPluginSecretProvider(baseSecret, s.URL, s.MasterKey)\n}\n" }, { "path": "internal/plugin/notifier.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage plugin\n\nimport (\n\t\"fmt\"\n\t\"slices\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/hashicorp/go-hclog\"\n\t\"github.com/hashicorp/go-plugin\"\n\t\"github.com/sftpgo/sdk/plugin/notifier\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n)\n\n// NotifierConfig defines configuration parameters for notifiers plugins\ntype NotifierConfig struct {\n\tFsEvents []string `json:\"fs_events\" mapstructure:\"fs_events\"`\n\tProviderEvents []string `json:\"provider_events\" mapstructure:\"provider_events\"`\n\tProviderObjects []string `json:\"provider_objects\" mapstructure:\"provider_objects\"`\n\tLogEvents []int `json:\"log_events\" mapstructure:\"log_events\"`\n\tRetryMaxTime int `json:\"retry_max_time\" mapstructure:\"retry_max_time\"`\n\tRetryQueueMaxSize int `json:\"retry_queue_max_size\" mapstructure:\"retry_queue_max_size\"`\n}\n\nfunc (c *NotifierConfig) hasActions() bool {\n\tif len(c.FsEvents) > 0 {\n\t\treturn true\n\t}\n\tif len(c.ProviderEvents) > 0 && len(c.ProviderObjects) > 0 {\n\t\treturn true\n\t}\n\tif len(c.LogEvents) > 0 {\n\t\treturn true\n\t}\n\treturn false\n}\n\ntype notifierPlugin struct {\n\tconfig Config\n\tnotifier notifier.Notifier\n\tclient *plugin.Client\n\tmu sync.RWMutex\n\tfsEvents []*notifier.FsEvent\n\tproviderEvents []*notifier.ProviderEvent\n\tlogEvents []*notifier.LogEvent\n}\n\nfunc newNotifierPlugin(config Config) (*notifierPlugin, error) {\n\tp := ¬ifierPlugin{\n\t\tconfig: config,\n\t}\n\tif err := p.initialize(); err != nil {\n\t\tlogger.Warn(logSender, \"\", \"unable to create notifier plugin: %v, config %+v\", err, config)\n\t\treturn nil, err\n\t}\n\treturn p, nil\n}\n\nfunc (p *notifierPlugin) exited() bool {\n\treturn p.client.Exited()\n}\n\nfunc (p *notifierPlugin) cleanup() {\n\tp.client.Kill()\n}\n\nfunc (p *notifierPlugin) initialize() error {\n\tkillProcess(p.config.Cmd)\n\tlogger.Debug(logSender, \"\", \"create new notifier plugin %q\", p.config.Cmd)\n\tif !p.config.NotifierOptions.hasActions() {\n\t\treturn fmt.Errorf(\"no actions defined for the notifier plugin %q\", p.config.Cmd)\n\t}\n\tsecureConfig, err := p.config.getSecureConfig()\n\tif err != nil {\n\t\treturn err\n\t}\n\tclient := plugin.NewClient(&plugin.ClientConfig{\n\t\tHandshakeConfig: notifier.Handshake,\n\t\tPlugins: notifier.PluginMap,\n\t\tCmd: p.config.getCommand(),\n\t\tSkipHostEnv: true,\n\t\tAllowedProtocols: []plugin.Protocol{\n\t\t\tplugin.ProtocolGRPC,\n\t\t},\n\t\tAutoMTLS: p.config.AutoMTLS,\n\t\tSecureConfig: secureConfig,\n\t\tManaged: false,\n\t\tLogger: &logger.HCLogAdapter{\n\t\t\tLogger: hclog.New(&hclog.LoggerOptions{\n\t\t\t\tName: fmt.Sprintf(\"%s.%s\", logSender, notifier.PluginName),\n\t\t\t\tLevel: pluginsLogLevel,\n\t\t\t\tDisableTime: true,\n\t\t\t}),\n\t\t},\n\t})\n\trpcClient, err := client.Client()\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"unable to get rpc client for plugin %q: %v\", p.config.Cmd, err)\n\t\treturn err\n\t}\n\traw, err := rpcClient.Dispense(notifier.PluginName)\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"unable to get plugin %v from rpc client for command %q: %v\",\n\t\t\tnotifier.PluginName, p.config.Cmd, err)\n\t\treturn err\n\t}\n\n\tp.client = client\n\tp.notifier = raw.(notifier.Notifier)\n\n\treturn nil\n}\n\nfunc (p *notifierPlugin) queueSize() int {\n\tp.mu.RLock()\n\tdefer p.mu.RUnlock()\n\n\treturn len(p.providerEvents) + len(p.fsEvents) + len(p.logEvents)\n}\n\nfunc (p *notifierPlugin) queueFsEvent(ev *notifier.FsEvent) {\n\tp.mu.Lock()\n\tdefer p.mu.Unlock()\n\n\tp.fsEvents = append(p.fsEvents, ev)\n}\n\nfunc (p *notifierPlugin) queueProviderEvent(ev *notifier.ProviderEvent) {\n\tp.mu.Lock()\n\tdefer p.mu.Unlock()\n\n\tp.providerEvents = append(p.providerEvents, ev)\n}\n\nfunc (p *notifierPlugin) queueLogEvent(ev *notifier.LogEvent) {\n\tp.mu.Lock()\n\tdefer p.mu.Unlock()\n\n\tp.logEvents = append(p.logEvents, ev)\n}\n\nfunc (p *notifierPlugin) canQueueEvent(timestamp int64) bool {\n\tif p.config.NotifierOptions.RetryMaxTime == 0 {\n\t\treturn false\n\t}\n\tif time.Now().After(time.Unix(0, timestamp).Add(time.Duration(p.config.NotifierOptions.RetryMaxTime) * time.Second)) {\n\t\tlogger.Warn(logSender, \"\", \"dropping too late event for plugin %v, event timestamp: %v\",\n\t\t\tp.config.Cmd, time.Unix(0, timestamp))\n\t\treturn false\n\t}\n\tif p.config.NotifierOptions.RetryQueueMaxSize > 0 {\n\t\treturn p.queueSize() < p.config.NotifierOptions.RetryQueueMaxSize\n\t}\n\treturn true\n}\n\nfunc (p *notifierPlugin) notifyFsAction(event *notifier.FsEvent) {\n\tif !slices.Contains(p.config.NotifierOptions.FsEvents, event.Action) {\n\t\treturn\n\t}\n\tp.sendFsEvent(event)\n}\n\nfunc (p *notifierPlugin) notifyProviderAction(event *notifier.ProviderEvent, object Renderer) {\n\tif !slices.Contains(p.config.NotifierOptions.ProviderEvents, event.Action) ||\n\t\t!slices.Contains(p.config.NotifierOptions.ProviderObjects, event.ObjectType) {\n\t\treturn\n\t}\n\tp.sendProviderEvent(event, object)\n}\n\nfunc (p *notifierPlugin) notifyLogEvent(event *notifier.LogEvent) {\n\tp.sendLogEvent(event)\n}\n\nfunc (p *notifierPlugin) sendFsEvent(ev *notifier.FsEvent) {\n\tgo func(event *notifier.FsEvent) {\n\t\tHandler.addTask()\n\t\tdefer Handler.removeTask()\n\n\t\tif err := p.notifier.NotifyFsEvent(event); err != nil {\n\t\t\tlogger.Warn(logSender, \"\", \"unable to send fs action notification to plugin %v: %v\", p.config.Cmd, err)\n\t\t\tif p.canQueueEvent(event.Timestamp) {\n\t\t\t\tp.queueFsEvent(event)\n\t\t\t}\n\t\t}\n\t}(ev)\n}\n\nfunc (p *notifierPlugin) sendProviderEvent(ev *notifier.ProviderEvent, object Renderer) {\n\tgo func(event *notifier.ProviderEvent) {\n\t\tHandler.addTask()\n\t\tdefer Handler.removeTask()\n\n\t\tif object != nil {\n\t\t\tobjectAsJSON, err := object.RenderAsJSON(event.Action != \"delete\")\n\t\t\tif err != nil {\n\t\t\t\tlogger.Error(logSender, \"\", \"unable to render user as json for action %q: %v\", event.Action, err)\n\t\t\t} else {\n\t\t\t\tevent.ObjectData = objectAsJSON\n\t\t\t}\n\t\t}\n\n\t\tif err := p.notifier.NotifyProviderEvent(event); err != nil {\n\t\t\tlogger.Warn(logSender, \"\", \"unable to send user action notification to plugin %v: %v\", p.config.Cmd, err)\n\t\t\tif p.canQueueEvent(event.Timestamp) {\n\t\t\t\tp.queueProviderEvent(event)\n\t\t\t}\n\t\t}\n\t}(ev)\n}\n\nfunc (p *notifierPlugin) sendLogEvent(ev *notifier.LogEvent) {\n\tgo func(event *notifier.LogEvent) {\n\t\tHandler.addTask()\n\t\tdefer Handler.removeTask()\n\n\t\tif err := p.notifier.NotifyLogEvent(event); err != nil {\n\t\t\tlogger.Warn(logSender, \"\", \"unable to send log event to plugin %v: %v\", p.config.Cmd, err)\n\t\t\tif p.canQueueEvent(event.Timestamp) {\n\t\t\t\tp.queueLogEvent(event)\n\t\t\t}\n\t\t}\n\t}(ev)\n}\n\nfunc (p *notifierPlugin) sendQueuedEvents() {\n\tqueueSize := p.queueSize()\n\tif queueSize == 0 {\n\t\treturn\n\t}\n\tp.mu.Lock()\n\tdefer p.mu.Unlock()\n\n\tlogger.Debug(logSender, \"\", \"send queued events for notifier %q, events size: %v\", p.config.Cmd, queueSize)\n\n\tfor _, ev := range p.fsEvents {\n\t\tp.sendFsEvent(ev)\n\t}\n\tp.fsEvents = nil\n\n\tfor _, ev := range p.providerEvents {\n\t\tp.sendProviderEvent(ev, nil)\n\t}\n\tp.providerEvents = nil\n\n\tfor _, ev := range p.logEvents {\n\t\tp.sendLogEvent(ev)\n\t}\n\tp.logEvents = nil\n\n\tlogger.Debug(logSender, \"\", \"%d queued events sent for notifier %q,\", queueSize, p.config.Cmd)\n}\n" }, { "path": "internal/plugin/plugin.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n// Package plugin provides support for the SFTPGo plugin system\npackage plugin\n\nimport (\n\t\"crypto/sha256\"\n\t\"crypto/x509\"\n\t\"encoding/hex\"\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"slices\"\n\t\"strings\"\n\t\"sync\"\n\t\"sync/atomic\"\n\t\"time\"\n\n\t\"github.com/hashicorp/go-hclog\"\n\t\"github.com/hashicorp/go-plugin\"\n\t\"github.com/sftpgo/sdk/plugin/auth\"\n\t\"github.com/sftpgo/sdk/plugin/eventsearcher\"\n\t\"github.com/sftpgo/sdk/plugin/ipfilter\"\n\tkmsplugin \"github.com/sftpgo/sdk/plugin/kms\"\n\t\"github.com/sftpgo/sdk/plugin/notifier\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nconst (\n\tlogSender = \"plugins\"\n)\n\nvar (\n\t// Handler defines the plugins manager\n\tHandler Manager\n\tpluginsLogLevel = hclog.Debug\n\t// ErrNoSearcher defines the error to return for events searches if no plugin is configured\n\tErrNoSearcher = errors.New(\"no events searcher plugin defined\")\n)\n\n// Renderer defines the interface for generic objects rendering\ntype Renderer interface {\n\tRenderAsJSON(reload bool) ([]byte, error)\n}\n\n// Config defines a plugin configuration\ntype Config struct {\n\t// Plugin type\n\tType string `json:\"type\" mapstructure:\"type\"`\n\t// NotifierOptions defines options for notifiers plugins\n\tNotifierOptions NotifierConfig `json:\"notifier_options\" mapstructure:\"notifier_options\"`\n\t// KMSOptions defines options for a KMS plugin\n\tKMSOptions KMSConfig `json:\"kms_options\" mapstructure:\"kms_options\"`\n\t// AuthOptions defines options for authentication plugins\n\tAuthOptions AuthConfig `json:\"auth_options\" mapstructure:\"auth_options\"`\n\t// Path to the plugin executable\n\tCmd string `json:\"cmd\" mapstructure:\"cmd\"`\n\t// Args to pass to the plugin executable\n\tArgs []string `json:\"args\" mapstructure:\"args\"`\n\t// SHA256 checksum for the plugin executable.\n\t// If not empty it will be used to verify the integrity of the executable\n\tSHA256Sum string `json:\"sha256sum\" mapstructure:\"sha256sum\"`\n\t// If enabled the client and the server automatically negotiate mTLS for\n\t// transport authentication. This ensures that only the original client will\n\t// be allowed to connect to the server, and all other connections will be\n\t// rejected. The client will also refuse to connect to any server that isn't\n\t// the original instance started by the client.\n\tAutoMTLS bool `json:\"auto_mtls\" mapstructure:\"auto_mtls\"`\n\t// EnvPrefix defines the prefix for env vars to pass from the SFTPGo process\n\t// environment to the plugin. Set to \"none\" to not pass any environment\n\t// variable, set to \"*\" to pass all environment variables. If empty, the\n\t// prefix is returned as the plugin name in uppercase with \"-\" replaced with\n\t// \"_\" and a trailing \"_\". For example if the plugin name is\n\t// sftpgo-plugin-eventsearch the prefix will be SFTPGO_PLUGIN_EVENTSEARCH_\n\tEnvPrefix string `json:\"env_prefix\" mapstructure:\"env_prefix\"`\n\t// Additional environment variable names to pass from the SFTPGo process\n\t// environment to the plugin.\n\tEnvVars []string `json:\"env_vars\" mapstructure:\"env_vars\"`\n\t// unique identifier for kms plugins\n\tkmsID int\n}\n\nfunc (c *Config) getSecureConfig() (*plugin.SecureConfig, error) {\n\tif c.SHA256Sum != \"\" {\n\t\tchecksum, err := hex.DecodeString(c.SHA256Sum)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"invalid sha256 hash %q: %w\", c.SHA256Sum, err)\n\t\t}\n\t\treturn &plugin.SecureConfig{\n\t\t\tChecksum: checksum,\n\t\t\tHash: sha256.New(),\n\t\t}, nil\n\t}\n\treturn nil, nil\n}\n\nfunc (c *Config) getEnvVarPrefix() string {\n\tif c.EnvPrefix == \"none\" {\n\t\treturn \"\"\n\t}\n\tif c.EnvPrefix != \"\" {\n\t\treturn c.EnvPrefix\n\t}\n\n\tbaseName := filepath.Base(c.Cmd)\n\tname := strings.TrimSuffix(baseName, filepath.Ext(baseName))\n\tprefix := strings.ToUpper(name) + \"_\"\n\treturn strings.ReplaceAll(prefix, \"-\", \"_\")\n}\n\nfunc (c *Config) getCommand() *exec.Cmd {\n\tcmd := exec.Command(c.Cmd, c.Args...)\n\tcmd.Env = []string{}\n\n\tif envVarPrefix := c.getEnvVarPrefix(); envVarPrefix != \"\" {\n\t\tif envVarPrefix == \"*\" {\n\t\t\tlogger.Debug(logSender, \"\", \"sharing all the environment variables with plugin %q\", c.Cmd)\n\t\t\tcmd.Env = append(cmd.Env, os.Environ()...)\n\t\t\treturn cmd\n\t\t}\n\t\tlogger.Debug(logSender, \"\", \"adding env vars with prefix %q for plugin %q\", envVarPrefix, c.Cmd)\n\t\tfor _, val := range os.Environ() {\n\t\t\tif strings.HasPrefix(val, envVarPrefix) {\n\t\t\t\tcmd.Env = append(cmd.Env, val)\n\t\t\t}\n\t\t}\n\t}\n\tlogger.Debug(logSender, \"\", \"additional env vars for plugin %q: %+v\", c.Cmd, c.EnvVars)\n\tfor _, key := range c.EnvVars {\n\t\tcmd.Env = append(cmd.Env, fmt.Sprintf(\"%s=%s\", key, os.Getenv(key)))\n\t}\n\treturn cmd\n}\n\nfunc (c *Config) newKMSPluginSecretProvider(base kms.BaseSecret, url, masterKey string) kms.SecretProvider {\n\treturn &kmsPluginSecretProvider{\n\t\tBaseSecret: base,\n\t\tURL: url,\n\t\tMasterKey: masterKey,\n\t\tconfig: c,\n\t}\n}\n\n// Manager handles enabled plugins\ntype Manager struct {\n\tclosed atomic.Bool\n\tdone chan bool\n\t// List of configured plugins\n\tConfigs []Config `json:\"plugins\" mapstructure:\"plugins\"`\n\tnotifLock sync.RWMutex\n\tnotifiers []*notifierPlugin\n\tkmsLock sync.RWMutex\n\tkms []*kmsPlugin\n\tauthLock sync.RWMutex\n\tauths []*authPlugin\n\tsearcherLock sync.RWMutex\n\tsearcher *searcherPlugin\n\tipFilterLock sync.RWMutex\n\tfilter *ipFilterPlugin\n\tauthScopes int\n\thasSearcher bool\n\thasNotifiers bool\n\thasAuths bool\n\thasIPFilter bool\n\tconcurrencyGuard chan struct{}\n}\n\n// Initialize initializes the configured plugins\nfunc Initialize(configs []Config, logLevel string) error {\n\tlogger.Debug(logSender, \"\", \"initialize\")\n\tHandler = Manager{\n\t\tConfigs: configs,\n\t\tdone: make(chan bool),\n\t\tauthScopes: -1,\n\t\tconcurrencyGuard: make(chan struct{}, 250),\n\t}\n\tHandler.closed.Store(false)\n\tsetLogLevel(logLevel)\n\tif len(configs) == 0 {\n\t\treturn nil\n\t}\n\n\tif err := Handler.validateConfigs(); err != nil {\n\t\treturn err\n\t}\n\tif err := initializePlugins(); err != nil {\n\t\treturn err\n\t}\n\n\tstartCheckTicker()\n\treturn nil\n}\n\nfunc initializePlugins() error {\n\tkmsID := 0\n\tfor idx, config := range Handler.Configs {\n\t\tswitch config.Type {\n\t\tcase notifier.PluginName:\n\t\t\tplugin, err := newNotifierPlugin(config)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tHandler.notifiers = append(Handler.notifiers, plugin)\n\t\tcase kmsplugin.PluginName:\n\t\t\tplugin, err := newKMSPlugin(config)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tHandler.kms = append(Handler.kms, plugin)\n\t\t\tHandler.Configs[idx].kmsID = kmsID\n\t\t\tkmsID++\n\t\t\tkms.RegisterSecretProvider(config.KMSOptions.Scheme, config.KMSOptions.EncryptedStatus,\n\t\t\t\tHandler.Configs[idx].newKMSPluginSecretProvider)\n\t\t\tlogger.Info(logSender, \"\", \"registered secret provider for scheme %q, encrypted status %q\",\n\t\t\t\tconfig.KMSOptions.Scheme, config.KMSOptions.EncryptedStatus)\n\t\tcase auth.PluginName:\n\t\t\tplugin, err := newAuthPlugin(config)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tHandler.auths = append(Handler.auths, plugin)\n\t\t\tif Handler.authScopes == -1 {\n\t\t\t\tHandler.authScopes = config.AuthOptions.Scope\n\t\t\t} else {\n\t\t\t\tHandler.authScopes |= config.AuthOptions.Scope\n\t\t\t}\n\t\tcase eventsearcher.PluginName:\n\t\t\tplugin, err := newSearcherPlugin(config)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tHandler.searcher = plugin\n\t\tcase ipfilter.PluginName:\n\t\t\tplugin, err := newIPFilterPlugin(config)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tHandler.filter = plugin\n\t\tdefault:\n\t\t\treturn fmt.Errorf(\"unsupported plugin type: %v\", config.Type)\n\t\t}\n\t}\n\n\treturn nil\n}\n\nfunc (m *Manager) validateConfigs() error {\n\tkmsSchemes := make(map[string]bool)\n\tkmsEncryptions := make(map[string]bool)\n\tm.hasSearcher = false\n\tm.hasNotifiers = false\n\tm.hasAuths = false\n\tm.hasIPFilter = false\n\n\tfor _, config := range m.Configs {\n\t\tswitch config.Type {\n\t\tcase kmsplugin.PluginName:\n\t\t\tif _, ok := kmsSchemes[config.KMSOptions.Scheme]; ok {\n\t\t\t\treturn fmt.Errorf(\"invalid KMS configuration, duplicated scheme %q\", config.KMSOptions.Scheme)\n\t\t\t}\n\t\t\tif _, ok := kmsEncryptions[config.KMSOptions.EncryptedStatus]; ok {\n\t\t\t\treturn fmt.Errorf(\"invalid KMS configuration, duplicated encrypted status %q\", config.KMSOptions.EncryptedStatus)\n\t\t\t}\n\t\t\tkmsSchemes[config.KMSOptions.Scheme] = true\n\t\t\tkmsEncryptions[config.KMSOptions.EncryptedStatus] = true\n\t\tcase eventsearcher.PluginName:\n\t\t\tif m.hasSearcher {\n\t\t\t\treturn errors.New(\"only one eventsearcher plugin can be defined\")\n\t\t\t}\n\t\t\tm.hasSearcher = true\n\t\tcase notifier.PluginName:\n\t\t\tm.hasNotifiers = true\n\t\tcase auth.PluginName:\n\t\t\tm.hasAuths = true\n\t\tcase ipfilter.PluginName:\n\t\t\tm.hasIPFilter = true\n\t\t}\n\t}\n\treturn nil\n}\n\n// HasAuthenticators returns true if there is at least an auth plugin\nfunc (m *Manager) HasAuthenticators() bool {\n\treturn m.hasAuths\n}\n\n// HasNotifiers returns true if there is at least a notifier plugin\nfunc (m *Manager) HasNotifiers() bool {\n\treturn m.hasNotifiers\n}\n\n// NotifyFsEvent sends the fs event notifications using any defined notifier plugins\nfunc (m *Manager) NotifyFsEvent(event *notifier.FsEvent) {\n\tm.notifLock.RLock()\n\tdefer m.notifLock.RUnlock()\n\n\tfor _, n := range m.notifiers {\n\t\tn.notifyFsAction(event)\n\t}\n}\n\n// NotifyProviderEvent sends the provider event notifications using any defined notifier plugins\nfunc (m *Manager) NotifyProviderEvent(event *notifier.ProviderEvent, object Renderer) {\n\tm.notifLock.RLock()\n\tdefer m.notifLock.RUnlock()\n\n\tfor _, n := range m.notifiers {\n\t\tn.notifyProviderAction(event, object)\n\t}\n}\n\n// NotifyLogEvent sends the log event notifications using any defined notifier plugins\nfunc (m *Manager) NotifyLogEvent(event notifier.LogEventType, protocol, username, ip, role string, err error) {\n\tif !m.hasNotifiers {\n\t\treturn\n\t}\n\tm.notifLock.RLock()\n\tdefer m.notifLock.RUnlock()\n\n\tvar e *notifier.LogEvent\n\n\tfor _, n := range m.notifiers {\n\t\tif slices.Contains(n.config.NotifierOptions.LogEvents, int(event)) {\n\t\t\tif e == nil {\n\t\t\t\tmessage := \"\"\n\t\t\t\tif err != nil {\n\t\t\t\t\tmessage = strings.Trim(err.Error(), \"\\x00\")\n\t\t\t\t}\n\n\t\t\t\te = ¬ifier.LogEvent{\n\t\t\t\t\tTimestamp: time.Now().UnixNano(),\n\t\t\t\t\tEvent: event,\n\t\t\t\t\tProtocol: protocol,\n\t\t\t\t\tUsername: username,\n\t\t\t\t\tIP: ip,\n\t\t\t\t\tMessage: message,\n\t\t\t\t\tRole: role,\n\t\t\t\t}\n\t\t\t}\n\t\t\tn.notifyLogEvent(e)\n\t\t}\n\t}\n}\n\n// HasSearcher returns true if an event searcher plugin is defined\nfunc (m *Manager) HasSearcher() bool {\n\treturn m.hasSearcher\n}\n\n// SearchFsEvents returns the filesystem events matching the specified filters\nfunc (m *Manager) SearchFsEvents(searchFilters *eventsearcher.FsEventSearch) ([]byte, error) {\n\tif !m.hasSearcher {\n\t\treturn nil, ErrNoSearcher\n\t}\n\tm.searcherLock.RLock()\n\tplugin := m.searcher\n\tm.searcherLock.RUnlock()\n\n\treturn plugin.searchear.SearchFsEvents(searchFilters)\n}\n\n// SearchProviderEvents returns the provider events matching the specified filters\nfunc (m *Manager) SearchProviderEvents(searchFilters *eventsearcher.ProviderEventSearch) ([]byte, error) {\n\tif !m.hasSearcher {\n\t\treturn nil, ErrNoSearcher\n\t}\n\tm.searcherLock.RLock()\n\tplugin := m.searcher\n\tm.searcherLock.RUnlock()\n\n\treturn plugin.searchear.SearchProviderEvents(searchFilters)\n}\n\n// SearchLogEvents returns the log events matching the specified filters\nfunc (m *Manager) SearchLogEvents(searchFilters *eventsearcher.LogEventSearch) ([]byte, error) {\n\tif !m.hasSearcher {\n\t\treturn nil, ErrNoSearcher\n\t}\n\tm.searcherLock.RLock()\n\tplugin := m.searcher\n\tm.searcherLock.RUnlock()\n\n\treturn plugin.searchear.SearchLogEvents(searchFilters)\n}\n\n// IsIPBanned returns true if the IP filter plugin does not allow the specified ip.\n// If no IP filter plugin is defined this method returns false\nfunc (m *Manager) IsIPBanned(ip, protocol string) bool {\n\tif !m.hasIPFilter {\n\t\treturn false\n\t}\n\n\tm.ipFilterLock.RLock()\n\tplugin := m.filter\n\tm.ipFilterLock.RUnlock()\n\n\tif plugin.exited() {\n\t\tlogger.Warn(logSender, \"\", \"ip filter plugin is not active, cannot check ip %q\", ip)\n\t\treturn false\n\t}\n\n\treturn plugin.filter.CheckIP(ip, protocol) != nil\n}\n\n// ReloadFilter sends a reload request to the IP filter plugin\nfunc (m *Manager) ReloadFilter() {\n\tif !m.hasIPFilter {\n\t\treturn\n\t}\n\tm.ipFilterLock.RLock()\n\tplugin := m.filter\n\tm.ipFilterLock.RUnlock()\n\n\tif err := plugin.filter.Reload(); err != nil {\n\t\tlogger.Error(logSender, \"\", \"unable to reload IP filter plugin: %v\", err)\n\t}\n}\n\nfunc (m *Manager) kmsEncrypt(secret kms.BaseSecret, url string, masterKey string, kmsID int) (string, string, int32, error) {\n\tm.kmsLock.RLock()\n\tplugin := m.kms[kmsID]\n\tm.kmsLock.RUnlock()\n\n\treturn plugin.Encrypt(secret, url, masterKey)\n}\n\nfunc (m *Manager) kmsDecrypt(secret kms.BaseSecret, url string, masterKey string, kmsID int) (string, error) {\n\tm.kmsLock.RLock()\n\tplugin := m.kms[kmsID]\n\tm.kmsLock.RUnlock()\n\n\treturn plugin.Decrypt(secret, url, masterKey)\n}\n\n// HasAuthScope returns true if there is an auth plugin that support the specified scope\nfunc (m *Manager) HasAuthScope(scope int) bool {\n\tif m.authScopes == -1 {\n\t\treturn false\n\t}\n\treturn m.authScopes&scope != 0\n}\n\n// Authenticate tries to authenticate the specified user using an external plugin\nfunc (m *Manager) Authenticate(username, password, ip, protocol string, pkey string,\n\ttlsCert *x509.Certificate, authScope int, userAsJSON []byte,\n) ([]byte, error) {\n\tswitch authScope {\n\tcase AuthScopePassword:\n\t\treturn m.checkUserAndPass(username, password, ip, protocol, userAsJSON)\n\tcase AuthScopePublicKey:\n\t\treturn m.checkUserAndPublicKey(username, pkey, ip, protocol, userAsJSON)\n\tcase AuthScopeKeyboardInteractive:\n\t\treturn m.checkUserAndKeyboardInteractive(username, ip, protocol, userAsJSON)\n\tcase AuthScopeTLSCertificate:\n\t\tcert, err := util.EncodeTLSCertToPem(tlsCert)\n\t\tif err != nil {\n\t\t\tlogger.Error(logSender, \"\", \"unable to encode tls certificate to pem: %v\", err)\n\t\t\treturn nil, fmt.Errorf(\"unable to encode tls cert to pem: %w\", err)\n\t\t}\n\t\treturn m.checkUserAndTLSCert(username, cert, ip, protocol, userAsJSON)\n\tdefault:\n\t\treturn nil, fmt.Errorf(\"unsupported auth scope: %v\", authScope)\n\t}\n}\n\n// ExecuteKeyboardInteractiveStep executes a keyboard interactive step\nfunc (m *Manager) ExecuteKeyboardInteractiveStep(req *KeyboardAuthRequest) (*KeyboardAuthResponse, error) {\n\tvar plugin *authPlugin\n\n\tm.authLock.Lock()\n\tfor _, p := range m.auths {\n\t\tif p.config.AuthOptions.Scope&AuthScopePassword != 0 {\n\t\t\tplugin = p\n\t\t\tbreak\n\t\t}\n\t}\n\tm.authLock.Unlock()\n\n\tif plugin == nil {\n\t\treturn nil, errors.New(\"no auth plugin configured for keyaboard interactive authentication step\")\n\t}\n\n\treturn plugin.sendKeyboardIteractiveRequest(req)\n}\n\nfunc (m *Manager) checkUserAndPass(username, password, ip, protocol string, userAsJSON []byte) ([]byte, error) {\n\tvar plugin *authPlugin\n\n\tm.authLock.Lock()\n\tfor _, p := range m.auths {\n\t\tif p.config.AuthOptions.Scope&AuthScopePassword != 0 {\n\t\t\tplugin = p\n\t\t\tbreak\n\t\t}\n\t}\n\tm.authLock.Unlock()\n\n\tif plugin == nil {\n\t\treturn nil, errors.New(\"no auth plugin configured for password checking\")\n\t}\n\n\treturn plugin.checkUserAndPass(username, password, ip, protocol, userAsJSON)\n}\n\nfunc (m *Manager) checkUserAndPublicKey(username, pubKey, ip, protocol string, userAsJSON []byte) ([]byte, error) {\n\tvar plugin *authPlugin\n\n\tm.authLock.Lock()\n\tfor _, p := range m.auths {\n\t\tif p.config.AuthOptions.Scope&AuthScopePublicKey != 0 {\n\t\t\tplugin = p\n\t\t\tbreak\n\t\t}\n\t}\n\tm.authLock.Unlock()\n\n\tif plugin == nil {\n\t\treturn nil, errors.New(\"no auth plugin configured for public key checking\")\n\t}\n\n\treturn plugin.checkUserAndPublicKey(username, pubKey, ip, protocol, userAsJSON)\n}\n\nfunc (m *Manager) checkUserAndTLSCert(username, tlsCert, ip, protocol string, userAsJSON []byte) ([]byte, error) {\n\tvar plugin *authPlugin\n\n\tm.authLock.Lock()\n\tfor _, p := range m.auths {\n\t\tif p.config.AuthOptions.Scope&AuthScopeTLSCertificate != 0 {\n\t\t\tplugin = p\n\t\t\tbreak\n\t\t}\n\t}\n\tm.authLock.Unlock()\n\n\tif plugin == nil {\n\t\treturn nil, errors.New(\"no auth plugin configured for TLS certificate checking\")\n\t}\n\n\treturn plugin.checkUserAndTLSCertificate(username, tlsCert, ip, protocol, userAsJSON)\n}\n\nfunc (m *Manager) checkUserAndKeyboardInteractive(username, ip, protocol string, userAsJSON []byte) ([]byte, error) {\n\tvar plugin *authPlugin\n\n\tm.authLock.Lock()\n\tfor _, p := range m.auths {\n\t\tif p.config.AuthOptions.Scope&AuthScopeKeyboardInteractive != 0 {\n\t\t\tplugin = p\n\t\t\tbreak\n\t\t}\n\t}\n\tm.authLock.Unlock()\n\n\tif plugin == nil {\n\t\treturn nil, errors.New(\"no auth plugin configured for keyboard interactive checking\")\n\t}\n\n\treturn plugin.checkUserAndKeyboardInteractive(username, ip, protocol, userAsJSON)\n}\n\nfunc (m *Manager) checkCrashedPlugins() {\n\tm.notifLock.RLock()\n\tfor idx, n := range m.notifiers {\n\t\tif n.exited() {\n\t\t\tdefer func(cfg Config, index int) {\n\t\t\t\tHandler.restartNotifierPlugin(cfg, index)\n\t\t\t}(n.config, idx)\n\t\t} else {\n\t\t\tn.sendQueuedEvents()\n\t\t}\n\t}\n\tm.notifLock.RUnlock()\n\n\tm.kmsLock.RLock()\n\tfor idx, k := range m.kms {\n\t\tif k.exited() {\n\t\t\tdefer func(cfg Config, index int) {\n\t\t\t\tHandler.restartKMSPlugin(cfg, index)\n\t\t\t}(k.config, idx)\n\t\t}\n\t}\n\tm.kmsLock.RUnlock()\n\n\tm.authLock.RLock()\n\tfor idx, a := range m.auths {\n\t\tif a.exited() {\n\t\t\tdefer func(cfg Config, index int) {\n\t\t\t\tHandler.restartAuthPlugin(cfg, index)\n\t\t\t}(a.config, idx)\n\t\t}\n\t}\n\tm.authLock.RUnlock()\n\n\tif m.hasSearcher {\n\t\tm.searcherLock.RLock()\n\t\tif m.searcher.exited() {\n\t\t\tdefer func(cfg Config) {\n\t\t\t\tHandler.restartSearcherPlugin(cfg)\n\t\t\t}(m.searcher.config)\n\t\t}\n\t\tm.searcherLock.RUnlock()\n\t}\n\n\tif m.hasIPFilter {\n\t\tm.ipFilterLock.RLock()\n\t\tif m.filter.exited() {\n\t\t\tdefer func(cfg Config) {\n\t\t\t\tHandler.restartIPFilterPlugin(cfg)\n\t\t\t}(m.filter.config)\n\t\t}\n\t\tm.ipFilterLock.RUnlock()\n\t}\n}\n\nfunc (m *Manager) restartNotifierPlugin(config Config, idx int) {\n\tif m.closed.Load() {\n\t\treturn\n\t}\n\tlogger.Info(logSender, \"\", \"try to restart crashed notifier plugin %q, idx: %v\", config.Cmd, idx)\n\tplugin, err := newNotifierPlugin(config)\n\tif err != nil {\n\t\tlogger.Error(logSender, \"\", \"unable to restart notifier plugin %q, err: %v\", config.Cmd, err)\n\t\treturn\n\t}\n\n\tm.notifLock.Lock()\n\tplugin.fsEvents = m.notifiers[idx].fsEvents\n\tplugin.providerEvents = m.notifiers[idx].providerEvents\n\tplugin.logEvents = m.notifiers[idx].logEvents\n\tm.notifiers[idx] = plugin\n\tm.notifLock.Unlock()\n\tplugin.sendQueuedEvents()\n}\n\nfunc (m *Manager) restartKMSPlugin(config Config, idx int) {\n\tif m.closed.Load() {\n\t\treturn\n\t}\n\tlogger.Info(logSender, \"\", \"try to restart crashed kms plugin %q, idx: %v\", config.Cmd, idx)\n\tplugin, err := newKMSPlugin(config)\n\tif err != nil {\n\t\tlogger.Error(logSender, \"\", \"unable to restart kms plugin %q, err: %v\", config.Cmd, err)\n\t\treturn\n\t}\n\n\tm.kmsLock.Lock()\n\tm.kms[idx] = plugin\n\tm.kmsLock.Unlock()\n}\n\nfunc (m *Manager) restartAuthPlugin(config Config, idx int) {\n\tif m.closed.Load() {\n\t\treturn\n\t}\n\tlogger.Info(logSender, \"\", \"try to restart crashed auth plugin %q, idx: %v\", config.Cmd, idx)\n\tplugin, err := newAuthPlugin(config)\n\tif err != nil {\n\t\tlogger.Error(logSender, \"\", \"unable to restart auth plugin %q, err: %v\", config.Cmd, err)\n\t\treturn\n\t}\n\n\tm.authLock.Lock()\n\tm.auths[idx] = plugin\n\tm.authLock.Unlock()\n}\n\nfunc (m *Manager) restartSearcherPlugin(config Config) {\n\tif m.closed.Load() {\n\t\treturn\n\t}\n\tlogger.Info(logSender, \"\", \"try to restart crashed searcher plugin %q\", config.Cmd)\n\tplugin, err := newSearcherPlugin(config)\n\tif err != nil {\n\t\tlogger.Error(logSender, \"\", \"unable to restart searcher plugin %q, err: %v\", config.Cmd, err)\n\t\treturn\n\t}\n\n\tm.searcherLock.Lock()\n\tm.searcher = plugin\n\tm.searcherLock.Unlock()\n}\n\nfunc (m *Manager) restartIPFilterPlugin(config Config) {\n\tif m.closed.Load() {\n\t\treturn\n\t}\n\tlogger.Info(logSender, \"\", \"try to restart crashed IP filter plugin %q\", config.Cmd)\n\tplugin, err := newIPFilterPlugin(config)\n\tif err != nil {\n\t\tlogger.Error(logSender, \"\", \"unable to restart IP filter plugin %q, err: %v\", config.Cmd, err)\n\t\treturn\n\t}\n\n\tm.ipFilterLock.Lock()\n\tm.filter = plugin\n\tm.ipFilterLock.Unlock()\n}\n\nfunc (m *Manager) addTask() {\n\tm.concurrencyGuard <- struct{}{}\n}\n\nfunc (m *Manager) removeTask() {\n\t<-m.concurrencyGuard\n}\n\n// Cleanup releases all the active plugins\nfunc (m *Manager) Cleanup() {\n\tif m.closed.Swap(true) {\n\t\treturn\n\t}\n\tlogger.Debug(logSender, \"\", \"cleanup\")\n\tclose(m.done)\n\tm.notifLock.Lock()\n\tfor _, n := range m.notifiers {\n\t\tlogger.Debug(logSender, \"\", \"cleanup notifier plugin %v\", n.config.Cmd)\n\t\tn.cleanup()\n\t}\n\tm.notifLock.Unlock()\n\n\tm.kmsLock.Lock()\n\tfor _, k := range m.kms {\n\t\tlogger.Debug(logSender, \"\", \"cleanup kms plugin %v\", k.config.Cmd)\n\t\tk.cleanup()\n\t}\n\tm.kmsLock.Unlock()\n\n\tm.authLock.Lock()\n\tfor _, a := range m.auths {\n\t\tlogger.Debug(logSender, \"\", \"cleanup auth plugin %v\", a.config.Cmd)\n\t\ta.cleanup()\n\t}\n\tm.authLock.Unlock()\n\n\tif m.hasSearcher {\n\t\tm.searcherLock.Lock()\n\t\tlogger.Debug(logSender, \"\", \"cleanup searcher plugin %v\", m.searcher.config.Cmd)\n\t\tm.searcher.cleanup()\n\t\tm.searcherLock.Unlock()\n\t}\n\n\tif m.hasIPFilter {\n\t\tm.ipFilterLock.Lock()\n\t\tlogger.Debug(logSender, \"\", \"cleanup IP filter plugin %v\", m.filter.config.Cmd)\n\t\tm.filter.cleanup()\n\t\tm.ipFilterLock.Unlock()\n\t}\n}\n\nfunc setLogLevel(logLevel string) {\n\tswitch logLevel {\n\tcase \"info\":\n\t\tpluginsLogLevel = hclog.Info\n\tcase \"warn\":\n\t\tpluginsLogLevel = hclog.Warn\n\tcase \"error\":\n\t\tpluginsLogLevel = hclog.Error\n\tdefault:\n\t\tpluginsLogLevel = hclog.Debug\n\t}\n}\n\nfunc startCheckTicker() {\n\tlogger.Debug(logSender, \"\", \"start plugins checker\")\n\n\tgo func() {\n\t\tticker := time.NewTicker(30 * time.Second)\n\t\tdefer ticker.Stop()\n\n\t\tfor {\n\t\t\tselect {\n\t\t\tcase <-Handler.done:\n\t\t\t\tlogger.Debug(logSender, \"\", \"handler done, stop plugins checker\")\n\t\t\t\treturn\n\t\t\tcase <-ticker.C:\n\t\t\t\tHandler.checkCrashedPlugins()\n\t\t\t}\n\t\t}\n\t}()\n}\n" }, { "path": "internal/plugin/searcher.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage plugin\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/hashicorp/go-hclog\"\n\t\"github.com/hashicorp/go-plugin\"\n\t\"github.com/sftpgo/sdk/plugin/eventsearcher\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n)\n\ntype searcherPlugin struct {\n\tconfig Config\n\tsearchear eventsearcher.Searcher\n\tclient *plugin.Client\n}\n\nfunc newSearcherPlugin(config Config) (*searcherPlugin, error) {\n\tp := &searcherPlugin{\n\t\tconfig: config,\n\t}\n\tif err := p.initialize(); err != nil {\n\t\tlogger.Warn(logSender, \"\", \"unable to create events searcher plugin: %v, config %+v\", err, config)\n\t\treturn nil, err\n\t}\n\treturn p, nil\n}\n\nfunc (p *searcherPlugin) exited() bool {\n\treturn p.client.Exited()\n}\n\nfunc (p *searcherPlugin) cleanup() {\n\tp.client.Kill()\n}\n\nfunc (p *searcherPlugin) initialize() error {\n\tkillProcess(p.config.Cmd)\n\tlogger.Debug(logSender, \"\", \"create new searcher plugin %q\", p.config.Cmd)\n\tsecureConfig, err := p.config.getSecureConfig()\n\tif err != nil {\n\t\treturn err\n\t}\n\tclient := plugin.NewClient(&plugin.ClientConfig{\n\t\tHandshakeConfig: eventsearcher.Handshake,\n\t\tPlugins: eventsearcher.PluginMap,\n\t\tCmd: p.config.getCommand(),\n\t\tSkipHostEnv: true,\n\t\tAllowedProtocols: []plugin.Protocol{\n\t\t\tplugin.ProtocolGRPC,\n\t\t},\n\t\tAutoMTLS: p.config.AutoMTLS,\n\t\tSecureConfig: secureConfig,\n\t\tManaged: false,\n\t\tLogger: &logger.HCLogAdapter{\n\t\t\tLogger: hclog.New(&hclog.LoggerOptions{\n\t\t\t\tName: fmt.Sprintf(\"%v.%v\", logSender, eventsearcher.PluginName),\n\t\t\t\tLevel: pluginsLogLevel,\n\t\t\t\tDisableTime: true,\n\t\t\t}),\n\t\t},\n\t})\n\trpcClient, err := client.Client()\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"unable to get rpc client for plugin %q: %v\", p.config.Cmd, err)\n\t\treturn err\n\t}\n\traw, err := rpcClient.Dispense(eventsearcher.PluginName)\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"unable to get plugin %v from rpc client for command %q: %v\",\n\t\t\teventsearcher.PluginName, p.config.Cmd, err)\n\t\treturn err\n\t}\n\n\tp.client = client\n\tp.searchear = raw.(eventsearcher.Searcher)\n\n\treturn nil\n}\n" }, { "path": "internal/plugin/util.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage plugin\n\nimport (\n\t\"github.com/shirou/gopsutil/v3/process\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n)\n\nfunc killProcess(processPath string) {\n\tprocs, err := process.Processes()\n\tif err != nil {\n\t\treturn\n\t}\n\tfor _, p := range procs {\n\t\tcmdLine, err := p.Exe()\n\t\tif err == nil {\n\t\t\tif cmdLine == processPath {\n\t\t\t\terr = p.Kill()\n\t\t\t\tlogger.Debug(logSender, \"\", \"killed process %v, pid %v, err %v\", cmdLine, p.Pid, err)\n\t\t\t\treturn\n\t\t\t}\n\t\t}\n\t}\n\tlogger.Debug(logSender, \"\", \"no match for plugin process %v\", processPath)\n}\n" }, { "path": "internal/service/service.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n// Package service allows to start and stop the SFTPGo service\npackage service\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\n\t\"github.com/rs/zerolog\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/acme\"\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/config\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n)\n\nconst (\n\tlogSender = \"service\"\n)\n\nvar (\n\tgraceTime int\n)\n\n// Service defines the SFTPGo service\ntype Service struct {\n\tConfigDir string\n\tConfigFile string\n\tLogFilePath string\n\tLogMaxSize int\n\tLogMaxBackups int\n\tLogMaxAge int\n\tPortableMode int\n\tPortableUser dataprovider.User\n\tLogCompress bool\n\tLogLevel string\n\tLogUTCTime bool\n\tLoadDataClean bool\n\tLoadDataFrom string\n\tLoadDataMode int\n\tLoadDataQuotaScan int\n\tShutdown chan bool\n\tError error\n}\n\nfunc (s *Service) initLogger() {\n\tvar logLevel zerolog.Level\n\tswitch s.LogLevel {\n\tcase \"info\":\n\t\tlogLevel = zerolog.InfoLevel\n\tcase \"warn\":\n\t\tlogLevel = zerolog.WarnLevel\n\tcase \"error\":\n\t\tlogLevel = zerolog.ErrorLevel\n\tdefault:\n\t\tlogLevel = zerolog.DebugLevel\n\t}\n\tif !filepath.IsAbs(s.LogFilePath) && util.IsFileInputValid(s.LogFilePath) {\n\t\ts.LogFilePath = filepath.Join(s.ConfigDir, s.LogFilePath)\n\t}\n\tlogger.InitLogger(s.LogFilePath, s.LogMaxSize, s.LogMaxBackups, s.LogMaxAge, s.LogCompress, s.LogUTCTime, logLevel)\n\tif s.PortableMode == 1 {\n\t\tlogger.EnableConsoleLogger(logLevel)\n\t\tif s.LogFilePath == \"\" {\n\t\t\tlogger.DisableLogger()\n\t\t}\n\t}\n}\n\n// Start initializes and starts the service\nfunc (s *Service) Start() error {\n\ts.initLogger()\n\tlogger.Info(logSender, \"\", \"starting SFTPGo %s, config dir: %s, config file: %s, log max size: %d log max backups: %d \"+\n\t\t\"log max age: %d log level: %s, log compress: %t, log utc time: %t, load data from: %q, grace time: %d secs\",\n\t\tversion.GetAsString(), s.ConfigDir, s.ConfigFile, s.LogMaxSize, s.LogMaxBackups, s.LogMaxAge, s.LogLevel,\n\t\ts.LogCompress, s.LogUTCTime, s.LoadDataFrom, graceTime)\n\t// in portable mode we don't read configuration from file\n\tif s.PortableMode != 1 {\n\t\terr := config.LoadConfig(s.ConfigDir, s.ConfigFile)\n\t\tif err != nil {\n\t\t\tlogger.Error(logSender, \"\", \"error loading configuration: %v\", err)\n\t\t\treturn err\n\t\t}\n\t}\n\tif !config.HasServicesToStart() {\n\t\tconst infoString = \"no service configured, nothing to do\"\n\t\tlogger.Info(logSender, \"\", infoString)\n\t\tlogger.InfoToConsole(infoString)\n\t\treturn errors.New(infoString)\n\t}\n\n\tif err := s.initializeServices(); err != nil {\n\t\treturn err\n\t}\n\n\ts.startServices()\n\tgo common.Config.ExecuteStartupHook() //nolint:errcheck\n\n\treturn nil\n}\n\nfunc (s *Service) initializeServices() error {\n\tproviderConf := config.GetProviderConf()\n\tkmsConfig := config.GetKMSConfig()\n\terr := kmsConfig.Initialize()\n\tif err != nil {\n\t\tlogger.Error(logSender, \"\", \"unable to initialize KMS: %v\", err)\n\t\tlogger.ErrorToConsole(\"unable to initialize KMS: %v\", err)\n\t\treturn err\n\t}\n\t// We may have KMS plugins and their schema needs to be registered before\n\t// initializing the data provider which may contain KMS secrets.\n\tif err := plugin.Initialize(config.GetPluginsConfig(), s.LogLevel); err != nil {\n\t\tlogger.Error(logSender, \"\", \"unable to initialize plugin system: %v\", err)\n\t\tlogger.ErrorToConsole(\"unable to initialize plugin system: %v\", err)\n\t\treturn err\n\t}\n\tmfaConfig := config.GetMFAConfig()\n\terr = mfaConfig.Initialize()\n\tif err != nil {\n\t\tlogger.Error(logSender, \"\", \"unable to initialize MFA: %v\", err)\n\t\tlogger.ErrorToConsole(\"unable to initialize MFA: %v\", err)\n\t\treturn err\n\t}\n\terr = dataprovider.Initialize(providerConf, s.ConfigDir, s.PortableMode == 0)\n\tif err != nil {\n\t\tlogger.Error(logSender, \"\", \"error initializing data provider: %v\", err)\n\t\tlogger.ErrorToConsole(\"error initializing data provider: %v\", err)\n\t\treturn err\n\t}\n\tsmtpConfig := config.GetSMTPConfig()\n\terr = smtpConfig.Initialize(s.ConfigDir, s.PortableMode != 1)\n\tif err != nil {\n\t\tlogger.Error(logSender, \"\", \"unable to initialize SMTP configuration: %v\", err)\n\t\tlogger.ErrorToConsole(\"unable to initialize SMTP configuration: %v\", err)\n\t\treturn err\n\t}\n\terr = common.Initialize(config.GetCommonConfig(), providerConf.GetShared())\n\tif err != nil {\n\t\tlogger.Error(logSender, \"\", \"%v\", err)\n\t\tlogger.ErrorToConsole(\"%v\", err)\n\t\treturn err\n\t}\n\n\tif s.PortableMode == 1 {\n\t\t// create the user for portable mode\n\t\terr = dataprovider.AddUser(&s.PortableUser, dataprovider.ActionExecutorSystem, \"\", \"\")\n\t\tif err != nil {\n\t\t\tlogger.ErrorToConsole(\"error adding portable user: %v\", err)\n\t\t\treturn err\n\t\t}\n\t} else {\n\t\tacmeConfig := config.GetACMEConfig()\n\t\terr = acme.Initialize(acmeConfig, s.ConfigDir, true)\n\t\tif err != nil {\n\t\t\tlogger.Error(logSender, \"\", \"error initializing ACME configuration: %v\", err)\n\t\t\tlogger.ErrorToConsole(\"error initializing ACME configuration: %v\", err)\n\t\t\treturn err\n\t\t}\n\t}\n\n\thttpConfig := config.GetHTTPConfig()\n\terr = httpConfig.Initialize(s.ConfigDir)\n\tif err != nil {\n\t\tlogger.Error(logSender, \"\", \"error initializing http client: %v\", err)\n\t\tlogger.ErrorToConsole(\"error initializing http client: %v\", err)\n\t\treturn err\n\t}\n\tcommandConfig := config.GetCommandConfig()\n\tif err := commandConfig.Initialize(); err != nil {\n\t\tlogger.Error(logSender, \"\", \"error initializing commands configuration: %v\", err)\n\t\tlogger.ErrorToConsole(\"error initializing commands configuration: %v\", err)\n\t\treturn err\n\t}\n\n\treturn nil\n}\n\nfunc (s *Service) startServices() {\n\terr := s.LoadInitialData()\n\tif err != nil {\n\t\tlogger.Error(logSender, \"\", \"unable to load initial data: %v\", err)\n\t\tlogger.ErrorToConsole(\"unable to load initial data: %v\", err)\n\t}\n\n\tsftpdConf := config.GetSFTPDConfig()\n\tftpdConf := config.GetFTPDConfig()\n\thttpdConf := config.GetHTTPDConfig()\n\twebDavDConf := config.GetWebDAVDConfig()\n\ttelemetryConf := config.GetTelemetryConfig()\n\n\tif sftpdConf.ShouldBind() {\n\t\tgo func() {\n\t\t\tredactedConf := sftpdConf\n\t\t\tredactedConf.KeyboardInteractiveHook = util.GetRedactedURL(sftpdConf.KeyboardInteractiveHook)\n\t\t\tlogger.Info(logSender, \"\", \"initializing SFTP server with config %+v\", redactedConf)\n\t\t\tif err := sftpdConf.Initialize(s.ConfigDir); err != nil {\n\t\t\t\tlogger.Error(logSender, \"\", \"could not start SFTP server: %v\", err)\n\t\t\t\tlogger.ErrorToConsole(\"could not start SFTP server: %v\", err)\n\t\t\t\ts.Error = err\n\t\t\t}\n\t\t\ts.Shutdown <- true\n\t\t}()\n\t} else {\n\t\tlogger.Info(logSender, \"\", \"SFTP server not started, disabled in config file\")\n\t}\n\n\tif httpdConf.ShouldBind() {\n\t\tgo func() {\n\t\t\tproviderConf := config.GetProviderConf()\n\t\t\tif err := httpdConf.Initialize(s.ConfigDir, providerConf.GetShared()); err != nil {\n\t\t\t\tlogger.Error(logSender, \"\", \"could not start HTTP server: %v\", err)\n\t\t\t\tlogger.ErrorToConsole(\"could not start HTTP server: %v\", err)\n\t\t\t\ts.Error = err\n\t\t\t}\n\t\t\ts.Shutdown <- true\n\t\t}()\n\t} else {\n\t\tlogger.Info(logSender, \"\", \"HTTP server not started, disabled in config file\")\n\t\tif s.PortableMode != 1 {\n\t\t\tlogger.InfoToConsole(\"HTTP server not started, disabled in config file\")\n\t\t}\n\t}\n\tif ftpdConf.ShouldBind() {\n\t\tgo func() {\n\t\t\tif err := ftpdConf.Initialize(s.ConfigDir); err != nil {\n\t\t\t\tlogger.Error(logSender, \"\", \"could not start FTP server: %v\", err)\n\t\t\t\tlogger.ErrorToConsole(\"could not start FTP server: %v\", err)\n\t\t\t\ts.Error = err\n\t\t\t}\n\t\t\ts.Shutdown <- true\n\t\t}()\n\t} else {\n\t\tlogger.Info(logSender, \"\", \"FTP server not started, disabled in config file\")\n\t}\n\tif webDavDConf.ShouldBind() {\n\t\tgo func() {\n\t\t\tif err := webDavDConf.Initialize(s.ConfigDir); err != nil {\n\t\t\t\tlogger.Error(logSender, \"\", \"could not start WebDAV server: %v\", err)\n\t\t\t\tlogger.ErrorToConsole(\"could not start WebDAV server: %v\", err)\n\t\t\t\ts.Error = err\n\t\t\t}\n\t\t\ts.Shutdown <- true\n\t\t}()\n\t} else {\n\t\tlogger.Info(logSender, \"\", \"WebDAV server not started, disabled in config file\")\n\t}\n\tif telemetryConf.ShouldBind() {\n\t\tgo func() {\n\t\t\tif err := telemetryConf.Initialize(s.ConfigDir); err != nil {\n\t\t\t\tlogger.Error(logSender, \"\", \"could not start telemetry server: %v\", err)\n\t\t\t\tlogger.ErrorToConsole(\"could not start telemetry server: %v\", err)\n\t\t\t\ts.Error = err\n\t\t\t}\n\t\t\ts.Shutdown <- true\n\t\t}()\n\t} else {\n\t\tlogger.Info(logSender, \"\", \"telemetry server not started, disabled in config file\")\n\t\tif s.PortableMode != 1 {\n\t\t\tlogger.InfoToConsole(\"telemetry server not started, disabled in config file\")\n\t\t}\n\t}\n}\n\n// Wait blocks until the service exits\nfunc (s *Service) Wait() {\n\tif s.PortableMode != 1 {\n\t\tregisterSignals()\n\t}\n\t<-s.Shutdown\n}\n\n// Stop terminates the service unblocking the Wait method\nfunc (s *Service) Stop() {\n\tclose(s.Shutdown)\n\tlogger.Debug(logSender, \"\", \"Service stopped\")\n}\n\n// LoadInitialData if a data file is set\nfunc (s *Service) LoadInitialData() error {\n\tif s.LoadDataFrom == \"\" {\n\t\treturn nil\n\t}\n\tif !filepath.IsAbs(s.LoadDataFrom) {\n\t\treturn fmt.Errorf(\"invalid input_file %q, it must be an absolute path\", s.LoadDataFrom)\n\t}\n\tif s.LoadDataMode < 0 || s.LoadDataMode > 1 {\n\t\treturn fmt.Errorf(\"invalid loaddata-mode %v\", s.LoadDataMode)\n\t}\n\tif s.LoadDataQuotaScan < 0 || s.LoadDataQuotaScan > 2 {\n\t\treturn fmt.Errorf(\"invalid loaddata-scan %v\", s.LoadDataQuotaScan)\n\t}\n\tinfo, err := os.Stat(s.LoadDataFrom)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to stat file %q: %w\", s.LoadDataFrom, err)\n\t}\n\tif info.Size() > httpd.MaxRestoreSize {\n\t\treturn fmt.Errorf(\"unable to restore input file %q size too big: %d/%d bytes\",\n\t\t\ts.LoadDataFrom, info.Size(), httpd.MaxRestoreSize)\n\t}\n\tcontent, err := os.ReadFile(s.LoadDataFrom)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to read input file %q: %w\", s.LoadDataFrom, err)\n\t}\n\tdump, err := dataprovider.ParseDumpData(content)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to parse file to restore %q: %w\", s.LoadDataFrom, err)\n\t}\n\terr = s.restoreDump(&dump)\n\tif err != nil {\n\t\treturn err\n\t}\n\tlogger.Info(logSender, \"\", \"data loaded from file %q mode: %v\", s.LoadDataFrom, s.LoadDataMode)\n\tlogger.InfoToConsole(\"data loaded from file %q mode: %v\", s.LoadDataFrom, s.LoadDataMode)\n\tif s.LoadDataClean {\n\t\terr = os.Remove(s.LoadDataFrom)\n\t\tif err == nil {\n\t\t\tlogger.Info(logSender, \"\", \"file %q deleted after successful load\", s.LoadDataFrom)\n\t\t\tlogger.InfoToConsole(\"file %q deleted after successful load\", s.LoadDataFrom)\n\t\t} else {\n\t\t\tlogger.Warn(logSender, \"\", \"unable to delete file %q after successful load: %v\", s.LoadDataFrom, err)\n\t\t\tlogger.WarnToConsole(\"unable to delete file %q after successful load: %v\", s.LoadDataFrom, err)\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (s *Service) restoreDump(dump *dataprovider.BackupData) error {\n\terr := httpd.RestoreConfigs(dump.Configs, s.LoadDataMode, dataprovider.ActionExecutorSystem, \"\", \"\")\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to restore configs from file %q: %v\", s.LoadDataFrom, err)\n\t}\n\terr = httpd.RestoreIPListEntries(dump.IPLists, s.LoadDataFrom, s.LoadDataMode, dataprovider.ActionExecutorSystem, \"\", \"\")\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to restore IP list entries from file %q: %v\", s.LoadDataFrom, err)\n\t}\n\terr = httpd.RestoreRoles(dump.Roles, s.LoadDataFrom, s.LoadDataMode, dataprovider.ActionExecutorSystem, \"\", \"\")\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to restore roles from file %q: %v\", s.LoadDataFrom, err)\n\t}\n\terr = httpd.RestoreFolders(dump.Folders, s.LoadDataFrom, s.LoadDataMode, s.LoadDataQuotaScan, dataprovider.ActionExecutorSystem, \"\", \"\")\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to restore folders from file %q: %v\", s.LoadDataFrom, err)\n\t}\n\terr = httpd.RestoreGroups(dump.Groups, s.LoadDataFrom, s.LoadDataMode, dataprovider.ActionExecutorSystem, \"\", \"\")\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to restore groups from file %q: %v\", s.LoadDataFrom, err)\n\t}\n\terr = httpd.RestoreUsers(dump.Users, s.LoadDataFrom, s.LoadDataMode, s.LoadDataQuotaScan, dataprovider.ActionExecutorSystem, \"\", \"\")\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to restore users from file %q: %v\", s.LoadDataFrom, err)\n\t}\n\terr = httpd.RestoreAdmins(dump.Admins, s.LoadDataFrom, s.LoadDataMode, dataprovider.ActionExecutorSystem, \"\", \"\")\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to restore admins from file %q: %v\", s.LoadDataFrom, err)\n\t}\n\terr = httpd.RestoreAPIKeys(dump.APIKeys, s.LoadDataFrom, s.LoadDataMode, dataprovider.ActionExecutorSystem, \"\", \"\")\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to restore API keys from file %q: %v\", s.LoadDataFrom, err)\n\t}\n\terr = httpd.RestoreShares(dump.Shares, s.LoadDataFrom, s.LoadDataMode, dataprovider.ActionExecutorSystem, \"\", \"\")\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to restore API keys from file %q: %v\", s.LoadDataFrom, err)\n\t}\n\terr = httpd.RestoreEventActions(dump.EventActions, s.LoadDataFrom, s.LoadDataMode, dataprovider.ActionExecutorSystem, \"\", \"\")\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to restore event actions from file %q: %v\", s.LoadDataFrom, err)\n\t}\n\terr = httpd.RestoreEventRules(dump.EventRules, s.LoadDataFrom, s.LoadDataMode, dataprovider.ActionExecutorSystem,\n\t\t\"\", \"\", dump.Version)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to restore event rules from file %q: %v\", s.LoadDataFrom, err)\n\t}\n\treturn nil\n}\n\n// SetGraceTime sets the grace time\nfunc SetGraceTime(val int) {\n\tgraceTime = val\n}\n" }, { "path": "internal/service/service_portable.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build !noportable\n\npackage service\n\nimport (\n\t\"fmt\"\n\t\"math/rand\"\n\t\"slices\"\n\t\"strings\"\n\n\t\"github.com/sftpgo/sdk\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/config\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/ftpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/sftpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/webdavd\"\n)\n\n// StartPortableMode starts the service in portable mode\nfunc (s *Service) StartPortableMode(sftpdPort, ftpPort, webdavPort, httpPort int, enabledSSHCommands []string,\n\tftpsCert, ftpsKey, webDavCert, webDavKey, httpsCert, httpsKey string) error {\n\tif s.PortableMode != 1 {\n\t\treturn fmt.Errorf(\"service is not configured for portable mode\")\n\t}\n\terr := config.LoadConfig(s.ConfigDir, s.ConfigFile)\n\tif err != nil {\n\t\tfmt.Printf(\"error loading configuration file: %v using defaults\\n\", err)\n\t}\n\tkmsConfig := config.GetKMSConfig()\n\terr = kmsConfig.Initialize()\n\tif err != nil {\n\t\treturn err\n\t}\n\tprintablePassword := s.configurePortableUser()\n\tdataProviderConf := config.GetProviderConf()\n\tdataProviderConf.Driver = dataprovider.MemoryDataProviderName\n\tdataProviderConf.Name = \"\"\n\tconfig.SetProviderConf(dataProviderConf)\n\thttpdConf := config.GetHTTPDConfig()\n\tfor idx := range httpdConf.Bindings {\n\t\thttpdConf.Bindings[idx].Port = 0\n\t}\n\tconfig.SetHTTPDConfig(httpdConf)\n\ttelemetryConf := config.GetTelemetryConfig()\n\ttelemetryConf.BindPort = 0\n\tconfig.SetTelemetryConfig(telemetryConf)\n\n\tconfigurePortableSFTPService(sftpdPort, enabledSSHCommands)\n\tconfigurePortableFTPService(ftpPort, ftpsCert, ftpsKey)\n\tconfigurePortableWebDAVService(webdavPort, webDavCert, webDavKey)\n\tconfigurePortableHTTPService(httpPort, httpsCert, httpsKey)\n\n\terr = s.Start()\n\tif err != nil {\n\t\treturn err\n\t}\n\tif httpPort >= 0 {\n\t\tadmin := &dataprovider.Admin{\n\t\t\tUsername: util.GenerateUniqueID(),\n\t\t\tPassword: util.GenerateUniqueID(),\n\t\t\tStatus: 0,\n\t\t\tPermissions: []string{dataprovider.PermAdminAny},\n\t\t}\n\t\tif err := dataprovider.AddAdmin(admin, dataprovider.ActionExecutorSystem, \"\", \"\"); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\tlogger.InfoToConsole(\"Portable mode ready, user: %q, password: %q, public keys: %v, directory: %q, \"+\n\t\t\"permissions: %+v, file patterns filters: %+v %v\", s.PortableUser.Username,\n\t\tprintablePassword, s.PortableUser.PublicKeys, s.getPortableDirToServe(), s.PortableUser.Permissions,\n\t\ts.PortableUser.Filters.FilePatterns, s.getServiceOptionalInfoString())\n\treturn nil\n}\n\nfunc (s *Service) getServiceOptionalInfoString() string {\n\tvar info strings.Builder\n\tif config.GetSFTPDConfig().Bindings[0].IsValid() {\n\t\tfmt.Fprintf(&info, \"SFTP port: %d \", config.GetSFTPDConfig().Bindings[0].Port)\n\t}\n\tif config.GetFTPDConfig().Bindings[0].IsValid() {\n\t\tfmt.Fprintf(&info, \"FTP port: %d \", config.GetFTPDConfig().Bindings[0].Port)\n\t}\n\tif config.GetWebDAVDConfig().Bindings[0].IsValid() {\n\t\tscheme := \"http\"\n\t\tif config.GetWebDAVDConfig().CertificateFile != \"\" && config.GetWebDAVDConfig().CertificateKeyFile != \"\" {\n\t\t\tscheme = \"https\"\n\t\t}\n\t\tfmt.Fprintf(&info, \"WebDAV URL: %v://:%v/ \", scheme, config.GetWebDAVDConfig().Bindings[0].Port)\n\t}\n\tif config.GetHTTPDConfig().Bindings[0].IsValid() {\n\t\tscheme := \"http\"\n\t\tif config.GetHTTPDConfig().CertificateFile != \"\" && config.GetHTTPDConfig().CertificateKeyFile != \"\" {\n\t\t\tscheme = \"https\"\n\t\t}\n\t\tfmt.Fprintf(&info, \"WebClient URL: %s://:%d/ \", scheme, config.GetHTTPDConfig().Bindings[0].Port)\n\t}\n\treturn info.String()\n}\n\nfunc (s *Service) getPortableDirToServe() string {\n\tswitch s.PortableUser.FsConfig.Provider {\n\tcase sdk.S3FilesystemProvider:\n\t\treturn s.PortableUser.FsConfig.S3Config.KeyPrefix\n\tcase sdk.GCSFilesystemProvider:\n\t\treturn s.PortableUser.FsConfig.GCSConfig.KeyPrefix\n\tcase sdk.AzureBlobFilesystemProvider:\n\t\treturn s.PortableUser.FsConfig.AzBlobConfig.KeyPrefix\n\tcase sdk.SFTPFilesystemProvider:\n\t\treturn s.PortableUser.FsConfig.SFTPConfig.Prefix\n\tcase sdk.HTTPFilesystemProvider:\n\t\treturn \"/\"\n\tdefault:\n\t\treturn s.PortableUser.HomeDir\n\t}\n}\n\n// configures the portable user and return the printable password if any\nfunc (s *Service) configurePortableUser() string {\n\tif s.PortableUser.Username == \"\" {\n\t\ts.PortableUser.Username = \"user\"\n\t}\n\tprintablePassword := \"\"\n\tif s.PortableUser.Password != \"\" {\n\t\tprintablePassword = \"[redacted]\"\n\t}\n\tif len(s.PortableUser.PublicKeys) == 0 && s.PortableUser.Password == \"\" {\n\t\ts.PortableUser.Password = util.GenerateUniqueID()\n\t\tprintablePassword = s.PortableUser.Password\n\t}\n\ts.PortableUser.Filters.WebClient = []string{sdk.WebClientSharesDisabled, sdk.WebClientInfoChangeDisabled,\n\t\tsdk.WebClientPubKeyChangeDisabled, sdk.WebClientPasswordChangeDisabled, sdk.WebClientAPIKeyAuthChangeDisabled,\n\t\tsdk.WebClientMFADisabled, sdk.WebClientPasswordResetDisabled, sdk.WebClientTLSCertChangeDisabled,\n\t}\n\tif !s.PortableUser.HasAnyPerm([]string{dataprovider.PermUpload, dataprovider.PermOverwrite}, \"/\") {\n\t\ts.PortableUser.Filters.WebClient = append(s.PortableUser.Filters.WebClient, sdk.WebClientWriteDisabled)\n\t}\n\ts.configurePortableSecrets()\n\treturn printablePassword\n}\n\nfunc (s *Service) configurePortableSecrets() {\n\t// we created the user before to initialize the KMS so we need to create the secret here\n\tswitch s.PortableUser.FsConfig.Provider {\n\tcase sdk.S3FilesystemProvider:\n\t\tpayload := s.PortableUser.FsConfig.S3Config.AccessSecret.GetPayload()\n\t\ts.PortableUser.FsConfig.S3Config.AccessSecret = getSecretFromString(payload)\n\tcase sdk.GCSFilesystemProvider:\n\t\tpayload := s.PortableUser.FsConfig.GCSConfig.Credentials.GetPayload()\n\t\ts.PortableUser.FsConfig.GCSConfig.Credentials = getSecretFromString(payload)\n\tcase sdk.AzureBlobFilesystemProvider:\n\t\tpayload := s.PortableUser.FsConfig.AzBlobConfig.AccountKey.GetPayload()\n\t\ts.PortableUser.FsConfig.AzBlobConfig.AccountKey = getSecretFromString(payload)\n\t\tpayload = s.PortableUser.FsConfig.AzBlobConfig.SASURL.GetPayload()\n\t\ts.PortableUser.FsConfig.AzBlobConfig.SASURL = getSecretFromString(payload)\n\tcase sdk.CryptedFilesystemProvider:\n\t\tpayload := s.PortableUser.FsConfig.CryptConfig.Passphrase.GetPayload()\n\t\ts.PortableUser.FsConfig.CryptConfig.Passphrase = getSecretFromString(payload)\n\tcase sdk.SFTPFilesystemProvider:\n\t\tpayload := s.PortableUser.FsConfig.SFTPConfig.Password.GetPayload()\n\t\ts.PortableUser.FsConfig.SFTPConfig.Password = getSecretFromString(payload)\n\t\tpayload = s.PortableUser.FsConfig.SFTPConfig.PrivateKey.GetPayload()\n\t\ts.PortableUser.FsConfig.SFTPConfig.PrivateKey = getSecretFromString(payload)\n\t\tpayload = s.PortableUser.FsConfig.SFTPConfig.KeyPassphrase.GetPayload()\n\t\ts.PortableUser.FsConfig.SFTPConfig.KeyPassphrase = getSecretFromString(payload)\n\tcase sdk.HTTPFilesystemProvider:\n\t\tpayload := s.PortableUser.FsConfig.HTTPConfig.Password.GetPayload()\n\t\ts.PortableUser.FsConfig.HTTPConfig.Password = getSecretFromString(payload)\n\t\tpayload = s.PortableUser.FsConfig.HTTPConfig.APIKey.GetPayload()\n\t\ts.PortableUser.FsConfig.HTTPConfig.APIKey = getSecretFromString(payload)\n\t}\n}\n\nfunc getSecretFromString(payload string) *kms.Secret {\n\tif payload != \"\" {\n\t\treturn kms.NewPlainSecret(payload)\n\t}\n\treturn kms.NewEmptySecret()\n}\n\nfunc configurePortableSFTPService(port int, enabledSSHCommands []string) {\n\tsftpdConf := config.GetSFTPDConfig()\n\tif len(sftpdConf.Bindings) == 0 {\n\t\tsftpdConf.Bindings = append(sftpdConf.Bindings, sftpd.Binding{})\n\t}\n\tif port > 0 {\n\t\tsftpdConf.Bindings[0].Port = port\n\t} else if port == 0 {\n\t\t// dynamic ports starts from 49152\n\t\tsftpdConf.Bindings[0].Port = 49152 + rand.Intn(15000)\n\t} else {\n\t\tsftpdConf.Bindings[0].Port = 0\n\t}\n\tif slices.Contains(enabledSSHCommands, \"*\") {\n\t\tsftpdConf.EnabledSSHCommands = sftpd.GetSupportedSSHCommands()\n\t} else {\n\t\tsftpdConf.EnabledSSHCommands = enabledSSHCommands\n\t}\n\tconfig.SetSFTPDConfig(sftpdConf)\n}\n\nfunc configurePortableFTPService(port int, cert, key string) {\n\tftpConf := config.GetFTPDConfig()\n\tif len(ftpConf.Bindings) == 0 {\n\t\tftpConf.Bindings = append(ftpConf.Bindings, ftpd.Binding{})\n\t}\n\tif port > 0 {\n\t\tftpConf.Bindings[0].Port = port\n\t} else if port == 0 {\n\t\tftpConf.Bindings[0].Port = 49152 + rand.Intn(15000)\n\t} else {\n\t\tftpConf.Bindings[0].Port = 0\n\t}\n\tftpConf.Bindings[0].CertificateFile = cert\n\tftpConf.Bindings[0].CertificateKeyFile = key\n\tconfig.SetFTPDConfig(ftpConf)\n}\n\nfunc configurePortableWebDAVService(port int, cert, key string) {\n\twebDavConf := config.GetWebDAVDConfig()\n\tif len(webDavConf.Bindings) == 0 {\n\t\twebDavConf.Bindings = append(webDavConf.Bindings, webdavd.Binding{})\n\t}\n\tif port > 0 {\n\t\twebDavConf.Bindings[0].Port = port\n\t} else if port == 0 {\n\t\twebDavConf.Bindings[0].Port = 49152 + rand.Intn(15000)\n\t} else {\n\t\twebDavConf.Bindings[0].Port = 0\n\t}\n\twebDavConf.Bindings[0].CertificateFile = cert\n\twebDavConf.Bindings[0].CertificateKeyFile = key\n\tif cert != \"\" && key != \"\" {\n\t\twebDavConf.Bindings[0].EnableHTTPS = true\n\t}\n\tconfig.SetWebDAVDConfig(webDavConf)\n}\n\nfunc configurePortableHTTPService(port int, cert, key string) {\n\thttpdConf := config.GetHTTPDConfig()\n\tif len(httpdConf.Bindings) == 0 {\n\t\thttpdConf.Bindings = append(httpdConf.Bindings, httpd.Binding{})\n\t}\n\tif port > 0 {\n\t\thttpdConf.Bindings[0].Port = port\n\t} else if port == 0 {\n\t\thttpdConf.Bindings[0].Port = 49152 + rand.Intn(15000)\n\t} else {\n\t\thttpdConf.Bindings[0].Port = 0\n\t}\n\thttpdConf.Bindings[0].CertificateFile = cert\n\thttpdConf.Bindings[0].CertificateKeyFile = key\n\tif cert != \"\" && key != \"\" {\n\t\thttpdConf.Bindings[0].EnableHTTPS = true\n\t}\n\thttpdConf.Bindings[0].EnableWebAdmin = false\n\thttpdConf.Bindings[0].EnableWebClient = true\n\thttpdConf.Bindings[0].EnableRESTAPI = false\n\thttpdConf.Bindings[0].RenderOpenAPI = false\n\tconfig.SetHTTPDConfig(httpdConf)\n}\n" }, { "path": "internal/service/service_windows.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage service\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"time\"\n\n\t\"golang.org/x/sys/windows/svc\"\n\t\"golang.org/x/sys/windows/svc/eventlog\"\n\t\"golang.org/x/sys/windows/svc/mgr\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/ftpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n\t\"github.com/drakkan/sftpgo/v2/internal/sftpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/telemetry\"\n\t\"github.com/drakkan/sftpgo/v2/internal/webdavd\"\n)\n\nconst (\n\tserviceName = \"SFTPGo\"\n\tserviceDesc = \"Full-featured and highly configurable file transfer server\"\n\trotateLogCmd = svc.Cmd(128)\n\tacceptRotateLog = svc.Accepted(rotateLogCmd)\n)\n\n// Status defines service status\ntype Status uint8\n\n// Supported values for service status\nconst (\n\tStatusUnknown Status = iota\n\tStatusRunning\n\tStatusStopped\n\tStatusPaused\n\tStatusStartPending\n\tStatusPausePending\n\tStatusContinuePending\n\tStatusStopPending\n)\n\ntype WindowsService struct {\n\tService Service\n\tisInteractive bool\n}\n\nfunc (s Status) String() string {\n\tswitch s {\n\tcase StatusRunning:\n\t\treturn \"running\"\n\tcase StatusStopped:\n\t\treturn \"stopped\"\n\tcase StatusStartPending:\n\t\treturn \"start pending\"\n\tcase StatusPausePending:\n\t\treturn \"pause pending\"\n\tcase StatusPaused:\n\t\treturn \"paused\"\n\tcase StatusContinuePending:\n\t\treturn \"continue pending\"\n\tcase StatusStopPending:\n\t\treturn \"stop pending\"\n\tdefault:\n\t\treturn \"unknown\"\n\t}\n}\n\nfunc (s *WindowsService) handleExit(wasStopped chan bool) {\n\ts.Service.Wait()\n\n\tselect {\n\tcase <-wasStopped:\n\t\t// the service was stopped nothing to do\n\t\tlogger.Info(logSender, \"\", \"Windows Service was stopped\")\n\t\treturn\n\tdefault:\n\t\t// the server failed while running, we must be sure to exit the process.\n\t\t// The defined recovery action will be executed.\n\t\tlogger.Info(logSender, \"\", \"Service wait ended, error: %v\", s.Service.Error)\n\t\tif s.Service.Error == nil {\n\t\t\tos.Exit(0)\n\t\t} else {\n\t\t\tos.Exit(1)\n\t\t}\n\t}\n}\n\nfunc (s *WindowsService) Execute(args []string, r <-chan svc.ChangeRequest, changes chan<- svc.Status) (bool, uint32) {\n\tchanges <- svc.Status{State: svc.StartPending}\n\n\tgo func() {\n\t\tif err := s.Service.Start(); err != nil {\n\t\t\tlogger.Error(logSender, \"\", \"Windows service failed to start, error: %v\", err)\n\t\t\ts.Service.Error = err\n\t\t\ts.Service.Shutdown <- true\n\t\t\treturn\n\t\t}\n\t\tlogger.Info(logSender, \"\", \"Windows service started\")\n\t\tcmdsAccepted := svc.AcceptStop | svc.AcceptShutdown | svc.AcceptParamChange | acceptRotateLog\n\t\tchanges <- svc.Status{State: svc.Running, Accepts: cmdsAccepted}\n\t}()\n\n\twasStopped := make(chan bool, 1)\n\n\tgo s.handleExit(wasStopped)\n\n\tchanges <- svc.Status{State: svc.Running, Accepts: svc.AcceptStop | svc.AcceptShutdown}\nloop:\n\tfor {\n\t\tc := <-r\n\t\tswitch c.Cmd {\n\t\tcase svc.Interrogate:\n\t\t\tlogger.Debug(logSender, \"\", \"Received service interrogate request, current status: %v\", c.CurrentStatus)\n\t\t\tchanges <- c.CurrentStatus\n\t\tcase svc.Stop, svc.Shutdown:\n\t\t\tlogger.Debug(logSender, \"\", \"Received service stop request\")\n\t\t\tchanges <- svc.Status{State: svc.StopPending}\n\t\t\twasStopped <- true\n\t\t\ts.Service.Stop()\n\t\t\tplugin.Handler.Cleanup()\n\t\t\tcommon.WaitForTransfers(graceTime)\n\t\t\tbreak loop\n\t\tcase svc.ParamChange:\n\t\t\tlogger.Debug(logSender, \"\", \"Received reload request\")\n\t\t\terr := dataprovider.ReloadConfig()\n\t\t\tif err != nil {\n\t\t\t\tlogger.Warn(logSender, \"\", \"error reloading dataprovider configuration: %v\", err)\n\t\t\t}\n\t\t\terr = httpd.ReloadCertificateMgr()\n\t\t\tif err != nil {\n\t\t\t\tlogger.Warn(logSender, \"\", \"error reloading cert manager: %v\", err)\n\t\t\t}\n\t\t\terr = ftpd.ReloadCertificateMgr()\n\t\t\tif err != nil {\n\t\t\t\tlogger.Warn(logSender, \"\", \"error reloading FTPD cert manager: %v\", err)\n\t\t\t}\n\t\t\terr = webdavd.ReloadCertificateMgr()\n\t\t\tif err != nil {\n\t\t\t\tlogger.Warn(logSender, \"\", \"error reloading WebDAV cert manager: %v\", err)\n\t\t\t}\n\t\t\terr = telemetry.ReloadCertificateMgr()\n\t\t\tif err != nil {\n\t\t\t\tlogger.Warn(logSender, \"\", \"error reloading telemetry cert manager: %v\", err)\n\t\t\t}\n\t\t\terr = common.Reload()\n\t\t\tif err != nil {\n\t\t\t\tlogger.Warn(logSender, \"\", \"error reloading common configs: %v\", err)\n\t\t\t}\n\t\t\terr = sftpd.Reload()\n\t\t\tif err != nil {\n\t\t\t\tlogger.Warn(logSender, \"\", \"error reloading sftpd revoked certificates: %v\", err)\n\t\t\t}\n\t\tcase rotateLogCmd:\n\t\t\tlogger.Debug(logSender, \"\", \"Received log file rotation request\")\n\t\t\terr := logger.RotateLogFile()\n\t\t\tif err != nil {\n\t\t\t\tlogger.Warn(logSender, \"\", \"error rotating log file: %v\", err)\n\t\t\t}\n\t\tdefault:\n\t\t\tcontinue loop\n\t\t}\n\t}\n\n\treturn false, 0\n}\n\nfunc (s *WindowsService) RunService() error {\n\texePath, err := s.getExePath()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tisService, err := svc.IsWindowsService()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\ts.isInteractive = !isService\n\tdir := filepath.Dir(exePath)\n\tif err = os.Chdir(dir); err != nil {\n\t\treturn err\n\t}\n\tif s.isInteractive {\n\t\treturn s.Start()\n\t}\n\treturn svc.Run(serviceName, s)\n}\n\nfunc (s *WindowsService) Start() error {\n\tm, err := mgr.Connect()\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer m.Disconnect()\n\tservice, err := m.OpenService(serviceName)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"could not access service: %v\", err)\n\t}\n\tdefer service.Close()\n\terr = service.Start()\n\tif err != nil {\n\t\treturn fmt.Errorf(\"could not start service: %v\", err)\n\t}\n\treturn nil\n}\n\nfunc (s *WindowsService) Reload() error {\n\tm, err := mgr.Connect()\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer m.Disconnect()\n\tservice, err := m.OpenService(serviceName)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"could not access service: %v\", err)\n\t}\n\tdefer service.Close()\n\t_, err = service.Control(svc.ParamChange)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"could not send control=%d: %v\", svc.ParamChange, err)\n\t}\n\treturn nil\n}\n\nfunc (s *WindowsService) RotateLogFile() error {\n\tm, err := mgr.Connect()\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer m.Disconnect()\n\tservice, err := m.OpenService(serviceName)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"could not access service: %v\", err)\n\t}\n\tdefer service.Close()\n\t_, err = service.Control(rotateLogCmd)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"could not send control=%d: %v\", rotateLogCmd, err)\n\t}\n\treturn nil\n}\n\nfunc (s *WindowsService) Install(args ...string) error {\n\texePath, err := s.getExePath()\n\tif err != nil {\n\t\treturn err\n\t}\n\tm, err := mgr.Connect()\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer m.Disconnect()\n\tservice, err := m.OpenService(serviceName)\n\tif err == nil {\n\t\tservice.Close()\n\t\treturn fmt.Errorf(\"service %s already exists\", serviceName)\n\t}\n\tconfig := mgr.Config{\n\t\tDisplayName: serviceName,\n\t\tDescription: serviceDesc,\n\t\tStartType: mgr.StartAutomatic}\n\tservice, err = m.CreateService(serviceName, exePath, config, args...)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer service.Close()\n\terr = eventlog.InstallAsEventCreate(serviceName, eventlog.Error|eventlog.Warning|eventlog.Info)\n\tif err != nil {\n\t\tif !strings.Contains(err.Error(), \"exists\") {\n\t\t\tservice.Delete()\n\t\t\treturn fmt.Errorf(\"SetupEventLogSource() failed: %s\", err)\n\t\t}\n\t}\n\trecoveryActions := []mgr.RecoveryAction{\n\t\t{\n\t\t\tType: mgr.ServiceRestart,\n\t\t\tDelay: 5 * time.Second,\n\t\t},\n\t\t{\n\t\t\tType: mgr.ServiceRestart,\n\t\t\tDelay: 60 * time.Second,\n\t\t},\n\t\t{\n\t\t\tType: mgr.ServiceRestart,\n\t\t\tDelay: 90 * time.Second,\n\t\t},\n\t}\n\terr = service.SetRecoveryActions(recoveryActions, 300)\n\tif err != nil {\n\t\tservice.Delete()\n\t\treturn fmt.Errorf(\"unable to set recovery actions: %v\", err)\n\t}\n\treturn nil\n}\n\nfunc (s *WindowsService) Uninstall() error {\n\tm, err := mgr.Connect()\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer m.Disconnect()\n\tservice, err := m.OpenService(serviceName)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"service %s is not installed\", serviceName)\n\t}\n\tdefer service.Close()\n\terr = service.Delete()\n\tif err != nil {\n\t\treturn err\n\t}\n\terr = eventlog.Remove(serviceName)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"RemoveEventLogSource() failed: %s\", err)\n\t}\n\treturn nil\n}\n\nfunc (s *WindowsService) Stop() error {\n\tm, err := mgr.Connect()\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer m.Disconnect()\n\tservice, err := m.OpenService(serviceName)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"could not access service: %v\", err)\n\t}\n\tdefer service.Close()\n\tstatus, err := service.Control(svc.Stop)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"could not send control=%d: %v\", svc.Stop, err)\n\t}\n\ttimeout := time.Now().Add(10 * time.Second)\n\tfor status.State != svc.Stopped {\n\t\tif timeout.Before(time.Now()) {\n\t\t\treturn fmt.Errorf(\"timeout waiting for service to go to state=%d\", svc.Stopped)\n\t\t}\n\t\ttime.Sleep(300 * time.Millisecond)\n\t\tstatus, err = service.Query()\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"could not retrieve service status: %v\", err)\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (s *WindowsService) Status() (Status, error) {\n\tm, err := mgr.Connect()\n\tif err != nil {\n\t\treturn StatusUnknown, err\n\t}\n\tdefer m.Disconnect()\n\tservice, err := m.OpenService(serviceName)\n\tif err != nil {\n\t\treturn StatusUnknown, fmt.Errorf(\"could not access service: %v\", err)\n\t}\n\tdefer service.Close()\n\tstatus, err := service.Query()\n\tif err != nil {\n\t\treturn StatusUnknown, fmt.Errorf(\"could not query service status: %v\", err)\n\t}\n\tswitch status.State {\n\tcase svc.StartPending:\n\t\treturn StatusStartPending, nil\n\tcase svc.Running:\n\t\treturn StatusRunning, nil\n\tcase svc.PausePending:\n\t\treturn StatusPausePending, nil\n\tcase svc.Paused:\n\t\treturn StatusPaused, nil\n\tcase svc.ContinuePending:\n\t\treturn StatusContinuePending, nil\n\tcase svc.StopPending:\n\t\treturn StatusStopPending, nil\n\tcase svc.Stopped:\n\t\treturn StatusStopped, nil\n\tdefault:\n\t\treturn StatusUnknown, fmt.Errorf(\"unknown status %v\", status)\n\t}\n}\n\nfunc (s *WindowsService) getExePath() (string, error) {\n\treturn os.Executable()\n}\n" }, { "path": "internal/service/signals_unix.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build !windows\n\npackage service\n\nimport (\n\t\"os\"\n\t\"os/signal\"\n\t\"syscall\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/ftpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n\t\"github.com/drakkan/sftpgo/v2/internal/sftpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/telemetry\"\n\t\"github.com/drakkan/sftpgo/v2/internal/webdavd\"\n)\n\nfunc registerSignals() {\n\tc := make(chan os.Signal, 1)\n\tsignal.Notify(c, syscall.SIGINT, syscall.SIGTERM, syscall.SIGHUP, syscall.SIGUSR1)\n\tgo func() {\n\t\tfor sig := range c {\n\t\t\tswitch sig {\n\t\t\tcase syscall.SIGHUP:\n\t\t\t\thandleSIGHUP()\n\t\t\tcase syscall.SIGUSR1:\n\t\t\t\thandleSIGUSR1()\n\t\t\tcase syscall.SIGINT, syscall.SIGTERM:\n\t\t\t\thandleInterrupt()\n\t\t\t}\n\t\t}\n\t}()\n}\n\nfunc handleSIGHUP() {\n\tlogger.Debug(logSender, \"\", \"Received reload request\")\n\terr := dataprovider.ReloadConfig()\n\tif err != nil {\n\t\tlogger.Warn(logSender, \"\", \"error reloading dataprovider configuration: %v\", err)\n\t}\n\terr = httpd.ReloadCertificateMgr()\n\tif err != nil {\n\t\tlogger.Warn(logSender, \"\", \"error reloading cert manager: %v\", err)\n\t}\n\terr = ftpd.ReloadCertificateMgr()\n\tif err != nil {\n\t\tlogger.Warn(logSender, \"\", \"error reloading FTPD cert manager: %v\", err)\n\t}\n\terr = webdavd.ReloadCertificateMgr()\n\tif err != nil {\n\t\tlogger.Warn(logSender, \"\", \"error reloading WebDAV cert manager: %v\", err)\n\t}\n\terr = telemetry.ReloadCertificateMgr()\n\tif err != nil {\n\t\tlogger.Warn(logSender, \"\", \"error reloading telemetry cert manager: %v\", err)\n\t}\n\terr = common.Reload()\n\tif err != nil {\n\t\tlogger.Warn(logSender, \"\", \"error reloading common configs: %v\", err)\n\t}\n\terr = sftpd.Reload()\n\tif err != nil {\n\t\tlogger.Warn(logSender, \"\", \"error reloading sftpd revoked certificates: %v\", err)\n\t}\n}\n\nfunc handleSIGUSR1() {\n\tlogger.Debug(logSender, \"\", \"Received log file rotation request\")\n\terr := logger.RotateLogFile()\n\tif err != nil {\n\t\tlogger.Warn(logSender, \"\", \"error rotating log file: %v\", err)\n\t}\n}\n\nfunc handleInterrupt() {\n\tlogger.Debug(logSender, \"\", \"Received interrupt request\")\n\tplugin.Handler.Cleanup()\n\tcommon.WaitForTransfers(graceTime)\n\tos.Exit(0)\n}\n" }, { "path": "internal/service/signals_windows.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage service\n\nimport (\n\t\"os\"\n\t\"os/signal\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n)\n\nfunc registerSignals() {\n\tc := make(chan os.Signal, 1)\n\tsignal.Notify(c, os.Interrupt)\n\tgo func() {\n\t\tfor range c {\n\t\t\tlogger.Debug(logSender, \"\", \"Received interrupt request\")\n\t\t\tplugin.Handler.Cleanup()\n\t\t\tcommon.WaitForTransfers(graceTime)\n\t\t\tos.Exit(0)\n\t\t}\n\t}()\n}\n" }, { "path": "internal/sftpd/cryptfs_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage sftpd_test\n\nimport (\n\t\"crypto/sha256\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"os\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/minio/sio\"\n\t\"github.com/sftpgo/sdk\"\n\t\"github.com/stretchr/testify/assert\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpdtest\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nconst (\n\ttestPassphrase = \"test passphrase\"\n)\n\nfunc TestBasicSFTPCryptoHandling(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUserWithCryptFs(usePubKey)\n\tu.QuotaSize = 6553600\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\tencryptedFileSize, err := getEncryptedFileSize(testFileSize)\n\t\tassert.NoError(t, err)\n\t\texpectedQuotaSize := user.UsedQuotaSize + encryptedFileSize\n\t\texpectedQuotaFiles := user.UsedQuotaFiles + 1\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(\"/missing_dir\", testFileName), testFileSize, client)\n\t\tassert.Error(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = sftpDownloadFile(testFileName, localDownloadPath, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tinitialHash, err := computeHashForFile(sha256.New(), testFilePath)\n\t\tassert.NoError(t, err)\n\t\tdownloadedFileHash, err := computeHashForFile(sha256.New(), localDownloadPath)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, initialHash, downloadedFileHash)\n\t\tinfo, err := os.Stat(filepath.Join(user.HomeDir, testFileName))\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, encryptedFileSize, info.Size())\n\t\t}\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\tresult, err := client.ReadDir(\".\")\n\t\tassert.NoError(t, err)\n\t\tif assert.Len(t, result, 1) {\n\t\t\tassert.Equal(t, testFileSize, result[0].Size())\n\t\t}\n\t\tinfo, err = client.Stat(testFileName)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, testFileSize, info.Size())\n\t\t}\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Lstat(testFileName)\n\t\tassert.Error(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, expectedQuotaFiles-1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, expectedQuotaSize-encryptedFileSize, user.UsedQuotaSize)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestOpenReadWriteCryptoFs(t *testing.T) {\n\t// read and write is not supported on crypto fs\n\tusePubKey := false\n\tu := getTestUserWithCryptFs(usePubKey)\n\tu.QuotaSize = 6553600\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tsftpFile, err := client.OpenFile(testFileName, os.O_RDWR|os.O_CREATE|os.O_TRUNC)\n\t\tif assert.NoError(t, err) {\n\t\t\ttestData := []byte(\"sample test data\")\n\t\t\tn, err := sftpFile.Write(testData)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, len(testData), n)\n\t\t\tbuffer := make([]byte, 128)\n\t\t\t_, err = sftpFile.ReadAt(buffer, 1)\n\t\t\tif assert.Error(t, err) {\n\t\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_OP_UNSUPPORTED\")\n\t\t\t}\n\t\t\terr = sftpFile.Close()\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestEmptyFile(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUserWithCryptFs(usePubKey)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tsftpFile, err := client.OpenFile(testFileName, os.O_RDWR|os.O_CREATE|os.O_TRUNC)\n\t\tif assert.NoError(t, err) {\n\t\t\ttestData := []byte(\"\")\n\t\t\tn, err := sftpFile.Write(testData)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, len(testData), n)\n\t\t\terr = sftpFile.Close()\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t\tinfo, err := client.Stat(testFileName)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, int64(0), info.Size())\n\t\t}\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = sftpDownloadFile(testFileName, localDownloadPath, 0, client)\n\t\tassert.NoError(t, err)\n\t\tencryptedFileSize, err := getEncryptedFileSize(0)\n\t\tassert.NoError(t, err)\n\t\tinfo, err = os.Stat(filepath.Join(user.HomeDir, testFileName))\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, encryptedFileSize, info.Size())\n\t\t}\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestUploadResumeCryptFs(t *testing.T) {\n\t// resuming uploads is not supported\n\tusePubKey := true\n\tu := getTestUserWithCryptFs(usePubKey)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\tappendDataSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = appendToTestFile(testFilePath, appendDataSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadResumeFile(testFilePath, testFileName, testFileSize, false, client)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_OP_UNSUPPORTED\")\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestQuotaFileReplaceCryptFs(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUserWithCryptFs(usePubKey)\n\tu.QuotaFiles = 1000\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\ttestFileSize := int64(65535)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\tencryptedFileSize, err := getEncryptedFileSize(testFileSize)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) { //nolint:dupl\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\texpectedQuotaSize := user.UsedQuotaSize + encryptedFileSize\n\t\texpectedQuotaFiles := user.UsedQuotaFiles + 1\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\t// now replace the same file, the quota must not change\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\t// now create a symlink, replace it with a file and check the quota\n\t\t// replacing a symlink is like uploading a new file\n\t\terr = client.Symlink(testFileName, testFileName+\".link\") //nolint:goconst\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\texpectedQuotaFiles = expectedQuotaFiles + 1\n\t\texpectedQuotaSize = expectedQuotaSize + encryptedFileSize\n\t\terr = sftpUploadFile(testFilePath, testFileName+\".link\", testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t}\n\t// now set a quota size restriction and upload the same file, upload should fail for space limit exceeded\n\tuser.QuotaSize = encryptedFileSize*2 - 1\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.Error(t, err, \"quota size exceeded, file upload must fail\")\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestQuotaScanCryptFs(t *testing.T) {\n\tusePubKey := false\n\tuser, _, err := httpdtest.AddUser(getTestUserWithCryptFs(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestFileSize := int64(65535)\n\tencryptedFileSize, err := getEncryptedFileSize(testFileSize)\n\tassert.NoError(t, err)\n\texpectedQuotaSize := user.UsedQuotaSize + encryptedFileSize\n\texpectedQuotaFiles := user.UsedQuotaFiles + 1\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t// create user with the same home dir, so there is at least an untracked file\n\tuser, _, err = httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.StartQuotaScan(user, http.StatusAccepted)\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool {\n\t\tscans, _, err := httpdtest.GetQuotaScans(http.StatusOK)\n\t\tif err == nil {\n\t\t\treturn len(scans) == 0\n\t\t}\n\t\treturn false\n\t}, 1*time.Second, 50*time.Millisecond)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestGetMimeTypeCryptFs(t *testing.T) {\n\tusePubKey := true\n\tuser, _, err := httpdtest.AddUser(getTestUserWithCryptFs(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tsftpFile, err := client.OpenFile(testFileName, os.O_RDWR|os.O_CREATE|os.O_TRUNC)\n\t\tif assert.NoError(t, err) {\n\t\t\ttestData := []byte(\"some UTF-8 text so we should get a text/plain mime type\")\n\t\t\tn, err := sftpFile.Write(testData)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, len(testData), n)\n\t\t\terr = sftpFile.Close()\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t}\n\n\tuser.FsConfig.CryptConfig.Passphrase = kms.NewPlainSecret(testPassphrase)\n\tfs, err := user.GetFilesystem(\"connID\")\n\tif assert.NoError(t, err) {\n\t\tassert.True(t, vfs.IsCryptOsFs(fs))\n\t\tmime, err := fs.GetMimeType(filepath.Join(user.GetHomeDir(), testFileName))\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, \"text/plain; charset=utf-8\", mime)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestTruncate(t *testing.T) {\n\t// truncate is not supported\n\tusePubKey := true\n\tuser, _, err := httpdtest.AddUser(getTestUserWithCryptFs(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tf, err := client.OpenFile(testFileName, os.O_WRONLY|os.O_CREATE)\n\t\tif assert.NoError(t, err) {\n\t\t\terr = f.Truncate(0)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = f.Truncate(1)\n\t\t\tassert.Error(t, err)\n\t\t}\n\t\terr = f.Close()\n\t\tassert.NoError(t, err)\n\t\terr = client.Truncate(testFileName, 0)\n\t\tassert.Error(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSCPBasicHandlingCryptoFs(t *testing.T) {\n\tif scpPath == \"\" {\n\t\tt.Skip(\"scp command not found, unable to execute this test\")\n\t}\n\tusePubKey := true\n\tu := getTestUserWithCryptFs(usePubKey)\n\tu.QuotaSize = 6553600\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(131074)\n\tencryptedFileSize, err := getEncryptedFileSize(testFileSize)\n\tassert.NoError(t, err)\n\texpectedQuotaSize := user.UsedQuotaSize + encryptedFileSize\n\texpectedQuotaFiles := user.UsedQuotaFiles + 1\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\tremoteUpPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, \"/\")\n\tremoteDownPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, path.Join(\"/\", testFileName))\n\tlocalPath := filepath.Join(homeBasePath, \"scp_download.dat\")\n\t// test to download a missing file\n\terr = scpDownload(localPath, remoteDownPath, false, false)\n\tassert.Error(t, err, \"downloading a missing file via scp must fail\")\n\terr = scpUpload(testFilePath, remoteUpPath, false, false)\n\tassert.NoError(t, err)\n\terr = scpDownload(localPath, remoteDownPath, false, false)\n\tassert.NoError(t, err)\n\tfi, err := os.Stat(localPath)\n\tif assert.NoError(t, err) {\n\t\tassert.Equal(t, testFileSize, fi.Size())\n\t}\n\tfi, err = os.Stat(filepath.Join(user.GetHomeDir(), testFileName))\n\tif assert.NoError(t, err) {\n\t\tassert.Equal(t, encryptedFileSize, fi.Size())\n\t}\n\terr = os.Remove(localPath)\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t// now overwrite the existing file\n\terr = scpUpload(testFilePath, remoteUpPath, false, false)\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n}\n\nfunc TestSCPRecursiveCryptFs(t *testing.T) {\n\tif scpPath == \"\" {\n\t\tt.Skip(\"scp command not found, unable to execute this test\")\n\t}\n\tusePubKey := true\n\tu := getTestUserWithCryptFs(usePubKey)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestBaseDirName := \"atestdir\"\n\ttestBaseDirPath := filepath.Join(homeBasePath, testBaseDirName)\n\ttestBaseDirDownName := \"test_dir_down\" //nolint:goconst\n\ttestBaseDirDownPath := filepath.Join(homeBasePath, testBaseDirDownName)\n\ttestFilePath := filepath.Join(homeBasePath, testBaseDirName, testFileName)\n\ttestFilePath1 := filepath.Join(homeBasePath, testBaseDirName, testBaseDirName, testFileName)\n\ttestFileSize := int64(131074)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\terr = createTestFile(testFilePath1, testFileSize)\n\tassert.NoError(t, err)\n\tremoteDownPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, path.Join(\"/\", testBaseDirName))\n\tremoteUpPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, \"/\")\n\terr = scpUpload(testBaseDirPath, remoteUpPath, true, false)\n\tassert.NoError(t, err)\n\t// overwrite existing dir\n\terr = scpUpload(testBaseDirPath, remoteUpPath, true, false)\n\tassert.NoError(t, err)\n\terr = scpDownload(testBaseDirDownPath, remoteDownPath, true, true)\n\tassert.NoError(t, err)\n\t// test download without passing -r\n\terr = scpDownload(testBaseDirDownPath, remoteDownPath, true, false)\n\tassert.Error(t, err, \"recursive download without -r must fail\")\n\n\tfi, err := os.Stat(filepath.Join(testBaseDirDownPath, testFileName))\n\tif assert.NoError(t, err) {\n\t\tassert.Equal(t, testFileSize, fi.Size())\n\t}\n\tfi, err = os.Stat(filepath.Join(testBaseDirDownPath, testBaseDirName, testFileName))\n\tif assert.NoError(t, err) {\n\t\tassert.Equal(t, testFileSize, fi.Size())\n\t}\n\t// upload to a non existent dir\n\tremoteUpPath = fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, \"/non_existent_dir\")\n\terr = scpUpload(testBaseDirPath, remoteUpPath, true, false)\n\tassert.Error(t, err, \"uploading via scp to a non existent dir must fail\")\n\n\terr = os.RemoveAll(testBaseDirPath)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(testBaseDirDownPath)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc getEncryptedFileSize(size int64) (int64, error) {\n\tencSize, err := sio.EncryptedSize(uint64(size))\n\treturn int64(encSize) + 33, err\n}\n\nfunc getTestUserWithCryptFs(usePubKey bool) dataprovider.User {\n\tu := getTestUser(usePubKey)\n\tu.FsConfig.Provider = sdk.CryptedFilesystemProvider\n\tu.FsConfig.CryptConfig.Passphrase = kms.NewPlainSecret(testPassphrase)\n\treturn u\n}\n" }, { "path": "internal/sftpd/handler.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage sftpd\n\nimport (\n\t\"io\"\n\t\"net\"\n\t\"os\"\n\t\"path\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/pkg/sftp\"\n\t\"github.com/sftpgo/sdk\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\n// Connection details for an authenticated user\ntype Connection struct {\n\t*common.BaseConnection\n\t// client's version string\n\tClientVersion string\n\t// Remote address for this connection\n\tRemoteAddr net.Addr\n\tLocalAddr net.Addr\n\tchannel io.ReadWriteCloser\n\tcommand string\n}\n\n// GetClientVersion returns the connected client's version\nfunc (c *Connection) GetClientVersion() string {\n\treturn c.ClientVersion\n}\n\n// GetLocalAddress returns local connection address\nfunc (c *Connection) GetLocalAddress() string {\n\tif c.LocalAddr == nil {\n\t\treturn \"\"\n\t}\n\treturn c.LocalAddr.String()\n}\n\n// GetRemoteAddress returns the connected client's address\nfunc (c *Connection) GetRemoteAddress() string {\n\tif c.RemoteAddr == nil {\n\t\treturn \"\"\n\t}\n\treturn c.RemoteAddr.String()\n}\n\n// GetCommand returns the SSH command, if any\nfunc (c *Connection) GetCommand() string {\n\treturn c.command\n}\n\n// Fileread creates a reader for a file on the system and returns the reader back.\nfunc (c *Connection) Fileread(request *sftp.Request) (io.ReaderAt, error) {\n\tc.UpdateLastActivity()\n\tupdateRequestPaths(request)\n\n\tif !c.User.HasPerm(dataprovider.PermDownload, path.Dir(request.Filepath)) {\n\t\treturn nil, sftp.ErrSSHFxPermissionDenied\n\t}\n\tif err := common.Connections.IsNewTransferAllowed(c.User.Username); err != nil {\n\t\tc.Log(logger.LevelInfo, \"denying file read due to transfer count limits\")\n\t\treturn nil, c.GetPermissionDeniedError()\n\t}\n\ttransferQuota := c.GetTransferQuota()\n\tif !transferQuota.HasDownloadSpace() {\n\t\tc.Log(logger.LevelInfo, \"denying file read due to quota limits\")\n\t\treturn nil, c.GetReadQuotaExceededError()\n\t}\n\n\tif ok, policy := c.User.IsFileAllowed(request.Filepath); !ok {\n\t\tc.Log(logger.LevelWarn, \"reading file %q is not allowed\", request.Filepath)\n\t\treturn nil, c.GetErrorForDeniedFile(policy)\n\t}\n\n\tfs, p, err := c.GetFsAndResolvedPath(request.Filepath)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tif _, err := common.ExecutePreAction(c.BaseConnection, common.OperationPreDownload, p, request.Filepath, 0, 0); err != nil {\n\t\tc.Log(logger.LevelDebug, \"download for file %q denied by pre action: %v\", request.Filepath, err)\n\t\treturn nil, c.GetPermissionDeniedError()\n\t}\n\n\tfile, r, cancelFn, err := fs.Open(p, 0)\n\tif err != nil {\n\t\tc.Log(logger.LevelError, \"could not open file %q for reading: %+v\", p, err)\n\t\treturn nil, c.GetFsError(fs, err)\n\t}\n\n\tbaseTransfer := common.NewBaseTransfer(file, c.BaseConnection, cancelFn, p, p, request.Filepath, common.TransferDownload,\n\t\t0, 0, 0, 0, false, fs, transferQuota)\n\tt := newTransfer(baseTransfer, nil, r, nil)\n\n\treturn t, nil\n}\n\n// OpenFile implements OpenFileWriter interface\nfunc (c *Connection) OpenFile(request *sftp.Request) (sftp.WriterAtReaderAt, error) {\n\treturn c.handleFilewrite(request)\n}\n\n// Filewrite handles the write actions for a file on the system.\nfunc (c *Connection) Filewrite(request *sftp.Request) (io.WriterAt, error) {\n\treturn c.handleFilewrite(request)\n}\n\nfunc (c *Connection) handleFilewrite(request *sftp.Request) (sftp.WriterAtReaderAt, error) { //nolint:gocyclo\n\tc.UpdateLastActivity()\n\tupdateRequestPaths(request)\n\n\tif err := common.Connections.IsNewTransferAllowed(c.User.Username); err != nil {\n\t\tc.Log(logger.LevelInfo, \"denying file write due to transfer count limits\")\n\t\treturn nil, c.GetPermissionDeniedError()\n\t}\n\n\tif ok, _ := c.User.IsFileAllowed(request.Filepath); !ok {\n\t\tc.Log(logger.LevelWarn, \"writing file %q is not allowed\", request.Filepath)\n\t\treturn nil, c.GetPermissionDeniedError()\n\t}\n\n\tfs, p, err := c.GetFsAndResolvedPath(request.Filepath)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tfilePath := p\n\tif common.Config.IsAtomicUploadEnabled() && fs.IsAtomicUploadSupported() {\n\t\tfilePath = fs.GetAtomicUploadPath(p)\n\t}\n\n\tvar errForRead error\n\tif !vfs.HasOpenRWSupport(fs) && request.Pflags().Read {\n\t\t// read and write mode is only supported for local filesystem\n\t\terrForRead = sftp.ErrSSHFxOpUnsupported\n\t}\n\tif !c.User.HasPerm(dataprovider.PermDownload, path.Dir(request.Filepath)) {\n\t\t// we can try to read only for local fs here, see above.\n\t\t// os.ErrPermission will become sftp.ErrSSHFxPermissionDenied when sent to\n\t\t// the client\n\t\terrForRead = os.ErrPermission\n\t}\n\n\tstat, statErr := fs.Lstat(p)\n\tif (statErr == nil && stat.Mode()&os.ModeSymlink != 0) || fs.IsNotExist(statErr) {\n\t\tif !c.User.HasPerm(dataprovider.PermUpload, path.Dir(request.Filepath)) {\n\t\t\treturn nil, sftp.ErrSSHFxPermissionDenied\n\t\t}\n\t\treturn c.handleSFTPUploadToNewFile(fs, request.Pflags(), p, filePath, request.Filepath, errForRead)\n\t}\n\n\tif statErr != nil {\n\t\tc.Log(logger.LevelError, \"error performing file stat %q: %+v\", p, statErr)\n\t\treturn nil, c.GetFsError(fs, statErr)\n\t}\n\n\t// This happen if we upload a file that has the same name of an existing directory\n\tif stat.IsDir() {\n\t\tc.Log(logger.LevelError, \"attempted to open a directory for writing to: %q\", p)\n\t\treturn nil, sftp.ErrSSHFxOpUnsupported\n\t}\n\n\tif !c.User.HasPerm(dataprovider.PermOverwrite, path.Dir(request.Filepath)) {\n\t\treturn nil, sftp.ErrSSHFxPermissionDenied\n\t}\n\n\treturn c.handleSFTPUploadToExistingFile(fs, request.Pflags(), p, filePath, stat.Size(), request.Filepath, errForRead)\n}\n\n// Filecmd hander for basic SFTP system calls related to files, but not anything to do with reading\n// or writing to those files.\nfunc (c *Connection) Filecmd(request *sftp.Request) error {\n\tc.UpdateLastActivity()\n\tupdateRequestPaths(request)\n\n\tswitch request.Method {\n\tcase \"Setstat\":\n\t\treturn c.handleSFTPSetstat(request)\n\tcase \"Rename\":\n\t\tif err := c.Rename(request.Filepath, request.Target); err != nil {\n\t\t\treturn err\n\t\t}\n\tcase \"Rmdir\":\n\t\treturn c.RemoveDir(request.Filepath)\n\tcase \"Mkdir\":\n\t\terr := c.CreateDir(request.Filepath, true)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\tcase \"Symlink\":\n\t\tif err := c.CreateSymlink(request.Filepath, request.Target); err != nil {\n\t\t\treturn err\n\t\t}\n\tcase \"Remove\":\n\t\treturn c.handleSFTPRemove(request)\n\tdefault:\n\t\treturn sftp.ErrSSHFxOpUnsupported\n\t}\n\n\treturn sftp.ErrSSHFxOk\n}\n\n// Filelist is the handler for SFTP filesystem list calls. This will handle calls to list the contents of\n// a directory as well as perform file/folder stat calls.\nfunc (c *Connection) Filelist(request *sftp.Request) (sftp.ListerAt, error) {\n\tc.UpdateLastActivity()\n\tupdateRequestPaths(request)\n\n\tswitch request.Method {\n\tcase \"List\":\n\t\tlister, err := c.ListDir(request.Filepath)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tmodTime := time.Unix(0, 0)\n\t\tif request.Filepath != \"/\" {\n\t\t\tlister.Prepend(vfs.NewFileInfo(\"..\", true, 0, modTime, false))\n\t\t}\n\t\tlister.Prepend(vfs.NewFileInfo(\".\", true, 0, modTime, false))\n\t\treturn lister, nil\n\tcase \"Stat\":\n\t\tif !c.User.HasPerm(dataprovider.PermListItems, path.Dir(request.Filepath)) {\n\t\t\treturn nil, sftp.ErrSSHFxPermissionDenied\n\t\t}\n\n\t\ts, err := c.DoStat(request.Filepath, 0, true)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\treturn listerAt([]os.FileInfo{s}), nil\n\tdefault:\n\t\treturn nil, sftp.ErrSSHFxOpUnsupported\n\t}\n}\n\n// Readlink implements the ReadlinkFileLister interface\nfunc (c *Connection) Readlink(filePath string) (string, error) {\n\tfilePath = util.CleanPath(filePath)\n\tif err := c.canReadLink(filePath); err != nil {\n\t\treturn \"\", err\n\t}\n\n\tfs, p, err := c.GetFsAndResolvedPath(filePath)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\ts, err := fs.Readlink(p)\n\tif err != nil {\n\t\tc.Log(logger.LevelDebug, \"error running readlink on path %q: %+v\", p, err)\n\t\treturn \"\", c.GetFsError(fs, err)\n\t}\n\n\tif err := c.canReadLink(s); err != nil {\n\t\treturn \"\", err\n\t}\n\treturn s, nil\n}\n\n// Lstat implements LstatFileLister interface\nfunc (c *Connection) Lstat(request *sftp.Request) (sftp.ListerAt, error) {\n\tc.UpdateLastActivity()\n\tupdateRequestPaths(request)\n\n\tif !c.User.HasPerm(dataprovider.PermListItems, path.Dir(request.Filepath)) {\n\t\treturn nil, sftp.ErrSSHFxPermissionDenied\n\t}\n\n\ts, err := c.DoStat(request.Filepath, 1, true)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn listerAt([]os.FileInfo{s}), nil\n}\n\n// RealPath implements the RealPathFileLister interface\nfunc (c *Connection) RealPath(p string) (string, error) {\n\tif c.User.Filters.StartDirectory == \"\" {\n\t\tp = util.CleanPath(p)\n\t} else {\n\t\tp = util.CleanPathWithBase(c.User.Filters.StartDirectory, p)\n\t}\n\tif !c.User.HasPerm(dataprovider.PermListItems, path.Dir(p)) {\n\t\treturn \"\", sftp.ErrSSHFxPermissionDenied\n\t}\n\tfs, fsPath, err := c.GetFsAndResolvedPath(p)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tif realPather, ok := fs.(vfs.FsRealPather); ok {\n\t\trealPath, err := realPather.RealPath(fsPath)\n\t\tif err != nil {\n\t\t\treturn \"\", c.GetFsError(fs, err)\n\t\t}\n\t\treturn realPath, nil\n\t}\n\treturn p, nil\n}\n\n// StatVFS implements StatVFSFileCmder interface\nfunc (c *Connection) StatVFS(r *sftp.Request) (*sftp.StatVFS, error) {\n\tc.UpdateLastActivity()\n\tupdateRequestPaths(r)\n\n\t// we are assuming that r.Filepath is a dir, this could be wrong but should\n\t// not produce any side effect here.\n\t// we don't consider c.User.Filters.MaxUploadFileSize, we return disk stats here\n\t// not the limit for a single file upload\n\tquotaResult, _ := c.HasSpace(true, true, path.Join(r.Filepath, \"fakefile.txt\"))\n\n\tfs, p, err := c.GetFsAndResolvedPath(r.Filepath)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tif !quotaResult.HasSpace {\n\t\treturn c.getStatVFSFromQuotaResult(fs, p, quotaResult)\n\t}\n\n\tif quotaResult.QuotaSize == 0 && quotaResult.QuotaFiles == 0 {\n\t\t// no quota restrictions\n\t\tstatvfs, err := fs.GetAvailableDiskSize(p)\n\t\tif err == vfs.ErrStorageSizeUnavailable {\n\t\t\treturn c.getStatVFSFromQuotaResult(fs, p, quotaResult)\n\t\t}\n\t\treturn statvfs, err\n\t}\n\n\t// there is free space but some limits are configured\n\treturn c.getStatVFSFromQuotaResult(fs, p, quotaResult)\n}\n\nfunc (c *Connection) canReadLink(name string) error {\n\tif !c.User.HasPerm(dataprovider.PermListItems, path.Dir(name)) {\n\t\treturn sftp.ErrSSHFxPermissionDenied\n\t}\n\tok, policy := c.User.IsFileAllowed(name)\n\tif !ok && policy == sdk.DenyPolicyHide {\n\t\treturn sftp.ErrSSHFxNoSuchFile\n\t}\n\treturn nil\n}\n\nfunc (c *Connection) handleSFTPSetstat(request *sftp.Request) error {\n\tattrs := common.StatAttributes{\n\t\tFlags: 0,\n\t}\n\tif request.Attributes() != nil {\n\t\tif request.AttrFlags().Permissions {\n\t\t\tattrs.Flags |= common.StatAttrPerms\n\t\t\tattrs.Mode = request.Attributes().FileMode()\n\t\t}\n\t\tif request.AttrFlags().UidGid {\n\t\t\tattrs.Flags |= common.StatAttrUIDGID\n\t\t\tattrs.UID = int(request.Attributes().UID)\n\t\t\tattrs.GID = int(request.Attributes().GID)\n\t\t}\n\t\tif request.AttrFlags().Acmodtime {\n\t\t\tattrs.Flags |= common.StatAttrTimes\n\t\t\tattrs.Atime = time.Unix(int64(request.Attributes().Atime), 0)\n\t\t\tattrs.Mtime = time.Unix(int64(request.Attributes().Mtime), 0)\n\t\t}\n\t\tif request.AttrFlags().Size {\n\t\t\tattrs.Flags |= common.StatAttrSize\n\t\t\tattrs.Size = int64(request.Attributes().Size)\n\t\t}\n\t}\n\n\treturn c.SetStat(request.Filepath, &attrs)\n}\n\nfunc (c *Connection) handleSFTPRemove(request *sftp.Request) error {\n\tfs, fsPath, err := c.GetFsAndResolvedPath(request.Filepath)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tvar fi os.FileInfo\n\tif fi, err = fs.Lstat(fsPath); err != nil {\n\t\tc.Log(logger.LevelDebug, \"failed to remove file %q: stat error: %+v\", fsPath, err)\n\t\treturn c.GetFsError(fs, err)\n\t}\n\tif fi.IsDir() && fi.Mode()&os.ModeSymlink == 0 {\n\t\tc.Log(logger.LevelDebug, \"cannot remove %q is not a file/symlink\", fsPath)\n\t\treturn sftp.ErrSSHFxFailure\n\t}\n\n\treturn c.RemoveFile(fs, fsPath, request.Filepath, fi)\n}\n\nfunc (c *Connection) handleSFTPUploadToNewFile(fs vfs.Fs, pflags sftp.FileOpenFlags, resolvedPath, filePath, requestPath string, errForRead error) (sftp.WriterAtReaderAt, error) {\n\tdiskQuota, transferQuota := c.HasSpace(true, false, requestPath)\n\tif !diskQuota.HasSpace || !transferQuota.HasUploadSpace() {\n\t\tc.Log(logger.LevelInfo, \"denying file write due to quota limits\")\n\t\treturn nil, c.GetQuotaExceededError()\n\t}\n\n\tif _, err := common.ExecutePreAction(c.BaseConnection, common.OperationPreUpload, resolvedPath, requestPath, 0, 0); err != nil {\n\t\tc.Log(logger.LevelDebug, \"upload for file %q denied by pre action: %v\", requestPath, err)\n\t\treturn nil, c.GetPermissionDeniedError()\n\t}\n\n\tosFlags := getOSOpenFlags(pflags)\n\tfile, w, cancelFn, err := fs.Create(filePath, osFlags, c.GetCreateChecks(requestPath, true, false))\n\tif err != nil {\n\t\tc.Log(logger.LevelError, \"error creating file %q, os flags %d, pflags %+v: %+v\", resolvedPath, osFlags, pflags, err)\n\t\treturn nil, c.GetFsError(fs, err)\n\t}\n\n\tvfs.SetPathPermissions(fs, filePath, c.User.GetUID(), c.User.GetGID())\n\n\t// we can get an error only for resume\n\tmaxWriteSize, _ := c.GetMaxWriteSize(diskQuota, false, 0, fs.IsUploadResumeSupported())\n\n\tbaseTransfer := common.NewBaseTransfer(file, c.BaseConnection, cancelFn, resolvedPath, filePath, requestPath,\n\t\tcommon.TransferUpload, 0, 0, maxWriteSize, 0, true, fs, transferQuota)\n\tt := newTransfer(baseTransfer, w, nil, errForRead)\n\n\treturn t, nil\n}\n\nfunc (c *Connection) handleSFTPUploadToExistingFile(fs vfs.Fs, pflags sftp.FileOpenFlags, resolvedPath, filePath string,\n\tfileSize int64, requestPath string, errForRead error) (sftp.WriterAtReaderAt, error) {\n\tvar err error\n\tdiskQuota, transferQuota := c.HasSpace(false, false, requestPath)\n\tif !diskQuota.HasSpace || !transferQuota.HasUploadSpace() {\n\t\tc.Log(logger.LevelInfo, \"denying file write due to quota limits\")\n\t\treturn nil, c.GetQuotaExceededError()\n\t}\n\n\tosFlags := getOSOpenFlags(pflags)\n\tminWriteOffset := int64(0)\n\tisTruncate := osFlags&os.O_TRUNC != 0\n\t// for upload resumes OpenSSH sets the APPEND flag while WinSCP does not set it,\n\t// so we suppose this is an upload resume if the TRUNCATE flag is not set\n\tisResume := !isTruncate\n\t// if there is a size limit the remaining size cannot be 0 here, since quotaResult.HasSpace\n\t// will return false in this case and we deny the upload before.\n\t// For Cloud FS GetMaxWriteSize will return unsupported operation\n\tmaxWriteSize, err := c.GetMaxWriteSize(diskQuota, isResume, fileSize, vfs.IsUploadResumeSupported(fs, fileSize))\n\tif err != nil {\n\t\tc.Log(logger.LevelDebug, \"unable to get max write size for file %q is resume? %t: %v\",\n\t\t\trequestPath, isResume, err)\n\t\treturn nil, err\n\t}\n\n\tif _, err := common.ExecutePreAction(c.BaseConnection, common.OperationPreUpload, resolvedPath, requestPath, fileSize, osFlags); err != nil {\n\t\tc.Log(logger.LevelDebug, \"upload for file %q denied by pre action: %v\", requestPath, err)\n\t\treturn nil, c.GetPermissionDeniedError()\n\t}\n\n\tif common.Config.IsAtomicUploadEnabled() && fs.IsAtomicUploadSupported() {\n\t\t_, _, err = fs.Rename(resolvedPath, filePath, 0)\n\t\tif err != nil {\n\t\t\tc.Log(logger.LevelError, \"error renaming existing file for atomic upload, source: %q, dest: %q, err: %+v\",\n\t\t\t\tresolvedPath, filePath, err)\n\t\t\treturn nil, c.GetFsError(fs, err)\n\t\t}\n\t}\n\n\tfile, w, cancelFn, err := fs.Create(filePath, osFlags, c.GetCreateChecks(requestPath, false, isResume))\n\tif err != nil {\n\t\tc.Log(logger.LevelError, \"error opening existing file, os flags %v, pflags: %+v, source: %q, err: %+v\",\n\t\t\tosFlags, pflags, filePath, err)\n\t\treturn nil, c.GetFsError(fs, err)\n\t}\n\n\tinitialSize := int64(0)\n\ttruncatedSize := int64(0) // bytes truncated and not included in quota\n\tif isResume {\n\t\tc.Log(logger.LevelDebug, \"resuming upload requested, file path %q initial size: %d, has append flag %t\",\n\t\t\tfilePath, fileSize, pflags.Append)\n\t\t// enforce min write offset only if the client passed the APPEND flag or the filesystem\n\t\t// supports emulated resume\n\t\tif pflags.Append || !fs.IsUploadResumeSupported() {\n\t\t\tminWriteOffset = fileSize\n\t\t}\n\t\tinitialSize = fileSize\n\t} else {\n\t\tif isTruncate && vfs.HasTruncateSupport(fs) {\n\t\t\tc.updateQuotaAfterTruncate(requestPath, fileSize)\n\t\t} else {\n\t\t\tinitialSize = fileSize\n\t\t\ttruncatedSize = fileSize\n\t\t}\n\t}\n\n\tvfs.SetPathPermissions(fs, filePath, c.User.GetUID(), c.User.GetGID())\n\n\tbaseTransfer := common.NewBaseTransfer(file, c.BaseConnection, cancelFn, resolvedPath, filePath, requestPath,\n\t\tcommon.TransferUpload, minWriteOffset, initialSize, maxWriteSize, truncatedSize, false, fs, transferQuota)\n\tt := newTransfer(baseTransfer, w, nil, errForRead)\n\n\treturn t, nil\n}\n\n// Disconnect disconnects the client by closing the channel\nfunc (c *Connection) Disconnect() error {\n\tif c.channel == nil {\n\t\tc.Log(logger.LevelWarn, \"cannot disconnect a nil channel\")\n\t\treturn nil\n\t}\n\treturn c.channel.Close()\n}\n\nfunc (c *Connection) getStatVFSFromQuotaResult(fs vfs.Fs, name string, quotaResult vfs.QuotaCheckResult) (*sftp.StatVFS, error) {\n\ts, err := fs.GetAvailableDiskSize(name)\n\tif err == nil {\n\t\tif quotaResult.QuotaSize == 0 || quotaResult.QuotaSize > int64(s.TotalSpace()) {\n\t\t\tquotaResult.QuotaSize = int64(s.TotalSpace())\n\t\t}\n\t\tif quotaResult.QuotaFiles == 0 || quotaResult.QuotaFiles > int(s.Files) {\n\t\t\tquotaResult.QuotaFiles = int(s.Files)\n\t\t}\n\t} else if err != vfs.ErrStorageSizeUnavailable {\n\t\treturn nil, err\n\t}\n\t// if we are unable to get quota size or quota files we add some arbitrary values\n\tif quotaResult.QuotaSize == 0 {\n\t\tquotaResult.QuotaSize = quotaResult.UsedSize + 8*1024*1024*1024*1024 // 8TB\n\t}\n\tif quotaResult.QuotaFiles == 0 {\n\t\tquotaResult.QuotaFiles = quotaResult.UsedFiles + 1000000 // 1 million\n\t}\n\n\tbsize := uint64(4096)\n\tfor bsize > uint64(quotaResult.QuotaSize) {\n\t\tbsize /= 4\n\t}\n\tblocks := uint64(quotaResult.QuotaSize) / bsize\n\tbfree := uint64(quotaResult.QuotaSize-quotaResult.UsedSize) / bsize\n\tfiles := uint64(quotaResult.QuotaFiles)\n\tffree := uint64(quotaResult.QuotaFiles - quotaResult.UsedFiles)\n\tif !quotaResult.HasSpace {\n\t\tbfree = 0\n\t\tffree = 0\n\t}\n\n\treturn &sftp.StatVFS{\n\t\tBsize: bsize,\n\t\tFrsize: bsize,\n\t\tBlocks: blocks,\n\t\tBfree: bfree,\n\t\tBavail: bfree,\n\t\tFiles: files,\n\t\tFfree: ffree,\n\t\tFavail: ffree,\n\t\tNamemax: 255,\n\t}, nil\n}\n\nfunc (c *Connection) updateQuotaAfterTruncate(requestPath string, fileSize int64) {\n\tvfolder, err := c.User.GetVirtualFolderForPath(path.Dir(requestPath))\n\tif err == nil {\n\t\tdataprovider.UpdateUserFolderQuota(&vfolder, &c.User, 0, -fileSize, false)\n\t\treturn\n\t}\n\tdataprovider.UpdateUserQuota(&c.User, 0, -fileSize, false) //nolint:errcheck\n}\n\nfunc getOSOpenFlags(requestFlags sftp.FileOpenFlags) (flags int) {\n\tvar osFlags int\n\tif requestFlags.Read && requestFlags.Write {\n\t\tosFlags |= os.O_RDWR\n\t} else if requestFlags.Write {\n\t\tosFlags |= os.O_WRONLY\n\t}\n\t// we ignore Append flag since pkg/sftp use WriteAt that cannot work with os.O_APPEND\n\t/*if requestFlags.Append {\n\t\tosFlags |= os.O_APPEND\n\t}*/\n\tif requestFlags.Creat {\n\t\tosFlags |= os.O_CREATE\n\t}\n\tif requestFlags.Trunc {\n\t\tosFlags |= os.O_TRUNC\n\t}\n\tif requestFlags.Excl {\n\t\tosFlags |= os.O_EXCL\n\t}\n\treturn osFlags\n}\n\nfunc updateRequestPaths(request *sftp.Request) {\n\tif request.Method == \"Symlink\" {\n\t\trequest.Filepath = path.Clean(strings.ReplaceAll(request.Filepath, \"\\\\\", \"/\"))\n\t} else {\n\t\trequest.Filepath = util.CleanPath(request.Filepath)\n\t}\n\n\tif request.Target != \"\" {\n\t\trequest.Target = util.CleanPath(request.Target)\n\t}\n}\n" }, { "path": "internal/sftpd/httpfs_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage sftpd_test\n\nimport (\n\t\"fmt\"\n\t\"io/fs\"\n\t\"math\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/sftpgo/sdk\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpdtest\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nconst (\n\thttpFsPort = 12345\n\tdefaultHTTPFsUsername = \"httpfs_user\"\n)\n\nvar (\n\thttpFsSocketPath = filepath.Join(os.TempDir(), \"httpfs.sock\")\n)\n\nfunc TestBasicHTTPFsHandling(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUserWithHTTPFs(usePubKey)\n\tu.QuotaSize = 6553600\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\texpectedQuotaSize := user.UsedQuotaSize + testFileSize*2\n\t\texpectedQuotaFiles := user.UsedQuotaFiles + 2\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(\"/missing_dir\", testFileName), testFileSize, client)\n\t\tassert.Error(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tinfo, err := client.Stat(testFileName)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, testFileSize, info.Size())\n\t\t}\n\t\tcontents, err := client.ReadDir(\"/\")\n\t\tassert.NoError(t, err)\n\t\tif assert.Len(t, contents, 1) {\n\t\t\tassert.Equal(t, testFileName, contents[0].Name())\n\t\t}\n\t\tdirName := \"test dirname\"\n\t\terr = client.Mkdir(dirName)\n\t\tassert.NoError(t, err)\n\t\tcontents, err = client.ReadDir(\".\")\n\t\tassert.NoError(t, err)\n\t\tassert.Len(t, contents, 2)\n\t\tcontents, err = client.ReadDir(dirName)\n\t\tassert.NoError(t, err)\n\t\tassert.Len(t, contents, 0)\n\t\terr = sftpUploadFile(testFilePath, path.Join(dirName, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tcontents, err = client.ReadDir(dirName)\n\t\tassert.NoError(t, err)\n\t\tassert.Len(t, contents, 1)\n\t\tdirRenamed := dirName + \"_renamed\"\n\t\terr = client.Rename(dirName, dirRenamed)\n\t\tassert.NoError(t, err)\n\t\tinfo, err = client.Stat(dirRenamed)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.True(t, info.IsDir())\n\t\t}\n\t\t// mode 0666 and 0444 works on Windows too\n\t\tnewPerm := os.FileMode(0444)\n\t\terr = client.Chmod(testFileName, newPerm)\n\t\tassert.NoError(t, err)\n\t\tinfo, err = client.Stat(testFileName)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, newPerm, info.Mode().Perm())\n\t\tnewPerm = os.FileMode(0666)\n\t\terr = client.Chmod(testFileName, newPerm)\n\t\tassert.NoError(t, err)\n\t\tinfo, err = client.Stat(testFileName)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, newPerm, info.Mode().Perm())\n\t\t// chtimes\n\t\tacmodTime := time.Now().Add(-36 * time.Hour)\n\t\terr = client.Chtimes(testFileName, acmodTime, acmodTime)\n\t\tassert.NoError(t, err)\n\t\tinfo, err = client.Stat(testFileName)\n\t\tif assert.NoError(t, err) {\n\t\t\tdiff := math.Abs(info.ModTime().Sub(acmodTime).Seconds())\n\t\t\tassert.LessOrEqual(t, diff, float64(1))\n\t\t}\n\t\t_, err = client.StatVFS(\"/\")\n\t\tassert.NoError(t, err)\n\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = sftpDownloadFile(testFileName, localDownloadPath, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\t// execute a quota scan\n\t\t_, err = httpdtest.StartQuotaScan(user, http.StatusAccepted)\n\t\tassert.NoError(t, err)\n\t\tassert.Eventually(t, func() bool {\n\t\t\tscans, _, err := httpdtest.GetQuotaScans(http.StatusOK)\n\t\t\tif err == nil {\n\t\t\t\treturn len(scans) == 0\n\t\t\t}\n\t\t\treturn false\n\t\t}, 1*time.Second, 50*time.Millisecond)\n\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Lstat(testFileName)\n\t\tassert.Error(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, expectedQuotaFiles-1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, expectedQuotaSize-testFileSize, user.UsedQuotaSize)\n\t\t// truncate\n\t\terr = client.Truncate(path.Join(dirRenamed, testFileName), 100)\n\t\tassert.NoError(t, err)\n\t\tinfo, err = client.Stat(path.Join(dirRenamed, testFileName))\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, int64(100), info.Size())\n\t\t}\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, expectedQuotaFiles-1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, int64(100), user.UsedQuotaSize)\n\t\t// update quota\n\t\t_, err = httpdtest.StartQuotaScan(user, http.StatusAccepted)\n\t\tassert.NoError(t, err)\n\t\tassert.Eventually(t, func() bool {\n\t\t\tscans, _, err := httpdtest.GetQuotaScans(http.StatusOK)\n\t\t\tif err == nil {\n\t\t\t\treturn len(scans) == 0\n\t\t\t}\n\t\t\treturn false\n\t\t}, 1*time.Second, 50*time.Millisecond)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, expectedQuotaFiles-1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, int64(100), user.UsedQuotaSize)\n\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestHTTPFsVirtualFolder(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tfolderName := \"httpfsfolder\"\n\tvdirPath := \"/vdir/http fs\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: vdirPath,\n\t})\n\tf := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.HTTPFilesystemProvider,\n\t\t\tHTTPConfig: vfs.HTTPFsConfig{\n\t\t\t\tBaseHTTPFsConfig: sdk.BaseHTTPFsConfig{\n\t\t\t\t\tEndpoint: fmt.Sprintf(\"http://127.0.0.1:%d/api/v1\", httpFsPort),\n\t\t\t\t\tUsername: defaultHTTPFsUsername,\n\t\t\t\t\tEqualityCheckMode: 1,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err := httpdtest.AddFolder(f, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Stat(path.Join(vdirPath, testFileName))\n\t\tassert.NoError(t, err)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = sftpDownloadFile(path.Join(vdirPath, testFileName), localDownloadPath, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName}, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestHTTPFsWalk(t *testing.T) {\n\tuser := getTestUserWithHTTPFs(false)\n\tuser.FsConfig.HTTPConfig.EqualityCheckMode = 1\n\thttpFs, err := user.GetFilesystem(\"\")\n\trequire.NoError(t, err)\n\tbasePath := filepath.Join(os.TempDir(), \"httpfs\", user.FsConfig.HTTPConfig.Username)\n\terr = os.RemoveAll(basePath)\n\tassert.NoError(t, err)\n\n\tvar walkedPaths []string\n\terr = httpFs.Walk(\"/\", func(walkedPath string, _ fs.FileInfo, err error) error {\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\twalkedPaths = append(walkedPaths, httpFs.GetRelativePath(walkedPath))\n\t\treturn nil\n\t})\n\trequire.NoError(t, err)\n\trequire.Len(t, walkedPaths, 1)\n\trequire.Contains(t, walkedPaths, \"/\")\n\t// now add some files/folders\n\tfor i := 0; i < 10; i++ {\n\t\terr = os.WriteFile(filepath.Join(basePath, fmt.Sprintf(\"file%d\", i)), nil, os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\terr = os.Mkdir(filepath.Join(basePath, fmt.Sprintf(\"dir%d\", i)), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\tfor j := 0; j < 5; j++ {\n\t\t\terr = os.WriteFile(filepath.Join(basePath, fmt.Sprintf(\"dir%d\", i), fmt.Sprintf(\"subfile%d\", j)), nil, os.ModePerm)\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t}\n\twalkedPaths = nil\n\terr = httpFs.Walk(\"/\", func(walkedPath string, _ fs.FileInfo, err error) error {\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\twalkedPaths = append(walkedPaths, httpFs.GetRelativePath(walkedPath))\n\t\treturn nil\n\t})\n\trequire.NoError(t, err)\n\trequire.Len(t, walkedPaths, 71)\n\trequire.Contains(t, walkedPaths, \"/\")\n\tfor i := 0; i < 10; i++ {\n\t\trequire.Contains(t, walkedPaths, path.Join(\"/\", fmt.Sprintf(\"file%d\", i)))\n\t\trequire.Contains(t, walkedPaths, path.Join(\"/\", fmt.Sprintf(\"dir%d\", i)))\n\t\tfor j := 0; j < 5; j++ {\n\t\t\trequire.Contains(t, walkedPaths, path.Join(\"/\", fmt.Sprintf(\"dir%d\", i), fmt.Sprintf(\"subfile%d\", j)))\n\t\t}\n\t}\n\n\terr = os.RemoveAll(basePath)\n\tassert.NoError(t, err)\n}\n\nfunc TestHTTPFsOverUNIXSocket(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"UNIX domain sockets are not supported on Windows\")\n\t}\n\tassert.Eventually(t, func() bool {\n\t\t_, err := os.Stat(httpFsSocketPath)\n\t\treturn err == nil\n\t}, 1*time.Second, 50*time.Millisecond)\n\tusePubKey := true\n\tu := getTestUserWithHTTPFs(usePubKey)\n\tu.FsConfig.HTTPConfig.Endpoint = fmt.Sprintf(\"http://unix?socket_path=%s&api_prefix=%s\",\n\t\turl.QueryEscape(httpFsSocketPath), url.QueryEscape(\"/api/v1\"))\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(testFileName)\n\t\tassert.NoError(t, err)\n\t\terr = client.RemoveDirectory(testFileName)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc getTestUserWithHTTPFs(usePubKey bool) dataprovider.User {\n\tu := getTestUser(usePubKey)\n\tu.FsConfig.Provider = sdk.HTTPFilesystemProvider\n\tu.FsConfig.HTTPConfig = vfs.HTTPFsConfig{\n\t\tBaseHTTPFsConfig: sdk.BaseHTTPFsConfig{\n\t\t\tEndpoint: fmt.Sprintf(\"http://127.0.0.1:%d/api/v1\", httpFsPort),\n\t\t\tUsername: defaultHTTPFsUsername,\n\t\t},\n\t}\n\treturn u\n}\n\nfunc startHTTPFs() {\n\tif runtime.GOOS != osWindows {\n\t\tgo func() {\n\t\t\tif err := httpdtest.StartTestHTTPFsOverUnixSocket(httpFsSocketPath); err != nil {\n\t\t\t\tlogger.ErrorToConsole(\"could not start HTTPfs test server over UNIX socket: %v\", err)\n\t\t\t\tos.Exit(1)\n\t\t\t}\n\t\t}()\n\t}\n\tgo func() {\n\t\tif err := httpdtest.StartTestHTTPFs(httpFsPort, nil); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start HTTPfs test server: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}()\n\twaitTCPListening(fmt.Sprintf(\":%d\", httpFsPort))\n}\n" }, { "path": "internal/sftpd/internal_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage sftpd\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"io/fs\"\n\t\"net\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"slices\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/eikenb/pipeat\"\n\t\"github.com/pkg/sftp\"\n\t\"github.com/rs/xid\"\n\t\"github.com/sftpgo/sdk\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\t\"golang.org/x/crypto/ssh\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nconst (\n\tosWindows = \"windows\"\n)\n\nvar (\n\tconfigDir = filepath.Join(\".\", \"..\", \"..\")\n)\n\ntype MockChannel struct {\n\tBuffer *bytes.Buffer\n\tStdErrBuffer *bytes.Buffer\n\tReadError error\n\tWriteError error\n\tShortWriteErr bool\n}\n\nfunc (c *MockChannel) Read(data []byte) (int, error) {\n\tif c.ReadError != nil {\n\t\treturn 0, c.ReadError\n\t}\n\treturn c.Buffer.Read(data)\n}\n\nfunc (c *MockChannel) Write(data []byte) (int, error) {\n\tif c.WriteError != nil {\n\t\treturn 0, c.WriteError\n\t}\n\tif c.ShortWriteErr {\n\t\treturn 0, nil\n\t}\n\treturn c.Buffer.Write(data)\n}\n\nfunc (c *MockChannel) Close() error {\n\treturn nil\n}\n\nfunc (c *MockChannel) CloseWrite() error {\n\treturn nil\n}\n\nfunc (c *MockChannel) SendRequest(_ string, _ bool, _ []byte) (bool, error) {\n\treturn true, nil\n}\n\nfunc (c *MockChannel) Stderr() io.ReadWriter {\n\treturn c.StdErrBuffer\n}\n\n// MockOsFs mockable OsFs\ntype MockOsFs struct {\n\tvfs.Fs\n\terr error\n\tstatErr error\n\tisAtomicUploadSupported bool\n}\n\n// Name returns the name for the Fs implementation\nfunc (fs MockOsFs) Name() string {\n\treturn \"mockOsFs\"\n}\n\n// IsUploadResumeSupported returns true if resuming uploads is supported\nfunc (MockOsFs) IsUploadResumeSupported() bool {\n\treturn false\n}\n\n// IsConditionalUploadResumeSupported returns if resuming uploads is supported\n// for the specified size\nfunc (MockOsFs) IsConditionalUploadResumeSupported(_ int64) bool {\n\treturn false\n}\n\n// IsAtomicUploadSupported returns true if atomic upload is supported\nfunc (fs MockOsFs) IsAtomicUploadSupported() bool {\n\treturn fs.isAtomicUploadSupported\n}\n\n// Stat returns a FileInfo describing the named file\nfunc (fs MockOsFs) Stat(name string) (os.FileInfo, error) {\n\tif fs.statErr != nil {\n\t\treturn nil, fs.statErr\n\t}\n\treturn os.Stat(name)\n}\n\n// Lstat returns a FileInfo describing the named file\nfunc (fs MockOsFs) Lstat(name string) (os.FileInfo, error) {\n\tif fs.statErr != nil {\n\t\treturn nil, fs.statErr\n\t}\n\treturn os.Lstat(name)\n}\n\n// Remove removes the named file or (empty) directory.\nfunc (fs MockOsFs) Remove(name string, _ bool) error {\n\tif fs.err != nil {\n\t\treturn fs.err\n\t}\n\treturn os.Remove(name)\n}\n\n// Rename renames (moves) source to target\nfunc (fs MockOsFs) Rename(source, target string, _ int) (int, int64, error) {\n\tif fs.err != nil {\n\t\treturn -1, -1, fs.err\n\t}\n\terr := os.Rename(source, target)\n\treturn -1, -1, err\n}\n\nfunc newMockOsFs(err, statErr error, atomicUpload bool, connectionID, rootDir string) vfs.Fs {\n\treturn &MockOsFs{\n\t\tFs: vfs.NewOsFs(connectionID, rootDir, \"\", nil),\n\t\terr: err,\n\t\tstatErr: statErr,\n\t\tisAtomicUploadSupported: atomicUpload,\n\t}\n}\n\nfunc TestRemoveNonexistentQuotaScan(t *testing.T) {\n\tassert.False(t, common.QuotaScans.RemoveUserQuotaScan(\"username\"))\n}\n\nfunc TestGetOSOpenFlags(t *testing.T) {\n\tvar flags sftp.FileOpenFlags\n\tflags.Write = true\n\tflags.Excl = true\n\tosFlags := getOSOpenFlags(flags)\n\tassert.NotEqual(t, 0, osFlags&os.O_WRONLY)\n\tassert.NotEqual(t, 0, osFlags&os.O_EXCL)\n\n\tflags.Append = true\n\t// append flag should be ignored to allow resume\n\tassert.NotEqual(t, 0, osFlags&os.O_WRONLY)\n\tassert.NotEqual(t, 0, osFlags&os.O_EXCL)\n}\n\nfunc TestUploadResumeInvalidOffset(t *testing.T) {\n\ttestfile := \"testfile\" //nolint:goconst\n\tfile, err := os.Create(testfile)\n\tassert.NoError(t, err)\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"testuser\",\n\t\t},\n\t}\n\tfs := vfs.NewOsFs(\"\", os.TempDir(), \"\", nil)\n\tconn := common.NewBaseConnection(\"\", common.ProtocolSFTP, \"\", \"\", user)\n\tbaseTransfer := common.NewBaseTransfer(file, conn, nil, file.Name(), file.Name(), testfile,\n\t\tcommon.TransferUpload, 10, 0, 0, 0, false, fs, dataprovider.TransferQuota{})\n\ttransfer := newTransfer(baseTransfer, nil, nil, nil)\n\t_, err = transfer.WriteAt([]byte(\"test\"), 0)\n\tassert.Error(t, err, \"upload with invalid offset must fail\")\n\tif assert.Error(t, transfer.ErrTransfer) {\n\t\tassert.EqualError(t, err, transfer.ErrTransfer.Error())\n\t\tassert.Contains(t, transfer.ErrTransfer.Error(), \"invalid write offset\")\n\t}\n\n\terr = transfer.Close()\n\tif assert.Error(t, err) {\n\t\tassert.ErrorIs(t, err, sftp.ErrSSHFxFailure)\n\t}\n\n\terr = os.Remove(testfile)\n\tassert.NoError(t, err)\n}\n\nfunc TestReadWriteErrors(t *testing.T) {\n\ttestfile := \"testfile\"\n\tfile, err := os.Create(testfile)\n\tassert.NoError(t, err)\n\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"testuser\",\n\t\t},\n\t}\n\tfs := vfs.NewOsFs(\"\", os.TempDir(), \"\", nil)\n\tconn := common.NewBaseConnection(\"\", common.ProtocolSFTP, \"\", \"\", user)\n\tbaseTransfer := common.NewBaseTransfer(file, conn, nil, file.Name(), file.Name(), testfile, common.TransferDownload,\n\t\t0, 0, 0, 0, false, fs, dataprovider.TransferQuota{})\n\ttransfer := newTransfer(baseTransfer, nil, nil, nil)\n\terr = file.Close()\n\tassert.NoError(t, err)\n\t_, err = transfer.WriteAt([]byte(\"test\"), 0)\n\tassert.Error(t, err, \"writing to closed file must fail\")\n\tbuf := make([]byte, 32768)\n\t_, err = transfer.ReadAt(buf, 0)\n\tassert.Error(t, err, \"reading from a closed file must fail\")\n\terr = transfer.Close()\n\tassert.Error(t, err)\n\n\tr, _, err := pipeat.Pipe()\n\tassert.NoError(t, err)\n\tbaseTransfer = common.NewBaseTransfer(nil, conn, nil, file.Name(), file.Name(), testfile, common.TransferDownload,\n\t\t0, 0, 0, 0, false, fs, dataprovider.TransferQuota{})\n\ttransfer = newTransfer(baseTransfer, nil, vfs.NewPipeReader(r), nil)\n\terr = transfer.Close()\n\tassert.NoError(t, err)\n\t_, err = transfer.ReadAt(buf, 0)\n\tassert.Error(t, err, \"reading from a closed pipe must fail\")\n\n\tr, w, err := pipeat.Pipe()\n\tassert.NoError(t, err)\n\tpipeWriter := vfs.NewPipeWriter(w)\n\tbaseTransfer = common.NewBaseTransfer(nil, conn, nil, file.Name(), file.Name(), testfile, common.TransferDownload,\n\t\t0, 0, 0, 0, false, fs, dataprovider.TransferQuota{})\n\ttransfer = newTransfer(baseTransfer, pipeWriter, nil, nil)\n\n\terr = r.Close()\n\tassert.NoError(t, err)\n\terrFake := fmt.Errorf(\"fake upload error\")\n\tgo func() {\n\t\ttime.Sleep(100 * time.Millisecond)\n\t\tpipeWriter.Done(errFake)\n\t}()\n\terr = transfer.closeIO()\n\tassert.EqualError(t, err, errFake.Error())\n\t_, err = transfer.WriteAt([]byte(\"test\"), 0)\n\tassert.Error(t, err, \"writing to closed pipe must fail\")\n\terr = transfer.BaseTransfer.Close()\n\tassert.EqualError(t, err, errFake.Error())\n\n\terr = os.Remove(testfile)\n\tassert.NoError(t, err)\n\tassert.Len(t, conn.GetTransfers(), 0)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n}\n\nfunc TestUnsupportedListOP(t *testing.T) {\n\tconn := common.NewBaseConnection(\"\", common.ProtocolSFTP, \"\", \"\", dataprovider.User{})\n\tsftpConn := Connection{\n\t\tBaseConnection: conn,\n\t}\n\trequest := sftp.NewRequest(\"Unsupported\", \"\")\n\t_, err := sftpConn.Filelist(request)\n\tassert.EqualError(t, err, sftp.ErrSSHFxOpUnsupported.Error())\n}\n\nfunc TestTransferCancelFn(t *testing.T) {\n\ttestfile := \"testfile\"\n\tfile, err := os.Create(testfile)\n\tassert.NoError(t, err)\n\tisCancelled := false\n\tcancelFn := func() {\n\t\tisCancelled = true\n\t}\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"testuser\",\n\t\t},\n\t}\n\tfs := vfs.NewOsFs(\"\", os.TempDir(), \"\", nil)\n\tconn := common.NewBaseConnection(\"\", common.ProtocolSFTP, \"\", \"\", user)\n\tbaseTransfer := common.NewBaseTransfer(file, conn, cancelFn, file.Name(), file.Name(), testfile, common.TransferDownload,\n\t\t0, 0, 0, 0, false, fs, dataprovider.TransferQuota{})\n\ttransfer := newTransfer(baseTransfer, nil, nil, nil)\n\n\terrFake := errors.New(\"fake error, this will trigger cancelFn\")\n\ttransfer.TransferError(errFake)\n\terr = transfer.Close()\n\tif assert.Error(t, err) {\n\t\tassert.ErrorIs(t, err, sftp.ErrSSHFxFailure)\n\t}\n\tif assert.Error(t, transfer.ErrTransfer) {\n\t\tassert.EqualError(t, transfer.ErrTransfer, errFake.Error())\n\t}\n\tassert.True(t, isCancelled, \"cancelFn not called!\")\n\n\terr = os.Remove(testfile)\n\tassert.NoError(t, err)\n}\n\nfunc TestUploadFiles(t *testing.T) {\n\tcommon.Config.UploadMode = common.UploadModeAtomic\n\tfs := vfs.NewOsFs(\"123\", os.TempDir(), \"\", nil)\n\tu := dataprovider.User{}\n\tc := Connection{\n\t\tBaseConnection: common.NewBaseConnection(\"\", common.ProtocolSFTP, \"\", \"\", u),\n\t}\n\tvar flags sftp.FileOpenFlags\n\tflags.Write = true\n\tflags.Trunc = true\n\t_, err := c.handleSFTPUploadToExistingFile(fs, flags, \"missing_path\", \"other_missing_path\", 0, \"/missing_path\", nil)\n\tassert.Error(t, err, \"upload to existing file must fail if one or both paths are invalid\")\n\n\tcommon.Config.UploadMode = common.UploadModeStandard\n\t_, err = c.handleSFTPUploadToExistingFile(fs, flags, \"missing_path\", \"other_missing_path\", 0, \"/missing_path\", nil)\n\tassert.Error(t, err, \"upload to existing file must fail if one or both paths are invalid\")\n\n\tmissingFile := \"missing/relative/file.txt\"\n\tif runtime.GOOS == osWindows {\n\t\tmissingFile = \"missing\\\\relative\\\\file.txt\"\n\t}\n\t_, err = c.handleSFTPUploadToNewFile(fs, flags, \".\", missingFile, \"/missing\", nil)\n\tassert.Error(t, err, \"upload new file in missing path must fail\")\n\n\tfs = newMockOsFs(nil, nil, false, \"123\", os.TempDir())\n\tf, err := os.CreateTemp(\"\", \"temp\")\n\tassert.NoError(t, err)\n\terr = f.Close()\n\tassert.NoError(t, err)\n\n\ttr, err := c.handleSFTPUploadToExistingFile(fs, flags, f.Name(), f.Name(), 123, f.Name(), nil)\n\tif assert.NoError(t, err) {\n\t\ttransfer := tr.(*transfer)\n\t\ttransfers := c.GetTransfers()\n\t\tif assert.Equal(t, 1, len(transfers)) {\n\t\t\tassert.Equal(t, transfers[0].ID, transfer.GetID())\n\t\t\tassert.Equal(t, int64(123), transfer.InitialSize)\n\t\t\terr = transfer.Close()\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, 0, len(c.GetTransfers()))\n\t\t}\n\t}\n\terr = os.Remove(f.Name())\n\tassert.NoError(t, err)\n\tcommon.Config.UploadMode = common.UploadModeAtomicWithResume\n}\n\nfunc TestWithInvalidHome(t *testing.T) {\n\tu := dataprovider.User{}\n\tu.HomeDir = \"home_rel_path\" //nolint:goconst\n\t_, err := loginUser(&u, dataprovider.LoginMethodPassword, \"\", nil)\n\tassert.Error(t, err, \"login a user with an invalid home_dir must fail\")\n\n\tu.HomeDir = os.TempDir()\n\tfs, err := u.GetFilesystem(\"123\")\n\tassert.NoError(t, err)\n\tc := Connection{\n\t\tBaseConnection: common.NewBaseConnection(\"\", common.ProtocolSFTP, \"\", \"\", u),\n\t}\n\tresolved, err := fs.ResolvePath(\"../upper_path\")\n\tassert.NoError(t, err)\n\tassert.Equal(t, filepath.Join(u.HomeDir, \"upper_path\"), resolved)\n\t_, err = c.StatVFS(&sftp.Request{\n\t\tMethod: \"StatVFS\",\n\t\tFilepath: \"../unresolvable-path\",\n\t})\n\tassert.Error(t, err)\n}\n\nfunc TestResolveWithRootDir(t *testing.T) {\n\tu := dataprovider.User{}\n\tif runtime.GOOS == osWindows {\n\t\tu.HomeDir = \"C:\\\\\"\n\t} else {\n\t\tu.HomeDir = \"/\"\n\t}\n\tfs, err := u.GetFilesystem(\"\")\n\tassert.NoError(t, err)\n\trel, err := filepath.Rel(u.HomeDir, os.TempDir())\n\tassert.NoError(t, err)\n\tp, err := fs.ResolvePath(rel)\n\tassert.NoError(t, err, \"path %v\", p)\n}\n\nfunc TestSFTPGetUsedQuota(t *testing.T) {\n\tu := dataprovider.User{}\n\tu.HomeDir = \"home_rel_path\"\n\tu.Username = \"test_invalid_user\"\n\tu.QuotaSize = 4096\n\tu.QuotaFiles = 1\n\tu.Permissions = make(map[string][]string)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tconnection := Connection{\n\t\tBaseConnection: common.NewBaseConnection(\"\", common.ProtocolSFTP, \"\", \"\", u),\n\t}\n\tquotaResult, _ := connection.HasSpace(false, false, \"/\")\n\tassert.False(t, quotaResult.HasSpace)\n}\n\nfunc TestSupportedSSHCommands(t *testing.T) {\n\tcmds := GetSupportedSSHCommands()\n\tassert.Equal(t, len(supportedSSHCommands), len(cmds))\n\n\tfor _, c := range cmds {\n\t\tassert.True(t, slices.Contains(supportedSSHCommands, c))\n\t}\n}\n\nfunc TestSSHCommandPath(t *testing.T) {\n\tbuf := make([]byte, 65535)\n\tstdErrBuf := make([]byte, 65535)\n\tmockSSHChannel := MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: nil,\n\t}\n\tconnection := &Connection{\n\t\tchannel: &mockSSHChannel,\n\t\tBaseConnection: common.NewBaseConnection(\"\", common.ProtocolSSH, \"\", \"\", dataprovider.User{}),\n\t}\n\tsshCommand := sshCommand{\n\t\tcommand: \"test\",\n\t\tconnection: connection,\n\t\targs: []string{},\n\t}\n\tassert.Equal(t, \"\", sshCommand.getDestPath())\n\n\tsshCommand.args = []string{\"-t\", \"/tmp/../path\"}\n\tassert.Equal(t, \"/path\", sshCommand.getDestPath())\n\n\tsshCommand.args = []string{\"-t\", \"/tmp/\"}\n\tassert.Equal(t, \"/tmp/\", sshCommand.getDestPath())\n\n\tsshCommand.args = []string{\"-t\", \"tmp/\"}\n\tassert.Equal(t, \"/tmp/\", sshCommand.getDestPath())\n\n\tsshCommand.args = []string{\"-t\", \"/tmp/../../../path\"}\n\tassert.Equal(t, \"/path\", sshCommand.getDestPath())\n\n\tsshCommand.args = []string{\"-t\", \"..\"}\n\tassert.Equal(t, \"/\", sshCommand.getDestPath())\n\n\tsshCommand.args = []string{\"-t\", \".\"}\n\tassert.Equal(t, \"/\", sshCommand.getDestPath())\n\n\tsshCommand.args = []string{\"-t\", \"//\"}\n\tassert.Equal(t, \"/\", sshCommand.getDestPath())\n\n\tsshCommand.args = []string{\"-t\", \"../..\"}\n\tassert.Equal(t, \"/\", sshCommand.getDestPath())\n\n\tsshCommand.args = []string{\"-t\", \"/..\"}\n\tassert.Equal(t, \"/\", sshCommand.getDestPath())\n\n\tsshCommand.args = []string{\"-f\", \"/a space.txt\"}\n\tassert.Equal(t, \"/a space.txt\", sshCommand.getDestPath())\n}\n\nfunc TestSSHParseCommandPayload(t *testing.T) {\n\tcmd := \"command -a -f /ab\\\\ à/some\\\\ spaces\\\\ \\\\ \\\\(\\\\).txt\"\n\tname, args, _ := parseCommandPayload(cmd)\n\tassert.Equal(t, \"command\", name)\n\tassert.Equal(t, 3, len(args))\n\tassert.Equal(t, \"/ab à/some spaces ().txt\", args[2])\n\n\t_, _, err := parseCommandPayload(\"\")\n\tassert.Error(t, err, \"parsing invalid command must fail\")\n}\n\nfunc TestSSHCommandErrors(t *testing.T) {\n\tbuf := make([]byte, 65535)\n\tstdErrBuf := make([]byte, 65535)\n\treadErr := fmt.Errorf(\"test read error\")\n\tmockSSHChannel := MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: readErr,\n\t}\n\tserver, client := net.Pipe()\n\tdefer func() {\n\t\terr := server.Close()\n\t\tassert.NoError(t, err)\n\t}()\n\tdefer func() {\n\t\terr := client.Close()\n\t\tassert.NoError(t, err)\n\t}()\n\tuser := dataprovider.User{}\n\tuser.Permissions = map[string][]string{\n\t\t\"/\": {dataprovider.PermAny},\n\t}\n\tconnection := Connection{\n\t\tBaseConnection: common.NewBaseConnection(\"\", common.ProtocolSSH, \"\", \"\", user),\n\t\tchannel: &mockSSHChannel,\n\t}\n\tcmd := sshCommand{\n\t\tcommand: \"md5sum\",\n\t\tconnection: &connection,\n\t\targs: []string{},\n\t}\n\terr := cmd.handle()\n\tassert.Error(t, err, \"ssh command must fail, we are sending a fake error\")\n\n\tcmd = sshCommand{\n\t\tcommand: \"md5sum\",\n\t\tconnection: &connection,\n\t\targs: []string{\"/../../test_file_ftp.dat\"},\n\t}\n\terr = cmd.handle()\n\tassert.Error(t, err, \"ssh command must fail, we are requesting an invalid path\")\n\n\tuser = dataprovider.User{}\n\tuser.Permissions = map[string][]string{\n\t\t\"/\": {dataprovider.PermAny},\n\t}\n\tuser.HomeDir = filepath.Clean(os.TempDir())\n\tuser.QuotaFiles = 1\n\tuser.UsedQuotaFiles = 2\n\tcmd.connection.User = user\n\t_, err = cmd.connection.User.GetFilesystem(\"123\")\n\tassert.NoError(t, err)\n\n\tcmd = sshCommand{\n\t\tcommand: \"sftpgo-remove\",\n\t\tconnection: &connection,\n\t\targs: []string{\"/../../src\"},\n\t}\n\terr = cmd.handle()\n\tassert.Error(t, err, \"ssh command must fail, we are requesting an invalid path\")\n\n\tcmd = sshCommand{\n\t\tcommand: \"sftpgo-copy\",\n\t\tconnection: &connection,\n\t\targs: []string{\"/../../test_src\", \".\"},\n\t}\n\terr = cmd.handle()\n\tassert.Error(t, err, \"ssh command must fail, we are requesting an invalid path\")\n\n\terr = common.Initialize(common.Config, 0)\n\tassert.NoError(t, err)\n}\n\nfunc TestCommandsWithExtensionsFilter(t *testing.T) {\n\tbuf := make([]byte, 65535)\n\tstdErrBuf := make([]byte, 65535)\n\tmockSSHChannel := MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t}\n\tserver, client := net.Pipe()\n\tdefer server.Close()\n\tdefer client.Close()\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"test\",\n\t\t\tHomeDir: os.TempDir(),\n\t\t\tStatus: 1,\n\t\t},\n\t}\n\tuser.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: \"/subdir\",\n\t\t\tAllowedPatterns: []string{\".jpg\"},\n\t\t\tDeniedPatterns: []string{},\n\t\t},\n\t}\n\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(\"\", common.ProtocolSSH, \"\", \"\", user),\n\t\tchannel: &mockSSHChannel,\n\t}\n\tcmd := sshCommand{\n\t\tcommand: \"md5sum\",\n\t\tconnection: connection,\n\t\targs: []string{\"subdir/test.png\"},\n\t}\n\terr := cmd.handleHashCommands()\n\tassert.EqualError(t, err, common.ErrPermissionDenied.Error())\n}\n\nfunc TestSSHCommandsRemoteFs(t *testing.T) {\n\tbuf := make([]byte, 65535)\n\tstdErrBuf := make([]byte, 65535)\n\tmockSSHChannel := MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t}\n\tuser := dataprovider.User{}\n\tuser.FsConfig = vfs.Filesystem{\n\t\tProvider: sdk.S3FilesystemProvider,\n\t\tS3Config: vfs.S3FsConfig{\n\t\t\tBaseS3FsConfig: sdk.BaseS3FsConfig{\n\t\t\t\tBucket: \"s3bucket\",\n\t\t\t\tEndpoint: \"endpoint\",\n\t\t\t\tRegion: \"eu-west-1\",\n\t\t\t},\n\t\t},\n\t}\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(\"\", common.ProtocolSFTP, \"\", \"\", user),\n\t\tchannel: &mockSSHChannel,\n\t}\n\tcmd := sshCommand{\n\t\tcommand: \"md5sum\",\n\t\tconnection: connection,\n\t\targs: []string{},\n\t}\n\n\terr := cmd.handleSFTPGoCopy()\n\tassert.Error(t, err)\n\tcmd = sshCommand{\n\t\tcommand: \"sftpgo-remove\",\n\t\tconnection: connection,\n\t\targs: []string{},\n\t}\n\terr = cmd.handleSFTPGoRemove()\n\tassert.Error(t, err)\n}\n\nfunc TestSSHCmdGetFsErrors(t *testing.T) {\n\tbuf := make([]byte, 65535)\n\tstdErrBuf := make([]byte, 65535)\n\tmockSSHChannel := MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t}\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tHomeDir: \"relative path\",\n\t\t},\n\t}\n\tuser.Permissions = map[string][]string{}\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(\"\", common.ProtocolSFTP, \"\", \"\", user),\n\t\tchannel: &mockSSHChannel,\n\t}\n\tcmd := sshCommand{\n\t\tcommand: \"sftpgo-remove\",\n\t\tconnection: connection,\n\t\targs: []string{\"path\"},\n\t}\n\terr := cmd.handleSFTPGoRemove()\n\tassert.Error(t, err)\n\n\tcmd = sshCommand{\n\t\tcommand: \"sftpgo-copy\",\n\t\tconnection: connection,\n\t\targs: []string{\"path1\", \"path2\"},\n\t}\n\terr = cmd.handleSFTPGoCopy()\n\tassert.Error(t, err)\n\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestCommandGetFsError(t *testing.T) {\n\tuser := dataprovider.User{\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.CryptedFilesystemProvider,\n\t\t},\n\t}\n\n\tbuf := make([]byte, 65535)\n\tstdErrBuf := make([]byte, 65535)\n\tmockSSHChannel := MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: nil,\n\t}\n\tconn := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(\"\", common.ProtocolSCP, \"\", \"\", user),\n\t\tchannel: &mockSSHChannel,\n\t}\n\tscpCommand := scpCommand{\n\t\tsshCommand: sshCommand{\n\t\t\tcommand: \"scp\",\n\t\t\tconnection: conn,\n\t\t\targs: []string{\"-t\", \"/tmp\"},\n\t\t},\n\t}\n\n\terr := scpCommand.handleRecursiveUpload()\n\tassert.Error(t, err)\n\terr = scpCommand.handleDownload(\"\")\n\tassert.Error(t, err)\n}\n\nfunc TestSCPFileMode(t *testing.T) {\n\tmode := getFileModeAsString(0, true)\n\tassert.Equal(t, \"0755\", mode)\n\n\tmode = getFileModeAsString(0700, true)\n\tassert.Equal(t, \"0700\", mode)\n\n\tmode = getFileModeAsString(0750, true)\n\tassert.Equal(t, \"0750\", mode)\n\n\tmode = getFileModeAsString(0777, true)\n\tassert.Equal(t, \"0777\", mode)\n\n\tmode = getFileModeAsString(0640, false)\n\tassert.Equal(t, \"0640\", mode)\n\n\tmode = getFileModeAsString(0600, false)\n\tassert.Equal(t, \"0600\", mode)\n\n\tmode = getFileModeAsString(0, false)\n\tassert.Equal(t, \"0644\", mode)\n\n\tfileMode := uint32(0777)\n\tfileMode = fileMode | uint32(os.ModeSetgid)\n\tfileMode = fileMode | uint32(os.ModeSetuid)\n\tfileMode = fileMode | uint32(os.ModeSticky)\n\tmode = getFileModeAsString(os.FileMode(fileMode), false)\n\tassert.Equal(t, \"7777\", mode)\n\n\tfileMode = uint32(0644)\n\tfileMode = fileMode | uint32(os.ModeSetgid)\n\tmode = getFileModeAsString(os.FileMode(fileMode), false)\n\tassert.Equal(t, \"4644\", mode)\n\n\tfileMode = uint32(0600)\n\tfileMode = fileMode | uint32(os.ModeSetuid)\n\tmode = getFileModeAsString(os.FileMode(fileMode), false)\n\tassert.Equal(t, \"2600\", mode)\n\n\tfileMode = uint32(0044)\n\tfileMode = fileMode | uint32(os.ModeSticky)\n\tmode = getFileModeAsString(os.FileMode(fileMode), false)\n\tassert.Equal(t, \"1044\", mode)\n}\n\nfunc TestSCPUploadError(t *testing.T) {\n\tbuf := make([]byte, 65535)\n\tstdErrBuf := make([]byte, 65535)\n\twriteErr := fmt.Errorf(\"test write error\")\n\tmockSSHChannel := MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: nil,\n\t\tWriteError: writeErr,\n\t}\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tHomeDir: filepath.Join(os.TempDir()),\n\t\t\tPermissions: make(map[string][]string),\n\t\t},\n\t}\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(\"\", common.ProtocolSFTP, \"\", \"\", user),\n\t\tchannel: &mockSSHChannel,\n\t}\n\tscpCommand := scpCommand{\n\t\tsshCommand: sshCommand{\n\t\t\tcommand: \"scp\",\n\t\t\tconnection: connection,\n\t\t\targs: []string{\"-t\", \"/\"},\n\t\t},\n\t}\n\terr := scpCommand.handle()\n\tassert.EqualError(t, err, writeErr.Error())\n\n\tmockSSHChannel = MockChannel{\n\t\tBuffer: bytes.NewBuffer([]byte(\"D0755 0 testdir\\n\")),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: nil,\n\t\tWriteError: writeErr,\n\t}\n\terr = scpCommand.handleRecursiveUpload()\n\tassert.EqualError(t, err, writeErr.Error())\n\n\tmockSSHChannel = MockChannel{\n\t\tBuffer: bytes.NewBuffer([]byte(\"D0755 a testdir\\n\")),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: nil,\n\t\tWriteError: nil,\n\t}\n\terr = scpCommand.handleRecursiveUpload()\n\tassert.Error(t, err)\n}\n\nfunc TestSCPInvalidEndDir(t *testing.T) {\n\tstdErrBuf := make([]byte, 65535)\n\tmockSSHChannel := MockChannel{\n\t\tBuffer: bytes.NewBuffer([]byte(\"E\\n\")),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t}\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(\"\", common.ProtocolSFTP, \"\", \"\", dataprovider.User{\n\t\t\tBaseUser: sdk.BaseUser{\n\t\t\t\tHomeDir: os.TempDir(),\n\t\t\t},\n\t\t}),\n\t\tchannel: &mockSSHChannel,\n\t}\n\tscpCommand := scpCommand{\n\t\tsshCommand: sshCommand{\n\t\t\tcommand: \"scp\",\n\t\t\tconnection: connection,\n\t\t\targs: []string{\"-t\", \"/tmp\"},\n\t\t},\n\t}\n\terr := scpCommand.handleRecursiveUpload()\n\tassert.EqualError(t, err, \"unacceptable end dir command\")\n}\n\nfunc TestSCPParseUploadMessage(t *testing.T) {\n\tbuf := make([]byte, 65535)\n\tstdErrBuf := make([]byte, 65535)\n\tmockSSHChannel := MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: nil,\n\t}\n\tfs := vfs.NewOsFs(\"\", os.TempDir(), \"\", nil)\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(\"\", common.ProtocolSFTP, \"\", \"\", dataprovider.User{\n\t\t\tBaseUser: sdk.BaseUser{\n\t\t\t\tHomeDir: os.TempDir(),\n\t\t\t},\n\t\t}),\n\t\tchannel: &mockSSHChannel,\n\t}\n\tscpCommand := scpCommand{\n\t\tsshCommand: sshCommand{\n\t\t\tcommand: \"scp\",\n\t\t\tconnection: connection,\n\t\t\targs: []string{\"-t\", \"/tmp\"},\n\t\t},\n\t}\n\t_, _, err := scpCommand.parseUploadMessage(fs, \"invalid\")\n\tassert.Error(t, err, \"parsing invalid upload message must fail\")\n\n\t_, _, err = scpCommand.parseUploadMessage(fs, \"D0755 0\")\n\tassert.Error(t, err, \"parsing incomplete upload message must fail\")\n\n\t_, _, err = scpCommand.parseUploadMessage(fs, \"D0755 invalidsize testdir\")\n\tassert.Error(t, err, \"parsing upload message with invalid size must fail\")\n\n\t_, _, err = scpCommand.parseUploadMessage(fs, \"D0755 0 \")\n\tassert.Error(t, err, \"parsing upload message with invalid name must fail\")\n}\n\nfunc TestSCPProtocolMessages(t *testing.T) {\n\tbuf := make([]byte, 65535)\n\tstdErrBuf := make([]byte, 65535)\n\treadErr := fmt.Errorf(\"test read error\")\n\twriteErr := fmt.Errorf(\"test write error\")\n\tmockSSHChannel := MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: readErr,\n\t\tWriteError: writeErr,\n\t}\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(\"\", common.ProtocolSCP, \"\", \"\", dataprovider.User{}),\n\t\tchannel: &mockSSHChannel,\n\t}\n\tscpCommand := scpCommand{\n\t\tsshCommand: sshCommand{\n\t\t\tcommand: \"scp\",\n\t\t\tconnection: connection,\n\t\t\targs: []string{\"-t\", \"/tmp\"},\n\t\t},\n\t}\n\t_, err := scpCommand.readProtocolMessage()\n\tassert.EqualError(t, err, readErr.Error())\n\n\terr = scpCommand.sendConfirmationMessage()\n\tassert.EqualError(t, err, writeErr.Error())\n\n\terr = scpCommand.sendProtocolMessage(\"E\\n\")\n\tassert.EqualError(t, err, writeErr.Error())\n\n\t_, err = scpCommand.getNextUploadProtocolMessage()\n\tassert.EqualError(t, err, readErr.Error())\n\n\tmockSSHChannel = MockChannel{\n\t\tBuffer: bytes.NewBuffer([]byte(\"T1183832947 0 1183833773 0\\n\")),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: nil,\n\t\tWriteError: writeErr,\n\t}\n\tscpCommand.connection.channel = &mockSSHChannel\n\t_, err = scpCommand.getNextUploadProtocolMessage()\n\tassert.EqualError(t, err, writeErr.Error())\n\n\trespBuffer := []byte{0x02}\n\tprotocolErrorMsg := \"protocol error msg\"\n\trespBuffer = append(respBuffer, protocolErrorMsg...)\n\trespBuffer = append(respBuffer, 0x0A)\n\tmockSSHChannel = MockChannel{\n\t\tBuffer: bytes.NewBuffer(respBuffer),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: nil,\n\t\tWriteError: nil,\n\t}\n\tscpCommand.connection.channel = &mockSSHChannel\n\terr = scpCommand.readConfirmationMessage()\n\tif assert.Error(t, err) {\n\t\tassert.Equal(t, protocolErrorMsg, err.Error())\n\t}\n\n\tmockSSHChannel = MockChannel{\n\t\tBuffer: bytes.NewBuffer(respBuffer),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: nil,\n\t\tWriteError: writeErr,\n\t}\n\tscpCommand.connection.channel = &mockSSHChannel\n\n\terr = scpCommand.downloadDirs(nil, nil)\n\tassert.ErrorIs(t, err, writeErr)\n}\n\nfunc TestSCPTestDownloadProtocolMessages(t *testing.T) {\n\tbuf := make([]byte, 65535)\n\tstdErrBuf := make([]byte, 65535)\n\treadErr := fmt.Errorf(\"test read error\")\n\twriteErr := fmt.Errorf(\"test write error\")\n\tmockSSHChannel := MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: readErr,\n\t\tWriteError: writeErr,\n\t}\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(\"\", common.ProtocolSCP, \"\", \"\", dataprovider.User{}),\n\t\tchannel: &mockSSHChannel,\n\t}\n\tscpCommand := scpCommand{\n\t\tsshCommand: sshCommand{\n\t\t\tcommand: \"scp\",\n\t\t\tconnection: connection,\n\t\t\targs: []string{\"-f\", \"-p\", \"/tmp\"},\n\t\t},\n\t}\n\tpath := \"testDir\"\n\terr := os.Mkdir(path, os.ModePerm)\n\tassert.NoError(t, err)\n\tstat, err := os.Stat(path)\n\tassert.NoError(t, err)\n\terr = scpCommand.sendDownloadProtocolMessages(path, stat)\n\tassert.EqualError(t, err, writeErr.Error())\n\n\tmockSSHChannel = MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: readErr,\n\t\tWriteError: nil,\n\t}\n\n\terr = scpCommand.sendDownloadProtocolMessages(path, stat)\n\tassert.EqualError(t, err, readErr.Error())\n\n\tmockSSHChannel = MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: readErr,\n\t\tWriteError: writeErr,\n\t}\n\tscpCommand.args = []string{\"-f\", \"/tmp\"}\n\tscpCommand.connection.channel = &mockSSHChannel\n\terr = scpCommand.sendDownloadProtocolMessages(path, stat)\n\tassert.EqualError(t, err, writeErr.Error())\n\n\tmockSSHChannel = MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: readErr,\n\t\tWriteError: nil,\n\t}\n\tscpCommand.connection.channel = &mockSSHChannel\n\terr = scpCommand.sendDownloadProtocolMessages(path, stat)\n\tassert.EqualError(t, err, readErr.Error())\n\n\terr = os.Remove(path)\n\tassert.NoError(t, err)\n}\n\nfunc TestSCPCommandHandleErrors(t *testing.T) {\n\tbuf := make([]byte, 65535)\n\tstdErrBuf := make([]byte, 65535)\n\treadErr := fmt.Errorf(\"test read error\")\n\twriteErr := fmt.Errorf(\"test write error\")\n\tmockSSHChannel := MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: readErr,\n\t\tWriteError: writeErr,\n\t}\n\tserver, client := net.Pipe()\n\tdefer func() {\n\t\terr := server.Close()\n\t\tassert.NoError(t, err)\n\t}()\n\tdefer func() {\n\t\terr := client.Close()\n\t\tassert.NoError(t, err)\n\t}()\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(\"\", common.ProtocolSCP, \"\", \"\", dataprovider.User{}),\n\t\tchannel: &mockSSHChannel,\n\t}\n\tscpCommand := scpCommand{\n\t\tsshCommand: sshCommand{\n\t\t\tcommand: \"scp\",\n\t\t\tconnection: connection,\n\t\t\targs: []string{\"-f\", \"/tmp\"},\n\t\t},\n\t}\n\terr := scpCommand.handle()\n\tassert.EqualError(t, err, readErr.Error())\n\tscpCommand.args = []string{\"-i\", \"/tmp\"}\n\terr = scpCommand.handle()\n\tassert.Error(t, err, \"invalid scp command must fail\")\n}\n\nfunc TestSCPErrorsMockFs(t *testing.T) {\n\terrFake := errors.New(\"fake error\")\n\tu := dataprovider.User{}\n\tu.Username = \"test\"\n\tu.Permissions = make(map[string][]string)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tu.HomeDir = os.TempDir()\n\tbuf := make([]byte, 65535)\n\tstdErrBuf := make([]byte, 65535)\n\tmockSSHChannel := MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t}\n\tserver, client := net.Pipe()\n\tdefer func() {\n\t\terr := server.Close()\n\t\tassert.NoError(t, err)\n\t}()\n\tdefer func() {\n\t\terr := client.Close()\n\t\tassert.NoError(t, err)\n\t}()\n\tconnection := &Connection{\n\t\tchannel: &mockSSHChannel,\n\t\tBaseConnection: common.NewBaseConnection(\"\", common.ProtocolSCP, \"\", \"\", u),\n\t}\n\tscpCommand := scpCommand{\n\t\tsshCommand: sshCommand{\n\t\t\tcommand: \"scp\",\n\t\t\tconnection: connection,\n\t\t\targs: []string{\"-r\", \"-t\", \"/tmp\"},\n\t\t},\n\t}\n\ttestfile := filepath.Join(u.HomeDir, \"testfile\")\n\terr := os.WriteFile(testfile, []byte(\"test\"), os.ModePerm)\n\tassert.NoError(t, err)\n\n\tfs := newMockOsFs(errFake, nil, true, \"123\", os.TempDir())\n\terr = scpCommand.handleUploadFile(fs, testfile, testfile, 0, false, 4, \"/testfile\")\n\tassert.NoError(t, err)\n\terr = os.Remove(testfile)\n\tassert.NoError(t, err)\n}\n\nfunc TestSCPRecursiveDownloadErrors(t *testing.T) {\n\tbuf := make([]byte, 65535)\n\tstdErrBuf := make([]byte, 65535)\n\treadErr := fmt.Errorf(\"test read error\")\n\twriteErr := fmt.Errorf(\"test write error\")\n\tmockSSHChannel := MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: readErr,\n\t\tWriteError: writeErr,\n\t}\n\tserver, client := net.Pipe()\n\tdefer func() {\n\t\terr := server.Close()\n\t\tassert.NoError(t, err)\n\t}()\n\tdefer func() {\n\t\terr := client.Close()\n\t\tassert.NoError(t, err)\n\t}()\n\tfs := vfs.NewOsFs(\"123\", os.TempDir(), \"\", nil)\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(\"\", common.ProtocolSCP, \"\", \"\", dataprovider.User{\n\t\t\tBaseUser: sdk.BaseUser{\n\t\t\t\tHomeDir: os.TempDir(),\n\t\t\t},\n\t\t}),\n\t\tchannel: &mockSSHChannel,\n\t}\n\tscpCommand := scpCommand{\n\t\tsshCommand: sshCommand{\n\t\t\tcommand: \"scp\",\n\t\t\tconnection: connection,\n\t\t\targs: []string{\"-r\", \"-f\", \"/tmp\"},\n\t\t},\n\t}\n\tpath := \"testDir\"\n\terr := os.Mkdir(path, os.ModePerm)\n\tassert.NoError(t, err)\n\tstat, err := os.Stat(path)\n\tassert.NoError(t, err)\n\terr = scpCommand.handleRecursiveDownload(fs, \"invalid_dir\", \"invalid_dir\", stat)\n\tassert.EqualError(t, err, writeErr.Error())\n\n\tmockSSHChannel = MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: nil,\n\t\tWriteError: nil,\n\t}\n\tscpCommand.connection.channel = &mockSSHChannel\n\terr = scpCommand.handleRecursiveDownload(fs, \"invalid_dir\", \"invalid_dir\", stat)\n\tassert.Error(t, err, \"recursive upload download must fail for a non existing dir\")\n\n\terr = os.Remove(path)\n\tassert.NoError(t, err)\n}\n\nfunc TestSCPRecursiveUploadErrors(t *testing.T) {\n\tbuf := make([]byte, 65535)\n\tstdErrBuf := make([]byte, 65535)\n\treadErr := fmt.Errorf(\"test read error\")\n\twriteErr := fmt.Errorf(\"test write error\")\n\tmockSSHChannel := MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: readErr,\n\t\tWriteError: writeErr,\n\t}\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(\"\", common.ProtocolSCP, \"\", \"\", dataprovider.User{}),\n\t\tchannel: &mockSSHChannel,\n\t}\n\tscpCommand := scpCommand{\n\t\tsshCommand: sshCommand{\n\t\t\tcommand: \"scp\",\n\t\t\tconnection: connection,\n\t\t\targs: []string{\"-r\", \"-t\", \"/tmp\"},\n\t\t},\n\t}\n\terr := scpCommand.handleRecursiveUpload()\n\tassert.Error(t, err, \"recursive upload must fail, we send a fake error message\")\n\n\tmockSSHChannel = MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: readErr,\n\t\tWriteError: nil,\n\t}\n\tscpCommand.connection.channel = &mockSSHChannel\n\terr = scpCommand.handleRecursiveUpload()\n\tassert.Error(t, err, \"recursive upload must fail, we send a fake error message\")\n}\n\nfunc TestSCPCreateDirs(t *testing.T) {\n\tbuf := make([]byte, 65535)\n\tstdErrBuf := make([]byte, 65535)\n\tu := dataprovider.User{}\n\tu.HomeDir = \"home_rel_path\"\n\tu.Username = \"test\"\n\tu.Permissions = make(map[string][]string)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tmockSSHChannel := MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: nil,\n\t\tWriteError: nil,\n\t}\n\tfs, err := u.GetFilesystem(\"123\")\n\tassert.NoError(t, err)\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(\"\", common.ProtocolSCP, \"\", \"\", u),\n\t\tchannel: &mockSSHChannel,\n\t}\n\tscpCommand := scpCommand{\n\t\tsshCommand: sshCommand{\n\t\t\tcommand: \"scp\",\n\t\t\tconnection: connection,\n\t\t\targs: []string{\"-r\", \"-t\", \"/tmp\"},\n\t\t},\n\t}\n\terr = scpCommand.handleCreateDir(fs, \"invalid_dir\")\n\tassert.Error(t, err, \"create invalid dir must fail\")\n}\n\nfunc TestSCPDownloadFileData(t *testing.T) {\n\ttestfile := \"testfile\"\n\tbuf := make([]byte, 65535)\n\treadErr := fmt.Errorf(\"test read error\")\n\twriteErr := fmt.Errorf(\"test write error\")\n\tstdErrBuf := make([]byte, 65535)\n\tmockSSHChannelReadErr := MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: readErr,\n\t\tWriteError: nil,\n\t}\n\tmockSSHChannelWriteErr := MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: nil,\n\t\tWriteError: writeErr,\n\t}\n\tfs := vfs.NewOsFs(\"\", os.TempDir(), \"\", nil)\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(\"\", common.ProtocolSCP, \"\", \"\", dataprovider.User{BaseUser: sdk.BaseUser{HomeDir: os.TempDir()}}),\n\t\tchannel: &mockSSHChannelReadErr,\n\t}\n\tscpCommand := scpCommand{\n\t\tsshCommand: sshCommand{\n\t\t\tcommand: \"scp\",\n\t\t\tconnection: connection,\n\t\t\targs: []string{\"-r\", \"-f\", \"/tmp\"},\n\t\t},\n\t}\n\terr := os.WriteFile(testfile, []byte(\"test\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tstat, err := os.Stat(testfile)\n\tassert.NoError(t, err)\n\terr = scpCommand.sendDownloadFileData(fs, testfile, stat, nil)\n\tassert.EqualError(t, err, readErr.Error())\n\n\tscpCommand.connection.channel = &mockSSHChannelWriteErr\n\terr = scpCommand.sendDownloadFileData(fs, testfile, stat, nil)\n\tassert.EqualError(t, err, writeErr.Error())\n\n\tscpCommand.args = []string{\"-r\", \"-p\", \"-f\", \"/tmp\"}\n\terr = scpCommand.sendDownloadFileData(fs, testfile, stat, nil)\n\tassert.EqualError(t, err, writeErr.Error())\n\n\tscpCommand.connection.channel = &mockSSHChannelReadErr\n\terr = scpCommand.sendDownloadFileData(fs, testfile, stat, nil)\n\tassert.EqualError(t, err, readErr.Error())\n\n\terr = os.Remove(testfile)\n\tassert.NoError(t, err)\n}\n\nfunc TestSCPUploadFiledata(t *testing.T) {\n\ttestfile := \"testfile\"\n\tbuf := make([]byte, 65535)\n\tstdErrBuf := make([]byte, 65535)\n\treadErr := fmt.Errorf(\"test read error\")\n\twriteErr := fmt.Errorf(\"test write error\")\n\tmockSSHChannel := MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: readErr,\n\t\tWriteError: writeErr,\n\t}\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"testuser\",\n\t\t},\n\t}\n\tfs := vfs.NewOsFs(\"\", os.TempDir(), \"\", nil)\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(\"\", common.ProtocolSCP, \"\", \"\", user),\n\t\tchannel: &mockSSHChannel,\n\t}\n\tscpCommand := scpCommand{\n\t\tsshCommand: sshCommand{\n\t\t\tcommand: \"scp\",\n\t\t\tconnection: connection,\n\t\t\targs: []string{\"-r\", \"-t\", \"/tmp\"},\n\t\t},\n\t}\n\tfile, err := os.Create(testfile)\n\tassert.NoError(t, err)\n\n\tbaseTransfer := common.NewBaseTransfer(file, scpCommand.connection.BaseConnection, nil, file.Name(), file.Name(),\n\t\t\"/\"+testfile, common.TransferDownload, 0, 0, 0, 0, true, fs, dataprovider.TransferQuota{})\n\ttransfer := newTransfer(baseTransfer, nil, nil, nil)\n\n\terr = scpCommand.getUploadFileData(2, transfer)\n\tassert.Error(t, err, \"upload must fail, we send a fake write error message\")\n\n\tmockSSHChannel = MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: readErr,\n\t\tWriteError: nil,\n\t}\n\tscpCommand.connection.channel = &mockSSHChannel\n\tfile, err = os.Create(testfile)\n\tassert.NoError(t, err)\n\ttransfer.File = file\n\ttransfer.isFinished = false\n\ttransfer.Connection.AddTransfer(transfer)\n\terr = scpCommand.getUploadFileData(2, transfer)\n\tassert.Error(t, err, \"upload must fail, we send a fake read error message\")\n\n\trespBuffer := []byte(\"12\")\n\trespBuffer = append(respBuffer, 0x02)\n\tmockSSHChannel = MockChannel{\n\t\tBuffer: bytes.NewBuffer(respBuffer),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: nil,\n\t\tWriteError: nil,\n\t}\n\tscpCommand.connection.channel = &mockSSHChannel\n\tfile, err = os.Create(testfile)\n\tassert.NoError(t, err)\n\tbaseTransfer.File = file\n\ttransfer = newTransfer(baseTransfer, nil, nil, nil)\n\ttransfer.Connection.AddTransfer(transfer)\n\terr = scpCommand.getUploadFileData(2, transfer)\n\tassert.Error(t, err, \"upload must fail, we have not enough data to read\")\n\n\t// the file is already closed so we have an error on trasfer closing\n\tmockSSHChannel = MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: nil,\n\t\tWriteError: nil,\n\t}\n\n\ttransfer.Connection.AddTransfer(transfer)\n\terr = scpCommand.getUploadFileData(0, transfer)\n\tif assert.Error(t, err) {\n\t\tassert.EqualError(t, err, common.ErrTransferClosed.Error())\n\t}\n\ttransfer.Connection.RemoveTransfer(transfer)\n\n\tmockSSHChannel = MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t\tReadError: nil,\n\t\tWriteError: nil,\n\t}\n\n\ttransfer.Connection.AddTransfer(transfer)\n\terr = scpCommand.getUploadFileData(2, transfer)\n\tassert.ErrorContains(t, err, os.ErrClosed.Error())\n\ttransfer.Connection.RemoveTransfer(transfer)\n\n\terr = os.Remove(testfile)\n\tassert.NoError(t, err)\n\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n}\n\nfunc TestUploadError(t *testing.T) {\n\tcommon.Config.UploadMode = common.UploadModeAtomic\n\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"testuser\",\n\t\t},\n\t}\n\tfs := vfs.NewOsFs(\"\", os.TempDir(), \"\", nil)\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(\"\", common.ProtocolSCP, \"\", \"\", user),\n\t}\n\n\ttestfile := \"testfile\"\n\tfileTempName := \"temptestfile\"\n\tfile, err := os.Create(fileTempName)\n\tassert.NoError(t, err)\n\tbaseTransfer := common.NewBaseTransfer(file, connection.BaseConnection, nil, testfile, file.Name(),\n\t\ttestfile, common.TransferUpload, 0, 0, 0, 0, true, fs, dataprovider.TransferQuota{})\n\ttransfer := newTransfer(baseTransfer, nil, nil, nil)\n\n\terrFake := errors.New(\"fake error\")\n\ttransfer.TransferError(errFake)\n\terr = transfer.Close()\n\tif assert.Error(t, err) {\n\t\tassert.EqualError(t, err, common.ErrGenericFailure.Error())\n\t}\n\tif assert.Error(t, transfer.ErrTransfer) {\n\t\tassert.EqualError(t, transfer.ErrTransfer, errFake.Error())\n\t}\n\tassert.Equal(t, int64(0), transfer.BytesReceived.Load())\n\n\tassert.NoFileExists(t, testfile)\n\tassert.NoFileExists(t, fileTempName)\n\n\tcommon.Config.UploadMode = common.UploadModeAtomicWithResume\n}\n\nfunc TestTransferFailingReader(t *testing.T) {\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"testuser\",\n\t\t\tHomeDir: os.TempDir(),\n\t\t},\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.CryptedFilesystemProvider,\n\t\t\tCryptConfig: vfs.CryptFsConfig{\n\t\t\t\tPassphrase: kms.NewPlainSecret(\"crypt secret\"),\n\t\t\t},\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\n\tfs := newMockOsFs(nil, nil, true, \"\", os.TempDir())\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(\"\", common.ProtocolSFTP, \"\", \"\", user),\n\t}\n\n\trequest := sftp.NewRequest(\"Open\", \"afile.txt\")\n\trequest.Flags = 27 // read,write,create,truncate\n\n\ttransfer, err := connection.handleFilewrite(request)\n\trequire.NoError(t, err)\n\tbuf := make([]byte, 32)\n\t_, err = transfer.ReadAt(buf, 0)\n\tassert.ErrorIs(t, err, sftp.ErrSSHFxOpUnsupported)\n\tif c, ok := transfer.(io.Closer); ok {\n\t\terr = c.Close()\n\t\tassert.NoError(t, err)\n\t}\n\n\tfsPath := filepath.Join(os.TempDir(), \"afile.txt\")\n\n\tr, _, err := pipeat.Pipe()\n\tassert.NoError(t, err)\n\tbaseTransfer := common.NewBaseTransfer(nil, connection.BaseConnection, nil, fsPath, fsPath, filepath.Base(fsPath),\n\t\tcommon.TransferUpload, 0, 0, 0, 0, false, fs, dataprovider.TransferQuota{})\n\terrRead := errors.New(\"read is not allowed\")\n\ttr := newTransfer(baseTransfer, nil, vfs.NewPipeReader(r), errRead)\n\t_, err = tr.ReadAt(buf, 0)\n\tassert.ErrorIs(t, err, sftp.ErrSSHFxFailure)\n\n\terr = tr.Close()\n\tassert.NoError(t, err)\n\n\ttr = newTransfer(baseTransfer, nil, nil, errRead)\n\t_, err = tr.ReadAt(buf, 0)\n\tassert.ErrorIs(t, err, sftp.ErrSSHFxFailure)\n\n\terr = tr.Close()\n\tassert.NoError(t, err)\n\n\terr = os.Remove(fsPath)\n\tassert.NoError(t, err)\n\tassert.Len(t, connection.GetTransfers(), 0)\n}\n\nfunc TestConfigsFromProvider(t *testing.T) {\n\terr := dataprovider.UpdateConfigs(nil, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tc := Configuration{}\n\terr = c.loadFromProvider()\n\tassert.NoError(t, err)\n\tassert.Len(t, c.HostKeyAlgorithms, 0)\n\tassert.Len(t, c.KexAlgorithms, 0)\n\tassert.Len(t, c.Ciphers, 0)\n\tassert.Len(t, c.MACs, 0)\n\tassert.Len(t, c.PublicKeyAlgorithms, 0)\n\tconfigs := dataprovider.Configs{\n\t\tSFTPD: &dataprovider.SFTPDConfigs{\n\t\t\tHostKeyAlgos: []string{ssh.KeyAlgoRSA},\n\t\t\tKexAlgorithms: []string{ssh.InsecureKeyExchangeDHGEXSHA1},\n\t\t\tCiphers: []string{ssh.InsecureCipherAES128CBC},\n\t\t\tMACs: []string{ssh.HMACSHA512ETM},\n\t\t\tPublicKeyAlgos: []string{ssh.InsecureKeyAlgoDSA}, //nolint:staticcheck\n\t\t},\n\t}\n\terr = dataprovider.UpdateConfigs(&configs, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = c.loadFromProvider()\n\tassert.NoError(t, err)\n\texpectedHostKeyAlgos := append(preferredHostKeyAlgos, configs.SFTPD.HostKeyAlgos...)\n\texpectedKEXs := append(preferredKexAlgos, configs.SFTPD.KexAlgorithms...)\n\texpectedCiphers := append(preferredCiphers, configs.SFTPD.Ciphers...)\n\texpectedMACs := append(preferredMACs, configs.SFTPD.MACs...)\n\texpectedPublicKeyAlgos := append(preferredPublicKeyAlgos, configs.SFTPD.PublicKeyAlgos...)\n\tassert.Equal(t, expectedHostKeyAlgos, c.HostKeyAlgorithms)\n\tassert.Equal(t, expectedKEXs, c.KexAlgorithms)\n\tassert.Equal(t, expectedCiphers, c.Ciphers)\n\tassert.Equal(t, expectedMACs, c.MACs)\n\tassert.Equal(t, expectedPublicKeyAlgos, c.PublicKeyAlgorithms)\n\n\terr = dataprovider.UpdateConfigs(nil, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n}\n\nfunc TestSupportedSecurityOptions(t *testing.T) {\n\tc := Configuration{\n\t\tKexAlgorithms: supportedKexAlgos,\n\t\tMACs: supportedMACs,\n\t\tCiphers: supportedCiphers,\n\t}\n\tvar defaultKexs []string\n\tfor _, k := range supportedKexAlgos {\n\t\tdefaultKexs = append(defaultKexs, k)\n\t\tif k == ssh.KeyExchangeCurve25519 {\n\t\t\tdefaultKexs = append(defaultKexs, keyExchangeCurve25519SHA256LibSSH)\n\t\t}\n\t}\n\tserverConfig := &ssh.ServerConfig{}\n\terr := c.configureSecurityOptions(serverConfig)\n\tassert.NoError(t, err)\n\tassert.Equal(t, supportedCiphers, serverConfig.Ciphers)\n\tassert.Equal(t, supportedMACs, serverConfig.MACs)\n\tassert.Equal(t, defaultKexs, serverConfig.KeyExchanges)\n\tc.KexAlgorithms = append(c.KexAlgorithms, \"not a kex\")\n\terr = c.configureSecurityOptions(serverConfig)\n\tassert.Error(t, err)\n\tc.KexAlgorithms = append(supportedKexAlgos, \"diffie-hellman-group18-sha512\")\n\tc.MACs = []string{\n\t\t\" hmac-sha2-256-etm@openssh.com \", \" hmac-sha2-512-etm@openssh.com\",\n\t\t\"hmac-sha2-256\", \"hmac-sha2-512 \",\n\t\t\"hmac-sha1 \", \" hmac-sha1-96\",\n\t}\n\terr = c.configureSecurityOptions(serverConfig)\n\tassert.NoError(t, err)\n\tassert.Equal(t, supportedCiphers, serverConfig.Ciphers)\n\tassert.Equal(t, supportedMACs, serverConfig.MACs)\n\tassert.Equal(t, defaultKexs, serverConfig.KeyExchanges)\n}\n\nfunc TestLoadHostKeys(t *testing.T) {\n\tserverConfig := &ssh.ServerConfig{}\n\tc := Configuration{}\n\tc.HostKeys = []string{\".\", \"missing file\"}\n\terr := c.checkAndLoadHostKeys(configDir, serverConfig)\n\tassert.Error(t, err)\n\ttestfile := filepath.Join(os.TempDir(), \"invalidkey\")\n\terr = os.WriteFile(testfile, []byte(\"some bytes\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tc.HostKeys = []string{testfile}\n\terr = c.checkAndLoadHostKeys(configDir, serverConfig)\n\tassert.Error(t, err)\n\terr = os.Remove(testfile)\n\tassert.NoError(t, err)\n\tkeysDir := filepath.Join(os.TempDir(), \"keys\")\n\terr = os.MkdirAll(keysDir, os.ModePerm)\n\tassert.NoError(t, err)\n\trsaKeyName := filepath.Join(keysDir, defaultPrivateRSAKeyName)\n\tecdsaKeyName := filepath.Join(keysDir, defaultPrivateECDSAKeyName)\n\ted25519KeyName := filepath.Join(keysDir, defaultPrivateEd25519KeyName)\n\tnonDefaultKeyName := filepath.Join(keysDir, \"akey\")\n\tc.HostKeys = []string{nonDefaultKeyName, rsaKeyName, ecdsaKeyName, ed25519KeyName}\n\terr = c.checkAndLoadHostKeys(configDir, serverConfig)\n\tassert.Error(t, err)\n\tc.HostKeyAlgorithms = []string{ssh.KeyAlgoRSASHA256}\n\tc.HostKeys = []string{ecdsaKeyName}\n\terr = c.checkAndLoadHostKeys(configDir, serverConfig)\n\tassert.Error(t, err)\n\tc.HostKeyAlgorithms = preferredHostKeyAlgos\n\terr = c.checkAndLoadHostKeys(configDir, serverConfig)\n\tassert.NoError(t, err)\n\tassert.FileExists(t, rsaKeyName)\n\tassert.FileExists(t, ecdsaKeyName)\n\tassert.FileExists(t, ed25519KeyName)\n\tassert.NoFileExists(t, nonDefaultKeyName)\n\terr = os.Remove(rsaKeyName)\n\tassert.NoError(t, err)\n\terr = os.Remove(ecdsaKeyName)\n\tassert.NoError(t, err)\n\terr = os.Remove(ed25519KeyName)\n\tassert.NoError(t, err)\n\tif runtime.GOOS != osWindows {\n\t\terr = os.Chmod(keysDir, 0551)\n\t\tassert.NoError(t, err)\n\t\tc.HostKeys = nil\n\t\terr = c.checkAndLoadHostKeys(keysDir, serverConfig)\n\t\tassert.Error(t, err)\n\t\tc.HostKeys = []string{rsaKeyName, ecdsaKeyName}\n\t\terr = c.checkAndLoadHostKeys(configDir, serverConfig)\n\t\tassert.Error(t, err)\n\t\tc.HostKeys = []string{ecdsaKeyName, rsaKeyName}\n\t\terr = c.checkAndLoadHostKeys(configDir, serverConfig)\n\t\tassert.Error(t, err)\n\t\tc.HostKeys = []string{ed25519KeyName}\n\t\terr = c.checkAndLoadHostKeys(configDir, serverConfig)\n\t\tassert.Error(t, err)\n\t\terr = os.Chmod(keysDir, 0755)\n\t\tassert.NoError(t, err)\n\t}\n\terr = os.RemoveAll(keysDir)\n\tassert.NoError(t, err)\n}\n\nfunc TestCertCheckerInitErrors(t *testing.T) {\n\tc := Configuration{}\n\tc.TrustedUserCAKeys = []string{\".\", \"missing file\"}\n\terr := c.initializeCertChecker(\"\")\n\tassert.Error(t, err)\n\ttestfile := filepath.Join(os.TempDir(), \"invalidkey\")\n\terr = os.WriteFile(testfile, []byte(\"some bytes\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tc.TrustedUserCAKeys = []string{testfile}\n\terr = c.initializeCertChecker(\"\")\n\tassert.Error(t, err)\n\terr = os.Remove(testfile)\n\tassert.NoError(t, err)\n}\n\nfunc TestRecoverer(t *testing.T) {\n\tc := Configuration{}\n\tc.AcceptInboundConnection(nil, nil)\n\tconnID := \"connectionID\"\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(connID, common.ProtocolSFTP, \"\", \"\", dataprovider.User{}),\n\t}\n\tc.handleSftpConnection(nil, connection)\n\tsshCmd := sshCommand{\n\t\tcommand: \"cd\",\n\t\tconnection: connection,\n\t}\n\terr := sshCmd.handle()\n\tassert.EqualError(t, err, common.ErrGenericFailure.Error())\n\tscpCmd := scpCommand{\n\t\tsshCommand: sshCommand{\n\t\t\tcommand: \"scp\",\n\t\t\tconnection: connection,\n\t\t},\n\t}\n\terr = scpCmd.handle()\n\tassert.EqualError(t, err, common.ErrGenericFailure.Error())\n\tassert.Len(t, common.Connections.GetStats(\"\"), 0)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n}\n\nfunc TestListernerAcceptErrors(t *testing.T) {\n\terrFake := errors.New(\"a fake error\")\n\tlistener := newFakeListener(errFake)\n\tc := Configuration{}\n\terr := c.serve(listener, nil)\n\trequire.EqualError(t, err, errFake.Error())\n\terr = listener.Close()\n\trequire.NoError(t, err)\n\n\terrNetFake := &fakeNetError{error: errFake}\n\tlistener = newFakeListener(errNetFake)\n\terr = c.serve(listener, nil)\n\trequire.EqualError(t, err, errFake.Error())\n\terr = listener.Close()\n\trequire.NoError(t, err)\n}\n\ntype fakeNetError struct {\n\terror\n\tcount int\n}\n\nfunc (e *fakeNetError) Timeout() bool {\n\treturn false\n}\n\nfunc (e *fakeNetError) Temporary() bool {\n\te.count++\n\treturn e.count < 10\n}\n\nfunc (e *fakeNetError) Error() string {\n\treturn e.error.Error()\n}\n\ntype fakeListener struct {\n\tserver net.Conn\n\tclient net.Conn\n\terr error\n}\n\nfunc (l *fakeListener) Accept() (net.Conn, error) {\n\treturn l.client, l.err\n}\n\nfunc (l *fakeListener) Close() error {\n\terrClient := l.client.Close()\n\terrServer := l.server.Close()\n\tif errServer != nil {\n\t\treturn errServer\n\t}\n\treturn errClient\n}\n\nfunc (l *fakeListener) Addr() net.Addr {\n\treturn l.server.LocalAddr()\n}\n\nfunc newFakeListener(err error) net.Listener {\n\tserver, client := net.Pipe()\n\n\treturn &fakeListener{\n\t\tserver: server,\n\t\tclient: client,\n\t\terr: err,\n\t}\n}\n\nfunc TestLoadRevokedUserCertsFile(t *testing.T) {\n\tr := revokedCertificates{\n\t\tcerts: map[string]bool{},\n\t}\n\terr := r.load()\n\tassert.NoError(t, err)\n\tr.filePath = filepath.Join(os.TempDir(), \"sub\", \"testrevoked\")\n\terr = os.MkdirAll(filepath.Dir(r.filePath), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(r.filePath, []byte(`no json`), 0644)\n\tassert.NoError(t, err)\n\terr = r.load()\n\tassert.Error(t, err)\n\tr.filePath = filepath.Dir(r.filePath)\n\terr = r.load()\n\tassert.Error(t, err)\n\terr = os.RemoveAll(r.filePath)\n\tassert.NoError(t, err)\n}\n\nfunc TestMaxUserSessions(t *testing.T) {\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolSFTP, \"\", \"\", dataprovider.User{\n\t\t\tBaseUser: sdk.BaseUser{\n\t\t\t\tUsername: \"user_max_sessions\",\n\t\t\t\tHomeDir: filepath.Clean(os.TempDir()),\n\t\t\t\tMaxSessions: 1,\n\t\t\t},\n\t\t}),\n\t}\n\terr := common.Connections.Add(connection)\n\tassert.NoError(t, err)\n\n\tc := Configuration{}\n\tc.handleSftpConnection(nil, connection)\n\n\tbuf := make([]byte, 65535)\n\tstdErrBuf := make([]byte, 65535)\n\tmockSSHChannel := MockChannel{\n\t\tBuffer: bytes.NewBuffer(buf),\n\t\tStdErrBuffer: bytes.NewBuffer(stdErrBuf),\n\t}\n\n\tconn := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolSFTP, \"\", \"\", dataprovider.User{\n\t\t\tBaseUser: sdk.BaseUser{\n\t\t\t\tUsername: \"user_max_sessions\",\n\t\t\t\tHomeDir: filepath.Clean(os.TempDir()),\n\t\t\t\tMaxSessions: 1,\n\t\t\t},\n\t\t}),\n\t\tchannel: &mockSSHChannel,\n\t}\n\n\tsshCmd := sshCommand{\n\t\tcommand: \"cd\",\n\t\tconnection: conn,\n\t}\n\terr = sshCmd.handle()\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"too many open sessions\")\n\t}\n\tscpCmd := scpCommand{\n\t\tsshCommand: sshCommand{\n\t\t\tcommand: \"scp\",\n\t\t\tconnection: conn,\n\t\t},\n\t}\n\terr = scpCmd.handle()\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"too many open sessions\")\n\t}\n\n\tcommon.Connections.Remove(connection.GetID())\n\tassert.Len(t, common.Connections.GetStats(\"\"), 0)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n}\n\nfunc TestCanReadSymlink(t *testing.T) {\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolSFTP, \"\", \"\", dataprovider.User{\n\t\t\tBaseUser: sdk.BaseUser{\n\t\t\t\tUsername: \"user_can_read_symlink\",\n\t\t\t\tHomeDir: filepath.Clean(os.TempDir()),\n\t\t\t\tPermissions: map[string][]string{\n\t\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t\t\t\"/sub\": {dataprovider.PermUpload},\n\t\t\t\t},\n\t\t\t},\n\t\t\tFilters: dataprovider.UserFilters{\n\t\t\t\tBaseUserFilters: sdk.BaseUserFilters{\n\t\t\t\t\tFilePatterns: []sdk.PatternsFilter{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tPath: \"/denied\",\n\t\t\t\t\t\t\tDeniedPatterns: []string{\"*.txt\"},\n\t\t\t\t\t\t\tDenyPolicy: sdk.DenyPolicyHide,\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t}),\n\t}\n\terr := connection.canReadLink(\"/sub/link\")\n\tassert.ErrorIs(t, err, sftp.ErrSSHFxPermissionDenied)\n\n\terr = connection.canReadLink(\"/denied/file.txt\")\n\tassert.ErrorIs(t, err, sftp.ErrSSHFxNoSuchFile)\n}\n\nfunc TestAuthenticationErrors(t *testing.T) {\n\tsftpAuthError := newAuthenticationError(nil, \"\", \"\")\n\tloginMethod := dataprovider.SSHLoginMethodPassword\n\tusername := \"test user\"\n\terr := newAuthenticationError(fmt.Errorf(\"cannot validate credentials: %w\", util.NewRecordNotFoundError(\"not found\")),\n\t\tloginMethod, username)\n\tassert.ErrorIs(t, err, sftpAuthError)\n\tassert.ErrorIs(t, err, util.ErrNotFound)\n\tvar sftpAuthErr *authenticationError\n\tif assert.ErrorAs(t, err, &sftpAuthErr) {\n\t\tassert.Equal(t, loginMethod, sftpAuthErr.getLoginMethod())\n\t\tassert.Equal(t, username, sftpAuthErr.getUsername())\n\t}\n\terr = newAuthenticationError(fmt.Errorf(\"cannot validate credentials: %w\", fs.ErrPermission), loginMethod, username)\n\tassert.ErrorIs(t, err, sftpAuthError)\n\tassert.NotErrorIs(t, err, util.ErrNotFound)\n\terr = newAuthenticationError(fmt.Errorf(\"cert has wrong type %d\", ssh.HostCert), loginMethod, username)\n\tassert.ErrorIs(t, err, sftpAuthError)\n\tassert.NotErrorIs(t, err, util.ErrNotFound)\n\terr = newAuthenticationError(errors.New(\"ssh: certificate signed by unrecognized authority\"), loginMethod, username)\n\tassert.ErrorIs(t, err, sftpAuthError)\n\tassert.NotErrorIs(t, err, util.ErrNotFound)\n\terr = newAuthenticationError(nil, loginMethod, username)\n\tassert.ErrorIs(t, err, sftpAuthError)\n\tassert.NotErrorIs(t, err, util.ErrNotFound)\n}\n\ntype mockCommandExecutor struct {\n\tOutput []byte\n\tErr error\n}\n\nfunc (f mockCommandExecutor) CombinedOutput(ctx context.Context, name string, args ...string) ([]byte, error) {\n\treturn f.Output, f.Err\n}\n\nfunc TestVerifyWithOPKSSH(t *testing.T) {\n\tsshCert := []byte(`ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAg4+hKHVPKv183MU/Q7XD/mzDBFSc2YY3eraltxLMGJo0AAAADAQABAAABAQCe6jMoy1xCQgiZkZJ7gi6NLj4uRqz2OaUGK/OJYZTfBqK+SlS9iymAluHu9K+cc4+0qxx0gn7dRTJWINSgzvca6ayYe995EKgD1hE5krh9BH0bRrXB+hGqyslcZOgLNO+v8jYojClQbRtET2tS+xb4k33GCuL5wgla2790ZgOQgs7huQUjG0S8c1W+EYt6fI4cWE/DeEBnv9sqryS8rOb0PbM6WUd7XBadwySFWYQUX0ei56GNt12Z4gADEGlFQV/OnV0PvnTcAMGUl0rfToPgJ4jgogWKoTVWuZ9wyA/x+2LRLRvgm2a969ig937/AH0i0Wq+FzqfK7EXQ99Yf5K/AAAAAAAAAAAAAAACAAAAFGhvc3QuZXhhbXBsZS5jb20ta2V5AAAAFAAAABBob3N0LmV4YW1wbGUuY29tAAAAAGXEzYAAAAAAd8sP4wAAAAAAAAAAAAAAAAAAARcAAAAHc3NoLXJzYQAAAAMBAAEAAAEBAL4PXUPSERufZWCW/hhEnylk3IeMgaa+2HcNY5Cur77a8fYy6OYZAPF+vhJUT0akwGUpTeXAZumAgHECDrJlw1J+jo9ZVT0AKDo0wU77IzNzYxob7+dpB02NJ7DLAXmPauQ07Zc5pWJFVKtmuh7YH9pjYtNXSMOXye7k06PBGzX+ztIt7nPWvD9fR2mZeTSoljeBCGZHwdlnV2ESQlQbBoEI93RPxqxJh/UCDatQPhpDbyverr2ZvB9Y45rqsx6ZVmu5RXl3MfBU1U21W/4ia2di3PybyD4rSmVoam0efcqxo6cBKSHe26OFoTuS9zgdH0iCWL37vqOFmJ7eH91M3nMAAAEUAAAADHJzYS1zaGEyLTI1NgAAAQA/ByIegNZYJRRl413S/8LxGvTZnbxsPwaluoJ/54niGZV9P28THz7d9jXfSHPjalhH93jNPfTYXvI4opnDC37ua1Nu8KKfk40IWXnnDdZLWraUxEidIzhmfVtz8kGdGoFQ8H0EzubL7zKNOTlfSfOoDlmQVOuxT/+eh2mEp4ri0/+8J1mLfLBr8tREX0/iaNjK+RKdcyTMicKursAYMCDdu8vlaphxea+ocyHM9izSX/l33t44V13ueTqIOh2Zbl2UE2k+jk+0dc1CmV0SEoiWiIyt8TRM4yQry1vPlQLsrf28sYM/QMwnhCVhyZO3vs5F25aQWrB9d51VEzBW9/fd host.example.com`)\n\tkey, _, _, _, err := ssh.ParseAuthorizedKey(sshCert) //nolint:dogsled\n\trequire.NoError(t, err)\n\tcert, ok := key.(*ssh.Certificate)\n\trequire.True(t, ok)\n\tc := Configuration{}\n\tc.executor = mockCommandExecutor{\n\t\tErr: errors.New(\"test error\"),\n\t}\n\terr = c.verifyWithOPKSSH(\"user\", cert)\n\tassert.Error(t, err)\n\n\tc.executor = mockCommandExecutor{}\n\terr = c.verifyWithOPKSSH(\"\", cert)\n\tassert.Error(t, err)\n\n\tc.executor = mockCommandExecutor{\n\t\tOutput: ssh.MarshalAuthorizedKey(cert),\n\t}\n\terr = c.verifyWithOPKSSH(\"\", cert)\n\tassert.Error(t, err)\n\n\tc.executor = mockCommandExecutor{\n\t\tOutput: ssh.MarshalAuthorizedKey(cert.SignatureKey),\n\t}\n\terr = c.verifyWithOPKSSH(\"\", cert)\n\tassert.NoError(t, err)\n}\n" }, { "path": "internal/sftpd/lister.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage sftpd\n\nimport (\n\t\"io\"\n\t\"os\"\n)\n\ntype listerAt []os.FileInfo\n\n// ListAt returns the number of entries copied and an io.EOF error if we made it to the end of the file list.\n// Take a look at the pkg/sftp godoc for more information about how this function should work.\nfunc (l listerAt) ListAt(f []os.FileInfo, offset int64) (int, error) {\n\tif offset >= int64(len(l)) {\n\t\treturn 0, io.EOF\n\t}\n\n\tn := copy(f, l[offset:])\n\tif n < len(f) {\n\t\treturn n, io.EOF\n\t}\n\treturn n, nil\n}\n" }, { "path": "internal/sftpd/scp.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage sftpd\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"math\"\n\t\"os\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"runtime/debug\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nvar (\n\tokMsg = []byte{0x00}\n\twarnMsg = []byte{0x01} // must be followed by an optional message and a newline\n\terrMsg = []byte{0x02} // must be followed by an optional message and a newline\n\tnewLine = []byte{0x0A}\n)\n\ntype scpCommand struct {\n\tsshCommand\n}\n\nfunc (c *scpCommand) handle() (err error) {\n\tdefer func() {\n\t\tif r := recover(); r != nil {\n\t\t\tlogger.Error(logSender, \"\", \"panic in handle scp command: %q stack trace: %v\", r, string(debug.Stack()))\n\t\t\terr = common.ErrGenericFailure\n\t\t}\n\t}()\n\tif err := common.Connections.Add(c.connection); err != nil {\n\t\tdefer c.connection.CloseFS() //nolint:errcheck\n\t\tlogger.Info(logSender, \"\", \"unable to add SCP connection: %v\", err)\n\t\treturn c.sendErrorResponse(err)\n\t}\n\tdefer common.Connections.Remove(c.connection.GetID())\n\n\tdestPath := c.getDestPath()\n\tc.connection.Log(logger.LevelDebug, \"handle scp command, args: %v user: %s, dest path: %q\",\n\t\tc.args, c.connection.User.Username, destPath)\n\tif c.hasFlag(\"t\") {\n\t\t// -t means \"to\", so upload\n\t\terr = c.sendConfirmationMessage()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\terr = c.handleRecursiveUpload()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t} else if c.hasFlag(\"f\") {\n\t\t// -f means \"from\" so download\n\t\terr = c.readConfirmationMessage()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\terr = c.handleDownload(destPath)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t} else {\n\t\terr = fmt.Errorf(\"scp command not supported, args: %v\", c.args)\n\t\tc.connection.Log(logger.LevelDebug, \"unsupported scp command, args: %v\", c.args)\n\t}\n\tc.sendExitStatus(err)\n\treturn err\n}\n\nfunc (c *scpCommand) handleRecursiveUpload() error {\n\tnumDirs := 0\n\tdestPath := c.getDestPath()\n\tfor {\n\t\tfs, err := c.connection.User.GetFilesystemForPath(destPath, c.connection.ID)\n\t\tif err != nil {\n\t\t\tc.connection.Log(logger.LevelError, \"error uploading file %q: %+v\", destPath, err)\n\t\t\tc.sendErrorMessage(nil, fmt.Errorf(\"unable to get fs for path %q\", destPath))\n\t\t\treturn err\n\t\t}\n\t\tcommand, err := c.getNextUploadProtocolMessage()\n\t\tif err != nil {\n\t\t\tif errors.Is(err, io.EOF) {\n\t\t\t\treturn nil\n\t\t\t}\n\t\t\tc.sendErrorMessage(fs, err)\n\t\t\treturn err\n\t\t}\n\t\tif strings.HasPrefix(command, \"E\") {\n\t\t\tnumDirs--\n\t\t\tc.connection.Log(logger.LevelDebug, \"received end dir command, num dirs: %v\", numDirs)\n\t\t\tif numDirs < 0 {\n\t\t\t\terr = errors.New(\"unacceptable end dir command\")\n\t\t\t\tc.sendErrorMessage(nil, err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t\t// the destination dir is now the parent directory\n\t\t\tdestPath = path.Join(destPath, \"..\")\n\t\t} else {\n\t\t\tsizeToRead, name, err := c.parseUploadMessage(fs, command)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tif strings.HasPrefix(command, \"D\") {\n\t\t\t\tnumDirs++\n\t\t\t\tdestPath = path.Join(destPath, name)\n\t\t\t\tfs, err = c.connection.User.GetFilesystemForPath(destPath, c.connection.ID)\n\t\t\t\tif err != nil {\n\t\t\t\t\tc.connection.Log(logger.LevelError, \"error uploading file %q: %+v\", destPath, err)\n\t\t\t\t\tc.sendErrorMessage(nil, fmt.Errorf(\"unable to get fs for path %q\", destPath))\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\terr = c.handleCreateDir(fs, destPath)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tc.connection.Log(logger.LevelDebug, \"received start dir command, num dirs: %v destPath: %q\", numDirs, destPath)\n\t\t\t} else if strings.HasPrefix(command, \"C\") {\n\t\t\t\terr = c.handleUpload(c.getFileUploadDestPath(fs, destPath, name), sizeToRead)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\terr = c.sendConfirmationMessage()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n}\n\nfunc (c *scpCommand) handleCreateDir(fs vfs.Fs, dirPath string) error {\n\tc.connection.UpdateLastActivity()\n\n\tp, err := fs.ResolvePath(dirPath)\n\tif err != nil {\n\t\tc.connection.Log(logger.LevelError, \"error creating dir: %q, invalid file path, err: %v\", dirPath, err)\n\t\tc.sendErrorMessage(fs, err)\n\t\treturn err\n\t}\n\tif !c.connection.User.HasPerm(dataprovider.PermCreateDirs, path.Dir(dirPath)) {\n\t\tc.connection.Log(logger.LevelError, \"error creating dir: %q, permission denied\", dirPath)\n\t\tc.sendErrorMessage(fs, common.ErrPermissionDenied)\n\t\treturn common.ErrPermissionDenied\n\t}\n\n\tinfo, err := c.connection.DoStat(dirPath, 1, true)\n\tif err == nil && info.IsDir() {\n\t\treturn nil\n\t}\n\n\terr = c.createDir(fs, p)\n\tif err != nil {\n\t\treturn err\n\t}\n\tc.connection.Log(logger.LevelDebug, \"created dir %q\", dirPath)\n\treturn nil\n}\n\n// we need to close the transfer if we have an error\nfunc (c *scpCommand) getUploadFileData(sizeToRead int64, transfer *transfer) error {\n\terr := c.sendConfirmationMessage()\n\tif err != nil {\n\t\ttransfer.TransferError(err)\n\t\ttransfer.Close()\n\t\treturn err\n\t}\n\n\tif sizeToRead > 0 {\n\t\t// we could replace this method with io.CopyN implementing \"Write\" method in transfer struct\n\t\tremaining := sizeToRead\n\t\tbuf := make([]byte, int64(math.Min(32768, float64(sizeToRead))))\n\t\tfor {\n\t\t\tn, err := c.connection.channel.Read(buf)\n\t\t\tif err != nil {\n\t\t\t\ttransfer.TransferError(err)\n\t\t\t\ttransfer.Close()\n\t\t\t\tc.sendErrorMessage(transfer.Fs, err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t\t_, err = transfer.WriteAt(buf[:n], sizeToRead-remaining)\n\t\t\tif err != nil {\n\t\t\t\ttransfer.Close()\n\t\t\t\tc.sendErrorMessage(transfer.Fs, err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tremaining -= int64(n)\n\t\t\tif remaining <= 0 {\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tif remaining < int64(len(buf)) {\n\t\t\t\tbuf = make([]byte, remaining)\n\t\t\t}\n\t\t}\n\t}\n\terr = c.readConfirmationMessage()\n\tif err != nil {\n\t\ttransfer.TransferError(err)\n\t\ttransfer.Close()\n\t\treturn err\n\t}\n\terr = transfer.Close()\n\tif err != nil {\n\t\tc.sendErrorMessage(transfer.Fs, err)\n\t\treturn err\n\t}\n\treturn nil\n}\n\nfunc (c *scpCommand) handleUploadFile(fs vfs.Fs, resolvedPath, filePath string, sizeToRead int64, isNewFile bool, fileSize int64, requestPath string) error {\n\tif err := common.Connections.IsNewTransferAllowed(c.connection.User.Username); err != nil {\n\t\terr := fmt.Errorf(\"denying file write due to transfer count limits\")\n\t\tc.connection.Log(logger.LevelInfo, \"denying file write due to transfer count limits\")\n\t\tc.sendErrorMessage(nil, err)\n\t\treturn err\n\t}\n\tdiskQuota, transferQuota := c.connection.HasSpace(isNewFile, false, requestPath)\n\tif !diskQuota.HasSpace || !transferQuota.HasUploadSpace() {\n\t\terr := fmt.Errorf(\"denying file write due to quota limits\")\n\t\tc.connection.Log(logger.LevelError, \"error uploading file: %q, err: %v\", filePath, err)\n\t\tc.sendErrorMessage(nil, err)\n\t\treturn err\n\t}\n\t_, err := common.ExecutePreAction(c.connection.BaseConnection, common.OperationPreUpload, resolvedPath, requestPath,\n\t\tfileSize, os.O_TRUNC)\n\tif err != nil {\n\t\tc.connection.Log(logger.LevelDebug, \"upload for file %q denied by pre action: %v\", requestPath, err)\n\t\terr = c.connection.GetPermissionDeniedError()\n\t\tc.sendErrorMessage(fs, err)\n\t\treturn err\n\t}\n\n\tmaxWriteSize, _ := c.connection.GetMaxWriteSize(diskQuota, false, fileSize, fs.IsUploadResumeSupported())\n\n\tfile, w, cancelFn, err := fs.Create(filePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, c.connection.GetCreateChecks(requestPath, isNewFile, false))\n\tif err != nil {\n\t\tc.connection.Log(logger.LevelError, \"error creating file %q: %v\", resolvedPath, err)\n\t\tc.sendErrorMessage(fs, err)\n\t\treturn err\n\t}\n\n\tinitialSize := int64(0)\n\ttruncatedSize := int64(0) // bytes truncated and not included in quota\n\tif !isNewFile {\n\t\tif vfs.HasTruncateSupport(fs) {\n\t\t\tvfolder, err := c.connection.User.GetVirtualFolderForPath(path.Dir(requestPath))\n\t\t\tif err == nil {\n\t\t\t\tdataprovider.UpdateUserFolderQuota(&vfolder, &c.connection.User, 0, -fileSize, false)\n\t\t\t} else {\n\t\t\t\tdataprovider.UpdateUserQuota(&c.connection.User, 0, -fileSize, false) //nolint:errcheck\n\t\t\t}\n\t\t} else {\n\t\t\tinitialSize = fileSize\n\t\t\ttruncatedSize = initialSize\n\t\t}\n\t\tif maxWriteSize > 0 {\n\t\t\tmaxWriteSize += fileSize\n\t\t}\n\t}\n\n\tvfs.SetPathPermissions(fs, filePath, c.connection.User.GetUID(), c.connection.User.GetGID())\n\n\tbaseTransfer := common.NewBaseTransfer(file, c.connection.BaseConnection, cancelFn, resolvedPath, filePath, requestPath,\n\t\tcommon.TransferUpload, 0, initialSize, maxWriteSize, truncatedSize, isNewFile, fs, transferQuota)\n\tt := newTransfer(baseTransfer, w, nil, nil)\n\n\treturn c.getUploadFileData(sizeToRead, t)\n}\n\nfunc (c *scpCommand) handleUpload(uploadFilePath string, sizeToRead int64) error {\n\tc.connection.UpdateLastActivity()\n\n\tfs, p, err := c.connection.GetFsAndResolvedPath(uploadFilePath)\n\tif err != nil {\n\t\tc.connection.Log(logger.LevelError, \"error uploading file: %q, err: %v\", uploadFilePath, err)\n\t\tc.sendErrorMessage(nil, err)\n\t\treturn err\n\t}\n\n\tif ok, _ := c.connection.User.IsFileAllowed(uploadFilePath); !ok {\n\t\tc.connection.Log(logger.LevelWarn, \"writing file %q is not allowed\", uploadFilePath)\n\t\tc.sendErrorMessage(fs, c.connection.GetPermissionDeniedError())\n\t\treturn common.ErrPermissionDenied\n\t}\n\n\tfilePath := p\n\tif common.Config.IsAtomicUploadEnabled() && fs.IsAtomicUploadSupported() {\n\t\tfilePath = fs.GetAtomicUploadPath(p)\n\t}\n\tstat, statErr := fs.Lstat(p)\n\tif (statErr == nil && stat.Mode()&os.ModeSymlink != 0) || fs.IsNotExist(statErr) {\n\t\tif !c.connection.User.HasPerm(dataprovider.PermUpload, path.Dir(uploadFilePath)) {\n\t\t\tc.connection.Log(logger.LevelWarn, \"cannot upload file: %q, permission denied\", uploadFilePath)\n\t\t\tc.sendErrorMessage(fs, common.ErrPermissionDenied)\n\t\t\treturn common.ErrPermissionDenied\n\t\t}\n\t\treturn c.handleUploadFile(fs, p, filePath, sizeToRead, true, 0, uploadFilePath)\n\t}\n\n\tif statErr != nil {\n\t\tc.connection.Log(logger.LevelError, \"error performing file stat %q: %v\", p, statErr)\n\t\tc.sendErrorMessage(fs, statErr)\n\t\treturn statErr\n\t}\n\n\tif stat.IsDir() {\n\t\tc.connection.Log(logger.LevelError, \"attempted to open a directory for writing to: %q\", p)\n\t\terr = fmt.Errorf(\"attempted to open a directory for writing: %q\", p)\n\t\tc.sendErrorMessage(fs, err)\n\t\treturn err\n\t}\n\n\tif !c.connection.User.HasPerm(dataprovider.PermOverwrite, uploadFilePath) {\n\t\tc.connection.Log(logger.LevelWarn, \"cannot overwrite file: %q, permission denied\", uploadFilePath)\n\t\tc.sendErrorMessage(fs, common.ErrPermissionDenied)\n\t\treturn common.ErrPermissionDenied\n\t}\n\n\tif common.Config.IsAtomicUploadEnabled() && fs.IsAtomicUploadSupported() {\n\t\t_, _, err = fs.Rename(p, filePath, 0)\n\t\tif err != nil {\n\t\t\tc.connection.Log(logger.LevelError, \"error renaming existing file for atomic upload, source: %q, dest: %q, err: %v\",\n\t\t\t\tp, filePath, err)\n\t\t\tc.sendErrorMessage(fs, err)\n\t\t\treturn err\n\t\t}\n\t}\n\n\treturn c.handleUploadFile(fs, p, filePath, sizeToRead, false, stat.Size(), uploadFilePath)\n}\n\nfunc (c *scpCommand) sendDownloadProtocolMessages(virtualDirPath string, stat os.FileInfo) error {\n\tvar err error\n\tif c.sendFileTime() {\n\t\tmodTime := stat.ModTime().UnixNano() / 1000000000\n\t\ttCommand := fmt.Sprintf(\"T%d 0 %d 0\\n\", modTime, modTime)\n\t\terr = c.sendProtocolMessage(tCommand)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\terr = c.readConfirmationMessage()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\tdirName := path.Base(virtualDirPath)\n\tif dirName == \"/\" || dirName == \".\" {\n\t\tdirName = c.connection.User.Username\n\t}\n\n\tfileMode := fmt.Sprintf(\"D%v 0 %v\\n\", getFileModeAsString(stat.Mode(), stat.IsDir()), dirName)\n\terr = c.sendProtocolMessage(fileMode)\n\tif err != nil {\n\t\treturn err\n\t}\n\terr = c.readConfirmationMessage()\n\treturn err\n}\n\n// We send first all the files in the root directory and then the directories.\n// For each directory we recursively call this method again\nfunc (c *scpCommand) handleRecursiveDownload(fs vfs.Fs, dirPath, virtualPath string, stat os.FileInfo) error {\n\tvar err error\n\tif c.isRecursive() {\n\t\tc.connection.Log(logger.LevelDebug, \"recursive download, dir path %q virtual path %q\", dirPath, virtualPath)\n\t\terr = c.sendDownloadProtocolMessages(virtualPath, stat)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// dirPath is a fs path, not a virtual path\n\t\tlister, err := fs.ReadDir(dirPath)\n\t\tif err != nil {\n\t\t\tc.sendErrorMessage(fs, err)\n\t\t\treturn err\n\t\t}\n\t\tdefer lister.Close()\n\n\t\tvdirs := c.connection.User.GetVirtualFoldersInfo(virtualPath)\n\n\t\tvar dirs []string\n\t\tfor {\n\t\t\tfiles, err := lister.Next(vfs.ListerBatchSize)\n\t\t\tfinished := errors.Is(err, io.EOF)\n\t\t\tif err != nil && !finished {\n\t\t\t\tc.sendErrorMessage(fs, err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tfiles = c.connection.User.FilterListDir(files, fs.GetRelativePath(dirPath))\n\t\t\tif len(vdirs) > 0 {\n\t\t\t\tfiles = append(files, vdirs...)\n\t\t\t\tvdirs = nil\n\t\t\t}\n\t\t\tfor _, file := range files {\n\t\t\t\tfilePath := fs.GetRelativePath(fs.Join(dirPath, file.Name()))\n\t\t\t\tif file.Mode().IsRegular() || file.Mode()&os.ModeSymlink != 0 {\n\t\t\t\t\terr = c.handleDownload(filePath)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\tc.sendErrorMessage(fs, err)\n\t\t\t\t\t\treturn err\n\t\t\t\t\t}\n\t\t\t\t} else if file.IsDir() {\n\t\t\t\t\tdirs = append(dirs, filePath)\n\t\t\t\t}\n\t\t\t}\n\t\t\tif finished {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tlister.Close()\n\n\t\treturn c.downloadDirs(fs, dirs)\n\t}\n\terr = errors.New(\"unable to send directory for non recursive copy\")\n\tc.sendErrorMessage(nil, err)\n\treturn err\n}\n\nfunc (c *scpCommand) downloadDirs(fs vfs.Fs, dirs []string) error {\n\tfor _, dir := range dirs {\n\t\tif err := c.handleDownload(dir); err != nil {\n\t\t\tc.sendErrorMessage(fs, err)\n\t\t\treturn err\n\t\t}\n\t}\n\tif err := c.sendProtocolMessage(\"E\\n\"); err != nil {\n\t\treturn err\n\t}\n\treturn c.readConfirmationMessage()\n}\n\nfunc (c *scpCommand) sendDownloadFileData(fs vfs.Fs, filePath string, stat os.FileInfo, transfer *transfer) error {\n\tvar err error\n\tif c.sendFileTime() {\n\t\tmodTime := stat.ModTime().UnixNano() / 1000000000\n\t\ttCommand := fmt.Sprintf(\"T%d 0 %d 0\\n\", modTime, modTime)\n\t\terr = c.sendProtocolMessage(tCommand)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\terr = c.readConfirmationMessage()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tif vfs.IsCryptOsFs(fs) {\n\t\tstat = fs.(*vfs.CryptFs).ConvertFileInfo(stat)\n\t}\n\n\tfileSize := stat.Size()\n\treaded := int64(0)\n\tfileMode := fmt.Sprintf(\"C%v %v %v\\n\", getFileModeAsString(stat.Mode(), stat.IsDir()), fileSize, filepath.Base(filePath))\n\terr = c.sendProtocolMessage(fileMode)\n\tif err != nil {\n\t\treturn err\n\t}\n\terr = c.readConfirmationMessage()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t// we could replace this method with io.CopyN implementing \"Read\" method in transfer struct\n\tbuf := make([]byte, 32768)\n\tvar n int\n\tfor {\n\t\tn, err = transfer.ReadAt(buf, readed)\n\t\tif err == nil || err == io.EOF {\n\t\t\tif n > 0 {\n\t\t\t\t_, err = c.connection.channel.Write(buf[:n])\n\t\t\t}\n\t\t}\n\t\treaded += int64(n)\n\t\tif err != nil {\n\t\t\tbreak\n\t\t}\n\t}\n\tif err != io.EOF {\n\t\tc.sendErrorMessage(fs, err)\n\t\treturn err\n\t}\n\terr = c.sendConfirmationMessage()\n\tif err != nil {\n\t\treturn err\n\t}\n\terr = c.readConfirmationMessage()\n\treturn err\n}\n\nfunc (c *scpCommand) handleDownload(filePath string) error {\n\tc.connection.UpdateLastActivity()\n\n\tif err := common.Connections.IsNewTransferAllowed(c.connection.User.Username); err != nil {\n\t\terr := fmt.Errorf(\"denying file read due to transfer count limits\")\n\t\tc.connection.Log(logger.LevelInfo, \"denying file read due to transfer count limits\")\n\t\tc.sendErrorMessage(nil, err)\n\t\treturn err\n\t}\n\ttransferQuota := c.connection.GetTransferQuota()\n\tif !transferQuota.HasDownloadSpace() {\n\t\tc.connection.Log(logger.LevelInfo, \"denying file read due to quota limits\")\n\t\tc.sendErrorMessage(nil, c.connection.GetReadQuotaExceededError())\n\t\treturn c.connection.GetReadQuotaExceededError()\n\t}\n\tvar err error\n\n\tfs, p, err := c.connection.GetFsAndResolvedPath(filePath)\n\tif err != nil {\n\t\tc.connection.Log(logger.LevelError, \"error downloading file %q: %+v\", filePath, err)\n\t\tc.sendErrorMessage(nil, fmt.Errorf(\"unable to download file %q: %w\", filePath, err))\n\t\treturn err\n\t}\n\n\tvar stat os.FileInfo\n\tif stat, err = fs.Stat(p); err != nil {\n\t\tc.connection.Log(logger.LevelError, \"error downloading file: %q->%q, err: %v\", filePath, p, err)\n\t\tc.sendErrorMessage(fs, err)\n\t\treturn err\n\t}\n\n\tif stat.IsDir() {\n\t\tif !c.connection.User.HasPerm(dataprovider.PermDownload, filePath) {\n\t\t\tc.connection.Log(logger.LevelWarn, \"error downloading dir: %q, permission denied\", filePath)\n\t\t\tc.sendErrorMessage(fs, common.ErrPermissionDenied)\n\t\t\treturn common.ErrPermissionDenied\n\t\t}\n\t\terr = c.handleRecursiveDownload(fs, p, filePath, stat)\n\t\treturn err\n\t}\n\n\tif !c.connection.User.HasPerm(dataprovider.PermDownload, path.Dir(filePath)) {\n\t\tc.connection.Log(logger.LevelWarn, \"error downloading dir: %q, permission denied\", filePath)\n\t\tc.sendErrorMessage(fs, common.ErrPermissionDenied)\n\t\treturn common.ErrPermissionDenied\n\t}\n\n\tif ok, policy := c.connection.User.IsFileAllowed(filePath); !ok {\n\t\tc.connection.Log(logger.LevelWarn, \"reading file %q is not allowed\", filePath)\n\t\tc.sendErrorMessage(fs, c.connection.GetErrorForDeniedFile(policy))\n\t\treturn common.ErrPermissionDenied\n\t}\n\n\tif _, err := common.ExecutePreAction(c.connection.BaseConnection, common.OperationPreDownload, p, filePath, 0, 0); err != nil {\n\t\tc.connection.Log(logger.LevelDebug, \"download for file %q denied by pre action: %v\", filePath, err)\n\t\tc.sendErrorMessage(fs, common.ErrPermissionDenied)\n\t\treturn common.ErrPermissionDenied\n\t}\n\n\tfile, r, cancelFn, err := fs.Open(p, 0)\n\tif err != nil {\n\t\tc.connection.Log(logger.LevelError, \"could not open file %q for reading: %v\", p, err)\n\t\tc.sendErrorMessage(fs, err)\n\t\treturn err\n\t}\n\n\tbaseTransfer := common.NewBaseTransfer(file, c.connection.BaseConnection, cancelFn, p, p, filePath,\n\t\tcommon.TransferDownload, 0, 0, 0, 0, false, fs, transferQuota)\n\tt := newTransfer(baseTransfer, nil, r, nil)\n\n\terr = c.sendDownloadFileData(fs, p, stat, t)\n\t// we need to call Close anyway and return close error if any and\n\t// if we have no previous error\n\tif err == nil {\n\t\terr = t.Close()\n\t} else {\n\t\tt.TransferError(err)\n\t\tt.Close()\n\t}\n\treturn err\n}\n\nfunc (c *scpCommand) sendFileTime() bool {\n\treturn c.hasFlag(\"p\")\n}\n\nfunc (c *scpCommand) isRecursive() bool {\n\treturn c.hasFlag(\"r\")\n}\n\nfunc (c *scpCommand) hasFlag(flag string) bool {\n\tfor idx := 0; idx < len(c.args)-1; idx++ {\n\t\targ := c.args[idx]\n\t\tif !strings.HasPrefix(arg, \"--\") && strings.HasPrefix(arg, \"-\") && strings.Contains(arg, flag) {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// read the SCP confirmation message and the optional text message\n// the channel will be closed on errors\nfunc (c *scpCommand) readConfirmationMessage() error {\n\tvar msg strings.Builder\n\tbuf := make([]byte, 1)\n\tn, err := c.connection.channel.Read(buf)\n\tif err != nil {\n\t\tc.connection.channel.Close()\n\t\treturn err\n\t}\n\tif n == 1 && (buf[0] == warnMsg[0] || buf[0] == errMsg[0]) {\n\t\tisError := buf[0] == errMsg[0]\n\t\tfor {\n\t\t\tn, err = c.connection.channel.Read(buf)\n\t\t\treaded := buf[:n]\n\t\t\tif err != nil || (n == 1 && readed[0] == newLine[0]) {\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tif n > 0 {\n\t\t\t\tmsg.Write(readed)\n\t\t\t}\n\t\t}\n\t\tc.connection.Log(logger.LevelInfo, \"scp error message received: %v is error: %v\", msg.String(), isError)\n\t\terr = fmt.Errorf(\"%v\", msg.String())\n\t\tc.connection.channel.Close()\n\t}\n\treturn err\n}\n\n// protool messages are newline terminated\nfunc (c *scpCommand) readProtocolMessage() (string, error) {\n\tvar command strings.Builder\n\tvar err error\n\tbuf := make([]byte, 1)\n\tfor {\n\t\tvar n int\n\t\tn, err = c.connection.channel.Read(buf)\n\t\tif err != nil {\n\t\t\tbreak\n\t\t}\n\t\tif n > 0 {\n\t\t\treaded := buf[:n]\n\t\t\tif n == 1 && readed[0] == newLine[0] {\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tcommand.Write(readed)\n\t\t}\n\t}\n\tif err != nil && !errors.Is(err, io.EOF) {\n\t\tc.connection.channel.Close()\n\t}\n\treturn command.String(), err\n}\n\n// sendErrorMessage sends an error message and close the channel\n// we don't check write errors here, we have to close the channel anyway\n//\n//nolint:errcheck\nfunc (c *scpCommand) sendErrorMessage(fs vfs.Fs, err error) {\n\tc.connection.channel.Write(errMsg)\n\tif fs != nil {\n\t\tc.connection.channel.Write([]byte(c.connection.GetFsError(fs, err).Error()))\n\t} else {\n\t\tc.connection.channel.Write([]byte(err.Error()))\n\t}\n\tc.connection.channel.Write(newLine)\n\tc.connection.channel.Close()\n}\n\n// send scp confirmation message and close the channel if an error happen\nfunc (c *scpCommand) sendConfirmationMessage() error {\n\t_, err := c.connection.channel.Write(okMsg)\n\tif err != nil {\n\t\tc.connection.channel.Close()\n\t}\n\treturn err\n}\n\n// sends a protocol message and close the channel on error\nfunc (c *scpCommand) sendProtocolMessage(message string) error {\n\t_, err := c.connection.channel.Write([]byte(message))\n\tif err != nil {\n\t\tc.connection.Log(logger.LevelError, \"error sending protocol message: %v, err: %v\", message, err)\n\t\tc.connection.channel.Close()\n\t}\n\treturn err\n}\n\n// get the next upload protocol message ignoring T command if any\nfunc (c *scpCommand) getNextUploadProtocolMessage() (string, error) {\n\tvar command string\n\tvar err error\n\tfor {\n\t\tcommand, err = c.readProtocolMessage()\n\t\tif err != nil {\n\t\t\treturn command, err\n\t\t}\n\t\tif strings.HasPrefix(command, \"T\") {\n\t\t\terr = c.sendConfirmationMessage()\n\t\t\tif err != nil {\n\t\t\t\treturn command, err\n\t\t\t}\n\t\t} else {\n\t\t\tbreak\n\t\t}\n\t}\n\treturn command, err\n}\n\nfunc (c *scpCommand) createDir(fs vfs.Fs, dirPath string) error {\n\terr := fs.Mkdir(dirPath)\n\tif err != nil {\n\t\tc.connection.Log(logger.LevelError, \"error creating dir %q: %v\", dirPath, err)\n\t\tc.sendErrorMessage(fs, err)\n\t\treturn err\n\t}\n\tvfs.SetPathPermissions(fs, dirPath, c.connection.User.GetUID(), c.connection.User.GetGID())\n\treturn err\n}\n\n// parse protocol messages such as:\n// D0755 0 testdir\n// or:\n// C0644 6 testfile\n// and returns file size and file/directory name\nfunc (c *scpCommand) parseUploadMessage(fs vfs.Fs, command string) (int64, string, error) {\n\tvar size int64\n\tvar name string\n\tvar err error\n\tif !strings.HasPrefix(command, \"C\") && !strings.HasPrefix(command, \"D\") {\n\t\terr = fmt.Errorf(\"unknown or invalid upload message: %v args: %v user: %v\",\n\t\t\tcommand, c.args, c.connection.User.Username)\n\t\tc.connection.Log(logger.LevelError, \"error: %v\", err)\n\t\tc.sendErrorMessage(fs, err)\n\t\treturn size, name, err\n\t}\n\tparts := strings.SplitN(command, \" \", 3)\n\tif len(parts) == 3 {\n\t\tsize, err = strconv.ParseInt(parts[1], 10, 64)\n\t\tif err != nil {\n\t\t\tc.connection.Log(logger.LevelError, \"error getting size from upload message: %v\", err)\n\t\t\tc.sendErrorMessage(fs, err)\n\t\t\treturn size, name, err\n\t\t}\n\t\tname = parts[2]\n\t\tif name == \"\" {\n\t\t\terr = fmt.Errorf(\"error getting name from upload message, cannot be empty\")\n\t\t\tc.connection.Log(logger.LevelError, \"error: %v\", err)\n\t\t\tc.sendErrorMessage(fs, err)\n\t\t\treturn size, name, err\n\t\t}\n\t} else {\n\t\terr = fmt.Errorf(\"unable to split upload message: %q\", command)\n\t\tc.connection.Log(logger.LevelError, \"error: %v\", err)\n\t\tc.sendErrorMessage(fs, err)\n\t\treturn size, name, err\n\t}\n\treturn size, name, err\n}\n\nfunc (c *scpCommand) getFileUploadDestPath(fs vfs.Fs, scpDestPath, fileName string) string {\n\tif !c.isRecursive() {\n\t\t// if the upload is not recursive and the destination path does not end with \"/\"\n\t\t// then scpDestPath is the wanted filename, for example:\n\t\t// scp fileName.txt user@127.0.0.1:/newFileName.txt\n\t\t// or\n\t\t// scp fileName.txt user@127.0.0.1:/fileName.txt\n\t\tif !strings.HasSuffix(scpDestPath, \"/\") {\n\t\t\t// but if scpDestPath is an existing directory then we put the uploaded file\n\t\t\t// inside that directory this is as scp command works, for example:\n\t\t\t// scp fileName.txt user@127.0.0.1:/existing_dir\n\t\t\tif p, err := fs.ResolvePath(scpDestPath); err == nil {\n\t\t\t\tif stat, err := fs.Stat(p); err == nil {\n\t\t\t\t\tif stat.IsDir() {\n\t\t\t\t\t\treturn path.Join(scpDestPath, fileName)\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn scpDestPath\n\t\t}\n\t}\n\t// if the upload is recursive or scpDestPath has the \"/\" suffix then the destination\n\t// file is relative to scpDestPath\n\treturn path.Join(scpDestPath, fileName)\n}\n\nfunc getFileModeAsString(fileMode os.FileMode, isDir bool) string {\n\tvar defaultMode string\n\tif isDir {\n\t\tdefaultMode = \"0755\"\n\t} else {\n\t\tdefaultMode = \"0644\"\n\t}\n\tif fileMode == 0 {\n\t\treturn defaultMode\n\t}\n\tmodeString := []byte(fileMode.String())\n\tnullPerm := []byte(\"-\")\n\tu := 0\n\tg := 0\n\to := 0\n\ts := 0\n\tlastChar := len(modeString) - 1\n\tif fileMode&os.ModeSticky != 0 {\n\t\ts++\n\t}\n\tif fileMode&os.ModeSetuid != 0 {\n\t\ts += 2\n\t}\n\tif fileMode&os.ModeSetgid != 0 {\n\t\ts += 4\n\t}\n\tif modeString[lastChar-8] != nullPerm[0] {\n\t\tu += 4\n\t}\n\tif modeString[lastChar-7] != nullPerm[0] {\n\t\tu += 2\n\t}\n\tif modeString[lastChar-6] != nullPerm[0] {\n\t\tu++\n\t}\n\tif modeString[lastChar-5] != nullPerm[0] {\n\t\tg += 4\n\t}\n\tif modeString[lastChar-4] != nullPerm[0] {\n\t\tg += 2\n\t}\n\tif modeString[lastChar-3] != nullPerm[0] {\n\t\tg++\n\t}\n\tif modeString[lastChar-2] != nullPerm[0] {\n\t\to += 4\n\t}\n\tif modeString[lastChar-1] != nullPerm[0] {\n\t\to += 2\n\t}\n\tif modeString[lastChar] != nullPerm[0] {\n\t\to++\n\t}\n\treturn fmt.Sprintf(\"%v%v%v%v\", s, u, g, o)\n}\n" }, { "path": "internal/sftpd/server.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage sftpd\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"crypto/sha256\"\n\t\"encoding/hex\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"io/fs\"\n\t\"maps\"\n\t\"net\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"runtime/debug\"\n\t\"slices\"\n\t\"strings\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/pkg/sftp\"\n\t\"github.com/sftpgo/sdk/plugin/notifier\"\n\t\"golang.org/x/crypto/ssh\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/metric\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nconst (\n\tdefaultPrivateRSAKeyName = \"id_rsa\"\n\tdefaultPrivateECDSAKeyName = \"id_ecdsa\"\n\tdefaultPrivateEd25519KeyName = \"id_ed25519\"\n\tsourceAddressCriticalOption = \"source-address\"\n\tkeyExchangeCurve25519SHA256LibSSH = \"curve25519-sha256@libssh.org\"\n\textraDataPartialSuccessErrKey = \"partialSuccessErr\"\n\textraDataUserKey = \"user\"\n\textraDataKeyIDKey = \"keyID\"\n\textraDataLoginMethodKey = \"login_method\"\n)\n\nvar (\n\tsupportedAlgos = ssh.SupportedAlgorithms()\n\tinsecureAlgos = ssh.InsecureAlgorithms()\n\tsftpExtensions = []string{\"statvfs@openssh.com\"}\n\tsupportedHostKeyAlgos = append(supportedAlgos.HostKeys, insecureAlgos.HostKeys...)\n\tpreferredHostKeyAlgos = []string{\n\t\tssh.KeyAlgoRSASHA256, ssh.KeyAlgoRSASHA512,\n\t\tssh.KeyAlgoECDSA256, ssh.KeyAlgoECDSA384, ssh.KeyAlgoECDSA521,\n\t\tssh.KeyAlgoED25519,\n\t}\n\tsupportedPublicKeyAlgos = append(supportedAlgos.PublicKeyAuths, insecureAlgos.PublicKeyAuths...)\n\tpreferredPublicKeyAlgos = supportedAlgos.PublicKeyAuths\n\tsupportedKexAlgos = append(supportedAlgos.KeyExchanges, insecureAlgos.KeyExchanges...)\n\tpreferredKexAlgos = supportedAlgos.KeyExchanges\n\tsupportedCiphers = append(supportedAlgos.Ciphers, insecureAlgos.Ciphers...)\n\tpreferredCiphers = supportedAlgos.Ciphers\n\tsupportedMACs = append(supportedAlgos.MACs, insecureAlgos.MACs...)\n\tpreferredMACs = []string{\n\t\tssh.HMACSHA256ETM, ssh.HMACSHA256,\n\t}\n\n\trevokedCertManager = revokedCertificates{\n\t\tcerts: map[string]bool{},\n\t}\n)\n\ntype commandExecutor interface {\n\tCombinedOutput(ctx context.Context, name string, args ...string) ([]byte, error)\n}\n\ntype defaultExecutor struct{}\n\nfunc (d defaultExecutor) CombinedOutput(ctx context.Context, name string, args ...string) ([]byte, error) {\n\tcmd := exec.CommandContext(ctx, name, args...)\n\tcmd.Env = []string{}\n\treturn cmd.CombinedOutput()\n}\n\n// Binding defines the configuration for a network listener\ntype Binding struct {\n\t// The address to listen on. A blank value means listen on all available network interfaces.\n\tAddress string `json:\"address\" mapstructure:\"address\"`\n\t// The port used for serving requests\n\tPort int `json:\"port\" mapstructure:\"port\"`\n\t// Apply the proxy configuration, if any, for this binding\n\tApplyProxyConfig bool `json:\"apply_proxy_config\" mapstructure:\"apply_proxy_config\"`\n}\n\n// GetAddress returns the binding address\nfunc (b *Binding) GetAddress() string {\n\treturn fmt.Sprintf(\"%s:%d\", b.Address, b.Port)\n}\n\n// IsValid returns true if the binding port is > 0\nfunc (b *Binding) IsValid() bool {\n\treturn b.Port > 0\n}\n\n// HasProxy returns true if the proxy protocol is active for this binding\nfunc (b *Binding) HasProxy() bool {\n\treturn b.ApplyProxyConfig && common.Config.ProxyProtocol > 0\n}\n\n// Configuration for the SFTP server\ntype Configuration struct {\n\t// Addresses and ports to bind to\n\tBindings []Binding `json:\"bindings\" mapstructure:\"bindings\"`\n\t// Maximum number of authentication attempts permitted per connection.\n\t// If set to a negative number, the number of attempts is unlimited.\n\t// If set to zero, the number of attempts are limited to 6.\n\tMaxAuthTries int `json:\"max_auth_tries\" mapstructure:\"max_auth_tries\"`\n\t// HostKeys define the daemon's private host keys.\n\t// Each host key can be defined as a path relative to the configuration directory or an absolute one.\n\t// If empty or missing, the daemon will search or try to generate \"id_rsa\" and \"id_ecdsa\" host keys\n\t// inside the configuration directory.\n\tHostKeys []string `json:\"host_keys\" mapstructure:\"host_keys\"`\n\t// HostCertificates defines public host certificates.\n\t// Each certificate can be defined as a path relative to the configuration directory or an absolute one.\n\t// Certificate's public key must match a private host key otherwise it will be silently ignored.\n\tHostCertificates []string `json:\"host_certificates\" mapstructure:\"host_certificates\"`\n\t// HostKeyAlgorithms lists the public key algorithms that the server will accept for host\n\t// key authentication.\n\tHostKeyAlgorithms []string `json:\"host_key_algorithms\" mapstructure:\"host_key_algorithms\"`\n\t// KexAlgorithms specifies the available KEX (Key Exchange) algorithms in\n\t// preference order.\n\tKexAlgorithms []string `json:\"kex_algorithms\" mapstructure:\"kex_algorithms\"`\n\t// Ciphers specifies the ciphers allowed\n\tCiphers []string `json:\"ciphers\" mapstructure:\"ciphers\"`\n\t// MACs Specifies the available MAC (message authentication code) algorithms\n\t// in preference order\n\tMACs []string `json:\"macs\" mapstructure:\"macs\"`\n\t// PublicKeyAlgorithms lists the supported public key algorithms for client authentication.\n\tPublicKeyAlgorithms []string `json:\"public_key_algorithms\" mapstructure:\"public_key_algorithms\"`\n\t// TrustedUserCAKeys specifies a list of public keys paths of certificate authorities\n\t// that are trusted to sign user certificates for authentication.\n\t// The paths can be absolute or relative to the configuration directory\n\tTrustedUserCAKeys []string `json:\"trusted_user_ca_keys\" mapstructure:\"trusted_user_ca_keys\"`\n\t// Path to a file containing the revoked user certificates.\n\t// This file must contain a JSON list with the public key fingerprints of the revoked certificates.\n\t// Example content:\n\t// [\"SHA256:bsBRHC/xgiqBJdSuvSTNpJNLTISP/G356jNMCRYC5Es\",\"SHA256:119+8cL/HH+NLMawRsJx6CzPF1I3xC+jpM60bQHXGE8\"]\n\tRevokedUserCertsFile string `json:\"revoked_user_certs_file\" mapstructure:\"revoked_user_certs_file\"`\n\t// Absolute path to the opkssh binary used for OpenPubkey SSH integration\n\tOPKSSHPath string `json:\"opkssh_path\" mapstructure:\"opkssh_path\"`\n\t// Expected SHA256 checksum of the opkssh binary. It is verified at application startup\n\tOPKSSHChecksum string `json:\"opkssh_checksum\" mapstructure:\"opkssh_checksum\"`\n\t// LoginBannerFile the contents of the specified file, if any, are sent to\n\t// the remote user before authentication is allowed.\n\tLoginBannerFile string `json:\"login_banner_file\" mapstructure:\"login_banner_file\"`\n\t// List of enabled SSH commands.\n\t// We support the following SSH commands:\n\t// - \"scp\". SCP is an experimental feature, we have our own SCP implementation since\n\t// we can't rely on scp system command to proper handle permissions, quota and\n\t// user's home dir restrictions.\n\t// \t\tThe SCP protocol is quite simple but there is no official docs about it,\n\t// \t\tso we need more testing and feedbacks before enabling it by default.\n\t// \t\tWe may not handle some borderline cases or have sneaky bugs.\n\t// \t\tPlease do accurate tests yourself before enabling SCP and let us known\n\t// \t\tif something does not work as expected for your use cases.\n\t// SCP between two remote hosts is supported using the `-3` scp option.\n\t// - \"md5sum\", \"sha1sum\", \"sha256sum\", \"sha384sum\", \"sha512sum\". Useful to check message\n\t// digests for uploaded files. These commands are implemented inside SFTPGo so they\n\t// work even if the matching system commands are not available, for example on Windows.\n\t// - \"cd\", \"pwd\". Some mobile SFTP clients does not support the SFTP SSH_FXP_REALPATH and so\n\t// they use \"cd\" and \"pwd\" SSH commands to get the initial directory.\n\t// Currently `cd` do nothing and `pwd` always returns the \"/\" path.\n\t//\n\t// The following SSH commands are enabled by default: \"md5sum\", \"sha1sum\", \"cd\", \"pwd\".\n\t// \"*\" enables all supported SSH commands.\n\tEnabledSSHCommands []string `json:\"enabled_ssh_commands\" mapstructure:\"enabled_ssh_commands\"`\n\t// KeyboardInteractiveAuthentication specifies whether keyboard interactive authentication is allowed.\n\t// If no keyboard interactive hook or auth plugin is defined the default is to prompt for the user password and then the\n\t// one time authentication code, if defined.\n\tKeyboardInteractiveAuthentication bool `json:\"keyboard_interactive_authentication\" mapstructure:\"keyboard_interactive_authentication\"`\n\t// Absolute path to an external program or an HTTP URL to invoke for keyboard interactive authentication.\n\t// Leave empty to disable this authentication mode.\n\tKeyboardInteractiveHook string `json:\"keyboard_interactive_auth_hook\" mapstructure:\"keyboard_interactive_auth_hook\"`\n\t// PasswordAuthentication specifies whether password authentication is allowed.\n\tPasswordAuthentication bool `json:\"password_authentication\" mapstructure:\"password_authentication\"`\n\tcertChecker *ssh.CertChecker\n\tparsedUserCAKeys []ssh.PublicKey\n\texecutor commandExecutor\n}\n\ntype authenticationError struct {\n\terr error\n\tloginMethod string\n\tusername string\n}\n\nfunc (e *authenticationError) Error() string {\n\treturn fmt.Sprintf(\"Authentication error: %v\", e.err)\n}\n\n// Is reports if target matches\nfunc (e *authenticationError) Is(target error) bool {\n\t_, ok := target.(*authenticationError)\n\treturn ok\n}\n\n// Unwrap returns the wrapped error\nfunc (e *authenticationError) Unwrap() error {\n\treturn e.err\n}\n\nfunc (e *authenticationError) getLoginMethod() string {\n\treturn e.loginMethod\n}\n\nfunc (e *authenticationError) getUsername() string {\n\treturn e.username\n}\n\nfunc newAuthenticationError(err error, loginMethod, username string) *authenticationError {\n\treturn &authenticationError{err: err, loginMethod: loginMethod, username: username}\n}\n\n// ShouldBind returns true if there is at least a valid binding\nfunc (c *Configuration) ShouldBind() bool {\n\tfor _, binding := range c.Bindings {\n\t\tif binding.IsValid() {\n\t\t\treturn true\n\t\t}\n\t}\n\n\treturn false\n}\n\nfunc (c *Configuration) getServerConfig() *ssh.ServerConfig {\n\tserverConfig := &ssh.ServerConfig{\n\t\tNoClientAuth: false,\n\t\tMaxAuthTries: c.MaxAuthTries,\n\t\tPublicKeyCallback: func(conn ssh.ConnMetadata, pubKey ssh.PublicKey) (*ssh.Permissions, error) {\n\t\t\tsp, err := c.validatePublicKeyCredentials(conn, pubKey)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, newAuthenticationError(fmt.Errorf(\"could not validate public key credentials: %w\", err),\n\t\t\t\t\tdataprovider.SSHLoginMethodPublicKey, conn.User())\n\t\t\t}\n\n\t\t\treturn sp, nil\n\t\t},\n\t\tVerifiedPublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey, permissions *ssh.Permissions, signatureAlgorithm string) (*ssh.Permissions, error) {\n\t\t\tif partialErr, ok := permissions.ExtraData[extraDataPartialSuccessErrKey]; ok {\n\t\t\t\tlogger.Info(logSender, hex.EncodeToString(conn.SessionID()), \"user %q authenticated with partial success, signature algorithm %q\",\n\t\t\t\t\tconn.User(), signatureAlgorithm)\n\t\t\t\treturn nil, partialErr.(error)\n\t\t\t}\n\t\t\tmethod := dataprovider.SSHLoginMethodPublicKey\n\t\t\tuser := permissions.ExtraData[extraDataUserKey].(dataprovider.User)\n\t\t\tkeyID := permissions.ExtraData[extraDataKeyIDKey].(string)\n\t\t\tsshPerm, err := loginUser(&user, method, fmt.Sprintf(\"%s (%s)\", keyID, signatureAlgorithm), conn)\n\t\t\tif err == nil {\n\t\t\t\t// if we have a SSH user cert we need to merge certificate permissions with our ones\n\t\t\t\t// we only set Extensions, so CriticalOptions are always the ones from the certificate\n\t\t\t\tsshPerm.CriticalOptions = permissions.CriticalOptions\n\t\t\t\tif permissions.Extensions != nil {\n\t\t\t\t\tif sshPerm.Extensions == nil {\n\t\t\t\t\t\tsshPerm.Extensions = make(map[string]string)\n\t\t\t\t\t}\n\t\t\t\t\tmaps.Copy(sshPerm.Extensions, permissions.Extensions)\n\t\t\t\t}\n\t\t\t\tif sshPerm.ExtraData == nil {\n\t\t\t\t\tsshPerm.ExtraData = make(map[any]any)\n\t\t\t\t}\n\t\t\t}\n\t\t\tuser.Username = conn.User()\n\t\t\tipAddr := util.GetIPFromRemoteAddress(conn.RemoteAddr().String())\n\t\t\tupdateLoginMetrics(&user, ipAddr, method, err)\n\t\t\treturn sshPerm, err\n\t\t},\n\t\tServerVersion: fmt.Sprintf(\"SSH-2.0-%s\", version.GetServerVersion(\"_\", false)),\n\t}\n\n\tif c.PasswordAuthentication {\n\t\tserverConfig.PasswordCallback = func(conn ssh.ConnMetadata, password []byte) (*ssh.Permissions, error) {\n\t\t\treturn c.validatePasswordCredentials(conn, password, dataprovider.LoginMethodPassword)\n\t\t}\n\t\tserviceStatus.Authentications = append(serviceStatus.Authentications, dataprovider.LoginMethodPassword)\n\t}\n\tserviceStatus.Authentications = append(serviceStatus.Authentications, dataprovider.SSHLoginMethodPublicKey)\n\n\treturn serverConfig\n}\n\nfunc (c *Configuration) updateSupportedAuthentications() {\n\tserviceStatus.Authentications = util.RemoveDuplicates(serviceStatus.Authentications, false)\n\n\tif slices.Contains(serviceStatus.Authentications, dataprovider.LoginMethodPassword) &&\n\t\tslices.Contains(serviceStatus.Authentications, dataprovider.SSHLoginMethodPublicKey) {\n\t\tserviceStatus.Authentications = append(serviceStatus.Authentications, dataprovider.SSHLoginMethodKeyAndPassword)\n\t}\n\n\tif slices.Contains(serviceStatus.Authentications, dataprovider.SSHLoginMethodKeyboardInteractive) &&\n\t\tslices.Contains(serviceStatus.Authentications, dataprovider.SSHLoginMethodPublicKey) {\n\t\tserviceStatus.Authentications = append(serviceStatus.Authentications, dataprovider.SSHLoginMethodKeyAndKeyboardInt)\n\t}\n}\n\nfunc (c *Configuration) loadFromProvider() error {\n\tconfigs, err := dataprovider.GetConfigs()\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to load config from provider: %w\", err)\n\t}\n\tconfigs.SetNilsToEmpty()\n\tif len(configs.SFTPD.HostKeyAlgos) > 0 {\n\t\tif len(c.HostKeyAlgorithms) == 0 {\n\t\t\tc.HostKeyAlgorithms = preferredHostKeyAlgos\n\t\t}\n\t\tc.HostKeyAlgorithms = append(c.HostKeyAlgorithms, configs.SFTPD.HostKeyAlgos...)\n\t}\n\tif len(configs.SFTPD.PublicKeyAlgos) > 0 {\n\t\tif len(c.PublicKeyAlgorithms) == 0 {\n\t\t\tc.PublicKeyAlgorithms = preferredPublicKeyAlgos\n\t\t}\n\t\tc.PublicKeyAlgorithms = append(c.PublicKeyAlgorithms, configs.SFTPD.PublicKeyAlgos...)\n\t}\n\tif len(configs.SFTPD.KexAlgorithms) > 0 {\n\t\tif len(c.KexAlgorithms) == 0 {\n\t\t\tc.KexAlgorithms = preferredKexAlgos\n\t\t}\n\t\tc.KexAlgorithms = append(c.KexAlgorithms, configs.SFTPD.KexAlgorithms...)\n\t}\n\tif len(configs.SFTPD.Ciphers) > 0 {\n\t\tif len(c.Ciphers) == 0 {\n\t\t\tc.Ciphers = preferredCiphers\n\t\t}\n\t\tc.Ciphers = append(c.Ciphers, configs.SFTPD.Ciphers...)\n\t}\n\tif len(configs.SFTPD.MACs) > 0 {\n\t\tif len(c.MACs) == 0 {\n\t\t\tc.MACs = preferredMACs\n\t\t}\n\t\tc.MACs = append(c.MACs, configs.SFTPD.MACs...)\n\t}\n\treturn nil\n}\n\n// Initialize the SFTP server and add a persistent listener to handle inbound SFTP connections.\nfunc (c *Configuration) Initialize(configDir string) error {\n\tc.executor = defaultExecutor{}\n\tif err := c.loadFromProvider(); err != nil {\n\t\treturn fmt.Errorf(\"unable to load configs from provider: %w\", err)\n\t}\n\tserviceStatus = ServiceStatus{}\n\tserverConfig := c.getServerConfig()\n\n\tif !c.ShouldBind() {\n\t\treturn common.ErrNoBinding\n\t}\n\n\tsftp.SetSFTPExtensions(sftpExtensions...) //nolint:errcheck // we configure valid SFTP Extensions so we cannot get an error\n\tsftp.MaxFilelist = 250\n\n\tif err := c.configureSecurityOptions(serverConfig); err != nil {\n\t\treturn err\n\t}\n\tif err := c.checkAndLoadHostKeys(configDir, serverConfig); err != nil {\n\t\tserviceStatus.HostKeys = nil\n\t\treturn err\n\t}\n\tif err := c.initializeCertChecker(configDir); err != nil {\n\t\treturn err\n\t}\n\tif err := c.initializeOPKSSH(); err != nil {\n\t\treturn err\n\t}\n\tc.configureKeyboardInteractiveAuth(serverConfig)\n\tc.configureLoginBanner(serverConfig, configDir)\n\tc.checkSSHCommands()\n\n\texitChannel := make(chan error, 1)\n\tserviceStatus.Bindings = nil\n\n\tfor _, binding := range c.Bindings {\n\t\tif !binding.IsValid() {\n\t\t\tcontinue\n\t\t}\n\t\tserviceStatus.Bindings = append(serviceStatus.Bindings, binding)\n\n\t\tgo func(binding Binding) {\n\t\t\taddr := binding.GetAddress()\n\t\t\tutil.CheckTCP4Port(binding.Port)\n\t\t\tlistener, err := net.Listen(\"tcp\", addr)\n\t\t\tif err != nil {\n\t\t\t\tlogger.Warn(logSender, \"\", \"error starting listener on address %v: %v\", addr, err)\n\t\t\t\texitChannel <- err\n\t\t\t\treturn\n\t\t\t}\n\n\t\t\tif binding.ApplyProxyConfig && common.Config.ProxyProtocol > 0 {\n\t\t\t\tproxyListener, err := common.Config.GetProxyListener(listener)\n\t\t\t\tif err != nil {\n\t\t\t\t\tlogger.Warn(logSender, \"\", \"error enabling proxy listener: %v\", err)\n\t\t\t\t\texitChannel <- err\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\tlistener = proxyListener\n\t\t\t}\n\n\t\t\texitChannel <- c.serve(listener, serverConfig)\n\t\t}(binding)\n\t}\n\n\tserviceStatus.IsActive = true\n\tserviceStatus.SSHCommands = c.EnabledSSHCommands\n\tc.updateSupportedAuthentications()\n\n\treturn <-exitChannel\n}\n\nfunc (c *Configuration) serve(listener net.Listener, serverConfig *ssh.ServerConfig) error {\n\tlogger.Info(logSender, \"\", \"server listener registered, address: %s\", listener.Addr().String())\n\tvar tempDelay time.Duration // how long to sleep on accept failure\n\n\tfor {\n\t\tconn, err := listener.Accept()\n\t\tif err != nil {\n\t\t\t// see https://github.com/golang/go/blob/4aa1efed4853ea067d665a952eee77c52faac774/src/net/http/server.go#L3046\n\t\t\tif ne, ok := err.(net.Error); ok && ne.Temporary() { //nolint:staticcheck\n\t\t\t\tif tempDelay == 0 {\n\t\t\t\t\ttempDelay = 5 * time.Millisecond\n\t\t\t\t} else {\n\t\t\t\t\ttempDelay *= 2\n\t\t\t\t}\n\t\t\t\tif maxDelay := 1 * time.Second; tempDelay > maxDelay {\n\t\t\t\t\ttempDelay = maxDelay\n\t\t\t\t}\n\t\t\t\tlogger.Warn(logSender, \"\", \"accept error: %v; retrying in %v\", err, tempDelay)\n\t\t\t\ttime.Sleep(tempDelay)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tlogger.Warn(logSender, \"\", \"unrecoverable accept error: %v\", err)\n\t\t\treturn err\n\t\t}\n\t\ttempDelay = 0\n\n\t\tgo c.AcceptInboundConnection(conn, serverConfig)\n\t}\n}\n\nfunc (c *Configuration) configureKeyAlgos(serverConfig *ssh.ServerConfig) error {\n\tif len(c.HostKeyAlgorithms) == 0 {\n\t\tc.HostKeyAlgorithms = preferredHostKeyAlgos\n\t} else {\n\t\tc.HostKeyAlgorithms = util.RemoveDuplicates(c.HostKeyAlgorithms, true)\n\t}\n\tfor _, hostKeyAlgo := range c.HostKeyAlgorithms {\n\t\tif !slices.Contains(supportedHostKeyAlgos, hostKeyAlgo) {\n\t\t\treturn fmt.Errorf(\"unsupported host key algorithm %q\", hostKeyAlgo)\n\t\t}\n\t}\n\n\tif len(c.PublicKeyAlgorithms) > 0 {\n\t\tc.PublicKeyAlgorithms = util.RemoveDuplicates(c.PublicKeyAlgorithms, true)\n\t\tfor _, algo := range c.PublicKeyAlgorithms {\n\t\t\tif !slices.Contains(supportedPublicKeyAlgos, algo) {\n\t\t\t\treturn fmt.Errorf(\"unsupported public key authentication algorithm %q\", algo)\n\t\t\t}\n\t\t}\n\t} else {\n\t\tc.PublicKeyAlgorithms = preferredPublicKeyAlgos\n\t}\n\tserverConfig.PublicKeyAuthAlgorithms = c.PublicKeyAlgorithms\n\tserviceStatus.PublicKeyAlgorithms = c.PublicKeyAlgorithms\n\n\treturn nil\n}\n\nfunc (c *Configuration) checkKeyExchangeAlgorithms() {\n\tvar kexs []string\n\tfor _, k := range c.KexAlgorithms {\n\t\tif k == \"diffie-hellman-group18-sha512\" {\n\t\t\tlogger.Warn(logSender, \"\", \"KEX %q is not supported and will be ignored\", k)\n\t\t\tcontinue\n\t\t}\n\t\tkexs = append(kexs, k)\n\t\tif strings.TrimSpace(k) == keyExchangeCurve25519SHA256LibSSH {\n\t\t\tkexs = append(kexs, ssh.KeyExchangeCurve25519)\n\t\t}\n\t\tif strings.TrimSpace(k) == ssh.KeyExchangeCurve25519 {\n\t\t\tkexs = append(kexs, keyExchangeCurve25519SHA256LibSSH)\n\t\t}\n\t}\n\tc.KexAlgorithms = util.RemoveDuplicates(kexs, true)\n}\n\nfunc (c *Configuration) configureSecurityOptions(serverConfig *ssh.ServerConfig) error {\n\tif err := c.configureKeyAlgos(serverConfig); err != nil {\n\t\treturn err\n\t}\n\n\tif len(c.KexAlgorithms) > 0 {\n\t\tc.checkKeyExchangeAlgorithms()\n\t\tfor _, kex := range c.KexAlgorithms {\n\t\t\tif kex == keyExchangeCurve25519SHA256LibSSH {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tif !slices.Contains(supportedKexAlgos, kex) {\n\t\t\t\treturn fmt.Errorf(\"unsupported key-exchange algorithm %q\", kex)\n\t\t\t}\n\t\t}\n\t} else {\n\t\tc.KexAlgorithms = preferredKexAlgos\n\t\tc.checkKeyExchangeAlgorithms()\n\t}\n\tserverConfig.KeyExchanges = c.KexAlgorithms\n\tserviceStatus.KexAlgorithms = c.KexAlgorithms\n\n\tif len(c.Ciphers) > 0 {\n\t\tc.Ciphers = util.RemoveDuplicates(c.Ciphers, true)\n\t\tfor _, cipher := range c.Ciphers {\n\t\t\tif slices.Contains([]string{\"aes192-cbc\", \"aes256-cbc\"}, cipher) {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tif !slices.Contains(supportedCiphers, cipher) {\n\t\t\t\treturn fmt.Errorf(\"unsupported cipher %q\", cipher)\n\t\t\t}\n\t\t}\n\t} else {\n\t\tc.Ciphers = preferredCiphers\n\t}\n\tserverConfig.Ciphers = c.Ciphers\n\tserviceStatus.Ciphers = c.Ciphers\n\n\tif len(c.MACs) > 0 {\n\t\tc.MACs = util.RemoveDuplicates(c.MACs, true)\n\t\tfor _, mac := range c.MACs {\n\t\t\tif !slices.Contains(supportedMACs, mac) {\n\t\t\t\treturn fmt.Errorf(\"unsupported MAC algorithm %q\", mac)\n\t\t\t}\n\t\t}\n\t} else {\n\t\tc.MACs = preferredMACs\n\t}\n\tserverConfig.MACs = c.MACs\n\tserviceStatus.MACs = c.MACs\n\n\treturn nil\n}\n\nfunc (c *Configuration) configureLoginBanner(serverConfig *ssh.ServerConfig, configDir string) {\n\tif c.LoginBannerFile != \"\" {\n\t\tbannerFilePath := c.LoginBannerFile\n\t\tif !filepath.IsAbs(bannerFilePath) {\n\t\t\tbannerFilePath = filepath.Join(configDir, bannerFilePath)\n\t\t}\n\t\tbannerContent, err := os.ReadFile(bannerFilePath)\n\t\tif err == nil {\n\t\t\tbanner := util.BytesToString(bannerContent)\n\t\t\tserverConfig.BannerCallback = func(_ ssh.ConnMetadata) string {\n\t\t\t\treturn banner\n\t\t\t}\n\t\t} else {\n\t\t\tlogger.WarnToConsole(\"unable to read SFTPD login banner file: %v\", err)\n\t\t\tlogger.Warn(logSender, \"\", \"unable to read login banner file: %v\", err)\n\t\t}\n\t}\n}\n\nfunc (c *Configuration) configureKeyboardInteractiveAuth(serverConfig *ssh.ServerConfig) {\n\tif !c.KeyboardInteractiveAuthentication {\n\t\treturn\n\t}\n\tif c.KeyboardInteractiveHook != \"\" {\n\t\tif !strings.HasPrefix(c.KeyboardInteractiveHook, \"http\") {\n\t\t\tif !filepath.IsAbs(c.KeyboardInteractiveHook) {\n\t\t\t\tc.KeyboardInteractiveAuthentication = false\n\t\t\t\tlogger.WarnToConsole(\"invalid keyboard interactive authentication program: %q must be an absolute path\",\n\t\t\t\t\tc.KeyboardInteractiveHook)\n\t\t\t\tlogger.Warn(logSender, \"\", \"invalid keyboard interactive authentication program: %q must be an absolute path\",\n\t\t\t\t\tc.KeyboardInteractiveHook)\n\t\t\t\treturn\n\t\t\t}\n\t\t\t_, err := os.Stat(c.KeyboardInteractiveHook)\n\t\t\tif err != nil {\n\t\t\t\tc.KeyboardInteractiveAuthentication = false\n\t\t\t\tlogger.WarnToConsole(\"invalid keyboard interactive authentication program:: %v\", err)\n\t\t\t\tlogger.Warn(logSender, \"\", \"invalid keyboard interactive authentication program:: %v\", err)\n\t\t\t\treturn\n\t\t\t}\n\t\t}\n\t}\n\tserverConfig.KeyboardInteractiveCallback = func(conn ssh.ConnMetadata, client ssh.KeyboardInteractiveChallenge) (*ssh.Permissions, error) {\n\t\treturn c.validateKeyboardInteractiveCredentials(conn, client, dataprovider.SSHLoginMethodKeyboardInteractive, false)\n\t}\n\n\tserviceStatus.Authentications = append(serviceStatus.Authentications, dataprovider.SSHLoginMethodKeyboardInteractive)\n}\n\n// AcceptInboundConnection handles an inbound connection to the server instance and determines if the request should be served or not.\nfunc (c *Configuration) AcceptInboundConnection(conn net.Conn, config *ssh.ServerConfig) { //nolint:gocyclo\n\tdefer func() {\n\t\tif r := recover(); r != nil {\n\t\t\tlogger.Error(logSender, \"\", \"panic in AcceptInboundConnection: %q stack trace: %v\", r, string(debug.Stack()))\n\t\t}\n\t}()\n\n\tipAddr := util.GetIPFromRemoteAddress(conn.RemoteAddr().String())\n\tcommon.Connections.AddClientConnection(ipAddr)\n\tdefer common.Connections.RemoveClientConnection(ipAddr)\n\n\tif !canAcceptConnection(ipAddr) {\n\t\tconn.Close()\n\t\treturn\n\t}\n\t// Before beginning a handshake must be performed on the incoming net.Conn\n\t// we'll set a Deadline for handshake to complete, the default is 2 minutes as OpenSSH\n\tconn.SetDeadline(time.Now().Add(handshakeTimeout)) //nolint:errcheck\n\n\tsconn, chans, reqs, err := ssh.NewServerConn(conn, config)\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"failed to accept an incoming connection from ip %q: %v\", ipAddr, err)\n\t\tcheckAuthError(ipAddr, err)\n\t\treturn\n\t}\n\t// handshake completed so remove the deadline, we'll use IdleTimeout configuration from now on\n\tconn.SetDeadline(time.Time{}) //nolint:errcheck\n\tgo ssh.DiscardRequests(reqs)\n\n\tdefer sconn.Close()\n\n\tuser := sconn.Permissions.ExtraData[extraDataUserKey].(dataprovider.User)\n\tloginType := sconn.Permissions.ExtraData[extraDataLoginMethodKey].(string)\n\tconnectionID := hex.EncodeToString(sconn.SessionID())\n\n\tdefer user.CloseFs() //nolint:errcheck\n\tif err = user.CheckFsRoot(connectionID); err != nil {\n\t\tlogger.Warn(logSender, connectionID, \"unable to check fs root for user %q: %v\", user.Username, err)\n\t\tgo discardAllChannels(chans, \"invalid root fs\", connectionID)\n\t\treturn\n\t}\n\n\tlogger.LoginLog(user.Username, ipAddr, loginType, common.ProtocolSSH, connectionID,\n\t\tutil.BytesToString(sconn.ClientVersion()), true,\n\t\tfmt.Sprintf(\"negotiated algorithms: %+v\", sconn.Conn.(ssh.AlgorithmsConnMetadata).Algorithms()))\n\n\tdataprovider.UpdateLastLogin(&user)\n\n\tsshConnection := common.NewSSHConnection(connectionID, sconn)\n\tcommon.Connections.AddSSHConnection(sshConnection)\n\n\tdefer common.Connections.RemoveSSHConnection(connectionID)\n\n\tchannelCounter := int64(0)\n\tfor newChannel := range chans {\n\t\t// If its not a session channel we just move on because its not something we\n\t\t// know how to handle at this point.\n\t\tif newChannel.ChannelType() != \"session\" {\n\t\t\tlogger.Log(logger.LevelDebug, common.ProtocolSSH, connectionID, \"received an unknown channel type: %v\",\n\t\t\t\tnewChannel.ChannelType())\n\t\t\tnewChannel.Reject(ssh.UnknownChannelType, \"unknown channel type\") //nolint:errcheck\n\t\t\tcontinue\n\t\t}\n\n\t\tchannel, requests, err := newChannel.Accept()\n\t\tif err != nil {\n\t\t\tlogger.Log(logger.LevelWarn, common.ProtocolSSH, connectionID, \"could not accept a channel: %v\", err)\n\t\t\tcontinue\n\t\t}\n\n\t\tchannelCounter++\n\t\t// Channels have a type that is dependent on the protocol. For SFTP this is \"subsystem\"\n\t\t// with a payload that (should) be \"sftp\". Discard anything else we receive (\"pty\", \"shell\", etc)\n\t\tgo func(in <-chan *ssh.Request, counter int64) {\n\t\t\tfor req := range in {\n\t\t\t\tok := false\n\t\t\t\tconnID := fmt.Sprintf(\"%s_%d\", connectionID, counter)\n\n\t\t\t\tswitch req.Type {\n\t\t\t\tcase \"subsystem\":\n\t\t\t\t\tif bytes.Equal(req.Payload[4:], []byte(\"sftp\")) {\n\t\t\t\t\t\tok = true\n\t\t\t\t\t\tsshConnection.UpdateLastActivity()\n\t\t\t\t\t\tconnection := &Connection{\n\t\t\t\t\t\t\tBaseConnection: common.NewBaseConnection(connID, common.ProtocolSFTP, conn.LocalAddr().String(),\n\t\t\t\t\t\t\t\tconn.RemoteAddr().String(), user),\n\t\t\t\t\t\t\tClientVersion: util.BytesToString(sconn.ClientVersion()),\n\t\t\t\t\t\t\tRemoteAddr: conn.RemoteAddr(),\n\t\t\t\t\t\t\tLocalAddr: conn.LocalAddr(),\n\t\t\t\t\t\t\tchannel: channel,\n\t\t\t\t\t\t}\n\t\t\t\t\t\tgo c.handleSftpConnection(channel, connection)\n\t\t\t\t\t}\n\t\t\t\tcase \"exec\":\n\t\t\t\t\t// protocol will be set later inside processSSHCommand it could be SSH or SCP\n\t\t\t\t\tconnection := Connection{\n\t\t\t\t\t\tBaseConnection: common.NewBaseConnection(connID, \"sshd_exec\", conn.LocalAddr().String(),\n\t\t\t\t\t\t\tconn.RemoteAddr().String(), user),\n\t\t\t\t\t\tClientVersion: util.BytesToString(sconn.ClientVersion()),\n\t\t\t\t\t\tRemoteAddr: conn.RemoteAddr(),\n\t\t\t\t\t\tLocalAddr: conn.LocalAddr(),\n\t\t\t\t\t\tchannel: channel,\n\t\t\t\t\t}\n\t\t\t\t\tok = processSSHCommand(req.Payload, &connection, c.EnabledSSHCommands)\n\t\t\t\t\tif ok {\n\t\t\t\t\t\tsshConnection.UpdateLastActivity()\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tif req.WantReply {\n\t\t\t\t\treq.Reply(ok, nil) //nolint:errcheck\n\t\t\t\t}\n\t\t\t}\n\t\t}(requests, channelCounter)\n\t}\n}\n\nfunc (c *Configuration) handleSftpConnection(channel ssh.Channel, connection *Connection) {\n\tdefer func() {\n\t\tif r := recover(); r != nil {\n\t\t\tlogger.Error(logSender, \"\", \"panic in handleSftpConnection: %q stack trace: %v\", r, string(debug.Stack()))\n\t\t}\n\t}()\n\tif err := common.Connections.Add(connection); err != nil {\n\t\tdefer connection.CloseFS() //nolint:errcheck\n\t\terrClose := connection.Disconnect()\n\t\tlogger.Info(logSender, \"\", \"unable to add connection: %v, close err: %v\", err, errClose)\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\t// Create the server instance for the channel using the handler we created above.\n\tserver := sftp.NewRequestServer(channel, c.createHandlers(connection),\n\t\tsftp.WithStartDirectory(connection.User.Filters.StartDirectory))\n\n\tdefer server.Close()\n\tif err := server.Serve(); errors.Is(err, io.EOF) {\n\t\texitStatus := sshSubsystemExitStatus{Status: uint32(0)}\n\t\t_, err = channel.SendRequest(\"exit-status\", false, ssh.Marshal(&exitStatus))\n\t\tconnection.Log(logger.LevelInfo, \"connection closed, sent exit status %+v error: %v\", exitStatus, err)\n\t} else if err != nil {\n\t\tconnection.Log(logger.LevelError, \"connection closed with error: %v\", err)\n\t}\n}\n\nfunc (c *Configuration) createHandlers(connection *Connection) sftp.Handlers {\n\treturn sftp.Handlers{\n\t\tFileGet: connection,\n\t\tFilePut: connection,\n\t\tFileCmd: connection,\n\t\tFileList: connection,\n\t}\n}\n\nfunc canAcceptConnection(ip string) bool {\n\tif common.IsBanned(ip, common.ProtocolSSH) {\n\t\tlogger.Log(logger.LevelDebug, common.ProtocolSSH, \"\", \"connection refused, ip %q is banned\", ip)\n\t\treturn false\n\t}\n\tif err := common.Connections.IsNewConnectionAllowed(ip, common.ProtocolSSH); err != nil {\n\t\tlogger.Log(logger.LevelDebug, common.ProtocolSSH, \"\", \"connection not allowed from ip %q: %v\", ip, err)\n\t\treturn false\n\t}\n\t_, err := common.LimitRate(common.ProtocolSSH, ip)\n\tif err != nil {\n\t\treturn false\n\t}\n\tif err := common.Config.ExecutePostConnectHook(ip, common.ProtocolSSH); err != nil {\n\t\treturn false\n\t}\n\treturn true\n}\n\nfunc discardAllChannels(in <-chan ssh.NewChannel, message, connectionID string) {\n\tfor req := range in {\n\t\terr := req.Reject(ssh.ConnectionFailed, message)\n\t\tlogger.Debug(logSender, connectionID, \"discarded channel request, message %q err: %v\", message, err)\n\t}\n}\n\nfunc checkAuthError(ip string, err error) {\n\tvar authErrors *ssh.ServerAuthError\n\tif errors.As(err, &authErrors) {\n\t\t// check public key auth errors here\n\t\tfor _, err := range authErrors.Errors {\n\t\t\tvar sftpAuthErr *authenticationError\n\t\t\tif errors.As(err, &sftpAuthErr) {\n\t\t\t\tif sftpAuthErr.getLoginMethod() == dataprovider.SSHLoginMethodPublicKey {\n\t\t\t\t\tevent := common.HostEventLoginFailed\n\t\t\t\t\tlogEv := notifier.LogEventTypeLoginFailed\n\t\t\t\t\tif errors.Is(err, util.ErrNotFound) {\n\t\t\t\t\t\tevent = common.HostEventUserNotFound\n\t\t\t\t\t\tlogEv = notifier.LogEventTypeLoginNoUser\n\t\t\t\t\t}\n\t\t\t\t\tcommon.AddDefenderEvent(ip, common.ProtocolSSH, event)\n\t\t\t\t\tplugin.Handler.NotifyLogEvent(logEv, common.ProtocolSSH, sftpAuthErr.getUsername(), ip, \"\", err)\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t} else {\n\t\tlogger.ConnectionFailedLog(\"\", ip, dataprovider.LoginMethodNoAuthTried, common.ProtocolSSH, err.Error())\n\t\tmetric.AddNoAuthTried()\n\t\tcommon.AddDefenderEvent(ip, common.ProtocolSSH, common.HostEventNoLoginTried)\n\t\tdataprovider.ExecutePostLoginHook(&dataprovider.User{}, dataprovider.LoginMethodNoAuthTried, ip, common.ProtocolSSH, err)\n\t\tlogEv := notifier.LogEventTypeNoLoginTried\n\t\tvar negotiationError *ssh.AlgorithmNegotiationError\n\t\tif errors.As(err, &negotiationError) {\n\t\t\tlogEv = notifier.LogEventTypeNotNegotiated\n\t\t}\n\t\tplugin.Handler.NotifyLogEvent(logEv, common.ProtocolSSH, \"\", ip, \"\", err)\n\t}\n}\n\nfunc loginUser(user *dataprovider.User, loginMethod, publicKey string, conn ssh.ConnMetadata) (*ssh.Permissions, error) {\n\tconnectionID := \"\"\n\tif conn != nil {\n\t\tconnectionID = hex.EncodeToString(conn.SessionID())\n\t}\n\tif !filepath.IsAbs(user.HomeDir) {\n\t\tlogger.Warn(logSender, connectionID, \"user %q has an invalid home dir: %q. Home dir must be an absolute path, login not allowed\",\n\t\t\tuser.Username, user.HomeDir)\n\t\treturn nil, fmt.Errorf(\"cannot login user with invalid home dir: %q\", user.HomeDir)\n\t}\n\tif slices.Contains(user.Filters.DeniedProtocols, common.ProtocolSSH) {\n\t\tlogger.Info(logSender, connectionID, \"cannot login user %q, protocol SSH is not allowed\", user.Username)\n\t\treturn nil, fmt.Errorf(\"protocol SSH is not allowed for user %q\", user.Username)\n\t}\n\tif user.MaxSessions > 0 {\n\t\tactiveSessions := common.Connections.GetActiveSessions(user.Username)\n\t\tif activeSessions >= user.MaxSessions {\n\t\t\tlogger.Info(logSender, \"\", \"authentication refused for user: %q, too many open sessions: %v/%v\", user.Username,\n\t\t\t\tactiveSessions, user.MaxSessions)\n\t\t\treturn nil, fmt.Errorf(\"too many open sessions: %v\", activeSessions)\n\t\t}\n\t}\n\tif !user.IsLoginMethodAllowed(loginMethod, common.ProtocolSSH) {\n\t\tlogger.Info(logSender, connectionID, \"cannot login user %q, login method %q is not allowed\",\n\t\t\tuser.Username, loginMethod)\n\t\treturn nil, fmt.Errorf(\"login method %q is not allowed for user %q\", loginMethod, user.Username)\n\t}\n\tif user.MustSetSecondFactorForProtocol(common.ProtocolSSH) {\n\t\tlogger.Info(logSender, connectionID, \"cannot login user %q, second factor authentication is not set\",\n\t\t\tuser.Username)\n\t\treturn nil, fmt.Errorf(\"second factor authentication is not set for user %q\", user.Username)\n\t}\n\tremoteAddr := util.GetIPFromRemoteAddress(conn.RemoteAddr().String())\n\tif !user.IsLoginFromAddrAllowed(remoteAddr) {\n\t\tlogger.Info(logSender, connectionID, \"cannot login user %q, remote address is not allowed: %v\",\n\t\t\tuser.Username, remoteAddr)\n\t\treturn nil, fmt.Errorf(\"login for user %q is not allowed from this address: %v\", user.Username, remoteAddr)\n\t}\n\n\tif publicKey != \"\" {\n\t\tloginMethod = fmt.Sprintf(\"%v: %v\", loginMethod, publicKey)\n\t}\n\tp := &ssh.Permissions{}\n\tp.ExtraData = make(map[any]any)\n\tp.ExtraData[extraDataUserKey] = *user\n\tp.ExtraData[extraDataLoginMethodKey] = loginMethod\n\treturn p, nil\n}\n\nfunc (c *Configuration) checkSSHCommands() {\n\tif slices.Contains(c.EnabledSSHCommands, \"*\") {\n\t\tc.EnabledSSHCommands = GetSupportedSSHCommands()\n\t\treturn\n\t}\n\tsshCommands := []string{}\n\tfor _, command := range c.EnabledSSHCommands {\n\t\tcommand = strings.TrimSpace(command)\n\t\tif slices.Contains(supportedSSHCommands, command) {\n\t\t\tsshCommands = append(sshCommands, command)\n\t\t} else {\n\t\t\tlogger.Warn(logSender, \"\", \"unsupported ssh command: %q ignored\", command)\n\t\t\tlogger.WarnToConsole(\"unsupported ssh command: %q ignored\", command)\n\t\t}\n\t}\n\tc.EnabledSSHCommands = sshCommands\n\tlogger.Debug(logSender, \"\", \"enabled SSH commands %v\", c.EnabledSSHCommands)\n}\n\nfunc (c *Configuration) generateDefaultHostKeys(configDir string) error {\n\tvar err error\n\tdefaultHostKeys := []string{defaultPrivateRSAKeyName, defaultPrivateECDSAKeyName, defaultPrivateEd25519KeyName}\n\tfor _, k := range defaultHostKeys {\n\t\tautoFile := filepath.Join(configDir, k)\n\t\tif _, err = os.Stat(autoFile); errors.Is(err, fs.ErrNotExist) {\n\t\t\tlogger.Info(logSender, \"\", \"No host keys configured and %q does not exist; try to create a new host key\", autoFile)\n\t\t\tlogger.InfoToConsole(\"No host keys configured and %q does not exist; try to create a new host key\", autoFile)\n\t\t\tswitch k {\n\t\t\tcase defaultPrivateRSAKeyName:\n\t\t\t\terr = util.GenerateRSAKeys(autoFile)\n\t\t\tcase defaultPrivateECDSAKeyName:\n\t\t\t\terr = util.GenerateECDSAKeys(autoFile)\n\t\t\tdefault:\n\t\t\t\terr = util.GenerateEd25519Keys(autoFile)\n\t\t\t}\n\t\t\tif err != nil {\n\t\t\t\tlogger.Warn(logSender, \"\", \"error creating host key %q: %v\", autoFile, err)\n\t\t\t\tlogger.WarnToConsole(\"error creating host key %q: %v\", autoFile, err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\tc.HostKeys = append(c.HostKeys, k)\n\t}\n\n\treturn err\n}\n\nfunc (c *Configuration) checkHostKeyAutoGeneration(configDir string) error {\n\tfor _, k := range c.HostKeys {\n\t\tk = strings.TrimSpace(k)\n\t\tif filepath.IsAbs(k) {\n\t\t\tif _, err := os.Stat(k); errors.Is(err, fs.ErrNotExist) {\n\t\t\t\tkeyName := filepath.Base(k)\n\t\t\t\tswitch keyName {\n\t\t\t\tcase defaultPrivateRSAKeyName:\n\t\t\t\t\tlogger.Info(logSender, \"\", \"try to create non-existent host key %q\", k)\n\t\t\t\t\tlogger.InfoToConsole(\"try to create non-existent host key %q\", k)\n\t\t\t\t\terr = util.GenerateRSAKeys(k)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\tlogger.Warn(logSender, \"\", \"error creating host key %q: %v\", k, err)\n\t\t\t\t\t\tlogger.WarnToConsole(\"error creating host key %q: %v\", k, err)\n\t\t\t\t\t\treturn err\n\t\t\t\t\t}\n\t\t\t\tcase defaultPrivateECDSAKeyName:\n\t\t\t\t\tlogger.Info(logSender, \"\", \"try to create non-existent host key %q\", k)\n\t\t\t\t\tlogger.InfoToConsole(\"try to create non-existent host key %q\", k)\n\t\t\t\t\terr = util.GenerateECDSAKeys(k)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\tlogger.Warn(logSender, \"\", \"error creating host key %q: %v\", k, err)\n\t\t\t\t\t\tlogger.WarnToConsole(\"error creating host key %q: %v\", k, err)\n\t\t\t\t\t\treturn err\n\t\t\t\t\t}\n\t\t\t\tcase defaultPrivateEd25519KeyName:\n\t\t\t\t\tlogger.Info(logSender, \"\", \"try to create non-existent host key %q\", k)\n\t\t\t\t\tlogger.InfoToConsole(\"try to create non-existent host key %q\", k)\n\t\t\t\t\terr = util.GenerateEd25519Keys(k)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\tlogger.Warn(logSender, \"\", \"error creating host key %q: %v\", k, err)\n\t\t\t\t\t\tlogger.WarnToConsole(\"error creating host key %q: %v\", k, err)\n\t\t\t\t\t\treturn err\n\t\t\t\t\t}\n\t\t\t\tdefault:\n\t\t\t\t\tlogger.Warn(logSender, \"\", \"non-existent host key %q will not be created\", k)\n\t\t\t\t\tlogger.WarnToConsole(\"non-existent host key %q will not be created\", k)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\tif len(c.HostKeys) == 0 {\n\t\tif err := c.generateDefaultHostKeys(configDir); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (c *Configuration) getHostKeyAlgorithms(keyFormat string) []string {\n\tvar algos []string\n\tfor _, algo := range algorithmsForKeyFormat(keyFormat) {\n\t\tif slices.Contains(c.HostKeyAlgorithms, algo) {\n\t\t\talgos = append(algos, algo)\n\t\t}\n\t}\n\treturn algos\n}\n\n// If no host keys are defined we try to use or generate the default ones.\nfunc (c *Configuration) checkAndLoadHostKeys(configDir string, serverConfig *ssh.ServerConfig) error {\n\tif err := c.checkHostKeyAutoGeneration(configDir); err != nil {\n\t\treturn err\n\t}\n\thostCertificates, err := c.loadHostCertificates(configDir)\n\tif err != nil {\n\t\treturn err\n\t}\n\tserviceStatus.HostKeys = nil\n\tfor _, hostKey := range c.HostKeys {\n\t\thostKey = strings.TrimSpace(hostKey)\n\t\tif !util.IsFileInputValid(hostKey) {\n\t\t\tlogger.Warn(logSender, \"\", \"unable to load invalid host key %q\", hostKey)\n\t\t\tlogger.WarnToConsole(\"unable to load invalid host key %q\", hostKey)\n\t\t\tcontinue\n\t\t}\n\t\tif !filepath.IsAbs(hostKey) {\n\t\t\thostKey = filepath.Join(configDir, hostKey)\n\t\t}\n\t\tlogger.Info(logSender, \"\", \"Loading private host key %q\", hostKey)\n\n\t\tprivateBytes, err := os.ReadFile(hostKey)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\tprivate, err := ssh.ParsePrivateKey(privateBytes)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tk := HostKey{\n\t\t\tPath: hostKey,\n\t\t\tFingerprint: ssh.FingerprintSHA256(private.PublicKey()),\n\t\t\tAlgorithms: c.getHostKeyAlgorithms(private.PublicKey().Type()),\n\t\t}\n\t\tmas, err := ssh.NewSignerWithAlgorithms(private.(ssh.AlgorithmSigner), k.Algorithms)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"could not create signer for key %q with algorithms %+v: %w\", k.Path, k.Algorithms, err)\n\t\t}\n\t\tserviceStatus.HostKeys = append(serviceStatus.HostKeys, k)\n\t\tlogger.Info(logSender, \"\", \"Host key %q loaded, type %q, fingerprint %q, algorithms %+v\", hostKey,\n\t\t\tprivate.PublicKey().Type(), k.Fingerprint, k.Algorithms)\n\n\t\t// Add private key to the server configuration.\n\t\tserverConfig.AddHostKey(mas)\n\t\tfor _, cert := range hostCertificates {\n\t\t\tsigner, err := ssh.NewCertSigner(cert.Certificate, mas)\n\t\t\tif err == nil {\n\t\t\t\tvar algos []string\n\t\t\t\tfor _, algo := range algorithmsForKeyFormat(signer.PublicKey().Type()) {\n\t\t\t\t\tif underlyingAlgo, ok := certKeyAlgoNames[algo]; ok {\n\t\t\t\t\t\tif slices.Contains(mas.Algorithms(), underlyingAlgo) {\n\t\t\t\t\t\t\talgos = append(algos, algo)\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tserviceStatus.HostKeys = append(serviceStatus.HostKeys, HostKey{\n\t\t\t\t\tPath: cert.Path,\n\t\t\t\t\tFingerprint: ssh.FingerprintSHA256(signer.PublicKey()),\n\t\t\t\t\tAlgorithms: algos,\n\t\t\t\t})\n\t\t\t\tserverConfig.AddHostKey(signer)\n\t\t\t\tlogger.Info(logSender, \"\", \"Host certificate loaded for host key %q, fingerprint %q, algorithms %+v\",\n\t\t\t\t\thostKey, ssh.FingerprintSHA256(signer.PublicKey()), algos)\n\t\t\t}\n\t\t}\n\t}\n\tvar fp []string\n\tfor idx := range serviceStatus.HostKeys {\n\t\th := &serviceStatus.HostKeys[idx]\n\t\tfp = append(fp, h.Fingerprint)\n\t}\n\tvfs.SetSFTPFingerprints(fp)\n\treturn nil\n}\n\nfunc (c *Configuration) loadHostCertificates(configDir string) ([]hostCertificate, error) {\n\tvar certs []hostCertificate\n\tfor _, certPath := range c.HostCertificates {\n\t\tcertPath = strings.TrimSpace(certPath)\n\t\tif !util.IsFileInputValid(certPath) {\n\t\t\tlogger.Warn(logSender, \"\", \"unable to load invalid host certificate %q\", certPath)\n\t\t\tlogger.WarnToConsole(\"unable to load invalid host certificate %q\", certPath)\n\t\t\tcontinue\n\t\t}\n\t\tif !filepath.IsAbs(certPath) {\n\t\t\tcertPath = filepath.Join(configDir, certPath)\n\t\t}\n\t\tcertBytes, err := os.ReadFile(certPath)\n\t\tif err != nil {\n\t\t\treturn certs, fmt.Errorf(\"unable to load host certificate %q: %w\", certPath, err)\n\t\t}\n\t\tparsed, _, _, _, err := ssh.ParseAuthorizedKey(certBytes)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"unable to parse host certificate %q: %w\", certPath, err)\n\t\t}\n\t\tcert, ok := parsed.(*ssh.Certificate)\n\t\tif !ok {\n\t\t\treturn nil, fmt.Errorf(\"the file %q is not an SSH certificate\", certPath)\n\t\t}\n\t\tif cert.CertType != ssh.HostCert {\n\t\t\treturn nil, fmt.Errorf(\"the file %q is not an host certificate\", certPath)\n\t\t}\n\t\tcerts = append(certs, hostCertificate{\n\t\t\tPath: certPath,\n\t\t\tCertificate: cert,\n\t\t})\n\t}\n\treturn certs, nil\n}\n\nfunc (c *Configuration) initializeOPKSSH() error {\n\tif c.OPKSSHPath != \"\" {\n\t\tif len(c.parsedUserCAKeys) > 0 {\n\t\t\treturn errors.New(\"opkssh and certificate authorities are mutually exclusive\")\n\t\t}\n\t\tif !util.IsFileInputValid(c.OPKSSHPath) || !filepath.IsAbs(c.OPKSSHPath) {\n\t\t\treturn fmt.Errorf(\"opkssh path %q is not valid, it must be an absolute path\", c.OPKSSHPath)\n\t\t}\n\t\tif c.OPKSSHChecksum == \"\" {\n\t\t\tif _, err := os.Stat(c.OPKSSHPath); err != nil {\n\t\t\t\treturn fmt.Errorf(\"error validating opkssh path %q: %w\", c.OPKSSHPath, err)\n\t\t\t}\n\t\t} else {\n\t\t\tif err := util.VerifyFileChecksum(c.OPKSSHPath, sha256.New(), c.OPKSSHChecksum, 100*1024*1024); err != nil {\n\t\t\t\treturn fmt.Errorf(\"error validating opkssh checksum: %w\", err)\n\t\t\t}\n\t\t}\n\t}\n\n\treturn nil\n}\n\nfunc (c *Configuration) verifyWithOPKSSH(username string, cert *ssh.Certificate) error {\n\tctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)\n\tdefer cancel()\n\n\targs := []string{\"verify\", username, util.BytesToString(ssh.MarshalAuthorizedKey(cert)), cert.Type()}\n\tout, err := c.executor.CombinedOutput(ctx, c.OPKSSHPath, args...)\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"unable to execute opk verifier: %s\", string(out))\n\t\treturn fmt.Errorf(\"unable to execute opk verifier: %w\", err)\n\t}\n\tpubKey, _, _, _, err := ssh.ParseAuthorizedKey(out) //nolint:dogsled\n\tif err != nil {\n\t\tlogger.Debug(logSender, \"\", \"unable to validate the opk verifier output: %s\", string(out))\n\t\treturn fmt.Errorf(\"unable to validate the opk verifier output: %w\", err)\n\t}\n\tif !bytes.Equal(pubKey.Marshal(), cert.SignatureKey.Marshal()) {\n\t\treturn errors.New(\"unable to validate opk result\")\n\t}\n\treturn nil\n}\n\nfunc (c *Configuration) initializeCertChecker(configDir string) error {\n\tfor _, keyPath := range c.TrustedUserCAKeys {\n\t\tkeyPath = strings.TrimSpace(keyPath)\n\t\tif !util.IsFileInputValid(keyPath) {\n\t\t\tlogger.Warn(logSender, \"\", \"unable to load invalid trusted user CA key %q\", keyPath)\n\t\t\tlogger.WarnToConsole(\"unable to load invalid trusted user CA key %q\", keyPath)\n\t\t\tcontinue\n\t\t}\n\t\tif !filepath.IsAbs(keyPath) {\n\t\t\tkeyPath = filepath.Join(configDir, keyPath)\n\t\t}\n\t\tkeyBytes, err := os.ReadFile(keyPath)\n\t\tif err != nil {\n\t\t\tlogger.Warn(logSender, \"\", \"error loading trusted user CA key %q: %v\", keyPath, err)\n\t\t\tlogger.WarnToConsole(\"error loading trusted user CA key %q: %v\", keyPath, err)\n\t\t\treturn err\n\t\t}\n\t\tparsedKey, _, _, _, err := ssh.ParseAuthorizedKey(keyBytes)\n\t\tif err != nil {\n\t\t\tlogger.Warn(logSender, \"\", \"error parsing trusted user CA key %q: %v\", keyPath, err)\n\t\t\tlogger.WarnToConsole(\"error parsing trusted user CA key %q: %v\", keyPath, err)\n\t\t\treturn err\n\t\t}\n\t\tc.parsedUserCAKeys = append(c.parsedUserCAKeys, parsedKey)\n\t}\n\tc.certChecker = &ssh.CertChecker{\n\t\tSupportedCriticalOptions: []string{\n\t\t\tsourceAddressCriticalOption,\n\t\t},\n\t\tIsUserAuthority: func(k ssh.PublicKey) bool {\n\t\t\tfor _, key := range c.parsedUserCAKeys {\n\t\t\t\tif bytes.Equal(k.Marshal(), key.Marshal()) {\n\t\t\t\t\treturn true\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn false\n\t\t},\n\t}\n\tif c.RevokedUserCertsFile != \"\" {\n\t\tif !util.IsFileInputValid(c.RevokedUserCertsFile) {\n\t\t\treturn fmt.Errorf(\"invalid revoked user certificate: %q\", c.RevokedUserCertsFile)\n\t\t}\n\t\tif !filepath.IsAbs(c.RevokedUserCertsFile) {\n\t\t\tc.RevokedUserCertsFile = filepath.Join(configDir, c.RevokedUserCertsFile)\n\t\t}\n\t}\n\trevokedCertManager.filePath = c.RevokedUserCertsFile\n\treturn revokedCertManager.load()\n}\n\nfunc (c *Configuration) getPartialSuccessError(nextAuthMethods []string) error {\n\terr := &ssh.PartialSuccessError{}\n\tif c.PasswordAuthentication && slices.Contains(nextAuthMethods, dataprovider.LoginMethodPassword) {\n\t\terr.Next.PasswordCallback = func(conn ssh.ConnMetadata, password []byte) (*ssh.Permissions, error) {\n\t\t\treturn c.validatePasswordCredentials(conn, password, dataprovider.SSHLoginMethodKeyAndPassword)\n\t\t}\n\t}\n\tif c.KeyboardInteractiveAuthentication && slices.Contains(nextAuthMethods, dataprovider.SSHLoginMethodKeyboardInteractive) {\n\t\terr.Next.KeyboardInteractiveCallback = func(conn ssh.ConnMetadata, client ssh.KeyboardInteractiveChallenge) (*ssh.Permissions, error) {\n\t\t\treturn c.validateKeyboardInteractiveCredentials(conn, client, dataprovider.SSHLoginMethodKeyAndKeyboardInt, true)\n\t\t}\n\t}\n\treturn err\n}\n\nfunc (c *Configuration) validatePublicKeyCredentials(conn ssh.ConnMetadata, pubKey ssh.PublicKey) (*ssh.Permissions, error) {\n\tvar user dataprovider.User\n\tvar certPerm *ssh.Permissions\n\n\tmethod := dataprovider.SSHLoginMethodPublicKey\n\tipAddr := util.GetIPFromRemoteAddress(conn.RemoteAddr().String())\n\tcert, ok := pubKey.(*ssh.Certificate)\n\tvar certFingerprint string\n\tif ok {\n\t\tcertFingerprint = ssh.FingerprintSHA256(cert.Key)\n\t\tif c.OPKSSHPath != \"\" {\n\t\t\tif err := c.verifyWithOPKSSH(conn.User(), cert); err != nil {\n\t\t\t\terr := fmt.Errorf(\"ssh: verification with OPK failed: %v\", err)\n\t\t\t\tuser.Username = conn.User()\n\t\t\t\tupdateLoginMetrics(&user, ipAddr, method, err)\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t} else {\n\t\t\tif cert.CertType != ssh.UserCert {\n\t\t\t\terr := fmt.Errorf(\"ssh: cert has type %d\", cert.CertType)\n\t\t\t\tuser.Username = conn.User()\n\t\t\t\tupdateLoginMetrics(&user, ipAddr, method, err)\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t\tif !c.certChecker.IsUserAuthority(cert.SignatureKey) {\n\t\t\t\terr := errors.New(\"ssh: certificate signed by unrecognized authority\")\n\t\t\t\tuser.Username = conn.User()\n\t\t\t\tupdateLoginMetrics(&user, ipAddr, method, err)\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t\tif len(cert.ValidPrincipals) == 0 {\n\t\t\t\terr := fmt.Errorf(\"ssh: certificate %s has no valid principals, user: \\\"%s\\\"\", certFingerprint, conn.User())\n\t\t\t\tuser.Username = conn.User()\n\t\t\t\tupdateLoginMetrics(&user, ipAddr, method, err)\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t\tif revokedCertManager.isRevoked(certFingerprint) {\n\t\t\t\terr := fmt.Errorf(\"ssh: certificate %s is revoked\", certFingerprint)\n\t\t\t\tuser.Username = conn.User()\n\t\t\t\tupdateLoginMetrics(&user, ipAddr, method, err)\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t\tif err := c.certChecker.CheckCert(conn.User(), cert); err != nil {\n\t\t\t\tuser.Username = conn.User()\n\t\t\t\tupdateLoginMetrics(&user, ipAddr, method, err)\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t}\n\t\tcertPerm = &cert.Permissions\n\t}\n\tuser, keyID, err := dataprovider.CheckUserAndPubKey(conn.User(), pubKey.Marshal(), ipAddr, common.ProtocolSSH, ok)\n\tif err != nil {\n\t\tuser.Username = conn.User()\n\t\tupdateLoginMetrics(&user, ipAddr, method, err)\n\t\treturn nil, err\n\t}\n\tif ok {\n\t\tkeyID = fmt.Sprintf(\"%s: ID: %s, serial: %v, CA %s %s\", certFingerprint,\n\t\t\tcert.KeyId, cert.Serial, cert.Type(), ssh.FingerprintSHA256(cert.SignatureKey))\n\t}\n\tif certPerm == nil {\n\t\tcertPerm = &ssh.Permissions{}\n\t}\n\tcertPerm.ExtraData = make(map[any]any)\n\tcertPerm.ExtraData[extraDataKeyIDKey] = keyID\n\tcertPerm.ExtraData[extraDataUserKey] = user\n\tif user.IsPartialAuth() {\n\t\tcertPerm.ExtraData[extraDataPartialSuccessErrKey] = c.getPartialSuccessError(user.GetNextAuthMethods())\n\t}\n\treturn certPerm, nil\n}\n\nfunc (c *Configuration) validatePasswordCredentials(conn ssh.ConnMetadata, pass []byte, method string) (*ssh.Permissions, error) {\n\tvar err error\n\tvar user dataprovider.User\n\tvar sshPerm *ssh.Permissions\n\n\tipAddr := util.GetIPFromRemoteAddress(conn.RemoteAddr().String())\n\tif user, err = dataprovider.CheckUserAndPass(conn.User(), util.BytesToString(pass), ipAddr, common.ProtocolSSH); err == nil {\n\t\tsshPerm, err = loginUser(&user, method, \"\", conn)\n\t}\n\tuser.Username = conn.User()\n\tupdateLoginMetrics(&user, ipAddr, method, err)\n\tif err != nil {\n\t\treturn nil, newAuthenticationError(fmt.Errorf(\"could not validate password credentials: %w\", err), method, conn.User())\n\t}\n\treturn sshPerm, nil\n}\n\nfunc (c *Configuration) validateKeyboardInteractiveCredentials(conn ssh.ConnMetadata, client ssh.KeyboardInteractiveChallenge,\n\tmethod string, isPartialAuth bool,\n) (*ssh.Permissions, error) {\n\tvar err error\n\tvar user dataprovider.User\n\tvar sshPerm *ssh.Permissions\n\n\tipAddr := util.GetIPFromRemoteAddress(conn.RemoteAddr().String())\n\tif user, err = dataprovider.CheckKeyboardInteractiveAuth(conn.User(), c.KeyboardInteractiveHook, client,\n\t\tipAddr, common.ProtocolSSH, isPartialAuth); err == nil {\n\t\tsshPerm, err = loginUser(&user, method, \"\", conn)\n\t}\n\tuser.Username = conn.User()\n\tupdateLoginMetrics(&user, ipAddr, method, err)\n\tif err != nil {\n\t\treturn nil, newAuthenticationError(fmt.Errorf(\"could not validate keyboard interactive credentials: %w\", err), method, conn.User())\n\t}\n\treturn sshPerm, nil\n}\n\nfunc updateLoginMetrics(user *dataprovider.User, ip, method string, err error) {\n\tmetric.AddLoginAttempt(method)\n\tif err == nil {\n\t\tplugin.Handler.NotifyLogEvent(notifier.LogEventTypeLoginOK, common.ProtocolSSH, user.Username, ip, \"\", err)\n\t\tcommon.DelayLogin(nil)\n\t} else {\n\t\tlogger.ConnectionFailedLog(user.Username, ip, method, common.ProtocolSSH, err.Error())\n\t\tif method != dataprovider.SSHLoginMethodPublicKey {\n\t\t\t// some clients try all available public keys for a user, we\n\t\t\t// record failed login key auth only once for session if the\n\t\t\t// authentication fails in checkAuthError\n\t\t\tevent := common.HostEventLoginFailed\n\t\t\tlogEv := notifier.LogEventTypeLoginFailed\n\t\t\tif errors.Is(err, util.ErrNotFound) {\n\t\t\t\tevent = common.HostEventUserNotFound\n\t\t\t\tlogEv = notifier.LogEventTypeLoginNoUser\n\t\t\t}\n\t\t\tcommon.AddDefenderEvent(ip, common.ProtocolSSH, event)\n\t\t\tplugin.Handler.NotifyLogEvent(logEv, common.ProtocolSSH, user.Username, ip, \"\", err)\n\t\t\tif method != dataprovider.SSHLoginMethodPublicKey {\n\t\t\t\tcommon.DelayLogin(err)\n\t\t\t}\n\t\t}\n\t}\n\tmetric.AddLoginResult(method, err)\n\tdataprovider.ExecutePostLoginHook(user, method, ip, common.ProtocolSSH, err)\n}\n\ntype revokedCertificates struct {\n\tfilePath string\n\tmu sync.RWMutex\n\tcerts map[string]bool\n}\n\nfunc (r *revokedCertificates) load() error {\n\tif r.filePath == \"\" {\n\t\treturn nil\n\t}\n\tlogger.Debug(logSender, \"\", \"loading revoked user certificate file %q\", r.filePath)\n\tinfo, err := os.Stat(r.filePath)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to load revoked user certificate file %q: %w\", r.filePath, err)\n\t}\n\tmaxSize := int64(1048576 * 5) // 5MB\n\tif info.Size() > maxSize {\n\t\treturn fmt.Errorf(\"unable to load revoked user certificate file %q size too big: %v/%v bytes\",\n\t\t\tr.filePath, info.Size(), maxSize)\n\t}\n\tcontent, err := os.ReadFile(r.filePath)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to read revoked user certificate file %q: %w\", r.filePath, err)\n\t}\n\tvar certs []string\n\terr = json.Unmarshal(content, &certs)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to parse revoked user certificate file %q: %w\", r.filePath, err)\n\t}\n\n\tr.mu.Lock()\n\tdefer r.mu.Unlock()\n\n\tr.certs = map[string]bool{}\n\tfor _, fp := range certs {\n\t\tr.certs[fp] = true\n\t}\n\tlogger.Debug(logSender, \"\", \"revoked user certificate file %q loaded, entries: %v\", r.filePath, len(r.certs))\n\treturn nil\n}\n\nfunc (r *revokedCertificates) isRevoked(fp string) bool {\n\tr.mu.RLock()\n\tdefer r.mu.RUnlock()\n\n\treturn r.certs[fp]\n}\n\n// Reload reloads the list of revoked user certificates\nfunc Reload() error {\n\treturn revokedCertManager.load()\n}\n\nfunc algorithmsForKeyFormat(keyFormat string) []string {\n\tswitch keyFormat {\n\tcase ssh.KeyAlgoRSA:\n\t\treturn []string{ssh.KeyAlgoRSASHA256, ssh.KeyAlgoRSASHA512, ssh.KeyAlgoRSA}\n\tcase ssh.CertAlgoRSAv01:\n\t\treturn []string{ssh.CertAlgoRSASHA256v01, ssh.CertAlgoRSASHA512v01, ssh.CertAlgoRSAv01}\n\tdefault:\n\t\treturn []string{keyFormat}\n\t}\n}\n" }, { "path": "internal/sftpd/sftpd.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n// Package sftpd implements the SSH File Transfer Protocol as described in https://tools.ietf.org/html/draft-ietf-secsh-filexfer-02.\n// It uses pkg/sftp library:\n// https://github.com/pkg/sftp\npackage sftpd\n\nimport (\n\t\"strings\"\n\t\"time\"\n\n\t\"golang.org/x/crypto/ssh\"\n)\n\nconst (\n\tlogSender = \"sftpd\"\n\thandshakeTimeout = 2 * time.Minute\n)\n\nvar (\n\tsupportedSSHCommands = []string{\"scp\", \"md5sum\", \"sha1sum\", \"sha256sum\", \"sha384sum\", \"sha512sum\", \"cd\", \"pwd\",\n\t\t\"sftpgo-copy\", \"sftpgo-remove\"}\n\tdefaultSSHCommands = []string{\"md5sum\", \"sha1sum\", \"sha256sum\", \"cd\", \"pwd\", \"scp\"}\n\tsshHashCommands = []string{\"md5sum\", \"sha1sum\", \"sha256sum\", \"sha384sum\", \"sha512sum\"}\n\tserviceStatus ServiceStatus\n\tcertKeyAlgoNames = map[string]string{\n\t\tssh.CertAlgoRSAv01: ssh.KeyAlgoRSA,\n\t\tssh.CertAlgoRSASHA256v01: ssh.KeyAlgoRSASHA256,\n\t\tssh.CertAlgoRSASHA512v01: ssh.KeyAlgoRSASHA512,\n\t\tssh.InsecureCertAlgoDSAv01: ssh.InsecureKeyAlgoDSA, //nolint:staticcheck\n\t\tssh.CertAlgoECDSA256v01: ssh.KeyAlgoECDSA256,\n\t\tssh.CertAlgoECDSA384v01: ssh.KeyAlgoECDSA384,\n\t\tssh.CertAlgoECDSA521v01: ssh.KeyAlgoECDSA521,\n\t\tssh.CertAlgoSKECDSA256v01: ssh.KeyAlgoSKECDSA256,\n\t\tssh.CertAlgoED25519v01: ssh.KeyAlgoED25519,\n\t\tssh.CertAlgoSKED25519v01: ssh.KeyAlgoSKED25519,\n\t}\n)\n\ntype sshSubsystemExitStatus struct {\n\tStatus uint32\n}\n\ntype sshSubsystemExecMsg struct {\n\tCommand string\n}\n\ntype hostCertificate struct {\n\tCertificate *ssh.Certificate\n\tPath string\n}\n\n// HostKey defines the details for a used host key\ntype HostKey struct {\n\tPath string `json:\"path\"`\n\tFingerprint string `json:\"fingerprint\"`\n\tAlgorithms []string `json:\"algorithms\"`\n}\n\n// GetAlgosAsString returns the host key algorithms as comma separated string\nfunc (h *HostKey) GetAlgosAsString() string {\n\treturn strings.Join(h.Algorithms, \", \")\n}\n\n// ServiceStatus defines the service status\ntype ServiceStatus struct {\n\tIsActive bool `json:\"is_active\"`\n\tBindings []Binding `json:\"bindings\"`\n\tSSHCommands []string `json:\"ssh_commands\"`\n\tHostKeys []HostKey `json:\"host_keys\"`\n\tAuthentications []string `json:\"authentications\"`\n\tMACs []string `json:\"macs\"`\n\tKexAlgorithms []string `json:\"kex_algorithms\"`\n\tCiphers []string `json:\"ciphers\"`\n\tPublicKeyAlgorithms []string `json:\"public_key_algorithms\"`\n}\n\n// GetSSHCommandsAsString returns enabled SSH commands as comma separated string\nfunc (s *ServiceStatus) GetSSHCommandsAsString() string {\n\treturn strings.Join(s.SSHCommands, \", \")\n}\n\n// GetSupportedAuthsAsString returns the supported authentications as comma separated string\nfunc (s *ServiceStatus) GetSupportedAuthsAsString() string {\n\treturn strings.Join(s.Authentications, \", \")\n}\n\n// GetMACsAsString returns the enabled MAC algorithms as comma separated string\nfunc (s *ServiceStatus) GetMACsAsString() string {\n\treturn strings.Join(s.MACs, \", \")\n}\n\n// GetKEXsAsString returns the enabled KEX algorithms as comma separated string\nfunc (s *ServiceStatus) GetKEXsAsString() string {\n\treturn strings.Join(s.KexAlgorithms, \", \")\n}\n\n// GetCiphersAsString returns the enabled ciphers as comma separated string\nfunc (s *ServiceStatus) GetCiphersAsString() string {\n\treturn strings.Join(s.Ciphers, \", \")\n}\n\n// GetPublicKeysAlgosAsString returns enabled public key authentication\n// algorithms as comma separated string\nfunc (s *ServiceStatus) GetPublicKeysAlgosAsString() string {\n\treturn strings.Join(s.PublicKeyAlgorithms, \", \")\n}\n\n// GetStatus returns the server status\nfunc GetStatus() ServiceStatus {\n\treturn serviceStatus\n}\n\n// GetDefaultSSHCommands returns the SSH commands enabled as default\nfunc GetDefaultSSHCommands() []string {\n\tresult := make([]string, len(defaultSSHCommands))\n\tcopy(result, defaultSSHCommands)\n\treturn result\n}\n\n// GetSupportedSSHCommands returns the supported SSH commands\nfunc GetSupportedSSHCommands() []string {\n\tresult := make([]string, len(supportedSSHCommands))\n\tcopy(result, supportedSSHCommands)\n\treturn result\n}\n" }, { "path": "internal/sftpd/sftpd_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage sftpd_test\n\nimport (\n\t\"bufio\"\n\t\"bytes\"\n\t\"context\"\n\t\"crypto/rand\"\n\t\"crypto/sha256\"\n\t\"crypto/sha512\"\n\t\"encoding/base64\"\n\t\"encoding/binary\"\n\t\"encoding/hex\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"hash\"\n\t\"io\"\n\t\"io/fs\"\n\t\"math\"\n\t\"net\"\n\t\"net/http\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"slices\"\n\t\"strconv\"\n\t\"strings\"\n\t\"sync\"\n\t\"sync/atomic\"\n\t\"testing\"\n\t\"time\"\n\n\t_ \"github.com/go-sql-driver/mysql\"\n\t_ \"github.com/jackc/pgx/v5/stdlib\"\n\t_ \"github.com/mattn/go-sqlite3\"\n\t\"github.com/pquerna/otp\"\n\t\"github.com/pquerna/otp/totp\"\n\n\t\"github.com/pkg/sftp\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/sftpgo/sdk\"\n\tsdkkms \"github.com/sftpgo/sdk/kms\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\t\"golang.org/x/crypto/ssh\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/config\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpdtest\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/mfa\"\n\t\"github.com/drakkan/sftpgo/v2/internal/sftpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nconst (\n\tlogSender = \"sftpdTesting\"\n\tsftpServerAddr = \"127.0.0.1:2022\"\n\tsftpSrvAddr2222 = \"127.0.0.1:2222\"\n\tdefaultUsername = \"test_user_sftp\"\n\tdefaultPassword = \"test_password\"\n\tdefaultSFTPUsername = \"test_sftpfs_user\"\n\ttestPubKey = \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC03jj0D+djk7pxIf/0OhrxrchJTRZklofJ1NoIu4752Sq02mdXmarMVsqJ1cAjV5LBVy3D1F5U6XW4rppkXeVtd04Pxb09ehtH0pRRPaoHHlALiJt8CoMpbKYMA8b3KXPPriGxgGomvtU2T2RMURSwOZbMtpsugfjYSWenyYX+VORYhylWnSXL961LTyC21ehd6d6QnW9G7E5hYMITMY9TuQZz3bROYzXiTsgN0+g6Hn7exFQp50p45StUMfV/SftCMdCxlxuyGny2CrN/vfjO7xxOo2uv7q1qm10Q46KPWJQv+pgZ/OfL+EDjy07n5QVSKHlbx+2nT4Q0EgOSQaCTYwn3YjtABfIxWwgAFdyj6YlPulCL22qU4MYhDcA6PSBwDdf8hvxBfvsiHdM+JcSHvv8/VeJhk6CmnZxGY0fxBupov27z3yEO8nAg8k+6PaUiW1MSUfuGMF/ktB8LOstXsEPXSszuyXiOv4DaryOXUiSn7bmRqKcEFlJusO6aZP0= nicola@p1\"\n\ttestPubKey1 = \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCd60+/j+y8f0tLftihWV1YN9RSahMI9btQMDIMqts/jeNbD8jgoogM3nhF7KxfcaMKURuD47KC4Ey6iAJUJ0sWkSNNxOcIYuvA+5MlspfZDsa8Ag76Fe1vyz72WeHMHMeh/hwFo2TeIeIXg480T1VI6mzfDrVp2GzUx0SS0dMsQBjftXkuVR8YOiOwMCAH2a//M1OrvV7d/NBk6kBN0WnuIBb2jKm15PAA7+jQQG7tzwk2HedNH3jeL5GH31xkSRwlBczRK0xsCQXehAlx6cT/e/s44iJcJTHfpPKoSk6UAhPJYe7Z1QnuoawY9P9jQaxpyeImBZxxUEowhjpj2avBxKdRGBVK8R7EL8tSOeLbhdyWe5Mwc1+foEbq9Zz5j5Kd+hn3Wm1UnsGCrXUUUoZp1jnlNl0NakCto+5KmqnT9cHxaY+ix2RLUWAZyVFlRq71OYux1UHJnEJPiEI1/tr4jFBSL46qhQZv/TfpkfVW8FLz0lErfqu0gQEZnNHr3Fc= nicola@p1\"\n\ttestPrivateKey = `-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAYEAtN449A/nY5O6cSH/9Doa8a3ISU0WZJaHydTaCLuO+dkqtNpnV5mq\nzFbKidXAI1eSwVctw9ReVOl1uK6aZF3lbXdOD8W9PXobR9KUUT2qBx5QC4ibfAqDKWymDA\nPG9ylzz64hsYBqJr7VNk9kTFEUsDmWzLabLoH42Elnp8mF/lTkWIcpVp0ly/etS08gttXo\nXenekJ1vRuxOYWDCEzGPU7kGc920TmM14k7IDdPoOh5+3sRUKedKeOUrVDH1f0n7QjHQsZ\ncbshp8tgqzf734zu8cTqNrr+6taptdEOOij1iUL/qYGfzny/hA48tO5+UFUih5W8ftp0+E\nNBIDkkGgk2MJ92I7QAXyMVsIABXco+mJT7pQi9tqlODGIQ3AOj0gcA3X/Ib8QX77Ih3TPi\nXEh77/P1XiYZOgpp2cRmNH8QbqaL9u898hDvJwIPJPuj2lIltTElH7hjBf5LQfCzrLV7BD\n10rM7sl4jr+A2q8jl1Ikp+25kainBBZSbrDummT9AAAFgDU/VLk1P1S5AAAAB3NzaC1yc2\nEAAAGBALTeOPQP52OTunEh//Q6GvGtyElNFmSWh8nU2gi7jvnZKrTaZ1eZqsxWyonVwCNX\nksFXLcPUXlTpdbiummRd5W13Tg/FvT16G0fSlFE9qgceUAuIm3wKgylspgwDxvcpc8+uIb\nGAaia+1TZPZExRFLA5lsy2my6B+NhJZ6fJhf5U5FiHKVadJcv3rUtPILbV6F3p3pCdb0bs\nTmFgwhMxj1O5BnPdtE5jNeJOyA3T6Doeft7EVCnnSnjlK1Qx9X9J+0Ix0LGXG7IafLYKs3\n+9+M7vHE6ja6/urWqbXRDjoo9YlC/6mBn858v4QOPLTuflBVIoeVvH7adPhDQSA5JBoJNj\nCfdiO0AF8jFbCAAV3KPpiU+6UIvbapTgxiENwDo9IHAN1/yG/EF++yId0z4lxIe+/z9V4m\nGToKadnEZjR/EG6mi/bvPfIQ7ycCDyT7o9pSJbUxJR+4YwX+S0Hws6y1ewQ9dKzO7JeI6/\ngNqvI5dSJKftuZGopwQWUm6w7ppk/QAAAAMBAAEAAAGAHKnC+Nq0XtGAkIFE4N18e6SAwy\n0WSWaZqmCzFQM0S2AhJnweOIG/0ZZHjsRzKKauOTmppQk40dgVsejpytIek9R+aH172gxJ\n2n4Cx0UwduRU5x8FFQlNc/kl722B0JWfJuB/snOZXv6LJ4o5aObIkozt2w9tVFeAqjYn2S\n1UsNOfRHBXGsTYwpRDwFWP56nKo2d2wBBTHDhCy6fb2dLW1fvSi/YspueOGIlHpvlYKi2/\nCWqvs9xVrwcScMtiDoQYq0khhO0efLCxvg/o+W9CLMVM2ms4G1zoSUQKN0oYWWQJyW4+VI\nYneWO8UpN0J3ElXKi7bhgAat7dBaM1g9IrAzk153DiEFZNsPxGOgL/+YdQN7zUBx/z7EkI\njyv80RV7fpUXvcq2p+qNl6UVig3VSzRrnsaJkUWu/A0u59ha7ocv6NxDIXjxpIDJme16GF\nquiGVBQNnYJymS/vFEbGf6bgf7iRmMCRUMG4nqLA6fPYP9uAtch+CmDfVLZC/fIdC5AAAA\nwQCDissV4zH6bfqgxJSuYNk8Vbb+19cF3b7gH1rVlB3zxpCAgcRgMHC+dP1z2NRx7UW9MR\nnye6kjpkzZZ0OigLqo7TtEq8uTglD9o6W7mRXqhy5A/ySOmqPL3ernHHQhGuoNODYAHkOU\nu2Rh8HXi+VLwKZcLInPOYJvcuLG4DxN8WfeVvlMHwhAOaTNNOtL4XZDHQeIPc4qHmJymmv\nsV7GuyQ6yW5C10uoGdxRPd90Bh4z4h2bKfZFjvEBbSBVkqrlAAAADBAN/zNtNayd/dX7Cr\nNb4sZuzCh+CW4BH8GOePZWNCATwBbNXBVb5cR+dmuTqYm+Ekz0VxVQRA1TvKncluJOQpoa\nXj8r0xdIgqkehnfDPMKtYVor06B9Fl1jrXtXU0Vrr6QcBWruSVyK1ZxqcmcNK/+KolVepe\nA6vcl/iKaG4U7su166nxLST06M2EgcSVsFJHpKn5+WAXC+X0Gx8kNjWIIb3GpiChdc0xZD\nmq02xZthVJrTCVw/e7gfDoB2QRsNV8HwAAAMEAzsCghZVp+0YsYg9oOrw4tEqcbEXEMhwY\n0jW8JNL8Spr1Ibp5Dw6bRSk5azARjmJtnMJhJ3oeHfF0eoISqcNuQXGndGQbVM9YzzAzc1\nNbbCNsVroqKlChT5wyPNGS+phi2bPARBno7WSDvshTZ7dAVEP2c9MJW0XwoSevwKlhgSdt\nRLFFQ/5nclJSdzPBOmQouC0OBcMFSrYtMeknJ4VvueVvve5HcHFaEsaMc7ABAGaLYaBQOm\niixITGvaNZh/tjAAAACW5pY29sYUBwMQE=\n-----END OPENSSH PRIVATE KEY-----`\n\t// password protected private key\n\ttestPrivateKeyPwd = `-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAvfwQQcs\n+PyMsCLTNFcKiQAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAILqltfCL7IPuIQ2q\n+8w23flfgskjIlKViEwMfjJR4mrbAAAAkHp5xgG8J1XW90M/fT59ZUQht8sZzzP17rEKlX\nwaYKvLzDxkPK6LFIYs55W1EX1eVt/2Maq+zQ7k2SOUmhPNknsUOlPV2gytX3uIYvXF7u2F\nFTBIJuzZ+UQ14wFbraunliE9yye9DajVG1kz2cz2wVgXUbee+gp5NyFVvln+TcTxXwMsWD\nqwlk5iw/jQekxThg==\n-----END OPENSSH PRIVATE KEY-----\n`\n\ttestPubKeyPwd = \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILqltfCL7IPuIQ2q+8w23flfgskjIlKViEwMfjJR4mrb\"\n\tprivateKeyPwd = \"password\"\n\t// test CA user key.\n\t// % ssh-keygen -f ca_user_key\n\ttestCAUserKey = \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDF5fcwZHiyixmnE6IlOZJpZhWXoh62gN+yadAA0GJ509SAEaZVLPDP8S5RsE8mUikR3wxynVshxHeqMhrkS+RlNbhSlOXDdNg94yTrq/xF8Z/PgKRInvef74k5i7bAIytza7jERzFJ/ujTEy3537T5k5EYQJ15ZQGuvzynSdv+6o99SjI4jFplyQOZ2QcYbEAmhHm5GgQlIiEFG/RlDtLksOulKZxOY3qPzP0AyQxtZJXn/5vG40aW9LTbwxCJqWlgrkFXMqAAVCbuU5YspwhiXmKt1PsldiXw23oloa4caCKN1jzbFiGuZNXEU2Ebx7JIvjQCPaUYwLjEbkRDxDqN/vmwZqBuKYiuG9Eafx+nFSQkr7QYb5b+mT+/1IFHnmeRGn38731kBqtH7tpzC/t+soRX9p2HtJM+9MYhblO2OqTSPGTlxihWUkyiRBekpAhaiHld16TsG+A3bOJHrojGcX+5g6oGarKGLAMcykL1X+rZqT993Mo6d2Z7q43MOXE= root@p1\"\n\t// this is testPubKey signed using testCAUserKey.\n\t// % ssh-keygen -s ca_user_key -I test_user_sftp -n test_user_sftp -V always:forever -O source-address=127.0.0.1 -z 1 /tmp/test.pub\n\ttestCertValid = \"ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgm2fil1IIoTixrA2QE9tk7Vbspj/JdEY90e3K2htxYv8AAAADAQABAAABgQC03jj0D+djk7pxIf/0OhrxrchJTRZklofJ1NoIu4752Sq02mdXmarMVsqJ1cAjV5LBVy3D1F5U6XW4rppkXeVtd04Pxb09ehtH0pRRPaoHHlALiJt8CoMpbKYMA8b3KXPPriGxgGomvtU2T2RMURSwOZbMtpsugfjYSWenyYX+VORYhylWnSXL961LTyC21ehd6d6QnW9G7E5hYMITMY9TuQZz3bROYzXiTsgN0+g6Hn7exFQp50p45StUMfV/SftCMdCxlxuyGny2CrN/vfjO7xxOo2uv7q1qm10Q46KPWJQv+pgZ/OfL+EDjy07n5QVSKHlbx+2nT4Q0EgOSQaCTYwn3YjtABfIxWwgAFdyj6YlPulCL22qU4MYhDcA6PSBwDdf8hvxBfvsiHdM+JcSHvv8/VeJhk6CmnZxGY0fxBupov27z3yEO8nAg8k+6PaUiW1MSUfuGMF/ktB8LOstXsEPXSszuyXiOv4DaryOXUiSn7bmRqKcEFlJusO6aZP0AAAAAAAAAAQAAAAEAAAAOdGVzdF91c2VyX3NmdHAAAAASAAAADnRlc3RfdXNlcl9zZnRwAAAAAAAAAAD//////////wAAACMAAAAOc291cmNlLWFkZHJlc3MAAAANAAAACTEyNy4wLjAuMQAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAAZcAAAAHc3NoLXJzYQAAAAMBAAEAAAGBAMXl9zBkeLKLGacToiU5kmlmFZeiHraA37Jp0ADQYnnT1IARplUs8M/xLlGwTyZSKRHfDHKdWyHEd6oyGuRL5GU1uFKU5cN02D3jJOur/EXxn8+ApEie95/viTmLtsAjK3NruMRHMUn+6NMTLfnftPmTkRhAnXllAa6/PKdJ2/7qj31KMjiMWmXJA5nZBxhsQCaEebkaBCUiIQUb9GUO0uSw66UpnE5jeo/M/QDJDG1klef/m8bjRpb0tNvDEImpaWCuQVcyoABUJu5TliynCGJeYq3U+yV2JfDbeiWhrhxoIo3WPNsWIa5k1cRTYRvHski+NAI9pRjAuMRuREPEOo3++bBmoG4piK4b0Rp/H6cVJCSvtBhvlv6ZP7/UgUeeZ5EaffzvfWQGq0fu2nML+36yhFf2nYe0kz70xiFuU7Y6pNI8ZOXGKFZSTKJEF6SkCFqIeV3XpOwb4Dds4keuiMZxf7mDqgZqsoYsAxzKQvVf6tmpP33cyjp3Znurjcw5cQAAAZQAAAAMcnNhLXNoYTItNTEyAAABgMNenD7d1J9cF7JWgHA1DYpJ5+5knPtdXbbIgZAznsTxX7qOdptjeeYOuzhQ5Bwklh3fjewiJpGR1rBqbULP+6PAKeYqd7dNLH/upfKBfJweRf5pdXDpoknHaVuIhi4Uu6FeI4NkAzX9nqNKjFAflhJ+7GLGkLNb0UVZxgxr/t0rPmxc5iTg2ZRM+rk1Ij0S5RnGiKVsdAClqNA6h4TDzu5lJVdK5XvuNKBsKVRCvsVBOgJQTtRTLywQaqWR+HBfCiMj8X8EI7atDlJ6XIAlTLOO/f1sM8QPLjT0+tCHZaGFzg/lKPh3/yFQ4MvddZCptMy1Ll1xvj7cz2ynhGR4PiDfikV3YzgJU/KtL5y+ZB4jU08oPRiOP612PjwZZ+MqYOVOFCKUpMpZQs5UJHME+zNKr4LEj8M0x4YFKIciC+RsrCo4ujbJHmz61ionCadU+fmngvl3C3QjmUdgULBevODeUeIpJv4yFahNxrG1SKRTAa8VVDwJ9GdDTtmXM0mrwA== nicola@p1\"\n\t// this is testPubKey signed using a CA user key different from testCAUserKey\n\ttestCertUntrustedCA = \"ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAg8oFPWpjYy/DowMmtOjWj7Dq20d2N/4Rxzr/c710tOOUAAAADAQABAAABgQC03jj0D+djk7pxIf/0OhrxrchJTRZklofJ1NoIu4752Sq02mdXmarMVsqJ1cAjV5LBVy3D1F5U6XW4rppkXeVtd04Pxb09ehtH0pRRPaoHHlALiJt8CoMpbKYMA8b3KXPPriGxgGomvtU2T2RMURSwOZbMtpsugfjYSWenyYX+VORYhylWnSXL961LTyC21ehd6d6QnW9G7E5hYMITMY9TuQZz3bROYzXiTsgN0+g6Hn7exFQp50p45StUMfV/SftCMdCxlxuyGny2CrN/vfjO7xxOo2uv7q1qm10Q46KPWJQv+pgZ/OfL+EDjy07n5QVSKHlbx+2nT4Q0EgOSQaCTYwn3YjtABfIxWwgAFdyj6YlPulCL22qU4MYhDcA6PSBwDdf8hvxBfvsiHdM+JcSHvv8/VeJhk6CmnZxGY0fxBupov27z3yEO8nAg8k+6PaUiW1MSUfuGMF/ktB8LOstXsEPXSszuyXiOv4DaryOXUiSn7bmRqKcEFlJusO6aZP0AAAAAAAAAAAAAAAEAAAAOdGVzdF91c2VyX3NmdHAAAAASAAAADnRlc3RfdXNlcl9zZnRwAAAAAAAAAAD//////////wAAAAAAAACCAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAXcGVybWl0LWFnZW50LWZvcndhcmRpbmcAAAAAAAAAFnBlcm1pdC1wb3J0LWZvcndhcmRpbmcAAAAAAAAACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAAAAAAAAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQCqgm2gVlptULThfpRR0oCb4SAU3368ULlJaiZOUdq6b94KTfgmu4hTLs7u3a8hyZnVxrKrJ93uAVCwa/HGtgiN96CNC6JUt/QnPqTJ8LQ207RdoE9fbOe6mGwOle5z45+5JFoIi5ZZuD8JsBGodVoa92UepoMyBcNtZyl9q2GP4yT2tIYRon79dtG9AXiDYyhSgePqaObN67dn3ivMc4ZGNukK3cG07cYPic5y0wxX16wSMG3pGQDyUkAu+s4AqpnV9EWHM4PE7SYkCXE99++tUK3QALYqvGZKrLHgzmDKi6n+e14vHYUppAeGDZzwlawiY4oGP9eOW2KUfjZe2ZeL22JTFDYzH2lNV2WtUpeKRGGTSGaUblRVC9hRt6hKCT4c7qpW4kO4kPhE39JpcNPGLql7srNkw+3xXBs8xghMPtH3nOl1Rz2mxnX5tAqmPBb+KiPepnrs+pBRu7i+nCVp8az+iN87STYHy+zPtvTR+QURC8BpNraPOfXwpwM2HaMAAAGUAAAADHJzYS1zaGEyLTUxMgAAAYBnTXCL6tXUO3/Gtsm7lnH9Sulzca8FOoI4Y/4bVYhq4iUNu7Ca452m+Xr9qmCEoIyIJF0LEEcJ8jcS4rfX15e7tNNoknv7JbYXBFAbp1Y/76iqVf89FjfVcbEyH2ToAf7eyQAWzQ3gEKS8mQIkLnAwmCboUXC4GRodSIiOXiTt5Q6T02MVc8TxkhmlTA0uVLd5XgstySgE/oLBnL59lhJcwQmdhHL+m480+PaW55CtMuC36RTwk/tOyuWCDC5qMXnoveNB3yu45o3L/U4hoyJ0/5FyP5C8ahgydY0LoRZQG/mNzuraY4433rK+IfkQvZTyaDtcjhxE6hCD5F40aDDh88i6XaKAPikD6fqra6BN8PoPgLuRHzOJuqsMXBWM99s7qPgSnBbmXlekz/1jvvFiCh3zvAFTxFz2KyE4+SbDcCrhpxkNL7idw6r/ZsHaI/2+zhDcgSs5MgBwYLJEj6zUqVdp5XsF8YfC7yNZV5/qy68qY2+zXrC57SPifU2SCPE= nicola@p1\"\n\t// this is testPubKey signed as host certificate.\n\t// % ssh-keygen -s ca_user_key -I test_user_sftp -h -n test_user_sftp -V always:forever -z 2 /tmp/test.pub\n\ttestHostCert = \"ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAg7O2LDpLO1jGTX3SSzEMILoAYJb9DdggyyaUMXUUg3L4AAAADAQABAAABgQC03jj0D+djk7pxIf/0OhrxrchJTRZklofJ1NoIu4752Sq02mdXmarMVsqJ1cAjV5LBVy3D1F5U6XW4rppkXeVtd04Pxb09ehtH0pRRPaoHHlALiJt8CoMpbKYMA8b3KXPPriGxgGomvtU2T2RMURSwOZbMtpsugfjYSWenyYX+VORYhylWnSXL961LTyC21ehd6d6QnW9G7E5hYMITMY9TuQZz3bROYzXiTsgN0+g6Hn7exFQp50p45StUMfV/SftCMdCxlxuyGny2CrN/vfjO7xxOo2uv7q1qm10Q46KPWJQv+pgZ/OfL+EDjy07n5QVSKHlbx+2nT4Q0EgOSQaCTYwn3YjtABfIxWwgAFdyj6YlPulCL22qU4MYhDcA6PSBwDdf8hvxBfvsiHdM+JcSHvv8/VeJhk6CmnZxGY0fxBupov27z3yEO8nAg8k+6PaUiW1MSUfuGMF/ktB8LOstXsEPXSszuyXiOv4DaryOXUiSn7bmRqKcEFlJusO6aZP0AAAAAAAAAAgAAAAIAAAAOdGVzdF91c2VyX3NmdHAAAAASAAAADnRlc3RfdXNlcl9zZnRwAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAAZcAAAAHc3NoLXJzYQAAAAMBAAEAAAGBAMXl9zBkeLKLGacToiU5kmlmFZeiHraA37Jp0ADQYnnT1IARplUs8M/xLlGwTyZSKRHfDHKdWyHEd6oyGuRL5GU1uFKU5cN02D3jJOur/EXxn8+ApEie95/viTmLtsAjK3NruMRHMUn+6NMTLfnftPmTkRhAnXllAa6/PKdJ2/7qj31KMjiMWmXJA5nZBxhsQCaEebkaBCUiIQUb9GUO0uSw66UpnE5jeo/M/QDJDG1klef/m8bjRpb0tNvDEImpaWCuQVcyoABUJu5TliynCGJeYq3U+yV2JfDbeiWhrhxoIo3WPNsWIa5k1cRTYRvHski+NAI9pRjAuMRuREPEOo3++bBmoG4piK4b0Rp/H6cVJCSvtBhvlv6ZP7/UgUeeZ5EaffzvfWQGq0fu2nML+36yhFf2nYe0kz70xiFuU7Y6pNI8ZOXGKFZSTKJEF6SkCFqIeV3XpOwb4Dds4keuiMZxf7mDqgZqsoYsAxzKQvVf6tmpP33cyjp3Znurjcw5cQAAAZQAAAAMcnNhLXNoYTItNTEyAAABgHlAWMTTzNrE6pxHlkr09ZXsHgJi8U2p7eifs56DOLgklYIXVUJPEEcnzMKGdpPBnqJsvg3+PccqxgOr5L1dFuOmekQ/dGiHd1enrESiGvJOvDfm0WsuBjxEZkSNFWgC9Z2NltToMmRlhVBmb4ZRZtAmi9DAFlJ/BDV4t8ikXZ5oUsigwIeOeLkdPFx3C3x9KZIpuwuAIV4Nfmz75q1NMWY2K1hv682QCKwMYqOWSotz1vWunNmZ0yPRl9UwqAq+nqwO3AApnlrQ3MmHujWQ5tl65PyhfpI8oghhUtB6YrJIAuRXNI/S0+KewCpiYm7nbFBtv9lpecujxAeTibYBrFZ5VODEUm3sdQ/HMdTmkhi6xNgPDQVlvKFqBJAaqoO3tbhKTbEZ865tJMqhyxmZ4XY08wduvSVobrNr7s3rm42/FXLIpung+UOVXonHyeIv9zQ0iJ/bvqKQ1fOsTisZdcD0lz80ZGsjdgJt7yKfUNBnAyVbTXm048E3WsZslJIYCA== nicola@p1\"\n\t// this is testPubKey signed using testCAUserKey but with source address 172.16.34.45.\n\t// % ssh-keygen -s ca_user_key -I test_user_sftp -n test_user_sftp -V always:forever -O source-address=172.16.34.45 -z 3 /tmp/test.pub\n\ttestCertOtherSourceAddress = \"ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgZ4Su0250R4sQRNYJqJH9VTp9OyeYMAvqY5+lJRI4LzMAAAADAQABAAABgQC03jj0D+djk7pxIf/0OhrxrchJTRZklofJ1NoIu4752Sq02mdXmarMVsqJ1cAjV5LBVy3D1F5U6XW4rppkXeVtd04Pxb09ehtH0pRRPaoHHlALiJt8CoMpbKYMA8b3KXPPriGxgGomvtU2T2RMURSwOZbMtpsugfjYSWenyYX+VORYhylWnSXL961LTyC21ehd6d6QnW9G7E5hYMITMY9TuQZz3bROYzXiTsgN0+g6Hn7exFQp50p45StUMfV/SftCMdCxlxuyGny2CrN/vfjO7xxOo2uv7q1qm10Q46KPWJQv+pgZ/OfL+EDjy07n5QVSKHlbx+2nT4Q0EgOSQaCTYwn3YjtABfIxWwgAFdyj6YlPulCL22qU4MYhDcA6PSBwDdf8hvxBfvsiHdM+JcSHvv8/VeJhk6CmnZxGY0fxBupov27z3yEO8nAg8k+6PaUiW1MSUfuGMF/ktB8LOstXsEPXSszuyXiOv4DaryOXUiSn7bmRqKcEFlJusO6aZP0AAAAAAAAAAwAAAAEAAAAOdGVzdF91c2VyX3NmdHAAAAASAAAADnRlc3RfdXNlcl9zZnRwAAAAAAAAAAD//////////wAAACYAAAAOc291cmNlLWFkZHJlc3MAAAAQAAAADDE3Mi4xNi4zNC40NQAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAAZcAAAAHc3NoLXJzYQAAAAMBAAEAAAGBAMXl9zBkeLKLGacToiU5kmlmFZeiHraA37Jp0ADQYnnT1IARplUs8M/xLlGwTyZSKRHfDHKdWyHEd6oyGuRL5GU1uFKU5cN02D3jJOur/EXxn8+ApEie95/viTmLtsAjK3NruMRHMUn+6NMTLfnftPmTkRhAnXllAa6/PKdJ2/7qj31KMjiMWmXJA5nZBxhsQCaEebkaBCUiIQUb9GUO0uSw66UpnE5jeo/M/QDJDG1klef/m8bjRpb0tNvDEImpaWCuQVcyoABUJu5TliynCGJeYq3U+yV2JfDbeiWhrhxoIo3WPNsWIa5k1cRTYRvHski+NAI9pRjAuMRuREPEOo3++bBmoG4piK4b0Rp/H6cVJCSvtBhvlv6ZP7/UgUeeZ5EaffzvfWQGq0fu2nML+36yhFf2nYe0kz70xiFuU7Y6pNI8ZOXGKFZSTKJEF6SkCFqIeV3XpOwb4Dds4keuiMZxf7mDqgZqsoYsAxzKQvVf6tmpP33cyjp3Znurjcw5cQAAAZQAAAAMcnNhLXNoYTItNTEyAAABgL34Q3Li8AJIxZLU+fh4i8ehUWpm31vEvlNjXVCeP70xI+5hWuEt6E1TgKw7GCL5GeD4KehX4vVcNs+A2eOdIUZfDBZIFxn88BN8xcMlDpAMJXgvNqGttiOwcspL6X3N288djUgpCI718lLRdz8nvFqcuYBhSpBm5KL4JzH5o1o8yqv75wMJsH8CJYwGhvWi0OgWOqaLRAk3IUxq3Fbgo/nX11NgrkY/dHIZCkGBFaLJ/M5mfmt/K/5hJAVgLcSxMwB/ryyGaziB9Pv7CwZ9uwnMoRcAvyr96lqgdtLt7LNY8ktugAJ7EnBWjQn4+EJAjjRK2sCaiwpdP37ckDZgmk0OWGEL1yVy8VXgl9QBd7Mb1EVl+lhRyw8jlgBXZOGqpdDrmKCdBYGtU7ujyndLXmxZEAlqhef0yCsyZPTkYH3RhjCYs8ATrEqndEpiL59Nej5uUGQURYijJfHep08AMb4rCxvIZATVm1Ocxu48rGCGolv8jZFJzSJq84HCrVRKMw== nicola@p1\"\n\t// this is testPubKey signed using testCAUserKey but expired.\n\t// % ssh-keygen -s ca_user_key -I test_user_sftp -n test_user_sftp -V 20100101123000:20110101123000 -z 4 /tmp/test.pub\n\ttestCertExpired = \"ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgU3TLP5285k20fBSsdZioI78oJUpaRXFlgx5IPg6gWg8AAAADAQABAAABgQC03jj0D+djk7pxIf/0OhrxrchJTRZklofJ1NoIu4752Sq02mdXmarMVsqJ1cAjV5LBVy3D1F5U6XW4rppkXeVtd04Pxb09ehtH0pRRPaoHHlALiJt8CoMpbKYMA8b3KXPPriGxgGomvtU2T2RMURSwOZbMtpsugfjYSWenyYX+VORYhylWnSXL961LTyC21ehd6d6QnW9G7E5hYMITMY9TuQZz3bROYzXiTsgN0+g6Hn7exFQp50p45StUMfV/SftCMdCxlxuyGny2CrN/vfjO7xxOo2uv7q1qm10Q46KPWJQv+pgZ/OfL+EDjy07n5QVSKHlbx+2nT4Q0EgOSQaCTYwn3YjtABfIxWwgAFdyj6YlPulCL22qU4MYhDcA6PSBwDdf8hvxBfvsiHdM+JcSHvv8/VeJhk6CmnZxGY0fxBupov27z3yEO8nAg8k+6PaUiW1MSUfuGMF/ktB8LOstXsEPXSszuyXiOv4DaryOXUiSn7bmRqKcEFlJusO6aZP0AAAAAAAAABAAAAAEAAAAOdGVzdF91c2VyX3NmdHAAAAASAAAADnRlc3RfdXNlcl9zZnRwAAAAAEs93LgAAAAATR8QOAAAAAAAAACCAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAXcGVybWl0LWFnZW50LWZvcndhcmRpbmcAAAAAAAAAFnBlcm1pdC1wb3J0LWZvcndhcmRpbmcAAAAAAAAACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAAAAAAAAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQDF5fcwZHiyixmnE6IlOZJpZhWXoh62gN+yadAA0GJ509SAEaZVLPDP8S5RsE8mUikR3wxynVshxHeqMhrkS+RlNbhSlOXDdNg94yTrq/xF8Z/PgKRInvef74k5i7bAIytza7jERzFJ/ujTEy3537T5k5EYQJ15ZQGuvzynSdv+6o99SjI4jFplyQOZ2QcYbEAmhHm5GgQlIiEFG/RlDtLksOulKZxOY3qPzP0AyQxtZJXn/5vG40aW9LTbwxCJqWlgrkFXMqAAVCbuU5YspwhiXmKt1PsldiXw23oloa4caCKN1jzbFiGuZNXEU2Ebx7JIvjQCPaUYwLjEbkRDxDqN/vmwZqBuKYiuG9Eafx+nFSQkr7QYb5b+mT+/1IFHnmeRGn38731kBqtH7tpzC/t+soRX9p2HtJM+9MYhblO2OqTSPGTlxihWUkyiRBekpAhaiHld16TsG+A3bOJHrojGcX+5g6oGarKGLAMcykL1X+rZqT993Mo6d2Z7q43MOXEAAAGUAAAADHJzYS1zaGEyLTUxMgAAAYAlH3hhj8J6xLyVpeLZjblzwDKrxp/MWiH30hQ965ExPrPRcoAZFEKVqOYdj6bp4Q19Q4Yzqdobg3aN5ym2iH0b2TlOY0mM901CAoHbNJyiLs+0KiFRoJ+30EDj/hcKusg6v8ln2yixPagAyQu3zyiWo4t1ZuO3I86xchGlptStxSdHAHPFCfpbhcnzWFZctiMqUutl82C4ROWyjOZcRzdVdWHeN5h8wnooXuvba2VkT8QPmjYYyRGuQ3Hg+ySdh8Tel4wiix1Dg5MX7Wjh4hKEx80No9UPy+0iyZMNc07lsWAtrY6NRxGM5CzB6mklscB8TzFrVSnIl9u3bquLfaCrFt/Mft5dR7Yy4jmF+zUhjia6h6giCZ91J+FZ4hV+WkBtPCvTfrGWoA1BgEB/iI2xOq/NPqJ7UXRoMXk/l0NPgRPT2JS1adegqnt4ddr6IlmPyZxaSEvXhanjKdfMlEFYO1wz7ouqpYUozQVy4KXBlzFlNwyD1hI+k4+/A6AIYeI= nicola@p1\"\n\t// this is testPubKey signed without a principal\n\t// ssh-keygen -s ca_user_key -I test_user_sftp -V always:forever -O source-address=127.0.0.1 -z 1 /tmp/test.pub\n\ttestCertNoPrincipals = \"ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAg2Bx0s8nafJtriqoBuQfbFByhdQMkjDIZhV90JZSGN8AAAAADAQABAAABgQC03jj0D+djk7pxIf/0OhrxrchJTRZklofJ1NoIu4752Sq02mdXmarMVsqJ1cAjV5LBVy3D1F5U6XW4rppkXeVtd04Pxb09ehtH0pRRPaoHHlALiJt8CoMpbKYMA8b3KXPPriGxgGomvtU2T2RMURSwOZbMtpsugfjYSWenyYX+VORYhylWnSXL961LTyC21ehd6d6QnW9G7E5hYMITMY9TuQZz3bROYzXiTsgN0+g6Hn7exFQp50p45StUMfV/SftCMdCxlxuyGny2CrN/vfjO7xxOo2uv7q1qm10Q46KPWJQv+pgZ/OfL+EDjy07n5QVSKHlbx+2nT4Q0EgOSQaCTYwn3YjtABfIxWwgAFdyj6YlPulCL22qU4MYhDcA6PSBwDdf8hvxBfvsiHdM+JcSHvv8/VeJhk6CmnZxGY0fxBupov27z3yEO8nAg8k+6PaUiW1MSUfuGMF/ktB8LOstXsEPXSszuyXiOv4DaryOXUiSn7bmRqKcEFlJusO6aZP0AAAAAAAAAAQAAAAEAAAAOdGVzdF91c2VyX3NmdHAAAAAAAAAAAAAAAAD//////////wAAACMAAAAOc291cmNlLWFkZHJlc3MAAAANAAAACTEyNy4wLjAuMQAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAAZcAAAAHc3NoLXJzYQAAAAMBAAEAAAGBAMXl9zBkeLKLGacToiU5kmlmFZeiHraA37Jp0ADQYnnT1IARplUs8M/xLlGwTyZSKRHfDHKdWyHEd6oyGuRL5GU1uFKU5cN02D3jJOur/EXxn8+ApEie95/viTmLtsAjK3NruMRHMUn+6NMTLfnftPmTkRhAnXllAa6/PKdJ2/7qj31KMjiMWmXJA5nZBxhsQCaEebkaBCUiIQUb9GUO0uSw66UpnE5jeo/M/QDJDG1klef/m8bjRpb0tNvDEImpaWCuQVcyoABUJu5TliynCGJeYq3U+yV2JfDbeiWhrhxoIo3WPNsWIa5k1cRTYRvHski+NAI9pRjAuMRuREPEOo3++bBmoG4piK4b0Rp/H6cVJCSvtBhvlv6ZP7/UgUeeZ5EaffzvfWQGq0fu2nML+36yhFf2nYe0kz70xiFuU7Y6pNI8ZOXGKFZSTKJEF6SkCFqIeV3XpOwb4Dds4keuiMZxf7mDqgZqsoYsAxzKQvVf6tmpP33cyjp3Znurjcw5cQAAAZQAAAAMcnNhLXNoYTItNTEyAAABgHgax/++NA5YZXDHH180BcQtDBve8Vc+XJzqQUe8xBiqd+KJnas6He7vW62qMaAfu63i0Uycj2Djfjy5dyx1GB9wup8YuP5mXlmJTx+7UPPjwbfrZWtk8iJ7KhFAwjh0KRZD4uIvoeecK8QE9zh64k2LNVqlWbFTdoPulRC29cGcXDpMU2eToFEyWbceHOZyyifXf98ZMZbaQzWzwSZ5rFucJ1b0aeT6aAJWB+Dq7mIQWf/jCWr8kNaeCzMKJsFQkQEfmHls29ChV92sNRhngUDxll0Ir0wpPea1fFEBnUhLRTLC8GhDDbWAzsZtXqx9fjoAkb/gwsU6TGxevuOMxEABjDA9PyJiTXJI9oTUCwDIAUVVFLsCEum3o/BblngXajUGibaif5ZSKBocpP70oTeAngQYB7r1/vquQzGsGFhTN4FUXLSpLu9Zqi1z58/qa7SgKSfNp98X/4zrhltAX73ZEvg0NUMv2HwlwlqHdpF3FYolAxInp7c2jBTncQ2l3w== nicola@p1\"\n\tosWindows = \"windows\"\n\ttestFileName = \"test_file_sftp.dat\"\n\ttestDLFileName = \"test_download_sftp.dat\"\n)\n\nvar (\n\tconfigDir = filepath.Join(\".\", \"..\", \"..\")\n\tallPerms = []string{dataprovider.PermAny}\n\thomeBasePath string\n\tscpPath string\n\tscpForce bool\n\tgitPath string\n\tsshPath string\n\thookCmdPath string\n\tpubKeyPath string\n\tprivateKeyPath string\n\ttrustedCAUserKey string\n\trevokeUserCerts string\n\tgitWrapPath string\n\textAuthPath string\n\tkeyIntAuthPath string\n\tpreLoginPath string\n\tpostConnectPath string\n\tpreDownloadPath string\n\tpreUploadPath string\n\tcheckPwdPath string\n\tlogFilePath string\n\thostKeyFPs []string\n)\n\nfunc TestMain(m *testing.M) {\n\tlogFilePath = filepath.Join(configDir, \"sftpgo_sftpd_test.log\")\n\tloginBannerFileName := \"login_banner\"\n\tloginBannerFile := filepath.Join(configDir, loginBannerFileName)\n\tlogger.InitLogger(logFilePath, 10, 1, 28, false, false, zerolog.DebugLevel)\n\terr := os.WriteFile(loginBannerFile, []byte(\"simple login banner\\n\"), os.ModePerm)\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error creating login banner: %v\", err)\n\t}\n\tos.Setenv(\"SFTPGO_COMMON__UPLOAD_MODE\", \"2\")\n\tos.Setenv(\"SFTPGO_DATA_PROVIDER__CREATE_DEFAULT_ADMIN\", \"1\")\n\tos.Setenv(\"SFTPGO_COMMON__ALLOW_SELF_CONNECTIONS\", \"1\")\n\tos.Setenv(\"SFTPGO_DEFAULT_ADMIN_USERNAME\", \"admin\")\n\tos.Setenv(\"SFTPGO_DEFAULT_ADMIN_PASSWORD\", \"password\")\n\terr = config.LoadConfig(configDir, \"\")\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error loading configuration: %v\", err)\n\t\tos.Exit(1)\n\t}\n\tproviderConf := config.GetProviderConf()\n\tlogger.InfoToConsole(\"Starting SFTPD tests, provider: %v\", providerConf.Driver)\n\n\tcommonConf := config.GetCommonConfig()\n\thomeBasePath = os.TempDir()\n\tcheckSystemCommands()\n\tvar scriptArgs string\n\tif runtime.GOOS == osWindows {\n\t\tscriptArgs = \"%*\"\n\t} else {\n\t\tcommonConf.Actions.ExecuteOn = []string{\"download\", \"upload\", \"rename\", \"delete\", \"ssh_cmd\",\n\t\t\t\"pre-download\", \"pre-upload\"}\n\t\tcommonConf.Actions.Hook = hookCmdPath\n\t\tscriptArgs = \"$@\"\n\t}\n\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error initializing data provider: %v\", err)\n\t\tos.Exit(1)\n\t}\n\n\terr = dataprovider.UpdateConfigs(nil, \"\", \"\", \"\")\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error resetting configs: %v\", err)\n\t\tos.Exit(1)\n\t}\n\n\terr = common.Initialize(commonConf, 0)\n\tif err != nil {\n\t\tlogger.WarnToConsole(\"error initializing common: %v\", err)\n\t\tos.Exit(1)\n\t}\n\n\thttpConfig := config.GetHTTPConfig()\n\thttpConfig.Initialize(configDir) //nolint:errcheck\n\tkmsConfig := config.GetKMSConfig()\n\terr = kmsConfig.Initialize()\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error initializing kms: %v\", err)\n\t\tos.Exit(1)\n\t}\n\tmfaConfig := config.GetMFAConfig()\n\terr = mfaConfig.Initialize()\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error initializing MFA: %v\", err)\n\t\tos.Exit(1)\n\t}\n\n\tsftpdConf := config.GetSFTPDConfig()\n\thttpdConf := config.GetHTTPDConfig()\n\tsftpdConf.Bindings = []sftpd.Binding{\n\t\t{\n\t\t\tPort: 2022,\n\t\t\tApplyProxyConfig: true,\n\t\t},\n\t}\n\tsftpdConf.KexAlgorithms = []string{\"curve25519-sha256@libssh.org\", ssh.KeyExchangeECDHP256,\n\t\tssh.KeyExchangeECDHP384}\n\tsftpdConf.Ciphers = []string{ssh.CipherChaCha20Poly1305, ssh.CipherAES128GCM,\n\t\tssh.CipherAES256CTR}\n\tsftpdConf.LoginBannerFile = loginBannerFileName\n\t// we need to test all supported ssh commands\n\tsftpdConf.EnabledSSHCommands = []string{\"*\"}\n\n\tkeyIntAuthPath = filepath.Join(homeBasePath, \"keyintauth.sh\")\n\terr = os.WriteFile(keyIntAuthPath, getKeyboardInteractiveScriptContent([]string{\"1\", \"2\"}, 0, false, 1), os.ModePerm)\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error writing keyboard interactive script: %v\", err)\n\t\tos.Exit(1)\n\t}\n\tsftpdConf.KeyboardInteractiveAuthentication = true\n\tsftpdConf.KeyboardInteractiveHook = keyIntAuthPath\n\n\tcreateInitialFiles(scriptArgs)\n\tsftpdConf.TrustedUserCAKeys = append(sftpdConf.TrustedUserCAKeys, trustedCAUserKey)\n\tsftpdConf.RevokedUserCertsFile = revokeUserCerts\n\n\tgo func(cfg sftpd.Configuration) {\n\t\tlogger.Debug(logSender, \"\", \"initializing SFTP server with config %+v\", sftpdConf)\n\t\tif err := cfg.Initialize(configDir); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start SFTP server: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}(sftpdConf)\n\n\tgo func() {\n\t\tif err := httpdConf.Initialize(configDir, 0); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start HTTP server: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}()\n\n\twaitTCPListening(sftpdConf.Bindings[0].GetAddress())\n\twaitTCPListening(httpdConf.Bindings[0].GetAddress())\n\n\tsftpdConf.Bindings = []sftpd.Binding{\n\t\t{\n\t\t\tPort: 2222,\n\t\t\tApplyProxyConfig: true,\n\t\t},\n\t}\n\tsftpdConf.PasswordAuthentication = false\n\tcommon.Config.ProxyProtocol = 1\n\tgo func(cfg sftpd.Configuration) {\n\t\tlogger.Debug(logSender, \"\", \"initializing SFTP server with config %+v and proxy protocol %v\",\n\t\t\tsftpdConf, common.Config.ProxyProtocol)\n\t\tif err := cfg.Initialize(configDir); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start SFTP server with proxy protocol 1: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}(sftpdConf)\n\n\twaitTCPListening(sftpdConf.Bindings[0].GetAddress())\n\n\tsftpdConf.Bindings = []sftpd.Binding{\n\t\t{\n\t\t\tPort: 2226,\n\t\t\tApplyProxyConfig: false,\n\t\t},\n\t}\n\tsftpdConf.PasswordAuthentication = true\n\tgo func(cfg sftpd.Configuration) {\n\t\tlogger.Debug(logSender, \"\", \"initializing SFTP server with config %+v and proxy protocol %v\",\n\t\t\tcfg, common.Config.ProxyProtocol)\n\t\tif err := cfg.Initialize(configDir); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start SFTP server with proxy protocol 2: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}(sftpdConf)\n\n\twaitTCPListening(sftpdConf.Bindings[0].GetAddress())\n\n\tsftpdConf.Bindings = []sftpd.Binding{\n\t\t{\n\t\t\tPort: 2224,\n\t\t\tApplyProxyConfig: true,\n\t\t},\n\t}\n\tsftpdConf.PasswordAuthentication = true\n\tcommon.Config.ProxyProtocol = 2\n\tgo func() {\n\t\tlogger.Debug(logSender, \"\", \"initializing SFTP server with config %+v and proxy protocol %v\",\n\t\t\tsftpdConf, common.Config.ProxyProtocol)\n\t\tif err := sftpdConf.Initialize(configDir); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start SFTP server with proxy protocol 2: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}()\n\n\twaitTCPListening(sftpdConf.Bindings[0].GetAddress())\n\tgetHostKeysFingerprints(sftpdConf.HostKeys)\n\tstartHTTPFs()\n\n\texitCode := m.Run()\n\tos.Remove(logFilePath)\n\tos.Remove(loginBannerFile)\n\tos.Remove(pubKeyPath)\n\tos.Remove(privateKeyPath)\n\tos.Remove(trustedCAUserKey)\n\tos.Remove(revokeUserCerts)\n\tos.Remove(gitWrapPath)\n\tos.Remove(extAuthPath)\n\tos.Remove(preLoginPath)\n\tos.Remove(postConnectPath)\n\tos.Remove(preDownloadPath)\n\tos.Remove(preUploadPath)\n\tos.Remove(keyIntAuthPath)\n\tos.Remove(checkPwdPath)\n\tos.Exit(exitCode)\n}\n\nfunc TestInitialization(t *testing.T) {\n\terr := config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tsftpdConf := config.GetSFTPDConfig()\n\tsftpdConf.Bindings = []sftpd.Binding{\n\t\t{\n\t\t\tPort: 2022,\n\t\t\tApplyProxyConfig: true,\n\t\t},\n\t\t{\n\t\t\tPort: 0,\n\t\t},\n\t}\n\tsftpdConf.LoginBannerFile = \"invalid_file\"\n\tsftpdConf.EnabledSSHCommands = append(sftpdConf.EnabledSSHCommands, \"ls\")\n\terr = sftpdConf.Initialize(configDir)\n\tassert.Error(t, err)\n\tsftpdConf.KeyboardInteractiveAuthentication = true\n\tsftpdConf.KeyboardInteractiveHook = \"invalid_file\"\n\terr = sftpdConf.Initialize(configDir)\n\tassert.Error(t, err)\n\tsftpdConf.KeyboardInteractiveAuthentication = true\n\tsftpdConf.KeyboardInteractiveHook = filepath.Join(homeBasePath, \"invalid_file\")\n\terr = sftpdConf.Initialize(configDir)\n\tassert.Error(t, err)\n\tsftpdConf.KeyboardInteractiveAuthentication = false\n\terr = sftpdConf.Initialize(configDir)\n\tassert.Error(t, err)\n\tsftpdConf.Bindings = []sftpd.Binding{\n\t\t{\n\t\t\tPort: 4444,\n\t\t\tApplyProxyConfig: true,\n\t\t},\n\t}\n\tcommon.Config.ProxyProtocol = 1\n\tassert.True(t, sftpdConf.Bindings[0].HasProxy())\n\tcommon.Config.ProxyProtocol = 0\n\tsftpdConf.HostKeys = []string{\"missing key\"}\n\terr = sftpdConf.Initialize(configDir)\n\tassert.Error(t, err)\n\tsftpdConf.HostKeys = nil\n\tsftpdConf.TrustedUserCAKeys = []string{\"missing ca key\"}\n\terr = sftpdConf.Initialize(configDir)\n\tassert.Error(t, err)\n\tsftpdConf.Bindings = nil\n\terr = sftpdConf.Initialize(configDir)\n\tassert.EqualError(t, err, common.ErrNoBinding.Error())\n\tsftpdConf = config.GetSFTPDConfig()\n\tsftpdConf.Ciphers = []string{\"not a cipher\"}\n\terr = sftpdConf.Initialize(configDir)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unsupported cipher\")\n\t}\n\tsftpdConf.Ciphers = nil\n\tsftpdConf.MACs = []string{\"not a MAC\"}\n\terr = sftpdConf.Initialize(configDir)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unsupported MAC algorithm\")\n\t}\n\tsftpdConf.MACs = nil\n\tsftpdConf.KexAlgorithms = []string{\"diffie-hellman-group-exchange-sha1\", \"not a KEX\"}\n\terr = sftpdConf.Initialize(configDir)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unsupported key-exchange algorithm\")\n\t}\n\tsftpdConf.KexAlgorithms = nil\n\tsftpdConf.PublicKeyAlgorithms = []string{\"not a pub key algo\"}\n\terr = sftpdConf.Initialize(configDir)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unsupported public key authentication algorithm\")\n\t}\n\tsftpdConf.PublicKeyAlgorithms = nil\n\tsftpdConf.HostKeyAlgorithms = []string{\"not a host key algo\"}\n\terr = sftpdConf.Initialize(configDir)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unsupported host key algorithm\")\n\t}\n\tsftpdConf.HostKeyAlgorithms = nil\n\tsftpdConf.HostCertificates = []string{\"missing file\"}\n\terr = sftpdConf.Initialize(configDir)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unable to load host certificate\")\n\t}\n\tsftpdConf.HostCertificates = []string{\".\"}\n\terr = sftpdConf.Initialize(configDir)\n\tassert.Error(t, err)\n\thostCertPath := filepath.Join(os.TempDir(), \"host_cert.pub\")\n\terr = os.WriteFile(hostCertPath, []byte(testCertValid), 0600)\n\tassert.NoError(t, err)\n\tsftpdConf.HostKeys = []string{privateKeyPath}\n\tsftpdConf.HostCertificates = []string{hostCertPath}\n\terr = sftpdConf.Initialize(configDir)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"is not an host certificate\")\n\t}\n\terr = os.WriteFile(hostCertPath, []byte(testPubKey), 0600)\n\tassert.NoError(t, err)\n\terr = sftpdConf.Initialize(configDir)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"is not an SSH certificate\")\n\t}\n\terr = os.WriteFile(hostCertPath, []byte(\"abc\"), 0600)\n\tassert.NoError(t, err)\n\terr = sftpdConf.Initialize(configDir)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unable to parse host certificate\")\n\t}\n\terr = os.WriteFile(hostCertPath, []byte(testHostCert), 0600)\n\tassert.NoError(t, err)\n\terr = sftpdConf.Initialize(configDir)\n\tassert.Error(t, err)\n\n\terr = os.Remove(hostCertPath)\n\tassert.NoError(t, err)\n\tsftpdConf.HostKeys = nil\n\tsftpdConf.HostCertificates = nil\n\tsftpdConf.OPKSSHPath = \"relative path\"\n\terr = sftpdConf.Initialize(configDir)\n\tassert.Error(t, err)\n\tsftpdConf.OPKSSHPath = filepath.Join(os.TempDir(), \"missing path\")\n\terr = sftpdConf.Initialize(configDir)\n\tassert.Error(t, err)\n\tsftpdConf.OPKSSHChecksum = \"invalid checksum\"\n\terr = sftpdConf.Initialize(configDir)\n\tassert.Error(t, err)\n\tsftpdConf.OPKSSHPath = \"\"\n\tsftpdConf.OPKSSHChecksum = \"\"\n\tsftpdConf.RevokedUserCertsFile = \".\"\n\terr = sftpdConf.Initialize(configDir)\n\tassert.Error(t, err)\n\tsftpdConf.RevokedUserCertsFile = \"a missing file\"\n\terr = sftpdConf.Initialize(configDir)\n\tassert.ErrorIs(t, err, os.ErrNotExist)\n\n\terr = createTestFile(revokeUserCerts, 10*1024*1024)\n\tassert.NoError(t, err)\n\tsftpdConf.RevokedUserCertsFile = revokeUserCerts\n\terr = sftpdConf.Initialize(configDir)\n\tassert.Error(t, err)\n\n\terr = os.WriteFile(revokeUserCerts, []byte(`[]`), 0644)\n\tassert.NoError(t, err)\n\terr = sftpdConf.Initialize(configDir)\n\tassert.Error(t, err)\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = sftpdConf.Initialize(configDir)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unable to load configs from provider\")\n\t}\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n}\n\nfunc TestBasicSFTPHandling(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.QuotaSize = 6553600\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\texpectedQuotaSize := user.UsedQuotaSize + testFileSize\n\t\texpectedQuotaFiles := user.UsedQuotaFiles + 1\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(\"/missing_dir\", testFileName), testFileSize, client)\n\t\tassert.Error(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), user.FirstUpload)\n\t\tassert.Equal(t, int64(0), user.FirstDownload)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Greater(t, user.FirstUpload, int64(0))\n\t\tassert.Equal(t, int64(0), user.FirstDownload)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = sftpDownloadFile(testFileName, localDownloadPath, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Lstat(testFileName)\n\t\tassert.Error(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, expectedQuotaFiles-1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, expectedQuotaSize-testFileSize, user.UsedQuotaSize)\n\t\tassert.Greater(t, user.FirstUpload, int64(0))\n\t\tassert.Greater(t, user.FirstDownload, int64(0))\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t}\n\tu.Username = \"missing user\"\n\t_, _, err = getSftpClient(u, false)\n\tassert.Error(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\tstatus := sftpd.GetStatus()\n\tassert.True(t, status.IsActive)\n\tsshCommands := status.GetSSHCommandsAsString()\n\tassert.NotEmpty(t, sshCommands)\n\tsshAuths := status.GetSupportedAuthsAsString()\n\tassert.NotEmpty(t, sshAuths)\n\tassert.NotEmpty(t, status.HostKeys[0].GetAlgosAsString())\n\tassert.NotEmpty(t, status.GetMACsAsString())\n\tassert.NotEmpty(t, status.GetKEXsAsString())\n\tassert.NotEmpty(t, status.GetCiphersAsString())\n\tassert.NotEmpty(t, status.GetPublicKeysAlgosAsString())\n}\n\nfunc TestBasicSFTPFsHandling(t *testing.T) {\n\tusePubKey := true\n\tbaseUser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\tu := getTestSFTPUser(usePubKey)\n\tu.QuotaSize = 6553600\n\tu.FsConfig.SFTPConfig.DisableCouncurrentReads = true\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\ttestLinkName := testFileName + \".link\"\n\t\ttestLinkToLinkName := testLinkName + \".link\"\n\t\texpectedQuotaSize := testFileSize\n\t\texpectedQuotaFiles := 1\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = sftpDownloadFile(testFileName, localDownloadPath, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\terr = client.Symlink(testFileName, testLinkName)\n\t\tassert.NoError(t, err)\n\t\tinfo, err := client.Lstat(testLinkName)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.True(t, info.Mode()&os.ModeSymlink != 0)\n\t\t}\n\t\tinfo, err = client.Stat(testLinkName)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.True(t, info.Mode()&os.ModeSymlink == 0)\n\t\t}\n\t\tval, err := client.ReadLink(testLinkName)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, path.Join(\"/\", testFileName), val)\n\t\t}\n\t\tlinkDir := \"linkDir\"\n\t\terr = client.Mkdir(linkDir)\n\t\tassert.NoError(t, err)\n\t\tlinkToLinkPath := path.Join(linkDir, testLinkToLinkName)\n\t\terr = client.Symlink(path.Join(\"/\", testLinkName), linkToLinkPath)\n\t\tassert.NoError(t, err)\n\t\tinfo, err = client.Lstat(linkToLinkPath)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.True(t, info.Mode()&os.ModeSymlink != 0)\n\t\t}\n\t\tinfo, err = client.Stat(linkToLinkPath)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.True(t, info.Mode()&os.ModeSymlink == 0)\n\t\t}\n\t\tval, err = client.ReadLink(linkToLinkPath)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, path.Join(\"/\", testLinkName), val)\n\t\t}\n\t\terr = client.Remove(linkToLinkPath)\n\t\tassert.NoError(t, err)\n\t\terr = client.RemoveDirectory(linkDir)\n\t\tassert.NoError(t, err)\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Lstat(testFileName)\n\t\tassert.Error(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 0, user.UsedQuotaFiles)\n\t\tassert.Equal(t, int64(0), user.UsedQuotaSize)\n\t\t// now overwrite the symlink\n\t\terr = sftpUploadFile(testFilePath, testLinkName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tcontents, err := client.ReadDir(\"/\")\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Len(t, contents, 1)\n\t\t\tassert.Equal(t, testFileSize, contents[0].Size())\n\t\t\tassert.Equal(t, testLinkName, contents[0].Name())\n\t\t\tassert.False(t, contents[0].IsDir())\n\t\t\tassert.True(t, contents[0].Mode().IsRegular())\n\t\t}\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\n\t\tstat, err := client.StatVFS(\"/\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, uint64(u.QuotaSize/4096), stat.Blocks)\n\t\tassert.Equal(t, uint64((u.QuotaSize-testFileSize)/4096), stat.Bfree)\n\t\tassert.Equal(t, uint64(1), stat.Files-stat.Ffree)\n\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(baseUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(baseUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSFTPFsPasswordProtectedPrivateKey(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(true)\n\tu.PublicKeys = []string{testPubKeyPwd}\n\tbaseUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser(usePubKey)\n\tu.FsConfig.SFTPConfig.PrivateKey = kms.NewPlainSecret(testPrivateKeyPwd)\n\tu.FsConfig.SFTPConfig.KeyPassphrase = kms.NewPlainSecret(privateKeyPwd)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t}\n\t// update the user, the key must be preserved\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(baseUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(baseUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSFTPFsEscapeHomeDir(t *testing.T) {\n\tusePubKey := true\n\tbaseUser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\tu := getTestSFTPUser(usePubKey)\n\tsftpPrefix := \"/prefix\"\n\tu.FsConfig.SFTPConfig.Prefix = sftpPrefix\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t\tdirName := \"dir\"\n\t\tlinkName := \"link\"\n\t\terr := client.Mkdir(dirName)\n\t\tassert.NoError(t, err)\n\t\terr = os.Symlink(baseUser.GetHomeDir(), filepath.Join(baseUser.GetHomeDir(), sftpPrefix, dirName, linkName))\n\t\tassert.NoError(t, err)\n\t\terr = os.Symlink(filepath.Join(baseUser.GetHomeDir(), sftpPrefix, dirName, linkName),\n\t\t\tfilepath.Join(baseUser.GetHomeDir(), sftpPrefix, linkName))\n\t\tassert.NoError(t, err)\n\t\t// linkName points to a link inside the home dir and this link points to a dir outside the home dir\n\t\t_, err = client.ReadLink(linkName)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\t_, err = client.RealPath(linkName)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\t_, err = client.ReadDir(linkName)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\t_, err = client.ReadDir(path.Join(dirName, linkName))\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\t_, err = client.ReadDir(\"/\")\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(baseUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(baseUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestReadDirLongNames(t *testing.T) {\n\tusePubKey := true\n\tuser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tnumFiles := 1000\n\t\tfor i := 0; i < 1000; i++ {\n\t\t\tfPath := filepath.Join(user.GetHomeDir(), hex.EncodeToString(util.GenerateRandomBytes(127)))\n\t\t\terr = os.WriteFile(fPath, util.GenerateRandomBytes(30), 0666)\n\t\t\tassert.NoError(t, err)\n\t\t}\n\n\t\tentries, err := client.ReadDir(\"/\")\n\t\tassert.NoError(t, err)\n\t\tassert.Len(t, entries, numFiles)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestGroupSettingsOverride(t *testing.T) {\n\tusePubKey := true\n\tg := getTestGroup()\n\tg.UserSettings.Filters.StartDirectory = \"/%username%\"\n\tgroup, _, err := httpdtest.AddGroup(g, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu := getTestUser(usePubKey)\n\tu.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: group.Name,\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tcurrentDir, err := client.Getwd()\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, \"/\"+user.Username, currentDir)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestStartDirectory(t *testing.T) {\n\tusePubKey := false\n\tstartDir := \"/st@ rt/dir\"\n\tu := getTestUser(usePubKey)\n\tu.Filters.StartDirectory = startDir\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser(usePubKey)\n\tu.Filters.StartDirectory = startDir\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\tconn, client, err := getSftpClient(user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tdefer conn.Close()\n\t\t\tdefer client.Close()\n\n\t\t\tcurrentDir, err := client.Getwd()\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, startDir, currentDir)\n\n\t\t\tentries, err := client.ReadDir(\".\")\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Len(t, entries, 0)\n\n\t\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\t\ttestFileSize := int64(65535)\n\t\t\terr = createTestFile(testFilePath, testFileSize)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\t\tassert.NoError(t, err)\n\t\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\t\terr = sftpDownloadFile(testFileName, localDownloadPath, testFileSize, client)\n\t\t\tassert.NoError(t, err)\n\t\t\t_, err = client.Stat(testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.Rename(testFileName, testFileName+\"_rename\")\n\t\t\tassert.NoError(t, err)\n\n\t\t\tentries, err = client.ReadDir(\".\")\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Len(t, entries, 1)\n\n\t\t\tcurrentDir, err = client.RealPath(\"..\")\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, path.Dir(startDir), currentDir)\n\n\t\t\tcurrentDir, err = client.RealPath(\"../..\")\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, \"/\", currentDir)\n\n\t\t\tcurrentDir, err = client.RealPath(\"../../..\")\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, \"/\", currentDir)\n\n\t\t\terr = client.Remove(testFileName + \"_rename\")\n\t\t\tassert.NoError(t, err)\n\n\t\t\terr = os.Remove(testFilePath)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = os.Remove(localDownloadPath)\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginNonExistentUser(t *testing.T) {\n\tusePubKey := true\n\tuser := getTestUser(usePubKey)\n\t_, _, err := getSftpClient(user, usePubKey)\n\tassert.Error(t, err)\n}\n\nfunc TestRateLimiter(t *testing.T) {\n\toldConfig := config.GetCommonConfig()\n\n\tcfg := config.GetCommonConfig()\n\tcfg.RateLimitersConfig = []common.RateLimiterConfig{\n\t\t{\n\t\t\tAverage: 1,\n\t\t\tPeriod: 1000,\n\t\t\tBurst: 1,\n\t\t\tType: 1,\n\t\t\tProtocols: []string{common.ProtocolSSH},\n\t\t},\n\t}\n\n\terr := common.Initialize(cfg, 0)\n\tassert.NoError(t, err)\n\n\tusePubKey := false\n\tuser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t}\n\t_, _, err = getSftpClient(user, usePubKey)\n\tassert.Error(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\terr = common.Initialize(oldConfig, 0)\n\tassert.NoError(t, err)\n}\n\nfunc TestDefender(t *testing.T) {\n\toldConfig := config.GetCommonConfig()\n\n\tcfg := config.GetCommonConfig()\n\tcfg.DefenderConfig.Enabled = true\n\tcfg.DefenderConfig.Threshold = 3\n\tcfg.DefenderConfig.ScoreLimitExceeded = 2\n\tcfg.DefenderConfig.ScoreValid = 1\n\n\terr := common.Initialize(cfg, 0)\n\tassert.NoError(t, err)\n\n\tusePubKey := false\n\tuser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t}\n\n\tuser.Password = \"wrong_pwd\"\n\t_, _, err = getSftpClient(user, usePubKey)\n\tassert.Error(t, err)\n\thosts, _, err := httpdtest.GetDefenderHosts(http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Len(t, hosts, 1) {\n\t\thost := hosts[0]\n\t\tassert.Empty(t, host.GetBanTime())\n\t\tassert.Equal(t, 1, host.Score)\n\t}\n\n\tfor i := 0; i < 2; i++ {\n\t\t_, _, err = getSftpClient(user, usePubKey)\n\t\tassert.Error(t, err)\n\t}\n\n\tuser.Password = defaultPassword\n\t_, _, err = getSftpClient(user, usePubKey)\n\tassert.Error(t, err)\n\n\terr = dataprovider.DeleteUser(user.Username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\terr = common.Initialize(oldConfig, 0)\n\tassert.NoError(t, err)\n}\n\nfunc TestOpenReadWrite(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.QuotaSize = 6553600\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser(usePubKey)\n\tu.QuotaSize = 6553600\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\tconn, client, err := getSftpClient(user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tdefer conn.Close()\n\t\t\tdefer client.Close()\n\t\t\tsftpFile, err := client.OpenFile(testFileName, os.O_RDWR|os.O_CREATE|os.O_TRUNC)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\ttestData := []byte(\"sample test data\")\n\t\t\t\tn, err := sftpFile.Write(testData)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, len(testData), n)\n\t\t\t\tbuffer := make([]byte, 128)\n\t\t\t\tn, err = sftpFile.ReadAt(buffer, 1)\n\t\t\t\tassert.EqualError(t, err, io.EOF.Error())\n\t\t\t\tassert.Equal(t, len(testData)-1, n)\n\t\t\t\tassert.Equal(t, testData[1:], buffer[:n])\n\t\t\t\terr = sftpFile.Close()\n\t\t\t\tassert.NoError(t, err)\n\t\t\t}\n\t\t\tsftpFile, err = client.OpenFile(testFileName, os.O_RDWR|os.O_CREATE|os.O_TRUNC)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\ttestData := []byte(\"new test data\")\n\t\t\t\tn, err := sftpFile.Write(testData)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, len(testData), n)\n\t\t\t\tbuffer := make([]byte, 128)\n\t\t\t\tn, err = sftpFile.ReadAt(buffer, 1)\n\t\t\t\tassert.EqualError(t, err, io.EOF.Error())\n\t\t\t\tassert.Equal(t, len(testData)-1, n)\n\t\t\t\tassert.Equal(t, testData[1:], buffer[:n])\n\t\t\t\terr = sftpFile.Close()\n\t\t\t\tassert.NoError(t, err)\n\t\t\t}\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestOpenReadWritePerm(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\t// we cannot read inside \"/sub\", rename is needed otherwise the atomic upload will fail for the sftpfs user\n\tu.Permissions[\"/sub\"] = []string{dataprovider.PermUpload, dataprovider.PermListItems, dataprovider.PermRename}\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser(usePubKey)\n\tu.Permissions[\"/sub\"] = []string{dataprovider.PermUpload, dataprovider.PermListItems}\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\tconn, client, err := getSftpClient(user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tdefer conn.Close()\n\t\t\tdefer client.Close()\n\t\t\terr = client.Mkdir(\"sub\")\n\t\t\tassert.NoError(t, err)\n\t\t\tsftpFileName := path.Join(\"sub\", \"file.txt\")\n\t\t\tsftpFile, err := client.OpenFile(sftpFileName, os.O_RDWR|os.O_CREATE|os.O_TRUNC)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\ttestData := []byte(\"test data\")\n\t\t\t\tn, err := sftpFile.Write(testData)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, len(testData), n)\n\t\t\t\tbuffer := make([]byte, 128)\n\t\t\t\t_, err = sftpFile.ReadAt(buffer, 1)\n\t\t\t\tif assert.Error(t, err) {\n\t\t\t\t\tassert.Contains(t, strings.ToLower(err.Error()), \"permission denied\")\n\t\t\t\t}\n\t\t\t\terr = sftpFile.Close()\n\t\t\t\tassert.NoError(t, err)\n\t\t\t}\n\t\t\tif user.Username == defaultUsername {\n\t\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tuser.Password = defaultPassword\n\t\t\t\tuser.ID = 0\n\t\t\t\tuser.CreatedAt = 0\n\t\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\t\tassert.NoError(t, err, string(resp))\n\t\t\t}\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestConcurrency(t *testing.T) {\n\toldValue := common.Config.MaxPerHostConnections\n\tcommon.Config.MaxPerHostConnections = 0\n\n\tusePubKey := true\n\tnumLogins := 50\n\tu := getTestUser(usePubKey)\n\tu.QuotaFiles = numLogins + 1\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tvar wg sync.WaitGroup\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(262144)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\n\tvar closedConns atomic.Int32\n\tfor i := 0; i < numLogins; i++ {\n\t\twg.Add(1)\n\t\tgo func(counter int) {\n\t\t\tdefer wg.Done()\n\t\t\tdefer closedConns.Add(1)\n\n\t\t\tconn, client, err := getSftpClient(user, usePubKey)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\terr = sftpUploadFile(testFilePath, testFileName+strconv.Itoa(counter), testFileSize, client)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Greater(t, common.Connections.GetActiveSessions(defaultUsername), 0)\n\t\t\t\tclient.Close()\n\t\t\t\tconn.Close()\n\t\t\t}\n\t\t}(i)\n\t}\n\n\twg.Add(1)\n\tgo func() {\n\t\tdefer wg.Done()\n\n\t\tmaxConns := 0\n\t\tmaxSessions := 0\n\t\tfor {\n\t\t\tservedReqs := closedConns.Load()\n\t\t\tif servedReqs > 0 {\n\t\t\t\tstats := common.Connections.GetStats(\"\")\n\t\t\t\tif len(stats) > maxConns {\n\t\t\t\t\tmaxConns = len(stats)\n\t\t\t\t}\n\t\t\t\tactiveSessions := common.Connections.GetActiveSessions(defaultUsername)\n\t\t\t\tif activeSessions > maxSessions {\n\t\t\t\t\tmaxSessions = activeSessions\n\t\t\t\t}\n\t\t\t}\n\t\t\tif servedReqs >= int32(numLogins) {\n\t\t\t\tbreak\n\t\t\t}\n\t\t\ttime.Sleep(1 * time.Millisecond)\n\t\t}\n\t\tassert.Greater(t, maxConns, 0)\n\t\tassert.Greater(t, maxSessions, 0)\n\t}()\n\n\twg.Wait()\n\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tfiles, err := client.ReadDir(\".\")\n\t\tassert.NoError(t, err)\n\t\tassert.Len(t, files, numLogins)\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\n\tassert.Eventually(t, func() bool {\n\t\treturn common.Connections.GetActiveSessions(defaultUsername) == 0\n\t}, 1*time.Second, 50*time.Millisecond)\n\n\tassert.Eventually(t, func() bool {\n\t\treturn len(common.Connections.GetStats(\"\")) == 0\n\t}, 1*time.Second, 50*time.Millisecond)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tcommon.Config.MaxPerHostConnections = oldValue\n}\n\nfunc TestProxyProtocol(t *testing.T) {\n\tusePubKey := true\n\tuser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\t// remove the home dir to test auto creation\n\terr = os.RemoveAll(user.HomeDir)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClientWithAddr(user, usePubKey, sftpSrvAddr2222)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\t_, _, err = getSftpClientWithAddr(user, usePubKey, \"127.0.0.1:2224\")\n\tassert.Error(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestRealPath(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser(usePubKey)\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\tconn, client, err := getSftpClient(user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tp, err := client.RealPath(\"../..\")\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, \"/\", p)\n\t\t\tp, err = client.RealPath(\"../test\")\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, \"/test\", p)\n\t\t\tsubdir := \"testsubdir\"\n\t\t\terr = client.Mkdir(subdir)\n\t\t\tassert.NoError(t, err)\n\t\t\tlinkName := testFileName + \"_link\"\n\t\t\terr = client.Symlink(path.Join(\"/\", testFileName), path.Join(subdir, linkName))\n\t\t\tassert.NoError(t, err)\n\t\t\tp, err = client.RealPath(path.Join(subdir, linkName))\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, path.Join(\"/\", testFileName), p)\n\t\t\t// an existing path\n\t\t\tsftpFile, err := client.OpenFile(testFileName, os.O_RDWR|os.O_CREATE|os.O_TRUNC)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\ttestData := []byte(\"hello world\")\n\t\t\t\tn, err := sftpFile.WriteAt(testData, 0)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, len(testData), n)\n\t\t\t}\n\t\t\tp, err = client.RealPath(path.Join(subdir, linkName))\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, path.Join(\"/\", testFileName), p)\n\t\t\t// now a link outside the home dir\n\t\t\terr = os.Symlink(filepath.Clean(os.TempDir()), filepath.Join(localUser.GetHomeDir(), subdir, \"temp\"))\n\t\t\tassert.NoError(t, err)\n\t\t\t_, err = client.RealPath(path.Join(subdir, \"temp\"))\n\t\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\n\t\t\tconn.Close()\n\t\t\tclient.Close()\n\t\t\terr = os.Remove(filepath.Join(localUser.GetHomeDir(), subdir, \"temp\"))\n\t\t\tassert.NoError(t, err)\n\t\t\tif user.Username == localUser.Username {\n\t\t\t\terr = os.RemoveAll(filepath.Join(localUser.GetHomeDir(), subdir))\n\t\t\t\tassert.NoError(t, err)\n\t\t\t}\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestBufferedSFTP(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser(usePubKey)\n\tu.FsConfig.SFTPConfig.BufferSize = 2\n\tu.HomeDir = filepath.Join(os.TempDir(), u.Username)\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(sftpUser, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\tappendDataSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\tinitialHash, err := computeHashForFile(sha256.New(), testFilePath)\n\t\tassert.NoError(t, err)\n\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = appendToTestFile(testFilePath, appendDataSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadResumeFile(testFilePath, testFileName, testFileSize+appendDataSize, false, client)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_OP_UNSUPPORTED\")\n\t\t}\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = sftpDownloadFile(testFileName, localDownloadPath, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tdownloadedFileHash, err := computeHashForFile(sha256.New(), localDownloadPath)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, initialHash, downloadedFileHash)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\n\t\tsftpFile, err := client.OpenFile(testFileName, os.O_RDWR|os.O_CREATE|os.O_TRUNC)\n\t\tif assert.NoError(t, err) {\n\t\t\ttestData := []byte(\"sample test sftp data\")\n\t\t\tn, err := sftpFile.Write(testData)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, len(testData), n)\n\t\t\terr = sftpFile.Truncate(0)\n\t\t\tif assert.Error(t, err) {\n\t\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_OP_UNSUPPORTED\")\n\t\t\t}\n\t\t\terr = sftpFile.Truncate(4)\n\t\t\tif assert.Error(t, err) {\n\t\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_OP_UNSUPPORTED\")\n\t\t\t}\n\t\t\tbuffer := make([]byte, 128)\n\t\t\t_, err = sftpFile.Read(buffer)\n\t\t\tif assert.Error(t, err) {\n\t\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_OP_UNSUPPORTED\")\n\t\t\t}\n\t\t\terr = sftpFile.Close()\n\t\t\tassert.NoError(t, err)\n\t\t\tinfo, err := client.Stat(testFileName)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\tassert.Equal(t, int64(len(testData)), info.Size())\n\t\t\t}\n\t\t}\n\t\t// test WriteAt\n\t\tsftpFile, err = client.OpenFile(testFileName, os.O_RDWR|os.O_CREATE|os.O_TRUNC)\n\t\tif assert.NoError(t, err) {\n\t\t\ttestData := []byte(\"hello world\")\n\t\t\tn, err := sftpFile.WriteAt(testData[:6], 0)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, 6, n)\n\t\t\tn, err = sftpFile.WriteAt(testData[6:], 6)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, 5, n)\n\t\t\terr = sftpFile.Close()\n\t\t\tassert.NoError(t, err)\n\t\t\tinfo, err := client.Stat(testFileName)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\tassert.Equal(t, int64(len(testData)), info.Size())\n\t\t\t}\n\t\t}\n\t\t// test ReadAt\n\t\tsftpFile, err = client.OpenFile(testFileName, os.O_RDONLY)\n\t\tif assert.NoError(t, err) {\n\t\t\tbuffer := make([]byte, 128)\n\t\t\tn, err := sftpFile.ReadAt(buffer, 6)\n\t\t\tassert.ErrorIs(t, err, io.EOF)\n\t\t\tassert.Equal(t, 5, n)\n\t\t\tassert.Equal(t, []byte(\"world\"), buffer[:n])\n\t\t\terr = sftpFile.Close()\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t}\n\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(sftpUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestUploadResume(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser(usePubKey)\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestUser(usePubKey)\n\tu.FsConfig.OSConfig = sdk.OSFsConfig{\n\t\tWriteBufferSize: 1,\n\t\tReadBufferSize: 1,\n\t}\n\tu.Username += \"_buffered\"\n\tu.HomeDir += \"_with_buf\"\n\tbufferedUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tfor _, user := range []dataprovider.User{localUser, sftpUser, bufferedUser} {\n\t\tconn, client, err := getSftpClient(user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tdefer conn.Close()\n\t\t\tdefer client.Close()\n\t\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\t\ttestFileSize := int64(65535)\n\t\t\tappendDataSize := int64(65535)\n\t\t\terr = createTestFile(testFilePath, testFileSize)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = appendToTestFile(testFilePath, appendDataSize)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = sftpUploadResumeFile(testFilePath, testFileName, testFileSize+appendDataSize, false, client)\n\t\t\tassert.NoError(t, err)\n\t\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\t\terr = sftpDownloadFile(testFileName, localDownloadPath, testFileSize+appendDataSize, client)\n\t\t\tassert.NoError(t, err)\n\t\t\tinitialHash, err := computeHashForFile(sha256.New(), testFilePath)\n\t\t\tassert.NoError(t, err)\n\t\t\tdownloadedFileHash, err := computeHashForFile(sha256.New(), localDownloadPath)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, initialHash, downloadedFileHash)\n\t\t\terr = sftpUploadResumeFile(testFilePath, testFileName, testFileSize+appendDataSize, true, client)\n\t\t\tassert.Error(t, err, \"resume uploading file with invalid offset must fail\")\n\t\t\terr = os.Remove(testFilePath)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = os.Remove(localDownloadPath)\n\t\t\tassert.NoError(t, err)\n\t\t\tif user.Username == defaultUsername {\n\t\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tuser.Password = defaultPassword\n\t\t\t\tuser.ID = 0\n\t\t\t\tuser.CreatedAt = 0\n\t\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\t\tassert.NoError(t, err, string(resp))\n\t\t\t}\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(bufferedUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(bufferedUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestDirCommands(t *testing.T) {\n\tusePubKey := false\n\tuser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\t// remove the home dir to test auto creation\n\terr = os.RemoveAll(user.HomeDir)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = client.Mkdir(\"test1\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(\"test1\", \"test\")\n\t\tassert.NoError(t, err)\n\t\t// rename a missing file\n\t\terr = client.Rename(\"test1\", \"test2\")\n\t\tassert.Error(t, err)\n\t\t_, err = client.Lstat(\"/test1\")\n\t\tassert.Error(t, err, \"stat for renamed dir must not succeed\")\n\t\terr = client.PosixRename(\"test\", \"test1\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Remove(\"test1\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(\"/test/test1\")\n\t\tassert.Error(t, err, \"recursive mkdir must fail\")\n\t\terr = client.Mkdir(\"/test\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(\"/test/test1\")\n\t\tassert.NoError(t, err)\n\t\t_, err = client.ReadDir(\"/this/dir/does/not/exist\")\n\t\tassert.Error(t, err, \"reading a missing dir must fail\")\n\t\terr = client.RemoveDirectory(\"/test/test1\")\n\t\tassert.NoError(t, err)\n\t\terr = client.RemoveDirectory(\"/test\")\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Lstat(\"/test\")\n\t\tassert.Error(t, err, \"stat for deleted dir must not succeed\")\n\t\t_, err = client.Stat(\"/test\")\n\t\tassert.Error(t, err, \"stat for deleted dir must not succeed\")\n\t\terr = client.RemoveDirectory(\"/test\")\n\t\tassert.Error(t, err, \"remove missing path must fail\")\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestRemove(t *testing.T) {\n\tusePubKey := true\n\tuser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = client.Mkdir(\"test\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(\"/test/test1\")\n\t\tassert.NoError(t, err)\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(\"/test\", testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Remove(\"/test\")\n\t\tassert.Error(t, err, \"remove non empty dir must fail\")\n\t\terr = client.RemoveDirectory(path.Join(\"/test\", testFileName))\n\t\tassert.Error(t, err, \"remove a file with rmdir must fail\")\n\t\terr = client.Remove(path.Join(\"/test\", testFileName))\n\t\tassert.NoError(t, err)\n\t\terr = client.Remove(path.Join(\"/test\", testFileName))\n\t\tassert.Error(t, err, \"remove missing file must fail\")\n\t\terr = client.Remove(\"/test/test1\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Remove(\"/test\")\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestLink(t *testing.T) {\n\tusePubKey := false\n\tuser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Symlink(testFileName, testFileName+\".link\")\n\t\tassert.NoError(t, err)\n\t\tlinkName, err := client.ReadLink(testFileName + \".link\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, path.Join(\"/\", testFileName), linkName)\n\t\terr = client.Symlink(testFileName, testFileName+\".link\")\n\t\tassert.Error(t, err, \"creating a symlink to an existing one must fail\")\n\t\terr = client.Link(testFileName, testFileName+\".hlink\")\n\t\tassert.Error(t, err, \"hard link is not supported and must fail\")\n\t\terr = client.Remove(testFileName + \".link\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestStat(t *testing.T) {\n\tusePubKey := false\n\tlocalUser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\tsftpUser, _, err := httpdtest.AddUser(getTestSFTPUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\tconn, client, err := getSftpClient(user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tdefer conn.Close()\n\t\t\tdefer client.Close()\n\t\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\t\ttestFileSize := int64(65535)\n\t\t\terr = createTestFile(testFilePath, testFileSize)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\t\tassert.NoError(t, err)\n\t\t\t_, err := client.Lstat(testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t\t_, err = client.Stat(testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t\t// stat a missing path we should get an fs.ErrNotExist error\n\t\t\t_, err = client.Stat(\"missing path\")\n\t\t\tassert.True(t, errors.Is(err, fs.ErrNotExist))\n\t\t\t_, err = client.Lstat(\"missing path\")\n\t\t\tassert.True(t, errors.Is(err, fs.ErrNotExist))\n\t\t\t// mode 0666 and 0444 works on Windows too\n\t\t\tnewPerm := os.FileMode(0666)\n\t\t\terr = client.Chmod(testFileName, newPerm)\n\t\t\tassert.NoError(t, err)\n\t\t\tnewFi, err := client.Lstat(testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, newPerm, newFi.Mode().Perm())\n\t\t\tnewPerm = os.FileMode(0444)\n\t\t\terr = client.Chmod(testFileName, newPerm)\n\t\t\tassert.NoError(t, err)\n\t\t\tnewFi, err = client.Lstat(testFileName)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\tassert.Equal(t, newPerm, newFi.Mode().Perm())\n\t\t\t}\n\t\t\t_, err = client.ReadLink(testFileName)\n\t\t\tassert.Error(t, err, \"readlink on a file must fail\")\n\t\t\tsymlinkName := testFileName + \".sym\"\n\t\t\terr = client.Symlink(testFileName, symlinkName)\n\t\t\tassert.NoError(t, err)\n\t\t\tinfo, err := client.Lstat(symlinkName)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\tassert.True(t, info.Mode()&os.ModeSymlink != 0)\n\t\t\t}\n\t\t\tinfo, err = client.Stat(symlinkName)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\tassert.False(t, info.Mode()&os.ModeSymlink != 0)\n\t\t\t}\n\t\t\tlinkName, err := client.ReadLink(symlinkName)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, path.Join(\"/\", testFileName), linkName)\n\t\t\tnewPerm = os.FileMode(0666)\n\t\t\terr = client.Chmod(testFileName, newPerm)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.Truncate(testFileName, 100)\n\t\t\tassert.NoError(t, err)\n\t\t\tfi, err := client.Stat(testFileName)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\tassert.Equal(t, int64(100), fi.Size())\n\t\t\t}\n\t\t\tf, err := client.OpenFile(testFileName, os.O_WRONLY)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\terr = f.Truncate(5)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\terr = f.Close()\n\t\t\t\tassert.NoError(t, err)\n\t\t\t}\n\t\t\tf, err = client.OpenFile(testFileName, os.O_WRONLY)\n\t\t\tnewPerm = os.FileMode(0444)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\terr = f.Chmod(newPerm)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\terr = f.Close()\n\t\t\t\tassert.NoError(t, err)\n\t\t\t}\n\t\t\tnewFi, err = client.Lstat(testFileName)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\tassert.Equal(t, newPerm, newFi.Mode().Perm())\n\t\t\t}\n\t\t\tnewPerm = os.FileMode(0666)\n\t\t\terr = client.Chmod(testFileName, newPerm)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = os.Remove(testFilePath)\n\t\t\tassert.NoError(t, err)\n\t\t\tif user.Username == defaultUsername {\n\t\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tuser.Password = defaultPassword\n\t\t\t\tuser.ID = 0\n\t\t\t\tuser.CreatedAt = 0\n\t\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\t\tassert.NoError(t, err, string(resp))\n\t\t\t}\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestStatChownChmod(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"chown is not supported on Windows, chmod is partially supported\")\n\t}\n\tusePubKey := true\n\tlocalUser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\tsftpUser, _, err := httpdtest.AddUser(getTestSFTPUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\tconn, client, err := getSftpClient(user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tdefer conn.Close()\n\t\t\tdefer client.Close()\n\t\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\t\ttestFileSize := int64(65535)\n\t\t\terr = createTestFile(testFilePath, testFileSize)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.Chown(testFileName, os.Getuid(), os.Getgid())\n\t\t\tassert.NoError(t, err)\n\t\t\tnewPerm := os.FileMode(0600)\n\t\t\terr = client.Chmod(testFileName, newPerm)\n\t\t\tassert.NoError(t, err)\n\t\t\tnewFi, err := client.Lstat(testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, newPerm, newFi.Mode().Perm())\n\t\t\terr = client.Remove(testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.Chmod(testFileName, newPerm)\n\t\t\tassert.EqualError(t, err, os.ErrNotExist.Error())\n\t\t\terr = client.Chown(testFileName, os.Getuid(), os.Getgid())\n\t\t\tassert.EqualError(t, err, os.ErrNotExist.Error())\n\t\t\terr = os.Remove(testFilePath)\n\t\t\tassert.NoError(t, err)\n\t\t\tif user.Username == defaultUsername {\n\t\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tuser.Password = defaultPassword\n\t\t\t\tuser.ID = 0\n\t\t\t\tuser.CreatedAt = 0\n\t\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\t\tassert.NoError(t, err, string(resp))\n\t\t\t}\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSFTPFsLoginWrongFingerprint(t *testing.T) {\n\tusePubKey := true\n\tlocalUser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\tsftpUser, _, err := httpdtest.AddUser(getTestSFTPUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tconn, client, err := getSftpClient(sftpUser, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t}\n\n\tsftpUser.FsConfig.SFTPConfig.Fingerprints = append(sftpUser.FsConfig.SFTPConfig.Fingerprints, \"wrong\")\n\t_, _, err = httpdtest.UpdateUser(sftpUser, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(sftpUser, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t}\n\n\tout, err := runSSHCommand(\"md5sum\", sftpUser, usePubKey)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(out), \"d41d8cd98f00b204e9800998ecf8427e\")\n\n\tsftpUser.FsConfig.SFTPConfig.Fingerprints = []string{\"wrong\"}\n\t_, _, err = httpdtest.UpdateUser(sftpUser, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(sftpUser, usePubKey)\n\tif !assert.Error(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t}\n\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestChtimes(t *testing.T) {\n\tusePubKey := false\n\tlocalUser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\tsftpUser, _, err := httpdtest.AddUser(getTestSFTPUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\tconn, client, err := getSftpClient(user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tdefer conn.Close()\n\t\t\tdefer client.Close()\n\t\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\t\ttestFileSize := int64(65535)\n\t\t\ttestDir := \"test\" //nolint:goconst\n\t\t\terr = createTestFile(testFilePath, testFileSize)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\t\tassert.NoError(t, err)\n\t\t\tacmodTime := time.Now()\n\t\t\terr = client.Chtimes(testFileName, acmodTime, acmodTime)\n\t\t\tassert.NoError(t, err)\n\t\t\tnewFi, err := client.Lstat(testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t\tdiff := math.Abs(newFi.ModTime().Sub(acmodTime).Seconds())\n\t\t\tassert.LessOrEqual(t, diff, float64(1))\n\t\t\terr = client.Chtimes(\"invalidFile\", acmodTime, acmodTime)\n\t\t\tassert.EqualError(t, err, os.ErrNotExist.Error())\n\t\t\terr = client.Mkdir(testDir)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.Chtimes(testDir, acmodTime, acmodTime)\n\t\t\tassert.NoError(t, err)\n\t\t\tnewFi, err = client.Lstat(testDir)\n\t\t\tassert.NoError(t, err)\n\t\t\tdiff = math.Abs(newFi.ModTime().Sub(acmodTime).Seconds())\n\t\t\tassert.LessOrEqual(t, diff, float64(1))\n\t\t\terr = os.Remove(testFilePath)\n\t\t\tassert.NoError(t, err)\n\t\t\tif user.Username == defaultUsername {\n\t\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tuser.Password = defaultPassword\n\t\t\t\tuser.ID = 0\n\t\t\t\tuser.CreatedAt = 0\n\t\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\t\tassert.NoError(t, err, string(resp))\n\t\t\t}\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\n// basic tests to verify virtual chroot, should be improved to cover more cases ...\nfunc TestEscapeHomeDir(t *testing.T) {\n\tusePubKey := true\n\tuser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\tdirOutsideHome := filepath.Join(homeBasePath, defaultUsername+\"1\", \"dir\")\n\terr = os.MkdirAll(dirOutsideHome, os.ModePerm)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t\ttestDir := \"testDir\" //nolint:goconst\n\t\tlinkPath := filepath.Join(homeBasePath, defaultUsername, testDir)\n\t\terr = os.Symlink(homeBasePath, linkPath)\n\t\tassert.NoError(t, err)\n\t\t_, err = client.ReadDir(testDir)\n\t\tassert.Error(t, err, \"reading a symbolic link outside home dir should not succeeded\")\n\t\terr = os.Remove(linkPath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Symlink(dirOutsideHome, linkPath)\n\t\tassert.NoError(t, err)\n\t\t_, err := client.ReadDir(testDir)\n\t\tassert.Error(t, err, \"reading a symbolic link outside home dir should not succeeded\")\n\t\terr = client.Chmod(path.Join(testDir, \"sub\", \"dir\"), os.ModePerm)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\tassert.Error(t, err, \"setstat on a file outside home dir must fail\")\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\tremoteDestPath := path.Join(\"..\", \"..\", testFileName)\n\t\terr = sftpUploadFile(testFilePath, remoteDestPath, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Lstat(testFileName)\n\t\tassert.NoError(t, err)\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t\tlinkPath = filepath.Join(homeBasePath, defaultUsername, testFileName)\n\t\terr = os.Symlink(homeBasePath, linkPath)\n\t\tassert.NoError(t, err)\n\t\terr = sftpDownloadFile(testFileName, testFilePath, 0, client)\n\t\tassert.Error(t, err, \"download file outside home dir must fail\")\n\t\terr = sftpUploadFile(testFilePath, remoteDestPath, testFileSize, client)\n\t\tassert.Error(t, err, \"overwrite a file outside home dir must fail\")\n\t\terr = client.Chmod(remoteDestPath, 0644)\n\t\tassert.Error(t, err, \"setstat on a file outside home dir must fail\")\n\t\terr = os.Remove(linkPath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(filepath.Join(homeBasePath, defaultUsername+\"1\"))\n\tassert.NoError(t, err)\n}\n\nfunc TestEscapeSFTPFsPrefix(t *testing.T) {\n\tusePubKey := false\n\tlocalUser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\tu := getTestSFTPUser(usePubKey)\n\tsftpPrefix := \"/prefix\"\n\toutPrefix1 := \"/pre\"\n\toutPrefix2 := sftpPrefix + \"1\"\n\tout1 := \"out1\"\n\tout2 := \"out2\"\n\tu.FsConfig.SFTPConfig.Prefix = sftpPrefix\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(localUser, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = client.Mkdir(sftpPrefix)\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(outPrefix1)\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(outPrefix2)\n\t\tassert.NoError(t, err)\n\t\terr = client.Symlink(outPrefix1, path.Join(sftpPrefix, out1))\n\t\tassert.NoError(t, err)\n\t\terr = client.Symlink(outPrefix2, path.Join(sftpPrefix, out2))\n\t\tassert.NoError(t, err)\n\t}\n\n\tconn, client, err = getSftpClient(sftpUser, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tcontents, err := client.ReadDir(\"/\")\n\t\tassert.NoError(t, err)\n\t\tassert.Len(t, contents, 2)\n\t\t_, err = client.ReadDir(out1)\n\t\tassert.Error(t, err)\n\t\t_, err = client.ReadDir(out2)\n\t\tassert.Error(t, err)\n\t\terr = client.Mkdir(path.Join(out1, \"subout1\"))\n\t\tassert.Error(t, err)\n\t\terr = client.Mkdir(path.Join(out2, \"subout2\"))\n\t\tassert.Error(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestGetMimeTypeSFTPFs(t *testing.T) {\n\tusePubKey := false\n\tlocalUser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\tsftpUser, _, err := httpdtest.AddUser(getTestSFTPUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(localUser, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tsftpFile, err := client.OpenFile(testFileName, os.O_RDWR|os.O_CREATE|os.O_TRUNC)\n\t\tif assert.NoError(t, err) {\n\t\t\ttestData := []byte(\"some UTF-8 text so we should get a text/plain mime type\")\n\t\t\tn, err := sftpFile.Write(testData)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, len(testData), n)\n\t\t\terr = sftpFile.Close()\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t}\n\n\tsftpUser.FsConfig.SFTPConfig.Password = kms.NewPlainSecret(defaultPassword)\n\tsftpUser.FsConfig.SFTPConfig.PrivateKey = kms.NewEmptySecret()\n\tfs, err := sftpUser.GetFilesystem(\"connID\")\n\tif assert.NoError(t, err) {\n\t\tassert.True(t, vfs.IsSFTPFs(fs))\n\t\tmime, err := fs.GetMimeType(testFileName)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, \"text/plain; charset=utf-8\", mime)\n\t}\n\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestHomeSpecialChars(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.HomeDir = filepath.Join(homeBasePath, \"abc açà#&%lk\")\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tfiles, err := client.ReadDir(\".\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, len(files))\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestLogin(t *testing.T) {\n\tu := getTestUser(false)\n\tu.PublicKeys = []string{testPubKey}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, false)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Greater(t, user.LastLogin, int64(0), \"last login must be updated after a successful login: %v\", user.LastLogin)\n\t}\n\tconn, client, err = getSftpClient(user, true)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\tuser.Password = \"invalid password\"\n\tconn, client, err = getSftpClient(user, false)\n\tif !assert.Error(t, err, \"login with invalid password must fail\") {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\t// testPubKey1 is not authorized\n\tuser.PublicKeys = []string{testPubKey1}\n\tuser.Password = \"\"\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user, true)\n\tif !assert.Error(t, err, \"login with invalid public key must fail\") {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t}\n\t// login a user with multiple public keys, only the second one is valid\n\tuser.PublicKeys = []string{testPubKey1, testPubKey}\n\tuser.Password = \"\"\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user, true)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginUserCert(t *testing.T) {\n\tu := getTestUser(true)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\t// try login using a cert signed from a trusted CA\n\tsigner, err := getSignerForUserCert([]byte(testCertValid))\n\tassert.NoError(t, err)\n\tconn, client, err := getCustomAuthSftpClient(user, []ssh.AuthMethod{ssh.PublicKeys(signer)}, \"\")\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\t// revoke the certificate\n\tcerts := []string{\"SHA256:OkxVB1ImSJ2XeI8nA2Wg+6zJVlxdevD1FYBSEJjFEN4\"}\n\tdata, err := json.Marshal(certs)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(revokeUserCerts, data, 0644)\n\tassert.NoError(t, err)\n\terr = sftpd.Reload()\n\tassert.NoError(t, err)\n\tconn, client, err = getCustomAuthSftpClient(user, []ssh.AuthMethod{ssh.PublicKeys(signer)}, \"\")\n\tif !assert.Error(t, err) {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\t// if we remove the revoked certificate login should work again\n\tcerts = []string{\"SHA256:bsBRHC/xgiqBJdSuvSTNpJNLTISP/G356jNMCRYC5Es, SHA256:1kxVB1ImSJ2XeI8nA2Wg+6zJVlxdevD1FYBSEJjFEN4\"}\n\tdata, err = json.Marshal(certs)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(revokeUserCerts, data, 0644)\n\tassert.NoError(t, err)\n\terr = sftpd.Reload()\n\tassert.NoError(t, err)\n\tconn, client, err = getCustomAuthSftpClient(user, []ssh.AuthMethod{ssh.PublicKeys(signer)}, \"\")\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\n\t// try login using a cert signed from an untrusted CA\n\tsigner, err = getSignerForUserCert([]byte(testCertUntrustedCA))\n\tassert.NoError(t, err)\n\tconn, client, err = getCustomAuthSftpClient(user, []ssh.AuthMethod{ssh.PublicKeys(signer)}, \"\")\n\tif !assert.Error(t, err) {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\t// try login using an host certificate instead of an user certificate\n\tsigner, err = getSignerForUserCert([]byte(testHostCert))\n\tassert.NoError(t, err)\n\tconn, client, err = getCustomAuthSftpClient(user, []ssh.AuthMethod{ssh.PublicKeys(signer)}, \"\")\n\tif !assert.Error(t, err) {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\t// try login using a user certificate with an authorized source address different from localhost\n\tsigner, err = getSignerForUserCert([]byte(testCertOtherSourceAddress))\n\tassert.NoError(t, err)\n\tconn, client, err = getCustomAuthSftpClient(user, []ssh.AuthMethod{ssh.PublicKeys(signer)}, \"\")\n\tif !assert.Error(t, err) {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\t// try login using an expired certificate\n\tsigner, err = getSignerForUserCert([]byte(testCertExpired))\n\tassert.NoError(t, err)\n\tconn, client, err = getCustomAuthSftpClient(user, []ssh.AuthMethod{ssh.PublicKeys(signer)}, \"\")\n\tif !assert.Error(t, err) {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\t// try login using a certificate with no principals\n\tsigner, err = getSignerForUserCert([]byte(testCertNoPrincipals))\n\tassert.NoError(t, err)\n\tconn, client, err = getCustomAuthSftpClient(user, []ssh.AuthMethod{ssh.PublicKeys(signer)}, \"\")\n\tif !assert.Error(t, err) {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\t// the user does not exist\n\tsigner, err = getSignerForUserCert([]byte(testCertValid))\n\tassert.NoError(t, err)\n\tconn, client, err = getCustomAuthSftpClient(user, []ssh.AuthMethod{ssh.PublicKeys(signer)}, \"\")\n\tif !assert.Error(t, err) {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\n\t// now login with a username not in the set of valid principals for the given certificate\n\tu.Username += \"1\"\n\tuser, _, err = httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tsigner, err = getSignerForUserCert([]byte(testCertValid))\n\tassert.NoError(t, err)\n\tconn, client, err = getCustomAuthSftpClient(user, []ssh.AuthMethod{ssh.PublicKeys(signer)}, \"\")\n\tif !assert.Error(t, err) {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\n\terr = os.WriteFile(revokeUserCerts, []byte(`[]`), 0644)\n\tassert.NoError(t, err)\n\terr = sftpd.Reload()\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestMultiStepLoginKeyAndPwd(t *testing.T) {\n\tu := getTestUser(true)\n\tu.Password = defaultPassword\n\tu.Filters.DeniedLoginMethods = append(u.Filters.DeniedLoginMethods, []string{\n\t\tdataprovider.SSHLoginMethodKeyAndKeyboardInt,\n\t\tdataprovider.SSHLoginMethodPublicKey,\n\t\tdataprovider.LoginMethodPassword,\n\t\tdataprovider.SSHLoginMethodKeyboardInteractive,\n\t}...)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, true)\n\tif !assert.Error(t, err, \"login with public key is disallowed and must fail\") {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\tconn, client, err = getSftpClient(user, true)\n\tif !assert.Error(t, err, \"login with password is disallowed and must fail\") {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\tsigner, _ := ssh.ParsePrivateKey([]byte(testPrivateKey))\n\tauthMethods := []ssh.AuthMethod{\n\t\tssh.PublicKeys(signer),\n\t\tssh.Password(defaultPassword),\n\t}\n\tconn, client, err = getCustomAuthSftpClient(user, authMethods, \"\")\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\tconn, client, err = getCustomAuthSftpClient(user, authMethods, sftpSrvAddr2222)\n\tif !assert.Error(t, err, \"password auth is disabled on port 2222, multi-step auth must fail\") {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\tauthMethods = []ssh.AuthMethod{\n\t\tssh.Password(defaultPassword),\n\t\tssh.PublicKeys(signer),\n\t}\n\t_, _, err = getCustomAuthSftpClient(user, authMethods, \"\")\n\tassert.Error(t, err, \"multi step auth login with wrong order must fail\")\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestMultiStepLoginKeyAndKeyInt(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tu := getTestUser(true)\n\tu.Password = defaultPassword\n\tu.Filters.DeniedLoginMethods = append(u.Filters.DeniedLoginMethods, []string{\n\t\tdataprovider.SSHLoginMethodKeyAndPassword,\n\t\tdataprovider.SSHLoginMethodPublicKey,\n\t\tdataprovider.LoginMethodPassword,\n\t\tdataprovider.SSHLoginMethodKeyboardInteractive,\n\t}...)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(keyIntAuthPath, getKeyboardInteractiveScriptContent([]string{\"1\", \"2\"}, 0, false, 1), os.ModePerm)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, true)\n\tif !assert.Error(t, err, \"login with public key is disallowed and must fail\") {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\n\tsigner, _ := ssh.ParsePrivateKey([]byte(testPrivateKey))\n\tauthMethods := []ssh.AuthMethod{\n\t\tssh.PublicKeys(signer),\n\t\tssh.KeyboardInteractive(func(_, _ string, _ []string, _ []bool) ([]string, error) {\n\t\t\treturn []string{\"1\", \"2\"}, nil\n\t\t}),\n\t}\n\tconn, client, err = getCustomAuthSftpClient(user, authMethods, \"\")\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\tconn, client, err = getCustomAuthSftpClient(user, authMethods, sftpSrvAddr2222)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\tauthMethods = []ssh.AuthMethod{\n\t\tssh.KeyboardInteractive(func(_, _ string, _ []string, _ []bool) ([]string, error) {\n\t\t\treturn []string{\"1\", \"2\"}, nil\n\t\t}),\n\t\tssh.PublicKeys(signer),\n\t}\n\t_, _, err = getCustomAuthSftpClient(user, authMethods, \"\")\n\tassert.Error(t, err, \"multi step auth login with wrong order must fail\")\n\n\tauthMethods = []ssh.AuthMethod{\n\t\tssh.PublicKeys(signer),\n\t\tssh.Password(defaultPassword),\n\t}\n\t_, _, err = getCustomAuthSftpClient(user, authMethods, \"\")\n\tassert.Error(t, err, \"multi step auth login with wrong method must fail\")\n\n\tuser.Filters.DeniedLoginMethods = nil\n\tuser.Filters.DeniedLoginMethods = append(user.Filters.DeniedLoginMethods, []string{\n\t\tdataprovider.SSHLoginMethodKeyAndKeyboardInt,\n\t\tdataprovider.SSHLoginMethodPublicKey,\n\t\tdataprovider.LoginMethodPassword,\n\t\tdataprovider.SSHLoginMethodKeyboardInteractive,\n\t}...)\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\t_, _, err = getCustomAuthSftpClient(user, authMethods, sftpSrvAddr2222)\n\tassert.Error(t, err)\n\tconn, client, err = getCustomAuthSftpClient(user, authMethods, \"\")\n\tif assert.NoError(t, err) {\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestMultiStepLoginCertAndPwd(t *testing.T) {\n\tu := getTestUser(true)\n\tu.Password = defaultPassword\n\tu.Filters.DeniedLoginMethods = append(u.Filters.DeniedLoginMethods, []string{\n\t\tdataprovider.SSHLoginMethodKeyAndKeyboardInt,\n\t\tdataprovider.SSHLoginMethodPublicKey,\n\t\tdataprovider.LoginMethodPassword,\n\t\tdataprovider.SSHLoginMethodKeyboardInteractive,\n\t}...)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tsigner, err := getSignerForUserCert([]byte(testCertValid))\n\tassert.NoError(t, err)\n\tauthMethods := []ssh.AuthMethod{\n\t\tssh.PublicKeys(signer),\n\t\tssh.Password(defaultPassword),\n\t}\n\tconn, client, err := getCustomAuthSftpClient(user, authMethods, \"\")\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\n\tsigner, err = getSignerForUserCert([]byte(testCertOtherSourceAddress))\n\tassert.NoError(t, err)\n\tauthMethods = []ssh.AuthMethod{\n\t\tssh.PublicKeys(signer),\n\t\tssh.Password(defaultPassword),\n\t}\n\tconn, client, err = getCustomAuthSftpClient(user, authMethods, \"\")\n\tif !assert.Error(t, err) {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginUserStatus(t *testing.T) {\n\tusePubKey := true\n\tuser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Greater(t, user.LastLogin, int64(0), \"last login must be updated after a successful login: %v\", user.LastLogin)\n\t}\n\tuser.Status = 0\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user, usePubKey)\n\tif !assert.Error(t, err, \"login for a disabled user must fail\") {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginUserExpiration(t *testing.T) {\n\tusePubKey := true\n\tuser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Greater(t, user.LastLogin, int64(0), \"last login must be updated after a successful login: %v\", user.LastLogin)\n\t}\n\tuser.ExpirationDate = util.GetTimeAsMsSinceEpoch(time.Now()) - 120000\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user, usePubKey)\n\tif !assert.Error(t, err, \"login for an expired user must fail\") {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\tuser.ExpirationDate = util.GetTimeAsMsSinceEpoch(time.Now()) + 120000\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginWithDatabaseCredentials(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.FsConfig.Provider = sdk.GCSFilesystemProvider\n\tu.FsConfig.GCSConfig.Bucket = \"testbucket\"\n\tu.FsConfig.GCSConfig.Credentials = kms.NewPlainSecret(`{ \"type\": \"service_account\", \"private_key\": \" \", \"client_email\": \"example@iam.gserviceaccount.com\" }`)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.GCSConfig.Credentials.GetStatus())\n\tassert.NotEmpty(t, user.FsConfig.GCSConfig.Credentials.GetPayload())\n\tassert.Empty(t, user.FsConfig.GCSConfig.Credentials.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.GCSConfig.Credentials.GetKey())\n\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginInvalidFs(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.FsConfig.Provider = sdk.GCSFilesystemProvider\n\tu.FsConfig.GCSConfig.Bucket = \"test\"\n\tu.FsConfig.GCSConfig.Credentials = kms.NewPlainSecret(\"invalid JSON for credentials\")\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif !assert.Error(t, err, \"login must fail, the user has an invalid filesystem config\") {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestDeniedProtocols(t *testing.T) {\n\tu := getTestUser(true)\n\tu.Filters.DeniedProtocols = []string{common.ProtocolSSH}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, true)\n\tif !assert.Error(t, err, \"SSH protocol is disabled, authentication must fail\") {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\tuser.Filters.DeniedProtocols = []string{common.ProtocolFTP, common.ProtocolWebDAV}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user, true)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestDeniedLoginMethods(t *testing.T) {\n\tu := getTestUser(true)\n\tu.Filters.DeniedLoginMethods = []string{dataprovider.SSHLoginMethodPublicKey, dataprovider.LoginMethodPassword}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, true)\n\tif !assert.Error(t, err, \"public key login is disabled, authentication must fail\") {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\tuser.Filters.DeniedLoginMethods = []string{dataprovider.SSHLoginMethodKeyboardInteractive, dataprovider.LoginMethodPassword}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user, true)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\tuser.Password = defaultPassword\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\tconn, client, err = getSftpClient(user, false)\n\tif !assert.Error(t, err, \"password login is disabled, authentication must fail\") {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\tuser.Filters.DeniedLoginMethods = []string{dataprovider.SSHLoginMethodKeyboardInteractive, dataprovider.SSHLoginMethodPublicKey}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user, false)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginWithIPFilters(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.Filters.DeniedIP = []string{\"192.167.0.0/24\", \"172.18.0.0/16\"}\n\tu.Filters.AllowedIP = []string{}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Greater(t, user.LastLogin, int64(0), \"last login must be updated after a successful login: %v\", user.LastLogin)\n\t}\n\tuser.Filters.AllowedIP = []string{\"127.0.0.0/8\"}\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\tuser.Filters.AllowedIP = []string{\"172.19.0.0/16\"}\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user, usePubKey)\n\tif !assert.Error(t, err, \"login from an not allowed IP must fail\") {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginEmptyPassword(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.Password = \"\"\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser.Password = \"empty\"\n\t_, _, err = getSftpClient(user, usePubKey)\n\tassert.Error(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginAnonymousUser(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.Password = \"\"\n\tu.Filters.IsAnonymous = true\n\t_, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.Error(t, err)\n\tuser, _, err := httpdtest.GetUserByUsername(u.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, user.Filters.IsAnonymous)\n\tassert.Equal(t, []string{dataprovider.PermListItems, dataprovider.PermDownload}, user.Permissions[\"/\"])\n\tassert.Equal(t, []string{common.ProtocolSSH, common.ProtocolHTTP}, user.Filters.DeniedProtocols)\n\tassert.Equal(t, []string{dataprovider.SSHLoginMethodPublicKey, dataprovider.SSHLoginMethodPassword,\n\t\tdataprovider.SSHLoginMethodKeyboardInteractive, dataprovider.SSHLoginMethodKeyAndPassword,\n\t\tdataprovider.SSHLoginMethodKeyAndKeyboardInt, dataprovider.LoginMethodTLSCertificate,\n\t\tdataprovider.LoginMethodTLSCertificateAndPwd}, user.Filters.DeniedLoginMethods)\n\t_, _, err = getSftpClient(user, usePubKey)\n\tassert.Error(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestAnonymousGroupInheritance(t *testing.T) {\n\tg := getTestGroup()\n\tg.UserSettings.Filters.IsAnonymous = true\n\tgroup, _, err := httpdtest.AddGroup(g, http.StatusCreated)\n\tassert.NoError(t, err)\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: group.Name,\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\t_, _, err = getSftpClient(user, usePubKey)\n\tassert.Error(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginAfterUserUpdateEmptyPwd(t *testing.T) {\n\tusePubKey := false\n\tuser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser.Password = \"\"\n\t// password should remain unchanged\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginKeyboardInteractiveAuth(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tuser, _, err := httpdtest.AddUser(getTestUser(false), http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(keyIntAuthPath, getKeyboardInteractiveScriptContent([]string{\"1\", \"2\"}, 0, false, 1), os.ModePerm)\n\tassert.NoError(t, err)\n\tconn, client, err := getKeyboardInteractiveSftpClient(user, []string{\"1\", \"2\"})\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\tuser.Status = 0\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getKeyboardInteractiveSftpClient(user, []string{\"1\", \"2\"})\n\tif !assert.Error(t, err, \"keyboard interactive auth must fail the user is disabled\") {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\tuser.Status = 1\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\terr = os.WriteFile(keyIntAuthPath, getKeyboardInteractiveScriptContent([]string{\"1\", \"2\"}, 0, false, -1), os.ModePerm)\n\tassert.NoError(t, err)\n\tconn, client, err = getKeyboardInteractiveSftpClient(user, []string{\"1\", \"2\"})\n\tif !assert.Error(t, err, \"keyboard interactive auth must fail the script returned -1\") {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\terr = os.WriteFile(keyIntAuthPath, getKeyboardInteractiveScriptContent([]string{\"1\", \"2\"}, 0, true, 1), os.ModePerm)\n\tassert.NoError(t, err)\n\tconn, client, err = getKeyboardInteractiveSftpClient(user, []string{\"1\", \"2\"})\n\tif !assert.Error(t, err, \"keyboard interactive auth must fail the script returned bad json\") {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\terr = os.WriteFile(keyIntAuthPath, getKeyboardInteractiveScriptContent([]string{\"1\", \"2\"}, 5, true, 1), os.ModePerm)\n\tassert.NoError(t, err)\n\tconn, client, err = getKeyboardInteractiveSftpClient(user, []string{\"1\", \"2\"})\n\tif !assert.Error(t, err, \"keyboard interactive auth must fail the script returned bad json\") {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestInteractiveLoginWithPasscode(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tuser, _, err := httpdtest.AddUser(getTestUser(false), http.StatusCreated)\n\tassert.NoError(t, err)\n\t// test password check\n\terr = os.WriteFile(keyIntAuthPath, getKeyboardInteractiveScriptForBuiltinChecks(false, 1), os.ModePerm)\n\tassert.NoError(t, err)\n\tconn, client, err := getKeyboardInteractiveSftpClient(user, []string{defaultPassword})\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\t// wrong password\n\t_, _, err = getKeyboardInteractiveSftpClient(user, []string{\"wrong_password\"})\n\tassert.Error(t, err)\n\t// correct password but the script returns an error\n\terr = os.WriteFile(keyIntAuthPath, getKeyboardInteractiveScriptForBuiltinChecks(false, 0), os.ModePerm)\n\tassert.NoError(t, err)\n\t_, _, err = getKeyboardInteractiveSftpClient(user, []string{\"wrong_password\"})\n\tassert.Error(t, err)\n\t// add multi-factor authentication\n\tconfigName, key, _, err := mfa.GenerateTOTPSecret(mfa.GetAvailableTOTPConfigNames()[0], user.Username)\n\tassert.NoError(t, err)\n\tuser.Password = defaultPassword\n\tuser.Filters.TOTPConfig = dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: kms.NewPlainSecret(key.Secret()),\n\t\tProtocols: []string{common.ProtocolSSH},\n\t}\n\terr = dataprovider.UpdateUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tpasscode, err := totp.GenerateCodeCustom(key.Secret(), time.Now(), totp.ValidateOpts{\n\t\tPeriod: 30,\n\t\tSkew: 1,\n\t\tDigits: otp.DigitsSix,\n\t\tAlgorithm: otp.AlgorithmSHA1,\n\t})\n\tassert.NoError(t, err)\n\terr = os.WriteFile(keyIntAuthPath, getKeyboardInteractiveScriptForBuiltinChecks(true, 1), os.ModePerm)\n\tassert.NoError(t, err)\n\n\tpasswordAsked := false\n\tpasscodeAsked := false\n\tauthMethods := []ssh.AuthMethod{\n\t\tssh.KeyboardInteractive(func(_, _ string, questions []string, _ []bool) ([]string, error) {\n\t\t\tvar answers []string\n\t\t\tif strings.HasPrefix(questions[0], \"Password\") {\n\t\t\t\tanswers = append(answers, defaultPassword)\n\t\t\t\tpasswordAsked = true\n\t\t\t} else {\n\t\t\t\tanswers = append(answers, passcode)\n\t\t\t\tpasscodeAsked = true\n\t\t\t}\n\t\t\treturn answers, nil\n\t\t}),\n\t}\n\tconn, client, err = getCustomAuthSftpClient(user, authMethods, \"\")\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\tassert.True(t, passwordAsked)\n\tassert.True(t, passcodeAsked)\n\t// the same passcode cannot be reused\n\t_, _, err = getCustomAuthSftpClient(user, authMethods, \"\")\n\tassert.Error(t, err)\n\t// correct passcode but the script returns an error\n\tconfigName, key, _, err = mfa.GenerateTOTPSecret(mfa.GetAvailableTOTPConfigNames()[0], user.Username)\n\tassert.NoError(t, err)\n\tuser.Password = defaultPassword\n\tuser.Filters.TOTPConfig = dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: kms.NewPlainSecret(key.Secret()),\n\t\tProtocols: []string{common.ProtocolSSH},\n\t}\n\terr = dataprovider.UpdateUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tpasscode, err = totp.GenerateCodeCustom(key.Secret(), time.Now(), totp.ValidateOpts{\n\t\tPeriod: 30,\n\t\tSkew: 1,\n\t\tDigits: otp.DigitsSix,\n\t\tAlgorithm: otp.AlgorithmSHA1,\n\t})\n\tassert.NoError(t, err)\n\terr = os.WriteFile(keyIntAuthPath, getKeyboardInteractiveScriptForBuiltinChecks(true, 0), os.ModePerm)\n\tassert.NoError(t, err)\n\tpasswordAsked = false\n\tpasscodeAsked = false\n\t_, _, err = getCustomAuthSftpClient(user, authMethods, \"\")\n\tassert.Error(t, err)\n\tauthMethods = []ssh.AuthMethod{\n\t\tssh.KeyboardInteractive(func(_, _ string, questions []string, _ []bool) ([]string, error) {\n\t\t\tvar answers []string\n\t\t\tif strings.HasPrefix(questions[0], \"Password\") {\n\t\t\t\tanswers = append(answers, defaultPassword)\n\t\t\t\tpasswordAsked = true\n\t\t\t} else {\n\t\t\t\tanswers = append(answers, passcode)\n\t\t\t\tpasscodeAsked = true\n\t\t\t}\n\t\t\treturn answers, nil\n\t\t}),\n\t}\n\t_, _, err = getCustomAuthSftpClient(user, authMethods, \"\")\n\tassert.Error(t, err)\n\tassert.True(t, passwordAsked)\n\tassert.True(t, passcodeAsked)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestMustChangePasswordRequirement(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.Filters.RequirePasswordChange = true\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\t// public key auth works even if the user must change password\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\t// password auth does not work\n\t_, _, err = getSftpClient(user, false)\n\tassert.Error(t, err)\n\t// change password\n\terr = dataprovider.UpdateUserPassword(user.Username, defaultPassword, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user, false)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSecondFactorRequirement(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.Filters.TwoFactorAuthProtocols = []string{common.ProtocolSSH}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\t_, _, err = getSftpClient(user, usePubKey)\n\tassert.Error(t, err)\n\n\tconfigName, key, _, err := mfa.GenerateTOTPSecret(mfa.GetAvailableTOTPConfigNames()[0], user.Username)\n\tassert.NoError(t, err)\n\tuser.Password = defaultPassword\n\tuser.Filters.TOTPConfig = dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: kms.NewPlainSecret(key.Secret()),\n\t\tProtocols: []string{common.ProtocolSSH},\n\t}\n\terr = dataprovider.UpdateUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestNamingRules(t *testing.T) {\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\tproviderConf.NamingRules = 7\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.Username = \"useR@user.com \"\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tassert.Equal(t, \"user@user.com\", user.Username)\n\tconn, client, err := getSftpClient(u, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\tu.Password = defaultPassword\n\t_, _, err = httpdtest.UpdateUser(u, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(u, false)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\t_, err = httpdtest.RemoveUser(u, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(u.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n}\n\nfunc TestPreLoginScript(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tmappedPath := filepath.Join(os.TempDir(), \"vdir\")\n\tfolderName := filepath.Base(mappedPath)\n\tfolderMountPath := \"/vpath\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: folderMountPath,\n\t})\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = os.WriteFile(preLoginPath, getPreLoginScriptContent(u, false), os.ModePerm)\n\tassert.NoError(t, err)\n\tproviderConf.PreLoginHook = preLoginPath\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\tf := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: mappedPath,\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.CryptedFilesystemProvider,\n\t\t\tCryptConfig: vfs.CryptFsConfig{\n\t\t\t\tPassphrase: kms.NewPlainSecret(defaultPassword),\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err = httpdtest.AddFolder(f, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(u, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestData := []byte(\"test data\")\n\t\terr = os.WriteFile(testFilePath, testData, 0666)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(folderMountPath, testFileName), int64(len(testData)), client)\n\t\tassert.NoError(t, err)\n\t\tinfo, err := os.Stat(filepath.Join(mappedPath, testFileName))\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Greater(t, info.Size(), int64(len(testData)))\n\t\t}\n\t}\n\terr = os.WriteFile(preLoginPath, getPreLoginScriptContent(user, true), os.ModePerm)\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(u, usePubKey)\n\tif !assert.Error(t, err, \"pre-login script returned a non json response, login must fail\") {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\t// now disable the the hook\n\tuser.Filters.Hooks.PreLoginDisabled = true\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(u, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\n\tuser.Filters.Hooks.PreLoginDisabled = false\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\tuser.Status = 0\n\terr = os.WriteFile(preLoginPath, getPreLoginScriptContent(user, false), os.ModePerm)\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(u, usePubKey)\n\tif !assert.Error(t, err, \"pre-login script returned a disabled user, login must fail\") {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath)\n\tassert.NoError(t, err)\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = os.Remove(preLoginPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestPreLoginUserCreation(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.Permissions[\"/list\"] = []string{\"list\", \"download\"}\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = os.WriteFile(preLoginPath, getPreLoginScriptContent(u, false), os.ModePerm)\n\tassert.NoError(t, err)\n\tproviderConf.PreLoginHook = preLoginPath\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\t_, _, err = httpdtest.GetUserByUsername(defaultUsername, http.StatusNotFound)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(u, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\tuser, _, err := httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, user.Permissions, 2)\n\tassert.Empty(t, user.Description)\n\tu.Description = \"some desc\"\n\tdelete(u.Permissions, \"/list\")\n\terr = os.WriteFile(preLoginPath, getPreLoginScriptContent(u, false), os.ModePerm)\n\tassert.NoError(t, err)\n\t// The user should be updated and list permission removed\n\tconn, client, err = getSftpClient(u, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\tuser, _, err = httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, user.Permissions, 1)\n\tassert.NotEmpty(t, user.Description)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = os.Remove(preLoginPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestPreLoginHookPreserveMFAConfig(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = os.WriteFile(preLoginPath, getPreLoginScriptContent(u, false), os.ModePerm)\n\tassert.NoError(t, err)\n\tproviderConf.PreLoginHook = preLoginPath\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\tconn, client, err := getSftpClient(u, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\t// add multi-factor authentication\n\tuser, _, err := httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, user.Filters.RecoveryCodes, 0)\n\tassert.False(t, user.Filters.TOTPConfig.Enabled)\n\tconfigName, key, _, err := mfa.GenerateTOTPSecret(mfa.GetAvailableTOTPConfigNames()[0], user.Username)\n\tassert.NoError(t, err)\n\tuser.Password = defaultPassword\n\tuser.Filters.TOTPConfig = dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: kms.NewPlainSecret(key.Secret()),\n\t\tProtocols: []string{common.ProtocolSSH},\n\t}\n\tfor i := 0; i < 12; i++ {\n\t\tuser.Filters.RecoveryCodes = append(user.Filters.RecoveryCodes, dataprovider.RecoveryCode{\n\t\t\tSecret: kms.NewPlainSecret(fmt.Sprintf(\"RC-%v\", strings.ToUpper(util.GenerateUniqueID()))),\n\t\t})\n\t}\n\terr = dataprovider.UpdateUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tconn, client, err = getSftpClient(u, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\n\tuser, _, err = httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, user.Filters.RecoveryCodes, 12)\n\tassert.True(t, user.Filters.TOTPConfig.Enabled)\n\tassert.Equal(t, configName, user.Filters.TOTPConfig.ConfigName)\n\tassert.Equal(t, []string{common.ProtocolSSH}, user.Filters.TOTPConfig.Protocols)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.Filters.TOTPConfig.Secret.GetStatus())\n\n\terr = os.WriteFile(extAuthPath, getExitCodeScriptContent(0), os.ModePerm)\n\tassert.NoError(t, err)\n\n\tconn, client, err = getSftpClient(u, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\n\tuser, _, err = httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, user.Filters.RecoveryCodes, 12)\n\tassert.True(t, user.Filters.TOTPConfig.Enabled)\n\tassert.Equal(t, configName, user.Filters.TOTPConfig.ConfigName)\n\tassert.Equal(t, []string{common.ProtocolSSH}, user.Filters.TOTPConfig.Protocols)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.Filters.TOTPConfig.Secret.GetStatus())\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = os.Remove(preLoginPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestPreDownloadHook(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\toldExecuteOn := common.Config.Actions.ExecuteOn\n\toldHook := common.Config.Actions.Hook\n\n\tcommon.Config.Actions.ExecuteOn = []string{common.OperationPreDownload}\n\tcommon.Config.Actions.Hook = preDownloadPath\n\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(preDownloadPath, getExitCodeScriptContent(0), os.ModePerm)\n\tassert.NoError(t, err)\n\ttestFileSize := int64(131072)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpDownloadFile(testFileName, localDownloadPath, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t}\n\n\tremoteSCPDownPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, path.Join(\"/\", testFileName))\n\terr = scpDownload(localDownloadPath, remoteSCPDownPath, false, false)\n\tassert.NoError(t, err)\n\n\terr = os.WriteFile(preDownloadPath, getExitCodeScriptContent(1), os.ModePerm)\n\tassert.NoError(t, err)\n\n\tconn, client, err = getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpDownloadFile(testFileName, localDownloadPath, testFileSize, client)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t}\n\n\terr = scpDownload(localDownloadPath, remoteSCPDownPath, false, false)\n\tassert.Error(t, err)\n\n\tcommon.Config.Actions.Hook = \"http://127.0.0.1:8080/web/admin/login\"\n\n\tconn, client, err = getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpDownloadFile(testFileName, localDownloadPath, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t}\n\terr = scpDownload(localDownloadPath, remoteSCPDownPath, false, false)\n\tassert.NoError(t, err)\n\n\tcommon.Config.Actions.Hook = \"http://127.0.0.1:8080/\"\n\n\tconn, client, err = getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpDownloadFile(testFileName, localDownloadPath, testFileSize, client)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t}\n\terr = scpDownload(localDownloadPath, remoteSCPDownPath, false, false)\n\tassert.Error(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\terr = os.Remove(localDownloadPath)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tcommon.Config.Actions.ExecuteOn = oldExecuteOn\n\tcommon.Config.Actions.Hook = oldHook\n}\n\nfunc TestPreUploadHook(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\toldExecuteOn := common.Config.Actions.ExecuteOn\n\toldHook := common.Config.Actions.Hook\n\n\tcommon.Config.Actions.ExecuteOn = []string{common.OperationPreUpload}\n\tcommon.Config.Actions.Hook = preUploadPath\n\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(preUploadPath, getExitCodeScriptContent(0), os.ModePerm)\n\tassert.NoError(t, err)\n\ttestFileSize := int64(131072)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpDownloadFile(testFileName, localDownloadPath, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t}\n\n\tremoteSCPUpPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, path.Join(\"/\", testFileName))\n\terr = scpUpload(testFilePath, remoteSCPUpPath, true, false)\n\tassert.NoError(t, err)\n\n\terr = os.WriteFile(preUploadPath, getExitCodeScriptContent(1), os.ModePerm)\n\tassert.NoError(t, err)\n\n\tconn, client, err = getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = sftpUploadFile(testFilePath, testFileName+\"1\", testFileSize, client)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t}\n\terr = scpUpload(testFilePath, remoteSCPUpPath, true, false)\n\tassert.Error(t, err)\n\n\tcommon.Config.Actions.Hook = \"http://127.0.0.1:8080/web/client/login\"\n\n\tconn, client, err = getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpDownloadFile(testFileName, localDownloadPath, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t}\n\terr = scpUpload(testFilePath, remoteSCPUpPath, true, false)\n\tassert.NoError(t, err)\n\n\tcommon.Config.Actions.Hook = \"http://127.0.0.1:8080/web\"\n\n\tconn, client, err = getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = sftpUploadFile(testFilePath, testFileName+\"1\", testFileSize, client)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t}\n\n\terr = scpUpload(testFilePath, remoteSCPUpPath, true, false)\n\tassert.Error(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\terr = os.Remove(localDownloadPath)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tcommon.Config.Actions.ExecuteOn = oldExecuteOn\n\tcommon.Config.Actions.Hook = oldHook\n}\n\nfunc TestPostConnectHook(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tcommon.Config.PostConnectHook = postConnectPath\n\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(postConnectPath, getExitCodeScriptContent(0), os.ModePerm)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(u, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t}\n\terr = os.WriteFile(postConnectPath, getExitCodeScriptContent(1), os.ModePerm)\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(u, usePubKey)\n\tif !assert.Error(t, err) {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\n\tcommon.Config.PostConnectHook = \"http://127.0.0.1:8080/healthz\"\n\n\tconn, client, err = getSftpClient(u, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t}\n\n\tcommon.Config.PostConnectHook = \"http://127.0.0.1:8080/notfound\"\n\tconn, client, err = getSftpClient(u, usePubKey)\n\tif !assert.Error(t, err) {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tcommon.Config.PostConnectHook = \"\"\n}\n\nfunc TestCheckPwdHook(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.QuotaFiles = 1000\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = os.WriteFile(checkPwdPath, getCheckPwdScriptsContents(2, defaultPassword), os.ModePerm)\n\tassert.NoError(t, err)\n\tproviderConf.CheckPasswordHook = checkPwdPath\n\tproviderConf.CheckPasswordScope = 1\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\n\terr = os.WriteFile(checkPwdPath, getCheckPwdScriptsContents(0, defaultPassword), os.ModePerm)\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user, usePubKey)\n\tif !assert.Error(t, err) {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\n\t// now disable the the hook\n\tuser.Filters.Hooks.CheckPasswordDisabled = true\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\n\t// enable the hook again\n\tuser.Filters.Hooks.CheckPasswordDisabled = false\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\terr = os.WriteFile(checkPwdPath, getCheckPwdScriptsContents(1, \"\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tuser.Password = defaultPassword + \"1\"\n\tconn, client, err = getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\tproviderConf.CheckPasswordScope = 6\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser.Password = defaultPassword + \"1\"\n\tconn, client, err = getSftpClient(user, usePubKey)\n\tif !assert.Error(t, err) {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = os.Remove(checkPwdPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginExternalAuthPwdAndPubKey(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.QuotaFiles = 1000\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = os.WriteFile(extAuthPath, getExtAuthScriptContent(u, false, false, \"\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tproviderConf.ExternalAuthHook = extAuthPath\n\tproviderConf.ExternalAuthScope = 0\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\ttestFileSize := int64(65535)\n\tconn, client, err := getSftpClient(u, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\tu.Username = defaultUsername + \"1\"\n\tconn, client, err = getSftpClient(u, usePubKey)\n\tif !assert.Error(t, err, \"external auth login with invalid user must fail\") {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\tusePubKey = false\n\tu = getTestUser(usePubKey)\n\tu.PublicKeys = []string{}\n\terr = os.WriteFile(extAuthPath, getExtAuthScriptContent(u, false, false, \"\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(u, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\tuser, _, err := httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, len(user.PublicKeys))\n\tassert.Equal(t, testFileSize, user.UsedQuotaSize)\n\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\n\tu.Status = 0\n\terr = os.WriteFile(extAuthPath, getExtAuthScriptContent(u, false, false, \"\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(u, usePubKey)\n\tif !assert.Error(t, err) {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\t// now disable the the hook\n\tuser.Filters.Hooks.ExternalAuthDisabled = true\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(u, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = os.Remove(extAuthPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestExternalAuthMultiStepLoginKeyAndPwd(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tu := getTestUser(true)\n\tu.Password = defaultPassword\n\tu.Filters.DeniedLoginMethods = append(u.Filters.DeniedLoginMethods, []string{\n\t\tdataprovider.SSHLoginMethodKeyAndKeyboardInt,\n\t\tdataprovider.SSHLoginMethodPublicKey,\n\t\tdataprovider.LoginMethodPassword,\n\t\tdataprovider.SSHLoginMethodKeyboardInteractive,\n\t}...)\n\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = os.WriteFile(extAuthPath, getExtAuthScriptContent(u, false, false, \"\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tproviderConf.ExternalAuthHook = extAuthPath\n\tproviderConf.ExternalAuthScope = 0\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\tsigner, err := ssh.ParsePrivateKey([]byte(testPrivateKey))\n\tassert.NoError(t, err)\n\tauthMethods := []ssh.AuthMethod{\n\t\tssh.PublicKeys(signer),\n\t\tssh.Password(defaultPassword),\n\t}\n\tconn, client, err := getCustomAuthSftpClient(u, authMethods, \"\")\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\t// wrong sequence should fail\n\tauthMethods = []ssh.AuthMethod{\n\t\tssh.Password(defaultPassword),\n\t\tssh.PublicKeys(signer),\n\t}\n\t_, _, err = getCustomAuthSftpClient(u, authMethods, \"\")\n\tassert.Error(t, err)\n\n\t// public key only auth must fail\n\t_, _, err = getSftpClient(u, true)\n\tassert.Error(t, err)\n\t// password only auth must fail\n\t_, _, err = getSftpClient(u, false)\n\tassert.Error(t, err)\n\n\t_, err = httpdtest.RemoveUser(u, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(u.GetHomeDir())\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = os.Remove(extAuthPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestExternalAuthEmptyResponse(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.QuotaFiles = 1000\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = os.WriteFile(extAuthPath, getExtAuthScriptContent(u, false, false, \"\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tproviderConf.ExternalAuthHook = extAuthPath\n\tproviderConf.ExternalAuthScope = 0\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\ttestFileSize := int64(65535)\n\t// the user will be created\n\tconn, client, err := getSftpClient(u, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\n\tuser, _, err := httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, len(user.PublicKeys))\n\tassert.Equal(t, testFileSize, user.UsedQuotaSize)\n\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t// now modify the user\n\tuser.MaxSessions = 10\n\tuser.QuotaFiles = 100\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\terr = os.WriteFile(extAuthPath, getExtAuthScriptContent(u, false, true, \"\"), os.ModePerm)\n\tassert.NoError(t, err)\n\n\tconn, client, err = getSftpClient(u, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t}\n\n\tuser, _, err = httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 10, user.MaxSessions)\n\tassert.Equal(t, 100, user.QuotaFiles)\n\n\t// the auth script accepts any password and returns an empty response, the\n\t// user password must be updated\n\tu.Password = defaultUsername\n\tconn, client, err = getSftpClient(u, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = os.Remove(extAuthPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestExternalAuthDifferentUsername(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tusePubKey := false\n\textAuthUsername := \"common_user\"\n\tu := getTestUser(usePubKey)\n\tu.QuotaFiles = 1000\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = os.WriteFile(extAuthPath, getExtAuthScriptContent(u, false, false, extAuthUsername), os.ModePerm)\n\tassert.NoError(t, err)\n\tproviderConf.ExternalAuthHook = extAuthPath\n\tproviderConf.ExternalAuthScope = 0\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\t// the user logins using \"defaultUsername\" and the external auth returns \"extAuthUsername\"\n\ttestFileSize := int64(65535)\n\tconn, client, err := getSftpClient(u, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\n\t// logins again to test that used quota is preserved\n\tconn, client, err = getSftpClient(u, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = checkBasicSFTP(client)\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, _, err = httpdtest.GetUserByUsername(defaultUsername, http.StatusNotFound)\n\tassert.NoError(t, err)\n\n\tuser, _, err := httpdtest.GetUserByUsername(extAuthUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, 0, len(user.PublicKeys))\n\tassert.Equal(t, testFileSize, user.UsedQuotaSize)\n\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = os.Remove(extAuthPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginExternalAuth(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tmappedPath := filepath.Join(os.TempDir(), \"vdir1\")\n\tfolderName := filepath.Base(mappedPath)\n\textAuthScopes := []int{1, 2}\n\tfor _, authScope := range extAuthScopes {\n\t\tvar usePubKey bool\n\t\tif authScope == 1 {\n\t\t\tusePubKey = false\n\t\t} else {\n\t\t\tusePubKey = true\n\t\t}\n\t\tu := getTestUser(usePubKey)\n\t\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\t\tName: folderName,\n\t\t\t},\n\t\t\tVirtualPath: \"/vpath\",\n\t\t\tQuotaFiles: 1 + authScope,\n\t\t\tQuotaSize: 10 + int64(authScope),\n\t\t})\n\n\t\terr := dataprovider.Close()\n\t\tassert.NoError(t, err)\n\t\terr = config.LoadConfig(configDir, \"\")\n\t\tassert.NoError(t, err)\n\t\tproviderConf := config.GetProviderConf()\n\t\terr = os.WriteFile(extAuthPath, getExtAuthScriptContent(u, false, false, \"\"), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\tproviderConf.ExternalAuthHook = extAuthPath\n\t\tproviderConf.ExternalAuthScope = authScope\n\t\terr = dataprovider.Initialize(providerConf, configDir, true)\n\t\tassert.NoError(t, err)\n\n\t\tf := vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t\tMappedPath: mappedPath,\n\t\t}\n\t\t_, _, err = httpdtest.AddFolder(f, http.StatusCreated)\n\t\tassert.NoError(t, err)\n\n\t\tconn, client, err := getSftpClient(u, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tdefer conn.Close()\n\t\t\tdefer client.Close()\n\t\t\tassert.NoError(t, checkBasicSFTP(client))\n\t\t}\n\t\tif !usePubKey {\n\t\t\tdbUser, err := dataprovider.UserExists(defaultUsername, \"\")\n\t\t\tassert.NoError(t, err)\n\t\t\tfound, match := dataprovider.CheckCachedUserPassword(defaultUsername, defaultPassword, dbUser.Password)\n\t\t\tassert.True(t, found)\n\t\t\tassert.True(t, match)\n\t\t}\n\t\tu.Username = defaultUsername + \"1\"\n\t\tconn, client, err = getSftpClient(u, usePubKey)\n\t\tif !assert.Error(t, err, \"external auth login with invalid user must fail\") {\n\t\t\tclient.Close()\n\t\t\tconn.Close()\n\t\t}\n\t\tusePubKey = !usePubKey\n\t\tu = getTestUser(usePubKey)\n\t\tconn, client, err = getSftpClient(u, usePubKey)\n\t\tif !assert.Error(t, err, \"external auth login with valid user but invalid auth scope must fail\") {\n\t\t\tclient.Close()\n\t\t\tconn.Close()\n\t\t}\n\t\tuser, _, err := httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tif assert.Len(t, user.VirtualFolders, 1) {\n\t\t\tfolder := user.VirtualFolders[0]\n\t\t\tassert.Equal(t, folderName, folder.Name)\n\t\t\tassert.Equal(t, mappedPath, folder.MappedPath)\n\t\t\tassert.Equal(t, 1+authScope, folder.QuotaFiles)\n\t\t\tassert.Equal(t, 10+int64(authScope), folder.QuotaSize)\n\t\t}\n\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\tassert.NoError(t, err)\n\n\t\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName}, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\terr = dataprovider.Close()\n\t\tassert.NoError(t, err)\n\t\terr = config.LoadConfig(configDir, \"\")\n\t\tassert.NoError(t, err)\n\t\tproviderConf = config.GetProviderConf()\n\t\terr = dataprovider.Initialize(providerConf, configDir, true)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(extAuthPath)\n\t\tassert.NoError(t, err)\n\t}\n}\n\nfunc TestLoginExternalAuthCache(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tu := getTestUser(false)\n\tu.Filters.ExternalAuthCacheTime = 120\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = os.WriteFile(extAuthPath, getExtAuthScriptContent(u, false, false, \"\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tproviderConf.ExternalAuthHook = extAuthPath\n\tproviderConf.ExternalAuthScope = 1\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(u, false)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\tuser, _, err := httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tlastLogin := user.LastLogin\n\tassert.Greater(t, lastLogin, int64(0))\n\tassert.Equal(t, u.Filters.ExternalAuthCacheTime, user.Filters.ExternalAuthCacheTime)\n\t// the auth should be now cached so update the hook to return an error\n\terr = os.WriteFile(extAuthPath, getExtAuthScriptContent(u, true, false, \"\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(u, false)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\tuser, _, err = httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, lastLogin, user.LastLogin)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = os.Remove(extAuthPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginExternalAuthInteractive(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = os.WriteFile(extAuthPath, getExtAuthScriptContent(u, false, false, \"\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tproviderConf.ExternalAuthHook = extAuthPath\n\tproviderConf.ExternalAuthScope = 4\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\terr = os.WriteFile(keyIntAuthPath, getKeyboardInteractiveScriptContent([]string{\"1\", \"2\"}, 0, false, 1), os.ModePerm)\n\tassert.NoError(t, err)\n\tconn, client, err := getKeyboardInteractiveSftpClient(u, []string{\"1\", \"2\"})\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\tu.Username = defaultUsername + \"1\"\n\tconn, client, err = getKeyboardInteractiveSftpClient(u, []string{\"1\", \"2\"})\n\tif !assert.Error(t, err, \"external auth login with invalid user must fail\") {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\tusePubKey = true\n\tu = getTestUser(usePubKey)\n\tconn, client, err = getSftpClient(u, usePubKey)\n\tif !assert.Error(t, err, \"external auth login with valid user but invalid auth scope must fail\") {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\tuser, _, err := httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = os.Remove(extAuthPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginExternalAuthErrors(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = os.WriteFile(extAuthPath, getExtAuthScriptContent(u, true, false, \"\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tproviderConf.ExternalAuthHook = extAuthPath\n\tproviderConf.ExternalAuthScope = 0\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\tconn, client, err := getSftpClient(u, usePubKey)\n\tif !assert.Error(t, err, \"login must fail, external auth returns a non json response\") {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\n\tusePubKey = false\n\tu = getTestUser(usePubKey)\n\tconn, client, err = getSftpClient(u, usePubKey)\n\tif !assert.Error(t, err, \"login must fail, external auth returns a non json response\") {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\t_, _, err = httpdtest.GetUserByUsername(defaultUsername, http.StatusNotFound)\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = os.Remove(extAuthPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestExternalAuthReturningAnonymousUser(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.Filters.IsAnonymous = true\n\tu.Password = \"\"\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = os.WriteFile(extAuthPath, getExtAuthScriptContent(u, false, false, \"\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tproviderConf.ExternalAuthHook = extAuthPath\n\tproviderConf.ExternalAuthScope = 0\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\t_, _, err = getSftpClient(u, usePubKey)\n\tassert.Error(t, err)\n\n\tuser, _, err := httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, user.Filters.IsAnonymous)\n\tassert.Equal(t, []string{dataprovider.PermListItems, dataprovider.PermDownload}, user.Permissions[\"/\"])\n\tassert.Equal(t, []string{common.ProtocolSSH, common.ProtocolHTTP}, user.Filters.DeniedProtocols)\n\tassert.Equal(t, []string{dataprovider.SSHLoginMethodPublicKey, dataprovider.SSHLoginMethodPassword,\n\t\tdataprovider.SSHLoginMethodKeyboardInteractive, dataprovider.SSHLoginMethodKeyAndPassword,\n\t\tdataprovider.SSHLoginMethodKeyAndKeyboardInt, dataprovider.LoginMethodTLSCertificate,\n\t\tdataprovider.LoginMethodTLSCertificateAndPwd}, user.Filters.DeniedLoginMethods)\n\n\t// test again, the user now exists\n\t_, _, err = getSftpClient(u, usePubKey)\n\tassert.Error(t, err)\n\tupdatedUser, _, err := httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tuser.UpdatedAt = updatedUser.UpdatedAt\n\tuser.LastPasswordChange = updatedUser.LastPasswordChange\n\tassert.Equal(t, user, updatedUser)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = os.Remove(extAuthPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestExternalAuthPreserveMFAConfig(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = os.WriteFile(extAuthPath, getExtAuthScriptContent(u, false, false, \"\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tproviderConf.ExternalAuthHook = extAuthPath\n\tproviderConf.ExternalAuthScope = 0\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\tconn, client, err := getSftpClient(u, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\t// add multi-factor authentication\n\tuser, _, err := httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, user.Filters.RecoveryCodes, 0)\n\tassert.False(t, user.Filters.TOTPConfig.Enabled)\n\tconfigName, key, _, err := mfa.GenerateTOTPSecret(mfa.GetAvailableTOTPConfigNames()[0], user.Username)\n\tassert.NoError(t, err)\n\tuser.Password = defaultPassword\n\tuser.Filters.TOTPConfig = dataprovider.UserTOTPConfig{\n\t\tEnabled: true,\n\t\tConfigName: configName,\n\t\tSecret: kms.NewPlainSecret(key.Secret()),\n\t\tProtocols: []string{common.ProtocolSSH},\n\t}\n\tfor i := 0; i < 12; i++ {\n\t\tuser.Filters.RecoveryCodes = append(user.Filters.RecoveryCodes, dataprovider.RecoveryCode{\n\t\t\tSecret: kms.NewPlainSecret(fmt.Sprintf(\"RC-%v\", strings.ToUpper(util.GenerateUniqueID()))),\n\t\t})\n\t}\n\terr = dataprovider.UpdateUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\t// login again and check that the MFA configs are preserved\n\tconn, client, err = getSftpClient(u, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\n\tuser, _, err = httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, user.Filters.RecoveryCodes, 12)\n\tassert.True(t, user.Filters.TOTPConfig.Enabled)\n\tassert.Equal(t, configName, user.Filters.TOTPConfig.ConfigName)\n\tassert.Equal(t, []string{common.ProtocolSSH}, user.Filters.TOTPConfig.Protocols)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.Filters.TOTPConfig.Secret.GetStatus())\n\n\terr = os.WriteFile(extAuthPath, getExtAuthScriptContent(u, false, true, \"\"), os.ModePerm)\n\tassert.NoError(t, err)\n\n\tconn, client, err = getSftpClient(u, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\n\tuser, _, err = httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Len(t, user.Filters.RecoveryCodes, 12)\n\tassert.True(t, user.Filters.TOTPConfig.Enabled)\n\tassert.Equal(t, configName, user.Filters.TOTPConfig.ConfigName)\n\tassert.Equal(t, []string{common.ProtocolSSH}, user.Filters.TOTPConfig.Protocols)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.Filters.TOTPConfig.Secret.GetStatus())\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = os.Remove(extAuthPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestQuotaDisabledError(t *testing.T) {\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\tproviderConf.TrackQuota = 0\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.QuotaFiles = 1\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName+\"1\", testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(testFileName+\"1\", testFileName+\".rename\") //nolint:goconst\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n}\n\n//nolint:dupl\nfunc TestMaxConnections(t *testing.T) {\n\toldValue := common.Config.MaxTotalConnections\n\tcommon.Config.MaxTotalConnections = 1\n\n\tassert.Eventually(t, func() bool {\n\t\treturn common.Connections.GetClientConnections() == 0\n\t}, 1000*time.Millisecond, 50*time.Millisecond)\n\n\tusePubKey := true\n\tuser := getTestUser(usePubKey)\n\terr := dataprovider.AddUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tuser.Password = \"\"\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t\ts, c, err := getSftpClient(user, usePubKey)\n\t\tif !assert.Error(t, err, \"max total connections exceeded, new login should not succeed\") {\n\t\t\tc.Close()\n\t\t\ts.Close()\n\t\t}\n\t\terr = client.Close()\n\t\tassert.NoError(t, err)\n\t\terr = conn.Close()\n\t\tassert.NoError(t, err)\n\t}\n\terr = dataprovider.DeleteUser(user.Username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tcommon.Config.MaxTotalConnections = oldValue\n}\n\n//nolint:dupl\nfunc TestMaxPerHostConnections(t *testing.T) {\n\toldValue := common.Config.MaxPerHostConnections\n\tcommon.Config.MaxPerHostConnections = 1\n\n\tassert.Eventually(t, func() bool {\n\t\treturn common.Connections.GetClientConnections() == 0\n\t}, 1000*time.Millisecond, 50*time.Millisecond)\n\n\tusePubKey := true\n\tuser := getTestUser(usePubKey)\n\terr := dataprovider.AddUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tuser.Password = \"\"\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t\ts, c, err := getSftpClient(user, usePubKey)\n\t\tif !assert.Error(t, err, \"max per host connections exceeded, new login should not succeed\") {\n\t\t\tc.Close()\n\t\t\ts.Close()\n\t\t}\n\t\terr = client.Close()\n\t\tassert.NoError(t, err)\n\t\terr = conn.Close()\n\t\tassert.NoError(t, err)\n\t}\n\terr = dataprovider.DeleteUser(user.Username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tcommon.Config.MaxPerHostConnections = oldValue\n}\n\nfunc TestMaxTransfers(t *testing.T) {\n\toldValue := common.Config.MaxPerHostConnections\n\tcommon.Config.MaxPerHostConnections = 2\n\n\tassert.Eventually(t, func() bool {\n\t\treturn common.Connections.GetClientConnections() == 0\n\t}, 1000*time.Millisecond, 50*time.Millisecond)\n\n\tusePubKey := true\n\tuser := getTestUser(usePubKey)\n\terr := dataprovider.AddUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tuser.Password = \"\"\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\n\t\tf1, err := client.Create(\"file1\")\n\t\tassert.NoError(t, err)\n\t\tf2, err := client.Create(\"file2\")\n\t\tassert.NoError(t, err)\n\t\t_, err = f1.Write([]byte(\" \"))\n\t\tassert.NoError(t, err)\n\t\t_, err = f2.Write([]byte(\" \"))\n\t\tassert.NoError(t, err)\n\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.ErrorContains(t, err, sftp.ErrSSHFxPermissionDenied.Error())\n\n\t\tremoteUpPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, \"/\")\n\t\terr = scpUpload(testFilePath, remoteUpPath, false, false)\n\t\tassert.Error(t, err)\n\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = sftpDownloadFile(testFileName, localDownloadPath, testFileSize, client)\n\t\tassert.ErrorContains(t, err, sftp.ErrSSHFxPermissionDenied.Error())\n\n\t\tremoteDownPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, path.Join(\"/\", testFileName))\n\t\terr = scpDownload(localDownloadPath, remoteDownPath, false, false)\n\t\tassert.Error(t, err)\n\n\t\terr = f1.Close()\n\t\tassert.NoError(t, err)\n\t\terr = f2.Close()\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t\terr = client.Close()\n\t\tassert.NoError(t, err)\n\t\terr = conn.Close()\n\t\tassert.NoError(t, err)\n\t}\n\terr = dataprovider.DeleteUser(user.Username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool {\n\t\treturn common.Connections.GetTotalTransfers() == 0\n\t}, 1000*time.Millisecond, 50*time.Millisecond)\n\n\tcommon.Config.MaxPerHostConnections = oldValue\n}\n\nfunc TestMaxSessions(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.Username += \"1\"\n\tu.MaxSessions = 1\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t\ts, c, err := getSftpClient(user, usePubKey)\n\t\tif !assert.Error(t, err, \"max sessions exceeded, new login should not succeed\") {\n\t\t\tc.Close()\n\t\t\ts.Close()\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSupportedExtensions(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t\tv, ok := client.HasExtension(\"statvfs@openssh.com\")\n\t\tassert.Equal(t, \"2\", v)\n\t\tassert.True(t, ok)\n\t\t_, ok = client.HasExtension(\"hardlink@openssh.com\")\n\t\tassert.False(t, ok)\n\t\t_, ok = client.HasExtension(\"posix-rename@openssh.com\")\n\t\tassert.False(t, ok)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestQuotaFileReplace(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.QuotaFiles = 1000\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser(usePubKey)\n\tu.QuotaFiles = 1000\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestFileSize := int64(65535)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\tconn, client, err := getSftpClient(user, usePubKey)\n\t\tif assert.NoError(t, err) { //nolint:dupl\n\t\t\tdefer conn.Close()\n\t\t\tdefer client.Close()\n\t\t\texpectedQuotaSize := testFileSize\n\t\t\texpectedQuotaFiles := 1\n\t\t\terr = createTestFile(testFilePath, testFileSize)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\t\tassert.NoError(t, err)\n\t\t\t// now replace the same file, the quota must not change\n\t\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\t\tassert.NoError(t, err)\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\t\t// now create a symlink, replace it with a file and check the quota\n\t\t\t// replacing a symlink is like uploading a new file\n\t\t\terr = client.Symlink(testFileName, testFileName+\".link\")\n\t\t\tassert.NoError(t, err)\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\t\texpectedQuotaFiles++\n\t\t\texpectedQuotaSize += testFileSize\n\t\t\terr = sftpUploadFile(testFilePath, testFileName+\".link\", testFileSize, client)\n\t\t\tassert.NoError(t, err)\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\t}\n\t\t// now set a quota size restriction and upload the same file, upload should fail for space limit exceeded\n\t\tuser.QuotaSize = testFileSize*2 - 1\n\t\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\t\tassert.NoError(t, err)\n\t\tconn, client, err = getSftpClient(user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tdefer conn.Close()\n\t\t\tdefer client.Close()\n\t\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\t\tassert.Error(t, err, \"quota size exceeded, file upload must fail\")\n\t\t\terr = client.Remove(testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t\tif user.Username == defaultUsername {\n\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\tassert.NoError(t, err)\n\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tuser.Password = defaultPassword\n\t\t\tuser.ID = 0\n\t\t\tuser.CreatedAt = 0\n\t\t\tuser.QuotaSize = 0\n\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\tassert.NoError(t, err, string(resp))\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestQuotaRename(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.QuotaFiles = 1000\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser(usePubKey)\n\tu.QuotaFiles = 1000\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestFileSize := int64(65535)\n\ttestFileSize1 := int64(65537)\n\ttestFileName1 := \"test_file1.dat\" //nolint:goconst\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFilePath1 := filepath.Join(homeBasePath, testFileName1)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\tconn, client, err := getSftpClient(user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tdefer conn.Close()\n\t\t\tdefer client.Close()\n\t\t\terr = createTestFile(testFilePath, testFileSize)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = createTestFile(testFilePath1, testFileSize1)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.Rename(testFileName, testFileName+\".rename\")\n\t\t\tassert.NoError(t, err)\n\t\t\terr = sftpUploadFile(testFilePath1, testFileName1, testFileSize1, client)\n\t\t\tassert.NoError(t, err)\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\t\t\tassert.Equal(t, testFileSize+testFileSize1, user.UsedQuotaSize)\n\t\t\terr = client.Rename(testFileName1, testFileName+\".rename\")\n\t\t\tassert.NoError(t, err)\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\t\tassert.Equal(t, testFileSize1, user.UsedQuotaSize)\n\t\t\terr = client.Symlink(testFileName+\".rename\", testFileName+\".symlink\") //nolint:goconst\n\t\t\tassert.NoError(t, err)\n\t\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\t\tassert.NoError(t, err)\n\t\t\t// overwrite a symlink\n\t\t\terr = client.Rename(testFileName, testFileName+\".symlink\")\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.Mkdir(\"testdir\")\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.Rename(\"testdir\", \"testdir1\")\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.Mkdir(\"testdir\")\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.Rename(\"testdir\", \"testdir1\")\n\t\t\tassert.Error(t, err)\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\t\t\tassert.Equal(t, testFileSize+testFileSize1, user.UsedQuotaSize)\n\t\t\ttestDir := \"tdir\"\n\t\t\terr = client.Mkdir(testDir)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = sftpUploadFile(testFilePath, path.Join(testDir, testFileName), testFileSize, client)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = sftpUploadFile(testFilePath1, path.Join(testDir, testFileName1), testFileSize1, client)\n\t\t\tassert.NoError(t, err)\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, 4, user.UsedQuotaFiles)\n\t\t\tassert.Equal(t, testFileSize*2+testFileSize1*2, user.UsedQuotaSize)\n\t\t\terr = client.Rename(testDir, testDir+\"1\")\n\t\t\tassert.NoError(t, err)\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, 4, user.UsedQuotaFiles)\n\t\t\tassert.Equal(t, testFileSize*2+testFileSize1*2, user.UsedQuotaSize)\n\t\t\tif user.Username == defaultUsername {\n\t\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tuser.Password = defaultPassword\n\t\t\t\tuser.ID = 0\n\t\t\t\tuser.CreatedAt = 0\n\t\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\t\tassert.NoError(t, err, string(resp))\n\t\t\t}\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\terr = os.Remove(testFilePath1)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestQuotaScan(t *testing.T) {\n\tusePubKey := false\n\tuser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestFileSize := int64(65535)\n\texpectedQuotaSize := user.UsedQuotaSize + testFileSize\n\texpectedQuotaFiles := user.UsedQuotaFiles + 1\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t// create user with the same home dir, so there is at least an untracked file\n\tuser, _, err = httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.StartQuotaScan(user, http.StatusAccepted)\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool {\n\t\tscans, _, err := httpdtest.GetQuotaScans(http.StatusOK)\n\t\tif err == nil {\n\t\t\treturn len(scans) == 0\n\t\t}\n\t\treturn false\n\t}, 1*time.Second, 50*time.Millisecond)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestMultipleQuotaScans(t *testing.T) {\n\tres := common.QuotaScans.AddUserQuotaScan(defaultUsername, \"\")\n\tassert.True(t, res)\n\tres = common.QuotaScans.AddUserQuotaScan(defaultUsername, \"\")\n\tassert.False(t, res, \"add quota must fail if another scan is already active\")\n\tassert.True(t, common.QuotaScans.RemoveUserQuotaScan(defaultUsername))\n\tactiveScans := common.QuotaScans.GetUsersQuotaScans(\"\")\n\tassert.Equal(t, 0, len(activeScans))\n\tassert.False(t, common.QuotaScans.RemoveUserQuotaScan(defaultUsername))\n}\n\nfunc TestQuotaLimits(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.QuotaFiles = 1\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser(usePubKey)\n\tu.QuotaFiles = 1\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestFileSize := int64(65535)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\ttestFileSize1 := int64(131072)\n\ttestFileName1 := \"test_file1.dat\"\n\ttestFilePath1 := filepath.Join(homeBasePath, testFileName1)\n\terr = createTestFile(testFilePath1, testFileSize1)\n\tassert.NoError(t, err)\n\ttestFileSize2 := int64(32768)\n\ttestFileName2 := \"test_file2.dat\" //nolint:goconst\n\ttestFilePath2 := filepath.Join(homeBasePath, testFileName2)\n\terr = createTestFile(testFilePath2, testFileSize2)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\t// test quota files\n\t\tconn, client, err := getSftpClient(user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tdefer conn.Close()\n\t\t\tdefer client.Close()\n\t\t\terr = sftpUploadFile(testFilePath, testFileName+\".quota\", testFileSize, client) //nolint:goconst\n\t\t\tassert.NoError(t, err)\n\t\t\terr = sftpUploadFile(testFilePath, testFileName+\".quota.1\", testFileSize, client)\n\t\t\tif assert.Error(t, err, \"user is over quota files, upload must fail\") {\n\t\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_FAILURE\")\n\t\t\t\tassert.Contains(t, err.Error(), common.ErrQuotaExceeded.Error())\n\t\t\t}\n\t\t\t// rename should work\n\t\t\terr = client.Rename(testFileName+\".quota\", testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t\t// test quota size\n\t\tuser.QuotaSize = testFileSize - 1\n\t\tuser.QuotaFiles = 0\n\t\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\t\tassert.NoError(t, err)\n\t\tconn, client, err = getSftpClient(user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tdefer conn.Close()\n\t\t\tdefer client.Close()\n\t\t\terr = sftpUploadFile(testFilePath, testFileName+\".quota.1\", testFileSize, client)\n\t\t\tif assert.Error(t, err, \"user is over quota size, upload must fail\") {\n\t\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_FAILURE\")\n\t\t\t\tassert.Contains(t, err.Error(), common.ErrQuotaExceeded.Error())\n\t\t\t}\n\t\t\terr = client.Rename(testFileName, testFileName+\".quota\")\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.Rename(testFileName+\".quota\", testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t\t// now test quota limits while uploading the current file, we have 1 bytes remaining\n\t\tuser.QuotaSize = testFileSize + 1\n\t\tuser.QuotaFiles = 0\n\t\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\t\tassert.NoError(t, err)\n\t\tconn, client, err = getSftpClient(user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tdefer conn.Close()\n\t\t\tdefer client.Close()\n\t\t\terr = sftpUploadFile(testFilePath1, testFileName1, testFileSize1, client)\n\t\t\tif assert.Error(t, err) {\n\t\t\t\tassert.Contains(t, err.Error(), \"SSH_FX_FAILURE\")\n\t\t\t\tif user.Username == localUser.Username {\n\t\t\t\t\tassert.Contains(t, err.Error(), common.ErrQuotaExceeded.Error())\n\t\t\t\t}\n\t\t\t}\n\t\t\t_, err = client.Stat(testFileName1)\n\t\t\tassert.Error(t, err)\n\t\t\t_, err = client.Lstat(testFileName1)\n\t\t\tassert.Error(t, err)\n\t\t\t// overwriting an existing file will work if the resulting size is lesser or equal than the current one\n\t\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = sftpUploadFile(testFilePath2, testFileName, testFileSize2, client)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = sftpUploadFile(testFilePath1, testFileName, testFileSize1, client)\n\t\t\tassert.Error(t, err)\n\t\t\t_, err := client.Stat(testFileName)\n\t\t\tassert.Error(t, err)\n\t\t}\n\t\tif user.Username == defaultUsername {\n\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\tassert.NoError(t, err)\n\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tuser.Password = defaultPassword\n\t\t\tuser.ID = 0\n\t\t\tuser.CreatedAt = 0\n\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\tassert.NoError(t, err, string(resp))\n\t\t}\n\t}\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\terr = os.Remove(testFilePath1)\n\tassert.NoError(t, err)\n\terr = os.Remove(testFilePath2)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestTransferQuotaLimits(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.DownloadDataTransfer = 1\n\tu.UploadDataTransfer = 1\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(550000)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpDownloadFile(testFileName, localDownloadPath, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\t// error while download is active\n\t\terr = sftpDownloadFile(testFileName, localDownloadPath, testFileSize, client)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), common.ErrReadQuotaExceeded.Error())\n\t\t}\n\t\t// error before starting the download\n\t\terr = sftpDownloadFile(testFileName, localDownloadPath, testFileSize, client)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), common.ErrReadQuotaExceeded.Error())\n\t\t}\n\t\t// error while upload is active\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), common.ErrQuotaExceeded.Error())\n\t\t}\n\t\t// error before starting the upload\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), common.ErrQuotaExceeded.Error())\n\t\t}\n\t}\n\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Greater(t, user.UsedDownloadDataTransfer, int64(1024*1024))\n\tassert.Greater(t, user.UsedUploadDataTransfer, int64(1024*1024))\n\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\terr = os.Remove(localDownloadPath)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestUploadMaxSize(t *testing.T) {\n\ttestFileSize := int64(65535)\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.Filters.MaxUploadFileSize = testFileSize + 1\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\ttestFileSize1 := int64(131072)\n\ttestFileName1 := \"test_file1.dat\"\n\ttestFilePath1 := filepath.Join(homeBasePath, testFileName1)\n\terr = createTestFile(testFilePath1, testFileSize1)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = sftpUploadFile(testFilePath1, testFileName1, testFileSize1, client)\n\t\tassert.Error(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\t// now test overwrite an existing file with a size bigger than the allowed one\n\t\terr = createTestFile(filepath.Join(user.GetHomeDir(), testFileName1), testFileSize1)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, testFileName1, testFileSize1, client)\n\t\tassert.Error(t, err)\n\t}\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\terr = os.Remove(testFilePath1)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestBandwidthAndConnections(t *testing.T) {\n\tusePubKey := false\n\ttestFileSize := int64(524288)\n\tu := getTestUser(usePubKey)\n\tu.UploadBandwidth = 120\n\tu.DownloadBandwidth = 100\n\twantedUploadElapsed := 1000 * (testFileSize / 1024) / u.UploadBandwidth\n\twantedDownloadElapsed := 1000 * (testFileSize / 1024) / u.DownloadBandwidth\n\t// 100 ms tolerance\n\twantedUploadElapsed -= 100\n\twantedDownloadElapsed -= 100\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\tstartTime := time.Now()\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\telapsed := time.Since(startTime).Nanoseconds() / 1000000\n\t\tassert.GreaterOrEqual(t, elapsed, wantedUploadElapsed, \"upload bandwidth throttling not respected\")\n\t\tstartTime = time.Now()\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\tc := sftpDownloadNonBlocking(testFileName, localDownloadPath, testFileSize, client)\n\t\twaitForActiveTransfers(t)\n\t\t// wait some additional arbitrary time to wait for transfer activity to happen\n\t\t// it is need to reach all the code in CheckIdleConnections\n\t\ttime.Sleep(100 * time.Millisecond)\n\t\terr = <-c\n\t\tassert.NoError(t, err)\n\t\telapsed = time.Since(startTime).Nanoseconds() / 1000000\n\t\tassert.GreaterOrEqual(t, elapsed, wantedDownloadElapsed, \"download bandwidth throttling not respected\")\n\t\t// test disconnection\n\t\tc = sftpUploadNonBlocking(testFilePath, testFileName+\"_partial\", testFileSize, client)\n\t\twaitForActiveTransfers(t)\n\t\ttime.Sleep(100 * time.Millisecond)\n\n\t\tfor _, stat := range common.Connections.GetStats(\"\") {\n\t\t\tcommon.Connections.Close(stat.ConnectionID, \"\")\n\t\t}\n\t\terr = <-c\n\t\tassert.Error(t, err, \"connection closed while uploading: the upload must fail\")\n\t\tassert.Eventually(t, func() bool {\n\t\t\treturn len(common.Connections.GetStats(\"\")) == 0\n\t\t}, 10*time.Second, 200*time.Millisecond)\n\t\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestPatternsFilters(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestFileSize := int64(131072)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName+\".zip\", testFileSize, client)\n\t\tassert.NoError(t, err)\n\t}\n\tuser.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: \"/\",\n\t\t\tAllowedPatterns: []string{\"*.zIp\"},\n\t\t\tDeniedPatterns: []string{},\n\t\t},\n\t}\n\tuser.Filters.DisableFsChecks = true\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.Error(t, err)\n\t\terr = sftpDownloadFile(testFileName, localDownloadPath, testFileSize, client)\n\t\tassert.Error(t, err)\n\t\terr = client.Rename(testFileName, testFileName+\"1\")\n\t\tassert.Error(t, err)\n\t\terr = client.Remove(testFileName)\n\t\tassert.Error(t, err)\n\t\terr = sftpDownloadFile(testFileName+\".zip\", localDownloadPath, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(\"dir.zip\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(\"dir.zip\", \"dir1.zip\")\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\terr = os.Remove(localDownloadPath)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestVirtualFolders(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tmappedPath := filepath.Join(os.TempDir(), \"vdir\")\n\tfolderName := filepath.Base(mappedPath)\n\tvdirPath := \"/vdir/subdir\"\n\ttestDir := \"/userDir\"\n\ttestDir1 := \"/userDir1\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: vdirPath,\n\t})\n\tu.Permissions[testDir] = []string{dataprovider.PermCreateDirs}\n\tu.Permissions[testDir1] = []string{dataprovider.PermCreateDirs, dataprovider.PermUpload, dataprovider.PermRename}\n\tu.Permissions[path.Join(testDir1, \"subdir\")] = []string{dataprovider.PermRename}\n\n\tf := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: mappedPath,\n\t}\n\t_, _, err := httpdtest.AddFolder(f, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\t// check virtual folder auto creation\n\t\t_, err = os.Stat(mappedPath)\n\t\tassert.NoError(t, err)\n\t\ttestFileSize := int64(131072)\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpDownloadFile(path.Join(vdirPath, testFileName), localDownloadPath, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(vdirPath, \"new_name\")\n\t\tassert.Error(t, err, \"renaming a virtual folder must fail\")\n\t\terr = client.RemoveDirectory(vdirPath)\n\t\tassert.Error(t, err, \"removing a virtual folder must fail\")\n\t\terr = client.Mkdir(vdirPath)\n\t\tassert.Error(t, err, \"creating a virtual folder must fail\")\n\t\terr = client.Symlink(path.Join(vdirPath, testFileName), vdirPath)\n\t\tassert.Error(t, err, \"symlink to a virtual folder must fail\")\n\t\terr = client.Rename(\"/vdir\", \"/vdir1\")\n\t\tassert.Error(t, err, \"renaming a directory with a virtual folder inside must fail\")\n\t\terr = client.RemoveDirectory(\"/vdir\")\n\t\tassert.Error(t, err, \"removing a directory with a virtual folder inside must fail\")\n\t\terr = client.Mkdir(\"vdir1\")\n\t\tassert.NoError(t, err)\n\t\t// rename empty dir /vdir1, we have permission on /\n\t\terr = client.Rename(\"vdir1\", \"vdir2\")\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(\"vdir2\", testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\t// we don't have rename permission in testDir and vdir2 contains a file\n\t\terr = client.Rename(\"vdir2\", testDir)\n\t\tassert.Error(t, err)\n\t\terr = client.Rename(\"vdir2\", testDir1)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(testDir1, \"vdir2\")\n\t\tassert.NoError(t, err)\n\t\terr = client.MkdirAll(path.Join(\"vdir2\", \"subdir\"))\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(\"vdir2\", \"subdir\", testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(\"vdir2\", testDir1)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(testDir1, \"vdir2\")\n\t\tassert.NoError(t, err)\n\t\terr = client.MkdirAll(path.Join(\"vdir2\", \"subdir\", \"subdir\"))\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(\"vdir2\", \"subdir\", \"subdir\", testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(\"vdir2\", testDir1)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(testDir1, \"vdir3\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Remove(path.Join(\"vdir3\", \"subdir\", \"subdir\", testFileName))\n\t\tassert.NoError(t, err)\n\t\terr = client.RemoveDirectory(path.Join(\"vdir3\", \"subdir\", \"subdir\"))\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(\"vdir3\", testDir1)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(testDir1, \"vdir2\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Symlink(path.Join(\"vdir2\", \"subdir\", testFileName), path.Join(\"vdir2\", \"subdir\", \"alink\"))\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(\"vdir2\", testDir1)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestVirtualFoldersQuotaLimit(t *testing.T) {\n\tusePubKey := false\n\tu1 := getTestUser(usePubKey)\n\tu1.QuotaFiles = 1\n\tmappedPath1 := filepath.Join(os.TempDir(), \"vdir1\")\n\tfolderName1 := filepath.Base(mappedPath1)\n\tvdirPath1 := \"/vdir1\" //nolint:goconst\n\tmappedPath2 := filepath.Join(os.TempDir(), \"vdir2\")\n\tfolderName2 := filepath.Base(mappedPath2)\n\tvdirPath2 := \"/vdir2\" //nolint:goconst\n\tu1.VirtualFolders = append(u1.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: vdirPath1,\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tu1.VirtualFolders = append(u1.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t},\n\t\tVirtualPath: vdirPath2,\n\t\tQuotaFiles: 1,\n\t\tQuotaSize: 0,\n\t})\n\ttestFileSize := int64(131072)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\terr := createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\tu2 := getTestUser(usePubKey)\n\tu2.QuotaSize = testFileSize + 1\n\tu2.VirtualFolders = append(u2.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: vdirPath1,\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tu2.VirtualFolders = append(u2.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t},\n\t\tVirtualPath: vdirPath2,\n\t\tQuotaFiles: 0,\n\t\tQuotaSize: testFileSize + 1,\n\t})\n\tusers := []dataprovider.User{u1, u2}\n\tfor _, u := range users {\n\t\terr = os.MkdirAll(mappedPath1, os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\terr = os.MkdirAll(mappedPath2, os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\tf1 := vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t\tMappedPath: mappedPath1,\n\t\t}\n\t\t_, _, err := httpdtest.AddFolder(f1, http.StatusCreated)\n\t\tassert.NoError(t, err)\n\t\tf2 := vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t\tMappedPath: mappedPath2,\n\t\t}\n\t\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\t\tassert.NoError(t, err)\n\t\tconn, client, err := getSftpClient(user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tdefer conn.Close()\n\t\t\tdefer client.Close()\n\t\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath1, testFileName), testFileSize, client)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath2, testFileName), testFileSize, client)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\t\tassert.Error(t, err)\n\t\t\t_, err = client.Stat(testFileName)\n\t\t\tassert.Error(t, err)\n\t\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath1, testFileName+\"1\"), testFileSize, client)\n\t\t\tassert.Error(t, err)\n\t\t\t_, err = client.Stat(path.Join(vdirPath1, testFileName+\"1\"))\n\t\t\tassert.Error(t, err)\n\t\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath2, testFileName+\"1\"), testFileSize, client)\n\t\t\tassert.Error(t, err)\n\t\t\t_, err = client.Stat(path.Join(vdirPath2, testFileName+\"1\"))\n\t\t\tassert.Error(t, err)\n\t\t\terr = client.Remove(path.Join(vdirPath1, testFileName))\n\t\t\tassert.NoError(t, err)\n\t\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath1, testFileName), testFileSize, client)\n\t\t\tassert.Error(t, err)\n\t\t\t// now test renames\n\t\t\terr = client.Rename(testFileName, path.Join(vdirPath1, testFileName))\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.Rename(path.Join(vdirPath1, testFileName), path.Join(vdirPath1, testFileName+\".rename\"))\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.Rename(path.Join(vdirPath2, testFileName), path.Join(vdirPath2, testFileName+\".rename\"))\n\t\t\tassert.NoError(t, err)\n\t\t\terr = client.Rename(path.Join(vdirPath2, testFileName+\".rename\"), testFileName+\".rename\")\n\t\t\tassert.Error(t, err)\n\t\t\terr = client.Rename(path.Join(vdirPath2, testFileName+\".rename\"), path.Join(vdirPath1, testFileName))\n\t\t\tassert.Error(t, err)\n\t\t\terr = client.Rename(path.Join(vdirPath1, testFileName+\".rename\"), path.Join(vdirPath2, testFileName))\n\t\t\tassert.Error(t, err)\n\t\t\terr = client.Rename(path.Join(vdirPath1, testFileName+\".rename\"), testFileName)\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName1}, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName2}, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\tassert.NoError(t, err)\n\t\terr = os.RemoveAll(mappedPath1)\n\t\tassert.NoError(t, err)\n\t\terr = os.RemoveAll(mappedPath2)\n\t\tassert.NoError(t, err)\n\t}\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n}\n\nfunc TestSFTPLoopSimple(t *testing.T) {\n\tusePubKey := false\n\tuser1 := getTestSFTPUser(usePubKey)\n\tuser2 := getTestSFTPUser(usePubKey)\n\tuser1.Username += \"1\"\n\tuser2.Username += \"2\"\n\tuser1.FsConfig.Provider = sdk.SFTPFilesystemProvider\n\tuser2.FsConfig.Provider = sdk.SFTPFilesystemProvider\n\tuser1.FsConfig.SFTPConfig = vfs.SFTPFsConfig{\n\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\tEndpoint: sftpServerAddr,\n\t\t\tUsername: user2.Username,\n\t\t},\n\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t}\n\tuser2.FsConfig.SFTPConfig = vfs.SFTPFsConfig{\n\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\tEndpoint: sftpServerAddr,\n\t\t\tUsername: user1.Username,\n\t\t},\n\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t}\n\tuser1, resp, err := httpdtest.AddUser(user1, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tuser2, resp, err = httpdtest.AddUser(user2, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\n\t_, _, err = getSftpClient(user1, usePubKey)\n\tassert.Error(t, err)\n\t_, _, err = getSftpClient(user2, usePubKey)\n\tassert.Error(t, err)\n\n\tuser1.FsConfig.SFTPConfig.Username = user1.Username\n\tuser1.FsConfig.SFTPConfig.Password = kms.NewPlainSecret(defaultPassword)\n\n\t_, _, err = httpdtest.UpdateUser(user1, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\t_, _, err = getSftpClient(user1, usePubKey)\n\tassert.Error(t, err)\n\n\t_, err = httpdtest.RemoveUser(user1, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user1.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user2, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user2.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSFTPLoopVirtualFolders(t *testing.T) {\n\tusePubKey := false\n\tsftpFloderName := \"sftp\"\n\tuser1 := getTestUser(usePubKey)\n\tuser2 := getTestSFTPUser(usePubKey)\n\tuser3 := getTestSFTPUser(usePubKey)\n\tuser1.Username += \"1\"\n\tuser2.Username += \"2\"\n\tuser3.Username += \"3\"\n\n\t// user1 is a local account with a virtual SFTP folder to user2\n\t// user2 has user1 as SFTP fs\n\tuser1.VirtualFolders = append(user1.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: sftpFloderName,\n\t\t},\n\t\tVirtualPath: \"/vdir\",\n\t})\n\n\tuser2.FsConfig.Provider = sdk.SFTPFilesystemProvider\n\tuser2.FsConfig.SFTPConfig = vfs.SFTPFsConfig{\n\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\tEndpoint: sftpServerAddr,\n\t\t\tUsername: user1.Username,\n\t\t},\n\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t}\n\tuser3.FsConfig.Provider = sdk.SFTPFilesystemProvider\n\tuser3.FsConfig.SFTPConfig = vfs.SFTPFsConfig{\n\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\tEndpoint: sftpServerAddr,\n\t\t\tUsername: user1.Username,\n\t\t},\n\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t}\n\tf := vfs.BaseVirtualFolder{\n\t\tName: sftpFloderName,\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.SFTPFilesystemProvider,\n\t\t\tSFTPConfig: vfs.SFTPFsConfig{\n\t\t\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\t\t\tEndpoint: sftpServerAddr,\n\t\t\t\t\tUsername: user2.Username,\n\t\t\t\t\tEqualityCheckMode: 1,\n\t\t\t\t},\n\t\t\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err := httpdtest.AddFolder(f, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tuser1, resp, err := httpdtest.AddUser(user1, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tuser2, resp, err = httpdtest.AddUser(user2, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tuser3, resp, err = httpdtest.AddUser(user3, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\n\t// login will work but /vdir will not be accessible\n\tconn, client, err := getSftpClient(user1, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t\t_, err = client.ReadDir(\"/vdir\")\n\t\tassert.Error(t, err)\n\t}\n\t// now make user2 a local account with an SFTP virtual folder to user1.\n\t// So we have:\n\t// user1 -> local account with the SFTP virtual folder /vdir to user2\n\t// user2 -> local account with the SFTP virtual folder /vdir2 to user3\n\t// user3 -> sftp user with user1 as fs\n\tuser2.FsConfig.Provider = sdk.LocalFilesystemProvider\n\tuser2.FsConfig.SFTPConfig = vfs.SFTPFsConfig{}\n\tuser2.VirtualFolders = append(user2.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: sftpFloderName,\n\t\t\tFsConfig: vfs.Filesystem{\n\t\t\t\tProvider: sdk.SFTPFilesystemProvider,\n\t\t\t\tSFTPConfig: vfs.SFTPFsConfig{\n\t\t\t\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\t\t\t\tEndpoint: sftpServerAddr,\n\t\t\t\t\t\tUsername: user3.Username,\n\t\t\t\t\t},\n\t\t\t\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tVirtualPath: \"/vdir2\",\n\t})\n\tuser2, _, err = httpdtest.UpdateUser(user2, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\t// login will work but /vdir will not be accessible\n\tconn, client, err = getSftpClient(user1, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t\t_, err = client.ReadDir(\"/vdir\")\n\t\tassert.Error(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user1, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user1.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user2, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user2.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user3, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user3.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: sftpFloderName}, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestNestedVirtualFolders(t *testing.T) {\n\tusePubKey := true\n\tbaseUser, resp, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tu := getTestSFTPUser(usePubKey)\n\tu.QuotaFiles = 1000\n\tmappedPathCrypt := filepath.Join(os.TempDir(), \"crypt\")\n\tfolderNameCrypt := filepath.Base(mappedPathCrypt)\n\tvdirCryptPath := \"/vdir/crypt\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderNameCrypt,\n\t\t},\n\t\tVirtualPath: vdirCryptPath,\n\t\tQuotaFiles: 100,\n\t})\n\tmappedPath := filepath.Join(os.TempDir(), \"local\")\n\tfolderName := filepath.Base(mappedPath)\n\tvdirPath := \"/vdir/local\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: vdirPath,\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tmappedPathNested := filepath.Join(os.TempDir(), \"nested\")\n\tfolderNameNested := filepath.Base(mappedPathNested)\n\tvdirNestedPath := \"/vdir/crypt/nested\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderNameNested,\n\t\t},\n\t\tVirtualPath: vdirNestedPath,\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderNameCrypt,\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.CryptedFilesystemProvider,\n\t\t\tCryptConfig: vfs.CryptFsConfig{\n\t\t\t\tPassphrase: kms.NewPlainSecret(defaultPassword),\n\t\t\t},\n\t\t},\n\t\tMappedPath: mappedPathCrypt,\n\t}\n\t_, _, err = httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: mappedPath,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf3 := vfs.BaseVirtualFolder{\n\t\tName: folderNameNested,\n\t\tMappedPath: mappedPathNested,\n\t}\n\t_, _, err = httpdtest.AddFolder(f3, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser, resp, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\texpectedQuotaSize := int64(0)\n\t\texpectedQuotaFiles := 0\n\t\tfileSize := int64(32765)\n\t\terr = writeSFTPFile(testFileName, fileSize, client)\n\t\tassert.NoError(t, err)\n\t\texpectedQuotaSize += fileSize\n\t\texpectedQuotaFiles++\n\t\tfileSize = 38764\n\t\terr = writeSFTPFile(path.Join(\"/vdir\", testFileName), fileSize, client)\n\t\tassert.NoError(t, err)\n\t\texpectedQuotaSize += fileSize\n\t\texpectedQuotaFiles++\n\t\tfileSize = 18769\n\t\terr = writeSFTPFile(path.Join(vdirPath, testFileName), fileSize, client)\n\t\tassert.NoError(t, err)\n\t\texpectedQuotaSize += fileSize\n\t\texpectedQuotaFiles++\n\t\tfileSize = 27658\n\t\terr = writeSFTPFile(path.Join(vdirNestedPath, testFileName), fileSize, client)\n\t\tassert.NoError(t, err)\n\t\texpectedQuotaSize += fileSize\n\t\texpectedQuotaFiles++\n\t\tfileSize = 39765\n\t\terr = writeSFTPFile(path.Join(vdirCryptPath, testFileName), fileSize, client)\n\t\tassert.NoError(t, err)\n\n\t\tuserGet, _, err := httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, expectedQuotaFiles, userGet.UsedQuotaFiles)\n\t\tassert.Equal(t, expectedQuotaSize, userGet.UsedQuotaSize)\n\n\t\tfolderGet, _, err := httpdtest.GetFolderByName(folderNameCrypt, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Greater(t, folderGet.UsedQuotaSize, fileSize)\n\t\tassert.Equal(t, 1, folderGet.UsedQuotaFiles)\n\n\t\tfolderGet, _, err = httpdtest.GetFolderByName(folderName, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), folderGet.UsedQuotaSize)\n\t\tassert.Equal(t, 0, folderGet.UsedQuotaFiles)\n\n\t\tfolderGet, _, err = httpdtest.GetFolderByName(folderNameNested, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), folderGet.UsedQuotaSize)\n\t\tassert.Equal(t, 0, folderGet.UsedQuotaFiles)\n\n\t\tfiles, err := client.ReadDir(\"/\")\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Len(t, files, 2)\n\t\t}\n\t\tinfo, err := client.Stat(\"vdir\")\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.True(t, info.IsDir())\n\t\t}\n\t\tfiles, err = client.ReadDir(\"/vdir\")\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Len(t, files, 3)\n\t\t}\n\t\tfiles, err = client.ReadDir(vdirCryptPath)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Len(t, files, 2)\n\t\t}\n\t\tinfo, err = client.Stat(vdirNestedPath)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.True(t, info.IsDir())\n\t\t}\n\t\t// finally add some files directly using os method and then check quota\n\t\tfName := \"testfile\"\n\t\tfileSize = 123456\n\t\terr = createTestFile(filepath.Join(baseUser.HomeDir, fName), fileSize)\n\t\tassert.NoError(t, err)\n\t\texpectedQuotaSize += fileSize\n\t\texpectedQuotaFiles++\n\t\tfileSize = 8765\n\t\terr = createTestFile(filepath.Join(mappedPath, fName), fileSize)\n\t\tassert.NoError(t, err)\n\t\texpectedQuotaSize += fileSize\n\t\texpectedQuotaFiles++\n\t\tfileSize = 98751\n\t\terr = createTestFile(filepath.Join(mappedPathNested, fName), fileSize)\n\t\tassert.NoError(t, err)\n\t\texpectedQuotaSize += fileSize\n\t\texpectedQuotaFiles++\n\t\terr = createTestFile(filepath.Join(mappedPathCrypt, fName), fileSize)\n\t\tassert.NoError(t, err)\n\t\t_, err = httpdtest.StartQuotaScan(user, http.StatusAccepted)\n\t\tassert.NoError(t, err)\n\t\tassert.Eventually(t, func() bool {\n\t\t\tscans, _, err := httpdtest.GetQuotaScans(http.StatusOK)\n\t\t\tif err == nil {\n\t\t\t\treturn len(scans) == 0\n\t\t\t}\n\t\t\treturn false\n\t\t}, 1*time.Second, 50*time.Millisecond)\n\n\t\tuserGet, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, expectedQuotaFiles, userGet.UsedQuotaFiles)\n\t\tassert.Equal(t, expectedQuotaSize, userGet.UsedQuotaSize)\n\n\t\t// the crypt folder is not included within user quota so we need to do a separate scan\n\t\t_, err = httpdtest.StartFolderQuotaScan(vfs.BaseVirtualFolder{Name: folderNameCrypt}, http.StatusAccepted)\n\t\tassert.NoError(t, err)\n\t\tassert.Eventually(t, func() bool {\n\t\t\tscans, _, err := httpdtest.GetFoldersQuotaScans(http.StatusOK)\n\t\t\tif err == nil {\n\t\t\t\treturn len(scans) == 0\n\t\t\t}\n\t\t\treturn false\n\t\t}, 1*time.Second, 50*time.Millisecond)\n\t\tfolderGet, _, err = httpdtest.GetFolderByName(folderNameCrypt, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Greater(t, folderGet.UsedQuotaSize, int64(39765+98751))\n\t\tassert.Equal(t, 2, folderGet.UsedQuotaFiles)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderNameCrypt}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderNameNested}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(baseUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(baseUser.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPathCrypt)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPathNested)\n\tassert.NoError(t, err)\n}\n\nfunc TestBufferedUser(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.QuotaFiles = 1000\n\tu.FsConfig.OSConfig = sdk.OSFsConfig{\n\t\tWriteBufferSize: 2,\n\t\tReadBufferSize: 1,\n\t}\n\tvdirPath := \"/crypted\"\n\tmappedPath := filepath.Join(os.TempDir(), util.GenerateUniqueID())\n\tfolderName := filepath.Base(mappedPath)\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: vdirPath,\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tf := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: mappedPath,\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.CryptedFilesystemProvider,\n\t\t\tCryptConfig: vfs.CryptFsConfig{\n\t\t\t\tOSFsConfig: sdk.OSFsConfig{\n\t\t\t\t\tWriteBufferSize: 3,\n\t\t\t\t\tReadBufferSize: 2,\n\t\t\t\t},\n\t\t\t\tPassphrase: kms.NewPlainSecret(defaultPassword),\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err := httpdtest.AddFolder(f, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\texpectedQuotaSize := int64(0)\n\t\texpectedQuotaFiles := 0\n\t\tfileSize := int64(32768)\n\t\terr = writeSFTPFile(testFileName, fileSize, client)\n\t\tassert.NoError(t, err)\n\t\texpectedQuotaSize += fileSize\n\t\texpectedQuotaFiles++\n\t\terr = writeSFTPFile(path.Join(vdirPath, testFileName), fileSize, client)\n\t\tassert.NoError(t, err)\n\t\texpectedQuotaSize += fileSize\n\t\texpectedQuotaFiles++\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\tassert.Greater(t, user.UsedQuotaSize, expectedQuotaSize)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = sftpDownloadFile(testFileName, localDownloadPath, fileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpDownloadFile(path.Join(vdirPath, testFileName), localDownloadPath, fileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t\terr = client.Remove(path.Join(vdirPath, testFileName))\n\t\tassert.NoError(t, err)\n\n\t\tdata := []byte(\"test data\")\n\t\tf, err := client.OpenFile(testFileName, os.O_WRONLY|os.O_CREATE)\n\t\tif assert.NoError(t, err) {\n\t\t\tn, err := f.Write(data)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, len(data), n)\n\t\t\terr = f.Truncate(2)\n\t\t\tassert.NoError(t, err)\n\t\t\texpectedQuotaSize := int64(2)\n\t\t\texpectedQuotaFiles := 0\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\t\t_, err = f.Seek(expectedQuotaSize, io.SeekStart)\n\t\t\tassert.NoError(t, err)\n\t\t\tn, err = f.Write(data)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, len(data), n)\n\t\t\terr = f.Truncate(5)\n\t\t\tassert.NoError(t, err)\n\t\t\texpectedQuotaSize = int64(5)\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\t\t_, err = f.Seek(expectedQuotaSize, io.SeekStart)\n\t\t\tassert.NoError(t, err)\n\t\t\tn, err = f.Write(data)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, len(data), n)\n\t\t\terr = f.Close()\n\t\t\tassert.NoError(t, err)\n\t\t\texpectedQuotaSize = int64(5) + int64(len(data))\n\t\t\texpectedQuotaFiles = 1\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\t}\n\t\t// now truncate by path\n\t\terr = client.Truncate(testFileName, 5)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, int64(5), user.UsedQuotaSize)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestTruncateQuotaLimits(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.QuotaSize = 20\n\tmappedPath := filepath.Join(os.TempDir(), \"mapped\")\n\tfolderName := filepath.Base(mappedPath)\n\terr := os.MkdirAll(mappedPath, os.ModePerm)\n\tassert.NoError(t, err)\n\tvdirPath := \"/vmapped\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: vdirPath,\n\t\tQuotaFiles: 10,\n\t})\n\tf := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: mappedPath,\n\t}\n\t_, _, err = httpdtest.AddFolder(f, http.StatusCreated)\n\tassert.NoError(t, err)\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser(usePubKey)\n\tu.QuotaSize = 20\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\tconn, client, err := getSftpClient(user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tdefer conn.Close()\n\t\t\tdefer client.Close()\n\t\t\tdata := []byte(\"test data\")\n\t\t\tf, err := client.OpenFile(testFileName, os.O_WRONLY|os.O_CREATE)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\tn, err := f.Write(data)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, len(data), n)\n\t\t\t\terr = f.Truncate(2)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\texpectedQuotaFiles := 0\n\t\t\t\texpectedQuotaSize := int64(2)\n\t\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\t\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\t\t\t_, err = f.Seek(expectedQuotaSize, io.SeekStart)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tn, err = f.Write(data)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, len(data), n)\n\t\t\t\terr = f.Truncate(5)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\texpectedQuotaSize = int64(5)\n\t\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\t\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\t\t\t_, err = f.Seek(expectedQuotaSize, io.SeekStart)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tn, err = f.Write(data)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, len(data), n)\n\t\t\t\terr = f.Close()\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\texpectedQuotaFiles = 1\n\t\t\t\texpectedQuotaSize = int64(5) + int64(len(data))\n\t\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\t\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\t\t}\n\t\t\t// now truncate by path\n\t\t\terr = client.Truncate(testFileName, 5)\n\t\t\tassert.NoError(t, err)\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\t\tassert.Equal(t, int64(5), user.UsedQuotaSize)\n\t\t\t// now open an existing file without truncate it, quota should not change\n\t\t\tf, err = client.OpenFile(testFileName, os.O_WRONLY)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\terr = f.Close()\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\t\t\tassert.Equal(t, int64(5), user.UsedQuotaSize)\n\t\t\t}\n\t\t\t// open the file truncating it\n\t\t\tf, err = client.OpenFile(testFileName, os.O_WRONLY|os.O_TRUNC)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\terr = f.Close()\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\t\t\tassert.Equal(t, int64(0), user.UsedQuotaSize)\n\t\t\t}\n\t\t\t// now test max write size\n\t\t\tf, err = client.OpenFile(testFileName, os.O_WRONLY)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\tn, err := f.Write(data)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, len(data), n)\n\t\t\t\terr = f.Truncate(11)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\t\t\tassert.Equal(t, int64(11), user.UsedQuotaSize)\n\t\t\t\t_, err = f.Seek(int64(11), io.SeekStart)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tn, err = f.Write(data)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, len(data), n)\n\t\t\t\terr = f.Truncate(5)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\t\t\tassert.Equal(t, int64(5), user.UsedQuotaSize)\n\t\t\t\t_, err = f.Seek(int64(5), io.SeekStart)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tn, err = f.Write(data)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, len(data), n)\n\t\t\t\terr = f.Truncate(12)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\t\t\tassert.Equal(t, int64(12), user.UsedQuotaSize)\n\t\t\t\t_, err = f.Seek(int64(12), io.SeekStart)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\t_, err = f.Write(data)\n\t\t\t\tif assert.Error(t, err) {\n\t\t\t\t\tassert.Contains(t, err.Error(), common.ErrQuotaExceeded.Error())\n\t\t\t\t}\n\t\t\t\terr = f.Close()\n\t\t\t\tassert.Error(t, err)\n\t\t\t\t// the file is deleted\n\t\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, 0, user.UsedQuotaFiles)\n\t\t\t\tassert.Equal(t, int64(0), user.UsedQuotaSize)\n\t\t\t}\n\n\t\t\tif user.Username == defaultUsername {\n\t\t\t\t// basic test inside a virtual folder\n\t\t\t\tvfileName := path.Join(vdirPath, testFileName)\n\t\t\t\tf, err = client.OpenFile(vfileName, os.O_WRONLY|os.O_CREATE)\n\t\t\t\tif assert.NoError(t, err) {\n\t\t\t\t\tn, err := f.Write(data)\n\t\t\t\t\tassert.NoError(t, err)\n\t\t\t\t\tassert.Equal(t, len(data), n)\n\t\t\t\t\terr = f.Truncate(2)\n\t\t\t\t\tassert.NoError(t, err)\n\t\t\t\t\texpectedQuotaFiles := 0\n\t\t\t\t\texpectedQuotaSize := int64(2)\n\t\t\t\t\tfold, _, err := httpdtest.GetFolderByName(folderName, http.StatusOK)\n\t\t\t\t\tassert.NoError(t, err)\n\t\t\t\t\tassert.Equal(t, expectedQuotaSize, fold.UsedQuotaSize)\n\t\t\t\t\tassert.Equal(t, expectedQuotaFiles, fold.UsedQuotaFiles)\n\t\t\t\t\terr = f.Close()\n\t\t\t\t\tassert.NoError(t, err)\n\t\t\t\t\texpectedQuotaFiles = 1\n\t\t\t\t\tfold, _, err = httpdtest.GetFolderByName(folderName, http.StatusOK)\n\t\t\t\t\tassert.NoError(t, err)\n\t\t\t\t\tassert.Equal(t, expectedQuotaSize, fold.UsedQuotaSize)\n\t\t\t\t\tassert.Equal(t, expectedQuotaFiles, fold.UsedQuotaFiles)\n\t\t\t\t}\n\t\t\t\terr = client.Truncate(vfileName, 1)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tfold, _, err := httpdtest.GetFolderByName(folderName, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, int64(1), fold.UsedQuotaSize)\n\t\t\t\tassert.Equal(t, 1, fold.UsedQuotaFiles)\n\t\t\t\t// cleanup\n\t\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tuser.Password = defaultPassword\n\t\t\t\tuser.ID = 0\n\t\t\t\tuser.CreatedAt = 0\n\t\t\t\tuser.QuotaSize = 0\n\t\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\t\tassert.NoError(t, err, string(resp))\n\t\t\t}\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestVirtualFoldersQuotaRenameOverwrite(t *testing.T) {\n\tusePubKey := true\n\ttestFileSize := int64(131072)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize1 := int64(65537)\n\ttestFileName1 := \"test_file1.dat\"\n\ttestFilePath1 := filepath.Join(homeBasePath, testFileName1)\n\terr := createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\terr = createTestFile(testFilePath1, testFileSize1)\n\tassert.NoError(t, err)\n\tu := getTestUser(usePubKey)\n\tu.QuotaFiles = 0\n\tu.QuotaSize = 0\n\tmappedPath1 := filepath.Join(os.TempDir(), \"vdir1\")\n\tfolderName1 := filepath.Base(mappedPath1)\n\tvdirPath1 := \"/vdir1\"\n\tmappedPath2 := filepath.Join(os.TempDir(), \"vdir2\")\n\tfolderName2 := filepath.Base(mappedPath2)\n\tvdirPath2 := \"/vdir2\"\n\tmappedPath3 := filepath.Join(os.TempDir(), \"vdir3\")\n\tfolderName3 := filepath.Base(mappedPath3)\n\tvdirPath3 := \"/vdir3\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: vdirPath1,\n\t\tQuotaFiles: 2,\n\t\tQuotaSize: 0,\n\t})\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t},\n\t\tVirtualPath: vdirPath2,\n\t\tQuotaFiles: 0,\n\t\tQuotaSize: testFileSize + testFileSize1 + 1,\n\t})\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName3,\n\t\t},\n\t\tVirtualPath: vdirPath3,\n\t\tQuotaFiles: 2,\n\t\tQuotaSize: testFileSize * 2,\n\t})\n\terr = os.MkdirAll(mappedPath1, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(mappedPath2, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(mappedPath3, os.ModePerm)\n\tassert.NoError(t, err)\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderName1,\n\t\tMappedPath: mappedPath1,\n\t}\n\t_, _, err = httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName2,\n\t\tMappedPath: mappedPath2,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf3 := vfs.BaseVirtualFolder{\n\t\tName: folderName3,\n\t\tMappedPath: mappedPath3,\n\t}\n\t_, _, err = httpdtest.AddFolder(f3, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath2, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, path.Join(vdirPath1, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, path.Join(vdirPath2, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, testFileName1, testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath3, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath3, testFileName+\"1\"), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(testFileName, path.Join(vdirPath1, testFileName+\".rename\"))\n\t\tassert.Error(t, err)\n\t\t// we overwrite an existing file and we have unlimited size\n\t\terr = client.Rename(testFileName, path.Join(vdirPath1, testFileName))\n\t\tassert.NoError(t, err)\n\t\t// we have no space and we try to overwrite a bigger file with a smaller one, this should succeed\n\t\terr = client.Rename(testFileName1, path.Join(vdirPath2, testFileName))\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath2, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\t// we have no space and we try to overwrite a smaller file with a bigger one, this should fail\n\t\terr = client.Rename(testFileName, path.Join(vdirPath2, testFileName1))\n\t\tassert.Error(t, err)\n\t\tfi, err := client.Stat(path.Join(vdirPath1, testFileName1))\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, testFileSize1, fi.Size())\n\t\t}\n\t\t// we are overquota inside vdir3 size 2/2 and size 262144/262144\n\t\terr = client.Rename(path.Join(vdirPath1, testFileName1), path.Join(vdirPath3, testFileName1+\".rename\"))\n\t\tassert.Error(t, err)\n\t\t// we overwrite an existing file and we have enough size\n\t\terr = client.Rename(path.Join(vdirPath1, testFileName1), path.Join(vdirPath3, testFileName))\n\t\tassert.NoError(t, err)\n\t\ttestFileName2 := \"test_file2.dat\"\n\t\ttestFilePath2 := filepath.Join(homeBasePath, testFileName2)\n\t\terr = createTestFile(testFilePath2, testFileSize+testFileSize1)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath2, testFileName2, testFileSize+testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\t// we overwrite an existing file and we haven't enough size\n\t\terr = client.Rename(testFileName2, path.Join(vdirPath3, testFileName))\n\t\tassert.Error(t, err)\n\t\terr = os.Remove(testFilePath2)\n\t\tassert.NoError(t, err)\n\t\t// now remove a file from vdir3, create a dir with 2 files and try to rename it in vdir3\n\t\t// this will fail since the rename will result in 3 files inside vdir3 and quota limits only\n\t\t// allow 2 total files there\n\t\terr = client.Remove(path.Join(vdirPath3, testFileName+\"1\"))\n\t\tassert.NoError(t, err)\n\t\taDir := \"a dir\"\n\t\terr = client.Mkdir(aDir)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, path.Join(aDir, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, path.Join(aDir, testFileName1+\"1\"), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(aDir, path.Join(vdirPath3, aDir))\n\t\tassert.Error(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName1}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName2}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName3}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath1)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath2)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath3)\n\tassert.NoError(t, err)\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\terr = os.Remove(testFilePath1)\n\tassert.NoError(t, err)\n}\n\nfunc TestVirtualFoldersQuotaValues(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.QuotaFiles = 100\n\tmappedPath1 := filepath.Join(os.TempDir(), \"vdir1\")\n\tvdirPath1 := \"/vdir1\" //nolint:goconst\n\tfolderName1 := filepath.Base(mappedPath1)\n\tmappedPath2 := filepath.Join(os.TempDir(), \"vdir2\")\n\tvdirPath2 := \"/vdir2\" //nolint:goconst\n\tfolderName2 := filepath.Base(mappedPath2)\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: vdirPath1,\n\t\t// quota is included in the user's one\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t},\n\t\tVirtualPath: vdirPath2,\n\t\t// quota is unlimited and excluded from user's one\n\t\tQuotaFiles: 0,\n\t\tQuotaSize: 0,\n\t})\n\terr := os.MkdirAll(mappedPath1, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(mappedPath2, os.ModePerm)\n\tassert.NoError(t, err)\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderName1,\n\t\tMappedPath: mappedPath1,\n\t}\n\t_, _, err = httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName2,\n\t\tMappedPath: mappedPath2,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFileSize := int64(131072)\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\t// we copy the same file two times to test quota update on file overwrite\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath2, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath2, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\texpectedQuotaFiles := 2\n\t\texpectedQuotaSize := testFileSize * 2\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\tf, _, err := httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize, f.UsedQuotaSize)\n\t\tassert.Equal(t, 1, f.UsedQuotaFiles)\n\n\t\terr = client.Remove(path.Join(vdirPath1, testFileName))\n\t\tassert.NoError(t, err)\n\t\terr = client.Remove(path.Join(vdirPath2, testFileName))\n\t\tassert.NoError(t, err)\n\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName1}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName2}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath1)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath2)\n\tassert.NoError(t, err)\n}\n\nfunc TestQuotaRenameInsideSameVirtualFolder(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.QuotaFiles = 100\n\tmappedPath1 := filepath.Join(os.TempDir(), \"vdir1\")\n\tvdirPath1 := \"/vdir1\"\n\tfolderName1 := filepath.Base(mappedPath1)\n\tmappedPath2 := filepath.Join(os.TempDir(), \"vdir2\")\n\tvdirPath2 := \"/vdir2\"\n\tfolderName2 := filepath.Base(mappedPath2)\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: vdirPath1,\n\t\t// quota is included in the user's one\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t},\n\t\tVirtualPath: vdirPath2,\n\t\t// quota is unlimited and excluded from user's one\n\t\tQuotaFiles: 0,\n\t\tQuotaSize: 0,\n\t})\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderName1,\n\t\tMappedPath: mappedPath1,\n\t}\n\t_, _, err := httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName2,\n\t\tMappedPath: mappedPath2,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(mappedPath1, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(mappedPath2, os.ModePerm)\n\tassert.NoError(t, err)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFileName1 := \"test_file1.dat\"\n\t\ttestFileSize := int64(131072)\n\t\ttestFileSize1 := int64(65535)\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFilePath1 := filepath.Join(homeBasePath, testFileName1)\n\t\tdir1 := \"dir1\" //nolint:goconst\n\t\tdir2 := \"dir2\" //nolint:goconst\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = createTestFile(testFilePath1, testFileSize1)\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath1, dir1))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath1, dir2))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath2, dir1))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath2, dir2))\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath1, dir1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, path.Join(vdirPath1, dir2, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath2, dir1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, path.Join(vdirPath2, dir2, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize+testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err := httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize+testFileSize1, f.UsedQuotaSize)\n\t\tassert.Equal(t, 2, f.UsedQuotaFiles)\n\t\t// initial files:\n\t\t// - vdir1/dir1/testFileName\n\t\t// - vdir1/dir2/testFileName1\n\t\t// - vdir2/dir1/testFileName\n\t\t// - vdir2/dir2/testFileName1\n\t\t//\n\t\t// rename a file inside vdir1 it is included inside user quota, so we have:\n\t\t// - vdir1/dir1/testFileName.rename\n\t\t// - vdir1/dir2/testFileName1\n\t\t// - vdir2/dir1/testFileName\n\t\t// - vdir2/dir2/testFileName1\n\t\terr = client.Rename(path.Join(vdirPath1, dir1, testFileName), path.Join(vdirPath1, dir1, testFileName+\".rename\"))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize+testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\t// rename a file inside vdir2, it isn't included inside user quota, so we have:\n\t\t// - vdir1/dir1/testFileName.rename\n\t\t// - vdir1/dir2/testFileName1\n\t\t// - vdir2/dir1/testFileName.rename\n\t\t// - vdir2/dir2/testFileName1\n\t\terr = client.Rename(path.Join(vdirPath2, dir1, testFileName), path.Join(vdirPath2, dir1, testFileName+\".rename\"))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize+testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize+testFileSize1, f.UsedQuotaSize)\n\t\tassert.Equal(t, 2, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\t// rename a file inside vdir2 overwriting an existing, we now have:\n\t\t// - vdir1/dir1/testFileName.rename\n\t\t// - vdir1/dir2/testFileName1\n\t\t// - vdir2/dir1/testFileName.rename (initial testFileName1)\n\t\terr = client.Rename(path.Join(vdirPath2, dir2, testFileName1), path.Join(vdirPath2, dir1, testFileName+\".rename\"))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize+testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize1, f.UsedQuotaSize)\n\t\tassert.Equal(t, 1, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\t// rename a file inside vdir1 overwriting an existing, we now have:\n\t\t// - vdir1/dir1/testFileName.rename (initial testFileName1)\n\t\t// - vdir2/dir1/testFileName.rename (initial testFileName1)\n\t\terr = client.Rename(path.Join(vdirPath1, dir2, testFileName1), path.Join(vdirPath1, dir1, testFileName+\".rename\"))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize1, f.UsedQuotaSize)\n\t\tassert.Equal(t, 1, f.UsedQuotaFiles)\n\t\t// rename a directory inside the same virtual folder, quota should not change\n\t\terr = client.RemoveDirectory(path.Join(vdirPath1, dir2))\n\t\tassert.NoError(t, err)\n\t\terr = client.RemoveDirectory(path.Join(vdirPath2, dir2))\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(path.Join(vdirPath1, dir1), path.Join(vdirPath1, dir2))\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(path.Join(vdirPath2, dir1), path.Join(vdirPath2, dir2))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize1, f.UsedQuotaSize)\n\t\tassert.Equal(t, 1, f.UsedQuotaFiles)\n\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath1)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName1}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName2}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath1)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath2)\n\tassert.NoError(t, err)\n}\n\nfunc TestQuotaRenameBetweenVirtualFolder(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.QuotaFiles = 100\n\tmappedPath1 := filepath.Join(os.TempDir(), \"vdir1\")\n\tfolderName1 := filepath.Base(mappedPath1)\n\tvdirPath1 := \"/vdir1\"\n\tmappedPath2 := filepath.Join(os.TempDir(), \"vdir2\")\n\tfolderName2 := filepath.Base(mappedPath2)\n\tvdirPath2 := \"/vdir2\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: vdirPath1,\n\t\t// quota is included in the user's one\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t},\n\t\tVirtualPath: vdirPath2,\n\t\t// quota is unlimited and excluded from user's one\n\t\tQuotaFiles: 0,\n\t\tQuotaSize: 0,\n\t})\n\terr := os.MkdirAll(mappedPath1, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(mappedPath2, os.ModePerm)\n\tassert.NoError(t, err)\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderName1,\n\t\tMappedPath: mappedPath1,\n\t}\n\t_, _, err = httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName2,\n\t\tMappedPath: mappedPath2,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFileName1 := \"test_file1.dat\"\n\t\ttestFileSize := int64(131072)\n\t\ttestFileSize1 := int64(65535)\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFilePath1 := filepath.Join(homeBasePath, testFileName1)\n\t\tdir1 := \"dir1\"\n\t\tdir2 := \"dir2\"\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = createTestFile(testFilePath1, testFileSize1)\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath1, dir1))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath1, dir2))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath2, dir1))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath2, dir2))\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath1, dir1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, path.Join(vdirPath1, dir2, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath2, dir1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, path.Join(vdirPath2, dir2, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\t// initial files:\n\t\t// - vdir1/dir1/testFileName\n\t\t// - vdir1/dir2/testFileName1\n\t\t// - vdir2/dir1/testFileName\n\t\t// - vdir2/dir2/testFileName1\n\t\t//\n\t\t// rename a file from vdir1 to vdir2, vdir1 is included inside user quota, so we have:\n\t\t// - vdir1/dir1/testFileName\n\t\t// - vdir2/dir1/testFileName\n\t\t// - vdir2/dir2/testFileName1\n\t\t// - vdir2/dir1/testFileName1.rename\n\t\terr = client.Rename(path.Join(vdirPath1, dir2, testFileName1), path.Join(vdirPath2, dir1, testFileName1+\".rename\"))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize, user.UsedQuotaSize)\n\t\tf, _, err := httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize+testFileSize1+testFileSize1, f.UsedQuotaSize)\n\t\tassert.Equal(t, 3, f.UsedQuotaFiles)\n\t\t// rename a file from vdir2 to vdir1, vdir2 is not included inside user quota, so we have:\n\t\t// - vdir1/dir1/testFileName\n\t\t// - vdir1/dir2/testFileName.rename\n\t\t// - vdir2/dir2/testFileName1\n\t\t// - vdir2/dir1/testFileName1.rename\n\t\terr = client.Rename(path.Join(vdirPath2, dir1, testFileName), path.Join(vdirPath1, dir2, testFileName+\".rename\"))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize*2, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize1*2, f.UsedQuotaSize)\n\t\tassert.Equal(t, 2, f.UsedQuotaFiles)\n\t\t// rename a file from vdir1 to vdir2 overwriting an existing file, vdir1 is included inside user quota, so we have:\n\t\t// - vdir1/dir2/testFileName.rename\n\t\t// - vdir2/dir2/testFileName1 (is the initial testFileName)\n\t\t// - vdir2/dir1/testFileName1.rename\n\t\terr = client.Rename(path.Join(vdirPath1, dir1, testFileName), path.Join(vdirPath2, dir2, testFileName1))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize1+testFileSize, f.UsedQuotaSize)\n\t\tassert.Equal(t, 2, f.UsedQuotaFiles)\n\t\t// rename a file from vdir2 to vdir1 overwriting an existing file, vdir2 is not included inside user quota, so we have:\n\t\t// - vdir1/dir2/testFileName.rename (is the initial testFileName1)\n\t\t// - vdir2/dir2/testFileName1 (is the initial testFileName)\n\t\terr = client.Rename(path.Join(vdirPath2, dir1, testFileName1+\".rename\"), path.Join(vdirPath1, dir2, testFileName+\".rename\"))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize, f.UsedQuotaSize)\n\t\tassert.Equal(t, 1, f.UsedQuotaFiles)\n\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath1, dir2, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, path.Join(vdirPath2, dir2, testFileName), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, path.Join(vdirPath2, dir2, testFileName+\"1.dupl\"), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.RemoveDirectory(path.Join(vdirPath1, dir1))\n\t\tassert.NoError(t, err)\n\t\terr = client.RemoveDirectory(path.Join(vdirPath2, dir1))\n\t\tassert.NoError(t, err)\n\t\t// - vdir1/dir2/testFileName.rename (initial testFileName1)\n\t\t// - vdir1/dir2/testFileName\n\t\t// - vdir2/dir2/testFileName1 (initial testFileName)\n\t\t// - vdir2/dir2/testFileName (initial testFileName1)\n\t\t// - vdir2/dir2/testFileName1.dupl\n\t\t// rename directories between the two virtual folders\n\t\terr = client.Rename(path.Join(vdirPath2, dir2), path.Join(vdirPath1, dir1))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 5, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize1*3+testFileSize*2, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\t// now move on vpath2\n\t\terr = client.Rename(path.Join(vdirPath1, dir2), path.Join(vdirPath2, dir1))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 3, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize1*2+testFileSize, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize+testFileSize1, f.UsedQuotaSize)\n\t\tassert.Equal(t, 2, f.UsedQuotaFiles)\n\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath1)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName1}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName2}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath1)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath2)\n\tassert.NoError(t, err)\n}\n\nfunc TestQuotaRenameFromVirtualFolder(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.QuotaFiles = 100\n\tmappedPath1 := filepath.Join(os.TempDir(), \"vdir1\")\n\tfolderName1 := filepath.Base(mappedPath1)\n\tvdirPath1 := \"/vdir1\"\n\tmappedPath2 := filepath.Join(os.TempDir(), \"vdir2\")\n\tfolderName2 := filepath.Base(mappedPath2)\n\tvdirPath2 := \"/vdir2\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: vdirPath1,\n\t\t// quota is included in the user's one\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t},\n\t\tVirtualPath: vdirPath2,\n\t\t// quota is unlimited and excluded from user's one\n\t\tQuotaFiles: 0,\n\t\tQuotaSize: 0,\n\t})\n\terr := os.MkdirAll(mappedPath1, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(mappedPath2, os.ModePerm)\n\tassert.NoError(t, err)\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderName1,\n\t\tMappedPath: mappedPath1,\n\t}\n\t_, _, err = httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName2,\n\t\tMappedPath: mappedPath2,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFileName1 := \"test_file1.dat\"\n\t\ttestFileSize := int64(131072)\n\t\ttestFileSize1 := int64(65535)\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFilePath1 := filepath.Join(homeBasePath, testFileName1)\n\t\tdir1 := \"dir1\"\n\t\tdir2 := \"dir2\"\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = createTestFile(testFilePath1, testFileSize1)\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath1, dir1))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath1, dir2))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath2, dir1))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath2, dir2))\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath1, dir1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, path.Join(vdirPath1, dir2, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath2, dir1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, path.Join(vdirPath2, dir2, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\t// initial files:\n\t\t// - vdir1/dir1/testFileName\n\t\t// - vdir1/dir2/testFileName1\n\t\t// - vdir2/dir1/testFileName\n\t\t// - vdir2/dir2/testFileName1\n\t\t//\n\t\t// rename a file from vdir1 to the user home dir, vdir1 is included in user quota so we have:\n\t\t// - testFileName\n\t\t// - vdir1/dir2/testFileName1\n\t\t// - vdir2/dir1/testFileName\n\t\t// - vdir2/dir2/testFileName1\n\t\terr = client.Rename(path.Join(vdirPath1, dir1, testFileName), path.Join(testFileName))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize+testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err := httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize+testFileSize1, f.UsedQuotaSize)\n\t\tassert.Equal(t, 2, f.UsedQuotaFiles)\n\t\t// rename a file from vdir2 to the user home dir, vdir2 is not included in user quota so we have:\n\t\t// - testFileName\n\t\t// - testFileName1\n\t\t// - vdir1/dir2/testFileName1\n\t\t// - vdir2/dir1/testFileName\n\t\terr = client.Rename(path.Join(vdirPath2, dir2, testFileName1), path.Join(testFileName1))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 3, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize+testFileSize1+testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize, f.UsedQuotaSize)\n\t\tassert.Equal(t, 1, f.UsedQuotaFiles)\n\t\t// rename a file from vdir1 to the user home dir overwriting an existing file, vdir1 is included in user quota so we have:\n\t\t// - testFileName (initial testFileName1)\n\t\t// - testFileName1\n\t\t// - vdir2/dir1/testFileName\n\t\terr = client.Rename(path.Join(vdirPath1, dir2, testFileName1), path.Join(testFileName))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize1+testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize, f.UsedQuotaSize)\n\t\tassert.Equal(t, 1, f.UsedQuotaFiles)\n\t\t// rename a file from vdir2 to the user home dir overwriting an existing file, vdir2 is not included in user quota so we have:\n\t\t// - testFileName (initial testFileName1)\n\t\t// - testFileName1 (initial testFileName)\n\t\terr = client.Rename(path.Join(vdirPath2, dir1, testFileName), path.Join(testFileName1))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize+testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\t// dir rename\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath1, dir1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, path.Join(vdirPath1, dir1, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath2, dir1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, path.Join(vdirPath2, dir1, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\t// - testFileName (initial testFileName1)\n\t\t// - testFileName1 (initial testFileName)\n\t\t// - vdir1/dir1/testFileName\n\t\t// - vdir1/dir1/testFileName1\n\t\t// - dir1/testFileName\n\t\t// - dir1/testFileName1\n\t\terr = client.Rename(path.Join(vdirPath2, dir1), dir1)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 6, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize*3+testFileSize1*3, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\t// - testFileName (initial testFileName1)\n\t\t// - testFileName1 (initial testFileName)\n\t\t// - dir2/testFileName\n\t\t// - dir2/testFileName1\n\t\t// - dir1/testFileName\n\t\t// - dir1/testFileName1\n\t\terr = client.Rename(path.Join(vdirPath1, dir1), dir2)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 6, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize*3+testFileSize1*3, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath1)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName1}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName2}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath1)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath2)\n\tassert.NoError(t, err)\n}\n\nfunc TestQuotaRenameToVirtualFolder(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.QuotaFiles = 100\n\tmappedPath1 := filepath.Join(os.TempDir(), \"vdir1\")\n\tfolderName1 := filepath.Base(mappedPath1)\n\tvdirPath1 := \"/vdir1\"\n\tmappedPath2 := filepath.Join(os.TempDir(), \"vdir2\")\n\tfolderName2 := filepath.Base(mappedPath2)\n\tvdirPath2 := \"/vdir2\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: vdirPath1,\n\t\t// quota is included in the user's one\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t},\n\t\tVirtualPath: vdirPath2,\n\t\t// quota is unlimited and excluded from user's one\n\t\tQuotaFiles: 0,\n\t\tQuotaSize: 0,\n\t})\n\terr := os.MkdirAll(mappedPath1, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(mappedPath2, os.ModePerm)\n\tassert.NoError(t, err)\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderName1,\n\t\tMappedPath: mappedPath1,\n\t}\n\t_, _, err = httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName2,\n\t\tMappedPath: mappedPath2,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFileName1 := \"test_file1.dat\"\n\t\ttestFileSize := int64(131072)\n\t\ttestFileSize1 := int64(65535)\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFilePath1 := filepath.Join(homeBasePath, testFileName1)\n\t\tdir1 := \"dir1\"\n\t\tdir2 := \"dir2\"\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = createTestFile(testFilePath1, testFileSize1)\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath1, dir1))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath1, dir2))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath2, dir1))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath2, dir2))\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, testFileName1, testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\t// initial files:\n\t\t// - testFileName\n\t\t// - testFileName1\n\t\t//\n\t\t// rename a file from user home dir to vdir1, vdir1 is included in user quota so we have:\n\t\t// - testFileName\n\t\t// - /vdir1/dir1/testFileName1\n\t\terr = client.Rename(testFileName1, path.Join(vdirPath1, dir1, testFileName1))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize+testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err := httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\t// rename a file from user home dir to vdir2, vdir2 is not included in user quota so we have:\n\t\t// - /vdir2/dir1/testFileName\n\t\t// - /vdir1/dir1/testFileName1\n\t\terr = client.Rename(testFileName, path.Join(vdirPath2, dir1, testFileName))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize, f.UsedQuotaSize)\n\t\tassert.Equal(t, 1, f.UsedQuotaFiles)\n\t\t// upload two new files to the user home dir so we have:\n\t\t// - testFileName\n\t\t// - testFileName1\n\t\t// - /vdir1/dir1/testFileName1\n\t\t// - /vdir2/dir1/testFileName\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, testFileName1, testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 3, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize+testFileSize1+testFileSize1, user.UsedQuotaSize)\n\t\t// rename a file from user home dir to vdir1 overwriting an existing file, vdir1 is included in user quota so we have:\n\t\t// - testFileName1\n\t\t// - /vdir1/dir1/testFileName1 (initial testFileName)\n\t\t// - /vdir2/dir1/testFileName\n\t\terr = client.Rename(testFileName, path.Join(vdirPath1, dir1, testFileName1))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize+testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize, f.UsedQuotaSize)\n\t\tassert.Equal(t, 1, f.UsedQuotaFiles)\n\t\t// rename a file from user home dir to vdir2 overwriting an existing file, vdir2 is not included in user quota so we have:\n\t\t// - /vdir1/dir1/testFileName1 (initial testFileName)\n\t\t// - /vdir2/dir1/testFileName (initial testFileName1)\n\t\terr = client.Rename(testFileName1, path.Join(vdirPath2, dir1, testFileName))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize1, f.UsedQuotaSize)\n\t\tassert.Equal(t, 1, f.UsedQuotaFiles)\n\n\t\terr = client.Mkdir(dir1)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(dir1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, path.Join(dir1, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\t// - /dir1/testFileName\n\t\t// - /dir1/testFileName1\n\t\t// - /vdir1/dir1/testFileName1 (initial testFileName)\n\t\t// - /vdir2/dir1/testFileName (initial testFileName1)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 3, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize*2+testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize1, f.UsedQuotaSize)\n\t\tassert.Equal(t, 1, f.UsedQuotaFiles)\n\t\t// - /vdir1/adir/testFileName\n\t\t// - /vdir1/adir/testFileName1\n\t\t// - /vdir1/dir1/testFileName1 (initial testFileName)\n\t\t// - /vdir2/dir1/testFileName (initial testFileName1)\n\t\terr = client.Rename(dir1, path.Join(vdirPath1, \"adir\"))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 3, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize*2+testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize1, f.UsedQuotaSize)\n\t\tassert.Equal(t, 1, f.UsedQuotaFiles)\n\t\terr = client.Mkdir(dir1)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(dir1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, path.Join(dir1, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\t// - /vdir1/adir/testFileName\n\t\t// - /vdir1/adir/testFileName1\n\t\t// - /vdir1/dir1/testFileName1 (initial testFileName)\n\t\t// - /vdir2/dir1/testFileName (initial testFileName1)\n\t\t// - /vdir2/adir/testFileName\n\t\t// - /vdir2/adir/testFileName1\n\t\terr = client.Rename(dir1, path.Join(vdirPath2, \"adir\"))\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 3, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize*2+testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize1*2+testFileSize, f.UsedQuotaSize)\n\t\tassert.Equal(t, 3, f.UsedQuotaFiles)\n\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath1)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName1}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName2}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath1)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath2)\n\tassert.NoError(t, err)\n}\n\nfunc TestVirtualFoldersLink(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tmappedPath1 := filepath.Join(os.TempDir(), \"vdir1\")\n\tfolderName1 := filepath.Base(mappedPath1)\n\tvdirPath1 := \"/vdir1\"\n\tmappedPath2 := filepath.Join(os.TempDir(), \"vdir2\")\n\tfolderName2 := filepath.Base(mappedPath2)\n\tvdirPath2 := \"/vdir2\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: vdirPath1,\n\t\t// quota is included in the user's one\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t},\n\t\tVirtualPath: vdirPath2,\n\t\t// quota is unlimited and excluded from user's one\n\t\tQuotaFiles: 0,\n\t\tQuotaSize: 0,\n\t})\n\terr := os.MkdirAll(mappedPath1, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(mappedPath2, os.ModePerm)\n\tassert.NoError(t, err)\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderName1,\n\t\tMappedPath: mappedPath1,\n\t}\n\t_, _, err = httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName2,\n\t\tMappedPath: mappedPath2,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFileSize := int64(131072)\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestDir := \"adir\"\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath2, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath1, testDir))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath2, testDir))\n\t\tassert.NoError(t, err)\n\t\terr = client.Symlink(testFileName, testFileName+\".link\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Symlink(path.Join(vdirPath1, testFileName), path.Join(vdirPath1, testFileName+\".link\"))\n\t\tassert.NoError(t, err)\n\t\terr = client.Symlink(path.Join(vdirPath1, testFileName), path.Join(vdirPath1, testDir, testFileName+\".link\"))\n\t\tassert.NoError(t, err)\n\t\terr = client.Symlink(path.Join(vdirPath2, testFileName), path.Join(vdirPath2, testFileName+\".link\"))\n\t\tassert.NoError(t, err)\n\t\terr = client.Symlink(path.Join(vdirPath2, testFileName), path.Join(vdirPath2, testDir, testFileName+\".link\"))\n\t\tassert.NoError(t, err)\n\t\terr = client.Symlink(path.Join(\"/\", testFileName), path.Join(vdirPath1, testFileName+\".link1\")) //nolint:goconst\n\t\tassert.Error(t, err)\n\t\terr = client.Symlink(path.Join(\"/\", testFileName), path.Join(vdirPath1, testDir, testFileName+\".link1\"))\n\t\tassert.Error(t, err)\n\t\terr = client.Symlink(path.Join(\"/\", testFileName), path.Join(vdirPath2, testFileName+\".link1\"))\n\t\tassert.Error(t, err)\n\t\terr = client.Symlink(path.Join(\"/\", testFileName), path.Join(vdirPath2, testDir, testFileName+\".link1\"))\n\t\tassert.Error(t, err)\n\t\terr = client.Symlink(path.Join(vdirPath1, testFileName), testFileName+\".link1\")\n\t\tassert.Error(t, err)\n\t\terr = client.Symlink(path.Join(vdirPath2, testFileName), testFileName+\".link1\")\n\t\tassert.Error(t, err)\n\t\terr = client.Symlink(path.Join(vdirPath1, testFileName), path.Join(vdirPath2, testDir, testFileName+\".link1\"))\n\t\tassert.Error(t, err)\n\t\terr = client.Symlink(path.Join(vdirPath2, testFileName), path.Join(vdirPath1, testFileName+\".link1\"))\n\t\tassert.Error(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName1}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName2}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath1)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath2)\n\tassert.NoError(t, err)\n}\n\nfunc TestVirtualFolderQuotaScan(t *testing.T) {\n\tmappedPath := filepath.Join(os.TempDir(), \"mapped_dir\")\n\tfolderName := filepath.Base(mappedPath)\n\terr := os.MkdirAll(mappedPath, os.ModePerm)\n\tassert.NoError(t, err)\n\ttestFileSize := int64(65535)\n\ttestFilePath := filepath.Join(mappedPath, testFileName)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\texpectedQuotaSize := testFileSize\n\texpectedQuotaFiles := 1\n\tfolder, _, err := httpdtest.AddFolder(vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: mappedPath,\n\t}, http.StatusCreated)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.StartFolderQuotaScan(folder, http.StatusAccepted)\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool {\n\t\tscans, _, err := httpdtest.GetFoldersQuotaScans(http.StatusOK)\n\t\tif err == nil {\n\t\t\treturn len(scans) == 0\n\t\t}\n\t\treturn false\n\t}, 1*time.Second, 50*time.Millisecond)\n\tfolder, _, err = httpdtest.GetFolderByName(folderName, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, expectedQuotaFiles, folder.UsedQuotaFiles)\n\tassert.Equal(t, expectedQuotaSize, folder.UsedQuotaSize)\n\t_, err = httpdtest.RemoveFolder(folder, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestVFolderMultipleQuotaScan(t *testing.T) {\n\tfolderName := \"folder_name\"\n\tres := common.QuotaScans.AddVFolderQuotaScan(folderName)\n\tassert.True(t, res)\n\tres = common.QuotaScans.AddVFolderQuotaScan(folderName)\n\tassert.False(t, res)\n\tres = common.QuotaScans.RemoveVFolderQuotaScan(folderName)\n\tassert.True(t, res)\n\tactiveScans := common.QuotaScans.GetVFoldersQuotaScans()\n\tassert.Len(t, activeScans, 0)\n\tres = common.QuotaScans.RemoveVFolderQuotaScan(folderName)\n\tassert.False(t, res)\n}\n\nfunc TestVFolderQuotaSize(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\ttestFileSize := int64(131072)\n\tu.QuotaFiles = 1\n\tu.QuotaSize = testFileSize + 1\n\tmappedPath1 := filepath.Join(os.TempDir(), \"vdir1\")\n\tfolderName1 := filepath.Base(mappedPath1)\n\tvdirPath1 := \"/vpath1\"\n\tmappedPath2 := filepath.Join(os.TempDir(), \"vdir2\")\n\tfolderName2 := filepath.Base(mappedPath2)\n\tvdirPath2 := \"/vpath2\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: vdirPath1,\n\t\t// quota is included in the user's one\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t},\n\t\tVirtualPath: vdirPath2,\n\t\tQuotaFiles: 1,\n\t\tQuotaSize: testFileSize * 2,\n\t})\n\terr := os.MkdirAll(mappedPath1, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(mappedPath2, os.ModePerm)\n\tassert.NoError(t, err)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderName1,\n\t\tMappedPath: mappedPath1,\n\t}\n\t_, _, err = httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName2,\n\t\tMappedPath: mappedPath2,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\t// vdir1 is included in the user quota so upload must fail\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath1, testFileName), testFileSize, client)\n\t\tassert.Error(t, err)\n\t\t// upload to vdir2 must work, it has its own quota\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath2, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\t// now vdir2 is over quota\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath2, testFileName+\".quota\"), testFileSize, client)\n\t\tassert.Error(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize, user.UsedQuotaSize)\n\t\t// remove a file\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 0, user.UsedQuotaFiles)\n\t\tassert.Equal(t, int64(0), user.UsedQuotaSize)\n\t\t// upload to vdir1 must work now\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, testFileSize, user.UsedQuotaSize)\n\n\t\tf, _, err := httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize, f.UsedQuotaSize)\n\t\tassert.Equal(t, 1, f.UsedQuotaFiles)\n\t}\n\t// now create another user with the same shared folder but a different quota limit\n\tu.Username = defaultUsername + \"1\"\n\tu.VirtualFolders = nil\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t\tMappedPath: mappedPath2,\n\t\t},\n\t\tVirtualPath: vdirPath2,\n\t\tQuotaFiles: 10,\n\t\tQuotaSize: testFileSize*2 + 1,\n\t})\n\tuser1, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user1, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath2, testFileName+\".quota\"), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\t// the folder is now over quota for size but not for files\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath2, testFileName+\".quota1\"), testFileSize, client)\n\t\tassert.Error(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user1, http.StatusOK)\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName1}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName2}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath1)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath2)\n\tassert.NoError(t, err)\n}\n\nfunc TestMissingFile(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = sftpDownloadFile(\"missing_file\", localDownloadPath, 0, client)\n\t\tassert.Error(t, err, \"download missing file must fail\")\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestOpenError(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = os.Chmod(user.GetHomeDir(), 0001)\n\t\tassert.NoError(t, err)\n\t\t_, err = client.ReadDir(\".\")\n\t\tassert.Error(t, err, \"read dir must fail if we have no filesystem read permissions\")\n\t\terr = os.Chmod(user.GetHomeDir(), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\ttestFileSize := int64(65535)\n\t\ttestFilePath := filepath.Join(user.GetHomeDir(), testFileName)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Stat(testFileName)\n\t\tassert.NoError(t, err)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = sftpDownloadFile(testFileName, localDownloadPath, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = os.Chmod(testFilePath, 0001)\n\t\tassert.NoError(t, err)\n\t\terr = sftpDownloadFile(testFileName, localDownloadPath, testFileSize, client)\n\t\tassert.Error(t, err, \"file download must fail if we have no filesystem read permissions\")\n\t\terr = sftpUploadFile(localDownloadPath, testFileName, testFileSize, client)\n\t\tassert.Error(t, err, \"upload must fail if we have no filesystem write permissions\")\n\t\ttestDir := \"test\"\n\t\terr = client.Mkdir(testDir)\n\t\tassert.NoError(t, err)\n\t\terr = createTestFile(filepath.Join(user.GetHomeDir(), testDir, testFileName), testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = os.Chmod(user.GetHomeDir(), 0000)\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Lstat(testFileName)\n\t\tassert.Error(t, err, \"file stat must fail if we have no filesystem read permissions\")\n\t\terr = sftpUploadFile(localDownloadPath, path.Join(testDir, testFileName), testFileSize, client)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\t_, err = client.ReadLink(testFileName)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = client.Remove(testFileName)\n\t\tassert.ErrorIs(t, err, os.ErrPermission)\n\t\terr = os.Chmod(user.GetHomeDir(), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\terr = os.Chmod(filepath.Join(user.GetHomeDir(), testDir), 0000)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(testFileName, path.Join(testDir, testFileName))\n\t\tassert.True(t, errors.Is(err, fs.ErrPermission))\n\t\terr = os.Chmod(filepath.Join(user.GetHomeDir(), testDir), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestOverwriteDirWithFile(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFileSize := int64(65535)\n\t\ttestDirName := \"test_dir\" //nolint:goconst\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(testDirName)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testDirName, testFileSize, client)\n\t\tassert.Error(t, err, \"copying a file over an existing dir must fail\")\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(testFileName, testDirName)\n\t\tassert.Error(t, err, \"rename a file over an existing dir must fail\")\n\t\terr = client.RemoveDirectory(testDirName)\n\t\tassert.NoError(t, err)\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestHashedPasswords(t *testing.T) {\n\tusePubKey := false\n\tplainPwd := \"password\"\n\tpwdMapping := make(map[string]string)\n\tpwdMapping[\"$argon2id$v=19$m=65536,t=3,p=2$xtcO/oRkC8O2Tn+mryl2mw$O7bn24f2kuSGRMi9s5Cm61Wqd810px1jDsAasrGWkzQ\"] = plainPwd\n\tpwdMapping[\"$pbkdf2-sha1$150000$DveVjgYUD05R$X6ydQZdyMeOvpgND2nqGR/0GGic=\"] = plainPwd\n\tpwdMapping[\"$pbkdf2-sha256$150000$E86a9YMX3zC7$R5J62hsSq+pYw00hLLPKBbcGXmq7fj5+/M0IFoYtZbo=\"] = plainPwd\n\tpwdMapping[\"$pbkdf2-sha512$150000$dsu7T5R3IaVQ$1hFXPO1ntRBcoWkSLKw+s4sAP09Xtu4Ya7CyxFq64jM9zdUg8eRJVr3NcR2vQgb0W9HHvZaILHsL4Q/Vr6arCg==\"] = plainPwd\n\tpwdMapping[\"$1$b5caebda$VODr/nyhGWgZaY8sJ4x05.\"] = plainPwd\n\tpwdMapping[\"$2a$14$ajq8Q7fbtFRQvXpdCq7Jcuy.Rx1h/L4J60Otx.gyNLbAYctGMJ9tK\"] = \"secret\"\n\tpwdMapping[\"$6$459ead56b72e44bc$uog86fUxscjt28BZxqFBE2pp2QD8P/1e98MNF75Z9xJfQvOckZnQ/1YJqiq1XeytPuDieHZvDAMoP7352ELkO1\"] = \"secret\"\n\tpwdMapping[\"$5$h4Aalt0fJdGX8sgv$Rd2ew0fvgzUN.DzAVlKa9QL4q/DZWo4SsKpB9.3AyZ/\"] = plainPwd\n\tpwdMapping[\"$apr1$OBWLeSme$WoJbB736e7kKxMBIAqilb1\"] = plainPwd\n\tpwdMapping[\"{MD5}5f4dcc3b5aa765d61d8327deb882cf99\"] = plainPwd\n\tpwdMapping[\"{SHA256}5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8\"] = plainPwd\n\tpwdMapping[\"{SHA512}b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86\"] = plainPwd\n\tfor pwd, clearPwd := range pwdMapping {\n\t\tu := getTestUser(usePubKey)\n\t\tu.Password = pwd\n\t\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\t\tassert.NoError(t, err)\n\t\tuser.Password = \"\"\n\t\tuserGetInitial, _, err := httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\t\tassert.NoError(t, err)\n\t\tuser, err = dataprovider.UserExists(user.Username, \"\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, pwd, user.Password)\n\t\tuser.Password = clearPwd\n\t\tconn, client, err := getSftpClient(user, usePubKey)\n\t\tif assert.NoError(t, err, \"unable to login with password %q\", pwd) {\n\t\t\tassert.NoError(t, checkBasicSFTP(client))\n\t\t\tconn.Close()\n\t\t\tclient.Close()\n\t\t}\n\t\tuser.Password = pwd\n\t\tconn, client, err = getSftpClient(user, usePubKey)\n\t\tif !assert.Error(t, err, \"login with wrong password must fail\") {\n\t\t\tclient.Close()\n\t\t\tconn.Close()\n\t\t}\n\t\t// the password must converted to bcrypt and we should still be able to login\n\t\tuser, err = dataprovider.UserExists(user.Username, \"\")\n\t\tassert.NoError(t, err)\n\t\tassert.True(t, strings.HasPrefix(user.Password, \"$2a$\"))\n\t\t// update the user to invalidate the cached password and force a new check\n\t\tuser.Password = \"\"\n\t\tuserGet, _, err := httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\t\tassert.NoError(t, err)\n\t\tuserGetInitial.LastLogin = userGet.LastLogin\n\t\tuserGetInitial.UpdatedAt = userGet.UpdatedAt\n\t\tassert.Equal(t, userGetInitial, userGet)\n\t\t// login should still work\n\t\tuser.Password = clearPwd\n\t\tconn, client, err = getSftpClient(user, usePubKey)\n\t\tif assert.NoError(t, err, \"unable to login with password %q\", pwd) {\n\t\t\tassert.NoError(t, checkBasicSFTP(client))\n\t\t\tconn.Close()\n\t\t\tclient.Close()\n\t\t}\n\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\tassert.NoError(t, err)\n\t}\n}\n\nfunc TestPasswordsHashPbkdf2Sha256_389DS(t *testing.T) {\n\tpbkdf389dsPwd := \"{PBKDF2_SHA256}AAAIAMZIKG4ie44zJY4HOXI+upFR74PzWLUQV63jg+zzkbEjCK3N4qW583WF7EdcpeoOMQ4HY3aWEXB6lnXhXJixbJkU4vVSJkL6YCbU3TrD0qn1uUUVSkaIgAOtmZENitwbhYhiWfEzGyAtFqkFd75P5xhWJEog9XhQKYrR0f7S3WGGZq03JRcLJ460xpU97bE/sWRn7sshgkWzLuyrs0I+XRKmK7FJeaA9zd+1m44Y3IVmZ2YLdKATzjRHAIgpBC6i1TWOcpKJT1+feP1C9hrxH8vU9baw9thNiO8jSHaZlwb//KpJFe0ahVnG/1ubiG8cO0+CCqDqXVJR6Vr4QZxHP+4pwooW+4TP/L+HFdyA1y6z4gKfqYnBsmb3sD1R1TbxfH4btTdvgZAnBk9CmR3QASkFXxeTYsrmNd5+9IAHc6dm\"\n\tpbkdf389dsPwd = pbkdf389dsPwd[15:]\n\thashBytes, err := base64.StdEncoding.DecodeString(pbkdf389dsPwd)\n\tassert.NoError(t, err)\n\titerBytes := hashBytes[0:4]\n\tvar iterations int32\n\terr = binary.Read(bytes.NewBuffer(iterBytes), binary.BigEndian, &iterations)\n\tassert.NoError(t, err)\n\tsalt := hashBytes[4:68]\n\ttargetKey := hashBytes[68:]\n\tkey := base64.StdEncoding.EncodeToString(targetKey)\n\tpbkdf2Pwd := fmt.Sprintf(\"$pbkdf2-b64salt-sha256$%v$%v$%v\", iterations, base64.StdEncoding.EncodeToString(salt), key)\n\tpbkdf2ClearPwd := \"password\"\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.Password = pbkdf2Pwd\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser.Password = pbkdf2ClearPwd\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tassert.NoError(t, checkBasicSFTP(client))\n\t}\n\tuser.Password = pbkdf2Pwd\n\tconn, client, err = getSftpClient(user, usePubKey)\n\tif !assert.Error(t, err, \"login with wrong password must fail\") {\n\t\tclient.Close()\n\t\tconn.Close()\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestPermList(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermDownload, dataprovider.PermUpload, dataprovider.PermDelete, dataprovider.PermRename,\n\t\tdataprovider.PermCreateDirs, dataprovider.PermCreateSymlinks, dataprovider.PermOverwrite, dataprovider.PermChmod,\n\t\tdataprovider.PermChown, dataprovider.PermChtimes}\n\tu.Permissions[\"/sub\"] = []string{dataprovider.PermCreateSymlinks, dataprovider.PermListItems}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\t_, err = client.ReadDir(\".\")\n\t\tassert.ErrorIs(t, err, os.ErrPermission, \"read remote dir without permission should not succeed\")\n\t\t_, err = client.Stat(\"test_file\")\n\t\tassert.ErrorIs(t, err, os.ErrPermission, \"stat remote file without permission should not succeed\")\n\t\t_, err = client.Lstat(\"test_file\")\n\t\tassert.ErrorIs(t, err, os.ErrPermission, \"lstat remote file without permission should not succeed\")\n\t\t_, err = client.ReadLink(\"test_link\")\n\t\tassert.ErrorIs(t, err, os.ErrPermission, \"read remote link without permission on source dir should not succeed\")\n\t\t_, err = client.RealPath(\".\")\n\t\tassert.ErrorIs(t, err, os.ErrPermission, \"real path without permission should not succeed\")\n\t\tf, err := client.Create(testFileName)\n\t\tif assert.NoError(t, err) {\n\t\t\t_, err = f.Write([]byte(\"content\"))\n\t\t\tassert.NoError(t, err)\n\t\t\terr = f.Close()\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t\terr = client.Mkdir(\"sub\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Symlink(path.Join(\"/\", testFileName), path.Join(\"/sub\", testFileName))\n\t\tassert.NoError(t, err)\n\t\t_, err = client.ReadLink(path.Join(\"/sub\", testFileName))\n\t\tassert.Error(t, err, \"read remote link without permission on targe dir should not succeed\")\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestPermDownload(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermListItems, dataprovider.PermUpload, dataprovider.PermDelete, dataprovider.PermRename,\n\t\tdataprovider.PermCreateDirs, dataprovider.PermCreateSymlinks, dataprovider.PermOverwrite, dataprovider.PermChmod,\n\t\tdataprovider.PermChown, dataprovider.PermChtimes}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = sftpDownloadFile(testFileName, localDownloadPath, testFileSize, client)\n\t\tassert.Error(t, err, \"file download without permission should not succeed\")\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestPermUpload(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermListItems, dataprovider.PermDownload, dataprovider.PermDelete, dataprovider.PermRename,\n\t\tdataprovider.PermCreateDirs, dataprovider.PermCreateSymlinks, dataprovider.PermOverwrite, dataprovider.PermChmod,\n\t\tdataprovider.PermChown, dataprovider.PermChtimes}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.Error(t, err, \"file upload without permission should not succeed\")\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestPermOverwrite(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermListItems, dataprovider.PermDownload, dataprovider.PermUpload, dataprovider.PermDelete,\n\t\tdataprovider.PermRename, dataprovider.PermCreateDirs, dataprovider.PermCreateSymlinks, dataprovider.PermChmod,\n\t\tdataprovider.PermChown, dataprovider.PermChtimes}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.Error(t, err, \"file overwrite without permission should not succeed\")\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestPermDelete(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermListItems, dataprovider.PermDownload, dataprovider.PermUpload, dataprovider.PermRename,\n\t\tdataprovider.PermCreateDirs, dataprovider.PermCreateSymlinks, dataprovider.PermOverwrite, dataprovider.PermChmod,\n\t\tdataprovider.PermChown, dataprovider.PermChtimes}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Remove(testFileName)\n\t\tassert.Error(t, err, \"delete without permission should not succeed\")\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\n//nolint:dupl\nfunc TestPermRename(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermListItems, dataprovider.PermDownload, dataprovider.PermUpload,\n\t\tdataprovider.PermCreateDirs, dataprovider.PermCreateSymlinks, dataprovider.PermOverwrite, dataprovider.PermChmod,\n\t\tdataprovider.PermChown, dataprovider.PermChtimes}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(testFileName, testFileName+\".rename\")\n\t\tassert.True(t, errors.Is(err, fs.ErrPermission))\n\t\t_, err = client.Stat(testFileName)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\n//nolint:dupl\nfunc TestPermRenameOverwrite(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermListItems, dataprovider.PermDownload, dataprovider.PermUpload, dataprovider.PermDelete,\n\t\tdataprovider.PermCreateDirs, dataprovider.PermCreateSymlinks, dataprovider.PermChmod, dataprovider.PermRename,\n\t\tdataprovider.PermChown, dataprovider.PermChtimes}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(testFileName, testFileName+\".rename\")\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(testFileName, testFileName+\".rename\")\n\t\tassert.True(t, errors.Is(err, fs.ErrPermission))\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestPermCreateDirs(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermListItems, dataprovider.PermDownload, dataprovider.PermUpload, dataprovider.PermDelete,\n\t\tdataprovider.PermRename, dataprovider.PermCreateSymlinks, dataprovider.PermOverwrite, dataprovider.PermChmod,\n\t\tdataprovider.PermChown, dataprovider.PermChtimes}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = client.Mkdir(\"testdir\")\n\t\tassert.Error(t, err, \"mkdir without permission should not succeed\")\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\n//nolint:dupl\nfunc TestPermSymlink(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermListItems, dataprovider.PermDownload, dataprovider.PermUpload, dataprovider.PermDelete,\n\t\tdataprovider.PermRename, dataprovider.PermCreateDirs, dataprovider.PermOverwrite, dataprovider.PermChmod, dataprovider.PermChown,\n\t\tdataprovider.PermChtimes}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Symlink(testFilePath, testFilePath+\".symlink\")\n\t\tassert.Error(t, err, \"symlink without permission should not succeed\")\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestPermChmod(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermListItems, dataprovider.PermDownload, dataprovider.PermUpload, dataprovider.PermDelete,\n\t\tdataprovider.PermRename, dataprovider.PermCreateDirs, dataprovider.PermCreateSymlinks, dataprovider.PermOverwrite,\n\t\tdataprovider.PermChown, dataprovider.PermChtimes}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Chmod(testFileName, os.ModePerm)\n\t\tassert.Error(t, err, \"chmod without permission should not succeed\")\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\n//nolint:dupl\nfunc TestPermChown(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermListItems, dataprovider.PermDownload, dataprovider.PermUpload, dataprovider.PermDelete,\n\t\tdataprovider.PermRename, dataprovider.PermCreateDirs, dataprovider.PermCreateSymlinks, dataprovider.PermOverwrite,\n\t\tdataprovider.PermChmod, dataprovider.PermChtimes}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Chown(testFileName, os.Getuid(), os.Getgid())\n\t\tassert.Error(t, err, \"chown without permission should not succeed\")\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\n//nolint:dupl\nfunc TestPermChtimes(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermListItems, dataprovider.PermDownload, dataprovider.PermUpload, dataprovider.PermDelete,\n\t\tdataprovider.PermRename, dataprovider.PermCreateDirs, dataprovider.PermCreateSymlinks, dataprovider.PermOverwrite,\n\t\tdataprovider.PermChmod, dataprovider.PermChown}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Chtimes(testFileName, time.Now(), time.Now())\n\t\tassert.Error(t, err, \"chtimes without permission should not succeed\")\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSubDirsUploads(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tu.Permissions[\"/subdir\"] = []string{dataprovider.PermChtimes, dataprovider.PermDownload, dataprovider.PermOverwrite}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = client.Mkdir(\"subdir\")\n\t\tassert.NoError(t, err)\n\t\ttestFileNameSub := \"/subdir/test_file_dat\"\n\t\ttestSubFile := filepath.Join(user.GetHomeDir(), \"subdir\", \"file.dat\")\n\t\ttestDir := \"testdir\"\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = createTestFile(testSubFile, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileNameSub, testFileSize, client)\n\t\tassert.True(t, errors.Is(err, fs.ErrPermission))\n\t\terr = client.Symlink(testFileName, testFileNameSub+\".link\")\n\t\tassert.True(t, errors.Is(err, fs.ErrPermission))\n\t\terr = client.Symlink(testFileName, testFileName+\".link\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(testFileName, testFileNameSub+\".rename\")\n\t\tassert.True(t, errors.Is(err, fs.ErrPermission))\n\t\terr = client.Rename(testFileName, testFileName+\".rename\")\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\t// rename overwriting an existing file\n\t\terr = client.Rename(testFileName, testFileName+\".rename\")\n\t\tassert.NoError(t, err)\n\t\t// now try to overwrite a directory\n\t\terr = client.Mkdir(testDir)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(testFileName, testDir)\n\t\tassert.Error(t, err)\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t\terr = client.Remove(testDir)\n\t\tassert.NoError(t, err)\n\t\terr = client.Remove(path.Join(\"/subdir\", \"file.dat\"))\n\t\tassert.True(t, errors.Is(err, fs.ErrPermission))\n\t\terr = client.Remove(testFileName + \".rename\")\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSubDirsOverwrite(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tu.Permissions[\"/subdir\"] = []string{dataprovider.PermOverwrite, dataprovider.PermListItems}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFileName := \"/subdir/test_file.dat\" //nolint:goconst\n\t\ttestFilePath := filepath.Join(homeBasePath, \"test_file.dat\")\n\t\ttestFileSFTPPath := filepath.Join(u.GetHomeDir(), \"subdir\", \"test_file.dat\")\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = createTestFile(testFileSFTPPath, 16384)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName+\".new\", testFileSize, client)\n\t\tassert.True(t, errors.Is(err, fs.ErrPermission))\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSubDirsDownloads(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tu.Permissions[\"/subdir\"] = []string{dataprovider.PermChmod, dataprovider.PermUpload, dataprovider.PermListItems}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = client.Mkdir(\"subdir\")\n\t\tassert.NoError(t, err)\n\t\ttestFileName := \"/subdir/test_file.dat\"\n\t\ttestFilePath := filepath.Join(homeBasePath, \"test_file.dat\")\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = sftpDownloadFile(testFileName, localDownloadPath, testFileSize, client)\n\t\tassert.True(t, errors.Is(err, fs.ErrPermission))\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.True(t, errors.Is(err, fs.ErrPermission))\n\t\terr = client.Chtimes(testFileName, time.Now(), time.Now())\n\t\tassert.True(t, errors.Is(err, fs.ErrPermission))\n\t\terr = client.Rename(testFileName, testFileName+\".rename\")\n\t\tassert.True(t, errors.Is(err, fs.ErrPermission))\n\t\terr = client.Symlink(testFileName, testFileName+\".link\")\n\t\tassert.True(t, errors.Is(err, fs.ErrPermission))\n\t\terr = client.Remove(testFileName)\n\t\tassert.True(t, errors.Is(err, fs.ErrPermission))\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestPermsSubDirsSetstat(t *testing.T) {\n\t// for setstat we check the parent dir permission if the requested path is a dir\n\t// otherwise the path permission\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermListItems, dataprovider.PermCreateDirs}\n\tu.Permissions[\"/subdir\"] = []string{dataprovider.PermAny}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = client.Mkdir(\"subdir\")\n\t\tassert.NoError(t, err)\n\t\ttestFileName := \"/subdir/test_file.dat\"\n\t\ttestFilePath := filepath.Join(homeBasePath, \"test_file.dat\")\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Chtimes(\"/subdir/\", time.Now(), time.Now())\n\t\tassert.True(t, errors.Is(err, fs.ErrPermission))\n\t\terr = client.Chtimes(\"subdir/\", time.Now(), time.Now())\n\t\tassert.True(t, errors.Is(err, fs.ErrPermission))\n\t\terr = client.Chtimes(testFileName, time.Now(), time.Now())\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestOpenUnhandledChannel(t *testing.T) {\n\tu := getTestUser(false)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tconfig := &ssh.ClientConfig{\n\t\tUser: user.Username,\n\t\tHostKeyCallback: ssh.InsecureIgnoreHostKey(),\n\t\tAuth: []ssh.AuthMethod{ssh.Password(defaultPassword)},\n\t\tTimeout: 5 * time.Second,\n\t}\n\tconn, err := ssh.Dial(\"tcp\", sftpServerAddr, config)\n\tif assert.NoError(t, err) {\n\t\t_, _, err = conn.OpenChannel(\"unhandled\", nil)\n\t\tif assert.Error(t, err) {\n\t\t\tassert.Contains(t, err.Error(), \"unknown channel type\")\n\t\t}\n\t\terr = conn.Close()\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestAlgorithmNotNegotiated(t *testing.T) {\n\tu := getTestUser(false)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tconfig := &ssh.ClientConfig{\n\t\tConfig: ssh.Config{\n\t\t\tCiphers: []string{ssh.InsecureCipherRC4},\n\t\t},\n\t\tUser: user.Username,\n\t\tHostKeyCallback: ssh.InsecureIgnoreHostKey(),\n\t\tAuth: []ssh.AuthMethod{ssh.Password(defaultPassword)},\n\t\tTimeout: 5 * time.Second,\n\t}\n\t_, err = ssh.Dial(\"tcp\", sftpServerAddr, config)\n\tif assert.Error(t, err) {\n\t\tnegotiationErr := &ssh.AlgorithmNegotiationError{}\n\t\tassert.ErrorAs(t, err, &negotiationErr)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestPermsSubDirsCommands(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tu.Permissions[\"/subdir\"] = []string{dataprovider.PermDownload, dataprovider.PermUpload, dataprovider.PermCreateDirs}\n\tu.Permissions[\"/subdir/otherdir\"] = []string{dataprovider.PermListItems, dataprovider.PermDownload}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\terr = client.Mkdir(\"subdir\")\n\t\tassert.NoError(t, err)\n\t\tacmodTime := time.Now()\n\t\terr = client.Chtimes(\"/subdir\", acmodTime, acmodTime)\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Stat(\"/subdir\")\n\t\tassert.NoError(t, err)\n\t\t_, err = client.ReadDir(\"/\")\n\t\tassert.NoError(t, err)\n\t\t_, err = client.ReadDir(\"/subdir\")\n\t\tassert.True(t, errors.Is(err, fs.ErrPermission))\n\t\terr = client.RemoveDirectory(\"/subdir/dir\")\n\t\tassert.True(t, errors.Is(err, fs.ErrPermission))\n\t\terr = client.Mkdir(\"/subdir/otherdir/dir\")\n\t\tassert.True(t, errors.Is(err, fs.ErrPermission))\n\t\terr = client.Mkdir(\"/otherdir\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(\"/subdir/otherdir\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(\"/otherdir\", \"/subdir/otherdir/adir\")\n\t\tassert.True(t, errors.Is(err, fs.ErrPermission))\n\t\terr = client.Symlink(\"/otherdir\", \"/subdir/otherdir\")\n\t\tassert.True(t, errors.Is(err, fs.ErrPermission))\n\t\terr = client.Symlink(\"/otherdir\", \"/otherdir_link\")\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(\"/otherdir\", \"/otherdir1\")\n\t\tassert.NoError(t, err)\n\t\terr = client.RemoveDirectory(\"/otherdir1\")\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestRootDirCommands(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tu.Permissions[\"/subdir\"] = []string{dataprovider.PermDownload, dataprovider.PermUpload}\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser(usePubKey)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tu.Permissions[\"/subdir\"] = []string{dataprovider.PermDownload, dataprovider.PermUpload}\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\tconn, client, err := getSftpClient(user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tdefer conn.Close()\n\t\t\tdefer client.Close()\n\t\t\terr = client.Rename(\"/\", \"rootdir\")\n\t\t\tassert.True(t, errors.Is(err, fs.ErrPermission))\n\t\t\terr = client.Symlink(\"/\", \"rootdir\")\n\t\t\tassert.True(t, errors.Is(err, fs.ErrPermission))\n\t\t\terr = client.RemoveDirectory(\"/\")\n\t\t\tassert.True(t, errors.Is(err, fs.ErrPermission))\n\t\t}\n\t\tif user.Username == defaultUsername {\n\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\tassert.NoError(t, err)\n\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tuser.Password = defaultPassword\n\t\t\tuser.ID = 0\n\t\t\tuser.CreatedAt = 0\n\t\t\tuser.Permissions = make(map[string][]string)\n\t\t\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\tassert.NoError(t, err, string(resp))\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestRelativePaths(t *testing.T) {\n\tuser := getTestUser(true)\n\tvar path, rel string\n\tfilesystems := []vfs.Fs{vfs.NewOsFs(\"\", user.GetHomeDir(), \"\", nil)}\n\tkeyPrefix := strings.TrimPrefix(user.GetHomeDir(), \"/\") + \"/\"\n\ts3config := vfs.S3FsConfig{\n\t\tBaseS3FsConfig: sdk.BaseS3FsConfig{\n\t\t\tKeyPrefix: keyPrefix,\n\t\t},\n\t}\n\ts3fs, _ := vfs.NewS3Fs(\"\", user.GetHomeDir(), \"\", s3config)\n\tgcsConfig := vfs.GCSFsConfig{\n\t\tBaseGCSFsConfig: sdk.BaseGCSFsConfig{\n\t\t\tKeyPrefix: keyPrefix,\n\t\t},\n\t}\n\tgcsfs, _ := vfs.NewGCSFs(\"\", user.GetHomeDir(), \"\", gcsConfig)\n\tsftpconfig := vfs.SFTPFsConfig{\n\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\tEndpoint: sftpServerAddr,\n\t\t\tUsername: defaultUsername,\n\t\t\tPrefix: keyPrefix,\n\t\t},\n\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t}\n\tsftpfs, _ := vfs.NewSFTPFs(\"\", \"\", os.TempDir(), []string{user.Username}, sftpconfig)\n\tif runtime.GOOS != osWindows {\n\t\tfilesystems = append(filesystems, s3fs, gcsfs, sftpfs)\n\t}\n\trootPath := \"/\"\n\tfor _, fs := range filesystems {\n\t\tpath = filepath.Join(user.HomeDir, \"/\")\n\t\trel = fs.GetRelativePath(path)\n\t\tassert.Equal(t, rootPath, rel)\n\t\tpath = filepath.Join(user.HomeDir, \"//\")\n\t\trel = fs.GetRelativePath(path)\n\t\tassert.Equal(t, rootPath, rel)\n\t\tpath = filepath.Join(user.HomeDir, \"../..\")\n\t\trel = fs.GetRelativePath(path)\n\t\tassert.Equal(t, rootPath, rel)\n\t\tpath = filepath.Join(user.HomeDir, \"../../../../../\")\n\t\trel = fs.GetRelativePath(path)\n\t\tassert.Equal(t, rootPath, rel)\n\t\tpath = filepath.Join(user.HomeDir, \"/..\")\n\t\trel = fs.GetRelativePath(path)\n\t\tassert.Equal(t, rootPath, rel)\n\t\tpath = filepath.Join(user.HomeDir, \"/../../../..\")\n\t\trel = fs.GetRelativePath(path)\n\t\tassert.Equal(t, rootPath, rel)\n\t\tpath = filepath.Join(user.HomeDir, \"\")\n\t\trel = fs.GetRelativePath(path)\n\t\tassert.Equal(t, rootPath, rel)\n\t\tpath = filepath.Join(user.HomeDir, \".\")\n\t\trel = fs.GetRelativePath(path)\n\t\tassert.Equal(t, rootPath, rel)\n\t\tpath = filepath.Join(user.HomeDir, \"somedir\")\n\t\trel = fs.GetRelativePath(path)\n\t\tassert.Equal(t, \"/somedir\", rel)\n\t\tpath = filepath.Join(user.HomeDir, \"/somedir/subdir\")\n\t\trel = fs.GetRelativePath(path)\n\t\tassert.Equal(t, \"/somedir/subdir\", rel)\n\t}\n}\n\nfunc TestResolvePaths(t *testing.T) {\n\tuser := getTestUser(true)\n\tvar path, resolved string\n\tvar err error\n\tfilesystems := []vfs.Fs{vfs.NewOsFs(\"\", user.GetHomeDir(), \"\", nil)}\n\tkeyPrefix := strings.TrimPrefix(user.GetHomeDir(), \"/\") + \"/\"\n\ts3config := vfs.S3FsConfig{\n\t\tBaseS3FsConfig: sdk.BaseS3FsConfig{\n\t\t\tKeyPrefix: keyPrefix,\n\t\t\tBucket: \"bucket\",\n\t\t\tRegion: \"us-east-1\",\n\t\t},\n\t}\n\terr = os.MkdirAll(user.GetHomeDir(), os.ModePerm)\n\tassert.NoError(t, err)\n\ts3fs, err := vfs.NewS3Fs(\"\", user.GetHomeDir(), \"\", s3config)\n\tassert.NoError(t, err)\n\tgcsConfig := vfs.GCSFsConfig{\n\t\tBaseGCSFsConfig: sdk.BaseGCSFsConfig{\n\t\t\tKeyPrefix: keyPrefix,\n\t\t},\n\t}\n\tgcsfs, _ := vfs.NewGCSFs(\"\", user.GetHomeDir(), \"\", gcsConfig)\n\tif runtime.GOOS != osWindows {\n\t\tfilesystems = append(filesystems, s3fs, gcsfs)\n\t}\n\tfor _, fs := range filesystems {\n\t\tpath = \"/\"\n\t\tresolved, _ = fs.ResolvePath(filepath.ToSlash(path))\n\t\tassert.Equal(t, fs.Join(user.GetHomeDir(), \"/\"), resolved)\n\t\tpath = \".\"\n\t\tresolved, _ = fs.ResolvePath(filepath.ToSlash(path))\n\t\tassert.Equal(t, fs.Join(user.GetHomeDir(), \"/\"), resolved)\n\t\tpath = \"test/sub\"\n\t\tresolved, _ = fs.ResolvePath(filepath.ToSlash(path))\n\t\tassert.Equal(t, fs.Join(user.GetHomeDir(), \"/test/sub\"), resolved)\n\t\tpath = \"../test/sub\"\n\t\tresolved, err = fs.ResolvePath(filepath.ToSlash(path))\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, fs.Join(user.GetHomeDir(), \"/test/sub\"), resolved)\n\t\tpath = \"../../../test/../sub\"\n\t\tresolved, err = fs.ResolvePath(filepath.ToSlash(path))\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, fs.Join(user.GetHomeDir(), \"/sub\"), resolved)\n\t}\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestVirtualRelativePaths(t *testing.T) {\n\tuser := getTestUser(true)\n\tmappedPath := filepath.Join(os.TempDir(), \"mdir\")\n\tvdirPath := \"/vdir\" //nolint:goconst\n\tuser.VirtualFolders = append(user.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tMappedPath: mappedPath,\n\t\t},\n\t\tVirtualPath: vdirPath,\n\t})\n\terr := os.MkdirAll(mappedPath, os.ModePerm)\n\tassert.NoError(t, err)\n\tfsRoot := vfs.NewOsFs(\"\", user.GetHomeDir(), \"\", nil)\n\tfsVdir := vfs.NewOsFs(\"\", mappedPath, vdirPath, nil)\n\trel := fsVdir.GetRelativePath(mappedPath)\n\tassert.Equal(t, vdirPath, rel)\n\trel = fsRoot.GetRelativePath(filepath.Join(mappedPath, \"..\"))\n\tassert.Equal(t, \"/\", rel)\n\t// path outside home and virtual dir\n\trel = fsRoot.GetRelativePath(filepath.Join(mappedPath, \"../vdir1\"))\n\tassert.Equal(t, \"/\", rel)\n\trel = fsVdir.GetRelativePath(filepath.Join(mappedPath, \"../vdir1\"))\n\tassert.Equal(t, \"/vdir\", rel)\n\trel = fsVdir.GetRelativePath(filepath.Join(mappedPath, \"file.txt\"))\n\tassert.Equal(t, \"/vdir/file.txt\", rel)\n\trel = fsRoot.GetRelativePath(filepath.Join(user.HomeDir, \"vdir1/file.txt\"))\n\tassert.Equal(t, \"/vdir1/file.txt\", rel)\n\terr = os.RemoveAll(mappedPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestUserPerms(t *testing.T) {\n\tuser := getTestUser(true)\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermListItems}\n\tuser.Permissions[\"/p\"] = []string{dataprovider.PermDelete}\n\tuser.Permissions[\"/p/1\"] = []string{dataprovider.PermDownload, dataprovider.PermUpload}\n\tuser.Permissions[\"/p/2\"] = []string{dataprovider.PermCreateDirs}\n\tuser.Permissions[\"/p/3\"] = []string{dataprovider.PermChmod}\n\tuser.Permissions[\"/p/3/4\"] = []string{dataprovider.PermChtimes}\n\tuser.Permissions[\"/tmp\"] = []string{dataprovider.PermRename}\n\tassert.True(t, user.HasPerm(dataprovider.PermListItems, \"/\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermListItems, \".\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermListItems, \"\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermListItems, \"../\"))\n\t// path p and /p are the same\n\tassert.True(t, user.HasPerm(dataprovider.PermDelete, \"/p\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermDownload, \"/p/1\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermCreateDirs, \"p/2\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermChmod, \"/p/3\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermChtimes, \"p/3/4/\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermChtimes, \"p/3/4/../4\"))\n\t// undefined paths have permissions of the nearest path\n\tassert.True(t, user.HasPerm(dataprovider.PermListItems, \"/p34\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermListItems, \"/p34/p1/file.dat\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermChtimes, \"/p/3/4/5/6\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermDownload, \"/p/1/test/file.dat\"))\n}\n\nfunc TestWildcardPermissions(t *testing.T) {\n\tuser := getTestUser(true)\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermListItems}\n\tuser.Permissions[\"/p*\"] = []string{dataprovider.PermDelete}\n\tuser.Permissions[\"/p/*\"] = []string{dataprovider.PermDownload, dataprovider.PermUpload}\n\tuser.Permissions[\"/p/2\"] = []string{dataprovider.PermCreateDirs}\n\tuser.Permissions[\"/pa\"] = []string{dataprovider.PermChmod}\n\tuser.Permissions[\"/p/3/4\"] = []string{dataprovider.PermChtimes}\n\tassert.True(t, user.HasPerm(dataprovider.PermListItems, \"/\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermDelete, \"/p1\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermDelete, \"/ppppp\"))\n\tassert.False(t, user.HasPerm(dataprovider.PermDelete, \"/pa\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermChmod, \"/pa\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermUpload, \"/p/1\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermUpload, \"/p/p\"))\n\tassert.False(t, user.HasPerm(dataprovider.PermUpload, \"/p/2\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermDownload, \"/p/3\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermDownload, \"/p/a/a/a\"))\n\tassert.False(t, user.HasPerm(dataprovider.PermDownload, \"/p/3/4\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermChtimes, \"/p/3/4\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermDelete, \"/pb/a/a/a\"))\n\tassert.False(t, user.HasPerm(dataprovider.PermDelete, \"/abc/a/a/a\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermListItems, \"/abc/a/a/a/b\"))\n}\n\nfunc TestRootWildcardPerms(t *testing.T) {\n\tuser := getTestUser(true)\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermListItems}\n\tuser.Permissions[\"/*\"] = []string{dataprovider.PermDelete}\n\tuser.Permissions[\"/p/*\"] = []string{dataprovider.PermDownload, dataprovider.PermUpload}\n\tuser.Permissions[\"/p/2\"] = []string{dataprovider.PermCreateDirs}\n\tuser.Permissions[\"/pa\"] = []string{dataprovider.PermChmod}\n\tuser.Permissions[\"/p/3/4\"] = []string{dataprovider.PermChtimes}\n\tassert.True(t, user.HasPerm(dataprovider.PermListItems, \"/\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermDelete, \"/p1\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermDelete, \"/ppppp\"))\n\tassert.False(t, user.HasPerm(dataprovider.PermDelete, \"/pa\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermChmod, \"/pa\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermUpload, \"/p/1\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermUpload, \"/p/p\"))\n\tassert.False(t, user.HasPerm(dataprovider.PermUpload, \"/p/2\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermCreateDirs, \"/p/2\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermCreateDirs, \"/p/2/a\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermDownload, \"/p/3\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermDownload, \"/p/a/a/a\"))\n\tassert.False(t, user.HasPerm(dataprovider.PermDownload, \"/p/3/4\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermChtimes, \"/p/3/4\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermDelete, \"/pb/a/a/a\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermDelete, \"/abc/a/a/a\"))\n\tassert.False(t, user.HasPerm(dataprovider.PermListItems, \"/abc/a/a/a/b\"))\n\tassert.True(t, user.HasPerm(dataprovider.PermDelete, \"/abc/a/a/a/b\"))\n}\n\nfunc TestFilterFilePatterns(t *testing.T) {\n\tuser := getTestUser(true)\n\tpattern := sdk.PatternsFilter{\n\t\tPath: \"/test\",\n\t\tAllowedPatterns: []string{\"*.jpg\", \"*.png\"},\n\t\tDeniedPatterns: []string{\"*.pdf\"},\n\t}\n\tfilters := dataprovider.UserFilters{\n\t\tBaseUserFilters: sdk.BaseUserFilters{\n\t\t\tFilePatterns: []sdk.PatternsFilter{pattern},\n\t\t},\n\t}\n\tuser.Filters = filters\n\tok, _ := user.IsFileAllowed(\"/test/test.jPg\")\n\tassert.True(t, ok)\n\tok, _ = user.IsFileAllowed(\"/test/test.pdf\")\n\tassert.False(t, ok)\n\tok, _ = user.IsFileAllowed(\"/test.pDf\")\n\tassert.True(t, ok)\n\n\tfilters.FilePatterns = append(filters.FilePatterns, sdk.PatternsFilter{\n\t\tPath: \"/\",\n\t\tAllowedPatterns: []string{\"*.zip\", \"*.rar\", \"*.pdf\"},\n\t\tDeniedPatterns: []string{\"*.gz\"},\n\t})\n\tuser.Filters = filters\n\tok, _ = user.IsFileAllowed(\"/test1/test.gz\")\n\tassert.False(t, ok)\n\tok, _ = user.IsFileAllowed(\"/test1/test.zip\")\n\tassert.True(t, ok)\n\tok, _ = user.IsFileAllowed(\"/test/sub/test.pdf\")\n\tassert.False(t, ok)\n\tok, _ = user.IsFileAllowed(\"/test1/test.png\")\n\tassert.False(t, ok)\n\n\tfilters.FilePatterns = append(filters.FilePatterns, sdk.PatternsFilter{\n\t\tPath: \"/test/sub\",\n\t\tDeniedPatterns: []string{\"*.tar\"},\n\t})\n\tuser.Filters = filters\n\tok, _ = user.IsFileAllowed(\"/test/sub/sub/test.tar\")\n\tassert.False(t, ok)\n\tok, _ = user.IsFileAllowed(\"/test/sub/test.gz\")\n\tassert.True(t, ok)\n\tok, _ = user.IsFileAllowed(\"/test/test.zip\")\n\tassert.False(t, ok)\n}\n\nfunc TestUserAllowedLoginMethods(t *testing.T) {\n\tuser := getTestUser(true)\n\tuser.Filters.DeniedLoginMethods = dataprovider.ValidLoginMethods\n\tallowedMethods := user.GetAllowedLoginMethods()\n\tassert.Equal(t, 0, len(allowedMethods))\n\n\tuser.Filters.DeniedLoginMethods = []string{\n\t\tdataprovider.LoginMethodPassword,\n\t\tdataprovider.SSHLoginMethodPublicKey,\n\t\tdataprovider.SSHLoginMethodKeyboardInteractive,\n\t}\n\tallowedMethods = user.GetAllowedLoginMethods()\n\tassert.Equal(t, 4, len(allowedMethods))\n\n\tassert.True(t, slices.Contains(allowedMethods, dataprovider.SSHLoginMethodKeyAndKeyboardInt))\n\tassert.True(t, slices.Contains(allowedMethods, dataprovider.SSHLoginMethodKeyAndPassword))\n}\n\nfunc TestUserPartialAuth(t *testing.T) {\n\tuser := getTestUser(true)\n\tuser.Filters.DeniedLoginMethods = []string{\n\t\tdataprovider.LoginMethodPassword,\n\t\tdataprovider.SSHLoginMethodPublicKey,\n\t\tdataprovider.SSHLoginMethodKeyboardInteractive,\n\t}\n\tassert.True(t, user.IsPartialAuth())\n\n\tuser.Filters.DeniedLoginMethods = []string{\n\t\tdataprovider.LoginMethodPassword,\n\t\tdataprovider.SSHLoginMethodKeyboardInteractive,\n\t}\n\tassert.False(t, user.IsPartialAuth())\n\n\tuser.Filters.DeniedLoginMethods = []string{\n\t\tdataprovider.LoginMethodPassword,\n\t\tdataprovider.SSHLoginMethodPublicKey,\n\t}\n\tassert.False(t, user.IsPartialAuth())\n\tuser.Filters.DeniedLoginMethods = []string{\n\t\tdataprovider.SSHLoginMethodPassword,\n\t\tdataprovider.SSHLoginMethodPublicKey,\n\t\tdataprovider.SSHLoginMethodKeyboardInteractive,\n\t}\n\tassert.True(t, user.IsPartialAuth())\n}\n\nfunc TestUserGetNextAuthMethods(t *testing.T) {\n\tuser := getTestUser(true)\n\tuser.Filters.DeniedLoginMethods = []string{\n\t\tdataprovider.LoginMethodPassword,\n\t\tdataprovider.SSHLoginMethodPublicKey,\n\t\tdataprovider.SSHLoginMethodKeyboardInteractive,\n\t}\n\tmethods := user.GetNextAuthMethods()\n\trequire.Len(t, methods, 2)\n\tassert.Equal(t, dataprovider.LoginMethodPassword, methods[0])\n\tassert.Equal(t, dataprovider.SSHLoginMethodKeyboardInteractive, methods[1])\n\n\tuser.Filters.DeniedLoginMethods = []string{\n\t\tdataprovider.LoginMethodPassword,\n\t\tdataprovider.SSHLoginMethodPublicKey,\n\t\tdataprovider.SSHLoginMethodKeyboardInteractive,\n\t\tdataprovider.SSHLoginMethodKeyAndKeyboardInt,\n\t}\n\tmethods = user.GetNextAuthMethods()\n\trequire.Len(t, methods, 1)\n\tassert.Equal(t, dataprovider.LoginMethodPassword, methods[0])\n\n\tuser.Filters.DeniedLoginMethods = []string{\n\t\tdataprovider.LoginMethodPassword,\n\t\tdataprovider.SSHLoginMethodPublicKey,\n\t\tdataprovider.SSHLoginMethodKeyboardInteractive,\n\t\tdataprovider.SSHLoginMethodKeyAndPassword,\n\t}\n\tmethods = user.GetNextAuthMethods()\n\trequire.Len(t, methods, 1)\n\tassert.Equal(t, dataprovider.SSHLoginMethodKeyboardInteractive, methods[0])\n\n\tuser.Filters.DeniedLoginMethods = []string{\n\t\tdataprovider.LoginMethodPassword,\n\t\tdataprovider.SSHLoginMethodPublicKey,\n\t\tdataprovider.SSHLoginMethodKeyAndPassword,\n\t\tdataprovider.SSHLoginMethodKeyAndKeyboardInt,\n\t}\n\tmethods = user.GetNextAuthMethods()\n\trequire.Len(t, methods, 0)\n}\n\nfunc TestUserIsLoginMethodAllowed(t *testing.T) {\n\tuser := getTestUser(true)\n\tuser.Filters.DeniedLoginMethods = []string{\n\t\tdataprovider.LoginMethodPassword,\n\t\tdataprovider.SSHLoginMethodPublicKey,\n\t\tdataprovider.SSHLoginMethodKeyboardInteractive,\n\t}\n\tassert.False(t, user.IsLoginMethodAllowed(dataprovider.LoginMethodPassword, common.ProtocolSSH))\n\tassert.False(t, user.IsLoginMethodAllowed(dataprovider.LoginMethodPassword, common.ProtocolFTP))\n\tassert.False(t, user.IsLoginMethodAllowed(dataprovider.LoginMethodPassword, common.ProtocolWebDAV))\n\tassert.False(t, user.IsLoginMethodAllowed(dataprovider.SSHLoginMethodPublicKey, common.ProtocolSSH))\n\tassert.False(t, user.IsLoginMethodAllowed(dataprovider.SSHLoginMethodKeyboardInteractive, common.ProtocolSSH))\n\n\tuser.Filters.DeniedLoginMethods = []string{\n\t\tdataprovider.SSHLoginMethodPublicKey,\n\t\tdataprovider.SSHLoginMethodKeyboardInteractive,\n\t}\n\tassert.True(t, user.IsLoginMethodAllowed(dataprovider.LoginMethodPassword, common.ProtocolSSH))\n\n\tuser.Filters.DeniedLoginMethods = []string{\n\t\tdataprovider.SSHLoginMethodPassword,\n\t}\n\tassert.True(t, user.IsLoginMethodAllowed(dataprovider.LoginMethodPassword, common.ProtocolHTTP))\n\tassert.True(t, user.IsLoginMethodAllowed(dataprovider.LoginMethodPassword, common.ProtocolFTP))\n\tassert.True(t, user.IsLoginMethodAllowed(dataprovider.LoginMethodPassword, common.ProtocolWebDAV))\n\tassert.False(t, user.IsLoginMethodAllowed(dataprovider.LoginMethodPassword, common.ProtocolSSH))\n}\n\nfunc TestUserEmptySubDirPerms(t *testing.T) {\n\tuser := getTestUser(true)\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/emptyperms\"] = []string{}\n\tfor _, p := range dataprovider.ValidPerms {\n\t\tassert.False(t, user.HasPerm(p, \"/emptyperms\"))\n\t}\n}\n\nfunc TestUserFiltersIPMaskConditions(t *testing.T) {\n\tuser := getTestUser(true)\n\t// with no filter login must be allowed even if the remoteIP is invalid\n\tassert.True(t, user.IsLoginFromAddrAllowed(\"192.168.1.5\"))\n\tassert.True(t, user.IsLoginFromAddrAllowed(\"invalid\"))\n\n\tuser.Filters.DeniedIP = append(user.Filters.DeniedIP, \"192.168.1.0/24\")\n\tassert.False(t, user.IsLoginFromAddrAllowed(\"192.168.1.5\"))\n\tassert.True(t, user.IsLoginFromAddrAllowed(\"192.168.2.6\"))\n\n\tuser.Filters.AllowedIP = append(user.Filters.AllowedIP, \"192.168.1.5/32\")\n\t// if the same ip/mask is both denied and allowed then login must be allowed\n\tassert.True(t, user.IsLoginFromAddrAllowed(\"192.168.1.5\"))\n\tassert.False(t, user.IsLoginFromAddrAllowed(\"192.168.1.3\"))\n\tassert.False(t, user.IsLoginFromAddrAllowed(\"192.168.3.6\"))\n\n\tuser.Filters.DeniedIP = []string{}\n\tassert.True(t, user.IsLoginFromAddrAllowed(\"192.168.1.5\"))\n\tassert.False(t, user.IsLoginFromAddrAllowed(\"192.168.1.6\"))\n\n\tuser.Filters.DeniedIP = []string{\"192.168.0.0/16\", \"172.16.0.0/16\"}\n\tuser.Filters.AllowedIP = []string{}\n\tassert.False(t, user.IsLoginFromAddrAllowed(\"192.168.5.255\"))\n\tassert.False(t, user.IsLoginFromAddrAllowed(\"172.16.1.2\"))\n\tassert.True(t, user.IsLoginFromAddrAllowed(\"172.18.2.1\"))\n\n\tuser.Filters.AllowedIP = []string{\"10.4.4.0/24\"}\n\tassert.False(t, user.IsLoginFromAddrAllowed(\"10.5.4.2\"))\n\tassert.True(t, user.IsLoginFromAddrAllowed(\"10.4.4.2\"))\n\tassert.True(t, user.IsLoginFromAddrAllowed(\"invalid\"))\n}\n\nfunc TestGetVirtualFolderForPath(t *testing.T) {\n\tuser := getTestUser(true)\n\tmappedPath1 := filepath.Join(os.TempDir(), \"vpath1\")\n\tmappedPath2 := filepath.Join(os.TempDir(), \"vpath1\")\n\tmappedPath3 := filepath.Join(os.TempDir(), \"vpath3\")\n\tvdirPath := \"/vdir/sub\"\n\tvSubDirPath := path.Join(vdirPath, \"subdir\", \"subdir\")\n\tvSubDir1Path := path.Join(vSubDirPath, \"subdir\", \"subdir\")\n\tuser.VirtualFolders = append(user.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tMappedPath: mappedPath1,\n\t\t},\n\t\tVirtualPath: vdirPath,\n\t})\n\tuser.VirtualFolders = append(user.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tMappedPath: mappedPath2,\n\t\t},\n\t\tVirtualPath: vSubDir1Path,\n\t})\n\tuser.VirtualFolders = append(user.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tMappedPath: mappedPath3,\n\t\t},\n\t\tVirtualPath: vSubDirPath,\n\t})\n\tfolder, err := user.GetVirtualFolderForPath(path.Join(vSubDirPath, \"file\"))\n\tassert.NoError(t, err)\n\tassert.Equal(t, folder.MappedPath, mappedPath3)\n\t_, err = user.GetVirtualFolderForPath(\"/file\")\n\tassert.Error(t, err)\n\tfolder, err = user.GetVirtualFolderForPath(path.Join(vdirPath, \"/file\"))\n\tassert.NoError(t, err)\n\tassert.Equal(t, folder.MappedPath, mappedPath1)\n\tfolder, err = user.GetVirtualFolderForPath(path.Join(vSubDirPath+\"1\", \"file\"))\n\tassert.NoError(t, err)\n\tassert.Equal(t, folder.MappedPath, mappedPath1)\n\t_, err = user.GetVirtualFolderForPath(\"/vdir/sub1/file\")\n\tassert.Error(t, err)\n\tfolder, err = user.GetVirtualFolderForPath(vdirPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestStatVFS(t *testing.T) {\n\tusePubKey := false\n\tuser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestFileSize := int64(65535)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tstat, err := client.StatVFS(\"/\")\n\t\tassert.NoError(t, err)\n\t\tassert.Greater(t, stat.ID, uint32(0))\n\t\tassert.Greater(t, stat.Blocks, uint64(0))\n\t\tassert.Greater(t, stat.Bsize, uint64(0))\n\n\t\t_, err = client.StatVFS(\"missing-path\")\n\t\tassert.Error(t, err)\n\t\tassert.True(t, errors.Is(err, fs.ErrNotExist))\n\t}\n\tuser.QuotaFiles = 100\n\tuser.Filters.DisableFsChecks = true\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\n\t\t_, err = client.StatVFS(\"missing-path\")\n\t\tassert.Error(t, err)\n\t\tassert.ErrorIs(t, err, fs.ErrNotExist)\n\n\t\tstat, err := client.StatVFS(\"/\")\n\t\tassert.NoError(t, err)\n\t\tassert.Greater(t, stat.ID, uint32(0))\n\t\tassert.Greater(t, stat.Blocks, uint64(0))\n\t\tassert.Greater(t, stat.Bsize, uint64(0))\n\t\tassert.Equal(t, uint64(100), stat.Files)\n\t\tassert.Equal(t, uint64(99), stat.Ffree)\n\t}\n\n\tuser.QuotaSize = 8192\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tstat, err := client.StatVFS(\"/\")\n\t\tassert.NoError(t, err)\n\t\tassert.Greater(t, stat.ID, uint32(0))\n\t\tassert.Greater(t, stat.Blocks, uint64(0))\n\t\tassert.Greater(t, stat.Bsize, uint64(0))\n\t\tassert.Equal(t, uint64(100), stat.Files)\n\t\tassert.Equal(t, uint64(0), stat.Ffree)\n\t\tassert.Equal(t, uint64(2), stat.Blocks)\n\t\tassert.Equal(t, uint64(0), stat.Bfree)\n\t}\n\tuser.QuotaFiles = 0\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tstat, err := client.StatVFS(\"/\")\n\t\tassert.NoError(t, err)\n\t\tassert.Greater(t, stat.ID, uint32(0))\n\t\tassert.Greater(t, stat.Blocks, uint64(0))\n\t\tassert.Greater(t, stat.Bsize, uint64(0))\n\t\tassert.Greater(t, stat.Files, uint64(0))\n\t\tassert.Equal(t, uint64(0), stat.Ffree)\n\t\tassert.Equal(t, uint64(2), stat.Blocks)\n\t\tassert.Equal(t, uint64(0), stat.Bfree)\n\t}\n\n\tuser.QuotaSize = 1\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\tstat, err := client.StatVFS(\"/\")\n\t\tassert.NoError(t, err)\n\t\tassert.Greater(t, stat.ID, uint32(0))\n\t\tassert.Equal(t, uint64(1), stat.Blocks)\n\t\tassert.Equal(t, uint64(1), stat.Bsize)\n\t\tassert.Greater(t, stat.Files, uint64(0))\n\t\tassert.Equal(t, uint64(0), stat.Ffree)\n\t\tassert.Equal(t, uint64(1), stat.Blocks)\n\t\tassert.Equal(t, uint64(0), stat.Bfree)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestStatVFSCloudBackend(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.FsConfig.Provider = sdk.AzureBlobFilesystemProvider\n\tu.FsConfig.AzBlobConfig.SASURL = kms.NewPlainSecret(\"https://myaccount.blob.core.windows.net/sasurl\")\n\tuser, resp, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\n\t\terr = dataprovider.UpdateUserQuota(&user, 100, 8192, true)\n\t\tassert.NoError(t, err)\n\t\tstat, err := client.StatVFS(\"/\")\n\t\tassert.NoError(t, err)\n\t\tassert.Greater(t, stat.ID, uint32(0))\n\t\tassert.Greater(t, stat.Blocks, uint64(0))\n\t\tassert.Greater(t, stat.Bsize, uint64(0))\n\t\tassert.Equal(t, uint64(1000000+100), stat.Files)\n\t\tassert.Equal(t, uint64(2147483648+2), stat.Blocks)\n\t\tassert.Equal(t, uint64(1000000), stat.Ffree)\n\t\tassert.Equal(t, uint64(2147483648), stat.Bfree)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestSSHCommands(t *testing.T) {\n\tusePubKey := false\n\tuser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\t_, err = runSSHCommand(\"ls\", user, usePubKey)\n\tassert.Error(t, err, \"unsupported ssh command must fail\")\n\n\t_, err = runSSHCommand(\"cd\", user, usePubKey)\n\tassert.NoError(t, err)\n\tout, err := runSSHCommand(\"pwd\", user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tassert.Equal(t, \"/\\n\", string(out))\n\t}\n\tout, err = runSSHCommand(\"md5sum\", user, usePubKey)\n\tassert.NoError(t, err)\n\t// echo -n '' | md5sum\n\tassert.Contains(t, string(out), \"d41d8cd98f00b204e9800998ecf8427e\")\n\n\tout, err = runSSHCommand(\"sha1sum\", user, usePubKey)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(out), \"da39a3ee5e6b4b0d3255bfef95601890afd80709\")\n\n\tout, err = runSSHCommand(\"sha256sum\", user, usePubKey)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(out), \"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\")\n\n\tout, err = runSSHCommand(\"sha384sum\", user, usePubKey)\n\tassert.NoError(t, err)\n\tassert.Contains(t, string(out), \"38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b\")\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestSSHFileHash(t *testing.T) {\n\tusePubKey := true\n\tlocalUser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\tsftpUser, _, err := httpdtest.AddUser(getTestSFTPUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\tu := getTestUserWithCryptFs(usePubKey)\n\tu.Username = u.Username + \"_crypt\"\n\tcryptUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser, cryptUser} {\n\t\tconn, client, err := getSftpClient(user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tdefer conn.Close()\n\t\t\tdefer client.Close()\n\t\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\t\ttestFileSize := int64(65535)\n\t\t\terr = createTestFile(testFilePath, testFileSize)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\t\tassert.NoError(t, err)\n\t\t\tuser.Permissions = make(map[string][]string)\n\t\t\tuser.Permissions[\"/\"] = []string{dataprovider.PermUpload}\n\t\t\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\t\t\tassert.NoError(t, err)\n\t\t\t_, err = runSSHCommand(\"sha512sum \"+testFileName, user, usePubKey)\n\t\t\tassert.Error(t, err, \"hash command with no list permission must fail\")\n\n\t\t\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\t\t\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\t\t\tassert.NoError(t, err)\n\n\t\t\tinitialHash, err := computeHashForFile(sha512.New(), testFilePath)\n\t\t\tassert.NoError(t, err)\n\n\t\t\tout, err := runSSHCommand(\"sha512sum \"+testFileName, user, usePubKey)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\tassert.Contains(t, string(out), initialHash)\n\t\t\t}\n\t\t\t_, err = runSSHCommand(\"sha512sum invalid_path\", user, usePubKey)\n\t\t\tassert.Error(t, err, \"hash for an invalid path must fail\")\n\n\t\t\terr = os.Remove(testFilePath)\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(cryptUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSSHCopy(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.QuotaFiles = 100\n\tmappedPath1 := filepath.Join(os.TempDir(), \"vdir1\")\n\tfolderName1 := filepath.Base(mappedPath1)\n\tvdirPath1 := \"/vdir1/subdir\"\n\tmappedPath2 := filepath.Join(os.TempDir(), \"vdir2\")\n\tfolderName2 := filepath.Base(mappedPath2)\n\tvdirPath2 := \"/vdir2/subdir\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: vdirPath1,\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t},\n\t\tVirtualPath: vdirPath2,\n\t\tQuotaFiles: 100,\n\t\tQuotaSize: 0,\n\t})\n\tu.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: \"/\",\n\t\t\tDeniedPatterns: []string{\"*.denied\"},\n\t\t},\n\t}\n\terr := os.MkdirAll(mappedPath1, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(mappedPath2, os.ModePerm)\n\tassert.NoError(t, err)\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderName1,\n\t\tMappedPath: mappedPath1,\n\t}\n\t_, _, err = httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName2,\n\t\tMappedPath: mappedPath2,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestDir := \"adir\"\n\ttestDir1 := \"adir1\"\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFileSize := int64(131072)\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileName1 := \"test_file1.dat\"\n\t\ttestFileSize1 := int64(65537)\n\t\ttestFilePath1 := filepath.Join(homeBasePath, testFileName1)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = createTestFile(testFilePath1, testFileSize1)\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(testDir)\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath1, testDir1))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath2, testDir1))\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(testDir, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, path.Join(testDir, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath1, testDir1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, path.Join(vdirPath1, testDir1, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath2, testDir1, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, path.Join(vdirPath2, testDir1, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Symlink(path.Join(testDir, testFileName), testFileName)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 4, user.UsedQuotaFiles)\n\t\tassert.Equal(t, 2*testFileSize+2*testFileSize1, user.UsedQuotaSize)\n\t\tf, _, err := httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize+testFileSize1, f.UsedQuotaSize)\n\t\tassert.Equal(t, 2, f.UsedQuotaFiles)\n\n\t\t_, err = client.Stat(testDir1)\n\t\tassert.Error(t, err)\n\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %s\", path.Join(vdirPath1, testDir1)), user, usePubKey)\n\t\tassert.Error(t, err)\n\t\t_, err = runSSHCommand(\"sftpgo-copy\", user, usePubKey)\n\t\tassert.Error(t, err)\n\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %s %s\", testFileName, testFileName+\".linkcopy\"), user, usePubKey)\n\t\tassert.Error(t, err)\n\t\tout, err := runSSHCommand(fmt.Sprintf(\"sftpgo-copy %s %s\", path.Join(vdirPath1, testDir1), \".\"), user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, \"OK\\n\", string(out))\n\t\t\tfi, err := client.Stat(testDir1)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\tassert.True(t, fi.IsDir())\n\t\t\t}\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, 6, user.UsedQuotaFiles)\n\t\t\tassert.Equal(t, 3*testFileSize+3*testFileSize1, user.UsedQuotaSize)\n\t\t}\n\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %v %v\", \"missing\\\\ dir\", \".\"), user, usePubKey)\n\t\tassert.Error(t, err)\n\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %v %v\", path.Join(vdirPath1, testDir1), \".\"), user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\t// all files are overwritten, quota must remain unchanged\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, 6, user.UsedQuotaFiles)\n\t\t\tassert.Equal(t, 3*testFileSize+3*testFileSize1, user.UsedQuotaSize)\n\t\t}\n\t\tout, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %v %v\", path.Join(vdirPath2, testDir1, testFileName), testFileName+\".copy\"), //nolint:goconst\n\t\t\tuser, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, \"OK\\n\", string(out))\n\t\t\tfi, err := client.Stat(testFileName + \".copy\") //nolint:goconst\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\tassert.True(t, fi.Mode().IsRegular())\n\t\t\t}\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, 7, user.UsedQuotaFiles)\n\t\t\tassert.Equal(t, 4*testFileSize+3*testFileSize1, user.UsedQuotaSize)\n\t\t}\n\t\tout, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %v %v\", path.Join(vdirPath1, testDir1), path.Join(vdirPath2, testDir1+\"copy\")), //nolint:goconst\n\t\t\tuser, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, \"OK\\n\", string(out))\n\t\t\tfi, err := client.Stat(path.Join(vdirPath2, testDir1+\"copy\"))\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\tassert.True(t, fi.IsDir())\n\t\t\t}\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, 7, user.UsedQuotaFiles)\n\t\t\tassert.Equal(t, 4*testFileSize+3*testFileSize1, user.UsedQuotaSize)\n\t\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, testFileSize*2+testFileSize1*2, f.UsedQuotaSize)\n\t\t\tassert.Equal(t, 4, f.UsedQuotaFiles)\n\t\t}\n\t\tout, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %v %v\", path.Join(vdirPath1, testDir1), path.Join(vdirPath1, testDir1+\"copy\")),\n\t\t\tuser, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, \"OK\\n\", string(out))\n\t\t\t_, err := client.Stat(path.Join(vdirPath2, testDir1+\"copy\"))\n\t\t\tassert.NoError(t, err)\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, 9, user.UsedQuotaFiles)\n\t\t\tassert.Equal(t, 5*testFileSize+4*testFileSize1, user.UsedQuotaSize)\n\t\t\tf, _, err = httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\t}\n\t\t// cross folder copy\n\t\tnewDir := \"newdir\"\n\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %v %v\", path.Join(vdirPath2, \"..\"), newDir), user, usePubKey)\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Stat(newDir)\n\t\tassert.NoError(t, err)\n\t\t// denied pattern\n\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %v %v\", path.Join(testDir, testFileName), testFileName+\".denied\"), user, usePubKey)\n\t\tassert.Error(t, err)\n\t\tif runtime.GOOS != osWindows {\n\t\t\tsubPath := filepath.Join(mappedPath1, testDir1, \"asubdir\", \"anothersub\", \"another\")\n\t\t\terr = os.MkdirAll(subPath, os.ModePerm)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = os.Chmod(subPath, 0001)\n\t\t\tassert.NoError(t, err)\n\t\t\t// listing contents for subdirs with no permissions will fail\n\t\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %v %v\", vdirPath1, \"newdir1\"), user, usePubKey)\n\t\t\tassert.Error(t, err)\n\t\t\terr = os.Chmod(subPath, os.ModePerm)\n\t\t\tassert.NoError(t, err)\n\t\t\terr = os.Chmod(filepath.Join(user.GetHomeDir(), testDir1), 0555)\n\t\t\tassert.NoError(t, err)\n\t\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %v %v\", path.Join(vdirPath1, testDir1, testFileName),\n\t\t\t\tpath.Join(testDir1, \"anewdir\")), user, usePubKey)\n\t\t\tassert.Error(t, err)\n\t\t\terr = os.Chmod(filepath.Join(user.GetHomeDir(), testDir1), os.ModePerm)\n\t\t\tassert.NoError(t, err)\n\n\t\t\terr = os.Chmod(user.GetHomeDir(), os.ModePerm)\n\t\t\tassert.NoError(t, err)\n\t\t}\n\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath1)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName1}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName2}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath1)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath2)\n\tassert.NoError(t, err)\n}\n\nfunc TestSSHCopyPermissions(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.Permissions[\"/dir1\"] = []string{dataprovider.PermUpload, dataprovider.PermDownload, dataprovider.PermListItems}\n\tu.Permissions[\"/dir2\"] = []string{dataprovider.PermCreateDirs, dataprovider.PermUpload, dataprovider.PermDownload,\n\t\tdataprovider.PermListItems, dataprovider.PermCopy}\n\tu.Permissions[\"/dir3\"] = []string{dataprovider.PermCreateDirs, dataprovider.PermCreateSymlinks, dataprovider.PermDownload,\n\t\tdataprovider.PermListItems}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestDir := \"tDir\"\n\t\ttestFileSize := int64(131072)\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(testDir)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(\"/\", testDir, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\t// test copy file with no permission\n\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %v %v\", path.Join(\"/\", testDir, testFileName), path.Join(\"/dir3\", testFileName)),\n\t\t\tuser, usePubKey)\n\t\tassert.Error(t, err)\n\t\t// test copy dir with no create dirs perm\n\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %v %v\", path.Join(\"/\", testDir), \"/dir1/\"), user, usePubKey)\n\t\tassert.Error(t, err)\n\t\t// dir2 has the needed permissions\n\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %v %v\", path.Join(\"/\", testDir), \"/dir2/\"), user, usePubKey)\n\t\tassert.NoError(t, err)\n\t\tinfo, err := client.Stat(path.Join(\"/dir2\", testDir))\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.True(t, info.IsDir())\n\t\t}\n\t\tinfo, err = client.Stat(path.Join(\"/dir2\", testDir, testFileName))\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.True(t, info.Mode().IsRegular())\n\t\t}\n\t\t// now create a symlink, dir2 has no create symlink permission, but symlinks will be ignored\n\t\terr = client.Symlink(path.Join(\"/\", testDir, testFileName), path.Join(\"/\", testDir, testFileName+\".link\"))\n\t\tassert.NoError(t, err)\n\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %v %v\", path.Join(\"/\", testDir), \"/dir2/sub\"), user, usePubKey)\n\t\tassert.NoError(t, err)\n\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %v %v\", path.Join(\"/\", testDir), \"/newdir\"), user, usePubKey)\n\t\tassert.NoError(t, err)\n\t\t// now delete the file and copy inside /dir3\n\t\terr = client.Remove(path.Join(\"/\", testDir, testFileName))\n\t\tassert.NoError(t, err)\n\t\t// the symlink will be skipped, so no errors\n\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %v %v\", path.Join(\"/\", testDir), \"/dir3\"), user, usePubKey)\n\t\tassert.NoError(t, err)\n\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSSHCopyQuotaLimits(t *testing.T) {\n\tusePubKey := true\n\ttestFileSize := int64(131072)\n\ttestFileSize1 := int64(65536)\n\ttestFileSize2 := int64(32768)\n\tu := getTestUser(usePubKey)\n\tu.QuotaFiles = 3\n\tu.QuotaSize = testFileSize + testFileSize1 + 1\n\tmappedPath1 := filepath.Join(os.TempDir(), \"vdir1\")\n\tfolderName1 := filepath.Base(mappedPath1)\n\tvdirPath1 := \"/vdir1\"\n\tmappedPath2 := filepath.Join(os.TempDir(), \"vdir2\")\n\tfolderName2 := filepath.Base(mappedPath2)\n\tvdirPath2 := \"/vdir2\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: vdirPath1,\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t},\n\t\tVirtualPath: vdirPath2,\n\t\tQuotaFiles: 3,\n\t\tQuotaSize: testFileSize + testFileSize1 + 1,\n\t})\n\tu.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: \"/\",\n\t\t\tDeniedPatterns: []string{\"*.denied\"},\n\t\t},\n\t}\n\terr := os.MkdirAll(mappedPath1, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(mappedPath2, os.ModePerm)\n\tassert.NoError(t, err)\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderName1,\n\t\tMappedPath: mappedPath1,\n\t}\n\t_, _, err = httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName2,\n\t\tMappedPath: mappedPath2,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestDir := \"testDir\"\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileName1 := \"test_file1.dat\"\n\t\ttestFilePath1 := filepath.Join(homeBasePath, testFileName1)\n\t\ttestFileName2 := \"test_file2.dat\"\n\t\ttestFilePath2 := filepath.Join(homeBasePath, testFileName2)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = createTestFile(testFilePath1, testFileSize1)\n\t\tassert.NoError(t, err)\n\t\terr = createTestFile(testFilePath2, testFileSize2)\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(testDir)\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath2, testDir))\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath2, path.Join(testDir, testFileName2), testFileSize2, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath2, path.Join(testDir, testFileName2+\".dupl\"), testFileSize2, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath2, path.Join(vdirPath2, testDir, testFileName2), testFileSize2, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath2, path.Join(vdirPath2, testDir, testFileName2+\".dupl\"), testFileSize2, client)\n\t\tassert.NoError(t, err)\n\t\t// user quota: 2 files, size: 32768*2, folder2 quota: 2 files, size: 32768*2\n\t\t// try to duplicate testDir, this will result in 4 file (over quota) and 32768*4 bytes (not over quota)\n\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %v %v\", testDir, testDir+\"_copy\"), user, usePubKey) //nolint:goconst\n\t\tassert.Error(t, err)\n\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %v %v\", path.Join(vdirPath2, testDir),\n\t\t\tpath.Join(vdirPath2, testDir+\"_copy\")), user, usePubKey)\n\t\tassert.Error(t, err)\n\n\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-remove %v\", testDir), user, usePubKey)\n\t\tassert.NoError(t, err)\n\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-remove %v\", path.Join(vdirPath2, testDir)), user, usePubKey)\n\t\tassert.NoError(t, err)\n\t\t// remove partially copied dirs\n\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-remove %v\", testDir+\"_copy\"), user, usePubKey)\n\t\tassert.NoError(t, err)\n\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-remove %v\", path.Join(vdirPath2, testDir+\"_copy\")), user, usePubKey)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 0, user.UsedQuotaFiles)\n\t\tassert.Equal(t, int64(0), user.UsedQuotaSize)\n\t\tf, _, err := httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\t\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\t\terr = client.Mkdir(path.Join(vdirPath1, testDir))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath2, testDir))\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath1, testDir, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, path.Join(vdirPath1, testDir, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath2, testDir, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, path.Join(vdirPath2, testDir, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\n\t\t// vdir1 is included in user quota, file limit will be exceeded\n\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %v %v\", path.Join(vdirPath1, testDir), \"/\"), user, usePubKey)\n\t\tassert.Error(t, err)\n\n\t\t// vdir2 size limit will be exceeded\n\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %v %v\", path.Join(vdirPath1, testDir, testFileName),\n\t\t\tvdirPath2+\"/\"), user, usePubKey)\n\t\tassert.Error(t, err)\n\t\t// now decrease the limits\n\t\tuser.QuotaFiles = 1\n\t\tuser.QuotaSize = testFileSize * 10\n\t\tfor idx, f := range user.VirtualFolders {\n\t\t\tif f.Name == folderName2 {\n\t\t\t\tuser.VirtualFolders[idx].QuotaSize = testFileSize\n\t\t\t\tuser.VirtualFolders[idx].QuotaFiles = 10\n\t\t\t}\n\t\t}\n\t\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, user.QuotaFiles)\n\t\tassert.Equal(t, testFileSize*10, user.QuotaSize)\n\t\tif assert.Len(t, user.VirtualFolders, 2) {\n\t\t\tfor _, f := range user.VirtualFolders {\n\t\t\t\tif f.Name == folderName2 {\n\t\t\t\t\tassert.Equal(t, testFileSize, f.QuotaSize)\n\t\t\t\t\tassert.Equal(t, 10, f.QuotaFiles)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %v %v\", path.Join(vdirPath1, testDir),\n\t\t\tpath.Join(vdirPath2, testDir+\".copy\")), user, usePubKey)\n\t\tassert.Error(t, err)\n\n\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-copy %v %v\", path.Join(vdirPath2, testDir),\n\t\t\ttestDir+\".copy\"), user, usePubKey)\n\t\tassert.Error(t, err)\n\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath1)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath2)\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName1}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName2}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath1)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath2)\n\tassert.NoError(t, err)\n}\n\nfunc TestSSHRemove(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUser(usePubKey)\n\tu.QuotaFiles = 100\n\tmappedPath1 := filepath.Join(os.TempDir(), \"vdir1\")\n\tfolderName1 := filepath.Base(mappedPath1)\n\tvdirPath1 := \"/vdir1/sub\"\n\tmappedPath2 := filepath.Join(os.TempDir(), \"vdir2\")\n\tfolderName2 := filepath.Base(mappedPath2)\n\tvdirPath2 := \"/vdir2/sub\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: vdirPath1,\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t},\n\t\tVirtualPath: vdirPath2,\n\t\tQuotaFiles: 100,\n\t\tQuotaSize: 0,\n\t})\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderName1,\n\t\tMappedPath: mappedPath1,\n\t}\n\t_, _, err := httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName2,\n\t\tMappedPath: mappedPath2,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(mappedPath1, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(mappedPath2, os.ModePerm)\n\tassert.NoError(t, err)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestFileSize := int64(131072)\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileName1 := \"test_file1.dat\"\n\t\ttestFileSize1 := int64(65537)\n\t\ttestFilePath1 := filepath.Join(homeBasePath, testFileName1)\n\t\ttestDir := \"testdir\"\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = createTestFile(testFilePath1, testFileSize1)\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath1, testDir))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath2, testDir))\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, testFileName1, testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath1, testDir, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, path.Join(vdirPath1, testDir, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath, path.Join(vdirPath2, testDir, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = sftpUploadFile(testFilePath1, path.Join(vdirPath2, testDir, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Symlink(testFileName, testFileName+\".link\")\n\t\tassert.NoError(t, err)\n\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-remove %v\", testFileName+\".link\"), user, usePubKey)\n\t\tassert.NoError(t, err)\n\t\t_, err = runSSHCommand(\"sftpgo-remove /vdir1\", user, usePubKey)\n\t\tassert.Error(t, err)\n\t\t_, err = runSSHCommand(\"sftpgo-remove /\", user, usePubKey)\n\t\tassert.Error(t, err)\n\t\t_, err = runSSHCommand(\"sftpgo-remove\", user, usePubKey)\n\t\tassert.Error(t, err)\n\t\tout, err := runSSHCommand(fmt.Sprintf(\"sftpgo-remove %v\", testFileName), user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, \"OK\\n\", string(out))\n\t\t\t_, err := client.Stat(testFileName)\n\t\t\tassert.Error(t, err)\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, 3, user.UsedQuotaFiles)\n\t\t\tassert.Equal(t, testFileSize+2*testFileSize1, user.UsedQuotaSize)\n\t\t}\n\t\tout, err = runSSHCommand(fmt.Sprintf(\"sftpgo-remove %v\", path.Join(vdirPath1, testDir)), user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, \"OK\\n\", string(out))\n\t\t\t_, err := client.Stat(path.Join(vdirPath1, testFileName))\n\t\t\tassert.Error(t, err)\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\t\tassert.Equal(t, testFileSize1, user.UsedQuotaSize)\n\t\t}\n\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-remove %v\", vdirPath1), user, usePubKey)\n\t\tassert.Error(t, err)\n\t\t_, err = runSSHCommand(\"sftpgo-remove /\", user, usePubKey)\n\t\tassert.Error(t, err)\n\t\t_, err = runSSHCommand(\"sftpgo-remove missing_file\", user, usePubKey)\n\t\tassert.Error(t, err)\n\t\tif runtime.GOOS != osWindows {\n\t\t\terr = os.Chmod(filepath.Join(mappedPath2, testDir), 0555)\n\t\t\tassert.NoError(t, err)\n\t\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-remove %v\", path.Join(vdirPath2, testDir)), user, usePubKey)\n\t\t\tassert.Error(t, err)\n\t\t\terr = os.Chmod(filepath.Join(mappedPath2, testDir), 0001)\n\t\t\tassert.NoError(t, err)\n\t\t\t_, err = runSSHCommand(fmt.Sprintf(\"sftpgo-remove %v\", path.Join(vdirPath2, testDir)), user, usePubKey)\n\t\t\tassert.Error(t, err)\n\t\t\terr = os.Chmod(filepath.Join(mappedPath2, testDir), os.ModePerm)\n\t\t\tassert.NoError(t, err)\n\t\t}\n\t}\n\n\t// test remove dir with no delete perm\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermUpload, dataprovider.PermDownload, dataprovider.PermListItems}\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tconn, client, err = getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\t_, err = runSSHCommand(\"sftpgo-remove adir\", user, usePubKey)\n\t\tassert.Error(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName1}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName2}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath1)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath2)\n\tassert.NoError(t, err)\n}\n\nfunc TestSSHRemoveCryptFs(t *testing.T) {\n\tusePubKey := false\n\tu := getTestUserWithCryptFs(usePubKey)\n\tu.QuotaFiles = 100\n\tmappedPath1 := filepath.Join(os.TempDir(), \"vdir1\")\n\tfolderName1 := filepath.Base(mappedPath1)\n\tvdirPath1 := \"/vdir1/sub\"\n\tmappedPath2 := filepath.Join(os.TempDir(), \"vdir2\")\n\tfolderName2 := filepath.Base(mappedPath2)\n\tvdirPath2 := \"/vdir2/sub\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: vdirPath1,\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t},\n\t\tVirtualPath: vdirPath2,\n\t\tQuotaFiles: 100,\n\t\tQuotaSize: 0,\n\t})\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderName1,\n\t\tMappedPath: mappedPath1,\n\t}\n\t_, _, err := httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName2,\n\t\tMappedPath: mappedPath2,\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.CryptedFilesystemProvider,\n\t\t\tCryptConfig: vfs.CryptFsConfig{\n\t\t\t\tPassphrase: kms.NewPlainSecret(defaultPassword),\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\ttestDir := \"tdir\"\n\t\terr = client.Mkdir(testDir)\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath1, testDir))\n\t\tassert.NoError(t, err)\n\t\terr = client.Mkdir(path.Join(vdirPath2, testDir))\n\t\tassert.NoError(t, err)\n\t\ttestFileSize := int64(32768)\n\t\ttestFileSize1 := int64(65536)\n\t\ttestFileName1 := \"test_file1.dat\"\n\t\terr = writeSFTPFile(testFileName, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(testFileName1, testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(testDir, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(testDir, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath1, testDir, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath1, testDir, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath2, testDir, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = writeSFTPFile(path.Join(vdirPath2, testDir, testFileName1), testFileSize1, client)\n\t\tassert.NoError(t, err)\n\t\t_, err = runSSHCommand(\"sftpgo-remove /vdir2\", user, usePubKey)\n\t\tassert.Error(t, err)\n\t\tout, err := runSSHCommand(fmt.Sprintf(\"sftpgo-remove %v\", testFileName), user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, \"OK\\n\", string(out))\n\t\t\t_, err := client.Stat(testFileName)\n\t\t\tassert.Error(t, err)\n\t\t}\n\t\tout, err = runSSHCommand(fmt.Sprintf(\"sftpgo-remove %v\", testDir), user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, \"OK\\n\", string(out))\n\t\t}\n\t\tout, err = runSSHCommand(fmt.Sprintf(\"sftpgo-remove %v\", path.Join(vdirPath1, testDir)), user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, \"OK\\n\", string(out))\n\t\t}\n\t\tout, err = runSSHCommand(fmt.Sprintf(\"sftpgo-remove %v\", path.Join(vdirPath2, testDir, testFileName)), user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, \"OK\\n\", string(out))\n\t\t}\n\t\terr = writeSFTPFile(path.Join(vdirPath2, testDir, testFileName), testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tout, err = runSSHCommand(fmt.Sprintf(\"sftpgo-remove %v\", path.Join(vdirPath2, testDir)), user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, \"OK\\n\", string(out))\n\t\t}\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\tassert.Greater(t, user.UsedQuotaSize, testFileSize1)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName1}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName2}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath1)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath2)\n\tassert.NoError(t, err)\n}\n\nfunc TestSSHCommandMaxTransfers(t *testing.T) {\n\tif len(gitPath) == 0 || len(sshPath) == 0 || runtime.GOOS == osWindows {\n\t\tt.Skip(\"git and/or ssh command not found or OS is windows, unable to execute this test\")\n\t}\n\toldValue := common.Config.MaxPerHostConnections\n\tcommon.Config.MaxPerHostConnections = 2\n\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\trepoName := \"testrepo\" //nolint:goconst\n\tclonePath := filepath.Join(homeBasePath, repoName)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(filepath.Join(homeBasePath, repoName))\n\tassert.NoError(t, err)\n\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tf1, err := client.Create(\"file1\")\n\t\tassert.NoError(t, err)\n\t\tf2, err := client.Create(\"file2\")\n\t\tassert.NoError(t, err)\n\t\t_, err = f1.Write([]byte(\" \"))\n\t\tassert.NoError(t, err)\n\t\t_, err = f2.Write([]byte(\" \"))\n\t\tassert.NoError(t, err)\n\n\t\t_, err = client.Create(\"file3\")\n\t\tassert.Error(t, err)\n\n\t\terr = f1.Close()\n\t\tassert.NoError(t, err)\n\t\terr = f2.Close()\n\t\tassert.NoError(t, err)\n\t\terr = client.Close()\n\t\tassert.NoError(t, err)\n\t\terr = conn.Close()\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(clonePath)\n\tassert.NoError(t, err)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n\n\tcommon.Config.MaxPerHostConnections = oldValue\n}\n\n// Start SCP tests\nfunc TestSCPBasicHandling(t *testing.T) {\n\tif scpPath == \"\" {\n\t\tt.Skip(\"scp command not found, unable to execute this test\")\n\t}\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.QuotaSize = 6553600\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser(usePubKey)\n\tu.QuotaSize = 6553600\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(131074)\n\texpectedQuotaSize := testFileSize\n\texpectedQuotaFiles := 1\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\tremoteUpPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, \"/\")\n\t\tremoteDownPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, path.Join(\"/\", testFileName))\n\t\tlocalPath := filepath.Join(homeBasePath, \"scp_download.dat\")\n\t\t// test to download a missing file\n\t\terr = scpDownload(localPath, remoteDownPath, false, false)\n\t\tassert.Error(t, err, \"downloading a missing file via scp must fail\")\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), user.FirstUpload)\n\t\tassert.Equal(t, int64(0), user.FirstDownload)\n\t\terr = scpUpload(testFilePath, remoteUpPath, false, false)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Greater(t, user.FirstUpload, int64(0))\n\t\tassert.Equal(t, int64(0), user.FirstDownload)\n\t\terr = scpDownload(localPath, remoteDownPath, false, false)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Greater(t, user.FirstUpload, int64(0))\n\t\tassert.Greater(t, user.FirstDownload, int64(0))\n\t\tfi, err := os.Stat(localPath)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, testFileSize, fi.Size())\n\t\t}\n\t\terr = os.Remove(localPath)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\tif user.Username == defaultUsername {\n\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\tassert.NoError(t, err)\n\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tuser.Password = defaultPassword\n\t\t\tuser.ID = 0\n\t\t\tuser.CreatedAt = 0\n\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\tassert.NoError(t, err, string(resp))\n\t\t}\n\t}\n\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSCPUploadFileOverwrite(t *testing.T) {\n\tif scpPath == \"\" {\n\t\tt.Skip(\"scp command not found, unable to execute this test\")\n\t}\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.QuotaFiles = 1000\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser(usePubKey)\n\tu.QuotaFiles = 1000\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(32760)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\tremoteUpPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, path.Join(\"/\", testFileName))\n\t\terr = scpUpload(testFilePath, remoteUpPath, true, false)\n\t\tassert.NoError(t, err)\n\t\t// test a new upload that must overwrite the existing file\n\t\terr = scpUpload(testFilePath, remoteUpPath, true, false)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize, user.UsedQuotaSize)\n\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\n\t\tremoteDownPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, path.Join(\"/\", testFileName))\n\t\tlocalPath := filepath.Join(homeBasePath, \"scp_download.dat\")\n\t\terr = scpDownload(localPath, remoteDownPath, false, false)\n\t\tassert.NoError(t, err)\n\n\t\tfi, err := os.Stat(localPath)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, testFileSize, fi.Size())\n\t\t}\n\t\t// now create a simlink via SFTP, replace the symlink with a file via SCP and check quota usage\n\t\tconn, client, err := getSftpClient(user, usePubKey)\n\t\tif assert.NoError(t, err) {\n\t\t\tdefer conn.Close()\n\t\t\tdefer client.Close()\n\t\t\terr = client.Symlink(testFileName, testFileName+\".link\")\n\t\t\tassert.NoError(t, err)\n\t\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, testFileSize, user.UsedQuotaSize)\n\t\t\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\t\t}\n\t\terr = scpUpload(testFilePath, remoteUpPath+\".link\", true, false)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, testFileSize*2, user.UsedQuotaSize)\n\t\tassert.Equal(t, 2, user.UsedQuotaFiles)\n\n\t\terr = os.Remove(localPath)\n\t\tassert.NoError(t, err)\n\t\tif user.Username == defaultUsername {\n\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\tassert.NoError(t, err)\n\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tuser.Password = defaultPassword\n\t\t\tuser.ID = 0\n\t\t\tuser.CreatedAt = 0\n\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\tassert.NoError(t, err, string(resp))\n\t\t}\n\t}\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestSCPRecursive(t *testing.T) {\n\tif scpPath == \"\" {\n\t\tt.Skip(\"scp command not found, unable to execute this test\")\n\t}\n\tusePubKey := true\n\tlocalUser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\tsftpUser, _, err := httpdtest.AddUser(getTestSFTPUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestBaseDirName := \"test_dir\"\n\ttestBaseDirPath := filepath.Join(homeBasePath, testBaseDirName)\n\ttestBaseDirDownName := \"test_dir_down\" //nolint:goconst\n\ttestBaseDirDownPath := filepath.Join(homeBasePath, testBaseDirDownName)\n\ttestFilePath := filepath.Join(homeBasePath, testBaseDirName, testFileName)\n\ttestFilePath1 := filepath.Join(homeBasePath, testBaseDirName, testBaseDirName, testFileName)\n\ttestFileSize := int64(131074)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\terr = createTestFile(testFilePath1, testFileSize)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\tremoteDownPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, path.Join(\"/\", testBaseDirName))\n\t\t// test to download a missing dir\n\t\terr = scpDownload(testBaseDirDownPath, remoteDownPath, true, true)\n\t\tassert.Error(t, err, \"downloading a missing dir via scp must fail\")\n\n\t\tremoteUpPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, \"/\")\n\t\terr = scpUpload(testBaseDirPath, remoteUpPath, true, false)\n\t\tassert.NoError(t, err)\n\t\t// overwrite existing dir\n\t\terr = scpUpload(testBaseDirPath, remoteUpPath, true, false)\n\t\tassert.NoError(t, err)\n\t\terr = scpDownload(testBaseDirDownPath, remoteDownPath, true, true)\n\t\tassert.NoError(t, err)\n\t\t// test download without passing -r\n\t\terr = scpDownload(testBaseDirDownPath, remoteDownPath, true, false)\n\t\tassert.Error(t, err, \"recursive download without -r must fail\")\n\n\t\tfi, err := os.Stat(filepath.Join(testBaseDirDownPath, testFileName))\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, testFileSize, fi.Size())\n\t\t}\n\t\tfi, err = os.Stat(filepath.Join(testBaseDirDownPath, testBaseDirName, testFileName))\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, testFileSize, fi.Size())\n\t\t}\n\t\t// upload to a non existent dir\n\t\tremoteUpPath = fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, \"/non_existent_dir\")\n\t\terr = scpUpload(testBaseDirPath, remoteUpPath, true, false)\n\t\tassert.Error(t, err, \"uploading via scp to a non existent dir must fail\")\n\n\t\terr = os.RemoveAll(testBaseDirDownPath)\n\t\tassert.NoError(t, err)\n\t\tif user.Username == defaultUsername {\n\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\tassert.NoError(t, err)\n\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tuser.Password = defaultPassword\n\t\t\tuser.ID = 0\n\t\t\tuser.CreatedAt = 0\n\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\tassert.NoError(t, err, string(resp))\n\t\t}\n\t}\n\n\terr = os.RemoveAll(testBaseDirPath)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestSCPStartDirectory(t *testing.T) {\n\tusePubKey := true\n\tstartDir := \"/sta rt/dir\"\n\tu := getTestUser(usePubKey)\n\tu.Filters.StartDirectory = startDir\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ttestFileSize := int64(131072)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\tlocalPath := filepath.Join(homeBasePath, \"scp_download.dat\")\n\tremoteUpPath := fmt.Sprintf(\"%v@127.0.0.1:\", user.Username)\n\tremoteDownPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, testFileName)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\terr = scpUpload(testFilePath, remoteUpPath, false, false)\n\tassert.NoError(t, err)\n\terr = scpDownload(localPath, remoteDownPath, false, false)\n\tassert.NoError(t, err)\n\t// check that the file is in the start directory\n\t_, err = os.Stat(filepath.Join(user.HomeDir, startDir, testFileName))\n\tassert.NoError(t, err)\n\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\terr = os.Remove(localPath)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSCPPatternsFilter(t *testing.T) {\n\tif scpPath == \"\" {\n\t\tt.Skip(\"scp command not found, unable to execute this test\")\n\t}\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestFileSize := int64(131072)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\tlocalPath := filepath.Join(homeBasePath, \"scp_download.dat\")\n\tremoteUpPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, \"/\")\n\tremoteDownPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, path.Join(\"/\", testFileName))\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\terr = scpUpload(testFilePath, remoteUpPath, false, false)\n\tassert.NoError(t, err)\n\tuser.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: \"/\",\n\t\t\tAllowedPatterns: []string{\"*.zip\"},\n\t\t\tDeniedPatterns: []string{},\n\t\t},\n\t}\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\terr = scpDownload(localPath, remoteDownPath, false, false)\n\tassert.Error(t, err, \"scp download must fail\")\n\terr = scpUpload(testFilePath, remoteUpPath, false, false)\n\tassert.Error(t, err, \"scp upload must fail\")\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\t_, err = os.Stat(localPath)\n\tif err == nil {\n\t\terr = os.Remove(localPath)\n\t\tassert.NoError(t, err)\n\t}\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSCPTransferQuotaLimits(t *testing.T) {\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.DownloadDataTransfer = 1\n\tu.UploadDataTransfer = 1\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(550000)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\n\tremoteUpPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, \"/\")\n\tremoteDownPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, path.Join(\"/\", testFileName))\n\terr = scpUpload(testFilePath, remoteUpPath, false, false)\n\tassert.NoError(t, err)\n\terr = scpDownload(localDownloadPath, remoteDownPath, false, false)\n\tassert.NoError(t, err)\n\t// error while download is active\n\terr = scpDownload(localDownloadPath, remoteDownPath, false, false)\n\tassert.Error(t, err)\n\t// error before starting the download\n\terr = scpDownload(localDownloadPath, remoteDownPath, false, false)\n\tassert.Error(t, err)\n\t// error while upload is active\n\terr = scpUpload(testFilePath, remoteUpPath, false, false)\n\tassert.Error(t, err)\n\t// error before starting the upload\n\terr = scpUpload(testFilePath, remoteUpPath, false, false)\n\tassert.Error(t, err)\n\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Greater(t, user.UsedDownloadDataTransfer, int64(1024*1024))\n\tif !assert.Greater(t, user.UsedUploadDataTransfer, int64(1024*1024), user.UsedDownloadDataTransfer) {\n\t\tprintLatestLogs(30)\n\t}\n\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\terr = os.Remove(localDownloadPath)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSCPUploadMaxSize(t *testing.T) {\n\ttestFileSize := int64(65535)\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.Filters.MaxUploadFileSize = testFileSize + 1\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\ttestFileSize1 := int64(131072)\n\ttestFileName1 := \"test_file1.dat\"\n\ttestFilePath1 := filepath.Join(homeBasePath, testFileName1)\n\terr = createTestFile(testFilePath1, testFileSize1)\n\tassert.NoError(t, err)\n\tremoteUpPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, \"/\")\n\terr = scpUpload(testFilePath1, remoteUpPath, false, false)\n\tassert.Error(t, err)\n\terr = scpUpload(testFilePath, remoteUpPath, false, false)\n\tassert.NoError(t, err)\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\terr = os.Remove(testFilePath1)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSCPVirtualFolders(t *testing.T) {\n\tif scpPath == \"\" {\n\t\tt.Skip(\"scp command not found, unable to execute this test\")\n\t}\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tmappedPath := filepath.Join(os.TempDir(), \"vdir\")\n\tfolderName := filepath.Base(mappedPath)\n\tvdirPath := \"/vdir\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: vdirPath,\n\t})\n\tf := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: mappedPath,\n\t}\n\t_, _, err := httpdtest.AddFolder(f, http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(mappedPath, os.ModePerm)\n\tassert.NoError(t, err)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestBaseDirName := \"test_dir\"\n\ttestBaseDirPath := filepath.Join(homeBasePath, testBaseDirName)\n\ttestBaseDirDownName := \"test_dir_down\"\n\ttestBaseDirDownPath := filepath.Join(homeBasePath, testBaseDirDownName)\n\ttestFilePath := filepath.Join(homeBasePath, testBaseDirName, testFileName)\n\ttestFilePath1 := filepath.Join(homeBasePath, testBaseDirName, testBaseDirName, testFileName)\n\ttestFileSize := int64(131074)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\terr = createTestFile(testFilePath1, testFileSize)\n\tassert.NoError(t, err)\n\tremoteDownPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, vdirPath)\n\tremoteUpPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, vdirPath)\n\terr = scpUpload(testBaseDirPath, remoteUpPath, true, false)\n\tassert.NoError(t, err)\n\terr = scpDownload(testBaseDirDownPath, remoteDownPath, true, true)\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(testBaseDirPath)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(testBaseDirDownPath)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestSCPNestedFolders(t *testing.T) {\n\tif scpPath == \"\" {\n\t\tt.Skip(\"scp command not found, unable to execute this test\")\n\t}\n\tbaseUser, resp, err := httpdtest.AddUser(getTestUser(false), http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.HomeDir += \"_folders\"\n\tu.Username += \"_folders\"\n\tmappedPathSFTP := filepath.Join(os.TempDir(), \"sftp\")\n\tfolderNameSFTP := filepath.Base(mappedPathSFTP)\n\tvdirSFTPPath := \"/vdir/sftp\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderNameSFTP,\n\t\t},\n\t\tVirtualPath: vdirSFTPPath,\n\t})\n\tmappedPathCrypt := filepath.Join(os.TempDir(), \"crypt\")\n\tfolderNameCrypt := filepath.Base(mappedPathCrypt)\n\tvdirCryptPath := \"/vdir/crypt\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderNameCrypt,\n\t\t},\n\t\tVirtualPath: vdirCryptPath,\n\t})\n\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderNameSFTP,\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.SFTPFilesystemProvider,\n\t\t\tSFTPConfig: vfs.SFTPFsConfig{\n\t\t\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\t\t\tEndpoint: sftpServerAddr,\n\t\t\t\t\tUsername: baseUser.Username,\n\t\t\t\t},\n\t\t\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err = httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderNameCrypt,\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.CryptedFilesystemProvider,\n\t\t\tCryptConfig: vfs.CryptFsConfig{\n\t\t\t\tPassphrase: kms.NewPlainSecret(defaultPassword),\n\t\t\t},\n\t\t},\n\t\tMappedPath: mappedPathCrypt,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tuser, resp, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tbaseDirDownPath := filepath.Join(os.TempDir(), \"basedir-down\")\n\terr = os.Mkdir(baseDirDownPath, os.ModePerm)\n\tassert.NoError(t, err)\n\tbaseDir := filepath.Join(os.TempDir(), \"basedir\")\n\terr = os.Mkdir(baseDir, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(filepath.Join(baseDir, vdirSFTPPath), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(filepath.Join(baseDir, vdirCryptPath), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = createTestFile(filepath.Join(baseDir, vdirSFTPPath, testFileName), 32768)\n\tassert.NoError(t, err)\n\terr = createTestFile(filepath.Join(baseDir, vdirCryptPath, testFileName), 65535)\n\tassert.NoError(t, err)\n\terr = createTestFile(filepath.Join(baseDir, \"vdir\", testFileName), 65536)\n\tassert.NoError(t, err)\n\n\tremoteRootPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, \"/\")\n\terr = scpUpload(filepath.Join(baseDir, \"vdir\"), remoteRootPath, true, false)\n\tassert.NoError(t, err)\n\n\tconn, client, err := getSftpClient(user, usePubKey)\n\tif assert.NoError(t, err) {\n\t\tdefer conn.Close()\n\t\tdefer client.Close()\n\t\tinfo, err := client.Stat(path.Join(vdirCryptPath, testFileName))\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(65535), info.Size())\n\t\tinfo, err = client.Stat(path.Join(vdirSFTPPath, testFileName))\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(32768), info.Size())\n\t\tinfo, err = client.Stat(path.Join(\"/vdir\", testFileName))\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(65536), info.Size())\n\t}\n\n\terr = scpDownload(baseDirDownPath, remoteRootPath, true, true)\n\tassert.NoError(t, err)\n\n\tassert.FileExists(t, filepath.Join(baseDirDownPath, user.Username, \"vdir\", testFileName))\n\tassert.FileExists(t, filepath.Join(baseDirDownPath, user.Username, vdirCryptPath, testFileName))\n\tassert.FileExists(t, filepath.Join(baseDirDownPath, user.Username, vdirSFTPPath, testFileName))\n\n\tif runtime.GOOS != osWindows {\n\t\terr = os.Chmod(filepath.Join(baseUser.GetHomeDir(), testFileName), 0001)\n\t\tassert.NoError(t, err)\n\t\terr = scpDownload(baseDirDownPath, remoteRootPath, true, true)\n\t\tassert.Error(t, err)\n\t\terr = os.Chmod(filepath.Join(baseUser.GetHomeDir(), testFileName), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t}\n\n\t// now change the password for the base user, so SFTP folder will not work\n\tbaseUser.Password = defaultPassword + \"_mod\"\n\t_, _, err = httpdtest.UpdateUser(baseUser, http.StatusOK, \"1\")\n\tassert.NoError(t, err)\n\n\terr = scpUpload(filepath.Join(baseDir, \"vdir\"), remoteRootPath, true, false)\n\tassert.Error(t, err)\n\n\terr = scpDownload(baseDirDownPath, remoteRootPath, true, true)\n\tassert.Error(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderNameCrypt}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderNameSFTP}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(baseUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(baseUser.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPathCrypt)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPathSFTP)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(baseDir)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(baseDirDownPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestSCPVirtualFoldersQuota(t *testing.T) {\n\tif scpPath == \"\" {\n\t\tt.Skip(\"scp command not found, unable to execute this test\")\n\t}\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.QuotaFiles = 100\n\tmappedPath1 := filepath.Join(os.TempDir(), \"vdir1\")\n\tfolderName1 := filepath.Base(mappedPath1)\n\tvdirPath1 := \"/vdir1\"\n\tmappedPath2 := filepath.Join(os.TempDir(), \"vdir2\")\n\tfolderName2 := filepath.Base(mappedPath2)\n\tvdirPath2 := \"/vdir2\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName1,\n\t\t},\n\t\tVirtualPath: vdirPath1,\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName2,\n\t\t},\n\t\tVirtualPath: vdirPath2,\n\t\tQuotaFiles: 0,\n\t\tQuotaSize: 0,\n\t})\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderName1,\n\t\tMappedPath: mappedPath1,\n\t}\n\t_, _, err := httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName2,\n\t\tMappedPath: mappedPath2,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(mappedPath1, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(mappedPath2, os.ModePerm)\n\tassert.NoError(t, err)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestBaseDirName := \"test_dir\"\n\ttestBaseDirPath := filepath.Join(homeBasePath, testBaseDirName)\n\ttestBaseDirDownName := \"test_dir_down\"\n\ttestBaseDirDownPath := filepath.Join(homeBasePath, testBaseDirDownName)\n\ttestFilePath := filepath.Join(homeBasePath, testBaseDirName, testFileName)\n\ttestFilePath1 := filepath.Join(homeBasePath, testBaseDirName, testBaseDirName, testFileName)\n\ttestFileSize := int64(131074)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\terr = createTestFile(testFilePath1, testFileSize)\n\tassert.NoError(t, err)\n\tremoteDownPath1 := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, path.Join(\"/\", vdirPath1))\n\tremoteUpPath1 := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, vdirPath1)\n\tremoteDownPath2 := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, path.Join(\"/\", vdirPath2))\n\tremoteUpPath2 := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, vdirPath2)\n\t// we upload two times to test overwrite\n\terr = scpUpload(testBaseDirPath, remoteUpPath1, true, false)\n\tassert.NoError(t, err)\n\terr = scpDownload(testBaseDirDownPath, remoteDownPath1, true, true)\n\tassert.NoError(t, err)\n\terr = scpUpload(testBaseDirPath, remoteUpPath1, true, false)\n\tassert.NoError(t, err)\n\terr = scpDownload(testBaseDirDownPath, remoteDownPath1, true, true)\n\tassert.NoError(t, err)\n\terr = scpUpload(testBaseDirPath, remoteUpPath2, true, false)\n\tassert.NoError(t, err)\n\terr = scpDownload(testBaseDirDownPath, remoteDownPath2, true, true)\n\tassert.NoError(t, err)\n\texpectedQuotaFiles := 2\n\texpectedQuotaSize := testFileSize * 2\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\tf, _, err := httpdtest.GetFolderByName(folderName1, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(0), f.UsedQuotaSize)\n\tassert.Equal(t, 0, f.UsedQuotaFiles)\n\tf, _, err = httpdtest.GetFolderByName(folderName2, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, expectedQuotaSize, f.UsedQuotaSize)\n\tassert.Equal(t, expectedQuotaFiles, f.UsedQuotaFiles)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName1}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName2}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(testBaseDirPath)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(testBaseDirDownPath)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath1)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath2)\n\tassert.NoError(t, err)\n}\n\nfunc TestSCPPermsSubDirs(t *testing.T) {\n\tif scpPath == \"\" {\n\t\tt.Skip(\"scp command not found, unable to execute this test\")\n\t}\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tu.Permissions[\"/somedir\"] = []string{dataprovider.PermListItems, dataprovider.PermUpload}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tlocalPath := filepath.Join(homeBasePath, \"scp_download.dat\")\n\tsubPath := filepath.Join(user.GetHomeDir(), \"somedir\")\n\ttestFileSize := int64(65535)\n\terr = os.MkdirAll(subPath, os.ModePerm)\n\tassert.NoError(t, err)\n\tremoteDownPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, \"/somedir\")\n\terr = scpDownload(localPath, remoteDownPath, false, true)\n\tassert.Error(t, err, \"download a dir with no permissions must fail\")\n\terr = os.Remove(subPath)\n\tassert.NoError(t, err)\n\terr = createTestFile(subPath, testFileSize)\n\tassert.NoError(t, err)\n\terr = scpDownload(localPath, remoteDownPath, false, false)\n\tassert.NoError(t, err)\n\tif runtime.GOOS != osWindows {\n\t\terr = os.Chmod(subPath, 0001)\n\t\tassert.NoError(t, err)\n\t\terr = scpDownload(localPath, remoteDownPath, false, false)\n\t\tassert.Error(t, err, \"download a file with no system permissions must fail\")\n\t\terr = os.Chmod(subPath, os.ModePerm)\n\t\tassert.NoError(t, err)\n\t}\n\terr = os.Remove(localPath)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestSCPPermCreateDirs(t *testing.T) {\n\tif scpPath == \"\" {\n\t\tt.Skip(\"scp command not found, unable to execute this test\")\n\t}\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermDownload, dataprovider.PermUpload}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(32760)\n\ttestBaseDirName := \"test_dir\"\n\ttestBaseDirPath := filepath.Join(homeBasePath, testBaseDirName)\n\ttestFilePath1 := filepath.Join(homeBasePath, testBaseDirName, testFileName)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\terr = createTestFile(testFilePath1, testFileSize)\n\tassert.NoError(t, err)\n\tremoteUpPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, \"/tmp/\")\n\terr = scpUpload(testFilePath, remoteUpPath, true, false)\n\tassert.Error(t, err, \"scp upload must fail, the user cannot create files in a missing dir\")\n\terr = scpUpload(testBaseDirPath, remoteUpPath, true, false)\n\tassert.Error(t, err, \"scp upload must fail, the user cannot create new dirs\")\n\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(testBaseDirPath)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestSCPPermUpload(t *testing.T) {\n\tif scpPath == \"\" {\n\t\tt.Skip(\"scp command not found, unable to execute this test\")\n\t}\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermDownload, dataprovider.PermCreateDirs}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(65536)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\tremoteUpPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, \"/tmp\")\n\terr = scpUpload(testFilePath, remoteUpPath, true, false)\n\tassert.Error(t, err, \"scp upload must fail, the user cannot upload\")\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestSCPPermOverwrite(t *testing.T) {\n\tif scpPath == \"\" {\n\t\tt.Skip(\"scp command not found, unable to execute this test\")\n\t}\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermUpload, dataprovider.PermCreateDirs}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(65536)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\tremoteUpPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, \"/tmp\")\n\terr = scpUpload(testFilePath, remoteUpPath, true, false)\n\tassert.NoError(t, err)\n\terr = scpUpload(testFilePath, remoteUpPath, true, false)\n\tassert.Error(t, err, \"scp upload must fail, the user cannot ovewrite existing files\")\n\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestSCPPermDownload(t *testing.T) {\n\tif scpPath == \"\" {\n\t\tt.Skip(\"scp command not found, unable to execute this test\")\n\t}\n\tusePubKey := true\n\tu := getTestUser(usePubKey)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermUpload, dataprovider.PermCreateDirs}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(65537)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\tremoteUpPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, \"/\")\n\terr = scpUpload(testFilePath, remoteUpPath, true, false)\n\tassert.NoError(t, err)\n\tremoteDownPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, path.Join(\"/\", testFileName))\n\tlocalPath := filepath.Join(homeBasePath, \"scp_download.dat\")\n\terr = scpDownload(localPath, remoteDownPath, false, false)\n\tassert.Error(t, err, \"scp download must fail, the user cannot download\")\n\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestSCPQuotaSize(t *testing.T) {\n\tif scpPath == \"\" {\n\t\tt.Skip(\"scp command not found, unable to execute this test\")\n\t}\n\tusePubKey := true\n\ttestFileSize := int64(65535)\n\tu := getTestUser(usePubKey)\n\tu.QuotaFiles = 1\n\tu.QuotaSize = testFileSize + 1\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\ttestFileSize1 := int64(131072)\n\ttestFileName1 := \"test_file1.dat\"\n\ttestFilePath1 := filepath.Join(homeBasePath, testFileName1)\n\terr = createTestFile(testFilePath1, testFileSize1)\n\tassert.NoError(t, err)\n\ttestFileSize2 := int64(32768)\n\ttestFileName2 := \"test_file2.dat\"\n\ttestFilePath2 := filepath.Join(homeBasePath, testFileName2)\n\terr = createTestFile(testFilePath2, testFileSize2)\n\tassert.NoError(t, err)\n\tremoteUpPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, path.Join(\"/\", testFileName))\n\terr = scpUpload(testFilePath, remoteUpPath, true, false)\n\tassert.NoError(t, err)\n\terr = scpUpload(testFilePath, remoteUpPath+\".quota\", true, false)\n\tassert.Error(t, err, \"user is over quota scp upload must fail\")\n\n\t// now test quota limits while uploading the current file, we have 1 bytes remaining\n\tuser.QuotaSize = testFileSize + 1\n\tuser.QuotaFiles = 0\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\terr = scpUpload(testFilePath2, remoteUpPath+\".quota\", true, false)\n\tassert.Error(t, err, \"user is over quota scp upload must fail\")\n\t// overwriting an existing file will work if the resulting size is lesser or equal than the current one\n\terr = scpUpload(testFilePath1, remoteUpPath, true, false)\n\tassert.Error(t, err)\n\terr = scpUpload(testFilePath2, remoteUpPath, true, false)\n\tassert.NoError(t, err)\n\terr = scpUpload(testFilePath, remoteUpPath, true, false)\n\tassert.NoError(t, err)\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\terr = os.Remove(testFilePath1)\n\tassert.NoError(t, err)\n\terr = os.Remove(testFilePath2)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestSCPEscapeHomeDir(t *testing.T) {\n\tif scpPath == \"\" {\n\t\tt.Skip(\"scp command not found, unable to execute this test\")\n\t}\n\tusePubKey := true\n\tuser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(user.GetHomeDir(), os.ModePerm)\n\tassert.NoError(t, err)\n\ttestDir := \"testDir\"\n\tlinkPath := filepath.Join(homeBasePath, defaultUsername, testDir)\n\terr = os.Symlink(homeBasePath, linkPath)\n\tassert.NoError(t, err)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(65535)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\tremoteUpPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, path.Join(testDir, testDir))\n\terr = scpUpload(testFilePath, remoteUpPath, false, false)\n\tassert.Error(t, err, \"uploading to a dir with a symlink outside home dir must fail\")\n\tremoteDownPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, path.Join(\"/\", testDir, testFileName))\n\tlocalPath := filepath.Join(homeBasePath, \"scp_download.dat\")\n\terr = scpDownload(localPath, remoteDownPath, false, false)\n\tassert.Error(t, err, \"scp download must fail, the requested file has a symlink outside user home\")\n\tremoteDownPath = fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, path.Join(\"/\", testDir))\n\terr = scpDownload(homeBasePath, remoteDownPath, false, true)\n\tassert.Error(t, err, \"scp download must fail, the requested dir is a symlink outside user home\")\n\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestSCPUploadPaths(t *testing.T) {\n\tif scpPath == \"\" {\n\t\tt.Skip(\"scp command not found, unable to execute this test\")\n\t}\n\tusePubKey := true\n\tuser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(65535)\n\ttestDirName := \"testDir\"\n\ttestDirPath := filepath.Join(user.GetHomeDir(), testDirName)\n\terr = os.MkdirAll(testDirPath, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\tremoteUpPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, testDirName)\n\tremoteDownPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, path.Join(testDirName, testFileName))\n\tlocalPath := filepath.Join(homeBasePath, \"scp_download.dat\")\n\terr = scpUpload(testFilePath, remoteUpPath, false, false)\n\tassert.NoError(t, err)\n\terr = scpDownload(localPath, remoteDownPath, false, false)\n\tassert.NoError(t, err)\n\t// upload a file to a missing dir\n\tremoteUpPath = fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, path.Join(testDirName, testDirName, testFileName))\n\terr = scpUpload(testFilePath, remoteUpPath, false, false)\n\tassert.Error(t, err, \"scp upload to a missing dir must fail\")\n\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.Remove(localPath)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestSCPOverwriteDirWithFile(t *testing.T) {\n\tif scpPath == \"\" {\n\t\tt.Skip(\"scp command not found, unable to execute this test\")\n\t}\n\tusePubKey := true\n\tuser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(65535)\n\ttestDirPath := filepath.Join(user.GetHomeDir(), testFileName)\n\terr = os.MkdirAll(testDirPath, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\tremoteUpPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, \"/\")\n\terr = scpUpload(testFilePath, remoteUpPath, false, false)\n\tassert.Error(t, err, \"copying a file over an existing dir must fail\")\n\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestSCPRemoteToRemote(t *testing.T) {\n\tif scpPath == \"\" {\n\t\tt.Skip(\"scp command not found, unable to execute this test\")\n\t}\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"scp between remote hosts is not supported on Windows\")\n\t}\n\tusePubKey := true\n\tuser, _, err := httpdtest.AddUser(getTestUser(usePubKey), http.StatusCreated)\n\tassert.NoError(t, err)\n\tu := getTestUser(usePubKey)\n\tu.Username += \"1\"\n\tu.HomeDir += \"1\"\n\tuser1, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(65535)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\tremoteUpPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, path.Join(\"/\", testFileName))\n\tremote1UpPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user1.Username, path.Join(\"/\", testFileName))\n\terr = scpUpload(testFilePath, remoteUpPath, false, false)\n\tassert.NoError(t, err)\n\terr = scpUpload(remoteUpPath, remote1UpPath, false, true)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user1.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user1, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestSCPErrors(t *testing.T) {\n\tif scpPath == \"\" {\n\t\tt.Skip(\"scp command not found, unable to execute this test\")\n\t}\n\tu := getTestUser(true)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttestFileSize := int64(524288)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\tremoteUpPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, \"/\")\n\tremoteDownPath := fmt.Sprintf(\"%v@127.0.0.1:%v\", user.Username, path.Join(\"/\", testFileName))\n\tlocalPath := filepath.Join(homeBasePath, \"scp_download.dat\")\n\terr = scpUpload(testFilePath, remoteUpPath, false, false)\n\tassert.NoError(t, err)\n\tuser.UploadBandwidth = 512\n\tuser.DownloadBandwidth = 512\n\t_, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tcmd := getScpDownloadCommand(localPath, remoteDownPath, false, false)\n\tgo func() {\n\t\terr := cmd.Run()\n\t\tassert.Error(t, err, \"SCP download must fail\")\n\t}()\n\twaitForActiveTransfers(t)\n\t// wait some additional arbitrary time to wait for transfer activity to happen\n\t// it is need to reach all the code in CheckIdleConnections\n\ttime.Sleep(100 * time.Millisecond)\n\terr = cmd.Process.Kill()\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool { return len(common.Connections.GetStats(\"\")) == 0 }, 2*time.Second, 100*time.Millisecond)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n\tcmd = getScpUploadCommand(testFilePath, remoteUpPath, false, false)\n\tgo func() {\n\t\terr := cmd.Run()\n\t\tassert.Error(t, err, \"SCP upload must fail\")\n\t}()\n\twaitForActiveTransfers(t)\n\t// wait some additional arbitrary time to wait for transfer activity to happen\n\t// it is need to reach all the code in CheckIdleConnections\n\ttime.Sleep(100 * time.Millisecond)\n\terr = cmd.Process.Kill()\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool { return len(common.Connections.GetStats(\"\")) == 0 }, 2*time.Second, 100*time.Millisecond)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\tos.Remove(localPath)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\n// End SCP tests\n\nfunc waitTCPListening(address string) {\n\tfor {\n\t\tconn, err := net.Dial(\"tcp\", address)\n\t\tif err != nil {\n\t\t\tlogger.WarnToConsole(\"tcp server %v not listening: %v\", address, err)\n\t\t\ttime.Sleep(100 * time.Millisecond)\n\t\t\tcontinue\n\t\t}\n\t\tlogger.InfoToConsole(\"tcp server %v now listening\", address)\n\t\tconn.Close()\n\t\tbreak\n\t}\n}\n\nfunc getTestGroup() dataprovider.Group {\n\treturn dataprovider.Group{\n\t\tBaseGroup: sdk.BaseGroup{\n\t\t\tName: \"test_group\",\n\t\t\tDescription: \"test group description\",\n\t\t},\n\t}\n}\n\nfunc getTestUser(usePubKey bool) dataprovider.User {\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: defaultUsername,\n\t\t\tPassword: defaultPassword,\n\t\t\tHomeDir: filepath.Join(homeBasePath, defaultUsername),\n\t\t\tStatus: 1,\n\t\t\tExpirationDate: 0,\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = allPerms\n\tif usePubKey {\n\t\tuser.PublicKeys = []string{testPubKey}\n\t\tuser.Password = \"\"\n\t}\n\treturn user\n}\n\nfunc getTestSFTPUser(usePubKey bool) dataprovider.User {\n\tu := getTestUser(usePubKey)\n\tu.Username = defaultSFTPUsername\n\tu.FsConfig.Provider = sdk.SFTPFilesystemProvider\n\tu.FsConfig.SFTPConfig.Endpoint = sftpServerAddr\n\tu.FsConfig.SFTPConfig.Username = defaultUsername\n\tu.FsConfig.SFTPConfig.Password = kms.NewPlainSecret(defaultPassword)\n\tif usePubKey {\n\t\tu.FsConfig.SFTPConfig.PrivateKey = kms.NewPlainSecret(testPrivateKey)\n\t\tu.FsConfig.SFTPConfig.Fingerprints = hostKeyFPs\n\t}\n\treturn u\n}\n\nfunc runSSHCommand(command string, user dataprovider.User, usePubKey bool) ([]byte, error) {\n\tvar sshSession *ssh.Session\n\tvar output []byte\n\tconfig := &ssh.ClientConfig{\n\t\tUser: user.Username,\n\t\tHostKeyCallback: ssh.InsecureIgnoreHostKey(),\n\t\tTimeout: 5 * time.Second,\n\t}\n\tif usePubKey {\n\t\tkey, err := ssh.ParsePrivateKey([]byte(testPrivateKey))\n\t\tif err != nil {\n\t\t\treturn output, err\n\t\t}\n\t\tconfig.Auth = []ssh.AuthMethod{ssh.PublicKeys(key)}\n\t} else {\n\t\tconfig.Auth = []ssh.AuthMethod{ssh.Password(defaultPassword)}\n\t}\n\tconn, err := ssh.Dial(\"tcp\", sftpServerAddr, config)\n\tif err != nil {\n\t\treturn output, err\n\t}\n\tdefer conn.Close()\n\tsshSession, err = conn.NewSession()\n\tif err != nil {\n\t\treturn output, err\n\t}\n\tvar stdout, stderr bytes.Buffer\n\tsshSession.Stdout = &stdout\n\tsshSession.Stderr = &stderr\n\terr = sshSession.Run(command)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to run command %v: %v\", command, stderr.Bytes())\n\t}\n\treturn stdout.Bytes(), err\n}\n\nfunc getSignerForUserCert(certBytes []byte) (ssh.Signer, error) {\n\tsigner, err := ssh.ParsePrivateKey([]byte(testPrivateKey))\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tcert, _, _, _, err := ssh.ParseAuthorizedKey(certBytes) //nolint:dogsled\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn ssh.NewCertSigner(cert.(*ssh.Certificate), signer)\n}\n\nfunc getSftpClientWithAddr(user dataprovider.User, usePubKey bool, addr string) (*ssh.Client, *sftp.Client, error) {\n\tvar sftpClient *sftp.Client\n\tconfig := &ssh.ClientConfig{\n\t\tUser: user.Username,\n\t\tHostKeyCallback: ssh.InsecureIgnoreHostKey(),\n\t\tTimeout: 5 * time.Second,\n\t}\n\tif usePubKey {\n\t\tsigner, err := ssh.ParsePrivateKey([]byte(testPrivateKey))\n\t\tif err != nil {\n\t\t\treturn nil, nil, err\n\t\t}\n\t\tconfig.Auth = []ssh.AuthMethod{ssh.PublicKeys(signer)}\n\t} else {\n\t\tif user.Password != \"\" {\n\t\t\tif user.Password == \"empty\" {\n\t\t\t\tconfig.Auth = []ssh.AuthMethod{ssh.Password(\"\")}\n\t\t\t} else {\n\t\t\t\tconfig.Auth = []ssh.AuthMethod{ssh.Password(user.Password)}\n\t\t\t}\n\t\t} else {\n\t\t\tconfig.Auth = []ssh.AuthMethod{ssh.Password(defaultPassword)}\n\t\t}\n\t}\n\tconn, err := ssh.Dial(\"tcp\", addr, config)\n\tif err != nil {\n\t\treturn conn, sftpClient, err\n\t}\n\tsftpClient, err = sftp.NewClient(conn)\n\tif err != nil {\n\t\tconn.Close()\n\t}\n\treturn conn, sftpClient, err\n}\n\nfunc getSftpClient(user dataprovider.User, usePubKey bool) (*ssh.Client, *sftp.Client, error) {\n\treturn getSftpClientWithAddr(user, usePubKey, sftpServerAddr)\n}\n\nfunc getKeyboardInteractiveSftpClient(user dataprovider.User, answers []string) (*ssh.Client, *sftp.Client, error) {\n\tvar sftpClient *sftp.Client\n\tconfig := &ssh.ClientConfig{\n\t\tUser: user.Username,\n\t\tHostKeyCallback: ssh.InsecureIgnoreHostKey(),\n\t\tAuth: []ssh.AuthMethod{\n\t\t\tssh.KeyboardInteractive(func(_, _ string, _ []string, _ []bool) ([]string, error) {\n\t\t\t\treturn answers, nil\n\t\t\t}),\n\t\t},\n\t\tTimeout: 5 * time.Second,\n\t}\n\tconn, err := ssh.Dial(\"tcp\", sftpServerAddr, config)\n\tif err != nil {\n\t\treturn nil, sftpClient, err\n\t}\n\tsftpClient, err = sftp.NewClient(conn)\n\tif err != nil {\n\t\tconn.Close()\n\t}\n\treturn conn, sftpClient, err\n}\n\nfunc getCustomAuthSftpClient(user dataprovider.User, authMethods []ssh.AuthMethod, addr string) (*ssh.Client, *sftp.Client, error) {\n\tvar sftpClient *sftp.Client\n\tconfig := &ssh.ClientConfig{\n\t\tUser: user.Username,\n\t\tHostKeyCallback: ssh.InsecureIgnoreHostKey(),\n\t\tAuth: authMethods,\n\t\tTimeout: 5 * time.Second,\n\t}\n\tvar err error\n\tvar conn *ssh.Client\n\tif addr != \"\" {\n\t\tconn, err = ssh.Dial(\"tcp\", addr, config)\n\t} else {\n\t\tconn, err = ssh.Dial(\"tcp\", sftpServerAddr, config)\n\t}\n\tif err != nil {\n\t\treturn conn, sftpClient, err\n\t}\n\tsftpClient, err = sftp.NewClient(conn)\n\tif err != nil {\n\t\tconn.Close()\n\t}\n\treturn conn, sftpClient, err\n}\n\nfunc createTestFile(path string, size int64) error {\n\tbaseDir := filepath.Dir(path)\n\tif _, err := os.Stat(baseDir); errors.Is(err, fs.ErrNotExist) {\n\t\terr = os.MkdirAll(baseDir, os.ModePerm)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tcontent := make([]byte, size)\n\t_, err := rand.Read(content)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn os.WriteFile(path, content, os.ModePerm)\n}\n\nfunc appendToTestFile(path string, size int64) error {\n\tcontent := make([]byte, size)\n\t_, err := rand.Read(content)\n\tif err != nil {\n\t\treturn err\n\t}\n\tf, err := os.OpenFile(path, os.O_APPEND|os.O_WRONLY, os.ModePerm)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer f.Close()\n\twritten, err := io.Copy(f, bytes.NewReader(content))\n\tif err != nil {\n\t\treturn err\n\t}\n\tif written != size {\n\t\treturn fmt.Errorf(\"write error, written: %v/%v\", written, size)\n\t}\n\treturn nil\n}\n\nfunc checkBasicSFTP(client *sftp.Client) error {\n\t_, err := client.Getwd()\n\tif err != nil {\n\t\treturn err\n\t}\n\t_, err = client.ReadDir(\".\")\n\treturn err\n}\n\nfunc writeSFTPFile(name string, size int64, client *sftp.Client) error {\n\tcontent := make([]byte, size)\n\t_, err := rand.Read(content)\n\tif err != nil {\n\t\treturn err\n\t}\n\tf, err := client.Create(name)\n\tif err != nil {\n\t\treturn err\n\t}\n\t_, err = io.Copy(f, bytes.NewBuffer(content))\n\tif err != nil {\n\t\tf.Close()\n\t\treturn err\n\t}\n\terr = f.Close()\n\tif err != nil {\n\t\treturn err\n\t}\n\tinfo, err := client.Stat(name)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif info.Size() != size {\n\t\treturn fmt.Errorf(\"file size mismatch, wanted %v, actual %v\", size, info.Size())\n\t}\n\treturn nil\n}\n\nfunc sftpUploadFile(localSourcePath string, remoteDestPath string, expectedSize int64, client *sftp.Client) error {\n\tsrcFile, err := os.Open(localSourcePath)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer srcFile.Close()\n\tdestFile, err := client.Create(remoteDestPath)\n\tif err != nil {\n\t\treturn err\n\t}\n\t_, err = io.Copy(destFile, srcFile)\n\tif err != nil {\n\t\tdestFile.Close()\n\t\treturn err\n\t}\n\t// we need to close the file to trigger the server side close method\n\t// we cannot defer closing otherwise Stat will fail for upload atomic mode\n\tdestFile.Close()\n\tif expectedSize > 0 {\n\t\tfi, err := client.Stat(remoteDestPath)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif fi.Size() != expectedSize {\n\t\t\treturn fmt.Errorf(\"uploaded file size does not match, actual: %v, expected: %v\", fi.Size(), expectedSize)\n\t\t}\n\t}\n\treturn err\n}\n\nfunc sftpUploadResumeFile(localSourcePath string, remoteDestPath string, expectedSize int64, invalidOffset bool, //nolint:unparam\n\tclient *sftp.Client) error {\n\tsrcFile, err := os.Open(localSourcePath)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer srcFile.Close()\n\tfi, err := client.Lstat(remoteDestPath)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif !invalidOffset {\n\t\t_, err = srcFile.Seek(fi.Size(), 0)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tdestFile, err := client.OpenFile(remoteDestPath, os.O_WRONLY|os.O_APPEND)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif !invalidOffset {\n\t\t_, err = destFile.Seek(fi.Size(), 0)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\t_, err = io.Copy(destFile, srcFile)\n\tif err != nil {\n\t\tdestFile.Close()\n\t\treturn err\n\t}\n\t// we need to close the file to trigger the server side close method\n\t// we cannot defer closing otherwise Stat will fail for upload atomic mode\n\tdestFile.Close()\n\tif expectedSize > 0 {\n\t\tfi, err := client.Lstat(remoteDestPath)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif fi.Size() != expectedSize {\n\t\t\treturn fmt.Errorf(\"uploaded file size does not match, actual: %v, expected: %v\", fi.Size(), expectedSize)\n\t\t}\n\t}\n\treturn err\n}\n\nfunc sftpDownloadFile(remoteSourcePath string, localDestPath string, expectedSize int64, client *sftp.Client) error {\n\tdownloadDest, err := os.Create(localDestPath)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer downloadDest.Close()\n\tsftpSrcFile, err := client.Open(remoteSourcePath)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer sftpSrcFile.Close()\n\t_, err = io.Copy(downloadDest, sftpSrcFile)\n\tif err != nil {\n\t\treturn err\n\t}\n\terr = downloadDest.Sync()\n\tif err != nil {\n\t\treturn err\n\t}\n\tif expectedSize > 0 {\n\t\tfi, err := downloadDest.Stat()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif fi.Size() != expectedSize {\n\t\t\treturn fmt.Errorf(\"downloaded file size does not match, actual: %v, expected: %v\", fi.Size(), expectedSize)\n\t\t}\n\t}\n\treturn err\n}\n\nfunc sftpUploadNonBlocking(localSourcePath string, remoteDestPath string, expectedSize int64, client *sftp.Client) <-chan error {\n\tc := make(chan error, 1)\n\tgo func() {\n\t\tc <- sftpUploadFile(localSourcePath, remoteDestPath, expectedSize, client)\n\t}()\n\treturn c\n}\n\nfunc sftpDownloadNonBlocking(remoteSourcePath string, localDestPath string, expectedSize int64, client *sftp.Client) <-chan error {\n\tc := make(chan error, 1)\n\tgo func() {\n\t\tc <- sftpDownloadFile(remoteSourcePath, localDestPath, expectedSize, client)\n\t}()\n\treturn c\n}\n\nfunc scpUpload(localPath, remotePath string, preserveTime, remoteToRemote bool) error {\n\tcmd := getScpUploadCommand(localPath, remotePath, preserveTime, remoteToRemote)\n\treturn cmd.Run()\n}\n\nfunc scpDownload(localPath, remotePath string, preserveTime, recursive bool) error {\n\tcmd := getScpDownloadCommand(localPath, remotePath, preserveTime, recursive)\n\treturn cmd.Run()\n}\n\nfunc getScpDownloadCommand(localPath, remotePath string, preserveTime, recursive bool) *exec.Cmd {\n\tvar args []string\n\tif preserveTime {\n\t\targs = append(args, \"-p\")\n\t}\n\tif recursive {\n\t\targs = append(args, \"-r\")\n\t}\n\tif scpForce {\n\t\targs = append(args, \"-O\")\n\t}\n\targs = append(args, \"-P\")\n\targs = append(args, \"2022\")\n\targs = append(args, \"-o\")\n\targs = append(args, \"StrictHostKeyChecking=no\")\n\targs = append(args, \"-i\")\n\targs = append(args, privateKeyPath)\n\targs = append(args, remotePath)\n\targs = append(args, localPath)\n\treturn exec.Command(scpPath, args...)\n}\n\nfunc getScpUploadCommand(localPath, remotePath string, preserveTime, remoteToRemote bool) *exec.Cmd {\n\tvar args []string\n\tif remoteToRemote {\n\t\targs = append(args, \"-3\")\n\t}\n\tif preserveTime {\n\t\targs = append(args, \"-p\")\n\t}\n\tfi, err := os.Stat(localPath)\n\tif err == nil {\n\t\tif fi.IsDir() {\n\t\t\targs = append(args, \"-r\")\n\t\t}\n\t}\n\tif scpForce {\n\t\targs = append(args, \"-O\")\n\t}\n\targs = append(args, \"-P\")\n\targs = append(args, \"2022\")\n\targs = append(args, \"-o\")\n\targs = append(args, \"StrictHostKeyChecking=no\")\n\targs = append(args, \"-o\")\n\targs = append(args, \"HostKeyAlgorithms=+ssh-rsa\")\n\targs = append(args, \"-i\")\n\targs = append(args, privateKeyPath)\n\targs = append(args, localPath)\n\targs = append(args, remotePath)\n\treturn exec.Command(scpPath, args...)\n}\n\nfunc computeHashForFile(hasher hash.Hash, path string) (string, error) {\n\thash := \"\"\n\tf, err := os.Open(path)\n\tif err != nil {\n\t\treturn hash, err\n\t}\n\tdefer f.Close()\n\t_, err = io.Copy(hasher, f)\n\tif err == nil {\n\t\thash = fmt.Sprintf(\"%x\", hasher.Sum(nil))\n\t}\n\treturn hash, err\n}\n\nfunc waitForActiveTransfers(t *testing.T) {\n\tassert.Eventually(t, func() bool {\n\t\tfor _, stat := range common.Connections.GetStats(\"\") {\n\t\t\tif len(stat.Transfers) > 0 {\n\t\t\t\treturn true\n\t\t\t}\n\t\t}\n\t\treturn false\n\t}, 1*time.Second, 50*time.Millisecond)\n}\n\nfunc checkSystemCommands() {\n\tvar err error\n\tgitPath, err = exec.LookPath(\"git\")\n\tif err != nil {\n\t\tlogger.Warn(logSender, \"\", \"unable to get git command. GIT tests will be skipped, err: %v\", err)\n\t\tlogger.WarnToConsole(\"unable to get git command. GIT tests will be skipped, err: %v\", err)\n\t\tgitPath = \"\"\n\t}\n\n\tsshPath, err = exec.LookPath(\"ssh\")\n\tif err != nil {\n\t\tlogger.Warn(logSender, \"\", \"unable to get ssh command. GIT tests will be skipped, err: %v\", err)\n\t\tlogger.WarnToConsole(\"unable to get ssh command. GIT tests will be skipped, err: %v\", err)\n\t\tgitPath = \"\"\n\t}\n\thookCmdPath, err = exec.LookPath(\"true\")\n\tif err != nil {\n\t\tlogger.Warn(logSender, \"\", \"unable to get hook command: %v\", err)\n\t\tlogger.WarnToConsole(\"unable to get hook command: %v\", err)\n\t}\n\tscpPath, err = exec.LookPath(\"scp\")\n\tif err != nil {\n\t\tlogger.Warn(logSender, \"\", \"unable to get scp command. SCP tests will be skipped, err: %v\", err)\n\t\tlogger.WarnToConsole(\"unable to get scp command. SCP tests will be skipped, err: %v\", err)\n\t\tscpPath = \"\"\n\t} else {\n\t\tctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)\n\t\tdefer cancel()\n\t\tcmd := exec.CommandContext(ctx, scpPath, \"-O\")\n\t\tout, _ := cmd.CombinedOutput()\n\t\tscpForce = !strings.Contains(string(out), \"option -- O\")\n\t}\n}\n\nfunc getKeyboardInteractiveScriptForBuiltinChecks(addPasscode bool, result int) []byte {\n\tcontent := []byte(\"#!/bin/sh\\n\\n\")\n\techos := []bool{false}\n\tq, _ := json.Marshal([]string{\"Password: \"})\n\te, _ := json.Marshal(echos)\n\tcontent = append(content, []byte(fmt.Sprintf(\"echo '{\\\"questions\\\":%v,\\\"echos\\\":%v,\\\"check_password\\\":1}'\\n\", string(q), string(e)))...)\n\tcontent = append(content, []byte(\"read ANSWER\\n\\n\")...)\n\tcontent = append(content, []byte(\"if test \\\"$ANSWER\\\" != \\\"OK\\\"; then\\n\")...)\n\tcontent = append(content, []byte(\"exit 1\\n\")...)\n\tcontent = append(content, []byte(\"fi\\n\\n\")...)\n\tif addPasscode {\n\t\tq, _ := json.Marshal([]string{\"Passcode: \"})\n\t\tcontent = append(content, []byte(fmt.Sprintf(\"echo '{\\\"questions\\\":%v,\\\"echos\\\":%v,\\\"check_password\\\":2}'\\n\", string(q), string(e)))...)\n\t\tcontent = append(content, []byte(\"read ANSWER\\n\\n\")...)\n\t\tcontent = append(content, []byte(\"if test \\\"$ANSWER\\\" != \\\"OK\\\"; then\\n\")...)\n\t\tcontent = append(content, []byte(\"exit 1\\n\")...)\n\t\tcontent = append(content, []byte(\"fi\\n\\n\")...)\n\t}\n\tcontent = append(content, []byte(fmt.Sprintf(\"echo '{\\\"auth_result\\\":%v}'\\n\", result))...)\n\treturn content\n}\n\nfunc getKeyboardInteractiveScriptContent(questions []string, sleepTime int, nonJSONResponse bool, result int) []byte {\n\tcontent := []byte(\"#!/bin/sh\\n\\n\")\n\tq, _ := json.Marshal(questions)\n\techos := []bool{}\n\tfor index := range questions {\n\t\techos = append(echos, index%2 == 0)\n\t}\n\te, _ := json.Marshal(echos)\n\tif nonJSONResponse {\n\t\tcontent = append(content, []byte(fmt.Sprintf(\"echo 'questions: %v echos: %v\\n\", string(q), string(e)))...)\n\t} else {\n\t\tcontent = append(content, []byte(fmt.Sprintf(\"echo '{\\\"questions\\\":%v,\\\"echos\\\":%v}'\\n\", string(q), string(e)))...)\n\t}\n\tfor index := range questions {\n\t\tcontent = append(content, []byte(fmt.Sprintf(\"read ANSWER%v\\n\", index))...)\n\t}\n\tif sleepTime > 0 {\n\t\tcontent = append(content, []byte(fmt.Sprintf(\"sleep %v\\n\", sleepTime))...)\n\t}\n\tcontent = append(content, []byte(fmt.Sprintf(\"echo '{\\\"auth_result\\\":%v}'\\n\", result))...)\n\treturn content\n}\n\nfunc getExtAuthScriptContent(user dataprovider.User, nonJSONResponse, emptyResponse bool, username string) []byte {\n\textAuthContent := []byte(\"#!/bin/sh\\n\\n\")\n\tif emptyResponse {\n\t\treturn extAuthContent\n\t}\n\textAuthContent = append(extAuthContent, []byte(fmt.Sprintf(\"if test \\\"$SFTPGO_AUTHD_USERNAME\\\" = \\\"%v\\\"; then\\n\", user.Username))...)\n\tif username != \"\" {\n\t\tuser.Username = username\n\t}\n\tu, _ := json.Marshal(user)\n\tif nonJSONResponse {\n\t\textAuthContent = append(extAuthContent, []byte(\"echo 'text response'\\n\")...)\n\t} else {\n\t\textAuthContent = append(extAuthContent, []byte(fmt.Sprintf(\"echo '%v'\\n\", string(u)))...)\n\t}\n\textAuthContent = append(extAuthContent, []byte(\"else\\n\")...)\n\tif nonJSONResponse {\n\t\textAuthContent = append(extAuthContent, []byte(\"echo 'text response'\\n\")...)\n\t} else {\n\t\textAuthContent = append(extAuthContent, []byte(\"echo '{\\\"username\\\":\\\"\\\"}'\\n\")...)\n\t}\n\textAuthContent = append(extAuthContent, []byte(\"fi\\n\")...)\n\treturn extAuthContent\n}\n\nfunc getPreLoginScriptContent(user dataprovider.User, nonJSONResponse bool) []byte {\n\tcontent := []byte(\"#!/bin/sh\\n\\n\")\n\tif nonJSONResponse {\n\t\tcontent = append(content, []byte(\"echo 'text response'\\n\")...)\n\t\treturn content\n\t}\n\tif len(user.Username) > 0 {\n\t\tu, _ := json.Marshal(user)\n\t\tcontent = append(content, []byte(fmt.Sprintf(\"echo '%v'\\n\", string(u)))...)\n\t}\n\treturn content\n}\n\nfunc getExitCodeScriptContent(exitCode int) []byte {\n\tcontent := []byte(\"#!/bin/sh\\n\\n\")\n\tcontent = append(content, []byte(fmt.Sprintf(\"exit %v\", exitCode))...)\n\treturn content\n}\n\nfunc getCheckPwdScriptsContents(status int, toVerify string) []byte {\n\tcontent := []byte(\"#!/bin/sh\\n\\n\")\n\tcontent = append(content, []byte(fmt.Sprintf(\"echo '{\\\"status\\\":%v,\\\"to_verify\\\":\\\"%v\\\"}'\\n\", status, toVerify))...)\n\tif status > 0 {\n\t\tcontent = append(content, []byte(\"exit 0\")...)\n\t} else {\n\t\tcontent = append(content, []byte(\"exit 1\")...)\n\t}\n\treturn content\n}\n\nfunc printLatestLogs(maxNumberOfLines int) {\n\tvar lines []string\n\tf, err := os.Open(logFilePath)\n\tif err != nil {\n\t\treturn\n\t}\n\tdefer f.Close()\n\tscanner := bufio.NewScanner(f)\n\tfor scanner.Scan() {\n\t\tlines = append(lines, scanner.Text()+\"\\r\\n\")\n\t\tfor len(lines) > maxNumberOfLines {\n\t\t\tlines = lines[1:]\n\t\t}\n\t}\n\tif scanner.Err() != nil {\n\t\tlogger.WarnToConsole(\"Unable to print latest logs: %v\", scanner.Err())\n\t\treturn\n\t}\n\tfor _, line := range lines {\n\t\tlogger.DebugToConsole(\"%s\", line)\n\t}\n}\n\nfunc getHostKeyFingerprint(name string) (string, error) {\n\tprivateBytes, err := os.ReadFile(name)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\tprivate, err := ssh.ParsePrivateKey(privateBytes)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn ssh.FingerprintSHA256(private.PublicKey()), nil\n}\n\nfunc getHostKeysFingerprints(hostKeys []string) {\n\tfor _, k := range hostKeys {\n\t\tfp, err := getHostKeyFingerprint(filepath.Join(configDir, k))\n\t\tif err != nil {\n\t\t\tlogger.ErrorToConsole(\"unable to get fingerprint for host key %q: %v\", k, err)\n\t\t\tos.Exit(1)\n\t\t}\n\t\thostKeyFPs = append(hostKeyFPs, fp)\n\t}\n}\n\nfunc createInitialFiles(scriptArgs string) {\n\tpubKeyPath = filepath.Join(homeBasePath, \"ssh_key.pub\")\n\tprivateKeyPath = filepath.Join(homeBasePath, \"ssh_key\")\n\ttrustedCAUserKey = filepath.Join(homeBasePath, \"ca_user_key\")\n\tgitWrapPath = filepath.Join(homeBasePath, \"gitwrap.sh\")\n\textAuthPath = filepath.Join(homeBasePath, \"extauth.sh\")\n\tpreLoginPath = filepath.Join(homeBasePath, \"prelogin.sh\")\n\tpostConnectPath = filepath.Join(homeBasePath, \"postconnect.sh\")\n\tcheckPwdPath = filepath.Join(homeBasePath, \"checkpwd.sh\")\n\tpreDownloadPath = filepath.Join(homeBasePath, \"predownload.sh\")\n\tpreUploadPath = filepath.Join(homeBasePath, \"preupload.sh\")\n\trevokeUserCerts = filepath.Join(homeBasePath, \"revoked_certs.json\")\n\terr := os.WriteFile(pubKeyPath, []byte(testPubKey+\"\\n\"), 0600)\n\tif err != nil {\n\t\tlogger.WarnToConsole(\"unable to save public key to file: %v\", err)\n\t}\n\terr = os.WriteFile(privateKeyPath, []byte(testPrivateKey+\"\\n\"), 0600)\n\tif err != nil {\n\t\tlogger.WarnToConsole(\"unable to save private key to file: %v\", err)\n\t}\n\terr = os.WriteFile(gitWrapPath, []byte(fmt.Sprintf(\"%v -i %v -oStrictHostKeyChecking=no %v\\n\",\n\t\tsshPath, privateKeyPath, scriptArgs)), os.ModePerm)\n\tif err != nil {\n\t\tlogger.WarnToConsole(\"unable to save gitwrap shell script: %v\", err)\n\t}\n\terr = os.WriteFile(trustedCAUserKey, []byte(testCAUserKey), 0600)\n\tif err != nil {\n\t\tlogger.WarnToConsole(\"unable to save trusted CA user key: %v\", err)\n\t}\n\terr = os.WriteFile(revokeUserCerts, []byte(`[]`), 0644)\n\tif err != nil {\n\t\tlogger.WarnToConsole(\"unable to save revoked user certs: %v\", err)\n\t}\n}\n" }, { "path": "internal/sftpd/ssh_cmd.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage sftpd\n\nimport (\n\t\"crypto/md5\"\n\t\"crypto/sha1\"\n\t\"crypto/sha256\"\n\t\"crypto/sha512\"\n\t\"errors\"\n\t\"fmt\"\n\t\"hash\"\n\t\"io\"\n\t\"runtime/debug\"\n\t\"slices\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/google/shlex\"\n\t\"golang.org/x/crypto/ssh\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/metric\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nconst (\n\tscpCmdName = \"scp\"\n\tsshCommandLogSender = \"SSHCommand\"\n)\n\ntype sshCommand struct {\n\tcommand string\n\targs []string\n\tconnection *Connection\n\tstartTime time.Time\n}\n\nfunc processSSHCommand(payload []byte, connection *Connection, enabledSSHCommands []string) bool {\n\tvar msg sshSubsystemExecMsg\n\tif err := ssh.Unmarshal(payload, &msg); err == nil {\n\t\tname, args, err := parseCommandPayload(msg.Command)\n\t\tconnection.Log(logger.LevelDebug, \"new ssh command: %q args: %v num args: %d user: %s, error: %v\",\n\t\t\tname, args, len(args), connection.User.Username, err)\n\t\tif err == nil && slices.Contains(enabledSSHCommands, name) {\n\t\t\tconnection.command = msg.Command\n\t\t\tif name == scpCmdName && len(args) >= 2 {\n\t\t\t\tconnection.SetProtocol(common.ProtocolSCP)\n\t\t\t\tscpCommand := scpCommand{\n\t\t\t\t\tsshCommand: sshCommand{\n\t\t\t\t\t\tcommand: name,\n\t\t\t\t\t\tconnection: connection,\n\t\t\t\t\t\tstartTime: time.Now(),\n\t\t\t\t\t\targs: args},\n\t\t\t\t}\n\t\t\t\tgo scpCommand.handle() //nolint:errcheck\n\t\t\t\treturn true\n\t\t\t}\n\t\t\tif name != scpCmdName {\n\t\t\t\tconnection.SetProtocol(common.ProtocolSSH)\n\t\t\t\tsshCommand := sshCommand{\n\t\t\t\t\tcommand: name,\n\t\t\t\t\tconnection: connection,\n\t\t\t\t\tstartTime: time.Now(),\n\t\t\t\t\targs: args,\n\t\t\t\t}\n\t\t\t\tgo sshCommand.handle() //nolint:errcheck\n\t\t\t\treturn true\n\t\t\t}\n\t\t} else {\n\t\t\tconnection.Log(logger.LevelInfo, \"ssh command not enabled/supported: %q\", name)\n\t\t}\n\t}\n\terr := connection.CloseFS()\n\tconnection.Log(logger.LevelError, \"unable to unmarshal ssh command, close fs, err: %v\", err)\n\treturn false\n}\n\nfunc (c *sshCommand) handle() (err error) {\n\tdefer func() {\n\t\tif r := recover(); r != nil {\n\t\t\tlogger.Error(logSender, \"\", \"panic in handle ssh command: %q stack trace: %v\", r, string(debug.Stack()))\n\t\t\terr = common.ErrGenericFailure\n\t\t}\n\t}()\n\tif err := common.Connections.Add(c.connection); err != nil {\n\t\tdefer c.connection.CloseFS() //nolint:errcheck\n\t\tlogger.Info(logSender, \"\", \"unable to add SSH command connection: %v\", err)\n\t\treturn c.sendErrorResponse(err)\n\t}\n\tdefer common.Connections.Remove(c.connection.GetID())\n\n\tc.connection.UpdateLastActivity()\n\tif slices.Contains(sshHashCommands, c.command) {\n\t\treturn c.handleHashCommands()\n\t} else if c.command == \"cd\" {\n\t\tc.sendExitStatus(nil)\n\t} else if c.command == \"pwd\" {\n\t\t// hard coded response to the start directory\n\t\tc.connection.channel.Write([]byte(util.CleanPath(c.connection.User.Filters.StartDirectory) + \"\\n\")) //nolint:errcheck\n\t\tc.sendExitStatus(nil)\n\t} else if c.command == \"sftpgo-copy\" {\n\t\treturn c.handleSFTPGoCopy()\n\t} else if c.command == \"sftpgo-remove\" {\n\t\treturn c.handleSFTPGoRemove()\n\t}\n\treturn\n}\n\nfunc (c *sshCommand) handleSFTPGoCopy() error {\n\tsshSourcePath := c.getSourcePath()\n\tsshDestPath := c.getDestPath()\n\tif sshSourcePath == \"\" || sshDestPath == \"\" || len(c.args) != 2 {\n\t\treturn c.sendErrorResponse(errors.New(\"usage sftpgo-copy \"))\n\t}\n\tc.connection.Log(logger.LevelDebug, \"requested copy %q -> %q\", sshSourcePath, sshDestPath)\n\tif err := c.connection.Copy(sshSourcePath, sshDestPath); err != nil {\n\t\treturn c.sendErrorResponse(err)\n\t}\n\tc.connection.channel.Write([]byte(\"OK\\n\")) //nolint:errcheck\n\tc.sendExitStatus(nil)\n\treturn nil\n}\n\nfunc (c *sshCommand) handleSFTPGoRemove() error {\n\tsshDestPath, err := c.getRemovePath()\n\tif err != nil {\n\t\treturn c.sendErrorResponse(err)\n\t}\n\tif err := c.connection.RemoveAll(sshDestPath); err != nil {\n\t\treturn c.sendErrorResponse(err)\n\t}\n\tc.connection.channel.Write([]byte(\"OK\\n\")) //nolint:errcheck\n\tc.sendExitStatus(nil)\n\treturn nil\n}\n\nfunc (c *sshCommand) handleHashCommands() error {\n\tvar h hash.Hash\n\tswitch c.command {\n\tcase \"md5sum\":\n\t\th = md5.New()\n\tcase \"sha1sum\":\n\t\th = sha1.New()\n\tcase \"sha256sum\":\n\t\th = sha256.New()\n\tcase \"sha384sum\":\n\t\th = sha512.New384()\n\tdefault:\n\t\th = sha512.New()\n\t}\n\tvar response string\n\tif len(c.args) == 0 {\n\t\t// without args we need to read the string to hash from stdin\n\t\tbuf := make([]byte, 4096)\n\t\tn, err := c.connection.channel.Read(buf)\n\t\tif err != nil && err != io.EOF {\n\t\t\treturn c.sendErrorResponse(err)\n\t\t}\n\t\th.Write(buf[:n]) //nolint:errcheck\n\t\tresponse = fmt.Sprintf(\"%x -\\n\", h.Sum(nil))\n\t} else {\n\t\tsshPath := c.getDestPath()\n\t\tif ok, policy := c.connection.User.IsFileAllowed(sshPath); !ok {\n\t\t\tc.connection.Log(logger.LevelInfo, \"hash not allowed for file %q\", sshPath)\n\t\t\treturn c.sendErrorResponse(c.connection.GetErrorForDeniedFile(policy))\n\t\t}\n\t\tfs, fsPath, err := c.connection.GetFsAndResolvedPath(sshPath)\n\t\tif err != nil {\n\t\t\treturn c.sendErrorResponse(err)\n\t\t}\n\t\tif !c.connection.User.HasPerm(dataprovider.PermListItems, sshPath) {\n\t\t\treturn c.sendErrorResponse(c.connection.GetPermissionDeniedError())\n\t\t}\n\t\thash, err := c.computeHashForFile(fs, h, fsPath)\n\t\tif err != nil {\n\t\t\treturn c.sendErrorResponse(c.connection.GetFsError(fs, err))\n\t\t}\n\t\tresponse = fmt.Sprintf(\"%v %v\\n\", hash, sshPath)\n\t}\n\tc.connection.channel.Write([]byte(response)) //nolint:errcheck\n\tc.sendExitStatus(nil)\n\treturn nil\n}\n\n// for the supported commands, the destination path, if any, is the last argument\nfunc (c *sshCommand) getDestPath() string {\n\tif len(c.args) == 0 {\n\t\treturn \"\"\n\t}\n\treturn c.cleanCommandPath(c.args[len(c.args)-1])\n}\n\n// for the supported commands, the destination path, if any, is the second-last argument\nfunc (c *sshCommand) getSourcePath() string {\n\tif len(c.args) < 2 {\n\t\treturn \"\"\n\t}\n\treturn c.cleanCommandPath(c.args[len(c.args)-2])\n}\n\nfunc (c *sshCommand) cleanCommandPath(name string) string {\n\tname = strings.Trim(name, \"'\")\n\tname = strings.Trim(name, \"\\\"\")\n\tresult := c.connection.User.GetCleanedPath(name)\n\tif strings.HasSuffix(name, \"/\") && !strings.HasSuffix(result, \"/\") {\n\t\tresult += \"/\"\n\t}\n\treturn result\n}\n\nfunc (c *sshCommand) getRemovePath() (string, error) {\n\tsshDestPath := c.getDestPath()\n\tif sshDestPath == \"\" || len(c.args) != 1 {\n\t\terr := errors.New(\"usage sftpgo-remove \")\n\t\treturn \"\", err\n\t}\n\tif len(sshDestPath) > 1 {\n\t\tsshDestPath = strings.TrimSuffix(sshDestPath, \"/\")\n\t}\n\treturn sshDestPath, nil\n}\n\nfunc (c *sshCommand) sendErrorResponse(err error) error {\n\terrorString := fmt.Sprintf(\"%v: %v %v\\n\", c.command, c.getDestPath(), err)\n\tc.connection.channel.Write([]byte(errorString)) //nolint:errcheck\n\tc.sendExitStatus(err)\n\treturn err\n}\n\nfunc (c *sshCommand) sendExitStatus(err error) {\n\tstatus := uint32(0)\n\tvCmdPath := c.getDestPath()\n\tcmdPath := \"\"\n\ttargetPath := \"\"\n\tvTargetPath := \"\"\n\tif c.command == \"sftpgo-copy\" {\n\t\tvTargetPath = vCmdPath\n\t\tvCmdPath = c.getSourcePath()\n\t}\n\tif err != nil {\n\t\tstatus = uint32(1)\n\t\tc.connection.Log(logger.LevelError, \"command failed: %q args: %v user: %s err: %v\",\n\t\t\tc.command, c.args, c.connection.User.Username, err)\n\t}\n\texitStatus := sshSubsystemExitStatus{\n\t\tStatus: status,\n\t}\n\t_, errClose := c.connection.channel.(ssh.Channel).SendRequest(\"exit-status\", false, ssh.Marshal(&exitStatus))\n\tc.connection.Log(logger.LevelDebug, \"exit status sent, error: %v\", errClose)\n\tc.connection.channel.Close()\n\t// for scp we notify single uploads/downloads\n\tif c.command != scpCmdName {\n\t\telapsed := time.Since(c.startTime).Nanoseconds() / 1000000\n\t\tmetric.SSHCommandCompleted(err)\n\t\tif vCmdPath != \"\" {\n\t\t\t_, p, errFs := c.connection.GetFsAndResolvedPath(vCmdPath)\n\t\t\tif errFs == nil {\n\t\t\t\tcmdPath = p\n\t\t\t}\n\t\t}\n\t\tif vTargetPath != \"\" {\n\t\t\t_, p, errFs := c.connection.GetFsAndResolvedPath(vTargetPath)\n\t\t\tif errFs == nil {\n\t\t\t\ttargetPath = p\n\t\t\t}\n\t\t}\n\t\tcommon.ExecuteActionNotification(c.connection.BaseConnection, common.OperationSSHCmd, cmdPath, vCmdPath, //nolint:errcheck\n\t\t\ttargetPath, vTargetPath, c.command, 0, err, elapsed, nil)\n\t\tif err == nil {\n\t\t\tlogger.CommandLog(sshCommandLogSender, cmdPath, targetPath, c.connection.User.Username, \"\", c.connection.ID,\n\t\t\t\tcommon.ProtocolSSH, -1, -1, \"\", \"\", c.connection.command, -1, c.connection.GetLocalAddress(),\n\t\t\t\tc.connection.GetRemoteAddress(), elapsed)\n\t\t}\n\t}\n}\n\nfunc (c *sshCommand) computeHashForFile(fs vfs.Fs, hasher hash.Hash, path string) (string, error) {\n\thash := \"\"\n\tf, r, _, err := fs.Open(path, 0)\n\tif err != nil {\n\t\treturn hash, err\n\t}\n\tvar reader io.ReadCloser\n\tif f != nil {\n\t\treader = f\n\t} else {\n\t\treader = r\n\t}\n\tdefer reader.Close()\n\t_, err = io.Copy(hasher, reader)\n\tif err == nil {\n\t\thash = fmt.Sprintf(\"%x\", hasher.Sum(nil))\n\t}\n\treturn hash, err\n}\n\nfunc parseCommandPayload(command string) (string, []string, error) {\n\tparts, err := shlex.Split(command)\n\tif err == nil && len(parts) == 0 {\n\t\terr = fmt.Errorf(\"invalid command: %q\", command)\n\t}\n\tif err != nil {\n\t\treturn \"\", []string{}, err\n\t}\n\tif len(parts) < 2 {\n\t\treturn parts[0], []string{}, nil\n\t}\n\treturn parts[0], parts[1:], nil\n}\n" }, { "path": "internal/sftpd/transfer.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage sftpd\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\ntype writerAtCloser interface {\n\tio.WriterAt\n\tio.Closer\n}\n\ntype readerAtCloser interface {\n\tio.ReaderAt\n\tio.Closer\n}\n\ntype failingReader struct {\n\tinnerReader readerAtCloser\n\terrRead error\n}\n\nfunc (r *failingReader) ReadAt(_ []byte, _ int64) (n int, err error) {\n\treturn 0, r.errRead\n}\n\nfunc (r *failingReader) Close() error {\n\tif r.innerReader == nil {\n\t\treturn nil\n\t}\n\treturn r.innerReader.Close()\n}\n\n// transfer defines the transfer details.\n// It implements the io.ReaderAt and io.WriterAt interfaces to handle SFTP downloads and uploads\ntype transfer struct {\n\t*common.BaseTransfer\n\twriterAt writerAtCloser\n\treaderAt readerAtCloser\n\tisFinished bool\n}\n\nfunc newTransfer(baseTransfer *common.BaseTransfer, pipeWriter vfs.PipeWriter, pipeReader vfs.PipeReader,\n\terrForRead error) *transfer {\n\tvar writer writerAtCloser\n\tvar reader readerAtCloser\n\tif baseTransfer.File != nil {\n\t\twriter = baseTransfer.File\n\t\tif errForRead == nil {\n\t\t\treader = baseTransfer.File\n\t\t} else {\n\t\t\treader = &failingReader{\n\t\t\t\tinnerReader: baseTransfer.File,\n\t\t\t\terrRead: errForRead,\n\t\t\t}\n\t\t}\n\t} else if pipeWriter != nil {\n\t\twriter = pipeWriter\n\t} else if pipeReader != nil {\n\t\tif errForRead == nil {\n\t\t\treader = pipeReader\n\t\t} else {\n\t\t\treader = &failingReader{\n\t\t\t\tinnerReader: pipeReader,\n\t\t\t\terrRead: errForRead,\n\t\t\t}\n\t\t}\n\t}\n\tif baseTransfer.File == nil && errForRead != nil && pipeReader == nil {\n\t\treader = &failingReader{\n\t\t\tinnerReader: nil,\n\t\t\terrRead: errForRead,\n\t\t}\n\t}\n\treturn &transfer{\n\t\tBaseTransfer: baseTransfer,\n\t\twriterAt: writer,\n\t\treaderAt: reader,\n\t\tisFinished: false,\n\t}\n}\n\n// ReadAt reads len(p) bytes from the File to download starting at byte offset off and updates the bytes sent.\n// It handles download bandwidth throttling too\nfunc (t *transfer) ReadAt(p []byte, off int64) (n int, err error) {\n\tt.Connection.UpdateLastActivity()\n\n\tn, err = t.readerAt.ReadAt(p, off)\n\tt.BytesSent.Add(int64(n))\n\n\tif err == nil {\n\t\terr = t.CheckRead()\n\t}\n\tif err != nil && err != io.EOF {\n\t\tif t.GetType() == common.TransferDownload {\n\t\t\tt.TransferError(err)\n\t\t}\n\t\terr = t.ConvertError(err)\n\t\treturn\n\t}\n\tt.HandleThrottle()\n\treturn\n}\n\n// WriteAt writes len(p) bytes to the uploaded file starting at byte offset off and updates the bytes received.\n// It handles upload bandwidth throttling too\nfunc (t *transfer) WriteAt(p []byte, off int64) (n int, err error) {\n\tt.Connection.UpdateLastActivity()\n\tif off < t.MinWriteOffset {\n\t\terr := fmt.Errorf(\"invalid write offset: %v minimum valid value: %v\", off, t.MinWriteOffset)\n\t\tt.TransferError(err)\n\t\treturn 0, err\n\t}\n\n\tn, err = t.writerAt.WriteAt(p, off)\n\tt.BytesReceived.Add(int64(n))\n\n\tif err == nil {\n\t\terr = t.CheckWrite()\n\t}\n\tif err != nil {\n\t\tt.TransferError(err)\n\t\terr = t.ConvertError(err)\n\t\treturn\n\t}\n\tt.HandleThrottle()\n\treturn\n}\n\n// Close it is called when the transfer is completed.\n// It closes the underlying file, logs the transfer info, updates the user quota (for uploads)\n// and executes any defined action.\n// If there is an error no action will be executed and, in atomic mode, we try to delete\n// the temporary file\nfunc (t *transfer) Close() error {\n\tif err := t.setFinished(); err != nil {\n\t\treturn err\n\t}\n\terr := t.closeIO()\n\terrBaseClose := t.BaseTransfer.Close()\n\tif errBaseClose != nil {\n\t\terr = errBaseClose\n\t}\n\treturn t.Connection.GetFsError(t.Fs, err)\n}\n\nfunc (t *transfer) closeIO() error {\n\tvar err error\n\tif t.File != nil {\n\t\terr = t.File.Close()\n\t} else if t.writerAt != nil {\n\t\terr = t.writerAt.Close()\n\t\tt.Lock()\n\t\t// we set ErrTransfer here so quota is not updated, in this case the uploads are atomic\n\t\tif err != nil && t.ErrTransfer == nil {\n\t\t\tt.ErrTransfer = err\n\t\t}\n\t\tt.Unlock()\n\t} else if t.readerAt != nil {\n\t\terr = t.readerAt.Close()\n\t\tif metadater, ok := t.readerAt.(vfs.Metadater); ok {\n\t\t\tt.SetMetadata(metadater.Metadata())\n\t\t}\n\t}\n\treturn err\n}\n\nfunc (t *transfer) setFinished() error {\n\tt.Lock()\n\tdefer t.Unlock()\n\tif t.isFinished {\n\t\treturn common.ErrTransferClosed\n\t}\n\tt.isFinished = true\n\treturn nil\n}\n" }, { "path": "internal/smtp/oauth2.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n// Package smtp provides supports for sending emails\npackage smtp\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"slices\"\n\t\"sync\"\n\t\"time\"\n\n\t\"golang.org/x/oauth2\"\n\t\"golang.org/x/oauth2/google\"\n\t\"golang.org/x/oauth2/microsoft\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n)\n\n// Supported OAuth2 providers\nconst (\n\tOAuth2ProviderGoogle = iota\n\tOAuth2ProviderMicrosoft\n)\n\nvar supportedOAuth2Providers = []int{OAuth2ProviderGoogle, OAuth2ProviderMicrosoft}\n\n// OAuth2Config defines OAuth2 settings\ntype OAuth2Config struct {\n\tProvider int `json:\"provider\" mapstructure:\"provider\"`\n\t// Tenant for Microsoft provider, if empty \"common\" is used\n\tTenant string `json:\"tenant\" mapstructure:\"tenant\"`\n\t// ClientID is the application's ID\n\tClientID string `json:\"client_id\" mapstructure:\"client_id\"`\n\t// ClientSecret is the application's secret\n\tClientSecret string `json:\"client_secret\" mapstructure:\"client_secret\"`\n\t// Token to use to get/renew access tokens\n\tRefreshToken string `json:\"refresh_token\" mapstructure:\"refresh_token\"`\n\tmu *sync.RWMutex\n\tconfig *oauth2.Config\n\taccessToken *oauth2.Token\n}\n\n// Validate validates and initializes the configuration\nfunc (c *OAuth2Config) Validate() error {\n\tif !slices.Contains(supportedOAuth2Providers, c.Provider) {\n\t\treturn fmt.Errorf(\"smtp oauth2: unsupported provider %d\", c.Provider)\n\t}\n\tif c.ClientID == \"\" {\n\t\treturn errors.New(\"smtp oauth2: client id is required\")\n\t}\n\tif c.ClientSecret == \"\" {\n\t\treturn errors.New(\"smtp oauth2: client secret is required\")\n\t}\n\tif c.RefreshToken == \"\" {\n\t\treturn errors.New(\"smtp oauth2: refresh token is required\")\n\t}\n\tc.initialize()\n\treturn nil\n}\n\nfunc (c *OAuth2Config) isEqual(other *OAuth2Config) bool {\n\tif c.Provider != other.Provider {\n\t\treturn false\n\t}\n\tif c.Tenant != other.Tenant {\n\t\treturn false\n\t}\n\tif c.ClientID != other.ClientID {\n\t\treturn false\n\t}\n\tif c.ClientSecret != other.ClientSecret {\n\t\treturn false\n\t}\n\tif c.RefreshToken != other.RefreshToken {\n\t\treturn false\n\t}\n\treturn true\n}\n\nfunc (c *OAuth2Config) getAccessToken() (string, error) {\n\tc.mu.RLock()\n\tif c.accessToken.Expiry.After(time.Now().Add(30 * time.Second)) {\n\t\taccessToken := c.accessToken.AccessToken\n\t\tc.mu.RUnlock()\n\n\t\treturn accessToken, nil\n\t}\n\tlogger.Debug(logSender, \"\", \"renew oauth2 token required, current token expires at %s\", c.accessToken.Expiry)\n\ttoken := new(oauth2.Token)\n\t*token = *c.accessToken\n\tc.mu.RUnlock()\n\n\tctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)\n\tdefer cancel()\n\n\tnewToken, err := c.config.TokenSource(ctx, token).Token()\n\tif err != nil {\n\t\tlogger.Error(logSender, \"\", \"unable to get new token: %v\", err)\n\t\treturn \"\", err\n\t}\n\taccessToken := newToken.AccessToken\n\trefreshToken := newToken.RefreshToken\n\tif refreshToken != \"\" && refreshToken != token.RefreshToken {\n\t\tc.mu.Lock()\n\t\tc.RefreshToken = refreshToken\n\t\tc.accessToken = newToken\n\t\tc.mu.Unlock()\n\n\t\tlogger.Debug(logSender, \"\", \"oauth2 refresh token changed\")\n\t\tgo updateRefreshToken(refreshToken)\n\t}\n\tif accessToken != token.AccessToken {\n\t\tc.mu.Lock()\n\t\tc.accessToken = newToken\n\t\tc.mu.Unlock()\n\n\t\tlogger.Debug(logSender, \"\", \"new oauth2 token saved, expires at %s\", c.accessToken.Expiry)\n\t}\n\treturn accessToken, nil\n}\n\nfunc (c *OAuth2Config) initialize() {\n\tc.mu = new(sync.RWMutex)\n\tc.config = c.GetOAuth2()\n\tc.accessToken = &oauth2.Token{\n\t\tTokenType: \"Bearer\",\n\t\tRefreshToken: c.RefreshToken,\n\t}\n}\n\n// GetOAuth2 returns the oauth2 configuration for the provided parameters.\nfunc (c *OAuth2Config) GetOAuth2() *oauth2.Config {\n\tvar endpoint oauth2.Endpoint\n\tvar scopes []string\n\n\tswitch c.Provider {\n\tcase OAuth2ProviderMicrosoft:\n\t\tendpoint = microsoft.AzureADEndpoint(c.Tenant)\n\t\tscopes = []string{\"offline_access\", \"https://outlook.office.com/SMTP.Send\"}\n\tdefault:\n\t\tendpoint = google.Endpoint\n\t\tscopes = []string{\"https://mail.google.com/\"}\n\t}\n\n\treturn &oauth2.Config{\n\t\tClientID: c.ClientID,\n\t\tClientSecret: c.ClientSecret,\n\t\tScopes: scopes,\n\t\tEndpoint: endpoint,\n\t}\n}\n" }, { "path": "internal/smtp/smtp.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n// Package smtp provides supports for sending emails\npackage smtp\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"html/template\"\n\t\"path/filepath\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/rs/xid\"\n\t\"github.com/wneessen/go-mail\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n)\n\nconst (\n\tlogSender = \"smtp\"\n)\n\n// EmailContentType defines the support content types for email body\ntype EmailContentType int\n\n// Supported email body content type\nconst (\n\tEmailContentTypeTextPlain EmailContentType = iota\n\tEmailContentTypeTextHTML\n)\n\nconst (\n\ttemplateEmailDir = \"email\"\n\ttemplatePasswordReset = \"reset-password.html\"\n\ttemplatePasswordExpiration = \"password-expiration.html\"\n\tdialTimeout = 10 * time.Second\n)\n\nvar (\n\tconfig = &activeConfig{}\n\tinitialConfig *Config\n\temailTemplates = make(map[string]*template.Template)\n)\n\ntype activeConfig struct {\n\tsync.RWMutex\n\tconfig *Config\n}\n\nfunc (c *activeConfig) isEnabled() bool {\n\tc.RLock()\n\tdefer c.RUnlock()\n\n\treturn c.config != nil && c.config.Host != \"\"\n}\n\nfunc (c *activeConfig) Set(cfg *dataprovider.SMTPConfigs) {\n\tvar config *Config\n\tif cfg != nil {\n\t\tconfig = &Config{\n\t\t\tHost: cfg.Host,\n\t\t\tPort: cfg.Port,\n\t\t\tFrom: cfg.From,\n\t\t\tUser: cfg.User,\n\t\t\tPassword: cfg.Password.GetPayload(),\n\t\t\tAuthType: cfg.AuthType,\n\t\t\tEncryption: cfg.Encryption,\n\t\t\tDomain: cfg.Domain,\n\t\t\tDebug: cfg.Debug,\n\t\t\tOAuth2: OAuth2Config{\n\t\t\t\tProvider: cfg.OAuth2.Provider,\n\t\t\t\tTenant: cfg.OAuth2.Tenant,\n\t\t\t\tClientID: cfg.OAuth2.ClientID,\n\t\t\t\tClientSecret: cfg.OAuth2.ClientSecret.GetPayload(),\n\t\t\t\tRefreshToken: cfg.OAuth2.RefreshToken.GetPayload(),\n\t\t\t},\n\t\t}\n\t\tconfig.OAuth2.initialize()\n\t}\n\n\tc.Lock()\n\tdefer c.Unlock()\n\n\tif config != nil && config.Host != \"\" {\n\t\tif c.config != nil && c.config.isEqual(config) {\n\t\t\treturn\n\t\t}\n\t\tc.config = config\n\t\tlogger.Info(logSender, \"\", \"activated new config, server %s:%d\", c.config.Host, c.config.Port)\n\t} else {\n\t\tlogger.Debug(logSender, \"\", \"activating initial config\")\n\t\tc.config = initialConfig\n\t\tif c.config == nil || c.config.Host == \"\" {\n\t\t\tlogger.Debug(logSender, \"\", \"configuration disabled, email capabilities will not be available\")\n\t\t}\n\t}\n}\n\nfunc (c *activeConfig) getSMTPClientAndMsg(to, bcc []string, subject, body string, contentType EmailContentType,\n\tattachments ...*mail.File,\n) (*mail.Client, *mail.Msg, error) {\n\tc.RLock()\n\tdefer c.RUnlock()\n\n\tif c.config == nil || c.config.Host == \"\" {\n\t\treturn nil, nil, errors.New(\"smtp: not configured\")\n\t}\n\n\treturn c.config.getSMTPClientAndMsg(to, bcc, subject, body, contentType, attachments...)\n}\n\nfunc (c *activeConfig) sendEmail(to, bcc []string, subject, body string, contentType EmailContentType, attachments ...*mail.File) error {\n\tclient, msg, err := c.getSMTPClientAndMsg(to, bcc, subject, body, contentType, attachments...)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tctx, cancelFn := context.WithTimeout(context.Background(), dialTimeout)\n\tdefer cancelFn()\n\n\treturn client.DialAndSendWithContext(ctx, msg)\n}\n\n// IsEnabled returns true if an SMTP server is configured\nfunc IsEnabled() bool {\n\treturn config.isEnabled()\n}\n\n// Activate sets the specified config as active\nfunc Activate(c *dataprovider.SMTPConfigs) {\n\tconfig.Set(c)\n}\n\n// Config defines the SMTP configuration to use to send emails\ntype Config struct {\n\t// Location of SMTP email server. Leavy empty to disable email sending capabilities\n\tHost string `json:\"host\" mapstructure:\"host\"`\n\t// Port of SMTP email server\n\tPort int `json:\"port\" mapstructure:\"port\"`\n\t// From address, for example \"SFTPGo \".\n\t// Many SMTP servers reject emails without a `From` header so, if not set,\n\t// SFTPGo will try to use the username as fallback, this may or may not be appropriate\n\tFrom string `json:\"from\" mapstructure:\"from\"`\n\t// SMTP username\n\tUser string `json:\"user\" mapstructure:\"user\"`\n\t// SMTP password. Leaving both username and password empty the SMTP authentication\n\t// will be disabled\n\tPassword string `json:\"password\" mapstructure:\"password\"`\n\t// 0 Plain\n\t// 1 Login\n\t// 2 CRAM-MD5\n\t// 3 OAuth2\n\tAuthType int `json:\"auth_type\" mapstructure:\"auth_type\"`\n\t// 0 no encryption\n\t// 1 TLS\n\t// 2 start TLS\n\tEncryption int `json:\"encryption\" mapstructure:\"encryption\"`\n\t// Domain to use for HELO command, if empty localhost will be used\n\tDomain string `json:\"domain\" mapstructure:\"domain\"`\n\t// Path to the email templates. This can be an absolute path or a path relative to the config dir.\n\t// Templates are searched within a subdirectory named \"email\" in the specified path\n\tTemplatesPath string `json:\"templates_path\" mapstructure:\"templates_path\"`\n\t// Set to 1 to enable debug logs\n\tDebug int `json:\"debug\" mapstructure:\"debug\"`\n\t// OAuth2 related settings\n\tOAuth2 OAuth2Config `json:\"oauth2\" mapstructure:\"oauth2\"`\n}\n\nfunc (c *Config) isEqual(other *Config) bool {\n\tif c.Host != other.Host {\n\t\treturn false\n\t}\n\tif c.Port != other.Port {\n\t\treturn false\n\t}\n\tif c.From != other.From {\n\t\treturn false\n\t}\n\tif c.User != other.User {\n\t\treturn false\n\t}\n\tif c.Password != other.Password {\n\t\treturn false\n\t}\n\tif c.AuthType != other.AuthType {\n\t\treturn false\n\t}\n\tif c.Encryption != other.Encryption {\n\t\treturn false\n\t}\n\tif c.Domain != other.Domain {\n\t\treturn false\n\t}\n\tif c.Debug != other.Debug {\n\t\treturn false\n\t}\n\treturn c.OAuth2.isEqual(&other.OAuth2)\n}\n\nfunc (c *Config) validate() error {\n\tif c.Port <= 0 || c.Port > 65535 {\n\t\treturn fmt.Errorf(\"smtp: invalid port %d\", c.Port)\n\t}\n\tif c.AuthType < 0 || c.AuthType > 3 {\n\t\treturn fmt.Errorf(\"smtp: invalid auth type %d\", c.AuthType)\n\t}\n\tif c.Encryption < 0 || c.Encryption > 2 {\n\t\treturn fmt.Errorf(\"smtp: invalid encryption %d\", c.Encryption)\n\t}\n\tif c.From == \"\" && c.User == \"\" {\n\t\treturn errors.New(`smtp: from address and user cannot both be empty`)\n\t}\n\tif c.AuthType == 3 {\n\t\treturn c.OAuth2.Validate()\n\t}\n\treturn nil\n}\n\nfunc (c *Config) loadTemplates(configDir string) error {\n\tif c.TemplatesPath == \"\" {\n\t\tlogger.Debug(logSender, \"\", \"templates path empty, using default\")\n\t\tc.TemplatesPath = \"templates\"\n\t}\n\ttemplatesPath := util.FindSharedDataPath(c.TemplatesPath, configDir)\n\tif templatesPath == \"\" {\n\t\treturn fmt.Errorf(\"smtp: invalid templates path %q\", templatesPath)\n\t}\n\tloadTemplates(filepath.Join(templatesPath, templateEmailDir))\n\treturn nil\n}\n\n// Initialize initializes and validates the SMTP configuration\nfunc (c *Config) Initialize(configDir string, isService bool) error {\n\tif !isService && c.Host == \"\" {\n\t\tif err := loadConfigFromProvider(); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif !config.isEnabled() {\n\t\t\treturn nil\n\t\t}\n\t\t// If not running as a service, templates will only be loaded if required.\n\t\treturn c.loadTemplates(configDir)\n\t}\n\t// In service mode SMTP can be enabled from the WebAdmin at runtime so we\n\t// always load templates.\n\tif err := c.loadTemplates(configDir); err != nil {\n\t\treturn err\n\t}\n\tif c.Host == \"\" {\n\t\treturn loadConfigFromProvider()\n\t}\n\tif err := c.validate(); err != nil {\n\t\treturn err\n\t}\n\tinitialConfig = c\n\tconfig.Set(nil)\n\tlogger.Debug(logSender, \"\", \"configuration successfully initialized, host: %q, port: %d, username: %q, auth: %d, encryption: %d, helo: %q\",\n\t\tc.Host, c.Port, c.User, c.AuthType, c.Encryption, c.Domain)\n\treturn loadConfigFromProvider()\n}\n\nfunc (c *Config) getMailClientOptions() []mail.Option {\n\toptions := []mail.Option{mail.WithPort(c.Port), mail.WithoutNoop()}\n\n\tswitch c.Encryption {\n\tcase 1:\n\t\toptions = append(options, mail.WithSSL())\n\tcase 2:\n\t\toptions = append(options, mail.WithTLSPolicy(mail.TLSMandatory))\n\tdefault:\n\t\toptions = append(options, mail.WithTLSPolicy(mail.NoTLS))\n\t}\n\tif c.User != \"\" {\n\t\toptions = append(options, mail.WithUsername(c.User))\n\t}\n\tif c.Password != \"\" {\n\t\toptions = append(options, mail.WithPassword(c.Password))\n\t}\n\tif c.User != \"\" || c.Password != \"\" {\n\t\tswitch c.AuthType {\n\t\tcase 1:\n\t\t\toptions = append(options, mail.WithSMTPAuth(mail.SMTPAuthLogin))\n\t\tcase 2:\n\t\t\toptions = append(options, mail.WithSMTPAuth(mail.SMTPAuthCramMD5))\n\t\tcase 3:\n\t\t\toptions = append(options, mail.WithSMTPAuth(mail.SMTPAuthXOAUTH2))\n\t\tdefault:\n\t\t\toptions = append(options, mail.WithSMTPAuth(mail.SMTPAuthPlain))\n\t\t}\n\t}\n\tif c.Domain != \"\" {\n\t\toptions = append(options, mail.WithHELO(c.Domain))\n\t}\n\tif c.Debug > 0 {\n\t\toptions = append(options,\n\t\t\tmail.WithLogger(&logger.MailAdapter{\n\t\t\t\tConnectionID: xid.New().String(),\n\t\t\t}),\n\t\t\tmail.WithDebugLog())\n\t}\n\treturn options\n}\n\nfunc (c *Config) getSMTPClientAndMsg(to, bcc []string, subject, body string, contentType EmailContentType,\n\tattachments ...*mail.File) (*mail.Client, *mail.Msg, error) {\n\tmsg := mail.NewMsg()\n\tmsg.SetUserAgent(version.GetServerVersion(\" \", false))\n\n\tvar from string\n\tif c.From != \"\" {\n\t\tfrom = c.From\n\t} else {\n\t\tfrom = c.User\n\t}\n\tif err := msg.From(from); err != nil {\n\t\treturn nil, nil, fmt.Errorf(\"invalid from address: %w\", err)\n\t}\n\tif err := msg.To(to...); err != nil {\n\t\treturn nil, nil, err\n\t}\n\tif len(bcc) > 0 {\n\t\tif err := msg.Bcc(bcc...); err != nil {\n\t\t\treturn nil, nil, err\n\t\t}\n\t}\n\tmsg.Subject(subject)\n\tmsg.SetDate()\n\tmsg.SetMessageID()\n\tmsg.SetAttachments(attachments)\n\n\tswitch contentType {\n\tcase EmailContentTypeTextPlain:\n\t\tmsg.SetBodyString(mail.TypeTextPlain, body)\n\tcase EmailContentTypeTextHTML:\n\t\tmsg.SetBodyString(mail.TypeTextHTML, body)\n\tdefault:\n\t\treturn nil, nil, fmt.Errorf(\"smtp: unsupported body content type %v\", contentType)\n\t}\n\n\tclient, err := mail.NewClient(c.Host, c.getMailClientOptions()...)\n\tif err != nil {\n\t\treturn nil, nil, fmt.Errorf(\"unable to create mail client: %w\", err)\n\t}\n\tif c.AuthType == 3 {\n\t\ttoken, err := c.OAuth2.getAccessToken()\n\t\tif err != nil {\n\t\t\treturn nil, nil, fmt.Errorf(\"unable to get oauth2 access token: %w\", err)\n\t\t}\n\t\tclient.SetPassword(token)\n\t}\n\treturn client, msg, nil\n}\n\n// SendEmail tries to send an email using the specified parameters\nfunc (c *Config) SendEmail(to, bcc []string, subject, body string, contentType EmailContentType, attachments ...*mail.File) error {\n\tclient, msg, err := c.getSMTPClientAndMsg(to, bcc, subject, body, contentType, attachments...)\n\tif err != nil {\n\t\treturn err\n\t}\n\tctx, cancelFn := context.WithTimeout(context.Background(), dialTimeout)\n\tdefer cancelFn()\n\n\treturn client.DialAndSendWithContext(ctx, msg)\n}\n\nfunc loadTemplates(templatesPath string) {\n\tlogger.Debug(logSender, \"\", \"loading templates from %q\", templatesPath)\n\n\tpasswordResetPath := filepath.Join(templatesPath, templatePasswordReset)\n\tpwdResetTmpl := util.LoadTemplate(nil, passwordResetPath)\n\tpasswordExpirationPath := filepath.Join(templatesPath, templatePasswordExpiration)\n\tpwdExpirationTmpl := util.LoadTemplate(nil, passwordExpirationPath)\n\n\temailTemplates[templatePasswordReset] = pwdResetTmpl\n\temailTemplates[templatePasswordExpiration] = pwdExpirationTmpl\n}\n\n// RenderPasswordResetTemplate executes the password reset template\nfunc RenderPasswordResetTemplate(buf *bytes.Buffer, data any) error {\n\tif !IsEnabled() {\n\t\treturn errors.New(\"smtp: not configured\")\n\t}\n\treturn emailTemplates[templatePasswordReset].Execute(buf, data)\n}\n\n// RenderPasswordExpirationTemplate executes the password expiration template\nfunc RenderPasswordExpirationTemplate(buf *bytes.Buffer, data any) error {\n\tif !IsEnabled() {\n\t\treturn errors.New(\"smtp: not configured\")\n\t}\n\treturn emailTemplates[templatePasswordExpiration].Execute(buf, data)\n}\n\n// SendEmail tries to send an email using the specified parameters.\nfunc SendEmail(to, bcc []string, subject, body string, contentType EmailContentType, attachments ...*mail.File) error {\n\treturn config.sendEmail(to, bcc, subject, body, contentType, attachments...)\n}\n\nfunc loadConfigFromProvider() error {\n\tconfigs, err := dataprovider.GetConfigs()\n\tif err != nil {\n\t\tlogger.Error(logSender, \"\", \"unable to load config from provider: %v\", err)\n\t\treturn fmt.Errorf(\"smtp: unable to load config from provider: %w\", err)\n\t}\n\tconfigs.SetNilsToEmpty()\n\tif err := configs.SMTP.TryDecrypt(); err != nil {\n\t\tlogger.Error(logSender, \"\", \"unable to decrypt smtp config: %v\", err)\n\t\treturn fmt.Errorf(\"smtp: unable to decrypt smtp config: %w\", err)\n\t}\n\tconfig.Set(configs.SMTP)\n\treturn nil\n}\n\nfunc updateRefreshToken(token string) {\n\tconfigs, err := dataprovider.GetConfigs()\n\tif err != nil {\n\t\tlogger.Error(logSender, \"\", \"unable to load config from provider, updating refresh token not possible: %v\", err)\n\t\treturn\n\t}\n\tconfigs.SetNilsToEmpty()\n\tif configs.SMTP.IsEmpty() {\n\t\tlogger.Warn(logSender, \"\", \"unable to update refresh token, smtp not configured in the data provider\")\n\t\treturn\n\t}\n\tconfigs.SMTP.OAuth2.RefreshToken = kms.NewPlainSecret(token)\n\tif err := dataprovider.UpdateConfigs(&configs, dataprovider.ActionExecutorSystem, \"\", \"\"); err != nil {\n\t\tlogger.Error(logSender, \"\", \"unable to save new refresh token: %v\", err)\n\t\treturn\n\t}\n\tlogger.Info(logSender, \"\", \"refresh token updated\")\n}\n" }, { "path": "internal/telemetry/router.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage telemetry\n\nimport (\n\t\"net/http\"\n\n\t\"github.com/go-chi/chi/v5\"\n\t\"github.com/go-chi/chi/v5/middleware\"\n\t\"github.com/go-chi/render\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/metric\"\n)\n\nfunc initializeRouter(enableProfiler bool) {\n\trouter = chi.NewRouter()\n\n\trouter.Use(middleware.GetHead)\n\trouter.Use(logger.NewStructuredLogger(logger.GetLogger()))\n\trouter.Use(middleware.Recoverer)\n\n\trouter.Group(func(r chi.Router) {\n\t\tr.Get(\"/healthz\", func(w http.ResponseWriter, r *http.Request) {\n\t\t\trender.PlainText(w, r, \"ok\")\n\t\t})\n\t})\n\n\trouter.Group(func(router chi.Router) {\n\t\trouter.Use(checkAuth)\n\t\tmetric.AddMetricsEndpoint(metricsPath, router)\n\n\t\tif enableProfiler {\n\t\t\tlogger.InfoToConsole(\"enabling the built-in profiler\")\n\t\t\tlogger.Info(logSender, \"\", \"enabling the built-in profiler\")\n\t\t\trouter.Mount(pprofBasePath, middleware.Profiler())\n\t\t}\n\t})\n}\n\nfunc checkAuth(next http.Handler) http.Handler {\n\treturn http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tif !validateCredentials(r) {\n\t\t\tw.Header().Set(common.HTTPAuthenticationHeader, \"Basic realm=\\\"SFTPGo telemetry\\\"\")\n\t\t\thttp.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)\n\t\t\treturn\n\t\t}\n\t\tnext.ServeHTTP(w, r)\n\t})\n}\n\nfunc validateCredentials(r *http.Request) bool {\n\tif !httpAuth.IsEnabled() {\n\t\treturn true\n\t}\n\tusername, password, ok := r.BasicAuth()\n\tif !ok {\n\t\treturn false\n\t}\n\treturn httpAuth.ValidateCredentials(username, password)\n}\n" }, { "path": "internal/telemetry/telemetry.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n// Package telemetry provides telemetry information for SFTPGo, such as:\n// - health information (for health checks)\n// - metrics\n// - profiling information\npackage telemetry\n\nimport (\n\t\"crypto/tls\"\n\t\"log\"\n\t\"net/http\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"time\"\n\n\t\"github.com/go-chi/chi/v5\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nconst (\n\tlogSender = \"telemetry\"\n\tmetricsPath = \"/metrics\"\n\tpprofBasePath = \"/debug\"\n)\n\nvar (\n\trouter *chi.Mux\n\thttpAuth common.HTTPAuthProvider\n\tcertMgr *common.CertManager\n)\n\n// Conf telemetry server configuration.\ntype Conf struct {\n\t// The port used for serving HTTP requests. 0 disable the HTTP server. Default: 0\n\tBindPort int `json:\"bind_port\" mapstructure:\"bind_port\"`\n\t// The address to listen on. A blank value means listen on all available network interfaces. Default: \"127.0.0.1\"\n\tBindAddress string `json:\"bind_address\" mapstructure:\"bind_address\"`\n\t// Enable the built-in profiler.\n\t// The profiler will be accessible via HTTP/HTTPS using the base URL \"/debug/pprof/\"\n\tEnableProfiler bool `json:\"enable_profiler\" mapstructure:\"enable_profiler\"`\n\t// Path to a file used to store usernames and password for basic authentication.\n\t// This can be an absolute path or a path relative to the config dir.\n\t// We support HTTP basic authentication and the file format must conform to the one generated using the Apache\n\t// htpasswd tool. The supported password formats are bcrypt ($2y$ prefix) and md5 crypt ($apr1$ prefix).\n\t// If empty HTTP authentication is disabled\n\tAuthUserFile string `json:\"auth_user_file\" mapstructure:\"auth_user_file\"`\n\t// If files containing a certificate and matching private key for the server are provided the server will expect\n\t// HTTPS connections.\n\t// Certificate and key files can be reloaded on demand sending a \"SIGHUP\" signal on Unix based systems and a\n\t// \"paramchange\" request to the running service on Windows.\n\tCertificateFile string `json:\"certificate_file\" mapstructure:\"certificate_file\"`\n\tCertificateKeyFile string `json:\"certificate_key_file\" mapstructure:\"certificate_key_file\"`\n\t// TLSCipherSuites is a list of supported cipher suites for TLS version 1.2.\n\t// If CipherSuites is nil/empty, a default list of secure cipher suites\n\t// is used, with a preference order based on hardware performance.\n\t// Note that TLS 1.3 ciphersuites are not configurable.\n\t// The supported ciphersuites names are defined here:\n\t//\n\t// https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L53\n\t//\n\t// any invalid name will be silently ignored.\n\t// The order matters, the ciphers listed first will be the preferred ones.\n\tTLSCipherSuites []string `json:\"tls_cipher_suites\" mapstructure:\"tls_cipher_suites\"`\n\t// Defines the minimum TLS version. 13 means TLS 1.3, default is TLS 1.2\n\tMinTLSVersion int `json:\"min_tls_version\" mapstructure:\"min_tls_version\"`\n\t// HTTP protocols to enable in preference order. Supported values: http/1.1, h2\n\tProtocols []string `json:\"tls_protocols\" mapstructure:\"tls_protocols\"`\n}\n\n// ShouldBind returns true if there service must be started\nfunc (c Conf) ShouldBind() bool {\n\tif c.BindPort > 0 {\n\t\treturn true\n\t}\n\tif filepath.IsAbs(c.BindAddress) && runtime.GOOS != \"windows\" {\n\t\treturn true\n\t}\n\treturn false\n}\n\n// Initialize configures and starts the telemetry server.\nfunc (c Conf) Initialize(configDir string) error {\n\tvar err error\n\tlogger.Info(logSender, \"\", \"initializing telemetry server with config %+v\", c)\n\tauthUserFile := getConfigPath(c.AuthUserFile, configDir)\n\thttpAuth, err = common.NewBasicAuthProvider(authUserFile)\n\tif err != nil {\n\t\treturn err\n\t}\n\tcertificateFile := getConfigPath(c.CertificateFile, configDir)\n\tcertificateKeyFile := getConfigPath(c.CertificateKeyFile, configDir)\n\tinitializeRouter(c.EnableProfiler)\n\thttpServer := &http.Server{\n\t\tHandler: router,\n\t\tReadHeaderTimeout: 30 * time.Second,\n\t\tReadTimeout: 60 * time.Second,\n\t\tWriteTimeout: 60 * time.Second,\n\t\tIdleTimeout: 60 * time.Second,\n\t\tMaxHeaderBytes: 1 << 14, // 16KB\n\t\tErrorLog: log.New(&logger.StdLoggerWrapper{Sender: logSender}, \"\", 0),\n\t}\n\tif certificateFile != \"\" && certificateKeyFile != \"\" {\n\t\tkeyPairs := []common.TLSKeyPair{\n\t\t\t{\n\t\t\t\tCert: certificateFile,\n\t\t\t\tKey: certificateKeyFile,\n\t\t\t\tID: common.DefaultTLSKeyPaidID,\n\t\t\t},\n\t\t}\n\t\tcertMgr, err = common.NewCertManager(keyPairs, configDir, logSender)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tconfig := &tls.Config{\n\t\t\tGetCertificate: certMgr.GetCertificateFunc(common.DefaultTLSKeyPaidID),\n\t\t\tMinVersion: util.GetTLSVersion(c.MinTLSVersion),\n\t\t\tNextProtos: util.GetALPNProtocols(c.Protocols),\n\t\t\tCipherSuites: util.GetTLSCiphersFromNames(c.TLSCipherSuites),\n\t\t}\n\t\tlogger.Debug(logSender, \"\", \"configured TLS cipher suites: %v\", config.CipherSuites)\n\t\thttpServer.TLSConfig = config\n\t\treturn util.HTTPListenAndServe(httpServer, c.BindAddress, c.BindPort, true, nil, logSender)\n\t}\n\treturn util.HTTPListenAndServe(httpServer, c.BindAddress, c.BindPort, false, nil, logSender)\n}\n\n// ReloadCertificateMgr reloads the certificate manager\nfunc ReloadCertificateMgr() error {\n\tif certMgr != nil {\n\t\treturn certMgr.Reload()\n\t}\n\treturn nil\n}\n\nfunc getConfigPath(name, configDir string) string {\n\tif !util.IsFileInputValid(name) {\n\t\treturn \"\"\n\t}\n\tif name != \"\" && !filepath.IsAbs(name) {\n\t\treturn filepath.Join(configDir, name)\n\t}\n\treturn name\n}\n" }, { "path": "internal/telemetry/telemetry_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage telemetry\n\nimport (\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"testing\"\n\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n)\n\nconst (\n\thttpsCert = `-----BEGIN CERTIFICATE-----\nMIICHTCCAaKgAwIBAgIUHnqw7QnB1Bj9oUsNpdb+ZkFPOxMwCgYIKoZIzj0EAwIw\nRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu\ndGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDAyMDQwOTUzMDRaFw0zMDAyMDEw\nOTUzMDRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYD\nVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwdjAQBgcqhkjOPQIBBgUrgQQA\nIgNiAARCjRMqJ85rzMC998X5z761nJ+xL3bkmGVqWvrJ51t5OxV0v25NsOgR82CA\nNXUgvhVYs7vNFN+jxtb2aj6Xg+/2G/BNxkaFspIVCzgWkxiz7XE4lgUwX44FCXZM\n3+JeUbKjUzBRMB0GA1UdDgQWBBRhLw+/o3+Z02MI/d4tmaMui9W16jAfBgNVHSME\nGDAWgBRhLw+/o3+Z02MI/d4tmaMui9W16jAPBgNVHRMBAf8EBTADAQH/MAoGCCqG\nSM49BAMCA2kAMGYCMQDqLt2lm8mE+tGgtjDmtFgdOcI72HSbRQ74D5rYTzgST1rY\n/8wTi5xl8TiFUyLMUsICMQC5ViVxdXbhuG7gX6yEqSkMKZICHpO8hqFwOD/uaFVI\ndV4vKmHUzwK/eIx+8Ay3neE=\n-----END CERTIFICATE-----`\n\thttpsKey = `-----BEGIN EC PARAMETERS-----\nBgUrgQQAIg==\n-----END EC PARAMETERS-----\n-----BEGIN EC PRIVATE KEY-----\nMIGkAgEBBDCfMNsN6miEE3rVyUPwElfiJSWaR5huPCzUenZOfJT04GAcQdWvEju3\nUM2lmBLIXpGgBwYFK4EEACKhZANiAARCjRMqJ85rzMC998X5z761nJ+xL3bkmGVq\nWvrJ51t5OxV0v25NsOgR82CANXUgvhVYs7vNFN+jxtb2aj6Xg+/2G/BNxkaFspIV\nCzgWkxiz7XE4lgUwX44FCXZM3+JeUbI=\n-----END EC PRIVATE KEY-----`\n)\n\nfunc TestInitialization(t *testing.T) {\n\tconfigDir := filepath.Join(\".\", \"..\", \"..\")\n\tproviderConf := dataprovider.Config{\n\t\tDriver: dataprovider.MemoryDataProviderName,\n\t\tBackupsPath: \"backups\",\n\t}\n\terr := dataprovider.Initialize(providerConf, configDir, false)\n\trequire.NoError(t, err)\n\tcommonConfig := common.Configuration{}\n\terr = common.Initialize(commonConfig, 0)\n\trequire.NoError(t, err)\n\tc := Conf{\n\t\tBindPort: 10000,\n\t\tBindAddress: \"invalid address\",\n\t\tEnableProfiler: false,\n\t}\n\terr = c.Initialize(configDir)\n\trequire.Error(t, err)\n\n\tc.AuthUserFile = \"missing\"\n\terr = c.Initialize(\".\")\n\trequire.Error(t, err)\n\n\terr = ReloadCertificateMgr()\n\trequire.NoError(t, err)\n\n\tc.AuthUserFile = \"\"\n\tc.CertificateFile = \"crt\"\n\tc.CertificateKeyFile = \"key\"\n\n\terr = c.Initialize(\".\")\n\trequire.Error(t, err)\n\n\tcertPath := filepath.Join(os.TempDir(), \"test.crt\")\n\tkeyPath := filepath.Join(os.TempDir(), \"test.key\")\n\terr = os.WriteFile(certPath, []byte(httpsCert), os.ModePerm)\n\trequire.NoError(t, err)\n\terr = os.WriteFile(keyPath, []byte(httpsKey), os.ModePerm)\n\trequire.NoError(t, err)\n\n\tc.CertificateFile = certPath\n\tc.CertificateKeyFile = keyPath\n\n\terr = c.Initialize(\".\")\n\trequire.Error(t, err)\n\n\terr = ReloadCertificateMgr()\n\trequire.NoError(t, err)\n\n\terr = os.Remove(certPath)\n\trequire.NoError(t, err)\n\terr = os.Remove(keyPath)\n\trequire.NoError(t, err)\n}\n\nfunc TestShouldBind(t *testing.T) {\n\tc := Conf{\n\t\tBindPort: 10000,\n\t\tEnableProfiler: false,\n\t}\n\trequire.True(t, c.ShouldBind())\n\n\tc.BindPort = 0\n\trequire.False(t, c.ShouldBind())\n\n\tif runtime.GOOS != \"windows\" {\n\t\tc.BindAddress = \"/absolute/path\"\n\t\trequire.True(t, c.ShouldBind())\n\t}\n}\n\nfunc TestRouter(t *testing.T) {\n\tauthUserFile := filepath.Join(os.TempDir(), \"http_users.txt\")\n\tauthUserData := []byte(\"test1:$2y$05$bcHSED7aO1cfLto6ZdDBOOKzlwftslVhtpIkRhAtSa4GuLmk5mola\\n\")\n\terr := os.WriteFile(authUserFile, authUserData, os.ModePerm)\n\trequire.NoError(t, err)\n\n\thttpAuth, err = common.NewBasicAuthProvider(authUserFile)\n\trequire.NoError(t, err)\n\n\tinitializeRouter(true)\n\ttestServer := httptest.NewServer(router)\n\tdefer testServer.Close()\n\n\treq, err := http.NewRequest(http.MethodGet, \"/healthz\", nil)\n\trequire.NoError(t, err)\n\trr := httptest.NewRecorder()\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\trequire.Equal(t, http.StatusOK, rr.Code)\n\trequire.Equal(t, \"ok\", rr.Body.String())\n\n\treq, err = http.NewRequest(http.MethodGet, \"/metrics\", nil)\n\trequire.NoError(t, err)\n\trr = httptest.NewRecorder()\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\trequire.Equal(t, http.StatusUnauthorized, rr.Code)\n\n\treq.SetBasicAuth(\"test1\", \"password1\")\n\trr = httptest.NewRecorder()\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\trequire.Equal(t, http.StatusOK, rr.Code)\n\n\treq, err = http.NewRequest(http.MethodGet, pprofBasePath+\"/pprof/\", nil)\n\trequire.NoError(t, err)\n\trr = httptest.NewRecorder()\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\trequire.Equal(t, http.StatusUnauthorized, rr.Code)\n\n\treq.SetBasicAuth(\"test1\", \"password1\")\n\trr = httptest.NewRecorder()\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\trequire.Equal(t, http.StatusOK, rr.Code)\n\n\thttpAuth, err = common.NewBasicAuthProvider(\"\")\n\trequire.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodGet, \"/metrics\", nil)\n\trequire.NoError(t, err)\n\trr = httptest.NewRecorder()\n\ttestServer.Config.Handler.ServeHTTP(rr, req)\n\trequire.Equal(t, http.StatusOK, rr.Code)\n\n\terr = os.Remove(authUserFile)\n\trequire.NoError(t, err)\n}\n" }, { "path": "internal/util/errors.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage util\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n)\n\nconst (\n\ttemplateLoadErrorHints = \"Try setting the absolute templates path in your configuration file \" +\n\t\t\"or specifying the config directory adding the `-c` flag to the serve options. For example: \" +\n\t\t\"sftpgo serve -c \\\"\\\"\"\n)\n\n// MaxRecursion defines the maximum number of allowed recursions\nconst MaxRecursion = 1000\n\n// errors definitions\nvar (\n\tErrValidation = NewValidationError(\"\")\n\tErrNotFound = NewRecordNotFoundError(\"\")\n\tErrMethodDisabled = NewMethodDisabledError(\"\")\n\tErrGeneric = NewGenericError(\"\")\n\tErrRecursionTooDeep = errors.New(\"recursion too deep\")\n)\n\n// ValidationError raised if input data is not valid\ntype ValidationError struct {\n\terr string\n}\n\n// Validation error details\nfunc (e *ValidationError) Error() string {\n\treturn fmt.Sprintf(\"Validation error: %s\", e.err)\n}\n\n// GetErrorString returns the unmodified error string\nfunc (e *ValidationError) GetErrorString() string {\n\treturn e.err\n}\n\n// Is reports if target matches\nfunc (e *ValidationError) Is(target error) bool {\n\t_, ok := target.(*ValidationError)\n\treturn ok\n}\n\n// NewValidationError returns a validation errors\nfunc NewValidationError(errorString string) *ValidationError {\n\treturn &ValidationError{\n\t\terr: errorString,\n\t}\n}\n\n// RecordNotFoundError raised if a requested object is not found\ntype RecordNotFoundError struct {\n\terr string\n}\n\nfunc (e *RecordNotFoundError) Error() string {\n\treturn fmt.Sprintf(\"not found: %s\", e.err)\n}\n\n// Is reports if target matches\nfunc (e *RecordNotFoundError) Is(target error) bool {\n\t_, ok := target.(*RecordNotFoundError)\n\treturn ok\n}\n\n// NewRecordNotFoundError returns a not found error\nfunc NewRecordNotFoundError(errorString string) *RecordNotFoundError {\n\treturn &RecordNotFoundError{\n\t\terr: errorString,\n\t}\n}\n\n// MethodDisabledError raised if a method is disabled in config file.\n// For example, if user management is disabled, this error is raised\n// every time a user operation is done using the REST API\ntype MethodDisabledError struct {\n\terr string\n}\n\n// Method disabled error details\nfunc (e *MethodDisabledError) Error() string {\n\treturn fmt.Sprintf(\"Method disabled error: %s\", e.err)\n}\n\n// Is reports if target matches\nfunc (e *MethodDisabledError) Is(target error) bool {\n\t_, ok := target.(*MethodDisabledError)\n\treturn ok\n}\n\n// NewMethodDisabledError returns a method disabled error\nfunc NewMethodDisabledError(errorString string) *MethodDisabledError {\n\treturn &MethodDisabledError{\n\t\terr: errorString,\n\t}\n}\n\n// GenericError raised for not well categorized error\ntype GenericError struct {\n\terr string\n}\n\nfunc (e *GenericError) Error() string {\n\treturn e.err\n}\n\n// Is reports if target matches\nfunc (e *GenericError) Is(target error) bool {\n\t_, ok := target.(*GenericError)\n\treturn ok\n}\n\n// NewGenericError returns a generic error\nfunc NewGenericError(errorString string) *GenericError {\n\treturn &GenericError{\n\t\terr: errorString,\n\t}\n}\n" }, { "path": "internal/util/i18n.go", "content": "// Copyright (C) 2023 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage util\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n)\n\n// localization id for the Web frontend\nconst (\n\tI18nSetupTitle = \"title.setup\"\n\tI18nLoginTitle = \"title.login\"\n\tI18nShareLoginTitle = \"title.share_login\"\n\tI18nFilesTitle = \"title.files\"\n\tI18nSharesTitle = \"title.shares\"\n\tI18nShareAddTitle = \"title.add_share\"\n\tI18nShareUpdateTitle = \"title.update_share\"\n\tI18nProfileTitle = \"title.profile\"\n\tI18nUsersTitle = \"title.users\"\n\tI18nGroupsTitle = \"title.groups\"\n\tI18nFoldersTitle = \"title.folders\"\n\tI18nChangePwdTitle = \"title.change_password\"\n\tI18n2FATitle = \"title.two_factor_auth\"\n\tI18nEditFileTitle = \"title.edit_file\"\n\tI18nViewFileTitle = \"title.view_file\"\n\tI18nForgotPwdTitle = \"title.recovery_password\"\n\tI18nResetPwdTitle = \"title.reset_password\"\n\tI18nSharedFilesTitle = \"title.shared_files\"\n\tI18nShareUploadTitle = \"title.upload_to_share\"\n\tI18nShareDownloadTitle = \"title.download_shared_file\"\n\tI18nShareAccessErrorTitle = \"title.share_access_error\"\n\tI18nInvalidAuthReqTitle = \"title.invalid_auth_request\"\n\tI18nError403Title = \"title.error403\"\n\tI18nError400Title = \"title.error400\"\n\tI18nError404Title = \"title.error404\"\n\tI18nError416Title = \"title.error416\"\n\tI18nError429Title = \"title.error429\"\n\tI18nError500Title = \"title.error500\"\n\tI18nErrorPDFTitle = \"title.errorPDF\"\n\tI18nErrorEditorTitle = \"title.error_editor\"\n\tI18nAddUserTitle = \"title.add_user\"\n\tI18nUpdateUserTitle = \"title.update_user\"\n\tI18nAddAdminTitle = \"title.add_admin\"\n\tI18nUpdateAdminTitle = \"title.update_admin\"\n\tI18nTemplateUserTitle = \"title.template_user\"\n\tI18nMaintenanceTitle = \"title.maintenance\"\n\tI18nConfigsTitle = \"title.configs\"\n\tI18nOAuth2Title = \"title.oauth2_success\"\n\tI18nOAuth2ErrorTitle = \"title.oauth2_error\"\n\tI18nSessionsTitle = \"title.connections\"\n\tI18nRolesTitle = \"title.roles\"\n\tI18nAdminsTitle = \"title.admins\"\n\tI18nIPListsTitle = \"title.ip_lists\"\n\tI18nAddIPListTitle = \"title.add_ip_list\"\n\tI18nUpdateIPListTitle = \"title.update_ip_list\"\n\tI18nDefenderTitle = \"title.defender\"\n\tI18nEventsTitle = \"title.logs\"\n\tI18nActionsTitle = \"title.event_actions\"\n\tI18nRulesTitle = \"title.event_rules\"\n\tI18nAddActionTitle = \"title.add_action\"\n\tI18nUpdateActionTitle = \"title.update_action\"\n\tI18nAddRuleTitle = \"title.add_rule\"\n\tI18nUpdateRuleTitle = \"title.update_rule\"\n\tI18nStatusTitle = \"status.desc\"\n\tI18nErrorSetupInstallCode = \"setup.install_code_mismatch\"\n\tI18nInvalidAuth = \"general.invalid_auth_request\"\n\tI18nError429Message = \"general.error429\"\n\tI18nError400Message = \"general.error400\"\n\tI18nError403Message = \"general.error403\"\n\tI18nError404Message = \"general.error404\"\n\tI18nError416Message = \"general.error416\"\n\tI18nError500Message = \"general.error500\"\n\tI18nErrorPDFMessage = \"general.errorPDF\"\n\tI18nErrorInvalidToken = \"general.invalid_token\"\n\tI18nErrorInvalidForm = \"general.invalid_form\"\n\tI18nErrorInvalidCredentials = \"general.invalid_credentials\"\n\tI18nErrorInvalidCSRF = \"general.invalid_csrf\"\n\tI18nErrorFsGeneric = \"fs.err_generic\"\n\tI18nErrorDirListGeneric = \"fs.dir_list.err_generic\"\n\tI18nErrorDirList403 = \"fs.dir_list.err_403\"\n\tI18nErrorDirList429 = \"fs.dir_list.err_429\"\n\tI18nErrorDirListUser = \"fs.dir_list.err_user\"\n\tI18nErrorFsValidation = \"fs.err_validation\"\n\tI18nErrorChangePwdRequiredFields = \"change_pwd.required_fields\"\n\tI18nErrorChangePwdNoMatch = \"change_pwd.no_match\"\n\tI18nErrorChangePwdGeneric = \"change_pwd.generic\"\n\tI18nErrorChangePwdNoDifferent = \"change_pwd.no_different\"\n\tI18nErrorChangePwdCurrentNoMatch = \"change_pwd.current_no_match\"\n\tI18nErrorChangePwdRequired = \"change_pwd.required\"\n\tI18nErrorUsernameRequired = \"general.username_required\"\n\tI18nErrorPasswordRequired = \"general.password_required\"\n\tI18nErrorPermissionsRequired = \"general.permissions_required\"\n\tI18nErrorGetUser = \"general.err_user\"\n\tI18nErrorPwdResetForbidded = \"login.reset_pwd_forbidden\"\n\tI18nErrorPwdResetNoEmail = \"login.reset_pwd_no_email\"\n\tI18nErrorPwdResetSendEmail = \"login.reset_pwd_send_email_err\"\n\tI18nErrorPwdResetGeneric = \"login.reset_pwd_err_generic\"\n\tI18nErrorProtocolForbidden = \"general.err_protocol_forbidden\"\n\tI18nErrorPwdLoginForbidden = \"general.pwd_login_forbidden\"\n\tI18nErrorIPForbidden = \"general.ip_forbidden\"\n\tI18nErrorConnectionForbidden = \"general.connection_forbidden\"\n\tI18nErrorReservedUsername = \"user.username_reserved\"\n\tI18nErrorInvalidEmail = \"general.email_invalid\"\n\tI18nErrorInvalidInput = \"general.invalid_input\"\n\tI18nErrorInvalidUser = \"user.username_invalid\"\n\tI18nErrorInvalidName = \"general.name_invalid\"\n\tI18nErrorHomeRequired = \"user.home_required\"\n\tI18nErrorHomeInvalid = \"user.home_invalid\"\n\tI18nErrorPubKeyInvalid = \"user.pub_key_invalid\"\n\tI18nErrorPrivKeyInvalid = \"user.priv_key_invalid\"\n\tI18nErrorKeySizeInvalid = \"user.key_invalid_size\"\n\tI18nErrorKeyInsecure = \"user.key_insecure\"\n\tI18nErrorPrimaryGroup = \"user.err_primary_group\"\n\tI18nErrorDuplicateGroup = \"user.err_duplicate_group\"\n\tI18nErrorNoPermission = \"user.no_permissions\"\n\tI18nErrorNoRootPermission = \"user.no_root_permissions\"\n\tI18nErrorGenericPermission = \"user.err_permissions_generic\"\n\tI18nError2FAInvalid = \"user.2fa_invalid\"\n\tI18nErrorRecoveryCodesInvalid = \"user.recovery_codes_invalid\"\n\tI18nErrorFolderNameRequired = \"general.foldername_required\"\n\tI18nErrorFolderMountPathRequired = \"user.folder_path_required\"\n\tI18nErrorDuplicatedFolders = \"user.folder_duplicated\"\n\tI18nErrorOverlappedFolders = \"user.folder_overlapped\"\n\tI18nErrorFolderQuotaSizeInvalid = \"user.folder_quota_size_invalid\"\n\tI18nErrorFolderQuotaFileInvalid = \"user.folder_quota_file_invalid\"\n\tI18nErrorFolderQuotaInvalid = \"user.folder_quota_invalid\"\n\tI18nErrorPasswordComplexity = \"general.err_password_complexity\"\n\tI18nErrorIPFiltersInvalid = \"user.ip_filters_invalid\"\n\tI18nErrorSourceBWLimitInvalid = \"user.src_bw_limits_invalid\"\n\tI18nErrorShareExpirationInvalid = \"user.share_expiration_invalid\"\n\tI18nErrorFilePatternPathInvalid = \"user.file_pattern_path_invalid\"\n\tI18nErrorFilePatternDuplicated = \"user.file_pattern_duplicated\"\n\tI18nErrorFilePatternInvalid = \"user.file_pattern_invalid\"\n\tI18nErrorDisableActive2FA = \"user.disable_active_2fa\"\n\tI18nErrorPwdChangeConflict = \"user.pwd_change_conflict\"\n\tI18nError2FAConflict = \"user.two_factor_conflict\"\n\tI18nErrorLoginAfterReset = \"login.reset_ok_login_error\"\n\tI18nErrorShareScope = \"share.scope_invalid\"\n\tI18nErrorShareMaxTokens = \"share.max_tokens_invalid\"\n\tI18nErrorShareExpiration = \"share.expiration_invalid\"\n\tI18nErrorShareNoPwd = \"share.err_no_password\"\n\tI18nErrorShareExpirationOutOfRange = \"share.expiration_out_of_range\"\n\tI18nErrorShareGeneric = \"share.generic\"\n\tI18nErrorNameRequired = \"general.name_required\"\n\tI18nErrorSharePathRequired = \"share.path_required\"\n\tI18nErrorShareWriteScope = \"share.path_write_scope\"\n\tI18nErrorShareNestedPaths = \"share.nested_paths\"\n\tI18nErrorShareExpirationPast = \"share.expiration_past\"\n\tI18nErrorInvalidIPMask = \"general.allowed_ip_mask_invalid\"\n\tI18nErrorShareUsage = \"share.usage_exceed\"\n\tI18nErrorShareExpired = \"share.expired\"\n\tI18nErrorLoginFromIPDenied = \"login.ip_not_allowed\"\n\tI18nError2FARequired = \"login.two_factor_required\"\n\tI18nError2FARequiredGeneric = \"login.two_factor_required_generic\"\n\tI18nErrorNoOIDCFeature = \"general.no_oidc_feature\"\n\tI18nErrorNoPermissions = \"general.no_permissions\"\n\tI18nErrorShareBrowsePaths = \"share.browsable_multiple_paths\"\n\tI18nErrorShareBrowseNoDir = \"share.browsable_non_dir\"\n\tI18nErrorShareInvalidPath = \"share.invalid_path\"\n\tI18nErrorPathInvalid = \"general.path_invalid\"\n\tI18nErrorQuotaRead = \"general.err_quota_read\"\n\tI18nErrorEditDir = \"general.error_edit_dir\"\n\tI18nErrorEditSize = \"general.error_edit_size\"\n\tI18nProfileUpdated = \"general.profile_updated\"\n\tI18nShareLoginOK = \"general.share_ok\"\n\tI18n2FADisabled = \"2fa.disabled\"\n\tI18nOIDCTokenExpired = \"oidc.token_expired\"\n\tI18nOIDCTokenInvalidAdmin = \"oidc.token_invalid_webadmin\"\n\tI18nOIDCTokenInvalidUser = \"oidc.token_invalid_webclient\"\n\tI18nOIDCErrTokenExchange = \"oidc.token_exchange_err\"\n\tI18nOIDCTokenInvalid = \"oidc.token_invalid\"\n\tI18nOIDCTokenInvalidRoleAdmin = \"oidc.role_admin_err\"\n\tI18nOIDCTokenInvalidRoleUser = \"oidc.role_user_err\"\n\tI18nOIDCErrGetUser = \"oidc.get_user_err\"\n\tI18nErrorInvalidQuotaSize = \"user.invalid_quota_size\"\n\tI18nErrorTimeOfDayInvalid = \"user.time_of_day_invalid\"\n\tI18nErrorTimeOfDayConflict = \"user.time_of_day_conflict\"\n\tI18nErrorInvalidMaxFilesize = \"filters.max_upload_size_invalid\"\n\tI18nErrorInvalidHomeDir = \"storage.home_dir_invalid\"\n\tI18nErrorBucketRequired = \"storage.bucket_required\"\n\tI18nErrorRegionRequired = \"storage.region_required\"\n\tI18nErrorKeyPrefixInvalid = \"storage.key_prefix_invalid\"\n\tI18nErrorULPartSizeInvalid = \"storage.ul_part_size_invalid\"\n\tI18nErrorDLPartSizeInvalid = \"storage.dl_part_size_invalid\"\n\tI18nErrorULConcurrencyInvalid = \"storage.ul_concurrency_invalid\"\n\tI18nErrorDLConcurrencyInvalid = \"storage.dl_concurrency_invalid\"\n\tI18nErrorAccessKeyRequired = \"storage.access_key_required\"\n\tI18nErrorAccessSecretRequired = \"storage.access_secret_required\"\n\tI18nErrorFsCredentialsRequired = \"storage.credentials_required\"\n\tI18nErrorContainerRequired = \"storage.container_required\"\n\tI18nErrorAccountNameRequired = \"storage.account_name_required\"\n\tI18nErrorSASURLInvalid = \"storage.sas_url_invalid\"\n\tI18nErrorPassphraseRequired = \"storage.passphrase_required\"\n\tI18nErrorEndpointInvalid = \"storage.endpoint_invalid\"\n\tI18nErrorEndpointRequired = \"storage.endpoint_required\"\n\tI18nErrorFsUsernameRequired = \"storage.username_required\"\n\tI18nAddGroupTitle = \"title.add_group\"\n\tI18nUpdateGroupTitle = \"title.update_group\"\n\tI18nRoleAddTitle = \"title.add_role\"\n\tI18nRoleUpdateTitle = \"title.update_role\"\n\tI18nErrorInvalidTLSCert = \"user.tls_cert_invalid\"\n\tI18nAddFolderTitle = \"title.add_folder\"\n\tI18nUpdateFolderTitle = \"title.update_folder\"\n\tI18nTemplateFolderTitle = \"title.template_folder\"\n\tI18nErrorDuplicatedUsername = \"general.duplicated_username\"\n\tI18nErrorDuplicatedName = \"general.duplicated_name\"\n\tI18nErrorDuplicatedIPNet = \"ip_list.duplicated\"\n\tI18nErrorRoleAdminPerms = \"admin.role_permissions\"\n\tI18nBackupOK = \"maintenance.backup_ok\"\n\tI18nErrorFolderTemplate = \"virtual_folders.template_no_folder\"\n\tI18nErrorUserTemplate = \"user.template_no_user\"\n\tI18nConfigsOK = \"general.configs_saved\"\n\tI18nOAuth2ErrorVerifyState = \"oauth2.auth_verify_error\"\n\tI18nOAuth2ErrorValidateState = \"oauth2.auth_validation_error\"\n\tI18nOAuth2InvalidState = \"oauth2.auth_invalid\"\n\tI18nOAuth2ErrTokenExchange = \"oauth2.token_exchange_err\"\n\tI18nOAuth2ErrNoRefreshToken = \"oauth2.no_refresh_token\"\n\tI18nOAuth2OK = \"oauth2.success\"\n\tI18nErrorAdminSelfPerms = \"admin.self_permissions\"\n\tI18nErrorAdminSelfDisable = \"admin.self_disable\"\n\tI18nErrorAdminSelfRole = \"admin.self_role\"\n\tI18nErrorIPInvalid = \"ip_list.ip_invalid\"\n\tI18nErrorNetInvalid = \"ip_list.net_invalid\"\n\tI18nFTPTLSDisabled = \"status.tls_disabled\"\n\tI18nFTPTLSExplicit = \"status.tls_explicit\"\n\tI18nFTPTLSImplicit = \"status.tls_implicit\"\n\tI18nFTPTLSMixed = \"status.tls_mixed\"\n\tI18nErrorBackupFile = \"maintenance.backup_invalid_file\"\n\tI18nErrorRestore = \"maintenance.restore_error\"\n\tI18nErrorACMEGeneric = \"acme.generic_error\"\n\tI18nErrorSMTPRequiredFields = \"smtp.err_required_fields\"\n\tI18nErrorClientIDRequired = \"oauth2.client_id_required\"\n\tI18nErrorClientSecretRequired = \"oauth2.client_secret_required\"\n\tI18nErrorRefreshTokenRequired = \"oauth2.refresh_token_required\"\n\tI18nErrorURLRequired = \"actions.http_url_required\"\n\tI18nErrorURLInvalid = \"actions.http_url_invalid\"\n\tI18nErrorHTTPPartNameRequired = \"actions.http_part_name_required\"\n\tI18nErrorHTTPPartBodyRequired = \"actions.http_part_body_required\"\n\tI18nErrorMultipartBody = \"actions.http_multipart_body_error\"\n\tI18nErrorMultipartCType = \"actions.http_multipart_ctype_error\"\n\tI18nErrorPathDuplicated = \"actions.path_duplicated\"\n\tI18nErrorCommandRequired = \"actions.command_required\"\n\tI18nErrorCommandInvalid = \"actions.command_invalid\"\n\tI18nErrorEmailRecipientRequired = \"actions.email_recipient_required\"\n\tI18nErrorEmailSubjectRequired = \"actions.email_subject_required\"\n\tI18nErrorEmailBodyRequired = \"actions.email_body_required\"\n\tI18nErrorRetentionDirRequired = \"actions.retention_directory_required\"\n\tI18nErrorPathRequired = \"actions.path_required\"\n\tI18nErrorSourceDestMatch = \"actions.source_dest_different\"\n\tI18nErrorRootNotAllowed = \"actions.root_not_allowed\"\n\tI18nErrorArchiveNameRequired = \"actions.archive_name_required\"\n\tI18nErrorIDPTemplateRequired = \"actions.idp_template_required\"\n\tI18nActionTypeHTTP = \"actions.types.http\"\n\tI18nActionTypeEmail = \"actions.types.email\"\n\tI18nActionTypeBackup = \"actions.types.backup\"\n\tI18nActionTypeUserQuotaReset = \"actions.types.user_quota_reset\"\n\tI18nActionTypeFolderQuotaReset = \"actions.types.folder_quota_reset\"\n\tI18nActionTypeTransferQuotaReset = \"actions.types.transfer_quota_reset\"\n\tI18nActionTypeDataRetentionCheck = \"actions.types.data_retention_check\"\n\tI18nActionTypeFilesystem = \"actions.types.filesystem\"\n\tI18nActionTypePwdExpirationCheck = \"actions.types.password_expiration_check\"\n\tI18nActionTypeUserExpirationCheck = \"actions.types.user_expiration_check\"\n\tI18nActionTypeUserInactivityCheck = \"actions.types.user_inactivity_check\"\n\tI18nActionTypeIDPCheck = \"actions.types.idp_check\"\n\tI18nActionTypeCommand = \"actions.types.command\"\n\tI18nActionTypeRotateLogs = \"actions.types.rotate_logs\"\n\tI18nActionFsTypeRename = \"actions.fs_types.rename\"\n\tI18nActionFsTypeDelete = \"actions.fs_types.delete\"\n\tI18nActionFsTypePathExists = \"actions.fs_types.path_exists\"\n\tI18nActionFsTypeCompress = \"actions.fs_types.compress\"\n\tI18nActionFsTypeCopy = \"actions.fs_types.copy\"\n\tI18nActionFsTypeCreateDirs = \"actions.fs_types.create_dirs\"\n\tI18nActionThresholdRequired = \"actions.inactivity_threshold_required\"\n\tI18nActionThresholdsInvalid = \"actions.inactivity_thresholds_invalid\"\n\tI18nTriggerFsEvent = \"rules.triggers.fs_event\"\n\tI18nTriggerProviderEvent = \"rules.triggers.provider_event\"\n\tI18nTriggerIPBlockedEvent = \"rules.triggers.ip_blocked\"\n\tI18nTriggerCertificateRenewEvent = \"rules.triggers.certificate_renewal\"\n\tI18nTriggerOnDemandEvent = \"rules.triggers.on_demand\"\n\tI18nTriggerIDPLoginEvent = \"rules.triggers.idp_login\"\n\tI18nTriggerScheduleEvent = \"rules.triggers.schedule\"\n\tI18nErrorInvalidMinSize = \"rules.invalid_fs_min_size\"\n\tI18nErrorInvalidMaxSize = \"rules.invalid_fs_max_size\"\n\tI18nErrorRuleActionRequired = \"rules.action_required\"\n\tI18nErrorRuleFsEventRequired = \"rules.fs_event_required\"\n\tI18nErrorRuleProviderEventRequired = \"rules.provider_event_required\"\n\tI18nErrorRuleScheduleRequired = \"rules.schedule_required\"\n\tI18nErrorRuleScheduleInvalid = \"rules.schedule_invalid\"\n\tI18nErrorRuleDuplicateActions = \"rules.duplicate_actions\"\n\tI18nErrorEvSyncFailureActions = \"rules.sync_failure_actions\"\n\tI18nErrorEvSyncUnsupported = \"rules.sync_unsupported\"\n\tI18nErrorEvSyncUnsupportedFs = \"rules.sync_unsupported_fs_event\"\n\tI18nErrorRuleFailureActionsOnly = \"rules.only_failure_actions\"\n\tI18nErrorRuleSyncActionRequired = \"rules.sync_action_required\"\n\tI18nErrorInvalidPNG = \"branding.invalid_png\"\n\tI18nErrorInvalidPNGSize = \"branding.invalid_png_size\"\n\tI18nErrorInvalidDisclaimerURL = \"branding.invalid_disclaimer_url\"\n)\n\n// NewI18nError returns a I18nError wrappring the provided error\nfunc NewI18nError(err error, message string, options ...I18nErrorOption) *I18nError {\n\tvar errI18n *I18nError\n\tif errors.As(err, &errI18n) {\n\t\treturn errI18n\n\t}\n\terrI18n = &I18nError{\n\t\terr: err,\n\t\tMessage: message,\n\t\targs: nil,\n\t}\n\tfor _, opt := range options {\n\t\topt(errI18n)\n\t}\n\treturn errI18n\n}\n\n// I18nErrorOption defines a functional option type that allows to configure the I18nError.\ntype I18nErrorOption func(*I18nError)\n\n// I18nErrorArgs is a functional option to set I18nError arguments.\nfunc I18nErrorArgs(args map[string]any) I18nErrorOption {\n\treturn func(e *I18nError) {\n\t\te.args = args\n\t}\n}\n\n// I18nError is an error wrapper that add a message to use for localization.\ntype I18nError struct {\n\terr error\n\tMessage string\n\targs map[string]any\n}\n\n// Error returns the wrapped error string.\nfunc (e *I18nError) Error() string {\n\treturn e.err.Error()\n}\n\n// Unwrap returns the underlying error\nfunc (e *I18nError) Unwrap() error {\n\treturn e.err\n}\n\n// Is reports if target matches\nfunc (e *I18nError) Is(target error) bool {\n\tif errors.Is(e.err, target) {\n\t\treturn true\n\t}\n\t_, ok := target.(*I18nError)\n\treturn ok\n}\n\n// HasArgs returns true if the error has i18n args.\nfunc (e *I18nError) HasArgs() bool {\n\treturn len(e.args) > 0\n}\n\n// Args returns the provided args in JSON format\nfunc (e *I18nError) Args() string {\n\tif len(e.args) > 0 {\n\t\tdata, err := json.Marshal(e.args)\n\t\tif err == nil {\n\t\t\treturn BytesToString(data)\n\t\t}\n\t}\n\treturn \"{}\"\n}\n" }, { "path": "internal/util/resources.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build !bundle\n\npackage util\n\nimport (\n\t\"html/template\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"runtime\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n)\n\n// FindSharedDataPath searches for the specified directory name in searchDir\n// and in system-wide shared data directories.\n// If name is an absolute path it is returned unmodified.\nfunc FindSharedDataPath(name, searchDir string) string {\n\tif !IsFileInputValid(name) {\n\t\treturn \"\"\n\t}\n\tif name != \"\" && !filepath.IsAbs(name) {\n\t\tsearchList := []string{searchDir}\n\t\tif additionalSharedDataSearchPath != \"\" {\n\t\t\tsearchList = append(searchList, additionalSharedDataSearchPath)\n\t\t}\n\t\tif runtime.GOOS != osWindows {\n\t\t\tsearchList = append(searchList, \"/usr/share/sftpgo\")\n\t\t\tsearchList = append(searchList, \"/usr/local/share/sftpgo\")\n\t\t}\n\t\tsearchList = RemoveDuplicates(searchList, false)\n\t\tfor _, basePath := range searchList {\n\t\t\tres := filepath.Join(basePath, name)\n\t\t\t_, err := os.Stat(res)\n\t\t\tif err == nil {\n\t\t\t\tlogger.Debug(logSender, \"\", \"found share data path for name %q: %q\", name, res)\n\t\t\t\treturn res\n\t\t\t}\n\t\t}\n\t\treturn filepath.Join(searchDir, name)\n\t}\n\treturn name\n}\n\n// LoadTemplate parses the given template paths.\n// It behaves like template.Must but it writes a log before exiting.\nfunc LoadTemplate(base *template.Template, paths ...string) *template.Template {\n\tif base != nil {\n\t\tbaseTmpl, err := base.Clone()\n\t\tif err != nil {\n\t\t\tshowTemplateLoadingError(err)\n\t\t}\n\t\tt, err := baseTmpl.ParseFiles(paths...)\n\t\tif err != nil {\n\t\t\tshowTemplateLoadingError(err)\n\t\t}\n\t\treturn t\n\t}\n\n\tt, err := template.ParseFiles(paths...)\n\tif err != nil {\n\t\tshowTemplateLoadingError(err)\n\t}\n\treturn t\n}\n\nfunc showTemplateLoadingError(err error) {\n\tlogger.ErrorToConsole(\"error loading required template: %v\", err)\n\tlogger.ErrorToConsole(templateLoadErrorHints)\n\tlogger.Error(logSender, \"\", \"error loading required template: %v\", err)\n\tos.Exit(1)\n}\n" }, { "path": "internal/util/resources_embedded.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build bundle\n\npackage util\n\nimport (\n\t\"html/template\"\n\t\"os\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/bundle\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n)\n\n// FindSharedDataPath searches for the specified directory name in searchDir\n// and in system-wide shared data directories.\n// If name is an absolute path it is returned unmodified.\nfunc FindSharedDataPath(name, _ string) string {\n\treturn name\n}\n\n// LoadTemplate parses the given template paths.\n// It behaves like template.Must but it writes a log before exiting.\n// You can optionally provide a base template (e.g. to define some custom functions)\nfunc LoadTemplate(base *template.Template, paths ...string) *template.Template {\n\tvar t *template.Template\n\tvar err error\n\n\ttemplateFs := bundle.GetTemplatesFs()\n\tif base != nil {\n\t\tbase, err = base.Clone()\n\t\tif err == nil {\n\t\t\tt, err = base.ParseFS(templateFs, paths...)\n\t\t}\n\t} else {\n\t\tt, err = template.ParseFS(templateFs, paths...)\n\t}\n\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error loading required template: %v\", err)\n\t\tlogger.ErrorToConsole(templateLoadErrorHints)\n\t\tlogger.Error(logSender, \"\", \"error loading required template: %v\", err)\n\t\tos.Exit(1)\n\t}\n\treturn t\n}\n" }, { "path": "internal/util/util.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n// Package util provides some common utility methods\npackage util\n\nimport (\n\t\"bytes\"\n\t\"crypto/ecdsa\"\n\t\"crypto/ed25519\"\n\t\"crypto/elliptic\"\n\t\"crypto/rand\"\n\t\"crypto/rsa\"\n\t\"crypto/sha256\"\n\t\"crypto/subtle\"\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"encoding/hex\"\n\t\"encoding/json\"\n\t\"encoding/pem\"\n\t\"errors\"\n\t\"fmt\"\n\t\"hash\"\n\t\"io\"\n\t\"io/fs\"\n\t\"math\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/netip\"\n\t\"net/url\"\n\t\"os\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"regexp\"\n\t\"runtime\"\n\t\"slices\"\n\t\"strconv\"\n\t\"strings\"\n\t\"time\"\n\t\"unicode\"\n\t\"unsafe\"\n\n\t\"github.com/google/uuid\"\n\t\"github.com/lithammer/shortuuid/v4\"\n\t\"golang.org/x/crypto/ssh\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n)\n\nconst (\n\tlogSender = \"util\"\n\tosWindows = \"windows\"\n\tpubKeySuffix = \".pub\"\n)\n\nvar (\n\temailRegex = regexp.MustCompile(\"^(?:(?:(?:(?:[a-zA-Z]|\\\\d|[!#\\\\$%&'\\\\*\\\\+\\\\-\\\\/=\\\\?\\\\^_`{\\\\|}~]|[\\\\x{00A0}-\\\\x{D7FF}\\\\x{F900}-\\\\x{FDCF}\\\\x{FDF0}-\\\\x{FFEF}])+(?:\\\\.([a-zA-Z]|\\\\d|[!#\\\\$%&'\\\\*\\\\+\\\\-\\\\/=\\\\?\\\\^_`{\\\\|}~]|[\\\\x{00A0}-\\\\x{D7FF}\\\\x{F900}-\\\\x{FDCF}\\\\x{FDF0}-\\\\x{FFEF}])+)*)|(?:(?:\\\\x22)(?:(?:(?:(?:\\\\x20|\\\\x09)*(?:\\\\x0d\\\\x0a))?(?:\\\\x20|\\\\x09)+)?(?:(?:[\\\\x01-\\\\x08\\\\x0b\\\\x0c\\\\x0e-\\\\x1f\\\\x7f]|\\\\x21|[\\\\x23-\\\\x5b]|[\\\\x5d-\\\\x7e]|[\\\\x{00A0}-\\\\x{D7FF}\\\\x{F900}-\\\\x{FDCF}\\\\x{FDF0}-\\\\x{FFEF}])|(?:(?:[\\\\x01-\\\\x09\\\\x0b\\\\x0c\\\\x0d-\\\\x7f]|[\\\\x{00A0}-\\\\x{D7FF}\\\\x{F900}-\\\\x{FDCF}\\\\x{FDF0}-\\\\x{FFEF}]))))*(?:(?:(?:\\\\x20|\\\\x09)*(?:\\\\x0d\\\\x0a))?(\\\\x20|\\\\x09)+)?(?:\\\\x22))))@(?:(?:(?:[a-zA-Z]|\\\\d|[\\\\x{00A0}-\\\\x{D7FF}\\\\x{F900}-\\\\x{FDCF}\\\\x{FDF0}-\\\\x{FFEF}])|(?:(?:[a-zA-Z]|\\\\d|[\\\\x{00A0}-\\\\x{D7FF}\\\\x{F900}-\\\\x{FDCF}\\\\x{FDF0}-\\\\x{FFEF}])(?:[a-zA-Z]|\\\\d|-|\\\\.|~|[\\\\x{00A0}-\\\\x{D7FF}\\\\x{F900}-\\\\x{FDCF}\\\\x{FDF0}-\\\\x{FFEF}])*(?:[a-zA-Z]|\\\\d|[\\\\x{00A0}-\\\\x{D7FF}\\\\x{F900}-\\\\x{FDCF}\\\\x{FDF0}-\\\\x{FFEF}])))\\\\.)+(?:(?:[a-zA-Z]|[\\\\x{00A0}-\\\\x{D7FF}\\\\x{F900}-\\\\x{FDCF}\\\\x{FDF0}-\\\\x{FFEF}])|(?:(?:[a-zA-Z]|[\\\\x{00A0}-\\\\x{D7FF}\\\\x{F900}-\\\\x{FDCF}\\\\x{FDF0}-\\\\x{FFEF}])(?:[a-zA-Z]|\\\\d|-|\\\\.|~|[\\\\x{00A0}-\\\\x{D7FF}\\\\x{F900}-\\\\x{FDCF}\\\\x{FDF0}-\\\\x{FFEF}])*(?:[a-zA-Z]|[\\\\x{00A0}-\\\\x{D7FF}\\\\x{F900}-\\\\x{FDCF}\\\\x{FDF0}-\\\\x{FFEF}])))\\\\.?$\")\n\t// this can be set at build time\n\tadditionalSharedDataSearchPath = \"\"\n\t// CertsBasePath defines base path for certificates obtained using the built-in ACME protocol.\n\t// It is empty is ACME support is disabled\n\tCertsBasePath string\n\t// Defines the TLS ciphers used by default for TLS 1.0-1.2 if no preference is specified.\n\tdefaultTLSCiphers = []uint16{\n\t\ttls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\n\t\ttls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,\n\t\ttls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,\n\t}\n)\n\n// IEC Sizes.\n// kibis of bits\nconst (\n\toneByte = 1 << (iota * 10)\n\tkiByte\n\tmiByte\n\tgiByte\n\ttiByte\n\tpiByte\n\teiByte\n)\n\n// SI Sizes.\nconst (\n\tiByte = 1\n\tkbByte = iByte * 1000\n\tmByte = kbByte * 1000\n\tgByte = mByte * 1000\n\ttByte = gByte * 1000\n\tpByte = tByte * 1000\n\teByte = pByte * 1000\n)\n\nvar bytesSizeTable = map[string]uint64{\n\t\"b\": oneByte,\n\t\"kib\": kiByte,\n\t\"kb\": kbByte,\n\t\"mib\": miByte,\n\t\"mb\": mByte,\n\t\"gib\": giByte,\n\t\"gb\": gByte,\n\t\"tib\": tiByte,\n\t\"tb\": tByte,\n\t\"pib\": piByte,\n\t\"pb\": pByte,\n\t\"eib\": eiByte,\n\t\"eb\": eByte,\n\t// Without suffix\n\t\"\": oneByte,\n\t\"ki\": kiByte,\n\t\"k\": kbByte,\n\t\"mi\": miByte,\n\t\"m\": mByte,\n\t\"gi\": giByte,\n\t\"g\": gByte,\n\t\"ti\": tiByte,\n\t\"t\": tByte,\n\t\"pi\": piByte,\n\t\"p\": pByte,\n\t\"ei\": eiByte,\n\t\"e\": eByte,\n}\n\n// IsStringPrefixInSlice searches a string prefix in a slice and returns true\n// if a matching prefix is found\nfunc IsStringPrefixInSlice(obj string, list []string) bool {\n\tfor i := 0; i < len(list); i++ {\n\t\tif strings.HasPrefix(obj, list[i]) {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// RemoveDuplicates returns a new slice removing any duplicate element from the initial one\nfunc RemoveDuplicates(obj []string, trim bool) []string {\n\tif len(obj) == 0 {\n\t\treturn obj\n\t}\n\tseen := make(map[string]bool)\n\tvalidIdx := 0\n\tfor _, item := range obj {\n\t\tif trim {\n\t\t\titem = strings.TrimSpace(item)\n\t\t}\n\t\tif !seen[item] {\n\t\t\tseen[item] = true\n\t\t\tobj[validIdx] = item\n\t\t\tvalidIdx++\n\t\t}\n\t}\n\treturn obj[:validIdx]\n}\n\n// IsNameValid validates that a name/username contains only safe characters.\nfunc IsNameValid(name string) bool {\n\tif name == \"\" {\n\t\treturn false\n\t}\n\tif len(name) > 255 {\n\t\treturn false\n\t}\n\tfor _, r := range name {\n\t\tif unicode.IsControl(r) {\n\t\t\treturn false\n\t\t}\n\n\t\tswitch r {\n\t\tcase '/', '\\\\':\n\t\t\treturn false\n\t\tcase ':', '*', '?', '\"', '<', '>', '|':\n\t\t\treturn false\n\t\t}\n\t}\n\n\tif name == \".\" || name == \"..\" {\n\t\treturn false\n\t}\n\n\tupperName := strings.ToUpper(name)\n\tbaseName := strings.Split(upperName, \".\")[0]\n\n\tswitch baseName {\n\tcase \"CON\", \"PRN\", \"AUX\", \"NUL\",\n\t\t\"COM1\", \"COM2\", \"COM3\", \"COM4\", \"COM5\", \"COM6\", \"COM7\", \"COM8\", \"COM9\",\n\t\t\"LPT1\", \"LPT2\", \"LPT3\", \"LPT4\", \"LPT5\", \"LPT6\", \"LPT7\", \"LPT8\", \"LPT9\":\n\t\treturn false\n\t}\n\n\tif strings.HasSuffix(name, \" \") || strings.HasSuffix(name, \".\") {\n\t\treturn false\n\t}\n\n\treturn true\n}\n\n// GetTimeAsMsSinceEpoch returns unix timestamp as milliseconds from a time struct\nfunc GetTimeAsMsSinceEpoch(t time.Time) int64 {\n\treturn t.UnixMilli()\n}\n\n// GetTimeFromMsecSinceEpoch return a time struct from a unix timestamp with millisecond precision\nfunc GetTimeFromMsecSinceEpoch(msec int64) time.Time {\n\treturn time.Unix(0, msec*1000000)\n}\n\n// GetDurationAsString returns a string representation for a time.Duration\nfunc GetDurationAsString(d time.Duration) string {\n\td = d.Round(time.Second)\n\th := d / time.Hour\n\td -= h * time.Hour\n\tm := d / time.Minute\n\td -= m * time.Minute\n\ts := d / time.Second\n\tif h > 0 {\n\t\treturn fmt.Sprintf(\"%02d:%02d:%02d\", h, m, s)\n\t}\n\treturn fmt.Sprintf(\"%02d:%02d\", m, s)\n}\n\n// ByteCountSI returns humanized size in SI (decimal) format\nfunc ByteCountSI(b int64) string {\n\treturn byteCount(b, 1000, true)\n}\n\n// ByteCountIEC returns humanized size in IEC (binary) format\nfunc ByteCountIEC(b int64) string {\n\treturn byteCount(b, 1024, false)\n}\n\nfunc byteCount(b int64, unit int64, maxPrecision bool) string {\n\tif b <= 0 && maxPrecision {\n\t\treturn strconv.FormatInt(b, 10)\n\t}\n\tif b < unit {\n\t\treturn fmt.Sprintf(\"%d B\", b)\n\t}\n\tdiv, exp := unit, 0\n\tfor n := b / unit; n >= unit; n /= unit {\n\t\tdiv *= unit\n\t\texp++\n\t}\n\tvar val string\n\tif maxPrecision {\n\t\tval = strconv.FormatFloat(float64(b)/float64(div), 'f', -1, 64)\n\t} else {\n\t\tval = fmt.Sprintf(\"%.1f\", float64(b)/float64(div))\n\t}\n\tif unit == 1000 {\n\t\treturn fmt.Sprintf(\"%s %cB\", val, \"KMGTPE\"[exp])\n\t}\n\treturn fmt.Sprintf(\"%s %ciB\", val, \"KMGTPE\"[exp])\n}\n\n// ParseBytes parses a string representation of bytes into the number\n// of bytes it represents.\n//\n// ParseBytes(\"42 MB\") -> 42000000, nil\n// ParseBytes(\"42 mib\") -> 44040192, nil\n//\n// copied from here:\n//\n// https://github.com/dustin/go-humanize/blob/master/bytes.go\n//\n// with minor modifications\nfunc ParseBytes(s string) (int64, error) {\n\ts = strings.TrimSpace(s)\n\tlastDigit := 0\n\thasComma := false\n\tfor _, r := range s {\n\t\tif !unicode.IsDigit(r) && r != '.' && r != ',' {\n\t\t\tbreak\n\t\t}\n\t\tif r == ',' {\n\t\t\thasComma = true\n\t\t}\n\t\tlastDigit++\n\t}\n\n\tnum := s[:lastDigit]\n\tif hasComma {\n\t\tnum = strings.ReplaceAll(num, \",\", \"\")\n\t}\n\n\tf, err := strconv.ParseFloat(num, 64)\n\tif err != nil {\n\t\treturn 0, err\n\t}\n\n\textra := strings.ToLower(strings.TrimSpace(s[lastDigit:]))\n\tif m, ok := bytesSizeTable[extra]; ok {\n\t\tf *= float64(m)\n\t\tif f >= math.MaxInt64 {\n\t\t\treturn 0, fmt.Errorf(\"value too large: %v\", s)\n\t\t}\n\t\tif f < 0 {\n\t\t\treturn 0, fmt.Errorf(\"negative value not allowed: %v\", s)\n\t\t}\n\t\treturn int64(f), nil\n\t}\n\n\treturn 0, fmt.Errorf(\"unhandled size name: %v\", extra)\n}\n\n// BytesToString converts []byte to string without allocations.\n// https://github.com/kubernetes/kubernetes/blob/e4b74dd12fa8cb63c174091d5536a10b8ec19d34/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator.go#L278\n// Use only if strictly required, this method uses unsafe.\nfunc BytesToString(b []byte) string {\n\t// unsafe.SliceData relies on cap whereas we want to rely on len\n\tif len(b) == 0 {\n\t\treturn \"\"\n\t}\n\t// https://github.com/golang/go/blob/4ed358b57efdad9ed710be7f4fc51495a7620ce2/src/strings/builder.go#L41\n\treturn unsafe.String(unsafe.SliceData(b), len(b))\n}\n\n// StringToBytes convert string to []byte without allocations.\n// https://github.com/kubernetes/kubernetes/blob/e4b74dd12fa8cb63c174091d5536a10b8ec19d34/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator.go#L289\n// Use only if strictly required, this method uses unsafe.\nfunc StringToBytes(s string) []byte {\n\t// unsafe.StringData is unspecified for the empty string, so we provide a strict interpretation\n\tif s == \"\" {\n\t\treturn nil\n\t}\n\t// https://github.com/golang/go/blob/4ed358b57efdad9ed710be7f4fc51495a7620ce2/src/os/file.go#L300\n\treturn unsafe.Slice(unsafe.StringData(s), len(s))\n}\n\n// GetIPFromRemoteAddress returns the IP from the remote address.\n// If the given remote address cannot be parsed it will be returned unchanged\nfunc GetIPFromRemoteAddress(remoteAddress string) string {\n\tip, _, err := net.SplitHostPort(remoteAddress)\n\tif err == nil {\n\t\treturn ip\n\t}\n\treturn remoteAddress\n}\n\n// GetIPFromNetAddr returns the IP from the network address\nfunc GetIPFromNetAddr(upstream net.Addr) (net.IP, error) {\n\tif upstream == nil {\n\t\treturn nil, errors.New(\"invalid address\")\n\t}\n\tupstreamString, _, err := net.SplitHostPort(upstream.String())\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tupstreamIP := net.ParseIP(upstreamString)\n\tif upstreamIP == nil {\n\t\treturn nil, fmt.Errorf(\"invalid IP address: %q\", upstreamString)\n\t}\n\n\treturn upstreamIP, nil\n}\n\n// NilIfEmpty returns nil if the input string is empty\nfunc NilIfEmpty(s string) *string {\n\tif s == \"\" {\n\t\treturn nil\n\t}\n\treturn &s\n}\n\n// GetStringFromPointer returns the string value or empty if nil\nfunc GetStringFromPointer(val *string) string {\n\tif val == nil {\n\t\treturn \"\"\n\t}\n\treturn *val\n}\n\n// GetIntFromPointer returns the int value or zero\nfunc GetIntFromPointer(val *int64) int64 {\n\tif val == nil {\n\t\treturn 0\n\t}\n\treturn *val\n}\n\n// GetTimeFromPointer returns the time value or now\nfunc GetTimeFromPointer(val *time.Time) time.Time {\n\tif val == nil {\n\t\treturn time.Unix(0, 0)\n\t}\n\treturn *val\n}\n\n// GenerateRSAKeys generate rsa private and public keys and write the\n// private key to specified file and the public key to the specified\n// file adding the .pub suffix\nfunc GenerateRSAKeys(file string) error {\n\tif err := createDirPathIfMissing(file, 0700); err != nil {\n\t\treturn err\n\t}\n\tkey, err := rsa.GenerateKey(rand.Reader, 3072)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\to, err := os.OpenFile(file, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer o.Close()\n\n\tpriv := &pem.Block{\n\t\tType: \"RSA PRIVATE KEY\",\n\t\tBytes: x509.MarshalPKCS1PrivateKey(key),\n\t}\n\n\tif err := pem.Encode(o, priv); err != nil {\n\t\treturn err\n\t}\n\n\tpub, err := ssh.NewPublicKey(&key.PublicKey)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn os.WriteFile(file+pubKeySuffix, ssh.MarshalAuthorizedKey(pub), 0600)\n}\n\n// GenerateECDSAKeys generate ecdsa private and public keys and write the\n// private key to specified file and the public key to the specified\n// file adding the .pub suffix\nfunc GenerateECDSAKeys(file string) error {\n\tif err := createDirPathIfMissing(file, 0700); err != nil {\n\t\treturn err\n\t}\n\tkey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tkeyBytes, err := x509.MarshalECPrivateKey(key)\n\tif err != nil {\n\t\treturn err\n\t}\n\tpriv := &pem.Block{\n\t\tType: \"EC PRIVATE KEY\",\n\t\tBytes: keyBytes,\n\t}\n\n\to, err := os.OpenFile(file, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer o.Close()\n\n\tif err := pem.Encode(o, priv); err != nil {\n\t\treturn err\n\t}\n\n\tpub, err := ssh.NewPublicKey(&key.PublicKey)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn os.WriteFile(file+pubKeySuffix, ssh.MarshalAuthorizedKey(pub), 0600)\n}\n\n// GenerateEd25519Keys generate ed25519 private and public keys and write the\n// private key to specified file and the public key to the specified\n// file adding the .pub suffix\nfunc GenerateEd25519Keys(file string) error {\n\tpubKey, privKey, err := ed25519.GenerateKey(rand.Reader)\n\tif err != nil {\n\t\treturn err\n\t}\n\tkeyBytes, err := x509.MarshalPKCS8PrivateKey(privKey)\n\tif err != nil {\n\t\treturn err\n\t}\n\tpriv := &pem.Block{\n\t\tType: \"PRIVATE KEY\",\n\t\tBytes: keyBytes,\n\t}\n\to, err := os.OpenFile(file, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer o.Close()\n\n\tif err := pem.Encode(o, priv); err != nil {\n\t\treturn err\n\t}\n\tpub, err := ssh.NewPublicKey(pubKey)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn os.WriteFile(file+pubKeySuffix, ssh.MarshalAuthorizedKey(pub), 0600)\n}\n\n// IsDirOverlapped returns true if dir1 and dir2 overlap\nfunc IsDirOverlapped(dir1, dir2 string, fullCheck bool, separator string) bool {\n\tif dir1 == dir2 {\n\t\treturn true\n\t}\n\tif fullCheck {\n\t\tif len(dir1) > len(dir2) {\n\t\t\tif strings.HasPrefix(dir1, dir2+separator) {\n\t\t\t\treturn true\n\t\t\t}\n\t\t}\n\t\tif len(dir2) > len(dir1) {\n\t\t\tif strings.HasPrefix(dir2, dir1+separator) {\n\t\t\t\treturn true\n\t\t\t}\n\t\t}\n\t}\n\treturn false\n}\n\n// GetDirsForVirtualPath returns all the directory for the given path in reverse order\n// for example if the path is: /1/2/3/4 it returns:\n// [ \"/1/2/3/4\", \"/1/2/3\", \"/1/2\", \"/1\", \"/\" ]\nfunc GetDirsForVirtualPath(virtualPath string) []string {\n\tif virtualPath == \"\" || virtualPath == \".\" {\n\t\tvirtualPath = \"/\"\n\t} else {\n\t\tif !path.IsAbs(virtualPath) {\n\t\t\tvirtualPath = CleanPath(virtualPath)\n\t\t}\n\t}\n\tdirsForPath := []string{virtualPath}\n\tfor virtualPath != \"/\" {\n\t\tvirtualPath = path.Dir(virtualPath)\n\t\tdirsForPath = append(dirsForPath, virtualPath)\n\t}\n\treturn dirsForPath\n}\n\n// CleanPath returns a clean POSIX (/) absolute path to work with\nfunc CleanPath(p string) string {\n\treturn CleanPathWithBase(\"/\", p)\n}\n\n// CleanPathWithBase returns a clean POSIX (/) absolute path to work with.\n// The specified base will be used if the provided path is not absolute\nfunc CleanPathWithBase(base, p string) string {\n\tp = strings.ReplaceAll(p, \"\\\\\", \"/\")\n\tif !path.IsAbs(p) {\n\t\tp = path.Join(base, p)\n\t}\n\treturn path.Clean(p)\n}\n\n// IsFileInputValid returns true this is a valid file name.\n// This method must be used before joining a file name, generally provided as\n// user input, with a directory\nfunc IsFileInputValid(fileInput string) bool {\n\tcleanInput := filepath.Clean(fileInput)\n\tif cleanInput == \".\" || cleanInput == \"..\" {\n\t\treturn false\n\t}\n\treturn true\n}\n\n// CleanDirInput sanitizes user input for directories.\n// On Windows it removes any trailing `\"`.\n// We try to help windows users that set an invalid path such as \"C:\\ProgramData\\SFTPGO\\\".\n// This will only help if the invalid path is the last argument, for example in this command:\n// sftpgo.exe serve -c \"C:\\ProgramData\\SFTPGO\\\" -l \"sftpgo.log\"\n// the -l flag will be ignored and the -c flag will get the value `C:\\ProgramData\\SFTPGO\" -l sftpgo.log`\n// since the backslash after SFTPGO escape the double quote. This is definitely a bad user input\nfunc CleanDirInput(dirInput string) string {\n\tif runtime.GOOS == osWindows {\n\t\tfor strings.HasSuffix(dirInput, \"\\\"\") {\n\t\t\tdirInput = strings.TrimSuffix(dirInput, \"\\\"\")\n\t\t}\n\t}\n\treturn filepath.Clean(dirInput)\n}\n\nfunc createDirPathIfMissing(file string, perm os.FileMode) error {\n\tdirPath := filepath.Dir(file)\n\tif _, err := os.Stat(dirPath); errors.Is(err, fs.ErrNotExist) {\n\t\terr = os.MkdirAll(dirPath, perm)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\treturn nil\n}\n\n// GenerateRandomBytes generates random bytes with the specified length\nfunc GenerateRandomBytes(length int) []byte {\n\tb := make([]byte, length)\n\t_, err := io.ReadFull(rand.Reader, b)\n\tif err != nil {\n\t\tPanicOnError(fmt.Errorf(\"failed to read random data (see https://go.dev/issue/66821): %w\", err))\n\t}\n\treturn b\n}\n\n// GenerateOpaqueString generates a cryptographically secure opaque string\nfunc GenerateOpaqueString() string {\n\trandomBytes := sha256.Sum256(GenerateRandomBytes(32))\n\treturn hex.EncodeToString(randomBytes[:])\n}\n\n// GenerateUniqueID returns an unique ID\nfunc GenerateUniqueID() string {\n\tu, err := uuid.NewRandom()\n\tif err != nil {\n\t\tPanicOnError(fmt.Errorf(\"failed to read random data (see https://go.dev/issue/66821): %w\", err))\n\t}\n\treturn shortuuid.DefaultEncoder.Encode(u)\n}\n\n// HTTPListenAndServe is a wrapper for ListenAndServe that support both tcp\n// and Unix-domain sockets\nfunc HTTPListenAndServe(srv *http.Server, address string, port int, isTLS bool,\n\tlistenerWrapper func(net.Listener) (net.Listener, error),\n\tlogSender string,\n) error {\n\tvar listener net.Listener\n\tvar err error\n\n\tif filepath.IsAbs(address) && runtime.GOOS != osWindows {\n\t\tif !IsFileInputValid(address) {\n\t\t\treturn fmt.Errorf(\"invalid socket address %q\", address)\n\t\t}\n\t\terr = createDirPathIfMissing(address, 0770)\n\t\tif err != nil {\n\t\t\tlogger.ErrorToConsole(\"error creating Unix-domain socket parent dir: %v\", err)\n\t\t\tlogger.Error(logSender, \"\", \"error creating Unix-domain socket parent dir: %v\", err)\n\t\t}\n\t\tos.Remove(address)\n\t\tlistener, err = net.Listen(\"unix\", address)\n\t\tif err == nil {\n\t\t\t// should a chmod err be fatal?\n\t\t\tif errChmod := os.Chmod(address, 0770); errChmod != nil {\n\t\t\t\tlogger.Warn(logSender, \"\", \"unable to set the Unix-domain socket group writable: %v\", errChmod)\n\t\t\t}\n\t\t}\n\t} else {\n\t\tCheckTCP4Port(port)\n\t\tlistener, err = net.Listen(\"tcp\", fmt.Sprintf(\"%s:%d\", address, port))\n\t}\n\tif err != nil {\n\t\treturn err\n\t}\n\tif listenerWrapper != nil {\n\t\tlistener, err = listenerWrapper(listener)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tlogger.Info(logSender, \"\", \"server listener registered, address: %s TLS enabled: %t\", listener.Addr().String(), isTLS)\n\n\tdefer listener.Close()\n\n\tif isTLS {\n\t\treturn srv.ServeTLS(listener, \"\", \"\")\n\t}\n\treturn srv.Serve(listener)\n}\n\n// GetTLSCiphersFromNames returns the TLS ciphers from the specified names\nfunc GetTLSCiphersFromNames(cipherNames []string) []uint16 {\n\tvar ciphers []uint16\n\n\tfor _, name := range RemoveDuplicates(cipherNames, false) {\n\t\tfor _, c := range tls.CipherSuites() {\n\t\t\tif c.Name == strings.TrimSpace(name) {\n\t\t\t\tciphers = append(ciphers, c.ID)\n\t\t\t}\n\t\t}\n\t\tfor _, c := range tls.InsecureCipherSuites() {\n\t\t\tif c.Name == strings.TrimSpace(name) {\n\t\t\t\tciphers = append(ciphers, c.ID)\n\t\t\t}\n\t\t}\n\t}\n\n\tif len(ciphers) == 0 {\n\t\t// return a secure default\n\t\treturn defaultTLSCiphers\n\t}\n\n\treturn ciphers\n}\n\n// GetALPNProtocols returns the ALPN protocols, any invalid protocol will be\n// silently ignored. If no protocol or no valid protocol is provided the default\n// is http/1.1, h2\nfunc GetALPNProtocols(protocols []string) []string {\n\tvar result []string\n\tfor _, p := range protocols {\n\t\tswitch p {\n\t\tcase \"http/1.1\", \"h2\":\n\t\t\tresult = append(result, p)\n\t\t}\n\t}\n\tif len(result) == 0 {\n\t\treturn []string{\"http/1.1\", \"h2\"}\n\t}\n\treturn result\n}\n\n// EncodeTLSCertToPem returns the specified certificate PEM encoded.\n// This can be verified using openssl x509 -in cert.crt -text -noout\nfunc EncodeTLSCertToPem(tlsCert *x509.Certificate) (string, error) {\n\tif len(tlsCert.Raw) == 0 {\n\t\treturn \"\", errors.New(\"invalid x509 certificate, no der contents\")\n\t}\n\tpublicKeyBlock := pem.Block{\n\t\tType: \"CERTIFICATE\",\n\t\tBytes: tlsCert.Raw,\n\t}\n\treturn BytesToString(pem.EncodeToMemory(&publicKeyBlock)), nil\n}\n\n// CheckTCP4Port quits the app if bind on the given IPv4 port fails.\n// This is a ugly hack to avoid to bind on an already used port.\n// It is required on Windows only. Upstream does not consider this\n// behaviour a bug:\n// https://github.com/golang/go/issues/45150\nfunc CheckTCP4Port(port int) {\n\tif runtime.GOOS != osWindows {\n\t\treturn\n\t}\n\tlistener, err := net.Listen(\"tcp4\", fmt.Sprintf(\":%d\", port))\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"unable to bind on tcp4 address: %v\", err)\n\t\tlogger.Error(logSender, \"\", \"unable to bind on tcp4 address: %v\", err)\n\t\tos.Exit(1)\n\t}\n\tlistener.Close()\n}\n\n// IsByteArrayEmpty return true if the byte array is empty or a new line\nfunc IsByteArrayEmpty(b []byte) bool {\n\tif len(b) == 0 {\n\t\treturn true\n\t}\n\tif bytes.Equal(b, []byte(\"\\n\")) {\n\t\treturn true\n\t}\n\tif bytes.Equal(b, []byte(\"\\r\\n\")) {\n\t\treturn true\n\t}\n\treturn false\n}\n\n// GetSSHPublicKeyAsString returns an SSH public key serialized as string\nfunc GetSSHPublicKeyAsString(pubKey []byte) (string, error) {\n\tif len(pubKey) == 0 {\n\t\treturn \"\", nil\n\t}\n\tk, err := ssh.ParsePublicKey(pubKey)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn BytesToString(ssh.MarshalAuthorizedKey(k)), nil\n}\n\n// GetRealIP returns the ip address as result of parsing the specified\n// header and using the specified depth\nfunc GetRealIP(r *http.Request, header string, depth int) string {\n\tif header == \"\" {\n\t\treturn \"\"\n\t}\n\tvar ipAddresses []string\n\n\tfor _, h := range r.Header.Values(header) {\n\t\tfor ipStr := range strings.SplitSeq(h, \",\") {\n\t\t\tipStr = strings.TrimSpace(ipStr)\n\t\t\tipAddresses = append(ipAddresses, ipStr)\n\t\t}\n\t}\n\n\tidx := len(ipAddresses) - 1 - depth\n\tif idx >= 0 {\n\t\tip := strings.TrimSpace(ipAddresses[idx])\n\t\tif ip == \"\" || net.ParseIP(ip) == nil {\n\t\t\treturn \"\"\n\t\t}\n\t\treturn ip\n\t}\n\n\treturn \"\"\n}\n\n// GetHTTPLocalAddress returns the local address for an http.Request\n// or empty if it cannot be determined\nfunc GetHTTPLocalAddress(r *http.Request) string {\n\tif r == nil {\n\t\treturn \"\"\n\t}\n\tlocalAddr, ok := r.Context().Value(http.LocalAddrContextKey).(net.Addr)\n\tif ok {\n\t\treturn localAddr.String()\n\t}\n\treturn \"\"\n}\n\n// ParseAllowedIPAndRanges returns a list of functions that allow to find if an\n// IP is equal or is contained within the allowed list\nfunc ParseAllowedIPAndRanges(allowed []string) ([]func(net.IP) bool, error) {\n\tres := make([]func(net.IP) bool, len(allowed))\n\tfor i, allowFrom := range allowed {\n\t\tif strings.LastIndex(allowFrom, \"/\") > 0 {\n\t\t\t_, ipRange, err := net.ParseCIDR(allowFrom)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, fmt.Errorf(\"given string %q is not a valid IP range: %v\", allowFrom, err)\n\t\t\t}\n\n\t\t\tres[i] = ipRange.Contains\n\t\t} else {\n\t\t\tallowed := net.ParseIP(allowFrom)\n\t\t\tif allowed == nil {\n\t\t\t\treturn nil, fmt.Errorf(\"given string %q is not a valid IP address\", allowFrom)\n\t\t\t}\n\n\t\t\tres[i] = allowed.Equal\n\t\t}\n\t}\n\n\treturn res, nil\n}\n\n// GetRedactedURL returns the url redacting the password if any\nfunc GetRedactedURL(rawurl string) string {\n\tif !strings.HasPrefix(rawurl, \"http\") {\n\t\treturn rawurl\n\t}\n\tu, err := url.Parse(rawurl)\n\tif err != nil {\n\t\treturn rawurl\n\t}\n\treturn u.Redacted()\n}\n\n// GetTLSVersion returns the TLS version from an integer value:\n// - 10 means TLS 1.0\n// - 11 means TLS 1.1\n// - 12 means TLS 1.2\n// - 13 means TLS 1.3\n// default is TLS 1.2\nfunc GetTLSVersion(val int) uint16 {\n\tswitch val {\n\tcase 13:\n\t\treturn tls.VersionTLS13\n\tcase 11:\n\t\treturn tls.VersionTLS11\n\tcase 10:\n\t\treturn tls.VersionTLS10\n\tdefault:\n\t\treturn tls.VersionTLS12\n\t}\n}\n\n// IsEmailValid returns true if the specified email address is valid\nfunc IsEmailValid(email string) bool {\n\treturn emailRegex.MatchString(email)\n}\n\n// SanitizeDomain return the specified domain name in a form suitable to save as file\nfunc SanitizeDomain(domain string) string {\n\treturn strings.NewReplacer(\":\", \"_\", \"*\", \"_\", \",\", \"_\", \" \", \"_\").Replace(domain)\n}\n\n// PanicOnError calls panic if err is not nil\nfunc PanicOnError(err error) {\n\tif err != nil {\n\t\tpanic(fmt.Errorf(\"unexpected error: %w\", err))\n\t}\n}\n\n// GetAbsolutePath returns an absolute path using the current dir as base\n// if name defines a relative path\nfunc GetAbsolutePath(name string) (string, error) {\n\tif name == \"\" {\n\t\treturn name, errors.New(\"input path cannot be empty\")\n\t}\n\tif filepath.IsAbs(name) {\n\t\treturn name, nil\n\t}\n\tcurDir, err := os.Getwd()\n\tif err != nil {\n\t\treturn name, err\n\t}\n\treturn filepath.Join(curDir, name), nil\n}\n\n// GetACMECertificateKeyPair returns the path to the ACME TLS crt and key for the specified domain\nfunc GetACMECertificateKeyPair(domain string) (string, string) {\n\tif CertsBasePath == \"\" {\n\t\treturn \"\", \"\"\n\t}\n\tdomain = SanitizeDomain(domain)\n\treturn filepath.Join(CertsBasePath, domain+\".crt\"), filepath.Join(CertsBasePath, domain+\".key\")\n}\n\n// GetLastIPForPrefix returns the last IP for the given prefix\n// https://github.com/go4org/netipx/blob/8449b0a6169f5140fb0340cb4fc0de4c9b281ef6/netipx.go#L173\nfunc GetLastIPForPrefix(p netip.Prefix) netip.Addr {\n\tif !p.IsValid() {\n\t\treturn netip.Addr{}\n\t}\n\ta16 := p.Addr().As16()\n\tvar off uint8\n\tvar bits uint8 = 128\n\tif p.Addr().Is4() {\n\t\toff = 12\n\t\tbits = 32\n\t}\n\tfor b := uint8(p.Bits()); b < bits; b++ {\n\t\tbyteNum, bitInByte := b/8, 7-(b%8)\n\t\ta16[off+byteNum] |= 1 << uint(bitInByte)\n\t}\n\tif p.Addr().Is4() {\n\t\treturn netip.AddrFrom16(a16).Unmap()\n\t}\n\treturn netip.AddrFrom16(a16) // doesn't unmap\n}\n\n// JSONEscape returns the JSON escaped format for the input string\nfunc JSONEscape(val string) string {\n\tif val == \"\" {\n\t\treturn val\n\t}\n\tb, err := json.Marshal(val)\n\tif err != nil {\n\t\treturn \"\"\n\t}\n\treturn BytesToString(b[1 : len(b)-1])\n}\n\n// ReadConfigFromFile reads a configuration parameter from the specified file\nfunc ReadConfigFromFile(name, configDir string) (string, error) {\n\tif !IsFileInputValid(name) {\n\t\treturn \"\", fmt.Errorf(\"invalid file input: %q\", name)\n\t}\n\tif configDir == \"\" {\n\t\tif !filepath.IsAbs(name) {\n\t\t\treturn \"\", fmt.Errorf(\"%q must be an absolute file path\", name)\n\t\t}\n\t} else {\n\t\tif name != \"\" && !filepath.IsAbs(name) {\n\t\t\tname = filepath.Join(configDir, name)\n\t\t}\n\t}\n\tval, err := os.ReadFile(name)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn strings.TrimSpace(BytesToString(val)), nil\n}\n\n// SlicesEqual checks if the provided slices contain the same elements,\n// also in different order.\nfunc SlicesEqual(s1, s2 []string) bool {\n\tif len(s1) != len(s2) {\n\t\treturn false\n\t}\n\tfor _, v := range s1 {\n\t\tif !slices.Contains(s2, v) {\n\t\t\treturn false\n\t\t}\n\t}\n\n\treturn true\n}\n\n// VerifyFileChecksum computes the hash of the given file using the provided\n// hash algorithm and compares it against the expected checksum (in hex format).\n// It returns an error if the checksum does not match or if the operation fails.\nfunc VerifyFileChecksum(filePath string, h hash.Hash, expectedHex string, maxSize int64) error {\n\texpected, err := hex.DecodeString(expectedHex)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"invalid checksum %q: %w\", expectedHex, err)\n\t}\n\n\tf, err := os.Open(filePath)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer f.Close()\n\n\tif maxSize > 0 {\n\t\tfi, err := f.Stat()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif fi.Size() > maxSize {\n\t\t\treturn fmt.Errorf(\"file too large: %s\", ByteCountIEC(fi.Size()))\n\t\t}\n\t}\n\n\tif _, err := io.Copy(h, f); err != nil {\n\t\treturn err\n\t}\n\n\tactual := h.Sum(nil)\n\tif subtle.ConstantTimeCompare(actual, expected) != 1 {\n\t\treturn errors.New(\"checksum mismatch\")\n\t}\n\n\treturn nil\n}\n" }, { "path": "internal/util/util_fallback.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build !unix\n\npackage util\n\nimport (\n\t\"runtime\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n)\n\n// SetUmask sets the specified umask\nfunc SetUmask(val string) {\n\tif val == \"\" {\n\t\treturn\n\t}\n\tlogger.Debug(logSender, \"\", \"umask not supported on OS %q\", runtime.GOOS)\n}\n" }, { "path": "internal/util/util_unix.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build unix\n\npackage util\n\nimport (\n\t\"strconv\"\n\t\"syscall\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n)\n\n// SetUmask sets the specified umask\nfunc SetUmask(val string) {\n\tif val == \"\" {\n\t\treturn\n\t}\n\tumask, err := strconv.ParseUint(val, 8, 31)\n\tif err != nil {\n\t\tlogger.Error(logSender, \"\", \"invalid umask %q: %v\", val, err)\n\t\treturn\n\t}\n\tlogger.Debug(logSender, \"\", \"set umask to: %d, configured value: %q\", umask, val)\n\tsyscall.Umask(int(umask))\n}\n" }, { "path": "internal/version/version.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n// Package version defines SFTPGo version details\npackage version\n\nimport \"strings\"\n\nconst (\n\tversion = \"2.7.99-dev\"\n\tappName = \"SFTPGo\"\n)\n\nvar (\n\tcommit = \"\"\n\tdate = \"\"\n\tinfo Info\n)\n\nvar (\n\tconfig string\n)\n\n// Info defines version details\ntype Info struct {\n\tVersion string `json:\"version\"`\n\tBuildDate string `json:\"build_date\"`\n\tCommitHash string `json:\"commit_hash\"`\n\tFeatures []string `json:\"features\"`\n}\n\n// GetAsString returns the string representation of the version\nfunc GetAsString() string {\n\tvar sb strings.Builder\n\tsb.WriteString(info.Version)\n\tif info.CommitHash != \"\" {\n\t\tsb.WriteString(\"-\")\n\t\tsb.WriteString(info.CommitHash)\n\t}\n\tif info.BuildDate != \"\" {\n\t\tsb.WriteString(\"-\")\n\t\tsb.WriteString(info.BuildDate)\n\t}\n\tif len(info.Features) > 0 {\n\t\tsb.WriteString(\" \")\n\t\tsb.WriteString(strings.Join(info.Features, \" \"))\n\t}\n\treturn sb.String()\n}\n\nfunc init() {\n\tinfo = Info{\n\t\tVersion: version,\n\t\tCommitHash: commit,\n\t\tBuildDate: date,\n\t}\n}\n\n// AddFeature adds a feature description\nfunc AddFeature(feature string) {\n\tinfo.Features = append(info.Features, feature)\n}\n\n// Get returns the Info struct\nfunc Get() Info {\n\treturn info\n}\n\n// SetConfig sets the version configuration\nfunc SetConfig(val string) {\n\tconfig = val\n}\n\n// GetServerVersion returns the server version according to the configuration\n// and the provided parameters.\nfunc GetServerVersion(separator string, addHash bool) string {\n\tvar sb strings.Builder\n\tsb.WriteString(appName)\n\tif config != \"short\" {\n\t\tsb.WriteString(separator)\n\t\tsb.WriteString(info.Version)\n\t}\n\tif addHash {\n\t\tsb.WriteString(separator)\n\t\tsb.WriteString(info.CommitHash)\n\t}\n\treturn sb.String()\n}\n\n// GetVersionHash returns the server identification string with the commit hash.\nfunc GetVersionHash() string {\n\tvar sb strings.Builder\n\tsb.WriteString(appName)\n\tsb.WriteString(\"-\")\n\tsb.WriteString(info.CommitHash)\n\treturn sb.String()\n}\n" }, { "path": "internal/vfs/azblobfs.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build !noazblob\n\npackage vfs\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"encoding/base64\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"mime\"\n\t\"net/http\"\n\t\"os\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"strconv\"\n\t\"strings\"\n\t\"sync\"\n\t\"sync/atomic\"\n\t\"time\"\n\n\t\"github.com/Azure/azure-sdk-for-go/sdk/azcore\"\n\t\"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy\"\n\t\"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime\"\n\t\"github.com/Azure/azure-sdk-for-go/sdk/azcore/to\"\n\t\"github.com/Azure/azure-sdk-for-go/sdk/azidentity\"\n\t\"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/blob\"\n\t\"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/blockblob\"\n\t\"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/container\"\n\t\"github.com/google/uuid\"\n\t\"github.com/pkg/sftp\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/metric\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n)\n\nconst (\n\tazureDefaultEndpoint = \"blob.core.windows.net\"\n\tazFolderKey = \"hdi_isfolder\"\n)\n\nvar (\n\tazureBlobDefaultPageSize = int32(5000)\n)\n\n// AzureBlobFs is a Fs implementation for Azure Blob storage.\ntype AzureBlobFs struct {\n\tconnectionID string\n\tlocalTempDir string\n\t// if not empty this fs is mouted as virtual folder in the specified path\n\tmountPath string\n\tconfig *AzBlobFsConfig\n\tcontainerClient *container.Client\n\tctxTimeout time.Duration\n\tctxLongTimeout time.Duration\n}\n\nfunc init() {\n\tversion.AddFeature(\"+azblob\")\n}\n\n// NewAzBlobFs returns an AzBlobFs object that allows to interact with Azure Blob storage\nfunc NewAzBlobFs(connectionID, localTempDir, mountPath string, config AzBlobFsConfig) (Fs, error) {\n\tif localTempDir == \"\" {\n\t\tlocalTempDir = getLocalTempDir()\n\t}\n\tfs := &AzureBlobFs{\n\t\tconnectionID: connectionID,\n\t\tlocalTempDir: localTempDir,\n\t\tmountPath: getMountPath(mountPath),\n\t\tconfig: &config,\n\t\tctxTimeout: 30 * time.Second,\n\t\tctxLongTimeout: 90 * time.Second,\n\t}\n\tif err := fs.config.validate(); err != nil {\n\t\treturn fs, err\n\t}\n\n\tif err := fs.config.tryDecrypt(); err != nil {\n\t\treturn fs, err\n\t}\n\n\tfs.setConfigDefaults()\n\n\tif fs.config.SASURL.GetPayload() != \"\" {\n\t\treturn fs.initFromSASURL()\n\t}\n\n\tvar endpoint string\n\tif fs.config.UseEmulator {\n\t\tendpoint = fmt.Sprintf(\"%s/%s\", fs.config.Endpoint, fs.config.AccountName)\n\t} else {\n\t\tendpoint = fmt.Sprintf(\"https://%s.%s/\", fs.config.AccountName, fs.config.Endpoint)\n\t}\n\tcontainerURL := runtime.JoinPaths(endpoint, fs.config.Container)\n\tif fs.config.AccountKey.GetPayload() != \"\" {\n\t\tcredential, err := blob.NewSharedKeyCredential(fs.config.AccountName, fs.config.AccountKey.GetPayload())\n\t\tif err != nil {\n\t\t\treturn fs, fmt.Errorf(\"invalid credentials: %v\", err)\n\t\t}\n\t\tsvc, err := container.NewClientWithSharedKeyCredential(containerURL, credential, getAzContainerClientOptions())\n\t\tif err != nil {\n\t\t\treturn fs, fmt.Errorf(\"unable to create the storage client using shared key credentials: %v\", err)\n\t\t}\n\t\tfs.containerClient = svc\n\t\treturn fs, err\n\t}\n\tcredential, err := azidentity.NewDefaultAzureCredential(nil)\n\tif err != nil {\n\t\treturn fs, fmt.Errorf(\"invalid default azure credentials: %v\", err)\n\t}\n\tsvc, err := container.NewClient(containerURL, credential, getAzContainerClientOptions())\n\tif err != nil {\n\t\treturn fs, fmt.Errorf(\"unable to create the storage client using azure credentials: %v\", err)\n\t}\n\tfs.containerClient = svc\n\treturn fs, err\n}\n\nfunc (fs *AzureBlobFs) initFromSASURL() (Fs, error) {\n\tparts, err := blob.ParseURL(fs.config.SASURL.GetPayload())\n\tif err != nil {\n\t\treturn fs, fmt.Errorf(\"invalid SAS URL: %w\", err)\n\t}\n\tif parts.BlobName != \"\" {\n\t\treturn fs, fmt.Errorf(\"SAS URL with blob name not supported\")\n\t}\n\tif parts.ContainerName != \"\" {\n\t\tif fs.config.Container != \"\" && fs.config.Container != parts.ContainerName {\n\t\t\treturn fs, fmt.Errorf(\"container name in SAS URL %q and container provided %q do not match\",\n\t\t\t\tparts.ContainerName, fs.config.Container)\n\t\t}\n\t\tsvc, err := container.NewClientWithNoCredential(fs.config.SASURL.GetPayload(), getAzContainerClientOptions())\n\t\tif err != nil {\n\t\t\treturn fs, fmt.Errorf(\"invalid credentials: %v\", err)\n\t\t}\n\t\tfs.config.Container = parts.ContainerName\n\t\tfs.containerClient = svc\n\t\treturn fs, nil\n\t}\n\tif fs.config.Container == \"\" {\n\t\treturn fs, errors.New(\"container is required with this SAS URL\")\n\t}\n\tsasURL := runtime.JoinPaths(fs.config.SASURL.GetPayload(), fs.config.Container)\n\tsvc, err := container.NewClientWithNoCredential(sasURL, getAzContainerClientOptions())\n\tif err != nil {\n\t\treturn fs, fmt.Errorf(\"invalid credentials: %v\", err)\n\t}\n\tfs.containerClient = svc\n\treturn fs, nil\n}\n\n// Name returns the name for the Fs implementation\nfunc (fs *AzureBlobFs) Name() string {\n\tif !fs.config.SASURL.IsEmpty() {\n\t\treturn fmt.Sprintf(\"%s with SAS URL, container %q\", azBlobFsName, fs.config.Container)\n\t}\n\treturn fmt.Sprintf(\"%s container %q\", azBlobFsName, fs.config.Container)\n}\n\n// ConnectionID returns the connection ID associated to this Fs implementation\nfunc (fs *AzureBlobFs) ConnectionID() string {\n\treturn fs.connectionID\n}\n\n// Stat returns a FileInfo describing the named file\nfunc (fs *AzureBlobFs) Stat(name string) (os.FileInfo, error) {\n\tif name == \"\" || name == \"/\" || name == \".\" {\n\t\treturn NewFileInfo(name, true, 0, time.Unix(0, 0), false), nil\n\t}\n\tif fs.config.KeyPrefix == name+\"/\" {\n\t\treturn NewFileInfo(name, true, 0, time.Unix(0, 0), false), nil\n\t}\n\n\tattrs, err := fs.headObject(name)\n\tif err == nil {\n\t\tcontentType := util.GetStringFromPointer(attrs.ContentType)\n\t\tisDir := checkDirectoryMarkers(contentType, attrs.Metadata)\n\t\tlastModified := util.GetTimeFromPointer(attrs.LastModified)\n\t\tif val := getAzureLastModified(attrs.Metadata); val > 0 {\n\t\t\tlastModified = util.GetTimeFromMsecSinceEpoch(val)\n\t\t}\n\t\tinfo := NewFileInfo(name, isDir, util.GetIntFromPointer(attrs.ContentLength), lastModified, false)\n\t\tif !isDir {\n\t\t\tinfo.setMetadataFromPointerVal(attrs.Metadata)\n\t\t}\n\t\treturn info, nil\n\t}\n\tif !fs.IsNotExist(err) {\n\t\treturn nil, err\n\t}\n\t// now check if this is a prefix (virtual directory)\n\thasContents, err := fs.hasContents(name)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif hasContents {\n\t\treturn NewFileInfo(name, true, 0, time.Unix(0, 0), false), nil\n\t}\n\treturn nil, os.ErrNotExist\n}\n\n// Lstat returns a FileInfo describing the named file\nfunc (fs *AzureBlobFs) Lstat(name string) (os.FileInfo, error) {\n\treturn fs.Stat(name)\n}\n\n// Open opens the named file for reading\nfunc (fs *AzureBlobFs) Open(name string, offset int64) (File, PipeReader, func(), error) {\n\tr, w, err := createPipeFn(fs.localTempDir, fs.config.DownloadPartSize*int64(fs.config.DownloadConcurrency)+1)\n\tif err != nil {\n\t\treturn nil, nil, nil, err\n\t}\n\tp := NewPipeReader(r)\n\tctx, cancelFn := context.WithCancel(context.Background())\n\n\tgo func() {\n\t\tdefer cancelFn()\n\n\t\tblockBlob := fs.containerClient.NewBlockBlobClient(name)\n\t\terr := fs.handleMultipartDownload(ctx, blockBlob, offset, w, p)\n\t\tw.CloseWithError(err) //nolint:errcheck\n\t\tfsLog(fs, logger.LevelDebug, \"download completed, path: %q size: %v, err: %+v\", name, w.GetWrittenBytes(), err)\n\t\tmetric.AZTransferCompleted(w.GetWrittenBytes(), 1, err)\n\t}()\n\n\treturn nil, p, cancelFn, nil\n}\n\n// Create creates or opens the named file for writing\nfunc (fs *AzureBlobFs) Create(name string, flag, checks int) (File, PipeWriter, func(), error) {\n\tif checks&CheckParentDir != 0 {\n\t\t_, err := fs.Stat(path.Dir(name))\n\t\tif err != nil {\n\t\t\treturn nil, nil, nil, err\n\t\t}\n\t}\n\tr, w, err := createPipeFn(fs.localTempDir, fs.config.UploadPartSize+1024*1024)\n\tif err != nil {\n\t\treturn nil, nil, nil, err\n\t}\n\tctx, cancelFn := context.WithCancel(context.Background())\n\n\tvar p PipeWriter\n\tif checks&CheckResume != 0 {\n\t\tp = newPipeWriterAtOffset(w, 0)\n\t} else {\n\t\tp = NewPipeWriter(w)\n\t}\n\theaders := blob.HTTPHeaders{}\n\tvar contentType string\n\tvar metadata map[string]*string\n\tif flag == -1 {\n\t\tcontentType = dirMimeType\n\t\tmetadata = map[string]*string{\n\t\t\tazFolderKey: util.NilIfEmpty(\"true\"),\n\t\t}\n\t} else {\n\t\tcontentType = mime.TypeByExtension(path.Ext(name))\n\t}\n\tif contentType != \"\" {\n\t\theaders.BlobContentType = &contentType\n\t}\n\n\tgo func() {\n\t\tdefer cancelFn()\n\n\t\tblockBlob := fs.containerClient.NewBlockBlobClient(name)\n\t\terr := fs.handleMultipartUpload(ctx, r, blockBlob, &headers, metadata)\n\t\tr.CloseWithError(err) //nolint:errcheck\n\t\tp.Done(err)\n\t\tfsLog(fs, logger.LevelDebug, \"upload completed, path: %q, readed bytes: %v, err: %+v\", name, r.GetReadedBytes(), err)\n\t\tmetric.AZTransferCompleted(r.GetReadedBytes(), 0, err)\n\t}()\n\n\tif checks&CheckResume != 0 {\n\t\treadCh := make(chan error, 1)\n\n\t\tgo func() {\n\t\t\tn, err := fs.downloadToWriter(name, p)\n\t\t\tpw := p.(*pipeWriterAtOffset)\n\t\t\tpw.offset = 0\n\t\t\tpw.writeOffset = n\n\t\t\treadCh <- err\n\t\t}()\n\n\t\terr = <-readCh\n\t\tif err != nil {\n\t\t\tcancelFn()\n\t\t\tp.Close()\n\t\t\tfsLog(fs, logger.LevelDebug, \"download before resume failed, writer closed and read cancelled\")\n\t\t\treturn nil, nil, nil, err\n\t\t}\n\t}\n\n\tif uploadMode&16 != 0 {\n\t\treturn nil, p, nil, nil\n\t}\n\treturn nil, p, cancelFn, nil\n}\n\n// Rename renames (moves) source to target.\nfunc (fs *AzureBlobFs) Rename(source, target string, checks int) (int, int64, error) {\n\tif source == target {\n\t\treturn -1, -1, nil\n\t}\n\tif checks&CheckParentDir != 0 {\n\t\t_, err := fs.Stat(path.Dir(target))\n\t\tif err != nil {\n\t\t\treturn -1, -1, err\n\t\t}\n\t}\n\tfi, err := fs.Stat(source)\n\tif err != nil {\n\t\treturn -1, -1, err\n\t}\n\treturn fs.renameInternal(source, target, fi, 0, checks&CheckUpdateModTime != 0)\n}\n\n// Remove removes the named file or (empty) directory.\nfunc (fs *AzureBlobFs) Remove(name string, isDir bool) error {\n\tif isDir {\n\t\thasContents, err := fs.hasContents(name)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif hasContents {\n\t\t\treturn fmt.Errorf(\"cannot remove non empty directory: %q\", name)\n\t\t}\n\t}\n\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\tdefer cancelFn()\n\n\tblobBlock := fs.containerClient.NewBlockBlobClient(name)\n\tvar deletSnapshots blob.DeleteSnapshotsOptionType\n\tif !isDir {\n\t\tdeletSnapshots = blob.DeleteSnapshotsOptionTypeInclude\n\t}\n\t_, err := blobBlock.Delete(ctx, &blob.DeleteOptions{\n\t\tDeleteSnapshots: &deletSnapshots,\n\t})\n\tif err != nil && isDir {\n\t\tif fs.isBadRequestError(err) {\n\t\t\tdeletSnapshots = blob.DeleteSnapshotsOptionTypeInclude\n\t\t\t_, err = blobBlock.Delete(ctx, &blob.DeleteOptions{\n\t\t\t\tDeleteSnapshots: &deletSnapshots,\n\t\t\t})\n\t\t}\n\t}\n\tmetric.AZDeleteObjectCompleted(err)\n\treturn err\n}\n\n// Mkdir creates a new directory with the specified name and default permissions\nfunc (fs *AzureBlobFs) Mkdir(name string) error {\n\t_, err := fs.Stat(name)\n\tif !fs.IsNotExist(err) {\n\t\treturn err\n\t}\n\treturn fs.mkdirInternal(name)\n}\n\n// Symlink creates source as a symbolic link to target.\nfunc (*AzureBlobFs) Symlink(_, _ string) error {\n\treturn ErrVfsUnsupported\n}\n\n// Readlink returns the destination of the named symbolic link\nfunc (*AzureBlobFs) Readlink(_ string) (string, error) {\n\treturn \"\", ErrVfsUnsupported\n}\n\n// Chown changes the numeric uid and gid of the named file.\nfunc (*AzureBlobFs) Chown(_ string, _ int, _ int) error {\n\treturn ErrVfsUnsupported\n}\n\n// Chmod changes the mode of the named file to mode.\nfunc (*AzureBlobFs) Chmod(_ string, _ os.FileMode) error {\n\treturn ErrVfsUnsupported\n}\n\n// Chtimes changes the access and modification times of the named file.\nfunc (fs *AzureBlobFs) Chtimes(name string, _, mtime time.Time, isUploading bool) error {\n\tif isUploading {\n\t\treturn nil\n\t}\n\tprops, err := fs.headObject(name)\n\tif err != nil {\n\t\treturn err\n\t}\n\tmetadata := props.Metadata\n\tif metadata == nil {\n\t\tmetadata = make(map[string]*string)\n\t}\n\tfound := false\n\tfor k := range metadata {\n\t\tif strings.EqualFold(k, lastModifiedField) {\n\t\t\tmetadata[k] = to.Ptr(strconv.FormatInt(mtime.UnixMilli(), 10))\n\t\t\tfound = true\n\t\t\tbreak\n\t\t}\n\t}\n\tif !found {\n\t\tmetadata[lastModifiedField] = to.Ptr(strconv.FormatInt(mtime.UnixMilli(), 10))\n\t}\n\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\tdefer cancelFn()\n\n\t_, err = fs.containerClient.NewBlockBlobClient(name).SetMetadata(ctx, metadata, &blob.SetMetadataOptions{})\n\treturn err\n}\n\n// Truncate changes the size of the named file.\n// Truncate by path is not supported, while truncating an opened\n// file is handled inside base transfer\nfunc (*AzureBlobFs) Truncate(_ string, _ int64) error {\n\treturn ErrVfsUnsupported\n}\n\n// ReadDir reads the directory named by dirname and returns\n// a list of directory entries.\nfunc (fs *AzureBlobFs) ReadDir(dirname string) (DirLister, error) {\n\t// dirname must be already cleaned\n\tprefix := fs.getPrefix(dirname)\n\tpager := fs.containerClient.NewListBlobsHierarchyPager(\"/\", &container.ListBlobsHierarchyOptions{\n\t\tInclude: container.ListBlobsInclude{\n\t\t\tMetadata: true,\n\t\t},\n\t\tPrefix: &prefix,\n\t\tMaxResults: &azureBlobDefaultPageSize,\n\t})\n\n\treturn &azureBlobDirLister{\n\t\tpaginator: pager,\n\t\ttimeout: fs.ctxTimeout,\n\t\tprefix: prefix,\n\t\tprefixes: make(map[string]bool),\n\t}, nil\n}\n\n// IsUploadResumeSupported returns true if resuming uploads is supported.\n// Resuming uploads is not supported on Azure Blob\nfunc (*AzureBlobFs) IsUploadResumeSupported() bool {\n\treturn false\n}\n\n// IsConditionalUploadResumeSupported returns if resuming uploads is supported\n// for the specified size\nfunc (*AzureBlobFs) IsConditionalUploadResumeSupported(size int64) bool {\n\treturn size <= resumeMaxSize\n}\n\n// IsAtomicUploadSupported returns true if atomic upload is supported.\n// Azure Blob uploads are already atomic, we don't need to upload to a temporary\n// file\nfunc (*AzureBlobFs) IsAtomicUploadSupported() bool {\n\treturn false\n}\n\n// IsNotExist returns a boolean indicating whether the error is known to\n// report that a file or directory does not exist\nfunc (*AzureBlobFs) IsNotExist(err error) bool {\n\tif err == nil {\n\t\treturn false\n\t}\n\tvar respErr *azcore.ResponseError\n\tif errors.As(err, &respErr) {\n\t\treturn respErr.StatusCode == http.StatusNotFound\n\t}\n\t// os.ErrNotExist can be returned internally by fs.Stat\n\treturn errors.Is(err, os.ErrNotExist)\n}\n\n// IsPermission returns a boolean indicating whether the error is known to\n// report that permission is denied.\nfunc (*AzureBlobFs) IsPermission(err error) bool {\n\tif err == nil {\n\t\treturn false\n\t}\n\tvar respErr *azcore.ResponseError\n\tif errors.As(err, &respErr) {\n\t\treturn respErr.StatusCode == http.StatusForbidden || respErr.StatusCode == http.StatusUnauthorized\n\t}\n\treturn false\n}\n\n// IsNotSupported returns true if the error indicate an unsupported operation\nfunc (*AzureBlobFs) IsNotSupported(err error) bool {\n\tif err == nil {\n\t\treturn false\n\t}\n\treturn errors.Is(err, ErrVfsUnsupported)\n}\n\nfunc (*AzureBlobFs) isBadRequestError(err error) bool {\n\tif err == nil {\n\t\treturn false\n\t}\n\tvar respErr *azcore.ResponseError\n\tif errors.As(err, &respErr) {\n\t\treturn respErr.StatusCode == http.StatusBadRequest\n\t}\n\treturn false\n}\n\n// CheckRootPath creates the specified local root directory if it does not exists\nfunc (fs *AzureBlobFs) CheckRootPath(username string, uid int, gid int) bool {\n\t// we need a local directory for temporary files\n\tosFs := NewOsFs(fs.ConnectionID(), fs.localTempDir, \"\", nil)\n\treturn osFs.CheckRootPath(username, uid, gid)\n}\n\n// ScanRootDirContents returns the number of files contained in the bucket,\n// and their size\nfunc (fs *AzureBlobFs) ScanRootDirContents() (int, int64, error) {\n\treturn fs.GetDirSize(fs.config.KeyPrefix)\n}\n\n// GetDirSize returns the number of files and the size for a folder\n// including any subfolders\nfunc (fs *AzureBlobFs) GetDirSize(dirname string) (int, int64, error) {\n\tnumFiles := 0\n\tsize := int64(0)\n\tprefix := fs.getPrefix(dirname)\n\n\tpager := fs.containerClient.NewListBlobsFlatPager(&container.ListBlobsFlatOptions{\n\t\tInclude: container.ListBlobsInclude{\n\t\t\tMetadata: true,\n\t\t},\n\t\tPrefix: &prefix,\n\t\tMaxResults: &azureBlobDefaultPageSize,\n\t})\n\n\tfor pager.More() {\n\t\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\t\tdefer cancelFn()\n\n\t\tresp, err := pager.NextPage(ctx)\n\t\tif err != nil {\n\t\t\tmetric.AZListObjectsCompleted(err)\n\t\t\treturn numFiles, size, err\n\t\t}\n\t\tfor _, blobItem := range resp.Segment.BlobItems {\n\t\t\tif blobItem.Properties != nil {\n\t\t\t\tcontentType := util.GetStringFromPointer(blobItem.Properties.ContentType)\n\t\t\t\tisDir := checkDirectoryMarkers(contentType, blobItem.Metadata)\n\t\t\t\tblobSize := util.GetIntFromPointer(blobItem.Properties.ContentLength)\n\t\t\t\tif isDir && blobSize == 0 {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tnumFiles++\n\t\t\t\tsize += blobSize\n\t\t\t}\n\t\t}\n\t\tfsLog(fs, logger.LevelDebug, \"scan in progress for %q, files: %d, size: %d\", dirname, numFiles, size)\n\t}\n\tmetric.AZListObjectsCompleted(nil)\n\n\treturn numFiles, size, nil\n}\n\n// GetAtomicUploadPath returns the path to use for an atomic upload.\n// Azure Blob Storage uploads are already atomic, we never call this method\nfunc (*AzureBlobFs) GetAtomicUploadPath(_ string) string {\n\treturn \"\"\n}\n\n// GetRelativePath returns the path for a file relative to the user's home dir.\n// This is the path as seen by SFTPGo users\nfunc (fs *AzureBlobFs) GetRelativePath(name string) string {\n\trel := path.Clean(name)\n\tif rel == \".\" {\n\t\trel = \"\"\n\t}\n\tif !path.IsAbs(rel) {\n\t\trel = \"/\" + rel\n\t}\n\tif fs.config.KeyPrefix != \"\" {\n\t\tif !strings.HasPrefix(rel, \"/\"+fs.config.KeyPrefix) {\n\t\t\trel = \"/\"\n\t\t}\n\t\trel = path.Clean(\"/\" + strings.TrimPrefix(rel, \"/\"+fs.config.KeyPrefix))\n\t}\n\tif fs.mountPath != \"\" {\n\t\trel = path.Join(fs.mountPath, rel)\n\t}\n\treturn rel\n}\n\n// Walk walks the file tree rooted at root, calling walkFn for each file or\n// directory in the tree, including root\nfunc (fs *AzureBlobFs) Walk(root string, walkFn filepath.WalkFunc) error {\n\tprefix := fs.getPrefix(root)\n\tpager := fs.containerClient.NewListBlobsFlatPager(&container.ListBlobsFlatOptions{\n\t\tInclude: container.ListBlobsInclude{\n\t\t\tMetadata: true,\n\t\t},\n\t\tPrefix: &prefix,\n\t\tMaxResults: &azureBlobDefaultPageSize,\n\t})\n\n\tfor pager.More() {\n\t\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\t\tdefer cancelFn()\n\n\t\tresp, err := pager.NextPage(ctx)\n\t\tif err != nil {\n\t\t\tmetric.AZListObjectsCompleted(err)\n\t\t\treturn err\n\t\t}\n\t\tfor _, blobItem := range resp.Segment.BlobItems {\n\t\t\tname := util.GetStringFromPointer(blobItem.Name)\n\t\t\tif fs.isEqual(name, prefix) {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tblobSize := int64(0)\n\t\t\tlastModified := time.Unix(0, 0)\n\t\t\tisDir := false\n\t\t\tif blobItem.Properties != nil {\n\t\t\t\tcontentType := util.GetStringFromPointer(blobItem.Properties.ContentType)\n\t\t\t\tisDir = checkDirectoryMarkers(contentType, blobItem.Metadata)\n\t\t\t\tblobSize = util.GetIntFromPointer(blobItem.Properties.ContentLength)\n\t\t\t\tlastModified = util.GetTimeFromPointer(blobItem.Properties.LastModified)\n\t\t\t\tif val := getAzureLastModified(blobItem.Metadata); val > 0 {\n\t\t\t\t\tlastModified = util.GetTimeFromMsecSinceEpoch(val)\n\t\t\t\t}\n\t\t\t}\n\t\t\terr := walkFn(name, NewFileInfo(name, isDir, blobSize, lastModified, false), nil)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t}\n\n\tmetric.AZListObjectsCompleted(nil)\n\treturn walkFn(root, NewFileInfo(root, true, 0, time.Unix(0, 0), false), nil)\n}\n\n// Join joins any number of path elements into a single path\nfunc (*AzureBlobFs) Join(elem ...string) string {\n\treturn strings.TrimPrefix(path.Join(elem...), \"/\")\n}\n\n// HasVirtualFolders returns true if folders are emulated\nfunc (*AzureBlobFs) HasVirtualFolders() bool {\n\treturn true\n}\n\n// ResolvePath returns the matching filesystem path for the specified sftp path\nfunc (fs *AzureBlobFs) ResolvePath(virtualPath string) (string, error) {\n\tif fs.mountPath != \"\" {\n\t\tif after, found := strings.CutPrefix(virtualPath, fs.mountPath); found {\n\t\t\tvirtualPath = after\n\t\t}\n\t}\n\tvirtualPath = path.Clean(\"/\" + virtualPath)\n\treturn fs.Join(fs.config.KeyPrefix, strings.TrimPrefix(virtualPath, \"/\")), nil\n}\n\n// CopyFile implements the FsFileCopier interface\nfunc (fs *AzureBlobFs) CopyFile(source, target string, srcInfo os.FileInfo) (int, int64, error) {\n\tnumFiles := 1\n\tsizeDiff := srcInfo.Size()\n\tattrs, err := fs.headObject(target)\n\tif err == nil {\n\t\tsizeDiff -= util.GetIntFromPointer(attrs.ContentLength)\n\t\tnumFiles = 0\n\t} else {\n\t\tif !fs.IsNotExist(err) {\n\t\t\treturn 0, 0, err\n\t\t}\n\t}\n\tif err := fs.copyFileInternal(source, target, srcInfo, true); err != nil {\n\t\treturn 0, 0, err\n\t}\n\treturn numFiles, sizeDiff, nil\n}\n\nfunc (fs *AzureBlobFs) headObject(name string) (blob.GetPropertiesResponse, error) {\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\tdefer cancelFn()\n\n\tresp, err := fs.containerClient.NewBlockBlobClient(name).GetProperties(ctx, &blob.GetPropertiesOptions{})\n\n\tmetric.AZHeadObjectCompleted(err)\n\treturn resp, err\n}\n\n// GetMimeType returns the content type\nfunc (fs *AzureBlobFs) GetMimeType(name string) (string, error) {\n\tresponse, err := fs.headObject(name)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn util.GetStringFromPointer(response.ContentType), nil\n}\n\n// Close closes the fs\nfunc (*AzureBlobFs) Close() error {\n\treturn nil\n}\n\n// GetAvailableDiskSize returns the available size for the specified path\nfunc (*AzureBlobFs) GetAvailableDiskSize(_ string) (*sftp.StatVFS, error) {\n\treturn nil, ErrStorageSizeUnavailable\n}\n\nfunc (*AzureBlobFs) getPrefix(name string) string {\n\tprefix := \"\"\n\tif name != \"\" && name != \".\" {\n\t\tprefix = strings.TrimPrefix(name, \"/\")\n\t\tif !strings.HasSuffix(prefix, \"/\") {\n\t\t\tprefix += \"/\"\n\t\t}\n\t}\n\treturn prefix\n}\n\nfunc (fs *AzureBlobFs) isEqual(key string, virtualName string) bool {\n\tif key == virtualName {\n\t\treturn true\n\t}\n\tif key == virtualName+\"/\" {\n\t\treturn true\n\t}\n\tif key+\"/\" == virtualName {\n\t\treturn true\n\t}\n\treturn false\n}\n\nfunc (fs *AzureBlobFs) setConfigDefaults() {\n\tif fs.config.Endpoint == \"\" {\n\t\tfs.config.Endpoint = azureDefaultEndpoint\n\t}\n\tif fs.config.UploadPartSize == 0 {\n\t\tfs.config.UploadPartSize = 5\n\t}\n\tif fs.config.UploadPartSize < 1024*1024 {\n\t\tfs.config.UploadPartSize *= 1024 * 1024\n\t}\n\tif fs.config.UploadConcurrency == 0 {\n\t\tfs.config.UploadConcurrency = 5\n\t}\n\tif fs.config.DownloadPartSize == 0 {\n\t\tfs.config.DownloadPartSize = 5\n\t}\n\tif fs.config.DownloadPartSize < 1024*1024 {\n\t\tfs.config.DownloadPartSize *= 1024 * 1024\n\t}\n\tif fs.config.DownloadConcurrency == 0 {\n\t\tfs.config.DownloadConcurrency = 5\n\t}\n}\n\nfunc (fs *AzureBlobFs) copyFileInternal(source, target string, srcInfo os.FileInfo, updateModTime bool) error {\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxLongTimeout))\n\tdefer cancelFn()\n\n\tsrcBlob := fs.containerClient.NewBlockBlobClient(source)\n\tdstBlob := fs.containerClient.NewBlockBlobClient(target)\n\tresp, err := dstBlob.StartCopyFromURL(ctx, srcBlob.URL(), fs.getCopyOptions(srcInfo, updateModTime))\n\tif err != nil {\n\t\tmetric.AZCopyObjectCompleted(err)\n\t\treturn err\n\t}\n\tcopyStatus := blob.CopyStatusType(util.GetStringFromPointer((*string)(resp.CopyStatus)))\n\tnErrors := 0\n\tfor copyStatus == blob.CopyStatusTypePending {\n\t\t// Poll until the copy is complete.\n\t\ttime.Sleep(500 * time.Millisecond)\n\t\tresp, err := dstBlob.GetProperties(ctx, &blob.GetPropertiesOptions{})\n\t\tif err != nil {\n\t\t\t// A GetProperties failure may be transient, so allow a couple\n\t\t\t// of them before giving up.\n\t\t\tnErrors++\n\t\t\tif ctx.Err() != nil || nErrors == 3 {\n\t\t\t\tmetric.AZCopyObjectCompleted(err)\n\t\t\t\treturn err\n\t\t\t}\n\t\t} else {\n\t\t\tcopyStatus = blob.CopyStatusType(util.GetStringFromPointer((*string)(resp.CopyStatus)))\n\t\t}\n\t}\n\tif copyStatus != blob.CopyStatusTypeSuccess {\n\t\terr := fmt.Errorf(\"copy failed with status: %s\", copyStatus)\n\t\tmetric.AZCopyObjectCompleted(err)\n\t\treturn err\n\t}\n\n\tmetric.AZCopyObjectCompleted(nil)\n\treturn nil\n}\n\nfunc (fs *AzureBlobFs) renameInternal(source, target string, srcInfo os.FileInfo, recursion int,\n\tupdateModTime bool,\n) (int, int64, error) {\n\tvar numFiles int\n\tvar filesSize int64\n\n\tif srcInfo.IsDir() {\n\t\tif renameMode == 0 {\n\t\t\thasContents, err := fs.hasContents(source)\n\t\t\tif err != nil {\n\t\t\t\treturn numFiles, filesSize, err\n\t\t\t}\n\t\t\tif hasContents {\n\t\t\t\treturn numFiles, filesSize, fmt.Errorf(\"%w: cannot rename non empty directory: %q\", ErrVfsUnsupported, source)\n\t\t\t}\n\t\t}\n\t\tif err := fs.mkdirInternal(target); err != nil {\n\t\t\treturn numFiles, filesSize, err\n\t\t}\n\t\tif renameMode == 1 {\n\t\t\tfiles, size, err := doRecursiveRename(fs, source, target, fs.renameInternal, recursion, updateModTime)\n\t\t\tnumFiles += files\n\t\t\tfilesSize += size\n\t\t\tif err != nil {\n\t\t\t\treturn numFiles, filesSize, err\n\t\t\t}\n\t\t}\n\t} else {\n\t\tif err := fs.copyFileInternal(source, target, srcInfo, updateModTime); err != nil {\n\t\t\treturn numFiles, filesSize, err\n\t\t}\n\t\tnumFiles++\n\t\tfilesSize += srcInfo.Size()\n\t}\n\terr := fs.skipNotExistErr(fs.Remove(source, srcInfo.IsDir()))\n\treturn numFiles, filesSize, err\n}\n\nfunc (fs *AzureBlobFs) skipNotExistErr(err error) error {\n\tif fs.IsNotExist(err) {\n\t\treturn nil\n\t}\n\treturn err\n}\n\nfunc (fs *AzureBlobFs) mkdirInternal(name string) error {\n\t_, w, _, err := fs.Create(name, -1, 0)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn w.Close()\n}\n\nfunc (fs *AzureBlobFs) hasContents(name string) (bool, error) {\n\tresult := false\n\tprefix := fs.getPrefix(name)\n\n\tmaxResults := int32(1)\n\tpager := fs.containerClient.NewListBlobsFlatPager(&container.ListBlobsFlatOptions{\n\t\tMaxResults: &maxResults,\n\t\tPrefix: &prefix,\n\t})\n\n\tif pager.More() {\n\t\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\t\tdefer cancelFn()\n\n\t\tresp, err := pager.NextPage(ctx)\n\t\tif err != nil {\n\t\t\tmetric.AZListObjectsCompleted(err)\n\t\t\treturn result, err\n\t\t}\n\n\t\tresult = len(resp.Segment.BlobItems) > 0\n\t}\n\n\tmetric.AZListObjectsCompleted(nil)\n\treturn result, nil\n}\n\nfunc (fs *AzureBlobFs) downloadPart(ctx context.Context, blockBlob *blockblob.Client, buf []byte,\n\tw io.WriterAt, offset, count, writeOffset int64,\n) error {\n\tif count == 0 {\n\t\treturn nil\n\t}\n\n\tresp, err := blockBlob.DownloadStream(ctx, &blob.DownloadStreamOptions{\n\t\tRange: blob.HTTPRange{\n\t\t\tOffset: offset,\n\t\t\tCount: count,\n\t\t},\n\t})\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer resp.Body.Close()\n\n\t_, err = io.ReadAtLeast(resp.Body, buf, int(count))\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn writeAtFull(w, buf, writeOffset, int(count))\n}\n\nfunc (fs *AzureBlobFs) handleMultipartDownload(ctx context.Context, blockBlob *blockblob.Client,\n\toffset int64, writer io.WriterAt, pipeReader PipeReader,\n) error {\n\tprops, err := blockBlob.GetProperties(ctx, &blob.GetPropertiesOptions{})\n\tmetric.AZHeadObjectCompleted(err)\n\tif err != nil {\n\t\tfsLog(fs, logger.LevelError, \"unable to get blob properties, download aborted: %+v\", err)\n\t\treturn err\n\t}\n\tif readMetadata > 0 && pipeReader != nil {\n\t\tpipeReader.setMetadataFromPointerVal(props.Metadata)\n\t}\n\tcontentLength := util.GetIntFromPointer(props.ContentLength)\n\tsizeToDownload := contentLength - offset\n\tif sizeToDownload < 0 {\n\t\tfsLog(fs, logger.LevelError, \"invalid multipart download size or offset, size: %v, offset: %v, size to download: %v\",\n\t\t\tcontentLength, offset, sizeToDownload)\n\t\treturn errors.New(\"the requested offset exceeds the file size\")\n\t}\n\tif sizeToDownload == 0 {\n\t\tfsLog(fs, logger.LevelDebug, \"nothing to download, offset %v, content length %v\", offset, contentLength)\n\t\treturn nil\n\t}\n\tpartSize := fs.config.DownloadPartSize\n\tguard := make(chan struct{}, fs.config.DownloadConcurrency)\n\tblockCtxTimeout := time.Duration(fs.config.DownloadPartSize/(1024*1024)) * time.Minute\n\tpool := newBufferAllocator(int(partSize))\n\tdefer pool.free()\n\n\tfinished := false\n\tvar wg sync.WaitGroup\n\tvar errOnce sync.Once\n\tvar hasError atomic.Bool\n\tvar poolError error\n\n\tpoolCtx, poolCancel := context.WithCancel(ctx)\n\tdefer poolCancel()\n\n\tfor part := 0; !finished; part++ {\n\t\tstart := offset\n\t\tend := offset + partSize\n\t\tif end >= contentLength {\n\t\t\tend = contentLength\n\t\t\tfinished = true\n\t\t}\n\t\twriteOffset := int64(part) * partSize\n\t\toffset = end\n\n\t\tguard <- struct{}{}\n\t\tif hasError.Load() {\n\t\t\tfsLog(fs, logger.LevelDebug, \"pool error, download for part %v not started\", part)\n\t\t\tbreak\n\t\t}\n\n\t\tbuf := pool.getBuffer()\n\t\twg.Add(1)\n\t\tgo func(start, end, writeOffset int64, buf []byte) {\n\t\t\tdefer func() {\n\t\t\t\tpool.releaseBuffer(buf)\n\t\t\t\t<-guard\n\t\t\t\twg.Done()\n\t\t\t}()\n\n\t\t\tinnerCtx, cancelFn := context.WithDeadline(poolCtx, time.Now().Add(blockCtxTimeout))\n\t\t\tdefer cancelFn()\n\n\t\t\tcount := end - start\n\n\t\t\terr := fs.downloadPart(innerCtx, blockBlob, buf, writer, start, count, writeOffset)\n\t\t\tif err != nil {\n\t\t\t\terrOnce.Do(func() {\n\t\t\t\t\tfsLog(fs, logger.LevelError, \"multipart download error: %+v\", err)\n\t\t\t\t\thasError.Store(true)\n\t\t\t\t\tpoolError = fmt.Errorf(\"multipart download error: %w\", err)\n\t\t\t\t\tpoolCancel()\n\t\t\t\t})\n\t\t\t}\n\t\t}(start, end, writeOffset, buf)\n\t}\n\n\twg.Wait()\n\tclose(guard)\n\n\treturn poolError\n}\n\nfunc (fs *AzureBlobFs) handleMultipartUpload(ctx context.Context, reader io.Reader,\n\tblockBlob *blockblob.Client, httpHeaders *blob.HTTPHeaders, metadata map[string]*string,\n) error {\n\tpartSize := fs.config.UploadPartSize\n\tguard := make(chan struct{}, fs.config.UploadConcurrency)\n\tblockCtxTimeout := time.Duration(fs.config.UploadPartSize/(1024*1024)) * time.Minute\n\n\t// sync.Pool seems to use a lot of memory so prefer our own, very simple, allocator\n\t// we only need to recycle few byte slices\n\tpool := newBufferAllocator(int(partSize))\n\tdefer pool.free()\n\n\tfinished := false\n\tvar blocks []string\n\tvar wg sync.WaitGroup\n\tvar errOnce sync.Once\n\tvar hasError atomic.Bool\n\tvar poolError error\n\n\tpoolCtx, poolCancel := context.WithCancel(ctx)\n\tdefer poolCancel()\n\n\tfinalizeFailedUpload := func(err error) {\n\t\tfsLog(fs, logger.LevelDebug, \"multipart upload error: %+v\", err)\n\t\thasError.Store(true)\n\t\tpoolError = fmt.Errorf(\"multipart upload error: %w\", err)\n\t\tpoolCancel()\n\t}\n\n\tfor part := 0; !finished; part++ {\n\t\tbuf := pool.getBuffer()\n\n\t\tn, err := readFill(reader, buf)\n\t\tif err == io.EOF {\n\t\t\t// read finished, if n > 0 we need to process the last data chunck\n\t\t\tif n == 0 {\n\t\t\t\tpool.releaseBuffer(buf)\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tfinished = true\n\t\t} else if err != nil {\n\t\t\tpool.releaseBuffer(buf)\n\t\t\terrOnce.Do(func() {\n\t\t\t\tfinalizeFailedUpload(err)\n\t\t\t})\n\t\t\tbreak\n\t\t}\n\n\t\t// Block IDs are unique values to avoid issue if 2+ clients are uploading blocks\n\t\t// at the same time causing CommitBlockList to get a mix of blocks from all the clients.\n\t\tgeneratedUUID, err := uuid.NewRandom()\n\t\tif err != nil {\n\t\t\tpool.releaseBuffer(buf)\n\t\t\terrOnce.Do(func() {\n\t\t\t\tfinalizeFailedUpload(err)\n\t\t\t})\n\t\t\tbreak\n\t\t}\n\t\tblockID := base64.StdEncoding.EncodeToString([]byte(generatedUUID.String()))\n\t\tblocks = append(blocks, blockID)\n\n\t\tguard <- struct{}{}\n\t\tif hasError.Load() {\n\t\t\tfsLog(fs, logger.LevelError, \"pool error, upload for part %d not started\", part)\n\t\t\tpool.releaseBuffer(buf)\n\t\t\tbreak\n\t\t}\n\n\t\twg.Add(1)\n\t\tgo func(blockID string, buf []byte, bufSize int) {\n\t\t\tdefer func() {\n\t\t\t\tpool.releaseBuffer(buf)\n\t\t\t\t<-guard\n\t\t\t\twg.Done()\n\t\t\t}()\n\n\t\t\tbufferReader := &bytesReaderWrapper{\n\t\t\t\tReader: bytes.NewReader(buf[:bufSize]),\n\t\t\t}\n\t\t\tinnerCtx, cancelFn := context.WithDeadline(poolCtx, time.Now().Add(blockCtxTimeout))\n\t\t\tdefer cancelFn()\n\n\t\t\t_, err := blockBlob.StageBlock(innerCtx, blockID, bufferReader, &blockblob.StageBlockOptions{})\n\t\t\tif err != nil {\n\t\t\t\terrOnce.Do(func() {\n\t\t\t\t\tfsLog(fs, logger.LevelDebug, \"multipart upload error: %+v\", err)\n\t\t\t\t\tfinalizeFailedUpload(err)\n\t\t\t\t})\n\t\t\t}\n\t\t}(blockID, buf, n)\n\t}\n\n\twg.Wait()\n\tclose(guard)\n\n\tif poolError != nil {\n\t\treturn poolError\n\t}\n\n\tcommitOptions := blockblob.CommitBlockListOptions{\n\t\tHTTPHeaders: httpHeaders,\n\t\tMetadata: metadata,\n\t}\n\tif fs.config.AccessTier != \"\" {\n\t\tcommitOptions.Tier = (*blob.AccessTier)(&fs.config.AccessTier)\n\t}\n\n\t_, err := blockBlob.CommitBlockList(ctx, blocks, &commitOptions)\n\treturn err\n}\n\nfunc (fs *AzureBlobFs) getCopyOptions(srcInfo os.FileInfo, updateModTime bool) *blob.StartCopyFromURLOptions {\n\tcopyOptions := &blob.StartCopyFromURLOptions{}\n\tif fs.config.AccessTier != \"\" {\n\t\tcopyOptions.Tier = (*blob.AccessTier)(&fs.config.AccessTier)\n\t}\n\tif updateModTime {\n\t\tmetadata := make(map[string]*string)\n\t\tfor k, v := range getMetadata(srcInfo) {\n\t\t\tif v != \"\" {\n\t\t\t\tif strings.EqualFold(k, lastModifiedField) {\n\t\t\t\t\tmetadata[k] = to.Ptr(\"0\")\n\t\t\t\t} else {\n\t\t\t\t\tmetadata[k] = to.Ptr(v)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif len(metadata) > 0 {\n\t\t\tcopyOptions.Metadata = metadata\n\t\t}\n\t}\n\n\treturn copyOptions\n}\n\nfunc (fs *AzureBlobFs) downloadToWriter(name string, w PipeWriter) (int64, error) {\n\tfsLog(fs, logger.LevelDebug, \"starting download before resuming upload, path %q\", name)\n\tctx, cancelFn := context.WithTimeout(context.Background(), preResumeTimeout)\n\tdefer cancelFn()\n\n\tblockBlob := fs.containerClient.NewBlockBlobClient(name)\n\terr := fs.handleMultipartDownload(ctx, blockBlob, 0, w, nil)\n\tn := w.GetWrittenBytes()\n\tfsLog(fs, logger.LevelDebug, \"download before resuming upload completed, path %q size: %d, err: %+v\",\n\t\tname, n, err)\n\tmetric.AZTransferCompleted(n, 1, err)\n\treturn n, err\n}\n\nfunc checkDirectoryMarkers(contentType string, metadata map[string]*string) bool {\n\tif contentType == dirMimeType {\n\t\treturn true\n\t}\n\tfor k, v := range metadata {\n\t\tif strings.EqualFold(k, azFolderKey) {\n\t\t\treturn strings.EqualFold(util.GetStringFromPointer(v), \"true\")\n\t\t}\n\t}\n\treturn false\n}\n\nfunc getAzContainerClientOptions() *container.ClientOptions {\n\treturn &container.ClientOptions{\n\t\tClientOptions: azcore.ClientOptions{\n\t\t\tTelemetry: policy.TelemetryOptions{\n\t\t\t\tApplicationID: version.GetVersionHash(),\n\t\t\t},\n\t\t},\n\t}\n}\n\ntype azureBlobDirLister struct {\n\tbaseDirLister\n\tpaginator *runtime.Pager[container.ListBlobsHierarchyResponse]\n\ttimeout time.Duration\n\tprefix string\n\tprefixes map[string]bool\n\tmetricUpdated bool\n}\n\nfunc (l *azureBlobDirLister) Next(limit int) ([]os.FileInfo, error) {\n\tif limit <= 0 {\n\t\treturn nil, errInvalidDirListerLimit\n\t}\n\tif len(l.cache) >= limit {\n\t\treturn l.returnFromCache(limit), nil\n\t}\n\tif !l.paginator.More() {\n\t\tif !l.metricUpdated {\n\t\t\tl.metricUpdated = true\n\t\t\tmetric.AZListObjectsCompleted(nil)\n\t\t}\n\t\treturn l.returnFromCache(limit), io.EOF\n\t}\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(l.timeout))\n\tdefer cancelFn()\n\n\tpage, err := l.paginator.NextPage(ctx)\n\tif err != nil {\n\t\tmetric.AZListObjectsCompleted(err)\n\t\treturn l.cache, err\n\t}\n\n\tfor _, blobPrefix := range page.Segment.BlobPrefixes {\n\t\tname := util.GetStringFromPointer(blobPrefix.Name)\n\t\t// we don't support prefixes == \"/\" this will be sent if a key starts with \"/\"\n\t\tif name == \"\" || name == \"/\" {\n\t\t\tcontinue\n\t\t}\n\t\t// sometime we have duplicate prefixes, maybe an Azurite bug\n\t\tname = strings.TrimPrefix(name, l.prefix)\n\t\tif _, ok := l.prefixes[strings.TrimSuffix(name, \"/\")]; ok {\n\t\t\tcontinue\n\t\t}\n\t\tl.cache = append(l.cache, NewFileInfo(name, true, 0, time.Unix(0, 0), false))\n\t\tl.prefixes[strings.TrimSuffix(name, \"/\")] = true\n\t}\n\n\tfor _, blobItem := range page.Segment.BlobItems {\n\t\tname := util.GetStringFromPointer(blobItem.Name)\n\t\tname = strings.TrimPrefix(name, l.prefix)\n\t\tsize := int64(0)\n\t\tisDir := false\n\t\tvar metadata map[string]*string\n\t\tmodTime := time.Unix(0, 0)\n\t\tif blobItem.Properties != nil {\n\t\t\tsize = util.GetIntFromPointer(blobItem.Properties.ContentLength)\n\t\t\tmodTime = util.GetTimeFromPointer(blobItem.Properties.LastModified)\n\t\t\tcontentType := util.GetStringFromPointer(blobItem.Properties.ContentType)\n\t\t\tisDir = checkDirectoryMarkers(contentType, blobItem.Metadata)\n\t\t\tif isDir {\n\t\t\t\t// check if the dir is already included, it will be sent as blob prefix if it contains at least one item\n\t\t\t\tif _, ok := l.prefixes[name]; ok {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tl.prefixes[name] = true\n\t\t\t} else {\n\t\t\t\tmetadata = blobItem.Metadata\n\t\t\t}\n\t\t\tif val := getAzureLastModified(blobItem.Metadata); val > 0 {\n\t\t\t\tmodTime = util.GetTimeFromMsecSinceEpoch(val)\n\t\t\t}\n\t\t}\n\t\tinfo := NewFileInfo(name, isDir, size, modTime, false)\n\t\tinfo.setMetadataFromPointerVal(metadata)\n\t\tl.cache = append(l.cache, info)\n\t}\n\n\treturn l.returnFromCache(limit), nil\n}\n\nfunc (l *azureBlobDirLister) Close() error {\n\tclear(l.prefixes)\n\treturn l.baseDirLister.Close()\n}\n" }, { "path": "internal/vfs/azblobfs_disabled.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build noazblob\n\npackage vfs\n\nimport (\n\t\"errors\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n)\n\nfunc init() {\n\tversion.AddFeature(\"-azblob\")\n}\n\n// NewAzBlobFs returns an error, Azure Blob storage is disabled\nfunc NewAzBlobFs(_, _, _ string, _ AzBlobFsConfig) (Fs, error) {\n\treturn nil, errors.New(\"Azure Blob Storage disabled at build time\")\n}\n" }, { "path": "internal/vfs/cryptfs.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage vfs\n\nimport (\n\t\"bufio\"\n\t\"bytes\"\n\t\"crypto/rand\"\n\t\"crypto/sha256\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"os\"\n\n\t\"github.com/minio/sio\"\n\t\"golang.org/x/crypto/hkdf\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n)\n\nconst (\n\t// cryptFsName is the name for the local Fs implementation with encryption support\n\tcryptFsName = \"cryptfs\"\n\tversion10 byte = 0x10\n\tnonceV10Size int = 32\n\theaderV10Size int64 = 33 // 1 (version byte) + 32 (nonce size)\n)\n\n// CryptFs is a Fs implementation that allows to encrypts/decrypts local files\ntype CryptFs struct {\n\t*OsFs\n\tlocalTempDir string\n\tmasterKey []byte\n}\n\n// NewCryptFs returns a CryptFs object\nfunc NewCryptFs(connectionID, rootDir, mountPath string, config CryptFsConfig) (Fs, error) {\n\tif err := config.validate(); err != nil {\n\t\treturn nil, err\n\t}\n\tif err := config.Passphrase.TryDecrypt(); err != nil {\n\t\treturn nil, err\n\t}\n\tfs := &CryptFs{\n\t\tOsFs: &OsFs{\n\t\t\tname: cryptFsName,\n\t\t\tconnectionID: connectionID,\n\t\t\trootDir: rootDir,\n\t\t\tmountPath: getMountPath(mountPath),\n\t\t\treadBufferSize: config.ReadBufferSize * 1024 * 1024,\n\t\t\twriteBufferSize: config.WriteBufferSize * 1024 * 1024,\n\t\t},\n\t\tmasterKey: []byte(config.Passphrase.GetPayload()),\n\t}\n\tif tempPath == \"\" {\n\t\tfs.localTempDir = rootDir\n\t} else {\n\t\tfs.localTempDir = tempPath\n\t}\n\treturn fs, nil\n}\n\n// Name returns the name for the Fs implementation\nfunc (fs *CryptFs) Name() string {\n\treturn fs.name\n}\n\n// Open opens the named file for reading\nfunc (fs *CryptFs) Open(name string, offset int64) (File, PipeReader, func(), error) {\n\tf, key, err := fs.getFileAndEncryptionKey(name)\n\tif err != nil {\n\t\treturn nil, nil, nil, err\n\t}\n\tisZeroDownload, err := isZeroBytesDownload(f, offset)\n\tif err != nil {\n\t\tf.Close()\n\t\treturn nil, nil, nil, err\n\t}\n\tr, w, err := createPipeFn(fs.localTempDir, 0)\n\tif err != nil {\n\t\tf.Close()\n\t\treturn nil, nil, nil, err\n\t}\n\tp := NewPipeReader(r)\n\n\tgo func() {\n\t\tif isZeroDownload {\n\t\t\tw.CloseWithError(err) //nolint:errcheck\n\t\t\tf.Close()\n\t\t\tfsLog(fs, logger.LevelDebug, \"zero bytes download completed, path: %q\", name)\n\t\t\treturn\n\t\t}\n\t\tvar n int64\n\t\tvar err error\n\n\t\tif offset == 0 {\n\t\t\tn, err = fs.decryptWrapper(w, f, fs.getSIOConfig(key))\n\t\t} else {\n\t\t\tvar readerAt io.ReaderAt\n\t\t\tvar readed, written int\n\t\t\tbuf := make([]byte, 65568)\n\t\t\twrapper := &cryptedFileWrapper{\n\t\t\t\tFile: f,\n\t\t\t}\n\t\t\treaderAt, err = sio.DecryptReaderAt(wrapper, fs.getSIOConfig(key))\n\t\t\tif err == nil {\n\t\t\t\tfinished := false\n\t\t\t\tfor !finished {\n\t\t\t\t\treaded, err = readerAt.ReadAt(buf, offset)\n\t\t\t\t\toffset += int64(readed)\n\t\t\t\t\tif err != nil && err != io.EOF {\n\t\t\t\t\t\tbreak\n\t\t\t\t\t}\n\t\t\t\t\tif err == io.EOF {\n\t\t\t\t\t\tfinished = true\n\t\t\t\t\t\terr = nil\n\t\t\t\t\t}\n\t\t\t\t\tif readed > 0 {\n\t\t\t\t\t\twritten, err = w.Write(buf[:readed])\n\t\t\t\t\t\tn += int64(written)\n\t\t\t\t\t\tif err != nil {\n\t\t\t\t\t\t\tif err == io.EOF {\n\t\t\t\t\t\t\t\terr = io.ErrUnexpectedEOF\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tbreak\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif readed != written {\n\t\t\t\t\t\t\terr = io.ErrShortWrite\n\t\t\t\t\t\t\tbreak\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tw.CloseWithError(err) //nolint:errcheck\n\t\tf.Close()\n\t\tfsLog(fs, logger.LevelDebug, \"download completed, path: %q size: %v, err: %v\", name, n, err)\n\t}()\n\n\treturn nil, p, nil, nil\n}\n\n// Create creates or opens the named file for writing\nfunc (fs *CryptFs) Create(name string, _, _ int) (File, PipeWriter, func(), error) {\n\tf, err := os.OpenFile(name, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0666)\n\tif err != nil {\n\t\treturn nil, nil, nil, err\n\t}\n\theader := encryptedFileHeader{\n\t\tversion: version10,\n\t\tnonce: make([]byte, 32),\n\t}\n\t_, err = io.ReadFull(rand.Reader, header.nonce)\n\tif err != nil {\n\t\tf.Close()\n\t\treturn nil, nil, nil, err\n\t}\n\tvar key [32]byte\n\tkdf := hkdf.New(sha256.New, fs.masterKey, header.nonce, nil)\n\t_, err = io.ReadFull(kdf, key[:])\n\tif err != nil {\n\t\tf.Close()\n\t\treturn nil, nil, nil, err\n\t}\n\tr, w, err := createPipeFn(fs.localTempDir, 0)\n\tif err != nil {\n\t\tf.Close()\n\t\treturn nil, nil, nil, err\n\t}\n\terr = header.Store(f)\n\tif err != nil {\n\t\tr.Close()\n\t\tw.Close()\n\t\tf.Close()\n\t\treturn nil, nil, nil, err\n\t}\n\tp := NewPipeWriter(w)\n\n\tgo func() {\n\t\tvar n int64\n\t\tvar err error\n\t\tif fs.writeBufferSize <= 0 {\n\t\t\tn, err = sio.Encrypt(f, r, fs.getSIOConfig(key))\n\t\t} else {\n\t\t\tbw := bufio.NewWriterSize(f, fs.writeBufferSize)\n\t\t\tn, err = fs.encryptWrapper(bw, r, fs.getSIOConfig(key))\n\t\t\terrFlush := bw.Flush()\n\t\t\tif err == nil && errFlush != nil {\n\t\t\t\terr = errFlush\n\t\t\t}\n\t\t}\n\t\terrClose := f.Close()\n\t\tif err == nil && errClose != nil {\n\t\t\terr = errClose\n\t\t}\n\t\tr.CloseWithError(err) //nolint:errcheck\n\t\tp.Done(err)\n\t\tfsLog(fs, logger.LevelDebug, \"upload completed, path: %q, readed bytes: %v, err: %v\", name, n, err)\n\t}()\n\n\treturn nil, p, nil, nil\n}\n\n// Truncate changes the size of the named file\nfunc (*CryptFs) Truncate(_ string, _ int64) error {\n\treturn ErrVfsUnsupported\n}\n\n// ReadDir reads the directory named by dirname and returns\n// a list of directory entries.\nfunc (fs *CryptFs) ReadDir(dirname string) (DirLister, error) {\n\tf, err := os.Open(dirname)\n\tif err != nil {\n\t\tif isInvalidNameError(err) {\n\t\t\terr = os.ErrNotExist\n\t\t}\n\t\treturn nil, err\n\t}\n\n\treturn &cryptFsDirLister{f}, nil\n}\n\n// IsUploadResumeSupported returns false sio does not support random access writes\nfunc (*CryptFs) IsUploadResumeSupported() bool {\n\treturn false\n}\n\n// IsConditionalUploadResumeSupported returns if resuming uploads is supported\n// for the specified size\nfunc (*CryptFs) IsConditionalUploadResumeSupported(_ int64) bool {\n\treturn false\n}\n\n// GetMimeType returns the content type\nfunc (fs *CryptFs) GetMimeType(name string) (string, error) {\n\tf, key, err := fs.getFileAndEncryptionKey(name)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tdefer f.Close()\n\n\treadSize, err := sio.DecryptedSize(512)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tbuf := make([]byte, readSize)\n\tn, err := io.ReadFull(f, buf)\n\tif err != nil && err != io.EOF && err != io.ErrUnexpectedEOF {\n\t\treturn \"\", err\n\t}\n\n\tdecrypted := bytes.NewBuffer(nil)\n\t_, err = sio.Decrypt(decrypted, bytes.NewBuffer(buf[:n]), fs.getSIOConfig(key))\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\tctype := http.DetectContentType(decrypted.Bytes())\n\t// Rewind file.\n\t_, err = f.Seek(0, io.SeekStart)\n\treturn ctype, err\n}\n\nfunc (fs *CryptFs) getSIOConfig(key [32]byte) sio.Config {\n\treturn sio.Config{\n\t\tMinVersion: sio.Version20,\n\t\tMaxVersion: sio.Version20,\n\t\tKey: key[:],\n\t}\n}\n\n// ConvertFileInfo returns a FileInfo with the decrypted size\nfunc (fs *CryptFs) ConvertFileInfo(info os.FileInfo) os.FileInfo {\n\treturn convertCryptFsInfo(info)\n}\n\nfunc (fs *CryptFs) getFileAndEncryptionKey(name string) (*os.File, [32]byte, error) {\n\tvar key [32]byte\n\tf, err := os.Open(name)\n\tif err != nil {\n\t\treturn nil, key, err\n\t}\n\theader := encryptedFileHeader{}\n\terr = header.Load(f)\n\tif err != nil {\n\t\tf.Close()\n\t\treturn nil, key, err\n\t}\n\tkdf := hkdf.New(sha256.New, fs.masterKey, header.nonce, nil)\n\t_, err = io.ReadFull(kdf, key[:])\n\tif err != nil {\n\t\tf.Close()\n\t\treturn nil, key, err\n\t}\n\treturn f, key, err\n}\n\nfunc (*CryptFs) encryptWrapper(dst io.Writer, src io.Reader, config sio.Config) (int64, error) {\n\tencReader, err := sio.EncryptReader(src, config)\n\tif err != nil {\n\t\treturn 0, err\n\t}\n\treturn doCopy(dst, encReader, make([]byte, 65568))\n}\n\nfunc (fs *CryptFs) decryptWrapper(dst io.Writer, src io.Reader, config sio.Config) (int64, error) {\n\tif fs.readBufferSize <= 0 {\n\t\treturn sio.Decrypt(dst, src, config)\n\t}\n\tbr := bufio.NewReaderSize(src, fs.readBufferSize)\n\tdecReader, err := sio.DecryptReader(br, config)\n\tif err != nil {\n\t\treturn 0, err\n\t}\n\treturn doCopy(dst, decReader, make([]byte, 65568))\n}\n\nfunc isZeroBytesDownload(f *os.File, offset int64) (bool, error) {\n\tinfo, err := f.Stat()\n\tif err != nil {\n\t\treturn false, err\n\t}\n\tif info.Size() == headerV10Size {\n\t\treturn true, nil\n\t}\n\tif info.Size() > headerV10Size {\n\t\tdecSize, err := sio.DecryptedSize(uint64(info.Size() - headerV10Size))\n\t\tif err != nil {\n\t\t\treturn false, err\n\t\t}\n\t\tif int64(decSize) == offset {\n\t\t\treturn true, nil\n\t\t}\n\t}\n\treturn false, nil\n}\n\nfunc convertCryptFsInfo(info os.FileInfo) os.FileInfo {\n\tif !info.Mode().IsRegular() {\n\t\treturn info\n\t}\n\tsize := info.Size()\n\tif size >= headerV10Size {\n\t\tsize -= headerV10Size\n\t\tdecryptedSize, err := sio.DecryptedSize(uint64(size))\n\t\tif err == nil {\n\t\t\tsize = int64(decryptedSize)\n\t\t}\n\t} else {\n\t\tsize = 0\n\t}\n\treturn NewFileInfo(info.Name(), info.IsDir(), size, info.ModTime(), false)\n}\n\ntype encryptedFileHeader struct {\n\tversion byte\n\tnonce []byte\n}\n\nfunc (h *encryptedFileHeader) Store(f *os.File) error {\n\tbuf := make([]byte, 0, headerV10Size)\n\tbuf = append(buf, version10)\n\tbuf = append(buf, h.nonce...)\n\t_, err := f.Write(buf)\n\treturn err\n}\n\nfunc (h *encryptedFileHeader) Load(f *os.File) error {\n\theader := make([]byte, 1+nonceV10Size)\n\t_, err := io.ReadFull(f, header)\n\tif err != nil {\n\t\treturn err\n\t}\n\th.version = header[0]\n\tif h.version == version10 {\n\t\th.nonce = header[1:]\n\t\treturn nil\n\t}\n\treturn fmt.Errorf(\"unsupported encryption version: %v\", h.version)\n}\n\ntype cryptedFileWrapper struct {\n\t*os.File\n}\n\nfunc (w *cryptedFileWrapper) ReadAt(p []byte, offset int64) (n int, err error) {\n\treturn w.File.ReadAt(p, offset+headerV10Size)\n}\n\ntype cryptFsDirLister struct {\n\tf *os.File\n}\n\nfunc (l *cryptFsDirLister) Next(limit int) ([]os.FileInfo, error) {\n\tif limit <= 0 {\n\t\treturn nil, errInvalidDirListerLimit\n\t}\n\tfiles, err := l.f.Readdir(limit)\n\tfor idx := range files {\n\t\tfiles[idx] = convertCryptFsInfo(files[idx])\n\t}\n\treturn files, err\n}\n\nfunc (l *cryptFsDirLister) Close() error {\n\treturn l.f.Close()\n}\n" }, { "path": "internal/vfs/fileinfo.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage vfs\n\nimport (\n\t\"os\"\n\t\"path\"\n\t\"time\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\n// FileInfo implements os.FileInfo for a Cloud Storage file.\ntype FileInfo struct {\n\tname string\n\tsizeInBytes int64\n\tmodTime time.Time\n\tmode os.FileMode\n\tmetadata map[string]string\n}\n\n// NewFileInfo creates file info.\nfunc NewFileInfo(name string, isDirectory bool, sizeInBytes int64, modTime time.Time, fullName bool) *FileInfo {\n\tmode := os.FileMode(0644)\n\tif isDirectory {\n\t\tmode = os.FileMode(0755) | os.ModeDir\n\t}\n\tif !fullName {\n\t\t// we have always Unix style paths here\n\t\tname = path.Base(name)\n\t}\n\n\treturn &FileInfo{\n\t\tname: name,\n\t\tsizeInBytes: sizeInBytes,\n\t\tmodTime: modTime,\n\t\tmode: mode,\n\t}\n}\n\n// Name provides the base name of the file.\nfunc (fi *FileInfo) Name() string {\n\treturn fi.name\n}\n\n// Size provides the length in bytes for a file.\nfunc (fi *FileInfo) Size() int64 {\n\treturn fi.sizeInBytes\n}\n\n// Mode provides the file mode bits\nfunc (fi *FileInfo) Mode() os.FileMode {\n\treturn fi.mode\n}\n\n// ModTime provides the last modification time.\nfunc (fi *FileInfo) ModTime() time.Time {\n\treturn fi.modTime\n}\n\n// IsDir provides the abbreviation for Mode().IsDir()\nfunc (fi *FileInfo) IsDir() bool {\n\treturn fi.mode&os.ModeDir != 0\n}\n\n// SetMode sets the file mode\nfunc (fi *FileInfo) SetMode(mode os.FileMode) {\n\tfi.mode = mode\n}\n\n// Sys provides the underlying data source (can return nil)\nfunc (fi *FileInfo) Sys() any {\n\treturn fi.metadata\n}\n\nfunc (fi *FileInfo) setMetadata(value map[string]string) {\n\tfi.metadata = value\n}\n\nfunc (fi *FileInfo) setMetadataFromPointerVal(value map[string]*string) {\n\tif len(value) == 0 {\n\t\tfi.metadata = nil\n\t\treturn\n\t}\n\n\tfi.metadata = map[string]string{}\n\tfor k, v := range value {\n\t\tval := util.GetStringFromPointer(v)\n\t\tif val != \"\" {\n\t\t\tfi.metadata[k] = val\n\t\t}\n\t}\n}\n\nfunc getMetadata(fi os.FileInfo) map[string]string {\n\tif fi.Sys() == nil {\n\t\treturn nil\n\t}\n\tif val, ok := fi.Sys().(map[string]string); ok {\n\t\tif len(val) > 0 {\n\t\t\treturn val\n\t\t}\n\t}\n\treturn nil\n}\n" }, { "path": "internal/vfs/filesystem.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage vfs\n\nimport (\n\t\"os\"\n\n\t\"github.com/sftpgo/sdk\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\n// Filesystem defines filesystem details\ntype Filesystem struct {\n\tRedactedSecret string `json:\"-\"`\n\tProvider sdk.FilesystemProvider `json:\"provider\"`\n\tOSConfig sdk.OSFsConfig `json:\"osconfig,omitempty\"`\n\tS3Config S3FsConfig `json:\"s3config,omitempty\"`\n\tGCSConfig GCSFsConfig `json:\"gcsconfig,omitempty\"`\n\tAzBlobConfig AzBlobFsConfig `json:\"azblobconfig,omitempty\"`\n\tCryptConfig CryptFsConfig `json:\"cryptconfig,omitempty\"`\n\tSFTPConfig SFTPFsConfig `json:\"sftpconfig,omitempty\"`\n\tHTTPConfig HTTPFsConfig `json:\"httpconfig,omitempty\"`\n}\n\n// SetEmptySecrets sets the secrets to empty\nfunc (f *Filesystem) SetEmptySecrets() {\n\tf.S3Config.AccessSecret = kms.NewEmptySecret()\n\tf.S3Config.SSECustomerKey = kms.NewEmptySecret()\n\tf.GCSConfig.Credentials = kms.NewEmptySecret()\n\tf.AzBlobConfig.AccountKey = kms.NewEmptySecret()\n\tf.AzBlobConfig.SASURL = kms.NewEmptySecret()\n\tf.CryptConfig.Passphrase = kms.NewEmptySecret()\n\tf.SFTPConfig.Password = kms.NewEmptySecret()\n\tf.SFTPConfig.PrivateKey = kms.NewEmptySecret()\n\tf.SFTPConfig.KeyPassphrase = kms.NewEmptySecret()\n\tf.HTTPConfig.Password = kms.NewEmptySecret()\n\tf.HTTPConfig.APIKey = kms.NewEmptySecret()\n}\n\n// SetEmptySecretsIfNil sets the secrets to empty if nil\nfunc (f *Filesystem) SetEmptySecretsIfNil() {\n\tif f.S3Config.AccessSecret == nil {\n\t\tf.S3Config.AccessSecret = kms.NewEmptySecret()\n\t}\n\tif f.S3Config.SSECustomerKey == nil {\n\t\tf.S3Config.SSECustomerKey = kms.NewEmptySecret()\n\t}\n\tif f.GCSConfig.Credentials == nil {\n\t\tf.GCSConfig.Credentials = kms.NewEmptySecret()\n\t}\n\tif f.AzBlobConfig.AccountKey == nil {\n\t\tf.AzBlobConfig.AccountKey = kms.NewEmptySecret()\n\t}\n\tif f.AzBlobConfig.SASURL == nil {\n\t\tf.AzBlobConfig.SASURL = kms.NewEmptySecret()\n\t}\n\tif f.CryptConfig.Passphrase == nil {\n\t\tf.CryptConfig.Passphrase = kms.NewEmptySecret()\n\t}\n\tif f.SFTPConfig.Password == nil {\n\t\tf.SFTPConfig.Password = kms.NewEmptySecret()\n\t}\n\tif f.SFTPConfig.PrivateKey == nil {\n\t\tf.SFTPConfig.PrivateKey = kms.NewEmptySecret()\n\t}\n\tif f.SFTPConfig.KeyPassphrase == nil {\n\t\tf.SFTPConfig.KeyPassphrase = kms.NewEmptySecret()\n\t}\n\tif f.HTTPConfig.Password == nil {\n\t\tf.HTTPConfig.Password = kms.NewEmptySecret()\n\t}\n\tif f.HTTPConfig.APIKey == nil {\n\t\tf.HTTPConfig.APIKey = kms.NewEmptySecret()\n\t}\n}\n\n// SetNilSecretsIfEmpty set the secrets to nil if empty.\n// This is useful before rendering as JSON so the empty fields\n// will not be serialized.\nfunc (f *Filesystem) SetNilSecretsIfEmpty() {\n\tif f.S3Config.AccessSecret != nil && f.S3Config.AccessSecret.IsEmpty() {\n\t\tf.S3Config.AccessSecret = nil\n\t}\n\tif f.S3Config.SSECustomerKey != nil && f.S3Config.SSECustomerKey.IsEmpty() {\n\t\tf.S3Config.SSECustomerKey = nil\n\t}\n\tif f.GCSConfig.Credentials != nil && f.GCSConfig.Credentials.IsEmpty() {\n\t\tf.GCSConfig.Credentials = nil\n\t}\n\tif f.AzBlobConfig.AccountKey != nil && f.AzBlobConfig.AccountKey.IsEmpty() {\n\t\tf.AzBlobConfig.AccountKey = nil\n\t}\n\tif f.AzBlobConfig.SASURL != nil && f.AzBlobConfig.SASURL.IsEmpty() {\n\t\tf.AzBlobConfig.SASURL = nil\n\t}\n\tif f.CryptConfig.Passphrase != nil && f.CryptConfig.Passphrase.IsEmpty() {\n\t\tf.CryptConfig.Passphrase = nil\n\t}\n\tf.SFTPConfig.setNilSecretsIfEmpty()\n\tf.HTTPConfig.setNilSecretsIfEmpty()\n}\n\n// IsEqual returns true if the fs is equal to other\nfunc (f *Filesystem) IsEqual(other Filesystem) bool {\n\tif f.Provider != other.Provider {\n\t\treturn false\n\t}\n\tswitch f.Provider {\n\tcase sdk.S3FilesystemProvider:\n\t\treturn f.S3Config.isEqual(other.S3Config)\n\tcase sdk.GCSFilesystemProvider:\n\t\treturn f.GCSConfig.isEqual(other.GCSConfig)\n\tcase sdk.AzureBlobFilesystemProvider:\n\t\treturn f.AzBlobConfig.isEqual(other.AzBlobConfig)\n\tcase sdk.CryptedFilesystemProvider:\n\t\treturn f.CryptConfig.isEqual(other.CryptConfig)\n\tcase sdk.SFTPFilesystemProvider:\n\t\treturn f.SFTPConfig.isEqual(other.SFTPConfig)\n\tcase sdk.HTTPFilesystemProvider:\n\t\treturn f.HTTPConfig.isEqual(other.HTTPConfig)\n\tdefault:\n\t\treturn true\n\t}\n}\n\n// IsSameResource returns true if fs point to the same resource as other\nfunc (f *Filesystem) IsSameResource(other Filesystem) bool {\n\tif f.Provider != other.Provider {\n\t\treturn false\n\t}\n\tswitch f.Provider {\n\tcase sdk.S3FilesystemProvider:\n\t\treturn f.S3Config.isSameResource(other.S3Config)\n\tcase sdk.GCSFilesystemProvider:\n\t\treturn f.GCSConfig.isSameResource(other.GCSConfig)\n\tcase sdk.AzureBlobFilesystemProvider:\n\t\treturn f.AzBlobConfig.isSameResource(other.AzBlobConfig)\n\tcase sdk.CryptedFilesystemProvider:\n\t\treturn f.CryptConfig.isSameResource(other.CryptConfig)\n\tcase sdk.SFTPFilesystemProvider:\n\t\treturn f.SFTPConfig.isSameResource(other.SFTPConfig)\n\tcase sdk.HTTPFilesystemProvider:\n\t\treturn f.HTTPConfig.isSameResource(other.HTTPConfig)\n\tdefault:\n\t\treturn true\n\t}\n}\n\n// GetPathSeparator returns the path separator\nfunc (f *Filesystem) GetPathSeparator() string {\n\tswitch f.Provider {\n\tcase sdk.LocalFilesystemProvider, sdk.CryptedFilesystemProvider:\n\t\treturn string(os.PathSeparator)\n\tdefault:\n\t\treturn \"/\"\n\t}\n}\n\n// Validate verifies the FsConfig matching the configured provider and sets all other\n// Filesystem.*Config to their zero value if successful\nfunc (f *Filesystem) Validate(additionalData string) error {\n\tswitch f.Provider {\n\tcase sdk.S3FilesystemProvider:\n\t\tif err := f.S3Config.ValidateAndEncryptCredentials(additionalData); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tf.OSConfig = sdk.OSFsConfig{}\n\t\tf.GCSConfig = GCSFsConfig{}\n\t\tf.AzBlobConfig = AzBlobFsConfig{}\n\t\tf.CryptConfig = CryptFsConfig{}\n\t\tf.SFTPConfig = SFTPFsConfig{}\n\t\tf.HTTPConfig = HTTPFsConfig{}\n\t\treturn nil\n\tcase sdk.GCSFilesystemProvider:\n\t\tif err := f.GCSConfig.ValidateAndEncryptCredentials(additionalData); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tf.OSConfig = sdk.OSFsConfig{}\n\t\tf.S3Config = S3FsConfig{}\n\t\tf.AzBlobConfig = AzBlobFsConfig{}\n\t\tf.CryptConfig = CryptFsConfig{}\n\t\tf.SFTPConfig = SFTPFsConfig{}\n\t\tf.HTTPConfig = HTTPFsConfig{}\n\t\treturn nil\n\tcase sdk.AzureBlobFilesystemProvider:\n\t\tif err := f.AzBlobConfig.ValidateAndEncryptCredentials(additionalData); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tf.OSConfig = sdk.OSFsConfig{}\n\t\tf.S3Config = S3FsConfig{}\n\t\tf.GCSConfig = GCSFsConfig{}\n\t\tf.CryptConfig = CryptFsConfig{}\n\t\tf.SFTPConfig = SFTPFsConfig{}\n\t\tf.HTTPConfig = HTTPFsConfig{}\n\t\treturn nil\n\tcase sdk.CryptedFilesystemProvider:\n\t\tif err := f.CryptConfig.ValidateAndEncryptCredentials(additionalData); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tf.OSConfig = sdk.OSFsConfig{}\n\t\tf.S3Config = S3FsConfig{}\n\t\tf.GCSConfig = GCSFsConfig{}\n\t\tf.AzBlobConfig = AzBlobFsConfig{}\n\t\tf.SFTPConfig = SFTPFsConfig{}\n\t\tf.HTTPConfig = HTTPFsConfig{}\n\t\treturn validateOSFsConfig(&f.CryptConfig.OSFsConfig)\n\tcase sdk.SFTPFilesystemProvider:\n\t\tif err := f.SFTPConfig.ValidateAndEncryptCredentials(additionalData); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tf.OSConfig = sdk.OSFsConfig{}\n\t\tf.S3Config = S3FsConfig{}\n\t\tf.GCSConfig = GCSFsConfig{}\n\t\tf.AzBlobConfig = AzBlobFsConfig{}\n\t\tf.CryptConfig = CryptFsConfig{}\n\t\tf.HTTPConfig = HTTPFsConfig{}\n\t\treturn nil\n\tcase sdk.HTTPFilesystemProvider:\n\t\tif err := f.HTTPConfig.ValidateAndEncryptCredentials(additionalData); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tf.OSConfig = sdk.OSFsConfig{}\n\t\tf.S3Config = S3FsConfig{}\n\t\tf.GCSConfig = GCSFsConfig{}\n\t\tf.AzBlobConfig = AzBlobFsConfig{}\n\t\tf.CryptConfig = CryptFsConfig{}\n\t\tf.SFTPConfig = SFTPFsConfig{}\n\t\treturn nil\n\tcase sdk.LocalFilesystemProvider:\n\t\tf.S3Config = S3FsConfig{}\n\t\tf.GCSConfig = GCSFsConfig{}\n\t\tf.AzBlobConfig = AzBlobFsConfig{}\n\t\tf.CryptConfig = CryptFsConfig{}\n\t\tf.SFTPConfig = SFTPFsConfig{}\n\t\tf.HTTPConfig = HTTPFsConfig{}\n\t\treturn validateOSFsConfig(&f.OSConfig)\n\tdefault:\n\t\treturn util.NewI18nError(\n\t\t\tutil.NewValidationError(\"invalid filesystem provider\"),\n\t\t\tutil.I18nErrorFsValidation,\n\t\t)\n\t}\n}\n\n// HasRedactedSecret returns true if configured the filesystem configuration has a redacted secret\nfunc (f *Filesystem) HasRedactedSecret() bool {\n\t// TODO move vfs specific code into each *FsConfig struct\n\tswitch f.Provider {\n\tcase sdk.S3FilesystemProvider:\n\t\tif f.S3Config.SSECustomerKey.IsRedacted() {\n\t\t\treturn true\n\t\t}\n\t\treturn f.S3Config.AccessSecret.IsRedacted()\n\tcase sdk.GCSFilesystemProvider:\n\t\treturn f.GCSConfig.Credentials.IsRedacted()\n\tcase sdk.AzureBlobFilesystemProvider:\n\t\tif f.AzBlobConfig.AccountKey.IsRedacted() {\n\t\t\treturn true\n\t\t}\n\t\treturn f.AzBlobConfig.SASURL.IsRedacted()\n\tcase sdk.CryptedFilesystemProvider:\n\t\treturn f.CryptConfig.Passphrase.IsRedacted()\n\tcase sdk.SFTPFilesystemProvider:\n\t\tif f.SFTPConfig.Password.IsRedacted() {\n\t\t\treturn true\n\t\t}\n\t\tif f.SFTPConfig.PrivateKey.IsRedacted() {\n\t\t\treturn true\n\t\t}\n\t\treturn f.SFTPConfig.KeyPassphrase.IsRedacted()\n\tcase sdk.HTTPFilesystemProvider:\n\t\tif f.HTTPConfig.Password.IsRedacted() {\n\t\t\treturn true\n\t\t}\n\t\treturn f.HTTPConfig.APIKey.IsRedacted()\n\t}\n\n\treturn false\n}\n\n// HideConfidentialData hides filesystem confidential data\nfunc (f *Filesystem) HideConfidentialData() {\n\tswitch f.Provider {\n\tcase sdk.S3FilesystemProvider:\n\t\tf.S3Config.HideConfidentialData()\n\tcase sdk.GCSFilesystemProvider:\n\t\tf.GCSConfig.HideConfidentialData()\n\tcase sdk.AzureBlobFilesystemProvider:\n\t\tf.AzBlobConfig.HideConfidentialData()\n\tcase sdk.CryptedFilesystemProvider:\n\t\tf.CryptConfig.HideConfidentialData()\n\tcase sdk.SFTPFilesystemProvider:\n\t\tf.SFTPConfig.HideConfidentialData()\n\tcase sdk.HTTPFilesystemProvider:\n\t\tf.HTTPConfig.HideConfidentialData()\n\t}\n}\n\n// GetACopy returns a filesystem copy\nfunc (f *Filesystem) GetACopy() Filesystem {\n\tf.SetEmptySecretsIfNil()\n\tfs := Filesystem{\n\t\tProvider: f.Provider,\n\t\tOSConfig: sdk.OSFsConfig{\n\t\t\tReadBufferSize: f.OSConfig.ReadBufferSize,\n\t\t\tWriteBufferSize: f.OSConfig.WriteBufferSize,\n\t\t},\n\t\tS3Config: S3FsConfig{\n\t\t\tBaseS3FsConfig: sdk.BaseS3FsConfig{\n\t\t\t\tBucket: f.S3Config.Bucket,\n\t\t\t\tRegion: f.S3Config.Region,\n\t\t\t\tAccessKey: f.S3Config.AccessKey,\n\t\t\t\tRoleARN: f.S3Config.RoleARN,\n\t\t\t\tEndpoint: f.S3Config.Endpoint,\n\t\t\t\tStorageClass: f.S3Config.StorageClass,\n\t\t\t\tACL: f.S3Config.ACL,\n\t\t\t\tKeyPrefix: f.S3Config.KeyPrefix,\n\t\t\t\tUploadPartSize: f.S3Config.UploadPartSize,\n\t\t\t\tUploadConcurrency: f.S3Config.UploadConcurrency,\n\t\t\t\tDownloadPartSize: f.S3Config.DownloadPartSize,\n\t\t\t\tDownloadConcurrency: f.S3Config.DownloadConcurrency,\n\t\t\t\tDownloadPartMaxTime: f.S3Config.DownloadPartMaxTime,\n\t\t\t\tUploadPartMaxTime: f.S3Config.UploadPartMaxTime,\n\t\t\t\tForcePathStyle: f.S3Config.ForcePathStyle,\n\t\t\t\tSkipTLSVerify: f.S3Config.SkipTLSVerify,\n\t\t\t},\n\t\t\tAccessSecret: f.S3Config.AccessSecret.Clone(),\n\t\t\tSSECustomerKey: f.S3Config.SSECustomerKey.Clone(),\n\t\t},\n\t\tGCSConfig: GCSFsConfig{\n\t\t\tBaseGCSFsConfig: sdk.BaseGCSFsConfig{\n\t\t\t\tBucket: f.GCSConfig.Bucket,\n\t\t\t\tAutomaticCredentials: f.GCSConfig.AutomaticCredentials,\n\t\t\t\tStorageClass: f.GCSConfig.StorageClass,\n\t\t\t\tACL: f.GCSConfig.ACL,\n\t\t\t\tKeyPrefix: f.GCSConfig.KeyPrefix,\n\t\t\t\tUploadPartSize: f.GCSConfig.UploadPartSize,\n\t\t\t\tUploadPartMaxTime: f.GCSConfig.UploadPartMaxTime,\n\t\t\t},\n\t\t\tCredentials: f.GCSConfig.Credentials.Clone(),\n\t\t},\n\t\tAzBlobConfig: AzBlobFsConfig{\n\t\t\tBaseAzBlobFsConfig: sdk.BaseAzBlobFsConfig{\n\t\t\t\tContainer: f.AzBlobConfig.Container,\n\t\t\t\tAccountName: f.AzBlobConfig.AccountName,\n\t\t\t\tEndpoint: f.AzBlobConfig.Endpoint,\n\t\t\t\tKeyPrefix: f.AzBlobConfig.KeyPrefix,\n\t\t\t\tUploadPartSize: f.AzBlobConfig.UploadPartSize,\n\t\t\t\tUploadConcurrency: f.AzBlobConfig.UploadConcurrency,\n\t\t\t\tDownloadPartSize: f.AzBlobConfig.DownloadPartSize,\n\t\t\t\tDownloadConcurrency: f.AzBlobConfig.DownloadConcurrency,\n\t\t\t\tUseEmulator: f.AzBlobConfig.UseEmulator,\n\t\t\t\tAccessTier: f.AzBlobConfig.AccessTier,\n\t\t\t},\n\t\t\tAccountKey: f.AzBlobConfig.AccountKey.Clone(),\n\t\t\tSASURL: f.AzBlobConfig.SASURL.Clone(),\n\t\t},\n\t\tCryptConfig: CryptFsConfig{\n\t\t\tOSFsConfig: sdk.OSFsConfig{\n\t\t\t\tReadBufferSize: f.CryptConfig.ReadBufferSize,\n\t\t\t\tWriteBufferSize: f.CryptConfig.WriteBufferSize,\n\t\t\t},\n\t\t\tPassphrase: f.CryptConfig.Passphrase.Clone(),\n\t\t},\n\t\tSFTPConfig: SFTPFsConfig{\n\t\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\t\tEndpoint: f.SFTPConfig.Endpoint,\n\t\t\t\tUsername: f.SFTPConfig.Username,\n\t\t\t\tPrefix: f.SFTPConfig.Prefix,\n\t\t\t\tDisableCouncurrentReads: f.SFTPConfig.DisableCouncurrentReads,\n\t\t\t\tBufferSize: f.SFTPConfig.BufferSize,\n\t\t\t\tEqualityCheckMode: f.SFTPConfig.EqualityCheckMode,\n\t\t\t},\n\t\t\tPassword: f.SFTPConfig.Password.Clone(),\n\t\t\tPrivateKey: f.SFTPConfig.PrivateKey.Clone(),\n\t\t\tKeyPassphrase: f.SFTPConfig.KeyPassphrase.Clone(),\n\t\t},\n\t\tHTTPConfig: HTTPFsConfig{\n\t\t\tBaseHTTPFsConfig: sdk.BaseHTTPFsConfig{\n\t\t\t\tEndpoint: f.HTTPConfig.Endpoint,\n\t\t\t\tUsername: f.HTTPConfig.Username,\n\t\t\t\tSkipTLSVerify: f.HTTPConfig.SkipTLSVerify,\n\t\t\t\tEqualityCheckMode: f.HTTPConfig.EqualityCheckMode,\n\t\t\t},\n\t\t\tPassword: f.HTTPConfig.Password.Clone(),\n\t\t\tAPIKey: f.HTTPConfig.APIKey.Clone(),\n\t\t},\n\t}\n\tif len(f.SFTPConfig.Fingerprints) > 0 {\n\t\tfs.SFTPConfig.Fingerprints = make([]string, len(f.SFTPConfig.Fingerprints))\n\t\tcopy(fs.SFTPConfig.Fingerprints, f.SFTPConfig.Fingerprints)\n\t}\n\treturn fs\n}\n" }, { "path": "internal/vfs/folder.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage vfs\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"strings\"\n\n\t\"github.com/rs/xid\"\n\t\"github.com/sftpgo/sdk\"\n)\n\n// BaseVirtualFolder defines the path for the virtual folder and the used quota limits.\n// The same folder can be shared among multiple users and each user can have different\n// quota limits or a different virtual path.\ntype BaseVirtualFolder struct {\n\tID int64 `json:\"id\"`\n\tName string `json:\"name\"`\n\tMappedPath string `json:\"mapped_path,omitempty\"`\n\tDescription string `json:\"description,omitempty\"`\n\tUsedQuotaSize int64 `json:\"used_quota_size\"`\n\t// Used quota as number of files\n\tUsedQuotaFiles int `json:\"used_quota_files\"`\n\t// Last quota update as unix timestamp in milliseconds\n\tLastQuotaUpdate int64 `json:\"last_quota_update\"`\n\t// list of usernames associated with this virtual folder\n\tUsers []string `json:\"users,omitempty\"`\n\t// list of group names associated with this virtual folder\n\tGroups []string `json:\"groups,omitempty\"`\n\t// Filesystem configuration details\n\tFsConfig Filesystem `json:\"filesystem\"`\n}\n\n// GetEncryptionAdditionalData returns the additional data to use for AEAD\nfunc (v *BaseVirtualFolder) GetEncryptionAdditionalData() string {\n\treturn fmt.Sprintf(\"folder_%v\", v.Name)\n}\n\n// GetACopy returns a copy\nfunc (v *BaseVirtualFolder) GetACopy() BaseVirtualFolder {\n\tusers := make([]string, len(v.Users))\n\tcopy(users, v.Users)\n\tgroups := make([]string, len(v.Groups))\n\tcopy(groups, v.Groups)\n\treturn BaseVirtualFolder{\n\t\tID: v.ID,\n\t\tName: v.Name,\n\t\tDescription: v.Description,\n\t\tMappedPath: v.MappedPath,\n\t\tUsedQuotaSize: v.UsedQuotaSize,\n\t\tUsedQuotaFiles: v.UsedQuotaFiles,\n\t\tLastQuotaUpdate: v.LastQuotaUpdate,\n\t\tUsers: users,\n\t\tGroups: v.Groups,\n\t\tFsConfig: v.FsConfig.GetACopy(),\n\t}\n}\n\n// IsLocalOrLocalCrypted returns true if the folder provider is local or local encrypted\nfunc (v *BaseVirtualFolder) IsLocalOrLocalCrypted() bool {\n\treturn v.FsConfig.Provider == sdk.LocalFilesystemProvider || v.FsConfig.Provider == sdk.CryptedFilesystemProvider\n}\n\n// hideConfidentialData hides folder confidential data\nfunc (v *BaseVirtualFolder) hideConfidentialData() {\n\tswitch v.FsConfig.Provider {\n\tcase sdk.S3FilesystemProvider:\n\t\tv.FsConfig.S3Config.HideConfidentialData()\n\tcase sdk.GCSFilesystemProvider:\n\t\tv.FsConfig.GCSConfig.HideConfidentialData()\n\tcase sdk.AzureBlobFilesystemProvider:\n\t\tv.FsConfig.AzBlobConfig.HideConfidentialData()\n\tcase sdk.CryptedFilesystemProvider:\n\t\tv.FsConfig.CryptConfig.HideConfidentialData()\n\tcase sdk.SFTPFilesystemProvider:\n\t\tv.FsConfig.SFTPConfig.HideConfidentialData()\n\tcase sdk.HTTPFilesystemProvider:\n\t\tv.FsConfig.HTTPConfig.HideConfidentialData()\n\t}\n}\n\n// PrepareForRendering prepares a folder for rendering.\n// It hides confidential data and set to nil the empty secrets\n// so they are not serialized\nfunc (v *BaseVirtualFolder) PrepareForRendering() {\n\tv.hideConfidentialData()\n\tv.FsConfig.SetEmptySecretsIfNil()\n}\n\n// HasRedactedSecret returns true if the folder has a redacted secret\nfunc (v *BaseVirtualFolder) HasRedactedSecret() bool {\n\treturn v.FsConfig.HasRedactedSecret()\n}\n\n// hasPathPlaceholder returns true if the folder has a path placeholder\nfunc (v *BaseVirtualFolder) hasPathPlaceholder() bool {\n\tplaceholders := []string{\"%username%\", \"%role%\"}\n\tvar config string\n\tswitch v.FsConfig.Provider {\n\tcase sdk.S3FilesystemProvider:\n\t\tconfig = v.FsConfig.S3Config.KeyPrefix\n\tcase sdk.GCSFilesystemProvider:\n\t\tconfig = v.FsConfig.GCSConfig.KeyPrefix\n\tcase sdk.AzureBlobFilesystemProvider:\n\t\tconfig = v.FsConfig.AzBlobConfig.KeyPrefix\n\tcase sdk.SFTPFilesystemProvider:\n\t\tconfig = v.FsConfig.SFTPConfig.Prefix\n\tcase sdk.LocalFilesystemProvider, sdk.CryptedFilesystemProvider:\n\t\tconfig = v.MappedPath\n\t}\n\tfor _, placeholder := range placeholders {\n\t\tif strings.Contains(config, placeholder) {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// VirtualFolder defines a mapping between an SFTPGo virtual path and a\n// filesystem path outside the user home directory.\n// The specified paths must be absolute and the virtual path cannot be \"/\",\n// it must be a sub directory. The parent directory for the specified virtual\n// path must exist. SFTPGo will try to automatically create any missing\n// parent directory for the configured virtual folders at user login.\ntype VirtualFolder struct {\n\tBaseVirtualFolder\n\tVirtualPath string `json:\"virtual_path\"`\n\t// Maximum size allowed as bytes. 0 means unlimited, -1 included in user quota\n\tQuotaSize int64 `json:\"quota_size\"`\n\t// Maximum number of files allowed. 0 means unlimited, -1 included in user quota\n\tQuotaFiles int `json:\"quota_files\"`\n}\n\n// GetFilesystem returns the filesystem for this folder\nfunc (v *VirtualFolder) GetFilesystem(connectionID string, forbiddenSelfUsers []string) (Fs, error) {\n\tswitch v.FsConfig.Provider {\n\tcase sdk.S3FilesystemProvider:\n\t\treturn NewS3Fs(connectionID, v.MappedPath, v.VirtualPath, v.FsConfig.S3Config)\n\tcase sdk.GCSFilesystemProvider:\n\t\treturn NewGCSFs(connectionID, v.MappedPath, v.VirtualPath, v.FsConfig.GCSConfig)\n\tcase sdk.AzureBlobFilesystemProvider:\n\t\treturn NewAzBlobFs(connectionID, v.MappedPath, v.VirtualPath, v.FsConfig.AzBlobConfig)\n\tcase sdk.CryptedFilesystemProvider:\n\t\treturn NewCryptFs(connectionID, v.MappedPath, v.VirtualPath, v.FsConfig.CryptConfig)\n\tcase sdk.SFTPFilesystemProvider:\n\t\treturn NewSFTPFs(connectionID, v.VirtualPath, v.MappedPath, forbiddenSelfUsers, v.FsConfig.SFTPConfig)\n\tcase sdk.HTTPFilesystemProvider:\n\t\treturn NewHTTPFs(connectionID, v.MappedPath, v.VirtualPath, v.FsConfig.HTTPConfig)\n\tdefault:\n\t\treturn NewOsFs(connectionID, v.MappedPath, v.VirtualPath, &v.FsConfig.OSConfig), nil\n\t}\n}\n\n// ScanQuota scans the folder and returns the number of files and their size\nfunc (v *VirtualFolder) ScanQuota() (int, int64, error) {\n\tif v.hasPathPlaceholder() {\n\t\treturn 0, 0, errors.New(\"cannot scan quota: this folder has a path placeholder\")\n\t}\n\tfs, err := v.GetFilesystem(xid.New().String(), nil)\n\tif err != nil {\n\t\treturn 0, 0, err\n\t}\n\tdefer fs.Close()\n\n\treturn fs.ScanRootDirContents()\n}\n\n// IsIncludedInUserQuota returns true if the virtual folder is included in user quota\nfunc (v *VirtualFolder) IsIncludedInUserQuota() bool {\n\treturn v.QuotaFiles == -1 && v.QuotaSize == -1\n}\n\n// HasNoQuotaRestrictions returns true if no quota restrictions need to be applyed\nfunc (v *VirtualFolder) HasNoQuotaRestrictions(checkFiles bool) bool {\n\tif v.QuotaSize == 0 && (!checkFiles || v.QuotaFiles == 0) {\n\t\treturn true\n\t}\n\treturn false\n}\n\n// GetACopy returns a copy\nfunc (v *VirtualFolder) GetACopy() VirtualFolder {\n\treturn VirtualFolder{\n\t\tBaseVirtualFolder: v.BaseVirtualFolder.GetACopy(),\n\t\tVirtualPath: v.VirtualPath,\n\t\tQuotaSize: v.QuotaSize,\n\t\tQuotaFiles: v.QuotaFiles,\n\t}\n}\n" }, { "path": "internal/vfs/gcsfs.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build !nogcs\n\npackage vfs\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"mime\"\n\t\"net/http\"\n\t\"os\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"strconv\"\n\t\"strings\"\n\t\"time\"\n\n\t\"cloud.google.com/go/storage\"\n\t\"github.com/pkg/sftp\"\n\t\"github.com/rs/xid\"\n\t\"google.golang.org/api/googleapi\"\n\t\"google.golang.org/api/iterator\"\n\t\"google.golang.org/api/option\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/metric\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n)\n\nconst (\n\tdefaultGCSPageSize = 5000\n)\n\nvar (\n\tgcsDefaultFieldsSelection = []string{\"Name\", \"Size\", \"Deleted\", \"Updated\", \"ContentType\", \"Metadata\"}\n)\n\n// GCSFs is a Fs implementation for Google Cloud Storage.\ntype GCSFs struct {\n\tconnectionID string\n\tlocalTempDir string\n\t// if not empty this fs is mouted as virtual folder in the specified path\n\tmountPath string\n\tconfig *GCSFsConfig\n\tsvc *storage.Client\n\tctxTimeout time.Duration\n\tctxLongTimeout time.Duration\n}\n\nfunc init() {\n\tversion.AddFeature(\"+gcs\")\n}\n\n// NewGCSFs returns an GCSFs object that allows to interact with Google Cloud Storage\nfunc NewGCSFs(connectionID, localTempDir, mountPath string, config GCSFsConfig) (Fs, error) {\n\tif localTempDir == \"\" {\n\t\tlocalTempDir = getLocalTempDir()\n\t}\n\n\tvar err error\n\tfs := &GCSFs{\n\t\tconnectionID: connectionID,\n\t\tlocalTempDir: localTempDir,\n\t\tmountPath: getMountPath(mountPath),\n\t\tconfig: &config,\n\t\tctxTimeout: 30 * time.Second,\n\t\tctxLongTimeout: 300 * time.Second,\n\t}\n\tif err = fs.config.validate(); err != nil {\n\t\treturn fs, err\n\t}\n\tctx := context.Background()\n\tif fs.config.AutomaticCredentials > 0 {\n\t\tfs.svc, err = storage.NewClient(ctx,\n\t\t\tstorage.WithJSONReads(),\n\t\t\toption.WithUserAgent(version.GetVersionHash()),\n\t\t)\n\t} else {\n\t\terr = fs.config.Credentials.TryDecrypt()\n\t\tif err != nil {\n\t\t\treturn fs, err\n\t\t}\n\t\tfs.svc, err = storage.NewClient(ctx,\n\t\t\tstorage.WithJSONReads(),\n\t\t\toption.WithUserAgent(version.GetVersionHash()),\n\t\t\toption.WithAuthCredentialsJSON(option.ServiceAccount, []byte(fs.config.Credentials.GetPayload())),\n\t\t)\n\t}\n\treturn fs, err\n}\n\n// Name returns the name for the Fs implementation\nfunc (fs *GCSFs) Name() string {\n\treturn fmt.Sprintf(\"%s bucket %q\", gcsfsName, fs.config.Bucket)\n}\n\n// ConnectionID returns the connection ID associated to this Fs implementation\nfunc (fs *GCSFs) ConnectionID() string {\n\treturn fs.connectionID\n}\n\n// Stat returns a FileInfo describing the named file\nfunc (fs *GCSFs) Stat(name string) (os.FileInfo, error) {\n\tif name == \"\" || name == \"/\" || name == \".\" {\n\t\treturn NewFileInfo(name, true, 0, time.Unix(0, 0), false), nil\n\t}\n\tif fs.config.KeyPrefix == name+\"/\" {\n\t\treturn NewFileInfo(name, true, 0, time.Unix(0, 0), false), nil\n\t}\n\treturn fs.getObjectStat(name)\n}\n\n// Lstat returns a FileInfo describing the named file\nfunc (fs *GCSFs) Lstat(name string) (os.FileInfo, error) {\n\treturn fs.Stat(name)\n}\n\n// Open opens the named file for reading\nfunc (fs *GCSFs) Open(name string, offset int64) (File, PipeReader, func(), error) {\n\tr, w, err := createPipeFn(fs.localTempDir, 0)\n\tif err != nil {\n\t\treturn nil, nil, nil, err\n\t}\n\tp := NewPipeReader(r)\n\tif readMetadata > 0 {\n\t\tattrs, err := fs.headObject(name)\n\t\tif err != nil {\n\t\t\tr.Close()\n\t\t\tw.Close()\n\t\t\treturn nil, nil, nil, err\n\t\t}\n\t\tp.setMetadata(attrs.Metadata)\n\t}\n\tbkt := fs.svc.Bucket(fs.config.Bucket)\n\tobj := bkt.Object(name)\n\tctx, cancelFn := context.WithCancel(context.Background())\n\tobjectReader, err := obj.NewRangeReader(ctx, offset, -1)\n\tif err == nil && offset > 0 && objectReader.Attrs.ContentEncoding == \"gzip\" {\n\t\terr = fmt.Errorf(\"range request is not possible for gzip content encoding, requested offset %d\", offset)\n\t\tobjectReader.Close()\n\t}\n\tif err != nil {\n\t\tr.Close()\n\t\tw.Close()\n\t\tcancelFn()\n\t\treturn nil, nil, nil, err\n\t}\n\tgo func() {\n\t\tdefer cancelFn()\n\t\tdefer objectReader.Close()\n\n\t\tn, err := io.Copy(w, objectReader)\n\t\tw.CloseWithError(err) //nolint:errcheck\n\t\tfsLog(fs, logger.LevelDebug, \"download completed, path: %q size: %v, err: %+v\", name, n, err)\n\t\tmetric.GCSTransferCompleted(n, 1, err)\n\t}()\n\treturn nil, p, cancelFn, nil\n}\n\n// Create creates or opens the named file for writing\nfunc (fs *GCSFs) Create(name string, flag, checks int) (File, PipeWriter, func(), error) {\n\tif checks&CheckParentDir != 0 {\n\t\t_, err := fs.Stat(path.Dir(name))\n\t\tif err != nil {\n\t\t\treturn nil, nil, nil, err\n\t\t}\n\t}\n\tchunkSize := googleapi.DefaultUploadChunkSize\n\tif fs.config.UploadPartSize > 0 {\n\t\tchunkSize = int(fs.config.UploadPartSize) * 1024 * 1024\n\t}\n\tr, w, err := createPipeFn(fs.localTempDir, int64(chunkSize+1024*1024))\n\tif err != nil {\n\t\treturn nil, nil, nil, err\n\t}\n\tvar partialFileName string\n\tvar attrs *storage.ObjectAttrs\n\tvar statErr error\n\n\tbkt := fs.svc.Bucket(fs.config.Bucket)\n\tobj := bkt.Object(name)\n\n\tif flag == -1 {\n\t\tobj = obj.If(storage.Conditions{DoesNotExist: true})\n\t} else {\n\t\tattrs, statErr = fs.headObject(name)\n\t\tif statErr == nil {\n\t\t\tobj = obj.If(storage.Conditions{GenerationMatch: attrs.Generation})\n\t\t} else if fs.IsNotExist(statErr) {\n\t\t\tobj = obj.If(storage.Conditions{DoesNotExist: true})\n\t\t} else {\n\t\t\tfsLog(fs, logger.LevelWarn, \"unable to set precondition for %q, stat err: %v\", name, statErr)\n\t\t}\n\t}\n\tctx, cancelFn := context.WithCancel(context.Background())\n\n\tvar p PipeWriter\n\tvar objectWriter *storage.Writer\n\tif checks&CheckResume != 0 {\n\t\tif statErr != nil {\n\t\t\tcancelFn()\n\t\t\tr.Close()\n\t\t\tw.Close()\n\t\t\treturn nil, nil, nil, fmt.Errorf(\"unable to resume %q stat error: %w\", name, statErr)\n\t\t}\n\t\tp = newPipeWriterAtOffset(w, attrs.Size)\n\t\tpartialFileName = fs.getTempObject(name)\n\t\tpartialObj := bkt.Object(partialFileName)\n\t\tpartialObj = partialObj.If(storage.Conditions{DoesNotExist: true})\n\t\tobjectWriter = partialObj.NewWriter(ctx)\n\t} else {\n\t\tp = NewPipeWriter(w)\n\t\tobjectWriter = obj.NewWriter(ctx)\n\t}\n\n\tobjectWriter.ChunkSize = chunkSize\n\tif fs.config.UploadPartMaxTime > 0 {\n\t\tobjectWriter.ChunkRetryDeadline = time.Duration(fs.config.UploadPartMaxTime) * time.Second\n\t}\n\tfs.setWriterAttrs(objectWriter, flag, name)\n\n\tgo func() {\n\t\tdefer cancelFn()\n\n\t\tn, err := io.Copy(objectWriter, r)\n\t\tcloseErr := objectWriter.Close()\n\t\tif err == nil {\n\t\t\terr = closeErr\n\t\t}\n\t\tif err == nil && partialFileName != \"\" {\n\t\t\tpartialObject := bkt.Object(partialFileName)\n\t\t\tpartialObject = partialObject.If(storage.Conditions{GenerationMatch: objectWriter.Attrs().Generation})\n\t\t\terr = fs.composeObjects(ctx, obj, partialObject)\n\t\t}\n\t\tr.CloseWithError(err) //nolint:errcheck\n\t\tp.Done(err)\n\t\tfsLog(fs, logger.LevelDebug, \"upload completed, path: %q, acl: %q, readed bytes: %v, err: %+v\",\n\t\t\tname, fs.config.ACL, n, err)\n\t\tmetric.GCSTransferCompleted(n, 0, err)\n\t}()\n\n\tif uploadMode&8 != 0 {\n\t\treturn nil, p, nil, nil\n\t}\n\treturn nil, p, cancelFn, nil\n}\n\n// Rename renames (moves) source to target.\nfunc (fs *GCSFs) Rename(source, target string, checks int) (int, int64, error) {\n\tif source == target {\n\t\treturn -1, -1, nil\n\t}\n\tif checks&CheckParentDir != 0 {\n\t\t_, err := fs.Stat(path.Dir(target))\n\t\tif err != nil {\n\t\t\treturn -1, -1, err\n\t\t}\n\t}\n\tfi, err := fs.getObjectStat(source)\n\tif err != nil {\n\t\treturn -1, -1, err\n\t}\n\treturn fs.renameInternal(source, target, fi, 0, checks&CheckUpdateModTime != 0)\n}\n\n// Remove removes the named file or (empty) directory.\nfunc (fs *GCSFs) Remove(name string, isDir bool) error {\n\tif isDir {\n\t\thasContents, err := fs.hasContents(name)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif hasContents {\n\t\t\treturn fmt.Errorf(\"cannot remove non empty directory: %q\", name)\n\t\t}\n\t\tif !strings.HasSuffix(name, \"/\") {\n\t\t\tname += \"/\"\n\t\t}\n\t}\n\tobj := fs.svc.Bucket(fs.config.Bucket).Object(name)\n\tattrs, statErr := fs.headObject(name)\n\tif statErr == nil {\n\t\tobj = obj.If(storage.Conditions{GenerationMatch: attrs.Generation})\n\t} else {\n\t\tfsLog(fs, logger.LevelWarn, \"unable to set precondition for deleting %q, stat err: %v\",\n\t\t\tname, statErr)\n\t}\n\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\tdefer cancelFn()\n\n\terr := obj.Delete(ctx)\n\tif isDir && fs.IsNotExist(err) {\n\t\t// we can have directories without a trailing \"/\" (created using v2.1.0 and before)\n\t\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\t\tdefer cancelFn()\n\n\t\terr = fs.svc.Bucket(fs.config.Bucket).Object(strings.TrimSuffix(name, \"/\")).Delete(ctx)\n\t}\n\tmetric.GCSDeleteObjectCompleted(err)\n\treturn err\n}\n\n// Mkdir creates a new directory with the specified name and default permissions\nfunc (fs *GCSFs) Mkdir(name string) error {\n\t_, err := fs.Stat(name)\n\tif !fs.IsNotExist(err) {\n\t\treturn err\n\t}\n\treturn fs.mkdirInternal(name)\n}\n\n// Symlink creates source as a symbolic link to target.\nfunc (*GCSFs) Symlink(_, _ string) error {\n\treturn ErrVfsUnsupported\n}\n\n// Readlink returns the destination of the named symbolic link\nfunc (*GCSFs) Readlink(_ string) (string, error) {\n\treturn \"\", ErrVfsUnsupported\n}\n\n// Chown changes the numeric uid and gid of the named file.\nfunc (*GCSFs) Chown(_ string, _ int, _ int) error {\n\treturn ErrVfsUnsupported\n}\n\n// Chmod changes the mode of the named file to mode.\nfunc (*GCSFs) Chmod(_ string, _ os.FileMode) error {\n\treturn ErrVfsUnsupported\n}\n\n// Chtimes changes the access and modification times of the named file.\nfunc (fs *GCSFs) Chtimes(name string, _, mtime time.Time, isUploading bool) error {\n\tif isUploading {\n\t\treturn nil\n\t}\n\tobj := fs.svc.Bucket(fs.config.Bucket).Object(name)\n\tattrs, err := fs.headObject(name)\n\tif err != nil {\n\t\treturn err\n\t}\n\tobj = obj.If(storage.Conditions{MetagenerationMatch: attrs.Metageneration})\n\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\tdefer cancelFn()\n\n\tmetadata := attrs.Metadata\n\tif metadata == nil {\n\t\tmetadata = make(map[string]string)\n\t}\n\tmetadata[lastModifiedField] = strconv.FormatInt(mtime.UnixMilli(), 10)\n\n\tobjectAttrsToUpdate := storage.ObjectAttrsToUpdate{\n\t\tMetadata: metadata,\n\t}\n\t_, err = obj.Update(ctx, objectAttrsToUpdate)\n\n\treturn err\n}\n\n// Truncate changes the size of the named file.\n// Truncate by path is not supported, while truncating an opened\n// file is handled inside base transfer\nfunc (*GCSFs) Truncate(_ string, _ int64) error {\n\treturn ErrVfsUnsupported\n}\n\n// ReadDir reads the directory named by dirname and returns\n// a list of directory entries.\nfunc (fs *GCSFs) ReadDir(dirname string) (DirLister, error) {\n\t// dirname must be already cleaned\n\tprefix := fs.getPrefix(dirname)\n\tquery := &storage.Query{Prefix: prefix, Delimiter: \"/\"}\n\terr := query.SetAttrSelection(gcsDefaultFieldsSelection)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tbkt := fs.svc.Bucket(fs.config.Bucket)\n\n\treturn &gcsDirLister{\n\t\tbucket: bkt,\n\t\tquery: query,\n\t\ttimeout: fs.ctxTimeout,\n\t\tprefix: prefix,\n\t\tprefixes: make(map[string]bool),\n\t}, nil\n}\n\n// IsUploadResumeSupported returns true if resuming uploads is supported.\n// Resuming uploads is not supported on GCS\nfunc (*GCSFs) IsUploadResumeSupported() bool {\n\treturn false\n}\n\n// IsConditionalUploadResumeSupported returns if resuming uploads is supported\n// for the specified size\nfunc (*GCSFs) IsConditionalUploadResumeSupported(_ int64) bool {\n\treturn true\n}\n\n// IsAtomicUploadSupported returns true if atomic upload is supported.\n// S3 uploads are already atomic, we don't need to upload to a temporary\n// file\nfunc (*GCSFs) IsAtomicUploadSupported() bool {\n\treturn false\n}\n\n// IsNotExist returns a boolean indicating whether the error is known to\n// report that a file or directory does not exist\nfunc (*GCSFs) IsNotExist(err error) bool {\n\tif err == nil {\n\t\treturn false\n\t}\n\tif errors.Is(err, storage.ErrObjectNotExist) {\n\t\treturn true\n\t}\n\tvar apiErr *googleapi.Error\n\tif errors.As(err, &apiErr) {\n\t\tif apiErr.Code == http.StatusNotFound {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// IsPermission returns a boolean indicating whether the error is known to\n// report that permission is denied.\nfunc (*GCSFs) IsPermission(err error) bool {\n\tif err == nil {\n\t\treturn false\n\t}\n\tvar apiErr *googleapi.Error\n\tif errors.As(err, &apiErr) {\n\t\tif apiErr.Code == http.StatusForbidden || apiErr.Code == http.StatusUnauthorized {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// IsNotSupported returns true if the error indicate an unsupported operation\nfunc (*GCSFs) IsNotSupported(err error) bool {\n\tif err == nil {\n\t\treturn false\n\t}\n\treturn errors.Is(err, ErrVfsUnsupported)\n}\n\n// CheckRootPath creates the specified local root directory if it does not exists\nfunc (fs *GCSFs) CheckRootPath(username string, uid int, gid int) bool {\n\t// we need a local directory for temporary files\n\tosFs := NewOsFs(fs.ConnectionID(), fs.localTempDir, \"\", nil)\n\treturn osFs.CheckRootPath(username, uid, gid)\n}\n\n// ScanRootDirContents returns the number of files contained in the bucket,\n// and their size\nfunc (fs *GCSFs) ScanRootDirContents() (int, int64, error) {\n\treturn fs.GetDirSize(fs.config.KeyPrefix)\n}\n\n// GetDirSize returns the number of files and the size for a folder\n// including any subfolders\nfunc (fs *GCSFs) GetDirSize(dirname string) (int, int64, error) {\n\tprefix := fs.getPrefix(dirname)\n\tnumFiles := 0\n\tsize := int64(0)\n\n\tquery := &storage.Query{Prefix: prefix}\n\terr := query.SetAttrSelection(gcsDefaultFieldsSelection)\n\tif err != nil {\n\t\treturn numFiles, size, err\n\t}\n\n\titeratePage := func(nextPageToken string) (string, error) {\n\t\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\t\tdefer cancelFn()\n\n\t\tbkt := fs.svc.Bucket(fs.config.Bucket)\n\t\tit := bkt.Objects(ctx, query)\n\t\tpager := iterator.NewPager(it, defaultGCSPageSize, nextPageToken)\n\n\t\tvar objects []*storage.ObjectAttrs\n\t\tpageToken, err := pager.NextPage(&objects)\n\t\tif err != nil {\n\t\t\treturn pageToken, err\n\t\t}\n\t\tfor _, attrs := range objects {\n\t\t\tif !attrs.Deleted.IsZero() {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tisDir := strings.HasSuffix(attrs.Name, \"/\") || attrs.ContentType == dirMimeType\n\t\t\tif isDir && attrs.Size == 0 {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tnumFiles++\n\t\t\tsize += attrs.Size\n\t\t}\n\t\treturn pageToken, nil\n\t}\n\n\tpageToken := \"\"\n\tfor {\n\t\tpageToken, err = iteratePage(pageToken)\n\t\tif err != nil {\n\t\t\tmetric.GCSListObjectsCompleted(err)\n\t\t\treturn numFiles, size, err\n\t\t}\n\t\tfsLog(fs, logger.LevelDebug, \"scan in progress for %q, files: %d, size: %d\", dirname, numFiles, size)\n\t\tif pageToken == \"\" {\n\t\t\tbreak\n\t\t}\n\t}\n\n\tmetric.GCSListObjectsCompleted(nil)\n\treturn numFiles, size, err\n}\n\n// GetAtomicUploadPath returns the path to use for an atomic upload.\n// GCS uploads are already atomic, we never call this method for GCS\nfunc (*GCSFs) GetAtomicUploadPath(_ string) string {\n\treturn \"\"\n}\n\n// GetRelativePath returns the path for a file relative to the user's home dir.\n// This is the path as seen by SFTPGo users\nfunc (fs *GCSFs) GetRelativePath(name string) string {\n\trel := path.Clean(name)\n\tif rel == \".\" {\n\t\trel = \"\"\n\t}\n\tif !path.IsAbs(rel) {\n\t\trel = \"/\" + rel\n\t}\n\tif fs.config.KeyPrefix != \"\" {\n\t\tif !strings.HasPrefix(rel, \"/\"+fs.config.KeyPrefix) {\n\t\t\trel = \"/\"\n\t\t}\n\t\trel = path.Clean(\"/\" + strings.TrimPrefix(rel, \"/\"+fs.config.KeyPrefix))\n\t}\n\tif fs.mountPath != \"\" {\n\t\trel = path.Join(fs.mountPath, rel)\n\t}\n\treturn rel\n}\n\n// Walk walks the file tree rooted at root, calling walkFn for each file or\n// directory in the tree, including root\nfunc (fs *GCSFs) Walk(root string, walkFn filepath.WalkFunc) error {\n\tprefix := fs.getPrefix(root)\n\n\tquery := &storage.Query{Prefix: prefix}\n\terr := query.SetAttrSelection(gcsDefaultFieldsSelection)\n\tif err != nil {\n\t\twalkFn(root, nil, err) //nolint:errcheck\n\t\treturn err\n\t}\n\n\titeratePage := func(nextPageToken string) (string, error) {\n\t\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\t\tdefer cancelFn()\n\n\t\tbkt := fs.svc.Bucket(fs.config.Bucket)\n\t\tit := bkt.Objects(ctx, query)\n\t\tpager := iterator.NewPager(it, defaultGCSPageSize, nextPageToken)\n\n\t\tvar objects []*storage.ObjectAttrs\n\t\tpageToken, err := pager.NextPage(&objects)\n\t\tif err != nil {\n\t\t\twalkFn(root, nil, err) //nolint:errcheck\n\t\t\treturn pageToken, err\n\t\t}\n\t\tfor _, attrs := range objects {\n\t\t\tif !attrs.Deleted.IsZero() {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tname, isDir := fs.resolve(attrs.Name, prefix, attrs.ContentType)\n\t\t\tif name == \"\" {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tobjectModTime := attrs.Updated\n\t\t\tif val := getLastModified(attrs.Metadata); val > 0 {\n\t\t\t\tobjectModTime = util.GetTimeFromMsecSinceEpoch(val)\n\t\t\t}\n\t\t\terr = walkFn(attrs.Name, NewFileInfo(name, isDir, attrs.Size, objectModTime, false), nil)\n\t\t\tif err != nil {\n\t\t\t\treturn pageToken, err\n\t\t\t}\n\t\t}\n\n\t\treturn pageToken, nil\n\t}\n\n\tpageToken := \"\"\n\tfor {\n\t\tpageToken, err = iteratePage(pageToken)\n\t\tif err != nil {\n\t\t\tmetric.GCSListObjectsCompleted(err)\n\t\t\treturn err\n\t\t}\n\t\tif pageToken == \"\" {\n\t\t\tbreak\n\t\t}\n\t}\n\n\twalkFn(root, NewFileInfo(root, true, 0, time.Unix(0, 0), false), err) //nolint:errcheck\n\tmetric.GCSListObjectsCompleted(err)\n\treturn err\n}\n\n// Join joins any number of path elements into a single path\nfunc (*GCSFs) Join(elem ...string) string {\n\treturn strings.TrimPrefix(path.Join(elem...), \"/\")\n}\n\n// HasVirtualFolders returns true if folders are emulated\nfunc (*GCSFs) HasVirtualFolders() bool {\n\treturn true\n}\n\n// ResolvePath returns the matching filesystem path for the specified virtual path\nfunc (fs *GCSFs) ResolvePath(virtualPath string) (string, error) {\n\tif fs.mountPath != \"\" {\n\t\tif after, found := strings.CutPrefix(virtualPath, fs.mountPath); found {\n\t\t\tvirtualPath = after\n\t\t}\n\t}\n\tvirtualPath = path.Clean(\"/\" + virtualPath)\n\treturn fs.Join(fs.config.KeyPrefix, strings.TrimPrefix(virtualPath, \"/\")), nil\n}\n\n// CopyFile implements the FsFileCopier interface\nfunc (fs *GCSFs) CopyFile(source, target string, srcInfo os.FileInfo) (int, int64, error) {\n\tnumFiles := 1\n\tsizeDiff := srcInfo.Size()\n\tvar conditions *storage.Conditions\n\tattrs, err := fs.headObject(target)\n\tif err == nil {\n\t\tsizeDiff -= attrs.Size\n\t\tnumFiles = 0\n\t\tconditions = &storage.Conditions{GenerationMatch: attrs.Generation}\n\t} else {\n\t\tif !fs.IsNotExist(err) {\n\t\t\treturn 0, 0, err\n\t\t}\n\t\tconditions = &storage.Conditions{DoesNotExist: true}\n\t}\n\tif err := fs.copyFileInternal(source, target, conditions, srcInfo, true); err != nil {\n\t\treturn 0, 0, err\n\t}\n\treturn numFiles, sizeDiff, nil\n}\n\nfunc (fs *GCSFs) resolve(name, prefix, contentType string) (string, bool) {\n\tresult := strings.TrimPrefix(name, prefix)\n\tisDir := strings.HasSuffix(result, \"/\")\n\tif isDir {\n\t\tresult = strings.TrimSuffix(result, \"/\")\n\t}\n\tif contentType == dirMimeType {\n\t\tisDir = true\n\t}\n\treturn result, isDir\n}\n\n// getObjectStat returns the stat result\nfunc (fs *GCSFs) getObjectStat(name string) (os.FileInfo, error) {\n\tattrs, err := fs.headObject(name)\n\tif err == nil {\n\t\tobjSize := attrs.Size\n\t\tobjectModTime := attrs.Updated\n\t\tif val := getLastModified(attrs.Metadata); val > 0 {\n\t\t\tobjectModTime = util.GetTimeFromMsecSinceEpoch(val)\n\t\t}\n\t\tisDir := attrs.ContentType == dirMimeType || strings.HasSuffix(attrs.Name, \"/\")\n\t\tinfo := NewFileInfo(name, isDir, objSize, objectModTime, false)\n\t\tif !isDir {\n\t\t\tinfo.setMetadata(attrs.Metadata)\n\t\t}\n\t\treturn info, nil\n\t}\n\tif !fs.IsNotExist(err) {\n\t\treturn nil, err\n\t}\n\t// now check if this is a prefix (virtual directory)\n\thasContents, err := fs.hasContents(name)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif hasContents {\n\t\treturn NewFileInfo(name, true, 0, time.Unix(0, 0), false), nil\n\t}\n\t// finally check if this is an object with a trailing /\n\tattrs, err = fs.headObject(name + \"/\")\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tobjectModTime := attrs.Updated\n\tif val := getLastModified(attrs.Metadata); val > 0 {\n\t\tobjectModTime = util.GetTimeFromMsecSinceEpoch(val)\n\t}\n\treturn NewFileInfo(name, true, attrs.Size, objectModTime, false), nil\n}\n\nfunc (fs *GCSFs) setWriterAttrs(objectWriter *storage.Writer, flag int, name string) {\n\tvar contentType string\n\tif flag == -1 {\n\t\tcontentType = dirMimeType\n\t} else {\n\t\tcontentType = mime.TypeByExtension(path.Ext(name))\n\t}\n\tif contentType != \"\" {\n\t\tobjectWriter.ContentType = contentType\n\t}\n\tif fs.config.StorageClass != \"\" {\n\t\tobjectWriter.StorageClass = fs.config.StorageClass\n\t}\n\tif fs.config.ACL != \"\" {\n\t\tobjectWriter.PredefinedACL = fs.config.ACL\n\t}\n}\n\nfunc (fs *GCSFs) composeObjects(ctx context.Context, dst, partialObject *storage.ObjectHandle) error {\n\tfsLog(fs, logger.LevelDebug, \"start object compose for partial file %q, destination %q\",\n\t\tpartialObject.ObjectName(), dst.ObjectName())\n\tcomposer := dst.ComposerFrom(dst, partialObject)\n\tif fs.config.StorageClass != \"\" {\n\t\tcomposer.StorageClass = fs.config.StorageClass\n\t}\n\tif fs.config.ACL != \"\" {\n\t\tcomposer.PredefinedACL = fs.config.ACL\n\t}\n\tcontentType := mime.TypeByExtension(path.Ext(dst.ObjectName()))\n\tif contentType != \"\" {\n\t\tcomposer.ContentType = contentType\n\t}\n\t_, err := composer.Run(ctx)\n\tfsLog(fs, logger.LevelDebug, \"object compose for %q finished, err: %v\", dst.ObjectName(), err)\n\n\tdelCtx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\tdefer cancelFn()\n\n\terrDelete := partialObject.Delete(delCtx)\n\tmetric.GCSDeleteObjectCompleted(errDelete)\n\tfsLog(fs, logger.LevelDebug, \"deleted partial file %q after composing with %q, err: %v\",\n\t\tpartialObject.ObjectName(), dst.ObjectName(), errDelete)\n\treturn err\n}\n\nfunc (fs *GCSFs) copyFileInternal(source, target string, conditions *storage.Conditions,\n\tsrcInfo os.FileInfo, updateModTime bool,\n) error {\n\tsrc := fs.svc.Bucket(fs.config.Bucket).Object(source)\n\tdst := fs.svc.Bucket(fs.config.Bucket).Object(target)\n\tif conditions != nil {\n\t\tdst = dst.If(*conditions)\n\t} else {\n\t\tattrs, err := fs.headObject(target)\n\t\tif err == nil {\n\t\t\tdst = dst.If(storage.Conditions{GenerationMatch: attrs.Generation})\n\t\t} else if fs.IsNotExist(err) {\n\t\t\tdst = dst.If(storage.Conditions{DoesNotExist: true})\n\t\t} else {\n\t\t\tfsLog(fs, logger.LevelWarn, \"unable to set precondition for copy, target %q, stat err: %v\",\n\t\t\t\ttarget, err)\n\t\t}\n\t}\n\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxLongTimeout))\n\tdefer cancelFn()\n\n\tcopier := dst.CopierFrom(src)\n\tif fs.config.StorageClass != \"\" {\n\t\tcopier.StorageClass = fs.config.StorageClass\n\t}\n\tif fs.config.ACL != \"\" {\n\t\tcopier.PredefinedACL = fs.config.ACL\n\t}\n\tcontentType := mime.TypeByExtension(path.Ext(source))\n\tif contentType != \"\" {\n\t\tcopier.ContentType = contentType\n\t}\n\tmetadata := getMetadata(srcInfo)\n\tif updateModTime && len(metadata) > 0 {\n\t\tdelete(metadata, lastModifiedField)\n\t}\n\tif len(metadata) > 0 {\n\t\tcopier.Metadata = metadata\n\t}\n\t_, err := copier.Run(ctx)\n\tmetric.GCSCopyObjectCompleted(err)\n\treturn err\n}\n\nfunc (fs *GCSFs) renameInternal(source, target string, srcInfo os.FileInfo, recursion int,\n\tupdateModTime bool,\n) (int, int64, error) {\n\tvar numFiles int\n\tvar filesSize int64\n\n\tif srcInfo.IsDir() {\n\t\tif renameMode == 0 {\n\t\t\thasContents, err := fs.hasContents(source)\n\t\t\tif err != nil {\n\t\t\t\treturn numFiles, filesSize, err\n\t\t\t}\n\t\t\tif hasContents {\n\t\t\t\treturn numFiles, filesSize, fmt.Errorf(\"%w: cannot rename non empty directory: %q\", ErrVfsUnsupported, source)\n\t\t\t}\n\t\t}\n\t\tif err := fs.mkdirInternal(target); err != nil {\n\t\t\treturn numFiles, filesSize, err\n\t\t}\n\t\tif renameMode == 1 {\n\t\t\tfiles, size, err := doRecursiveRename(fs, source, target, fs.renameInternal, recursion, updateModTime)\n\t\t\tnumFiles += files\n\t\t\tfilesSize += size\n\t\t\tif err != nil {\n\t\t\t\treturn numFiles, filesSize, err\n\t\t\t}\n\t\t}\n\t} else {\n\t\tif err := fs.copyFileInternal(source, target, nil, srcInfo, updateModTime); err != nil {\n\t\t\treturn numFiles, filesSize, err\n\t\t}\n\t\tnumFiles++\n\t\tfilesSize += srcInfo.Size()\n\t}\n\terr := fs.Remove(source, srcInfo.IsDir())\n\tif fs.IsNotExist(err) {\n\t\terr = nil\n\t}\n\treturn numFiles, filesSize, err\n}\n\nfunc (fs *GCSFs) mkdirInternal(name string) error {\n\tif !strings.HasSuffix(name, \"/\") {\n\t\tname += \"/\"\n\t}\n\t_, w, _, err := fs.Create(name, -1, 0)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn w.Close()\n}\n\nfunc (fs *GCSFs) hasContents(name string) (bool, error) {\n\tresult := false\n\tprefix := fs.getPrefix(name)\n\tquery := &storage.Query{Prefix: prefix}\n\terr := query.SetAttrSelection(gcsDefaultFieldsSelection)\n\tif err != nil {\n\t\treturn result, err\n\t}\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\tdefer cancelFn()\n\n\tbkt := fs.svc.Bucket(fs.config.Bucket)\n\tit := bkt.Objects(ctx, query)\n\t// if we have a dir object with a trailing slash it will be returned so we set the size to 2\n\tpager := iterator.NewPager(it, 2, \"\")\n\n\tvar objects []*storage.ObjectAttrs\n\t_, err = pager.NextPage(&objects)\n\tif err != nil {\n\t\tmetric.GCSListObjectsCompleted(err)\n\t\treturn result, err\n\t}\n\n\tfor _, attrs := range objects {\n\t\tname, _ := fs.resolve(attrs.Name, prefix, attrs.ContentType)\n\t\t// a dir object with a trailing slash will result in an empty name\n\t\tif name == \"/\" || name == \"\" {\n\t\t\tcontinue\n\t\t}\n\t\tresult = true\n\t\tbreak\n\t}\n\n\tmetric.GCSListObjectsCompleted(nil)\n\treturn result, nil\n}\n\nfunc (fs *GCSFs) getPrefix(name string) string {\n\tprefix := \"\"\n\tif name != \"\" && name != \".\" && name != \"/\" {\n\t\tprefix = strings.TrimPrefix(name, \"/\")\n\t\tif !strings.HasSuffix(prefix, \"/\") {\n\t\t\tprefix += \"/\"\n\t\t}\n\t}\n\treturn prefix\n}\n\nfunc (fs *GCSFs) headObject(name string) (*storage.ObjectAttrs, error) {\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\tdefer cancelFn()\n\n\tbkt := fs.svc.Bucket(fs.config.Bucket)\n\tobj := bkt.Object(name)\n\tattrs, err := obj.Attrs(ctx)\n\tmetric.GCSHeadObjectCompleted(err)\n\treturn attrs, err\n}\n\n// GetMimeType returns the content type\nfunc (fs *GCSFs) GetMimeType(name string) (string, error) {\n\tattrs, err := fs.headObject(name)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn attrs.ContentType, nil\n}\n\n// Close closes the fs\nfunc (fs *GCSFs) Close() error {\n\treturn nil\n}\n\n// GetAvailableDiskSize returns the available size for the specified path\nfunc (*GCSFs) GetAvailableDiskSize(_ string) (*sftp.StatVFS, error) {\n\treturn nil, ErrStorageSizeUnavailable\n}\n\nfunc (*GCSFs) getTempObject(name string) string {\n\tdir := filepath.Dir(name)\n\tguid := xid.New().String()\n\treturn filepath.Join(dir, \".sftpgo-partial.\"+guid+\".\"+filepath.Base(name))\n}\n\ntype gcsDirLister struct {\n\tbaseDirLister\n\tbucket *storage.BucketHandle\n\tquery *storage.Query\n\ttimeout time.Duration\n\tnextPageToken string\n\tnoMorePages bool\n\tprefix string\n\tprefixes map[string]bool\n\tmetricUpdated bool\n}\n\nfunc (l *gcsDirLister) resolve(name, contentType string) (string, bool) {\n\tresult := strings.TrimPrefix(name, l.prefix)\n\tisDir := strings.HasSuffix(result, \"/\")\n\tif isDir {\n\t\tresult = strings.TrimSuffix(result, \"/\")\n\t}\n\tif contentType == dirMimeType {\n\t\tisDir = true\n\t}\n\treturn result, isDir\n}\n\nfunc (l *gcsDirLister) Next(limit int) ([]os.FileInfo, error) {\n\tif limit <= 0 {\n\t\treturn nil, errInvalidDirListerLimit\n\t}\n\tif len(l.cache) >= limit {\n\t\treturn l.returnFromCache(limit), nil\n\t}\n\n\tif l.noMorePages {\n\t\tif !l.metricUpdated {\n\t\t\tl.metricUpdated = true\n\t\t\tmetric.GCSListObjectsCompleted(nil)\n\t\t}\n\t\treturn l.returnFromCache(limit), io.EOF\n\t}\n\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(l.timeout))\n\tdefer cancelFn()\n\n\tit := l.bucket.Objects(ctx, l.query)\n\tpaginator := iterator.NewPager(it, defaultGCSPageSize, l.nextPageToken)\n\tvar objects []*storage.ObjectAttrs\n\n\tpageToken, err := paginator.NextPage(&objects)\n\tif err != nil {\n\t\tmetric.GCSListObjectsCompleted(err)\n\t\treturn l.cache, err\n\t}\n\n\tfor _, attrs := range objects {\n\t\tif attrs.Prefix != \"\" {\n\t\t\tname, _ := l.resolve(attrs.Prefix, attrs.ContentType)\n\t\t\tif name == \"\" {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tif _, ok := l.prefixes[name]; ok {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tl.cache = append(l.cache, NewFileInfo(name, true, 0, time.Unix(0, 0), false))\n\t\t\tl.prefixes[name] = true\n\t\t} else {\n\t\t\tname, isDir := l.resolve(attrs.Name, attrs.ContentType)\n\t\t\tif name == \"\" {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tif !attrs.Deleted.IsZero() {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tif isDir {\n\t\t\t\t// check if the dir is already included, it will be sent as blob prefix if it contains at least one item\n\t\t\t\tif _, ok := l.prefixes[name]; ok {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tl.prefixes[name] = true\n\t\t\t}\n\t\t\tmodTime := attrs.Updated\n\t\t\tif val := getLastModified(attrs.Metadata); val > 0 {\n\t\t\t\tmodTime = util.GetTimeFromMsecSinceEpoch(val)\n\t\t\t}\n\t\t\tinfo := NewFileInfo(name, isDir, attrs.Size, modTime, false)\n\t\t\tinfo.setMetadata(attrs.Metadata)\n\t\t\tl.cache = append(l.cache, info)\n\t\t}\n\t}\n\n\tl.nextPageToken = pageToken\n\tl.noMorePages = (l.nextPageToken == \"\")\n\n\treturn l.returnFromCache(limit), nil\n}\n\nfunc (l *gcsDirLister) Close() error {\n\tclear(l.prefixes)\n\treturn l.baseDirLister.Close()\n}\n" }, { "path": "internal/vfs/gcsfs_disabled.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build nogcs\n\npackage vfs\n\nimport (\n\t\"errors\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n)\n\nfunc init() {\n\tversion.AddFeature(\"-gcs\")\n}\n\n// NewGCSFs returns an error, GCS is disabled\nfunc NewGCSFs(_, _, _ string, _ GCSFsConfig) (Fs, error) {\n\treturn nil, errors.New(\"Google Cloud Storage disabled at build time\")\n}\n" }, { "path": "internal/vfs/httpfs.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage vfs\n\nimport (\n\t\"context\"\n\t\"crypto/tls\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"io/fs\"\n\t\"mime\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/pkg/sftp\"\n\t\"github.com/sftpgo/sdk\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/metric\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nconst (\n\t// httpFsName is the name for the HTTP Fs implementation\n\thttpFsName = \"httpfs\"\n\tmaxHTTPFsResponseSize = 1048576\n)\n\nvar (\n\tsupportedEndpointSchema = []string{\"http://\", \"https://\"}\n)\n\n// HTTPFsConfig defines the configuration for HTTP based filesystem\ntype HTTPFsConfig struct {\n\tsdk.BaseHTTPFsConfig\n\tPassword *kms.Secret `json:\"password,omitempty\"`\n\tAPIKey *kms.Secret `json:\"api_key,omitempty\"`\n}\n\nfunc (c *HTTPFsConfig) isUnixDomainSocket() bool {\n\treturn strings.HasPrefix(c.Endpoint, \"http://unix\") || strings.HasPrefix(c.Endpoint, \"https://unix\")\n}\n\n// HideConfidentialData hides confidential data\nfunc (c *HTTPFsConfig) HideConfidentialData() {\n\tif c.Password != nil {\n\t\tc.Password.Hide()\n\t}\n\tif c.APIKey != nil {\n\t\tc.APIKey.Hide()\n\t}\n}\n\nfunc (c *HTTPFsConfig) setNilSecretsIfEmpty() {\n\tif c.Password != nil && c.Password.IsEmpty() {\n\t\tc.Password = nil\n\t}\n\tif c.APIKey != nil && c.APIKey.IsEmpty() {\n\t\tc.APIKey = nil\n\t}\n}\n\nfunc (c *HTTPFsConfig) setEmptyCredentialsIfNil() {\n\tif c.Password == nil {\n\t\tc.Password = kms.NewEmptySecret()\n\t}\n\tif c.APIKey == nil {\n\t\tc.APIKey = kms.NewEmptySecret()\n\t}\n}\n\nfunc (c *HTTPFsConfig) isEqual(other HTTPFsConfig) bool {\n\tif c.Endpoint != other.Endpoint {\n\t\treturn false\n\t}\n\tif c.Username != other.Username {\n\t\treturn false\n\t}\n\tif c.SkipTLSVerify != other.SkipTLSVerify {\n\t\treturn false\n\t}\n\tc.setEmptyCredentialsIfNil()\n\tother.setEmptyCredentialsIfNil()\n\tif !c.Password.IsEqual(other.Password) {\n\t\treturn false\n\t}\n\treturn c.APIKey.IsEqual(other.APIKey)\n}\n\nfunc (c *HTTPFsConfig) isSameResource(other HTTPFsConfig) bool {\n\tif c.EqualityCheckMode > 0 || other.EqualityCheckMode > 0 {\n\t\tif c.Username != other.Username {\n\t\t\treturn false\n\t\t}\n\t}\n\treturn c.Endpoint == other.Endpoint\n}\n\n// validate returns an error if the configuration is not valid\nfunc (c *HTTPFsConfig) validate() error {\n\tc.setEmptyCredentialsIfNil()\n\tif c.Endpoint == \"\" {\n\t\treturn util.NewI18nError(errors.New(\"httpfs: endpoint cannot be empty\"), util.I18nErrorEndpointRequired)\n\t}\n\tc.Endpoint = strings.TrimRight(c.Endpoint, \"/\")\n\tendpointURL, err := url.Parse(c.Endpoint)\n\tif err != nil {\n\t\treturn util.NewI18nError(fmt.Errorf(\"httpfs: invalid endpoint: %w\", err), util.I18nErrorEndpointInvalid)\n\t}\n\tif !util.IsStringPrefixInSlice(c.Endpoint, supportedEndpointSchema) {\n\t\treturn util.NewI18nError(\n\t\t\terrors.New(\"httpfs: invalid endpoint schema: http and https are supported\"),\n\t\t\tutil.I18nErrorEndpointInvalid,\n\t\t)\n\t}\n\tif endpointURL.Host == \"unix\" {\n\t\tsocketPath := endpointURL.Query().Get(\"socket_path\")\n\t\tif !filepath.IsAbs(socketPath) {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tfmt.Errorf(\"httpfs: invalid unix domain socket path: %q\", socketPath),\n\t\t\t\tutil.I18nErrorEndpointInvalid,\n\t\t\t)\n\t\t}\n\t}\n\tif !isEqualityCheckModeValid(c.EqualityCheckMode) {\n\t\treturn errors.New(\"invalid equality_check_mode\")\n\t}\n\tif c.Password.IsEncrypted() && !c.Password.IsValid() {\n\t\treturn errors.New(\"httpfs: invalid encrypted password\")\n\t}\n\tif !c.Password.IsEmpty() && !c.Password.IsValidInput() {\n\t\treturn errors.New(\"httpfs: invalid password\")\n\t}\n\tif c.APIKey.IsEncrypted() && !c.APIKey.IsValid() {\n\t\treturn errors.New(\"httpfs: invalid encrypted API key\")\n\t}\n\tif !c.APIKey.IsEmpty() && !c.APIKey.IsValidInput() {\n\t\treturn errors.New(\"httpfs: invalid API key\")\n\t}\n\treturn nil\n}\n\n// ValidateAndEncryptCredentials validates the config and encrypts credentials if they are in plain text\nfunc (c *HTTPFsConfig) ValidateAndEncryptCredentials(additionalData string) error {\n\terr := c.validate()\n\tif err != nil {\n\t\tvar errI18n *util.I18nError\n\t\terrValidation := util.NewValidationError(fmt.Sprintf(\"could not validate HTTP fs config: %v\", err))\n\t\tif errors.As(err, &errI18n) {\n\t\t\treturn util.NewI18nError(errValidation, errI18n.Message)\n\t\t}\n\t\treturn util.NewI18nError(errValidation, util.I18nErrorFsValidation)\n\t}\n\tif c.Password.IsPlain() {\n\t\tc.Password.SetAdditionalData(additionalData)\n\t\tif err := c.Password.Encrypt(); err != nil {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"could not encrypt HTTP fs password: %v\", err)),\n\t\t\t\tutil.I18nErrorFsValidation,\n\t\t\t)\n\t\t}\n\t}\n\tif c.APIKey.IsPlain() {\n\t\tc.APIKey.SetAdditionalData(additionalData)\n\t\tif err := c.APIKey.Encrypt(); err != nil {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"could not encrypt HTTP fs API key: %v\", err)),\n\t\t\t\tutil.I18nErrorFsValidation,\n\t\t\t)\n\t\t}\n\t}\n\treturn nil\n}\n\n// HTTPFs is a Fs implementation for the SFTPGo HTTP filesystem backend\ntype HTTPFs struct {\n\tconnectionID string\n\tlocalTempDir string\n\t// if not empty this fs is mouted as virtual folder in the specified path\n\tmountPath string\n\tconfig *HTTPFsConfig\n\tclient *http.Client\n\tctxTimeout time.Duration\n}\n\n// NewHTTPFs returns an HTTPFs object that allows to interact with SFTPGo HTTP filesystem backends\nfunc NewHTTPFs(connectionID, localTempDir, mountPath string, config HTTPFsConfig) (Fs, error) {\n\tif localTempDir == \"\" {\n\t\tlocalTempDir = getLocalTempDir()\n\t}\n\tconfig.setEmptyCredentialsIfNil()\n\tif !config.Password.IsEmpty() {\n\t\tif err := config.Password.TryDecrypt(); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t}\n\tif !config.APIKey.IsEmpty() {\n\t\tif err := config.APIKey.TryDecrypt(); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t}\n\tfs := &HTTPFs{\n\t\tconnectionID: connectionID,\n\t\tlocalTempDir: localTempDir,\n\t\tmountPath: mountPath,\n\t\tconfig: &config,\n\t\tctxTimeout: 30 * time.Second,\n\t}\n\ttransport := http.DefaultTransport.(*http.Transport).Clone()\n\ttransport.MaxResponseHeaderBytes = 1 << 16\n\ttransport.WriteBufferSize = 1 << 16\n\ttransport.ReadBufferSize = 1 << 16\n\tif fs.config.isUnixDomainSocket() {\n\t\tendpointURL, err := url.Parse(fs.config.Endpoint)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tif endpointURL.Host == \"unix\" {\n\t\t\tsocketPath := endpointURL.Query().Get(\"socket_path\")\n\t\t\tif !filepath.IsAbs(socketPath) {\n\t\t\t\treturn nil, fmt.Errorf(\"httpfs: invalid unix domain socket path: %q\", socketPath)\n\t\t\t}\n\t\t\tif endpointURL.Scheme == \"https\" {\n\t\t\t\ttransport.DialTLSContext = func(ctx context.Context, _, _ string) (net.Conn, error) {\n\t\t\t\t\tvar tlsConfig *tls.Config\n\t\t\t\t\tvar d tls.Dialer\n\t\t\t\t\tif config.SkipTLSVerify {\n\t\t\t\t\t\ttlsConfig = getInsecureTLSConfig()\n\t\t\t\t\t}\n\t\t\t\t\td.Config = tlsConfig\n\t\t\t\t\treturn d.DialContext(ctx, \"unix\", socketPath)\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\ttransport.DialContext = func(ctx context.Context, _, _ string) (net.Conn, error) {\n\t\t\t\t\tvar d net.Dialer\n\t\t\t\t\treturn d.DialContext(ctx, \"unix\", socketPath)\n\t\t\t\t}\n\t\t\t}\n\t\t\tendpointURL.Path = path.Join(endpointURL.Path, endpointURL.Query().Get(\"api_prefix\"))\n\t\t\tendpointURL.RawQuery = \"\"\n\t\t\tendpointURL.RawFragment = \"\"\n\t\t\tfs.config.Endpoint = endpointURL.String()\n\t\t}\n\t}\n\tif config.SkipTLSVerify {\n\t\tif transport.TLSClientConfig != nil {\n\t\t\ttransport.TLSClientConfig.InsecureSkipVerify = true\n\t\t} else {\n\t\t\ttransport.TLSClientConfig = getInsecureTLSConfig()\n\t\t}\n\t}\n\tfs.client = &http.Client{\n\t\tTransport: transport,\n\t}\n\treturn fs, nil\n}\n\n// Name returns the name for the Fs implementation\nfunc (fs *HTTPFs) Name() string {\n\treturn fmt.Sprintf(\"%v %q\", httpFsName, fs.config.Endpoint)\n}\n\n// ConnectionID returns the connection ID associated to this Fs implementation\nfunc (fs *HTTPFs) ConnectionID() string {\n\treturn fs.connectionID\n}\n\n// Stat returns a FileInfo describing the named file\nfunc (fs *HTTPFs) Stat(name string) (os.FileInfo, error) {\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\tdefer cancelFn()\n\n\tresp, err := fs.sendHTTPRequest(ctx, http.MethodGet, \"stat\", name, \"\", \"\", nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\trespBody, err := io.ReadAll(io.LimitReader(resp.Body, maxHTTPFsResponseSize))\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tvar response statResponse\n\terr = json.Unmarshal(respBody, &response)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn response.getFileInfo(), nil\n}\n\n// Lstat returns a FileInfo describing the named file\nfunc (fs *HTTPFs) Lstat(name string) (os.FileInfo, error) {\n\treturn fs.Stat(name)\n}\n\n// Open opens the named file for reading\nfunc (fs *HTTPFs) Open(name string, offset int64) (File, PipeReader, func(), error) {\n\tr, w, err := createPipeFn(fs.localTempDir, 0)\n\tif err != nil {\n\t\treturn nil, nil, nil, err\n\t}\n\tp := NewPipeReader(r)\n\tctx, cancelFn := context.WithCancel(context.Background())\n\n\tvar queryString string\n\tif offset > 0 {\n\t\tqueryString = fmt.Sprintf(\"?offset=%d\", offset)\n\t}\n\n\tgo func() {\n\t\tdefer cancelFn()\n\n\t\tresp, err := fs.sendHTTPRequest(ctx, http.MethodGet, \"open\", name, queryString, \"\", nil)\n\t\tif err != nil {\n\t\t\tfsLog(fs, logger.LevelError, \"download error, path %q, err: %v\", name, err)\n\t\t\tw.CloseWithError(err) //nolint:errcheck\n\t\t\tmetric.HTTPFsTransferCompleted(0, 1, err)\n\t\t\treturn\n\t\t}\n\t\tdefer resp.Body.Close()\n\t\tn, err := io.Copy(w, resp.Body)\n\t\tw.CloseWithError(err) //nolint:errcheck\n\t\tfsLog(fs, logger.LevelDebug, \"download completed, path %q size: %v, err: %+v\", name, n, err)\n\t\tmetric.HTTPFsTransferCompleted(n, 1, err)\n\t}()\n\n\treturn nil, p, cancelFn, nil\n}\n\n// Create creates or opens the named file for writing\nfunc (fs *HTTPFs) Create(name string, flag, checks int) (File, PipeWriter, func(), error) {\n\tr, w, err := createPipeFn(fs.localTempDir, 0)\n\tif err != nil {\n\t\treturn nil, nil, nil, err\n\t}\n\tp := NewPipeWriter(w)\n\tctx, cancelFn := context.WithCancel(context.Background())\n\n\tgo func() {\n\t\tdefer cancelFn()\n\n\t\tcontentType := mime.TypeByExtension(path.Ext(name))\n\t\tqueryString := fmt.Sprintf(\"?flags=%d&checks=%d\", flag, checks)\n\t\tresp, err := fs.sendHTTPRequest(ctx, http.MethodPost, \"create\", name, queryString, contentType,\n\t\t\t&wrapReader{reader: r})\n\t\tif err != nil {\n\t\t\tfsLog(fs, logger.LevelError, \"upload error, path %q, err: %v\", name, err)\n\t\t\tr.CloseWithError(err) //nolint:errcheck\n\t\t\tp.Done(err)\n\t\t\tmetric.HTTPFsTransferCompleted(0, 0, err)\n\t\t\treturn\n\t\t}\n\t\tdefer resp.Body.Close()\n\n\t\tr.CloseWithError(err) //nolint:errcheck\n\t\tp.Done(err)\n\t\tfsLog(fs, logger.LevelDebug, \"upload completed, path: %q, readed bytes: %d\", name, r.GetReadedBytes())\n\t\tmetric.HTTPFsTransferCompleted(r.GetReadedBytes(), 0, err)\n\t}()\n\n\treturn nil, p, cancelFn, nil\n}\n\n// Rename renames (moves) source to target.\nfunc (fs *HTTPFs) Rename(source, target string, checks int) (int, int64, error) {\n\tif source == target {\n\t\treturn -1, -1, nil\n\t}\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\tdefer cancelFn()\n\n\tqueryString := fmt.Sprintf(\"?target=%s\", url.QueryEscape(target))\n\tresp, err := fs.sendHTTPRequest(ctx, http.MethodPatch, \"rename\", source, queryString, \"\", nil)\n\tif err != nil {\n\t\treturn -1, -1, err\n\t}\n\tdefer resp.Body.Close()\n\tif checks&CheckUpdateModTime != 0 {\n\t\tfs.Chtimes(target, time.Now(), time.Now(), false) //nolint:errcheck\n\t}\n\treturn -1, -1, nil\n}\n\n// Remove removes the named file or (empty) directory.\nfunc (fs *HTTPFs) Remove(name string, _ bool) error {\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\tdefer cancelFn()\n\n\tresp, err := fs.sendHTTPRequest(ctx, http.MethodDelete, \"remove\", name, \"\", \"\", nil)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer resp.Body.Close()\n\treturn nil\n}\n\n// Mkdir creates a new directory with the specified name and default permissions\nfunc (fs *HTTPFs) Mkdir(name string) error {\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\tdefer cancelFn()\n\n\tresp, err := fs.sendHTTPRequest(ctx, http.MethodPost, \"mkdir\", name, \"\", \"\", nil)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer resp.Body.Close()\n\treturn nil\n}\n\n// Symlink creates source as a symbolic link to target.\nfunc (*HTTPFs) Symlink(_, _ string) error {\n\treturn ErrVfsUnsupported\n}\n\n// Readlink returns the destination of the named symbolic link\nfunc (*HTTPFs) Readlink(_ string) (string, error) {\n\treturn \"\", ErrVfsUnsupported\n}\n\n// Chown changes the numeric uid and gid of the named file.\nfunc (fs *HTTPFs) Chown(_ string, _ int, _ int) error {\n\treturn ErrVfsUnsupported\n}\n\n// Chmod changes the mode of the named file to mode.\nfunc (fs *HTTPFs) Chmod(name string, mode os.FileMode) error {\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\tdefer cancelFn()\n\n\tqueryString := fmt.Sprintf(\"?mode=%d\", mode)\n\tresp, err := fs.sendHTTPRequest(ctx, http.MethodPatch, \"chmod\", name, queryString, \"\", nil)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer resp.Body.Close()\n\treturn nil\n}\n\n// Chtimes changes the access and modification times of the named file.\nfunc (fs *HTTPFs) Chtimes(name string, atime, mtime time.Time, _ bool) error {\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\tdefer cancelFn()\n\n\tqueryString := fmt.Sprintf(\"?access_time=%s&modification_time=%s\", atime.UTC().Format(time.RFC3339),\n\t\tmtime.UTC().Format(time.RFC3339))\n\tresp, err := fs.sendHTTPRequest(ctx, http.MethodPatch, \"chtimes\", name, queryString, \"\", nil)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer resp.Body.Close()\n\treturn nil\n}\n\n// Truncate changes the size of the named file.\n// Truncate by path is not supported, while truncating an opened\n// file is handled inside base transfer\nfunc (fs *HTTPFs) Truncate(name string, size int64) error {\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\tdefer cancelFn()\n\n\tqueryString := fmt.Sprintf(\"?size=%d\", size)\n\tresp, err := fs.sendHTTPRequest(ctx, http.MethodPatch, \"truncate\", name, queryString, \"\", nil)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer resp.Body.Close()\n\treturn nil\n}\n\n// ReadDir reads the directory named by dirname and returns\n// a list of directory entries.\nfunc (fs *HTTPFs) ReadDir(dirname string) (DirLister, error) {\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\tdefer cancelFn()\n\n\tresp, err := fs.sendHTTPRequest(ctx, http.MethodGet, \"readdir\", dirname, \"\", \"\", nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\trespBody, err := io.ReadAll(io.LimitReader(resp.Body, maxHTTPFsResponseSize*10))\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tvar response []statResponse\n\terr = json.Unmarshal(respBody, &response)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tresult := make([]os.FileInfo, 0, len(response))\n\tfor _, stat := range response {\n\t\tresult = append(result, stat.getFileInfo())\n\t}\n\treturn &baseDirLister{result}, nil\n}\n\n// IsUploadResumeSupported returns true if resuming uploads is supported.\nfunc (*HTTPFs) IsUploadResumeSupported() bool {\n\treturn false\n}\n\n// IsConditionalUploadResumeSupported returns if resuming uploads is supported\n// for the specified size\nfunc (*HTTPFs) IsConditionalUploadResumeSupported(_ int64) bool {\n\treturn false\n}\n\n// IsAtomicUploadSupported returns true if atomic upload is supported.\nfunc (*HTTPFs) IsAtomicUploadSupported() bool {\n\treturn false\n}\n\n// IsNotExist returns a boolean indicating whether the error is known to\n// report that a file or directory does not exist\nfunc (*HTTPFs) IsNotExist(err error) bool {\n\treturn errors.Is(err, fs.ErrNotExist)\n}\n\n// IsPermission returns a boolean indicating whether the error is known to\n// report that permission is denied.\nfunc (*HTTPFs) IsPermission(err error) bool {\n\treturn errors.Is(err, fs.ErrPermission)\n}\n\n// IsNotSupported returns true if the error indicate an unsupported operation\nfunc (*HTTPFs) IsNotSupported(err error) bool {\n\tif err == nil {\n\t\treturn false\n\t}\n\treturn err == ErrVfsUnsupported\n}\n\n// CheckRootPath creates the specified local root directory if it does not exists\nfunc (fs *HTTPFs) CheckRootPath(username string, uid int, gid int) bool {\n\t// we need a local directory for temporary files\n\tosFs := NewOsFs(fs.ConnectionID(), fs.localTempDir, \"\", nil)\n\treturn osFs.CheckRootPath(username, uid, gid)\n}\n\n// ScanRootDirContents returns the number of files and their size\nfunc (fs *HTTPFs) ScanRootDirContents() (int, int64, error) {\n\treturn fs.GetDirSize(\"/\")\n}\n\n// CheckMetadata checks the metadata consistency\nfunc (*HTTPFs) CheckMetadata() error {\n\treturn nil\n}\n\n// GetDirSize returns the number of files and the size for a folder\n// including any subfolders\nfunc (fs *HTTPFs) GetDirSize(dirname string) (int, int64, error) {\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\tdefer cancelFn()\n\n\tresp, err := fs.sendHTTPRequest(ctx, http.MethodGet, \"dirsize\", dirname, \"\", \"\", nil)\n\tif err != nil {\n\t\treturn 0, 0, err\n\t}\n\tdefer resp.Body.Close()\n\n\trespBody, err := io.ReadAll(io.LimitReader(resp.Body, maxHTTPFsResponseSize))\n\tif err != nil {\n\t\treturn 0, 0, err\n\t}\n\n\tvar response dirSizeResponse\n\terr = json.Unmarshal(respBody, &response)\n\tif err != nil {\n\t\treturn 0, 0, err\n\t}\n\treturn response.Files, response.Size, nil\n}\n\n// GetAtomicUploadPath returns the path to use for an atomic upload.\nfunc (*HTTPFs) GetAtomicUploadPath(_ string) string {\n\treturn \"\"\n}\n\n// GetRelativePath returns the path for a file relative to the user's home dir.\n// This is the path as seen by SFTPGo users\nfunc (fs *HTTPFs) GetRelativePath(name string) string {\n\trel := path.Clean(name)\n\tif rel == \".\" {\n\t\trel = \"\"\n\t}\n\tif !path.IsAbs(rel) {\n\t\trel = \"/\" + rel\n\t}\n\tif fs.mountPath != \"\" {\n\t\trel = path.Join(fs.mountPath, rel)\n\t}\n\treturn rel\n}\n\n// Walk walks the file tree rooted at root, calling walkFn for each file or\n// directory in the tree, including root. The result are unordered\nfunc (fs *HTTPFs) Walk(root string, walkFn filepath.WalkFunc) error {\n\tinfo, err := fs.Lstat(root)\n\tif err != nil {\n\t\treturn walkFn(root, nil, err)\n\t}\n\treturn fs.walk(root, info, walkFn)\n}\n\n// Join joins any number of path elements into a single path\nfunc (*HTTPFs) Join(elem ...string) string {\n\treturn strings.TrimPrefix(path.Join(elem...), \"/\")\n}\n\n// HasVirtualFolders returns true if folders are emulated\nfunc (*HTTPFs) HasVirtualFolders() bool {\n\treturn false\n}\n\n// ResolvePath returns the matching filesystem path for the specified virtual path\nfunc (fs *HTTPFs) ResolvePath(virtualPath string) (string, error) {\n\tif fs.mountPath != \"\" {\n\t\tif after, found := strings.CutPrefix(virtualPath, fs.mountPath); found {\n\t\t\tvirtualPath = after\n\t\t}\n\t}\n\treturn path.Clean(\"/\" + virtualPath), nil\n}\n\n// GetMimeType returns the content type\nfunc (fs *HTTPFs) GetMimeType(name string) (string, error) {\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\tdefer cancelFn()\n\n\tresp, err := fs.sendHTTPRequest(ctx, http.MethodGet, \"stat\", name, \"\", \"\", nil)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tdefer resp.Body.Close()\n\n\trespBody, err := io.ReadAll(io.LimitReader(resp.Body, maxHTTPFsResponseSize))\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\tvar response mimeTypeResponse\n\terr = json.Unmarshal(respBody, &response)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn response.Mime, nil\n}\n\n// Close closes the fs\nfunc (fs *HTTPFs) Close() error {\n\tfs.client.CloseIdleConnections()\n\treturn nil\n}\n\n// GetAvailableDiskSize returns the available size for the specified path\nfunc (fs *HTTPFs) GetAvailableDiskSize(dirName string) (*sftp.StatVFS, error) {\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\tdefer cancelFn()\n\n\tresp, err := fs.sendHTTPRequest(ctx, http.MethodGet, \"statvfs\", dirName, \"\", \"\", nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer resp.Body.Close()\n\n\trespBody, err := io.ReadAll(io.LimitReader(resp.Body, maxHTTPFsResponseSize))\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tvar response statVFSResponse\n\terr = json.Unmarshal(respBody, &response)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn response.toSFTPStatVFS(), nil\n}\n\nfunc (fs *HTTPFs) sendHTTPRequest(ctx context.Context, method, base, name, queryString, contentType string,\n\tbody io.Reader,\n) (*http.Response, error) {\n\turl := fmt.Sprintf(\"%s/%s/%s%s\", fs.config.Endpoint, base, url.PathEscape(name), queryString)\n\treq, err := http.NewRequest(method, url, body)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif contentType != \"\" {\n\t\treq.Header.Set(\"Content-Type\", contentType)\n\t}\n\tif fs.config.APIKey.GetPayload() != \"\" {\n\t\treq.Header.Set(\"X-API-KEY\", fs.config.APIKey.GetPayload())\n\t}\n\tif fs.config.Username != \"\" || fs.config.Password.GetPayload() != \"\" {\n\t\treq.SetBasicAuth(fs.config.Username, fs.config.Password.GetPayload())\n\t}\n\tresp, err := fs.client.Do(req.WithContext(ctx))\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to send HTTP request to URL %v: %w\", url, err)\n\t}\n\tif err = getErrorFromResponseCode(resp.StatusCode); err != nil {\n\t\tresp.Body.Close()\n\t\treturn nil, err\n\t}\n\treturn resp, nil\n}\n\n// walk recursively descends path, calling walkFn.\nfunc (fs *HTTPFs) walk(filePath string, info fs.FileInfo, walkFn filepath.WalkFunc) error {\n\tif !info.IsDir() {\n\t\treturn walkFn(filePath, info, nil)\n\t}\n\tlister, err := fs.ReadDir(filePath)\n\terr1 := walkFn(filePath, info, err)\n\tif err != nil || err1 != nil {\n\t\tif err == nil {\n\t\t\tlister.Close()\n\t\t}\n\t\treturn err1\n\t}\n\tdefer lister.Close()\n\n\tfor {\n\t\tfiles, err := lister.Next(ListerBatchSize)\n\t\tfinished := errors.Is(err, io.EOF)\n\t\tif err != nil && !finished {\n\t\t\treturn err\n\t\t}\n\t\tfor _, fi := range files {\n\t\t\tobjName := path.Join(filePath, fi.Name())\n\t\t\terr = fs.walk(objName, fi, walkFn)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\tif finished {\n\t\t\treturn nil\n\t\t}\n\t}\n}\n\nfunc getErrorFromResponseCode(code int) error {\n\tswitch code {\n\tcase 401, 403:\n\t\treturn os.ErrPermission\n\tcase 404:\n\t\treturn os.ErrNotExist\n\tcase 501:\n\t\treturn ErrVfsUnsupported\n\tcase 200, 201:\n\t\treturn nil\n\tdefault:\n\t\treturn fmt.Errorf(\"unexpected response code: %v\", code)\n\t}\n}\n\nfunc getInsecureTLSConfig() *tls.Config {\n\treturn &tls.Config{\n\t\tInsecureSkipVerify: true,\n\t}\n}\n\ntype wrapReader struct {\n\treader io.Reader\n}\n\nfunc (r *wrapReader) Read(p []byte) (n int, err error) {\n\treturn r.reader.Read(p)\n}\n\ntype statResponse struct {\n\tName string `json:\"name\"`\n\tSize int64 `json:\"size\"`\n\tMode uint32 `json:\"mode\"`\n\tLastModified time.Time `json:\"last_modified\"`\n}\n\nfunc (s *statResponse) getFileInfo() os.FileInfo {\n\tinfo := NewFileInfo(s.Name, false, s.Size, s.LastModified, false)\n\tinfo.SetMode(fs.FileMode(s.Mode))\n\treturn info\n}\n\ntype dirSizeResponse struct {\n\tFiles int `json:\"files\"`\n\tSize int64 `json:\"size\"`\n}\n\ntype mimeTypeResponse struct {\n\tMime string `json:\"mime\"`\n}\n\ntype statVFSResponse struct {\n\tID uint32 `json:\"-\"`\n\tBsize uint64 `json:\"bsize\"`\n\tFrsize uint64 `json:\"frsize\"`\n\tBlocks uint64 `json:\"blocks\"`\n\tBfree uint64 `json:\"bfree\"`\n\tBavail uint64 `json:\"bavail\"`\n\tFiles uint64 `json:\"files\"`\n\tFfree uint64 `json:\"ffree\"`\n\tFavail uint64 `json:\"favail\"`\n\tFsid uint64 `json:\"fsid\"`\n\tFlag uint64 `json:\"flag\"`\n\tNamemax uint64 `json:\"namemax\"`\n}\n\nfunc (s *statVFSResponse) toSFTPStatVFS() *sftp.StatVFS {\n\treturn &sftp.StatVFS{\n\t\tBsize: s.Bsize,\n\t\tFrsize: s.Frsize,\n\t\tBlocks: s.Blocks,\n\t\tBfree: s.Bfree,\n\t\tBavail: s.Bavail,\n\t\tFiles: s.Files,\n\t\tFfree: s.Ffree,\n\t\tFavail: s.Ffree,\n\t\tFlag: s.Flag,\n\t\tNamemax: s.Namemax,\n\t}\n}\n" }, { "path": "internal/vfs/osfs.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage vfs\n\nimport (\n\t\"bufio\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"io/fs\"\n\t\"net/http\"\n\t\"os\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"slices\"\n\t\"strings\"\n\t\"time\"\n\n\tfscopy \"github.com/otiai10/copy\"\n\t\"github.com/pkg/sftp\"\n\t\"github.com/rs/xid\"\n\t\"github.com/sftpgo/sdk\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n)\n\nconst (\n\t// osFsName is the name for the local Fs implementation\n\tosFsName = \"osfs\"\n)\n\ntype pathResolutionError struct {\n\terr string\n}\n\nfunc (e *pathResolutionError) Error() string {\n\treturn fmt.Sprintf(\"Path resolution error: %s\", e.err)\n}\n\n// OsFs is a Fs implementation that uses functions provided by the os package.\ntype OsFs struct {\n\tname string\n\tconnectionID string\n\trootDir string\n\t// if not empty this fs is mouted as virtual folder in the specified path\n\tmountPath string\n\tlocalTempDir string\n\treadBufferSize int\n\twriteBufferSize int\n}\n\n// NewOsFs returns an OsFs object that allows to interact with local Os filesystem\nfunc NewOsFs(connectionID, rootDir, mountPath string, config *sdk.OSFsConfig) Fs {\n\tvar readBufferSize, writeBufferSize int\n\tif config != nil {\n\t\treadBufferSize = config.ReadBufferSize * 1024 * 1024\n\t\twriteBufferSize = config.WriteBufferSize * 1024 * 1024\n\t}\n\treturn &OsFs{\n\t\tname: osFsName,\n\t\tconnectionID: connectionID,\n\t\trootDir: rootDir,\n\t\tmountPath: getMountPath(mountPath),\n\t\tlocalTempDir: getLocalTempDir(),\n\t\treadBufferSize: readBufferSize,\n\t\twriteBufferSize: writeBufferSize,\n\t}\n}\n\n// Name returns the name for the Fs implementation\nfunc (fs *OsFs) Name() string {\n\treturn fs.name\n}\n\n// ConnectionID returns the SSH connection ID associated to this Fs implementation\nfunc (fs *OsFs) ConnectionID() string {\n\treturn fs.connectionID\n}\n\n// Stat returns a FileInfo describing the named file\nfunc (fs *OsFs) Stat(name string) (os.FileInfo, error) {\n\treturn os.Stat(name)\n}\n\n// Lstat returns a FileInfo describing the named file\nfunc (fs *OsFs) Lstat(name string) (os.FileInfo, error) {\n\treturn os.Lstat(name)\n}\n\n// Open opens the named file for reading\nfunc (fs *OsFs) Open(name string, offset int64) (File, PipeReader, func(), error) {\n\tf, err := os.Open(name)\n\tif err != nil {\n\t\treturn nil, nil, nil, err\n\t}\n\tif offset > 0 {\n\t\t_, err = f.Seek(offset, io.SeekStart)\n\t\tif err != nil {\n\t\t\tf.Close()\n\t\t\treturn nil, nil, nil, err\n\t\t}\n\t}\n\tif fs.readBufferSize <= 0 {\n\t\treturn f, nil, nil, err\n\t}\n\tr, w, err := createPipeFn(fs.localTempDir, 0)\n\tif err != nil {\n\t\tf.Close()\n\t\treturn nil, nil, nil, err\n\t}\n\tp := NewPipeReader(r)\n\tgo func() {\n\t\tbr := bufio.NewReaderSize(f, fs.readBufferSize)\n\t\tn, err := doCopy(w, br, nil)\n\t\tw.CloseWithError(err) //nolint:errcheck\n\t\tf.Close()\n\t\tfsLog(fs, logger.LevelDebug, \"download completed, path: %q size: %v, err: %v\", name, n, err)\n\t}()\n\n\treturn nil, p, nil, nil\n}\n\n// Create creates or opens the named file for writing\nfunc (fs *OsFs) Create(name string, flag, _ int) (File, PipeWriter, func(), error) {\n\tif !fs.useWriteBuffering(flag) {\n\t\tvar err error\n\t\tvar f *os.File\n\t\tif flag == 0 {\n\t\t\tf, err = os.Create(name)\n\t\t} else {\n\t\t\tf, err = os.OpenFile(name, flag, 0666)\n\t\t}\n\t\treturn f, nil, nil, err\n\t}\n\tf, err := os.OpenFile(name, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0666)\n\tif err != nil {\n\t\treturn nil, nil, nil, err\n\t}\n\tr, w, err := createPipeFn(fs.localTempDir, 0)\n\tif err != nil {\n\t\tf.Close()\n\t\treturn nil, nil, nil, err\n\t}\n\tp := NewPipeWriter(w)\n\n\tgo func() {\n\t\tbw := bufio.NewWriterSize(f, fs.writeBufferSize)\n\t\tn, err := doCopy(bw, r, nil)\n\t\terrFlush := bw.Flush()\n\t\tif err == nil && errFlush != nil {\n\t\t\terr = errFlush\n\t\t}\n\t\terrClose := f.Close()\n\t\tif err == nil && errClose != nil {\n\t\t\terr = errClose\n\t\t}\n\t\tr.CloseWithError(err) //nolint:errcheck\n\t\tp.Done(err)\n\t\tfsLog(fs, logger.LevelDebug, \"upload completed, path: %q, readed bytes: %v, err: %v\", name, n, err)\n\t}()\n\n\treturn nil, p, nil, nil\n}\n\n// Rename renames (moves) source to target\nfunc (fs *OsFs) Rename(source, target string, checks int) (int, int64, error) {\n\tif source == target {\n\t\treturn -1, -1, nil\n\t}\n\terr := os.Rename(source, target)\n\tif err != nil && isCrossDeviceError(err) {\n\t\tfsLog(fs, logger.LevelError, \"cross device error detected while renaming %q -> %q. Trying a copy and remove, this could take a long time\",\n\t\t\tsource, target)\n\t\tvar readBufferSize uint\n\t\tif fs.readBufferSize > 0 {\n\t\t\treadBufferSize = uint(fs.readBufferSize)\n\t\t}\n\n\t\terr = fscopy.Copy(source, target, fscopy.Options{\n\t\t\tOnSymlink: func(_ string) fscopy.SymlinkAction {\n\t\t\t\treturn fscopy.Skip\n\t\t\t},\n\t\t\tCopyBufferSize: readBufferSize,\n\t\t})\n\t\tif err != nil {\n\t\t\tfsLog(fs, logger.LevelError, \"cross device copy error: %v\", err)\n\t\t\treturn -1, -1, err\n\t\t}\n\t\tif checks&CheckUpdateModTime != 0 {\n\t\t\tfs.Chtimes(target, time.Now(), time.Now(), false) //nolint:errcheck\n\t\t}\n\t\terr = os.RemoveAll(source)\n\t\treturn -1, -1, err\n\t}\n\tif checks&CheckUpdateModTime != 0 && err == nil {\n\t\tfs.Chtimes(target, time.Now(), time.Now(), false) //nolint:errcheck\n\t}\n\treturn -1, -1, err\n}\n\n// Remove removes the named file or (empty) directory.\nfunc (*OsFs) Remove(name string, _ bool) error {\n\treturn os.Remove(name)\n}\n\n// Mkdir creates a new directory with the specified name and default permissions\nfunc (*OsFs) Mkdir(name string) error {\n\treturn os.Mkdir(name, os.ModePerm)\n}\n\n// Symlink creates source as a symbolic link to target.\nfunc (*OsFs) Symlink(source, target string) error {\n\treturn os.Symlink(source, target)\n}\n\n// Readlink returns the destination of the named symbolic link\n// as absolute virtual path\nfunc (fs *OsFs) Readlink(name string) (string, error) {\n\t// we don't have to follow multiple links:\n\t// https://github.com/openssh/openssh-portable/blob/7bf2eb958fbb551e7d61e75c176bb3200383285d/sftp-server.c#L1329\n\tresolved, err := os.Readlink(name)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tresolved = filepath.Clean(resolved)\n\tif !filepath.IsAbs(resolved) {\n\t\tresolved = filepath.Join(filepath.Dir(name), resolved)\n\t}\n\treturn fs.GetRelativePath(resolved), nil\n}\n\n// Chown changes the numeric uid and gid of the named file.\nfunc (*OsFs) Chown(name string, uid int, gid int) error {\n\treturn os.Chown(name, uid, gid)\n}\n\n// Chmod changes the mode of the named file to mode\nfunc (*OsFs) Chmod(name string, mode os.FileMode) error {\n\treturn os.Chmod(name, mode)\n}\n\n// Chtimes changes the access and modification times of the named file\nfunc (*OsFs) Chtimes(name string, atime, mtime time.Time, _ bool) error {\n\treturn os.Chtimes(name, atime, mtime)\n}\n\n// Truncate changes the size of the named file\nfunc (*OsFs) Truncate(name string, size int64) error {\n\treturn os.Truncate(name, size)\n}\n\n// ReadDir reads the directory named by dirname and returns\n// a list of directory entries.\nfunc (*OsFs) ReadDir(dirname string) (DirLister, error) {\n\tf, err := os.Open(dirname)\n\tif err != nil {\n\t\tif isInvalidNameError(err) {\n\t\t\terr = os.ErrNotExist\n\t\t}\n\t\treturn nil, err\n\t}\n\treturn &osFsDirLister{f}, nil\n}\n\n// IsUploadResumeSupported returns true if resuming uploads is supported\nfunc (*OsFs) IsUploadResumeSupported() bool {\n\treturn true\n}\n\n// IsConditionalUploadResumeSupported returns if resuming uploads is supported\n// for the specified size\nfunc (*OsFs) IsConditionalUploadResumeSupported(_ int64) bool {\n\treturn true\n}\n\n// IsAtomicUploadSupported returns true if atomic upload is supported\nfunc (*OsFs) IsAtomicUploadSupported() bool {\n\treturn true\n}\n\n// IsNotExist returns a boolean indicating whether the error is known to\n// report that a file or directory does not exist\nfunc (*OsFs) IsNotExist(err error) bool {\n\treturn errors.Is(err, fs.ErrNotExist)\n}\n\n// IsPermission returns a boolean indicating whether the error is known to\n// report that permission is denied.\nfunc (*OsFs) IsPermission(err error) bool {\n\tif _, ok := err.(*pathResolutionError); ok {\n\t\treturn true\n\t}\n\treturn errors.Is(err, fs.ErrPermission)\n}\n\n// IsNotSupported returns true if the error indicate an unsupported operation\nfunc (*OsFs) IsNotSupported(err error) bool {\n\tif err == nil {\n\t\treturn false\n\t}\n\treturn err == ErrVfsUnsupported\n}\n\n// CheckRootPath creates the root directory if it does not exists\nfunc (fs *OsFs) CheckRootPath(username string, uid int, gid int) bool {\n\tvar err error\n\tif _, err = fs.Stat(fs.rootDir); fs.IsNotExist(err) {\n\t\terr = os.MkdirAll(fs.rootDir, os.ModePerm)\n\t\tif err == nil {\n\t\t\tSetPathPermissions(fs, fs.rootDir, uid, gid)\n\t\t} else {\n\t\t\tfsLog(fs, logger.LevelError, \"error creating root directory %q for user %q: %v\", fs.rootDir, username, err)\n\t\t}\n\t}\n\treturn err == nil\n}\n\n// ScanRootDirContents returns the number of files contained in the root\n// directory and their size\nfunc (fs *OsFs) ScanRootDirContents() (int, int64, error) {\n\treturn fs.GetDirSize(fs.rootDir)\n}\n\n// CheckMetadata checks the metadata consistency\nfunc (*OsFs) CheckMetadata() error {\n\treturn nil\n}\n\n// GetAtomicUploadPath returns the path to use for an atomic upload\nfunc (*OsFs) GetAtomicUploadPath(name string) string {\n\tdir := filepath.Dir(name)\n\tif tempPath != \"\" {\n\t\tdir = tempPath\n\t}\n\tguid := xid.New().String()\n\treturn filepath.Join(dir, \".sftpgo-upload.\"+guid+\".\"+filepath.Base(name))\n}\n\n// GetRelativePath returns the path for a file relative to the user's home dir.\n// This is the path as seen by SFTPGo users\nfunc (fs *OsFs) GetRelativePath(name string) string {\n\tvirtualPath := \"/\"\n\tif fs.mountPath != \"\" {\n\t\tvirtualPath = fs.mountPath\n\t}\n\trel, err := filepath.Rel(fs.rootDir, filepath.Clean(name))\n\tif err != nil {\n\t\treturn virtualPath\n\t}\n\trel = filepath.ToSlash(rel)\n\tif rel == \"..\" || strings.HasPrefix(rel, \"../\") {\n\t\treturn virtualPath\n\t}\n\tif rel == \".\" {\n\t\trel = \"\"\n\t}\n\treturn path.Join(virtualPath, rel)\n}\n\n// Walk walks the file tree rooted at root, calling walkFn for each file or\n// directory in the tree, including root\nfunc (*OsFs) Walk(root string, walkFn filepath.WalkFunc) error {\n\treturn filepath.Walk(root, walkFn)\n}\n\n// Join joins any number of path elements into a single path\nfunc (*OsFs) Join(elem ...string) string {\n\treturn filepath.Join(elem...)\n}\n\n// ResolvePath returns the matching filesystem path for the specified sftp path\nfunc (fs *OsFs) ResolvePath(virtualPath string) (string, error) {\n\tif !filepath.IsAbs(fs.rootDir) {\n\t\treturn \"\", fmt.Errorf(\"invalid root path %q\", fs.rootDir)\n\t}\n\tif fs.mountPath != \"\" {\n\t\tif after, found := strings.CutPrefix(virtualPath, fs.mountPath); found {\n\t\t\tvirtualPath = after\n\t\t}\n\t}\n\tvirtualPath = path.Clean(\"/\" + virtualPath)\n\tr := filepath.Clean(filepath.Join(fs.rootDir, virtualPath))\n\tp, err := filepath.EvalSymlinks(r)\n\tif isInvalidNameError(err) {\n\t\terr = os.ErrNotExist\n\t}\n\tisNotExist := fs.IsNotExist(err)\n\tif err != nil && !isNotExist {\n\t\treturn \"\", err\n\t} else if isNotExist {\n\t\t// The requested path doesn't exist, so at this point we need to iterate up the\n\t\t// path chain until we hit a directory that _does_ exist and can be validated.\n\t\t_, err = fs.findFirstExistingDir(r)\n\t\tif err != nil {\n\t\t\tfsLog(fs, logger.LevelError, \"error resolving non-existent path %q\", err)\n\t\t}\n\t\treturn r, err\n\t}\n\n\terr = fs.isSubDir(p)\n\tif err != nil {\n\t\tfsLog(fs, logger.LevelError, \"Invalid path resolution, path %q original path %q resolved %q err: %v\",\n\t\t\tp, virtualPath, r, err)\n\t}\n\treturn r, err\n}\n\n// RealPath implements the FsRealPather interface\nfunc (fs *OsFs) RealPath(p string) (string, error) {\n\tlinksWalked := 0\n\tfor {\n\t\tinfo, err := os.Lstat(p)\n\t\tif err != nil {\n\t\t\tif errors.Is(err, os.ErrNotExist) {\n\t\t\t\treturn fs.GetRelativePath(p), nil\n\t\t\t}\n\t\t\treturn \"\", err\n\t\t}\n\t\tif info.Mode()&os.ModeSymlink == 0 {\n\t\t\treturn fs.GetRelativePath(p), nil\n\t\t}\n\t\tresolvedLink, err := os.Readlink(p)\n\t\tif err != nil {\n\t\t\treturn \"\", err\n\t\t}\n\t\tresolvedLink = filepath.Clean(resolvedLink)\n\t\tif filepath.IsAbs(resolvedLink) {\n\t\t\tp = resolvedLink\n\t\t} else {\n\t\t\tp = filepath.Join(filepath.Dir(p), resolvedLink)\n\t\t}\n\t\tlinksWalked++\n\t\tif linksWalked > 10 {\n\t\t\tfsLog(fs, logger.LevelError, \"unable to get real path, too many links: %d\", linksWalked)\n\t\t\treturn \"\", &pathResolutionError{err: \"too many links\"}\n\t\t}\n\t}\n}\n\n// GetDirSize returns the number of files and the size for a folder\n// including any subfolders\nfunc (fs *OsFs) GetDirSize(dirname string) (int, int64, error) {\n\tnumFiles := 0\n\tsize := int64(0)\n\tisDir, err := isDirectory(fs, dirname)\n\tif err == nil && isDir {\n\t\terr = filepath.Walk(dirname, func(_ string, info os.FileInfo, err error) error {\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tif info != nil && info.Mode().IsRegular() {\n\t\t\t\tsize += info.Size()\n\t\t\t\tnumFiles++\n\t\t\t\tif numFiles%1000 == 0 {\n\t\t\t\t\tfsLog(fs, logger.LevelDebug, \"dirname %q scan in progress, files: %d, size: %d\", dirname, numFiles, size)\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn err\n\t\t})\n\t}\n\treturn numFiles, size, err\n}\n\n// HasVirtualFolders returns true if folders are emulated\nfunc (*OsFs) HasVirtualFolders() bool {\n\treturn false\n}\n\nfunc (fs *OsFs) findNonexistentDirs(filePath string) ([]string, error) {\n\tresults := []string{}\n\tcleanPath := filepath.Clean(filePath)\n\tparent := filepath.Dir(cleanPath)\n\t_, err := os.Stat(parent)\n\n\tfor fs.IsNotExist(err) {\n\t\tresults = append(results, parent)\n\t\tparent = filepath.Dir(parent)\n\t\tif slices.Contains(results, parent) {\n\t\t\tbreak\n\t\t}\n\t\t_, err = os.Stat(parent)\n\t}\n\tif err != nil {\n\t\treturn results, err\n\t}\n\tp, err := filepath.EvalSymlinks(parent)\n\tif err != nil {\n\t\treturn results, err\n\t}\n\terr = fs.isSubDir(p)\n\tif err != nil {\n\t\tfsLog(fs, logger.LevelError, \"error finding non existing dir: %v\", err)\n\t}\n\treturn results, err\n}\n\nfunc (fs *OsFs) findFirstExistingDir(path string) (string, error) {\n\tresults, err := fs.findNonexistentDirs(path)\n\tif err != nil {\n\t\tfsLog(fs, logger.LevelError, \"unable to find non existent dirs: %v\", err)\n\t\treturn \"\", err\n\t}\n\tvar parent string\n\tif len(results) > 0 {\n\t\tlastMissingDir := results[len(results)-1]\n\t\tparent = filepath.Dir(lastMissingDir)\n\t} else {\n\t\tparent = fs.rootDir\n\t}\n\tp, err := filepath.EvalSymlinks(parent)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tfileInfo, err := os.Stat(p)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tif !fileInfo.IsDir() {\n\t\treturn \"\", fmt.Errorf(\"resolved path is not a dir: %q\", p)\n\t}\n\terr = fs.isSubDir(p)\n\treturn p, err\n}\n\nfunc (fs *OsFs) isSubDir(sub string) error {\n\t// fs.rootDir must exist and it is already a validated absolute path\n\tparent, err := filepath.EvalSymlinks(fs.rootDir)\n\tif err != nil {\n\t\tfsLog(fs, logger.LevelError, \"invalid root path %q: %v\", fs.rootDir, err)\n\t\treturn err\n\t}\n\tif parent == sub {\n\t\treturn nil\n\t}\n\tif len(sub) < len(parent) {\n\t\terr = fmt.Errorf(\"path %q is not inside %q\", sub, parent)\n\t\treturn &pathResolutionError{err: err.Error()}\n\t}\n\tseparator := string(os.PathSeparator)\n\tif parent == filepath.Dir(parent) {\n\t\t// parent is the root dir, on Windows we can have C:\\, D:\\ and so on here\n\t\t// so we still need the prefix check\n\t\tseparator = \"\"\n\t}\n\tif !strings.HasPrefix(sub, parent+separator) {\n\t\terr = fmt.Errorf(\"path %q is not inside %q\", sub, parent)\n\t\treturn &pathResolutionError{err: err.Error()}\n\t}\n\treturn nil\n}\n\n// GetMimeType returns the content type\nfunc (fs *OsFs) GetMimeType(name string) (string, error) {\n\tf, err := os.OpenFile(name, os.O_RDONLY, 0)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tdefer f.Close()\n\tvar buf [512]byte\n\tn, err := io.ReadFull(f, buf[:])\n\tif err != nil && err != io.EOF && err != io.ErrUnexpectedEOF {\n\t\treturn \"\", err\n\t}\n\tctype := http.DetectContentType(buf[:n])\n\t// Rewind file.\n\t_, err = f.Seek(0, io.SeekStart)\n\treturn ctype, err\n}\n\n// Close closes the fs\nfunc (*OsFs) Close() error {\n\treturn nil\n}\n\n// GetAvailableDiskSize returns the available size for the specified path\nfunc (*OsFs) GetAvailableDiskSize(dirName string) (*sftp.StatVFS, error) {\n\treturn getStatFS(dirName)\n}\n\nfunc (fs *OsFs) useWriteBuffering(flag int) bool {\n\tif fs.writeBufferSize <= 0 {\n\t\treturn false\n\t}\n\tif flag == 0 {\n\t\treturn true\n\t}\n\tif flag&os.O_TRUNC == 0 {\n\t\tfsLog(fs, logger.LevelDebug, \"truncate flag missing, buffering write not possible\")\n\t\treturn false\n\t}\n\tif flag&os.O_RDWR != 0 {\n\t\tfsLog(fs, logger.LevelDebug, \"read and write flag found, buffering write not possible\")\n\t\treturn false\n\t}\n\treturn true\n}\n\ntype osFsDirLister struct {\n\tf *os.File\n}\n\nfunc (l *osFsDirLister) Next(limit int) ([]os.FileInfo, error) {\n\tif limit <= 0 {\n\t\treturn nil, errInvalidDirListerLimit\n\t}\n\treturn l.f.Readdir(limit)\n}\n\nfunc (l *osFsDirLister) Close() error {\n\treturn l.f.Close()\n}\n" }, { "path": "internal/vfs/s3fs.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build !nos3\n\npackage vfs\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"crypto/md5\"\n\t\"crypto/sha256\"\n\t\"crypto/tls\"\n\t\"encoding/base64\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"mime\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"slices\"\n\t\"sort\"\n\t\"strings\"\n\t\"sync\"\n\t\"sync/atomic\"\n\t\"time\"\n\n\t\"github.com/aws/aws-sdk-go-v2/aws\"\n\tawshttp \"github.com/aws/aws-sdk-go-v2/aws/transport/http\"\n\t\"github.com/aws/aws-sdk-go-v2/config\"\n\t\"github.com/aws/aws-sdk-go-v2/credentials\"\n\t\"github.com/aws/aws-sdk-go-v2/credentials/stscreds\"\n\t\"github.com/aws/aws-sdk-go-v2/service/s3\"\n\t\"github.com/aws/aws-sdk-go-v2/service/s3/types\"\n\t\"github.com/aws/aws-sdk-go-v2/service/sts\"\n\t\"github.com/pkg/sftp\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/metric\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n)\n\nconst (\n\t// using this mime type for directories improves compatibility with s3fs-fuse\n\ts3DirMimeType = \"application/x-directory\"\n\ts3TransferBufferSize = 256 * 1024\n\ts3CopyObjectThreshold = 500 * 1024 * 1024\n)\n\nvar (\n\ts3DirMimeTypes = []string{s3DirMimeType, \"httpd/unix-directory\"}\n\ts3DefaultPageSize = int32(1000)\n)\n\n// S3Fs is a Fs implementation for AWS S3 compatible object storages\ntype S3Fs struct {\n\tconnectionID string\n\tlocalTempDir string\n\t// if not empty this fs is mouted as virtual folder in the specified path\n\tmountPath string\n\tconfig *S3FsConfig\n\tsvc *s3.Client\n\tctxTimeout time.Duration\n\tsseCustomerKey string\n\tsseCustomerKeyMD5 string\n\tsseCustomerAlgo string\n}\n\nfunc init() {\n\tversion.AddFeature(\"+s3\")\n}\n\n// NewS3Fs returns an S3Fs object that allows to interact with an s3 compatible\n// object storage\nfunc NewS3Fs(connectionID, localTempDir, mountPath string, s3Config S3FsConfig) (Fs, error) {\n\tif localTempDir == \"\" {\n\t\tlocalTempDir = getLocalTempDir()\n\t}\n\tfs := &S3Fs{\n\t\tconnectionID: connectionID,\n\t\tlocalTempDir: localTempDir,\n\t\tmountPath: getMountPath(mountPath),\n\t\tconfig: &s3Config,\n\t\tctxTimeout: 30 * time.Second,\n\t}\n\tif err := fs.config.validate(); err != nil {\n\t\treturn fs, err\n\t}\n\tctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)\n\tdefer cancel()\n\n\tawsConfig, err := config.LoadDefaultConfig(ctx, config.WithHTTPClient(\n\t\tgetAWSHTTPClient(0, 30*time.Second, fs.config.SkipTLSVerify)),\n\t)\n\tif err != nil {\n\t\treturn fs, fmt.Errorf(\"unable to get AWS config: %w\", err)\n\t}\n\tif fs.config.Region != \"\" {\n\t\tawsConfig.Region = fs.config.Region\n\t}\n\tif !fs.config.AccessSecret.IsEmpty() {\n\t\tif err := fs.config.AccessSecret.TryDecrypt(); err != nil {\n\t\t\treturn fs, err\n\t\t}\n\t\tawsConfig.Credentials = aws.NewCredentialsCache(\n\t\t\tcredentials.NewStaticCredentialsProvider(\n\t\t\t\tfs.config.AccessKey,\n\t\t\t\tfs.config.AccessSecret.GetPayload(),\n\t\t\t\tfs.config.SessionToken),\n\t\t)\n\t}\n\tif !fs.config.SSECustomerKey.IsEmpty() {\n\t\tif err := fs.config.SSECustomerKey.TryDecrypt(); err != nil {\n\t\t\treturn fs, err\n\t\t}\n\t\tkey := fs.config.SSECustomerKey.GetPayload()\n\t\tif len(key) == 32 {\n\t\t\tmd5sumBinary := md5.Sum([]byte(key))\n\t\t\tfs.sseCustomerKey = base64.StdEncoding.EncodeToString([]byte(key))\n\t\t\tfs.sseCustomerKeyMD5 = base64.StdEncoding.EncodeToString(md5sumBinary[:])\n\t\t} else {\n\t\t\tkeyHash := sha256.Sum256([]byte(key))\n\t\t\tmd5sumBinary := md5.Sum(keyHash[:])\n\t\t\tfs.sseCustomerKey = base64.StdEncoding.EncodeToString(keyHash[:])\n\t\t\tfs.sseCustomerKeyMD5 = base64.StdEncoding.EncodeToString(md5sumBinary[:])\n\t\t}\n\t\tfs.sseCustomerAlgo = \"AES256\"\n\t}\n\n\tfs.setConfigDefaults()\n\n\tif fs.config.RoleARN != \"\" {\n\t\tclient := sts.NewFromConfig(awsConfig)\n\t\tcreds := stscreds.NewAssumeRoleProvider(client, fs.config.RoleARN)\n\t\tawsConfig.Credentials = creds\n\t}\n\tfs.svc = s3.NewFromConfig(awsConfig, func(o *s3.Options) {\n\t\to.AppID = version.GetVersionHash()\n\t\to.UsePathStyle = fs.config.ForcePathStyle\n\t\to.RequestChecksumCalculation = aws.RequestChecksumCalculationWhenRequired\n\t\to.ResponseChecksumValidation = aws.ResponseChecksumValidationWhenRequired\n\t\tif fs.config.Endpoint != \"\" {\n\t\t\to.BaseEndpoint = aws.String(fs.config.Endpoint)\n\t\t}\n\t})\n\treturn fs, nil\n}\n\n// Name returns the name for the Fs implementation\nfunc (fs *S3Fs) Name() string {\n\treturn fmt.Sprintf(\"%s bucket %q\", s3fsName, fs.config.Bucket)\n}\n\n// ConnectionID returns the connection ID associated to this Fs implementation\nfunc (fs *S3Fs) ConnectionID() string {\n\treturn fs.connectionID\n}\n\n// Stat returns a FileInfo describing the named file\nfunc (fs *S3Fs) Stat(name string) (os.FileInfo, error) {\n\tvar result *FileInfo\n\tif name == \"\" || name == \"/\" || name == \".\" {\n\t\treturn NewFileInfo(name, true, 0, time.Unix(0, 0), false), nil\n\t}\n\tif fs.config.KeyPrefix == name+\"/\" {\n\t\treturn NewFileInfo(name, true, 0, time.Unix(0, 0), false), nil\n\t}\n\tobj, err := fs.headObject(name)\n\tif err == nil {\n\t\t// Some S3 providers (like SeaweedFS) remove the trailing '/' from object keys.\n\t\t// So we check some common content types to detect if this is a \"directory\".\n\t\tisDir := slices.Contains(s3DirMimeTypes, util.GetStringFromPointer(obj.ContentType))\n\t\tif util.GetIntFromPointer(obj.ContentLength) == 0 && !isDir {\n\t\t\t_, err = fs.headObject(name + \"/\")\n\t\t\tisDir = err == nil\n\t\t}\n\t\tinfo := NewFileInfo(name, isDir, util.GetIntFromPointer(obj.ContentLength), util.GetTimeFromPointer(obj.LastModified), false)\n\t\treturn info, nil\n\t}\n\tif !fs.IsNotExist(err) {\n\t\treturn result, err\n\t}\n\t// now check if this is a prefix (virtual directory)\n\thasContents, err := fs.hasContents(name)\n\tif err == nil && hasContents {\n\t\treturn NewFileInfo(name, true, 0, time.Unix(0, 0), false), nil\n\t} else if err != nil {\n\t\treturn nil, err\n\t}\n\t// the requested file may still be a directory as a zero bytes key\n\t// with a trailing forward slash (created using mkdir).\n\t// S3 doesn't return content type when listing objects, so we have\n\t// create \"dirs\" adding a trailing \"/\" to the key\n\treturn fs.getStatForDir(name)\n}\n\nfunc (fs *S3Fs) getStatForDir(name string) (os.FileInfo, error) {\n\tvar result *FileInfo\n\tobj, err := fs.headObject(name + \"/\")\n\tif err != nil {\n\t\treturn result, err\n\t}\n\treturn NewFileInfo(name, true, util.GetIntFromPointer(obj.ContentLength), util.GetTimeFromPointer(obj.LastModified), false), nil\n}\n\n// Lstat returns a FileInfo describing the named file\nfunc (fs *S3Fs) Lstat(name string) (os.FileInfo, error) {\n\treturn fs.Stat(name)\n}\n\n// Open opens the named file for reading\nfunc (fs *S3Fs) Open(name string, offset int64) (File, PipeReader, func(), error) {\n\tattrs, err := fs.headObject(name)\n\tif err != nil {\n\t\treturn nil, nil, nil, err\n\t}\n\tr, w, err := createPipeFn(fs.localTempDir, fs.config.DownloadPartSize*int64(fs.config.DownloadConcurrency)+1)\n\tif err != nil {\n\t\treturn nil, nil, nil, err\n\t}\n\tp := NewPipeReader(r)\n\tif readMetadata > 0 {\n\t\tp.setMetadata(attrs.Metadata)\n\t}\n\tctx, cancelFn := context.WithCancel(context.Background())\n\n\tgo func() {\n\t\tdefer cancelFn()\n\n\t\terr := fs.handleDownload(ctx, name, offset, w, attrs)\n\t\tw.CloseWithError(err) //nolint:errcheck\n\t\tfsLog(fs, logger.LevelDebug, \"download completed, path: %q size: %d, err: %+v\", name, w.GetWrittenBytes(), err)\n\t\tmetric.S3TransferCompleted(w.GetWrittenBytes(), 1, err)\n\t}()\n\n\treturn nil, p, cancelFn, nil\n}\n\n// Create creates or opens the named file for writing\nfunc (fs *S3Fs) Create(name string, flag, checks int) (File, PipeWriter, func(), error) {\n\tif checks&CheckParentDir != 0 {\n\t\t_, err := fs.Stat(path.Dir(name))\n\t\tif err != nil {\n\t\t\treturn nil, nil, nil, err\n\t\t}\n\t}\n\tr, w, err := createPipeFn(fs.localTempDir, fs.config.UploadPartSize+1024*1024)\n\tif err != nil {\n\t\treturn nil, nil, nil, err\n\t}\n\tvar p PipeWriter\n\tif checks&CheckResume != 0 {\n\t\tp = newPipeWriterAtOffset(w, 0)\n\t} else {\n\t\tp = NewPipeWriter(w)\n\t}\n\tctx, cancelFn := context.WithCancel(context.Background())\n\n\tgo func() {\n\t\tdefer cancelFn()\n\n\t\tvar contentType string\n\t\tif flag == -1 {\n\t\t\tcontentType = s3DirMimeType\n\t\t} else {\n\t\t\tcontentType = mime.TypeByExtension(path.Ext(name))\n\t\t}\n\t\terr := fs.handleUpload(ctx, r, name, contentType)\n\t\tr.CloseWithError(err) //nolint:errcheck\n\t\tp.Done(err)\n\t\tfsLog(fs, logger.LevelDebug, \"upload completed, path: %q, acl: %q, readed bytes: %d, err: %+v\",\n\t\t\tname, fs.config.ACL, r.GetReadedBytes(), err)\n\t\tmetric.S3TransferCompleted(r.GetReadedBytes(), 0, err)\n\t}()\n\n\tif checks&CheckResume != 0 {\n\t\treadCh := make(chan error, 1)\n\n\t\tgo func() {\n\t\t\tn, err := fs.downloadToWriter(name, p)\n\t\t\tpw := p.(*pipeWriterAtOffset)\n\t\t\tpw.offset = 0\n\t\t\tpw.writeOffset = n\n\t\t\treadCh <- err\n\t\t}()\n\n\t\terr = <-readCh\n\t\tif err != nil {\n\t\t\tcancelFn()\n\t\t\tp.Close()\n\t\t\tfsLog(fs, logger.LevelDebug, \"download before resume failed, writer closed and read cancelled\")\n\t\t\treturn nil, nil, nil, err\n\t\t}\n\t}\n\n\tif uploadMode&4 != 0 {\n\t\treturn nil, p, nil, nil\n\t}\n\treturn nil, p, cancelFn, nil\n}\n\n// Rename renames (moves) source to target.\nfunc (fs *S3Fs) Rename(source, target string, checks int) (int, int64, error) {\n\tif source == target {\n\t\treturn -1, -1, nil\n\t}\n\tif checks&CheckParentDir != 0 {\n\t\t_, err := fs.Stat(path.Dir(target))\n\t\tif err != nil {\n\t\t\treturn -1, -1, err\n\t\t}\n\t}\n\tfi, err := fs.Stat(source)\n\tif err != nil {\n\t\treturn -1, -1, err\n\t}\n\treturn fs.renameInternal(source, target, fi, 0, checks&CheckUpdateModTime != 0)\n}\n\n// Remove removes the named file or (empty) directory.\nfunc (fs *S3Fs) Remove(name string, isDir bool) error {\n\tif isDir {\n\t\thasContents, err := fs.hasContents(name)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif hasContents {\n\t\t\treturn fmt.Errorf(\"cannot remove non empty directory: %q\", name)\n\t\t}\n\t\tif !strings.HasSuffix(name, \"/\") {\n\t\t\tname += \"/\"\n\t\t}\n\t}\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\tdefer cancelFn()\n\n\t_, err := fs.svc.DeleteObject(ctx, &s3.DeleteObjectInput{\n\t\tBucket: aws.String(fs.config.Bucket),\n\t\tKey: aws.String(name),\n\t})\n\tmetric.S3DeleteObjectCompleted(err)\n\treturn err\n}\n\n// Mkdir creates a new directory with the specified name and default permissions\nfunc (fs *S3Fs) Mkdir(name string) error {\n\t_, err := fs.Stat(name)\n\tif !fs.IsNotExist(err) {\n\t\treturn err\n\t}\n\treturn fs.mkdirInternal(name)\n}\n\n// Symlink creates source as a symbolic link to target.\nfunc (*S3Fs) Symlink(_, _ string) error {\n\treturn ErrVfsUnsupported\n}\n\n// Readlink returns the destination of the named symbolic link\nfunc (*S3Fs) Readlink(_ string) (string, error) {\n\treturn \"\", ErrVfsUnsupported\n}\n\n// Chown changes the numeric uid and gid of the named file.\nfunc (*S3Fs) Chown(_ string, _ int, _ int) error {\n\treturn ErrVfsUnsupported\n}\n\n// Chmod changes the mode of the named file to mode.\nfunc (*S3Fs) Chmod(_ string, _ os.FileMode) error {\n\treturn ErrVfsUnsupported\n}\n\n// Chtimes changes the access and modification times of the named file.\nfunc (fs *S3Fs) Chtimes(_ string, _, _ time.Time, _ bool) error {\n\treturn ErrVfsUnsupported\n}\n\n// Truncate changes the size of the named file.\n// Truncate by path is not supported, while truncating an opened\n// file is handled inside base transfer\nfunc (*S3Fs) Truncate(_ string, _ int64) error {\n\treturn ErrVfsUnsupported\n}\n\n// ReadDir reads the directory named by dirname and returns\n// a list of directory entries.\nfunc (fs *S3Fs) ReadDir(dirname string) (DirLister, error) {\n\t// dirname must be already cleaned\n\tprefix := fs.getPrefix(dirname)\n\tpaginator := s3.NewListObjectsV2Paginator(fs.svc, &s3.ListObjectsV2Input{\n\t\tBucket: aws.String(fs.config.Bucket),\n\t\tPrefix: aws.String(prefix),\n\t\tDelimiter: aws.String(\"/\"),\n\t\tMaxKeys: &s3DefaultPageSize,\n\t})\n\n\treturn &s3DirLister{\n\t\tpaginator: paginator,\n\t\ttimeout: fs.ctxTimeout,\n\t\tprefix: prefix,\n\t\tprefixes: make(map[string]bool),\n\t}, nil\n}\n\n// IsUploadResumeSupported returns true if resuming uploads is supported.\n// Resuming uploads is not supported on S3\nfunc (*S3Fs) IsUploadResumeSupported() bool {\n\treturn false\n}\n\n// IsConditionalUploadResumeSupported returns if resuming uploads is supported\n// for the specified size\nfunc (*S3Fs) IsConditionalUploadResumeSupported(size int64) bool {\n\treturn size <= resumeMaxSize\n}\n\n// IsAtomicUploadSupported returns true if atomic upload is supported.\n// S3 uploads are already atomic, we don't need to upload to a temporary\n// file\nfunc (*S3Fs) IsAtomicUploadSupported() bool {\n\treturn false\n}\n\n// IsNotExist returns a boolean indicating whether the error is known to\n// report that a file or directory does not exist\nfunc (*S3Fs) IsNotExist(err error) bool {\n\tif err == nil {\n\t\treturn false\n\t}\n\n\tvar re *awshttp.ResponseError\n\tif errors.As(err, &re) {\n\t\tif re.Response != nil {\n\t\t\treturn re.Response.StatusCode == http.StatusNotFound\n\t\t}\n\t}\n\treturn false\n}\n\n// IsPermission returns a boolean indicating whether the error is known to\n// report that permission is denied.\nfunc (*S3Fs) IsPermission(err error) bool {\n\tif err == nil {\n\t\treturn false\n\t}\n\n\tvar re *awshttp.ResponseError\n\tif errors.As(err, &re) {\n\t\tif re.Response != nil {\n\t\t\treturn re.Response.StatusCode == http.StatusForbidden ||\n\t\t\t\tre.Response.StatusCode == http.StatusUnauthorized\n\t\t}\n\t}\n\treturn false\n}\n\n// IsNotSupported returns true if the error indicate an unsupported operation\nfunc (*S3Fs) IsNotSupported(err error) bool {\n\tif err == nil {\n\t\treturn false\n\t}\n\treturn errors.Is(err, ErrVfsUnsupported)\n}\n\n// CheckRootPath creates the specified local root directory if it does not exists\nfunc (fs *S3Fs) CheckRootPath(username string, uid int, gid int) bool {\n\t// we need a local directory for temporary files\n\tosFs := NewOsFs(fs.ConnectionID(), fs.localTempDir, \"\", nil)\n\treturn osFs.CheckRootPath(username, uid, gid)\n}\n\n// ScanRootDirContents returns the number of files contained in the bucket,\n// and their size\nfunc (fs *S3Fs) ScanRootDirContents() (int, int64, error) {\n\treturn fs.GetDirSize(fs.config.KeyPrefix)\n}\n\n// GetDirSize returns the number of files and the size for a folder\n// including any subfolders\nfunc (fs *S3Fs) GetDirSize(dirname string) (int, int64, error) {\n\tprefix := fs.getPrefix(dirname)\n\tnumFiles := 0\n\tsize := int64(0)\n\n\tpaginator := s3.NewListObjectsV2Paginator(fs.svc, &s3.ListObjectsV2Input{\n\t\tBucket: aws.String(fs.config.Bucket),\n\t\tPrefix: aws.String(prefix),\n\t\tMaxKeys: &s3DefaultPageSize,\n\t})\n\n\tfor paginator.HasMorePages() {\n\t\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\t\tdefer cancelFn()\n\n\t\tpage, err := paginator.NextPage(ctx)\n\t\tif err != nil {\n\t\t\tmetric.S3ListObjectsCompleted(err)\n\t\t\treturn numFiles, size, err\n\t\t}\n\t\tfor _, fileObject := range page.Contents {\n\t\t\tisDir := strings.HasSuffix(util.GetStringFromPointer(fileObject.Key), \"/\")\n\t\t\tobjectSize := util.GetIntFromPointer(fileObject.Size)\n\t\t\tif isDir && objectSize == 0 {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tnumFiles++\n\t\t\tsize += objectSize\n\t\t}\n\t\tfsLog(fs, logger.LevelDebug, \"scan in progress for %q, files: %d, size: %d\", dirname, numFiles, size)\n\t}\n\n\tmetric.S3ListObjectsCompleted(nil)\n\treturn numFiles, size, nil\n}\n\n// GetAtomicUploadPath returns the path to use for an atomic upload.\n// S3 uploads are already atomic, we never call this method for S3\nfunc (*S3Fs) GetAtomicUploadPath(_ string) string {\n\treturn \"\"\n}\n\n// GetRelativePath returns the path for a file relative to the user's home dir.\n// This is the path as seen by SFTPGo users\nfunc (fs *S3Fs) GetRelativePath(name string) string {\n\trel := path.Clean(name)\n\tif rel == \".\" {\n\t\trel = \"\"\n\t}\n\tif !path.IsAbs(rel) {\n\t\trel = \"/\" + rel\n\t}\n\tif fs.config.KeyPrefix != \"\" {\n\t\tif !strings.HasPrefix(rel, \"/\"+fs.config.KeyPrefix) {\n\t\t\trel = \"/\"\n\t\t}\n\t\trel = path.Clean(\"/\" + strings.TrimPrefix(rel, \"/\"+fs.config.KeyPrefix))\n\t}\n\tif fs.mountPath != \"\" {\n\t\trel = path.Join(fs.mountPath, rel)\n\t}\n\treturn rel\n}\n\n// Walk walks the file tree rooted at root, calling walkFn for each file or\n// directory in the tree, including root. The result are unordered\nfunc (fs *S3Fs) Walk(root string, walkFn filepath.WalkFunc) error {\n\tprefix := fs.getPrefix(root)\n\n\tpaginator := s3.NewListObjectsV2Paginator(fs.svc, &s3.ListObjectsV2Input{\n\t\tBucket: aws.String(fs.config.Bucket),\n\t\tPrefix: aws.String(prefix),\n\t\tMaxKeys: &s3DefaultPageSize,\n\t})\n\n\tfor paginator.HasMorePages() {\n\t\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\t\tdefer cancelFn()\n\n\t\tpage, err := paginator.NextPage(ctx)\n\t\tif err != nil {\n\t\t\tmetric.S3ListObjectsCompleted(err)\n\t\t\twalkFn(root, NewFileInfo(root, true, 0, time.Unix(0, 0), false), err) //nolint:errcheck\n\t\t\treturn err\n\t\t}\n\t\tfor _, fileObject := range page.Contents {\n\t\t\tname, isDir := fs.resolve(fileObject.Key, prefix)\n\t\t\tif name == \"\" {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\terr := walkFn(util.GetStringFromPointer(fileObject.Key),\n\t\t\t\tNewFileInfo(name, isDir, util.GetIntFromPointer(fileObject.Size),\n\t\t\t\t\tutil.GetTimeFromPointer(fileObject.LastModified), false), nil)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t}\n\n\tmetric.S3ListObjectsCompleted(nil)\n\twalkFn(root, NewFileInfo(root, true, 0, time.Unix(0, 0), false), nil) //nolint:errcheck\n\treturn nil\n}\n\n// Join joins any number of path elements into a single path\nfunc (*S3Fs) Join(elem ...string) string {\n\treturn strings.TrimPrefix(path.Join(elem...), \"/\")\n}\n\n// HasVirtualFolders returns true if folders are emulated\nfunc (*S3Fs) HasVirtualFolders() bool {\n\treturn true\n}\n\n// ResolvePath returns the matching filesystem path for the specified virtual path\nfunc (fs *S3Fs) ResolvePath(virtualPath string) (string, error) {\n\tif fs.mountPath != \"\" {\n\t\tif after, found := strings.CutPrefix(virtualPath, fs.mountPath); found {\n\t\t\tvirtualPath = after\n\t\t}\n\t}\n\tvirtualPath = path.Clean(\"/\" + virtualPath)\n\treturn fs.Join(fs.config.KeyPrefix, strings.TrimPrefix(virtualPath, \"/\")), nil\n}\n\n// CopyFile implements the FsFileCopier interface\nfunc (fs *S3Fs) CopyFile(source, target string, srcInfo os.FileInfo) (int, int64, error) {\n\tnumFiles := 1\n\tsizeDiff := srcInfo.Size()\n\tattrs, err := fs.headObject(target)\n\tif err == nil {\n\t\tsizeDiff -= util.GetIntFromPointer(attrs.ContentLength)\n\t\tnumFiles = 0\n\t} else {\n\t\tif !fs.IsNotExist(err) {\n\t\t\treturn 0, 0, err\n\t\t}\n\t}\n\tif err := fs.copyFileInternal(source, target, srcInfo); err != nil {\n\t\treturn 0, 0, err\n\t}\n\treturn numFiles, sizeDiff, nil\n}\n\nfunc (fs *S3Fs) resolve(name *string, prefix string) (string, bool) {\n\tresult := strings.TrimPrefix(util.GetStringFromPointer(name), prefix)\n\tisDir := strings.HasSuffix(result, \"/\")\n\tif isDir {\n\t\tresult = strings.TrimSuffix(result, \"/\")\n\t}\n\treturn result, isDir\n}\n\nfunc (fs *S3Fs) setConfigDefaults() {\n\tconst defaultPartSize = 1024 * 1024 * 5\n\tconst defaultConcurrency = 5\n\n\tif fs.config.UploadPartSize == 0 {\n\t\tfs.config.UploadPartSize = defaultPartSize\n\t} else {\n\t\tif fs.config.UploadPartSize < 1024*1024 {\n\t\t\tfs.config.UploadPartSize *= 1024 * 1024\n\t\t}\n\t}\n\tif fs.config.UploadConcurrency == 0 {\n\t\tfs.config.UploadConcurrency = defaultConcurrency\n\t}\n\tif fs.config.DownloadPartSize == 0 {\n\t\tfs.config.DownloadPartSize = defaultPartSize\n\t} else {\n\t\tif fs.config.DownloadPartSize < 1024*1024 {\n\t\t\tfs.config.DownloadPartSize *= 1024 * 1024\n\t\t}\n\t}\n\tif fs.config.DownloadConcurrency == 0 {\n\t\tfs.config.DownloadConcurrency = defaultConcurrency\n\t}\n}\n\nfunc (fs *S3Fs) copyFileInternal(source, target string, srcInfo os.FileInfo) error {\n\tcontentType := mime.TypeByExtension(path.Ext(source))\n\tcopySource := pathEscape(fs.Join(fs.config.Bucket, source))\n\n\tif srcInfo.Size() > s3CopyObjectThreshold {\n\t\tfsLog(fs, logger.LevelDebug, \"renaming file %q with size %d using multipart copy\",\n\t\t\tsource, srcInfo.Size())\n\t\terr := fs.doMultipartCopy(copySource, target, contentType, srcInfo.Size())\n\t\tmetric.S3CopyObjectCompleted(err)\n\t\treturn err\n\t}\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\tdefer cancelFn()\n\n\tcopyObject := &s3.CopyObjectInput{\n\t\tBucket: aws.String(fs.config.Bucket),\n\t\tCopySource: aws.String(copySource),\n\t\tKey: aws.String(target),\n\t\tStorageClass: types.StorageClass(fs.config.StorageClass),\n\t\tACL: types.ObjectCannedACL(fs.config.ACL),\n\t\tContentType: util.NilIfEmpty(contentType),\n\t\tCopySourceSSECustomerKey: util.NilIfEmpty(fs.sseCustomerKey),\n\t\tCopySourceSSECustomerAlgorithm: util.NilIfEmpty(fs.sseCustomerAlgo),\n\t\tCopySourceSSECustomerKeyMD5: util.NilIfEmpty(fs.sseCustomerKeyMD5),\n\t\tSSECustomerKey: util.NilIfEmpty(fs.sseCustomerKey),\n\t\tSSECustomerAlgorithm: util.NilIfEmpty(fs.sseCustomerAlgo),\n\t\tSSECustomerKeyMD5: util.NilIfEmpty(fs.sseCustomerKeyMD5),\n\t}\n\n\t_, err := fs.svc.CopyObject(ctx, copyObject)\n\n\tmetric.S3CopyObjectCompleted(err)\n\treturn err\n}\n\nfunc (fs *S3Fs) renameInternal(source, target string, srcInfo os.FileInfo, recursion int,\n\tupdateModTime bool,\n) (int, int64, error) {\n\tvar numFiles int\n\tvar filesSize int64\n\n\tif srcInfo.IsDir() {\n\t\tif renameMode == 0 {\n\t\t\thasContents, err := fs.hasContents(source)\n\t\t\tif err != nil {\n\t\t\t\treturn numFiles, filesSize, err\n\t\t\t}\n\t\t\tif hasContents {\n\t\t\t\treturn numFiles, filesSize, fmt.Errorf(\"%w: cannot rename non empty directory: %q\", ErrVfsUnsupported, source)\n\t\t\t}\n\t\t}\n\t\tif err := fs.mkdirInternal(target); err != nil {\n\t\t\treturn numFiles, filesSize, err\n\t\t}\n\t\tif renameMode == 1 {\n\t\t\tfiles, size, err := doRecursiveRename(fs, source, target, fs.renameInternal, recursion, updateModTime)\n\t\t\tnumFiles += files\n\t\t\tfilesSize += size\n\t\t\tif err != nil {\n\t\t\t\treturn numFiles, filesSize, err\n\t\t\t}\n\t\t}\n\t} else {\n\t\tif err := fs.copyFileInternal(source, target, srcInfo); err != nil {\n\t\t\treturn numFiles, filesSize, err\n\t\t}\n\t\tnumFiles++\n\t\tfilesSize += srcInfo.Size()\n\t}\n\terr := fs.Remove(source, srcInfo.IsDir())\n\tif fs.IsNotExist(err) {\n\t\terr = nil\n\t}\n\treturn numFiles, filesSize, err\n}\n\nfunc (fs *S3Fs) mkdirInternal(name string) error {\n\tif !strings.HasSuffix(name, \"/\") {\n\t\tname += \"/\"\n\t}\n\t_, w, _, err := fs.Create(name, -1, 0)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn w.Close()\n}\n\nfunc (fs *S3Fs) hasContents(name string) (bool, error) {\n\tprefix := fs.getPrefix(name)\n\tmaxKeys := int32(2)\n\tpaginator := s3.NewListObjectsV2Paginator(fs.svc, &s3.ListObjectsV2Input{\n\t\tBucket: aws.String(fs.config.Bucket),\n\t\tPrefix: aws.String(prefix),\n\t\tMaxKeys: &maxKeys,\n\t})\n\n\tif paginator.HasMorePages() {\n\t\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\t\tdefer cancelFn()\n\n\t\tpage, err := paginator.NextPage(ctx)\n\t\tmetric.S3ListObjectsCompleted(err)\n\t\tif err != nil {\n\t\t\treturn false, err\n\t\t}\n\n\t\tfor _, obj := range page.Contents {\n\t\t\tname, _ := fs.resolve(obj.Key, prefix)\n\t\t\tif name == \"\" || name == \"/\" {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\treturn true, nil\n\t\t}\n\t\treturn false, nil\n\t}\n\n\tmetric.S3ListObjectsCompleted(nil)\n\treturn false, nil\n}\n\nfunc (fs *S3Fs) downloadPart(ctx context.Context, name string, buf []byte, w io.WriterAt, start, count, writeOffset int64) error {\n\tif count == 0 {\n\t\treturn nil\n\t}\n\trangeHeader := fmt.Sprintf(\"bytes=%d-%d\", start, start+count-1)\n\n\tresp, err := fs.svc.GetObject(ctx, &s3.GetObjectInput{\n\t\tBucket: aws.String(fs.config.Bucket),\n\t\tKey: aws.String(name),\n\t\tRange: &rangeHeader,\n\t\tSSECustomerKey: util.NilIfEmpty(fs.sseCustomerKey),\n\t\tSSECustomerAlgorithm: util.NilIfEmpty(fs.sseCustomerAlgo),\n\t\tSSECustomerKeyMD5: util.NilIfEmpty(fs.sseCustomerKeyMD5),\n\t})\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer resp.Body.Close()\n\n\t_, err = io.ReadAtLeast(resp.Body, buf, int(count))\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn writeAtFull(w, buf, writeOffset, int(count))\n}\n\nfunc (fs *S3Fs) handleDownload(ctx context.Context, name string, offset int64, writer io.WriterAt, attrs *s3.HeadObjectOutput) error {\n\tcontentLength := util.GetIntFromPointer(attrs.ContentLength)\n\tsizeToDownload := contentLength - offset\n\tif sizeToDownload < 0 {\n\t\tfsLog(fs, logger.LevelError, \"invalid multipart download size or offset, size: %d, offset: %d, size to download: %d\",\n\t\t\tcontentLength, offset, sizeToDownload)\n\t\treturn errors.New(\"the requested offset exceeds the file size\")\n\t}\n\tif sizeToDownload == 0 {\n\t\tfsLog(fs, logger.LevelDebug, \"nothing to download, offset %d, content length %d\", offset, contentLength)\n\t\treturn nil\n\t}\n\tpartSize := fs.config.DownloadPartSize\n\tguard := make(chan struct{}, fs.config.DownloadConcurrency)\n\tvar blockCtxTimeout time.Duration\n\tif fs.config.DownloadPartMaxTime > 0 {\n\t\tblockCtxTimeout = time.Duration(fs.config.DownloadPartMaxTime) * time.Second\n\t} else {\n\t\tblockCtxTimeout = time.Duration(fs.config.DownloadPartSize/(1024*1024)) * time.Minute\n\t}\n\tpool := newBufferAllocator(int(partSize))\n\tdefer pool.free()\n\n\tfinished := false\n\tvar wg sync.WaitGroup\n\tvar errOnce sync.Once\n\tvar hasError atomic.Bool\n\tvar poolError error\n\n\tpoolCtx, poolCancel := context.WithCancel(ctx)\n\tdefer poolCancel()\n\n\tfor part := 0; !finished; part++ {\n\t\tstart := offset\n\t\tend := offset + partSize\n\t\tif end >= contentLength {\n\t\t\tend = contentLength\n\t\t\tfinished = true\n\t\t}\n\t\twriteOffset := int64(part) * partSize\n\t\toffset = end\n\n\t\tguard <- struct{}{}\n\t\tif hasError.Load() {\n\t\t\tfsLog(fs, logger.LevelDebug, \"pool error, download for part %d not started\", part)\n\t\t\tbreak\n\t\t}\n\n\t\tbuf := pool.getBuffer()\n\t\twg.Add(1)\n\t\tgo func(start, end, writeOffset int64, buf []byte) {\n\t\t\tdefer func() {\n\t\t\t\tpool.releaseBuffer(buf)\n\t\t\t\t<-guard\n\t\t\t\twg.Done()\n\t\t\t}()\n\n\t\t\tinnerCtx, cancelFn := context.WithDeadline(poolCtx, time.Now().Add(blockCtxTimeout))\n\t\t\tdefer cancelFn()\n\n\t\t\terr := fs.downloadPart(innerCtx, name, buf, writer, start, end-start, writeOffset)\n\t\t\tif err != nil {\n\t\t\t\terrOnce.Do(func() {\n\t\t\t\t\tfsLog(fs, logger.LevelError, \"multipart download error: %+v\", err)\n\t\t\t\t\thasError.Store(true)\n\t\t\t\t\tpoolError = fmt.Errorf(\"multipart download error: %w\", err)\n\t\t\t\t\tpoolCancel()\n\t\t\t\t})\n\t\t\t}\n\t\t}(start, end, writeOffset, buf)\n\t}\n\n\twg.Wait()\n\tclose(guard)\n\n\treturn poolError\n}\n\nfunc (fs *S3Fs) initiateMultipartUpload(ctx context.Context, name, contentType string) (string, error) {\n\tctx, cancelFn := context.WithDeadline(ctx, time.Now().Add(fs.ctxTimeout))\n\tdefer cancelFn()\n\n\tres, err := fs.svc.CreateMultipartUpload(ctx, &s3.CreateMultipartUploadInput{\n\t\tBucket: aws.String(fs.config.Bucket),\n\t\tKey: aws.String(name),\n\t\tStorageClass: types.StorageClass(fs.config.StorageClass),\n\t\tACL: types.ObjectCannedACL(fs.config.ACL),\n\t\tContentType: util.NilIfEmpty(contentType),\n\t\tSSECustomerKey: util.NilIfEmpty(fs.sseCustomerKey),\n\t\tSSECustomerAlgorithm: util.NilIfEmpty(fs.sseCustomerAlgo),\n\t\tSSECustomerKeyMD5: util.NilIfEmpty(fs.sseCustomerKeyMD5),\n\t})\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"unable to create multipart upload request: %w\", err)\n\t}\n\tuploadID := util.GetStringFromPointer(res.UploadId)\n\tif uploadID == \"\" {\n\t\treturn \"\", errors.New(\"unable to get multipart upload ID\")\n\t}\n\treturn uploadID, nil\n}\n\nfunc (fs *S3Fs) uploadPart(ctx context.Context, name, uploadID string, partNumber int32, data []byte) (*string, error) {\n\ttimeout := time.Duration(fs.config.UploadPartSize/(1024*1024)) * time.Minute\n\tif fs.config.UploadPartMaxTime > 0 {\n\t\ttimeout = time.Duration(fs.config.UploadPartMaxTime) * time.Second\n\t}\n\tctx, cancelFn := context.WithDeadline(ctx, time.Now().Add(timeout))\n\tdefer cancelFn()\n\n\tresp, err := fs.svc.UploadPart(ctx, &s3.UploadPartInput{\n\t\tBucket: aws.String(fs.config.Bucket),\n\t\tKey: aws.String(name),\n\t\tPartNumber: &partNumber,\n\t\tUploadId: aws.String(uploadID),\n\t\tBody: bytes.NewReader(data),\n\t\tSSECustomerKey: util.NilIfEmpty(fs.sseCustomerKey),\n\t\tSSECustomerAlgorithm: util.NilIfEmpty(fs.sseCustomerAlgo),\n\t\tSSECustomerKeyMD5: util.NilIfEmpty(fs.sseCustomerKeyMD5),\n\t})\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to upload part number %d: %w\", partNumber, err)\n\t}\n\treturn resp.ETag, nil\n}\n\nfunc (fs *S3Fs) completeMultipartUpload(ctx context.Context, name, uploadID string, completedParts []types.CompletedPart) error {\n\tctx, cancelFn := context.WithDeadline(ctx, time.Now().Add(fs.ctxTimeout))\n\tdefer cancelFn()\n\n\t_, err := fs.svc.CompleteMultipartUpload(ctx, &s3.CompleteMultipartUploadInput{\n\t\tBucket: aws.String(fs.config.Bucket),\n\t\tKey: aws.String(name),\n\t\tUploadId: aws.String(uploadID),\n\t\tMultipartUpload: &types.CompletedMultipartUpload{\n\t\t\tParts: completedParts,\n\t\t},\n\t})\n\treturn err\n}\n\nfunc (fs *S3Fs) abortMultipartUpload(name, uploadID string) error {\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\tdefer cancelFn()\n\n\t_, err := fs.svc.AbortMultipartUpload(ctx, &s3.AbortMultipartUploadInput{\n\t\tBucket: aws.String(fs.config.Bucket),\n\t\tKey: aws.String(name),\n\t\tUploadId: aws.String(uploadID),\n\t})\n\treturn err\n}\n\nfunc (fs *S3Fs) singlePartUpload(ctx context.Context, name, contentType string, data []byte) error {\n\ttimeout := time.Duration(fs.config.UploadPartSize/(1024*1024)) * time.Minute\n\tif fs.config.UploadPartMaxTime > 0 {\n\t\ttimeout = time.Duration(fs.config.UploadPartMaxTime) * time.Second\n\t}\n\tctx, cancelFn := context.WithDeadline(ctx, time.Now().Add(timeout))\n\tdefer cancelFn()\n\n\tcontentLength := int64(len(data))\n\t_, err := fs.svc.PutObject(ctx, &s3.PutObjectInput{\n\t\tBucket: aws.String(fs.config.Bucket),\n\t\tKey: aws.String(name),\n\t\tACL: types.ObjectCannedACL(fs.config.ACL),\n\t\tBody: bytes.NewReader(data),\n\t\tContentType: util.NilIfEmpty(contentType),\n\t\tContentLength: &contentLength,\n\t\tSSECustomerKey: util.NilIfEmpty(fs.sseCustomerKey),\n\t\tSSECustomerAlgorithm: util.NilIfEmpty(fs.sseCustomerAlgo),\n\t\tSSECustomerKeyMD5: util.NilIfEmpty(fs.sseCustomerKeyMD5),\n\t\tStorageClass: types.StorageClass(fs.config.StorageClass),\n\t})\n\treturn err\n}\n\nfunc (fs *S3Fs) handleUpload(ctx context.Context, reader io.Reader, name, contentType string) error {\n\tpool := newBufferAllocator(int(fs.config.UploadPartSize))\n\tdefer pool.free()\n\n\tfirstBuf := pool.getBuffer()\n\tfirstReadSize, err := readFill(reader, firstBuf)\n\tif err == io.EOF {\n\t\treturn fs.singlePartUpload(ctx, name, contentType, firstBuf[:firstReadSize])\n\t}\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tuploadID, err := fs.initiateMultipartUpload(ctx, name, contentType)\n\tif err != nil {\n\t\treturn err\n\t}\n\tguard := make(chan struct{}, fs.config.UploadConcurrency)\n\tfinished := false\n\tvar partMutex sync.Mutex\n\tvar completedParts []types.CompletedPart\n\tvar wg sync.WaitGroup\n\tvar hasError atomic.Bool\n\tvar poolErr error\n\tvar errOnce sync.Once\n\tvar partNumber int32\n\n\tpoolCtx, poolCancel := context.WithCancel(ctx)\n\tdefer poolCancel()\n\n\tfinalizeFailedUpload := func(err error) {\n\t\tfsLog(fs, logger.LevelError, \"finalize failed multipart upload after error: %v\", err)\n\t\thasError.Store(true)\n\t\tpoolErr = err\n\t\tpoolCancel()\n\t\tif abortErr := fs.abortMultipartUpload(name, uploadID); abortErr != nil {\n\t\t\tfsLog(fs, logger.LevelError, \"unable to abort multipart upload: %+v\", abortErr)\n\t\t}\n\t}\n\n\tuploadPart := func(partNum int32, buf []byte, bytesRead int) {\n\t\tdefer func() {\n\t\t\tpool.releaseBuffer(buf)\n\t\t\t<-guard\n\t\t\twg.Done()\n\t\t}()\n\n\t\tetag, err := fs.uploadPart(poolCtx, name, uploadID, partNum, buf[:bytesRead])\n\t\tif err != nil {\n\t\t\terrOnce.Do(func() {\n\t\t\t\tfinalizeFailedUpload(err)\n\t\t\t})\n\t\t\treturn\n\t\t}\n\t\tpartMutex.Lock()\n\t\tcompletedParts = append(completedParts, types.CompletedPart{\n\t\t\tPartNumber: &partNum,\n\t\t\tETag: etag,\n\t\t})\n\t\tpartMutex.Unlock()\n\t}\n\n\tpartNumber = 1\n\tguard <- struct{}{}\n\n\twg.Add(1)\n\tgo uploadPart(partNumber, firstBuf, firstReadSize)\n\n\tfor partNumber = 2; !finished; partNumber++ {\n\t\tbuf := pool.getBuffer()\n\n\t\tn, err := readFill(reader, buf)\n\t\tif err == io.EOF {\n\t\t\tif n == 0 {\n\t\t\t\tpool.releaseBuffer(buf)\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tfinished = true\n\t\t} else if err != nil {\n\t\t\tpool.releaseBuffer(buf)\n\t\t\terrOnce.Do(func() {\n\t\t\t\tfinalizeFailedUpload(err)\n\t\t\t})\n\t\t\tbreak\n\t\t}\n\t\tguard <- struct{}{}\n\t\tif hasError.Load() {\n\t\t\tfsLog(fs, logger.LevelError, \"pool error, upload for part %d not started\", partNumber)\n\t\t\tpool.releaseBuffer(buf)\n\t\t\tbreak\n\t\t}\n\n\t\twg.Add(1)\n\t\tgo uploadPart(partNumber, buf, n)\n\t}\n\n\twg.Wait()\n\tclose(guard)\n\n\tif poolErr != nil {\n\t\treturn poolErr\n\t}\n\n\tsort.Slice(completedParts, func(i, j int) bool {\n\t\tgetPartNumber := func(number *int32) int32 {\n\t\t\tif number == nil {\n\t\t\t\treturn 0\n\t\t\t}\n\t\t\treturn *number\n\t\t}\n\n\t\treturn getPartNumber(completedParts[i].PartNumber) < getPartNumber(completedParts[j].PartNumber)\n\t})\n\n\treturn fs.completeMultipartUpload(ctx, name, uploadID, completedParts)\n}\n\nfunc (fs *S3Fs) doMultipartCopy(source, target, contentType string, fileSize int64) error {\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\tdefer cancelFn()\n\n\tres, err := fs.svc.CreateMultipartUpload(ctx, &s3.CreateMultipartUploadInput{\n\t\tBucket: aws.String(fs.config.Bucket),\n\t\tKey: aws.String(target),\n\t\tStorageClass: types.StorageClass(fs.config.StorageClass),\n\t\tACL: types.ObjectCannedACL(fs.config.ACL),\n\t\tContentType: util.NilIfEmpty(contentType),\n\t\tSSECustomerKey: util.NilIfEmpty(fs.sseCustomerKey),\n\t\tSSECustomerAlgorithm: util.NilIfEmpty(fs.sseCustomerAlgo),\n\t\tSSECustomerKeyMD5: util.NilIfEmpty(fs.sseCustomerKeyMD5),\n\t})\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to create multipart copy request: %w\", err)\n\t}\n\tuploadID := util.GetStringFromPointer(res.UploadId)\n\tif uploadID == \"\" {\n\t\treturn errors.New(\"unable to get multipart copy upload ID\")\n\t}\n\t// We use 32 MB part size and copy 10 parts in parallel.\n\t// These values are arbitrary. We don't want to start too many goroutines\n\tmaxPartSize := int64(32 * 1024 * 1024)\n\tif fileSize > int64(100*1024*1024*1024) {\n\t\tmaxPartSize = int64(500 * 1024 * 1024)\n\t}\n\tguard := make(chan struct{}, 10)\n\tfinished := false\n\tvar completedParts []types.CompletedPart\n\tvar partMutex sync.Mutex\n\tvar wg sync.WaitGroup\n\tvar hasError atomic.Bool\n\tvar errOnce sync.Once\n\tvar copyError error\n\tvar partNumber int32\n\tvar offset int64\n\n\topCtx, opCancel := context.WithCancel(context.Background())\n\tdefer opCancel()\n\n\tfor partNumber = 1; !finished; partNumber++ {\n\t\tstart := offset\n\t\tend := offset + maxPartSize\n\t\tif end >= fileSize {\n\t\t\tend = fileSize\n\t\t\tfinished = true\n\t\t}\n\t\toffset = end\n\n\t\tguard <- struct{}{}\n\t\tif hasError.Load() {\n\t\t\tfsLog(fs, logger.LevelDebug, \"previous multipart copy error, copy for part %d not started\", partNumber)\n\t\t\tbreak\n\t\t}\n\n\t\twg.Add(1)\n\t\tgo func(partNum int32, partStart, partEnd int64) {\n\t\t\tdefer func() {\n\t\t\t\t<-guard\n\t\t\t\twg.Done()\n\t\t\t}()\n\n\t\t\tinnerCtx, innerCancelFn := context.WithDeadline(opCtx, time.Now().Add(fs.ctxTimeout))\n\t\t\tdefer innerCancelFn()\n\n\t\t\tpartResp, err := fs.svc.UploadPartCopy(innerCtx, &s3.UploadPartCopyInput{\n\t\t\t\tBucket: aws.String(fs.config.Bucket),\n\t\t\t\tCopySource: aws.String(source),\n\t\t\t\tKey: aws.String(target),\n\t\t\t\tPartNumber: &partNum,\n\t\t\t\tUploadId: aws.String(uploadID),\n\t\t\t\tCopySourceRange: aws.String(fmt.Sprintf(\"bytes=%d-%d\", partStart, partEnd-1)),\n\t\t\t\tCopySourceSSECustomerKey: util.NilIfEmpty(fs.sseCustomerKey),\n\t\t\t\tCopySourceSSECustomerAlgorithm: util.NilIfEmpty(fs.sseCustomerAlgo),\n\t\t\t\tCopySourceSSECustomerKeyMD5: util.NilIfEmpty(fs.sseCustomerKeyMD5),\n\t\t\t\tSSECustomerKey: util.NilIfEmpty(fs.sseCustomerKey),\n\t\t\t\tSSECustomerAlgorithm: util.NilIfEmpty(fs.sseCustomerAlgo),\n\t\t\t\tSSECustomerKeyMD5: util.NilIfEmpty(fs.sseCustomerKeyMD5),\n\t\t\t})\n\t\t\tif err != nil {\n\t\t\t\terrOnce.Do(func() {\n\t\t\t\t\tfsLog(fs, logger.LevelError, \"unable to copy part number %d: %+v\", partNum, err)\n\t\t\t\t\thasError.Store(true)\n\t\t\t\t\tcopyError = fmt.Errorf(\"error copying part number %d: %w\", partNum, err)\n\t\t\t\t\topCancel()\n\n\t\t\t\t\tif errAbort := fs.abortMultipartUpload(target, uploadID); errAbort != nil {\n\t\t\t\t\t\tfsLog(fs, logger.LevelError, \"unable to abort multipart copy: %+v\", errAbort)\n\t\t\t\t\t}\n\t\t\t\t})\n\t\t\t\treturn\n\t\t\t}\n\n\t\t\tpartMutex.Lock()\n\t\t\tcompletedParts = append(completedParts, types.CompletedPart{\n\t\t\t\tETag: partResp.CopyPartResult.ETag,\n\t\t\t\tPartNumber: &partNum,\n\t\t\t})\n\t\t\tpartMutex.Unlock()\n\t\t}(partNumber, start, end)\n\t}\n\n\twg.Wait()\n\tclose(guard)\n\n\tif copyError != nil {\n\t\treturn copyError\n\t}\n\tsort.Slice(completedParts, func(i, j int) bool {\n\t\tgetPartNumber := func(number *int32) int32 {\n\t\t\tif number == nil {\n\t\t\t\treturn 0\n\t\t\t}\n\t\t\treturn *number\n\t\t}\n\n\t\treturn getPartNumber(completedParts[i].PartNumber) < getPartNumber(completedParts[j].PartNumber)\n\t})\n\n\tcompleteCtx, completeCancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\tdefer completeCancelFn()\n\n\t_, err = fs.svc.CompleteMultipartUpload(completeCtx, &s3.CompleteMultipartUploadInput{\n\t\tBucket: aws.String(fs.config.Bucket),\n\t\tKey: aws.String(target),\n\t\tUploadId: aws.String(uploadID),\n\t\tMultipartUpload: &types.CompletedMultipartUpload{\n\t\t\tParts: completedParts,\n\t\t},\n\t})\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to complete multipart upload: %w\", err)\n\t}\n\treturn nil\n}\n\nfunc (fs *S3Fs) getPrefix(name string) string {\n\tprefix := \"\"\n\tif name != \"\" && name != \".\" && name != \"/\" {\n\t\tprefix = strings.TrimPrefix(name, \"/\")\n\t\tif !strings.HasSuffix(prefix, \"/\") {\n\t\t\tprefix += \"/\"\n\t\t}\n\t}\n\treturn prefix\n}\n\nfunc (fs *S3Fs) headObject(name string) (*s3.HeadObjectOutput, error) {\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))\n\tdefer cancelFn()\n\n\tobj, err := fs.svc.HeadObject(ctx, &s3.HeadObjectInput{\n\t\tBucket: aws.String(fs.config.Bucket),\n\t\tKey: aws.String(name),\n\t\tSSECustomerKey: util.NilIfEmpty(fs.sseCustomerKey),\n\t\tSSECustomerAlgorithm: util.NilIfEmpty(fs.sseCustomerAlgo),\n\t\tSSECustomerKeyMD5: util.NilIfEmpty(fs.sseCustomerKeyMD5),\n\t})\n\tmetric.S3HeadObjectCompleted(err)\n\treturn obj, err\n}\n\n// GetMimeType returns the content type\nfunc (fs *S3Fs) GetMimeType(name string) (string, error) {\n\tobj, err := fs.headObject(name)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn util.GetStringFromPointer(obj.ContentType), nil\n}\n\n// Close closes the fs\nfunc (*S3Fs) Close() error {\n\treturn nil\n}\n\n// GetAvailableDiskSize returns the available size for the specified path\nfunc (*S3Fs) GetAvailableDiskSize(_ string) (*sftp.StatVFS, error) {\n\treturn nil, ErrStorageSizeUnavailable\n}\n\nfunc (fs *S3Fs) downloadToWriter(name string, w PipeWriter) (int64, error) {\n\tfsLog(fs, logger.LevelDebug, \"starting download before resuming upload, path %q\", name)\n\tattrs, err := fs.headObject(name)\n\tif err != nil {\n\t\treturn 0, err\n\t}\n\tctx, cancelFn := context.WithTimeout(context.Background(), preResumeTimeout)\n\tdefer cancelFn()\n\n\terr = fs.handleDownload(ctx, name, 0, w, attrs)\n\tfsLog(fs, logger.LevelDebug, \"download before resuming upload completed, path %q size: %d, err: %+v\",\n\t\tname, w.GetWrittenBytes(), err)\n\tmetric.S3TransferCompleted(w.GetWrittenBytes(), 1, err)\n\treturn w.GetWrittenBytes(), err\n}\n\ntype s3DirLister struct {\n\tbaseDirLister\n\tpaginator *s3.ListObjectsV2Paginator\n\ttimeout time.Duration\n\tprefix string\n\tprefixes map[string]bool\n\tmetricUpdated bool\n}\n\nfunc (l *s3DirLister) resolve(name *string) (string, bool) {\n\tresult := strings.TrimPrefix(util.GetStringFromPointer(name), l.prefix)\n\tisDir := strings.HasSuffix(result, \"/\")\n\tif isDir {\n\t\tresult = strings.TrimSuffix(result, \"/\")\n\t}\n\treturn result, isDir\n}\n\nfunc (l *s3DirLister) Next(limit int) ([]os.FileInfo, error) {\n\tif limit <= 0 {\n\t\treturn nil, errInvalidDirListerLimit\n\t}\n\tif len(l.cache) >= limit {\n\t\treturn l.returnFromCache(limit), nil\n\t}\n\tif !l.paginator.HasMorePages() {\n\t\tif !l.metricUpdated {\n\t\t\tl.metricUpdated = true\n\t\t\tmetric.S3ListObjectsCompleted(nil)\n\t\t}\n\t\treturn l.returnFromCache(limit), io.EOF\n\t}\n\tctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(l.timeout))\n\tdefer cancelFn()\n\n\tpage, err := l.paginator.NextPage(ctx)\n\tif err != nil {\n\t\tmetric.S3ListObjectsCompleted(err)\n\t\treturn l.cache, err\n\t}\n\tfor _, p := range page.CommonPrefixes {\n\t\t// prefixes have a trailing slash\n\t\tname, _ := l.resolve(p.Prefix)\n\t\tif name == \"\" {\n\t\t\tcontinue\n\t\t}\n\t\tif _, ok := l.prefixes[name]; ok {\n\t\t\tcontinue\n\t\t}\n\t\tl.cache = append(l.cache, NewFileInfo(name, true, 0, time.Unix(0, 0), false))\n\t\tl.prefixes[name] = true\n\t}\n\tfor _, fileObject := range page.Contents {\n\t\tobjectModTime := util.GetTimeFromPointer(fileObject.LastModified)\n\t\tobjectSize := util.GetIntFromPointer(fileObject.Size)\n\t\tname, isDir := l.resolve(fileObject.Key)\n\t\tif name == \"\" || name == \"/\" {\n\t\t\tcontinue\n\t\t}\n\t\tif isDir {\n\t\t\tif _, ok := l.prefixes[name]; ok {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tl.prefixes[name] = true\n\t\t}\n\n\t\tl.cache = append(l.cache, NewFileInfo(name, (isDir && objectSize == 0), objectSize, objectModTime, false))\n\t}\n\treturn l.returnFromCache(limit), nil\n}\n\nfunc (l *s3DirLister) Close() error {\n\treturn l.baseDirLister.Close()\n}\n\nfunc getAWSHTTPClient(timeout int, idleConnectionTimeout time.Duration, skipTLSVerify bool) *awshttp.BuildableClient {\n\tc := awshttp.NewBuildableClient().\n\t\tWithDialerOptions(func(d *net.Dialer) {\n\t\t\td.Timeout = 8 * time.Second\n\t\t}).\n\t\tWithTransportOptions(func(tr *http.Transport) {\n\t\t\ttr.IdleConnTimeout = idleConnectionTimeout\n\t\t\ttr.WriteBufferSize = s3TransferBufferSize\n\t\t\ttr.ReadBufferSize = s3TransferBufferSize\n\t\t\tif skipTLSVerify {\n\t\t\t\tif tr.TLSClientConfig != nil {\n\t\t\t\t\ttr.TLSClientConfig.InsecureSkipVerify = skipTLSVerify\n\t\t\t\t} else {\n\t\t\t\t\ttr.TLSClientConfig = &tls.Config{\n\t\t\t\t\t\tMinVersion: awshttp.DefaultHTTPTransportTLSMinVersion,\n\t\t\t\t\t\tInsecureSkipVerify: skipTLSVerify,\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t})\n\tif timeout > 0 {\n\t\tc = c.WithTimeout(time.Duration(timeout) * time.Second)\n\t}\n\treturn c\n}\n\n// ideally we should simply use url.PathEscape:\n//\n// https://github.com/awsdocs/aws-doc-sdk-examples/blob/master/go/example_code/s3/s3_copy_object.go#L65\n//\n// but this cause issue with some vendors, see #483, the code below is copied from rclone\nfunc pathEscape(in string) string {\n\tvar u url.URL\n\tu.Path = in\n\treturn strings.ReplaceAll(u.String(), \"+\", \"%2B\")\n}\n" }, { "path": "internal/vfs/s3fs_disabled.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build nos3\n\npackage vfs\n\nimport (\n\t\"errors\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n)\n\nfunc init() {\n\tversion.AddFeature(\"-s3\")\n}\n\n// NewS3Fs returns an error, S3 is disabled\nfunc NewS3Fs(_, _, _ string, _ S3FsConfig) (Fs, error) {\n\treturn nil, errors.New(\"S3 disabled at build time\")\n}\n" }, { "path": "internal/vfs/sftpfs.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage vfs\n\nimport (\n\t\"bufio\"\n\t\"bytes\"\n\t\"crypto/rsa\"\n\t\"crypto/sha256\"\n\t\"encoding/hex\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"io/fs\"\n\t\"net\"\n\t\"net/http\"\n\t\"os\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"slices\"\n\t\"strconv\"\n\t\"strings\"\n\t\"sync\"\n\t\"sync/atomic\"\n\t\"time\"\n\n\t\"github.com/pkg/sftp\"\n\t\"github.com/robfig/cron/v3\"\n\t\"github.com/rs/xid\"\n\t\"github.com/sftpgo/sdk\"\n\t\"golang.org/x/crypto/ssh\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n)\n\nconst (\n\t// sftpFsName is the name for the SFTP Fs implementation\n\tsftpFsName = \"sftpfs\"\n\tlogSenderSFTPCache = \"sftpCache\"\n\tmaxSessionsPerConnection = 5\n)\n\nvar (\n\t// ErrSFTPLoop defines the error to return if an SFTP loop is detected\n\tErrSFTPLoop = errors.New(\"SFTP loop or nested local SFTP folders detected\")\n\tsftpConnsCache = newSFTPConnectionCache()\n)\n\n// SFTPFsConfig defines the configuration for SFTP based filesystem\ntype SFTPFsConfig struct {\n\tsdk.BaseSFTPFsConfig\n\tPassword *kms.Secret `json:\"password,omitempty\"`\n\tPrivateKey *kms.Secret `json:\"private_key,omitempty\"`\n\tKeyPassphrase *kms.Secret `json:\"key_passphrase,omitempty\"`\n\tforbiddenSelfUsernames []string `json:\"-\"`\n}\n\nfunc (c *SFTPFsConfig) getKeySigner() (ssh.Signer, error) {\n\tprivPayload := c.PrivateKey.GetPayload()\n\tif privPayload == \"\" {\n\t\treturn nil, nil\n\t}\n\tif key := c.KeyPassphrase.GetPayload(); key != \"\" {\n\t\treturn ssh.ParsePrivateKeyWithPassphrase([]byte(privPayload), []byte(key))\n\t}\n\treturn ssh.ParsePrivateKey([]byte(privPayload))\n}\n\n// HideConfidentialData hides confidential data\nfunc (c *SFTPFsConfig) HideConfidentialData() {\n\tif c.Password != nil {\n\t\tc.Password.Hide()\n\t}\n\tif c.PrivateKey != nil {\n\t\tc.PrivateKey.Hide()\n\t}\n\tif c.KeyPassphrase != nil {\n\t\tc.KeyPassphrase.Hide()\n\t}\n}\n\nfunc (c *SFTPFsConfig) setNilSecretsIfEmpty() {\n\tif c.Password != nil && c.Password.IsEmpty() {\n\t\tc.Password = nil\n\t}\n\tif c.PrivateKey != nil && c.PrivateKey.IsEmpty() {\n\t\tc.PrivateKey = nil\n\t}\n\tif c.KeyPassphrase != nil && c.KeyPassphrase.IsEmpty() {\n\t\tc.KeyPassphrase = nil\n\t}\n}\n\nfunc (c *SFTPFsConfig) isEqual(other SFTPFsConfig) bool {\n\tif c.Endpoint != other.Endpoint {\n\t\treturn false\n\t}\n\tif c.Username != other.Username {\n\t\treturn false\n\t}\n\tif c.Prefix != other.Prefix {\n\t\treturn false\n\t}\n\tif c.DisableCouncurrentReads != other.DisableCouncurrentReads {\n\t\treturn false\n\t}\n\tif c.BufferSize != other.BufferSize {\n\t\treturn false\n\t}\n\tif len(c.Fingerprints) != len(other.Fingerprints) {\n\t\treturn false\n\t}\n\tfor _, fp := range c.Fingerprints {\n\t\tif !slices.Contains(other.Fingerprints, fp) {\n\t\t\treturn false\n\t\t}\n\t}\n\tc.setEmptyCredentialsIfNil()\n\tother.setEmptyCredentialsIfNil()\n\tif !c.Password.IsEqual(other.Password) {\n\t\treturn false\n\t}\n\tif !c.KeyPassphrase.IsEqual(other.KeyPassphrase) {\n\t\treturn false\n\t}\n\treturn c.PrivateKey.IsEqual(other.PrivateKey)\n}\n\nfunc (c *SFTPFsConfig) setEmptyCredentialsIfNil() {\n\tif c.Password == nil {\n\t\tc.Password = kms.NewEmptySecret()\n\t}\n\tif c.PrivateKey == nil {\n\t\tc.PrivateKey = kms.NewEmptySecret()\n\t}\n\tif c.KeyPassphrase == nil {\n\t\tc.KeyPassphrase = kms.NewEmptySecret()\n\t}\n}\n\nfunc (c *SFTPFsConfig) isSameResource(other SFTPFsConfig) bool {\n\tif c.EqualityCheckMode > 0 || other.EqualityCheckMode > 0 {\n\t\tif c.Username != other.Username {\n\t\t\treturn false\n\t\t}\n\t}\n\treturn c.Endpoint == other.Endpoint\n}\n\n// validate returns an error if the configuration is not valid\nfunc (c *SFTPFsConfig) validate() error {\n\tc.setEmptyCredentialsIfNil()\n\tif c.Endpoint == \"\" {\n\t\treturn util.NewI18nError(errors.New(\"endpoint cannot be empty\"), util.I18nErrorEndpointRequired)\n\t}\n\tif !strings.Contains(c.Endpoint, \":\") {\n\t\tc.Endpoint += \":22\"\n\t}\n\t_, _, err := net.SplitHostPort(c.Endpoint)\n\tif err != nil {\n\t\treturn util.NewI18nError(fmt.Errorf(\"invalid endpoint: %v\", err), util.I18nErrorEndpointInvalid)\n\t}\n\tif c.Username == \"\" {\n\t\treturn util.NewI18nError(errors.New(\"username cannot be empty\"), util.I18nErrorFsUsernameRequired)\n\t}\n\tif c.BufferSize < 0 || c.BufferSize > 16 {\n\t\treturn errors.New(\"invalid buffer_size, valid range is 0-16\")\n\t}\n\tif !isEqualityCheckModeValid(c.EqualityCheckMode) {\n\t\treturn errors.New(\"invalid equality_check_mode\")\n\t}\n\tif err := c.validateCredentials(); err != nil {\n\t\treturn err\n\t}\n\tif c.Prefix != \"\" {\n\t\tc.Prefix = util.CleanPath(c.Prefix)\n\t} else {\n\t\tc.Prefix = \"/\"\n\t}\n\treturn c.validatePrivateKey()\n}\n\nfunc (c *SFTPFsConfig) validatePrivateKey() error {\n\tif c.PrivateKey.IsPlain() {\n\t\tsigner, err := c.getKeySigner()\n\t\tif err != nil {\n\t\t\treturn util.NewI18nError(fmt.Errorf(\"invalid private key: %w\", err), util.I18nErrorPrivKeyInvalid)\n\t\t}\n\t\tif signer != nil {\n\t\t\tif key, ok := signer.PublicKey().(ssh.CryptoPublicKey); ok {\n\t\t\t\tcryptoKey := key.CryptoPublicKey()\n\t\t\t\tif rsaKey, ok := cryptoKey.(*rsa.PublicKey); ok {\n\t\t\t\t\tif size := rsaKey.N.BitLen(); size < 2048 {\n\t\t\t\t\t\treturn util.NewI18nError(\n\t\t\t\t\t\t\tfmt.Errorf(\"rsa key with size %d not accepted, minimum 2048\", size),\n\t\t\t\t\t\t\tutil.I18nErrorKeySizeInvalid,\n\t\t\t\t\t\t)\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (c *SFTPFsConfig) validateCredentials() error {\n\tif c.Password.IsEmpty() && c.PrivateKey.IsEmpty() {\n\t\treturn util.NewI18nError(errors.New(\"credentials cannot be empty\"), util.I18nErrorFsCredentialsRequired)\n\t}\n\tif c.Password.IsEncrypted() && !c.Password.IsValid() {\n\t\treturn errors.New(\"invalid encrypted password\")\n\t}\n\tif !c.Password.IsEmpty() && !c.Password.IsValidInput() {\n\t\treturn errors.New(\"invalid password\")\n\t}\n\tif c.PrivateKey.IsEncrypted() && !c.PrivateKey.IsValid() {\n\t\treturn errors.New(\"invalid encrypted private key\")\n\t}\n\tif !c.PrivateKey.IsEmpty() && !c.PrivateKey.IsValidInput() {\n\t\treturn errors.New(\"invalid private key\")\n\t}\n\tif c.KeyPassphrase.IsEncrypted() && !c.KeyPassphrase.IsValid() {\n\t\treturn errors.New(\"invalid encrypted private key passphrase\")\n\t}\n\tif !c.KeyPassphrase.IsEmpty() && !c.KeyPassphrase.IsValidInput() {\n\t\treturn errors.New(\"invalid private key passphrase\")\n\t}\n\treturn nil\n}\n\n// ValidateAndEncryptCredentials validates the config and encrypts credentials if they are in plain text\nfunc (c *SFTPFsConfig) ValidateAndEncryptCredentials(additionalData string) error {\n\tif err := c.validate(); err != nil {\n\t\tvar errI18n *util.I18nError\n\t\terrValidation := util.NewValidationError(fmt.Sprintf(\"could not validate SFTP fs config: %v\", err))\n\t\tif errors.As(err, &errI18n) {\n\t\t\treturn util.NewI18nError(errValidation, errI18n.Message)\n\t\t}\n\t\treturn util.NewI18nError(errValidation, util.I18nErrorFsValidation)\n\t}\n\tif c.Password.IsPlain() {\n\t\tc.Password.SetAdditionalData(additionalData)\n\t\tif err := c.Password.Encrypt(); err != nil {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"could not encrypt SFTP fs password: %v\", err)),\n\t\t\t\tutil.I18nErrorFsValidation,\n\t\t\t)\n\t\t}\n\t}\n\tif c.PrivateKey.IsPlain() {\n\t\tc.PrivateKey.SetAdditionalData(additionalData)\n\t\tif err := c.PrivateKey.Encrypt(); err != nil {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"could not encrypt SFTP fs private key: %v\", err)),\n\t\t\t\tutil.I18nErrorFsValidation,\n\t\t\t)\n\t\t}\n\t}\n\tif c.KeyPassphrase.IsPlain() {\n\t\tc.KeyPassphrase.SetAdditionalData(additionalData)\n\t\tif err := c.KeyPassphrase.Encrypt(); err != nil {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"could not encrypt SFTP fs private key passphrase: %v\", err)),\n\t\t\t\tutil.I18nErrorFsValidation,\n\t\t\t)\n\t\t}\n\t}\n\treturn nil\n}\n\n// getUniqueID returns an hash of the settings used to connect to the SFTP server\nfunc (c *SFTPFsConfig) getUniqueID(partition int) string {\n\th := sha256.New()\n\tvar b bytes.Buffer\n\n\tb.WriteString(c.Endpoint)\n\tb.WriteString(c.Username)\n\tb.WriteString(strings.Join(c.Fingerprints, \"\"))\n\tb.WriteString(strconv.FormatBool(c.DisableCouncurrentReads))\n\tb.WriteString(strconv.FormatInt(c.BufferSize, 10))\n\tb.WriteString(c.Password.GetPayload())\n\tb.WriteString(c.PrivateKey.GetPayload())\n\tb.WriteString(c.KeyPassphrase.GetPayload())\n\tif allowSelfConnections != 0 {\n\t\tb.WriteString(strings.Join(c.forbiddenSelfUsernames, \"\"))\n\t}\n\tb.WriteString(strconv.Itoa(partition))\n\n\th.Write(b.Bytes())\n\treturn hex.EncodeToString(h.Sum(nil))\n}\n\n// SFTPFs is a Fs implementation for SFTP backends\ntype SFTPFs struct {\n\tconnectionID string\n\t// if not empty this fs is mouted as virtual folder in the specified path\n\tmountPath string\n\tlocalTempDir string\n\tconfig *SFTPFsConfig\n\tconn *sftpConnection\n}\n\n// NewSFTPFs returns an SFTPFs object that allows to interact with an SFTP server\nfunc NewSFTPFs(connectionID, mountPath, localTempDir string, forbiddenSelfUsernames []string, config SFTPFsConfig) (Fs, error) {\n\tif localTempDir == \"\" {\n\t\tlocalTempDir = getLocalTempDir()\n\t}\n\tif err := config.validate(); err != nil {\n\t\treturn nil, err\n\t}\n\tif !config.Password.IsEmpty() {\n\t\tif err := config.Password.TryDecrypt(); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t}\n\tif !config.PrivateKey.IsEmpty() {\n\t\tif err := config.PrivateKey.TryDecrypt(); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t}\n\tif !config.KeyPassphrase.IsEmpty() {\n\t\tif err := config.KeyPassphrase.TryDecrypt(); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t}\n\tconn, err := sftpConnsCache.Get(&config, connectionID)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tconfig.forbiddenSelfUsernames = forbiddenSelfUsernames\n\tsftpFs := &SFTPFs{\n\t\tconnectionID: connectionID,\n\t\tmountPath: getMountPath(mountPath),\n\t\tlocalTempDir: localTempDir,\n\t\tconfig: &config,\n\t\tconn: conn,\n\t}\n\terr = sftpFs.createConnection()\n\tif err != nil {\n\t\tsftpFs.Close() //nolint:errcheck\n\t}\n\treturn sftpFs, err\n}\n\n// Name returns the name for the Fs implementation\nfunc (fs *SFTPFs) Name() string {\n\treturn fmt.Sprintf(`%s %q@%q`, sftpFsName, fs.config.Username, fs.config.Endpoint)\n}\n\n// ConnectionID returns the connection ID associated to this Fs implementation\nfunc (fs *SFTPFs) ConnectionID() string {\n\treturn fs.connectionID\n}\n\n// Stat returns a FileInfo describing the named file\nfunc (fs *SFTPFs) Stat(name string) (os.FileInfo, error) {\n\tclient, err := fs.conn.getClient()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn client.Stat(name)\n}\n\n// Lstat returns a FileInfo describing the named file\nfunc (fs *SFTPFs) Lstat(name string) (os.FileInfo, error) {\n\tclient, err := fs.conn.getClient()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn client.Lstat(name)\n}\n\n// Open opens the named file for reading\nfunc (fs *SFTPFs) Open(name string, offset int64) (File, PipeReader, func(), error) {\n\tclient, err := fs.conn.getClient()\n\tif err != nil {\n\t\treturn nil, nil, nil, err\n\t}\n\tf, err := client.Open(name)\n\tif err != nil {\n\t\treturn nil, nil, nil, err\n\t}\n\tif offset > 0 {\n\t\t_, err = f.Seek(offset, io.SeekStart)\n\t\tif err != nil {\n\t\t\tf.Close()\n\t\t\treturn nil, nil, nil, err\n\t\t}\n\t}\n\tif fs.config.BufferSize == 0 {\n\t\treturn f, nil, nil, nil\n\t}\n\tr, w, err := createPipeFn(fs.localTempDir, 0)\n\tif err != nil {\n\t\tf.Close()\n\t\treturn nil, nil, nil, err\n\t}\n\tp := NewPipeReader(r)\n\n\tgo func() {\n\t\t// if we enable buffering the client stalls\n\t\t//br := bufio.NewReaderSize(f, int(fs.config.BufferSize)*1024*1024)\n\t\t//n, err := fs.copy(w, br)\n\t\tn, err := io.Copy(w, f)\n\t\tw.CloseWithError(err) //nolint:errcheck\n\t\tf.Close()\n\t\tfsLog(fs, logger.LevelDebug, \"download completed, path: %q size: %v, err: %v\", name, n, err)\n\t}()\n\n\treturn nil, p, nil, nil\n}\n\n// Create creates or opens the named file for writing\nfunc (fs *SFTPFs) Create(name string, flag, _ int) (File, PipeWriter, func(), error) {\n\tclient, err := fs.conn.getClient()\n\tif err != nil {\n\t\treturn nil, nil, nil, err\n\t}\n\tif fs.config.BufferSize == 0 {\n\t\tvar f File\n\t\tif flag == 0 {\n\t\t\tf, err = client.Create(name)\n\t\t} else {\n\t\t\tf, err = client.OpenFile(name, flag)\n\t\t}\n\t\treturn f, nil, nil, err\n\t}\n\t// buffering is enabled\n\tf, err := client.OpenFile(name, os.O_WRONLY|os.O_CREATE|os.O_TRUNC)\n\tif err != nil {\n\t\treturn nil, nil, nil, err\n\t}\n\tr, w, err := createPipeFn(fs.localTempDir, 0)\n\tif err != nil {\n\t\tf.Close()\n\t\treturn nil, nil, nil, err\n\t}\n\tp := NewPipeWriter(w)\n\n\tgo func() {\n\t\tbw := bufio.NewWriterSize(f, int(fs.config.BufferSize)*1024*1024)\n\t\t// we don't use io.Copy since bufio.Writer implements io.WriterTo and\n\t\t// so it calls the sftp.File WriteTo method without buffering\n\t\tn, err := doCopy(bw, r, nil)\n\t\terrFlush := bw.Flush()\n\t\tif err == nil && errFlush != nil {\n\t\t\terr = errFlush\n\t\t}\n\t\tvar errTruncate error\n\t\tif err != nil {\n\t\t\terrTruncate = f.Truncate(n)\n\t\t}\n\t\terrClose := f.Close()\n\t\tif err == nil && errClose != nil {\n\t\t\terr = errClose\n\t\t}\n\t\tr.CloseWithError(err) //nolint:errcheck\n\t\tp.Done(err)\n\t\tfsLog(fs, logger.LevelDebug, \"upload completed, path: %q, readed bytes: %v, err: %v err truncate: %v\",\n\t\t\tname, n, err, errTruncate)\n\t}()\n\n\treturn nil, p, nil, nil\n}\n\n// Rename renames (moves) source to target.\nfunc (fs *SFTPFs) Rename(source, target string, checks int) (int, int64, error) {\n\tif source == target {\n\t\treturn -1, -1, nil\n\t}\n\tclient, err := fs.conn.getClient()\n\tif err != nil {\n\t\treturn -1, -1, err\n\t}\n\tif _, ok := client.HasExtension(\"posix-rename@openssh.com\"); ok {\n\t\terr := client.PosixRename(source, target)\n\t\tif checks&CheckUpdateModTime != 0 && err == nil {\n\t\t\tfs.Chtimes(target, time.Now(), time.Now(), false) //nolint:errcheck\n\t\t}\n\t\treturn -1, -1, err\n\t}\n\terr = client.Rename(source, target)\n\tif checks&CheckUpdateModTime != 0 && err == nil {\n\t\tfs.Chtimes(target, time.Now(), time.Now(), false) //nolint:errcheck\n\t}\n\treturn -1, -1, err\n}\n\n// Remove removes the named file or (empty) directory.\nfunc (fs *SFTPFs) Remove(name string, isDir bool) error {\n\tclient, err := fs.conn.getClient()\n\tif err != nil {\n\t\treturn err\n\t}\n\tif isDir {\n\t\treturn client.RemoveDirectory(name)\n\t}\n\treturn client.Remove(name)\n}\n\n// Mkdir creates a new directory with the specified name and default permissions\nfunc (fs *SFTPFs) Mkdir(name string) error {\n\tclient, err := fs.conn.getClient()\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn client.Mkdir(name)\n}\n\n// Symlink creates source as a symbolic link to target.\nfunc (fs *SFTPFs) Symlink(source, target string) error {\n\tclient, err := fs.conn.getClient()\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn client.Symlink(source, target)\n}\n\n// Readlink returns the destination of the named symbolic link\nfunc (fs *SFTPFs) Readlink(name string) (string, error) {\n\tclient, err := fs.conn.getClient()\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tresolved, err := client.ReadLink(name)\n\tif err != nil {\n\t\treturn resolved, err\n\t}\n\tresolved = path.Clean(strings.ReplaceAll(resolved, \"\\\\\", \"/\"))\n\tif !path.IsAbs(resolved) {\n\t\t// we assume that multiple links are not followed\n\t\tresolved = path.Join(path.Dir(name), resolved)\n\t}\n\treturn fs.GetRelativePath(resolved), nil\n}\n\n// Chown changes the numeric uid and gid of the named file.\nfunc (fs *SFTPFs) Chown(name string, uid int, gid int) error {\n\tclient, err := fs.conn.getClient()\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn client.Chown(name, uid, gid)\n}\n\n// Chmod changes the mode of the named file to mode.\nfunc (fs *SFTPFs) Chmod(name string, mode os.FileMode) error {\n\tclient, err := fs.conn.getClient()\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn client.Chmod(name, mode)\n}\n\n// Chtimes changes the access and modification times of the named file.\nfunc (fs *SFTPFs) Chtimes(name string, atime, mtime time.Time, _ bool) error {\n\tclient, err := fs.conn.getClient()\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn client.Chtimes(name, atime, mtime)\n}\n\n// Truncate changes the size of the named file.\nfunc (fs *SFTPFs) Truncate(name string, size int64) error {\n\tclient, err := fs.conn.getClient()\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn client.Truncate(name, size)\n}\n\n// ReadDir reads the directory named by dirname and returns\n// a list of directory entries.\nfunc (fs *SFTPFs) ReadDir(dirname string) (DirLister, error) {\n\tclient, err := fs.conn.getClient()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tfiles, err := client.ReadDir(dirname)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn &baseDirLister{files}, nil\n}\n\n// IsUploadResumeSupported returns true if resuming uploads is supported.\nfunc (fs *SFTPFs) IsUploadResumeSupported() bool {\n\treturn fs.config.BufferSize == 0\n}\n\n// IsConditionalUploadResumeSupported returns if resuming uploads is supported\n// for the specified size\nfunc (fs *SFTPFs) IsConditionalUploadResumeSupported(_ int64) bool {\n\treturn fs.IsUploadResumeSupported()\n}\n\n// IsAtomicUploadSupported returns true if atomic upload is supported.\nfunc (fs *SFTPFs) IsAtomicUploadSupported() bool {\n\treturn fs.config.BufferSize == 0\n}\n\n// IsNotExist returns a boolean indicating whether the error is known to\n// report that a file or directory does not exist\nfunc (*SFTPFs) IsNotExist(err error) bool {\n\treturn errors.Is(err, fs.ErrNotExist)\n}\n\n// IsPermission returns a boolean indicating whether the error is known to\n// report that permission is denied.\nfunc (*SFTPFs) IsPermission(err error) bool {\n\tif _, ok := err.(*pathResolutionError); ok {\n\t\treturn true\n\t}\n\treturn errors.Is(err, fs.ErrPermission)\n}\n\n// IsNotSupported returns true if the error indicate an unsupported operation\nfunc (*SFTPFs) IsNotSupported(err error) bool {\n\tif err == nil {\n\t\treturn false\n\t}\n\treturn err == ErrVfsUnsupported\n}\n\n// CheckRootPath creates the specified local root directory if it does not exists\nfunc (fs *SFTPFs) CheckRootPath(username string, uid int, gid int) bool {\n\t// local directory for temporary files in buffer mode\n\tosFs := NewOsFs(fs.ConnectionID(), fs.localTempDir, \"\", nil)\n\tosFs.CheckRootPath(username, uid, gid)\n\tif fs.config.Prefix == \"/\" {\n\t\treturn true\n\t}\n\tclient, err := fs.conn.getClient()\n\tif err != nil {\n\t\treturn false\n\t}\n\tif err := client.MkdirAll(fs.config.Prefix); err != nil {\n\t\tfsLog(fs, logger.LevelDebug, \"error creating root directory %q for user %q: %v\", fs.config.Prefix, username, err)\n\t\treturn false\n\t}\n\treturn true\n}\n\n// ScanRootDirContents returns the number of files contained in a directory and\n// their size\nfunc (fs *SFTPFs) ScanRootDirContents() (int, int64, error) {\n\treturn fs.GetDirSize(fs.config.Prefix)\n}\n\n// CheckMetadata checks the metadata consistency\nfunc (*SFTPFs) CheckMetadata() error {\n\treturn nil\n}\n\n// GetAtomicUploadPath returns the path to use for an atomic upload\nfunc (*SFTPFs) GetAtomicUploadPath(name string) string {\n\tdir := path.Dir(name)\n\tguid := xid.New().String()\n\treturn path.Join(dir, \".sftpgo-upload.\"+guid+\".\"+path.Base(name))\n}\n\n// GetRelativePath returns the path for a file relative to the sftp prefix if any.\n// This is the path as seen by SFTPGo users\nfunc (fs *SFTPFs) GetRelativePath(name string) string {\n\trel := path.Clean(name)\n\tif rel == \".\" {\n\t\trel = \"\"\n\t}\n\tif !path.IsAbs(rel) {\n\t\t// If we have a relative path we assume it is already relative to the virtual root\n\t\trel = \"/\" + rel\n\t} else if fs.config.Prefix != \"/\" {\n\t\tprefixDir := fs.config.Prefix\n\t\tif !strings.HasSuffix(prefixDir, \"/\") {\n\t\t\tprefixDir += \"/\"\n\t\t}\n\n\t\tif rel == fs.config.Prefix {\n\t\t\trel = \"/\"\n\t\t} else if after, found := strings.CutPrefix(rel, prefixDir); found {\n\t\t\trel = path.Clean(\"/\" + after)\n\t\t} else {\n\t\t\t// Absolute path outside of the configured prefix\n\t\t\tfsLog(fs, logger.LevelWarn, \"path %q is an absolute path outside %q\", name, fs.config.Prefix)\n\t\t\trel = \"/\"\n\t\t}\n\t}\n\tif fs.mountPath != \"\" {\n\t\trel = path.Join(fs.mountPath, rel)\n\t}\n\treturn rel\n}\n\n// Walk walks the file tree rooted at root, calling walkFn for each file or\n// directory in the tree, including root\nfunc (fs *SFTPFs) Walk(root string, walkFn filepath.WalkFunc) error {\n\tclient, err := fs.conn.getClient()\n\tif err != nil {\n\t\treturn err\n\t}\n\twalker := client.Walk(root)\n\tfor walker.Step() {\n\t\terr := walker.Err()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\terr = walkFn(walker.Path(), walker.Stat(), err)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\treturn nil\n}\n\n// Join joins any number of path elements into a single path\nfunc (*SFTPFs) Join(elem ...string) string {\n\treturn path.Join(elem...)\n}\n\n// HasVirtualFolders returns true if folders are emulated\nfunc (*SFTPFs) HasVirtualFolders() bool {\n\treturn false\n}\n\n// ResolvePath returns the matching filesystem path for the specified virtual path\nfunc (fs *SFTPFs) ResolvePath(virtualPath string) (string, error) {\n\tif fs.mountPath != \"\" {\n\t\tif after, found := strings.CutPrefix(virtualPath, fs.mountPath); found {\n\t\t\tvirtualPath = after\n\t\t}\n\t}\n\tvirtualPath = path.Clean(\"/\" + virtualPath)\n\tfsPath := fs.Join(fs.config.Prefix, virtualPath)\n\tif fs.config.Prefix != \"/\" && fsPath != \"/\" {\n\t\t// we need to check if this path is a symlink outside the given prefix\n\t\t// or a file/dir inside a dir symlinked outside the prefix\n\t\tvar validatedPath string\n\t\tvar err error\n\t\tvalidatedPath, err = fs.getRealPath(fsPath)\n\t\tisNotExist := fs.IsNotExist(err)\n\t\tif err != nil && !isNotExist {\n\t\t\tfsLog(fs, logger.LevelError, \"Invalid path resolution, original path %v resolved %q err: %v\",\n\t\t\t\tvirtualPath, fsPath, err)\n\t\t\treturn \"\", err\n\t\t} else if isNotExist {\n\t\t\tfor fs.IsNotExist(err) {\n\t\t\t\tvalidatedPath = path.Dir(validatedPath)\n\t\t\t\tif validatedPath == \"/\" {\n\t\t\t\t\terr = nil\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t\tvalidatedPath, err = fs.getRealPath(validatedPath)\n\t\t\t}\n\t\t\tif err != nil {\n\t\t\t\tfsLog(fs, logger.LevelError, \"Invalid path resolution, dir %q original path %q resolved %q err: %v\",\n\t\t\t\t\tvalidatedPath, virtualPath, fsPath, err)\n\t\t\t\treturn \"\", err\n\t\t\t}\n\t\t}\n\t\tif err := fs.isSubDir(validatedPath); err != nil {\n\t\t\tfsLog(fs, logger.LevelError, \"Invalid path resolution, dir %q original path %q resolved %q err: %v\",\n\t\t\t\tvalidatedPath, virtualPath, fsPath, err)\n\t\t\treturn \"\", err\n\t\t}\n\t}\n\treturn fsPath, nil\n}\n\n// RealPath implements the FsRealPather interface\nfunc (fs *SFTPFs) RealPath(p string) (string, error) {\n\tclient, err := fs.conn.getClient()\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tresolved, err := client.RealPath(p)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tresolved = path.Clean(strings.ReplaceAll(resolved, \"\\\\\", \"/\"))\n\tif fs.config.Prefix != \"/\" {\n\t\tif err := fs.isSubDir(resolved); err != nil {\n\t\t\tfsLog(fs, logger.LevelError, \"Invalid real path resolution, original path %q resolved %q err: %v\",\n\t\t\t\tp, resolved, err)\n\t\t\treturn \"\", err\n\t\t}\n\t}\n\treturn fs.GetRelativePath(resolved), nil\n}\n\n// getRealPath returns the real remote path trying to resolve symbolic links if any\nfunc (fs *SFTPFs) getRealPath(name string) (string, error) {\n\tclient, err := fs.conn.getClient()\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tlinksWalked := 0\n\tfor {\n\t\tinfo, err := client.Lstat(name)\n\t\tif err != nil {\n\t\t\treturn name, err\n\t\t}\n\t\tif info.Mode()&os.ModeSymlink == 0 {\n\t\t\treturn name, nil\n\t\t}\n\t\tresolvedLink, err := client.ReadLink(name)\n\t\tif err != nil {\n\t\t\treturn name, fmt.Errorf(\"unable to resolve link to %q: %w\", name, err)\n\t\t}\n\t\tresolvedLink = strings.ReplaceAll(resolvedLink, \"\\\\\", \"/\")\n\t\tresolvedLink = path.Clean(resolvedLink)\n\t\tif path.IsAbs(resolvedLink) {\n\t\t\tname = resolvedLink\n\t\t} else {\n\t\t\tname = path.Join(path.Dir(name), resolvedLink)\n\t\t}\n\t\tlinksWalked++\n\t\tif linksWalked > 10 {\n\t\t\tfsLog(fs, logger.LevelError, \"unable to get real path, too many links: %d\", linksWalked)\n\t\t\treturn \"\", &pathResolutionError{err: \"too many links\"}\n\t\t}\n\t}\n}\n\nfunc (fs *SFTPFs) isSubDir(name string) error {\n\tif name == fs.config.Prefix {\n\t\treturn nil\n\t}\n\tif len(name) < len(fs.config.Prefix) {\n\t\terr := fmt.Errorf(\"path %q is not inside: %q\", name, fs.config.Prefix)\n\t\treturn &pathResolutionError{err: err.Error()}\n\t}\n\tif !strings.HasPrefix(name, fs.config.Prefix+\"/\") {\n\t\terr := fmt.Errorf(\"path %q is not inside: %q\", name, fs.config.Prefix)\n\t\treturn &pathResolutionError{err: err.Error()}\n\t}\n\treturn nil\n}\n\n// GetDirSize returns the number of files and the size for a folder\n// including any subfolders\nfunc (fs *SFTPFs) GetDirSize(dirname string) (int, int64, error) {\n\tnumFiles := 0\n\tsize := int64(0)\n\tclient, err := fs.conn.getClient()\n\tif err != nil {\n\t\treturn numFiles, size, err\n\t}\n\tisDir, err := isDirectory(fs, dirname)\n\tif err == nil && isDir {\n\t\twalker := client.Walk(dirname)\n\t\tfor walker.Step() {\n\t\t\terr := walker.Err()\n\t\t\tif err != nil {\n\t\t\t\treturn numFiles, size, err\n\t\t\t}\n\t\t\tif walker.Stat().Mode().IsRegular() {\n\t\t\t\tsize += walker.Stat().Size()\n\t\t\t\tnumFiles++\n\t\t\t\tif numFiles%1000 == 0 {\n\t\t\t\t\tfsLog(fs, logger.LevelDebug, \"dirname %q scan in progress, files: %d, size: %d\", dirname, numFiles, size)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\treturn numFiles, size, err\n}\n\n// GetMimeType returns the content type\nfunc (fs *SFTPFs) GetMimeType(name string) (string, error) {\n\tclient, err := fs.conn.getClient()\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tf, err := client.OpenFile(name, os.O_RDONLY)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tdefer f.Close()\n\tvar buf [512]byte\n\tn, err := io.ReadFull(f, buf[:])\n\tif err != nil && err != io.EOF && err != io.ErrUnexpectedEOF {\n\t\treturn \"\", err\n\t}\n\tctype := http.DetectContentType(buf[:n])\n\t// Rewind file.\n\t_, err = f.Seek(0, io.SeekStart)\n\treturn ctype, err\n}\n\n// GetAvailableDiskSize returns the available size for the specified path\nfunc (fs *SFTPFs) GetAvailableDiskSize(dirName string) (*sftp.StatVFS, error) {\n\tclient, err := fs.conn.getClient()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif _, ok := client.HasExtension(\"statvfs@openssh.com\"); !ok {\n\t\treturn nil, ErrStorageSizeUnavailable\n\t}\n\treturn client.StatVFS(dirName)\n}\n\n// Close the connection\nfunc (fs *SFTPFs) Close() error {\n\tfs.conn.RemoveSession(fs.connectionID)\n\treturn nil\n}\n\nfunc (fs *SFTPFs) createConnection() error {\n\terr := fs.conn.OpenConnection()\n\tif err != nil {\n\t\tfsLog(fs, logger.LevelError, \"error opening connection: %v\", err)\n\t\treturn err\n\t}\n\treturn nil\n}\n\ntype sftpConnection struct {\n\tconfig *SFTPFsConfig\n\tlogSender string\n\tsshClient *ssh.Client\n\tsftpClient *sftp.Client\n\tmu sync.RWMutex\n\tisConnected bool\n\tsessions map[string]bool\n\tlastActivity time.Time\n\tsigner ssh.Signer\n}\n\nfunc newSFTPConnection(config *SFTPFsConfig, sessionID string) *sftpConnection {\n\tc := &sftpConnection{\n\t\tconfig: config,\n\t\tlogSender: fmt.Sprintf(`%s \"%s@%s\"`, sftpFsName, config.Username, config.Endpoint),\n\t\tisConnected: false,\n\t\tsessions: map[string]bool{},\n\t\tlastActivity: time.Now().UTC(),\n\t\tsigner: nil,\n\t}\n\tc.sessions[sessionID] = true\n\treturn c\n}\n\nfunc (c *sftpConnection) OpenConnection() error {\n\tc.mu.Lock()\n\tdefer c.mu.Unlock()\n\n\treturn c.openConnNoLock()\n}\n\nfunc (c *sftpConnection) openConnNoLock() error {\n\tif c.isConnected {\n\t\tlogger.Debug(c.logSender, \"\", \"reusing connection\")\n\t\treturn nil\n\t}\n\n\tlogger.Debug(c.logSender, \"\", \"try to open a new connection\")\n\tclientConfig := &ssh.ClientConfig{\n\t\tUser: c.config.Username,\n\t\tHostKeyCallback: func(_ string, _ net.Addr, key ssh.PublicKey) error {\n\t\t\tfp := ssh.FingerprintSHA256(key)\n\t\t\tif slices.Contains(sftpFingerprints, fp) {\n\t\t\t\tif allowSelfConnections == 0 {\n\t\t\t\t\tlogger.Log(logger.LevelError, c.logSender, \"\", \"SFTP self connections not allowed\")\n\t\t\t\t\treturn ErrSFTPLoop\n\t\t\t\t}\n\t\t\t\tif slices.Contains(c.config.forbiddenSelfUsernames, c.config.Username) {\n\t\t\t\t\tlogger.Log(logger.LevelError, c.logSender, \"\",\n\t\t\t\t\t\t\"SFTP loop or nested local SFTP folders detected, username %q, forbidden usernames: %+v\",\n\t\t\t\t\t\tc.config.Username, c.config.forbiddenSelfUsernames)\n\t\t\t\t\treturn ErrSFTPLoop\n\t\t\t\t}\n\t\t\t}\n\t\t\tif len(c.config.Fingerprints) > 0 {\n\t\t\t\tfor _, provided := range c.config.Fingerprints {\n\t\t\t\t\tif provided == fp {\n\t\t\t\t\t\treturn nil\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\treturn fmt.Errorf(\"invalid fingerprint %q\", fp)\n\t\t\t}\n\t\t\tlogger.Log(logger.LevelWarn, c.logSender, \"\", \"login without host key validation, please provide at least a fingerprint!\")\n\t\t\treturn nil\n\t\t},\n\t\tTimeout: 15 * time.Second,\n\t\tClientVersion: fmt.Sprintf(\"SSH-2.0-%s\", version.GetServerVersion(\"_\", false)),\n\t}\n\tif c.signer != nil {\n\t\tclientConfig.Auth = append(clientConfig.Auth, ssh.PublicKeys(c.signer))\n\t}\n\tif pwd := c.config.Password.GetPayload(); pwd != \"\" {\n\t\tclientConfig.Auth = append(clientConfig.Auth, ssh.Password(pwd))\n\t}\n\tsupportedAlgos := ssh.SupportedAlgorithms()\n\tinsecureAlgos := ssh.InsecureAlgorithms()\n\t// add all available ciphers, KEXs and MACs, they are negotiated according to the order\n\tclientConfig.Ciphers = append(supportedAlgos.Ciphers, ssh.InsecureCipherAES128CBC)\n\tclientConfig.KeyExchanges = append(supportedAlgos.KeyExchanges, insecureAlgos.KeyExchanges...)\n\tclientConfig.MACs = append(supportedAlgos.MACs, insecureAlgos.MACs...)\n\tsshClient, err := ssh.Dial(\"tcp\", c.config.Endpoint, clientConfig)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"sftpfs: unable to connect: %w\", err)\n\t}\n\tsftpClient, err := sftp.NewClient(sshClient, c.getClientOptions()...)\n\tif err != nil {\n\t\tsshClient.Close()\n\t\treturn fmt.Errorf(\"sftpfs: unable to create SFTP client: %w\", err)\n\t}\n\tc.sshClient = sshClient\n\tc.sftpClient = sftpClient\n\tc.isConnected = true\n\tgo c.Wait()\n\treturn nil\n}\n\nfunc (c *sftpConnection) getClientOptions() []sftp.ClientOption {\n\tvar options []sftp.ClientOption\n\tif c.config.DisableCouncurrentReads {\n\t\toptions = append(options, sftp.UseConcurrentReads(false))\n\t\tlogger.Debug(c.logSender, \"\", \"disabling concurrent reads\")\n\t}\n\tif c.config.BufferSize > 0 {\n\t\toptions = append(options, sftp.UseConcurrentWrites(true))\n\t\tlogger.Debug(c.logSender, \"\", \"enabling concurrent writes\")\n\t}\n\treturn options\n}\n\nfunc (c *sftpConnection) getClient() (*sftp.Client, error) {\n\tc.mu.Lock()\n\tdefer c.mu.Unlock()\n\n\tif c.isConnected {\n\t\treturn c.sftpClient, nil\n\t}\n\terr := c.openConnNoLock()\n\treturn c.sftpClient, err\n}\n\nfunc (c *sftpConnection) Wait() {\n\tdone := make(chan struct{})\n\n\tgo func() {\n\t\tvar watchdogInProgress atomic.Bool\n\t\tticker := time.NewTicker(30 * time.Second)\n\t\tdefer ticker.Stop()\n\n\t\tfor {\n\t\t\tselect {\n\t\t\tcase <-ticker.C:\n\t\t\t\tif watchdogInProgress.Load() {\n\t\t\t\t\tlogger.Error(c.logSender, \"\", \"watchdog still in progress, closing hanging connection\")\n\t\t\t\t\tc.sshClient.Close()\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\tgo func() {\n\t\t\t\t\twatchdogInProgress.Store(true)\n\t\t\t\t\tdefer watchdogInProgress.Store(false)\n\n\t\t\t\t\t_, err := c.sftpClient.Getwd()\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\tlogger.Error(c.logSender, \"\", \"watchdog error: %v\", err)\n\t\t\t\t\t}\n\t\t\t\t}()\n\t\t\tcase <-done:\n\t\t\t\tlogger.Debug(c.logSender, \"\", \"quitting watchdog\")\n\t\t\t\treturn\n\t\t\t}\n\t\t}\n\t}()\n\n\t// we wait on the sftp client otherwise if the channel is closed but not the connection\n\t// we don't detect the event.\n\terr := c.sftpClient.Wait()\n\tlogger.Log(logger.LevelDebug, c.logSender, \"\", \"sftp channel closed: %v\", err)\n\tclose(done)\n\n\tc.mu.Lock()\n\tdefer c.mu.Unlock()\n\n\tc.isConnected = false\n\tif c.sshClient != nil {\n\t\tc.sshClient.Close()\n\t}\n}\n\nfunc (c *sftpConnection) Close() error {\n\tc.mu.Lock()\n\tdefer c.mu.Unlock()\n\n\tlogger.Debug(c.logSender, \"\", \"closing connection\")\n\tvar sftpErr, sshErr error\n\tif c.sftpClient != nil {\n\t\tsftpErr = c.sftpClient.Close()\n\t}\n\tif c.sshClient != nil {\n\t\tsshErr = c.sshClient.Close()\n\t}\n\tif sftpErr != nil {\n\t\treturn sftpErr\n\t}\n\tc.isConnected = false\n\treturn sshErr\n}\n\nfunc (c *sftpConnection) AddSession(sessionID string) {\n\tc.mu.Lock()\n\tdefer c.mu.Unlock()\n\n\tc.sessions[sessionID] = true\n\tlogger.Debug(c.logSender, \"\", \"added session %s, active sessions: %d\", sessionID, len(c.sessions))\n}\n\nfunc (c *sftpConnection) RemoveSession(sessionID string) {\n\tc.mu.Lock()\n\tdefer c.mu.Unlock()\n\n\tdelete(c.sessions, sessionID)\n\tlogger.Debug(c.logSender, \"\", \"removed session %s, active sessions: %d\", sessionID, len(c.sessions))\n\tif len(c.sessions) == 0 {\n\t\tc.lastActivity = time.Now().UTC()\n\t}\n}\n\nfunc (c *sftpConnection) ActiveSessions() int {\n\tc.mu.RLock()\n\tdefer c.mu.RUnlock()\n\n\treturn len(c.sessions)\n}\n\nfunc (c *sftpConnection) GetLastActivity() time.Time {\n\tc.mu.RLock()\n\tdefer c.mu.RUnlock()\n\n\tif len(c.sessions) > 0 {\n\t\treturn time.Now().UTC()\n\t}\n\tlogger.Debug(c.logSender, \"\", \"last activity %s\", c.lastActivity)\n\treturn c.lastActivity\n}\n\ntype sftpConnectionsCache struct {\n\tscheduler *cron.Cron\n\tsync.Mutex\n\titems map[string]*sftpConnection\n}\n\nfunc newSFTPConnectionCache() *sftpConnectionsCache {\n\tc := &sftpConnectionsCache{\n\t\tscheduler: cron.New(cron.WithLocation(time.UTC), cron.WithLogger(cron.DiscardLogger)),\n\t\titems: make(map[string]*sftpConnection),\n\t}\n\t_, err := c.scheduler.AddFunc(\"@every 1m\", c.Cleanup)\n\tutil.PanicOnError(err)\n\tc.scheduler.Start()\n\treturn c\n}\n\nfunc (c *sftpConnectionsCache) Get(config *SFTPFsConfig, sessionID string) (*sftpConnection, error) {\n\tpartition := 0\n\tkey := config.getUniqueID(partition)\n\n\tc.Lock()\n\tdefer c.Unlock()\n\n\tfor {\n\t\tif val, ok := c.items[key]; ok {\n\t\t\tactiveSessions := val.ActiveSessions()\n\t\t\tif activeSessions < maxSessionsPerConnection {\n\t\t\t\tlogger.Debug(logSenderSFTPCache, \"\",\n\t\t\t\t\t\"reusing connection for session ID %q, key %s, active sessions %d, active connections: %d\",\n\t\t\t\t\tsessionID, key, activeSessions+1, len(c.items))\n\t\t\t\tval.AddSession(sessionID)\n\t\t\t\treturn val, nil\n\t\t\t}\n\t\t\tpartition++\n\t\t\tkey = config.getUniqueID(partition)\n\t\t\tlogger.Debug(logSenderSFTPCache, \"\",\n\t\t\t\t\"connection full, generated new key for partition: %d, active sessions: %d, key: %s\",\n\t\t\t\tpartition, activeSessions, key)\n\t\t} else {\n\t\t\tconn := newSFTPConnection(config, sessionID)\n\t\t\tsigner, err := config.getKeySigner()\n\t\t\tif err != nil {\n\t\t\t\treturn nil, fmt.Errorf(\"sftpfs: unable to parse the private key: %w\", err)\n\t\t\t}\n\t\t\tconn.signer = signer\n\t\t\tc.items[key] = conn\n\t\t\tlogger.Debug(logSenderSFTPCache, \"\",\n\t\t\t\t\"adding new connection for session ID %q, partition: %d, key: %s, active connections: %d\",\n\t\t\t\tsessionID, partition, key, len(c.items))\n\t\t\treturn conn, nil\n\t\t}\n\t}\n}\n\nfunc (c *sftpConnectionsCache) Cleanup() {\n\tc.Lock()\n\n\tvar connectionsToClose []*sftpConnection\n\n\tfor k, conn := range c.items {\n\t\tif val := conn.GetLastActivity(); val.Before(time.Now().Add(-30 * time.Second)) {\n\t\t\tdelete(c.items, k)\n\t\t\tlogger.Debug(logSenderSFTPCache, \"\", \"removed connection with key %s, last activity %s, active connections: %d\",\n\t\t\t\tk, val, len(c.items))\n\t\t\tconnectionsToClose = append(connectionsToClose, conn)\n\t\t}\n\t}\n\n\tc.Unlock()\n\n\tfor _, conn := range connectionsToClose {\n\t\terr := conn.Close()\n\t\tlogger.Debug(logSenderSFTPCache, \"\", \"connection closed, err: %v\", err)\n\t}\n}\n" }, { "path": "internal/vfs/statvfs_fallback.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build !darwin && !linux && !freebsd\n\npackage vfs\n\nimport (\n\t\"github.com/pkg/sftp\"\n\t\"github.com/shirou/gopsutil/v3/disk\"\n)\n\nconst bsize = uint64(4096)\n\nfunc getStatFS(path string) (*sftp.StatVFS, error) {\n\tusage, err := disk.Usage(path)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\t// we assume block size = 4096\n\tblocks := usage.Total / bsize\n\tbfree := usage.Free / bsize\n\tfiles := usage.InodesTotal\n\tffree := usage.InodesFree\n\tif files == 0 {\n\t\t// these assumptions are wrong but still better than returning 0\n\t\tfiles = blocks / 4\n\t\tffree = bfree / 4\n\t}\n\treturn &sftp.StatVFS{\n\t\tBsize: bsize,\n\t\tFrsize: bsize,\n\t\tBlocks: blocks,\n\t\tBfree: bfree,\n\t\tBavail: bfree,\n\t\tFiles: files,\n\t\tFfree: ffree,\n\t\tFavail: ffree,\n\t\tNamemax: 255,\n\t}, nil\n}\n" }, { "path": "internal/vfs/statvfs_linux.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build linux\n\npackage vfs\n\nimport (\n\t\"github.com/pkg/sftp\"\n\t\"golang.org/x/sys/unix\"\n)\n\nfunc getStatFS(path string) (*sftp.StatVFS, error) {\n\tstat := unix.Statfs_t{}\n\terr := unix.Statfs(path, &stat)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn &sftp.StatVFS{\n\t\tBsize: uint64(stat.Bsize),\n\t\tFrsize: uint64(stat.Frsize),\n\t\tBlocks: stat.Blocks,\n\t\tBfree: stat.Bfree,\n\t\tBavail: stat.Bavail,\n\t\tFiles: stat.Files,\n\t\tFfree: stat.Ffree,\n\t\tFavail: stat.Ffree, // not sure how to calculate Favail\n\t\tFlag: uint64(stat.Flags),\n\t\tNamemax: uint64(stat.Namelen),\n\t}, nil\n}\n" }, { "path": "internal/vfs/statvfs_unix.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build freebsd || darwin\n\npackage vfs\n\nimport (\n\t\"github.com/pkg/sftp\"\n\t\"golang.org/x/sys/unix\"\n)\n\nfunc getStatFS(path string) (*sftp.StatVFS, error) {\n\tstat := unix.Statfs_t{}\n\terr := unix.Statfs(path, &stat)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn &sftp.StatVFS{\n\t\tBsize: uint64(stat.Bsize),\n\t\tFrsize: uint64(stat.Bsize),\n\t\tBlocks: stat.Blocks,\n\t\tBfree: stat.Bfree,\n\t\tBavail: uint64(stat.Bavail),\n\t\tFiles: stat.Files,\n\t\tFfree: uint64(stat.Ffree),\n\t\tFavail: uint64(stat.Ffree), // not sure how to calculate Favail\n\t\tFlag: uint64(stat.Flags),\n\t\tNamemax: 255, // we use a conservative value here\n\t}, nil\n}\n" }, { "path": "internal/vfs/sys_unix.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n//go:build !windows\n\npackage vfs\n\nimport (\n\t\"errors\"\n\n\t\"golang.org/x/sys/unix\"\n)\n\nfunc isCrossDeviceError(err error) bool {\n\treturn errors.Is(err, unix.EXDEV)\n}\n\nfunc isInvalidNameError(_ error) bool {\n\treturn false\n}\n" }, { "path": "internal/vfs/sys_windows.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage vfs\n\nimport (\n\t\"errors\"\n\n\t\"golang.org/x/sys/windows\"\n)\n\nfunc isCrossDeviceError(err error) bool {\n\treturn errors.Is(err, windows.ERROR_NOT_SAME_DEVICE)\n}\n\nfunc isInvalidNameError(err error) bool {\n\tif err == nil {\n\t\treturn false\n\t}\n\treturn errors.Is(err, windows.ERROR_INVALID_NAME)\n}\n" }, { "path": "internal/vfs/vfs.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n// Package vfs provides local and remote filesystems support\npackage vfs\n\nimport (\n\t\"bytes\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/url\"\n\t\"os\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"slices\"\n\t\"strconv\"\n\t\"strings\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/eikenb/pipeat\"\n\t\"github.com/pkg/sftp\"\n\t\"github.com/sftpgo/sdk\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\nconst (\n\tdirMimeType = \"inode/directory\"\n\ts3fsName = \"S3Fs\"\n\tgcsfsName = \"GCSFs\"\n\tazBlobFsName = \"AzureBlobFs\"\n\tlastModifiedField = \"sftpgo_last_modified\"\n\tpreResumeTimeout = 90 * time.Second\n\t// ListerBatchSize defines the default limit for DirLister implementations\n\tListerBatchSize = 1000\n)\n\n// Additional checks for files\nconst (\n\tCheckParentDir = 1\n\tCheckResume = 2\n\tCheckUpdateModTime = 4\n)\n\nvar (\n\tvalidAzAccessTier = []string{\"\", \"Archive\", \"Hot\", \"Cool\"}\n\t// ErrStorageSizeUnavailable is returned if the storage backend does not support getting the size\n\tErrStorageSizeUnavailable = errors.New(\"unable to get available size for this storage backend\")\n\t// ErrVfsUnsupported defines the error for an unsupported VFS operation\n\tErrVfsUnsupported = errors.New(\"not supported\")\n\terrInvalidDirListerLimit = errors.New(\"dir lister: invalid limit, must be > 0\")\n\ttempPath string\n\tsftpFingerprints []string\n\tallowSelfConnections int\n\trenameMode int\n\treadMetadata int\n\tresumeMaxSize int64\n\tuploadMode int\n)\n\nvar (\n\tcreatePipeFn = func(dirPath string, _ int64) (pipeReaderAt, pipeWriterAt, error) {\n\t\treturn pipeat.PipeInDir(dirPath)\n\t}\n)\n\n// SetAllowSelfConnections sets the desired behaviour for self connections\nfunc SetAllowSelfConnections(value int) {\n\tallowSelfConnections = value\n}\n\n// SetTempPath sets the path for temporary files\nfunc SetTempPath(fsPath string) {\n\ttempPath = fsPath\n}\n\n// GetTempPath returns the path for temporary files\nfunc GetTempPath() string {\n\treturn tempPath\n}\n\n// SetSFTPFingerprints sets the SFTP host key fingerprints\nfunc SetSFTPFingerprints(fp []string) {\n\tsftpFingerprints = fp\n}\n\n// SetRenameMode sets the rename mode\nfunc SetRenameMode(val int) {\n\trenameMode = val\n}\n\n// SetReadMetadataMode sets the read metadata mode\nfunc SetReadMetadataMode(val int) {\n\treadMetadata = val\n}\n\n// SetResumeMaxSize sets the max size allowed for resuming uploads for backends\n// with immutable objects\nfunc SetResumeMaxSize(val int64) {\n\tresumeMaxSize = val\n}\n\n// SetUploadMode sets the upload mode\nfunc SetUploadMode(val int) {\n\tuploadMode = val\n}\n\n// Fs defines the interface for filesystem backends\ntype Fs interface {\n\tName() string\n\tConnectionID() string\n\tStat(name string) (os.FileInfo, error)\n\tLstat(name string) (os.FileInfo, error)\n\tOpen(name string, offset int64) (File, PipeReader, func(), error)\n\tCreate(name string, flag, checks int) (File, PipeWriter, func(), error)\n\tRename(source, target string, checks int) (int, int64, error)\n\tRemove(name string, isDir bool) error\n\tMkdir(name string) error\n\tSymlink(source, target string) error\n\tChown(name string, uid int, gid int) error\n\tChmod(name string, mode os.FileMode) error\n\tChtimes(name string, atime, mtime time.Time, isUploading bool) error\n\tTruncate(name string, size int64) error\n\tReadDir(dirname string) (DirLister, error)\n\tReadlink(name string) (string, error)\n\tIsUploadResumeSupported() bool\n\tIsConditionalUploadResumeSupported(size int64) bool\n\tIsAtomicUploadSupported() bool\n\tCheckRootPath(username string, uid int, gid int) bool\n\tResolvePath(virtualPath string) (string, error)\n\tIsNotExist(err error) bool\n\tIsPermission(err error) bool\n\tIsNotSupported(err error) bool\n\tScanRootDirContents() (int, int64, error)\n\tGetDirSize(dirname string) (int, int64, error)\n\tGetAtomicUploadPath(name string) string\n\tGetRelativePath(name string) string\n\tWalk(root string, walkFn filepath.WalkFunc) error\n\tJoin(elem ...string) string\n\tHasVirtualFolders() bool\n\tGetMimeType(name string) (string, error)\n\tGetAvailableDiskSize(dirName string) (*sftp.StatVFS, error)\n\tClose() error\n}\n\n// FsRealPather is a Fs that implements the RealPath method.\ntype FsRealPather interface {\n\tFs\n\tRealPath(p string) (string, error)\n}\n\n// FsFileCopier is a Fs that implements the CopyFile method.\ntype FsFileCopier interface {\n\tFs\n\tCopyFile(source, target string, srcInfo os.FileInfo) (int, int64, error)\n}\n\n// File defines an interface representing a SFTPGo file\ntype File interface {\n\tio.Reader\n\tio.Writer\n\tio.Closer\n\tio.ReaderAt\n\tio.WriterAt\n\tio.Seeker\n\tStat() (os.FileInfo, error)\n\tName() string\n\tTruncate(size int64) error\n}\n\n// PipeWriter defines an interface representing a SFTPGo pipe writer\ntype PipeWriter interface {\n\tio.Writer\n\tio.WriterAt\n\tio.Closer\n\tDone(err error)\n\tGetWrittenBytes() int64\n}\n\n// PipeReader defines an interface representing a SFTPGo pipe reader\ntype PipeReader interface {\n\tio.Reader\n\tio.ReaderAt\n\tio.Closer\n\tsetMetadata(value map[string]string)\n\tsetMetadataFromPointerVal(value map[string]*string)\n\tMetadata() map[string]string\n}\n\ntype pipeReaderAt interface {\n\tRead(p []byte) (int, error)\n\tReadAt(p []byte, offset int64) (int, error)\n\tGetReadedBytes() int64\n\tClose() error\n\tCloseWithError(err error) error\n}\n\ntype pipeWriterAt interface {\n\tWrite(p []byte) (int, error)\n\tWriteAt(p []byte, offset int64) (int, error)\n\tGetWrittenBytes() int64\n\tClose() error\n\tCloseWithError(err error) error\n}\n\n// DirLister defines an interface for a directory lister\ntype DirLister interface {\n\tNext(limit int) ([]os.FileInfo, error)\n\tClose() error\n}\n\n// Metadater defines an interface to implement to return metadata for a file\ntype Metadater interface {\n\tMetadata() map[string]string\n}\n\ntype baseDirLister struct {\n\tcache []os.FileInfo\n}\n\nfunc (l *baseDirLister) Next(limit int) ([]os.FileInfo, error) {\n\tif limit <= 0 {\n\t\treturn nil, errInvalidDirListerLimit\n\t}\n\tif len(l.cache) >= limit {\n\t\treturn l.returnFromCache(limit), nil\n\t}\n\treturn l.returnFromCache(limit), io.EOF\n}\n\nfunc (l *baseDirLister) returnFromCache(limit int) []os.FileInfo {\n\tif len(l.cache) >= limit {\n\t\tresult := l.cache[:limit]\n\t\tl.cache = l.cache[limit:]\n\t\treturn result\n\t}\n\tresult := l.cache\n\tl.cache = nil\n\treturn result\n}\n\nfunc (l *baseDirLister) Close() error {\n\tl.cache = nil\n\treturn nil\n}\n\n// QuotaCheckResult defines the result for a quota check\ntype QuotaCheckResult struct {\n\tHasSpace bool\n\tAllowedSize int64\n\tAllowedFiles int\n\tUsedSize int64\n\tUsedFiles int\n\tQuotaSize int64\n\tQuotaFiles int\n}\n\n// GetRemainingSize returns the remaining allowed size\nfunc (q *QuotaCheckResult) GetRemainingSize() int64 {\n\tif q.QuotaSize > 0 {\n\t\treturn q.QuotaSize - q.UsedSize\n\t}\n\treturn 0\n}\n\n// GetRemainingFiles returns the remaining allowed files\nfunc (q *QuotaCheckResult) GetRemainingFiles() int {\n\tif q.QuotaFiles > 0 {\n\t\treturn q.QuotaFiles - q.UsedFiles\n\t}\n\treturn 0\n}\n\n// S3FsConfig defines the configuration for S3 based filesystem\ntype S3FsConfig struct {\n\tsdk.BaseS3FsConfig\n\tAccessSecret *kms.Secret `json:\"access_secret,omitempty\"`\n\tSSECustomerKey *kms.Secret `json:\"sse_customer_key,omitempty\"`\n}\n\n// HideConfidentialData hides confidential data\nfunc (c *S3FsConfig) HideConfidentialData() {\n\tif c.AccessSecret != nil {\n\t\tc.AccessSecret.Hide()\n\t}\n\tif c.SSECustomerKey != nil {\n\t\tc.SSECustomerKey.Hide()\n\t}\n}\n\nfunc (c *S3FsConfig) isEqual(other S3FsConfig) bool {\n\tif c.Bucket != other.Bucket {\n\t\treturn false\n\t}\n\tif c.KeyPrefix != other.KeyPrefix {\n\t\treturn false\n\t}\n\tif c.Region != other.Region {\n\t\treturn false\n\t}\n\tif c.AccessKey != other.AccessKey {\n\t\treturn false\n\t}\n\tif c.RoleARN != other.RoleARN {\n\t\treturn false\n\t}\n\tif c.Endpoint != other.Endpoint {\n\t\treturn false\n\t}\n\tif c.StorageClass != other.StorageClass {\n\t\treturn false\n\t}\n\tif c.ACL != other.ACL {\n\t\treturn false\n\t}\n\tif !c.areMultipartFieldsEqual(other) {\n\t\treturn false\n\t}\n\tif c.ForcePathStyle != other.ForcePathStyle {\n\t\treturn false\n\t}\n\tif c.SkipTLSVerify != other.SkipTLSVerify {\n\t\treturn false\n\t}\n\treturn c.isSecretEqual(other)\n}\n\nfunc (c *S3FsConfig) areMultipartFieldsEqual(other S3FsConfig) bool {\n\tif c.UploadPartSize != other.UploadPartSize {\n\t\treturn false\n\t}\n\tif c.UploadConcurrency != other.UploadConcurrency {\n\t\treturn false\n\t}\n\tif c.DownloadConcurrency != other.DownloadConcurrency {\n\t\treturn false\n\t}\n\tif c.DownloadPartSize != other.DownloadPartSize {\n\t\treturn false\n\t}\n\tif c.DownloadPartMaxTime != other.DownloadPartMaxTime {\n\t\treturn false\n\t}\n\tif c.UploadPartMaxTime != other.UploadPartMaxTime {\n\t\treturn false\n\t}\n\treturn true\n}\n\nfunc (c *S3FsConfig) isSecretEqual(other S3FsConfig) bool {\n\tif c.SSECustomerKey == nil {\n\t\tc.SSECustomerKey = kms.NewEmptySecret()\n\t}\n\tif other.SSECustomerKey == nil {\n\t\tother.SSECustomerKey = kms.NewEmptySecret()\n\t}\n\tif !c.SSECustomerKey.IsEqual(other.SSECustomerKey) {\n\t\treturn false\n\t}\n\tif c.AccessSecret == nil {\n\t\tc.AccessSecret = kms.NewEmptySecret()\n\t}\n\tif other.AccessSecret == nil {\n\t\tother.AccessSecret = kms.NewEmptySecret()\n\t}\n\treturn c.AccessSecret.IsEqual(other.AccessSecret)\n}\n\nfunc (c *S3FsConfig) checkCredentials() error {\n\tif c.AccessKey == \"\" && !c.AccessSecret.IsEmpty() {\n\t\treturn util.NewI18nError(\n\t\t\terrors.New(\"access_key cannot be empty with access_secret not empty\"),\n\t\t\tutil.I18nErrorAccessKeyRequired,\n\t\t)\n\t}\n\tif c.AccessSecret.IsEmpty() && c.AccessKey != \"\" {\n\t\treturn util.NewI18nError(\n\t\t\terrors.New(\"access_secret cannot be empty with access_key not empty\"),\n\t\t\tutil.I18nErrorAccessSecretRequired,\n\t\t)\n\t}\n\tif c.AccessSecret.IsEncrypted() && !c.AccessSecret.IsValid() {\n\t\treturn errors.New(\"invalid encrypted access_secret\")\n\t}\n\tif !c.AccessSecret.IsEmpty() && !c.AccessSecret.IsValidInput() {\n\t\treturn errors.New(\"invalid access_secret\")\n\t}\n\tif c.SSECustomerKey.IsEncrypted() && !c.SSECustomerKey.IsValid() {\n\t\treturn errors.New(\"invalid encrypted sse_customer_key\")\n\t}\n\tif !c.SSECustomerKey.IsEmpty() && !c.SSECustomerKey.IsValidInput() {\n\t\treturn errors.New(\"invalid sse_customer_key\")\n\t}\n\treturn nil\n}\n\n// ValidateAndEncryptCredentials validates the configuration and encrypts access secret if it is in plain text\nfunc (c *S3FsConfig) ValidateAndEncryptCredentials(additionalData string) error {\n\tif err := c.validate(); err != nil {\n\t\tvar errI18n *util.I18nError\n\t\terrValidation := util.NewValidationError(fmt.Sprintf(\"could not validate s3config: %v\", err))\n\t\tif errors.As(err, &errI18n) {\n\t\t\treturn util.NewI18nError(errValidation, errI18n.Message)\n\t\t}\n\t\treturn util.NewI18nError(errValidation, util.I18nErrorFsValidation)\n\t}\n\tif c.AccessSecret.IsPlain() {\n\t\tc.AccessSecret.SetAdditionalData(additionalData)\n\t\terr := c.AccessSecret.Encrypt()\n\t\tif err != nil {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"could not encrypt s3 access secret: %v\", err)),\n\t\t\t\tutil.I18nErrorFsValidation,\n\t\t\t)\n\t\t}\n\t}\n\tif c.SSECustomerKey.IsPlain() {\n\t\tc.SSECustomerKey.SetAdditionalData(additionalData)\n\t\terr := c.SSECustomerKey.Encrypt()\n\t\tif err != nil {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"could not encrypt s3 SSE customer key: %v\", err)),\n\t\t\t\tutil.I18nErrorFsValidation,\n\t\t\t)\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (c *S3FsConfig) checkPartSizeAndConcurrency() error {\n\tif c.UploadPartSize != 0 && (c.UploadPartSize < 5 || c.UploadPartSize > 2000) {\n\t\treturn util.NewI18nError(\n\t\t\terrors.New(\"upload_part_size cannot be != 0, lower than 5 (MB) or greater than 2000 (MB)\"),\n\t\t\tutil.I18nErrorULPartSizeInvalid,\n\t\t)\n\t}\n\tif c.UploadConcurrency < 0 || c.UploadConcurrency > 64 {\n\t\treturn util.NewI18nError(\n\t\t\tfmt.Errorf(\"invalid upload concurrency: %v\", c.UploadConcurrency),\n\t\t\tutil.I18nErrorULConcurrencyInvalid,\n\t\t)\n\t}\n\tif c.DownloadPartSize != 0 && (c.DownloadPartSize < 5 || c.DownloadPartSize > 2000) {\n\t\treturn util.NewI18nError(\n\t\t\terrors.New(\"download_part_size cannot be != 0, lower than 5 (MB) or greater than 2000 (MB)\"),\n\t\t\tutil.I18nErrorDLPartSizeInvalid,\n\t\t)\n\t}\n\tif c.DownloadConcurrency < 0 || c.DownloadConcurrency > 64 {\n\t\treturn util.NewI18nError(\n\t\t\tfmt.Errorf(\"invalid download concurrency: %v\", c.DownloadConcurrency),\n\t\t\tutil.I18nErrorDLConcurrencyInvalid,\n\t\t)\n\t}\n\treturn nil\n}\n\nfunc (c *S3FsConfig) isSameResource(other S3FsConfig) bool {\n\tif c.Bucket != other.Bucket {\n\t\treturn false\n\t}\n\tif c.Endpoint != other.Endpoint {\n\t\treturn false\n\t}\n\treturn c.Region == other.Region\n}\n\n// validate returns an error if the configuration is not valid\nfunc (c *S3FsConfig) validate() error {\n\tif c.AccessSecret == nil {\n\t\tc.AccessSecret = kms.NewEmptySecret()\n\t}\n\tif c.SSECustomerKey == nil {\n\t\tc.SSECustomerKey = kms.NewEmptySecret()\n\t}\n\tif c.Bucket == \"\" {\n\t\treturn util.NewI18nError(errors.New(\"bucket cannot be empty\"), util.I18nErrorBucketRequired)\n\t}\n\t// the region may be embedded within the endpoint for some S3 compatible\n\t// object storage, for example B2\n\tif c.Endpoint == \"\" && c.Region == \"\" {\n\t\treturn util.NewI18nError(errors.New(\"region cannot be empty\"), util.I18nErrorRegionRequired)\n\t}\n\tif err := c.checkCredentials(); err != nil {\n\t\treturn err\n\t}\n\tif c.KeyPrefix != \"\" {\n\t\tif strings.HasPrefix(c.KeyPrefix, \"/\") {\n\t\t\treturn util.NewI18nError(errors.New(\"key_prefix cannot start with /\"), util.I18nErrorKeyPrefixInvalid)\n\t\t}\n\t\tc.KeyPrefix = path.Clean(c.KeyPrefix)\n\t\tif !strings.HasSuffix(c.KeyPrefix, \"/\") {\n\t\t\tc.KeyPrefix += \"/\"\n\t\t}\n\t}\n\tc.StorageClass = strings.TrimSpace(c.StorageClass)\n\tc.ACL = strings.TrimSpace(c.ACL)\n\treturn c.checkPartSizeAndConcurrency()\n}\n\n// GCSFsConfig defines the configuration for Google Cloud Storage based filesystem\ntype GCSFsConfig struct {\n\tsdk.BaseGCSFsConfig\n\tCredentials *kms.Secret `json:\"credentials,omitempty\"`\n}\n\n// HideConfidentialData hides confidential data\nfunc (c *GCSFsConfig) HideConfidentialData() {\n\tif c.Credentials != nil {\n\t\tc.Credentials.Hide()\n\t}\n}\n\n// ValidateAndEncryptCredentials validates the configuration and encrypts credentials if they are in plain text\nfunc (c *GCSFsConfig) ValidateAndEncryptCredentials(additionalData string) error {\n\tif err := c.validate(); err != nil {\n\t\tvar errI18n *util.I18nError\n\t\terrValidation := util.NewValidationError(fmt.Sprintf(\"could not validate GCS config: %v\", err))\n\t\tif errors.As(err, &errI18n) {\n\t\t\treturn util.NewI18nError(errValidation, errI18n.Message)\n\t\t}\n\t\treturn util.NewI18nError(errValidation, util.I18nErrorFsValidation)\n\t}\n\tif c.Credentials.IsPlain() {\n\t\tc.Credentials.SetAdditionalData(additionalData)\n\t\terr := c.Credentials.Encrypt()\n\t\tif err != nil {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"could not encrypt GCS credentials: %v\", err)),\n\t\t\t\tutil.I18nErrorFsValidation,\n\t\t\t)\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (c *GCSFsConfig) isEqual(other GCSFsConfig) bool {\n\tif c.Bucket != other.Bucket {\n\t\treturn false\n\t}\n\tif c.KeyPrefix != other.KeyPrefix {\n\t\treturn false\n\t}\n\tif c.AutomaticCredentials != other.AutomaticCredentials {\n\t\treturn false\n\t}\n\tif c.StorageClass != other.StorageClass {\n\t\treturn false\n\t}\n\tif c.ACL != other.ACL {\n\t\treturn false\n\t}\n\tif c.UploadPartSize != other.UploadPartSize {\n\t\treturn false\n\t}\n\tif c.UploadPartMaxTime != other.UploadPartMaxTime {\n\t\treturn false\n\t}\n\tif c.Credentials == nil {\n\t\tc.Credentials = kms.NewEmptySecret()\n\t}\n\tif other.Credentials == nil {\n\t\tother.Credentials = kms.NewEmptySecret()\n\t}\n\treturn c.Credentials.IsEqual(other.Credentials)\n}\n\nfunc (c *GCSFsConfig) isSameResource(other GCSFsConfig) bool {\n\treturn c.Bucket == other.Bucket\n}\n\n// validate returns an error if the configuration is not valid\nfunc (c *GCSFsConfig) validate() error { //nolint:gocyclo\n\tif c.Credentials == nil || c.AutomaticCredentials == 1 {\n\t\tc.Credentials = kms.NewEmptySecret()\n\t}\n\tif c.Bucket == \"\" {\n\t\treturn util.NewI18nError(errors.New(\"bucket cannot be empty\"), util.I18nErrorBucketRequired)\n\t}\n\tif c.KeyPrefix != \"\" {\n\t\tif strings.HasPrefix(c.KeyPrefix, \"/\") {\n\t\t\treturn util.NewI18nError(errors.New(\"key_prefix cannot start with /\"), util.I18nErrorKeyPrefixInvalid)\n\t\t}\n\t\tc.KeyPrefix = path.Clean(c.KeyPrefix)\n\t\tif !strings.HasSuffix(c.KeyPrefix, \"/\") {\n\t\t\tc.KeyPrefix += \"/\"\n\t\t}\n\t}\n\tif c.Credentials.IsEncrypted() && !c.Credentials.IsValid() {\n\t\treturn errors.New(\"invalid encrypted credentials\")\n\t}\n\tif c.AutomaticCredentials == 0 && !c.Credentials.IsValidInput() {\n\t\treturn util.NewI18nError(errors.New(\"invalid credentials\"), util.I18nErrorFsCredentialsRequired)\n\t}\n\tc.StorageClass = strings.TrimSpace(c.StorageClass)\n\tc.ACL = strings.TrimSpace(c.ACL)\n\tif c.UploadPartSize < 0 || c.UploadPartSize > 2000 {\n\t\tc.UploadPartSize = 0\n\t}\n\tif c.UploadPartMaxTime < 0 {\n\t\tc.UploadPartMaxTime = 0\n\t}\n\treturn nil\n}\n\n// AzBlobFsConfig defines the configuration for Azure Blob Storage based filesystem\ntype AzBlobFsConfig struct {\n\tsdk.BaseAzBlobFsConfig\n\t// Storage Account Key leave blank to use SAS URL.\n\t// The access key is stored encrypted based on the kms configuration\n\tAccountKey *kms.Secret `json:\"account_key,omitempty\"`\n\t// Shared access signature URL, leave blank if using account/key\n\tSASURL *kms.Secret `json:\"sas_url,omitempty\"`\n}\n\n// HideConfidentialData hides confidential data\nfunc (c *AzBlobFsConfig) HideConfidentialData() {\n\tif c.AccountKey != nil {\n\t\tc.AccountKey.Hide()\n\t}\n\tif c.SASURL != nil {\n\t\tc.SASURL.Hide()\n\t}\n}\n\nfunc (c *AzBlobFsConfig) isEqual(other AzBlobFsConfig) bool {\n\tif c.Container != other.Container {\n\t\treturn false\n\t}\n\tif c.AccountName != other.AccountName {\n\t\treturn false\n\t}\n\tif c.Endpoint != other.Endpoint {\n\t\treturn false\n\t}\n\tif c.SASURL.IsEmpty() {\n\t\tc.SASURL = kms.NewEmptySecret()\n\t}\n\tif other.SASURL.IsEmpty() {\n\t\tother.SASURL = kms.NewEmptySecret()\n\t}\n\tif !c.SASURL.IsEqual(other.SASURL) {\n\t\treturn false\n\t}\n\tif c.KeyPrefix != other.KeyPrefix {\n\t\treturn false\n\t}\n\tif c.UploadPartSize != other.UploadPartSize {\n\t\treturn false\n\t}\n\tif c.UploadConcurrency != other.UploadConcurrency {\n\t\treturn false\n\t}\n\tif c.DownloadPartSize != other.DownloadPartSize {\n\t\treturn false\n\t}\n\tif c.DownloadConcurrency != other.DownloadConcurrency {\n\t\treturn false\n\t}\n\tif c.UseEmulator != other.UseEmulator {\n\t\treturn false\n\t}\n\tif c.AccessTier != other.AccessTier {\n\t\treturn false\n\t}\n\treturn c.isSecretEqual(other)\n}\n\nfunc (c *AzBlobFsConfig) isSecretEqual(other AzBlobFsConfig) bool {\n\tif c.AccountKey == nil {\n\t\tc.AccountKey = kms.NewEmptySecret()\n\t}\n\tif other.AccountKey == nil {\n\t\tother.AccountKey = kms.NewEmptySecret()\n\t}\n\treturn c.AccountKey.IsEqual(other.AccountKey)\n}\n\n// ValidateAndEncryptCredentials validates the configuration and encrypts access secret if it is in plain text\nfunc (c *AzBlobFsConfig) ValidateAndEncryptCredentials(additionalData string) error {\n\tif err := c.validate(); err != nil {\n\t\tvar errI18n *util.I18nError\n\t\terrValidation := util.NewValidationError(fmt.Sprintf(\"could not validate Azure Blob config: %v\", err))\n\t\tif errors.As(err, &errI18n) {\n\t\t\treturn util.NewI18nError(errValidation, errI18n.Message)\n\t\t}\n\t\treturn util.NewI18nError(errValidation, util.I18nErrorFsValidation)\n\t}\n\tif c.AccountKey.IsPlain() {\n\t\tc.AccountKey.SetAdditionalData(additionalData)\n\t\tif err := c.AccountKey.Encrypt(); err != nil {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"could not encrypt Azure blob account key: %v\", err)),\n\t\t\t\tutil.I18nErrorFsValidation,\n\t\t\t)\n\t\t}\n\t}\n\tif c.SASURL.IsPlain() {\n\t\tc.SASURL.SetAdditionalData(additionalData)\n\t\tif err := c.SASURL.Encrypt(); err != nil {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"could not encrypt Azure blob SAS URL: %v\", err)),\n\t\t\t\tutil.I18nErrorFsValidation,\n\t\t\t)\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (c *AzBlobFsConfig) checkCredentials() error {\n\tif c.SASURL.IsPlain() {\n\t\t_, err := url.Parse(c.SASURL.GetPayload())\n\t\tif err != nil {\n\t\t\treturn util.NewI18nError(err, util.I18nErrorSASURLInvalid)\n\t\t}\n\t\treturn nil\n\t}\n\tif c.SASURL.IsEncrypted() && !c.SASURL.IsValid() {\n\t\treturn errors.New(\"invalid encrypted sas_url\")\n\t}\n\tif !c.SASURL.IsEmpty() {\n\t\treturn nil\n\t}\n\tif c.AccountName == \"\" {\n\t\treturn util.NewI18nError(errors.New(\"account name is required\"), util.I18nErrorAccountNameRequired)\n\t}\n\tif c.AccountKey.IsEncrypted() && !c.AccountKey.IsValid() {\n\t\treturn errors.New(\"invalid encrypted account_key\")\n\t}\n\treturn nil\n}\n\nfunc (c *AzBlobFsConfig) checkPartSizeAndConcurrency() error {\n\tif c.UploadPartSize < 0 || c.UploadPartSize > 2000 {\n\t\treturn util.NewI18nError(\n\t\t\tfmt.Errorf(\"invalid upload part size: %v\", c.UploadPartSize),\n\t\t\tutil.I18nErrorULPartSizeInvalid,\n\t\t)\n\t}\n\tif c.UploadConcurrency < 0 || c.UploadConcurrency > 64 {\n\t\treturn util.NewI18nError(\n\t\t\tfmt.Errorf(\"invalid upload concurrency: %v\", c.UploadConcurrency),\n\t\t\tutil.I18nErrorULConcurrencyInvalid,\n\t\t)\n\t}\n\tif c.DownloadPartSize < 0 || c.DownloadPartSize > 2000 {\n\t\treturn util.NewI18nError(\n\t\t\tfmt.Errorf(\"invalid download part size: %v\", c.DownloadPartSize),\n\t\t\tutil.I18nErrorDLPartSizeInvalid,\n\t\t)\n\t}\n\tif c.DownloadConcurrency < 0 || c.DownloadConcurrency > 64 {\n\t\treturn util.NewI18nError(\n\t\t\tfmt.Errorf(\"invalid upload concurrency: %v\", c.DownloadConcurrency),\n\t\t\tutil.I18nErrorDLConcurrencyInvalid,\n\t\t)\n\t}\n\treturn nil\n}\n\nfunc (c *AzBlobFsConfig) tryDecrypt() error {\n\tif err := c.AccountKey.TryDecrypt(); err != nil {\n\t\treturn fmt.Errorf(\"unable to decrypt account key: %w\", err)\n\t}\n\tif err := c.SASURL.TryDecrypt(); err != nil {\n\t\treturn fmt.Errorf(\"unable to decrypt SAS URL: %w\", err)\n\t}\n\treturn nil\n}\n\nfunc (c *AzBlobFsConfig) isSameResource(other AzBlobFsConfig) bool {\n\tif c.AccountName != other.AccountName {\n\t\treturn false\n\t}\n\tif c.Endpoint != other.Endpoint {\n\t\treturn false\n\t}\n\tif c.SASURL == nil {\n\t\tc.SASURL = kms.NewEmptySecret()\n\t}\n\tif other.SASURL == nil {\n\t\tother.SASURL = kms.NewEmptySecret()\n\t}\n\treturn c.SASURL.GetPayload() == other.SASURL.GetPayload()\n}\n\n// validate returns an error if the configuration is not valid\nfunc (c *AzBlobFsConfig) validate() error {\n\tif c.AccountKey == nil {\n\t\tc.AccountKey = kms.NewEmptySecret()\n\t}\n\tif c.SASURL == nil {\n\t\tc.SASURL = kms.NewEmptySecret()\n\t}\n\t// container could be embedded within SAS URL we check this at runtime\n\tif c.SASURL.IsEmpty() && c.Container == \"\" {\n\t\treturn util.NewI18nError(errors.New(\"container cannot be empty\"), util.I18nErrorContainerRequired)\n\t}\n\tif err := c.checkCredentials(); err != nil {\n\t\treturn err\n\t}\n\tif c.KeyPrefix != \"\" {\n\t\tif strings.HasPrefix(c.KeyPrefix, \"/\") {\n\t\t\treturn util.NewI18nError(errors.New(\"key_prefix cannot start with /\"), util.I18nErrorKeyPrefixInvalid)\n\t\t}\n\t\tc.KeyPrefix = path.Clean(c.KeyPrefix)\n\t\tif !strings.HasSuffix(c.KeyPrefix, \"/\") {\n\t\t\tc.KeyPrefix += \"/\"\n\t\t}\n\t}\n\tif err := c.checkPartSizeAndConcurrency(); err != nil {\n\t\treturn err\n\t}\n\tif !slices.Contains(validAzAccessTier, c.AccessTier) {\n\t\treturn fmt.Errorf(\"invalid access tier %q, valid values: \\\"''%v\\\"\", c.AccessTier, strings.Join(validAzAccessTier, \", \"))\n\t}\n\treturn nil\n}\n\n// CryptFsConfig defines the configuration to store local files as encrypted\ntype CryptFsConfig struct {\n\tsdk.OSFsConfig\n\tPassphrase *kms.Secret `json:\"passphrase,omitempty\"`\n}\n\n// HideConfidentialData hides confidential data\nfunc (c *CryptFsConfig) HideConfidentialData() {\n\tif c.Passphrase != nil {\n\t\tc.Passphrase.Hide()\n\t}\n}\n\nfunc (c *CryptFsConfig) isEqual(other CryptFsConfig) bool {\n\tif c.Passphrase == nil {\n\t\tc.Passphrase = kms.NewEmptySecret()\n\t}\n\tif other.Passphrase == nil {\n\t\tother.Passphrase = kms.NewEmptySecret()\n\t}\n\treturn c.Passphrase.IsEqual(other.Passphrase)\n}\n\n// ValidateAndEncryptCredentials validates the configuration and encrypts the passphrase if it is in plain text\nfunc (c *CryptFsConfig) ValidateAndEncryptCredentials(additionalData string) error {\n\tif err := c.validate(); err != nil {\n\t\tvar errI18n *util.I18nError\n\t\terrValidation := util.NewValidationError(fmt.Sprintf(\"could not validate crypt fs config: %v\", err))\n\t\tif errors.As(err, &errI18n) {\n\t\t\treturn util.NewI18nError(errValidation, errI18n.Message)\n\t\t}\n\t\treturn util.NewI18nError(errValidation, util.I18nErrorFsValidation)\n\t}\n\tif c.Passphrase.IsPlain() {\n\t\tc.Passphrase.SetAdditionalData(additionalData)\n\t\tif err := c.Passphrase.Encrypt(); err != nil {\n\t\t\treturn util.NewI18nError(\n\t\t\t\tutil.NewValidationError(fmt.Sprintf(\"could not encrypt Crypt fs passphrase: %v\", err)),\n\t\t\t\tutil.I18nErrorFsValidation,\n\t\t\t)\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc (c *CryptFsConfig) isSameResource(other CryptFsConfig) bool {\n\treturn c.Passphrase.GetPayload() == other.Passphrase.GetPayload()\n}\n\n// validate returns an error if the configuration is not valid\nfunc (c *CryptFsConfig) validate() error {\n\tif c.Passphrase == nil || c.Passphrase.IsEmpty() {\n\t\treturn util.NewI18nError(errors.New(\"invalid passphrase\"), util.I18nErrorPassphraseRequired)\n\t}\n\tif !c.Passphrase.IsValidInput() {\n\t\treturn util.NewI18nError(errors.New(\"passphrase cannot be empty or invalid\"), util.I18nErrorPassphraseRequired)\n\t}\n\tif c.Passphrase.IsEncrypted() && !c.Passphrase.IsValid() {\n\t\treturn errors.New(\"invalid encrypted passphrase\")\n\t}\n\treturn nil\n}\n\n// pipeWriter defines a wrapper for a pipeWriterAt.\ntype pipeWriter struct {\n\tpipeWriterAt\n\terr error\n\tdone chan bool\n}\n\n// NewPipeWriter initializes a new PipeWriter\nfunc NewPipeWriter(w pipeWriterAt) PipeWriter {\n\treturn &pipeWriter{\n\t\tpipeWriterAt: w,\n\t\terr: nil,\n\t\tdone: make(chan bool),\n\t}\n}\n\n// Close waits for the upload to end, closes the pipeWriterAt and returns an error if any.\nfunc (p *pipeWriter) Close() error {\n\tp.pipeWriterAt.Close() //nolint:errcheck // the returned error is always null\n\t<-p.done\n\treturn p.err\n}\n\n// Done unlocks other goroutines waiting on Close().\n// It must be called when the upload ends\nfunc (p *pipeWriter) Done(err error) {\n\tp.err = err\n\tp.done <- true\n}\n\nfunc newPipeWriterAtOffset(w pipeWriterAt, offset int64) PipeWriter {\n\treturn &pipeWriterAtOffset{\n\t\tpipeWriter: &pipeWriter{\n\t\t\tpipeWriterAt: w,\n\t\t\terr: nil,\n\t\t\tdone: make(chan bool),\n\t\t},\n\t\toffset: offset,\n\t\twriteOffset: offset,\n\t}\n}\n\ntype pipeWriterAtOffset struct {\n\t*pipeWriter\n\toffset int64\n\twriteOffset int64\n}\n\nfunc (p *pipeWriterAtOffset) WriteAt(buf []byte, off int64) (int, error) {\n\tif off < p.offset {\n\t\treturn 0, fmt.Errorf(\"invalid offset %d, minimum accepted %d\", off, p.offset)\n\t}\n\treturn p.pipeWriter.WriteAt(buf, off-p.offset)\n}\n\nfunc (p *pipeWriterAtOffset) Write(buf []byte) (int, error) {\n\tn, err := p.WriteAt(buf, p.writeOffset)\n\tp.writeOffset += int64(n)\n\treturn n, err\n}\n\n// NewPipeReader initializes a new PipeReader\nfunc NewPipeReader(r pipeReaderAt) PipeReader {\n\treturn &pipeReader{\n\t\tpipeReaderAt: r,\n\t}\n}\n\n// pipeReader defines a wrapper for pipeat.PipeReaderAt.\ntype pipeReader struct {\n\tpipeReaderAt\n\tmu sync.RWMutex\n\tmetadata map[string]string\n}\n\nfunc (p *pipeReader) setMetadata(value map[string]string) {\n\tp.mu.Lock()\n\tdefer p.mu.Unlock()\n\n\tp.metadata = value\n}\n\nfunc (p *pipeReader) setMetadataFromPointerVal(value map[string]*string) {\n\tp.mu.Lock()\n\tdefer p.mu.Unlock()\n\n\tif len(value) == 0 {\n\t\tp.metadata = nil\n\t\treturn\n\t}\n\n\tp.metadata = map[string]string{}\n\tfor k, v := range value {\n\t\tval := util.GetStringFromPointer(v)\n\t\tif val != \"\" {\n\t\t\tp.metadata[k] = val\n\t\t}\n\t}\n}\n\n// Metadata implements the Metadater interface\nfunc (p *pipeReader) Metadata() map[string]string {\n\tp.mu.RLock()\n\tdefer p.mu.RUnlock()\n\n\tif len(p.metadata) == 0 {\n\t\treturn nil\n\t}\n\tresult := make(map[string]string)\n\tfor k, v := range p.metadata {\n\t\tresult[k] = v\n\t}\n\treturn result\n}\n\nfunc isEqualityCheckModeValid(mode int) bool {\n\treturn mode >= 0 || mode <= 1\n}\n\n// isDirectory checks if a path exists and is a directory\nfunc isDirectory(fs Fs, path string) (bool, error) {\n\tfileInfo, err := fs.Stat(path)\n\tif err != nil {\n\t\treturn false, err\n\t}\n\treturn fileInfo.IsDir(), err\n}\n\n// IsLocalOsFs returns true if fs is a local filesystem implementation\nfunc IsLocalOsFs(fs Fs) bool {\n\treturn fs.Name() == osFsName\n}\n\n// IsCryptOsFs returns true if fs is an encrypted local filesystem implementation\nfunc IsCryptOsFs(fs Fs) bool {\n\treturn fs.Name() == cryptFsName\n}\n\n// IsSFTPFs returns true if fs is an SFTP filesystem\nfunc IsSFTPFs(fs Fs) bool {\n\treturn strings.HasPrefix(fs.Name(), sftpFsName)\n}\n\n// IsHTTPFs returns true if fs is an HTTP filesystem\nfunc IsHTTPFs(fs Fs) bool {\n\treturn strings.HasPrefix(fs.Name(), httpFsName)\n}\n\n// IsBufferedLocalOrSFTPFs returns true if this is a buffered SFTP or local filesystem\nfunc IsBufferedLocalOrSFTPFs(fs Fs) bool {\n\tif osFs, ok := fs.(*OsFs); ok {\n\t\treturn osFs.writeBufferSize > 0\n\t}\n\tif !IsSFTPFs(fs) {\n\t\treturn false\n\t}\n\treturn !fs.IsUploadResumeSupported()\n}\n\n// FsOpenReturnsFile returns true if fs.Open returns a *os.File handle\nfunc FsOpenReturnsFile(fs Fs) bool {\n\tif osFs, ok := fs.(*OsFs); ok {\n\t\treturn osFs.readBufferSize == 0\n\t}\n\tif sftpFs, ok := fs.(*SFTPFs); ok {\n\t\treturn sftpFs.config.BufferSize == 0\n\t}\n\treturn false\n}\n\n// IsLocalOrSFTPFs returns true if fs is local or SFTP\nfunc IsLocalOrSFTPFs(fs Fs) bool {\n\treturn IsLocalOsFs(fs) || IsSFTPFs(fs)\n}\n\n// HasTruncateSupport returns true if the fs supports truncate files\nfunc HasTruncateSupport(fs Fs) bool {\n\treturn IsLocalOsFs(fs) || IsSFTPFs(fs) || IsHTTPFs(fs)\n}\n\n// IsRenameAtomic returns true if renaming a directory is supposed to be atomic\nfunc IsRenameAtomic(fs Fs) bool {\n\tif strings.HasPrefix(fs.Name(), s3fsName) {\n\t\treturn false\n\t}\n\tif strings.HasPrefix(fs.Name(), gcsfsName) {\n\t\treturn false\n\t}\n\tif strings.HasPrefix(fs.Name(), azBlobFsName) {\n\t\treturn false\n\t}\n\treturn true\n}\n\n// HasImplicitAtomicUploads returns true if the fs don't persists partial files on error\nfunc HasImplicitAtomicUploads(fs Fs) bool {\n\tif strings.HasPrefix(fs.Name(), s3fsName) {\n\t\treturn uploadMode&4 == 0\n\t}\n\tif strings.HasPrefix(fs.Name(), gcsfsName) {\n\t\treturn uploadMode&8 == 0\n\t}\n\tif strings.HasPrefix(fs.Name(), azBlobFsName) {\n\t\treturn uploadMode&16 == 0\n\t}\n\treturn false\n}\n\n// HasOpenRWSupport returns true if the fs can open a file\n// for reading and writing at the same time\nfunc HasOpenRWSupport(fs Fs) bool {\n\tif IsLocalOsFs(fs) {\n\t\treturn true\n\t}\n\tif IsSFTPFs(fs) && fs.IsUploadResumeSupported() {\n\t\treturn true\n\t}\n\treturn false\n}\n\n// IsLocalOrCryptoFs returns true if fs is local or local encrypted\nfunc IsLocalOrCryptoFs(fs Fs) bool {\n\treturn IsLocalOsFs(fs) || IsCryptOsFs(fs)\n}\n\n// SetPathPermissions calls fs.Chown.\n// It does nothing for local filesystem on windows\nfunc SetPathPermissions(fs Fs, path string, uid int, gid int) {\n\tif uid == -1 && gid == -1 {\n\t\treturn\n\t}\n\tif IsLocalOsFs(fs) {\n\t\tif runtime.GOOS == \"windows\" {\n\t\t\treturn\n\t\t}\n\t}\n\tif err := fs.Chown(path, uid, gid); err != nil {\n\t\tfsLog(fs, logger.LevelWarn, \"error chowning path %v: %v\", path, err)\n\t}\n}\n\n// IsUploadResumeSupported returns true if resuming uploads is supported\nfunc IsUploadResumeSupported(fs Fs, size int64) bool {\n\tif fs.IsUploadResumeSupported() {\n\t\treturn true\n\t}\n\treturn fs.IsConditionalUploadResumeSupported(size)\n}\n\nfunc getLastModified(metadata map[string]string) int64 {\n\tif val, ok := metadata[lastModifiedField]; ok && val != \"\" {\n\t\tlastModified, err := strconv.ParseInt(val, 10, 64)\n\t\tif err == nil {\n\t\t\treturn lastModified\n\t\t}\n\t}\n\treturn 0\n}\n\nfunc getAzureLastModified(metadata map[string]*string) int64 {\n\tfor k, v := range metadata {\n\t\tif strings.EqualFold(k, lastModifiedField) {\n\t\t\tif val := util.GetStringFromPointer(v); val != \"\" {\n\t\t\t\tlastModified, err := strconv.ParseInt(val, 10, 64)\n\t\t\t\tif err == nil {\n\t\t\t\t\treturn lastModified\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn 0\n\t\t}\n\t}\n\treturn 0\n}\n\nfunc validateOSFsConfig(config *sdk.OSFsConfig) error {\n\tif config.ReadBufferSize < 0 || config.ReadBufferSize > 10 {\n\t\treturn fmt.Errorf(\"invalid read buffer size must be between 0 and 10 MB\")\n\t}\n\tif config.WriteBufferSize < 0 || config.WriteBufferSize > 10 {\n\t\treturn fmt.Errorf(\"invalid write buffer size must be between 0 and 10 MB\")\n\t}\n\treturn nil\n}\n\nfunc doCopy(dst io.Writer, src io.Reader, buf []byte) (written int64, err error) {\n\tif buf == nil {\n\t\tbuf = make([]byte, 32768)\n\t}\n\tfor {\n\t\tnr, er := src.Read(buf)\n\t\tif nr > 0 {\n\t\t\tnw, ew := dst.Write(buf[0:nr])\n\t\t\tif nw < 0 || nr < nw {\n\t\t\t\tnw = 0\n\t\t\t\tif ew == nil {\n\t\t\t\t\tew = errors.New(\"invalid write\")\n\t\t\t\t}\n\t\t\t}\n\t\t\twritten += int64(nw)\n\t\t\tif ew != nil {\n\t\t\t\terr = ew\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tif nr != nw {\n\t\t\t\terr = io.ErrShortWrite\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif er != nil {\n\t\t\tif er != io.EOF {\n\t\t\t\terr = er\n\t\t\t}\n\t\t\tbreak\n\t\t}\n\t}\n\treturn written, err\n}\n\nfunc getMountPath(mountPath string) string {\n\tif mountPath == \"/\" {\n\t\treturn \"\"\n\t}\n\treturn mountPath\n}\n\nfunc getLocalTempDir() string {\n\tif tempPath != \"\" {\n\t\treturn tempPath\n\t}\n\treturn filepath.Clean(os.TempDir())\n}\n\nfunc doRecursiveRename(fs Fs, source, target string,\n\trenameFn func(string, string, os.FileInfo, int, bool) (int, int64, error),\n\trecursion int, updateModTime bool,\n) (int, int64, error) {\n\tvar numFiles int\n\tvar filesSize int64\n\n\tif recursion > util.MaxRecursion {\n\t\treturn numFiles, filesSize, util.ErrRecursionTooDeep\n\t}\n\trecursion++\n\n\tlister, err := fs.ReadDir(source)\n\tif err != nil {\n\t\treturn numFiles, filesSize, err\n\t}\n\tdefer lister.Close()\n\n\tfor {\n\t\tentries, err := lister.Next(ListerBatchSize)\n\t\tfinished := errors.Is(err, io.EOF)\n\t\tif err != nil && !finished {\n\t\t\treturn numFiles, filesSize, err\n\t\t}\n\t\tfor _, info := range entries {\n\t\t\tsourceEntry := fs.Join(source, info.Name())\n\t\t\ttargetEntry := fs.Join(target, info.Name())\n\t\t\tfiles, size, err := renameFn(sourceEntry, targetEntry, info, recursion, updateModTime)\n\t\t\tif err != nil {\n\t\t\t\tif fs.IsNotExist(err) {\n\t\t\t\t\tfsLog(fs, logger.LevelInfo, \"skipping rename for %q: %v\", sourceEntry, err)\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\treturn numFiles, filesSize, err\n\t\t\t}\n\t\t\tnumFiles += files\n\t\t\tfilesSize += size\n\t\t}\n\t\tif finished {\n\t\t\treturn numFiles, filesSize, nil\n\t\t}\n\t}\n}\n\n// copied from rclone\nfunc readFill(r io.Reader, buf []byte) (n int, err error) {\n\tvar nn int\n\tfor n < len(buf) && err == nil {\n\t\tnn, err = r.Read(buf[n:])\n\t\tn += nn\n\t}\n\treturn n, err\n}\n\nfunc writeAtFull(w io.WriterAt, buf []byte, offset int64, count int) error {\n\twritten := 0\n\tfor written < count {\n\t\tn, err := w.WriteAt(buf[written:count], offset+int64(written))\n\t\twritten += n\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\treturn nil\n}\n\ntype bytesReaderWrapper struct {\n\t*bytes.Reader\n}\n\nfunc (b *bytesReaderWrapper) Close() error {\n\treturn nil\n}\n\ntype bufferAllocator struct {\n\tsync.Mutex\n\tavailable [][]byte\n\tbufferSize int\n\tfinalized bool\n}\n\nfunc newBufferAllocator(size int) *bufferAllocator {\n\treturn &bufferAllocator{\n\t\tbufferSize: size,\n\t\tfinalized: false,\n\t}\n}\n\nfunc (b *bufferAllocator) getBuffer() []byte {\n\tb.Lock()\n\tdefer b.Unlock()\n\n\tif len(b.available) > 0 {\n\t\tvar result []byte\n\n\t\ttruncLength := len(b.available) - 1\n\t\tresult = b.available[truncLength]\n\n\t\tb.available[truncLength] = nil\n\t\tb.available = b.available[:truncLength]\n\n\t\treturn result\n\t}\n\n\treturn make([]byte, b.bufferSize)\n}\n\nfunc (b *bufferAllocator) releaseBuffer(buf []byte) {\n\tb.Lock()\n\tdefer b.Unlock()\n\n\tif b.finalized || len(buf) != b.bufferSize {\n\t\treturn\n\t}\n\n\tb.available = append(b.available, buf)\n}\n\nfunc (b *bufferAllocator) free() {\n\tb.Lock()\n\tdefer b.Unlock()\n\n\tb.available = nil\n\tb.finalized = true\n}\n\nfunc fsLog(fs Fs, level logger.LogLevel, format string, v ...any) {\n\tlogger.Log(level, fs.Name(), fs.ConnectionID(), format, v...)\n}\n" }, { "path": "internal/webdavd/file.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage webdavd\n\nimport (\n\t\"context\"\n\t\"encoding/xml\"\n\t\"errors\"\n\t\"io\"\n\t\"mime\"\n\t\"net/http\"\n\t\"os\"\n\t\"path\"\n\t\"slices\"\n\t\"sync/atomic\"\n\t\"time\"\n\n\t\"github.com/drakkan/webdav\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nvar (\n\terrTransferAborted = errors.New(\"transfer aborted\")\n\tlastModifiedProps = []string{\"Win32LastModifiedTime\", \"getlastmodified\"}\n)\n\ntype webDavFile struct {\n\t*common.BaseTransfer\n\twriter io.WriteCloser\n\treader io.ReadCloser\n\tinfo os.FileInfo\n\tstartOffset int64\n\tisFinished bool\n\treadTried atomic.Bool\n}\n\nfunc newWebDavFile(baseTransfer *common.BaseTransfer, pipeWriter vfs.PipeWriter, pipeReader vfs.PipeReader) *webDavFile {\n\tvar writer io.WriteCloser\n\tvar reader io.ReadCloser\n\tif baseTransfer.File != nil {\n\t\twriter = baseTransfer.File\n\t\treader = baseTransfer.File\n\t} else if pipeWriter != nil {\n\t\twriter = pipeWriter\n\t} else if pipeReader != nil {\n\t\treader = pipeReader\n\t}\n\tf := &webDavFile{\n\t\tBaseTransfer: baseTransfer,\n\t\twriter: writer,\n\t\treader: reader,\n\t\tisFinished: false,\n\t\tstartOffset: 0,\n\t\tinfo: nil,\n\t}\n\tf.readTried.Store(false)\n\treturn f\n}\n\ntype webDavFileInfo struct {\n\tos.FileInfo\n\tFs vfs.Fs\n\tvirtualPath string\n\tfsPath string\n}\n\n// ContentType implements webdav.ContentTyper interface\nfunc (fi *webDavFileInfo) ContentType(_ context.Context) (string, error) {\n\textension := path.Ext(fi.virtualPath)\n\tif ctype, ok := customMimeTypeMapping[extension]; ok {\n\t\treturn ctype, nil\n\t}\n\tif extension == \"\" || extension == \".dat\" {\n\t\treturn \"application/octet-stream\", nil\n\t}\n\tcontentType := mime.TypeByExtension(extension)\n\tif contentType != \"\" {\n\t\treturn contentType, nil\n\t}\n\tcontentType = mimeTypeCache.getMimeFromCache(extension)\n\tif contentType != \"\" {\n\t\treturn contentType, nil\n\t}\n\tcontentType, err := fi.Fs.GetMimeType(fi.fsPath)\n\tif contentType != \"\" {\n\t\tmimeTypeCache.addMimeToCache(extension, contentType)\n\t\treturn contentType, err\n\t}\n\treturn \"\", webdav.ErrNotImplemented\n}\n\n// Readdir reads directory entries from the handle\nfunc (f *webDavFile) Readdir(_ int) ([]os.FileInfo, error) {\n\treturn nil, webdav.ErrNotImplemented\n}\n\n// ReadDir implements the FileDirLister interface\nfunc (f *webDavFile) ReadDir() (webdav.DirLister, error) {\n\tif !f.Connection.User.HasPerm(dataprovider.PermListItems, f.GetVirtualPath()) {\n\t\treturn nil, f.Connection.GetPermissionDeniedError()\n\t}\n\tlister, err := f.Connection.ListDir(f.GetVirtualPath())\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn &webDavDirLister{\n\t\tDirLister: lister,\n\t\tfs: f.Fs,\n\t\tvirtualDirPath: f.GetVirtualPath(),\n\t\tfsDirPath: f.GetFsPath(),\n\t}, nil\n}\n\n// Stat the handle\nfunc (f *webDavFile) Stat() (os.FileInfo, error) {\n\tif f.GetType() == common.TransferDownload && !f.Connection.User.HasPerm(dataprovider.PermListItems, path.Dir(f.GetVirtualPath())) {\n\t\treturn nil, f.Connection.GetPermissionDeniedError()\n\t}\n\tf.Lock()\n\terrUpload := f.ErrTransfer\n\tf.Unlock()\n\tif f.GetType() == common.TransferUpload && errUpload == nil {\n\t\tinfo := &webDavFileInfo{\n\t\t\tFileInfo: vfs.NewFileInfo(f.GetFsPath(), false, f.BytesReceived.Load(), time.Now(), false),\n\t\t\tFs: f.Fs,\n\t\t\tvirtualPath: f.GetVirtualPath(),\n\t\t\tfsPath: f.GetFsPath(),\n\t\t}\n\t\treturn info, nil\n\t}\n\tinfo, err := f.Fs.Stat(f.GetFsPath())\n\tif err != nil {\n\t\treturn nil, f.Connection.GetFsError(f.Fs, err)\n\t}\n\tif vfs.IsCryptOsFs(f.Fs) {\n\t\tinfo = f.Fs.(*vfs.CryptFs).ConvertFileInfo(info)\n\t}\n\tfi := &webDavFileInfo{\n\t\tFileInfo: info,\n\t\tFs: f.Fs,\n\t\tvirtualPath: f.GetVirtualPath(),\n\t\tfsPath: f.GetFsPath(),\n\t}\n\treturn fi, nil\n}\n\nfunc (f *webDavFile) checkFirstRead() error {\n\tif !f.Connection.User.HasPerm(dataprovider.PermDownload, path.Dir(f.GetVirtualPath())) {\n\t\treturn f.Connection.GetPermissionDeniedError()\n\t}\n\ttransferQuota := f.GetTransferQuota()\n\tif !transferQuota.HasDownloadSpace() {\n\t\tf.Connection.Log(logger.LevelInfo, \"denying file read due to quota limits\")\n\t\treturn f.Connection.GetReadQuotaExceededError()\n\t}\n\tif ok, policy := f.Connection.User.IsFileAllowed(f.GetVirtualPath()); !ok {\n\t\tf.Connection.Log(logger.LevelWarn, \"reading file %q is not allowed\", f.GetVirtualPath())\n\t\treturn f.Connection.GetErrorForDeniedFile(policy)\n\t}\n\t_, err := common.ExecutePreAction(f.Connection, common.OperationPreDownload, f.GetFsPath(), f.GetVirtualPath(), 0, 0)\n\tif err != nil {\n\t\tf.Connection.Log(logger.LevelDebug, \"download for file %q denied by pre action: %v\", f.GetVirtualPath(), err)\n\t\treturn f.Connection.GetPermissionDeniedError()\n\t}\n\tf.readTried.Store(true)\n\treturn nil\n}\n\n// Read reads the contents to downloads.\nfunc (f *webDavFile) Read(p []byte) (n int, err error) {\n\tif f.AbortTransfer.Load() {\n\t\treturn 0, errTransferAborted\n\t}\n\tif !f.readTried.Load() {\n\t\tif err := f.checkFirstRead(); err != nil {\n\t\t\treturn 0, err\n\t\t}\n\t}\n\tf.Connection.UpdateLastActivity()\n\n\t// the file is read sequentially we don't need to check for concurrent reads and so\n\t// lock the transfer while opening the remote file\n\tif f.reader == nil {\n\t\tif f.GetType() != common.TransferDownload {\n\t\t\tf.TransferError(common.ErrOpUnsupported)\n\t\t\treturn 0, common.ErrOpUnsupported\n\t\t}\n\t\tfile, r, cancelFn, e := f.Fs.Open(f.GetFsPath(), 0)\n\t\tf.Lock()\n\t\tif e == nil {\n\t\t\tif file != nil {\n\t\t\t\tf.File = file\n\t\t\t\tf.writer = f.File\n\t\t\t\tf.reader = f.File\n\t\t\t} else if r != nil {\n\t\t\t\tf.reader = r\n\t\t\t}\n\t\t\tf.SetCancelFn(cancelFn)\n\t\t}\n\t\tf.ErrTransfer = e\n\t\tf.startOffset = 0\n\t\tf.Unlock()\n\t\tif e != nil {\n\t\t\treturn 0, f.Connection.GetFsError(f.Fs, e)\n\t\t}\n\t}\n\n\tn, err = f.reader.Read(p)\n\tf.BytesSent.Add(int64(n))\n\tif err == nil {\n\t\terr = f.CheckRead()\n\t}\n\tif err != nil && err != io.EOF {\n\t\tf.TransferError(err)\n\t\terr = f.ConvertError(err)\n\t\treturn\n\t}\n\tf.HandleThrottle()\n\treturn\n}\n\n// Write writes the uploaded contents.\nfunc (f *webDavFile) Write(p []byte) (n int, err error) {\n\tif f.AbortTransfer.Load() {\n\t\treturn 0, errTransferAborted\n\t}\n\n\tf.Connection.UpdateLastActivity()\n\n\tn, err = f.writer.Write(p)\n\tf.BytesReceived.Add(int64(n))\n\n\tif err == nil {\n\t\terr = f.CheckWrite()\n\t}\n\tif err != nil {\n\t\tf.TransferError(err)\n\t\terr = f.ConvertError(err)\n\t\treturn\n\t}\n\tf.HandleThrottle()\n\treturn\n}\n\nfunc (f *webDavFile) updateStatInfo() error {\n\tif f.info != nil {\n\t\treturn nil\n\t}\n\tinfo, err := f.Fs.Stat(f.GetFsPath())\n\tif err != nil {\n\t\treturn err\n\t}\n\tif vfs.IsCryptOsFs(f.Fs) {\n\t\tinfo = f.Fs.(*vfs.CryptFs).ConvertFileInfo(info)\n\t}\n\tf.info = info\n\treturn nil\n}\n\nfunc (f *webDavFile) updateTransferQuotaOnSeek() {\n\ttransferQuota := f.GetTransferQuota()\n\tif transferQuota.HasSizeLimits() {\n\t\tgo func(ulSize, dlSize int64, user dataprovider.User) {\n\t\t\tdataprovider.UpdateUserTransferQuota(&user, ulSize, dlSize, false) //nolint:errcheck\n\t\t}(f.BytesReceived.Load(), f.BytesSent.Load(), f.Connection.User)\n\t}\n}\n\nfunc (f *webDavFile) checkFile() error {\n\tif f.File == nil && vfs.FsOpenReturnsFile(f.Fs) {\n\t\tfile, _, _, err := f.Fs.Open(f.GetFsPath(), 0)\n\t\tif err != nil {\n\t\t\tf.Connection.Log(logger.LevelWarn, \"could not open file %q for seeking: %v\",\n\t\t\t\tf.GetFsPath(), err)\n\t\t\tf.TransferError(err)\n\t\t\treturn err\n\t\t}\n\t\tf.File = file\n\t\tf.reader = file\n\t\tf.writer = file\n\t}\n\treturn nil\n}\n\nfunc (f *webDavFile) seekFile(offset int64, whence int) (int64, error) {\n\tret, err := f.File.Seek(offset, whence)\n\tif err != nil {\n\t\tf.TransferError(err)\n\t}\n\treturn ret, err\n}\n\n// Seek sets the offset for the next Read or Write on the writer to offset,\n// interpreted according to whence: 0 means relative to the origin of the file,\n// 1 means relative to the current offset, and 2 means relative to the end.\n// It returns the new offset and an error, if any.\nfunc (f *webDavFile) Seek(offset int64, whence int) (int64, error) {\n\tf.Connection.UpdateLastActivity()\n\tif err := f.checkFile(); err != nil {\n\t\treturn 0, err\n\t}\n\tif f.File != nil {\n\t\treturn f.seekFile(offset, whence)\n\t}\n\tif f.GetType() == common.TransferDownload {\n\t\treadOffset := f.startOffset + f.BytesSent.Load()\n\t\tif offset == 0 && readOffset == 0 {\n\t\t\tswitch whence {\n\t\t\tcase io.SeekStart:\n\t\t\t\treturn 0, nil\n\t\t\tcase io.SeekEnd:\n\t\t\t\tif err := f.updateStatInfo(); err != nil {\n\t\t\t\t\treturn 0, err\n\t\t\t\t}\n\t\t\t\treturn f.info.Size(), nil\n\t\t\t}\n\t\t}\n\n\t\t// close the reader and create a new one at startByte\n\t\tif f.reader != nil {\n\t\t\tf.reader.Close() //nolint:errcheck\n\t\t\tf.reader = nil\n\t\t}\n\t\tstartByte := int64(0)\n\t\tf.BytesReceived.Store(0)\n\t\tf.BytesSent.Store(0)\n\t\tf.updateTransferQuotaOnSeek()\n\n\t\tswitch whence {\n\t\tcase io.SeekStart:\n\t\t\tstartByte = offset\n\t\tcase io.SeekCurrent:\n\t\t\tstartByte = readOffset + offset\n\t\tcase io.SeekEnd:\n\t\t\tif err := f.updateStatInfo(); err != nil {\n\t\t\t\tf.TransferError(err)\n\t\t\t\treturn 0, err\n\t\t\t}\n\t\t\tstartByte = f.info.Size() - offset\n\t\t}\n\n\t\t_, r, cancelFn, err := f.Fs.Open(f.GetFsPath(), startByte)\n\n\t\tf.Lock()\n\t\tif err == nil {\n\t\t\tf.startOffset = startByte\n\t\t\tf.reader = r\n\t\t}\n\t\tf.ErrTransfer = err\n\t\tf.SetCancelFn(cancelFn)\n\t\tf.Unlock()\n\n\t\treturn startByte, err\n\t}\n\treturn 0, common.ErrOpUnsupported\n}\n\n// Close closes the open directory or the current transfer\nfunc (f *webDavFile) Close() error {\n\tif err := f.setFinished(); err != nil {\n\t\treturn err\n\t}\n\terr := f.closeIO()\n\tif f.isTransfer() {\n\t\terrBaseClose := f.BaseTransfer.Close()\n\t\tif errBaseClose != nil {\n\t\t\terr = errBaseClose\n\t\t}\n\t} else {\n\t\tf.Connection.RemoveTransfer(f.BaseTransfer)\n\t}\n\treturn f.Connection.GetFsError(f.Fs, err)\n}\n\nfunc (f *webDavFile) closeIO() error {\n\tvar err error\n\tif f.File != nil {\n\t\terr = f.File.Close()\n\t} else if f.writer != nil {\n\t\terr = f.writer.Close()\n\t\tf.Lock()\n\t\t// we set ErrTransfer here so quota is not updated, in this case the uploads are atomic\n\t\tif err != nil && f.ErrTransfer == nil {\n\t\t\tf.ErrTransfer = err\n\t\t}\n\t\tf.Unlock()\n\t} else if f.reader != nil {\n\t\terr = f.reader.Close()\n\t\tif metadater, ok := f.reader.(vfs.Metadater); ok {\n\t\t\tf.SetMetadata(metadater.Metadata())\n\t\t}\n\t}\n\treturn err\n}\n\nfunc (f *webDavFile) setFinished() error {\n\tf.Lock()\n\tdefer f.Unlock()\n\n\tif f.isFinished {\n\t\treturn common.ErrTransferClosed\n\t}\n\tf.isFinished = true\n\treturn nil\n}\n\nfunc (f *webDavFile) isTransfer() bool {\n\tif f.GetType() == common.TransferDownload {\n\t\treturn f.readTried.Load()\n\t}\n\treturn true\n}\n\n// DeadProps returns a copy of the dead properties held.\n// We always return nil for now, we only support the last modification time\n// and it is already included in \"live\" properties\nfunc (f *webDavFile) DeadProps() (map[xml.Name]webdav.Property, error) {\n\treturn nil, nil\n}\n\n// Patch patches the dead properties held.\n// In our minimal implementation we just support Win32LastModifiedTime and\n// getlastmodified to set the the modification time.\n// We ignore any other property and just return an OK response if the patch sets\n// the modification time, otherwise a Forbidden response\nfunc (f *webDavFile) Patch(patches []webdav.Proppatch) ([]webdav.Propstat, error) {\n\tresp := make([]webdav.Propstat, 0, len(patches))\n\thasError := false\n\tfor _, patch := range patches {\n\t\tstatus := http.StatusForbidden\n\t\tpstat := webdav.Propstat{}\n\t\tfor _, p := range patch.Props {\n\t\t\tif status == http.StatusForbidden && !hasError {\n\t\t\t\tif !patch.Remove && slices.Contains(lastModifiedProps, p.XMLName.Local) {\n\t\t\t\t\tparsed, err := parseTime(util.BytesToString(p.InnerXML))\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\tf.Connection.Log(logger.LevelWarn, \"unsupported last modification time: %q, err: %v\",\n\t\t\t\t\t\t\tp.InnerXML, err)\n\t\t\t\t\t\thasError = true\n\t\t\t\t\t\tcontinue\n\t\t\t\t\t}\n\t\t\t\t\tattrs := &common.StatAttributes{\n\t\t\t\t\t\tFlags: common.StatAttrTimes,\n\t\t\t\t\t\tAtime: parsed,\n\t\t\t\t\t\tMtime: parsed,\n\t\t\t\t\t}\n\t\t\t\t\tif err := f.Connection.SetStat(f.GetVirtualPath(), attrs); err != nil {\n\t\t\t\t\t\tf.Connection.Log(logger.LevelWarn, \"unable to set modification time for %q, err :%v\",\n\t\t\t\t\t\t\tf.GetVirtualPath(), err)\n\t\t\t\t\t\thasError = true\n\t\t\t\t\t\tcontinue\n\t\t\t\t\t}\n\t\t\t\t\tstatus = http.StatusOK\n\t\t\t\t}\n\t\t\t}\n\t\t\tpstat.Props = append(pstat.Props, webdav.Property{XMLName: p.XMLName})\n\t\t}\n\t\tpstat.Status = status\n\t\tresp = append(resp, pstat)\n\t}\n\treturn resp, nil\n}\n\ntype webDavDirLister struct {\n\tvfs.DirLister\n\tfs vfs.Fs\n\tvirtualDirPath string\n\tfsDirPath string\n}\n\nfunc (l *webDavDirLister) Next(limit int) ([]os.FileInfo, error) {\n\tfiles, err := l.DirLister.Next(limit)\n\tfor idx := range files {\n\t\tinfo := files[idx]\n\t\tfiles[idx] = &webDavFileInfo{\n\t\t\tFileInfo: info,\n\t\t\tFs: l.fs,\n\t\t\tvirtualPath: path.Join(l.virtualDirPath, info.Name()),\n\t\t\tfsPath: l.fs.Join(l.fsDirPath, info.Name()),\n\t\t}\n\t}\n\treturn files, err\n}\n" }, { "path": "internal/webdavd/handler.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage webdavd\n\nimport (\n\t\"context\"\n\t\"net/http\"\n\t\"os\"\n\t\"path\"\n\t\"strconv\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/drakkan/webdav\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\n// Connection details for a WebDav connection.\ntype Connection struct {\n\t*common.BaseConnection\n\trequest *http.Request\n\trc *http.ResponseController\n}\n\nfunc newConnection(conn *common.BaseConnection, w http.ResponseWriter, r *http.Request) *Connection {\n\trc := http.NewResponseController(w)\n\tresponseControllerDeadlines(rc, time.Time{}, time.Time{})\n\treturn &Connection{\n\t\tBaseConnection: conn,\n\t\trequest: r,\n\t\trc: rc,\n\t}\n}\n\nfunc (c *Connection) getModificationTime() time.Time {\n\tif c.request == nil {\n\t\treturn time.Time{}\n\t}\n\tif val := c.request.Header.Get(\"X-OC-Mtime\"); val != \"\" {\n\t\tif unixTime, err := strconv.ParseInt(val, 10, 64); err == nil {\n\t\t\treturn time.Unix(unixTime, 0)\n\t\t}\n\t}\n\treturn time.Time{}\n}\n\n// GetClientVersion returns the connected client's version.\nfunc (c *Connection) GetClientVersion() string {\n\tif c.request != nil {\n\t\treturn c.request.UserAgent()\n\t}\n\treturn \"\"\n}\n\n// GetLocalAddress returns local connection address\nfunc (c *Connection) GetLocalAddress() string {\n\treturn util.GetHTTPLocalAddress(c.request)\n}\n\n// GetRemoteAddress returns the connected client's address\nfunc (c *Connection) GetRemoteAddress() string {\n\tif c.request != nil {\n\t\treturn c.request.RemoteAddr\n\t}\n\treturn \"\"\n}\n\n// Disconnect closes the active transfer\nfunc (c *Connection) Disconnect() error {\n\tif c.rc != nil {\n\t\tresponseControllerDeadlines(c.rc, time.Now().Add(5*time.Second), time.Now().Add(5*time.Second))\n\t}\n\treturn c.SignalTransfersAbort()\n}\n\n// GetCommand returns the request method\nfunc (c *Connection) GetCommand() string {\n\tif c.request != nil {\n\t\treturn strings.ToUpper(c.request.Method)\n\t}\n\treturn \"\"\n}\n\n// Mkdir creates a directory using the connection filesystem\nfunc (c *Connection) Mkdir(_ context.Context, name string, _ os.FileMode) error {\n\tc.UpdateLastActivity()\n\n\tname = util.CleanPath(name)\n\treturn c.CreateDir(name, true)\n}\n\n// Rename renames a file or a directory\nfunc (c *Connection) Rename(_ context.Context, oldName, newName string) error {\n\tc.UpdateLastActivity()\n\n\toldName = util.CleanPath(oldName)\n\tnewName = util.CleanPath(newName)\n\n\terr := c.BaseConnection.Rename(oldName, newName)\n\tif err == nil {\n\t\tif mtime := c.getModificationTime(); !mtime.IsZero() {\n\t\t\tattrs := &common.StatAttributes{\n\t\t\t\tFlags: common.StatAttrTimes,\n\t\t\t\tAtime: mtime,\n\t\t\t\tMtime: mtime,\n\t\t\t}\n\t\t\tsetStatErr := c.SetStat(newName, attrs)\n\t\t\tc.Log(logger.LevelDebug, \"mtime header found for %q, value: %s, err: %v\", newName, mtime, setStatErr)\n\t\t}\n\t}\n\treturn err\n}\n\n// Stat returns a FileInfo describing the named file/directory, or an error,\n// if any happens\nfunc (c *Connection) Stat(_ context.Context, name string) (os.FileInfo, error) {\n\tc.UpdateLastActivity()\n\n\tname = util.CleanPath(name)\n\tif !c.User.HasPerm(dataprovider.PermListItems, path.Dir(name)) {\n\t\treturn nil, c.GetPermissionDeniedError()\n\t}\n\n\tfi, err := c.DoStat(name, 0, true)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn fi, err\n}\n\n// RemoveAll removes path and any children it contains.\n// If the path does not exist, RemoveAll returns nil (no error).\nfunc (c *Connection) RemoveAll(_ context.Context, name string) error {\n\tc.UpdateLastActivity()\n\n\tname = util.CleanPath(name)\n\treturn c.BaseConnection.RemoveAll(name)\n}\n\n// OpenFile opens the named file with specified flag.\n// This method is used for uploads and downloads but also for Stat and Readdir\nfunc (c *Connection) OpenFile(_ context.Context, name string, flag int, _ os.FileMode) (webdav.File, error) {\n\tc.UpdateLastActivity()\n\n\tif err := common.Connections.IsNewTransferAllowed(c.User.Username); err != nil {\n\t\tc.Log(logger.LevelInfo, \"denying transfer due to count limits\")\n\t\treturn nil, c.GetPermissionDeniedError()\n\t}\n\n\tname = util.CleanPath(name)\n\tfs, p, err := c.GetFsAndResolvedPath(name)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tif flag == os.O_RDONLY || c.request.Method == \"PROPPATCH\" {\n\t\t// Download, Stat, Readdir or simply open/close\n\t\treturn c.getFile(fs, p, name)\n\t}\n\treturn c.putFile(fs, p, name)\n}\n\nfunc (c *Connection) getFile(fs vfs.Fs, fsPath, virtualPath string) (webdav.File, error) {\n\tvar cancelFn func()\n\n\t// we open the file when we receive the first read so we only open the file if necessary\n\tbaseTransfer := common.NewBaseTransfer(nil, c.BaseConnection, cancelFn, fsPath, fsPath, virtualPath,\n\t\tcommon.TransferDownload, 0, 0, 0, 0, false, fs, c.GetTransferQuota())\n\n\treturn newWebDavFile(baseTransfer, nil, nil), nil\n}\n\nfunc (c *Connection) putFile(fs vfs.Fs, fsPath, virtualPath string) (webdav.File, error) {\n\tif ok, _ := c.User.IsFileAllowed(virtualPath); !ok {\n\t\tc.Log(logger.LevelWarn, \"writing file %q is not allowed\", virtualPath)\n\t\treturn nil, c.GetPermissionDeniedError()\n\t}\n\n\tfilePath := fsPath\n\tif common.Config.IsAtomicUploadEnabled() && fs.IsAtomicUploadSupported() {\n\t\tfilePath = fs.GetAtomicUploadPath(fsPath)\n\t}\n\n\tstat, statErr := fs.Lstat(fsPath)\n\tif (statErr == nil && stat.Mode()&os.ModeSymlink != 0) || fs.IsNotExist(statErr) {\n\t\tif !c.User.HasPerm(dataprovider.PermUpload, path.Dir(virtualPath)) {\n\t\t\treturn nil, c.GetPermissionDeniedError()\n\t\t}\n\t\treturn c.handleUploadToNewFile(fs, fsPath, filePath, virtualPath)\n\t}\n\n\tif statErr != nil {\n\t\tc.Log(logger.LevelError, \"error performing file stat %q: %+v\", fsPath, statErr)\n\t\treturn nil, c.GetFsError(fs, statErr)\n\t}\n\n\t// This happen if we upload a file that has the same name of an existing directory\n\tif stat.IsDir() {\n\t\tc.Log(logger.LevelError, \"attempted to open a directory for writing to: %q\", fsPath)\n\t\treturn nil, c.GetOpUnsupportedError()\n\t}\n\n\tif !c.User.HasPerm(dataprovider.PermOverwrite, path.Dir(virtualPath)) {\n\t\treturn nil, c.GetPermissionDeniedError()\n\t}\n\n\treturn c.handleUploadToExistingFile(fs, fsPath, filePath, stat.Size(), virtualPath)\n}\n\nfunc (c *Connection) handleUploadToNewFile(fs vfs.Fs, resolvedPath, filePath, requestPath string) (webdav.File, error) {\n\tdiskQuota, transferQuota := c.HasSpace(true, false, requestPath)\n\tif !diskQuota.HasSpace || !transferQuota.HasUploadSpace() {\n\t\tc.Log(logger.LevelInfo, \"denying file write due to quota limits\")\n\t\treturn nil, common.ErrQuotaExceeded\n\t}\n\tif _, err := common.ExecutePreAction(c.BaseConnection, common.OperationPreUpload, resolvedPath, requestPath, 0, 0); err != nil {\n\t\tc.Log(logger.LevelDebug, \"upload for file %q denied by pre action: %v\", requestPath, err)\n\t\treturn nil, c.GetPermissionDeniedError()\n\t}\n\tfile, w, cancelFn, err := fs.Create(filePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, c.GetCreateChecks(requestPath, true, false))\n\tif err != nil {\n\t\tc.Log(logger.LevelError, \"error creating file %q: %+v\", resolvedPath, err)\n\t\treturn nil, c.GetFsError(fs, err)\n\t}\n\n\tvfs.SetPathPermissions(fs, filePath, c.User.GetUID(), c.User.GetGID())\n\n\t// we can get an error only for resume\n\tmaxWriteSize, _ := c.GetMaxWriteSize(diskQuota, false, 0, fs.IsUploadResumeSupported())\n\n\tbaseTransfer := common.NewBaseTransfer(file, c.BaseConnection, cancelFn, resolvedPath, filePath, requestPath,\n\t\tcommon.TransferUpload, 0, 0, maxWriteSize, 0, true, fs, transferQuota)\n\tmtime := c.getModificationTime()\n\tbaseTransfer.SetTimes(resolvedPath, mtime, mtime)\n\n\treturn newWebDavFile(baseTransfer, w, nil), nil\n}\n\nfunc (c *Connection) handleUploadToExistingFile(fs vfs.Fs, resolvedPath, filePath string, fileSize int64,\n\trequestPath string,\n) (webdav.File, error) {\n\tvar err error\n\tdiskQuota, transferQuota := c.HasSpace(false, false, requestPath)\n\tif !diskQuota.HasSpace || !transferQuota.HasUploadSpace() {\n\t\tc.Log(logger.LevelInfo, \"denying file write due to quota limits\")\n\t\treturn nil, common.ErrQuotaExceeded\n\t}\n\tif _, err := common.ExecutePreAction(c.BaseConnection, common.OperationPreUpload, resolvedPath, requestPath,\n\t\tfileSize, os.O_TRUNC); err != nil {\n\t\tc.Log(logger.LevelDebug, \"upload for file %q denied by pre action: %v\", requestPath, err)\n\t\treturn nil, c.GetPermissionDeniedError()\n\t}\n\n\t// if there is a size limit remaining size cannot be 0 here, since quotaResult.HasSpace\n\t// will return false in this case and we deny the upload before\n\tmaxWriteSize, _ := c.GetMaxWriteSize(diskQuota, false, fileSize, fs.IsUploadResumeSupported())\n\n\tif common.Config.IsAtomicUploadEnabled() && fs.IsAtomicUploadSupported() {\n\t\t_, _, err = fs.Rename(resolvedPath, filePath, 0)\n\t\tif err != nil {\n\t\t\tc.Log(logger.LevelError, \"error renaming existing file for atomic upload, source: %q, dest: %q, err: %+v\",\n\t\t\t\tresolvedPath, filePath, err)\n\t\t\treturn nil, c.GetFsError(fs, err)\n\t\t}\n\t}\n\n\tfile, w, cancelFn, err := fs.Create(filePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, c.GetCreateChecks(requestPath, false, false))\n\tif err != nil {\n\t\tc.Log(logger.LevelError, \"error creating file %q: %+v\", resolvedPath, err)\n\t\treturn nil, c.GetFsError(fs, err)\n\t}\n\tinitialSize := int64(0)\n\ttruncatedSize := int64(0) // bytes truncated and not included in quota\n\tif vfs.HasTruncateSupport(fs) {\n\t\tvfolder, err := c.User.GetVirtualFolderForPath(path.Dir(requestPath))\n\t\tif err == nil {\n\t\t\tdataprovider.UpdateUserFolderQuota(&vfolder, &c.User, 0, -fileSize, false)\n\t\t} else {\n\t\t\tdataprovider.UpdateUserQuota(&c.User, 0, -fileSize, false) //nolint:errcheck\n\t\t}\n\t} else {\n\t\tinitialSize = fileSize\n\t\ttruncatedSize = fileSize\n\t}\n\n\tvfs.SetPathPermissions(fs, filePath, c.User.GetUID(), c.User.GetGID())\n\n\tbaseTransfer := common.NewBaseTransfer(file, c.BaseConnection, cancelFn, resolvedPath, filePath, requestPath,\n\t\tcommon.TransferUpload, 0, initialSize, maxWriteSize, truncatedSize, false, fs, transferQuota)\n\tmtime := c.getModificationTime()\n\tbaseTransfer.SetTimes(resolvedPath, mtime, mtime)\n\n\treturn newWebDavFile(baseTransfer, w, nil), nil\n}\n" }, { "path": "internal/webdavd/internal_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage webdavd\n\nimport (\n\t\"context\"\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"encoding/xml\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"os\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/drakkan/webdav\"\n\t\"github.com/eikenb/pipeat\"\n\t\"github.com/sftpgo/sdk\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/stretchr/testify/require\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n)\n\nconst (\n\ttestFile = \"test_dav_file\"\n\twebDavCert = `-----BEGIN CERTIFICATE-----\nMIICHTCCAaKgAwIBAgIUHnqw7QnB1Bj9oUsNpdb+ZkFPOxMwCgYIKoZIzj0EAwIw\nRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu\ndGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDAyMDQwOTUzMDRaFw0zMDAyMDEw\nOTUzMDRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYD\nVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwdjAQBgcqhkjOPQIBBgUrgQQA\nIgNiAARCjRMqJ85rzMC998X5z761nJ+xL3bkmGVqWvrJ51t5OxV0v25NsOgR82CA\nNXUgvhVYs7vNFN+jxtb2aj6Xg+/2G/BNxkaFspIVCzgWkxiz7XE4lgUwX44FCXZM\n3+JeUbKjUzBRMB0GA1UdDgQWBBRhLw+/o3+Z02MI/d4tmaMui9W16jAfBgNVHSME\nGDAWgBRhLw+/o3+Z02MI/d4tmaMui9W16jAPBgNVHRMBAf8EBTADAQH/MAoGCCqG\nSM49BAMCA2kAMGYCMQDqLt2lm8mE+tGgtjDmtFgdOcI72HSbRQ74D5rYTzgST1rY\n/8wTi5xl8TiFUyLMUsICMQC5ViVxdXbhuG7gX6yEqSkMKZICHpO8hqFwOD/uaFVI\ndV4vKmHUzwK/eIx+8Ay3neE=\n-----END CERTIFICATE-----`\n\twebDavKey = `-----BEGIN EC PARAMETERS-----\nBgUrgQQAIg==\n-----END EC PARAMETERS-----\n-----BEGIN EC PRIVATE KEY-----\nMIGkAgEBBDCfMNsN6miEE3rVyUPwElfiJSWaR5huPCzUenZOfJT04GAcQdWvEju3\nUM2lmBLIXpGgBwYFK4EEACKhZANiAARCjRMqJ85rzMC998X5z761nJ+xL3bkmGVq\nWvrJ51t5OxV0v25NsOgR82CANXUgvhVYs7vNFN+jxtb2aj6Xg+/2G/BNxkaFspIV\nCzgWkxiz7XE4lgUwX44FCXZM3+JeUbI=\n-----END EC PRIVATE KEY-----`\n\tcaCRT = `-----BEGIN CERTIFICATE-----\nMIIE5jCCAs6gAwIBAgIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhDZXJ0\nQXV0aDAeFw0yNDAxMTAxODEyMDRaFw0zNDAxMTAxODIxNTRaMBMxETAPBgNVBAMT\nCENlcnRBdXRoMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA7WHW216m\nfi4uF8cx6HWf8wvAxaEWgCHTOi2MwFIzOrOtuT7xb64rkpdzx1aWetSiCrEyc3D1\nv03k0Akvlz1gtnDtO64+MA8bqlTnCydZJY4cCTvDOBUYZgtMqHZzpE6xRrqQ84zh\nyzjKQ5bR0st+XGfIkuhjSuf2n/ZPS37fge9j6AKzn/2uEVt33qmO85WtN3RzbSqL\nCdOJ6cQ216j3la1C5+NWvzIKC7t6NE1bBGI4+tRj7B5P5MeamkkogwbExUjdHp3U\n4yasvoGcCHUQDoa4Dej1faywz6JlwB6rTV4ys4aZDe67V/Q8iB2May1k7zBz1Ztb\nKF5Em3xewP1LqPEowF1uc4KtPGcP4bxdaIpSpmObcn8AIfH6smLQrn0C3cs7CYfo\nNlFuTbwzENUhjz0X6EsoM4w4c87lO+dRNR7YpHLqR/BJTbbyXUB0imne1u00fuzb\nS7OtweiA9w7DRCkr2gU4lmHe7l0T+SA9pxIeVLb78x7ivdyXSF5LVQJ1JvhhWu6i\nM6GQdLHat/0fpRFUbEe34RQSDJ2eOBifMJqvsvpBP8d2jcRZVUVrSXGc2mAGuGOY\n/tmnCJGW8Fd+sgpCVAqM0pxCM+apqrvJYUqqQZ2ZxugCXULtRWJ9p4C9zUl40HEy\nOQ+AaiiwFll/doXELglcJdNg8AZPGhugfxMCAwEAAaNFMEMwDgYDVR0PAQH/BAQD\nAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFNoJhIvDZQrEf/VQbWuu\nXgNnt2m5MA0GCSqGSIb3DQEBCwUAA4ICAQCYhT5SRqk19hGrQ09hVSZOzynXAa5F\nsYkEWJzFyLg9azhnTPE1bFM18FScnkd+dal6mt+bQiJvdh24NaVkDghVB7GkmXki\npAiZwEDHMqtbhiPxY8LtSeCBAz5JqXVU2Q0TpAgNSH4W7FbGWNThhxcJVOoIrXKE\njbzhwl1Etcaf0DBKWliUbdlxQQs65DLy+rNBYtOeK0pzhzn1vpehUlJ4eTFzP9KX\ny2Mksuq9AspPbqnqpWW645MdTxMb5T57MCrY3GDKw63z5z3kz88LWJF3nOxZmgQy\nWFUhbLmZm7x6N5eiu6Wk8/B4yJ/n5UArD4cEP1i7nqu+mbbM/SZlq1wnGpg/sbRV\noUF+a7pRcSbfxEttle4pLFhS+ErKatjGcNEab2OlU3bX5UoBs+TYodnCWGKOuBKV\nL/CYc65QyeYZ+JiwYn9wC8YkzOnnVIQjiCEkLgSL30h9dxpnTZDLrdAA8ItelDn5\nDvjuQq58CGDsaVqpSobiSC1DMXYWot4Ets1wwovUNEq1l0MERB+2olE+JU/8E23E\neL1/aA7Kw/JibkWz1IyzClpFDKXf6kR2onJyxerdwUL+is7tqYFLysiHxZDL1bli\nSXbW8hMa5gvo0IilFP9Rznn8PplIfCsvBDVv6xsRr5nTAFtwKaMBVgznE2ghs69w\nkK8u1YiiVenmoQ==\n-----END CERTIFICATE-----`\n\tcaKey = `-----BEGIN RSA PRIVATE KEY-----\nMIIJKgIBAAKCAgEA7WHW216mfi4uF8cx6HWf8wvAxaEWgCHTOi2MwFIzOrOtuT7x\nb64rkpdzx1aWetSiCrEyc3D1v03k0Akvlz1gtnDtO64+MA8bqlTnCydZJY4cCTvD\nOBUYZgtMqHZzpE6xRrqQ84zhyzjKQ5bR0st+XGfIkuhjSuf2n/ZPS37fge9j6AKz\nn/2uEVt33qmO85WtN3RzbSqLCdOJ6cQ216j3la1C5+NWvzIKC7t6NE1bBGI4+tRj\n7B5P5MeamkkogwbExUjdHp3U4yasvoGcCHUQDoa4Dej1faywz6JlwB6rTV4ys4aZ\nDe67V/Q8iB2May1k7zBz1ZtbKF5Em3xewP1LqPEowF1uc4KtPGcP4bxdaIpSpmOb\ncn8AIfH6smLQrn0C3cs7CYfoNlFuTbwzENUhjz0X6EsoM4w4c87lO+dRNR7YpHLq\nR/BJTbbyXUB0imne1u00fuzbS7OtweiA9w7DRCkr2gU4lmHe7l0T+SA9pxIeVLb7\n8x7ivdyXSF5LVQJ1JvhhWu6iM6GQdLHat/0fpRFUbEe34RQSDJ2eOBifMJqvsvpB\nP8d2jcRZVUVrSXGc2mAGuGOY/tmnCJGW8Fd+sgpCVAqM0pxCM+apqrvJYUqqQZ2Z\nxugCXULtRWJ9p4C9zUl40HEyOQ+AaiiwFll/doXELglcJdNg8AZPGhugfxMCAwEA\nAQKCAgEA4x0OoceG54ZrVxifqVaQd8qw3uRmUKUMIMdfuMlsdideeLO97ynmSlRY\n00kGo/I4Lp6mNEjI9gUie9+uBrcUhri4YLcujHCH+YlNnCBDbGjwbe0ds9SLCWaa\nKztZHMSlW5Q4Bqytgu+MpOnxSgqjlOk+vz9TcGFKVnUkHIkAcqKFJX8gOFxPZA/t\nOb1kJaz4kuv5W2Kur/ISKvQtvFvOtQeV0aJyZm8LqXnvS4cPI7yN4329NDU0HyDR\ny/deqS2aqV4zII3FFqbz8zix/m1xtVQzWCugZGMKrz0iuJMfNeCABb8rRGc6GsZz\n+465v/kobqgeyyneJ1s5rMFrLp2o+dwmnIVMNsFDUiN1lIZDHLvlgonaUO3IdTZc\n9asamFWKFKUMgWqM4zB1vmUO12CKowLNIIKb0L+kf1ixaLLDRGf/f9vLtSHE+oyx\nlATiS18VNA8+CGsHF6uXMRwf2auZdRI9+s6AAeyRISSbO1khyWKHo+bpOvmPAkDR\nnknTjbYgkoZOV+mrsU5oxV8s6vMkuvA3rwFhT2gie8pokuACFcCRrZi9MVs4LmUQ\nu0GYTHvp2WJUjMWBm6XX7Hk3g2HV842qpk/mdtTjNsXws81djtJPn4I/soIXSgXz\npY3SvKTuOckP9OZVF0yqKGeZXKpD288PKpC+MAg3GvEJaednagECggEBAPsfLwuP\nL1kiDjXyMcRoKlrQ6Q/zBGyBmJbZ5uVGa02+XtYtDAzLoVupPESXL0E7+r8ZpZ39\n0dV4CEJKpbVS/BBtTEkPpTK5kz778Ib04TAyj+YLhsZjsnuja3T5bIBZXFDeDVDM\n0ZaoFoKpIjTu2aO6pzngsgXs6EYbo2MTuJD3h0nkGZsICL7xvT9Mw0P1p2Ftt/hN\n+jKk3vN220wTWUsq43AePi45VwK+PNP12ZXv9HpWDxlPo3j0nXtgYXittYNAT92u\nBZbFAzldEIX9WKKZgsWtIzLaASjVRntpxDCTby/nlzQ5dw3DHU1DV3PIqxZS2+Oe\nKV+7XFWgZ44YjYECggEBAPH+VDu3QSrqSahkZLkgBtGRkiZPkZFXYvU6kL8qf5wO\nZ/uXMeqHtznAupLea8I4YZLfQim/NfC0v1cAcFa9Ckt9g3GwTSirVcN0AC1iOyv3\n/hMZCA1zIyIcuUplNr8qewoX71uPOvCNH0dix77423mKFkJmNwzy4Q+rV+qkRdLn\nv+AAgh7g5N91pxNd6LQJjoyfi1Ka6rRP2yGXM5v7QOwD16eN4JmExUxX1YQ7uNuX\npVS+HRxnBquA+3/DB1LtBX6pa2cUa+LRUmE/NCPHMvJcyuNkYpJKlNTd9vnbfo0H\nRNSJSWm+aGxDFMjuPjV3JLj2OdKMPwpnXdh2vBZCPpMCggEAM+yTvrEhmi2HgLIO\nhkz/jP2rYyfdn04ArhhqPLgd0dpuI5z24+Jq/9fzZT9ZfwSW6VK1QwDLlXcXRhXH\nQ8Hf6smev3CjuORURO61IkKaGWwrAucZPAY7ToNQ4cP9ImDXzMTNPgrLv3oMBYJR\nV16X09nxX+9NABqnQG/QjdjzDc6Qw7+NZ9f2bvzvI5qMuY2eyW91XbtJ45ThoLfP\nymAp03gPxQwL0WT7z85kJ3OrROxzwaPvxU0JQSZbNbqNDPXmFTiECxNDhpRAAWlz\n1DC5Vg2l05fkMkyPdtD6nOQWs/CYSfB5/EtxiX/xnBszhvZUIe6KFvuKFIhaJD5h\niykagQKCAQEAoBRm8k3KbTIo4ZzvyEq4V/+dF3zBRczx6FkCkYLygXBCNvsQiR2Y\nBjtI8Ijz7bnQShEoOmeDriRTAqGGrspEuiVgQ1+l2wZkKHRe/aaij/Zv+4AuhH8q\nuZEYvW7w5Uqbs9SbgQzhp2kjTNy6V8lVnjPLf8cQGZ+9Y9krwktC6T5m/i435WdN\n38h7amNP4XEE/F86Eb3rDrZYtgLIoCF4E+iCyxMehU+AGH1uABhls9XAB6vvo+8/\nSUp8lEqWWLP0U5KNOtYWfCeOAEiIHDbUq+DYUc4BKtbtV1cx3pzlPTOWw6XBi5Lq\njttdL4HyYvnasAQpwe8GcMJqIRyCVZMiwwKCAQEAhQTTS3CC8PwcoYrpBdTjW1ck\nvVFeF1YbfqPZfYxASCOtdx6wRnnEJ+bjqntagns9e88muxj9UhxSL6q9XaXQBD8+\n2AmKUxphCZQiYFZcTucjQEQEI2nN+nAKgRrUSMMGiR8Ekc2iFrcxBU0dnSohw+aB\nPbMKVypQCREu9PcDFIp9rXQTeElbaNsIg1C1w/SQjODbmN/QFHTVbRODYqLeX1J/\nVcGsykSIq7hv6bjn7JGkr2JTdANbjk9LnMjMdJFsKRYxPKkOQfYred6Hiojp5Sor\nPW5am8ejnNSPhIfqQp3uV3KhwPDKIeIpzvrB4uPfTjQWhekHCb8cKSWux3flqw==\n-----END RSA PRIVATE KEY-----`\n\tcaCRL = `-----BEGIN X509 CRL-----\nMIICpzCBkAIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhDZXJ0QXV0aBcN\nMjQwMTEwMTgyMjU4WhcNMjYwMTA5MTgyMjU4WjAkMCICEQDOaeHbjY4pEj8WBmqg\nZuRRFw0yNDAxMTAxODIyNThaoCMwITAfBgNVHSMEGDAWgBTaCYSLw2UKxH/1UG1r\nrl4DZ7dpuTANBgkqhkiG9w0BAQsFAAOCAgEAZzZ4aBqCcAJigR9e/mqKpJa4B6FV\n+jZmnWXolGeUuVkjdiG9w614x7mB2S768iioJyALejjCZjqsp6ydxtn0epQw4199\nXSfPIxA9lxc7w79GLe0v3ztojvxDPh5V1+lwPzGf9i8AsGqb2BrcBqgxDeatndnE\njF+18bY1saXOBpukNLjtRScUXzy5YcSuO6mwz4548v+1ebpF7W4Yh+yh0zldJKcF\nDouuirZWujJwTwxxfJ+2+yP7GAuefXUOhYs/1y9ylvUgvKFqSyokv6OaVgTooKYD\nMSADzmNcbRvwyAC5oL2yJTVVoTFeP6fXl/BdFH3sO/hlKXGy4Wh1AjcVE6T0CSJ4\niYFX3gLFh6dbP9IQWMlIM5DKtAKSjmgOywEaWii3e4M0NFSf/Cy17p2E5/jXSLlE\nypDileK0aALkx2twGWwogh6sY1dQ6R3GpKSRPD2muQxVOG6wXvuJce0E9WLx1Ud4\nhVUdUEMlKUvm77/15U5awarH2cCJQxzS/GMeIintQiG7hUlgRzRdmWVe3vOOvt94\ncp8+ZUH/QSDOo41ATTHpFeC/XqF5E2G/ahXqra+O5my52V/FP0bSJnkorJ8apy67\nsn6DFbkqX9khTXGtacczh2PcqVjcQjBniYl2sPO3qIrrrY3tic96tMnM/u3JRdcn\nw7bXJGfJcIMrrKs=\n-----END X509 CRL-----`\n\tclient1Crt = `-----BEGIN CERTIFICATE-----\nMIIEITCCAgmgAwIBAgIRAJr32nHRlhyPiS7IfZ/ZWYowDQYJKoZIhvcNAQELBQAw\nEzERMA8GA1UEAxMIQ2VydEF1dGgwHhcNMjQwMTEwMTgxMjM3WhcNMzQwMTEwMTgy\nMTUzWjASMRAwDgYDVQQDEwdjbGllbnQxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\nMIIBCgKCAQEAtuQFiqvdjd8WLxP0FgPDyDEJ1/uJ+Aoj6QllNV7svWxwW+kiJ3X6\nHUVNWhhCsNfly4pGW4erF4fZzmesElGx1PoWgQCWZKsa/N08bznelWgdmkyi85xE\nOkTj6e/cTWHFSOBURNJaXkGHZ0ROSh7qu0Ld+eqNo3k9W+NqZaqYvs2K7MLWeYl7\nQie8Ctuq5Qaz/jm0XwR2PFBROVQSaCPCukancPQ21ftqHPhAbjxoxvvN5QP4ZdRf\nXlH/LDLhlFnJzPZdHnVy9xisSPPRfFApJiwyfjRYdtslpJOcNgP6oPlpX/dybbhO\nc9FEUgj/Q90Je8EfioBYFYsqVD6/dFv9SwIDAQABo3EwbzAOBgNVHQ8BAf8EBAMC\nA7gwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBRUh5Xo\nGzjh6iReaPSOgGatqOw9bDAfBgNVHSMEGDAWgBTaCYSLw2UKxH/1UG1rrl4DZ7dp\nuTANBgkqhkiG9w0BAQsFAAOCAgEAyAK7cOTWqjyLgFM0kyyx1fNPvm2GwKep3MuU\nOrSnLuWjoxzb7WcbKNVMlnvnmSUAWuErxsY0PUJNfcuqWiGmEp4d/SWfWPigG6DC\nsDej35BlSfX8FCufYrfC74VNk4yBS2LVYmIqcpqUrfay0I2oZA8+ToLEpdUvEv2I\nl59eOhJO2jsC3JbOyZZmK2Kv7d94fR+1tg2Rq1Wbnmc9AZKq7KDReAlIJh4u2KHb\nBbtF79idusMwZyP777tqSQ4THBMa+VAEc2UrzdZqTIAwqlKQOvO2fRz2P+ARR+Tz\nMYJMdCdmPZ9qAc8U1OcFBG6qDDltO8wf/Nu/PsSI5LGCIhIuPPIuKfm0rRfTqCG7\nQPQPWjRoXtGGhwjdIuWbX9fIB+c+NpAEKHgLtV+Rxj8s5IVxqG9a5TtU9VkfVXJz\nJ20naoz/G+vDsVINpd3kH0ziNvdrKfGRM5UgtnUOPCXB22fVmkIsMH2knI10CKK+\noffI56NTkLRu00xvg98/wdukhkwIAxg6PQI/BHY5mdvoacEHHHdOhMq+GSAh7DDX\nG8+HdbABM1ExkPnZLat15q706ztiuUpQv1C2DI8YviUVkMqCslj4cD4F8EFPo4kr\nkvme0Cuc9Qlf7N5rjdV3cjwavhFx44dyXj9aesft2Q1okPiIqbGNpcjHcIRlj4Au\nMU3Bo0A=\n-----END CERTIFICATE-----`\n\tclient1Key = `-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAtuQFiqvdjd8WLxP0FgPDyDEJ1/uJ+Aoj6QllNV7svWxwW+ki\nJ3X6HUVNWhhCsNfly4pGW4erF4fZzmesElGx1PoWgQCWZKsa/N08bznelWgdmkyi\n85xEOkTj6e/cTWHFSOBURNJaXkGHZ0ROSh7qu0Ld+eqNo3k9W+NqZaqYvs2K7MLW\neYl7Qie8Ctuq5Qaz/jm0XwR2PFBROVQSaCPCukancPQ21ftqHPhAbjxoxvvN5QP4\nZdRfXlH/LDLhlFnJzPZdHnVy9xisSPPRfFApJiwyfjRYdtslpJOcNgP6oPlpX/dy\nbbhOc9FEUgj/Q90Je8EfioBYFYsqVD6/dFv9SwIDAQABAoIBAFjSHK7gENVZxphO\nhHg8k9ShnDo8eyDvK8l9Op3U3/yOsXKxolivvyx//7UFmz3vXDahjNHe7YScAXdw\neezbqBXa7xrvghqZzp2HhFYwMJ0210mcdncBKVFzK4ztZHxgQ0PFTqet0R19jZjl\nX3A325/eNZeuBeOied4qb/24AD6JGc6A0J55f5/QUQtdwYwrL15iC/KZXDL90PPJ\nCFJyrSzcXvOMEvOfXIFxhDVKRCppyIYXG7c80gtNC37I6rxxMNQ4mxjwUI2IVhxL\nj+nZDu0JgRZ4NaGjOq2e79QxUVm/GG3z25XgmBFBrXkEVV+sCZE1VDyj6kQfv9FU\nNhOrwGECgYEAzq47r/HwXifuGYBV/mvInFw3BNLrKry+iUZrJ4ms4g+LfOi0BAgf\nsXsWXulpBo2YgYjFdO8G66f69GlB4B7iLscpABXbRtpDZEnchQpaF36/+4g3i8gB\nZ29XHNDB8+7t4wbXvlSnLv1tZWey2fS4hPosc2YlvS87DMmnJMJqhs8CgYEA4oiB\nLGQP6VNdX0Uigmh5fL1g1k95eC8GP1ylczCcIwsb2OkAq0MT7SHRXOlg3leEq4+g\nmCHk1NdjkSYxDL2ZeTKTS/gy4p1jlcDa6Ilwi4pVvatNvu4o80EYWxRNNb1mAn67\nT8TN9lzc6mEi+LepQM3nYJ3F+ZWTKgxH8uoJwMUCgYEArpumE1vbjUBAuEyi2eGn\nRunlFW83fBCfDAxw5KM8anNlja5uvuU6GU/6s06QCxg+2lh5MPPrLdXpfukZ3UVa\nItjg+5B7gx1MSALaiY8YU7cibFdFThM3lHIM72wyH2ogkWcrh0GvSFSUQlJcWCSW\nasmMGiYXBgBL697FFZomMyMCgYEAkAnp0JcDQwHd4gDsk2zoqnckBsDb5J5J46n+\nDYNAFEww9bgZ08u/9MzG+cPu8xFE621U2MbcYLVfuuBE2ewIlPaij/COMmeO9Z59\n0tPpOuDH6eTtd1SptxqR6P+8pEn8feOlKHBj4Z1kXqdK/EiTlwAVeep4Al2oCFls\nujkz4F0CgYAe8vHnVFHlWi16zAqZx4ZZZhNuqPtgFkvPg9LfyNTA4dz7F9xgtUaY\nnXBPyCe/8NtgBfT79HkPiG3TM0xRZY9UZgsJKFtqAu5u4ManuWDnsZI9RK2QTLHe\nyEbH5r3Dg3n9k/3GbjXFIWdU9UaYsdnSKHHtMw9ZODc14LaAogEQug==\n-----END RSA PRIVATE KEY-----`\n\t// client 2 crt is revoked\n\tclient2Crt = `-----BEGIN CERTIFICATE-----\nMIIEITCCAgmgAwIBAgIRAM5p4duNjikSPxYGaqBm5FEwDQYJKoZIhvcNAQELBQAw\nEzERMA8GA1UEAxMIQ2VydEF1dGgwHhcNMjQwMTEwMTgxMjUyWhcNMzQwMTEwMTgy\nMTUzWjASMRAwDgYDVQQDEwdjbGllbnQyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\nMIIBCgKCAQEApNYpNZVmXZtAObpRRIuP2o/7z04H2E161vKZvJ3LSLlUTImVjm/b\nQe6DTNCUVLnzQuanmUlu2rUnN3lDSfYoBcJWbvC3y1OCPRkCjDV6KiYMA9TPkZua\neq6y3+bFFfEmyumsVEe0bSuzNHXCOIBT7PqYMdovECcwBh/RZCA5mqO5omEKh4LQ\ncr6+sVVkvD3nsyx0Alz/kTLFqc0mVflmpJq+0BpdetHRg4n5vy/I/08jZ81PQAmT\nA0kyl0Jh132JBGFdA8eyugPPP8n5edU4f3HXV/nR7XLwBrpSt8KgEg8cwfAu4Ic0\n6tGzB0CH8lSGtU0tH2/cOlDuguDD7VvokQIDAQABo3EwbzAOBgNVHQ8BAf8EBAMC\nA7gwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBR5mf0f\nZjf8ZCGXqU2+45th7VkkLDAfBgNVHSMEGDAWgBTaCYSLw2UKxH/1UG1rrl4DZ7dp\nuTANBgkqhkiG9w0BAQsFAAOCAgEARhFxNAouwbpEfN1M90+ao5rwyxEewerSoCCz\nPQzeUZ66MA/FkS/tFUGgGGG+wERN+WLbe1cN6q/XFr0FSMLuUxLXDNV02oUL/FnY\nxcyNLaZUZ0pP7sA+Hmx2AdTA6baIwQbyIY9RLAaz6hzo1YbI8yeis645F1bxgL2D\nEP5kXa3Obv0tqWByMZtrmJPv3p0W5GJKXVDn51GR/E5KI7pliZX2e0LmMX9mxfPB\n4sXFUggMHXxWMMSAmXPVsxC2KX6gMnajO7JUraTwuGm+6V371FzEX+UKXHI+xSvO\n78TseTIYsBGLjeiA8UjkKlD3T9qsQm2mb2PlKyqjvIm4i2ilM0E2w4JZmd45b925\n7q/QLV3NZ/zZMi6AMyULu28DWKfAx3RLKwnHWSFcR4lVkxQrbDhEUMhAhLAX+2+e\nqc7qZm3dTabi7ZJiiOvYK/yNgFHa/XtZp5uKPB5tigPIa+34hbZF7s2/ty5X3O1N\nf5Ardz7KNsxJjZIt6HvB28E/PPOvBqCKJc1Y08J9JbZi8p6QS1uarGoR7l7rT1Hv\n/ZXkNTw2bw1VpcWdzDBLLVHYNnJmS14189LVk11PcJJpSmubwCqg+ZZULdgtVr3S\nANas2dgMPVwXhnAalgkcc+lb2QqaEz06axfbRGBsgnyqR5/koKCg1Hr0+vThHSsR\nE0+r2+4=\n-----END CERTIFICATE-----`\n\tclient2Key = `-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEApNYpNZVmXZtAObpRRIuP2o/7z04H2E161vKZvJ3LSLlUTImV\njm/bQe6DTNCUVLnzQuanmUlu2rUnN3lDSfYoBcJWbvC3y1OCPRkCjDV6KiYMA9TP\nkZuaeq6y3+bFFfEmyumsVEe0bSuzNHXCOIBT7PqYMdovECcwBh/RZCA5mqO5omEK\nh4LQcr6+sVVkvD3nsyx0Alz/kTLFqc0mVflmpJq+0BpdetHRg4n5vy/I/08jZ81P\nQAmTA0kyl0Jh132JBGFdA8eyugPPP8n5edU4f3HXV/nR7XLwBrpSt8KgEg8cwfAu\n4Ic06tGzB0CH8lSGtU0tH2/cOlDuguDD7VvokQIDAQABAoIBAQCMnEeg9uXQmdvq\nop4qi6bV+ZcDWvvkLwvHikFMnYpIaheYBpF2ZMKzdmO4xgCSWeFCQ4Hah8KxfHCM\nqLuWvw2bBBE5J8yQ/JaPyeLbec7RX41GQ2YhPoxDdP0PdErREdpWo4imiFhH/Ewt\nRvq7ufRdpdLoS8dzzwnvX3r+H2MkHoC/QANW2AOuVoZK5qyCH5N8yEAAbWKaQaeL\nVBhAYEVKbAkWEtXw7bYXzxRR7WIM3f45v3ncRusDIG+Hf75ZjatoH0lF1gHQNofO\nqkCVZVzjkLFuzDic2KZqsNORglNs4J6t5Dahb9v3hnoK963YMnVSUjFvqQ+/RZZy\nVILFShilAoGBANucwZU61eJ0tLKBYEwmRY/K7Gu1MvvcYJIOoX8/BL3zNmNO0CLl\nNiABtNt9WOVwZxDsxJXdo1zvMtAegNqS6W11R1VAZbL6mQ/krScbLDE6JKA5DmA7\n4nNi1gJOW1ziAfdBAfhe4cLbQOb94xkOK5xM1YpO0xgDJLwrZbehDMmPAoGBAMAl\n/owPDAvcXz7JFynT0ieYVc64MSFiwGYJcsmxSAnbEgQ+TR5FtkHYe91OSqauZcCd\naoKXQNyrYKIhyounRPFTdYQrlx6KtEs7LU9wOxuphhpJtGjRnhmA7IqvX703wNvu\nkhrEavn86G5boH8R80371SrN0Rh9UeAlQGuNBdvfAoGAEAmokW9Ug08miwqrr6Pz\n3IZjMZJwALidTM1IufQuMnj6ddIhnQrEIx48yPKkdUz6GeBQkuk2rujA+zXfDxc/\neMDhzrX/N0zZtLFse7ieR5IJbrH7/MciyG5lVpHGVkgjAJ18uVikgAhm+vd7iC7i\nvG1YAtuyysQgAKXircBTIL0CgYAHeTLWVbt9NpwJwB6DhPaWjalAug9HIiUjktiB\nGcEYiQnBWn77X3DATOA8clAa/Yt9m2HKJIHkU1IV3ESZe+8Fh955PozJJlHu3yVb\nAp157PUHTriSnxyMF2Sb3EhX/rQkmbnbCqqygHC14iBy8MrKzLG00X6BelZV5n0D\n8d85dwKBgGWY2nsaemPH/TiTVF6kW1IKSQoIyJChkngc+Xj/2aCCkkmAEn8eqncl\nRKjnkiEZeG4+G91Xu7+HmcBLwV86k5I+tXK9O1Okomr6Zry8oqVcxU5TB6VRS+rA\nubwF00Drdvk2+kDZfxIM137nBiy7wgCJi2Ksm5ihN3dUF6Q0oNPl\n-----END RSA PRIVATE KEY-----`\n\tosWindows = \"windows\"\n)\n\n// MockOsFs mockable OsFs\ntype MockOsFs struct {\n\tvfs.Fs\n\terr error\n\tisAtomicUploadSupported bool\n\treader *pipeat.PipeReaderAt\n}\n\n// Name returns the name for the Fs implementation\nfunc (fs *MockOsFs) Name() string {\n\treturn \"mockOsFs\"\n}\n\n// Open returns nil\nfunc (fs *MockOsFs) Open(name string, offset int64) (vfs.File, vfs.PipeReader, func(), error) {\n\tif fs.reader != nil {\n\t\treturn nil, vfs.NewPipeReader(fs.reader), nil, nil\n\t}\n\treturn fs.Fs.Open(name, offset)\n}\n\n// IsUploadResumeSupported returns true if resuming uploads is supported\nfunc (*MockOsFs) IsUploadResumeSupported() bool {\n\treturn false\n}\n\n// IsAtomicUploadSupported returns true if atomic upload is supported\nfunc (fs *MockOsFs) IsAtomicUploadSupported() bool {\n\treturn fs.isAtomicUploadSupported\n}\n\n// Remove removes the named file or (empty) directory.\nfunc (fs *MockOsFs) Remove(name string, _ bool) error {\n\tif fs.err != nil {\n\t\treturn fs.err\n\t}\n\treturn os.Remove(name)\n}\n\n// Rename renames (moves) source to target\nfunc (fs *MockOsFs) Rename(source, target string, _ int) (int, int64, error) {\n\terr := os.Rename(source, target)\n\treturn -1, -1, err\n}\n\n// GetMimeType returns the content type\nfunc (fs *MockOsFs) GetMimeType(_ string) (string, error) {\n\tif fs.err != nil {\n\t\treturn \"\", fs.err\n\t}\n\treturn \"application/custom-mime\", nil\n}\n\nfunc newMockOsFs(atomicUpload bool, connectionID, rootDir string, reader *pipeat.PipeReaderAt, err error) vfs.Fs {\n\treturn &MockOsFs{\n\t\tFs: vfs.NewOsFs(connectionID, rootDir, \"\", nil),\n\t\tisAtomicUploadSupported: atomicUpload,\n\t\treader: reader,\n\t\terr: err,\n\t}\n}\n\nfunc TestUserInvalidParams(t *testing.T) {\n\tu := &dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: \"username\",\n\t\t\tHomeDir: \"invalid\",\n\t\t},\n\t}\n\tc := &Configuration{\n\t\tBindings: []Binding{\n\t\t\t{\n\t\t\t\tPort: 9000,\n\t\t\t},\n\t\t},\n\t}\n\n\tserver := webDavServer{\n\t\tconfig: c,\n\t\tbinding: c.Bindings[0],\n\t}\n\n\treq, err := http.NewRequest(http.MethodGet, fmt.Sprintf(\"/%v\", u.Username), nil)\n\tassert.NoError(t, err)\n\n\t_, err = server.validateUser(u, req, dataprovider.LoginMethodPassword)\n\tif assert.Error(t, err) {\n\t\tassert.EqualError(t, err, fmt.Sprintf(\"cannot login user with invalid home dir: %q\", u.HomeDir))\n\t}\n\n\treq.TLS = &tls.ConnectionState{}\n\twriteLog(req, http.StatusOK, nil)\n}\n\nfunc TestAllowedProxyUnixDomainSocket(t *testing.T) {\n\tb := Binding{\n\t\tAddress: filepath.Join(os.TempDir(), \"sock\"),\n\t\tProxyAllowed: []string{\"127.0.0.1\", \"127.0.1.1\"},\n\t}\n\terr := b.parseAllowedProxy()\n\tassert.NoError(t, err)\n\tif assert.Len(t, b.allowHeadersFrom, 1) {\n\t\tassert.True(t, b.allowHeadersFrom[0](nil))\n\t}\n}\n\nfunc TestProxyListenerWrapper(t *testing.T) {\n\tb := Binding{\n\t\tProxyMode: 0,\n\t}\n\trequire.Nil(t, b.listenerWrapper())\n\tb.ProxyMode = 1\n\trequire.NotNil(t, b.listenerWrapper())\n}\n\nfunc TestRemoteAddress(t *testing.T) {\n\tremoteAddr1 := \"100.100.100.100\"\n\tremoteAddr2 := \"172.172.172.172\"\n\n\tc := &Configuration{\n\t\tBindings: []Binding{\n\t\t\t{\n\t\t\t\tPort: 9000,\n\t\t\t\tProxyAllowed: []string{remoteAddr2, \"10.8.0.0/30\"},\n\t\t\t},\n\t\t},\n\t}\n\n\tserver := webDavServer{\n\t\tconfig: c,\n\t\tbinding: c.Bindings[0],\n\t}\n\terr := server.binding.parseAllowedProxy()\n\tassert.NoError(t, err)\n\treq, err := http.NewRequest(http.MethodGet, \"/\", nil)\n\tassert.NoError(t, err)\n\tassert.Empty(t, req.RemoteAddr)\n\n\ttrueClientIP := \"True-Client-IP\"\n\tcfConnectingIP := \"CF-Connecting-IP\"\n\txff := \"X-Forwarded-For\"\n\txRealIP := \"X-Real-IP\"\n\n\treq.Header.Set(trueClientIP, remoteAddr1)\n\tip := util.GetRealIP(req, trueClientIP, 0)\n\tassert.Equal(t, remoteAddr1, ip)\n\tip = util.GetRealIP(req, trueClientIP, 2)\n\tassert.Empty(t, ip)\n\treq.Header.Del(trueClientIP)\n\treq.Header.Set(cfConnectingIP, remoteAddr1)\n\tip = util.GetRealIP(req, cfConnectingIP, 0)\n\tassert.Equal(t, remoteAddr1, ip)\n\treq.Header.Del(cfConnectingIP)\n\treq.Header.Set(xff, remoteAddr1)\n\tip = util.GetRealIP(req, xff, 0)\n\tassert.Equal(t, remoteAddr1, ip)\n\t// this will be ignored, remoteAddr1 is not allowed to se this header\n\treq.Header.Set(xff, remoteAddr2)\n\treq.RemoteAddr = remoteAddr1\n\tip = server.checkRemoteAddress(req)\n\tassert.Equal(t, remoteAddr1, ip)\n\treq.RemoteAddr = \"\"\n\tip = server.checkRemoteAddress(req)\n\tassert.Empty(t, ip)\n\n\treq.Header.Set(xff, fmt.Sprintf(\"%v , %v\", remoteAddr2, remoteAddr1))\n\tip = util.GetRealIP(req, xff, 1)\n\tassert.Equal(t, remoteAddr2, ip)\n\n\treq.RemoteAddr = remoteAddr2\n\treq.Header.Set(xff, fmt.Sprintf(\"%v,%v\", \"12.34.56.78\", \"172.16.2.4\"))\n\tserver.binding.ClientIPHeaderDepth = 1\n\tserver.binding.ClientIPProxyHeader = xff\n\tip = server.checkRemoteAddress(req)\n\tassert.Equal(t, \"12.34.56.78\", ip)\n\tassert.Equal(t, ip, req.RemoteAddr)\n\n\treq.RemoteAddr = remoteAddr2\n\treq.Header.Set(xff, fmt.Sprintf(\"%v,%v\", \"12.34.56.79\", \"172.16.2.5\"))\n\tserver.binding.ClientIPHeaderDepth = 0\n\tip = server.checkRemoteAddress(req)\n\tassert.Equal(t, \"172.16.2.5\", ip)\n\tassert.Equal(t, ip, req.RemoteAddr)\n\n\treq.RemoteAddr = \"10.8.0.2\"\n\treq.Header.Set(xff, remoteAddr1)\n\tip = server.checkRemoteAddress(req)\n\tassert.Equal(t, remoteAddr1, ip)\n\tassert.Equal(t, ip, req.RemoteAddr)\n\n\treq.RemoteAddr = \"10.8.0.3\"\n\treq.Header.Set(xff, \"not an ip\")\n\tip = server.checkRemoteAddress(req)\n\tassert.Equal(t, \"10.8.0.3\", ip)\n\tassert.Equal(t, ip, req.RemoteAddr)\n\n\treq.Header.Del(xff)\n\treq.RemoteAddr = \"\"\n\treq.Header.Set(xRealIP, remoteAddr1)\n\tip = util.GetRealIP(req, \"x-real-ip\", 0)\n\tassert.Equal(t, remoteAddr1, ip)\n\treq.RemoteAddr = \"\"\n}\n\nfunc TestConnWithNilRequest(t *testing.T) {\n\tc := &Connection{}\n\tassert.Empty(t, c.GetClientVersion())\n\tassert.Empty(t, c.GetCommand())\n\tassert.Empty(t, c.GetRemoteAddress())\n\tassert.True(t, c.getModificationTime().IsZero())\n}\n\nfunc TestResolvePathErrors(t *testing.T) {\n\tctx := context.Background()\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tHomeDir: \"invalid\",\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tfs := vfs.NewOsFs(\"connID\", user.HomeDir, \"\", nil)\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(fs.ConnectionID(), common.ProtocolWebDAV, \"\", \"\", user),\n\t}\n\n\terr := connection.Mkdir(ctx, \"\", os.ModePerm)\n\tif assert.Error(t, err) {\n\t\tassert.EqualError(t, err, common.ErrGenericFailure.Error())\n\t}\n\n\terr = connection.Rename(ctx, \"oldName\", \"newName\")\n\tif assert.Error(t, err) {\n\t\tassert.EqualError(t, err, common.ErrGenericFailure.Error())\n\t}\n\n\t_, err = connection.Stat(ctx, \"name\")\n\tif assert.Error(t, err) {\n\t\tassert.EqualError(t, err, common.ErrGenericFailure.Error())\n\t}\n\n\terr = connection.RemoveAll(ctx, \"\")\n\tif assert.Error(t, err) {\n\t\tassert.EqualError(t, err, common.ErrGenericFailure.Error())\n\t}\n\n\t_, err = connection.OpenFile(ctx, \"\", 0, os.ModePerm)\n\tif assert.Error(t, err) {\n\t\tassert.EqualError(t, err, common.ErrGenericFailure.Error())\n\t}\n\n\tif runtime.GOOS != osWindows {\n\t\tuser.HomeDir = filepath.Clean(os.TempDir())\n\t\tconnection.User = user\n\t\tfs := vfs.NewOsFs(\"connID\", connection.User.HomeDir, \"\", nil)\n\t\tsubDir := \"sub\"\n\t\ttestTxtFile := \"file.txt\"\n\t\terr = os.MkdirAll(filepath.Join(os.TempDir(), subDir, subDir), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\terr = os.WriteFile(filepath.Join(os.TempDir(), subDir, subDir, testTxtFile), []byte(\"content\"), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\terr = os.Chmod(filepath.Join(os.TempDir(), subDir, subDir), 0001)\n\t\tassert.NoError(t, err)\n\t\terr = os.WriteFile(filepath.Join(os.TempDir(), testTxtFile), []byte(\"test content\"), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\terr = connection.Rename(ctx, testTxtFile, path.Join(subDir, subDir, testTxtFile))\n\t\tif assert.Error(t, err) {\n\t\t\tassert.EqualError(t, err, common.ErrPermissionDenied.Error())\n\t\t}\n\t\t_, err = connection.putFile(fs, filepath.Join(connection.User.HomeDir, subDir, subDir, testTxtFile),\n\t\t\tpath.Join(subDir, subDir, testTxtFile))\n\t\tif assert.Error(t, err) {\n\t\t\tassert.EqualError(t, err, common.ErrPermissionDenied.Error())\n\t\t}\n\t\terr = os.Chmod(filepath.Join(os.TempDir(), subDir, subDir), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\terr = os.RemoveAll(filepath.Join(os.TempDir(), subDir))\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(filepath.Join(os.TempDir(), testTxtFile))\n\t\tassert.NoError(t, err)\n\t}\n}\n\nfunc TestFileAccessErrors(t *testing.T) {\n\tctx := context.Background()\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tHomeDir: filepath.Clean(os.TempDir()),\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tfs := vfs.NewOsFs(\"connID\", user.HomeDir, \"\", nil)\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(fs.ConnectionID(), common.ProtocolWebDAV, \"\", \"\", user),\n\t}\n\tmissingPath := \"missing path\"\n\tfsMissingPath := filepath.Join(user.HomeDir, missingPath)\n\terr := connection.RemoveAll(ctx, missingPath)\n\tassert.ErrorIs(t, err, os.ErrNotExist)\n\tdavFile, err := connection.getFile(fs, fsMissingPath, missingPath)\n\tassert.NoError(t, err)\n\tbuf := make([]byte, 64)\n\t_, err = davFile.Read(buf)\n\tassert.ErrorIs(t, err, os.ErrNotExist)\n\terr = davFile.Close()\n\tassert.ErrorIs(t, err, os.ErrNotExist)\n\tp := filepath.Join(user.HomeDir, \"adir\", missingPath)\n\t_, err = connection.handleUploadToNewFile(fs, p, p, path.Join(\"adir\", missingPath))\n\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t_, err = connection.handleUploadToExistingFile(fs, p, \"_\"+p, 0, path.Join(\"adir\", missingPath))\n\tif assert.Error(t, err) {\n\t\tassert.ErrorIs(t, err, os.ErrNotExist)\n\t}\n\n\tfs = newMockOsFs(false, fs.ConnectionID(), user.HomeDir, nil, nil)\n\t_, err = connection.handleUploadToExistingFile(fs, p, p, 0, path.Join(\"adir\", missingPath))\n\tassert.ErrorIs(t, err, os.ErrNotExist)\n\n\tf, err := os.CreateTemp(\"\", \"temp\")\n\tassert.NoError(t, err)\n\terr = f.Close()\n\tassert.NoError(t, err)\n\tdavFile, err = connection.handleUploadToExistingFile(fs, f.Name(), f.Name(), 123, f.Name())\n\tif assert.NoError(t, err) {\n\t\ttransfer := davFile.(*webDavFile)\n\t\ttransfers := connection.GetTransfers()\n\t\tif assert.Equal(t, 1, len(transfers)) {\n\t\t\tassert.Equal(t, transfers[0].ID, transfer.GetID())\n\t\t\tassert.Equal(t, int64(123), transfer.InitialSize)\n\t\t\terr = transfer.Close()\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, 0, len(connection.GetTransfers()))\n\t\t}\n\t\t// test PROPPATCH date parsing error\n\t\tpstats, err := transfer.Patch([]webdav.Proppatch{\n\t\t\t{\n\t\t\t\tProps: []webdav.Property{\n\t\t\t\t\t{\n\t\t\t\t\t\tXMLName: xml.Name{\n\t\t\t\t\t\t\tSpace: \"DAV\",\n\t\t\t\t\t\t\tLocal: \"getlastmodified\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tInnerXML: []byte(`Wid, 04 Nov 2020 13:25:51 GMT`),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tassert.NoError(t, err)\n\t\tfor _, pstat := range pstats {\n\t\t\tassert.Equal(t, http.StatusForbidden, pstat.Status)\n\t\t}\n\n\t\terr = os.Remove(f.Name())\n\t\tassert.NoError(t, err)\n\t\t// the file is deleted PROPPATCH should fail\n\t\tpstats, err = transfer.Patch([]webdav.Proppatch{\n\t\t\t{\n\t\t\t\tProps: []webdav.Property{\n\t\t\t\t\t{\n\t\t\t\t\t\tXMLName: xml.Name{\n\t\t\t\t\t\t\tSpace: \"DAV\",\n\t\t\t\t\t\t\tLocal: \"getlastmodified\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tInnerXML: []byte(`Wed, 04 Nov 2020 13:25:51 GMT`),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tassert.NoError(t, err)\n\t\tfor _, pstat := range pstats {\n\t\t\tassert.Equal(t, http.StatusForbidden, pstat.Status)\n\t\t}\n\t}\n}\n\nfunc TestCheckRequestMethodWithPrefix(t *testing.T) {\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tHomeDir: filepath.Clean(os.TempDir()),\n\t\t\tPermissions: map[string][]string{\n\t\t\t\t\"/\": {dataprovider.PermAny},\n\t\t\t},\n\t\t},\n\t}\n\tfs := vfs.NewOsFs(\"connID\", user.HomeDir, \"\", nil)\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(fs.ConnectionID(), common.ProtocolWebDAV, \"\", \"\", user),\n\t}\n\tserver := webDavServer{\n\t\tbinding: Binding{\n\t\t\tPrefix: \"/dav\",\n\t\t},\n\t}\n\treq, err := http.NewRequest(http.MethodGet, \"/../dav\", nil)\n\trequire.NoError(t, err)\n\tserver.checkRequestMethod(context.Background(), req, connection)\n\trequire.Equal(t, \"PROPFIND\", req.Method)\n\trequire.Equal(t, \"1\", req.Header.Get(\"Depth\"))\n}\n\nfunc TestContentType(t *testing.T) {\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tHomeDir: filepath.Clean(os.TempDir()),\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tfs := vfs.NewOsFs(\"connID\", user.HomeDir, \"\", nil)\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(fs.ConnectionID(), common.ProtocolWebDAV, \"\", \"\", user),\n\t}\n\ttestFilePath := filepath.Join(user.HomeDir, testFile)\n\tctx := context.Background()\n\tbaseTransfer := common.NewBaseTransfer(nil, connection.BaseConnection, nil, testFilePath, testFilePath, testFile+\".unknown\",\n\t\tcommon.TransferDownload, 0, 0, 0, 0, false, fs, dataprovider.TransferQuota{})\n\tfs = newMockOsFs(false, fs.ConnectionID(), user.GetHomeDir(), nil, nil)\n\terr := os.WriteFile(testFilePath, []byte(\"\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tdavFile := newWebDavFile(baseTransfer, nil, nil)\n\tdavFile.Fs = fs\n\tfi, err := davFile.Stat()\n\tif assert.NoError(t, err) {\n\t\tctype, err := fi.(*webDavFileInfo).ContentType(ctx)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, \"application/custom-mime\", ctype)\n\t}\n\t_, err = davFile.Readdir(-1)\n\tassert.ErrorIs(t, err, webdav.ErrNotImplemented)\n\t_, err = davFile.ReadDir()\n\tassert.Error(t, err)\n\terr = davFile.Close()\n\tassert.NoError(t, err)\n\n\tbaseTransfer = common.NewBaseTransfer(nil, connection.BaseConnection, nil, testFilePath, testFilePath, testFile+\".unknown1\",\n\t\tcommon.TransferDownload, 0, 0, 0, 0, false, fs, dataprovider.TransferQuota{})\n\tdavFile = newWebDavFile(baseTransfer, nil, nil)\n\tdavFile.Fs = vfs.NewOsFs(\"id\", user.HomeDir, \"\", nil)\n\tfi, err = davFile.Stat()\n\tif assert.NoError(t, err) {\n\t\tctype, err := fi.(*webDavFileInfo).ContentType(ctx)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, \"text/plain; charset=utf-8\", ctype)\n\t}\n\terr = davFile.Close()\n\tassert.NoError(t, err)\n\n\tbaseTransfer = common.NewBaseTransfer(nil, connection.BaseConnection, nil, testFilePath, testFilePath, testFile,\n\t\tcommon.TransferDownload, 0, 0, 0, 0, false, fs, dataprovider.TransferQuota{})\n\tdavFile = newWebDavFile(baseTransfer, nil, nil)\n\tdavFile.Fs = vfs.NewOsFs(\"id\", user.HomeDir, \"\", nil)\n\tfi, err = davFile.Stat()\n\tif assert.NoError(t, err) {\n\t\tctype, err := fi.(*webDavFileInfo).ContentType(ctx)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, \"application/octet-stream\", ctype)\n\t}\n\terr = davFile.Close()\n\tassert.NoError(t, err)\n\n\tfor i := 0; i < 2; i++ {\n\t\t// the second time the cache will be used\n\t\tbaseTransfer = common.NewBaseTransfer(nil, connection.BaseConnection, nil, testFilePath, testFilePath, testFile+\".custom\",\n\t\t\tcommon.TransferDownload, 0, 0, 0, 0, false, fs, dataprovider.TransferQuota{})\n\t\tdavFile = newWebDavFile(baseTransfer, nil, nil)\n\t\tdavFile.Fs = vfs.NewOsFs(\"id\", user.HomeDir, \"\", nil)\n\t\tfi, err = davFile.Stat()\n\t\tif assert.NoError(t, err) {\n\t\t\tctype, err := fi.(*webDavFileInfo).ContentType(ctx)\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, \"text/plain; charset=utf-8\", ctype)\n\t\t}\n\t\terr = davFile.Close()\n\t\tassert.NoError(t, err)\n\t}\n\n\tbaseTransfer = common.NewBaseTransfer(nil, connection.BaseConnection, nil, testFilePath, testFilePath, testFile+\".sftpgo\",\n\t\tcommon.TransferDownload, 0, 0, 0, 0, false, fs, dataprovider.TransferQuota{})\n\tfs = newMockOsFs(false, fs.ConnectionID(), user.GetHomeDir(), nil, os.ErrInvalid)\n\tdavFile = newWebDavFile(baseTransfer, nil, nil)\n\tdavFile.Fs = fs\n\tfi, err = davFile.Stat()\n\tif assert.NoError(t, err) {\n\t\tctype, err := fi.(*webDavFileInfo).ContentType(ctx)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, \"application/sftpgo\", ctype)\n\t}\n\terr = davFile.Close()\n\tassert.NoError(t, err)\n\n\tbaseTransfer = common.NewBaseTransfer(nil, connection.BaseConnection, nil, testFilePath, testFilePath, testFile+\".unknown2\",\n\t\tcommon.TransferDownload, 0, 0, 0, 0, false, fs, dataprovider.TransferQuota{})\n\tfs = newMockOsFs(false, fs.ConnectionID(), user.GetHomeDir(), nil, os.ErrInvalid)\n\tdavFile = newWebDavFile(baseTransfer, nil, nil)\n\tdavFile.Fs = fs\n\tfi, err = davFile.Stat()\n\tif assert.NoError(t, err) {\n\t\tctype, err := fi.(*webDavFileInfo).ContentType(ctx)\n\t\tassert.EqualError(t, err, webdav.ErrNotImplemented.Error(), \"unexpected content type %q\", ctype)\n\t}\n\tcache := mimeCache{\n\t\tmaxSize: 10,\n\t\tmimeTypes: map[string]string{},\n\t}\n\tcache.addMimeToCache(\"\", \"\")\n\tcache.RLock()\n\tassert.Len(t, cache.mimeTypes, 0)\n\tcache.RUnlock()\n\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n}\n\nfunc TestTransferReadWriteErrors(t *testing.T) {\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tHomeDir: filepath.Clean(os.TempDir()),\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tfs := vfs.NewOsFs(\"connID\", user.HomeDir, \"\", nil)\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(fs.ConnectionID(), common.ProtocolWebDAV, \"\", \"\", user),\n\t}\n\ttestFilePath := filepath.Join(user.HomeDir, testFile)\n\tbaseTransfer := common.NewBaseTransfer(nil, connection.BaseConnection, nil, testFilePath, testFilePath, testFile,\n\t\tcommon.TransferUpload, 0, 0, 0, 0, false, fs, dataprovider.TransferQuota{})\n\tdavFile := newWebDavFile(baseTransfer, nil, nil)\n\tp := make([]byte, 1)\n\t_, err := davFile.Read(p)\n\tassert.EqualError(t, err, common.ErrOpUnsupported.Error())\n\n\tr, w, err := pipeat.Pipe()\n\tassert.NoError(t, err)\n\tdavFile = newWebDavFile(baseTransfer, nil, vfs.NewPipeReader(r))\n\tdavFile.Connection.RemoveTransfer(davFile.BaseTransfer)\n\tdavFile = newWebDavFile(baseTransfer, vfs.NewPipeWriter(w), nil)\n\tdavFile.Connection.RemoveTransfer(davFile.BaseTransfer)\n\terr = r.Close()\n\tassert.NoError(t, err)\n\terr = w.Close()\n\tassert.NoError(t, err)\n\terr = davFile.BaseTransfer.Close()\n\tassert.Error(t, err)\n\n\tbaseTransfer = common.NewBaseTransfer(nil, connection.BaseConnection, nil, testFilePath, testFilePath, testFile,\n\t\tcommon.TransferDownload, 0, 0, 0, 0, false, fs, dataprovider.TransferQuota{})\n\tdavFile = newWebDavFile(baseTransfer, nil, nil)\n\t_, err = davFile.Read(p)\n\tassert.True(t, fs.IsNotExist(err))\n\t_, err = davFile.Stat()\n\tassert.True(t, fs.IsNotExist(err))\n\terr = davFile.Close()\n\tassert.Error(t, err)\n\n\tbaseTransfer = common.NewBaseTransfer(nil, connection.BaseConnection, nil, testFilePath, testFilePath, testFile,\n\t\tcommon.TransferDownload, 0, 0, 0, 0, false, fs, dataprovider.TransferQuota{})\n\terr = os.WriteFile(testFilePath, []byte(\"\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tf, err := os.Open(testFilePath)\n\tif assert.NoError(t, err) {\n\t\terr = f.Close()\n\t\tassert.NoError(t, err)\n\t}\n\tdavFile = newWebDavFile(baseTransfer, nil, nil)\n\tdavFile.reader = f\n\terr = davFile.Close()\n\tassert.EqualError(t, err, common.ErrGenericFailure.Error())\n\terr = davFile.Close()\n\tassert.EqualError(t, err, common.ErrTransferClosed.Error())\n\t_, err = davFile.Read(p)\n\tassert.Error(t, err)\n\tinfo, err := davFile.Stat()\n\tif assert.NoError(t, err) {\n\t\tassert.Equal(t, int64(0), info.Size())\n\t}\n\terr = davFile.Close()\n\tassert.Error(t, err)\n\n\tr, w, err = pipeat.Pipe()\n\tassert.NoError(t, err)\n\tmockFs := newMockOsFs(false, fs.ConnectionID(), user.HomeDir, r, nil)\n\tbaseTransfer = common.NewBaseTransfer(nil, connection.BaseConnection, nil, testFilePath, testFilePath, testFile,\n\t\tcommon.TransferDownload, 0, 0, 0, 0, false, mockFs, dataprovider.TransferQuota{})\n\tdavFile = newWebDavFile(baseTransfer, nil, nil)\n\n\twriteContent := []byte(\"content\\r\\n\")\n\tgo func() {\n\t\tn, err := w.Write(writeContent)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, len(writeContent), n)\n\t\terr = w.Close()\n\t\tassert.NoError(t, err)\n\t}()\n\n\tp = make([]byte, 64)\n\tn, err := davFile.Read(p)\n\tassert.EqualError(t, err, io.EOF.Error())\n\tassert.Equal(t, len(writeContent), n)\n\terr = davFile.Close()\n\tassert.NoError(t, err)\n\n\tbaseTransfer = common.NewBaseTransfer(nil, connection.BaseConnection, nil, testFilePath, testFilePath, testFile,\n\t\tcommon.TransferDownload, 0, 0, 0, 0, false, fs, dataprovider.TransferQuota{})\n\tdavFile = newWebDavFile(baseTransfer, nil, nil)\n\tdavFile.writer = f\n\terr = davFile.Close()\n\tassert.EqualError(t, err, common.ErrGenericFailure.Error())\n\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n}\n\nfunc TestTransferSeek(t *testing.T) {\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tHomeDir: filepath.Clean(os.TempDir()),\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tfs := newMockOsFs(true, \"connID\", user.HomeDir, nil, nil)\n\tconnection := &Connection{\n\t\tBaseConnection: common.NewBaseConnection(fs.ConnectionID(), common.ProtocolWebDAV, \"\", \"\", user),\n\t}\n\ttestFilePath := filepath.Join(user.HomeDir, testFile)\n\ttestFileContents := []byte(\"content\")\n\tbaseTransfer := common.NewBaseTransfer(nil, connection.BaseConnection, nil, testFilePath, testFilePath, testFile,\n\t\tcommon.TransferUpload, 0, 0, 0, 0, false, fs, dataprovider.TransferQuota{AllowedTotalSize: 100})\n\tdavFile := newWebDavFile(baseTransfer, nil, nil)\n\t_, err := davFile.Seek(0, io.SeekStart)\n\tassert.EqualError(t, err, common.ErrOpUnsupported.Error())\n\terr = davFile.Close()\n\tassert.NoError(t, err)\n\n\tbaseTransfer = common.NewBaseTransfer(nil, connection.BaseConnection, nil, testFilePath, testFilePath, testFile,\n\t\tcommon.TransferDownload, 0, 0, 0, 0, false, fs, dataprovider.TransferQuota{AllowedTotalSize: 100})\n\tdavFile = newWebDavFile(baseTransfer, nil, nil)\n\t_, err = davFile.Seek(0, io.SeekCurrent)\n\tassert.True(t, fs.IsNotExist(err))\n\tdavFile.Connection.RemoveTransfer(davFile.BaseTransfer)\n\n\terr = os.WriteFile(testFilePath, testFileContents, os.ModePerm)\n\tassert.NoError(t, err)\n\tf, err := os.Open(testFilePath)\n\tif assert.NoError(t, err) {\n\t\terr = f.Close()\n\t\tassert.NoError(t, err)\n\t}\n\tbaseTransfer = common.NewBaseTransfer(f, connection.BaseConnection, nil, testFilePath, testFilePath, testFile,\n\t\tcommon.TransferDownload, 0, 0, 0, 0, false, fs, dataprovider.TransferQuota{AllowedTotalSize: 100})\n\tdavFile = newWebDavFile(baseTransfer, nil, nil)\n\t_, err = davFile.Seek(0, io.SeekStart)\n\tassert.Error(t, err)\n\tdavFile.Connection.RemoveTransfer(davFile.BaseTransfer)\n\n\tbaseTransfer = common.NewBaseTransfer(nil, connection.BaseConnection, nil, testFilePath, testFilePath, testFile,\n\t\tcommon.TransferDownload, 0, 0, 0, 0, false, fs, dataprovider.TransferQuota{AllowedTotalSize: 100})\n\tdavFile = newWebDavFile(baseTransfer, nil, nil)\n\tres, err := davFile.Seek(0, io.SeekStart)\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(0), res)\n\terr = davFile.Close()\n\tassert.NoError(t, err)\n\tdavFile.Connection.RemoveTransfer(davFile.BaseTransfer)\n\n\tdavFile = newWebDavFile(baseTransfer, nil, nil)\n\tres, err = davFile.Seek(0, io.SeekEnd)\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(len(testFileContents)), res)\n\terr = davFile.updateStatInfo()\n\tassert.NoError(t, err)\n\terr = davFile.Close()\n\tassert.NoError(t, err)\n\n\tbaseTransfer = common.NewBaseTransfer(nil, connection.BaseConnection, nil, testFilePath+\"1\", testFilePath+\"1\", testFile,\n\t\tcommon.TransferDownload, 0, 0, 0, 0, false, fs, dataprovider.TransferQuota{AllowedTotalSize: 100})\n\tdavFile = newWebDavFile(baseTransfer, nil, nil)\n\t_, err = davFile.Seek(0, io.SeekEnd)\n\tassert.True(t, fs.IsNotExist(err))\n\tdavFile.Connection.RemoveTransfer(davFile.BaseTransfer)\n\n\tfs = vfs.NewOsFs(fs.ConnectionID(), user.GetHomeDir(), \"\", nil)\n\tbaseTransfer = common.NewBaseTransfer(nil, connection.BaseConnection, nil, testFilePath+\"1\", testFilePath+\"1\", testFile,\n\t\tcommon.TransferDownload, 0, 0, 0, 0, false, fs, dataprovider.TransferQuota{AllowedTotalSize: 100})\n\tdavFile = newWebDavFile(baseTransfer, nil, nil)\n\t_, err = davFile.Seek(0, io.SeekEnd)\n\tassert.True(t, fs.IsNotExist(err))\n\tdavFile.Connection.RemoveTransfer(davFile.BaseTransfer)\n\n\tbaseTransfer = common.NewBaseTransfer(nil, connection.BaseConnection, nil, testFilePath, testFilePath, testFile,\n\t\tcommon.TransferDownload, 0, 0, 0, 0, false, fs, dataprovider.TransferQuota{AllowedTotalSize: 100})\n\tdavFile = newWebDavFile(baseTransfer, nil, nil)\n\tdavFile.reader = f\n\tr, _, err := pipeat.Pipe()\n\tassert.NoError(t, err)\n\tdavFile.Fs = newMockOsFs(true, fs.ConnectionID(), user.GetHomeDir(), r, nil)\n\tres, err = davFile.Seek(2, io.SeekStart)\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(2), res)\n\terr = davFile.Close()\n\tassert.NoError(t, err)\n\n\tr, _, err = pipeat.Pipe()\n\tassert.NoError(t, err)\n\tdavFile = newWebDavFile(baseTransfer, nil, nil)\n\tdavFile.Fs = newMockOsFs(true, fs.ConnectionID(), user.GetHomeDir(), r, nil)\n\tres, err = davFile.Seek(2, io.SeekEnd)\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(5), res)\n\terr = davFile.Close()\n\tassert.NoError(t, err)\n\n\tbaseTransfer = common.NewBaseTransfer(nil, connection.BaseConnection, nil, testFilePath+\"1\", testFilePath+\"1\", testFile,\n\t\tcommon.TransferDownload, 0, 0, 0, 0, false, fs, dataprovider.TransferQuota{AllowedTotalSize: 100})\n\n\tdavFile = newWebDavFile(baseTransfer, nil, nil)\n\tdavFile.Fs = newMockOsFs(true, fs.ConnectionID(), user.GetHomeDir(), nil, nil)\n\tres, err = davFile.Seek(2, io.SeekEnd)\n\tassert.True(t, fs.IsNotExist(err))\n\tassert.Equal(t, int64(0), res)\n\terr = davFile.Close()\n\tassert.NoError(t, err)\n\n\tassert.Len(t, common.Connections.GetStats(\"\"), 0)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n}\n\nfunc TestBasicUsersCache(t *testing.T) {\n\tusername := \"webdav_internal_test\"\n\tpassword := \"pwd\"\n\tu := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username,\n\t\t\tPassword: password,\n\t\t\tHomeDir: filepath.Join(os.TempDir(), username),\n\t\t\tStatus: 1,\n\t\t\tExpirationDate: 0,\n\t\t},\n\t}\n\tu.Permissions = make(map[string][]string)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\terr := dataprovider.AddUser(&u, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tuser, err := dataprovider.UserExists(u.Username, \"\")\n\tassert.NoError(t, err)\n\n\tc := &Configuration{\n\t\tBindings: []Binding{\n\t\t\t{\n\t\t\t\tPort: 9000,\n\t\t\t},\n\t\t},\n\t\tCache: Cache{\n\t\t\tUsers: UsersCacheConfig{\n\t\t\t\tMaxSize: 50,\n\t\t\t\tExpirationTime: 1,\n\t\t\t},\n\t\t},\n\t}\n\tdataprovider.InitializeWebDAVUserCache(c.Cache.Users.MaxSize)\n\tserver := webDavServer{\n\t\tconfig: c,\n\t\tbinding: c.Bindings[0],\n\t}\n\n\treq, err := http.NewRequest(http.MethodGet, fmt.Sprintf(\"/%v\", user.Username), nil)\n\tassert.NoError(t, err)\n\n\tipAddr := \"127.0.0.1\"\n\n\t_, _, _, _, err = server.authenticate(req, ipAddr) //nolint:dogsled\n\tassert.Error(t, err)\n\n\tnow := time.Now()\n\treq.SetBasicAuth(username, password)\n\t_, isCached, _, loginMethod, err := server.authenticate(req, ipAddr)\n\tassert.NoError(t, err)\n\tassert.False(t, isCached)\n\tassert.Equal(t, dataprovider.LoginMethodPassword, loginMethod)\n\t// now the user should be cached\n\tcachedUser, ok := dataprovider.GetCachedWebDAVUser(username)\n\tif assert.True(t, ok) {\n\t\tassert.False(t, cachedUser.IsExpired())\n\t\tassert.True(t, cachedUser.Expiration.After(now.Add(time.Duration(c.Cache.Users.ExpirationTime)*time.Minute)))\n\t\t// authenticate must return the cached user now\n\t\tauthUser, isCached, _, _, err := server.authenticate(req, ipAddr)\n\t\tassert.NoError(t, err)\n\t\tassert.True(t, isCached)\n\t\tassert.Equal(t, cachedUser.User, authUser)\n\t}\n\t// a wrong password must fail\n\treq.SetBasicAuth(username, \"wrong\")\n\t_, _, _, _, err = server.authenticate(req, ipAddr) //nolint:dogsled\n\tassert.EqualError(t, err, dataprovider.ErrInvalidCredentials.Error())\n\treq.SetBasicAuth(username, password)\n\n\t// force cached user expiration\n\tcachedUser.Expiration = now\n\tdataprovider.CacheWebDAVUser(cachedUser)\n\tcachedUser, ok = dataprovider.GetCachedWebDAVUser(username)\n\tif assert.True(t, ok) {\n\t\tassert.True(t, cachedUser.IsExpired())\n\t}\n\t// now authenticate should get the user from the data provider and update the cache\n\t_, isCached, _, loginMethod, err = server.authenticate(req, ipAddr)\n\tassert.NoError(t, err)\n\tassert.False(t, isCached)\n\tassert.Equal(t, dataprovider.LoginMethodPassword, loginMethod)\n\tcachedUser, ok = dataprovider.GetCachedWebDAVUser(username)\n\tif assert.True(t, ok) {\n\t\tassert.False(t, cachedUser.IsExpired())\n\t}\n\t// cache is not invalidated after a user modification if the fs does not change\n\terr = dataprovider.UpdateUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\t_, ok = dataprovider.GetCachedWebDAVUser(username)\n\tassert.True(t, ok)\n\tfolderName := \"testFolder\"\n\tf := &vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: filepath.Join(os.TempDir(), \"mapped\"),\n\t}\n\terr = dataprovider.AddFolder(f, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tuser.VirtualFolders = append(user.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: \"/vdir\",\n\t})\n\n\terr = dataprovider.UpdateUser(&user, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\t_, ok = dataprovider.GetCachedWebDAVUser(username)\n\tassert.False(t, ok)\n\n\t_, isCached, _, loginMethod, err = server.authenticate(req, ipAddr)\n\tassert.NoError(t, err)\n\tassert.False(t, isCached)\n\tassert.Equal(t, dataprovider.LoginMethodPassword, loginMethod)\n\t_, ok = dataprovider.GetCachedWebDAVUser(username)\n\tassert.True(t, ok)\n\t// cache is invalidated after user deletion\n\terr = dataprovider.DeleteUser(user.Username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\t_, ok = dataprovider.GetCachedWebDAVUser(username)\n\tassert.False(t, ok)\n\n\terr = dataprovider.DeleteFolder(folderName, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\terr = os.RemoveAll(u.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestCachedUserWithFolders(t *testing.T) {\n\tusername := \"webdav_internal_folder_test\"\n\tpassword := \"dav_pwd\"\n\tfolderName := \"test_folder\"\n\tu := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username,\n\t\t\tPassword: password,\n\t\t\tHomeDir: filepath.Join(os.TempDir(), username),\n\t\t\tStatus: 1,\n\t\t\tExpirationDate: 0,\n\t\t},\n\t}\n\tu.Permissions = make(map[string][]string)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: \"/vpath\",\n\t})\n\tf := &vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: filepath.Join(os.TempDir(), folderName),\n\t}\n\terr := dataprovider.AddFolder(f, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = dataprovider.AddUser(&u, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tuser, err := dataprovider.UserExists(u.Username, \"\")\n\tassert.NoError(t, err)\n\n\tc := &Configuration{\n\t\tBindings: []Binding{\n\t\t\t{\n\t\t\t\tPort: 9000,\n\t\t\t},\n\t\t},\n\t\tCache: Cache{\n\t\t\tUsers: UsersCacheConfig{\n\t\t\t\tMaxSize: 50,\n\t\t\t\tExpirationTime: 1,\n\t\t\t},\n\t\t},\n\t}\n\tdataprovider.InitializeWebDAVUserCache(c.Cache.Users.MaxSize)\n\tserver := webDavServer{\n\t\tconfig: c,\n\t\tbinding: c.Bindings[0],\n\t}\n\n\treq, err := http.NewRequest(http.MethodGet, fmt.Sprintf(\"/%v\", user.Username), nil)\n\tassert.NoError(t, err)\n\n\tipAddr := \"127.0.0.1\"\n\n\t_, _, _, _, err = server.authenticate(req, ipAddr) //nolint:dogsled\n\tassert.Error(t, err)\n\n\tnow := time.Now()\n\treq.SetBasicAuth(username, password)\n\t_, isCached, _, loginMethod, err := server.authenticate(req, ipAddr)\n\tassert.NoError(t, err)\n\tassert.False(t, isCached)\n\tassert.Equal(t, dataprovider.LoginMethodPassword, loginMethod)\n\t// now the user should be cached\n\tcachedUser, ok := dataprovider.GetCachedWebDAVUser(username)\n\tif assert.True(t, ok) {\n\t\tassert.False(t, cachedUser.IsExpired())\n\t\tassert.True(t, cachedUser.Expiration.After(now.Add(time.Duration(c.Cache.Users.ExpirationTime)*time.Minute)))\n\t\t// authenticate must return the cached user now\n\t\tauthUser, isCached, _, _, err := server.authenticate(req, ipAddr)\n\t\tassert.NoError(t, err)\n\t\tassert.True(t, isCached)\n\t\tassert.Equal(t, cachedUser.User, authUser)\n\t}\n\n\tfolder, err := dataprovider.GetFolderByName(folderName)\n\tassert.NoError(t, err)\n\t// updating a used folder should invalidate the cache only if the fs changed\n\terr = dataprovider.UpdateFolder(&folder, folder.Users, folder.Groups, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\t_, isCached, _, loginMethod, err = server.authenticate(req, ipAddr)\n\tassert.NoError(t, err)\n\tassert.True(t, isCached)\n\tassert.Equal(t, dataprovider.LoginMethodPassword, loginMethod)\n\tcachedUser, ok = dataprovider.GetCachedWebDAVUser(username)\n\tif assert.True(t, ok) {\n\t\tassert.False(t, cachedUser.IsExpired())\n\t}\n\t// changing the folder path should invalidate the cache\n\tfolder.MappedPath = filepath.Join(os.TempDir(), \"anotherpath\")\n\terr = dataprovider.UpdateFolder(&folder, folder.Users, folder.Groups, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\t_, isCached, _, loginMethod, err = server.authenticate(req, ipAddr)\n\tassert.NoError(t, err)\n\tassert.False(t, isCached)\n\tassert.Equal(t, dataprovider.LoginMethodPassword, loginMethod)\n\tcachedUser, ok = dataprovider.GetCachedWebDAVUser(username)\n\tif assert.True(t, ok) {\n\t\tassert.False(t, cachedUser.IsExpired())\n\t}\n\n\terr = dataprovider.DeleteFolder(folderName, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\t// removing a used folder should invalidate the cache\n\t_, isCached, _, loginMethod, err = server.authenticate(req, ipAddr)\n\tassert.NoError(t, err)\n\tassert.False(t, isCached)\n\tassert.Equal(t, dataprovider.LoginMethodPassword, loginMethod)\n\tcachedUser, ok = dataprovider.GetCachedWebDAVUser(username)\n\tif assert.True(t, ok) {\n\t\tassert.False(t, cachedUser.IsExpired())\n\t}\n\n\terr = dataprovider.DeleteUser(user.Username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\t_, ok = dataprovider.GetCachedWebDAVUser(username)\n\tassert.False(t, ok)\n\n\terr = os.RemoveAll(u.GetHomeDir())\n\tassert.NoError(t, err)\n\n\terr = os.RemoveAll(folder.MappedPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestUsersCacheSizeAndExpiration(t *testing.T) {\n\tusername := \"webdav_internal_test\"\n\tpassword := \"pwd\"\n\tu := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tHomeDir: filepath.Join(os.TempDir(), username),\n\t\t\tStatus: 1,\n\t\t\tExpirationDate: 0,\n\t\t},\n\t}\n\tu.Username = username + \"1\"\n\tu.Password = password + \"1\"\n\tu.Permissions = make(map[string][]string)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\terr := dataprovider.AddUser(&u, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tuser1, err := dataprovider.UserExists(u.Username, \"\")\n\tassert.NoError(t, err)\n\tu.Username = username + \"2\"\n\tu.Password = password + \"2\"\n\terr = dataprovider.AddUser(&u, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tuser2, err := dataprovider.UserExists(u.Username, \"\")\n\tassert.NoError(t, err)\n\tu.Username = username + \"3\"\n\tu.Password = password + \"3\"\n\terr = dataprovider.AddUser(&u, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tuser3, err := dataprovider.UserExists(u.Username, \"\")\n\tassert.NoError(t, err)\n\tu.Username = username + \"4\"\n\tu.Password = password + \"4\"\n\terr = dataprovider.AddUser(&u, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tuser4, err := dataprovider.UserExists(u.Username, \"\")\n\tassert.NoError(t, err)\n\n\tc := &Configuration{\n\t\tBindings: []Binding{\n\t\t\t{\n\t\t\t\tPort: 9000,\n\t\t\t},\n\t\t},\n\t\tCache: Cache{\n\t\t\tUsers: UsersCacheConfig{\n\t\t\t\tMaxSize: 3,\n\t\t\t\tExpirationTime: 1,\n\t\t\t},\n\t\t},\n\t}\n\tdataprovider.InitializeWebDAVUserCache(c.Cache.Users.MaxSize)\n\tserver := webDavServer{\n\t\tconfig: c,\n\t\tbinding: c.Bindings[0],\n\t}\n\n\tipAddr := \"127.0.1.1\"\n\treq, err := http.NewRequest(http.MethodGet, fmt.Sprintf(\"/%v\", user1.Username), nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(user1.Username, password+\"1\")\n\t_, isCached, _, loginMehod, err := server.authenticate(req, ipAddr)\n\tassert.NoError(t, err)\n\tassert.False(t, isCached)\n\tassert.Equal(t, dataprovider.LoginMethodPassword, loginMehod)\n\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"/%v\", user2.Username), nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(user2.Username, password+\"2\")\n\t_, isCached, _, loginMehod, err = server.authenticate(req, ipAddr)\n\tassert.NoError(t, err)\n\tassert.False(t, isCached)\n\tassert.Equal(t, dataprovider.LoginMethodPassword, loginMehod)\n\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"/%v\", user3.Username), nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(user3.Username, password+\"3\")\n\t_, isCached, _, loginMehod, err = server.authenticate(req, ipAddr)\n\tassert.NoError(t, err)\n\tassert.False(t, isCached)\n\tassert.Equal(t, dataprovider.LoginMethodPassword, loginMehod)\n\n\t// the first 3 users are now cached\n\t_, ok := dataprovider.GetCachedWebDAVUser(user1.Username)\n\tassert.True(t, ok)\n\t_, ok = dataprovider.GetCachedWebDAVUser(user2.Username)\n\tassert.True(t, ok)\n\t_, ok = dataprovider.GetCachedWebDAVUser(user3.Username)\n\tassert.True(t, ok)\n\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"/%v\", user4.Username), nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(user4.Username, password+\"4\")\n\t_, isCached, _, loginMehod, err = server.authenticate(req, ipAddr)\n\tassert.NoError(t, err)\n\tassert.False(t, isCached)\n\tassert.Equal(t, dataprovider.LoginMethodPassword, loginMehod)\n\t// user1, the first cached, should be removed now\n\t_, ok = dataprovider.GetCachedWebDAVUser(user1.Username)\n\tassert.False(t, ok)\n\t_, ok = dataprovider.GetCachedWebDAVUser(user2.Username)\n\tassert.True(t, ok)\n\t_, ok = dataprovider.GetCachedWebDAVUser(user3.Username)\n\tassert.True(t, ok)\n\t_, ok = dataprovider.GetCachedWebDAVUser(user4.Username)\n\tassert.True(t, ok)\n\n\t// a sleep ensures that expiration times are different\n\ttime.Sleep(20 * time.Millisecond)\n\t// user1 logins, user2 should be removed\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"/%v\", user1.Username), nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(user1.Username, password+\"1\")\n\t_, isCached, _, loginMehod, err = server.authenticate(req, ipAddr)\n\tassert.NoError(t, err)\n\tassert.False(t, isCached)\n\tassert.Equal(t, dataprovider.LoginMethodPassword, loginMehod)\n\t_, ok = dataprovider.GetCachedWebDAVUser(user2.Username)\n\tassert.False(t, ok)\n\t_, ok = dataprovider.GetCachedWebDAVUser(user1.Username)\n\tassert.True(t, ok)\n\t_, ok = dataprovider.GetCachedWebDAVUser(user3.Username)\n\tassert.True(t, ok)\n\t_, ok = dataprovider.GetCachedWebDAVUser(user4.Username)\n\tassert.True(t, ok)\n\n\t// a sleep ensures that expiration times are different\n\ttime.Sleep(20 * time.Millisecond)\n\t// user2 logins, user3 should be removed\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"/%v\", user2.Username), nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(user2.Username, password+\"2\")\n\t_, isCached, _, loginMehod, err = server.authenticate(req, ipAddr)\n\tassert.NoError(t, err)\n\tassert.False(t, isCached)\n\tassert.Equal(t, dataprovider.LoginMethodPassword, loginMehod)\n\t_, ok = dataprovider.GetCachedWebDAVUser(user3.Username)\n\tassert.False(t, ok)\n\t_, ok = dataprovider.GetCachedWebDAVUser(user1.Username)\n\tassert.True(t, ok)\n\t_, ok = dataprovider.GetCachedWebDAVUser(user2.Username)\n\tassert.True(t, ok)\n\t_, ok = dataprovider.GetCachedWebDAVUser(user4.Username)\n\tassert.True(t, ok)\n\n\t// a sleep ensures that expiration times are different\n\ttime.Sleep(20 * time.Millisecond)\n\t// user3 logins, user4 should be removed\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"/%v\", user3.Username), nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(user3.Username, password+\"3\")\n\t_, isCached, _, loginMehod, err = server.authenticate(req, ipAddr)\n\tassert.NoError(t, err)\n\tassert.False(t, isCached)\n\tassert.Equal(t, dataprovider.LoginMethodPassword, loginMehod)\n\t_, ok = dataprovider.GetCachedWebDAVUser(user4.Username)\n\tassert.False(t, ok)\n\t_, ok = dataprovider.GetCachedWebDAVUser(user1.Username)\n\tassert.True(t, ok)\n\t_, ok = dataprovider.GetCachedWebDAVUser(user2.Username)\n\tassert.True(t, ok)\n\t_, ok = dataprovider.GetCachedWebDAVUser(user3.Username)\n\tassert.True(t, ok)\n\n\t// now remove user1 after an update\n\tuser1.HomeDir += \"_mod\"\n\terr = dataprovider.UpdateUser(&user1, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\t_, ok = dataprovider.GetCachedWebDAVUser(user1.Username)\n\tassert.False(t, ok)\n\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"/%v\", user4.Username), nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(user4.Username, password+\"4\")\n\t_, isCached, _, loginMehod, err = server.authenticate(req, ipAddr)\n\tassert.NoError(t, err)\n\tassert.False(t, isCached)\n\tassert.Equal(t, dataprovider.LoginMethodPassword, loginMehod)\n\n\t// a sleep ensures that expiration times are different\n\ttime.Sleep(20 * time.Millisecond)\n\treq, err = http.NewRequest(http.MethodGet, fmt.Sprintf(\"/%v\", user1.Username), nil)\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(user1.Username, password+\"1\")\n\t_, isCached, _, loginMehod, err = server.authenticate(req, ipAddr)\n\tassert.NoError(t, err)\n\tassert.False(t, isCached)\n\tassert.Equal(t, dataprovider.LoginMethodPassword, loginMehod)\n\t_, ok = dataprovider.GetCachedWebDAVUser(user2.Username)\n\tassert.False(t, ok)\n\t_, ok = dataprovider.GetCachedWebDAVUser(user1.Username)\n\tassert.True(t, ok)\n\t_, ok = dataprovider.GetCachedWebDAVUser(user3.Username)\n\tassert.True(t, ok)\n\t_, ok = dataprovider.GetCachedWebDAVUser(user4.Username)\n\tassert.True(t, ok)\n\n\terr = dataprovider.DeleteUser(user1.Username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = dataprovider.DeleteUser(user2.Username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = dataprovider.DeleteUser(user3.Username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\terr = dataprovider.DeleteUser(user4.Username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\terr = os.RemoveAll(u.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestUserCacheIsolation(t *testing.T) {\n\tdataprovider.InitializeWebDAVUserCache(10)\n\tusername := \"webdav_internal_cache_test\"\n\tpassword := \"dav_pwd\"\n\tu := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: username,\n\t\t\tPassword: password,\n\t\t\tHomeDir: filepath.Join(os.TempDir(), username),\n\t\t\tStatus: 1,\n\t\t\tExpirationDate: 0,\n\t\t},\n\t}\n\tu.Permissions = make(map[string][]string)\n\tu.Permissions[\"/\"] = []string{dataprovider.PermAny}\n\terr := dataprovider.AddUser(&u, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tuser, err := dataprovider.UserExists(u.Username, \"\")\n\tassert.NoError(t, err)\n\tcachedUser := &dataprovider.CachedUser{\n\t\tUser: user,\n\t\tExpiration: time.Now().Add(24 * time.Hour),\n\t\tPassword: password,\n\t\tLockSystem: webdav.NewMemLS(),\n\t}\n\tcachedUser.User.FsConfig.S3Config.AccessSecret = kms.NewPlainSecret(\"test secret\")\n\tcachedUser.User.FsConfig.S3Config.SSECustomerKey = kms.NewPlainSecret(\"test key\")\n\terr = cachedUser.User.FsConfig.S3Config.AccessSecret.Encrypt()\n\tassert.NoError(t, err)\n\terr = cachedUser.User.FsConfig.S3Config.SSECustomerKey.Encrypt()\n\tassert.NoError(t, err)\n\tdataprovider.CacheWebDAVUser(cachedUser)\n\tcachedUser, ok := dataprovider.GetCachedWebDAVUser(username)\n\n\tif assert.True(t, ok) {\n\t\t_, err = cachedUser.User.GetFilesystem(\"\")\n\t\tassert.NoError(t, err)\n\t\t// the filesystem is now cached\n\t}\n\tcachedUser, ok = dataprovider.GetCachedWebDAVUser(username)\n\tif assert.True(t, ok) {\n\t\tassert.True(t, cachedUser.User.FsConfig.S3Config.AccessSecret.IsEncrypted())\n\t\terr = cachedUser.User.FsConfig.S3Config.AccessSecret.Decrypt()\n\t\tassert.NoError(t, err)\n\t\tassert.True(t, cachedUser.User.FsConfig.S3Config.SSECustomerKey.IsEncrypted())\n\t\terr = cachedUser.User.FsConfig.S3Config.SSECustomerKey.Decrypt()\n\t\tassert.NoError(t, err)\n\t\tcachedUser.User.FsConfig.Provider = sdk.S3FilesystemProvider\n\t\t_, err = cachedUser.User.GetFilesystem(\"\")\n\t\tassert.Error(t, err, \"we don't have to get the previously cached filesystem!\")\n\t}\n\tcachedUser, ok = dataprovider.GetCachedWebDAVUser(username)\n\tif assert.True(t, ok) {\n\t\tassert.Equal(t, sdk.LocalFilesystemProvider, cachedUser.User.FsConfig.Provider)\n\t\tassert.False(t, cachedUser.User.FsConfig.S3Config.AccessSecret.IsEncrypted())\n\t\tassert.False(t, cachedUser.User.FsConfig.S3Config.SSECustomerKey.IsEncrypted())\n\t}\n\n\terr = dataprovider.DeleteUser(username, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\t_, ok = dataprovider.GetCachedWebDAVUser(username)\n\tassert.False(t, ok)\n}\n\nfunc TestRecoverer(t *testing.T) {\n\tc := &Configuration{\n\t\tBindings: []Binding{\n\t\t\t{\n\t\t\t\tPort: 9000,\n\t\t\t},\n\t\t},\n\t}\n\tserver := webDavServer{\n\t\tconfig: c,\n\t\tbinding: c.Bindings[0],\n\t}\n\trr := httptest.NewRecorder()\n\tserver.ServeHTTP(rr, nil)\n\tassert.Equal(t, http.StatusInternalServerError, rr.Code)\n}\n\nfunc TestMimeCache(t *testing.T) {\n\tcache := mimeCache{\n\t\tmaxSize: 0,\n\t\tmimeTypes: make(map[string]string),\n\t}\n\tcache.addMimeToCache(\".zip\", \"application/zip\")\n\tmtype := cache.getMimeFromCache(\".zip\")\n\tassert.Equal(t, \"\", mtype)\n\tcache.maxSize = 1\n\tcache.addMimeToCache(\".zip\", \"application/zip\")\n\tmtype = cache.getMimeFromCache(\".zip\")\n\tassert.Equal(t, \"application/zip\", mtype)\n\tcache.addMimeToCache(\".jpg\", \"image/jpeg\")\n\tmtype = cache.getMimeFromCache(\".jpg\")\n\tassert.Equal(t, \"\", mtype)\n}\n\nfunc TestVerifyTLSConnection(t *testing.T) {\n\toldCertMgr := certMgr\n\n\tcaCrlPath := filepath.Join(os.TempDir(), \"testcrl.crt\")\n\tcertPath := filepath.Join(os.TempDir(), \"test.crt\")\n\tkeyPath := filepath.Join(os.TempDir(), \"test.key\")\n\terr := os.WriteFile(caCrlPath, []byte(caCRL), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(certPath, []byte(webDavCert), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(keyPath, []byte(webDavKey), os.ModePerm)\n\tassert.NoError(t, err)\n\n\tkeyPairs := []common.TLSKeyPair{\n\t\t{\n\t\t\tCert: certPath,\n\t\t\tKey: keyPath,\n\t\t\tID: common.DefaultTLSKeyPaidID,\n\t\t},\n\t}\n\tcertMgr, err = common.NewCertManager(keyPairs, \"\", \"webdav_test\")\n\tassert.NoError(t, err)\n\n\tcertMgr.SetCARevocationLists([]string{caCrlPath})\n\terr = certMgr.LoadCRLs()\n\tassert.NoError(t, err)\n\n\tcrt, err := tls.X509KeyPair([]byte(client1Crt), []byte(client1Key))\n\tassert.NoError(t, err)\n\tx509crt, err := x509.ParseCertificate(crt.Certificate[0])\n\tassert.NoError(t, err)\n\n\tserver := webDavServer{}\n\tstate := tls.ConnectionState{\n\t\tPeerCertificates: []*x509.Certificate{x509crt},\n\t}\n\n\terr = server.verifyTLSConnection(state)\n\tassert.Error(t, err) // no verified certification chain\n\n\tcrt, err = tls.X509KeyPair([]byte(caCRT), []byte(caKey))\n\tassert.NoError(t, err)\n\n\tx509CAcrt, err := x509.ParseCertificate(crt.Certificate[0])\n\tassert.NoError(t, err)\n\n\tstate.VerifiedChains = append(state.VerifiedChains, []*x509.Certificate{x509crt, x509CAcrt})\n\terr = server.verifyTLSConnection(state)\n\tassert.NoError(t, err)\n\n\tcrt, err = tls.X509KeyPair([]byte(client2Crt), []byte(client2Key))\n\tassert.NoError(t, err)\n\tx509crtRevoked, err := x509.ParseCertificate(crt.Certificate[0])\n\tassert.NoError(t, err)\n\n\tstate.VerifiedChains = append(state.VerifiedChains, []*x509.Certificate{x509crtRevoked, x509CAcrt})\n\tstate.PeerCertificates = []*x509.Certificate{x509crtRevoked}\n\terr = server.verifyTLSConnection(state)\n\tassert.EqualError(t, err, common.ErrCrtRevoked.Error())\n\n\terr = os.Remove(caCrlPath)\n\tassert.NoError(t, err)\n\terr = os.Remove(certPath)\n\tassert.NoError(t, err)\n\terr = os.Remove(keyPath)\n\tassert.NoError(t, err)\n\n\tcertMgr = oldCertMgr\n}\n\nfunc TestMisc(t *testing.T) {\n\toldCertMgr := certMgr\n\n\tcertMgr = nil\n\terr := ReloadCertificateMgr()\n\tassert.Nil(t, err)\n\tval := getConfigPath(\"\", \".\")\n\tassert.Empty(t, val)\n\n\tcertMgr = oldCertMgr\n}\n\nfunc TestParseTime(t *testing.T) {\n\tres, err := parseTime(\"Sat, 4 Feb 2023 17:00:50 GMT\")\n\trequire.NoError(t, err)\n\trequire.Equal(t, int64(1675530050), res.Unix())\n\tres, err = parseTime(\"Wed, 04 Nov 2020 13:25:51 GMT\")\n\trequire.NoError(t, err)\n\trequire.Equal(t, int64(1604496351), res.Unix())\n}\n\nfunc TestConfigsFromProvider(t *testing.T) {\n\tconfigDir := \".\"\n\terr := dataprovider.UpdateConfigs(nil, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tc := Configuration{\n\t\tBindings: []Binding{\n\t\t\t{\n\t\t\t\tPort: 1234,\n\t\t\t},\n\t\t},\n\t}\n\terr = c.loadFromProvider()\n\tassert.NoError(t, err)\n\tassert.Empty(t, c.acmeDomain)\n\tconfigs := dataprovider.Configs{\n\t\tACME: &dataprovider.ACMEConfigs{\n\t\t\tDomain: \"domain.com\",\n\t\t\tEmail: \"info@domain.com\",\n\t\t\tHTTP01Challenge: dataprovider.ACMEHTTP01Challenge{Port: 80},\n\t\t\tProtocols: 7,\n\t\t},\n\t}\n\terr = dataprovider.UpdateConfigs(&configs, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tutil.CertsBasePath = \"\"\n\t// crt and key empty\n\terr = c.loadFromProvider()\n\tassert.NoError(t, err)\n\tassert.Empty(t, c.acmeDomain)\n\tutil.CertsBasePath = filepath.Clean(os.TempDir())\n\t// crt not found\n\terr = c.loadFromProvider()\n\tassert.NoError(t, err)\n\tassert.Empty(t, c.acmeDomain)\n\tkeyPairs := c.getKeyPairs(configDir)\n\tassert.Len(t, keyPairs, 0)\n\tcrtPath := filepath.Join(util.CertsBasePath, util.SanitizeDomain(configs.ACME.Domain)+\".crt\")\n\terr = os.WriteFile(crtPath, nil, 0666)\n\tassert.NoError(t, err)\n\t// key not found\n\terr = c.loadFromProvider()\n\tassert.NoError(t, err)\n\tassert.Empty(t, c.acmeDomain)\n\tkeyPairs = c.getKeyPairs(configDir)\n\tassert.Len(t, keyPairs, 0)\n\tkeyPath := filepath.Join(util.CertsBasePath, util.SanitizeDomain(configs.ACME.Domain)+\".key\")\n\terr = os.WriteFile(keyPath, nil, 0666)\n\tassert.NoError(t, err)\n\t// acme cert used\n\terr = c.loadFromProvider()\n\tassert.NoError(t, err)\n\tassert.Equal(t, configs.ACME.Domain, c.acmeDomain)\n\tkeyPairs = c.getKeyPairs(configDir)\n\tassert.Len(t, keyPairs, 1)\n\tassert.True(t, c.Bindings[0].EnableHTTPS)\n\t// protocols does not match\n\tconfigs.ACME.Protocols = 3\n\terr = dataprovider.UpdateConfigs(&configs, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\tc.acmeDomain = \"\"\n\terr = c.loadFromProvider()\n\tassert.NoError(t, err)\n\tassert.Empty(t, c.acmeDomain)\n\tkeyPairs = c.getKeyPairs(configDir)\n\tassert.Len(t, keyPairs, 0)\n\n\terr = os.Remove(crtPath)\n\tassert.NoError(t, err)\n\terr = os.Remove(keyPath)\n\tassert.NoError(t, err)\n\tutil.CertsBasePath = \"\"\n\terr = dataprovider.UpdateConfigs(nil, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n}\n\nfunc TestGetCacheExpirationTime(t *testing.T) {\n\tc := UsersCacheConfig{}\n\tassert.True(t, c.getExpirationTime().IsZero())\n\tc.ExpirationTime = 1\n\tassert.False(t, c.getExpirationTime().IsZero())\n}\n\nfunc TestBindingGetAddress(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\tbinding Binding\n\t\twant string\n\t}{\n\t\t{\n\t\t\tname: \"IP address with port\",\n\t\t\tbinding: Binding{Address: \"127.0.0.1\", Port: 8080},\n\t\t\twant: \"127.0.0.1:8080\",\n\t\t},\n\t\t{\n\t\t\tname: \"Unix socket path (no port)\",\n\t\t\tbinding: Binding{Address: \"/tmp/app.sock\", Port: 0},\n\t\t\twant: \"/tmp/app.sock\",\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tif got := tt.binding.GetAddress(); got != tt.want {\n\t\t\t\tt.Errorf(\"GetAddress() = %v, want %v\", got, tt.want)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestBindingIsValid(t *testing.T) {\n\ttests := []struct {\n\t\tname string\n\t\tbinding Binding\n\t\twant bool\n\t}{\n\t\t{\n\t\t\tname: \"Valid: Positive port\",\n\t\t\tbinding: Binding{Address: \"127.0.0.1\", Port: 10080},\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Valid: Absolute path on Unix (non-Windows)\",\n\t\t\tbinding: Binding{Address: \"/var/run/app.sock\", Port: 0},\n\t\t\t// This test outcome is dynamic based on the OS\n\t\t\twant: runtime.GOOS != osWindows,\n\t\t},\n\t\t{\n\t\t\tname: \"Invalid: Port 0 and relative path\",\n\t\t\tbinding: Binding{Address: \"relative/path\", Port: 0},\n\t\t\twant: false,\n\t\t},\n\t\t{\n\t\t\tname: \"Invalid: Empty address and port 0\",\n\t\t\tbinding: Binding{Address: \"\", Port: 0},\n\t\t\twant: false,\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tif got := tt.binding.IsValid(); got != tt.want {\n\t\t\t\tt.Errorf(\"IsValid() = %v, want %v\", got, tt.want)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "internal/webdavd/mimecache.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage webdavd\n\nimport \"sync\"\n\ntype mimeCache struct {\n\tmaxSize int\n\tsync.RWMutex\n\tmimeTypes map[string]string\n}\n\nvar (\n\tmimeTypeCache mimeCache\n\tcustomMimeTypeMapping map[string]string\n)\n\nfunc (c *mimeCache) addMimeToCache(key, value string) {\n\tc.Lock()\n\tdefer c.Unlock()\n\n\tif key == \"\" || value == \"\" {\n\t\treturn\n\t}\n\n\tif len(c.mimeTypes) >= c.maxSize {\n\t\treturn\n\t}\n\tc.mimeTypes[key] = value\n}\n\nfunc (c *mimeCache) getMimeFromCache(key string) string {\n\tc.RLock()\n\tdefer c.RUnlock()\n\n\tif val, ok := c.mimeTypes[key]; ok {\n\t\treturn val\n\t}\n\treturn \"\"\n}\n" }, { "path": "internal/webdavd/server.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage webdavd\n\nimport (\n\t\"context\"\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"errors\"\n\t\"fmt\"\n\t\"log\"\n\t\"net\"\n\t\"net/http\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"runtime/debug\"\n\t\"slices\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/drakkan/webdav\"\n\t\"github.com/go-chi/chi/v5/middleware\"\n\t\"github.com/rs/cors\"\n\t\"github.com/rs/xid\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/sftpgo/sdk/plugin/notifier\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/metric\"\n\t\"github.com/drakkan/sftpgo/v2/internal/plugin\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/version\"\n)\n\ntype webDavServer struct {\n\tconfig *Configuration\n\tbinding Binding\n}\n\nfunc (s *webDavServer) listenAndServe(compressor *middleware.Compressor) error {\n\thandler := compressor.Handler(s)\n\thttpServer := &http.Server{\n\t\tReadHeaderTimeout: 30 * time.Second,\n\t\tIdleTimeout: 60 * time.Second,\n\t\tMaxHeaderBytes: 1 << 16, // 64KB\n\t\tErrorLog: log.New(&logger.StdLoggerWrapper{Sender: logSender}, \"\", 0),\n\t}\n\tif s.config.Cors.Enabled {\n\t\tc := cors.New(cors.Options{\n\t\t\tAllowedOrigins: util.RemoveDuplicates(s.config.Cors.AllowedOrigins, true),\n\t\t\tAllowedMethods: util.RemoveDuplicates(s.config.Cors.AllowedMethods, true),\n\t\t\tAllowedHeaders: util.RemoveDuplicates(s.config.Cors.AllowedHeaders, true),\n\t\t\tExposedHeaders: util.RemoveDuplicates(s.config.Cors.ExposedHeaders, true),\n\t\t\tMaxAge: s.config.Cors.MaxAge,\n\t\t\tAllowCredentials: s.config.Cors.AllowCredentials,\n\t\t\tOptionsPassthrough: s.config.Cors.OptionsPassthrough,\n\t\t\tOptionsSuccessStatus: s.config.Cors.OptionsSuccessStatus,\n\t\t\tAllowPrivateNetwork: s.config.Cors.AllowPrivateNetwork,\n\t\t})\n\t\thandler = c.Handler(handler)\n\t}\n\thttpServer.Handler = handler\n\tif certMgr != nil && s.binding.EnableHTTPS {\n\t\tserviceStatus.Bindings = append(serviceStatus.Bindings, s.binding)\n\t\tcertID := common.DefaultTLSKeyPaidID\n\t\tif getConfigPath(s.binding.CertificateFile, \"\") != \"\" && getConfigPath(s.binding.CertificateKeyFile, \"\") != \"\" {\n\t\t\tcertID = s.binding.GetAddress()\n\t\t}\n\t\thttpServer.TLSConfig = &tls.Config{\n\t\t\tGetCertificate: certMgr.GetCertificateFunc(certID),\n\t\t\tMinVersion: util.GetTLSVersion(s.binding.MinTLSVersion),\n\t\t\tNextProtos: util.GetALPNProtocols(s.binding.Protocols),\n\t\t\tCipherSuites: util.GetTLSCiphersFromNames(s.binding.TLSCipherSuites),\n\t\t}\n\t\tlogger.Debug(logSender, \"\", \"configured TLS cipher suites for binding %q: %v, certID: %v\",\n\t\t\ts.binding.GetAddress(), httpServer.TLSConfig.CipherSuites, certID)\n\t\tif s.binding.isMutualTLSEnabled() {\n\t\t\thttpServer.TLSConfig.ClientCAs = certMgr.GetRootCAs()\n\t\t\thttpServer.TLSConfig.VerifyConnection = s.verifyTLSConnection\n\t\t\tswitch s.binding.ClientAuthType {\n\t\t\tcase 1:\n\t\t\t\thttpServer.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert\n\t\t\tcase 2:\n\t\t\t\thttpServer.TLSConfig.ClientAuth = tls.VerifyClientCertIfGiven\n\t\t\t}\n\t\t}\n\t\treturn util.HTTPListenAndServe(httpServer, s.binding.Address, s.binding.Port, true,\n\t\t\ts.binding.listenerWrapper(), logSender)\n\t}\n\ts.binding.EnableHTTPS = false\n\tserviceStatus.Bindings = append(serviceStatus.Bindings, s.binding)\n\treturn util.HTTPListenAndServe(httpServer, s.binding.Address, s.binding.Port, false,\n\t\ts.binding.listenerWrapper(), logSender)\n}\n\nfunc (s *webDavServer) verifyTLSConnection(state tls.ConnectionState) error {\n\tif certMgr != nil {\n\t\tvar clientCrt *x509.Certificate\n\t\tvar clientCrtName string\n\t\tif len(state.PeerCertificates) > 0 {\n\t\t\tclientCrt = state.PeerCertificates[0]\n\t\t\tclientCrtName = clientCrt.Subject.String()\n\t\t}\n\t\tif len(state.VerifiedChains) == 0 {\n\t\t\tif s.binding.ClientAuthType == 2 {\n\t\t\t\treturn nil\n\t\t\t}\n\t\t\tlogger.Warn(logSender, \"\", \"TLS connection cannot be verified: unable to get verification chain\")\n\t\t\treturn errors.New(\"TLS connection cannot be verified: unable to get verification chain\")\n\t\t}\n\t\tfor _, verifiedChain := range state.VerifiedChains {\n\t\t\tvar caCrt *x509.Certificate\n\t\t\tif len(verifiedChain) > 0 {\n\t\t\t\tcaCrt = verifiedChain[len(verifiedChain)-1]\n\t\t\t}\n\t\t\tif certMgr.IsRevoked(clientCrt, caCrt) {\n\t\t\t\tlogger.Debug(logSender, \"\", \"tls handshake error, client certificate %q has been revoked\", clientCrtName)\n\t\t\t\treturn common.ErrCrtRevoked\n\t\t\t}\n\t\t}\n\t}\n\n\treturn nil\n}\n\n// returns true if we have to handle a HEAD response, for a directory, ourself\nfunc (s *webDavServer) checkRequestMethod(ctx context.Context, r *http.Request, connection *Connection) bool {\n\t// see RFC4918, section 9.4\n\tif r.Method == http.MethodGet || r.Method == http.MethodHead {\n\t\tp := path.Clean(r.URL.Path)\n\t\tif s.binding.Prefix != \"\" {\n\t\t\tp = strings.TrimPrefix(p, s.binding.Prefix)\n\t\t}\n\t\tinfo, err := connection.Stat(ctx, p)\n\t\tif err == nil && info.IsDir() {\n\t\t\tif r.Method == http.MethodHead {\n\t\t\t\treturn true\n\t\t\t}\n\t\t\tr.Method = \"PROPFIND\"\n\t\t\tif r.Header.Get(\"Depth\") == \"\" {\n\t\t\t\tr.Header.Add(\"Depth\", \"1\")\n\t\t\t}\n\t\t}\n\t}\n\treturn false\n}\n\n// ServeHTTP implements the http.Handler interface\nfunc (s *webDavServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {\n\tdefer func() {\n\t\tif r := recover(); r != nil {\n\t\t\tlogger.Error(logSender, \"\", \"panic in ServeHTTP: %q stack trace: %v\", r, string(debug.Stack()))\n\t\t\thttp.Error(w, common.ErrGenericFailure.Error(), http.StatusInternalServerError)\n\t\t}\n\t}()\n\n\tresponseControllerDeadlines(\n\t\thttp.NewResponseController(w),\n\t\ttime.Now().Add(60*time.Second),\n\t\ttime.Now().Add(60*time.Second),\n\t)\n\tw.Header().Set(\"Server\", version.GetServerVersion(\"/\", false))\n\tipAddr := s.checkRemoteAddress(r)\n\n\tcommon.Connections.AddClientConnection(ipAddr)\n\tdefer common.Connections.RemoveClientConnection(ipAddr)\n\n\tif err := common.Connections.IsNewConnectionAllowed(ipAddr, common.ProtocolWebDAV); err != nil {\n\t\tlogger.Log(logger.LevelDebug, common.ProtocolWebDAV, \"\", \"connection not allowed from ip %q: %v\", ipAddr, err)\n\t\thttp.Error(w, err.Error(), http.StatusServiceUnavailable)\n\t\treturn\n\t}\n\tif common.IsBanned(ipAddr, common.ProtocolWebDAV) {\n\t\thttp.Error(w, common.ErrConnectionDenied.Error(), http.StatusForbidden)\n\t\treturn\n\t}\n\tdelay, err := common.LimitRate(common.ProtocolWebDAV, ipAddr)\n\tif err != nil {\n\t\tdelay += 499999999 * time.Nanosecond\n\t\tw.Header().Set(\"Retry-After\", fmt.Sprintf(\"%.0f\", delay.Seconds()))\n\t\tw.Header().Set(\"X-Retry-In\", delay.String())\n\t\thttp.Error(w, err.Error(), http.StatusTooManyRequests)\n\t\treturn\n\t}\n\tif err := common.Config.ExecutePostConnectHook(ipAddr, common.ProtocolWebDAV); err != nil {\n\t\thttp.Error(w, common.ErrConnectionDenied.Error(), http.StatusForbidden)\n\t\treturn\n\t}\n\tuser, isCached, lockSystem, loginMethod, err := s.authenticate(r, ipAddr)\n\tif err != nil {\n\t\tif !s.binding.DisableWWWAuthHeader {\n\t\t\tw.Header().Set(\"WWW-Authenticate\", fmt.Sprintf(\"Basic realm=\\\"%s WebDAV\\\"\", version.GetServerVersion(\"_\", false)))\n\t\t}\n\t\thttp.Error(w, fmt.Sprintf(\"Authentication error: %v\", err), http.StatusUnauthorized)\n\t\treturn\n\t}\n\n\tconnectionID, err := s.validateUser(&user, r, loginMethod)\n\tif err != nil {\n\t\t// remove the cached user, we have not yet validated its filesystem\n\t\tdataprovider.RemoveCachedWebDAVUser(user.Username)\n\t\tupdateLoginMetrics(&user, ipAddr, loginMethod, err, r)\n\t\thttp.Error(w, err.Error(), http.StatusForbidden)\n\t\treturn\n\t}\n\n\tif !isCached {\n\t\terr = user.CheckFsRoot(connectionID)\n\t} else {\n\t\t_, err = user.GetFilesystemForPath(\"/\", connectionID)\n\t}\n\tif err != nil {\n\t\terrClose := user.CloseFs()\n\t\tlogger.Warn(logSender, connectionID, \"unable to check fs root: %v close fs error: %v\", err, errClose)\n\t\tupdateLoginMetrics(&user, ipAddr, loginMethod, common.ErrInternalFailure, r)\n\t\thttp.Error(w, err.Error(), http.StatusInternalServerError)\n\t\treturn\n\t}\n\n\tbaseConn := common.NewBaseConnection(connectionID, common.ProtocolWebDAV, util.GetHTTPLocalAddress(r),\n\t\tr.RemoteAddr, user)\n\tconnection := newConnection(baseConn, w, r)\n\tif err = common.Connections.Add(connection); err != nil {\n\t\terrClose := user.CloseFs()\n\t\tlogger.Warn(logSender, connectionID, \"unable add connection: %v close fs error: %v\", err, errClose)\n\t\tupdateLoginMetrics(&user, ipAddr, loginMethod, err, r)\n\t\thttp.Error(w, err.Error(), http.StatusTooManyRequests)\n\t\treturn\n\t}\n\tdefer common.Connections.Remove(connection.GetID())\n\n\tupdateLoginMetrics(&user, ipAddr, loginMethod, err, r)\n\n\tctx := context.WithValue(r.Context(), requestIDKey, connectionID)\n\tctx = context.WithValue(ctx, requestStartKey, time.Now())\n\n\tdataprovider.UpdateLastLogin(&user)\n\n\tif s.checkRequestMethod(ctx, r, connection) {\n\t\tw.Header().Set(\"Content-Type\", \"text/xml; charset=utf-8\")\n\t\tw.WriteHeader(http.StatusMultiStatus)\n\t\tw.Write([]byte(\"\")) //nolint:errcheck\n\t\twriteLog(r, http.StatusMultiStatus, nil)\n\t\treturn\n\t}\n\n\thandler := webdav.Handler{\n\t\tPrefix: s.binding.Prefix,\n\t\tFileSystem: connection,\n\t\tLockSystem: lockSystem,\n\t\tLogger: writeLog,\n\t}\n\thandler.ServeHTTP(w, r.WithContext(ctx))\n}\n\nfunc (s *webDavServer) getCredentialsAndLoginMethod(r *http.Request) (string, string, string, *x509.Certificate, bool) {\n\tvar tlsCert *x509.Certificate\n\tloginMethod := dataprovider.LoginMethodPassword\n\tusername, password, ok := r.BasicAuth()\n\tif s.binding.isMutualTLSEnabled() && r.TLS != nil {\n\t\tif len(r.TLS.PeerCertificates) > 0 {\n\t\t\ttlsCert = r.TLS.PeerCertificates[0]\n\t\t\tif ok {\n\t\t\t\tloginMethod = dataprovider.LoginMethodTLSCertificateAndPwd\n\t\t\t} else {\n\t\t\t\tloginMethod = dataprovider.LoginMethodTLSCertificate\n\t\t\t\tusername = tlsCert.Subject.CommonName\n\t\t\t\tpassword = \"\"\n\t\t\t}\n\t\t\tok = true\n\t\t}\n\t}\n\treturn username, password, loginMethod, tlsCert, ok\n}\n\nfunc (s *webDavServer) authenticate(r *http.Request, ip string) (dataprovider.User, bool, webdav.LockSystem, string, error) {\n\tvar user dataprovider.User\n\tvar err error\n\tusername, password, loginMethod, tlsCert, ok := s.getCredentialsAndLoginMethod(r)\n\tif !ok {\n\t\tuser.Username = username\n\t\treturn user, false, nil, loginMethod, common.ErrNoCredentials\n\t}\n\tcachedUser, ok := dataprovider.GetCachedWebDAVUser(username)\n\tif ok {\n\t\tif cachedUser.IsExpired() {\n\t\t\tdataprovider.RemoveCachedWebDAVUser(username)\n\t\t} else {\n\t\t\tif !cachedUser.User.IsTLSVerificationEnabled() {\n\t\t\t\t// for backward compatibility with 2.0.x we only check the password\n\t\t\t\ttlsCert = nil\n\t\t\t\tloginMethod = dataprovider.LoginMethodPassword\n\t\t\t}\n\t\t\tcu, u, err := dataprovider.CheckCachedUserCredentials(cachedUser, password, ip, loginMethod, common.ProtocolWebDAV, tlsCert)\n\t\t\tif err == nil {\n\t\t\t\tif cu != nil {\n\t\t\t\t\treturn cu.User, true, cu.LockSystem, loginMethod, nil\n\t\t\t\t}\n\t\t\t\tlockSystem := webdav.NewMemLS()\n\t\t\t\tcachedUser = &dataprovider.CachedUser{\n\t\t\t\t\tUser: *u,\n\t\t\t\t\tPassword: password,\n\t\t\t\t\tLockSystem: lockSystem,\n\t\t\t\t\tExpiration: s.config.Cache.Users.getExpirationTime(),\n\t\t\t\t}\n\t\t\t\tdataprovider.CacheWebDAVUser(cachedUser)\n\t\t\t\treturn cachedUser.User, false, cachedUser.LockSystem, loginMethod, nil\n\t\t\t}\n\t\t\tupdateLoginMetrics(&cachedUser.User, ip, loginMethod, dataprovider.ErrInvalidCredentials, r)\n\t\t\treturn user, false, nil, loginMethod, dataprovider.ErrInvalidCredentials\n\t\t}\n\t}\n\tuser, loginMethod, err = dataprovider.CheckCompositeCredentials(username, password, ip, loginMethod,\n\t\tcommon.ProtocolWebDAV, tlsCert)\n\tif err != nil {\n\t\tuser.Username = username\n\t\tupdateLoginMetrics(&user, ip, loginMethod, err, r)\n\t\treturn user, false, nil, loginMethod, dataprovider.ErrInvalidCredentials\n\t}\n\tlockSystem := webdav.NewMemLS()\n\tcachedUser = &dataprovider.CachedUser{\n\t\tUser: user,\n\t\tPassword: password,\n\t\tLockSystem: lockSystem,\n\t\tExpiration: s.config.Cache.Users.getExpirationTime(),\n\t}\n\tdataprovider.CacheWebDAVUser(cachedUser)\n\treturn user, false, lockSystem, loginMethod, nil\n}\n\nfunc (s *webDavServer) validateUser(user *dataprovider.User, r *http.Request, loginMethod string) (string, error) {\n\tconnID := xid.New().String()\n\tconnectionID := fmt.Sprintf(\"%v_%v\", common.ProtocolWebDAV, connID)\n\n\tif !filepath.IsAbs(user.HomeDir) {\n\t\tlogger.Warn(logSender, connectionID, \"user %q has an invalid home dir: %q. Home dir must be an absolute path, login not allowed\",\n\t\t\tuser.Username, user.HomeDir)\n\t\treturn connID, fmt.Errorf(\"cannot login user with invalid home dir: %q\", user.HomeDir)\n\t}\n\tif slices.Contains(user.Filters.DeniedProtocols, common.ProtocolWebDAV) {\n\t\tlogger.Info(logSender, connectionID, \"cannot login user %q, protocol DAV is not allowed\", user.Username)\n\t\treturn connID, fmt.Errorf(\"protocol DAV is not allowed for user %q\", user.Username)\n\t}\n\tif !user.IsLoginMethodAllowed(loginMethod, common.ProtocolWebDAV) {\n\t\tlogger.Info(logSender, connectionID, \"cannot login user %q, %v login method is not allowed\",\n\t\t\tuser.Username, loginMethod)\n\t\treturn connID, fmt.Errorf(\"login method %v is not allowed for user %q\", loginMethod, user.Username)\n\t}\n\tif !user.IsLoginFromAddrAllowed(r.RemoteAddr) {\n\t\tlogger.Info(logSender, connectionID, \"cannot login user %q, remote address is not allowed: %v\",\n\t\t\tuser.Username, r.RemoteAddr)\n\t\treturn connID, fmt.Errorf(\"login for user %q is not allowed from this address: %v\", user.Username, r.RemoteAddr)\n\t}\n\treturn connID, nil\n}\n\nfunc (s *webDavServer) checkRemoteAddress(r *http.Request) string {\n\tipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)\n\tvar ip net.IP\n\tisUnixSocket := filepath.IsAbs(s.binding.Address)\n\tif !isUnixSocket {\n\t\tip = net.ParseIP(ipAddr)\n\t}\n\tif isUnixSocket || ip != nil {\n\t\tfor _, allow := range s.binding.allowHeadersFrom {\n\t\t\tif allow(ip) {\n\t\t\t\tparsedIP := util.GetRealIP(r, s.binding.ClientIPProxyHeader, s.binding.ClientIPHeaderDepth)\n\t\t\t\tif parsedIP != \"\" {\n\t\t\t\t\tipAddr = parsedIP\n\t\t\t\t\tr.RemoteAddr = ipAddr\n\t\t\t\t}\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t}\n\treturn ipAddr\n}\n\nfunc responseControllerDeadlines(rc *http.ResponseController, read, write time.Time) {\n\tif err := rc.SetReadDeadline(read); err != nil {\n\t\tlogger.Error(logSender, \"\", \"unable to set read timeout to %s: %v\", read, err)\n\t}\n\tif err := rc.SetWriteDeadline(write); err != nil {\n\t\tlogger.Error(logSender, \"\", \"unable to set write timeout to %s: %v\", write, err)\n\t}\n}\n\nfunc writeLog(r *http.Request, status int, err error) {\n\tscheme := \"http\"\n\tcipherSuite := \"\"\n\tif r.TLS != nil {\n\t\tscheme = \"https\"\n\t\tcipherSuite = tls.CipherSuiteName(r.TLS.CipherSuite)\n\t}\n\tfields := map[string]any{\n\t\t\"remote_addr\": r.RemoteAddr,\n\t\t\"proto\": r.Proto,\n\t\t\"method\": r.Method,\n\t\t\"user_agent\": r.UserAgent(),\n\t\t\"uri\": fmt.Sprintf(\"%s://%s%s\", scheme, r.Host, r.RequestURI),\n\t\t\"cipher_suite\": cipherSuite,\n\t}\n\tif reqID, ok := r.Context().Value(requestIDKey).(string); ok {\n\t\tfields[\"request_id\"] = reqID\n\t}\n\tif reqStart, ok := r.Context().Value(requestStartKey).(time.Time); ok {\n\t\tfields[\"elapsed_ms\"] = time.Since(reqStart).Nanoseconds() / 1000000\n\t}\n\tif depth := r.Header.Get(\"Depth\"); depth != \"\" {\n\t\tfields[\"depth\"] = depth\n\t}\n\tif contentLength := r.Header.Get(\"Content-Length\"); contentLength != \"\" {\n\t\tfields[\"content_length\"] = contentLength\n\t}\n\tif timeout := r.Header.Get(\"Timeout\"); timeout != \"\" {\n\t\tfields[\"timeout\"] = timeout\n\t}\n\tif status != 0 {\n\t\tfields[\"resp_status\"] = status\n\t}\n\tvar ev *zerolog.Event\n\tif status >= http.StatusInternalServerError {\n\t\tev = logger.GetLogger().Error()\n\t} else if status >= http.StatusBadRequest {\n\t\tev = logger.GetLogger().Warn()\n\t} else {\n\t\tev = logger.GetLogger().Debug()\n\t}\n\tev.\n\t\tTimestamp().\n\t\tStr(\"sender\", logSender).\n\t\tFields(fields).\n\t\tErr(err).\n\t\tSend()\n}\n\nfunc updateLoginMetrics(user *dataprovider.User, ip, loginMethod string, err error, r *http.Request) {\n\tmetric.AddLoginAttempt(loginMethod)\n\tif err == nil {\n\t\tlogger.LoginLog(user.Username, ip, loginMethod, common.ProtocolWebDAV, \"\", r.UserAgent(), r.TLS != nil, \"\")\n\t\tplugin.Handler.NotifyLogEvent(notifier.LogEventTypeLoginOK, common.ProtocolWebDAV, user.Username, ip, \"\", nil)\n\t\tcommon.DelayLogin(nil)\n\t} else if err != common.ErrInternalFailure && err != common.ErrNoCredentials {\n\t\tlogger.ConnectionFailedLog(user.Username, ip, loginMethod, common.ProtocolWebDAV, err.Error())\n\t\tevent := common.HostEventLoginFailed\n\t\tlogEv := notifier.LogEventTypeLoginFailed\n\t\tif errors.Is(err, util.ErrNotFound) {\n\t\t\tevent = common.HostEventUserNotFound\n\t\t\tlogEv = notifier.LogEventTypeLoginNoUser\n\t\t}\n\t\tcommon.AddDefenderEvent(ip, common.ProtocolWebDAV, event)\n\t\tplugin.Handler.NotifyLogEvent(logEv, common.ProtocolWebDAV, user.Username, ip, \"\", err)\n\t\tif loginMethod != dataprovider.LoginMethodTLSCertificate {\n\t\t\tcommon.DelayLogin(err)\n\t\t}\n\t}\n\tmetric.AddLoginResult(loginMethod, err)\n\tdataprovider.ExecutePostLoginHook(user, loginMethod, ip, common.ProtocolWebDAV, err)\n}\n" }, { "path": "internal/webdavd/webdavd.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n// Package webdavd implements the WebDAV protocol\npackage webdavd\n\nimport (\n\t\"fmt\"\n\t\"net\"\n\t\"net/http\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"time\"\n\n\t\"github.com/go-chi/chi/v5/middleware\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n)\n\ntype ctxReqParams int\n\nconst (\n\trequestIDKey ctxReqParams = iota\n\trequestStartKey\n)\n\nconst (\n\tlogSender = \"webdavd\"\n)\n\nvar (\n\tcertMgr *common.CertManager\n\tserviceStatus ServiceStatus\n\ttimeFormats = []string{\n\t\thttp.TimeFormat,\n\t\t\"Mon, _2 Jan 2006 15:04:05 GMT\",\n\t\ttime.RFC850,\n\t\ttime.ANSIC,\n\t}\n)\n\n// ServiceStatus defines the service status\ntype ServiceStatus struct {\n\tIsActive bool `json:\"is_active\"`\n\tBindings []Binding `json:\"bindings\"`\n}\n\n// CorsConfig defines the CORS configuration\ntype CorsConfig struct {\n\tAllowedOrigins []string `json:\"allowed_origins\" mapstructure:\"allowed_origins\"`\n\tAllowedMethods []string `json:\"allowed_methods\" mapstructure:\"allowed_methods\"`\n\tAllowedHeaders []string `json:\"allowed_headers\" mapstructure:\"allowed_headers\"`\n\tExposedHeaders []string `json:\"exposed_headers\" mapstructure:\"exposed_headers\"`\n\tAllowCredentials bool `json:\"allow_credentials\" mapstructure:\"allow_credentials\"`\n\tEnabled bool `json:\"enabled\" mapstructure:\"enabled\"`\n\tMaxAge int `json:\"max_age\" mapstructure:\"max_age\"`\n\tOptionsPassthrough bool `json:\"options_passthrough\" mapstructure:\"options_passthrough\"`\n\tOptionsSuccessStatus int `json:\"options_success_status\" mapstructure:\"options_success_status\"`\n\tAllowPrivateNetwork bool `json:\"allow_private_network\" mapstructure:\"allow_private_network\"`\n}\n\n// CustomMimeMapping defines additional, user defined mime mappings\ntype CustomMimeMapping struct {\n\tExt string `json:\"ext\" mapstructure:\"ext\"`\n\tMime string `json:\"mime\" mapstructure:\"mime\"`\n}\n\n// UsersCacheConfig defines the cache configuration for users\ntype UsersCacheConfig struct {\n\tExpirationTime int `json:\"expiration_time\" mapstructure:\"expiration_time\"`\n\tMaxSize int `json:\"max_size\" mapstructure:\"max_size\"`\n}\n\nfunc (c *UsersCacheConfig) getExpirationTime() time.Time {\n\tif c.ExpirationTime > 0 {\n\t\treturn time.Now().Add(time.Duration(c.ExpirationTime) * time.Minute)\n\t}\n\treturn time.Time{}\n}\n\n// MimeCacheConfig defines the cache configuration for mime types\ntype MimeCacheConfig struct {\n\tEnabled bool `json:\"enabled\" mapstructure:\"enabled\"`\n\tMaxSize int `json:\"max_size\" mapstructure:\"max_size\"`\n\tCustomMappings []CustomMimeMapping `json:\"custom_mappings\" mapstructure:\"custom_mappings\"`\n}\n\n// Cache configuration\ntype Cache struct {\n\tUsers UsersCacheConfig `json:\"users\" mapstructure:\"users\"`\n\tMimeTypes MimeCacheConfig `json:\"mime_types\" mapstructure:\"mime_types\"`\n}\n\n// Binding defines the configuration for a network listener\ntype Binding struct {\n\t// The address to listen on. A blank value means listen on all available network interfaces.\n\tAddress string `json:\"address\" mapstructure:\"address\"`\n\t// The port used for serving requests\n\tPort int `json:\"port\" mapstructure:\"port\"`\n\t// you also need to provide a certificate for enabling HTTPS\n\tEnableHTTPS bool `json:\"enable_https\" mapstructure:\"enable_https\"`\n\t// Certificate and matching private key for this specific binding, if empty the global\n\t// ones will be used, if any\n\tCertificateFile string `json:\"certificate_file\" mapstructure:\"certificate_file\"`\n\tCertificateKeyFile string `json:\"certificate_key_file\" mapstructure:\"certificate_key_file\"`\n\t// Defines the minimum TLS version. 13 means TLS 1.3, default is TLS 1.2\n\tMinTLSVersion int `json:\"min_tls_version\" mapstructure:\"min_tls_version\"`\n\t// set to 1 to require client certificate authentication in addition to basic auth.\n\t// You need to define at least a certificate authority for this to work\n\tClientAuthType int `json:\"client_auth_type\" mapstructure:\"client_auth_type\"`\n\t// TLSCipherSuites is a list of supported cipher suites for TLS version 1.2.\n\t// If CipherSuites is nil/empty, a default list of secure cipher suites\n\t// is used, with a preference order based on hardware performance.\n\t// Note that TLS 1.3 ciphersuites are not configurable.\n\t// The supported ciphersuites names are defined here:\n\t//\n\t// https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L53\n\t//\n\t// any invalid name will be silently ignored.\n\t// The order matters, the ciphers listed first will be the preferred ones.\n\tTLSCipherSuites []string `json:\"tls_cipher_suites\" mapstructure:\"tls_cipher_suites\"`\n\t// HTTP protocols to enable in preference order. Supported values: http/1.1, h2\n\tProtocols []string `json:\"tls_protocols\" mapstructure:\"tls_protocols\"`\n\t// Prefix for WebDAV resources, if empty WebDAV resources will be available at the\n\t// root (\"/\") URI. If defined it must be an absolute URI.\n\tPrefix string `json:\"prefix\" mapstructure:\"prefix\"`\n\t// Defines whether to use the common proxy protocol configuration or the\n\t// binding-specific proxy header configuration.\n\tProxyMode int `json:\"proxy_mode\" mapstructure:\"proxy_mode\"`\n\t// List of IP addresses and IP ranges allowed to set client IP proxy headers\n\tProxyAllowed []string `json:\"proxy_allowed\" mapstructure:\"proxy_allowed\"`\n\t// Allowed client IP proxy header such as \"X-Forwarded-For\", \"X-Real-IP\"\n\tClientIPProxyHeader string `json:\"client_ip_proxy_header\" mapstructure:\"client_ip_proxy_header\"`\n\t// Some client IP headers such as \"X-Forwarded-For\" can contain multiple IP address, this setting\n\t// define the position to trust starting from the right. For example if we have:\n\t// \"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1\" and the depth is 0, SFTPGo will use \"13.0.0.1\"\n\t// as client IP, if depth is 1, \"12.0.0.1\" will be used and so on\n\tClientIPHeaderDepth int `json:\"client_ip_header_depth\" mapstructure:\"client_ip_header_depth\"`\n\t// Do not add the WWW-Authenticate header after an authentication error,\n\t// only the 401 status code will be sent\n\tDisableWWWAuthHeader bool `json:\"disable_www_auth_header\" mapstructure:\"disable_www_auth_header\"`\n\tallowHeadersFrom []func(net.IP) bool\n}\n\nfunc (b *Binding) parseAllowedProxy() error {\n\tif filepath.IsAbs(b.Address) && len(b.ProxyAllowed) > 0 {\n\t\t// unix domain socket\n\t\tb.allowHeadersFrom = []func(net.IP) bool{func(_ net.IP) bool { return true }}\n\t\treturn nil\n\t}\n\tallowedFuncs, err := util.ParseAllowedIPAndRanges(b.ProxyAllowed)\n\tif err != nil {\n\t\treturn err\n\t}\n\tb.allowHeadersFrom = allowedFuncs\n\treturn nil\n}\n\nfunc (b *Binding) isMutualTLSEnabled() bool {\n\treturn b.ClientAuthType == 1 || b.ClientAuthType == 2\n}\n\n// GetAddress returns the binding address\nfunc (b *Binding) GetAddress() string {\n\tif b.Port > 0 {\n\t\treturn fmt.Sprintf(\"%s:%d\", b.Address, b.Port)\n\t}\n\treturn b.Address\n}\n\n// IsValid returns true if the binding is valid\nfunc (b *Binding) IsValid() bool {\n\tif b.Port > 0 {\n\t\treturn true\n\t}\n\tif filepath.IsAbs(b.Address) && runtime.GOOS != \"windows\" {\n\t\treturn true\n\t}\n\treturn false\n}\n\nfunc (b *Binding) listenerWrapper() func(net.Listener) (net.Listener, error) {\n\tif b.ProxyMode == 1 {\n\t\treturn common.Config.GetProxyListener\n\t}\n\treturn nil\n}\n\n// Configuration defines the configuration for the WevDAV server\ntype Configuration struct {\n\t// Addresses and ports to bind to\n\tBindings []Binding `json:\"bindings\" mapstructure:\"bindings\"`\n\t// If files containing a certificate and matching private key for the server are provided you\n\t// can enable HTTPS connections for the configured bindings\n\t// Certificate and key files can be reloaded on demand sending a \"SIGHUP\" signal on Unix based systems and a\n\t// \"paramchange\" request to the running service on Windows.\n\tCertificateFile string `json:\"certificate_file\" mapstructure:\"certificate_file\"`\n\tCertificateKeyFile string `json:\"certificate_key_file\" mapstructure:\"certificate_key_file\"`\n\t// CACertificates defines the set of root certificate authorities to be used to verify client certificates.\n\tCACertificates []string `json:\"ca_certificates\" mapstructure:\"ca_certificates\"`\n\t// CARevocationLists defines a set a revocation lists, one for each root CA, to be used to check\n\t// if a client certificate has been revoked\n\tCARevocationLists []string `json:\"ca_revocation_lists\" mapstructure:\"ca_revocation_lists\"`\n\t// CORS configuration\n\tCors CorsConfig `json:\"cors\" mapstructure:\"cors\"`\n\t// Cache configuration\n\tCache Cache `json:\"cache\" mapstructure:\"cache\"`\n\tacmeDomain string\n}\n\n// GetStatus returns the server status\nfunc GetStatus() ServiceStatus {\n\treturn serviceStatus\n}\n\n// ShouldBind returns true if there is at least a valid binding\nfunc (c *Configuration) ShouldBind() bool {\n\tfor _, binding := range c.Bindings {\n\t\tif binding.IsValid() {\n\t\t\treturn true\n\t\t}\n\t}\n\n\treturn false\n}\n\nfunc (c *Configuration) getKeyPairs(configDir string) []common.TLSKeyPair {\n\tvar keyPairs []common.TLSKeyPair\n\n\tfor _, binding := range c.Bindings {\n\t\tcertificateFile := getConfigPath(binding.CertificateFile, configDir)\n\t\tcertificateKeyFile := getConfigPath(binding.CertificateKeyFile, configDir)\n\t\tif certificateFile != \"\" && certificateKeyFile != \"\" {\n\t\t\tkeyPairs = append(keyPairs, common.TLSKeyPair{\n\t\t\t\tCert: certificateFile,\n\t\t\t\tKey: certificateKeyFile,\n\t\t\t\tID: binding.GetAddress(),\n\t\t\t})\n\t\t}\n\t}\n\tvar certificateFile, certificateKeyFile string\n\tif c.acmeDomain != \"\" {\n\t\tcertificateFile, certificateKeyFile = util.GetACMECertificateKeyPair(c.acmeDomain)\n\t} else {\n\t\tcertificateFile = getConfigPath(c.CertificateFile, configDir)\n\t\tcertificateKeyFile = getConfigPath(c.CertificateKeyFile, configDir)\n\t}\n\tif certificateFile != \"\" && certificateKeyFile != \"\" {\n\t\tkeyPairs = append(keyPairs, common.TLSKeyPair{\n\t\t\tCert: certificateFile,\n\t\t\tKey: certificateKeyFile,\n\t\t\tID: common.DefaultTLSKeyPaidID,\n\t\t})\n\t}\n\treturn keyPairs\n}\n\nfunc (c *Configuration) loadFromProvider() error {\n\tconfigs, err := dataprovider.GetConfigs()\n\tif err != nil {\n\t\treturn fmt.Errorf(\"unable to load config from provider: %w\", err)\n\t}\n\tconfigs.SetNilsToEmpty()\n\tif configs.ACME.Domain == \"\" || !configs.ACME.HasProtocol(common.ProtocolWebDAV) {\n\t\treturn nil\n\t}\n\tcrt, key := util.GetACMECertificateKeyPair(configs.ACME.Domain)\n\tif crt != \"\" && key != \"\" {\n\t\tif _, err := os.Stat(crt); err != nil {\n\t\t\tlogger.Error(logSender, \"\", \"unable to load acme cert file %q: %v\", crt, err)\n\t\t\treturn nil\n\t\t}\n\t\tif _, err := os.Stat(key); err != nil {\n\t\t\tlogger.Error(logSender, \"\", \"unable to load acme key file %q: %v\", key, err)\n\t\t\treturn nil\n\t\t}\n\t\tfor idx := range c.Bindings {\n\t\t\tc.Bindings[idx].EnableHTTPS = true\n\t\t}\n\t\tc.acmeDomain = configs.ACME.Domain\n\t\tlogger.Info(logSender, \"\", \"acme domain set to %q\", c.acmeDomain)\n\t\treturn nil\n\t}\n\treturn nil\n}\n\n// Initialize configures and starts the WebDAV server\nfunc (c *Configuration) Initialize(configDir string) error {\n\tif err := c.loadFromProvider(); err != nil {\n\t\treturn err\n\t}\n\tlogger.Info(logSender, \"\", \"initializing WebDAV server with config %+v\", *c)\n\tmimeTypeCache = mimeCache{\n\t\tmaxSize: c.Cache.MimeTypes.MaxSize,\n\t\tmimeTypes: make(map[string]string),\n\t}\n\tif !c.Cache.MimeTypes.Enabled {\n\t\tmimeTypeCache.maxSize = 0\n\t} else {\n\t\tcustomMimeTypeMapping = make(map[string]string)\n\t\tfor _, m := range c.Cache.MimeTypes.CustomMappings {\n\t\t\tif m.Mime != \"\" {\n\t\t\t\tlogger.Debug(logSender, \"\", \"adding custom mime mapping for extension %q, mime type %q\", m.Ext, m.Mime)\n\t\t\t\tcustomMimeTypeMapping[m.Ext] = m.Mime\n\t\t\t}\n\t\t}\n\t}\n\n\tif !c.ShouldBind() {\n\t\treturn common.ErrNoBinding\n\t}\n\n\tkeyPairs := c.getKeyPairs(configDir)\n\tif len(keyPairs) > 0 {\n\t\tmgr, err := common.NewCertManager(keyPairs, configDir, logSender)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tmgr.SetCACertificates(c.CACertificates)\n\t\tif err := mgr.LoadRootCAs(); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tmgr.SetCARevocationLists(c.CARevocationLists)\n\t\tif err := mgr.LoadCRLs(); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tcertMgr = mgr\n\t}\n\tcompressor := middleware.NewCompressor(5, \"text/*\")\n\tdataprovider.InitializeWebDAVUserCache(c.Cache.Users.MaxSize)\n\n\tserviceStatus = ServiceStatus{\n\t\tBindings: nil,\n\t}\n\n\texitChannel := make(chan error, 1)\n\n\tfor _, binding := range c.Bindings {\n\t\tif !binding.IsValid() {\n\t\t\tcontinue\n\t\t}\n\t\tif err := binding.parseAllowedProxy(); err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\tgo func(binding Binding) {\n\t\t\tserver := webDavServer{\n\t\t\t\tconfig: c,\n\t\t\t\tbinding: binding,\n\t\t\t}\n\t\t\texitChannel <- server.listenAndServe(compressor)\n\t\t}(binding)\n\t}\n\n\tserviceStatus.IsActive = true\n\n\treturn <-exitChannel\n}\n\n// ReloadCertificateMgr reloads the certificate manager\nfunc ReloadCertificateMgr() error {\n\tif certMgr != nil {\n\t\treturn certMgr.Reload()\n\t}\n\treturn nil\n}\n\nfunc getConfigPath(name, configDir string) string {\n\tif !util.IsFileInputValid(name) {\n\t\treturn \"\"\n\t}\n\tif name != \"\" && !filepath.IsAbs(name) {\n\t\treturn filepath.Join(configDir, name)\n\t}\n\treturn name\n}\n\nfunc parseTime(text string) (t time.Time, err error) {\n\tfor _, layout := range timeFormats {\n\t\tt, err = time.Parse(layout, text)\n\t\tif err == nil {\n\t\t\treturn\n\t\t}\n\t}\n\treturn\n}\n" }, { "path": "internal/webdavd/webdavd_test.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\npackage webdavd_test\n\nimport (\n\t\"bufio\"\n\t\"bytes\"\n\t\"crypto/rand\"\n\t\"crypto/tls\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"io/fs\"\n\t\"net\"\n\t\"net/http\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"regexp\"\n\t\"runtime\"\n\t\"strings\"\n\t\"sync\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/minio/sio\"\n\t\"github.com/pkg/sftp\"\n\t\"github.com/rs/zerolog\"\n\t\"github.com/sftpgo/sdk\"\n\tsdkkms \"github.com/sftpgo/sdk/kms\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"github.com/studio-b12/gowebdav\"\n\t\"golang.org/x/crypto/ssh\"\n\n\t\"github.com/drakkan/sftpgo/v2/internal/common\"\n\t\"github.com/drakkan/sftpgo/v2/internal/config\"\n\t\"github.com/drakkan/sftpgo/v2/internal/dataprovider\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpclient\"\n\t\"github.com/drakkan/sftpgo/v2/internal/httpdtest\"\n\t\"github.com/drakkan/sftpgo/v2/internal/kms\"\n\t\"github.com/drakkan/sftpgo/v2/internal/logger\"\n\t\"github.com/drakkan/sftpgo/v2/internal/sftpd\"\n\t\"github.com/drakkan/sftpgo/v2/internal/util\"\n\t\"github.com/drakkan/sftpgo/v2/internal/vfs\"\n\t\"github.com/drakkan/sftpgo/v2/internal/webdavd\"\n)\n\nconst (\n\tlogSender = \"webavdTesting\"\n\twebDavServerAddr = \"localhost:9090\"\n\twebDavTLSServerAddr = \"localhost:9443\"\n\twebDavServerPort = 9090\n\twebDavTLSServerPort = 9443\n\tsftpServerAddr = \"127.0.0.1:9022\"\n\tdefaultUsername = \"test_user_dav\"\n\tdefaultPassword = \"test_password\"\n\tosWindows = \"windows\"\n\twebDavCert = `-----BEGIN CERTIFICATE-----\nMIICHTCCAaKgAwIBAgIUHnqw7QnB1Bj9oUsNpdb+ZkFPOxMwCgYIKoZIzj0EAwIw\nRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu\ndGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDAyMDQwOTUzMDRaFw0zMDAyMDEw\nOTUzMDRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYD\nVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwdjAQBgcqhkjOPQIBBgUrgQQA\nIgNiAARCjRMqJ85rzMC998X5z761nJ+xL3bkmGVqWvrJ51t5OxV0v25NsOgR82CA\nNXUgvhVYs7vNFN+jxtb2aj6Xg+/2G/BNxkaFspIVCzgWkxiz7XE4lgUwX44FCXZM\n3+JeUbKjUzBRMB0GA1UdDgQWBBRhLw+/o3+Z02MI/d4tmaMui9W16jAfBgNVHSME\nGDAWgBRhLw+/o3+Z02MI/d4tmaMui9W16jAPBgNVHRMBAf8EBTADAQH/MAoGCCqG\nSM49BAMCA2kAMGYCMQDqLt2lm8mE+tGgtjDmtFgdOcI72HSbRQ74D5rYTzgST1rY\n/8wTi5xl8TiFUyLMUsICMQC5ViVxdXbhuG7gX6yEqSkMKZICHpO8hqFwOD/uaFVI\ndV4vKmHUzwK/eIx+8Ay3neE=\n-----END CERTIFICATE-----`\n\twebDavKey = `-----BEGIN EC PARAMETERS-----\nBgUrgQQAIg==\n-----END EC PARAMETERS-----\n-----BEGIN EC PRIVATE KEY-----\nMIGkAgEBBDCfMNsN6miEE3rVyUPwElfiJSWaR5huPCzUenZOfJT04GAcQdWvEju3\nUM2lmBLIXpGgBwYFK4EEACKhZANiAARCjRMqJ85rzMC998X5z761nJ+xL3bkmGVq\nWvrJ51t5OxV0v25NsOgR82CANXUgvhVYs7vNFN+jxtb2aj6Xg+/2G/BNxkaFspIV\nCzgWkxiz7XE4lgUwX44FCXZM3+JeUbI=\n-----END EC PRIVATE KEY-----`\n\tcaCRT = `-----BEGIN CERTIFICATE-----\nMIIE5jCCAs6gAwIBAgIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhDZXJ0\nQXV0aDAeFw0yNDAxMTAxODEyMDRaFw0zNDAxMTAxODIxNTRaMBMxETAPBgNVBAMT\nCENlcnRBdXRoMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA7WHW216m\nfi4uF8cx6HWf8wvAxaEWgCHTOi2MwFIzOrOtuT7xb64rkpdzx1aWetSiCrEyc3D1\nv03k0Akvlz1gtnDtO64+MA8bqlTnCydZJY4cCTvDOBUYZgtMqHZzpE6xRrqQ84zh\nyzjKQ5bR0st+XGfIkuhjSuf2n/ZPS37fge9j6AKzn/2uEVt33qmO85WtN3RzbSqL\nCdOJ6cQ216j3la1C5+NWvzIKC7t6NE1bBGI4+tRj7B5P5MeamkkogwbExUjdHp3U\n4yasvoGcCHUQDoa4Dej1faywz6JlwB6rTV4ys4aZDe67V/Q8iB2May1k7zBz1Ztb\nKF5Em3xewP1LqPEowF1uc4KtPGcP4bxdaIpSpmObcn8AIfH6smLQrn0C3cs7CYfo\nNlFuTbwzENUhjz0X6EsoM4w4c87lO+dRNR7YpHLqR/BJTbbyXUB0imne1u00fuzb\nS7OtweiA9w7DRCkr2gU4lmHe7l0T+SA9pxIeVLb78x7ivdyXSF5LVQJ1JvhhWu6i\nM6GQdLHat/0fpRFUbEe34RQSDJ2eOBifMJqvsvpBP8d2jcRZVUVrSXGc2mAGuGOY\n/tmnCJGW8Fd+sgpCVAqM0pxCM+apqrvJYUqqQZ2ZxugCXULtRWJ9p4C9zUl40HEy\nOQ+AaiiwFll/doXELglcJdNg8AZPGhugfxMCAwEAAaNFMEMwDgYDVR0PAQH/BAQD\nAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFNoJhIvDZQrEf/VQbWuu\nXgNnt2m5MA0GCSqGSIb3DQEBCwUAA4ICAQCYhT5SRqk19hGrQ09hVSZOzynXAa5F\nsYkEWJzFyLg9azhnTPE1bFM18FScnkd+dal6mt+bQiJvdh24NaVkDghVB7GkmXki\npAiZwEDHMqtbhiPxY8LtSeCBAz5JqXVU2Q0TpAgNSH4W7FbGWNThhxcJVOoIrXKE\njbzhwl1Etcaf0DBKWliUbdlxQQs65DLy+rNBYtOeK0pzhzn1vpehUlJ4eTFzP9KX\ny2Mksuq9AspPbqnqpWW645MdTxMb5T57MCrY3GDKw63z5z3kz88LWJF3nOxZmgQy\nWFUhbLmZm7x6N5eiu6Wk8/B4yJ/n5UArD4cEP1i7nqu+mbbM/SZlq1wnGpg/sbRV\noUF+a7pRcSbfxEttle4pLFhS+ErKatjGcNEab2OlU3bX5UoBs+TYodnCWGKOuBKV\nL/CYc65QyeYZ+JiwYn9wC8YkzOnnVIQjiCEkLgSL30h9dxpnTZDLrdAA8ItelDn5\nDvjuQq58CGDsaVqpSobiSC1DMXYWot4Ets1wwovUNEq1l0MERB+2olE+JU/8E23E\neL1/aA7Kw/JibkWz1IyzClpFDKXf6kR2onJyxerdwUL+is7tqYFLysiHxZDL1bli\nSXbW8hMa5gvo0IilFP9Rznn8PplIfCsvBDVv6xsRr5nTAFtwKaMBVgznE2ghs69w\nkK8u1YiiVenmoQ==\n-----END CERTIFICATE-----`\n\tcaCRL = `-----BEGIN X509 CRL-----\nMIICpzCBkAIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhDZXJ0QXV0aBcN\nMjQwMTEwMTgyMjU4WhcNMjYwMTA5MTgyMjU4WjAkMCICEQDOaeHbjY4pEj8WBmqg\nZuRRFw0yNDAxMTAxODIyNThaoCMwITAfBgNVHSMEGDAWgBTaCYSLw2UKxH/1UG1r\nrl4DZ7dpuTANBgkqhkiG9w0BAQsFAAOCAgEAZzZ4aBqCcAJigR9e/mqKpJa4B6FV\n+jZmnWXolGeUuVkjdiG9w614x7mB2S768iioJyALejjCZjqsp6ydxtn0epQw4199\nXSfPIxA9lxc7w79GLe0v3ztojvxDPh5V1+lwPzGf9i8AsGqb2BrcBqgxDeatndnE\njF+18bY1saXOBpukNLjtRScUXzy5YcSuO6mwz4548v+1ebpF7W4Yh+yh0zldJKcF\nDouuirZWujJwTwxxfJ+2+yP7GAuefXUOhYs/1y9ylvUgvKFqSyokv6OaVgTooKYD\nMSADzmNcbRvwyAC5oL2yJTVVoTFeP6fXl/BdFH3sO/hlKXGy4Wh1AjcVE6T0CSJ4\niYFX3gLFh6dbP9IQWMlIM5DKtAKSjmgOywEaWii3e4M0NFSf/Cy17p2E5/jXSLlE\nypDileK0aALkx2twGWwogh6sY1dQ6R3GpKSRPD2muQxVOG6wXvuJce0E9WLx1Ud4\nhVUdUEMlKUvm77/15U5awarH2cCJQxzS/GMeIintQiG7hUlgRzRdmWVe3vOOvt94\ncp8+ZUH/QSDOo41ATTHpFeC/XqF5E2G/ahXqra+O5my52V/FP0bSJnkorJ8apy67\nsn6DFbkqX9khTXGtacczh2PcqVjcQjBniYl2sPO3qIrrrY3tic96tMnM/u3JRdcn\nw7bXJGfJcIMrrKs=\n-----END X509 CRL-----`\n\tclient1Crt = `-----BEGIN CERTIFICATE-----\nMIIEITCCAgmgAwIBAgIRAJr32nHRlhyPiS7IfZ/ZWYowDQYJKoZIhvcNAQELBQAw\nEzERMA8GA1UEAxMIQ2VydEF1dGgwHhcNMjQwMTEwMTgxMjM3WhcNMzQwMTEwMTgy\nMTUzWjASMRAwDgYDVQQDEwdjbGllbnQxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\nMIIBCgKCAQEAtuQFiqvdjd8WLxP0FgPDyDEJ1/uJ+Aoj6QllNV7svWxwW+kiJ3X6\nHUVNWhhCsNfly4pGW4erF4fZzmesElGx1PoWgQCWZKsa/N08bznelWgdmkyi85xE\nOkTj6e/cTWHFSOBURNJaXkGHZ0ROSh7qu0Ld+eqNo3k9W+NqZaqYvs2K7MLWeYl7\nQie8Ctuq5Qaz/jm0XwR2PFBROVQSaCPCukancPQ21ftqHPhAbjxoxvvN5QP4ZdRf\nXlH/LDLhlFnJzPZdHnVy9xisSPPRfFApJiwyfjRYdtslpJOcNgP6oPlpX/dybbhO\nc9FEUgj/Q90Je8EfioBYFYsqVD6/dFv9SwIDAQABo3EwbzAOBgNVHQ8BAf8EBAMC\nA7gwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBRUh5Xo\nGzjh6iReaPSOgGatqOw9bDAfBgNVHSMEGDAWgBTaCYSLw2UKxH/1UG1rrl4DZ7dp\nuTANBgkqhkiG9w0BAQsFAAOCAgEAyAK7cOTWqjyLgFM0kyyx1fNPvm2GwKep3MuU\nOrSnLuWjoxzb7WcbKNVMlnvnmSUAWuErxsY0PUJNfcuqWiGmEp4d/SWfWPigG6DC\nsDej35BlSfX8FCufYrfC74VNk4yBS2LVYmIqcpqUrfay0I2oZA8+ToLEpdUvEv2I\nl59eOhJO2jsC3JbOyZZmK2Kv7d94fR+1tg2Rq1Wbnmc9AZKq7KDReAlIJh4u2KHb\nBbtF79idusMwZyP777tqSQ4THBMa+VAEc2UrzdZqTIAwqlKQOvO2fRz2P+ARR+Tz\nMYJMdCdmPZ9qAc8U1OcFBG6qDDltO8wf/Nu/PsSI5LGCIhIuPPIuKfm0rRfTqCG7\nQPQPWjRoXtGGhwjdIuWbX9fIB+c+NpAEKHgLtV+Rxj8s5IVxqG9a5TtU9VkfVXJz\nJ20naoz/G+vDsVINpd3kH0ziNvdrKfGRM5UgtnUOPCXB22fVmkIsMH2knI10CKK+\noffI56NTkLRu00xvg98/wdukhkwIAxg6PQI/BHY5mdvoacEHHHdOhMq+GSAh7DDX\nG8+HdbABM1ExkPnZLat15q706ztiuUpQv1C2DI8YviUVkMqCslj4cD4F8EFPo4kr\nkvme0Cuc9Qlf7N5rjdV3cjwavhFx44dyXj9aesft2Q1okPiIqbGNpcjHcIRlj4Au\nMU3Bo0A=\n-----END CERTIFICATE-----`\n\tclient1Key = `-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAtuQFiqvdjd8WLxP0FgPDyDEJ1/uJ+Aoj6QllNV7svWxwW+ki\nJ3X6HUVNWhhCsNfly4pGW4erF4fZzmesElGx1PoWgQCWZKsa/N08bznelWgdmkyi\n85xEOkTj6e/cTWHFSOBURNJaXkGHZ0ROSh7qu0Ld+eqNo3k9W+NqZaqYvs2K7MLW\neYl7Qie8Ctuq5Qaz/jm0XwR2PFBROVQSaCPCukancPQ21ftqHPhAbjxoxvvN5QP4\nZdRfXlH/LDLhlFnJzPZdHnVy9xisSPPRfFApJiwyfjRYdtslpJOcNgP6oPlpX/dy\nbbhOc9FEUgj/Q90Je8EfioBYFYsqVD6/dFv9SwIDAQABAoIBAFjSHK7gENVZxphO\nhHg8k9ShnDo8eyDvK8l9Op3U3/yOsXKxolivvyx//7UFmz3vXDahjNHe7YScAXdw\neezbqBXa7xrvghqZzp2HhFYwMJ0210mcdncBKVFzK4ztZHxgQ0PFTqet0R19jZjl\nX3A325/eNZeuBeOied4qb/24AD6JGc6A0J55f5/QUQtdwYwrL15iC/KZXDL90PPJ\nCFJyrSzcXvOMEvOfXIFxhDVKRCppyIYXG7c80gtNC37I6rxxMNQ4mxjwUI2IVhxL\nj+nZDu0JgRZ4NaGjOq2e79QxUVm/GG3z25XgmBFBrXkEVV+sCZE1VDyj6kQfv9FU\nNhOrwGECgYEAzq47r/HwXifuGYBV/mvInFw3BNLrKry+iUZrJ4ms4g+LfOi0BAgf\nsXsWXulpBo2YgYjFdO8G66f69GlB4B7iLscpABXbRtpDZEnchQpaF36/+4g3i8gB\nZ29XHNDB8+7t4wbXvlSnLv1tZWey2fS4hPosc2YlvS87DMmnJMJqhs8CgYEA4oiB\nLGQP6VNdX0Uigmh5fL1g1k95eC8GP1ylczCcIwsb2OkAq0MT7SHRXOlg3leEq4+g\nmCHk1NdjkSYxDL2ZeTKTS/gy4p1jlcDa6Ilwi4pVvatNvu4o80EYWxRNNb1mAn67\nT8TN9lzc6mEi+LepQM3nYJ3F+ZWTKgxH8uoJwMUCgYEArpumE1vbjUBAuEyi2eGn\nRunlFW83fBCfDAxw5KM8anNlja5uvuU6GU/6s06QCxg+2lh5MPPrLdXpfukZ3UVa\nItjg+5B7gx1MSALaiY8YU7cibFdFThM3lHIM72wyH2ogkWcrh0GvSFSUQlJcWCSW\nasmMGiYXBgBL697FFZomMyMCgYEAkAnp0JcDQwHd4gDsk2zoqnckBsDb5J5J46n+\nDYNAFEww9bgZ08u/9MzG+cPu8xFE621U2MbcYLVfuuBE2ewIlPaij/COMmeO9Z59\n0tPpOuDH6eTtd1SptxqR6P+8pEn8feOlKHBj4Z1kXqdK/EiTlwAVeep4Al2oCFls\nujkz4F0CgYAe8vHnVFHlWi16zAqZx4ZZZhNuqPtgFkvPg9LfyNTA4dz7F9xgtUaY\nnXBPyCe/8NtgBfT79HkPiG3TM0xRZY9UZgsJKFtqAu5u4ManuWDnsZI9RK2QTLHe\nyEbH5r3Dg3n9k/3GbjXFIWdU9UaYsdnSKHHtMw9ZODc14LaAogEQug==\n-----END RSA PRIVATE KEY-----`\n\t// client 2 crt is revoked\n\tclient2Crt = `-----BEGIN CERTIFICATE-----\nMIIEITCCAgmgAwIBAgIRAM5p4duNjikSPxYGaqBm5FEwDQYJKoZIhvcNAQELBQAw\nEzERMA8GA1UEAxMIQ2VydEF1dGgwHhcNMjQwMTEwMTgxMjUyWhcNMzQwMTEwMTgy\nMTUzWjASMRAwDgYDVQQDEwdjbGllbnQyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\nMIIBCgKCAQEApNYpNZVmXZtAObpRRIuP2o/7z04H2E161vKZvJ3LSLlUTImVjm/b\nQe6DTNCUVLnzQuanmUlu2rUnN3lDSfYoBcJWbvC3y1OCPRkCjDV6KiYMA9TPkZua\neq6y3+bFFfEmyumsVEe0bSuzNHXCOIBT7PqYMdovECcwBh/RZCA5mqO5omEKh4LQ\ncr6+sVVkvD3nsyx0Alz/kTLFqc0mVflmpJq+0BpdetHRg4n5vy/I/08jZ81PQAmT\nA0kyl0Jh132JBGFdA8eyugPPP8n5edU4f3HXV/nR7XLwBrpSt8KgEg8cwfAu4Ic0\n6tGzB0CH8lSGtU0tH2/cOlDuguDD7VvokQIDAQABo3EwbzAOBgNVHQ8BAf8EBAMC\nA7gwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBR5mf0f\nZjf8ZCGXqU2+45th7VkkLDAfBgNVHSMEGDAWgBTaCYSLw2UKxH/1UG1rrl4DZ7dp\nuTANBgkqhkiG9w0BAQsFAAOCAgEARhFxNAouwbpEfN1M90+ao5rwyxEewerSoCCz\nPQzeUZ66MA/FkS/tFUGgGGG+wERN+WLbe1cN6q/XFr0FSMLuUxLXDNV02oUL/FnY\nxcyNLaZUZ0pP7sA+Hmx2AdTA6baIwQbyIY9RLAaz6hzo1YbI8yeis645F1bxgL2D\nEP5kXa3Obv0tqWByMZtrmJPv3p0W5GJKXVDn51GR/E5KI7pliZX2e0LmMX9mxfPB\n4sXFUggMHXxWMMSAmXPVsxC2KX6gMnajO7JUraTwuGm+6V371FzEX+UKXHI+xSvO\n78TseTIYsBGLjeiA8UjkKlD3T9qsQm2mb2PlKyqjvIm4i2ilM0E2w4JZmd45b925\n7q/QLV3NZ/zZMi6AMyULu28DWKfAx3RLKwnHWSFcR4lVkxQrbDhEUMhAhLAX+2+e\nqc7qZm3dTabi7ZJiiOvYK/yNgFHa/XtZp5uKPB5tigPIa+34hbZF7s2/ty5X3O1N\nf5Ardz7KNsxJjZIt6HvB28E/PPOvBqCKJc1Y08J9JbZi8p6QS1uarGoR7l7rT1Hv\n/ZXkNTw2bw1VpcWdzDBLLVHYNnJmS14189LVk11PcJJpSmubwCqg+ZZULdgtVr3S\nANas2dgMPVwXhnAalgkcc+lb2QqaEz06axfbRGBsgnyqR5/koKCg1Hr0+vThHSsR\nE0+r2+4=\n-----END CERTIFICATE-----`\n\tclient2Key = `-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEApNYpNZVmXZtAObpRRIuP2o/7z04H2E161vKZvJ3LSLlUTImV\njm/bQe6DTNCUVLnzQuanmUlu2rUnN3lDSfYoBcJWbvC3y1OCPRkCjDV6KiYMA9TP\nkZuaeq6y3+bFFfEmyumsVEe0bSuzNHXCOIBT7PqYMdovECcwBh/RZCA5mqO5omEK\nh4LQcr6+sVVkvD3nsyx0Alz/kTLFqc0mVflmpJq+0BpdetHRg4n5vy/I/08jZ81P\nQAmTA0kyl0Jh132JBGFdA8eyugPPP8n5edU4f3HXV/nR7XLwBrpSt8KgEg8cwfAu\n4Ic06tGzB0CH8lSGtU0tH2/cOlDuguDD7VvokQIDAQABAoIBAQCMnEeg9uXQmdvq\nop4qi6bV+ZcDWvvkLwvHikFMnYpIaheYBpF2ZMKzdmO4xgCSWeFCQ4Hah8KxfHCM\nqLuWvw2bBBE5J8yQ/JaPyeLbec7RX41GQ2YhPoxDdP0PdErREdpWo4imiFhH/Ewt\nRvq7ufRdpdLoS8dzzwnvX3r+H2MkHoC/QANW2AOuVoZK5qyCH5N8yEAAbWKaQaeL\nVBhAYEVKbAkWEtXw7bYXzxRR7WIM3f45v3ncRusDIG+Hf75ZjatoH0lF1gHQNofO\nqkCVZVzjkLFuzDic2KZqsNORglNs4J6t5Dahb9v3hnoK963YMnVSUjFvqQ+/RZZy\nVILFShilAoGBANucwZU61eJ0tLKBYEwmRY/K7Gu1MvvcYJIOoX8/BL3zNmNO0CLl\nNiABtNt9WOVwZxDsxJXdo1zvMtAegNqS6W11R1VAZbL6mQ/krScbLDE6JKA5DmA7\n4nNi1gJOW1ziAfdBAfhe4cLbQOb94xkOK5xM1YpO0xgDJLwrZbehDMmPAoGBAMAl\n/owPDAvcXz7JFynT0ieYVc64MSFiwGYJcsmxSAnbEgQ+TR5FtkHYe91OSqauZcCd\naoKXQNyrYKIhyounRPFTdYQrlx6KtEs7LU9wOxuphhpJtGjRnhmA7IqvX703wNvu\nkhrEavn86G5boH8R80371SrN0Rh9UeAlQGuNBdvfAoGAEAmokW9Ug08miwqrr6Pz\n3IZjMZJwALidTM1IufQuMnj6ddIhnQrEIx48yPKkdUz6GeBQkuk2rujA+zXfDxc/\neMDhzrX/N0zZtLFse7ieR5IJbrH7/MciyG5lVpHGVkgjAJ18uVikgAhm+vd7iC7i\nvG1YAtuyysQgAKXircBTIL0CgYAHeTLWVbt9NpwJwB6DhPaWjalAug9HIiUjktiB\nGcEYiQnBWn77X3DATOA8clAa/Yt9m2HKJIHkU1IV3ESZe+8Fh955PozJJlHu3yVb\nAp157PUHTriSnxyMF2Sb3EhX/rQkmbnbCqqygHC14iBy8MrKzLG00X6BelZV5n0D\n8d85dwKBgGWY2nsaemPH/TiTVF6kW1IKSQoIyJChkngc+Xj/2aCCkkmAEn8eqncl\nRKjnkiEZeG4+G91Xu7+HmcBLwV86k5I+tXK9O1Okomr6Zry8oqVcxU5TB6VRS+rA\nubwF00Drdvk2+kDZfxIM137nBiy7wgCJi2Ksm5ihN3dUF6Q0oNPl\n-----END RSA PRIVATE KEY-----`\n\ttestFileName = \"test_file_dav.dat\"\n\ttestDLFileName = \"test_download_dav.dat\"\n\ttlsClient1Username = \"client1\"\n\ttlsClient2Username = \"client2\"\n\temptyPwdPlaceholder = \"empty\"\n\tocMtimeHeader = \"X-OC-Mtime\"\n)\n\nvar (\n\tconfigDir = filepath.Join(\".\", \"..\", \"..\")\n\tallPerms = []string{dataprovider.PermAny}\n\thomeBasePath string\n\thookCmdPath string\n\textAuthPath string\n\tpreLoginPath string\n\tpostConnectPath string\n\tpreDownloadPath string\n\tpreUploadPath string\n\tlogFilePath string\n\tcertPath string\n\tkeyPath string\n\tcaCrtPath string\n\tcaCRLPath string\n)\n\nfunc TestMain(m *testing.M) {\n\tlogFilePath = filepath.Join(configDir, \"sftpgo_webdavd_test.log\")\n\tlogger.InitLogger(logFilePath, 5, 1, 28, false, false, zerolog.DebugLevel)\n\tos.Setenv(\"SFTPGO_DATA_PROVIDER__CREATE_DEFAULT_ADMIN\", \"1\")\n\tos.Setenv(\"SFTPGO_COMMON__ALLOW_SELF_CONNECTIONS\", \"1\")\n\tos.Setenv(\"SFTPGO_DEFAULT_ADMIN_USERNAME\", \"admin\")\n\tos.Setenv(\"SFTPGO_DEFAULT_ADMIN_PASSWORD\", \"password\")\n\tos.Setenv(\"SFTPGO_WEBDAVD__CACHE__MIME_TYPES__CUSTOM_MAPPINGS__0__EXT\", \".sftpgo\")\n\tos.Setenv(\"SFTPGO_WEBDAVD__CACHE__MIME_TYPES__CUSTOM_MAPPINGS__0__MIME\", \"application/sftpgo\")\n\terr := config.LoadConfig(configDir, \"\")\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error loading configuration: %v\", err)\n\t\tos.Exit(1)\n\t}\n\tproviderConf := config.GetProviderConf()\n\tlogger.InfoToConsole(\"Starting WebDAVD tests, provider: %v\", providerConf.Driver)\n\tcommonConf := config.GetCommonConfig()\n\tcommonConf.UploadMode = 2\n\thomeBasePath = os.TempDir()\n\tif runtime.GOOS != osWindows {\n\t\tcommonConf.Actions.ExecuteOn = []string{\"download\", \"upload\", \"rename\", \"delete\"}\n\t\tcommonConf.Actions.Hook = hookCmdPath\n\t\thookCmdPath, err = exec.LookPath(\"true\")\n\t\tif err != nil {\n\t\t\tlogger.Warn(logSender, \"\", \"unable to get hook command: %v\", err)\n\t\t\tlogger.WarnToConsole(\"unable to get hook command: %v\", err)\n\t\t}\n\t}\n\n\tcertPath = filepath.Join(os.TempDir(), \"test_dav.crt\")\n\tkeyPath = filepath.Join(os.TempDir(), \"test_dav.key\")\n\tcaCrtPath = filepath.Join(os.TempDir(), \"test_dav_ca.crt\")\n\tcaCRLPath = filepath.Join(os.TempDir(), \"test_dav_crl.crt\")\n\terr = os.WriteFile(certPath, []byte(webDavCert), os.ModePerm)\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error writing WebDAV certificate: %v\", err)\n\t\tos.Exit(1)\n\t}\n\terr = os.WriteFile(keyPath, []byte(webDavKey), os.ModePerm)\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error writing WebDAV private key: %v\", err)\n\t\tos.Exit(1)\n\t}\n\terr = os.WriteFile(caCrtPath, []byte(caCRT), os.ModePerm)\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error writing WebDAV CA crt: %v\", err)\n\t\tos.Exit(1)\n\t}\n\terr = os.WriteFile(caCRLPath, []byte(caCRL), os.ModePerm)\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error writing WebDAV CRL: %v\", err)\n\t\tos.Exit(1)\n\t}\n\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error initializing data provider: %v\", err)\n\t\tos.Exit(1)\n\t}\n\n\terr = common.Initialize(commonConf, 0)\n\tif err != nil {\n\t\tlogger.WarnToConsole(\"error initializing common: %v\", err)\n\t\tos.Exit(1)\n\t}\n\n\thttpConfig := config.GetHTTPConfig()\n\thttpConfig.Initialize(configDir) //nolint:errcheck\n\tkmsConfig := config.GetKMSConfig()\n\terr = kmsConfig.Initialize()\n\tif err != nil {\n\t\tlogger.ErrorToConsole(\"error initializing kms: %v\", err)\n\t\tos.Exit(1)\n\t}\n\n\thttpdConf := config.GetHTTPDConfig()\n\thttpdConf.Bindings[0].Port = 8078\n\thttpdtest.SetBaseURL(\"http://127.0.0.1:8078\")\n\n\t// required to test sftpfs\n\tsftpdConf := config.GetSFTPDConfig()\n\tsftpdConf.Bindings = []sftpd.Binding{\n\t\t{\n\t\t\tPort: 9022,\n\t\t},\n\t}\n\thostKeyPath := filepath.Join(os.TempDir(), \"id_ecdsa\")\n\tsftpdConf.HostKeys = []string{hostKeyPath}\n\n\twebDavConf := config.GetWebDAVDConfig()\n\twebDavConf.CACertificates = []string{caCrtPath}\n\twebDavConf.CARevocationLists = []string{caCRLPath}\n\twebDavConf.Bindings = []webdavd.Binding{\n\t\t{\n\t\t\tPort: webDavServerPort,\n\t\t},\n\t\t{\n\t\t\tPort: webDavTLSServerPort,\n\t\t\tEnableHTTPS: true,\n\t\t\tCertificateFile: certPath,\n\t\t\tCertificateKeyFile: keyPath,\n\t\t\tClientAuthType: 2,\n\t\t},\n\t}\n\twebDavConf.Cors = webdavd.CorsConfig{\n\t\tEnabled: true,\n\t\tAllowedOrigins: []string{\"*\"},\n\t\tAllowedMethods: []string{\n\t\t\thttp.MethodHead,\n\t\t\thttp.MethodGet,\n\t\t\thttp.MethodPost,\n\t\t\thttp.MethodPut,\n\t\t\thttp.MethodPatch,\n\t\t\thttp.MethodDelete,\n\t\t},\n\t\tAllowedHeaders: []string{\"*\"},\n\t\tAllowCredentials: true,\n\t}\n\n\tstatus := webdavd.GetStatus()\n\tif status.IsActive {\n\t\tlogger.ErrorToConsole(\"webdav server is already active\")\n\t\tos.Exit(1)\n\t}\n\n\textAuthPath = filepath.Join(homeBasePath, \"extauth.sh\")\n\tpreLoginPath = filepath.Join(homeBasePath, \"prelogin.sh\")\n\tpostConnectPath = filepath.Join(homeBasePath, \"postconnect.sh\")\n\tpreDownloadPath = filepath.Join(homeBasePath, \"predownload.sh\")\n\tpreUploadPath = filepath.Join(homeBasePath, \"preupload.sh\")\n\n\tgo func() {\n\t\tlogger.Debug(logSender, \"\", \"initializing WebDAV server with config %+v\", webDavConf)\n\t\tif err := webDavConf.Initialize(configDir); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start WebDAV server: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}()\n\n\tgo func() {\n\t\tif err := httpdConf.Initialize(configDir, 0); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start HTTP server: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}()\n\n\tgo func() {\n\t\tlogger.Debug(logSender, \"\", \"initializing SFTP server with config %+v\", sftpdConf)\n\t\tif err := sftpdConf.Initialize(configDir); err != nil {\n\t\t\tlogger.ErrorToConsole(\"could not start SFTP server: %v\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t}()\n\n\twaitTCPListening(webDavConf.Bindings[0].GetAddress())\n\twaitTCPListening(webDavConf.Bindings[1].GetAddress())\n\twaitTCPListening(httpdConf.Bindings[0].GetAddress())\n\twaitTCPListening(sftpdConf.Bindings[0].GetAddress())\n\twebdavd.ReloadCertificateMgr() //nolint:errcheck\n\n\texitCode := m.Run()\n\tos.Remove(logFilePath)\n\tos.Remove(extAuthPath)\n\tos.Remove(preLoginPath)\n\tos.Remove(postConnectPath)\n\tos.Remove(preDownloadPath)\n\tos.Remove(preUploadPath)\n\tos.Remove(certPath)\n\tos.Remove(keyPath)\n\tos.Remove(caCrtPath)\n\tos.Remove(caCRLPath)\n\tos.Remove(hostKeyPath)\n\tos.Remove(hostKeyPath + \".pub\")\n\tos.Exit(exitCode)\n}\n\nfunc TestInitialization(t *testing.T) {\n\tcfg := webdavd.Configuration{\n\t\tBindings: []webdavd.Binding{\n\t\t\t{\n\t\t\t\tPort: 1234,\n\t\t\t\tEnableHTTPS: true,\n\t\t\t},\n\t\t\t{\n\t\t\t\tPort: 0,\n\t\t\t},\n\t\t},\n\t\tCertificateFile: \"missing path\",\n\t\tCertificateKeyFile: \"bad path\",\n\t}\n\terr := cfg.Initialize(configDir)\n\tassert.Error(t, err)\n\n\tcfg.Cache = config.GetWebDAVDConfig().Cache\n\tcfg.Bindings[0].Port = webDavServerPort\n\tcfg.CertificateFile = certPath\n\tcfg.CertificateKeyFile = keyPath\n\terr = cfg.Initialize(configDir)\n\tassert.Error(t, err)\n\terr = webdavd.ReloadCertificateMgr()\n\tassert.NoError(t, err)\n\n\tcfg.Bindings = []webdavd.Binding{\n\t\t{\n\t\t\tPort: 0,\n\t\t},\n\t}\n\terr = cfg.Initialize(configDir)\n\tassert.EqualError(t, err, common.ErrNoBinding.Error())\n\n\tcfg.CertificateFile = certPath\n\tcfg.CertificateKeyFile = keyPath\n\tcfg.CACertificates = []string{\"\"}\n\n\tcfg.Bindings = []webdavd.Binding{\n\t\t{\n\t\t\tPort: 9022,\n\t\t\tClientAuthType: 1,\n\t\t\tEnableHTTPS: true,\n\t\t},\n\t}\n\terr = cfg.Initialize(configDir)\n\tassert.Error(t, err)\n\n\tcfg.CACertificates = nil\n\tcfg.CARevocationLists = []string{\"\"}\n\terr = cfg.Initialize(configDir)\n\tassert.Error(t, err)\n\n\tcfg.CARevocationLists = nil\n\terr = cfg.Initialize(configDir)\n\tassert.Error(t, err)\n\n\tcfg.CertificateFile = certPath\n\tcfg.CertificateKeyFile = keyPath\n\tcfg.CACertificates = []string{caCrtPath}\n\tcfg.CARevocationLists = []string{caCRLPath}\n\tcfg.Bindings[0].ProxyAllowed = []string{\"not valid\"}\n\terr = cfg.Initialize(configDir)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"is not a valid IP address\")\n\t}\n\tcfg.Bindings[0].ProxyAllowed = nil\n\terr = cfg.Initialize(configDir)\n\tassert.Error(t, err)\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = cfg.Initialize(configDir)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"unable to load config from provider\")\n\t}\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n}\n\nfunc TestBasicHandling(t *testing.T) {\n\tu := getTestUser()\n\tu.QuotaSize = 6553600\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser()\n\tu.QuotaSize = 6553600\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\tclient := getWebDavClient(user, true, nil)\n\t\tassert.NoError(t, checkBasicFunc(client))\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\texpectedQuotaSize := testFileSize\n\t\texpectedQuotaFiles := 1\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, int64(0), user.FirstUpload)\n\t\tassert.Equal(t, int64(0), user.FirstDownload)\n\t\terr = uploadFileWithRawClient(testFilePath, testFileName, user.Username, defaultPassword,\n\t\t\ttrue, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Greater(t, user.FirstUpload, int64(0))\n\t\tassert.Greater(t, user.FirstDownload, int64(0)) // webdav read the mime type\n\t\t// overwrite an existing file\n\t\terr = uploadFileWithRawClient(testFilePath, testFileName, user.Username, defaultPassword,\n\t\t\ttrue, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\t// wrong password\n\t\terr = uploadFileWithRawClient(testFilePath, testFileName, user.Username, defaultPassword+\"1\",\n\t\t\ttrue, testFileSize, client)\n\t\tassert.Error(t, err)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\t\terr = downloadFile(testFileName, localDownloadPath, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\tassert.Greater(t, user.FirstUpload, int64(0))\n\t\tassert.Greater(t, user.FirstDownload, int64(0))\n\t\terr = client.Rename(testFileName, testFileName+\"1\", false)\n\t\tassert.NoError(t, err)\n\t\t_, err = client.Stat(testFileName)\n\t\tassert.Error(t, err)\n\t\t// the webdav client hide the error we check the quota\n\t\terr = client.Remove(testFileName)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\t\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\t\terr = client.Remove(testFileName + \"1\")\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, expectedQuotaFiles-1, user.UsedQuotaFiles)\n\t\tassert.Equal(t, expectedQuotaSize-testFileSize, user.UsedQuotaSize)\n\t\terr = downloadFile(testFileName, localDownloadPath, testFileSize, client)\n\t\tassert.Error(t, err)\n\n\t\ttestDir := \"testdir\"\n\t\terr = client.Mkdir(testDir, os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\terr = client.MkdirAll(path.Join(testDir, \"sub\", \"sub\"), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\terr = client.MkdirAll(path.Join(testDir, \"sub1\", \"sub1\"), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\terr = client.MkdirAll(path.Join(testDir, \"sub2\", \"sub2\"), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\terr = uploadFileWithRawClient(testFilePath, path.Join(testDir, testFileName+\".txt\"),\n\t\t\tuser.Username, defaultPassword, true, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = uploadFileWithRawClient(testFilePath, path.Join(testDir, testFileName),\n\t\t\tuser.Username, defaultPassword, true, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\tfiles, err := client.ReadDir(testDir)\n\t\tassert.NoError(t, err)\n\t\tassert.Len(t, files, 5)\n\t\terr = client.Copy(testDir, testDir+\"_copy\", false) //nolint:goconst\n\t\tassert.NoError(t, err)\n\t\terr = client.RemoveAll(testDir)\n\t\tassert.NoError(t, err)\n\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t\tif user.Username == defaultUsername {\n\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\tassert.NoError(t, err)\n\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tuser.Password = defaultPassword\n\t\t\tuser.ID = 0\n\t\t\tuser.CreatedAt = 0\n\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\tassert.NoError(t, err, string(resp))\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool { return len(common.Connections.GetStats(\"\")) == 0 },\n\t\t1*time.Second, 100*time.Millisecond)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n\tstatus := webdavd.GetStatus()\n\tassert.True(t, status.IsActive)\n}\n\nfunc TestBasicHandlingCryptFs(t *testing.T) {\n\tu := getTestUserWithCryptFs()\n\tu.QuotaSize = 6553600\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient := getWebDavClient(user, false, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(65535)\n\tencryptedFileSize, err := getEncryptedFileSize(testFileSize)\n\tassert.NoError(t, err)\n\texpectedQuotaSize := user.UsedQuotaSize + encryptedFileSize\n\texpectedQuotaFiles := user.UsedQuotaFiles + 1\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\terr = uploadFileWithRawClient(testFilePath, testFileName,\n\t\tuser.Username, defaultPassword, false, testFileSize, client)\n\tassert.NoError(t, err)\n\t// overwrite an existing file\n\terr = uploadFileWithRawClient(testFilePath, testFileName,\n\t\tuser.Username, defaultPassword, false, testFileSize, client)\n\tassert.NoError(t, err)\n\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\terr = downloadFile(testFileName, localDownloadPath, testFileSize, client)\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool { return len(common.Connections.GetStats(\"\")) == 0 },\n\t\t1*time.Second, 100*time.Millisecond)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\tfiles, err := client.ReadDir(\"/\")\n\tassert.NoError(t, err)\n\tif assert.Len(t, files, 1) {\n\t\tassert.Equal(t, testFileSize, files[0].Size())\n\t}\n\terr = client.Remove(testFileName)\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, expectedQuotaFiles-1, user.UsedQuotaFiles)\n\tassert.Equal(t, expectedQuotaSize-encryptedFileSize, user.UsedQuotaSize)\n\terr = downloadFile(testFileName, localDownloadPath, testFileSize, client)\n\tassert.Error(t, err)\n\ttestDir := \"testdir\"\n\terr = client.Mkdir(testDir, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = client.MkdirAll(path.Join(testDir, \"sub\", \"sub\"), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = client.MkdirAll(path.Join(testDir, \"sub1\", \"sub1\"), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = client.MkdirAll(path.Join(testDir, \"sub2\", \"sub2\"), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = uploadFileWithRawClient(testFilePath, path.Join(testDir, testFileName+\".txt\"),\n\t\tuser.Username, defaultPassword, false, testFileSize, client)\n\tassert.NoError(t, err)\n\terr = uploadFileWithRawClient(testFilePath, path.Join(testDir, testFileName),\n\t\tuser.Username, defaultPassword, false, testFileSize, client)\n\tassert.NoError(t, err)\n\tfiles, err = client.ReadDir(testDir)\n\tassert.NoError(t, err)\n\tassert.Len(t, files, 5)\n\tfor _, f := range files {\n\t\tif strings.HasPrefix(f.Name(), testFileName) {\n\t\t\tassert.Equal(t, testFileSize, f.Size())\n\t\t} else {\n\t\t\tassert.True(t, f.IsDir())\n\t\t}\n\t}\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\terr = os.Remove(localDownloadPath)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool { return len(common.Connections.GetStats(\"\")) == 0 },\n\t\t1*time.Second, 100*time.Millisecond)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n}\n\nfunc TestBufferedUser(t *testing.T) {\n\tu := getTestUser()\n\tu.FsConfig.OSConfig = sdk.OSFsConfig{\n\t\tWriteBufferSize: 2,\n\t\tReadBufferSize: 1,\n\t}\n\tvdirPath := \"/crypted\"\n\tmappedPath := filepath.Join(os.TempDir(), util.GenerateUniqueID())\n\tfolderName := filepath.Base(mappedPath)\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: vdirPath,\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tf := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: mappedPath,\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.CryptedFilesystemProvider,\n\t\t\tCryptConfig: vfs.CryptFsConfig{\n\t\t\t\tOSFsConfig: sdk.OSFsConfig{\n\t\t\t\t\tWriteBufferSize: 3,\n\t\t\t\t\tReadBufferSize: 2,\n\t\t\t\t},\n\t\t\t\tPassphrase: kms.NewPlainSecret(defaultPassword),\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err := httpdtest.AddFolder(f, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tclient := getWebDavClient(user, false, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(65535)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\terr = uploadFileWithRawClient(testFilePath, testFileName,\n\t\tuser.Username, defaultPassword, false, testFileSize, client)\n\tassert.NoError(t, err)\n\terr = uploadFileWithRawClient(testFilePath, path.Join(vdirPath, testFileName),\n\t\tuser.Username, defaultPassword, false, testFileSize, client)\n\tassert.NoError(t, err)\n\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\terr = downloadFile(testFileName, localDownloadPath, testFileSize, client)\n\tassert.NoError(t, err)\n\terr = downloadFile(path.Join(vdirPath, testFileName), localDownloadPath, testFileSize, client)\n\tassert.NoError(t, err)\n\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\terr = os.Remove(localDownloadPath)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginEmptyPassword(t *testing.T) {\n\tu := getTestUser()\n\tu.Password = \"\"\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tuser.Password = emptyPwdPlaceholder\n\tclient := getWebDavClient(user, false, nil)\n\terr = checkBasicFunc(client)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"401\")\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestAnonymousUser(t *testing.T) {\n\tu := getTestUser()\n\tu.Password = \"\"\n\tu.Filters.IsAnonymous = true\n\t_, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.Error(t, err)\n\tuser, _, err := httpdtest.GetUserByUsername(u.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\n\tclient := getWebDavClient(user, false, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\n\tuser.Password = emptyPwdPlaceholder\n\tclient = getWebDavClient(user, false, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(65535)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\terr = uploadFileWithRawClient(testFilePath, testFileName, user.Username, defaultPassword,\n\t\tfalse, testFileSize, client)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"403\")\n\t}\n\terr = client.Mkdir(\"testdir\", os.ModePerm)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"403\")\n\t}\n\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestLockAfterDelete(t *testing.T) {\n\tu := getTestUser()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tclient := getWebDavClient(user, false, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(65535)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\terr = uploadFileWithRawClient(testFilePath, testFileName, user.Username, defaultPassword,\n\t\tfalse, testFileSize, client)\n\tassert.NoError(t, err)\n\tlockBody := ``\n\treq, err := http.NewRequest(\"LOCK\", fmt.Sprintf(\"http://%v/%v\", webDavServerAddr, testFileName), bytes.NewReader([]byte(lockBody)))\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(u.Username, u.Password)\n\treq.Header.Set(\"Timeout\", \"Second-3600\")\n\thttpClient := httpclient.GetHTTPClient()\n\tresp, err := httpClient.Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusOK, resp.StatusCode)\n\tresponse, err := io.ReadAll(resp.Body)\n\tassert.NoError(t, err)\n\tre := regexp.MustCompile(`\\.*`)\n\tlockToken := string(re.Find(response))\n\tlockToken = strings.Replace(lockToken, \"\", \"\", 1)\n\tlockToken = strings.Replace(lockToken, \"\", \"\", 1)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\treq, err = http.NewRequest(http.MethodDelete, fmt.Sprintf(\"http://%v/%v\", webDavServerAddr, testFileName), nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"If\", fmt.Sprintf(\"(%v)\", lockToken))\n\treq.SetBasicAuth(u.Username, u.Password)\n\tresp, err = httpClient.Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusNoContent, resp.StatusCode)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\t// if we try to lock again it must succeed, the lock must be deleted with the object\n\treq, err = http.NewRequest(\"LOCK\", fmt.Sprintf(\"http://%v/%v\", webDavServerAddr, testFileName), bytes.NewReader([]byte(lockBody)))\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(u.Username, u.Password)\n\tresp, err = httpClient.Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusCreated, resp.StatusCode)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestMtimeHeader(t *testing.T) {\n\tu := getTestUser()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tclient := getWebDavClient(user, false, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(65535)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\terr = uploadFileWithRawClient(testFilePath, testFileName, user.Username, defaultPassword,\n\t\tfalse, testFileSize, client, dataprovider.KeyValue{Key: ocMtimeHeader, Value: \"1668879480\"})\n\tassert.NoError(t, err)\n\t// check the modification time\n\tinfo, err := client.Stat(testFileName)\n\tif assert.NoError(t, err) {\n\t\tassert.Equal(t, time.Unix(1668879480, 0).UTC(), info.ModTime().UTC())\n\t}\n\t// test on overwrite\n\terr = uploadFileWithRawClient(testFilePath, testFileName, user.Username, defaultPassword,\n\t\tfalse, testFileSize, client, dataprovider.KeyValue{Key: ocMtimeHeader, Value: \"1667879480\"})\n\tassert.NoError(t, err)\n\tinfo, err = client.Stat(testFileName)\n\tif assert.NoError(t, err) {\n\t\tassert.Equal(t, time.Unix(1667879480, 0).UTC(), info.ModTime().UTC())\n\t}\n\t// invalid time will be silently ignored and the time set to now\n\terr = uploadFileWithRawClient(testFilePath, testFileName, user.Username, defaultPassword,\n\t\tfalse, testFileSize, client, dataprovider.KeyValue{Key: ocMtimeHeader, Value: \"not unix time\"})\n\tassert.NoError(t, err)\n\tinfo, err = client.Stat(testFileName)\n\tif assert.NoError(t, err) {\n\t\tassert.NotEqual(t, time.Unix(1667879480, 0).UTC(), info.ModTime().UTC())\n\t}\n\n\treq, err := http.NewRequest(\"MOVE\", fmt.Sprintf(\"http://%v/%v\", webDavServerAddr, testFileName), nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"Overwrite\", \"T\")\n\treq.Header.Set(\"Destination\", path.Join(\"/\", testFileName+\"rename\"))\n\treq.Header.Set(ocMtimeHeader, \"1666779480\")\n\treq.SetBasicAuth(u.Username, u.Password)\n\thttpClient := httpclient.GetHTTPClient()\n\tresp, err := httpClient.Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusCreated, resp.StatusCode)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\t// check the modification time\n\tinfo, err = client.Stat(testFileName + \"rename\")\n\tif assert.NoError(t, err) {\n\t\tassert.Equal(t, time.Unix(1666779480, 0).UTC(), info.ModTime().UTC())\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestRenameWithLock(t *testing.T) {\n\tu := getTestUser()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tclient := getWebDavClient(user, false, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(65535)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\terr = uploadFileWithRawClient(testFilePath, testFileName, user.Username, defaultPassword,\n\t\tfalse, testFileSize, client)\n\tassert.NoError(t, err)\n\n\tlockBody := ``\n\treq, err := http.NewRequest(\"LOCK\", fmt.Sprintf(\"http://%v/%v\", webDavServerAddr, testFileName), bytes.NewReader([]byte(lockBody)))\n\tassert.NoError(t, err)\n\treq.SetBasicAuth(u.Username, u.Password)\n\thttpClient := httpclient.GetHTTPClient()\n\tresp, err := httpClient.Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusOK, resp.StatusCode)\n\tresponse, err := io.ReadAll(resp.Body)\n\tassert.NoError(t, err)\n\tre := regexp.MustCompile(`\\.*`)\n\tlockToken := string(re.Find(response))\n\tlockToken = strings.Replace(lockToken, \"\", \"\", 1)\n\tlockToken = strings.Replace(lockToken, \"\", \"\", 1)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\t// MOVE with a lock should succeeded\n\treq, err = http.NewRequest(\"MOVE\", fmt.Sprintf(\"http://%v/%v\", webDavServerAddr, testFileName), nil)\n\tassert.NoError(t, err)\n\treq.Header.Set(\"If\", fmt.Sprintf(\"(%v)\", lockToken))\n\treq.Header.Set(\"Overwrite\", \"T\")\n\treq.Header.Set(\"Destination\", path.Join(\"/\", testFileName+\"1\"))\n\treq.SetBasicAuth(u.Username, u.Password)\n\tresp, err = httpClient.Do(req)\n\tassert.NoError(t, err)\n\tassert.Equal(t, http.StatusCreated, resp.StatusCode)\n\terr = resp.Body.Close()\n\tassert.NoError(t, err)\n\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestPropPatch(t *testing.T) {\n\tu := getTestUser()\n\tu.Username = u.Username + \"1\"\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tsftpUser := getTestSFTPUser()\n\tsftpUser.FsConfig.SFTPConfig.Username = localUser.Username\n\n\tfor _, u := range []dataprovider.User{getTestUser(), getTestUserWithCryptFs(), sftpUser} {\n\t\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\t\tassert.NoError(t, err)\n\t\tclient := getWebDavClient(user, true, nil)\n\t\tassert.NoError(t, checkBasicFunc(client), sftpUser.Username)\n\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = uploadFileWithRawClient(testFilePath, testFileName, user.Username, defaultPassword,\n\t\t\tfalse, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\thttpClient := httpclient.GetHTTPClient()\n\t\tpropatchBody := `Wed, 04 Nov 2020 13:25:51 GMTSat, 05 Dec 2020 21:16:12 GMTWed, 04 Nov 2020 13:25:51 GMT00000000`\n\t\treq, err := http.NewRequest(\"PROPPATCH\", fmt.Sprintf(\"http://%v/%v\", webDavServerAddr, testFileName), bytes.NewReader([]byte(propatchBody)))\n\t\tassert.NoError(t, err)\n\t\treq.SetBasicAuth(u.Username, u.Password)\n\t\tresp, err := httpClient.Do(req)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, http.StatusMultiStatus, resp.StatusCode)\n\t\terr = resp.Body.Close()\n\t\tassert.NoError(t, err)\n\t\tinfo, err := client.Stat(testFileName)\n\t\tif assert.NoError(t, err) {\n\t\t\texpected, err := http.ParseTime(\"Wed, 04 Nov 2020 13:25:51 GMT\")\n\t\t\tassert.NoError(t, err)\n\t\t\tassert.Equal(t, testFileSize, info.Size())\n\t\t\tassert.Equal(t, expected.Format(http.TimeFormat), info.ModTime().Format(http.TimeFormat))\n\t\t}\n\t\t// wrong date\n\t\tpropatchBody = `Wed, 04 Nov 2020 13:25:51 GMTSat, 05 Dec 2020 21:16:12 GMTWid, 04 Nov 2020 13:25:51 GMT00000000`\n\t\treq, err = http.NewRequest(\"PROPPATCH\", fmt.Sprintf(\"http://%v/%v\", webDavServerAddr, testFileName), bytes.NewReader([]byte(propatchBody)))\n\t\tassert.NoError(t, err)\n\t\treq.SetBasicAuth(u.Username, u.Password)\n\t\tresp, err = httpClient.Do(req)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, http.StatusMultiStatus, resp.StatusCode)\n\t\terr = resp.Body.Close()\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool { return len(common.Connections.GetStats(\"\")) == 0 },\n\t\t1*time.Second, 100*time.Millisecond)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n}\n\nfunc TestLoginInvalidPwd(t *testing.T) {\n\tu := getTestUser()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient := getWebDavClient(user, false, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\tuser.Password = \"wrong\"\n\tclient = getWebDavClient(user, false, nil)\n\tassert.Error(t, checkBasicFunc(client))\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginNonExistentUser(t *testing.T) {\n\tuser := getTestUser()\n\tclient := getWebDavClient(user, true, nil)\n\tassert.Error(t, checkBasicFunc(client))\n}\n\nfunc TestRateLimiter(t *testing.T) {\n\toldConfig := config.GetCommonConfig()\n\n\tcfg := config.GetCommonConfig()\n\tcfg.RateLimitersConfig = []common.RateLimiterConfig{\n\t\t{\n\t\t\tAverage: 1,\n\t\t\tPeriod: 1000,\n\t\t\tBurst: 3,\n\t\t\tType: 1,\n\t\t\tProtocols: []string{common.ProtocolWebDAV},\n\t\t},\n\t}\n\n\terr := common.Initialize(cfg, 0)\n\tassert.NoError(t, err)\n\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient := getWebDavClient(user, false, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\n\t_, err = client.ReadDir(\".\")\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"429\")\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\terr = common.Initialize(oldConfig, 0)\n\tassert.NoError(t, err)\n}\n\nfunc TestDefender(t *testing.T) {\n\toldConfig := config.GetCommonConfig()\n\n\tcfg := config.GetCommonConfig()\n\tcfg.DefenderConfig.Enabled = true\n\tcfg.DefenderConfig.Threshold = 3\n\tcfg.DefenderConfig.ScoreLimitExceeded = 2\n\tcfg.DefenderConfig.ScoreValid = 1\n\n\terr := common.Initialize(cfg, 0)\n\tassert.NoError(t, err)\n\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient := getWebDavClient(user, true, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\n\tuser.Password = \"wrong_pwd\"\n\tclient = getWebDavClient(user, false, nil)\n\tassert.Error(t, checkBasicFunc(client))\n\thosts, _, err := httpdtest.GetDefenderHosts(http.StatusOK)\n\tassert.NoError(t, err)\n\tif assert.Len(t, hosts, 1) {\n\t\thost := hosts[0]\n\t\tassert.Empty(t, host.GetBanTime())\n\t\tassert.Equal(t, 1, host.Score)\n\t}\n\n\tfor i := 0; i < 2; i++ {\n\t\tclient = getWebDavClient(user, false, nil)\n\t\tassert.Error(t, checkBasicFunc(client))\n\t}\n\n\tuser.Password = defaultPassword\n\tclient = getWebDavClient(user, true, nil)\n\terr = checkBasicFunc(client)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"403\")\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\terr = common.Initialize(oldConfig, 0)\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginExternalAuth(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tu := getTestUser()\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = os.WriteFile(extAuthPath, getExtAuthScriptContent(u, \"\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tproviderConf.ExternalAuthHook = extAuthPath\n\tproviderConf.ExternalAuthScope = 0\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\tclient := getWebDavClient(u, false, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\tu.Username = defaultUsername + \"1\"\n\tclient = getWebDavClient(u, false, nil)\n\tassert.Error(t, checkBasicFunc(client))\n\tuser, _, err := httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, defaultUsername, user.Username)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = os.Remove(extAuthPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestExternalAuthPasswordChange(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tu := getTestUser()\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = os.WriteFile(extAuthPath, getExtAuthScriptContent(u, defaultPassword), os.ModePerm)\n\tassert.NoError(t, err)\n\tproviderConf.ExternalAuthHook = extAuthPath\n\tproviderConf.ExternalAuthScope = 0\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\tclient := getWebDavClient(u, false, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\tu.Username = defaultUsername + \"1\"\n\tclient = getWebDavClient(u, false, nil)\n\tassert.Error(t, checkBasicFunc(client))\n\terr = os.WriteFile(extAuthPath, getExtAuthScriptContent(u, defaultPassword+\"1\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tclient = getWebDavClient(u, false, nil)\n\tassert.Error(t, checkBasicFunc(client))\n\tu.Password = defaultPassword + \"1\"\n\tclient = getWebDavClient(u, false, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\tuser, _, err := httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, defaultUsername, user.Username)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\tuser, _, err = httpdtest.GetUserByUsername(defaultUsername+\"1\", http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = os.Remove(extAuthPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestExternalAuthReturningAnonymousUser(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tu := getTestUser()\n\tu.Filters.IsAnonymous = true\n\tu.Filters.DeniedProtocols = []string{common.ProtocolSSH}\n\tu.Password = \"\"\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = os.WriteFile(extAuthPath, getExtAuthScriptContent(u, \"\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tproviderConf.ExternalAuthHook = extAuthPath\n\tproviderConf.ExternalAuthScope = 0\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\tclient := getWebDavClient(u, false, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(65535)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\terr = uploadFileWithRawClient(testFilePath, testFileName, u.Username, emptyPwdPlaceholder,\n\t\tfalse, testFileSize, client)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"403\")\n\t}\n\n\tuser, _, err := httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.True(t, user.Filters.IsAnonymous)\n\tassert.Equal(t, []string{dataprovider.PermListItems, dataprovider.PermDownload}, user.Permissions[\"/\"])\n\tassert.Equal(t, []string{common.ProtocolSSH, common.ProtocolHTTP}, user.Filters.DeniedProtocols)\n\tassert.Equal(t, []string{dataprovider.SSHLoginMethodPublicKey, dataprovider.SSHLoginMethodPassword,\n\t\tdataprovider.SSHLoginMethodKeyboardInteractive, dataprovider.SSHLoginMethodKeyAndPassword,\n\t\tdataprovider.SSHLoginMethodKeyAndKeyboardInt, dataprovider.LoginMethodTLSCertificate,\n\t\tdataprovider.LoginMethodTLSCertificateAndPwd}, user.Filters.DeniedLoginMethods)\n\n\tu.Password = emptyPwdPlaceholder\n\tclient = getWebDavClient(user, false, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\n\terr = uploadFileWithRawClient(testFilePath, testFileName, user.Username, defaultPassword,\n\t\tfalse, testFileSize, client)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"403\")\n\t}\n\terr = client.Mkdir(\"testdir\", os.ModePerm)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"403\")\n\t}\n\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = os.Remove(extAuthPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestExternalAuthAnonymousGroupInheritance(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tg := dataprovider.Group{\n\t\tBaseGroup: sdk.BaseGroup{\n\t\t\tName: \"test_group\",\n\t\t},\n\t\tUserSettings: dataprovider.GroupUserSettings{\n\t\t\tBaseGroupUserSettings: sdk.BaseGroupUserSettings{\n\t\t\t\tPermissions: map[string][]string{\n\t\t\t\t\t\"/\": allPerms,\n\t\t\t\t},\n\t\t\t\tFilters: sdk.BaseUserFilters{\n\t\t\t\t\tIsAnonymous: true,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\tu := getTestUser()\n\tu.Groups = []sdk.GroupMapping{\n\t\t{\n\t\t\tName: g.Name,\n\t\t\tType: sdk.GroupTypePrimary,\n\t\t},\n\t}\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = os.WriteFile(extAuthPath, getExtAuthScriptContent(u, \"\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tproviderConf.ExternalAuthHook = extAuthPath\n\tproviderConf.ExternalAuthScope = 0\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\tgroup, _, err := httpdtest.AddGroup(g, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tu.Password = emptyPwdPlaceholder\n\tclient := getWebDavClient(u, false, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\n\terr = client.Mkdir(\"tdir\", os.ModePerm)\n\tif assert.Error(t, err) {\n\t\tassert.Contains(t, err.Error(), \"403\")\n\t}\n\n\tuser, _, err := httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.False(t, user.Filters.IsAnonymous)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveGroup(group, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = os.Remove(extAuthPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestPreLoginHook(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tu := getTestUser()\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = os.WriteFile(preLoginPath, getPreLoginScriptContent(u, false), os.ModePerm)\n\tassert.NoError(t, err)\n\tproviderConf.PreLoginHook = preLoginPath\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetUserByUsername(defaultUsername, http.StatusNotFound)\n\tassert.NoError(t, err)\n\tclient := getWebDavClient(u, true, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\n\tuser, _, err := httpdtest.GetUserByUsername(defaultUsername, http.StatusOK)\n\tassert.NoError(t, err)\n\t// test login with an existing user\n\tclient = getWebDavClient(user, true, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\terr = os.WriteFile(preLoginPath, getPreLoginScriptContent(user, true), os.ModePerm)\n\tassert.NoError(t, err)\n\t// update the user to remove it from the cache\n\tuser.FsConfig.Provider = sdk.CryptedFilesystemProvider\n\tuser.FsConfig.CryptConfig.Passphrase = kms.NewPlainSecret(defaultPassword)\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tclient = getWebDavClient(user, true, nil)\n\tassert.Error(t, checkBasicFunc(client))\n\t// update the user to remove it from the cache\n\tuser.FsConfig.Provider = sdk.LocalFilesystemProvider\n\tuser.FsConfig.CryptConfig.Passphrase = nil\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tuser.Status = 0\n\terr = os.WriteFile(preLoginPath, getPreLoginScriptContent(user, false), os.ModePerm)\n\tassert.NoError(t, err)\n\tclient = getWebDavClient(user, true, nil)\n\tassert.Error(t, checkBasicFunc(client))\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = os.Remove(preLoginPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestPreDownloadHook(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\toldExecuteOn := common.Config.Actions.ExecuteOn\n\toldHook := common.Config.Actions.Hook\n\n\tcommon.Config.Actions.ExecuteOn = []string{common.OperationPreDownload}\n\tcommon.Config.Actions.Hook = preDownloadPath\n\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(preDownloadPath, getExitCodeScriptContent(0), os.ModePerm)\n\tassert.NoError(t, err)\n\n\tclient := getWebDavClient(user, true, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(65535)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\terr = uploadFileWithRawClient(testFilePath, testFileName, user.Username, defaultPassword,\n\t\ttrue, testFileSize, client)\n\tassert.NoError(t, err)\n\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\terr = downloadFile(testFileName, localDownloadPath, testFileSize, client)\n\tassert.NoError(t, err)\n\terr = os.Remove(localDownloadPath)\n\tassert.NoError(t, err)\n\n\terr = os.WriteFile(preDownloadPath, getExitCodeScriptContent(1), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = downloadFile(testFileName, localDownloadPath, testFileSize, client)\n\tassert.Error(t, err)\n\terr = os.Remove(localDownloadPath)\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool { return len(common.Connections.GetStats(\"\")) == 0 },\n\t\t1*time.Second, 100*time.Millisecond)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n\n\tcommon.Config.Actions.ExecuteOn = []string{common.OperationPreDownload}\n\tcommon.Config.Actions.Hook = preDownloadPath\n\n\tcommon.Config.Actions.ExecuteOn = oldExecuteOn\n\tcommon.Config.Actions.Hook = oldHook\n}\n\nfunc TestPreUploadHook(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\toldExecuteOn := common.Config.Actions.ExecuteOn\n\toldHook := common.Config.Actions.Hook\n\n\tcommon.Config.Actions.ExecuteOn = []string{common.OperationPreUpload}\n\tcommon.Config.Actions.Hook = preUploadPath\n\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(preUploadPath, getExitCodeScriptContent(0), os.ModePerm)\n\tassert.NoError(t, err)\n\n\tclient := getWebDavClient(user, true, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(65535)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\terr = uploadFileWithRawClient(testFilePath, testFileName, user.Username, defaultPassword,\n\t\ttrue, testFileSize, client)\n\tassert.NoError(t, err)\n\n\terr = os.WriteFile(preUploadPath, getExitCodeScriptContent(1), os.ModePerm)\n\tassert.NoError(t, err)\n\n\terr = uploadFileWithRawClient(testFilePath, testFileName, user.Username, defaultPassword,\n\t\ttrue, testFileSize, client)\n\tassert.Error(t, err)\n\n\terr = uploadFileWithRawClient(testFilePath, testFileName+\"1\", user.Username, defaultPassword,\n\t\tfalse, testFileSize, client)\n\tassert.Error(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool { return len(common.Connections.GetStats(\"\")) == 0 },\n\t\t1*time.Second, 100*time.Millisecond)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n\n\tcommon.Config.Actions.ExecuteOn = oldExecuteOn\n\tcommon.Config.Actions.Hook = oldHook\n}\n\nfunc TestPostConnectHook(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tcommon.Config.PostConnectHook = postConnectPath\n\n\tu := getTestUser()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(postConnectPath, getExitCodeScriptContent(0), os.ModePerm)\n\tassert.NoError(t, err)\n\tclient := getWebDavClient(user, false, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\terr = os.WriteFile(postConnectPath, getExitCodeScriptContent(1), os.ModePerm)\n\tassert.NoError(t, err)\n\tassert.Error(t, checkBasicFunc(client))\n\n\tcommon.Config.PostConnectHook = \"http://127.0.0.1:8078/healthz\"\n\tassert.NoError(t, checkBasicFunc(client))\n\n\tcommon.Config.PostConnectHook = \"http://127.0.0.1:8078/notfound\"\n\tassert.Error(t, checkBasicFunc(client))\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\n\tcommon.Config.PostConnectHook = \"\"\n}\n\nfunc TestMaxConnections(t *testing.T) {\n\toldValue := common.Config.MaxTotalConnections\n\tcommon.Config.MaxTotalConnections = 1\n\n\tassert.Eventually(t, func() bool {\n\t\treturn common.Connections.GetClientConnections() == 0\n\t}, 1000*time.Millisecond, 50*time.Millisecond)\n\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient := getWebDavClient(user, true, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\t// now add a fake connection\n\tfs := vfs.NewOsFs(\"id\", os.TempDir(), \"\", nil)\n\tconnection := &webdavd.Connection{\n\t\tBaseConnection: common.NewBaseConnection(fs.ConnectionID(), common.ProtocolWebDAV, \"\", \"\", user),\n\t}\n\terr = common.Connections.Add(connection)\n\tassert.NoError(t, err)\n\tassert.Error(t, checkBasicFunc(client))\n\tcommon.Connections.Remove(connection.GetID())\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool { return len(common.Connections.GetStats(\"\")) == 0 },\n\t\t1*time.Second, 100*time.Millisecond)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n\n\tcommon.Config.MaxTotalConnections = oldValue\n}\n\nfunc TestMaxPerHostConnections(t *testing.T) {\n\toldValue := common.Config.MaxPerHostConnections\n\tcommon.Config.MaxPerHostConnections = 1\n\n\tassert.Eventually(t, func() bool {\n\t\treturn common.Connections.GetClientConnections() == 0\n\t}, 1000*time.Millisecond, 50*time.Millisecond)\n\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient := getWebDavClient(user, true, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\t// now add a fake connection\n\taddrs, err := net.LookupHost(\"localhost\")\n\tassert.NoError(t, err)\n\tfor _, addr := range addrs {\n\t\tcommon.Connections.AddClientConnection(addr)\n\t}\n\tassert.Error(t, checkBasicFunc(client))\n\tfor _, addr := range addrs {\n\t\tcommon.Connections.RemoveClientConnection(addr)\n\t}\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool { return len(common.Connections.GetStats(\"\")) == 0 },\n\t\t1*time.Second, 100*time.Millisecond)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n\n\tcommon.Config.MaxPerHostConnections = oldValue\n}\n\nfunc TestMaxTransfers(t *testing.T) {\n\toldValue := common.Config.MaxPerHostConnections\n\tcommon.Config.MaxPerHostConnections = 2\n\n\tassert.Eventually(t, func() bool {\n\t\treturn common.Connections.GetClientConnections() == 0\n\t}, 1000*time.Millisecond, 50*time.Millisecond)\n\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient := getWebDavClient(user, true, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\n\tconn, sftpClient, err := getSftpClient(user)\n\tassert.NoError(t, err)\n\tdefer conn.Close()\n\tdefer sftpClient.Close()\n\n\tf1, err := sftpClient.Create(\"file1\")\n\tassert.NoError(t, err)\n\tf2, err := sftpClient.Create(\"file2\")\n\tassert.NoError(t, err)\n\t_, err = f1.Write([]byte(\" \"))\n\tassert.NoError(t, err)\n\t_, err = f2.Write([]byte(\" \"))\n\tassert.NoError(t, err)\n\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(65535)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\terr = uploadFileWithRawClient(testFilePath, testFileName, user.Username, defaultPassword,\n\t\tfalse, testFileSize, client)\n\tassert.Error(t, err)\n\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\n\terr = f1.Close()\n\tassert.NoError(t, err)\n\terr = f2.Close()\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool { return len(common.Connections.GetStats(\"\")) == 0 },\n\t\t1*time.Second, 100*time.Millisecond)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n\n\tcommon.Config.MaxPerHostConnections = oldValue\n}\n\nfunc TestMustChangePasswordRequirement(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.RequirePasswordChange = true\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tclient := getWebDavClient(user, false, nil)\n\tassert.Error(t, checkBasicFunc(client))\n\n\terr = dataprovider.UpdateUserPassword(user.Username, defaultPassword, \"\", \"\", \"\")\n\tassert.NoError(t, err)\n\n\tclient = getWebDavClient(user, false, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestMaxSessions(t *testing.T) {\n\tu := getTestUser()\n\tu.MaxSessions = 1\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient := getWebDavClient(user, false, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\t// now add a fake connection\n\tfs := vfs.NewOsFs(\"id\", os.TempDir(), \"\", nil)\n\tconnection := &webdavd.Connection{\n\t\tBaseConnection: common.NewBaseConnection(fs.ConnectionID(), common.ProtocolWebDAV, \"\", \"\", user),\n\t}\n\terr = common.Connections.Add(connection)\n\tassert.NoError(t, err)\n\tassert.Error(t, checkBasicFunc(client))\n\tcommon.Connections.Remove(connection.GetID())\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool { return len(common.Connections.GetStats(\"\")) == 0 },\n\t\t1*time.Second, 100*time.Millisecond)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n}\n\nfunc TestLoginWithIPilters(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.DeniedIP = []string{\"192.167.0.0/24\", \"172.18.0.0/16\"}\n\tu.Filters.AllowedIP = []string{\"172.19.0.0/16\"}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient := getWebDavClient(user, true, nil)\n\tassert.Error(t, checkBasicFunc(client))\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestDownloadErrors(t *testing.T) {\n\tu := getTestUser()\n\tu.QuotaFiles = 1\n\tsubDir1 := \"sub1\"\n\tsubDir2 := \"sub2\"\n\tu.Permissions[path.Join(\"/\", subDir1)] = []string{dataprovider.PermListItems}\n\tu.Permissions[path.Join(\"/\", subDir2)] = []string{dataprovider.PermListItems, dataprovider.PermUpload,\n\t\tdataprovider.PermDelete, dataprovider.PermDownload}\n\t// use an unknown mime to trigger content type detection\n\tu.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: \"/sub2\",\n\t\t\tAllowedPatterns: []string{},\n\t\t\tDeniedPatterns: []string{\"*.jpg\", \"*.zipp\"},\n\t\t},\n\t}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient := getWebDavClient(user, false, nil)\n\ttestFilePath1 := filepath.Join(user.HomeDir, subDir1, \"file.zipp\")\n\ttestFilePath2 := filepath.Join(user.HomeDir, subDir2, \"file.zipp\")\n\ttestFilePath3 := filepath.Join(user.HomeDir, subDir2, \"file.jpg\")\n\terr = os.MkdirAll(filepath.Dir(testFilePath1), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.MkdirAll(filepath.Dir(testFilePath2), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(testFilePath1, []byte(\"file1\"), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(testFilePath2, []byte(\"file2\"), os.ModePerm)\n\tassert.NoError(t, err)\n\terr = os.WriteFile(testFilePath3, []byte(\"file3\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\terr = downloadFile(path.Join(\"/\", subDir1, \"file.zipp\"), localDownloadPath, 5, client)\n\tassert.Error(t, err)\n\terr = downloadFile(path.Join(\"/\", subDir2, \"file.zipp\"), localDownloadPath, 5, client)\n\tassert.Error(t, err)\n\terr = downloadFile(path.Join(\"/\", subDir2, \"file.jpg\"), localDownloadPath, 5, client)\n\tassert.Error(t, err)\n\terr = downloadFile(path.Join(\"missing.zip\"), localDownloadPath, 5, client)\n\tassert.Error(t, err)\n\n\terr = os.Remove(localDownloadPath)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestUploadErrors(t *testing.T) {\n\tu := getTestUser()\n\tu.QuotaSize = 65535\n\tsubDir1 := \"sub1\"\n\tsubDir2 := \"sub2\"\n\t// we need download permission to get size since PROPFIND will open the file\n\tu.Permissions[path.Join(\"/\", subDir1)] = []string{dataprovider.PermListItems, dataprovider.PermDownload}\n\tu.Permissions[path.Join(\"/\", subDir2)] = []string{dataprovider.PermListItems, dataprovider.PermUpload,\n\t\tdataprovider.PermDelete, dataprovider.PermDownload}\n\tu.Filters.FilePatterns = []sdk.PatternsFilter{\n\t\t{\n\t\t\tPath: \"/sub2\",\n\t\t\tAllowedPatterns: []string{},\n\t\t\tDeniedPatterns: []string{\"*.zip\"},\n\t\t},\n\t}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient := getWebDavClient(user, true, nil)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := user.QuotaSize\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\terr = client.Mkdir(subDir1, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = client.Mkdir(subDir2, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = uploadFileWithRawClient(testFilePath, path.Join(subDir1, testFileName), user.Username,\n\t\tdefaultPassword, true, testFileSize, client)\n\tassert.Error(t, err)\n\terr = uploadFileWithRawClient(testFilePath, path.Join(subDir2, testFileName+\".zip\"), user.Username,\n\t\tdefaultPassword, true, testFileSize, client)\n\n\tassert.Error(t, err)\n\terr = uploadFileWithRawClient(testFilePath, path.Join(subDir2, testFileName), user.Username,\n\t\tdefaultPassword, true, testFileSize, client)\n\tassert.NoError(t, err)\n\terr = client.Rename(path.Join(subDir2, testFileName), path.Join(subDir1, testFileName), false)\n\tassert.Error(t, err)\n\terr = uploadFileWithRawClient(testFilePath, path.Join(subDir2, testFileName), user.Username,\n\t\tdefaultPassword, true, testFileSize, client)\n\tassert.Error(t, err)\n\terr = uploadFileWithRawClient(testFilePath, subDir1, user.Username,\n\t\tdefaultPassword, true, testFileSize, client)\n\tassert.Error(t, err)\n\t// overquota\n\terr = uploadFileWithRawClient(testFilePath, testFileName, user.Username, defaultPassword,\n\t\ttrue, testFileSize, client)\n\tassert.Error(t, err)\n\terr = client.Remove(path.Join(subDir2, testFileName))\n\tassert.NoError(t, err)\n\terr = uploadFileWithRawClient(testFilePath, testFileName, user.Username, defaultPassword,\n\t\ttrue, testFileSize, client)\n\tassert.NoError(t, err)\n\terr = uploadFileWithRawClient(testFilePath, testFileName, user.Username, defaultPassword,\n\t\ttrue, testFileSize, client)\n\tassert.Error(t, err)\n\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestDeniedLoginMethod(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodPassword}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient := getWebDavClient(user, true, nil)\n\tassert.Error(t, checkBasicFunc(client))\n\n\tuser.Filters.DeniedLoginMethods = []string{dataprovider.SSHLoginMethodPublicKey, dataprovider.SSHLoginMethodKeyAndKeyboardInt}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tclient = getWebDavClient(user, true, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestDeniedProtocols(t *testing.T) {\n\tu := getTestUser()\n\tu.Filters.DeniedProtocols = []string{common.ProtocolWebDAV}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient := getWebDavClient(user, false, nil)\n\tassert.Error(t, checkBasicFunc(client))\n\n\tuser.Filters.DeniedProtocols = []string{common.ProtocolSSH, common.ProtocolFTP}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tclient = getWebDavClient(user, false, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestQuotaLimits(t *testing.T) {\n\tu := getTestUser()\n\tu.QuotaFiles = 1\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser()\n\tu.QuotaFiles = 1\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\ttestFileSize := int64(65536)\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\ttestFileSize1 := int64(131072)\n\t\ttestFileName1 := \"test_file1.dat\"\n\t\ttestFilePath1 := filepath.Join(homeBasePath, testFileName1)\n\t\terr = createTestFile(testFilePath1, testFileSize1)\n\t\tassert.NoError(t, err)\n\t\ttestFileSize2 := int64(32768)\n\t\ttestFileName2 := \"test_file2.dat\"\n\t\ttestFilePath2 := filepath.Join(homeBasePath, testFileName2)\n\t\terr = createTestFile(testFilePath2, testFileSize2)\n\t\tassert.NoError(t, err)\n\t\tclient := getWebDavClient(user, false, nil)\n\t\t// test quota files\n\t\terr = uploadFileWithRawClient(testFilePath, testFileName+\".quota\", user.Username, defaultPassword, false, //nolint:goconst\n\t\t\ttestFileSize, client)\n\t\tif !assert.NoError(t, err, \"username: %v\", user.Username) {\n\t\t\tinfo, err := os.Stat(testFilePath)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\tfmt.Printf(\"local file size: %v\\n\", info.Size())\n\t\t\t}\n\t\t\tprintLatestLogs(20)\n\t\t}\n\t\terr = uploadFileWithRawClient(testFilePath, testFileName+\".quota1\", user.Username, defaultPassword,\n\t\t\tfalse, testFileSize, client)\n\t\tassert.Error(t, err, \"username: %v\", user.Username)\n\t\terr = client.Rename(testFileName+\".quota\", testFileName, false)\n\t\tassert.NoError(t, err)\n\t\tfiles, err := client.ReadDir(\"/\")\n\t\tassert.NoError(t, err)\n\t\tassert.Len(t, files, 1)\n\t\t// test quota size\n\t\tuser.QuotaSize = testFileSize - 1\n\t\tuser.QuotaFiles = 0\n\t\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\t\tassert.NoError(t, err)\n\t\terr = uploadFileWithRawClient(testFilePath, testFileName+\".quota\", user.Username, defaultPassword,\n\t\t\tfalse, testFileSize, client)\n\t\tassert.Error(t, err)\n\t\terr = client.Rename(testFileName, testFileName+\".quota\", false)\n\t\tassert.NoError(t, err)\n\t\t// now test quota limits while uploading the current file, we have 1 bytes remaining\n\t\tuser.QuotaSize = testFileSize + 1\n\t\tuser.QuotaFiles = 0\n\t\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\t\tassert.NoError(t, err)\n\t\terr = uploadFileWithRawClient(testFilePath1, testFileName1, user.Username, defaultPassword,\n\t\t\tfalse, testFileSize1, client)\n\t\tassert.Error(t, err)\n\t\t_, err = client.Stat(testFileName1)\n\t\tassert.Error(t, err)\n\t\terr = client.Rename(testFileName+\".quota\", testFileName, false)\n\t\tassert.NoError(t, err)\n\t\t// overwriting an existing file will work if the resulting size is lesser or equal than the current one\n\t\terr = uploadFileWithRawClient(testFilePath, testFileName, user.Username, defaultPassword,\n\t\t\tfalse, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = uploadFileWithRawClient(testFilePath2, testFileName, user.Username, defaultPassword,\n\t\t\tfalse, testFileSize2, client)\n\t\tassert.NoError(t, err)\n\t\terr = uploadFileWithRawClient(testFilePath1, testFileName, user.Username, defaultPassword,\n\t\t\tfalse, testFileSize1, client)\n\t\tassert.Error(t, err)\n\t\terr = uploadFileWithRawClient(testFilePath2, testFileName, user.Username, defaultPassword,\n\t\t\tfalse, testFileSize2, client)\n\t\tassert.NoError(t, err)\n\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath1)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath2)\n\t\tassert.NoError(t, err)\n\t\tif user.Username == defaultUsername {\n\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\tassert.NoError(t, err)\n\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tuser.Password = defaultPassword\n\t\t\tuser.ID = 0\n\t\t\tuser.CreatedAt = 0\n\t\t\tuser.QuotaFiles = 0\n\t\t\tuser.QuotaSize = 0\n\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\tassert.NoError(t, err, string(resp))\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestTransferQuotaLimits(t *testing.T) {\n\tu := getTestUser()\n\tu.DownloadDataTransfer = 1\n\tu.UploadDataTransfer = 1\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(550000)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\n\tclient := getWebDavClient(user, false, nil)\n\terr = uploadFileWithRawClient(testFilePath, testFileName, user.Username, defaultPassword,\n\t\tfalse, testFileSize, client)\n\tassert.NoError(t, err)\n\terr = downloadFile(testFileName, localDownloadPath, testFileSize, client)\n\tassert.NoError(t, err)\n\t// error while download is active\n\terr = downloadFile(testFileName, localDownloadPath, testFileSize, client)\n\tassert.Error(t, err)\n\t// error before starting the download\n\terr = downloadFile(testFileName, localDownloadPath, testFileSize, client)\n\tassert.Error(t, err)\n\t// error while upload is active\n\terr = uploadFileWithRawClient(testFilePath, testFileName, user.Username, defaultPassword,\n\t\tfalse, testFileSize, client)\n\tassert.Error(t, err)\n\t// error before starting the upload\n\terr = uploadFileWithRawClient(testFilePath, testFileName, user.Username, defaultPassword,\n\t\tfalse, testFileSize, client)\n\tassert.Error(t, err)\n\n\terr = os.Remove(localDownloadPath)\n\tassert.NoError(t, err)\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestUploadMaxSize(t *testing.T) {\n\ttestFileSize := int64(65535)\n\tu := getTestUser()\n\tu.Filters.MaxUploadFileSize = testFileSize + 1\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser()\n\tu.Filters.MaxUploadFileSize = testFileSize + 1\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\ttestFileSize1 := int64(131072)\n\t\ttestFileName1 := \"test_file_dav1.dat\"\n\t\ttestFilePath1 := filepath.Join(homeBasePath, testFileName1)\n\t\terr = createTestFile(testFilePath1, testFileSize1)\n\t\tassert.NoError(t, err)\n\t\tclient := getWebDavClient(user, false, nil)\n\t\terr = uploadFileWithRawClient(testFilePath1, testFileName1, user.Username, defaultPassword,\n\t\t\tfalse, testFileSize1, client)\n\t\tassert.Error(t, err)\n\t\terr = uploadFileWithRawClient(testFilePath, testFileName, user.Username, defaultPassword,\n\t\t\tfalse, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\t// now test overwrite an existing file with a size bigger than the allowed one\n\t\terr = createTestFile(filepath.Join(user.GetHomeDir(), testFileName1), testFileSize1)\n\t\tassert.NoError(t, err)\n\t\terr = uploadFileWithRawClient(testFilePath1, testFileName1, user.Username, defaultPassword,\n\t\t\tfalse, testFileSize1, client)\n\t\tassert.Error(t, err)\n\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\terr = os.Remove(testFilePath1)\n\t\tassert.NoError(t, err)\n\t\tif user.Username == defaultUsername {\n\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\tassert.NoError(t, err)\n\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tuser.Filters.MaxUploadFileSize = 65536000\n\t\t\tuser.Password = defaultPassword\n\t\t\tuser.ID = 0\n\t\t\tuser.CreatedAt = 0\n\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\tassert.NoError(t, err, string(resp))\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestClientClose(t *testing.T) {\n\tu := getTestUser()\n\tu.UploadBandwidth = 64\n\tu.DownloadBandwidth = 64\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser()\n\tu.UploadBandwidth = 64\n\tu.DownloadBandwidth = 64\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\ttestFileSize := int64(1048576)\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\tclient := getWebDavClient(user, true, nil)\n\t\tassert.NoError(t, checkBasicFunc(client))\n\n\t\tvar wg sync.WaitGroup\n\t\twg.Add(1)\n\t\tgo func() {\n\t\t\terr = uploadFileWithRawClient(testFilePath, testFileName, user.Username, defaultPassword,\n\t\t\t\ttrue, testFileSize, client)\n\t\t\tassert.Error(t, err)\n\t\t\twg.Done()\n\t\t}()\n\n\t\tassert.Eventually(t, func() bool {\n\t\t\tfor _, stat := range common.Connections.GetStats(\"\") {\n\t\t\t\tif len(stat.Transfers) > 0 {\n\t\t\t\t\treturn true\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn false\n\t\t}, 1*time.Second, 50*time.Millisecond)\n\n\t\tfor _, stat := range common.Connections.GetStats(\"\") {\n\t\t\tcommon.Connections.Close(stat.ConnectionID, \"\")\n\t\t}\n\t\twg.Wait()\n\t\t// for the sftp user a stat is done after the failed upload and\n\t\t// this triggers a new connection\n\t\tfor _, stat := range common.Connections.GetStats(\"\") {\n\t\t\tcommon.Connections.Close(stat.ConnectionID, \"\")\n\t\t}\n\t\tassert.Eventually(t, func() bool { return len(common.Connections.GetStats(\"\")) == 0 },\n\t\t\t1*time.Second, 100*time.Millisecond)\n\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\ttestFilePath = filepath.Join(user.HomeDir, testFileName)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\n\t\twg.Add(1)\n\t\tgo func() {\n\t\t\terr = downloadFile(testFileName, localDownloadPath, testFileSize, client)\n\t\t\tassert.Error(t, err)\n\t\t\twg.Done()\n\t\t}()\n\n\t\tassert.Eventually(t, func() bool {\n\t\t\tfor _, stat := range common.Connections.GetStats(\"\") {\n\t\t\t\tif len(stat.Transfers) > 0 {\n\t\t\t\t\treturn true\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn false\n\t\t}, 1*time.Second, 50*time.Millisecond)\n\n\t\tfor _, stat := range common.Connections.GetStats(\"\") {\n\t\t\tcommon.Connections.Close(stat.ConnectionID, \"\")\n\t\t}\n\t\twg.Wait()\n\t\tassert.Eventually(t, func() bool { return len(common.Connections.GetStats(\"\")) == 0 },\n\t\t\t1*time.Second, 100*time.Millisecond)\n\t\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n\n\t\terr = os.Remove(localDownloadPath)\n\t\tassert.NoError(t, err)\n\t}\n\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginWithDatabaseCredentials(t *testing.T) {\n\tu := getTestUser()\n\tu.FsConfig.Provider = sdk.GCSFilesystemProvider\n\tu.FsConfig.GCSConfig.Bucket = \"test\"\n\tu.FsConfig.GCSConfig.Credentials = kms.NewPlainSecret(`{ \"type\": \"service_account\", \"private_key\": \" \", \"client_email\": \"example@iam.gserviceaccount.com\" }`)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tassert.Equal(t, sdkkms.SecretStatusSecretBox, user.FsConfig.GCSConfig.Credentials.GetStatus())\n\tassert.NotEmpty(t, user.FsConfig.GCSConfig.Credentials.GetPayload())\n\tassert.Empty(t, user.FsConfig.GCSConfig.Credentials.GetAdditionalData())\n\tassert.Empty(t, user.FsConfig.GCSConfig.Credentials.GetKey())\n\n\tclient := getWebDavClient(user, false, nil)\n\n\terr = client.Connect()\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestLoginInvalidFs(t *testing.T) {\n\tu := getTestUser()\n\tu.FsConfig.Provider = sdk.GCSFilesystemProvider\n\tu.FsConfig.GCSConfig.Bucket = \"test\"\n\tu.FsConfig.GCSConfig.Credentials = kms.NewPlainSecret(\"invalid JSON for credentials\")\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tclient := getWebDavClient(user, true, nil)\n\tassert.Error(t, checkBasicFunc(client))\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestSFTPBuffered(t *testing.T) {\n\tu := getTestUser()\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser()\n\tu.QuotaFiles = 1000\n\tu.HomeDir = filepath.Join(os.TempDir(), u.Username)\n\tu.FsConfig.SFTPConfig.BufferSize = 2\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tclient := getWebDavClient(sftpUser, true, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(65535)\n\texpectedQuotaSize := testFileSize\n\texpectedQuotaFiles := 1\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\terr = uploadFileWithRawClient(testFilePath, testFileName, sftpUser.Username, defaultPassword,\n\t\ttrue, testFileSize, client)\n\tassert.NoError(t, err)\n\t// overwrite an existing file\n\terr = uploadFileWithRawClient(testFilePath, testFileName, sftpUser.Username, defaultPassword,\n\t\ttrue, testFileSize, client)\n\tassert.NoError(t, err)\n\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\terr = downloadFile(testFileName, localDownloadPath, testFileSize, client)\n\tassert.NoError(t, err)\n\n\tuser, _, err := httpdtest.GetUserByUsername(sftpUser.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, expectedQuotaFiles, user.UsedQuotaFiles)\n\tassert.Equal(t, expectedQuotaSize, user.UsedQuotaSize)\n\n\tfileContent := []byte(\"test file contents\")\n\terr = os.WriteFile(testFilePath, fileContent, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = uploadFileWithRawClient(testFilePath, testFileName, sftpUser.Username, defaultPassword,\n\t\ttrue, int64(len(fileContent)), client)\n\tassert.NoError(t, err)\n\tremotePath := fmt.Sprintf(\"http://%v/%v\", webDavServerAddr, testFileName)\n\treq, err := http.NewRequest(http.MethodGet, remotePath, nil)\n\tassert.NoError(t, err)\n\thttpClient := httpclient.GetHTTPClient()\n\treq.SetBasicAuth(user.Username, defaultPassword)\n\treq.Header.Set(\"Range\", \"bytes=5-\")\n\tresp, err := httpClient.Do(req)\n\tif assert.NoError(t, err) {\n\t\tdefer resp.Body.Close()\n\t\tassert.Equal(t, http.StatusPartialContent, resp.StatusCode)\n\t\tbodyBytes, err := io.ReadAll(resp.Body)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, \"file contents\", string(bodyBytes))\n\t}\n\treq.Header.Set(\"Range\", \"bytes=5-8\")\n\tresp, err = httpClient.Do(req)\n\tif assert.NoError(t, err) {\n\t\tdefer resp.Body.Close()\n\t\tassert.Equal(t, http.StatusPartialContent, resp.StatusCode)\n\t\tbodyBytes, err := io.ReadAll(resp.Body)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, \"file\", string(bodyBytes))\n\t}\n\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(sftpUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestBytesRangeRequests(t *testing.T) {\n\tu := getTestUser()\n\tu.Username = u.Username + \"1\"\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tsftpUser := getTestSFTPUser()\n\tsftpUser.FsConfig.SFTPConfig.Username = localUser.Username\n\n\tfor _, u := range []dataprovider.User{getTestUser(), getTestUserWithCryptFs(), sftpUser} {\n\t\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\t\tassert.NoError(t, err)\n\t\ttestFileName := \"test_file.txt\"\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\tfileContent := []byte(\"test file contents\")\n\t\terr = os.WriteFile(testFilePath, fileContent, os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\tclient := getWebDavClient(user, true, nil)\n\t\terr = uploadFileWithRawClient(testFilePath, testFileName, user.Username, defaultPassword,\n\t\t\ttrue, int64(len(fileContent)), client)\n\t\tassert.NoError(t, err)\n\t\tremotePath := fmt.Sprintf(\"http://%v/%v\", webDavServerAddr, testFileName)\n\t\treq, err := http.NewRequest(http.MethodGet, remotePath, nil)\n\t\tif assert.NoError(t, err) {\n\t\t\thttpClient := httpclient.GetHTTPClient()\n\t\t\treq.SetBasicAuth(user.Username, defaultPassword)\n\t\t\treq.Header.Set(\"Range\", \"bytes=5-\")\n\t\t\tresp, err := httpClient.Do(req)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\tdefer resp.Body.Close()\n\t\t\t\tassert.Equal(t, http.StatusPartialContent, resp.StatusCode)\n\t\t\t\tbodyBytes, err := io.ReadAll(resp.Body)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, \"file contents\", string(bodyBytes))\n\t\t\t}\n\t\t\treq.Header.Set(\"Range\", \"bytes=5-8\")\n\t\t\tresp, err = httpClient.Do(req)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\tdefer resp.Body.Close()\n\t\t\t\tassert.Equal(t, http.StatusPartialContent, resp.StatusCode)\n\t\t\t\tbodyBytes, err := io.ReadAll(resp.Body)\n\t\t\t\tassert.NoError(t, err)\n\t\t\t\tassert.Equal(t, \"file\", string(bodyBytes))\n\t\t\t}\n\t\t}\n\t\t// seek on a missing file\n\t\tremotePath = fmt.Sprintf(\"http://%v/%v\", webDavServerAddr, testFileName+\"_missing\")\n\t\treq, err = http.NewRequest(http.MethodGet, remotePath, nil)\n\t\tif assert.NoError(t, err) {\n\t\t\thttpClient := httpclient.GetHTTPClient()\n\t\t\treq.SetBasicAuth(user.Username, defaultPassword)\n\t\t\treq.Header.Set(\"Range\", \"bytes=5-\")\n\t\t\tresp, err := httpClient.Do(req)\n\t\t\tif assert.NoError(t, err) {\n\t\t\t\tdefer resp.Body.Close()\n\t\t\t\tassert.Equal(t, http.StatusNotFound, resp.StatusCode)\n\t\t\t}\n\t\t}\n\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\tassert.NoError(t, err)\n\t}\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestContentTypeGET(t *testing.T) {\n\tuser, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)\n\tassert.NoError(t, err)\n\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(64)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\tclient := getWebDavClient(user, true, nil)\n\terr = uploadFileWithRawClient(testFilePath, testFileName+\".sftpgo\", user.Username, defaultPassword,\n\t\ttrue, testFileSize, client)\n\tassert.NoError(t, err)\n\tremotePath := fmt.Sprintf(\"http://%v/%v\", webDavServerAddr, testFileName+\".sftpgo\")\n\treq, err := http.NewRequest(http.MethodGet, remotePath, nil)\n\tif assert.NoError(t, err) {\n\t\thttpClient := httpclient.GetHTTPClient()\n\t\treq.SetBasicAuth(user.Username, defaultPassword)\n\t\tresp, err := httpClient.Do(req)\n\t\tif assert.NoError(t, err) {\n\t\t\tdefer resp.Body.Close()\n\t\t\tassert.Equal(t, http.StatusOK, resp.StatusCode)\n\t\t\tassert.Equal(t, \"application/sftpgo\", resp.Header.Get(\"Content-Type\"))\n\t\t}\n\t}\n\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestHEAD(t *testing.T) {\n\tu := getTestUser()\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\trootPath := fmt.Sprintf(\"http://%v\", webDavServerAddr)\n\thttpClient := httpclient.GetHTTPClient()\n\treq, err := http.NewRequest(http.MethodHead, rootPath, nil)\n\tif assert.NoError(t, err) {\n\t\treq.SetBasicAuth(u.Username, u.Password)\n\t\tresp, err := httpClient.Do(req)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, http.StatusMultiStatus, resp.StatusCode)\n\t\t\tassert.Equal(t, \"text/xml; charset=utf-8\", resp.Header.Get(\"Content-Type\"))\n\t\t\tresp.Body.Close()\n\t\t}\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestGETAsPROPFIND(t *testing.T) {\n\tu := getTestUser()\n\tsubDir1 := \"/sub1\"\n\tu.Permissions[subDir1] = []string{dataprovider.PermUpload, dataprovider.PermCreateDirs}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\trootPath := fmt.Sprintf(\"http://%v/\", webDavServerAddr)\n\thttpClient := httpclient.GetHTTPClient()\n\treq, err := http.NewRequest(http.MethodGet, rootPath, nil)\n\tif assert.NoError(t, err) {\n\t\treq.SetBasicAuth(u.Username, u.Password)\n\t\tresp, err := httpClient.Do(req)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, http.StatusMultiStatus, resp.StatusCode)\n\t\t\tresp.Body.Close()\n\t\t}\n\t}\n\tclient := getWebDavClient(user, false, nil)\n\terr = client.MkdirAll(path.Join(subDir1, \"sub\", \"sub1\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tsubPath := fmt.Sprintf(\"http://%v/%v\", webDavServerAddr, subDir1)\n\treq, err = http.NewRequest(http.MethodGet, subPath, nil)\n\tif assert.NoError(t, err) {\n\t\treq.SetBasicAuth(u.Username, u.Password)\n\t\tresp, err := httpClient.Do(req)\n\t\tif assert.NoError(t, err) {\n\t\t\t// before the performance patch we have a 500 here, now we have 207 but an empty list\n\t\t\t//assert.Equal(t, http.StatusInternalServerError, resp.StatusCode)\n\t\t\tassert.Equal(t, http.StatusMultiStatus, resp.StatusCode)\n\t\t\tresp.Body.Close()\n\t\t}\n\t}\n\t// we cannot stat the sub at all\n\tsubPath1 := fmt.Sprintf(\"http://%v/%v\", webDavServerAddr, path.Join(subDir1, \"sub\"))\n\treq, err = http.NewRequest(http.MethodGet, subPath1, nil)\n\tif assert.NoError(t, err) {\n\t\treq.SetBasicAuth(u.Username, u.Password)\n\t\tresp, err := httpClient.Do(req)\n\t\tif assert.NoError(t, err) {\n\t\t\t// here the stat will fail, so the request will not be changed in propfind\n\t\t\tassert.Equal(t, http.StatusForbidden, resp.StatusCode)\n\t\t\tresp.Body.Close()\n\t\t}\n\t}\n\n\t// we have no permission, we get an empty list\n\tfiles, err := client.ReadDir(subDir1)\n\tassert.NoError(t, err)\n\tassert.Len(t, files, 0)\n\t// if we grant the permissions the files are listed\n\tuser.Permissions[subDir1] = []string{dataprovider.PermDownload, dataprovider.PermListItems}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tfiles, err = client.ReadDir(subDir1)\n\tassert.NoError(t, err)\n\tassert.Len(t, files, 1)\n\t// PROPFIND with infinity depth is forbidden\n\treq, err = http.NewRequest(http.MethodGet, rootPath, nil)\n\tif assert.NoError(t, err) {\n\t\treq.SetBasicAuth(u.Username, u.Password)\n\t\treq.Header.Set(\"Depth\", \"infinity\")\n\t\tresp, err := httpClient.Do(req)\n\t\tif assert.NoError(t, err) {\n\t\t\tassert.Equal(t, http.StatusForbidden, resp.StatusCode)\n\t\t\tresp.Body.Close()\n\t\t}\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestStat(t *testing.T) {\n\tu := getTestUser()\n\tu.Permissions[\"/subdir\"] = []string{dataprovider.PermUpload, dataprovider.PermListItems, dataprovider.PermDownload}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient := getWebDavClient(user, true, nil)\n\tsubDir := \"subdir\"\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(65535)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\terr = client.Mkdir(subDir, os.ModePerm)\n\tassert.NoError(t, err)\n\terr = uploadFileWithRawClient(testFilePath, testFileName, user.Username, defaultPassword,\n\t\ttrue, testFileSize, client)\n\tassert.NoError(t, err)\n\terr = uploadFileWithRawClient(testFilePath, path.Join(\"/\", subDir, testFileName), user.Username,\n\t\tdefaultPassword, true, testFileSize, client)\n\tassert.NoError(t, err)\n\tuser.Permissions[\"/subdir\"] = []string{dataprovider.PermUpload, dataprovider.PermDownload}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\t_, err = client.Stat(testFileName)\n\tassert.NoError(t, err)\n\t_, err = client.Stat(path.Join(\"/\", subDir, testFileName))\n\tassert.Error(t, err)\n\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestUploadOverwriteVfolder(t *testing.T) {\n\tu := getTestUser()\n\tu.QuotaFiles = 1000\n\tvdir := \"/vdir\"\n\tmappedPath := filepath.Join(os.TempDir(), \"mappedDir\")\n\tfolderName := filepath.Base(mappedPath)\n\tf := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: mappedPath,\n\t}\n\t_, _, err := httpdtest.AddFolder(f, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: vdir,\n\t\tQuotaSize: -1,\n\t\tQuotaFiles: -1,\n\t})\n\terr = os.MkdirAll(mappedPath, os.ModePerm)\n\tassert.NoError(t, err)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient := getWebDavClient(user, false, nil)\n\tfiles, err := client.ReadDir(\".\")\n\tassert.NoError(t, err)\n\tvdirFound := false\n\tfor _, info := range files {\n\t\tif info.Name() == path.Base(vdir) {\n\t\t\tvdirFound = true\n\t\t\tbreak\n\t\t}\n\t}\n\tassert.True(t, vdirFound)\n\tinfo, err := client.Stat(vdir)\n\tif assert.NoError(t, err) {\n\t\tassert.Equal(t, path.Base(vdir), info.Name())\n\t}\n\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(65535)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\terr = uploadFileWithRawClient(testFilePath, path.Join(vdir, testFileName), user.Username,\n\t\tdefaultPassword, true, testFileSize, client)\n\tassert.NoError(t, err)\n\tfolder, _, err := httpdtest.GetFolderByName(folderName, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(0), folder.UsedQuotaSize)\n\tassert.Equal(t, 0, folder.UsedQuotaFiles)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, testFileSize, user.UsedQuotaSize)\n\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\n\terr = uploadFileWithRawClient(testFilePath, path.Join(vdir, testFileName), user.Username,\n\t\tdefaultPassword, true, testFileSize, client)\n\tassert.NoError(t, err)\n\tfolder, _, err = httpdtest.GetFolderByName(folderName, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, int64(0), folder.UsedQuotaSize)\n\tassert.Equal(t, 0, folder.UsedQuotaFiles)\n\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, testFileSize, user.UsedQuotaSize)\n\tassert.Equal(t, 1, user.UsedQuotaFiles)\n\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestOsErrors(t *testing.T) {\n\tu := getTestUser()\n\tvdir := \"/vdir\"\n\tmappedPath := filepath.Join(os.TempDir(), \"mappedDir\")\n\tfolderName := filepath.Base(mappedPath)\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: vdir,\n\t\tQuotaSize: -1,\n\t\tQuotaFiles: -1,\n\t})\n\tf := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: mappedPath,\n\t}\n\t_, _, err := httpdtest.AddFolder(f, http.StatusCreated)\n\tassert.NoError(t, err)\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tclient := getWebDavClient(user, false, nil)\n\tfiles, err := client.ReadDir(\".\")\n\tassert.NoError(t, err)\n\tassert.Len(t, files, 1)\n\tinfo, err := client.Stat(vdir)\n\tassert.NoError(t, err)\n\tassert.True(t, info.IsDir())\n\t// now remove the folder mapped to vdir. It still appear in directory listing\n\t// virtual folders are automatically added\n\terr = os.RemoveAll(mappedPath)\n\tassert.NoError(t, err)\n\tfiles, err = client.ReadDir(\".\")\n\tassert.NoError(t, err)\n\tassert.Len(t, files, 1)\n\terr = createTestFile(filepath.Join(user.GetHomeDir(), testFileName), 32768)\n\tassert.NoError(t, err)\n\tfiles, err = client.ReadDir(\".\")\n\tassert.NoError(t, err)\n\tif assert.Len(t, files, 2) {\n\t\tvar names []string\n\t\tfor _, info := range files {\n\t\t\tnames = append(names, info.Name())\n\t\t}\n\t\tassert.Contains(t, names, testFileName)\n\t\tassert.Contains(t, names, \"vdir\")\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestMiscCommands(t *testing.T) {\n\tu := getTestUser()\n\tu.QuotaFiles = 100\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser()\n\tu.QuotaFiles = 100\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tfor _, user := range []dataprovider.User{localUser, sftpUser} {\n\t\tdir := \"testDir\"\n\t\tclient := getWebDavClient(user, true, nil)\n\t\terr = client.MkdirAll(path.Join(dir, \"sub1\", \"sub2\"), os.ModePerm)\n\t\tassert.NoError(t, err)\n\t\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\t\ttestFileSize := int64(65535)\n\t\terr = createTestFile(testFilePath, testFileSize)\n\t\tassert.NoError(t, err)\n\t\terr = uploadFileWithRawClient(testFilePath, path.Join(dir, testFileName), user.Username,\n\t\t\tdefaultPassword, true, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = uploadFileWithRawClient(testFilePath, path.Join(dir, \"sub1\", testFileName), user.Username,\n\t\t\tdefaultPassword, true, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = uploadFileWithRawClient(testFilePath, path.Join(dir, \"sub1\", \"sub2\", testFileName), user.Username,\n\t\t\tdefaultPassword, true, testFileSize, client)\n\t\tassert.NoError(t, err)\n\t\terr = client.Copy(dir, dir+\"_copy\", false)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 6, user.UsedQuotaFiles)\n\t\tassert.Equal(t, 6*testFileSize, user.UsedQuotaSize)\n\t\terr = client.Copy(dir, dir+\"_copy1\", false) //nolint:goconst\n\t\tassert.NoError(t, err)\n\t\terr = client.Copy(dir+\"_copy\", dir+\"_copy1\", false)\n\t\tassert.Error(t, err)\n\t\terr = client.Copy(dir+\"_copy\", dir+\"_copy1\", true)\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 9, user.UsedQuotaFiles)\n\t\tassert.Equal(t, 9*testFileSize, user.UsedQuotaSize)\n\t\terr = client.Rename(dir+\"_copy1\", dir+\"_copy2\", false)\n\t\tassert.NoError(t, err)\n\t\terr = client.Remove(path.Join(dir+\"_copy\", testFileName))\n\t\tassert.NoError(t, err)\n\t\terr = client.Rename(dir+\"_copy2\", dir+\"_copy\", true)\n\t\tassert.NoError(t, err)\n\t\terr = client.Copy(dir+\"_copy\", dir+\"_copy1\", false)\n\t\tassert.NoError(t, err)\n\t\terr = client.RemoveAll(dir + \"_copy1\")\n\t\tassert.NoError(t, err)\n\t\tuser, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, 6, user.UsedQuotaFiles)\n\t\tassert.Equal(t, 6*testFileSize, user.UsedQuotaSize)\n\n\t\terr = os.Remove(testFilePath)\n\t\tassert.NoError(t, err)\n\t\tif user.Username == defaultUsername {\n\t\t\terr = os.RemoveAll(user.GetHomeDir())\n\t\t\tassert.NoError(t, err)\n\t\t\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\t\t\tassert.NoError(t, err)\n\t\t\tuser.Password = defaultPassword\n\t\t\tuser.ID = 0\n\t\t\tuser.CreatedAt = 0\n\t\t\tuser.QuotaFiles = 0\n\t\t\t_, resp, err := httpdtest.AddUser(user, http.StatusCreated)\n\t\t\tassert.NoError(t, err, string(resp))\n\t\t}\n\t}\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestClientCertificateAuthRevokedCert(t *testing.T) {\n\tu := getTestUser()\n\tu.Username = tlsClient2Username\n\tu.Filters.TLSUsername = sdk.TLSUsernameCN\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttlsConfig := &tls.Config{\n\t\tServerName: \"localhost\",\n\t\tInsecureSkipVerify: true, // use this for tests only\n\t\tMinVersion: tls.VersionTLS12,\n\t}\n\ttlsCert, err := tls.X509KeyPair([]byte(client2Crt), []byte(client2Key))\n\tassert.NoError(t, err)\n\ttlsConfig.Certificates = append(tlsConfig.Certificates, tlsCert)\n\tclient := getWebDavClient(user, true, tlsConfig)\n\terr = checkBasicFunc(client)\n\tif assert.Error(t, err) {\n\t\tif !strings.Contains(err.Error(), \"bad certificate\") && !strings.Contains(err.Error(), \"broken pipe\") {\n\t\t\tt.Errorf(\"unexpected error: %v\", err)\n\t\t}\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestClientCertificateAuth(t *testing.T) {\n\tu := getTestUser()\n\tu.Username = tlsClient1Username\n\tu.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodPassword, dataprovider.LoginMethodTLSCertificateAndPwd}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttlsConfig := &tls.Config{\n\t\tServerName: \"localhost\",\n\t\tInsecureSkipVerify: true, // use this for tests only\n\t\tMinVersion: tls.VersionTLS12,\n\t}\n\ttlsCert, err := tls.X509KeyPair([]byte(client1Crt), []byte(client1Key))\n\tassert.NoError(t, err)\n\ttlsConfig.Certificates = append(tlsConfig.Certificates, tlsCert)\n\t// TLS username is not enabled, mutual TLS should fail\n\tresp, err := getTLSHTTPClient(tlsConfig).Get(fmt.Sprintf(\"https://%v/\", webDavTLSServerAddr))\n\tif assert.NoError(t, err) {\n\t\tdefer resp.Body.Close()\n\t\tbody, err := io.ReadAll(resp.Body)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, http.StatusUnauthorized, resp.StatusCode, string(body))\n\t}\n\n\tuser.Filters.TLSUsername = sdk.TLSUsernameCN\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tclient := getWebDavClient(user, true, tlsConfig)\n\terr = checkBasicFunc(client)\n\tassert.NoError(t, err)\n\tuser.Filters.TLSUsername = sdk.TLSUsernameNone\n\tuser.Filters.TLSCerts = []string{client1Crt}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tclient = getWebDavClient(user, true, tlsConfig)\n\terr = checkBasicFunc(client)\n\tassert.NoError(t, err)\n\n\tuser.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodPassword, dataprovider.LoginMethodTLSCertificate}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tclient = getWebDavClient(user, true, tlsConfig)\n\terr = checkBasicFunc(client)\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestWrongClientCertificate(t *testing.T) {\n\tu := getTestUser()\n\tu.Username = tlsClient2Username\n\tu.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodTLSCertificateAndPwd}\n\tu.Filters.TLSUsername = sdk.TLSUsernameCN\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttlsConfig := &tls.Config{\n\t\tServerName: \"localhost\",\n\t\tInsecureSkipVerify: true, // use this for tests only\n\t\tMinVersion: tls.VersionTLS12,\n\t}\n\ttlsCert, err := tls.X509KeyPair([]byte(client1Crt), []byte(client1Key))\n\tassert.NoError(t, err)\n\ttlsConfig.Certificates = append(tlsConfig.Certificates, tlsCert)\n\n\t// the certificate common name is client1 and it does not exists\n\tresp, err := getTLSHTTPClient(tlsConfig).Get(fmt.Sprintf(\"https://%v/\", webDavTLSServerAddr))\n\tif assert.NoError(t, err) {\n\t\tdefer resp.Body.Close()\n\t\tbody, err := io.ReadAll(resp.Body)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, http.StatusUnauthorized, resp.StatusCode, string(body))\n\t}\n\n\tuser.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodPassword, dataprovider.LoginMethodTLSCertificate}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\t// now create client1\n\tu = getTestUser()\n\tu.Username = tlsClient1Username\n\tu.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodPassword, dataprovider.LoginMethodTLSCertificate}\n\tu.Filters.TLSUsername = sdk.TLSUsernameCN\n\tuser1, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tresp, err = getTLSHTTPClient(tlsConfig).Get(fmt.Sprintf(\"https://%v:%v@%v/\", tlsClient2Username, defaultPassword,\n\t\twebDavTLSServerAddr))\n\tif assert.NoError(t, err) {\n\t\tdefer resp.Body.Close()\n\t\tbody, err := io.ReadAll(resp.Body)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, http.StatusUnauthorized, resp.StatusCode, string(body))\n\t\tassert.Contains(t, string(body), \"invalid credentials\")\n\t}\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user1, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user1.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestClientCertificateAuthCachedUser(t *testing.T) {\n\tu := getTestUser()\n\tu.Username = tlsClient1Username\n\tu.Filters.TLSUsername = sdk.TLSUsernameCN\n\tu.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodTLSCertificateAndPwd}\n\tuser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\ttlsConfig := &tls.Config{\n\t\tServerName: \"localhost\",\n\t\tInsecureSkipVerify: true, // use this for tests only\n\t\tMinVersion: tls.VersionTLS12,\n\t}\n\ttlsCert, err := tls.X509KeyPair([]byte(client1Crt), []byte(client1Key))\n\tassert.NoError(t, err)\n\ttlsConfig.Certificates = append(tlsConfig.Certificates, tlsCert)\n\tclient := getWebDavClient(user, true, tlsConfig)\n\terr = checkBasicFunc(client)\n\tassert.NoError(t, err)\n\t// the user is now cached without a password, try a simple password login with and without TLS\n\tclient = getWebDavClient(user, true, nil)\n\terr = checkBasicFunc(client)\n\tassert.NoError(t, err)\n\n\tclient = getWebDavClient(user, false, nil)\n\terr = checkBasicFunc(client)\n\tassert.NoError(t, err)\n\n\t// and now with a wrong password\n\tuser.Password = \"wrong\"\n\tclient = getWebDavClient(user, false, nil)\n\terr = checkBasicFunc(client)\n\tassert.Error(t, err)\n\n\t// allow cert+password only\n\tuser.Password = \"\"\n\tuser.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodTLSCertificate}\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\n\tclient = getWebDavClient(user, true, tlsConfig)\n\terr = checkBasicFunc(client)\n\tassert.NoError(t, err)\n\t// the user is now cached\n\tclient = getWebDavClient(user, true, tlsConfig)\n\terr = checkBasicFunc(client)\n\tassert.NoError(t, err)\n\t// password auth should work too\n\tclient = getWebDavClient(user, false, nil)\n\terr = checkBasicFunc(client)\n\tassert.NoError(t, err)\n\n\tclient = getWebDavClient(user, true, nil)\n\terr = checkBasicFunc(client)\n\tassert.NoError(t, err)\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n}\n\nfunc TestExternatAuthWithClientCert(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tu := getTestUser()\n\tu.Username = tlsClient1Username\n\tu.Filters.TLSUsername = sdk.TLSUsernameCN\n\tu.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodTLSCertificate, dataprovider.LoginMethodPassword}\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = os.WriteFile(extAuthPath, getExtAuthScriptContent(u, \"\"), os.ModePerm)\n\tassert.NoError(t, err)\n\tproviderConf.ExternalAuthHook = extAuthPath\n\tproviderConf.ExternalAuthScope = 0\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\n\ttlsConfig := &tls.Config{\n\t\tServerName: \"localhost\",\n\t\tInsecureSkipVerify: true, // use this for tests only\n\t\tMinVersion: tls.VersionTLS12,\n\t}\n\ttlsCert, err := tls.X509KeyPair([]byte(client1Crt), []byte(client1Key))\n\tassert.NoError(t, err)\n\ttlsConfig.Certificates = append(tlsConfig.Certificates, tlsCert)\n\tclient := getWebDavClient(u, true, tlsConfig)\n\tassert.NoError(t, checkBasicFunc(client))\n\n\tresp, err := getTLSHTTPClient(tlsConfig).Get(fmt.Sprintf(\"https://%v:%v@%v/\", tlsClient2Username, defaultPassword,\n\t\twebDavTLSServerAddr))\n\tif assert.NoError(t, err) {\n\t\tdefer resp.Body.Close()\n\t\tbody, err := io.ReadAll(resp.Body)\n\t\tassert.NoError(t, err)\n\t\tassert.Equal(t, http.StatusUnauthorized, resp.StatusCode, string(body))\n\t\tassert.Contains(t, string(body), \"invalid credentials\")\n\t}\n\n\tuser, _, err := httpdtest.GetUserByUsername(tlsClient1Username, http.StatusOK)\n\tassert.NoError(t, err)\n\tassert.Equal(t, tlsClient1Username, user.Username)\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = os.Remove(extAuthPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestPreLoginHookWithClientCert(t *testing.T) {\n\tif runtime.GOOS == osWindows {\n\t\tt.Skip(\"this test is not available on Windows\")\n\t}\n\tu := getTestUser()\n\tu.Username = tlsClient1Username\n\tu.Filters.TLSUsername = sdk.TLSUsernameCN\n\tu.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodTLSCertificate, dataprovider.LoginMethodPassword}\n\terr := dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf := config.GetProviderConf()\n\terr = os.WriteFile(preLoginPath, getPreLoginScriptContent(u, false), os.ModePerm)\n\tassert.NoError(t, err)\n\tproviderConf.PreLoginHook = preLoginPath\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\t_, _, err = httpdtest.GetUserByUsername(tlsClient1Username, http.StatusNotFound)\n\tassert.NoError(t, err)\n\ttlsConfig := &tls.Config{\n\t\tServerName: \"localhost\",\n\t\tInsecureSkipVerify: true, // use this for tests only\n\t\tMinVersion: tls.VersionTLS12,\n\t}\n\ttlsCert, err := tls.X509KeyPair([]byte(client1Crt), []byte(client1Key))\n\tassert.NoError(t, err)\n\ttlsConfig.Certificates = append(tlsConfig.Certificates, tlsCert)\n\tclient := getWebDavClient(u, true, tlsConfig)\n\tassert.NoError(t, checkBasicFunc(client))\n\n\tuser, _, err := httpdtest.GetUserByUsername(tlsClient1Username, http.StatusOK)\n\tassert.NoError(t, err)\n\t// test login with an existing user\n\tclient = getWebDavClient(user, true, tlsConfig)\n\tassert.NoError(t, checkBasicFunc(client))\n\terr = os.WriteFile(preLoginPath, getPreLoginScriptContent(user, true), os.ModePerm)\n\tassert.NoError(t, err)\n\t// update the user to remove it from the cache\n\tuser.Password = defaultPassword\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tclient = getWebDavClient(user, true, tlsConfig)\n\tassert.Error(t, checkBasicFunc(client))\n\t// update the user to remove it from the cache\n\tuser.Password = defaultPassword\n\tuser, _, err = httpdtest.UpdateUser(user, http.StatusOK, \"\")\n\tassert.NoError(t, err)\n\tuser.Status = 0\n\terr = os.WriteFile(preLoginPath, getPreLoginScriptContent(user, false), os.ModePerm)\n\tassert.NoError(t, err)\n\tclient = getWebDavClient(user, true, tlsConfig)\n\tassert.Error(t, checkBasicFunc(client))\n\n\t_, err = httpdtest.RemoveUser(user, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user.GetHomeDir())\n\tassert.NoError(t, err)\n\terr = dataprovider.Close()\n\tassert.NoError(t, err)\n\terr = config.LoadConfig(configDir, \"\")\n\tassert.NoError(t, err)\n\tproviderConf = config.GetProviderConf()\n\terr = dataprovider.Initialize(providerConf, configDir, true)\n\tassert.NoError(t, err)\n\terr = os.Remove(preLoginPath)\n\tassert.NoError(t, err)\n}\n\nfunc TestSFTPLoopVirtualFolders(t *testing.T) {\n\tuser1 := getTestUser()\n\tuser2 := getTestUser()\n\tuser1.Username += \"1\"\n\tuser2.Username += \"2\"\n\t// user1 is a local account with a virtual SFTP folder to user2\n\t// user2 has user1 as SFTP fs\n\tfolderName := \"sftp\"\n\tuser1.VirtualFolders = append(user1.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: \"/vdir\",\n\t})\n\tuser2.FsConfig.Provider = sdk.SFTPFilesystemProvider\n\tuser2.FsConfig.SFTPConfig = vfs.SFTPFsConfig{\n\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\tEndpoint: sftpServerAddr,\n\t\t\tUsername: user1.Username,\n\t\t},\n\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t}\n\tf := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.SFTPFilesystemProvider,\n\t\t\tSFTPConfig: vfs.SFTPFsConfig{\n\t\t\t\tBaseSFTPFsConfig: sdk.BaseSFTPFsConfig{\n\t\t\t\t\tEndpoint: sftpServerAddr,\n\t\t\t\t\tUsername: user2.Username,\n\t\t\t\t},\n\t\t\t\tPassword: kms.NewPlainSecret(defaultPassword),\n\t\t\t},\n\t\t},\n\t}\n\t_, _, err := httpdtest.AddFolder(f, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tuser1, resp, err := httpdtest.AddUser(user1, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\tuser2, resp, err = httpdtest.AddUser(user2, http.StatusCreated)\n\tassert.NoError(t, err, string(resp))\n\n\tclient := getWebDavClient(user1, true, nil)\n\n\ttestDir := \"tdir\"\n\terr = client.Mkdir(testDir, os.ModePerm)\n\tassert.NoError(t, err)\n\n\tcontents, err := client.ReadDir(\"/\")\n\tassert.NoError(t, err)\n\tif assert.Len(t, contents, 2) {\n\t\texpected := 0\n\t\tfor _, info := range contents {\n\t\t\tswitch info.Name() {\n\t\t\tcase testDir, \"vdir\":\n\t\t\t\tassert.True(t, info.IsDir())\n\t\t\t\texpected++\n\t\t\tdefault:\n\t\t\t\tt.Errorf(\"unexpected file/dir %q\", info.Name())\n\t\t\t}\n\t\t}\n\t\tassert.Equal(t, expected, 2)\n\t}\n\n\t_, err = httpdtest.RemoveUser(user1, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user1.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(user2, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(user2.GetHomeDir())\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName}, http.StatusOK)\n\tassert.NoError(t, err)\n}\n\nfunc TestNestedVirtualFolders(t *testing.T) {\n\tu := getTestUser()\n\tlocalUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\tu = getTestSFTPUser()\n\tmappedPathCrypt := filepath.Join(os.TempDir(), \"crypt\")\n\tfolderNameCrypt := filepath.Base(mappedPathCrypt)\n\tvdirCryptPath := \"/vdir/crypt\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderNameCrypt,\n\t\t},\n\t\tVirtualPath: vdirCryptPath,\n\t})\n\tmappedPath := filepath.Join(os.TempDir(), \"local\")\n\tfolderName := filepath.Base(mappedPath)\n\tvdirPath := \"/vdir/local\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderName,\n\t\t},\n\t\tVirtualPath: vdirPath,\n\t})\n\tmappedPathNested := filepath.Join(os.TempDir(), \"nested\")\n\tfolderNameNested := filepath.Base(mappedPathNested)\n\tvdirNestedPath := \"/vdir/crypt/nested\"\n\tu.VirtualFolders = append(u.VirtualFolders, vfs.VirtualFolder{\n\t\tBaseVirtualFolder: vfs.BaseVirtualFolder{\n\t\t\tName: folderNameNested,\n\t\t},\n\t\tVirtualPath: vdirNestedPath,\n\t\tQuotaFiles: -1,\n\t\tQuotaSize: -1,\n\t})\n\tf1 := vfs.BaseVirtualFolder{\n\t\tName: folderNameCrypt,\n\t\tFsConfig: vfs.Filesystem{\n\t\t\tProvider: sdk.CryptedFilesystemProvider,\n\t\t\tCryptConfig: vfs.CryptFsConfig{\n\t\t\t\tPassphrase: kms.NewPlainSecret(defaultPassword),\n\t\t\t},\n\t\t},\n\t\tMappedPath: mappedPathCrypt,\n\t}\n\t_, _, err = httpdtest.AddFolder(f1, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf2 := vfs.BaseVirtualFolder{\n\t\tName: folderName,\n\t\tMappedPath: mappedPath,\n\t}\n\t_, _, err = httpdtest.AddFolder(f2, http.StatusCreated)\n\tassert.NoError(t, err)\n\tf3 := vfs.BaseVirtualFolder{\n\t\tName: folderNameNested,\n\t\tMappedPath: mappedPathNested,\n\t}\n\t_, _, err = httpdtest.AddFolder(f3, http.StatusCreated)\n\tassert.NoError(t, err)\n\tsftpUser, _, err := httpdtest.AddUser(u, http.StatusCreated)\n\tassert.NoError(t, err)\n\n\tclient := getWebDavClient(sftpUser, true, nil)\n\tassert.NoError(t, checkBasicFunc(client))\n\ttestFilePath := filepath.Join(homeBasePath, testFileName)\n\ttestFileSize := int64(65535)\n\tlocalDownloadPath := filepath.Join(homeBasePath, testDLFileName)\n\terr = createTestFile(testFilePath, testFileSize)\n\tassert.NoError(t, err)\n\n\terr = uploadFileWithRawClient(testFilePath, testFileName, sftpUser.Username,\n\t\tdefaultPassword, true, testFileSize, client)\n\tassert.NoError(t, err)\n\terr = downloadFile(testFileName, localDownloadPath, testFileSize, client)\n\tassert.NoError(t, err)\n\terr = uploadFileWithRawClient(testFilePath, path.Join(\"/vdir\", testFileName), sftpUser.Username,\n\t\tdefaultPassword, true, testFileSize, client)\n\tassert.NoError(t, err)\n\terr = downloadFile(path.Join(\"/vdir\", testFileName), localDownloadPath, testFileSize, client)\n\tassert.NoError(t, err)\n\terr = uploadFileWithRawClient(testFilePath, path.Join(vdirPath, testFileName), sftpUser.Username,\n\t\tdefaultPassword, true, testFileSize, client)\n\tassert.NoError(t, err)\n\terr = downloadFile(path.Join(vdirPath, testFileName), localDownloadPath, testFileSize, client)\n\tassert.NoError(t, err)\n\terr = uploadFileWithRawClient(testFilePath, path.Join(vdirCryptPath, testFileName), sftpUser.Username,\n\t\tdefaultPassword, true, testFileSize, client)\n\tassert.NoError(t, err)\n\terr = downloadFile(path.Join(vdirCryptPath, testFileName), localDownloadPath, testFileSize, client)\n\tassert.NoError(t, err)\n\terr = uploadFileWithRawClient(testFilePath, path.Join(vdirNestedPath, testFileName), sftpUser.Username,\n\t\tdefaultPassword, true, testFileSize, client)\n\tassert.NoError(t, err)\n\terr = downloadFile(path.Join(vdirNestedPath, testFileName), localDownloadPath, testFileSize, client)\n\tassert.NoError(t, err)\n\n\terr = os.Remove(testFilePath)\n\tassert.NoError(t, err)\n\terr = os.Remove(localDownloadPath)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(sftpUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveUser(localUser, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderNameCrypt}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderName}, http.StatusOK)\n\tassert.NoError(t, err)\n\t_, err = httpdtest.RemoveFolder(vfs.BaseVirtualFolder{Name: folderNameNested}, http.StatusOK)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPathCrypt)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPath)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(mappedPathNested)\n\tassert.NoError(t, err)\n\terr = os.RemoveAll(localUser.GetHomeDir())\n\tassert.NoError(t, err)\n\tassert.Eventually(t, func() bool { return len(common.Connections.GetStats(\"\")) == 0 },\n\t\t1*time.Second, 100*time.Millisecond)\n\tassert.Equal(t, int32(0), common.Connections.GetTotalTransfers())\n}\n\nfunc checkBasicFunc(client *gowebdav.Client) error {\n\terr := client.Connect()\n\tif err != nil {\n\t\treturn err\n\t}\n\t_, err = client.ReadDir(\"/\")\n\treturn err\n}\n\nfunc checkFileSize(remoteDestPath string, expectedSize int64, client *gowebdav.Client) error {\n\tinfo, err := client.Stat(remoteDestPath)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif info.Size() != expectedSize {\n\t\treturn fmt.Errorf(\"uploaded file size does not match, actual: %v, expected: %v\", info.Size(), expectedSize)\n\t}\n\treturn nil\n}\n\nfunc uploadFileWithRawClient(localSourcePath string, remoteDestPath string, username, password string,\n\tuseTLS bool, expectedSize int64, client *gowebdav.Client, headers ...dataprovider.KeyValue,\n) error {\n\tsrcFile, err := os.Open(localSourcePath)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer srcFile.Close()\n\n\tvar tlsConfig *tls.Config\n\trootPath := fmt.Sprintf(\"http://%v/\", webDavServerAddr)\n\tif useTLS {\n\t\trootPath = fmt.Sprintf(\"https://%v/\", webDavTLSServerAddr)\n\t\ttlsConfig = &tls.Config{\n\t\t\tServerName: \"localhost\",\n\t\t\tInsecureSkipVerify: true, // use this for tests only\n\t\t\tMinVersion: tls.VersionTLS12,\n\t\t}\n\t}\n\treq, err := http.NewRequest(http.MethodPut, fmt.Sprintf(\"%v%v\", rootPath, remoteDestPath), srcFile)\n\tif err != nil {\n\t\treturn err\n\t}\n\treq.SetBasicAuth(username, password)\n\tfor _, kv := range headers {\n\t\treq.Header.Set(kv.Key, kv.Value)\n\t}\n\thttpClient := &http.Client{Timeout: 10 * time.Second}\n\tif tlsConfig != nil {\n\t\tcustomTransport := http.DefaultTransport.(*http.Transport).Clone()\n\t\tcustomTransport.TLSClientConfig = tlsConfig\n\t\thttpClient.Transport = customTransport\n\t}\n\tdefer httpClient.CloseIdleConnections()\n\tresp, err := httpClient.Do(req)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer resp.Body.Close()\n\tif resp.StatusCode != http.StatusCreated {\n\t\treturn fmt.Errorf(\"unexpected status code: %v\", resp.StatusCode)\n\t}\n\tif expectedSize > 0 {\n\t\treturn checkFileSize(remoteDestPath, expectedSize, client)\n\t}\n\treturn nil\n}\n\n// This method is buggy. I have to find time to better investigate and eventually report the issue upstream.\n// For now we upload using the uploadFileWithRawClient method\n/*func uploadFile(localSourcePath string, remoteDestPath string, expectedSize int64, client *gowebdav.Client) error {\n\tsrcFile, err := os.Open(localSourcePath)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer srcFile.Close()\n\terr = client.WriteStream(remoteDestPath, srcFile, os.ModePerm)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif expectedSize > 0 {\n\t\treturn checkFileSize(remoteDestPath, expectedSize, client)\n\t}\n\treturn nil\n}*/\n\nfunc downloadFile(remoteSourcePath string, localDestPath string, expectedSize int64, client *gowebdav.Client) error {\n\tdownloadDest, err := os.Create(localDestPath)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer downloadDest.Close()\n\n\treader, err := client.ReadStream(remoteSourcePath)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer reader.Close()\n\twritten, err := io.Copy(downloadDest, reader)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif written != expectedSize {\n\t\treturn fmt.Errorf(\"downloaded file size does not match, actual: %v, expected: %v\", written, expectedSize)\n\t}\n\treturn nil\n}\n\nfunc getTLSHTTPClient(tlsConfig *tls.Config) *http.Client {\n\tcustomTransport := http.DefaultTransport.(*http.Transport).Clone()\n\tcustomTransport.TLSClientConfig = tlsConfig\n\n\treturn &http.Client{\n\t\tTimeout: 5 * time.Second,\n\t\tTransport: customTransport,\n\t}\n}\n\nfunc getWebDavClient(user dataprovider.User, useTLS bool, tlsConfig *tls.Config) *gowebdav.Client {\n\trootPath := fmt.Sprintf(\"http://%v/\", webDavServerAddr)\n\tif useTLS {\n\t\trootPath = fmt.Sprintf(\"https://%v/\", webDavTLSServerAddr)\n\t\tif tlsConfig == nil {\n\t\t\ttlsConfig = &tls.Config{\n\t\t\t\tServerName: \"localhost\",\n\t\t\t\tInsecureSkipVerify: true, // use this for tests only\n\t\t\t\tMinVersion: tls.VersionTLS12,\n\t\t\t}\n\t\t}\n\t}\n\tpwd := defaultPassword\n\tif user.Password != \"\" {\n\t\tif user.Password == emptyPwdPlaceholder {\n\t\t\tpwd = \"\"\n\t\t} else {\n\t\t\tpwd = user.Password\n\t\t}\n\t}\n\tclient := gowebdav.NewClient(rootPath, user.Username, pwd)\n\tclient.SetTimeout(10 * time.Second)\n\tif tlsConfig != nil {\n\t\tcustomTransport := http.DefaultTransport.(*http.Transport).Clone()\n\t\tcustomTransport.TLSClientConfig = tlsConfig\n\t\tclient.SetTransport(customTransport)\n\t}\n\treturn client\n}\n\nfunc waitTCPListening(address string) {\n\tfor {\n\t\tconn, err := net.Dial(\"tcp\", address)\n\t\tif err != nil {\n\t\t\tlogger.WarnToConsole(\"tcp server %v not listening: %v\", address, err)\n\t\t\ttime.Sleep(100 * time.Millisecond)\n\t\t\tcontinue\n\t\t}\n\t\tlogger.InfoToConsole(\"tcp server %v now listening\", address)\n\t\tconn.Close()\n\t\tbreak\n\t}\n}\n\nfunc getTestUser() dataprovider.User {\n\tuser := dataprovider.User{\n\t\tBaseUser: sdk.BaseUser{\n\t\t\tUsername: defaultUsername,\n\t\t\tPassword: defaultPassword,\n\t\t\tHomeDir: filepath.Join(homeBasePath, defaultUsername),\n\t\t\tStatus: 1,\n\t\t\tExpirationDate: 0,\n\t\t},\n\t}\n\tuser.Permissions = make(map[string][]string)\n\tuser.Permissions[\"/\"] = allPerms\n\treturn user\n}\n\nfunc getTestSFTPUser() dataprovider.User {\n\tu := getTestUser()\n\tu.Username = u.Username + \"_sftp\"\n\tu.FsConfig.Provider = sdk.SFTPFilesystemProvider\n\tu.FsConfig.SFTPConfig.Endpoint = sftpServerAddr\n\tu.FsConfig.SFTPConfig.Username = defaultUsername\n\tu.FsConfig.SFTPConfig.Password = kms.NewPlainSecret(defaultPassword)\n\treturn u\n}\n\nfunc getTestUserWithCryptFs() dataprovider.User {\n\tuser := getTestUser()\n\tuser.FsConfig.Provider = sdk.CryptedFilesystemProvider\n\tuser.FsConfig.CryptConfig.Passphrase = kms.NewPlainSecret(\"testPassphrase\")\n\treturn user\n}\n\nfunc getSftpClient(user dataprovider.User) (*ssh.Client, *sftp.Client, error) {\n\tvar sftpClient *sftp.Client\n\tconfig := &ssh.ClientConfig{\n\t\tUser: user.Username,\n\t\tHostKeyCallback: ssh.InsecureIgnoreHostKey(),\n\t\tTimeout: 5 * time.Second,\n\t}\n\tif user.Password != \"\" {\n\t\tconfig.Auth = []ssh.AuthMethod{ssh.Password(user.Password)}\n\t} else {\n\t\tconfig.Auth = []ssh.AuthMethod{ssh.Password(defaultPassword)}\n\t}\n\n\tconn, err := ssh.Dial(\"tcp\", sftpServerAddr, config)\n\tif err != nil {\n\t\treturn conn, sftpClient, err\n\t}\n\tsftpClient, err = sftp.NewClient(conn)\n\tif err != nil {\n\t\tconn.Close()\n\t}\n\treturn conn, sftpClient, err\n}\n\nfunc getEncryptedFileSize(size int64) (int64, error) {\n\tencSize, err := sio.EncryptedSize(uint64(size))\n\treturn int64(encSize) + 33, err\n}\n\nfunc getExtAuthScriptContent(user dataprovider.User, password string) []byte {\n\textAuthContent := []byte(\"#!/bin/sh\\n\\n\")\n\tif password != \"\" {\n\t\textAuthContent = append(extAuthContent, []byte(fmt.Sprintf(\"if test \\\"$SFTPGO_AUTHD_USERNAME\\\" = \\\"%s\\\" -a \\\"$SFTPGO_AUTHD_PASSWORD\\\" = \\\"%s\\\"; then\\n\", user.Username, password))...)\n\t} else {\n\t\textAuthContent = append(extAuthContent, []byte(fmt.Sprintf(\"if test \\\"$SFTPGO_AUTHD_USERNAME\\\" = \\\"%s\\\"; then\\n\", user.Username))...)\n\t}\n\tu, _ := json.Marshal(user)\n\textAuthContent = append(extAuthContent, []byte(fmt.Sprintf(\"echo '%s'\\n\", string(u)))...)\n\textAuthContent = append(extAuthContent, []byte(\"else\\n\")...)\n\textAuthContent = append(extAuthContent, []byte(\"echo '{\\\"username\\\":\\\"\\\"}'\\n\")...)\n\textAuthContent = append(extAuthContent, []byte(\"fi\\n\")...)\n\treturn extAuthContent\n}\n\nfunc getPreLoginScriptContent(user dataprovider.User, nonJSONResponse bool) []byte {\n\tcontent := []byte(\"#!/bin/sh\\n\\n\")\n\tif nonJSONResponse {\n\t\tcontent = append(content, []byte(\"echo 'text response'\\n\")...)\n\t\treturn content\n\t}\n\tif len(user.Username) > 0 {\n\t\tu, _ := json.Marshal(user)\n\t\tcontent = append(content, []byte(fmt.Sprintf(\"echo '%v'\\n\", string(u)))...)\n\t}\n\treturn content\n}\n\nfunc getExitCodeScriptContent(exitCode int) []byte {\n\tcontent := []byte(\"#!/bin/sh\\n\\n\")\n\tcontent = append(content, []byte(fmt.Sprintf(\"exit %v\", exitCode))...)\n\treturn content\n}\n\nfunc createTestFile(path string, size int64) error {\n\tbaseDir := filepath.Dir(path)\n\tif _, err := os.Stat(baseDir); errors.Is(err, fs.ErrNotExist) {\n\t\terr = os.MkdirAll(baseDir, os.ModePerm)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\tcontent := make([]byte, size)\n\t_, err := rand.Read(content)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\terr = os.WriteFile(path, content, os.ModePerm)\n\tif err != nil {\n\t\treturn err\n\t}\n\tfi, err := os.Stat(path)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif fi.Size() != size {\n\t\treturn fmt.Errorf(\"unexpected size %v, expected %v\", fi.Size(), size)\n\t}\n\treturn nil\n}\n\nfunc printLatestLogs(maxNumberOfLines int) {\n\tvar lines []string\n\tf, err := os.Open(logFilePath)\n\tif err != nil {\n\t\treturn\n\t}\n\tdefer f.Close()\n\tscanner := bufio.NewScanner(f)\n\tfor scanner.Scan() {\n\t\tlines = append(lines, scanner.Text()+\"\\r\\n\")\n\t\tfor len(lines) > maxNumberOfLines {\n\t\t\tlines = lines[1:]\n\t\t}\n\t}\n\tif scanner.Err() != nil {\n\t\tlogger.WarnToConsole(\"Unable to print latest logs: %v\", scanner.Err())\n\t\treturn\n\t}\n\tfor _, line := range lines {\n\t\tlogger.DebugToConsole(\"%s\", line)\n\t}\n}\n" }, { "path": "main.go", "content": "// Copyright (C) 2019 Nicola Murino\n//\n// This program is free software: you can redistribute it and/or modify\n// it under the terms of the GNU Affero General Public License as published\n// by the Free Software Foundation, version 3.\n//\n// This program is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n// GNU Affero General Public License for more details.\n//\n// You should have received a copy of the GNU Affero General Public License\n// along with this program. If not, see .\n\n// Fully featured and highly configurable SFTP server with optional\n// FTP/S and WebDAV support.\n// For more details about features, installation, configuration and usage\n// please refer to the README inside the source tree:\n// https://github.com/drakkan/sftpgo/blob/main/README.md\npackage main // import \"github.com/drakkan/sftpgo\"\n\nimport (\n\t\"github.com/drakkan/sftpgo/v2/internal/cmd\"\n)\n\nfunc main() {\n\tcmd.Execute()\n}\n" }, { "path": "openapi/httpfs.yaml", "content": "openapi: 3.0.3\ntags:\n - name: fs\ninfo:\n title: SFTPGo HTTPFs\n description: |\n SFTPGo can use custom storage backend implementations compliant with the API defined here.\n HTTPFs is a work in progress and makes no API stability promises.\n version: 0.1.0\n license:\n name: AGPL-3.0-only\n url: 'https://www.gnu.org/licenses/agpl-3.0.en.html'\nservers:\n- url: /v1\nsecurity:\n- ApiKeyAuth: []\n- BasicAuth: []\npaths:\n /stat/{name}:\n parameters:\n - name: name\n in: path\n description: object name\n required: true\n schema:\n type: string\n get:\n tags:\n - fs\n summary: Describes the named object\n operationId: stat\n responses:\n 200:\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/FileInfo'\n 401:\n $ref: '#/components/responses/Unauthorized'\n 403:\n $ref: '#/components/responses/Forbidden'\n 404:\n $ref: '#/components/responses/NotFound'\n 500:\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /open/{name}:\n parameters:\n - name: name\n in: path\n description: object name\n required: true\n schema:\n type: string\n - name: offset\n in: query\n description: 'offset, in bytes, from the start. If not specified 0 must be assumed'\n required: false\n schema:\n type: integer\n format: int64\n get:\n tags:\n - fs\n summary: Opens the named file for reading\n operationId: open\n responses:\n '200':\n description: successful operation\n content:\n '*/*':\n schema:\n type: string\n format: binary\n 401:\n $ref: '#/components/responses/Unauthorized'\n 403:\n $ref: '#/components/responses/Forbidden'\n 404:\n $ref: '#/components/responses/NotFound'\n 500:\n $ref: '#/components/responses/InternalServerError'\n 501:\n $ref: '#/components/responses/NotImplemented'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /create/{name}:\n parameters:\n - name: name\n in: path\n description: object name\n required: true\n schema:\n type: string\n - name: flags\n in: query\n description: 'flags to use for opening the file, if omitted O_RDWR|O_CREATE|O_TRUNC must be assumed. Supported flags: https://pkg.go.dev/os#pkg-constants'\n required: false\n schema:\n type: integer\n format: int32\n - name: checks\n in: query\n description: 'If set to `1`, the parent directory must exist before creating the file'\n required: false\n schema:\n type: integer\n format: int32\n post:\n tags:\n - fs\n summary: Creates or opens the named file for writing\n operationId: create\n requestBody:\n content:\n '*/*':\n schema:\n type: string\n format: binary\n required: true\n responses:\n 201:\n $ref: '#/components/responses/OKResponse'\n 401:\n $ref: '#/components/responses/Unauthorized'\n 403:\n $ref: '#/components/responses/Forbidden'\n 404:\n $ref: '#/components/responses/NotFound'\n 500:\n $ref: '#/components/responses/InternalServerError'\n 501:\n $ref: '#/components/responses/NotImplemented'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /rename/{name}:\n parameters:\n - name: name\n in: path\n description: object name\n required: true\n schema:\n type: string\n - name: target\n in: query\n description: target name\n required: true\n schema:\n type: string\n patch:\n tags:\n - fs\n summary: Renames (moves) source to target\n operationId: rename\n responses:\n 200:\n $ref: '#/components/responses/OKResponse'\n 401:\n $ref: '#/components/responses/Unauthorized'\n 403:\n $ref: '#/components/responses/Forbidden'\n 404:\n $ref: '#/components/responses/NotFound'\n 500:\n $ref: '#/components/responses/InternalServerError'\n 501:\n $ref: '#/components/responses/NotImplemented'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /remove/{name}:\n parameters:\n - name: name\n in: path\n description: object name\n required: true\n schema:\n type: string\n delete:\n tags:\n - fs\n summary: Removes the named file or (empty) directory.\n operationId: delete\n responses:\n 200:\n $ref: '#/components/responses/OKResponse'\n 401:\n $ref: '#/components/responses/Unauthorized'\n 403:\n $ref: '#/components/responses/Forbidden'\n 404:\n $ref: '#/components/responses/NotFound'\n 500:\n $ref: '#/components/responses/InternalServerError'\n 501:\n $ref: '#/components/responses/NotImplemented'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /mkdir/{name}:\n parameters:\n - name: name\n in: path\n description: object name\n required: true\n schema:\n type: string\n post:\n tags:\n - fs\n summary: Creates a new directory with the specified name\n operationId: mkdir\n responses:\n 200:\n $ref: '#/components/responses/OKResponse'\n 401:\n $ref: '#/components/responses/Unauthorized'\n 403:\n $ref: '#/components/responses/Forbidden'\n 404:\n $ref: '#/components/responses/NotFound'\n 500:\n $ref: '#/components/responses/InternalServerError'\n 501:\n $ref: '#/components/responses/NotImplemented'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /chmod/{name}:\n parameters:\n - name: name\n in: path\n description: object name\n required: true\n schema:\n type: string\n - name: mode\n in: query\n required: true\n schema:\n type: integer\n patch:\n tags:\n - fs\n summary: Changes the mode of the named file\n operationId: chmod\n responses:\n 200:\n $ref: '#/components/responses/OKResponse'\n 401:\n $ref: '#/components/responses/Unauthorized'\n 403:\n $ref: '#/components/responses/Forbidden'\n 404:\n $ref: '#/components/responses/NotFound'\n 500:\n $ref: '#/components/responses/InternalServerError'\n 501:\n $ref: '#/components/responses/NotImplemented'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /chtimes/{name}:\n parameters:\n - name: name\n in: path\n description: object name\n required: true\n schema:\n type: string\n - name: access_time\n in: query\n required: true\n schema:\n type: string\n format: date-time\n - name: modification_time\n in: query\n required: true\n schema:\n type: string\n format: date-time\n patch:\n tags:\n - fs\n summary: Changes the access and modification time of the named file\n operationId: chtimes\n responses:\n 200:\n $ref: '#/components/responses/OKResponse'\n 401:\n $ref: '#/components/responses/Unauthorized'\n 403:\n $ref: '#/components/responses/Forbidden'\n 404:\n $ref: '#/components/responses/NotFound'\n 500:\n $ref: '#/components/responses/InternalServerError'\n 501:\n $ref: '#/components/responses/NotImplemented'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /truncate/{name}:\n parameters:\n - name: name\n in: path\n description: object name\n required: true\n schema:\n type: string\n - name: size\n in: query\n required: true\n description: 'new file size in bytes'\n schema:\n type: integer\n format: int64\n patch:\n tags:\n - fs\n summary: Changes the size of the named file\n operationId: truncate\n responses:\n 200:\n $ref: '#/components/responses/OKResponse'\n 401:\n $ref: '#/components/responses/Unauthorized'\n 403:\n $ref: '#/components/responses/Forbidden'\n 404:\n $ref: '#/components/responses/NotFound'\n 500:\n $ref: '#/components/responses/InternalServerError'\n 501:\n $ref: '#/components/responses/NotImplemented'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /readdir/{name}:\n parameters:\n - name: name\n in: path\n description: object name\n required: true\n schema:\n type: string\n get:\n tags:\n - fs\n summary: Reads the named directory and returns the contents\n operationId: readdir\n responses:\n 200:\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/FileInfo'\n 401:\n $ref: '#/components/responses/Unauthorized'\n 403:\n $ref: '#/components/responses/Forbidden'\n 404:\n $ref: '#/components/responses/NotFound'\n 500:\n $ref: '#/components/responses/InternalServerError'\n 501:\n $ref: '#/components/responses/NotImplemented'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /dirsize/{name}:\n parameters:\n - name: name\n in: path\n description: object name\n required: true\n schema:\n type: string\n get:\n tags:\n - fs\n summary: Returns the number of files and the size for the named directory including any sub-directory\n operationId: dirsize\n responses:\n 200:\n description: successful operation\n content:\n application/json:\n schema:\n type: object\n properties:\n files:\n type: integer\n description: 'Total number of files'\n size:\n type: integer\n format: int64\n description: 'Total size of files'\n 401:\n $ref: '#/components/responses/Unauthorized'\n 403:\n $ref: '#/components/responses/Forbidden'\n 404:\n $ref: '#/components/responses/NotFound'\n 500:\n $ref: '#/components/responses/InternalServerError'\n 501:\n $ref: '#/components/responses/NotImplemented'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /mimetype/{name}:\n parameters:\n - name: name\n in: path\n description: object name\n required: true\n schema:\n type: string\n get:\n tags:\n - fs\n summary: Returns the mime type for the named file\n operationId: mimetype\n responses:\n 200:\n description: successful operation\n content:\n application/json:\n schema:\n type: object\n properties:\n mime:\n type: string\n 401:\n $ref: '#/components/responses/Unauthorized'\n 403:\n $ref: '#/components/responses/Forbidden'\n 404:\n $ref: '#/components/responses/NotFound'\n 500:\n $ref: '#/components/responses/InternalServerError'\n 501:\n $ref: '#/components/responses/NotImplemented'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /statvfs/{name}:\n parameters:\n - name: name\n in: path\n description: object name\n required: true\n schema:\n type: string\n get:\n tags:\n - fs\n summary: Returns the VFS stats for the specified path\n operationId: statvfs\n responses:\n 200:\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/StatVFS'\n 401:\n $ref: '#/components/responses/Unauthorized'\n 403:\n $ref: '#/components/responses/Forbidden'\n 404:\n $ref: '#/components/responses/NotFound'\n 500:\n $ref: '#/components/responses/InternalServerError'\n 501:\n $ref: '#/components/responses/NotImplemented'\n default:\n $ref: '#/components/responses/DefaultResponse'\ncomponents:\n responses:\n OKResponse:\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n BadRequest:\n description: Bad Request\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n Unauthorized:\n description: Unauthorized\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n Forbidden:\n description: Forbidden\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n NotFound:\n description: Not Found\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n NotImplemented:\n description: Not Implemented\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n Conflict:\n description: Conflict\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n RequestEntityTooLarge:\n description: Request Entity Too Large, max allowed size exceeded\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n InternalServerError:\n description: Internal Server Error\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n DefaultResponse:\n description: Unexpected Error\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n schemas:\n ApiResponse:\n type: object\n properties:\n message:\n type: string\n description: 'message, can be empty'\n error:\n type: string\n description: error description if any\n FileInfo:\n type: object\n properties:\n name:\n type: string\n description: base name of the file\n size:\n type: integer\n format: int64\n description: length in bytes for regular files; system-dependent for others\n mode:\n type: integer\n description: |\n File mode and permission bits. More details here: https://golang.org/pkg/io/fs/#FileMode.\n Let's see some examples:\n - for a directory mode&2147483648 != 0\n - for a symlink mode&134217728 != 0\n - for a regular file mode&2401763328 == 0\n last_modified:\n type: string\n format: date-time\n StatVFS:\n type: object\n properties:\n bsize:\n type: integer\n description: file system block size\n frsize:\n type: integer\n description: fundamental fs block size\n blocks:\n type: integer\n description: number of blocks\n bfree:\n type: integer\n description: free blocks in file system\n bavail:\n type: integer\n description: free blocks for non-root\n files:\n type: integer\n description: total file inodes\n ffree:\n type: integer\n description: free file inodes\n favail:\n type: integer\n description: free file inodes for non-root\n fsid:\n type: integer\n description: file system id\n flag:\n type: integer\n description: bit mask of f_flag values\n namemax:\n type: integer\n description: maximum filename length\n securitySchemes:\n BasicAuth:\n type: http\n scheme: basic\n ApiKeyAuth:\n type: apiKey\n in: header\n name: X-API-KEY" }, { "path": "openapi/openapi.yaml", "content": "openapi: 3.0.3\ntags:\n - name: healthcheck\n - name: token\n - name: maintenance\n - name: admins\n - name: API keys\n - name: connections\n - name: IP Lists\n - name: defender\n - name: quota\n - name: folders\n - name: groups\n - name: roles\n - name: users\n - name: data retention\n - name: events\n - name: metadata\n - name: user APIs\n - name: public shares\n - name: event manager\ninfo:\n title: SFTPGo\n description: |\n SFTPGo allows you to securely share your files over SFTP and optionally over HTTP/S, FTP/S and WebDAV as well.\n Several storage backends are supported and they are configurable per-user, so you can serve a local directory for a user and an S3 bucket (or part of it) for another one.\n SFTPGo also supports virtual folders, a virtual folder can use any of the supported storage backends. So you can have, for example, a user with the S3 backend mapping a Google Cloud Storage bucket (or part of it) on a specified path and an encrypted local filesystem on another one.\n Virtual folders can be private or shared among multiple users, for shared virtual folders you can define different quota limits for each user.\n SFTPGo supports groups to simplify the administration of multiple accounts by letting you assign settings once to a group, instead of multiple times to each individual user.\n The SFTPGo WebClient allows end users to change their credentials, browse and manage their files in the browser and setup two-factor authentication which works with Authy, Google Authenticator and other compatible apps.\n From the WebClient each authorized user can also create HTTP/S links to externally share files and folders securely, by setting limits to the number of downloads/uploads, protecting the share with a password, limiting access by source IP address, setting an automatic expiration date.\n version: v2.7.0\n contact:\n name: API support\n url: 'https://github.com/drakkan/sftpgo'\n license:\n name: AGPL-3.0-only\n url: 'https://www.gnu.org/licenses/agpl-3.0.en.html'\nservers:\n - url: /api/v2\nsecurity:\n - BearerAuth: []\n - APIKeyAuth: []\npaths:\n /healthz:\n get:\n security: []\n servers:\n - url: /\n tags:\n - healthcheck\n summary: health check\n description: This endpoint can be used to check if the application is running and responding to requests\n operationId: healthz\n responses:\n '200':\n description: successful operation\n content:\n text/plain; charset=utf-8:\n schema:\n type: string\n example: ok\n /shares/{id}:\n parameters:\n - name: id\n in: path\n description: the share id\n required: true\n schema:\n type: string\n get:\n security:\n - BasicAuth: []\n tags:\n - public shares\n summary: Download shared files and folders as a single zip file\n description: A zip file, containing the shared files and folders, will be generated on the fly and returned as response body. Only folders and regular files will be included in the zip. The share must be defined with the read scope and the associated user must have list and download permissions\n operationId: get_share\n parameters:\n - in: query\n name: compress\n schema:\n type: boolean\n default: true\n required: false\n responses:\n '200':\n description: successful operation\n content:\n '*/*':\n schema:\n type: string\n format: binary\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n post:\n security:\n - BasicAuth: []\n tags:\n - public shares\n summary: Upload one or more files to the shared path\n description: The share must be defined with the write scope and the associated user must have the upload permission\n operationId: upload_to_share\n requestBody:\n content:\n multipart/form-data:\n schema:\n type: object\n properties:\n filenames:\n type: array\n items:\n type: string\n format: binary\n minItems: 1\n uniqueItems: true\n required: true\n responses:\n '201':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '413':\n $ref: '#/components/responses/RequestEntityTooLarge'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /shares/{id}/files:\n parameters:\n - name: id\n in: path\n description: the share id\n required: true\n schema:\n type: string\n get:\n security:\n - BasicAuth: []\n tags:\n - public shares\n summary: Download a single file\n description: Returns the file contents as response body. The share must have exactly one path defined and it must be a directory for this to work\n operationId: download_share_file\n parameters:\n - in: query\n name: path\n required: true\n description: Path to the file to download. It must be URL encoded, for example the path \"my dir/àdir/file.txt\" must be sent as \"my%20dir%2F%C3%A0dir%2Ffile.txt\"\n schema:\n type: string\n - in: query\n name: inline\n required: false\n description: 'If set, the response will not have the Content-Disposition header set to `attachment`'\n schema:\n type: string\n responses:\n '200':\n description: successful operation\n content:\n '*/*':\n schema:\n type: string\n format: binary\n '206':\n description: successful operation\n content:\n '*/*':\n schema:\n type: string\n format: binary\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /shares/{id}/dirs:\n parameters:\n - name: id\n in: path\n description: the share id\n required: true\n schema:\n type: string\n get:\n security:\n - BasicAuth: []\n tags:\n - public shares\n summary: Read directory contents\n description: Returns the contents of the specified directory for the specified share. The share must have exactly one path defined and it must be a directory for this to work\n operationId: get_share_dir_contents\n parameters:\n - in: query\n name: path\n description: Path to the folder to read. It must be URL encoded, for example the path \"my dir/àdir\" must be sent as \"my%20dir%2F%C3%A0dir\". If empty or missing the user's start directory is assumed. If relative, the user's start directory is used as the base\n schema:\n type: string\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/DirEntry'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /shares/{id}/{fileName}:\n parameters:\n - name: id\n in: path\n description: the share id\n required: true\n schema:\n type: string\n - name: fileName\n in: path\n description: the name of the new file. It must be path encoded. Sub directories are not accepted\n required: true\n schema:\n type: string\n - name: X-SFTPGO-MTIME\n in: header\n schema:\n type: integer\n description: File modification time as unix timestamp in milliseconds\n post:\n security:\n - BasicAuth: []\n tags:\n - public shares\n summary: Upload a single file to the shared path\n description: The share must be defined with the write scope and the associated user must have the upload/overwrite permissions\n operationId: upload_single_to_share\n requestBody:\n content:\n application/*:\n schema:\n type: string\n format: binary\n text/*:\n schema:\n type: string\n format: binary\n image/*:\n schema:\n type: string\n format: binary\n audio/*:\n schema:\n type: string\n format: binary\n video/*:\n schema:\n type: string\n format: binary\n required: true\n responses:\n '201':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '413':\n $ref: '#/components/responses/RequestEntityTooLarge'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /token:\n get:\n security:\n - BasicAuth: []\n tags:\n - token\n summary: Get a new admin access token\n description: Returns an access token and its expiration\n operationId: get_token\n parameters:\n - in: header\n name: X-SFTPGO-OTP\n schema:\n type: string\n required: false\n description: 'If you have 2FA configured for the admin attempting to log in you need to set the authentication code using this header parameter'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/Token'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /logout:\n get:\n security:\n - BearerAuth: []\n tags:\n - token\n summary: Invalidate an admin access token\n description: Allows to invalidate an admin token before its expiration\n operationId: logout\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /user/token:\n get:\n security:\n - BasicAuth: []\n tags:\n - token\n summary: Get a new user access token\n description: Returns an access token and its expiration\n operationId: get_user_token\n parameters:\n - in: header\n name: X-SFTPGO-OTP\n schema:\n type: string\n required: false\n description: 'If you have 2FA configured, for the HTTP protocol, for the user attempting to log in you need to set the authentication code using this header parameter'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/Token'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /user/logout:\n get:\n security:\n - BearerAuth: []\n tags:\n - token\n summary: Invalidate a user access token\n description: Allows to invalidate a client token before its expiration\n operationId: client_logout\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /version:\n get:\n tags:\n - maintenance\n summary: Get version details\n description: 'Returns version details such as the version number, build date, commit hash and enabled features'\n operationId: get_version\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/VersionInfo'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /admin/changepwd:\n put:\n security:\n - BearerAuth: []\n tags:\n - admins\n summary: Change admin password\n description: Changes the password for the logged in admin\n operationId: change_admin_password\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/PwdChange'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /admin/profile:\n get:\n security:\n - BearerAuth: []\n tags:\n - admins\n summary: Get admin profile\n description: 'Returns the profile for the logged in admin'\n operationId: get_admin_profile\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/AdminProfile'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n put:\n security:\n - BearerAuth: []\n tags:\n - admins\n summary: Update admin profile\n description: 'Allows to update the profile for the logged in admin'\n operationId: update_admin_profile\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/AdminProfile'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /admin/2fa/recoverycodes:\n get:\n security:\n - BearerAuth: []\n tags:\n - admins\n summary: Get recovery codes\n description: 'Returns the recovery codes for the logged in admin. Recovery codes can be used if the admin loses access to their second factor auth device. Recovery codes are returned unencrypted'\n operationId: get_admin_recovery_codes\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/RecoveryCode'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n post:\n security:\n - BearerAuth: []\n tags:\n - admins\n summary: Generate recovery codes\n description: 'Generates new recovery codes for the logged in admin. Generating new recovery codes you automatically invalidate old ones'\n operationId: generate_admin_recovery_codes\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n type: string\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /admin/totp/configs:\n get:\n security:\n - BearerAuth: []\n tags:\n - admins\n summary: Get available TOTP configuration\n description: Returns the available TOTP configurations for the logged in admin\n operationId: get_admin_totp_configs\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/TOTPConfig'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /admin/totp/generate:\n post:\n security:\n - BearerAuth: []\n tags:\n - admins\n summary: Generate a new TOTP secret\n description: 'Generates a new TOTP secret, including the QR code as png, using the specified configuration for the logged in admin'\n operationId: generate_admin_totp_secret\n requestBody:\n required: true\n content:\n application/json:\n schema:\n type: object\n properties:\n config_name:\n type: string\n description: 'name of the configuration to use to generate the secret'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: object\n properties:\n config_name:\n type: string\n issuer:\n type: string\n secret:\n type: string\n url:\n type: string\n qr_code:\n type: string\n format: byte\n description: 'QR code png encoded as BASE64'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /admin/totp/validate:\n post:\n security:\n - BearerAuth: []\n tags:\n - admins\n summary: Validate a one time authentication code\n description: 'Checks if the given authentication code can be validated using the specified secret and config name'\n operationId: validate_admin_totp_secret\n requestBody:\n required: true\n content:\n application/json:\n schema:\n type: object\n properties:\n config_name:\n type: string\n description: 'name of the configuration to use to validate the passcode'\n passcode:\n type: string\n description: 'passcode to validate'\n secret:\n type: string\n description: 'secret to use to validate the passcode'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Passcode successfully validated\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /admin/totp/save:\n post:\n security:\n - BearerAuth: []\n tags:\n - admins\n summary: Save a TOTP config\n description: 'Saves the specified TOTP config for the logged in admin'\n operationId: save_admin_totp_config\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/AdminTOTPConfig'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: TOTP configuration saved\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /connections:\n get:\n tags:\n - connections\n summary: Get connections details\n description: Returns the active users and info about their current uploads/downloads\n operationId: get_connections\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/ConnectionStatus'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n '/connections/{connectionID}':\n delete:\n tags:\n - connections\n summary: Close connection\n description: Terminates an active connection\n operationId: close_connection\n parameters:\n - name: connectionID\n in: path\n description: ID of the connection to close\n required: true\n schema:\n type: string\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Connection closed\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /iplists/{type}:\n parameters:\n - name: type\n in: path\n description: IP list type\n required: true\n schema:\n $ref: '#/components/schemas/IPListType'\n get:\n tags:\n - IP Lists\n summary: Get IP list entries\n description: Returns an array with one or more IP list entry\n operationId: get_ip_list_entries\n parameters:\n - in: query\n name: filter\n schema:\n type: string\n description: restrict results to ipornet matching or starting with this filter\n - in: query\n name: from\n schema:\n type: string\n description: ipornet to start from\n required: false\n - in: query\n name: limit\n schema:\n type: integer\n minimum: 1\n maximum: 500\n default: 100\n required: false\n description: 'The maximum number of items to return. Max value is 500, default is 100'\n - in: query\n name: order\n required: false\n description: Ordering entries by ipornet field. Default ASC\n schema:\n type: string\n enum:\n - ASC\n - DESC\n example: ASC\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/IPListEntry'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n post:\n tags:\n - IP Lists\n summary: Add a new IP list entry\n description: Add an IP address or a CIDR network to a supported list\n operationId: add_ip_list_entry\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/IPListEntry'\n responses:\n '201':\n description: successful operation\n headers:\n Location:\n schema:\n type: string\n description: 'URI of the newly created object'\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Entry added\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /iplists/{type}/{ipornet}:\n parameters:\n - name: type\n in: path\n description: IP list type\n required: true\n schema:\n $ref: '#/components/schemas/IPListType'\n - name: ipornet\n in: path\n required: true\n schema:\n type: string\n get:\n tags:\n - IP Lists\n summary: Find entry by ipornet\n description: Returns the entry with the given ipornet if it exists.\n operationId: get_ip_list_by_ipornet\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/IPListEntry'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n put:\n tags:\n - IP Lists\n summary: Update IP list entry\n description: Updates an existing IP list entry\n operationId: update_ip_list_entry\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/IPListEntry'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Entry updated\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n delete:\n tags:\n - IP Lists\n summary: Delete IP list entry\n description: Deletes an existing IP list entry\n operationId: delete_ip_list_entry\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Entry deleted\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /defender/hosts:\n get:\n tags:\n - defender\n summary: Get hosts\n description: Returns hosts that are banned or for which some violations have been detected\n operationId: get_defender_hosts\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/DefenderEntry'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /defender/hosts/{id}:\n parameters:\n - name: id\n in: path\n description: host id\n required: true\n schema:\n type: string\n get:\n tags:\n - defender\n summary: Get host by id\n description: Returns the host with the given id, if it exists\n operationId: get_defender_host_by_id\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/DefenderEntry'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n delete:\n tags:\n - defender\n summary: Removes a host from the defender lists\n description: Unbans the specified host or clears its violations\n operationId: delete_defender_host_by_id\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /retention/users/checks:\n get:\n tags:\n - data retention\n summary: Get retention checks\n description: Returns the active retention checks\n operationId: get_users_retention_checks\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/RetentionCheck'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /quotas/users/scans:\n get:\n tags:\n - quota\n summary: Get active user quota scans\n description: Returns the active user quota scans\n operationId: get_users_quota_scans\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/QuotaScan'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /quotas/users/{username}/scan:\n parameters:\n - name: username\n in: path\n description: the username\n required: true\n schema:\n type: string\n post:\n tags:\n - quota\n summary: Start a user quota scan\n description: Starts a new quota scan for the given user. A quota scan updates the number of files and their total size for the specified user and the virtual folders, if any, included in his quota\n operationId: start_user_quota_scan\n responses:\n '202':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Scan started\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '409':\n $ref: '#/components/responses/Conflict'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /quotas/users/{username}/usage:\n parameters:\n - name: username\n in: path\n description: the username\n required: true\n schema:\n type: string\n - in: query\n name: mode\n required: false\n description: the update mode specifies if the given quota usage values should be added or replace the current ones\n schema:\n type: string\n enum:\n - add\n - reset\n description: |\n Update type:\n * `add` - add the specified quota limits to the current used ones\n * `reset` - reset the values to the specified ones. This is the default\n example: reset\n put:\n tags:\n - quota\n summary: Update disk quota usage limits\n description: Sets the current used quota limits for the given user\n operationId: user_quota_update_usage\n requestBody:\n required: true\n description: 'If used_quota_size and used_quota_files are missing they will default to 0, this means that if mode is \"add\" the current value, for the missing field, will remain unchanged, if mode is \"reset\" the missing field is set to 0'\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/QuotaUsage'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Quota updated\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '409':\n $ref: '#/components/responses/Conflict'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /quotas/users/{username}/transfer-usage:\n parameters:\n - name: username\n in: path\n description: the username\n required: true\n schema:\n type: string\n - in: query\n name: mode\n required: false\n description: the update mode specifies if the given quota usage values should be added or replace the current ones\n schema:\n type: string\n enum:\n - add\n - reset\n description: |\n Update type:\n * `add` - add the specified quota limits to the current used ones\n * `reset` - reset the values to the specified ones. This is the default\n example: reset\n put:\n tags:\n - quota\n summary: Update transfer quota usage limits\n description: Sets the current used transfer quota limits for the given user\n operationId: user_transfer_quota_update_usage\n requestBody:\n required: true\n description: 'If used_upload_data_transfer and used_download_data_transfer are missing they will default to 0, this means that if mode is \"add\" the current value, for the missing field, will remain unchanged, if mode is \"reset\" the missing field is set to 0'\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/TransferQuotaUsage'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Quota updated\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '409':\n $ref: '#/components/responses/Conflict'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /quotas/folders/scans:\n get:\n tags:\n - quota\n summary: Get active folder quota scans\n description: Returns the active folder quota scans\n operationId: get_folders_quota_scans\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/FolderQuotaScan'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /quotas/folders/{name}/scan:\n parameters:\n - name: name\n in: path\n description: folder name\n required: true\n schema:\n type: string\n post:\n tags:\n - quota\n summary: Start a folder quota scan\n description: Starts a new quota scan for the given folder. A quota scan update the number of files and their total size for the specified folder\n operationId: start_folder_quota_scan\n responses:\n '202':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Scan started\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '409':\n $ref: '#/components/responses/Conflict'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /quotas/folders/{name}/usage:\n parameters:\n - name: name\n in: path\n description: folder name\n required: true\n schema:\n type: string\n - in: query\n name: mode\n required: false\n description: the update mode specifies if the given quota usage values should be added or replace the current ones\n schema:\n type: string\n enum:\n - add\n - reset\n description: |\n Update type:\n * `add` - add the specified quota limits to the current used ones\n * `reset` - reset the values to the specified ones. This is the default\n example: reset\n put:\n tags:\n - quota\n summary: Update folder quota usage limits\n description: Sets the current used quota limits for the given folder\n operationId: folder_quota_update_usage\n parameters:\n - in: query\n name: mode\n required: false\n description: the update mode specifies if the given quota usage values should be added or replace the current ones\n schema:\n type: string\n enum:\n - add\n - reset\n description: |\n Update type:\n * `add` - add the specified quota limits to the current used ones\n * `reset` - reset the values to the specified ones. This is the default\n example: reset\n requestBody:\n required: true\n description: 'If used_quota_size and used_quota_files are missing they will default to 0, this means that if mode is \"add\" the current value, for the missing field, will remain unchanged, if mode is \"reset\" the missing field is set to 0'\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/QuotaUsage'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Quota updated\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '409':\n $ref: '#/components/responses/Conflict'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /folders:\n get:\n tags:\n - folders\n summary: Get folders\n description: Returns an array with one or more folders\n operationId: get_folders\n parameters:\n - in: query\n name: offset\n schema:\n type: integer\n minimum: 0\n default: 0\n required: false\n - in: query\n name: limit\n schema:\n type: integer\n minimum: 1\n maximum: 500\n default: 100\n required: false\n description: 'The maximum number of items to return. Max value is 500, default is 100'\n - in: query\n name: order\n required: false\n description: Ordering folders by name. Default ASC\n schema:\n type: string\n enum:\n - ASC\n - DESC\n example: ASC\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/BaseVirtualFolder'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n post:\n tags:\n - folders\n summary: Add folder\n operationId: add_folder\n description: Adds a new folder. A quota scan is required to update the used files/size\n parameters:\n - in: query\n name: confidential_data\n schema:\n type: integer\n description: 'If set to 1 confidential data will not be hidden. This means that the response will contain the key and additional data for secrets. If a master key is not set or an external KMS is used, the data returned are enough to get the secrets in cleartext. Ignored if the * permission is not granted.'\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/BaseVirtualFolder'\n responses:\n '201':\n description: successful operation\n headers:\n Location:\n schema:\n type: string\n description: 'URI of the newly created object'\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/BaseVirtualFolder'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n '/folders/{name}':\n parameters:\n - name: name\n in: path\n description: folder name\n required: true\n schema:\n type: string\n get:\n tags:\n - folders\n summary: Find folders by name\n description: Returns the folder with the given name if it exists.\n operationId: get_folder_by_name\n parameters:\n - in: query\n name: confidential_data\n schema:\n type: integer\n description: 'If set to 1 confidential data will not be hidden. This means that the response will contain the key and additional data for secrets. If a master key is not set or an external KMS is used, the data returned are enough to get the secrets in cleartext. Ignored if the * permission is not granted.'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/BaseVirtualFolder'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n put:\n tags:\n - folders\n summary: Update folder\n description: Updates an existing folder\n operationId: update_folder\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/BaseVirtualFolder'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Folder updated\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n delete:\n tags:\n - folders\n summary: Delete folder\n description: Deletes an existing folder\n operationId: delete_folder\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: User deleted\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /groups:\n get:\n tags:\n - groups\n summary: Get groups\n description: Returns an array with one or more groups\n operationId: get_groups\n parameters:\n - in: query\n name: offset\n schema:\n type: integer\n minimum: 0\n default: 0\n required: false\n - in: query\n name: limit\n schema:\n type: integer\n minimum: 1\n maximum: 500\n default: 100\n required: false\n description: 'The maximum number of items to return. Max value is 500, default is 100'\n - in: query\n name: order\n required: false\n description: Ordering groups by name. Default ASC\n schema:\n type: string\n enum:\n - ASC\n - DESC\n example: ASC\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/Group'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n post:\n tags:\n - groups\n summary: Add group\n operationId: add_group\n description: Adds a new group\n parameters:\n - in: query\n name: confidential_data\n schema:\n type: integer\n description: 'If set to 1 confidential data will not be hidden. This means that the response will contain the key and additional data for secrets. If a master key is not set or an external KMS is used, the data returned are enough to get the secrets in cleartext. Ignored if the * permission is not granted.'\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/Group'\n responses:\n '201':\n description: successful operation\n headers:\n Location:\n schema:\n type: string\n description: 'URI of the newly created object'\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/Group'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n '/groups/{name}':\n parameters:\n - name: name\n in: path\n description: group name\n required: true\n schema:\n type: string\n get:\n tags:\n - groups\n summary: Find groups by name\n description: Returns the group with the given name if it exists.\n operationId: get_group_by_name\n parameters:\n - in: query\n name: confidential_data\n schema:\n type: integer\n description: 'If set to 1 confidential data will not be hidden. This means that the response will contain the key and additional data for secrets. If a master key is not set or an external KMS is used, the data returned are enough to get the secrets in cleartext. Ignored if the * permission is not granted.'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/Group'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n put:\n tags:\n - groups\n summary: Update group\n description: Updates an existing group\n operationId: update_group\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/Group'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Group updated\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n delete:\n tags:\n - groups\n summary: Delete group\n description: Deletes an existing group\n operationId: delete_group\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Group deleted\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /roles:\n get:\n tags:\n - roles\n summary: Get roles\n description: Returns an array with one or more roles\n operationId: get_roles\n parameters:\n - in: query\n name: offset\n schema:\n type: integer\n minimum: 0\n default: 0\n required: false\n - in: query\n name: limit\n schema:\n type: integer\n minimum: 1\n maximum: 500\n default: 100\n required: false\n description: 'The maximum number of items to return. Max value is 500, default is 100'\n - in: query\n name: order\n required: false\n description: Ordering groups by name. Default ASC\n schema:\n type: string\n enum:\n - ASC\n - DESC\n example: ASC\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/Role'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n post:\n tags:\n - roles\n summary: Add role\n operationId: add_role\n description: Adds a new role\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/Role'\n responses:\n '201':\n description: successful operation\n headers:\n Location:\n schema:\n type: string\n description: 'URI of the newly created object'\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/Role'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n '/roles/{name}':\n parameters:\n - name: name\n in: path\n description: role name\n required: true\n schema:\n type: string\n get:\n tags:\n - roles\n summary: Find roles by name\n description: Returns the role with the given name if it exists.\n operationId: get_role_by_name\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/Role'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n put:\n tags:\n - roles\n summary: Update role\n description: Updates an existing role\n operationId: update_role\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/Role'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Group updated\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n delete:\n tags:\n - roles\n summary: Delete role\n description: Deletes an existing role\n operationId: delete_role\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Group deleted\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /eventactions:\n get:\n tags:\n - event manager\n summary: Get event actions\n description: Returns an array with one or more event actions\n operationId: get_event_actons\n parameters:\n - in: query\n name: offset\n schema:\n type: integer\n minimum: 0\n default: 0\n required: false\n - in: query\n name: limit\n schema:\n type: integer\n minimum: 1\n maximum: 500\n default: 100\n required: false\n description: 'The maximum number of items to return. Max value is 500, default is 100'\n - in: query\n name: order\n required: false\n description: Ordering actions by name. Default ASC\n schema:\n type: string\n enum:\n - ASC\n - DESC\n example: ASC\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/BaseEventAction'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n post:\n tags:\n - event manager\n summary: Add event action\n operationId: add_event_action\n description: Adds a new event actions\n parameters:\n - in: query\n name: confidential_data\n schema:\n type: integer\n description: 'If set to 1 confidential data will not be hidden. This means that the response will contain the key and additional data for secrets. If a master key is not set or an external KMS is used, the data returned are enough to get the secrets in cleartext. Ignored if the * permission is not granted.'\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/BaseEventAction'\n responses:\n '201':\n description: successful operation\n headers:\n Location:\n schema:\n type: string\n description: 'URI of the newly created object'\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/BaseEventAction'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n '/eventactions/{name}':\n parameters:\n - name: name\n in: path\n description: action name\n required: true\n schema:\n type: string\n get:\n tags:\n - event manager\n summary: Find event actions by name\n description: Returns the event action with the given name if it exists.\n operationId: get_event_action_by_name\n parameters:\n - in: query\n name: confidential_data\n schema:\n type: integer\n description: 'If set to 1 confidential data will not be hidden. This means that the response will contain the key and additional data for secrets. If a master key is not set or an external KMS is used, the data returned are enough to get the secrets in cleartext. Ignored if the * permission is not granted.'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/BaseEventAction'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n put:\n tags:\n - event manager\n summary: Update event action\n description: Updates an existing event action\n operationId: update_event_action\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/BaseEventAction'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Event action updated\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n delete:\n tags:\n - event manager\n summary: Delete event action\n description: Deletes an existing event action\n operationId: delete_event_action\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Event action deleted\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /eventrules:\n get:\n tags:\n - event manager\n summary: Get event rules\n description: Returns an array with one or more event rules\n operationId: get_event_rules\n parameters:\n - in: query\n name: offset\n schema:\n type: integer\n minimum: 0\n default: 0\n required: false\n - in: query\n name: limit\n schema:\n type: integer\n minimum: 1\n maximum: 500\n default: 100\n required: false\n description: 'The maximum number of items to return. Max value is 500, default is 100'\n - in: query\n name: order\n required: false\n description: Ordering rules by name. Default ASC\n schema:\n type: string\n enum:\n - ASC\n - DESC\n example: ASC\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/EventRule'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n post:\n tags:\n - event manager\n summary: Add event rule\n operationId: add_event_rule\n description: Adds a new event rule\n parameters:\n - in: query\n name: confidential_data\n schema:\n type: integer\n description: 'If set to 1 confidential data will not be hidden. This means that the response will contain the key and additional data for secrets. If a master key is not set or an external KMS is used, the data returned are enough to get the secrets in cleartext. Ignored if the * permission is not granted.'\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/EventRuleMinimal'\n responses:\n '201':\n description: successful operation\n headers:\n Location:\n schema:\n type: string\n description: 'URI of the newly created object'\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/EventRule'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n '/eventrules/{name}':\n parameters:\n - name: name\n in: path\n description: rule name\n required: true\n schema:\n type: string\n get:\n tags:\n - event manager\n summary: Find event rules by name\n description: Returns the event rule with the given name if it exists.\n operationId: get_event_rile_by_name\n parameters:\n - in: query\n name: confidential_data\n schema:\n type: integer\n description: 'If set to 1 confidential data will not be hidden. This means that the response will contain the key and additional data for secrets. If a master key is not set or an external KMS is used, the data returned are enough to get the secrets in cleartext. Ignored if the * permission is not granted.'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/EventRule'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n put:\n tags:\n - event manager\n summary: Update event rule\n description: Updates an existing event rule\n operationId: update_event_rule\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/EventRuleMinimal'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Event rules updated\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n delete:\n tags:\n - event manager\n summary: Delete event rule\n description: Deletes an existing event rule\n operationId: delete_event_rule\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Event rules deleted\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n '/eventrules/run/{name}':\n parameters:\n - name: name\n in: path\n description: on-demand rule name\n required: true\n schema:\n type: string\n post:\n tags:\n - event manager\n summary: Run an on-demand event rule\n description: The rule's actions will run in background. SFTPGo will not monitor any concurrency and such. If you want to be notified at the end of the execution please add an appropriate action\n operationId: run_event_rule\n responses:\n '202':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Event rule started\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /events/fs:\n get:\n tags:\n - events\n summary: Get filesystem events\n description: 'Returns an array with one or more filesystem events applying the specified filters. This API is only available if you configure an \"eventsearcher\" plugin'\n operationId: get_fs_events\n parameters:\n - in: query\n name: start_timestamp\n schema:\n type: integer\n format: int64\n minimum: 0\n default: 0\n required: false\n description: 'the event timestamp, unix timestamp in nanoseconds, must be greater than or equal to the specified one. 0 or missing means omit this filter'\n - in: query\n name: end_timestamp\n schema:\n type: integer\n format: int64\n minimum: 0\n default: 0\n required: false\n description: 'the event timestamp, unix timestamp in nanoseconds, must be less than or equal to the specified one. 0 or missing means omit this filter'\n - in: query\n name: actions\n schema:\n type: array\n items:\n $ref: '#/components/schemas/FsEventAction'\n description: 'the event action must be included among those specified. Empty or missing means omit this filter. Actions must be specified comma separated'\n explode: false\n required: false\n - in: query\n name: username\n schema:\n type: string\n description: 'the event username must be the same as the one specified. Empty or missing means omit this filter'\n required: false\n - in: query\n name: ip\n schema:\n type: string\n description: 'the event IP must be the same as the one specified. Empty or missing means omit this filter'\n required: false\n - in: query\n name: ssh_cmd\n schema:\n type: string\n description: 'the event SSH command must be the same as the one specified. Empty or missing means omit this filter'\n required: false\n - in: query\n name: fs_provider\n schema:\n $ref: '#/components/schemas/FsProviders'\n description: 'the event filesystem provider must be the same as the one specified. Empty or missing means omit this filter'\n required: false\n - in: query\n name: bucket\n schema:\n type: string\n description: 'the bucket must be the same as the one specified. Empty or missing means omit this filter'\n required: false\n - in: query\n name: endpoint\n schema:\n type: string\n description: 'the endpoint must be the same as the one specified. Empty or missing means omit this filter'\n required: false\n - in: query\n name: protocols\n schema:\n type: array\n items:\n $ref: '#/components/schemas/EventProtocols'\n description: 'the event protocol must be included among those specified. Empty or missing means omit this filter. Values must be specified comma separated'\n explode: false\n required: false\n - in: query\n name: statuses\n schema:\n type: array\n items:\n $ref: '#/components/schemas/FsEventStatus'\n description: 'the event status must be included among those specified. Empty or missing means omit this filter. Values must be specified comma separated'\n explode: false\n required: false\n - in: query\n name: instance_ids\n schema:\n type: array\n items:\n type: string\n description: 'the event instance id must be included among those specified. Empty or missing means omit this filter. Values must be specified comma separated'\n explode: false\n required: false\n - in: query\n name: from_id\n schema:\n type: string\n description: 'the event id to start from. This is useful for cursor based pagination. Empty or missing means omit this filter.'\n required: false\n - in: query\n name: role\n schema:\n type: string\n description: 'User role. Empty or missing means omit this filter. Ignored if the admin has a role'\n required: false\n - in: query\n name: csv_export\n schema:\n type: boolean\n default: false\n required: false\n description: 'If enabled, events are exported as a CSV file'\n - in: query\n name: limit\n schema:\n type: integer\n minimum: 1\n maximum: 1000\n default: 100\n required: false\n description: 'The maximum number of items to return. Max value is 1000, default is 100'\n - in: query\n name: order\n required: false\n description: Ordering events by timestamp. Default DESC\n schema:\n type: string\n enum:\n - ASC\n - DESC\n example: DESC\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/FsEvent'\n text/csv:\n schema:\n type: string\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /events/provider:\n get:\n tags:\n - events\n summary: Get provider events\n description: 'Returns an array with one or more provider events applying the specified filters. This API is only available if you configure an \"eventsearcher\" plugin'\n operationId: get_provider_events\n parameters:\n - in: query\n name: start_timestamp\n schema:\n type: integer\n format: int64\n minimum: 0\n default: 0\n required: false\n description: 'the event timestamp, unix timestamp in nanoseconds, must be greater than or equal to the specified one. 0 or missing means omit this filter'\n - in: query\n name: end_timestamp\n schema:\n type: integer\n format: int64\n minimum: 0\n default: 0\n required: false\n description: 'the event timestamp, unix timestamp in nanoseconds, must be less than or equal to the specified one. 0 or missing means omit this filter'\n - in: query\n name: actions\n schema:\n type: array\n items:\n $ref: '#/components/schemas/ProviderEventAction'\n description: 'the event action must be included among those specified. Empty or missing means omit this filter. Actions must be specified comma separated'\n explode: false\n required: false\n - in: query\n name: username\n schema:\n type: string\n description: 'the event username must be the same as the one specified. Empty or missing means omit this filter'\n required: false\n - in: query\n name: ip\n schema:\n type: string\n description: 'the event IP must be the same as the one specified. Empty or missing means omit this filter'\n required: false\n - in: query\n name: object_name\n schema:\n type: string\n description: 'the event object name must be the same as the one specified. Empty or missing means omit this filter'\n required: false\n - in: query\n name: object_types\n schema:\n type: array\n items:\n $ref: '#/components/schemas/ProviderEventObjectType'\n description: 'the event object type must be included among those specified. Empty or missing means omit this filter. Values must be specified comma separated'\n explode: false\n required: false\n - in: query\n name: instance_ids\n schema:\n type: array\n items:\n type: string\n description: 'the event instance id must be included among those specified. Empty or missing means omit this filter. Values must be specified comma separated'\n explode: false\n required: false\n - in: query\n name: from_id\n schema:\n type: string\n description: 'the event id to start from. This is useful for cursor based pagination. Empty or missing means omit this filter.'\n required: false\n - in: query\n name: role\n schema:\n type: string\n description: 'Admin role. Empty or missing means omit this filter. Ignored if the admin has a role'\n required: false\n - in: query\n name: csv_export\n schema:\n type: boolean\n default: false\n required: false\n description: 'If enabled, events are exported as a CSV file'\n - in: query\n name: omit_object_data\n schema:\n type: boolean\n default: false\n required: false\n description: 'If enabled, returned events will not contain the `object_data` field'\n - in: query\n name: limit\n schema:\n type: integer\n minimum: 1\n maximum: 1000\n default: 100\n required: false\n description: 'The maximum number of items to return. Max value is 1000, default is 100'\n - in: query\n name: order\n required: false\n description: Ordering events by timestamp. Default DESC\n schema:\n type: string\n enum:\n - ASC\n - DESC\n example: DESC\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/ProviderEvent'\n text/csv:\n schema:\n type: string\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /events/logs:\n get:\n tags:\n - events\n summary: Get log events\n description: 'Returns an array with one or more log events applying the specified filters. This API is only available if you configure an \"eventsearcher\" plugin'\n operationId: get_log_events\n parameters:\n - in: query\n name: start_timestamp\n schema:\n type: integer\n format: int64\n minimum: 0\n default: 0\n required: false\n description: 'the event timestamp, unix timestamp in nanoseconds, must be greater than or equal to the specified one. 0 or missing means omit this filter'\n - in: query\n name: end_timestamp\n schema:\n type: integer\n format: int64\n minimum: 0\n default: 0\n required: false\n description: 'the event timestamp, unix timestamp in nanoseconds, must be less than or equal to the specified one. 0 or missing means omit this filter'\n - in: query\n name: events\n schema:\n type: array\n items:\n $ref: '#/components/schemas/LogEventType'\n description: 'the log events must be included among those specified. Empty or missing means omit this filter. Events must be specified comma separated'\n explode: false\n required: false\n - in: query\n name: username\n schema:\n type: string\n description: 'the event username must be the same as the one specified. Empty or missing means omit this filter'\n required: false\n - in: query\n name: ip\n schema:\n type: string\n description: 'the event IP must be the same as the one specified. Empty or missing means omit this filter'\n required: false\n - in: query\n name: protocols\n schema:\n type: array\n items:\n $ref: '#/components/schemas/EventProtocols'\n description: 'the event protocol must be included among those specified. Empty or missing means omit this filter. Values must be specified comma separated'\n explode: false\n required: false\n - in: query\n name: instance_ids\n schema:\n type: array\n items:\n type: string\n description: 'the event instance id must be included among those specified. Empty or missing means omit this filter. Values must be specified comma separated'\n explode: false\n required: false\n - in: query\n name: from_id\n schema:\n type: string\n description: 'the event id to start from. This is useful for cursor based pagination. Empty or missing means omit this filter.'\n required: false\n - in: query\n name: role\n schema:\n type: string\n description: 'User role. Empty or missing means omit this filter. Ignored if the admin has a role'\n required: false\n - in: query\n name: csv_export\n schema:\n type: boolean\n default: false\n required: false\n description: 'If enabled, events are exported as a CSV file'\n - in: query\n name: limit\n schema:\n type: integer\n minimum: 1\n maximum: 1000\n default: 100\n required: false\n description: 'The maximum number of items to return. Max value is 1000, default is 100'\n - in: query\n name: order\n required: false\n description: Ordering events by timestamp. Default DESC\n schema:\n type: string\n enum:\n - ASC\n - DESC\n example: DESC\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/LogEvent'\n text/csv:\n schema:\n type: string\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /apikeys:\n get:\n security:\n - BearerAuth: []\n tags:\n - API keys\n summary: Get API keys\n description: Returns an array with one or more API keys. For security reasons hashed keys are omitted in the response\n operationId: get_api_keys\n parameters:\n - in: query\n name: offset\n schema:\n type: integer\n minimum: 0\n default: 0\n required: false\n - in: query\n name: limit\n schema:\n type: integer\n minimum: 1\n maximum: 500\n default: 100\n required: false\n description: 'The maximum number of items to return. Max value is 500, default is 100'\n - in: query\n name: order\n required: false\n description: Ordering API keys by id. Default ASC\n schema:\n type: string\n enum:\n - ASC\n - DESC\n example: ASC\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/APIKey'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n post:\n security:\n - BearerAuth: []\n tags:\n - API keys\n summary: Add API key\n description: Adds a new API key\n operationId: add_api_key\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/APIKey'\n responses:\n '201':\n description: successful operation\n headers:\n X-Object-ID:\n schema:\n type: string\n description: ID for the new created API key\n Location:\n schema:\n type: string\n description: URI to retrieve the details for the new created API key\n content:\n application/json:\n schema:\n type: object\n properties:\n mesage:\n type: string\n example: 'API key created. This is the only time the API key is visible, please save it.'\n key:\n type: string\n description: 'generated API key'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n '/apikeys/{id}':\n parameters:\n - name: id\n in: path\n description: the key id\n required: true\n schema:\n type: string\n get:\n security:\n - BearerAuth: []\n tags:\n - API keys\n summary: Find API key by id\n description: Returns the API key with the given id, if it exists. For security reasons the hashed key is omitted in the response\n operationId: get_api_key_by_id\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/APIKey'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n put:\n security:\n - BearerAuth: []\n tags:\n - API keys\n summary: Update API key\n description: Updates an existing API key. You cannot update the key itself, the creation date and the last use\n operationId: update_api_key\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/APIKey'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: API key updated\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n delete:\n security:\n - BearerAuth: []\n tags:\n - API keys\n summary: Delete API key\n description: Deletes an existing API key\n operationId: delete_api_key\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Admin deleted\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /admins:\n get:\n tags:\n - admins\n summary: Get admins\n description: Returns an array with one or more admins. For security reasons hashed passwords are omitted in the response\n operationId: get_admins\n parameters:\n - in: query\n name: offset\n schema:\n type: integer\n minimum: 0\n default: 0\n required: false\n - in: query\n name: limit\n schema:\n type: integer\n minimum: 1\n maximum: 500\n default: 100\n required: false\n description: 'The maximum number of items to return. Max value is 500, default is 100'\n - in: query\n name: order\n required: false\n description: Ordering admins by username. Default ASC\n schema:\n type: string\n enum:\n - ASC\n - DESC\n example: ASC\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/Admin'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n post:\n tags:\n - admins\n summary: Add admin\n description: 'Adds a new admin. Recovery codes and TOTP configuration cannot be set using this API: each admin must use the specific APIs'\n operationId: add_admin\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/Admin'\n responses:\n '201':\n description: successful operation\n headers:\n Location:\n schema:\n type: string\n description: 'URI of the newly created object'\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/Admin'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n '/admins/{username}':\n parameters:\n - name: username\n in: path\n description: the admin username\n required: true\n schema:\n type: string\n get:\n tags:\n - admins\n summary: Find admins by username\n description: 'Returns the admin with the given username, if it exists. For security reasons the hashed password is omitted in the response'\n operationId: get_admin_by_username\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/Admin'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n put:\n tags:\n - admins\n summary: Update admin\n description: 'Updates an existing admin. Recovery codes and TOTP configuration cannot be set/updated using this API: each admin must use the specific APIs. You are not allowed to update the admin impersonated using an API key'\n operationId: update_admin\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/Admin'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Admin updated\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n delete:\n tags:\n - admins\n summary: Delete admin\n description: Deletes an existing admin\n operationId: delete_admin\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Admin deleted\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n '/admins/{username}/2fa/disable':\n parameters:\n - name: username\n in: path\n description: the admin username\n required: true\n schema:\n type: string\n put:\n tags:\n - admins\n summary: Disable second factor authentication\n description: 'Disables second factor authentication for the given admin. This API must be used if the admin loses access to their second factor auth device and has no recovery codes'\n operationId: disable_admin_2fa\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: 2FA disabled\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n '/admins/{username}/forgot-password':\n parameters:\n - name: username\n in: path\n description: the admin username\n required: true\n schema:\n type: string\n post:\n security: []\n tags:\n - admins\n summary: Send a password reset code by email\n description: 'You must set up an SMTP server and the account must have a valid email address, in which case SFTPGo will send a code via email to reset the password. If the specified admin does not exist, the request will be silently ignored (a success response will be returned) to avoid disclosing existing admins'\n operationId: admin_forgot_password\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n '/admins/{username}/reset-password':\n parameters:\n - name: username\n in: path\n description: the admin username\n required: true\n schema:\n type: string\n post:\n security: []\n tags:\n - admins\n summary: Reset the password\n description: 'Set a new password using the code received via email'\n operationId: admin_reset_password\n requestBody:\n content:\n application/json:\n schema:\n type: object\n properties:\n code:\n type: string\n password:\n type: string\n required: true\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /users:\n get:\n tags:\n - users\n summary: Get users\n description: Returns an array with one or more users. For security reasons hashed passwords are omitted in the response\n operationId: get_users\n parameters:\n - in: query\n name: offset\n schema:\n type: integer\n minimum: 0\n default: 0\n required: false\n - in: query\n name: limit\n schema:\n type: integer\n minimum: 1\n maximum: 500\n default: 100\n required: false\n description: 'The maximum number of items to return. Max value is 500, default is 100'\n - in: query\n name: order\n required: false\n description: Ordering users by username. Default ASC\n schema:\n type: string\n enum:\n - ASC\n - DESC\n example: ASC\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/User'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n post:\n tags:\n - users\n summary: Add user\n description: 'Adds a new user.Recovery codes and TOTP configuration cannot be set using this API: each user must use the specific APIs'\n operationId: add_user\n parameters:\n - in: query\n name: confidential_data\n schema:\n type: integer\n description: 'If set to 1 confidential data will not be hidden. This means that the response will contain the hash of the password and the key and additional data for secrets. If a master key is not set or an external KMS is used, the data returned are enough to get the secrets in cleartext. Ignored if the * permission is not granted.'\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/User'\n responses:\n '201':\n description: successful operation\n headers:\n Location:\n schema:\n type: string\n description: 'URI of the newly created object'\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/User'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n '/users/{username}':\n parameters:\n - name: username\n in: path\n description: the username\n required: true\n schema:\n type: string\n get:\n tags:\n - users\n summary: Find users by username\n description: Returns the user with the given username if it exists. For security reasons the hashed password is omitted in the response\n operationId: get_user_by_username\n parameters:\n - in: query\n name: confidential_data\n schema:\n type: integer\n description: 'If set to 1 confidential data will not be hidden. This means that the response will contain the hash of the password and the key and additional data for secrets. If a master key is not set or an external KMS is used, the data returned are enough to get the secrets in cleartext. Ignored if the * permission is not granted.'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/User'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n put:\n tags:\n - users\n summary: Update user\n description: 'Updates an existing user and optionally disconnects it, if connected, to apply the new settings. The current password will be preserved if the password field is omitted in the request body. Recovery codes and TOTP configuration cannot be set/updated using this API: each user must use the specific APIs'\n operationId: update_user\n parameters:\n - in: query\n name: disconnect\n schema:\n type: integer\n enum:\n - 0\n - 1\n description: |\n Disconnect:\n * `0` The user will not be disconnected and it will continue to use the old configuration until connected. This is the default\n * `1` The user will be disconnected after a successful update. It must login again and so it will be forced to use the new configuration\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/User'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: User updated\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n delete:\n tags:\n - users\n summary: Delete user\n description: Deletes an existing user\n operationId: delete_user\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: User deleted\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n '/users/{username}/2fa/disable':\n parameters:\n - name: username\n in: path\n description: the username\n required: true\n schema:\n type: string\n put:\n tags:\n - users\n summary: Disable second factor authentication\n description: 'Disables second factor authentication for the given user. This API must be used if the user loses access to their second factor auth device and has no recovery codes'\n operationId: disable_user_2fa\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: 2FA disabled\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n '/users/{username}/forgot-password':\n parameters:\n - name: username\n in: path\n description: the username\n required: true\n schema:\n type: string\n post:\n security: []\n tags:\n - users\n summary: Send a password reset code by email\n description: 'You must configure an SMTP server, the account must have a valid email address and must not have the \"reset-password-disabled\" restriction, in which case SFTPGo will send a code via email to reset the password. If the specified user does not exist, the request will be silently ignored (a success response will be returned) to avoid disclosing existing users'\n operationId: user_forgot_password\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n '/users/{username}/reset-password':\n parameters:\n - name: username\n in: path\n description: the username\n required: true\n schema:\n type: string\n post:\n security: []\n tags:\n - users\n summary: Reset the password\n description: 'Set a new password using the code received via email'\n operationId: user_reset_password\n requestBody:\n content:\n application/json:\n schema:\n type: object\n properties:\n code:\n type: string\n password:\n type: string\n required: true\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /status:\n get:\n tags:\n - maintenance\n summary: Get status\n description: Retrieves the status of the active services\n operationId: get_status\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ServicesStatus'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /dumpdata:\n get:\n tags:\n - maintenance\n summary: Dump data\n description: 'Backups data as data provider independent JSON. The backup can be saved in a local file on the server, to avoid exposing sensitive data over the network, or returned as response body. The output of dumpdata can be used as input for loaddata'\n operationId: dumpdata\n parameters:\n - in: query\n name: output-file\n schema:\n type: string\n description: Path for the file to write the JSON serialized data to. This path is relative to the configured \"backups_path\". If this file already exists it will be overwritten. To return the backup as response body set `output_data` to true instead.\n - in: query\n name: output-data\n schema:\n type: integer\n enum:\n - 0\n - 1\n description: |\n output data:\n * `0` or any other value != 1, the backup will be saved to a file on the server, `output_file` is required\n * `1` the backup will be returned as response body\n - in: query\n name: indent\n schema:\n type: integer\n enum:\n - 0\n - 1\n description: |\n indent:\n * `0` no indentation. This is the default\n * `1` format the output JSON\n - in: query\n name: scopes\n schema:\n type: array\n items:\n $ref: '#/components/schemas/DumpDataScopes'\n description: 'You can limit the dump contents to the specified scopes. Empty or missing means any supported scope. Scopes must be specified comma separated'\n explode: false\n required: false\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n oneOf:\n - $ref: '#/components/schemas/ApiResponse'\n - $ref: '#/components/schemas/BackupData'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /loaddata:\n parameters:\n - in: query\n name: scan-quota\n schema:\n type: integer\n enum:\n - 0\n - 1\n - 2\n description: |\n Quota scan:\n * `0` no quota scan is done, the imported users/folders will have used_quota_size and used_quota_files = 0 or the existing values if they already exists. This is the default\n * `1` scan quota\n * `2` scan quota if the user has quota restrictions\n required: false\n - in: query\n name: mode\n schema:\n type: integer\n enum:\n - 0\n - 1\n - 2\n description: |\n Mode:\n * `0` New objects are added, existing ones are updated. This is the default\n * `1` New objects are added, existing ones are not modified\n * `2` New objects are added, existing ones are updated and connected users are disconnected and so forced to use the new configuration\n get:\n tags:\n - maintenance\n summary: Load data from path\n description: 'Restores SFTPGo data from a JSON backup file on the server. Objects will be restored one by one and the restore is stopped if a object cannot be added or updated, so it could happen a partial restore'\n operationId: loaddata_from_file\n parameters:\n - in: query\n name: input-file\n schema:\n type: string\n required: true\n description: Path for the file to read the JSON serialized data from. This can be an absolute path or a path relative to the configured \"backups_path\". The max allowed file size is 10MB\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Data restored\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n post:\n tags:\n - maintenance\n summary: Load data\n description: 'Restores SFTPGo data from a JSON backup. Objects will be restored one by one and the restore is stopped if a object cannot be added or updated, so it could happen a partial restore'\n operationId: loaddata_from_request_body\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/BackupData'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Data restored\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /user/changepwd:\n put:\n security:\n - BearerAuth: []\n tags:\n - user APIs\n summary: Change user password\n description: Changes the password for the logged in user\n operationId: change_user_password\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/PwdChange'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /user/profile:\n get:\n security:\n - BearerAuth: []\n tags:\n - user APIs\n summary: Get user profile\n description: 'Returns the profile for the logged in user'\n operationId: get_user_profile\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/UserProfile'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n put:\n security:\n - BearerAuth: []\n tags:\n - user APIs\n summary: Update user profile\n description: 'Allows to update the profile for the logged in user'\n operationId: update_user_profile\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/UserProfile'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /user/2fa/recoverycodes:\n get:\n security:\n - BearerAuth: []\n tags:\n - user APIs\n summary: Get recovery codes\n description: 'Returns the recovery codes for the logged in user. Recovery codes can be used if the user loses access to their second factor auth device. Recovery codes are returned unencrypted'\n operationId: get_user_recovery_codes\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/RecoveryCode'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n post:\n security:\n - BearerAuth: []\n tags:\n - user APIs\n summary: Generate recovery codes\n description: 'Generates new recovery codes for the logged in user. Generating new recovery codes you automatically invalidate old ones'\n operationId: generate_user_recovery_codes\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n type: string\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /user/totp/configs:\n get:\n security:\n - BearerAuth: []\n tags:\n - user APIs\n summary: Get available TOTP configuration\n description: Returns the available TOTP configurations for the logged in user\n operationId: get_user_totp_configs\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/TOTPConfig'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /user/totp/generate:\n post:\n security:\n - BearerAuth: []\n tags:\n - user APIs\n summary: Generate a new TOTP secret\n description: 'Generates a new TOTP secret, including the QR code as png, using the specified configuration for the logged in user'\n operationId: generate_user_totp_secret\n requestBody:\n required: true\n content:\n application/json:\n schema:\n type: object\n properties:\n config_name:\n type: string\n description: 'name of the configuration to use to generate the secret'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: object\n properties:\n config_name:\n type: string\n issuer:\n type: string\n secret:\n type: string\n qr_code:\n type: string\n format: byte\n description: 'QR code png encoded as BASE64'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /user/totp/validate:\n post:\n security:\n - BearerAuth: []\n tags:\n - user APIs\n summary: Validate a one time authentication code\n description: 'Checks if the given authentication code can be validated using the specified secret and config name'\n operationId: validate_user_totp_secret\n requestBody:\n required: true\n content:\n application/json:\n schema:\n type: object\n properties:\n config_name:\n type: string\n description: 'name of the configuration to use to validate the passcode'\n passcode:\n type: string\n description: 'passcode to validate'\n secret:\n type: string\n description: 'secret to use to validate the passcode'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Passcode successfully validated\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /user/totp/save:\n post:\n security:\n - BearerAuth: []\n tags:\n - user APIs\n summary: Save a TOTP config\n description: 'Saves the specified TOTP config for the logged in user'\n operationId: save_user_totp_config\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/UserTOTPConfig'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: TOTP configuration saved\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /user/shares:\n get:\n tags:\n - user APIs\n summary: List user shares\n description: Returns the share for the logged in user\n operationId: get_user_shares\n parameters:\n - in: query\n name: offset\n schema:\n type: integer\n minimum: 0\n default: 0\n required: false\n - in: query\n name: limit\n schema:\n type: integer\n minimum: 1\n maximum: 500\n default: 100\n required: false\n description: 'The maximum number of items to return. Max value is 500, default is 100'\n - in: query\n name: order\n required: false\n description: Ordering shares by ID. Default ASC\n schema:\n type: string\n enum:\n - ASC\n - DESC\n example: ASC\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/Share'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n post:\n tags:\n - user APIs\n summary: Add a share\n operationId: add_share\n description: 'Adds a new share. The share id will be auto-generated'\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/Share'\n responses:\n '201':\n description: successful operation\n headers:\n X-Object-ID:\n schema:\n type: string\n description: ID for the new created share\n Location:\n schema:\n type: string\n description: URI to retrieve the details for the new created share\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n '/user/shares/{id}':\n parameters:\n - name: id\n in: path\n description: the share id\n required: true\n schema:\n type: string\n get:\n tags:\n - user APIs\n summary: Get share by id\n description: Returns a share by id for the logged in user\n operationId: get_user_share_by_id\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/Share'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n put:\n tags:\n - user APIs\n summary: Update share\n description: 'Updates an existing share belonging to the logged in user'\n operationId: update_user_share\n requestBody:\n required: true\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/Share'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Share updated\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n delete:\n tags:\n - user APIs\n summary: Delete share\n description: 'Deletes an existing share belonging to the logged in user'\n operationId: delete_user_share\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n example:\n message: Share deleted\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '404':\n $ref: '#/components/responses/NotFound'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /user/file-actions/copy:\n parameters:\n - in: query\n name: path\n description: Path to the file/folder to copy. It must be URL encoded, for example the path \"my dir/àdir\" must be sent as \"my%20dir%2F%C3%A0dir\"\n schema:\n type: string\n required: true\n - in: query\n name: target\n description: New name. It must be URL encoded, for example the path \"my dir/àdir\" must be sent as \"my%20dir%2F%C3%A0dir\"\n schema:\n type: string\n required: true\n post:\n tags:\n - user APIs\n summary: 'Copy a file or a directory'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /user/file-actions/move:\n parameters:\n - in: query\n name: path\n description: Path to the file/folder to rename. It must be URL encoded, for example the path \"my dir/àdir\" must be sent as \"my%20dir%2F%C3%A0dir\"\n schema:\n type: string\n required: true\n - in: query\n name: target\n description: New name. It must be URL encoded, for example the path \"my dir/àdir\" must be sent as \"my%20dir%2F%C3%A0dir\"\n schema:\n type: string\n required: true\n post:\n tags:\n - user APIs\n summary: 'Move (rename) a file or a directory'\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /user/dirs:\n get:\n tags:\n - user APIs\n summary: Read directory contents\n description: Returns the contents of the specified directory for the logged in user\n operationId: get_user_dir_contents\n parameters:\n - in: query\n name: path\n description: Path to the folder to read. It must be URL encoded, for example the path \"my dir/àdir\" must be sent as \"my%20dir%2F%C3%A0dir\". If empty or missing the user's start directory is assumed. If relative, the user's start directory is used as the base\n schema:\n type: string\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n type: array\n items:\n $ref: '#/components/schemas/DirEntry'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n post:\n tags:\n - user APIs\n summary: Create a directory\n description: Create a directory for the logged in user\n operationId: create_user_dir\n parameters:\n - in: query\n name: path\n description: Path to the folder to create. It must be URL encoded, for example the path \"my dir/àdir\" must be sent as \"my%20dir%2F%C3%A0dir\"\n schema:\n type: string\n required: true\n - in: query\n name: mkdir_parents\n description: Create parent directories if they do not exist?\n schema:\n type: boolean\n required: false\n responses:\n '201':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n patch:\n tags:\n - user APIs\n deprecated: true\n summary: 'Rename a directory. Deprecated, use \"file-actions/move\"'\n description: Rename a directory for the logged in user. The rename is allowed for empty directory or for non empty local directories, with no virtual folders inside\n operationId: rename_user_dir\n parameters:\n - in: query\n name: path\n description: Path to the folder to rename. It must be URL encoded, for example the path \"my dir/àdir\" must be sent as \"my%20dir%2F%C3%A0dir\"\n schema:\n type: string\n required: true\n - in: query\n name: target\n description: New name. It must be URL encoded, for example the path \"my dir/àdir\" must be sent as \"my%20dir%2F%C3%A0dir\"\n schema:\n type: string\n required: true\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n delete:\n tags:\n - user APIs\n summary: Delete a directory\n description: Delete a directory and any children it contains for the logged in user\n operationId: delete_user_dir\n parameters:\n - in: query\n name: path\n description: Path to the folder to delete. It must be URL encoded, for example the path \"my dir/àdir\" must be sent as \"my%20dir%2F%C3%A0dir\"\n schema:\n type: string\n required: true\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /user/files:\n get:\n tags:\n - user APIs\n summary: Download a single file\n description: Returns the file contents as response body\n operationId: download_user_file\n parameters:\n - in: query\n name: path\n required: true\n description: Path to the file to download. It must be URL encoded, for example the path \"my dir/àdir/file.txt\" must be sent as \"my%20dir%2F%C3%A0dir%2Ffile.txt\"\n schema:\n type: string\n - in: query\n name: inline\n required: false\n description: 'If set, the response will not have the Content-Disposition header set to `attachment`'\n schema:\n type: string\n responses:\n '200':\n description: successful operation\n content:\n '*/*':\n schema:\n type: string\n format: binary\n '206':\n description: successful operation\n content:\n '*/*':\n schema:\n type: string\n format: binary\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n post:\n tags:\n - user APIs\n summary: Upload files\n description: Upload one or more files for the logged in user\n operationId: create_user_files\n parameters:\n - in: query\n name: path\n description: Parent directory for the uploaded files. It must be URL encoded, for example the path \"my dir/àdir\" must be sent as \"my%20dir%2F%C3%A0dir\". If empty or missing the root path is assumed. If a file with the same name already exists, it will be overwritten\n schema:\n type: string\n - in: query\n name: mkdir_parents\n description: Create parent directories if they do not exist?\n schema:\n type: boolean\n required: false\n requestBody:\n content:\n multipart/form-data:\n schema:\n type: object\n properties:\n filenames:\n type: array\n items:\n type: string\n format: binary\n minItems: 1\n uniqueItems: true\n required: true\n responses:\n '201':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '413':\n $ref: '#/components/responses/RequestEntityTooLarge'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n patch:\n tags:\n - user APIs\n deprecated: true\n summary: Rename a file\n description: 'Rename a file for the logged in user. Deprecated, use \"file-actions/move\"'\n operationId: rename_user_file\n parameters:\n - in: query\n name: path\n description: Path to the file to rename. It must be URL encoded\n schema:\n type: string\n required: true\n - in: query\n name: target\n description: New name. It must be URL encoded\n schema:\n type: string\n required: true\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n delete:\n tags:\n - user APIs\n summary: Delete a file\n description: Delete a file for the logged in user.\n operationId: delete_user_file\n parameters:\n - in: query\n name: path\n description: Path to the file to delete. It must be URL encoded\n schema:\n type: string\n required: true\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /user/files/upload:\n post:\n tags:\n - user APIs\n summary: Upload a single file\n description: 'Upload a single file for the logged in user to an existing directory. This API does not use multipart/form-data and so no temporary files are created server side but only a single file can be uploaded as POST body'\n operationId: create_user_file\n parameters:\n - in: query\n name: path\n description: Full file path. It must be path encoded, for example the path \"my dir/àdir/file.txt\" must be sent as \"my%20dir%2F%C3%A0dir%2Ffile.txt\". The parent directory must exist. If a file with the same name already exists, it will be overwritten\n schema:\n type: string\n required: true\n - in: query\n name: mkdir_parents\n description: Create parent directories if they do not exist?\n schema:\n type: boolean\n required: false\n - in: header\n name: X-SFTPGO-MTIME\n schema:\n type: integer\n description: File modification time as unix timestamp in milliseconds\n requestBody:\n content:\n application/*:\n schema:\n type: string\n format: binary\n text/*:\n schema:\n type: string\n format: binary\n image/*:\n schema:\n type: string\n format: binary\n audio/*:\n schema:\n type: string\n format: binary\n video/*:\n schema:\n type: string\n format: binary\n required: true\n responses:\n '201':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '413':\n $ref: '#/components/responses/RequestEntityTooLarge'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /user/files/metadata:\n patch:\n tags:\n - user APIs\n summary: Set metadata for a file/directory\n description: 'Set supported metadata attributes for the specified file or directory'\n operationId: setprops_user_file\n parameters:\n - in: query\n name: path\n description: Full file/directory path. It must be URL encoded, for example the path \"my dir/àdir/file.txt\" must be sent as \"my%20dir%2F%C3%A0dir%2Ffile.txt\"\n schema:\n type: string\n required: true\n requestBody:\n content:\n application/json:\n schema:\n type: object\n properties:\n modification_time:\n type: integer\n description: File modification time as unix timestamp in milliseconds\n required: true\n responses:\n '200':\n description: successful operation\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '413':\n $ref: '#/components/responses/RequestEntityTooLarge'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\n /user/streamzip:\n post:\n tags:\n - user APIs\n summary: Download multiple files and folders as a single zip file\n description: A zip file, containing the specified files and folders, will be generated on the fly and returned as response body. Only folders and regular files will be included in the zip\n operationId: streamzip\n requestBody:\n required: true\n content:\n application/json:\n schema:\n type: array\n items:\n type: string\n description: Absolute file or folder path\n responses:\n '200':\n description: successful operation\n content:\n 'application/zip':\n schema:\n type: string\n format: binary\n '400':\n $ref: '#/components/responses/BadRequest'\n '401':\n $ref: '#/components/responses/Unauthorized'\n '403':\n $ref: '#/components/responses/Forbidden'\n '500':\n $ref: '#/components/responses/InternalServerError'\n default:\n $ref: '#/components/responses/DefaultResponse'\ncomponents:\n responses:\n BadRequest:\n description: Bad Request\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n Unauthorized:\n description: Unauthorized\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n Forbidden:\n description: Forbidden\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n NotFound:\n description: Not Found\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n Conflict:\n description: Conflict\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n RequestEntityTooLarge:\n description: Request Entity Too Large, max allowed size exceeded\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n InternalServerError:\n description: Internal Server Error\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n DefaultResponse:\n description: Unexpected Error\n content:\n application/json:\n schema:\n $ref: '#/components/schemas/ApiResponse'\n schemas:\n Permission:\n type: string\n enum:\n - '*'\n - list\n - download\n - upload\n - overwrite\n - delete\n - delete_files\n - delete_dirs\n - rename\n - rename_files\n - rename_dirs\n - create_dirs\n - create_symlinks\n - chmod\n - chown\n - chtimes\n - copy\n description: |\n Permissions:\n * `*` - all permissions are granted\n * `list` - list items is allowed\n * `download` - download files is allowed\n * `upload` - upload files is allowed\n * `overwrite` - overwrite an existing file, while uploading, is allowed. upload permission is required to allow file overwrite\n * `delete` - delete files or directories is allowed\n * `delete_files` - delete files is allowed\n * `delete_dirs` - delete directories is allowed\n * `rename` - rename files or directories is allowed\n * `rename_files` - rename files is allowed\n * `rename_dirs` - rename directories is allowed\n * `create_dirs` - create directories is allowed\n * `create_symlinks` - create links is allowed\n * `chmod` changing file or directory permissions is allowed\n * `chown` changing file or directory owner and group is allowed\n * `chtimes` changing file or directory access and modification time is allowed\n * `copy`, copying files or directories is allowed\n AdminPermissions:\n type: string\n enum:\n - '*'\n - add_users\n - edit_users\n - del_users\n - view_users\n - view_conns\n - close_conns\n - view_status\n - manage_folders\n - manage_groups\n - quota_scans\n - manage_defender\n - view_defender\n - view_events\n - disable_mfa\n description: |\n Admin permissions:\n * `*` - super admin permissions are granted\n * `add_users` - add new users is allowed\n * `edit_users` - change existing users is allowed\n * `del_users` - remove users is allowed\n * `view_users` - list users is allowed\n * `view_conns` - list active connections is allowed\n * `close_conns` - close active connections is allowed\n * `view_status` - view the server status is allowed\n * `manage_folders` - manage folders is allowed\n * `manage_groups` - manage groups is allowed\n * `quota_scans` - view and start quota scans is allowed\n * `manage_defender` - remove ip from the dynamic blocklist is allowed\n * `view_defender` - list the dynamic blocklist is allowed\n * `view_events` - view and search filesystem and provider events is allowed\n * `disable_mfa` - allow to disable two-factor authentication for users and admins\n FsProviders:\n type: integer\n enum:\n - 0\n - 1\n - 2\n - 3\n - 4\n - 5\n - 6\n description: |\n Filesystem providers:\n * `0` - Local filesystem\n * `1` - S3 Compatible Object Storage\n * `2` - Google Cloud Storage\n * `3` - Azure Blob Storage\n * `4` - Local filesystem encrypted\n * `5` - SFTP\n * `6` - HTTP filesystem\n EventActionTypes:\n type: integer\n enum:\n - 1\n - 2\n - 3\n - 4\n - 5\n - 6\n - 7\n - 8\n - 9\n - 11\n - 12\n - 13\n - 14\n - 15\n description: |\n Supported event action types:\n * `1` - HTTP\n * `2` - Command\n * `3` - Email\n * `4` - Backup\n * `5` - User quota reset\n * `6` - Folder quota reset\n * `7` - Transfer quota reset\n * `8` - Data retention check\n * `9` - Filesystem\n * `11` - Password expiration check\n * `12` - User expiration check\n * `13` - Identity Provider account check\n * `14` - User inactivity check\n * `15` - Rotate log file\n FilesystemActionTypes:\n type: integer\n enum:\n - 1\n - 2\n - 3\n - 4\n - 5\n - 6\n description: |\n Supported filesystem action types:\n * `1` - Rename\n * `2` - Delete\n * `3` - Mkdis\n * `4` - Exist\n * `5` - Compress\n * `6` - Copy\n EventTriggerTypes:\n type: integer\n enum:\n - 1\n - 2\n - 3\n - 4\n - 5\n - 6\n - 7\n description: |\n Supported event trigger types:\n * `1` - Filesystem event\n * `2` - Provider event\n * `3` - Schedule\n * `4` - IP blocked\n * `5` - Certificate renewal\n * `6` - On demand, like schedule but executed on demand\n * `7` - Identity provider login\n LoginMethods:\n type: string\n enum:\n - publickey\n - password\n - password-over-SSH\n - keyboard-interactive\n - publickey+password\n - publickey+keyboard-interactive\n - TLSCertificate\n - TLSCertificate+password\n description: |\n Available login methods. To enable multi-step authentication you have to allow only multi-step login methods\n * `publickey`\n * `password`, password for all the supported protocols\n * `password-over-SSH`, password over SSH protocol (SSH/SFTP/SCP)\n * `keyboard-interactive`\n * `publickey+password` - multi-step auth: public key and password\n * `publickey+keyboard-interactive` - multi-step auth: public key and keyboard interactive\n * `TLSCertificate`\n * `TLSCertificate+password` - multi-step auth: TLS client certificate and password\n SupportedProtocols:\n type: string\n enum:\n - SSH\n - FTP\n - DAV\n - HTTP\n description: |\n Protocols:\n * `SSH` - includes both SFTP and SSH commands\n * `FTP` - plain FTP and FTPES/FTPS\n * `DAV` - WebDAV over HTTP/HTTPS\n * `HTTP` - WebClient/REST API\n MFAProtocols:\n type: string\n enum:\n - SSH\n - FTP\n - HTTP\n description: |\n Protocols:\n * `SSH` - includes both SFTP and SSH commands\n * `FTP` - plain FTP and FTPES/FTPS\n * `HTTP` - WebClient/REST API\n EventProtocols:\n type: string\n enum:\n - SSH\n - SFTP\n - SCP\n - FTP\n - DAV\n - HTTP\n - HTTPShare\n - DataRetention\n - EventAction\n - OIDC\n description: |\n Protocols:\n * `SSH` - SSH commands\n * `SFTP` - SFTP protocol\n * `SCP` - SCP protocol\n * `FTP` - plain FTP and FTPES/FTPS\n * `DAV` - WebDAV\n * `HTTP` - WebClient/REST API\n * `HTTPShare` - the event is generated in a public share\n * `DataRetention` - the event is generated by a data retention check\n * `EventAction` - the event is generated by an EventManager action\n * `OIDC` - OpenID Connect\n WebClientOptions:\n type: string\n enum:\n - publickey-change-disabled\n - tls-cert-change-disabled\n - write-disabled\n - mfa-disabled\n - password-change-disabled\n - api-key-auth-change-disabled\n - info-change-disabled\n - shares-disabled\n - password-reset-disabled\n - shares-without-password-disabled\n description: |\n Options:\n * `publickey-change-disabled` - changing SSH public keys is not allowed\n * `tls-cert-change-disabled` - changing TLS certificates is not allowed\n * `write-disabled` - upload, rename, delete are not allowed even if the user has permissions for these actions\n * `mfa-disabled` - enabling multi-factor authentication is not allowed. This option cannot be set if the user has MFA already enabled\n * `password-change-disabled` - changing password is not allowed\n * `api-key-auth-change-disabled` - enabling/disabling API key authentication is not allowed\n * `info-change-disabled` - changing info such as email and description is not allowed\n * `shares-disabled` - sharing files and directories with external users is not allowed\n * `password-reset-disabled` - resetting the password is not allowed\n * `shares-without-password-disabled` - creating shares without password protection is not allowed\n APIKeyScope:\n type: integer\n enum:\n - 1\n - 2\n description: |\n Options:\n * `1` - admin scope. The API key will be used to impersonate an SFTPGo admin\n * `2` - user scope. The API key will be used to impersonate an SFTPGo user\n ShareScope:\n type: integer\n enum:\n - 1\n - 2\n description: |\n Options:\n * `1` - read scope\n * `2` - write scope\n TOTPHMacAlgo:\n type: string\n enum:\n - sha1\n - sha256\n - sha512\n description: 'Supported HMAC algorithms for Time-based one time passwords'\n UserType:\n type: string\n enum:\n - ''\n - LDAPUser\n - OSUser\n description: This is an hint for authentication plugins. It is ignored when using SFTPGo internal authentication\n DumpDataScopes:\n type: string\n enum:\n - users\n - folders\n - groups\n - admins\n - api_keys\n - shares\n - actions\n - rules\n - roles\n - ip_lists\n - configs\n LogEventType:\n type: integer\n enum:\n - 1\n - 2\n - 3\n - 4\n - 5\n description: >\n Event status:\n * `1` - Login failed\n * `2` - Login failed non-existent user\n * `3` - No login tried\n * `4` - Algorithm negotiation failed\n * `5` - Login succeeded\n FsEventStatus:\n type: integer\n enum:\n - 1\n - 2\n - 3\n description: >\n Event status:\n * `1` - no error\n * `2` - generic error\n * `3` - quota exceeded error\n FsEventAction:\n type: string\n enum:\n - download\n - upload\n - first-upload\n - first-download\n - delete\n - rename\n - mkdir\n - rmdir\n - ssh_cmd\n ProviderEventAction:\n type: string\n enum:\n - add\n - update\n - delete\n ProviderEventObjectType:\n type: string\n enum:\n - user\n - folder\n - group\n - admin\n - api_key\n - share\n - event_action\n - event_rule\n - role\n SSHAuthentications:\n type: string\n enum:\n - publickey\n - password\n - keyboard-interactive\n - publickey+password\n - publickey+keyboard-interactive\n TLSVersions:\n type: integer\n enum:\n - 12\n - 13\n description: >\n TLS version:\n * `12` - TLS 1.2\n * `13` - TLS 1.3\n IPListType:\n type: integer\n enum:\n - 1\n - 2\n - 3\n description: >\n IP List types:\n * `1` - allow list\n * `2` - defender\n * `3` - rate limiter safe list\n IPListMode:\n type: integer\n enum:\n - 1\n - 2\n description: >\n IP list modes\n * `1` - allow\n * `2` - deny, supported for defender list type only\n TOTPConfig:\n type: object\n properties:\n name:\n type: string\n issuer:\n type: string\n algo:\n $ref: '#/components/schemas/TOTPHMacAlgo'\n RecoveryCode:\n type: object\n properties:\n secret:\n $ref: '#/components/schemas/Secret'\n used:\n type: boolean\n description: 'Recovery codes to use if the user loses access to their second factor auth device. Each code can only be used once, you should use these codes to login and disable or reset 2FA for your account'\n BaseTOTPConfig:\n type: object\n properties:\n enabled:\n type: boolean\n config_name:\n type: string\n description: 'This name must be defined within the \"totp\" section of the SFTPGo configuration file. You will be unable to save a user/admin referencing a missing config_name'\n secret:\n $ref: '#/components/schemas/Secret'\n AdminTOTPConfig:\n allOf:\n - $ref: '#/components/schemas/BaseTOTPConfig'\n UserTOTPConfig:\n allOf:\n - $ref: '#/components/schemas/BaseTOTPConfig'\n - type: object\n properties:\n protocols:\n type: array\n items:\n $ref: '#/components/schemas/MFAProtocols'\n description: 'TOTP will be required for the specified protocols. SSH protocol (SFTP/SCP/SSH commands) will ask for the TOTP passcode if the client uses keyboard interactive authentication. FTP has no standard way to support two factor authentication, if you enable the FTP support, you have to add the TOTP passcode after the password. For example if your password is \"password\" and your one time passcode is \"123456\" you have to use \"password123456\" as password. WebDAV is not supported since each single request must be authenticated and a passcode cannot be reused.'\n PatternsFilter:\n type: object\n properties:\n path:\n type: string\n description: 'virtual path as seen by users, if no other specific filter is defined, the filter applies for sub directories too. For example if filters are defined for the paths \"/\" and \"/sub\" then the filters for \"/\" are applied for any file outside the \"/sub\" directory'\n allowed_patterns:\n type: array\n items:\n type: string\n description: 'list of, case insensitive, allowed shell like patterns. Allowed patterns are evaluated before the denied ones'\n example:\n - '*.jpg'\n - a*b?.png\n denied_patterns:\n type: array\n items:\n type: string\n description: 'list of, case insensitive, denied shell like patterns'\n example:\n - '*.zip'\n deny_policy:\n type: integer\n enum:\n - 0\n - 1\n description: |\n Policies for denied patterns\n * `0` - default policy. Denied files/directories matching the filters are visible in directory listing but cannot be uploaded/downloaded/overwritten/renamed\n * `1` - deny policy hide. This policy applies the same restrictions as the default one and denied files/directories matching the filters will also be hidden in directory listing. This mode may cause performance issues for large directories\n HooksFilter:\n type: object\n properties:\n external_auth_disabled:\n type: boolean\n example: false\n description: If true, the external auth hook, if defined, will not be executed\n pre_login_disabled:\n type: boolean\n example: false\n description: If true, the pre-login hook, if defined, will not be executed\n check_password_disabled:\n type: boolean\n example: false\n description: If true, the check password hook, if defined, will not be executed\n description: User specific hook overrides\n BandwidthLimit:\n type: object\n properties:\n sources:\n type: array\n items:\n type: string\n description: 'Source networks in CIDR notation as defined in RFC 4632 and RFC 4291 for example `192.0.2.0/24` or `2001:db8::/32`. The limit applies if the defined networks contain the client IP'\n upload_bandwidth:\n type: integer\n format: int32\n description: 'Maximum upload bandwidth as KB/s, 0 means unlimited'\n download_bandwidth:\n type: integer\n format: int32\n description: 'Maximum download bandwidth as KB/s, 0 means unlimited'\n TimePeriod:\n type: object\n properties:\n day_of_week:\n type: integer\n enum:\n - 0\n - 1\n - 2\n - 3\n - 4\n - 5\n - 6\n description: Day of week, 0 Sunday, 6 Saturday\n from:\n type: string\n description: Start time in HH:MM format\n to:\n type: string\n description: End time in HH:MM format\n BaseUserFilters:\n type: object\n properties:\n allowed_ip:\n type: array\n items:\n type: string\n description: 'only clients connecting from these IP/Mask are allowed. IP/Mask must be in CIDR notation as defined in RFC 4632 and RFC 4291, for example \"192.0.2.0/24\" or \"2001:db8::/32\"'\n example:\n - 192.0.2.0/24\n - '2001:db8::/32'\n denied_ip:\n type: array\n items:\n type: string\n description: clients connecting from these IP/Mask are not allowed. Denied rules are evaluated before allowed ones\n example:\n - 172.16.0.0/16\n denied_login_methods:\n type: array\n items:\n $ref: '#/components/schemas/LoginMethods'\n description: if null or empty any available login method is allowed\n denied_protocols:\n type: array\n items:\n $ref: '#/components/schemas/SupportedProtocols'\n description: if null or empty any available protocol is allowed\n file_patterns:\n type: array\n items:\n $ref: '#/components/schemas/PatternsFilter'\n description: 'filters based on shell like file patterns. These restrictions do not apply to files listing for performance reasons, so a denied file cannot be downloaded/overwritten/renamed but it will still be in the list of files. Please note that these restrictions can be easily bypassed'\n max_upload_file_size:\n type: integer\n format: int64\n description: 'maximum allowed size, as bytes, for a single file upload. The upload will be aborted if/when the size of the file being sent exceeds this limit. 0 means unlimited'\n tls_username:\n type: string\n description: 'defines the TLS certificate field to use as username. For FTP clients it must match the name provided using the \"USER\" command. For WebDAV, if no username is provided, the CN will be used as username. For WebDAV clients it must match the implicit or provided username. Ignored if mutual TLS is disabled. Currently the only supported value is `CommonName`'\n hooks:\n $ref: '#/components/schemas/HooksFilter'\n disable_fs_checks:\n type: boolean\n example: false\n description: Disable checks for existence and automatic creation of home directory and virtual folders. SFTPGo requires that the user's home directory, virtual folder root, and intermediate paths to virtual folders exist to work properly. If you already know that the required directories exist, disabling these checks will speed up login. You could, for example, disable these checks after the first login\n web_client:\n type: array\n items:\n $ref: '#/components/schemas/WebClientOptions'\n description: WebClient/user REST API related configuration options\n allow_api_key_auth:\n type: boolean\n description: 'API key authentication allows to impersonate this user with an API key'\n user_type:\n $ref: '#/components/schemas/UserType'\n bandwidth_limits:\n type: array\n items:\n $ref: '#/components/schemas/BandwidthLimit'\n external_auth_cache_time:\n type: integer\n description: 'Defines the cache time, in seconds, for users authenticated using an external auth hook. 0 means no cache'\n start_directory:\n type: string\n description: 'Specifies an alternate starting directory. If not set, the default is \"/\". This option is supported for SFTP/SCP, FTP and HTTP (WebClient/REST API) protocols. Relative paths will use this directory as base.'\n two_factor_protocols:\n type: array\n items:\n $ref: '#/components/schemas/MFAProtocols'\n description: 'Defines protocols that require two factor authentication'\n ftp_security:\n type: integer\n enum:\n - 0\n - 1\n description: 'Set to `1` to require TLS for both data and control connection. his setting is useful if you want to allow both encrypted and plain text FTP sessions globally and then you want to require encrypted sessions on a per-user basis. It has no effect if TLS is already required for all users in the configuration file.'\n is_anonymous:\n type: boolean\n description: 'If enabled the user can login with any password or no password at all. Anonymous users are supported for FTP and WebDAV protocols and permissions will be automatically set to \"list\" and \"download\" (read only)'\n default_shares_expiration:\n type: integer\n description: 'Defines the default expiration for newly created shares as number of days. 0 means no expiration'\n max_shares_expiration:\n type: integer\n description: 'Defines the maximum allowed expiration, as a number of days, when a user creates or updates a share. 0 means no expiration'\n password_expiration:\n type: integer\n description: 'The password expires after the defined number of days. 0 means no expiration'\n password_strength:\n type: integer\n description: 'Defines the minimum password strength. 0 means disabled, any password will be accepted. Values in the 50-70 range are suggested for common use cases'\n access_time:\n type: array\n items:\n $ref: '#/components/schemas/TimePeriod'\n description: Additional user options\n UserFilters:\n allOf:\n - $ref: '#/components/schemas/BaseUserFilters'\n - type: object\n properties:\n require_password_change:\n type: boolean\n description: 'User must change password from WebClient/REST API at next login'\n totp_config:\n $ref: '#/components/schemas/UserTOTPConfig'\n recovery_codes:\n type: array\n items:\n $ref: '#/components/schemas/RecoveryCode'\n tls_certs:\n type: array\n items:\n type: string\n additional_emails:\n type: array\n items:\n type: string\n format: email\n Secret:\n type: object\n properties:\n status:\n type: string\n enum:\n - Plain\n - AES-256-GCM\n - Secretbox\n - GCP\n - AWS\n - VaultTransit\n - AzureKeyVault\n - Redacted\n description: 'Set to \"Plain\" to add or update an existing secret, set to \"Redacted\" to preserve the existing value'\n payload:\n type: string\n key:\n type: string\n additional_data:\n type: string\n mode:\n type: integer\n description: 1 means encrypted using a master key\n description: The secret is encrypted before saving, so to set a new secret you must provide a payload and set the status to \"Plain\". The encryption key and additional data will be generated automatically. If you set the status to \"Redacted\" the existing secret will be preserved\n S3Config:\n type: object\n properties:\n bucket:\n type: string\n minLength: 1\n region:\n type: string\n minLength: 1\n access_key:\n type: string\n access_secret:\n $ref: '#/components/schemas/Secret'\n sse_customer_key:\n $ref: '#/components/schemas/Secret'\n role_arn:\n type: string\n description: 'Optional IAM Role ARN to assume'\n session_token:\n type: string\n description: 'Optional Session token that is a part of temporary security credentials provisioned by AWS STS'\n endpoint:\n type: string\n description: optional endpoint\n storage_class:\n type: string\n acl:\n type: string\n description: 'The canned ACL to apply to uploaded objects. Leave empty to use the default ACL. For more information and available ACLs, see here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl'\n upload_part_size:\n type: integer\n description: 'the buffer size (in MB) to use for multipart uploads. The minimum allowed part size is 5MB, and if this value is set to zero, the default value (5MB) for the AWS SDK will be used. The minimum allowed value is 5.'\n upload_concurrency:\n type: integer\n description: 'the number of parts to upload in parallel. If this value is set to zero, the default value (5) will be used'\n upload_part_max_time:\n type: integer\n description: 'the maximum time allowed, in seconds, to upload a single chunk (the chunk size is defined via \"upload_part_size\"). 0 means no timeout'\n download_part_size:\n type: integer\n description: 'the buffer size (in MB) to use for multipart downloads. The minimum allowed part size is 5MB, and if this value is set to zero, the default value (5MB) for the AWS SDK will be used. The minimum allowed value is 5. Ignored for partial downloads'\n download_concurrency:\n type: integer\n description: 'the number of parts to download in parallel. If this value is set to zero, the default value (5) will be used. Ignored for partial downloads'\n download_part_max_time:\n type: integer\n description: 'the maximum time allowed, in seconds, to download a single chunk (the chunk size is defined via \"download_part_size\"). 0 means no timeout. Ignored for partial downloads.'\n force_path_style:\n type: boolean\n description: 'Set this to \"true\" to force the request to use path-style addressing, i.e., \"http://s3.amazonaws.com/BUCKET/KEY\". By default, the S3 client will use virtual hosted bucket addressing when possible (\"http://BUCKET.s3.amazonaws.com/KEY\")'\n key_prefix:\n type: string\n description: 'key_prefix is similar to a chroot directory for a local filesystem. If specified the user will only see contents that starts with this prefix and so you can restrict access to a specific virtual folder. The prefix, if not empty, must not start with \"/\" and must end with \"/\". If empty the whole bucket contents will be available'\n example: folder/subfolder/\n description: S3 Compatible Object Storage configuration details\n GCSConfig:\n type: object\n properties:\n bucket:\n type: string\n minLength: 1\n credentials:\n $ref: '#/components/schemas/Secret'\n automatic_credentials:\n type: integer\n enum:\n - 0\n - 1\n description: |\n Automatic credentials:\n * `0` - disabled, explicit credentials, using a JSON credentials file, must be provided. This is the default value if the field is null\n * `1` - enabled, we try to use the Application Default Credentials (ADC) strategy to find your application's credentials\n storage_class:\n type: string\n acl:\n type: string\n description: 'The ACL to apply to uploaded objects. Leave empty to use the default ACL. For more information and available ACLs, refer to the JSON API here: https://cloud.google.com/storage/docs/access-control/lists#predefined-acl'\n key_prefix:\n type: string\n description: 'key_prefix is similar to a chroot directory for a local filesystem. If specified the user will only see contents that starts with this prefix and so you can restrict access to a specific virtual folder. The prefix, if not empty, must not start with \"/\" and must end with \"/\". If empty the whole bucket contents will be available'\n example: folder/subfolder/\n upload_part_size:\n type: integer\n description: 'The buffer size (in MB) to use for multipart uploads. The default value is 16MB. 0 means use the default'\n upload_part_max_time:\n type: integer\n description: 'The maximum time allowed, in seconds, to upload a single chunk. The default value is 32. 0 means use the default'\n description: 'Google Cloud Storage configuration details. The \"credentials\" field must be populated only when adding/updating a user. It will be always omitted, since there are sensitive data, when you search/get users'\n AzureBlobFsConfig:\n type: object\n properties:\n container:\n type: string\n account_name:\n type: string\n description: 'Storage Account Name, leave blank to use SAS URL'\n account_key:\n $ref: '#/components/schemas/Secret'\n sas_url:\n $ref: '#/components/schemas/Secret'\n endpoint:\n type: string\n description: 'optional endpoint. Default is \"blob.core.windows.net\". If you use the emulator the endpoint must include the protocol, for example \"http://127.0.0.1:10000\"'\n upload_part_size:\n type: integer\n description: 'the buffer size (in MB) to use for multipart uploads. If this value is set to zero, the default value (5MB) will be used.'\n upload_concurrency:\n type: integer\n description: 'the number of parts to upload in parallel. If this value is set to zero, the default value (5) will be used'\n download_part_size:\n type: integer\n description: 'the buffer size (in MB) to use for multipart downloads. If this value is set to zero, the default value (5MB) will be used.'\n download_concurrency:\n type: integer\n description: 'the number of parts to download in parallel. If this value is set to zero, the default value (5) will be used'\n access_tier:\n type: string\n enum:\n - ''\n - Archive\n - Hot\n - Cool\n key_prefix:\n type: string\n description: 'key_prefix is similar to a chroot directory for a local filesystem. If specified the user will only see contents that starts with this prefix and so you can restrict access to a specific virtual folder. The prefix, if not empty, must not start with \"/\" and must end with \"/\". If empty the whole container contents will be available'\n example: folder/subfolder/\n use_emulator:\n type: boolean\n description: Azure Blob Storage configuration details\n OSFsConfig:\n type: object\n properties:\n read_buffer_size:\n type: integer\n minimum: 0\n maximum: 10\n description: \"The read buffer size, as MB, to use for downloads. 0 means no buffering, that's fine in most use cases.\"\n write_buffer_size:\n type: integer\n minimum: 0\n maximum: 10\n description: \"The write buffer size, as MB, to use for uploads. 0 means no buffering, that's fine in most use cases.\"\n CryptFsConfig:\n type: object\n properties:\n passphrase:\n $ref: '#/components/schemas/Secret'\n read_buffer_size:\n type: integer\n minimum: 0\n maximum: 10\n description: \"The read buffer size, as MB, to use for downloads. 0 means no buffering, that's fine in most use cases.\"\n write_buffer_size:\n type: integer\n minimum: 0\n maximum: 10\n description: \"The write buffer size, as MB, to use for uploads. 0 means no buffering, that's fine in most use cases.\"\n description: Crypt filesystem configuration details\n SFTPFsConfig:\n type: object\n properties:\n endpoint:\n type: string\n description: 'remote SFTP endpoint as host:port'\n username:\n type: string\n description: you can specify a password or private key or both. In the latter case the private key will be tried first.\n password:\n $ref: '#/components/schemas/Secret'\n private_key:\n $ref: '#/components/schemas/Secret'\n key_passphrase:\n $ref: '#/components/schemas/Secret'\n fingerprints:\n type: array\n items:\n type: string\n description: 'SHA256 fingerprints to use for host key verification. If you don''t provide any fingerprint the remote host key will not be verified, this is a security risk'\n prefix:\n type: string\n description: Specifying a prefix you can restrict all operations to a given path within the remote SFTP server.\n disable_concurrent_reads:\n type: boolean\n description: Concurrent reads are safe to use and disabling them will degrade performance. Some servers automatically delete files once they are downloaded. Using concurrent reads is problematic with such servers.\n buffer_size:\n type: integer\n minimum: 0\n maximum: 16\n example: 2\n description: The size of the buffer (in MB) to use for transfers. By enabling buffering, the reads and writes, from/to the remote SFTP server, are split in multiple concurrent requests and this allows data to be transferred at a faster rate, over high latency networks, by overlapping round-trip times. With buffering enabled, resuming uploads is not supported and a file cannot be opened for both reading and writing at the same time. 0 means disabled.\n equality_check_mode:\n type: integer\n enum:\n - 0\n - 1\n description: |\n Defines how to check if this config points to the same server as another config. If different configs point to the same server the renaming between the fs configs is allowed:\n * `0` username and endpoint must match. This is the default\n * `1` only the endpoint must match\n HTTPFsConfig:\n type: object\n properties:\n endpoint:\n type: string\n description: 'HTTP/S endpoint URL. SFTPGo will use this URL as base, for example for the `stat` API, SFTPGo will add `/stat/{name}`'\n username:\n type: string\n password:\n $ref: '#/components/schemas/Secret'\n api_key:\n $ref: '#/components/schemas/Secret'\n skip_tls_verify:\n type: boolean\n equality_check_mode:\n type: integer\n enum:\n - 0\n - 1\n description: |\n Defines how to check if this config points to the same server as another config. If different configs point to the same server the renaming between the fs configs is allowed:\n * `0` username and endpoint must match. This is the default\n * `1` only the endpoint must match\n FilesystemConfig:\n type: object\n properties:\n provider:\n $ref: '#/components/schemas/FsProviders'\n osconfig:\n $ref: '#/components/schemas/OSFsConfig'\n s3config:\n $ref: '#/components/schemas/S3Config'\n gcsconfig:\n $ref: '#/components/schemas/GCSConfig'\n azblobconfig:\n $ref: '#/components/schemas/AzureBlobFsConfig'\n cryptconfig:\n $ref: '#/components/schemas/CryptFsConfig'\n sftpconfig:\n $ref: '#/components/schemas/SFTPFsConfig'\n httpconfig:\n $ref: '#/components/schemas/HTTPFsConfig'\n description: Storage filesystem details\n BaseVirtualFolder:\n type: object\n properties:\n id:\n type: integer\n format: int32\n minimum: 1\n name:\n type: string\n description: unique name for this virtual folder\n mapped_path:\n type: string\n description: absolute filesystem path to use as virtual folder\n description:\n type: string\n description: optional description\n used_quota_size:\n type: integer\n format: int64\n used_quota_files:\n type: integer\n format: int32\n last_quota_update:\n type: integer\n format: int64\n description: Last quota update as unix timestamp in milliseconds\n users:\n type: array\n items:\n type: string\n description: list of usernames associated with this virtual folder\n filesystem:\n $ref: '#/components/schemas/FilesystemConfig'\n description: 'Defines the filesystem for the virtual folder and the used quota limits. The same folder can be shared among multiple users and each user can have different quota limits or a different virtual path.'\n VirtualFolder:\n allOf:\n - $ref: '#/components/schemas/BaseVirtualFolder'\n - type: object\n properties:\n virtual_path:\n type: string\n quota_size:\n type: integer\n format: int64\n description: 'Quota as size in bytes. 0 means unlimited, -1 means included in user quota. Please note that quota is updated if files are added/removed via SFTPGo otherwise a quota scan or a manual quota update is needed'\n quota_files:\n type: integer\n format: int32\n description: 'Quota as number of files. 0 means unlimited, , -1 means included in user quota. Please note that quota is updated if files are added/removed via SFTPGo otherwise a quota scan or a manual quota update is needed'\n required:\n - virtual_path\n description: 'A virtual folder is a mapping between a SFTPGo virtual path and a filesystem path outside the user home directory. The specified paths must be absolute and the virtual path cannot be \"/\", it must be a sub directory. The parent directory for the specified virtual path must exist. SFTPGo will try to automatically create any missing parent directory for the configured virtual folders at user login.'\n User:\n type: object\n properties:\n id:\n type: integer\n format: int32\n minimum: 1\n status:\n type: integer\n enum:\n - 0\n - 1\n description: |\n status:\n * `0` user is disabled, login is not allowed\n * `1` user is enabled\n username:\n type: string\n description: username is unique\n email:\n type: string\n format: email\n description:\n type: string\n description: 'optional description, for example the user full name'\n expiration_date:\n type: integer\n format: int64\n description: expiration date as unix timestamp in milliseconds. An expired account cannot login. 0 means no expiration\n password:\n type: string\n format: password\n description: If the password has no known hashing algo prefix it will be stored, by default, using bcrypt, argon2id is supported too. You can send a password hashed as bcrypt ($2a$ prefix), argon2id, pbkdf2 or unix crypt and it will be stored as is. For security reasons this field is omitted when you search/get users\n public_keys:\n type: array\n items:\n type: string\n example: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEUWwDwEWhTbF0MqAsp/oXK1HR2cElhM8oo1uVmL3ZeDKDiTm4ljMr92wfTgIGDqIoxmVqgYIkAOAhuykAVWBzc= user@host\n description: Public keys in OpenSSH format.\n has_password:\n type: boolean\n description: Indicates whether the password is set\n home_dir:\n type: string\n description: path to the user home directory. The user cannot upload or download files outside this directory. SFTPGo tries to automatically create this folder if missing. Must be an absolute path\n virtual_folders:\n type: array\n items:\n $ref: '#/components/schemas/VirtualFolder'\n description: mapping between virtual SFTPGo paths and virtual folders\n uid:\n type: integer\n format: int32\n minimum: 0\n maximum: 2147483647\n description: 'if you run SFTPGo as root user, the created files and directories will be assigned to this uid. 0 means no change, the owner will be the user that runs SFTPGo. Ignored on windows'\n gid:\n type: integer\n format: int32\n minimum: 0\n maximum: 2147483647\n description: 'if you run SFTPGo as root user, the created files and directories will be assigned to this gid. 0 means no change, the group will be the one of the user that runs SFTPGo. Ignored on windows'\n max_sessions:\n type: integer\n format: int32\n description: Limit the sessions that a user can open. 0 means unlimited\n quota_size:\n type: integer\n format: int64\n description: Quota as size in bytes. 0 means unlimited. Please note that quota is updated if files are added/removed via SFTPGo otherwise a quota scan or a manual quota update is needed\n quota_files:\n type: integer\n format: int32\n description: Quota as number of files. 0 means unlimited. Please note that quota is updated if files are added/removed via SFTPGo otherwise a quota scan or a manual quota update is needed\n permissions:\n type: object\n additionalProperties:\n type: array\n items:\n $ref: '#/components/schemas/Permission'\n minItems: 1\n minProperties: 1\n description: 'hash map with directory as key and an array of permissions as value. Directories must be absolute paths, permissions for root directory (\"/\") are required'\n example:\n /:\n - '*'\n /somedir:\n - list\n - download\n used_quota_size:\n type: integer\n format: int64\n used_quota_files:\n type: integer\n format: int32\n last_quota_update:\n type: integer\n format: int64\n description: Last quota update as unix timestamp in milliseconds\n upload_bandwidth:\n type: integer\n description: 'Maximum upload bandwidth as KB/s, 0 means unlimited'\n download_bandwidth:\n type: integer\n description: 'Maximum download bandwidth as KB/s, 0 means unlimited'\n upload_data_transfer:\n type: integer\n description: 'Maximum data transfer allowed for uploads as MB. 0 means no limit'\n download_data_transfer:\n type: integer\n description: 'Maximum data transfer allowed for downloads as MB. 0 means no limit'\n total_data_transfer:\n type: integer\n description: 'Maximum total data transfer as MB. 0 means unlimited. You can set a total data transfer instead of the individual values for uploads and downloads'\n used_upload_data_transfer:\n type: integer\n description: 'Uploaded size, as bytes, since the last reset'\n used_download_data_transfer:\n type: integer\n description: 'Downloaded size, as bytes, since the last reset'\n created_at:\n type: integer\n format: int64\n description: 'creation time as unix timestamp in milliseconds. It will be 0 for users created before v2.2.0'\n updated_at:\n type: integer\n format: int64\n description: last update time as unix timestamp in milliseconds\n last_login:\n type: integer\n format: int64\n description: Last user login as unix timestamp in milliseconds. It is saved at most once every 10 minutes\n first_download:\n type: integer\n format: int64\n description: first download time as unix timestamp in milliseconds\n first_upload:\n type: integer\n format: int64\n description: first upload time as unix timestamp in milliseconds\n last_password_change:\n type: integer\n format: int64\n description: last password change time as unix timestamp in milliseconds\n filters:\n $ref: '#/components/schemas/UserFilters'\n filesystem:\n $ref: '#/components/schemas/FilesystemConfig'\n additional_info:\n type: string\n description: Free form text field for external systems\n groups:\n type: array\n items:\n $ref: '#/components/schemas/GroupMapping'\n oidc_custom_fields:\n type: object\n additionalProperties: true\n description: 'This field is passed to the pre-login hook if custom OIDC token fields have been configured. Field values can be of any type (this is a free form object) and depend on the type of the configured OIDC token fields'\n role:\n type: string\n AdminPreferences:\n type: object\n properties:\n hide_user_page_sections:\n type: integer\n description: 'Allow to hide some sections from the user page. These are not security settings and are not enforced server side in any way. They are only intended to simplify the user page in the WebAdmin UI. 1 means hide groups section, 2 means hide filesystem section, \"users_base_dir\" must be set in the config file otherwise this setting is ignored, 4 means hide virtual folders section, 8 means hide profile section, 16 means hide ACLs section, 32 means hide disk and bandwidth quota limits section, 64 means hide advanced settings section. The settings can be combined'\n default_users_expiration:\n type: integer\n description: 'Defines the default expiration for newly created users as number of days. 0 means no expiration'\n AdminFilters:\n type: object\n properties:\n allow_list:\n type: array\n items:\n type: string\n description: 'only clients connecting from these IP/Mask are allowed. IP/Mask must be in CIDR notation as defined in RFC 4632 and RFC 4291, for example \"192.0.2.0/24\" or \"2001:db8::/32\"'\n example:\n - 192.0.2.0/24\n - '2001:db8::/32'\n allow_api_key_auth:\n type: boolean\n description: 'API key auth allows to impersonate this administrator with an API key'\n require_two_factor:\n type: boolean\n require_password_change:\n type: boolean\n totp_config:\n $ref: '#/components/schemas/AdminTOTPConfig'\n recovery_codes:\n type: array\n items:\n $ref: '#/components/schemas/RecoveryCode'\n preferences:\n $ref: '#/components/schemas/AdminPreferences'\n Admin:\n type: object\n properties:\n id:\n type: integer\n format: int32\n minimum: 1\n status:\n type: integer\n enum:\n - 0\n - 1\n description: |\n status:\n * `0` user is disabled, login is not allowed\n * `1` user is enabled\n username:\n type: string\n description: username is unique\n description:\n type: string\n description: 'optional description, for example the admin full name'\n password:\n type: string\n format: password\n description: Admin password. For security reasons this field is omitted when you search/get admins\n email:\n type: string\n format: email\n permissions:\n type: array\n items:\n $ref: '#/components/schemas/AdminPermissions'\n filters:\n $ref: '#/components/schemas/AdminFilters'\n additional_info:\n type: string\n description: Free form text field\n groups:\n type: array\n items:\n $ref: '#/components/schemas/AdminGroupMapping'\n description: 'Groups automatically selected for new users created by this admin. The admin will still be able to choose different groups. These settings are only used for this admin UI and they will be ignored in REST API/hooks.'\n created_at:\n type: integer\n format: int64\n description: 'creation time as unix timestamp in milliseconds. It will be 0 for admins created before v2.2.0'\n updated_at:\n type: integer\n format: int64\n description: last update time as unix timestamp in milliseconds\n last_login:\n type: integer\n format: int64\n description: Last user login as unix timestamp in milliseconds. It is saved at most once every 10 minutes\n role:\n type: string\n description: 'If set the admin can only administer users with the same role. Role admins cannot have the \"*\" permission'\n AdminProfile:\n type: object\n properties:\n email:\n type: string\n format: email\n description:\n type: string\n allow_api_key_auth:\n type: boolean\n description: 'If enabled, you can impersonate this admin, in REST API, using an API key. If disabled admin credentials are required for impersonation'\n UserProfile:\n type: object\n properties:\n email:\n type: string\n format: email\n description:\n type: string\n allow_api_key_auth:\n type: boolean\n description: 'If enabled, you can impersonate this user, in REST API, using an API key. If disabled user credentials are required for impersonation'\n public_keys:\n type: array\n items:\n type: string\n example: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEUWwDwEWhTbF0MqAsp/oXK1HR2cElhM8oo1uVmL3ZeDKDiTm4ljMr92wfTgIGDqIoxmVqgYIkAOAhuykAVWBzc= user@host\n description: Public keys in OpenSSH format\n APIKey:\n type: object\n properties:\n id:\n type: string\n description: unique key identifier\n name:\n type: string\n description: User friendly key name\n key:\n type: string\n format: password\n description: We store the hash of the key. This is just like a password. For security reasons this field is omitted when you search/get API keys\n scope:\n $ref: '#/components/schemas/APIKeyScope'\n created_at:\n type: integer\n format: int64\n description: creation time as unix timestamp in milliseconds\n updated_at:\n type: integer\n format: int64\n description: last update time as unix timestamp in milliseconds\n last_use_at:\n type: integer\n format: int64\n description: last use time as unix timestamp in milliseconds. It is saved at most once every 10 minutes\n expires_at:\n type: integer\n format: int64\n description: expiration time as unix timestamp in milliseconds\n description:\n type: string\n description: optional description\n user:\n type: string\n description: username associated with this API key. If empty and the scope is \"user scope\" the key can impersonate any user\n admin:\n type: string\n description: admin associated with this API key. If empty and the scope is \"admin scope\" the key can impersonate any admin\n QuotaUsage:\n type: object\n properties:\n used_quota_size:\n type: integer\n format: int64\n used_quota_files:\n type: integer\n format: int32\n TransferQuotaUsage:\n type: object\n properties:\n used_upload_data_transfer:\n type: integer\n format: int64\n description: 'The value must be specified as bytes'\n used_download_data_transfer:\n type: integer\n format: int64\n description: 'The value must be specified as bytes'\n Transfer:\n type: object\n properties:\n operation_type:\n type: string\n enum:\n - upload\n - download\n description: |\n Operations:\n * `upload`\n * `download`\n path:\n type: string\n description: file path for the upload/download\n start_time:\n type: integer\n format: int64\n description: start time as unix timestamp in milliseconds\n size:\n type: integer\n format: int64\n description: bytes transferred\n ConnectionStatus:\n type: object\n properties:\n username:\n type: string\n description: connected username\n connection_id:\n type: string\n description: unique connection identifier\n client_version:\n type: string\n description: client version\n remote_address:\n type: string\n description: Remote address for the connected client\n connection_time:\n type: integer\n format: int64\n description: connection time as unix timestamp in milliseconds\n command:\n type: string\n description: Last SSH/FTP command or WebDAV method\n last_activity:\n type: integer\n format: int64\n description: last client activity as unix timestamp in milliseconds\n protocol:\n type: string\n enum:\n - SFTP\n - SCP\n - SSH\n - FTP\n - DAV\n active_transfers:\n type: array\n items:\n $ref: '#/components/schemas/Transfer'\n node:\n type: string\n description: 'Node identifier, omitted for single node installations'\n FolderRetention:\n type: object\n properties:\n path:\n type: string\n description: 'virtual directory path as seen by users, if no other specific retention is defined, the retention applies for sub directories too. For example if retention is defined for the paths \"/\" and \"/sub\" then the retention for \"/\" is applied for any file outside the \"/sub\" directory'\n example: '/'\n retention:\n type: integer\n description: retention time in hours. All the files with a modification time older than the defined value will be deleted. 0 means exclude this path\n example: 24\n delete_empty_dirs:\n type: boolean\n description: if enabled, empty directories will be deleted\n RetentionCheck:\n type: object\n properties:\n username:\n type: string\n description: username to which the retention check refers\n folders:\n type: array\n items:\n $ref: '#/components/schemas/FolderRetention'\n start_time:\n type: integer\n format: int64\n description: check start time as unix timestamp in milliseconds\n QuotaScan:\n type: object\n properties:\n username:\n type: string\n description: username to which the quota scan refers\n start_time:\n type: integer\n format: int64\n description: scan start time as unix timestamp in milliseconds\n FolderQuotaScan:\n type: object\n properties:\n name:\n type: string\n description: folder name to which the quota scan refers\n start_time:\n type: integer\n format: int64\n description: scan start time as unix timestamp in milliseconds\n DefenderEntry:\n type: object\n properties:\n id:\n type: string\n ip:\n type: string\n score:\n type: integer\n description: the score increases whenever a violation is detected, such as an attempt to log in using an incorrect password or invalid username. If the score exceeds the configured threshold, the IP is banned. Omitted for banned IPs\n ban_time:\n type: string\n format: date-time\n description: date time until the IP is banned. For already banned hosts, the ban time is increased each time a new violation is detected. Omitted if the IP is not banned\n SSHHostKey:\n type: object\n properties:\n path:\n type: string\n fingerprint:\n type: string\n algorithms:\n type: array\n items:\n type: string\n SSHBinding:\n type: object\n properties:\n address:\n type: string\n description: TCP address the server listen on\n port:\n type: integer\n description: the port used for serving requests\n apply_proxy_config:\n type: boolean\n description: 'apply the proxy configuration, if any'\n WebDAVBinding:\n type: object\n properties:\n address:\n type: string\n description: TCP address the server listen on\n port:\n type: integer\n description: the port used for serving requests\n enable_https:\n type: boolean\n min_tls_version:\n $ref: '#/components/schemas/TLSVersions'\n client_auth_type:\n type: integer\n description: 1 means that client certificate authentication is required in addition to HTTP basic authentication\n tls_cipher_suites:\n type: array\n items:\n type: string\n description: 'List of supported cipher suites for TLS version 1.2. If empty a default list of secure cipher suites is used, with a preference order based on hardware performance'\n prefix:\n type: string\n description: 'Prefix for WebDAV resources, if empty WebDAV resources will be available at the `/` URI'\n proxy_allowed:\n type: array\n items:\n type: string\n description: 'List of IP addresses and IP ranges allowed to set proxy headers'\n PassiveIPOverride:\n type: object\n properties:\n networks:\n type: array\n items:\n type: string\n ip:\n type: string\n FTPDBinding:\n type: object\n properties:\n address:\n type: string\n description: TCP address the server listen on\n port:\n type: integer\n description: the port used for serving requests\n apply_proxy_config:\n type: boolean\n description: 'apply the proxy configuration, if any'\n tls_mode:\n type: integer\n enum:\n - 0\n - 1\n - 2\n description: |\n TLS mode:\n * `0` - clear or explicit TLS\n * `1` - explicit TLS required\n * `2` - implicit TLS\n min_tls_version:\n $ref: '#/components/schemas/TLSVersions'\n force_passive_ip:\n type: string\n description: External IP address for passive connections\n passive_ip_overrides:\n type: array\n items:\n $ref: '#/components/schemas/PassiveIPOverride'\n client_auth_type:\n type: integer\n description: 1 means that client certificate authentication is required in addition to FTP authentication\n tls_cipher_suites:\n type: array\n items:\n type: string\n description: 'List of supported cipher suites for TLS version 1.2. If empty a default list of secure cipher suites is used, with a preference order based on hardware performance'\n passive_connections_security:\n type: integer\n enum:\n - 0\n - 1\n description: |\n Active connections security:\n * `0` - require matching peer IP addresses of control and data connection\n * `1` - disable any checks\n active_connections_security:\n type: integer\n enum:\n - 0\n - 1\n description: |\n Active connections security:\n * `0` - require matching peer IP addresses of control and data connection\n * `1` - disable any checks\n ignore_ascii_transfer_type:\n type: integer\n enum:\n - 0\n - 1\n description: |\n Ignore client requests to perform ASCII translations:\n * `0` - ASCII translations are enabled\n * `1` - ASCII translations are silently ignored\n debug:\n type: boolean\n description: 'If enabled any FTP command will be logged'\n SSHServiceStatus:\n type: object\n properties:\n is_active:\n type: boolean\n bindings:\n type: array\n items:\n $ref: '#/components/schemas/SSHBinding'\n nullable: true\n host_keys:\n type: array\n items:\n $ref: '#/components/schemas/SSHHostKey'\n nullable: true\n ssh_commands:\n type: array\n items:\n type: string\n authentications:\n type: array\n items:\n $ref: '#/components/schemas/SSHAuthentications'\n public_key_algorithms:\n type: array\n items:\n type: string\n macs:\n type: array\n items:\n type: string\n kex_algorithms:\n type: array\n items:\n type: string\n ciphers:\n type: array\n items:\n type: string\n FTPPassivePortRange:\n type: object\n properties:\n start:\n type: integer\n end:\n type: integer\n FTPServiceStatus:\n type: object\n properties:\n is_active:\n type: boolean\n bindings:\n type: array\n items:\n $ref: '#/components/schemas/FTPDBinding'\n nullable: true\n passive_port_range:\n $ref: '#/components/schemas/FTPPassivePortRange'\n WebDAVServiceStatus:\n type: object\n properties:\n is_active:\n type: boolean\n bindings:\n type: array\n items:\n $ref: '#/components/schemas/WebDAVBinding'\n nullable: true\n DataProviderStatus:\n type: object\n properties:\n is_active:\n type: boolean\n driver:\n type: string\n error:\n type: string\n MFAStatus:\n type: object\n properties:\n is_active:\n type: boolean\n totp_configs:\n type: array\n items:\n $ref: '#/components/schemas/TOTPConfig'\n ServicesStatus:\n type: object\n properties:\n ssh:\n $ref: '#/components/schemas/SSHServiceStatus'\n ftp:\n $ref: '#/components/schemas/FTPServiceStatus'\n webdav:\n $ref: '#/components/schemas/WebDAVServiceStatus'\n data_provider:\n $ref: '#/components/schemas/DataProviderStatus'\n defender:\n type: object\n properties:\n is_active:\n type: boolean\n mfa:\n $ref: '#/components/schemas/MFAStatus'\n allow_list:\n type: object\n properties:\n is_active:\n type: boolean\n rate_limiters:\n type: object\n properties:\n is_active:\n type: boolean\n protocols:\n type: array\n items:\n type: string\n example: SSH\n Share:\n type: object\n properties:\n id:\n type: string\n description: auto-generated unique share identifier\n name:\n type: string\n description:\n type: string\n description: optional description\n scope:\n $ref: '#/components/schemas/ShareScope'\n paths:\n type: array\n items:\n type: string\n description: 'paths to files or directories, for share scope write this array must contain exactly one directory. Paths will not be validated on save so you can also create them after creating the share'\n example:\n - '/dir1'\n - '/dir2/file.txt'\n - '/dir3/subdir'\n username:\n type: string\n created_at:\n type: integer\n format: int64\n description: 'creation time as unix timestamp in milliseconds'\n updated_at:\n type: integer\n format: int64\n description: 'last update time as unix timestamp in milliseconds'\n last_use_at:\n type: integer\n format: int64\n description: last use time as unix timestamp in milliseconds\n expires_at:\n type: integer\n format: int64\n description: 'optional share expiration, as unix timestamp in milliseconds. 0 means no expiration'\n password:\n type: string\n description: 'optional password to protect the share. The special value \"[**redacted**]\" means that a password has been set, you can use this value if you want to preserve the current password when you update a share'\n max_tokens:\n type: integer\n description: 'maximum allowed access tokens. 0 means no limit'\n used_tokens:\n type: integer\n allow_from:\n type: array\n items:\n type: string\n description: 'Limit the share availability to these IP/Mask. IP/Mask must be in CIDR notation as defined in RFC 4632 and RFC 4291, for example \"192.0.2.0/24\" or \"2001:db8::/32\". An empty list means no restrictions'\n example:\n - 192.0.2.0/24\n - '2001:db8::/32'\n GroupUserSettings:\n type: object\n properties:\n home_dir:\n type: string\n max_sessions:\n type: integer\n format: int32\n quota_size:\n type: integer\n format: int64\n quota_files:\n type: integer\n format: int32\n permissions:\n type: object\n additionalProperties:\n type: array\n items:\n $ref: '#/components/schemas/Permission'\n minItems: 1\n minProperties: 1\n description: 'hash map with directory as key and an array of permissions as value. Directories must be absolute paths, permissions for root directory (\"/\") are required'\n example:\n /:\n - '*'\n /somedir:\n - list\n - download\n upload_bandwidth:\n type: integer\n description: 'Maximum upload bandwidth as KB/s'\n download_bandwidth:\n type: integer\n description: 'Maximum download bandwidth as KB/s'\n upload_data_transfer:\n type: integer\n description: 'Maximum data transfer allowed for uploads as MB'\n download_data_transfer:\n type: integer\n description: 'Maximum data transfer allowed for downloads as MB'\n total_data_transfer:\n type: integer\n description: 'Maximum total data transfer as MB'\n expires_in:\n type: integer\n description: 'Account expiration in number of days from creation. 0 means no expiration'\n filters:\n $ref: '#/components/schemas/BaseUserFilters'\n filesystem:\n $ref: '#/components/schemas/FilesystemConfig'\n Role:\n type: object\n properties:\n id:\n type: integer\n format: int32\n minimum: 1\n name:\n type: string\n description: name is unique\n description:\n type: string\n description: 'optional description'\n created_at:\n type: integer\n format: int64\n description: creation time as unix timestamp in milliseconds\n updated_at:\n type: integer\n format: int64\n description: last update time as unix timestamp in milliseconds\n users:\n type: array\n items:\n type: string\n description: list of usernames associated with this group\n admins:\n type: array\n items:\n type: string\n description: list of admins usernames associated with this group\n Group:\n type: object\n properties:\n id:\n type: integer\n format: int32\n minimum: 1\n name:\n type: string\n description: name is unique\n description:\n type: string\n description: 'optional description'\n created_at:\n type: integer\n format: int64\n description: creation time as unix timestamp in milliseconds\n updated_at:\n type: integer\n format: int64\n description: last update time as unix timestamp in milliseconds\n user_settings:\n $ref: '#/components/schemas/GroupUserSettings'\n virtual_folders:\n type: array\n items:\n $ref: '#/components/schemas/VirtualFolder'\n description: mapping between virtual SFTPGo paths and folders\n users:\n type: array\n items:\n type: string\n description: list of usernames associated with this group\n admins:\n type: array\n items:\n type: string\n description: list of admins usernames associated with this group\n GroupMapping:\n type: object\n properties:\n name:\n type: string\n description: group name\n type:\n enum:\n - 1\n - 2\n - 3\n description: |\n Group type:\n * `1` - Primary group\n * `2` - Secondary group\n * `3` - Membership only, no settings are inherited from this group type\n AdminGroupMappingOptions:\n type: object\n properties:\n add_to_users_as:\n enum:\n - 0\n - 1\n - 2\n description: |\n Add to new users as:\n * `0` - the admin's group will be added as membership group for new users\n * `1` - the admin's group will be added as primary group for new users\n * `2` - the admin's group will be added as secondary group for new users\n AdminGroupMapping:\n type: object\n properties:\n name:\n type: string\n description: group name\n options:\n $ref: '#/components/schemas/AdminGroupMappingOptions'\n BackupData:\n type: object\n properties:\n users:\n type: array\n items:\n $ref: '#/components/schemas/User'\n folders:\n type: array\n items:\n $ref: '#/components/schemas/BaseVirtualFolder'\n groups:\n type: array\n items:\n $ref: '#/components/schemas/Group'\n admins:\n type: array\n items:\n $ref: '#/components/schemas/Admin'\n api_keys:\n type: array\n items:\n $ref: '#/components/schemas/APIKey'\n shares:\n type: array\n items:\n $ref: '#/components/schemas/Share'\n event_actions:\n type: array\n items:\n $ref: '#/components/schemas/EventAction'\n event_rules:\n type: array\n items:\n $ref: '#/components/schemas/EventRule'\n roles:\n type: array\n items:\n $ref: '#/components/schemas/Role'\n version:\n type: integer\n PwdChange:\n type: object\n properties:\n current_password:\n type: string\n new_password:\n type: string\n DirEntry:\n type: object\n properties:\n name:\n type: string\n description: name of the file (or subdirectory) described by the entry. This name is the final element of the path (the base name), not the entire path\n size:\n type: integer\n format: int64\n description: file size, omitted for folders and non regular files\n mode:\n type: integer\n description: |\n File mode and permission bits. More details here: https://golang.org/pkg/io/fs/#FileMode.\n Let's see some examples:\n - for a directory mode&2147483648 != 0\n - for a symlink mode&134217728 != 0\n - for a regular file mode&2401763328 == 0\n last_modified:\n type: string\n format: date-time\n FsEvent:\n type: object\n properties:\n id:\n type: string\n timestamp:\n type: integer\n format: int64\n description: 'unix timestamp in nanoseconds'\n action:\n $ref: '#/components/schemas/FsEventAction'\n username:\n type: string\n fs_path:\n type: string\n fs_target_path:\n type: string\n virtual_path:\n type: string\n virtual_target_path:\n type: string\n ssh_cmd:\n type: string\n file_size:\n type: integer\n format: int64\n elapsed:\n type: integer\n format: int64\n description: elapsed time as milliseconds\n status:\n $ref: '#/components/schemas/FsEventStatus'\n protocol:\n $ref: '#/components/schemas/EventProtocols'\n ip:\n type: string\n session_id:\n type: string\n fs_provider:\n $ref: '#/components/schemas/FsProviders'\n bucket:\n type: string\n endpoint:\n type: string\n open_flags:\n type: string\n role:\n type: string\n instance_id:\n type: string\n ProviderEvent:\n type: object\n properties:\n id:\n type: string\n timestamp:\n type: integer\n format: int64\n description: 'unix timestamp in nanoseconds'\n action:\n $ref: '#/components/schemas/ProviderEventAction'\n username:\n type: string\n ip:\n type: string\n object_type:\n $ref: '#/components/schemas/ProviderEventObjectType'\n object_name:\n type: string\n object_data:\n type: string\n format: byte\n description: 'base64 of the JSON serialized object with sensitive fields removed'\n role:\n type: string\n instance_id:\n type: string\n LogEvent:\n type: object\n properties:\n id:\n type: string\n timestamp:\n type: integer\n format: int64\n description: 'unix timestamp in nanoseconds'\n event:\n $ref: '#/components/schemas/LogEventType'\n protocol:\n $ref: '#/components/schemas/EventProtocols'\n username:\n type: string\n ip:\n type: string\n message:\n type: string\n role:\n type: string\n instance_id:\n type: string\n KeyValue:\n type: object\n properties:\n key:\n type: string\n value:\n type: string\n RenameConfig:\n allOf:\n - $ref: '#/components/schemas/KeyValue'\n - type: object\n properties:\n update_modtime:\n type: boolean\n description: 'Update modification time. This setting is not recursive and only applies to storage providers that support changing modification times'\n HTTPPart:\n type: object\n properties:\n name:\n type: string\n headers:\n type: array\n items:\n $ref: '#/components/schemas/KeyValue'\n description: 'Additional headers. Content-Disposition header is automatically set. Content-Type header is automatically detect for files to attach'\n filepath:\n type: string\n description: 'path to the file to be sent as an attachment'\n body:\n type: string\n EventActionHTTPConfig:\n type: object\n properties:\n endpoint:\n type: string\n description: HTTP endpoint\n example: https://example.com\n username:\n type: string\n password:\n $ref: '#/components/schemas/Secret'\n headers:\n type: array\n items:\n $ref: '#/components/schemas/KeyValue'\n description: headers to add\n timeout:\n type: integer\n minimum: 1\n maximum: 180\n description: 'Ignored for multipart requests with files as attachments'\n skip_tls_verify:\n type: boolean\n description: 'if enabled the HTTP client accepts any TLS certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. This should be used only for testing.'\n method:\n type: string\n enum:\n - GET\n - POST\n - PUT\n - DELETE\n query_parameters:\n type: array\n items:\n $ref: '#/components/schemas/KeyValue'\n body:\n type: string\n description: HTTP POST/PUT body\n parts:\n type: array\n items:\n $ref: '#/components/schemas/HTTPPart'\n description: 'Multipart requests allow to combine one or more sets of data into a single body. For each part, you can set a file path or a body as text. Placeholders are supported in file path, body, header values.'\n EventActionCommandConfig:\n type: object\n properties:\n cmd:\n type: string\n description: absolute path to the command to execute\n args:\n type: array\n items:\n type: string\n description: 'command line arguments'\n timeout:\n type: integer\n minimum: 1\n maximum: 120\n env_vars:\n type: array\n items:\n $ref: '#/components/schemas/KeyValue'\n EventActionEmailConfig:\n type: object\n properties:\n recipients:\n type: array\n items:\n type: string\n bcc:\n type: array\n items:\n type: string\n subject:\n type: string\n body:\n type: string\n content_type:\n type: integer\n enum:\n - 0\n - 1\n description: |\n Content type:\n * `0` text/plain\n * `1` text/html\n attachments:\n type: array\n items:\n type: string\n description: 'list of file paths to attach. The total size is limited to 10 MB'\n EventActionDataRetentionConfig:\n type: object\n properties:\n folders:\n type: array\n items:\n $ref: '#/components/schemas/FolderRetention'\n EventActionFsCompress:\n type: object\n properties:\n name:\n type: string\n description: 'Full path to the (zip) archive to create. The parent dir must exist'\n paths:\n type: array\n items:\n type: string\n description: 'paths to add the archive'\n EventActionFilesystemConfig:\n type: object\n properties:\n type:\n $ref: '#/components/schemas/FilesystemActionTypes'\n renames:\n type: array\n items:\n $ref: '#/components/schemas/RenameConfig'\n mkdirs:\n type: array\n items:\n type: string\n deletes:\n type: array\n items:\n type: string\n exist:\n type: array\n items:\n type: string\n copy:\n type: array\n items:\n $ref: '#/components/schemas/KeyValue'\n compress:\n $ref: '#/components/schemas/EventActionFsCompress'\n EventActionPasswordExpiration:\n type: object\n properties:\n threshold:\n type: integer\n description: 'An email notification will be generated for users whose password expires in a number of days less than or equal to this threshold'\n EventActionUserInactivity:\n type: object\n properties:\n disable_threshold:\n type: integer\n description: 'Inactivity threshold, in days, before disabling the account'\n delete_threshold:\n type: integer\n description: 'Inactivity threshold, in days, before deleting the account'\n EventActionIDPAccountCheck:\n type: object\n properties:\n mode:\n type: integer\n enum:\n - 0\n - 1\n description: |\n Account check mode:\n * `0` Create or update the account\n * `1` Create the account if it doesn't exist\n template_user:\n type: string\n description: 'SFTPGo user template in JSON format'\n template_admin:\n type: string\n description: 'SFTPGo admin template in JSON format'\n BaseEventActionOptions:\n type: object\n properties:\n http_config:\n $ref: '#/components/schemas/EventActionHTTPConfig'\n cmd_config:\n $ref: '#/components/schemas/EventActionCommandConfig'\n email_config:\n $ref: '#/components/schemas/EventActionEmailConfig'\n retention_config:\n $ref: '#/components/schemas/EventActionDataRetentionConfig'\n fs_config:\n $ref: '#/components/schemas/EventActionFilesystemConfig'\n pwd_expiration_config:\n $ref: '#/components/schemas/EventActionPasswordExpiration'\n user_inactivity_config:\n $ref: '#/components/schemas/EventActionUserInactivity'\n idp_config:\n $ref: '#/components/schemas/EventActionIDPAccountCheck'\n BaseEventAction:\n type: object\n properties:\n id:\n type: integer\n format: int32\n minimum: 1\n name:\n type: string\n description: unique name\n description:\n type: string\n description: optional description\n type:\n $ref: '#/components/schemas/EventActionTypes'\n options:\n $ref: '#/components/schemas/BaseEventActionOptions'\n rules:\n type: array\n items:\n type: string\n description: list of event rules names associated with this action\n EventActionOptions:\n type: object\n properties:\n is_failure_action:\n type: boolean\n stop_on_failure:\n type: boolean\n execute_sync:\n type: boolean\n EventAction:\n allOf:\n - $ref: '#/components/schemas/BaseEventAction'\n - type: object\n properties:\n order:\n type: integer\n description: execution order\n relation_options:\n $ref: '#/components/schemas/EventActionOptions'\n EventActionMinimal:\n type: object\n properties:\n name:\n type: string\n order:\n type: integer\n description: execution order\n relation_options:\n $ref: '#/components/schemas/EventActionOptions'\n ConditionPattern:\n type: object\n properties:\n pattern:\n type: string\n inverse_match:\n type: boolean\n ConditionOptions:\n type: object\n properties:\n names:\n type: array\n items:\n $ref: '#/components/schemas/ConditionPattern'\n group_names:\n type: array\n items:\n $ref: '#/components/schemas/ConditionPattern'\n role_names:\n type: array\n items:\n $ref: '#/components/schemas/ConditionPattern'\n fs_paths:\n type: array\n items:\n $ref: '#/components/schemas/ConditionPattern'\n protocols:\n type: array\n items:\n type: string\n enum:\n - SFTP\n - SCP\n - SSH\n - FTP\n - DAV\n - HTTP\n - HTTPShare\n - OIDC\n provider_objects:\n type: array\n items:\n type: string\n enum:\n - user\n - group\n - admin\n - api_key\n - share\n - event_action\n - event_rule\n min_size:\n type: integer\n format: int64\n max_size:\n type: integer\n format: int64\n event_statuses:\n type: array\n items:\n type: integer\n enum:\n - 1\n - 2\n - 3\n description: |\n Event status:\n - `1` OK\n - `2` Failed\n - `3` Quota exceeded\n concurrent_execution:\n type: boolean\n description: allow concurrent execution from multiple nodes\n Schedule:\n type: object\n properties:\n hour:\n type: string\n day_of_week:\n type: string\n day_of_month:\n type: string\n month:\n type: string\n EventConditions:\n type: object\n properties:\n fs_events:\n type: array\n items:\n type: string\n enum:\n - upload\n - download\n - delete\n - rename\n - mkdir\n - rmdir\n - copy\n - ssh_cmd\n - pre-upload\n - pre-download\n - pre-delete\n - first-upload\n - first-download\n provider_events:\n type: array\n items:\n type: string\n enum:\n - add\n - update\n - delete\n schedules:\n type: array\n items:\n $ref: '#/components/schemas/Schedule'\n idp_login_event:\n type: integer\n enum:\n - 0\n - 1\n - 2\n description: |\n IDP login events:\n - `0` any login event\n - `1` user login event\n - `2` admin login event\n options:\n $ref: '#/components/schemas/ConditionOptions'\n BaseEventRule:\n type: object\n properties:\n id:\n type: integer\n format: int32\n minimum: 1\n name:\n type: string\n description: unique name\n status:\n type: integer\n enum:\n - 0\n - 1\n description: |\n status:\n * `0` disabled\n * `1` enabled\n description:\n type: string\n description: optional description\n created_at:\n type: integer\n format: int64\n description: creation time as unix timestamp in milliseconds\n updated_at:\n type: integer\n format: int64\n description: last update time as unix timestamp in millisecond\n trigger:\n $ref: '#/components/schemas/EventTriggerTypes'\n conditions:\n $ref: '#/components/schemas/EventConditions'\n EventRule:\n allOf:\n - $ref: '#/components/schemas/BaseEventRule'\n - type: object\n properties:\n actions:\n type: array\n items:\n $ref: '#/components/schemas/EventAction'\n EventRuleMinimal:\n allOf:\n - $ref: '#/components/schemas/BaseEventRule'\n - type: object\n properties:\n actions:\n type: array\n items:\n $ref: '#/components/schemas/EventActionMinimal'\n IPListEntry:\n type: object\n properties:\n ipornet:\n type: string\n description: IP address or network in CIDR format, for example `192.168.1.2/32`, `192.168.0.0/24`, `2001:db8::/32`\n description:\n type: string\n description: optional description\n type:\n $ref: '#/components/schemas/IPListType'\n mode:\n $ref: '#/components/schemas/IPListMode'\n protocols:\n type: integer\n description: Defines the protocol the entry applies to. `0` means all the supported protocols, 1 SSH, 2 FTP, 4 WebDAV, 8 HTTP. Protocols can be combined, for example 3 means SSH and FTP\n created_at:\n type: integer\n format: int64\n description: creation time as unix timestamp in milliseconds\n updated_at:\n type: integer\n format: int64\n description: last update time as unix timestamp in millisecond\n ApiResponse:\n type: object\n properties:\n message:\n type: string\n description: 'message, can be empty'\n error:\n type: string\n description: error description if any\n VersionInfo:\n type: object\n properties:\n version:\n type: string\n build_date:\n type: string\n commit_hash:\n type: string\n features:\n type: array\n items:\n type: string\n description: 'Features for the current build. Available features are `portable`, `bolt`, `mysql`, `sqlite`, `pgsql`, `s3`, `gcs`, `azblob`, `metrics`, `unixcrypt`. If a feature is available it has a `+` prefix, otherwise a `-` prefix'\n Token:\n type: object\n properties:\n access_token:\n type: string\n expires_at:\n type: string\n format: date-time\n securitySchemes:\n BasicAuth:\n type: http\n scheme: basic\n BearerAuth:\n type: http\n scheme: bearer\n bearerFormat: JWT\n APIKeyAuth:\n type: apiKey\n in: header\n name: X-SFTPGO-API-KEY\n description: 'API key to use for authentication. API key authentication is intrinsically less secure than using a short lived JWT token. You should prefer API key authentication only for machine-to-machine communications in trusted environments. If no admin/user is associated to the provided key you need to add \".username\" at the end of the key. For example if your API key is \"6ajKLwswLccVBGpZGv596G.ySAXc8vtp9hMiwAuaLtzof\" and you want to impersonate the admin with username \"myadmin\" you have to use \"6ajKLwswLccVBGpZGv596G.ySAXc8vtp9hMiwAuaLtzof.myadmin\" as API key. When using API key authentication you cannot manage API keys, update the impersonated admin, change password or public keys for the impersonated user.'\n" }, { "path": "openapi/swagger-ui/index.css", "content": "html {\n box-sizing: border-box;\n overflow: -moz-scrollbars-vertical;\n overflow-y: scroll;\n}\n\n*,\n*:before,\n*:after {\n box-sizing: inherit;\n}\n\nbody {\n margin: 0;\n background: #fafafa;\n}\n" }, { "path": "openapi/swagger-ui/index.html", "content": "\n\n\n \n \n Swagger UI\n \n \n \n \n \n\n \n
\n \n \n \n \n\n" }, { "path": "openapi/swagger-ui/swagger-initializer.js", "content": "window.onload = function() {\n //\n\n // the following lines will be replaced by docker/configurator, when it runs in a docker-container\n window.ui = SwaggerUIBundle({\n url: \"../openapi.yaml\",\n dom_id: '#swagger-ui',\n deepLinking: true,\n presets: [\n SwaggerUIBundle.presets.apis,\n SwaggerUIStandalonePreset\n ],\n plugins: [\n SwaggerUIBundle.plugins.DownloadUrl\n ],\n layout: \"StandaloneLayout\"\n });\n\n //\n};\n" }, { "path": "openapi/swagger-ui/swagger-ui-bundle.js", "content": "/*! For license information please see swagger-ui-bundle.js.LICENSE.txt */\n!function webpackUniversalModuleDefinition(s,o){\"object\"==typeof exports&&\"object\"==typeof module?module.exports=o():\"function\"==typeof define&&define.amd?define([],o):\"object\"==typeof exports?exports.SwaggerUIBundle=o():s.SwaggerUIBundle=o()}(this,(()=>(()=>{var s={251:(s,o)=>{o.read=function(s,o,i,a,u){var _,w,x=8*u-a-1,C=(1<>1,L=-7,B=i?u-1:0,$=i?-1:1,U=s[o+B];for(B+=$,_=U&(1<<-L)-1,U>>=-L,L+=x;L>0;_=256*_+s[o+B],B+=$,L-=8);for(w=_&(1<<-L)-1,_>>=-L,L+=a;L>0;w=256*w+s[o+B],B+=$,L-=8);if(0===_)_=1-j;else{if(_===C)return w?NaN:1/0*(U?-1:1);w+=Math.pow(2,a),_-=j}return(U?-1:1)*w*Math.pow(2,_-a)},o.write=function(s,o,i,a,u,_){var w,x,C,j=8*_-u-1,L=(1<>1,$=23===u?Math.pow(2,-24)-Math.pow(2,-77):0,U=a?0:_-1,V=a?1:-1,z=o<0||0===o&&1/o<0?1:0;for(o=Math.abs(o),isNaN(o)||o===1/0?(x=isNaN(o)?1:0,w=L):(w=Math.floor(Math.log(o)/Math.LN2),o*(C=Math.pow(2,-w))<1&&(w--,C*=2),(o+=w+B>=1?$/C:$*Math.pow(2,1-B))*C>=2&&(w++,C/=2),w+B>=L?(x=0,w=L):w+B>=1?(x=(o*C-1)*Math.pow(2,u),w+=B):(x=o*Math.pow(2,B-1)*Math.pow(2,u),w=0));u>=8;s[i+U]=255&x,U+=V,x/=256,u-=8);for(w=w<0;s[i+U]=255&w,U+=V,w/=256,j-=8);s[i+U-V]|=128*z}},462:(s,o,i)=>{\"use strict\";var a=i(40975);s.exports=a},659:(s,o,i)=>{var a=i(51873),u=Object.prototype,_=u.hasOwnProperty,w=u.toString,x=a?a.toStringTag:void 0;s.exports=function getRawTag(s){var o=_.call(s,x),i=s[x];try{s[x]=void 0;var a=!0}catch(s){}var u=w.call(s);return a&&(o?s[x]=i:delete s[x]),u}},694:(s,o,i)=>{\"use strict\";i(91599);var a=i(37257);i(12560),s.exports=a},953:(s,o,i)=>{\"use strict\";s.exports=i(53375)},1733:s=>{var o=/[^\\x00-\\x2f\\x3a-\\x40\\x5b-\\x60\\x7b-\\x7f]+/g;s.exports=function asciiWords(s){return s.match(o)||[]}},1882:(s,o,i)=>{var a=i(72552),u=i(23805);s.exports=function isFunction(s){if(!u(s))return!1;var o=a(s);return\"[object Function]\"==o||\"[object GeneratorFunction]\"==o||\"[object AsyncFunction]\"==o||\"[object Proxy]\"==o}},1907:(s,o,i)=>{\"use strict\";var a=i(41505),u=Function.prototype,_=u.call,w=a&&u.bind.bind(_,_);s.exports=a?w:function(s){return function(){return _.apply(s,arguments)}}},2205:function(s,o,i){var a;a=void 0!==i.g?i.g:this,s.exports=function(s){if(s.CSS&&s.CSS.escape)return s.CSS.escape;var cssEscape=function(s){if(0==arguments.length)throw new TypeError(\"`CSS.escape` requires an argument.\");for(var o,i=String(s),a=i.length,u=-1,_=\"\",w=i.charCodeAt(0);++u=1&&o<=31||127==o||0==u&&o>=48&&o<=57||1==u&&o>=48&&o<=57&&45==w?\"\\\\\"+o.toString(16)+\" \":0==u&&1==a&&45==o||!(o>=128||45==o||95==o||o>=48&&o<=57||o>=65&&o<=90||o>=97&&o<=122)?\"\\\\\"+i.charAt(u):i.charAt(u):_+=\"�\";return _};return s.CSS||(s.CSS={}),s.CSS.escape=cssEscape,cssEscape}(a)},2209:(s,o,i)=>{\"use strict\";var a,u=i(9404),_=function productionTypeChecker(){invariant(!1,\"ImmutablePropTypes type checking code is stripped in production.\")};_.isRequired=_;var w=function getProductionTypeChecker(){return _};function getPropType(s){var o=typeof s;return Array.isArray(s)?\"array\":s instanceof RegExp?\"object\":s instanceof u.Iterable?\"Immutable.\"+s.toSource().split(\" \")[0]:o}function createChainableTypeChecker(s){function checkType(o,i,a,u,_,w){for(var x=arguments.length,C=Array(x>6?x-6:0),j=6;j>\",null!=i[a]?s.apply(void 0,[i,a,u,_,w].concat(C)):o?new Error(\"Required \"+_+\" `\"+w+\"` was not specified in `\"+u+\"`.\"):void 0}var o=checkType.bind(null,!1);return o.isRequired=checkType.bind(null,!0),o}function createIterableSubclassTypeChecker(s,o){return function createImmutableTypeChecker(s,o){return createChainableTypeChecker((function validate(i,a,u,_,w){var x=i[a];if(!o(x)){var C=getPropType(x);return new Error(\"Invalid \"+_+\" `\"+w+\"` of type `\"+C+\"` supplied to `\"+u+\"`, expected `\"+s+\"`.\")}return null}))}(\"Iterable.\"+s,(function(s){return u.Iterable.isIterable(s)&&o(s)}))}(a={listOf:w,mapOf:w,orderedMapOf:w,setOf:w,orderedSetOf:w,stackOf:w,iterableOf:w,recordOf:w,shape:w,contains:w,mapContains:w,orderedMapContains:w,list:_,map:_,orderedMap:_,set:_,orderedSet:_,stack:_,seq:_,record:_,iterable:_}).iterable.indexed=createIterableSubclassTypeChecker(\"Indexed\",u.Iterable.isIndexed),a.iterable.keyed=createIterableSubclassTypeChecker(\"Keyed\",u.Iterable.isKeyed),s.exports=a},2404:(s,o,i)=>{var a=i(60270);s.exports=function isEqual(s,o){return a(s,o)}},2523:s=>{s.exports=function baseFindIndex(s,o,i,a){for(var u=s.length,_=i+(a?1:-1);a?_--:++_{\"use strict\";var a=i(45951),u=Object.defineProperty;s.exports=function(s,o){try{u(a,s,{value:o,configurable:!0,writable:!0})}catch(i){a[s]=o}return o}},2694:(s,o,i)=>{\"use strict\";var a=i(6925);function emptyFunction(){}function emptyFunctionWithReset(){}emptyFunctionWithReset.resetWarningCache=emptyFunction,s.exports=function(){function shim(s,o,i,u,_,w){if(w!==a){var x=new Error(\"Calling PropTypes validators directly is not supported by the `prop-types` package. Use PropTypes.checkPropTypes() to call them. Read more at http://fb.me/use-check-prop-types\");throw x.name=\"Invariant Violation\",x}}function getShim(){return shim}shim.isRequired=shim;var s={array:shim,bigint:shim,bool:shim,func:shim,number:shim,object:shim,string:shim,symbol:shim,any:shim,arrayOf:getShim,element:shim,elementType:shim,instanceOf:getShim,node:shim,objectOf:getShim,oneOf:getShim,oneOfType:getShim,shape:getShim,exact:getShim,checkPropTypes:emptyFunctionWithReset,resetWarningCache:emptyFunction};return s.PropTypes=s,s}},2874:s=>{s.exports={}},2875:(s,o,i)=>{\"use strict\";var a=i(23045),u=i(80376);s.exports=Object.keys||function keys(s){return a(s,u)}},2955:(s,o,i)=>{\"use strict\";var a,u=i(65606);function _defineProperty(s,o,i){return(o=function _toPropertyKey(s){var o=function _toPrimitive(s,o){if(\"object\"!=typeof s||null===s)return s;var i=s[Symbol.toPrimitive];if(void 0!==i){var a=i.call(s,o||\"default\");if(\"object\"!=typeof a)return a;throw new TypeError(\"@@toPrimitive must return a primitive value.\")}return(\"string\"===o?String:Number)(s)}(s,\"string\");return\"symbol\"==typeof o?o:String(o)}(o))in s?Object.defineProperty(s,o,{value:i,enumerable:!0,configurable:!0,writable:!0}):s[o]=i,s}var _=i(86238),w=Symbol(\"lastResolve\"),x=Symbol(\"lastReject\"),C=Symbol(\"error\"),j=Symbol(\"ended\"),L=Symbol(\"lastPromise\"),B=Symbol(\"handlePromise\"),$=Symbol(\"stream\");function createIterResult(s,o){return{value:s,done:o}}function readAndResolve(s){var o=s[w];if(null!==o){var i=s[$].read();null!==i&&(s[L]=null,s[w]=null,s[x]=null,o(createIterResult(i,!1)))}}function onReadable(s){u.nextTick(readAndResolve,s)}var U=Object.getPrototypeOf((function(){})),V=Object.setPrototypeOf((_defineProperty(a={get stream(){return this[$]},next:function next(){var s=this,o=this[C];if(null!==o)return Promise.reject(o);if(this[j])return Promise.resolve(createIterResult(void 0,!0));if(this[$].destroyed)return new Promise((function(o,i){u.nextTick((function(){s[C]?i(s[C]):o(createIterResult(void 0,!0))}))}));var i,a=this[L];if(a)i=new Promise(function wrapForNext(s,o){return function(i,a){s.then((function(){o[j]?i(createIterResult(void 0,!0)):o[B](i,a)}),a)}}(a,this));else{var _=this[$].read();if(null!==_)return Promise.resolve(createIterResult(_,!1));i=new Promise(this[B])}return this[L]=i,i}},Symbol.asyncIterator,(function(){return this})),_defineProperty(a,\"return\",(function _return(){var s=this;return new Promise((function(o,i){s[$].destroy(null,(function(s){s?i(s):o(createIterResult(void 0,!0))}))}))})),a),U);s.exports=function createReadableStreamAsyncIterator(s){var o,i=Object.create(V,(_defineProperty(o={},$,{value:s,writable:!0}),_defineProperty(o,w,{value:null,writable:!0}),_defineProperty(o,x,{value:null,writable:!0}),_defineProperty(o,C,{value:null,writable:!0}),_defineProperty(o,j,{value:s._readableState.endEmitted,writable:!0}),_defineProperty(o,B,{value:function value(s,o){var a=i[$].read();a?(i[L]=null,i[w]=null,i[x]=null,s(createIterResult(a,!1))):(i[w]=s,i[x]=o)},writable:!0}),o));return i[L]=null,_(s,(function(s){if(s&&\"ERR_STREAM_PREMATURE_CLOSE\"!==s.code){var o=i[x];return null!==o&&(i[L]=null,i[w]=null,i[x]=null,o(s)),void(i[C]=s)}var a=i[w];null!==a&&(i[L]=null,i[w]=null,i[x]=null,a(createIterResult(void 0,!0))),i[j]=!0})),s.on(\"readable\",onReadable.bind(null,i)),i}},3110:(s,o,i)=>{const a=i(5187),u=i(85015),_=i(98023),w=i(53812),x=i(23805),C=i(85105),j=i(86804);class Namespace{constructor(s){this.elementMap={},this.elementDetection=[],this.Element=j.Element,this.KeyValuePair=j.KeyValuePair,s&&s.noDefault||this.useDefault(),this._attributeElementKeys=[],this._attributeElementArrayKeys=[]}use(s){return s.namespace&&s.namespace({base:this}),s.load&&s.load({base:this}),this}useDefault(){return this.register(\"null\",j.NullElement).register(\"string\",j.StringElement).register(\"number\",j.NumberElement).register(\"boolean\",j.BooleanElement).register(\"array\",j.ArrayElement).register(\"object\",j.ObjectElement).register(\"member\",j.MemberElement).register(\"ref\",j.RefElement).register(\"link\",j.LinkElement),this.detect(a,j.NullElement,!1).detect(u,j.StringElement,!1).detect(_,j.NumberElement,!1).detect(w,j.BooleanElement,!1).detect(Array.isArray,j.ArrayElement,!1).detect(x,j.ObjectElement,!1),this}register(s,o){return this._elements=void 0,this.elementMap[s]=o,this}unregister(s){return this._elements=void 0,delete this.elementMap[s],this}detect(s,o,i){return void 0===i||i?this.elementDetection.unshift([s,o]):this.elementDetection.push([s,o]),this}toElement(s){if(s instanceof this.Element)return s;let o;for(let i=0;i{const o=s[0].toUpperCase()+s.substr(1);this._elements[o]=this.elementMap[s]}))),this._elements}get serialiser(){return new C(this)}}C.prototype.Namespace=Namespace,s.exports=Namespace},3121:(s,o,i)=>{\"use strict\";var a=i(65482),u=Math.min;s.exports=function(s){var o=a(s);return o>0?u(o,9007199254740991):0}},3209:(s,o,i)=>{var a=i(91596),u=i(53320),_=i(36306),w=\"__lodash_placeholder__\",x=128,C=Math.min;s.exports=function mergeData(s,o){var i=s[1],j=o[1],L=i|j,B=L<131,$=j==x&&8==i||j==x&&256==i&&s[7].length<=o[8]||384==j&&o[7].length<=o[8]&&8==i;if(!B&&!$)return s;1&j&&(s[2]=o[2],L|=1&i?0:4);var U=o[3];if(U){var V=s[3];s[3]=V?a(V,U,o[4]):U,s[4]=V?_(s[3],w):o[4]}return(U=o[5])&&(V=s[5],s[5]=V?u(V,U,o[6]):U,s[6]=V?_(s[5],w):o[6]),(U=o[7])&&(s[7]=U),j&x&&(s[8]=null==s[8]?o[8]:C(s[8],o[8])),null==s[9]&&(s[9]=o[9]),s[0]=o[0],s[1]=L,s}},3650:(s,o,i)=>{var a=i(74335)(Object.keys,Object);s.exports=a},3656:(s,o,i)=>{s=i.nmd(s);var a=i(9325),u=i(89935),_=o&&!o.nodeType&&o,w=_&&s&&!s.nodeType&&s,x=w&&w.exports===_?a.Buffer:void 0,C=(x?x.isBuffer:void 0)||u;s.exports=C},4509:(s,o,i)=>{var a=i(12651);s.exports=function mapCacheHas(s){return a(this,s).has(s)}},4640:s=>{\"use strict\";var o=String;s.exports=function(s){try{return o(s)}catch(s){return\"Object\"}}},4664:(s,o,i)=>{var a=i(79770),u=i(63345),_=Object.prototype.propertyIsEnumerable,w=Object.getOwnPropertySymbols,x=w?function(s){return null==s?[]:(s=Object(s),a(w(s),(function(o){return _.call(s,o)})))}:u;s.exports=x},4901:(s,o,i)=>{var a=i(72552),u=i(30294),_=i(40346),w={};w[\"[object Float32Array]\"]=w[\"[object Float64Array]\"]=w[\"[object Int8Array]\"]=w[\"[object Int16Array]\"]=w[\"[object Int32Array]\"]=w[\"[object Uint8Array]\"]=w[\"[object Uint8ClampedArray]\"]=w[\"[object Uint16Array]\"]=w[\"[object Uint32Array]\"]=!0,w[\"[object Arguments]\"]=w[\"[object Array]\"]=w[\"[object ArrayBuffer]\"]=w[\"[object Boolean]\"]=w[\"[object DataView]\"]=w[\"[object Date]\"]=w[\"[object Error]\"]=w[\"[object Function]\"]=w[\"[object Map]\"]=w[\"[object Number]\"]=w[\"[object Object]\"]=w[\"[object RegExp]\"]=w[\"[object Set]\"]=w[\"[object String]\"]=w[\"[object WeakMap]\"]=!1,s.exports=function baseIsTypedArray(s){return _(s)&&u(s.length)&&!!w[a(s)]}},4993:(s,o,i)=>{\"use strict\";var a=i(16946),u=i(74239);s.exports=function(s){return a(u(s))}},5187:s=>{s.exports=function isNull(s){return null===s}},5419:s=>{s.exports=function(s,o,i,a){var u=new Blob(void 0!==a?[a,s]:[s],{type:i||\"application/octet-stream\"});if(void 0!==window.navigator.msSaveBlob)window.navigator.msSaveBlob(u,o);else{var _=window.URL&&window.URL.createObjectURL?window.URL.createObjectURL(u):window.webkitURL.createObjectURL(u),w=document.createElement(\"a\");w.style.display=\"none\",w.href=_,w.setAttribute(\"download\",o),void 0===w.download&&w.setAttribute(\"target\",\"_blank\"),document.body.appendChild(w),w.click(),setTimeout((function(){document.body.removeChild(w),window.URL.revokeObjectURL(_)}),200)}}},5556:(s,o,i)=>{s.exports=i(2694)()},5861:(s,o,i)=>{var a=i(55580),u=i(68223),_=i(32804),w=i(76545),x=i(28303),C=i(72552),j=i(47473),L=\"[object Map]\",B=\"[object Promise]\",$=\"[object Set]\",U=\"[object WeakMap]\",V=\"[object DataView]\",z=j(a),Y=j(u),Z=j(_),ee=j(w),ie=j(x),ae=C;(a&&ae(new a(new ArrayBuffer(1)))!=V||u&&ae(new u)!=L||_&&ae(_.resolve())!=B||w&&ae(new w)!=$||x&&ae(new x)!=U)&&(ae=function(s){var o=C(s),i=\"[object Object]\"==o?s.constructor:void 0,a=i?j(i):\"\";if(a)switch(a){case z:return V;case Y:return L;case Z:return B;case ee:return $;case ie:return U}return o}),s.exports=ae},6048:s=>{s.exports=function negate(s){if(\"function\"!=typeof s)throw new TypeError(\"Expected a function\");return function(){var o=arguments;switch(o.length){case 0:return!s.call(this);case 1:return!s.call(this,o[0]);case 2:return!s.call(this,o[0],o[1]);case 3:return!s.call(this,o[0],o[1],o[2])}return!s.apply(this,o)}}},6188:s=>{\"use strict\";s.exports=Math.max},6205:s=>{s.exports={ROOT:0,GROUP:1,POSITION:2,SET:3,RANGE:4,REPETITION:5,REFERENCE:6,CHAR:7}},6233:(s,o,i)=>{const a=i(6048),u=i(10316),_=i(92340);class ArrayElement extends u{constructor(s,o,i){super(s||[],o,i),this.element=\"array\"}primitive(){return\"array\"}get(s){return this.content[s]}getValue(s){const o=this.get(s);if(o)return o.toValue()}getIndex(s){return this.content[s]}set(s,o){return this.content[s]=this.refract(o),this}remove(s){const o=this.content.splice(s,1);return o.length?o[0]:null}map(s,o){return this.content.map(s,o)}flatMap(s,o){return this.map(s,o).reduce(((s,o)=>s.concat(o)),[])}compactMap(s,o){const i=[];return this.forEach((a=>{const u=s.bind(o)(a);u&&i.push(u)})),i}filter(s,o){return new _(this.content.filter(s,o))}reject(s,o){return this.filter(a(s),o)}reduce(s,o){let i,a;void 0!==o?(i=0,a=this.refract(o)):(i=1,a=\"object\"===this.primitive()?this.first.value:this.first);for(let o=i;o{s.bind(o)(i,this.refract(a))}))}shift(){return this.content.shift()}unshift(s){this.content.unshift(this.refract(s))}push(s){return this.content.push(this.refract(s)),this}add(s){this.push(s)}findElements(s,o){const i=o||{},a=!!i.recursive,u=void 0===i.results?[]:i.results;return this.forEach(((o,i,_)=>{a&&void 0!==o.findElements&&o.findElements(s,{results:u,recursive:a}),s(o,i,_)&&u.push(o)})),u}find(s){return new _(this.findElements(s,{recursive:!0}))}findByElement(s){return this.find((o=>o.element===s))}findByClass(s){return this.find((o=>o.classes.includes(s)))}getById(s){return this.find((o=>o.id.toValue()===s)).first}includes(s){return this.content.some((o=>o.equals(s)))}contains(s){return this.includes(s)}empty(){return new this.constructor([])}\"fantasy-land/empty\"(){return this.empty()}concat(s){return new this.constructor(this.content.concat(s.content))}\"fantasy-land/concat\"(s){return this.concat(s)}\"fantasy-land/map\"(s){return new this.constructor(this.map(s))}\"fantasy-land/chain\"(s){return this.map((o=>s(o)),this).reduce(((s,o)=>s.concat(o)),this.empty())}\"fantasy-land/filter\"(s){return new this.constructor(this.content.filter(s))}\"fantasy-land/reduce\"(s,o){return this.content.reduce(s,o)}get length(){return this.content.length}get isEmpty(){return 0===this.content.length}get first(){return this.getIndex(0)}get second(){return this.getIndex(1)}get last(){return this.getIndex(this.length-1)}}ArrayElement.empty=function empty(){return new this},ArrayElement[\"fantasy-land/empty\"]=ArrayElement.empty,\"undefined\"!=typeof Symbol&&(ArrayElement.prototype[Symbol.iterator]=function symbol(){return this.content[Symbol.iterator]()}),s.exports=ArrayElement},6499:(s,o,i)=>{\"use strict\";var a=i(1907),u=0,_=Math.random(),w=a(1..toString);s.exports=function(s){return\"Symbol(\"+(void 0===s?\"\":s)+\")_\"+w(++u+_,36)}},6549:s=>{\"use strict\";s.exports=Object.getOwnPropertyDescriptor},6925:s=>{\"use strict\";s.exports=\"SECRET_DO_NOT_PASS_THIS_OR_YOU_WILL_BE_FIRED\"},7057:(s,o,i)=>{\"use strict\";var a=i(11470).charAt,u=i(90160),_=i(64932),w=i(60183),x=i(59550),C=\"String Iterator\",j=_.set,L=_.getterFor(C);w(String,\"String\",(function(s){j(this,{type:C,string:u(s),index:0})}),(function next(){var s,o=L(this),i=o.string,u=o.index;return u>=i.length?x(void 0,!0):(s=a(i,u),o.index+=s.length,x(s,!1))}))},7176:(s,o,i)=>{\"use strict\";var a,u=i(73126),_=i(75795);try{a=[].__proto__===Array.prototype}catch(s){if(!s||\"object\"!=typeof s||!(\"code\"in s)||\"ERR_PROTO_ACCESS\"!==s.code)throw s}var w=!!a&&_&&_(Object.prototype,\"__proto__\"),x=Object,C=x.getPrototypeOf;s.exports=w&&\"function\"==typeof w.get?u([w.get]):\"function\"==typeof C&&function getDunder(s){return C(null==s?s:x(s))}},7309:(s,o,i)=>{var a=i(62006)(i(24713));s.exports=a},7376:s=>{\"use strict\";s.exports=!0},7463:(s,o,i)=>{\"use strict\";var a=i(98828),u=i(62250),_=/#|\\.prototype\\./,isForced=function(s,o){var i=x[w(s)];return i===j||i!==C&&(u(o)?a(o):!!o)},w=isForced.normalize=function(s){return String(s).replace(_,\".\").toLowerCase()},x=isForced.data={},C=isForced.NATIVE=\"N\",j=isForced.POLYFILL=\"P\";s.exports=isForced},7666:(s,o,i)=>{var a=i(84851),u=i(953);function _extends(){var o;return s.exports=_extends=a?u(o=a).call(o):function(s){for(var o=1;o{const a=i(6205);o.wordBoundary=()=>({type:a.POSITION,value:\"b\"}),o.nonWordBoundary=()=>({type:a.POSITION,value:\"B\"}),o.begin=()=>({type:a.POSITION,value:\"^\"}),o.end=()=>({type:a.POSITION,value:\"$\"})},8068:s=>{\"use strict\";var o=(()=>{var s=Object.defineProperty,o=Object.getOwnPropertyDescriptor,i=Object.getOwnPropertyNames,a=Object.getOwnPropertySymbols,u=Object.prototype.hasOwnProperty,_=Object.prototype.propertyIsEnumerable,__defNormalProp=(o,i,a)=>i in o?s(o,i,{enumerable:!0,configurable:!0,writable:!0,value:a}):o[i]=a,__spreadValues=(s,o)=>{for(var i in o||(o={}))u.call(o,i)&&__defNormalProp(s,i,o[i]);if(a)for(var i of a(o))_.call(o,i)&&__defNormalProp(s,i,o[i]);return s},__publicField=(s,o,i)=>__defNormalProp(s,\"symbol\"!=typeof o?o+\"\":o,i),w={};((o,i)=>{for(var a in i)s(o,a,{get:i[a],enumerable:!0})})(w,{DEFAULT_OPTIONS:()=>C,DEFAULT_UUID_LENGTH:()=>x,default:()=>B});var x=6,C={dictionary:\"alphanum\",shuffle:!0,debug:!1,length:x,counter:0},j=class _ShortUniqueId{constructor(s={}){__publicField(this,\"counter\"),__publicField(this,\"debug\"),__publicField(this,\"dict\"),__publicField(this,\"version\"),__publicField(this,\"dictIndex\",0),__publicField(this,\"dictRange\",[]),__publicField(this,\"lowerBound\",0),__publicField(this,\"upperBound\",0),__publicField(this,\"dictLength\",0),__publicField(this,\"uuidLength\"),__publicField(this,\"_digit_first_ascii\",48),__publicField(this,\"_digit_last_ascii\",58),__publicField(this,\"_alpha_lower_first_ascii\",97),__publicField(this,\"_alpha_lower_last_ascii\",123),__publicField(this,\"_hex_last_ascii\",103),__publicField(this,\"_alpha_upper_first_ascii\",65),__publicField(this,\"_alpha_upper_last_ascii\",91),__publicField(this,\"_number_dict_ranges\",{digits:[this._digit_first_ascii,this._digit_last_ascii]}),__publicField(this,\"_alpha_dict_ranges\",{lowerCase:[this._alpha_lower_first_ascii,this._alpha_lower_last_ascii],upperCase:[this._alpha_upper_first_ascii,this._alpha_upper_last_ascii]}),__publicField(this,\"_alpha_lower_dict_ranges\",{lowerCase:[this._alpha_lower_first_ascii,this._alpha_lower_last_ascii]}),__publicField(this,\"_alpha_upper_dict_ranges\",{upperCase:[this._alpha_upper_first_ascii,this._alpha_upper_last_ascii]}),__publicField(this,\"_alphanum_dict_ranges\",{digits:[this._digit_first_ascii,this._digit_last_ascii],lowerCase:[this._alpha_lower_first_ascii,this._alpha_lower_last_ascii],upperCase:[this._alpha_upper_first_ascii,this._alpha_upper_last_ascii]}),__publicField(this,\"_alphanum_lower_dict_ranges\",{digits:[this._digit_first_ascii,this._digit_last_ascii],lowerCase:[this._alpha_lower_first_ascii,this._alpha_lower_last_ascii]}),__publicField(this,\"_alphanum_upper_dict_ranges\",{digits:[this._digit_first_ascii,this._digit_last_ascii],upperCase:[this._alpha_upper_first_ascii,this._alpha_upper_last_ascii]}),__publicField(this,\"_hex_dict_ranges\",{decDigits:[this._digit_first_ascii,this._digit_last_ascii],alphaDigits:[this._alpha_lower_first_ascii,this._hex_last_ascii]}),__publicField(this,\"_dict_ranges\",{_number_dict_ranges:this._number_dict_ranges,_alpha_dict_ranges:this._alpha_dict_ranges,_alpha_lower_dict_ranges:this._alpha_lower_dict_ranges,_alpha_upper_dict_ranges:this._alpha_upper_dict_ranges,_alphanum_dict_ranges:this._alphanum_dict_ranges,_alphanum_lower_dict_ranges:this._alphanum_lower_dict_ranges,_alphanum_upper_dict_ranges:this._alphanum_upper_dict_ranges,_hex_dict_ranges:this._hex_dict_ranges}),__publicField(this,\"log\",((...s)=>{const o=[...s];o[0]=\"[short-unique-id] \".concat(s[0]),!0!==this.debug||\"undefined\"==typeof console||null===console||console.log(...o)})),__publicField(this,\"_normalizeDictionary\",((s,o)=>{let i;if(s&&Array.isArray(s)&&s.length>1)i=s;else{i=[],this.dictIndex=0;const o=\"_\".concat(s,\"_dict_ranges\"),a=this._dict_ranges[o];let u=0;for(const[,s]of Object.entries(a)){const[o,i]=s;u+=Math.abs(i-o)}i=new Array(u);let _=0;for(const[,s]of Object.entries(a)){this.dictRange=s,this.lowerBound=this.dictRange[0],this.upperBound=this.dictRange[1];const o=this.lowerBound<=this.upperBound,a=this.lowerBound,u=this.upperBound;if(o)for(let s=a;su;s--)i[_++]=String.fromCharCode(s),this.dictIndex=s}i.length=_}if(o){for(let s=i.length-1;s>0;s--){const o=Math.floor(Math.random()*(s+1));[i[s],i[o]]=[i[o],i[s]]}}return i})),__publicField(this,\"setDictionary\",((s,o)=>{this.dict=this._normalizeDictionary(s,o),this.dictLength=this.dict.length,this.setCounter(0)})),__publicField(this,\"seq\",(()=>this.sequentialUUID())),__publicField(this,\"sequentialUUID\",(()=>{const s=this.dictLength,o=this.dict;let i=this.counter;const a=[];do{const u=i%s;i=Math.trunc(i/s),a.push(o[u])}while(0!==i);const u=a.join(\"\");return this.counter+=1,u})),__publicField(this,\"rnd\",((s=this.uuidLength||x)=>this.randomUUID(s))),__publicField(this,\"randomUUID\",((s=this.uuidLength||x)=>{if(null==s||s<1)throw new Error(\"Invalid UUID Length Provided\");const o=new Array(s),i=this.dictLength,a=this.dict;for(let u=0;uthis.formattedUUID(s,o))),__publicField(this,\"formattedUUID\",((s,o)=>{const i={$r:this.randomUUID,$s:this.sequentialUUID,$t:this.stamp};return s.replace(/\\$[rs]\\d{0,}|\\$t0|\\$t[1-9]\\d{1,}/g,(s=>{const a=s.slice(0,2),u=Number.parseInt(s.slice(2),10);return\"$s\"===a?i[a]().padStart(u,\"0\"):\"$t\"===a&&o?i[a](u,o):i[a](u)}))})),__publicField(this,\"availableUUIDs\",((s=this.uuidLength)=>Number.parseFloat(([...new Set(this.dict)].length**s).toFixed(0)))),__publicField(this,\"_collisionCache\",new Map),__publicField(this,\"approxMaxBeforeCollision\",((s=this.availableUUIDs(this.uuidLength))=>{const o=s,i=this._collisionCache.get(o);if(void 0!==i)return i;const a=Number.parseFloat(Math.sqrt(Math.PI/2*s).toFixed(20));return this._collisionCache.set(o,a),a})),__publicField(this,\"collisionProbability\",((s=this.availableUUIDs(this.uuidLength),o=this.uuidLength)=>Number.parseFloat((this.approxMaxBeforeCollision(s)/this.availableUUIDs(o)).toFixed(20)))),__publicField(this,\"uniqueness\",((s=this.availableUUIDs(this.uuidLength))=>{const o=Number.parseFloat((1-this.approxMaxBeforeCollision(s)/s).toFixed(20));return o>1?1:o<0?0:o})),__publicField(this,\"getVersion\",(()=>this.version)),__publicField(this,\"stamp\",((s,o)=>{const i=Math.floor(+(o||new Date)/1e3).toString(16);if(\"number\"==typeof s&&0===s)return i;if(\"number\"!=typeof s||s<10)throw new Error([\"Param finalLength must be a number greater than or equal to 10,\",\"or 0 if you want the raw hexadecimal timestamp\"].join(\"\\n\"));const a=s-9,u=Math.round(Math.random()*(a>15?15:a)),_=this.randomUUID(a);return\"\".concat(_.substring(0,u)).concat(i).concat(_.substring(u)).concat(u.toString(16))})),__publicField(this,\"parseStamp\",((s,o)=>{if(o&&!/t0|t[1-9]\\d{1,}/.test(o))throw new Error(\"Cannot extract date from a formated UUID with no timestamp in the format\");const i=o?o.replace(/\\$[rs]\\d{0,}|\\$t0|\\$t[1-9]\\d{1,}/g,(s=>{const o={$r:s=>[...Array(s)].map((()=>\"r\")).join(\"\"),$s:s=>[...Array(s)].map((()=>\"s\")).join(\"\"),$t:s=>[...Array(s)].map((()=>\"t\")).join(\"\")},i=s.slice(0,2),a=Number.parseInt(s.slice(2),10);return o[i](a)})).replace(/^(.*?)(t{8,})(.*)$/g,((o,i,a)=>s.substring(i.length,i.length+a.length))):s;if(8===i.length)return new Date(1e3*Number.parseInt(i,16));if(i.length<10)throw new Error(\"Stamp length invalid\");const a=Number.parseInt(i.substring(i.length-1),16);return new Date(1e3*Number.parseInt(i.substring(a,a+8),16))})),__publicField(this,\"setCounter\",(s=>{this.counter=s})),__publicField(this,\"validate\",((s,o)=>{const i=o?this._normalizeDictionary(o):this.dict;return s.split(\"\").every((s=>i.includes(s)))}));const o=__spreadValues(__spreadValues({},C),s);this.counter=0,this.debug=!1,this.dict=[],this.version=\"5.3.2\";const{dictionary:i,shuffle:a,length:u,counter:_}=o;this.uuidLength=u,this.setDictionary(i,a),this.setCounter(_),this.debug=o.debug,this.log(this.dict),this.log(\"Generator instantiated with Dictionary Size \".concat(this.dictLength,\" and counter set to \").concat(this.counter)),this.log=this.log.bind(this),this.setDictionary=this.setDictionary.bind(this),this.setCounter=this.setCounter.bind(this),this.seq=this.seq.bind(this),this.sequentialUUID=this.sequentialUUID.bind(this),this.rnd=this.rnd.bind(this),this.randomUUID=this.randomUUID.bind(this),this.fmt=this.fmt.bind(this),this.formattedUUID=this.formattedUUID.bind(this),this.availableUUIDs=this.availableUUIDs.bind(this),this.approxMaxBeforeCollision=this.approxMaxBeforeCollision.bind(this),this.collisionProbability=this.collisionProbability.bind(this),this.uniqueness=this.uniqueness.bind(this),this.getVersion=this.getVersion.bind(this),this.stamp=this.stamp.bind(this),this.parseStamp=this.parseStamp.bind(this)}};__publicField(j,\"default\",j);var L,B=j;return L=w,((a,_,w,x)=>{if(_&&\"object\"==typeof _||\"function\"==typeof _)for(let C of i(_))u.call(a,C)||C===w||s(a,C,{get:()=>_[C],enumerable:!(x=o(_,C))||x.enumerable});return a})(s({},\"__esModule\",{value:!0}),L)})();s.exports=o.default,\"undefined\"!=typeof window&&(o=o.default)},9325:(s,o,i)=>{var a=i(34840),u=\"object\"==typeof self&&self&&self.Object===Object&&self,_=a||u||Function(\"return this\")();s.exports=_},9404:function(s){s.exports=function(){\"use strict\";var s=Array.prototype.slice;function createClass(s,o){o&&(s.prototype=Object.create(o.prototype)),s.prototype.constructor=s}function Iterable(s){return isIterable(s)?s:Seq(s)}function KeyedIterable(s){return isKeyed(s)?s:KeyedSeq(s)}function IndexedIterable(s){return isIndexed(s)?s:IndexedSeq(s)}function SetIterable(s){return isIterable(s)&&!isAssociative(s)?s:SetSeq(s)}function isIterable(s){return!(!s||!s[o])}function isKeyed(s){return!(!s||!s[i])}function isIndexed(s){return!(!s||!s[a])}function isAssociative(s){return isKeyed(s)||isIndexed(s)}function isOrdered(s){return!(!s||!s[u])}createClass(KeyedIterable,Iterable),createClass(IndexedIterable,Iterable),createClass(SetIterable,Iterable),Iterable.isIterable=isIterable,Iterable.isKeyed=isKeyed,Iterable.isIndexed=isIndexed,Iterable.isAssociative=isAssociative,Iterable.isOrdered=isOrdered,Iterable.Keyed=KeyedIterable,Iterable.Indexed=IndexedIterable,Iterable.Set=SetIterable;var o=\"@@__IMMUTABLE_ITERABLE__@@\",i=\"@@__IMMUTABLE_KEYED__@@\",a=\"@@__IMMUTABLE_INDEXED__@@\",u=\"@@__IMMUTABLE_ORDERED__@@\",_=\"delete\",w=5,x=1<>>0;if(\"\"+i!==o||4294967295===i)return NaN;o=i}return o<0?ensureSize(s)+o:o}function returnTrue(){return!0}function wholeSlice(s,o,i){return(0===s||void 0!==i&&s<=-i)&&(void 0===o||void 0!==i&&o>=i)}function resolveBegin(s,o){return resolveIndex(s,o,0)}function resolveEnd(s,o){return resolveIndex(s,o,o)}function resolveIndex(s,o,i){return void 0===s?i:s<0?Math.max(0,o+s):void 0===o?s:Math.min(o,s)}var $=0,U=1,V=2,z=\"function\"==typeof Symbol&&Symbol.iterator,Y=\"@@iterator\",Z=z||Y;function Iterator(s){this.next=s}function iteratorValue(s,o,i,a){var u=0===s?o:1===s?i:[o,i];return a?a.value=u:a={value:u,done:!1},a}function iteratorDone(){return{value:void 0,done:!0}}function hasIterator(s){return!!getIteratorFn(s)}function isIterator(s){return s&&\"function\"==typeof s.next}function getIterator(s){var o=getIteratorFn(s);return o&&o.call(s)}function getIteratorFn(s){var o=s&&(z&&s[z]||s[Y]);if(\"function\"==typeof o)return o}function isArrayLike(s){return s&&\"number\"==typeof s.length}function Seq(s){return null==s?emptySequence():isIterable(s)?s.toSeq():seqFromValue(s)}function KeyedSeq(s){return null==s?emptySequence().toKeyedSeq():isIterable(s)?isKeyed(s)?s.toSeq():s.fromEntrySeq():keyedSeqFromValue(s)}function IndexedSeq(s){return null==s?emptySequence():isIterable(s)?isKeyed(s)?s.entrySeq():s.toIndexedSeq():indexedSeqFromValue(s)}function SetSeq(s){return(null==s?emptySequence():isIterable(s)?isKeyed(s)?s.entrySeq():s:indexedSeqFromValue(s)).toSetSeq()}Iterator.prototype.toString=function(){return\"[Iterator]\"},Iterator.KEYS=$,Iterator.VALUES=U,Iterator.ENTRIES=V,Iterator.prototype.inspect=Iterator.prototype.toSource=function(){return this.toString()},Iterator.prototype[Z]=function(){return this},createClass(Seq,Iterable),Seq.of=function(){return Seq(arguments)},Seq.prototype.toSeq=function(){return this},Seq.prototype.toString=function(){return this.__toString(\"Seq {\",\"}\")},Seq.prototype.cacheResult=function(){return!this._cache&&this.__iterateUncached&&(this._cache=this.entrySeq().toArray(),this.size=this._cache.length),this},Seq.prototype.__iterate=function(s,o){return seqIterate(this,s,o,!0)},Seq.prototype.__iterator=function(s,o){return seqIterator(this,s,o,!0)},createClass(KeyedSeq,Seq),KeyedSeq.prototype.toKeyedSeq=function(){return this},createClass(IndexedSeq,Seq),IndexedSeq.of=function(){return IndexedSeq(arguments)},IndexedSeq.prototype.toIndexedSeq=function(){return this},IndexedSeq.prototype.toString=function(){return this.__toString(\"Seq [\",\"]\")},IndexedSeq.prototype.__iterate=function(s,o){return seqIterate(this,s,o,!1)},IndexedSeq.prototype.__iterator=function(s,o){return seqIterator(this,s,o,!1)},createClass(SetSeq,Seq),SetSeq.of=function(){return SetSeq(arguments)},SetSeq.prototype.toSetSeq=function(){return this},Seq.isSeq=isSeq,Seq.Keyed=KeyedSeq,Seq.Set=SetSeq,Seq.Indexed=IndexedSeq;var ee,ie,ae,ce=\"@@__IMMUTABLE_SEQ__@@\";function ArraySeq(s){this._array=s,this.size=s.length}function ObjectSeq(s){var o=Object.keys(s);this._object=s,this._keys=o,this.size=o.length}function IterableSeq(s){this._iterable=s,this.size=s.length||s.size}function IteratorSeq(s){this._iterator=s,this._iteratorCache=[]}function isSeq(s){return!(!s||!s[ce])}function emptySequence(){return ee||(ee=new ArraySeq([]))}function keyedSeqFromValue(s){var o=Array.isArray(s)?new ArraySeq(s).fromEntrySeq():isIterator(s)?new IteratorSeq(s).fromEntrySeq():hasIterator(s)?new IterableSeq(s).fromEntrySeq():\"object\"==typeof s?new ObjectSeq(s):void 0;if(!o)throw new TypeError(\"Expected Array or iterable object of [k, v] entries, or keyed object: \"+s);return o}function indexedSeqFromValue(s){var o=maybeIndexedSeqFromValue(s);if(!o)throw new TypeError(\"Expected Array or iterable object of values: \"+s);return o}function seqFromValue(s){var o=maybeIndexedSeqFromValue(s)||\"object\"==typeof s&&new ObjectSeq(s);if(!o)throw new TypeError(\"Expected Array or iterable object of values, or keyed object: \"+s);return o}function maybeIndexedSeqFromValue(s){return isArrayLike(s)?new ArraySeq(s):isIterator(s)?new IteratorSeq(s):hasIterator(s)?new IterableSeq(s):void 0}function seqIterate(s,o,i,a){var u=s._cache;if(u){for(var _=u.length-1,w=0;w<=_;w++){var x=u[i?_-w:w];if(!1===o(x[1],a?x[0]:w,s))return w+1}return w}return s.__iterateUncached(o,i)}function seqIterator(s,o,i,a){var u=s._cache;if(u){var _=u.length-1,w=0;return new Iterator((function(){var s=u[i?_-w:w];return w++>_?iteratorDone():iteratorValue(o,a?s[0]:w-1,s[1])}))}return s.__iteratorUncached(o,i)}function fromJS(s,o){return o?fromJSWith(o,s,\"\",{\"\":s}):fromJSDefault(s)}function fromJSWith(s,o,i,a){return Array.isArray(o)?s.call(a,i,IndexedSeq(o).map((function(i,a){return fromJSWith(s,i,a,o)}))):isPlainObj(o)?s.call(a,i,KeyedSeq(o).map((function(i,a){return fromJSWith(s,i,a,o)}))):o}function fromJSDefault(s){return Array.isArray(s)?IndexedSeq(s).map(fromJSDefault).toList():isPlainObj(s)?KeyedSeq(s).map(fromJSDefault).toMap():s}function isPlainObj(s){return s&&(s.constructor===Object||void 0===s.constructor)}function is(s,o){if(s===o||s!=s&&o!=o)return!0;if(!s||!o)return!1;if(\"function\"==typeof s.valueOf&&\"function\"==typeof o.valueOf){if((s=s.valueOf())===(o=o.valueOf())||s!=s&&o!=o)return!0;if(!s||!o)return!1}return!(\"function\"!=typeof s.equals||\"function\"!=typeof o.equals||!s.equals(o))}function deepEqual(s,o){if(s===o)return!0;if(!isIterable(o)||void 0!==s.size&&void 0!==o.size&&s.size!==o.size||void 0!==s.__hash&&void 0!==o.__hash&&s.__hash!==o.__hash||isKeyed(s)!==isKeyed(o)||isIndexed(s)!==isIndexed(o)||isOrdered(s)!==isOrdered(o))return!1;if(0===s.size&&0===o.size)return!0;var i=!isAssociative(s);if(isOrdered(s)){var a=s.entries();return o.every((function(s,o){var u=a.next().value;return u&&is(u[1],s)&&(i||is(u[0],o))}))&&a.next().done}var u=!1;if(void 0===s.size)if(void 0===o.size)\"function\"==typeof s.cacheResult&&s.cacheResult();else{u=!0;var _=s;s=o,o=_}var w=!0,x=o.__iterate((function(o,a){if(i?!s.has(o):u?!is(o,s.get(a,j)):!is(s.get(a,j),o))return w=!1,!1}));return w&&s.size===x}function Repeat(s,o){if(!(this instanceof Repeat))return new Repeat(s,o);if(this._value=s,this.size=void 0===o?1/0:Math.max(0,o),0===this.size){if(ie)return ie;ie=this}}function invariant(s,o){if(!s)throw new Error(o)}function Range(s,o,i){if(!(this instanceof Range))return new Range(s,o,i);if(invariant(0!==i,\"Cannot step a Range by 0\"),s=s||0,void 0===o&&(o=1/0),i=void 0===i?1:Math.abs(i),oa?iteratorDone():iteratorValue(s,u,i[o?a-u++:u++])}))},createClass(ObjectSeq,KeyedSeq),ObjectSeq.prototype.get=function(s,o){return void 0===o||this.has(s)?this._object[s]:o},ObjectSeq.prototype.has=function(s){return this._object.hasOwnProperty(s)},ObjectSeq.prototype.__iterate=function(s,o){for(var i=this._object,a=this._keys,u=a.length-1,_=0;_<=u;_++){var w=a[o?u-_:_];if(!1===s(i[w],w,this))return _+1}return _},ObjectSeq.prototype.__iterator=function(s,o){var i=this._object,a=this._keys,u=a.length-1,_=0;return new Iterator((function(){var w=a[o?u-_:_];return _++>u?iteratorDone():iteratorValue(s,w,i[w])}))},ObjectSeq.prototype[u]=!0,createClass(IterableSeq,IndexedSeq),IterableSeq.prototype.__iterateUncached=function(s,o){if(o)return this.cacheResult().__iterate(s,o);var i=getIterator(this._iterable),a=0;if(isIterator(i))for(var u;!(u=i.next()).done&&!1!==s(u.value,a++,this););return a},IterableSeq.prototype.__iteratorUncached=function(s,o){if(o)return this.cacheResult().__iterator(s,o);var i=getIterator(this._iterable);if(!isIterator(i))return new Iterator(iteratorDone);var a=0;return new Iterator((function(){var o=i.next();return o.done?o:iteratorValue(s,a++,o.value)}))},createClass(IteratorSeq,IndexedSeq),IteratorSeq.prototype.__iterateUncached=function(s,o){if(o)return this.cacheResult().__iterate(s,o);for(var i,a=this._iterator,u=this._iteratorCache,_=0;_=a.length){var o=i.next();if(o.done)return o;a[u]=o.value}return iteratorValue(s,u,a[u++])}))},createClass(Repeat,IndexedSeq),Repeat.prototype.toString=function(){return 0===this.size?\"Repeat []\":\"Repeat [ \"+this._value+\" \"+this.size+\" times ]\"},Repeat.prototype.get=function(s,o){return this.has(s)?this._value:o},Repeat.prototype.includes=function(s){return is(this._value,s)},Repeat.prototype.slice=function(s,o){var i=this.size;return wholeSlice(s,o,i)?this:new Repeat(this._value,resolveEnd(o,i)-resolveBegin(s,i))},Repeat.prototype.reverse=function(){return this},Repeat.prototype.indexOf=function(s){return is(this._value,s)?0:-1},Repeat.prototype.lastIndexOf=function(s){return is(this._value,s)?this.size:-1},Repeat.prototype.__iterate=function(s,o){for(var i=0;i=0&&o=0&&ii?iteratorDone():iteratorValue(s,_++,w)}))},Range.prototype.equals=function(s){return s instanceof Range?this._start===s._start&&this._end===s._end&&this._step===s._step:deepEqual(this,s)},createClass(Collection,Iterable),createClass(KeyedCollection,Collection),createClass(IndexedCollection,Collection),createClass(SetCollection,Collection),Collection.Keyed=KeyedCollection,Collection.Indexed=IndexedCollection,Collection.Set=SetCollection;var le=\"function\"==typeof Math.imul&&-2===Math.imul(4294967295,2)?Math.imul:function imul(s,o){var i=65535&(s|=0),a=65535&(o|=0);return i*a+((s>>>16)*a+i*(o>>>16)<<16>>>0)|0};function smi(s){return s>>>1&1073741824|3221225471&s}function hash(s){if(!1===s||null==s)return 0;if(\"function\"==typeof s.valueOf&&(!1===(s=s.valueOf())||null==s))return 0;if(!0===s)return 1;var o=typeof s;if(\"number\"===o){if(s!=s||s===1/0)return 0;var i=0|s;for(i!==s&&(i^=4294967295*s);s>4294967295;)i^=s/=4294967295;return smi(i)}if(\"string\"===o)return s.length>Se?cachedHashString(s):hashString(s);if(\"function\"==typeof s.hashCode)return s.hashCode();if(\"object\"===o)return hashJSObj(s);if(\"function\"==typeof s.toString)return hashString(s.toString());throw new Error(\"Value type \"+o+\" cannot be hashed.\")}function cachedHashString(s){var o=Pe[s];return void 0===o&&(o=hashString(s),xe===we&&(xe=0,Pe={}),xe++,Pe[s]=o),o}function hashString(s){for(var o=0,i=0;i0)switch(s.nodeType){case 1:return s.uniqueID;case 9:return s.documentElement&&s.documentElement.uniqueID}}var fe,ye=\"function\"==typeof WeakMap;ye&&(fe=new WeakMap);var be=0,_e=\"__immutablehash__\";\"function\"==typeof Symbol&&(_e=Symbol(_e));var Se=16,we=255,xe=0,Pe={};function assertNotInfinite(s){invariant(s!==1/0,\"Cannot perform this action with an infinite size.\")}function Map(s){return null==s?emptyMap():isMap(s)&&!isOrdered(s)?s:emptyMap().withMutations((function(o){var i=KeyedIterable(s);assertNotInfinite(i.size),i.forEach((function(s,i){return o.set(i,s)}))}))}function isMap(s){return!(!s||!s[Re])}createClass(Map,KeyedCollection),Map.of=function(){var o=s.call(arguments,0);return emptyMap().withMutations((function(s){for(var i=0;i=o.length)throw new Error(\"Missing value for key: \"+o[i]);s.set(o[i],o[i+1])}}))},Map.prototype.toString=function(){return this.__toString(\"Map {\",\"}\")},Map.prototype.get=function(s,o){return this._root?this._root.get(0,void 0,s,o):o},Map.prototype.set=function(s,o){return updateMap(this,s,o)},Map.prototype.setIn=function(s,o){return this.updateIn(s,j,(function(){return o}))},Map.prototype.remove=function(s){return updateMap(this,s,j)},Map.prototype.deleteIn=function(s){return this.updateIn(s,(function(){return j}))},Map.prototype.update=function(s,o,i){return 1===arguments.length?s(this):this.updateIn([s],o,i)},Map.prototype.updateIn=function(s,o,i){i||(i=o,o=void 0);var a=updateInDeepMap(this,forceIterator(s),o,i);return a===j?void 0:a},Map.prototype.clear=function(){return 0===this.size?this:this.__ownerID?(this.size=0,this._root=null,this.__hash=void 0,this.__altered=!0,this):emptyMap()},Map.prototype.merge=function(){return mergeIntoMapWith(this,void 0,arguments)},Map.prototype.mergeWith=function(o){return mergeIntoMapWith(this,o,s.call(arguments,1))},Map.prototype.mergeIn=function(o){var i=s.call(arguments,1);return this.updateIn(o,emptyMap(),(function(s){return\"function\"==typeof s.merge?s.merge.apply(s,i):i[i.length-1]}))},Map.prototype.mergeDeep=function(){return mergeIntoMapWith(this,deepMerger,arguments)},Map.prototype.mergeDeepWith=function(o){var i=s.call(arguments,1);return mergeIntoMapWith(this,deepMergerWith(o),i)},Map.prototype.mergeDeepIn=function(o){var i=s.call(arguments,1);return this.updateIn(o,emptyMap(),(function(s){return\"function\"==typeof s.mergeDeep?s.mergeDeep.apply(s,i):i[i.length-1]}))},Map.prototype.sort=function(s){return OrderedMap(sortFactory(this,s))},Map.prototype.sortBy=function(s,o){return OrderedMap(sortFactory(this,o,s))},Map.prototype.withMutations=function(s){var o=this.asMutable();return s(o),o.wasAltered()?o.__ensureOwner(this.__ownerID):this},Map.prototype.asMutable=function(){return this.__ownerID?this:this.__ensureOwner(new OwnerID)},Map.prototype.asImmutable=function(){return this.__ensureOwner()},Map.prototype.wasAltered=function(){return this.__altered},Map.prototype.__iterator=function(s,o){return new MapIterator(this,s,o)},Map.prototype.__iterate=function(s,o){var i=this,a=0;return this._root&&this._root.iterate((function(o){return a++,s(o[1],o[0],i)}),o),a},Map.prototype.__ensureOwner=function(s){return s===this.__ownerID?this:s?makeMap(this.size,this._root,s,this.__hash):(this.__ownerID=s,this.__altered=!1,this)},Map.isMap=isMap;var Te,Re=\"@@__IMMUTABLE_MAP__@@\",$e=Map.prototype;function ArrayMapNode(s,o){this.ownerID=s,this.entries=o}function BitmapIndexedNode(s,o,i){this.ownerID=s,this.bitmap=o,this.nodes=i}function HashArrayMapNode(s,o,i){this.ownerID=s,this.count=o,this.nodes=i}function HashCollisionNode(s,o,i){this.ownerID=s,this.keyHash=o,this.entries=i}function ValueNode(s,o,i){this.ownerID=s,this.keyHash=o,this.entry=i}function MapIterator(s,o,i){this._type=o,this._reverse=i,this._stack=s._root&&mapIteratorFrame(s._root)}function mapIteratorValue(s,o){return iteratorValue(s,o[0],o[1])}function mapIteratorFrame(s,o){return{node:s,index:0,__prev:o}}function makeMap(s,o,i,a){var u=Object.create($e);return u.size=s,u._root=o,u.__ownerID=i,u.__hash=a,u.__altered=!1,u}function emptyMap(){return Te||(Te=makeMap(0))}function updateMap(s,o,i){var a,u;if(s._root){var _=MakeRef(L),w=MakeRef(B);if(a=updateNode(s._root,s.__ownerID,0,void 0,o,i,_,w),!w.value)return s;u=s.size+(_.value?i===j?-1:1:0)}else{if(i===j)return s;u=1,a=new ArrayMapNode(s.__ownerID,[[o,i]])}return s.__ownerID?(s.size=u,s._root=a,s.__hash=void 0,s.__altered=!0,s):a?makeMap(u,a):emptyMap()}function updateNode(s,o,i,a,u,_,w,x){return s?s.update(o,i,a,u,_,w,x):_===j?s:(SetRef(x),SetRef(w),new ValueNode(o,a,[u,_]))}function isLeafNode(s){return s.constructor===ValueNode||s.constructor===HashCollisionNode}function mergeIntoNode(s,o,i,a,u){if(s.keyHash===a)return new HashCollisionNode(o,a,[s.entry,u]);var _,x=(0===i?s.keyHash:s.keyHash>>>i)&C,j=(0===i?a:a>>>i)&C;return new BitmapIndexedNode(o,1<>>=1)w[C]=1&i?o[_++]:void 0;return w[a]=u,new HashArrayMapNode(s,_+1,w)}function mergeIntoMapWith(s,o,i){for(var a=[],u=0;u>1&1431655765))+(s>>2&858993459))+(s>>4)&252645135,s+=s>>8,127&(s+=s>>16)}function setIn(s,o,i,a){var u=a?s:arrCopy(s);return u[o]=i,u}function spliceIn(s,o,i,a){var u=s.length+1;if(a&&o+1===u)return s[o]=i,s;for(var _=new Array(u),w=0,x=0;x=qe)return createNodes(s,C,a,u);var U=s&&s===this.ownerID,V=U?C:arrCopy(C);return $?x?L===B-1?V.pop():V[L]=V.pop():V[L]=[a,u]:V.push([a,u]),U?(this.entries=V,this):new ArrayMapNode(s,V)}},BitmapIndexedNode.prototype.get=function(s,o,i,a){void 0===o&&(o=hash(i));var u=1<<((0===s?o:o>>>s)&C),_=this.bitmap;return _&u?this.nodes[popCount(_&u-1)].get(s+w,o,i,a):a},BitmapIndexedNode.prototype.update=function(s,o,i,a,u,_,x){void 0===i&&(i=hash(a));var L=(0===o?i:i>>>o)&C,B=1<=ze)return expandNodes(s,z,$,L,Z);if(U&&!Z&&2===z.length&&isLeafNode(z[1^V]))return z[1^V];if(U&&Z&&1===z.length&&isLeafNode(Z))return Z;var ee=s&&s===this.ownerID,ie=U?Z?$:$^B:$|B,ae=U?Z?setIn(z,V,Z,ee):spliceOut(z,V,ee):spliceIn(z,V,Z,ee);return ee?(this.bitmap=ie,this.nodes=ae,this):new BitmapIndexedNode(s,ie,ae)},HashArrayMapNode.prototype.get=function(s,o,i,a){void 0===o&&(o=hash(i));var u=(0===s?o:o>>>s)&C,_=this.nodes[u];return _?_.get(s+w,o,i,a):a},HashArrayMapNode.prototype.update=function(s,o,i,a,u,_,x){void 0===i&&(i=hash(a));var L=(0===o?i:i>>>o)&C,B=u===j,$=this.nodes,U=$[L];if(B&&!U)return this;var V=updateNode(U,s,o+w,i,a,u,_,x);if(V===U)return this;var z=this.count;if(U){if(!V&&--z0&&a=0&&s>>o&C;if(a>=this.array.length)return new VNode([],s);var u,_=0===a;if(o>0){var x=this.array[a];if((u=x&&x.removeBefore(s,o-w,i))===x&&_)return this}if(_&&!u)return this;var j=editableVNode(this,s);if(!_)for(var L=0;L>>o&C;if(u>=this.array.length)return this;if(o>0){var _=this.array[u];if((a=_&&_.removeAfter(s,o-w,i))===_&&u===this.array.length-1)return this}var x=editableVNode(this,s);return x.array.splice(u+1),a&&(x.array[u]=a),x};var Xe,Qe,et={};function iterateList(s,o){var i=s._origin,a=s._capacity,u=getTailOffset(a),_=s._tail;return iterateNodeOrLeaf(s._root,s._level,0);function iterateNodeOrLeaf(s,o,i){return 0===o?iterateLeaf(s,i):iterateNode(s,o,i)}function iterateLeaf(s,w){var C=w===u?_&&_.array:s&&s.array,j=w>i?0:i-w,L=a-w;return L>x&&(L=x),function(){if(j===L)return et;var s=o?--L:j++;return C&&C[s]}}function iterateNode(s,u,_){var C,j=s&&s.array,L=_>i?0:i-_>>u,B=1+(a-_>>u);return B>x&&(B=x),function(){for(;;){if(C){var s=C();if(s!==et)return s;C=null}if(L===B)return et;var i=o?--B:L++;C=iterateNodeOrLeaf(j&&j[i],u-w,_+(i<=s.size||o<0)return s.withMutations((function(s){o<0?setListBounds(s,o).set(0,i):setListBounds(s,0,o+1).set(o,i)}));o+=s._origin;var a=s._tail,u=s._root,_=MakeRef(B);return o>=getTailOffset(s._capacity)?a=updateVNode(a,s.__ownerID,0,o,i,_):u=updateVNode(u,s.__ownerID,s._level,o,i,_),_.value?s.__ownerID?(s._root=u,s._tail=a,s.__hash=void 0,s.__altered=!0,s):makeList(s._origin,s._capacity,s._level,u,a):s}function updateVNode(s,o,i,a,u,_){var x,j=a>>>i&C,L=s&&j0){var B=s&&s.array[j],$=updateVNode(B,o,i-w,a,u,_);return $===B?s:((x=editableVNode(s,o)).array[j]=$,x)}return L&&s.array[j]===u?s:(SetRef(_),x=editableVNode(s,o),void 0===u&&j===x.array.length-1?x.array.pop():x.array[j]=u,x)}function editableVNode(s,o){return o&&s&&o===s.ownerID?s:new VNode(s?s.array.slice():[],o)}function listNodeFor(s,o){if(o>=getTailOffset(s._capacity))return s._tail;if(o<1<0;)i=i.array[o>>>a&C],a-=w;return i}}function setListBounds(s,o,i){void 0!==o&&(o|=0),void 0!==i&&(i|=0);var a=s.__ownerID||new OwnerID,u=s._origin,_=s._capacity,x=u+o,j=void 0===i?_:i<0?_+i:u+i;if(x===u&&j===_)return s;if(x>=j)return s.clear();for(var L=s._level,B=s._root,$=0;x+$<0;)B=new VNode(B&&B.array.length?[void 0,B]:[],a),$+=1<<(L+=w);$&&(x+=$,u+=$,j+=$,_+=$);for(var U=getTailOffset(_),V=getTailOffset(j);V>=1<U?new VNode([],a):z;if(z&&V>U&&x<_&&z.array.length){for(var Z=B=editableVNode(B,a),ee=L;ee>w;ee-=w){var ie=U>>>ee&C;Z=Z.array[ie]=editableVNode(Z.array[ie],a)}Z.array[U>>>w&C]=z}if(j<_&&(Y=Y&&Y.removeAfter(a,0,j)),x>=V)x-=V,j-=V,L=w,B=null,Y=Y&&Y.removeBefore(a,0,x);else if(x>u||V>>L&C;if(ae!==V>>>L&C)break;ae&&($+=(1<u&&(B=B.removeBefore(a,L,x-$)),B&&Vu&&(u=x.size),isIterable(w)||(x=x.map((function(s){return fromJS(s)}))),a.push(x)}return u>s.size&&(s=s.setSize(u)),mergeIntoCollectionWith(s,o,a)}function getTailOffset(s){return s>>w<=x&&w.size>=2*_.size?(a=(u=w.filter((function(s,o){return void 0!==s&&C!==o}))).toKeyedSeq().map((function(s){return s[0]})).flip().toMap(),s.__ownerID&&(a.__ownerID=u.__ownerID=s.__ownerID)):(a=_.remove(o),u=C===w.size-1?w.pop():w.set(C,void 0))}else if(L){if(i===w.get(C)[1])return s;a=_,u=w.set(C,[o,i])}else a=_.set(o,w.size),u=w.set(w.size,[o,i]);return s.__ownerID?(s.size=a.size,s._map=a,s._list=u,s.__hash=void 0,s):makeOrderedMap(a,u)}function ToKeyedSequence(s,o){this._iter=s,this._useKeys=o,this.size=s.size}function ToIndexedSequence(s){this._iter=s,this.size=s.size}function ToSetSequence(s){this._iter=s,this.size=s.size}function FromEntriesSequence(s){this._iter=s,this.size=s.size}function flipFactory(s){var o=makeSequence(s);return o._iter=s,o.size=s.size,o.flip=function(){return s},o.reverse=function(){var o=s.reverse.apply(this);return o.flip=function(){return s.reverse()},o},o.has=function(o){return s.includes(o)},o.includes=function(o){return s.has(o)},o.cacheResult=cacheResultThrough,o.__iterateUncached=function(o,i){var a=this;return s.__iterate((function(s,i){return!1!==o(i,s,a)}),i)},o.__iteratorUncached=function(o,i){if(o===V){var a=s.__iterator(o,i);return new Iterator((function(){var s=a.next();if(!s.done){var o=s.value[0];s.value[0]=s.value[1],s.value[1]=o}return s}))}return s.__iterator(o===U?$:U,i)},o}function mapFactory(s,o,i){var a=makeSequence(s);return a.size=s.size,a.has=function(o){return s.has(o)},a.get=function(a,u){var _=s.get(a,j);return _===j?u:o.call(i,_,a,s)},a.__iterateUncached=function(a,u){var _=this;return s.__iterate((function(s,u,w){return!1!==a(o.call(i,s,u,w),u,_)}),u)},a.__iteratorUncached=function(a,u){var _=s.__iterator(V,u);return new Iterator((function(){var u=_.next();if(u.done)return u;var w=u.value,x=w[0];return iteratorValue(a,x,o.call(i,w[1],x,s),u)}))},a}function reverseFactory(s,o){var i=makeSequence(s);return i._iter=s,i.size=s.size,i.reverse=function(){return s},s.flip&&(i.flip=function(){var o=flipFactory(s);return o.reverse=function(){return s.flip()},o}),i.get=function(i,a){return s.get(o?i:-1-i,a)},i.has=function(i){return s.has(o?i:-1-i)},i.includes=function(o){return s.includes(o)},i.cacheResult=cacheResultThrough,i.__iterate=function(o,i){var a=this;return s.__iterate((function(s,i){return o(s,i,a)}),!i)},i.__iterator=function(o,i){return s.__iterator(o,!i)},i}function filterFactory(s,o,i,a){var u=makeSequence(s);return a&&(u.has=function(a){var u=s.get(a,j);return u!==j&&!!o.call(i,u,a,s)},u.get=function(a,u){var _=s.get(a,j);return _!==j&&o.call(i,_,a,s)?_:u}),u.__iterateUncached=function(u,_){var w=this,x=0;return s.__iterate((function(s,_,C){if(o.call(i,s,_,C))return x++,u(s,a?_:x-1,w)}),_),x},u.__iteratorUncached=function(u,_){var w=s.__iterator(V,_),x=0;return new Iterator((function(){for(;;){var _=w.next();if(_.done)return _;var C=_.value,j=C[0],L=C[1];if(o.call(i,L,j,s))return iteratorValue(u,a?j:x++,L,_)}}))},u}function countByFactory(s,o,i){var a=Map().asMutable();return s.__iterate((function(u,_){a.update(o.call(i,u,_,s),0,(function(s){return s+1}))})),a.asImmutable()}function groupByFactory(s,o,i){var a=isKeyed(s),u=(isOrdered(s)?OrderedMap():Map()).asMutable();s.__iterate((function(_,w){u.update(o.call(i,_,w,s),(function(s){return(s=s||[]).push(a?[w,_]:_),s}))}));var _=iterableClass(s);return u.map((function(o){return reify(s,_(o))}))}function sliceFactory(s,o,i,a){var u=s.size;if(void 0!==o&&(o|=0),void 0!==i&&(i===1/0?i=u:i|=0),wholeSlice(o,i,u))return s;var _=resolveBegin(o,u),w=resolveEnd(i,u);if(_!=_||w!=w)return sliceFactory(s.toSeq().cacheResult(),o,i,a);var x,C=w-_;C==C&&(x=C<0?0:C);var j=makeSequence(s);return j.size=0===x?x:s.size&&x||void 0,!a&&isSeq(s)&&x>=0&&(j.get=function(o,i){return(o=wrapIndex(this,o))>=0&&ox)return iteratorDone();var s=u.next();return a||o===U?s:iteratorValue(o,C-1,o===$?void 0:s.value[1],s)}))},j}function takeWhileFactory(s,o,i){var a=makeSequence(s);return a.__iterateUncached=function(a,u){var _=this;if(u)return this.cacheResult().__iterate(a,u);var w=0;return s.__iterate((function(s,u,x){return o.call(i,s,u,x)&&++w&&a(s,u,_)})),w},a.__iteratorUncached=function(a,u){var _=this;if(u)return this.cacheResult().__iterator(a,u);var w=s.__iterator(V,u),x=!0;return new Iterator((function(){if(!x)return iteratorDone();var s=w.next();if(s.done)return s;var u=s.value,C=u[0],j=u[1];return o.call(i,j,C,_)?a===V?s:iteratorValue(a,C,j,s):(x=!1,iteratorDone())}))},a}function skipWhileFactory(s,o,i,a){var u=makeSequence(s);return u.__iterateUncached=function(u,_){var w=this;if(_)return this.cacheResult().__iterate(u,_);var x=!0,C=0;return s.__iterate((function(s,_,j){if(!x||!(x=o.call(i,s,_,j)))return C++,u(s,a?_:C-1,w)})),C},u.__iteratorUncached=function(u,_){var w=this;if(_)return this.cacheResult().__iterator(u,_);var x=s.__iterator(V,_),C=!0,j=0;return new Iterator((function(){var s,_,L;do{if((s=x.next()).done)return a||u===U?s:iteratorValue(u,j++,u===$?void 0:s.value[1],s);var B=s.value;_=B[0],L=B[1],C&&(C=o.call(i,L,_,w))}while(C);return u===V?s:iteratorValue(u,_,L,s)}))},u}function concatFactory(s,o){var i=isKeyed(s),a=[s].concat(o).map((function(s){return isIterable(s)?i&&(s=KeyedIterable(s)):s=i?keyedSeqFromValue(s):indexedSeqFromValue(Array.isArray(s)?s:[s]),s})).filter((function(s){return 0!==s.size}));if(0===a.length)return s;if(1===a.length){var u=a[0];if(u===s||i&&isKeyed(u)||isIndexed(s)&&isIndexed(u))return u}var _=new ArraySeq(a);return i?_=_.toKeyedSeq():isIndexed(s)||(_=_.toSetSeq()),(_=_.flatten(!0)).size=a.reduce((function(s,o){if(void 0!==s){var i=o.size;if(void 0!==i)return s+i}}),0),_}function flattenFactory(s,o,i){var a=makeSequence(s);return a.__iterateUncached=function(a,u){var _=0,w=!1;function flatDeep(s,x){var C=this;s.__iterate((function(s,u){return(!o||x0}function zipWithFactory(s,o,i){var a=makeSequence(s);return a.size=new ArraySeq(i).map((function(s){return s.size})).min(),a.__iterate=function(s,o){for(var i,a=this.__iterator(U,o),u=0;!(i=a.next()).done&&!1!==s(i.value,u++,this););return u},a.__iteratorUncached=function(s,a){var u=i.map((function(s){return s=Iterable(s),getIterator(a?s.reverse():s)})),_=0,w=!1;return new Iterator((function(){var i;return w||(i=u.map((function(s){return s.next()})),w=i.some((function(s){return s.done}))),w?iteratorDone():iteratorValue(s,_++,o.apply(null,i.map((function(s){return s.value}))))}))},a}function reify(s,o){return isSeq(s)?o:s.constructor(o)}function validateEntry(s){if(s!==Object(s))throw new TypeError(\"Expected [K, V] tuple: \"+s)}function resolveSize(s){return assertNotInfinite(s.size),ensureSize(s)}function iterableClass(s){return isKeyed(s)?KeyedIterable:isIndexed(s)?IndexedIterable:SetIterable}function makeSequence(s){return Object.create((isKeyed(s)?KeyedSeq:isIndexed(s)?IndexedSeq:SetSeq).prototype)}function cacheResultThrough(){return this._iter.cacheResult?(this._iter.cacheResult(),this.size=this._iter.size,this):Seq.prototype.cacheResult.call(this)}function defaultComparator(s,o){return s>o?1:s=0;i--)o={value:arguments[i],next:o};return this.__ownerID?(this.size=s,this._head=o,this.__hash=void 0,this.__altered=!0,this):makeStack(s,o)},Stack.prototype.pushAll=function(s){if(0===(s=IndexedIterable(s)).size)return this;assertNotInfinite(s.size);var o=this.size,i=this._head;return s.reverse().forEach((function(s){o++,i={value:s,next:i}})),this.__ownerID?(this.size=o,this._head=i,this.__hash=void 0,this.__altered=!0,this):makeStack(o,i)},Stack.prototype.pop=function(){return this.slice(1)},Stack.prototype.unshift=function(){return this.push.apply(this,arguments)},Stack.prototype.unshiftAll=function(s){return this.pushAll(s)},Stack.prototype.shift=function(){return this.pop.apply(this,arguments)},Stack.prototype.clear=function(){return 0===this.size?this:this.__ownerID?(this.size=0,this._head=void 0,this.__hash=void 0,this.__altered=!0,this):emptyStack()},Stack.prototype.slice=function(s,o){if(wholeSlice(s,o,this.size))return this;var i=resolveBegin(s,this.size);if(resolveEnd(o,this.size)!==this.size)return IndexedCollection.prototype.slice.call(this,s,o);for(var a=this.size-i,u=this._head;i--;)u=u.next;return this.__ownerID?(this.size=a,this._head=u,this.__hash=void 0,this.__altered=!0,this):makeStack(a,u)},Stack.prototype.__ensureOwner=function(s){return s===this.__ownerID?this:s?makeStack(this.size,this._head,s,this.__hash):(this.__ownerID=s,this.__altered=!1,this)},Stack.prototype.__iterate=function(s,o){if(o)return this.reverse().__iterate(s);for(var i=0,a=this._head;a&&!1!==s(a.value,i++,this);)a=a.next;return i},Stack.prototype.__iterator=function(s,o){if(o)return this.reverse().__iterator(s);var i=0,a=this._head;return new Iterator((function(){if(a){var o=a.value;return a=a.next,iteratorValue(s,i++,o)}return iteratorDone()}))},Stack.isStack=isStack;var at,ct=\"@@__IMMUTABLE_STACK__@@\",lt=Stack.prototype;function makeStack(s,o,i,a){var u=Object.create(lt);return u.size=s,u._head=o,u.__ownerID=i,u.__hash=a,u.__altered=!1,u}function emptyStack(){return at||(at=makeStack(0))}function mixin(s,o){var keyCopier=function(i){s.prototype[i]=o[i]};return Object.keys(o).forEach(keyCopier),Object.getOwnPropertySymbols&&Object.getOwnPropertySymbols(o).forEach(keyCopier),s}lt[ct]=!0,lt.withMutations=$e.withMutations,lt.asMutable=$e.asMutable,lt.asImmutable=$e.asImmutable,lt.wasAltered=$e.wasAltered,Iterable.Iterator=Iterator,mixin(Iterable,{toArray:function(){assertNotInfinite(this.size);var s=new Array(this.size||0);return this.valueSeq().__iterate((function(o,i){s[i]=o})),s},toIndexedSeq:function(){return new ToIndexedSequence(this)},toJS:function(){return this.toSeq().map((function(s){return s&&\"function\"==typeof s.toJS?s.toJS():s})).__toJS()},toJSON:function(){return this.toSeq().map((function(s){return s&&\"function\"==typeof s.toJSON?s.toJSON():s})).__toJS()},toKeyedSeq:function(){return new ToKeyedSequence(this,!0)},toMap:function(){return Map(this.toKeyedSeq())},toObject:function(){assertNotInfinite(this.size);var s={};return this.__iterate((function(o,i){s[i]=o})),s},toOrderedMap:function(){return OrderedMap(this.toKeyedSeq())},toOrderedSet:function(){return OrderedSet(isKeyed(this)?this.valueSeq():this)},toSet:function(){return Set(isKeyed(this)?this.valueSeq():this)},toSetSeq:function(){return new ToSetSequence(this)},toSeq:function(){return isIndexed(this)?this.toIndexedSeq():isKeyed(this)?this.toKeyedSeq():this.toSetSeq()},toStack:function(){return Stack(isKeyed(this)?this.valueSeq():this)},toList:function(){return List(isKeyed(this)?this.valueSeq():this)},toString:function(){return\"[Iterable]\"},__toString:function(s,o){return 0===this.size?s+o:s+\" \"+this.toSeq().map(this.__toStringMapper).join(\", \")+\" \"+o},concat:function(){return reify(this,concatFactory(this,s.call(arguments,0)))},includes:function(s){return this.some((function(o){return is(o,s)}))},entries:function(){return this.__iterator(V)},every:function(s,o){assertNotInfinite(this.size);var i=!0;return this.__iterate((function(a,u,_){if(!s.call(o,a,u,_))return i=!1,!1})),i},filter:function(s,o){return reify(this,filterFactory(this,s,o,!0))},find:function(s,o,i){var a=this.findEntry(s,o);return a?a[1]:i},forEach:function(s,o){return assertNotInfinite(this.size),this.__iterate(o?s.bind(o):s)},join:function(s){assertNotInfinite(this.size),s=void 0!==s?\"\"+s:\",\";var o=\"\",i=!0;return this.__iterate((function(a){i?i=!1:o+=s,o+=null!=a?a.toString():\"\"})),o},keys:function(){return this.__iterator($)},map:function(s,o){return reify(this,mapFactory(this,s,o))},reduce:function(s,o,i){var a,u;return assertNotInfinite(this.size),arguments.length<2?u=!0:a=o,this.__iterate((function(o,_,w){u?(u=!1,a=o):a=s.call(i,a,o,_,w)})),a},reduceRight:function(s,o,i){var a=this.toKeyedSeq().reverse();return a.reduce.apply(a,arguments)},reverse:function(){return reify(this,reverseFactory(this,!0))},slice:function(s,o){return reify(this,sliceFactory(this,s,o,!0))},some:function(s,o){return!this.every(not(s),o)},sort:function(s){return reify(this,sortFactory(this,s))},values:function(){return this.__iterator(U)},butLast:function(){return this.slice(0,-1)},isEmpty:function(){return void 0!==this.size?0===this.size:!this.some((function(){return!0}))},count:function(s,o){return ensureSize(s?this.toSeq().filter(s,o):this)},countBy:function(s,o){return countByFactory(this,s,o)},equals:function(s){return deepEqual(this,s)},entrySeq:function(){var s=this;if(s._cache)return new ArraySeq(s._cache);var o=s.toSeq().map(entryMapper).toIndexedSeq();return o.fromEntrySeq=function(){return s.toSeq()},o},filterNot:function(s,o){return this.filter(not(s),o)},findEntry:function(s,o,i){var a=i;return this.__iterate((function(i,u,_){if(s.call(o,i,u,_))return a=[u,i],!1})),a},findKey:function(s,o){var i=this.findEntry(s,o);return i&&i[0]},findLast:function(s,o,i){return this.toKeyedSeq().reverse().find(s,o,i)},findLastEntry:function(s,o,i){return this.toKeyedSeq().reverse().findEntry(s,o,i)},findLastKey:function(s,o){return this.toKeyedSeq().reverse().findKey(s,o)},first:function(){return this.find(returnTrue)},flatMap:function(s,o){return reify(this,flatMapFactory(this,s,o))},flatten:function(s){return reify(this,flattenFactory(this,s,!0))},fromEntrySeq:function(){return new FromEntriesSequence(this)},get:function(s,o){return this.find((function(o,i){return is(i,s)}),void 0,o)},getIn:function(s,o){for(var i,a=this,u=forceIterator(s);!(i=u.next()).done;){var _=i.value;if((a=a&&a.get?a.get(_,j):j)===j)return o}return a},groupBy:function(s,o){return groupByFactory(this,s,o)},has:function(s){return this.get(s,j)!==j},hasIn:function(s){return this.getIn(s,j)!==j},isSubset:function(s){return s=\"function\"==typeof s.includes?s:Iterable(s),this.every((function(o){return s.includes(o)}))},isSuperset:function(s){return(s=\"function\"==typeof s.isSubset?s:Iterable(s)).isSubset(this)},keyOf:function(s){return this.findKey((function(o){return is(o,s)}))},keySeq:function(){return this.toSeq().map(keyMapper).toIndexedSeq()},last:function(){return this.toSeq().reverse().first()},lastKeyOf:function(s){return this.toKeyedSeq().reverse().keyOf(s)},max:function(s){return maxFactory(this,s)},maxBy:function(s,o){return maxFactory(this,o,s)},min:function(s){return maxFactory(this,s?neg(s):defaultNegComparator)},minBy:function(s,o){return maxFactory(this,o?neg(o):defaultNegComparator,s)},rest:function(){return this.slice(1)},skip:function(s){return this.slice(Math.max(0,s))},skipLast:function(s){return reify(this,this.toSeq().reverse().skip(s).reverse())},skipWhile:function(s,o){return reify(this,skipWhileFactory(this,s,o,!0))},skipUntil:function(s,o){return this.skipWhile(not(s),o)},sortBy:function(s,o){return reify(this,sortFactory(this,o,s))},take:function(s){return this.slice(0,Math.max(0,s))},takeLast:function(s){return reify(this,this.toSeq().reverse().take(s).reverse())},takeWhile:function(s,o){return reify(this,takeWhileFactory(this,s,o))},takeUntil:function(s,o){return this.takeWhile(not(s),o)},valueSeq:function(){return this.toIndexedSeq()},hashCode:function(){return this.__hash||(this.__hash=hashIterable(this))}});var ut=Iterable.prototype;ut[o]=!0,ut[Z]=ut.values,ut.__toJS=ut.toArray,ut.__toStringMapper=quoteString,ut.inspect=ut.toSource=function(){return this.toString()},ut.chain=ut.flatMap,ut.contains=ut.includes,mixin(KeyedIterable,{flip:function(){return reify(this,flipFactory(this))},mapEntries:function(s,o){var i=this,a=0;return reify(this,this.toSeq().map((function(u,_){return s.call(o,[_,u],a++,i)})).fromEntrySeq())},mapKeys:function(s,o){var i=this;return reify(this,this.toSeq().flip().map((function(a,u){return s.call(o,a,u,i)})).flip())}});var pt=KeyedIterable.prototype;function keyMapper(s,o){return o}function entryMapper(s,o){return[o,s]}function not(s){return function(){return!s.apply(this,arguments)}}function neg(s){return function(){return-s.apply(this,arguments)}}function quoteString(s){return\"string\"==typeof s?JSON.stringify(s):String(s)}function defaultZipper(){return arrCopy(arguments)}function defaultNegComparator(s,o){return so?-1:0}function hashIterable(s){if(s.size===1/0)return 0;var o=isOrdered(s),i=isKeyed(s),a=o?1:0;return murmurHashOfSize(s.__iterate(i?o?function(s,o){a=31*a+hashMerge(hash(s),hash(o))|0}:function(s,o){a=a+hashMerge(hash(s),hash(o))|0}:o?function(s){a=31*a+hash(s)|0}:function(s){a=a+hash(s)|0}),a)}function murmurHashOfSize(s,o){return o=le(o,3432918353),o=le(o<<15|o>>>-15,461845907),o=le(o<<13|o>>>-13,5),o=le((o=o+3864292196^s)^o>>>16,2246822507),o=smi((o=le(o^o>>>13,3266489909))^o>>>16)}function hashMerge(s,o){return s^o+2654435769+(s<<6)+(s>>2)}return pt[i]=!0,pt[Z]=ut.entries,pt.__toJS=ut.toObject,pt.__toStringMapper=function(s,o){return JSON.stringify(o)+\": \"+quoteString(s)},mixin(IndexedIterable,{toKeyedSeq:function(){return new ToKeyedSequence(this,!1)},filter:function(s,o){return reify(this,filterFactory(this,s,o,!1))},findIndex:function(s,o){var i=this.findEntry(s,o);return i?i[0]:-1},indexOf:function(s){var o=this.keyOf(s);return void 0===o?-1:o},lastIndexOf:function(s){var o=this.lastKeyOf(s);return void 0===o?-1:o},reverse:function(){return reify(this,reverseFactory(this,!1))},slice:function(s,o){return reify(this,sliceFactory(this,s,o,!1))},splice:function(s,o){var i=arguments.length;if(o=Math.max(0|o,0),0===i||2===i&&!o)return this;s=resolveBegin(s,s<0?this.count():this.size);var a=this.slice(0,s);return reify(this,1===i?a:a.concat(arrCopy(arguments,2),this.slice(s+o)))},findLastIndex:function(s,o){var i=this.findLastEntry(s,o);return i?i[0]:-1},first:function(){return this.get(0)},flatten:function(s){return reify(this,flattenFactory(this,s,!1))},get:function(s,o){return(s=wrapIndex(this,s))<0||this.size===1/0||void 0!==this.size&&s>this.size?o:this.find((function(o,i){return i===s}),void 0,o)},has:function(s){return(s=wrapIndex(this,s))>=0&&(void 0!==this.size?this.size===1/0||s{\"use strict\";i(71340);var a=i(92046);s.exports=a.Object.assign},9957:(s,o,i)=>{\"use strict\";var a=Function.prototype.call,u=Object.prototype.hasOwnProperty,_=i(66743);s.exports=_.call(a,u)},9999:(s,o,i)=>{var a=i(37217),u=i(83729),_=i(16547),w=i(74733),x=i(43838),C=i(93290),j=i(23007),L=i(92271),B=i(48948),$=i(50002),U=i(83349),V=i(5861),z=i(76189),Y=i(77199),Z=i(35529),ee=i(56449),ie=i(3656),ae=i(87730),ce=i(23805),le=i(38440),pe=i(95950),de=i(37241),fe=\"[object Arguments]\",ye=\"[object Function]\",be=\"[object Object]\",_e={};_e[fe]=_e[\"[object Array]\"]=_e[\"[object ArrayBuffer]\"]=_e[\"[object DataView]\"]=_e[\"[object Boolean]\"]=_e[\"[object Date]\"]=_e[\"[object Float32Array]\"]=_e[\"[object Float64Array]\"]=_e[\"[object Int8Array]\"]=_e[\"[object Int16Array]\"]=_e[\"[object Int32Array]\"]=_e[\"[object Map]\"]=_e[\"[object Number]\"]=_e[be]=_e[\"[object RegExp]\"]=_e[\"[object Set]\"]=_e[\"[object String]\"]=_e[\"[object Symbol]\"]=_e[\"[object Uint8Array]\"]=_e[\"[object Uint8ClampedArray]\"]=_e[\"[object Uint16Array]\"]=_e[\"[object Uint32Array]\"]=!0,_e[\"[object Error]\"]=_e[ye]=_e[\"[object WeakMap]\"]=!1,s.exports=function baseClone(s,o,i,Se,we,xe){var Pe,Te=1&o,Re=2&o,$e=4&o;if(i&&(Pe=we?i(s,Se,we,xe):i(s)),void 0!==Pe)return Pe;if(!ce(s))return s;var qe=ee(s);if(qe){if(Pe=z(s),!Te)return j(s,Pe)}else{var ze=V(s),We=ze==ye||\"[object GeneratorFunction]\"==ze;if(ie(s))return C(s,Te);if(ze==be||ze==fe||We&&!we){if(Pe=Re||We?{}:Z(s),!Te)return Re?B(s,x(Pe,s)):L(s,w(Pe,s))}else{if(!_e[ze])return we?s:{};Pe=Y(s,ze,Te)}}xe||(xe=new a);var He=xe.get(s);if(He)return He;xe.set(s,Pe),le(s)?s.forEach((function(a){Pe.add(baseClone(a,o,i,a,s,xe))})):ae(s)&&s.forEach((function(a,u){Pe.set(u,baseClone(a,o,i,u,s,xe))}));var Ye=qe?void 0:($e?Re?U:$:Re?de:pe)(s);return u(Ye||s,(function(a,u){Ye&&(a=s[u=a]),_(Pe,u,baseClone(a,o,i,u,s,xe))})),Pe}},10023:(s,o,i)=>{const a=i(6205),INTS=()=>[{type:a.RANGE,from:48,to:57}],WORDS=()=>[{type:a.CHAR,value:95},{type:a.RANGE,from:97,to:122},{type:a.RANGE,from:65,to:90}].concat(INTS()),WHITESPACE=()=>[{type:a.CHAR,value:9},{type:a.CHAR,value:10},{type:a.CHAR,value:11},{type:a.CHAR,value:12},{type:a.CHAR,value:13},{type:a.CHAR,value:32},{type:a.CHAR,value:160},{type:a.CHAR,value:5760},{type:a.RANGE,from:8192,to:8202},{type:a.CHAR,value:8232},{type:a.CHAR,value:8233},{type:a.CHAR,value:8239},{type:a.CHAR,value:8287},{type:a.CHAR,value:12288},{type:a.CHAR,value:65279}];o.words=()=>({type:a.SET,set:WORDS(),not:!1}),o.notWords=()=>({type:a.SET,set:WORDS(),not:!0}),o.ints=()=>({type:a.SET,set:INTS(),not:!1}),o.notInts=()=>({type:a.SET,set:INTS(),not:!0}),o.whitespace=()=>({type:a.SET,set:WHITESPACE(),not:!1}),o.notWhitespace=()=>({type:a.SET,set:WHITESPACE(),not:!0}),o.anyChar=()=>({type:a.SET,set:[{type:a.CHAR,value:10},{type:a.CHAR,value:13},{type:a.CHAR,value:8232},{type:a.CHAR,value:8233}],not:!0})},10043:(s,o,i)=>{\"use strict\";var a=i(54018),u=String,_=TypeError;s.exports=function(s){if(a(s))return s;throw new _(\"Can't set \"+u(s)+\" as a prototype\")}},10076:s=>{\"use strict\";s.exports=Function.prototype.call},10124:(s,o,i)=>{var a=i(9325);s.exports=function(){return a.Date.now()}},10300:(s,o,i)=>{\"use strict\";var a=i(13930),u=i(82159),_=i(36624),w=i(4640),x=i(73448),C=TypeError;s.exports=function(s,o){var i=arguments.length<2?x(s):o;if(u(i))return _(a(i,s));throw new C(w(s)+\" is not iterable\")}},10316:(s,o,i)=>{const a=i(2404),u=i(55973),_=i(92340);class Element{constructor(s,o,i){o&&(this.meta=o),i&&(this.attributes=i),this.content=s}freeze(){Object.isFrozen(this)||(this._meta&&(this.meta.parent=this,this.meta.freeze()),this._attributes&&(this.attributes.parent=this,this.attributes.freeze()),this.children.forEach((s=>{s.parent=this,s.freeze()}),this),this.content&&Array.isArray(this.content)&&Object.freeze(this.content),Object.freeze(this))}primitive(){}clone(){const s=new this.constructor;return s.element=this.element,this.meta.length&&(s._meta=this.meta.clone()),this.attributes.length&&(s._attributes=this.attributes.clone()),this.content?this.content.clone?s.content=this.content.clone():Array.isArray(this.content)?s.content=this.content.map((s=>s.clone())):s.content=this.content:s.content=this.content,s}toValue(){return this.content instanceof Element?this.content.toValue():this.content instanceof u?{key:this.content.key.toValue(),value:this.content.value?this.content.value.toValue():void 0}:this.content&&this.content.map?this.content.map((s=>s.toValue()),this):this.content}toRef(s){if(\"\"===this.id.toValue())throw Error(\"Cannot create reference to an element that does not contain an ID\");const o=new this.RefElement(this.id.toValue());return s&&(o.path=s),o}findRecursive(...s){if(arguments.length>1&&!this.isFrozen)throw new Error(\"Cannot find recursive with multiple element names without first freezing the element. Call `element.freeze()`\");const o=s.pop();let i=new _;const append=(s,o)=>(s.push(o),s),checkElement=(s,i)=>{i.element===o&&s.push(i);const a=i.findRecursive(o);return a&&a.reduce(append,s),i.content instanceof u&&(i.content.key&&checkElement(s,i.content.key),i.content.value&&checkElement(s,i.content.value)),s};return this.content&&(this.content.element&&checkElement(i,this.content),Array.isArray(this.content)&&this.content.reduce(checkElement,i)),s.isEmpty||(i=i.filter((o=>{let i=o.parents.map((s=>s.element));for(const o in s){const a=s[o],u=i.indexOf(a);if(-1===u)return!1;i=i.splice(0,u)}return!0}))),i}set(s){return this.content=s,this}equals(s){return a(this.toValue(),s)}getMetaProperty(s,o){if(!this.meta.hasKey(s)){if(this.isFrozen){const s=this.refract(o);return s.freeze(),s}this.meta.set(s,o)}return this.meta.get(s)}setMetaProperty(s,o){this.meta.set(s,o)}get element(){return this._storedElement||\"element\"}set element(s){this._storedElement=s}get content(){return this._content}set content(s){if(s instanceof Element)this._content=s;else if(s instanceof _)this.content=s.elements;else if(\"string\"==typeof s||\"number\"==typeof s||\"boolean\"==typeof s||\"null\"===s||null==s)this._content=s;else if(s instanceof u)this._content=s;else if(Array.isArray(s))this._content=s.map(this.refract);else{if(\"object\"!=typeof s)throw new Error(\"Cannot set content to given value\");this._content=Object.keys(s).map((o=>new this.MemberElement(o,s[o])))}}get meta(){if(!this._meta){if(this.isFrozen){const s=new this.ObjectElement;return s.freeze(),s}this._meta=new this.ObjectElement}return this._meta}set meta(s){s instanceof this.ObjectElement?this._meta=s:this.meta.set(s||{})}get attributes(){if(!this._attributes){if(this.isFrozen){const s=new this.ObjectElement;return s.freeze(),s}this._attributes=new this.ObjectElement}return this._attributes}set attributes(s){s instanceof this.ObjectElement?this._attributes=s:this.attributes.set(s||{})}get id(){return this.getMetaProperty(\"id\",\"\")}set id(s){this.setMetaProperty(\"id\",s)}get classes(){return this.getMetaProperty(\"classes\",[])}set classes(s){this.setMetaProperty(\"classes\",s)}get title(){return this.getMetaProperty(\"title\",\"\")}set title(s){this.setMetaProperty(\"title\",s)}get description(){return this.getMetaProperty(\"description\",\"\")}set description(s){this.setMetaProperty(\"description\",s)}get links(){return this.getMetaProperty(\"links\",[])}set links(s){this.setMetaProperty(\"links\",s)}get isFrozen(){return Object.isFrozen(this)}get parents(){let{parent:s}=this;const o=new _;for(;s;)o.push(s),s=s.parent;return o}get children(){if(Array.isArray(this.content))return new _(this.content);if(this.content instanceof u){const s=new _([this.content.key]);return this.content.value&&s.push(this.content.value),s}return this.content instanceof Element?new _([this.content]):new _}get recursiveChildren(){const s=new _;return this.children.forEach((o=>{s.push(o),o.recursiveChildren.forEach((o=>{s.push(o)}))})),s}}s.exports=Element},10392:s=>{s.exports=function getValue(s,o){return null==s?void 0:s[o]}},10487:(s,o,i)=>{\"use strict\";var a=i(96897),u=i(30655),_=i(73126),w=i(12205);s.exports=function callBind(s){var o=_(arguments),i=s.length-(arguments.length-1);return a(o,1+(i>0?i:0),!0)},u?u(s.exports,\"apply\",{value:w}):s.exports.apply=w},10776:(s,o,i)=>{var a=i(30756),u=i(95950);s.exports=function getMatchData(s){for(var o=u(s),i=o.length;i--;){var _=o[i],w=s[_];o[i]=[_,w,a(w)]}return o}},10866:(s,o,i)=>{const a=i(6048),u=i(92340);class ObjectSlice extends u{map(s,o){return this.elements.map((i=>s.bind(o)(i.value,i.key,i)))}filter(s,o){return new ObjectSlice(this.elements.filter((i=>s.bind(o)(i.value,i.key,i))))}reject(s,o){return this.filter(a(s.bind(o)))}forEach(s,o){return this.elements.forEach(((i,a)=>{s.bind(o)(i.value,i.key,i,a)}))}keys(){return this.map(((s,o)=>o.toValue()))}values(){return this.map((s=>s.toValue()))}}s.exports=ObjectSlice},11002:s=>{\"use strict\";s.exports=Function.prototype.apply},11042:(s,o,i)=>{\"use strict\";var a=i(85582),u=i(1907),_=i(24443),w=i(87170),x=i(36624),C=u([].concat);s.exports=a(\"Reflect\",\"ownKeys\")||function ownKeys(s){var o=_.f(x(s)),i=w.f;return i?C(o,i(s)):o}},11091:(s,o,i)=>{\"use strict\";var a=i(45951),u=i(76024),_=i(92361),w=i(62250),x=i(13846).f,C=i(7463),j=i(92046),L=i(28311),B=i(61626),$=i(49724);i(36128);var wrapConstructor=function(s){var Wrapper=function(o,i,a){if(this instanceof Wrapper){switch(arguments.length){case 0:return new s;case 1:return new s(o);case 2:return new s(o,i)}return new s(o,i,a)}return u(s,this,arguments)};return Wrapper.prototype=s.prototype,Wrapper};s.exports=function(s,o){var i,u,U,V,z,Y,Z,ee,ie,ae=s.target,ce=s.global,le=s.stat,pe=s.proto,de=ce?a:le?a[ae]:a[ae]&&a[ae].prototype,fe=ce?j:j[ae]||B(j,ae,{})[ae],ye=fe.prototype;for(V in o)u=!(i=C(ce?V:ae+(le?\".\":\"#\")+V,s.forced))&&de&&$(de,V),Y=fe[V],u&&(Z=s.dontCallGetSet?(ie=x(de,V))&&ie.value:de[V]),z=u&&Z?Z:o[V],(i||pe||typeof Y!=typeof z)&&(ee=s.bind&&u?L(z,a):s.wrap&&u?wrapConstructor(z):pe&&w(z)?_(z):z,(s.sham||z&&z.sham||Y&&Y.sham)&&B(ee,\"sham\",!0),B(fe,V,ee),pe&&($(j,U=ae+\"Prototype\")||B(j,U,{}),B(j[U],V,z),s.real&&ye&&(i||!ye[V])&&B(ye,V,z)))}},11287:s=>{s.exports=function getHolder(s){return s.placeholder}},11331:(s,o,i)=>{var a=i(72552),u=i(28879),_=i(40346),w=Function.prototype,x=Object.prototype,C=w.toString,j=x.hasOwnProperty,L=C.call(Object);s.exports=function isPlainObject(s){if(!_(s)||\"[object Object]\"!=a(s))return!1;var o=u(s);if(null===o)return!0;var i=j.call(o,\"constructor\")&&o.constructor;return\"function\"==typeof i&&i instanceof i&&C.call(i)==L}},11470:(s,o,i)=>{\"use strict\";var a=i(1907),u=i(65482),_=i(90160),w=i(74239),x=a(\"\".charAt),C=a(\"\".charCodeAt),j=a(\"\".slice),createMethod=function(s){return function(o,i){var a,L,B=_(w(o)),$=u(i),U=B.length;return $<0||$>=U?s?\"\":void 0:(a=C(B,$))<55296||a>56319||$+1===U||(L=C(B,$+1))<56320||L>57343?s?x(B,$):a:s?j(B,$,$+2):L-56320+(a-55296<<10)+65536}};s.exports={codeAt:createMethod(!1),charAt:createMethod(!0)}},11842:(s,o,i)=>{var a=i(82819),u=i(9325);s.exports=function createBind(s,o,i){var _=1&o,w=a(s);return function wrapper(){return(this&&this!==u&&this instanceof wrapper?w:s).apply(_?i:this,arguments)}}},12205:(s,o,i)=>{\"use strict\";var a=i(66743),u=i(11002),_=i(13144);s.exports=function applyBind(){return _(a,u,arguments)}},12242:(s,o,i)=>{const a=i(10316);s.exports=class BooleanElement extends a{constructor(s,o,i){super(s,o,i),this.element=\"boolean\"}primitive(){return\"boolean\"}}},12507:(s,o,i)=>{var a=i(28754),u=i(49698),_=i(63912),w=i(13222);s.exports=function createCaseFirst(s){return function(o){o=w(o);var i=u(o)?_(o):void 0,x=i?i[0]:o.charAt(0),C=i?a(i,1).join(\"\"):o.slice(1);return x[s]()+C}}},12560:(s,o,i)=>{\"use strict\";i(99363);var a=i(19287),u=i(45951),_=i(14840),w=i(93742);for(var x in a)_(u[x],x),w[x]=w.Array},12651:(s,o,i)=>{var a=i(74218);s.exports=function getMapData(s,o){var i=s.__data__;return a(o)?i[\"string\"==typeof o?\"string\":\"hash\"]:i.map}},12749:(s,o,i)=>{var a=i(81042),u=Object.prototype.hasOwnProperty;s.exports=function hashHas(s){var o=this.__data__;return a?void 0!==o[s]:u.call(o,s)}},13144:(s,o,i)=>{\"use strict\";var a=i(66743),u=i(11002),_=i(10076),w=i(47119);s.exports=w||a.call(_,u)},13222:(s,o,i)=>{var a=i(77556);s.exports=function toString(s){return null==s?\"\":a(s)}},13846:(s,o,i)=>{\"use strict\";var a=i(39447),u=i(13930),_=i(22574),w=i(75817),x=i(4993),C=i(70470),j=i(49724),L=i(73648),B=Object.getOwnPropertyDescriptor;o.f=a?B:function getOwnPropertyDescriptor(s,o){if(s=x(s),o=C(o),L)try{return B(s,o)}catch(s){}if(j(s,o))return w(!u(_.f,s,o),s[o])}},13930:(s,o,i)=>{\"use strict\";var a=i(41505),u=Function.prototype.call;s.exports=a?u.bind(u):function(){return u.apply(u,arguments)}},14248:s=>{s.exports=function arraySome(s,o){for(var i=-1,a=null==s?0:s.length;++i{s.exports=function arrayPush(s,o){for(var i=-1,a=o.length,u=s.length;++i{const a=i(10316);s.exports=class RefElement extends a{constructor(s,o,i){super(s||[],o,i),this.element=\"ref\",this.path||(this.path=\"element\")}get path(){return this.attributes.get(\"path\")}set path(s){this.attributes.set(\"path\",s)}}},14744:s=>{\"use strict\";var o=function isMergeableObject(s){return function isNonNullObject(s){return!!s&&\"object\"==typeof s}(s)&&!function isSpecial(s){var o=Object.prototype.toString.call(s);return\"[object RegExp]\"===o||\"[object Date]\"===o||function isReactElement(s){return s.$$typeof===i}(s)}(s)};var i=\"function\"==typeof Symbol&&Symbol.for?Symbol.for(\"react.element\"):60103;function cloneUnlessOtherwiseSpecified(s,o){return!1!==o.clone&&o.isMergeableObject(s)?deepmerge(function emptyTarget(s){return Array.isArray(s)?[]:{}}(s),s,o):s}function defaultArrayMerge(s,o,i){return s.concat(o).map((function(s){return cloneUnlessOtherwiseSpecified(s,i)}))}function getKeys(s){return Object.keys(s).concat(function getEnumerableOwnPropertySymbols(s){return Object.getOwnPropertySymbols?Object.getOwnPropertySymbols(s).filter((function(o){return Object.propertyIsEnumerable.call(s,o)})):[]}(s))}function propertyIsOnObject(s,o){try{return o in s}catch(s){return!1}}function mergeObject(s,o,i){var a={};return i.isMergeableObject(s)&&getKeys(s).forEach((function(o){a[o]=cloneUnlessOtherwiseSpecified(s[o],i)})),getKeys(o).forEach((function(u){(function propertyIsUnsafe(s,o){return propertyIsOnObject(s,o)&&!(Object.hasOwnProperty.call(s,o)&&Object.propertyIsEnumerable.call(s,o))})(s,u)||(propertyIsOnObject(s,u)&&i.isMergeableObject(o[u])?a[u]=function getMergeFunction(s,o){if(!o.customMerge)return deepmerge;var i=o.customMerge(s);return\"function\"==typeof i?i:deepmerge}(u,i)(s[u],o[u],i):a[u]=cloneUnlessOtherwiseSpecified(o[u],i))})),a}function deepmerge(s,i,a){(a=a||{}).arrayMerge=a.arrayMerge||defaultArrayMerge,a.isMergeableObject=a.isMergeableObject||o,a.cloneUnlessOtherwiseSpecified=cloneUnlessOtherwiseSpecified;var u=Array.isArray(i);return u===Array.isArray(s)?u?a.arrayMerge(s,i,a):mergeObject(s,i,a):cloneUnlessOtherwiseSpecified(i,a)}deepmerge.all=function deepmergeAll(s,o){if(!Array.isArray(s))throw new Error(\"first argument should be an array\");return s.reduce((function(s,i){return deepmerge(s,i,o)}),{})};var a=deepmerge;s.exports=a},14792:(s,o,i)=>{var a=i(13222),u=i(55808);s.exports=function capitalize(s){return u(a(s).toLowerCase())}},14840:(s,o,i)=>{\"use strict\";var a=i(52623),u=i(74284).f,_=i(61626),w=i(49724),x=i(54878),C=i(76264)(\"toStringTag\");s.exports=function(s,o,i,j){var L=i?s:s&&s.prototype;L&&(w(L,C)||u(L,C,{configurable:!0,value:o}),j&&!a&&_(L,\"toString\",x))}},14974:s=>{s.exports=function safeGet(s,o){if((\"constructor\"!==o||\"function\"!=typeof s[o])&&\"__proto__\"!=o)return s[o]}},15287:(s,o)=>{\"use strict\";var i=Symbol.for(\"react.element\"),a=Symbol.for(\"react.portal\"),u=Symbol.for(\"react.fragment\"),_=Symbol.for(\"react.strict_mode\"),w=Symbol.for(\"react.profiler\"),x=Symbol.for(\"react.provider\"),C=Symbol.for(\"react.context\"),j=Symbol.for(\"react.forward_ref\"),L=Symbol.for(\"react.suspense\"),B=Symbol.for(\"react.memo\"),$=Symbol.for(\"react.lazy\"),U=Symbol.iterator;var V={isMounted:function(){return!1},enqueueForceUpdate:function(){},enqueueReplaceState:function(){},enqueueSetState:function(){}},z=Object.assign,Y={};function E(s,o,i){this.props=s,this.context=o,this.refs=Y,this.updater=i||V}function F(){}function G(s,o,i){this.props=s,this.context=o,this.refs=Y,this.updater=i||V}E.prototype.isReactComponent={},E.prototype.setState=function(s,o){if(\"object\"!=typeof s&&\"function\"!=typeof s&&null!=s)throw Error(\"setState(...): takes an object of state variables to update or a function which returns an object of state variables.\");this.updater.enqueueSetState(this,s,o,\"setState\")},E.prototype.forceUpdate=function(s){this.updater.enqueueForceUpdate(this,s,\"forceUpdate\")},F.prototype=E.prototype;var Z=G.prototype=new F;Z.constructor=G,z(Z,E.prototype),Z.isPureReactComponent=!0;var ee=Array.isArray,ie=Object.prototype.hasOwnProperty,ae={current:null},ce={key:!0,ref:!0,__self:!0,__source:!0};function M(s,o,a){var u,_={},w=null,x=null;if(null!=o)for(u in void 0!==o.ref&&(x=o.ref),void 0!==o.key&&(w=\"\"+o.key),o)ie.call(o,u)&&!ce.hasOwnProperty(u)&&(_[u]=o[u]);var C=arguments.length-2;if(1===C)_.children=a;else if(1{var a=i(96131);s.exports=function arrayIncludes(s,o){return!!(null==s?0:s.length)&&a(s,o,0)>-1}},15340:()=>{},15377:(s,o,i)=>{\"use strict\";var a=i(92861).Buffer,u=i(64634),_=i(74372),w=ArrayBuffer.isView||function isView(s){try{return _(s),!0}catch(s){return!1}},x=\"undefined\"!=typeof Uint8Array,C=\"undefined\"!=typeof ArrayBuffer&&\"undefined\"!=typeof Uint8Array,j=C&&(a.prototype instanceof Uint8Array||a.TYPED_ARRAY_SUPPORT);s.exports=function toBuffer(s,o){if(s instanceof a)return s;if(\"string\"==typeof s)return a.from(s,o);if(C&&w(s)){if(0===s.byteLength)return a.alloc(0);if(j){var i=a.from(s.buffer,s.byteOffset,s.byteLength);if(i.byteLength===s.byteLength)return i}var _=s instanceof Uint8Array?s:new Uint8Array(s.buffer,s.byteOffset,s.byteLength),L=a.from(_);if(L.length===s.byteLength)return L}if(x&&s instanceof Uint8Array)return a.from(s);var B=u(s);if(B)for(var $=0;$255||~~U!==U)throw new RangeError(\"Array items must be numbers in the range 0-255.\")}if(B||a.isBuffer(s)&&s.constructor&&\"function\"==typeof s.constructor.isBuffer&&s.constructor.isBuffer(s))return a.from(s);throw new TypeError('The \"data\" argument must be a string, an Array, a Buffer, a Uint8Array, or a DataView.')}},15389:(s,o,i)=>{var a=i(93663),u=i(87978),_=i(83488),w=i(56449),x=i(50583);s.exports=function baseIteratee(s){return\"function\"==typeof s?s:null==s?_:\"object\"==typeof s?w(s)?u(s[0],s[1]):a(s):x(s)}},15972:(s,o,i)=>{\"use strict\";var a=i(49724),u=i(62250),_=i(39298),w=i(92522),x=i(57382),C=w(\"IE_PROTO\"),j=Object,L=j.prototype;s.exports=x?j.getPrototypeOf:function(s){var o=_(s);if(a(o,C))return o[C];var i=o.constructor;return u(i)&&o instanceof i?i.prototype:o instanceof j?L:null}},16038:(s,o,i)=>{var a=i(5861),u=i(40346);s.exports=function baseIsSet(s){return u(s)&&\"[object Set]\"==a(s)}},16426:s=>{s.exports=function(){var s=document.getSelection();if(!s.rangeCount)return function(){};for(var o=document.activeElement,i=[],a=0;a{var a=i(43360),u=i(75288),_=Object.prototype.hasOwnProperty;s.exports=function assignValue(s,o,i){var w=s[o];_.call(s,o)&&u(w,i)&&(void 0!==i||o in s)||a(s,o,i)}},16708:(s,o,i)=>{\"use strict\";var a,u=i(65606);function CorkedRequest(s){var o=this;this.next=null,this.entry=null,this.finish=function(){!function onCorkedFinish(s,o,i){var a=s.entry;s.entry=null;for(;a;){var u=a.callback;o.pendingcb--,u(i),a=a.next}o.corkedRequestsFree.next=s}(o,s)}}s.exports=Writable,Writable.WritableState=WritableState;var _={deprecate:i(94643)},w=i(40345),x=i(48287).Buffer,C=(void 0!==i.g?i.g:\"undefined\"!=typeof window?window:\"undefined\"!=typeof self?self:{}).Uint8Array||function(){};var j,L=i(75896),B=i(65291).getHighWaterMark,$=i(86048).F,U=$.ERR_INVALID_ARG_TYPE,V=$.ERR_METHOD_NOT_IMPLEMENTED,z=$.ERR_MULTIPLE_CALLBACK,Y=$.ERR_STREAM_CANNOT_PIPE,Z=$.ERR_STREAM_DESTROYED,ee=$.ERR_STREAM_NULL_VALUES,ie=$.ERR_STREAM_WRITE_AFTER_END,ae=$.ERR_UNKNOWN_ENCODING,ce=L.errorOrDestroy;function nop(){}function WritableState(s,o,_){a=a||i(25382),s=s||{},\"boolean\"!=typeof _&&(_=o instanceof a),this.objectMode=!!s.objectMode,_&&(this.objectMode=this.objectMode||!!s.writableObjectMode),this.highWaterMark=B(this,s,\"writableHighWaterMark\",_),this.finalCalled=!1,this.needDrain=!1,this.ending=!1,this.ended=!1,this.finished=!1,this.destroyed=!1;var w=!1===s.decodeStrings;this.decodeStrings=!w,this.defaultEncoding=s.defaultEncoding||\"utf8\",this.length=0,this.writing=!1,this.corked=0,this.sync=!0,this.bufferProcessing=!1,this.onwrite=function(s){!function onwrite(s,o){var i=s._writableState,a=i.sync,_=i.writecb;if(\"function\"!=typeof _)throw new z;if(function onwriteStateUpdate(s){s.writing=!1,s.writecb=null,s.length-=s.writelen,s.writelen=0}(i),o)!function onwriteError(s,o,i,a,_){--o.pendingcb,i?(u.nextTick(_,a),u.nextTick(finishMaybe,s,o),s._writableState.errorEmitted=!0,ce(s,a)):(_(a),s._writableState.errorEmitted=!0,ce(s,a),finishMaybe(s,o))}(s,i,a,o,_);else{var w=needFinish(i)||s.destroyed;w||i.corked||i.bufferProcessing||!i.bufferedRequest||clearBuffer(s,i),a?u.nextTick(afterWrite,s,i,w,_):afterWrite(s,i,w,_)}}(o,s)},this.writecb=null,this.writelen=0,this.bufferedRequest=null,this.lastBufferedRequest=null,this.pendingcb=0,this.prefinished=!1,this.errorEmitted=!1,this.emitClose=!1!==s.emitClose,this.autoDestroy=!!s.autoDestroy,this.bufferedRequestCount=0,this.corkedRequestsFree=new CorkedRequest(this)}function Writable(s){var o=this instanceof(a=a||i(25382));if(!o&&!j.call(Writable,this))return new Writable(s);this._writableState=new WritableState(s,this,o),this.writable=!0,s&&(\"function\"==typeof s.write&&(this._write=s.write),\"function\"==typeof s.writev&&(this._writev=s.writev),\"function\"==typeof s.destroy&&(this._destroy=s.destroy),\"function\"==typeof s.final&&(this._final=s.final)),w.call(this)}function doWrite(s,o,i,a,u,_,w){o.writelen=a,o.writecb=w,o.writing=!0,o.sync=!0,o.destroyed?o.onwrite(new Z(\"write\")):i?s._writev(u,o.onwrite):s._write(u,_,o.onwrite),o.sync=!1}function afterWrite(s,o,i,a){i||function onwriteDrain(s,o){0===o.length&&o.needDrain&&(o.needDrain=!1,s.emit(\"drain\"))}(s,o),o.pendingcb--,a(),finishMaybe(s,o)}function clearBuffer(s,o){o.bufferProcessing=!0;var i=o.bufferedRequest;if(s._writev&&i&&i.next){var a=o.bufferedRequestCount,u=new Array(a),_=o.corkedRequestsFree;_.entry=i;for(var w=0,x=!0;i;)u[w]=i,i.isBuf||(x=!1),i=i.next,w+=1;u.allBuffers=x,doWrite(s,o,!0,o.length,u,\"\",_.finish),o.pendingcb++,o.lastBufferedRequest=null,_.next?(o.corkedRequestsFree=_.next,_.next=null):o.corkedRequestsFree=new CorkedRequest(o),o.bufferedRequestCount=0}else{for(;i;){var C=i.chunk,j=i.encoding,L=i.callback;if(doWrite(s,o,!1,o.objectMode?1:C.length,C,j,L),i=i.next,o.bufferedRequestCount--,o.writing)break}null===i&&(o.lastBufferedRequest=null)}o.bufferedRequest=i,o.bufferProcessing=!1}function needFinish(s){return s.ending&&0===s.length&&null===s.bufferedRequest&&!s.finished&&!s.writing}function callFinal(s,o){s._final((function(i){o.pendingcb--,i&&ce(s,i),o.prefinished=!0,s.emit(\"prefinish\"),finishMaybe(s,o)}))}function finishMaybe(s,o){var i=needFinish(o);if(i&&(function prefinish(s,o){o.prefinished||o.finalCalled||(\"function\"!=typeof s._final||o.destroyed?(o.prefinished=!0,s.emit(\"prefinish\")):(o.pendingcb++,o.finalCalled=!0,u.nextTick(callFinal,s,o)))}(s,o),0===o.pendingcb&&(o.finished=!0,s.emit(\"finish\"),o.autoDestroy))){var a=s._readableState;(!a||a.autoDestroy&&a.endEmitted)&&s.destroy()}return i}i(56698)(Writable,w),WritableState.prototype.getBuffer=function getBuffer(){for(var s=this.bufferedRequest,o=[];s;)o.push(s),s=s.next;return o},function(){try{Object.defineProperty(WritableState.prototype,\"buffer\",{get:_.deprecate((function writableStateBufferGetter(){return this.getBuffer()}),\"_writableState.buffer is deprecated. Use _writableState.getBuffer instead.\",\"DEP0003\")})}catch(s){}}(),\"function\"==typeof Symbol&&Symbol.hasInstance&&\"function\"==typeof Function.prototype[Symbol.hasInstance]?(j=Function.prototype[Symbol.hasInstance],Object.defineProperty(Writable,Symbol.hasInstance,{value:function value(s){return!!j.call(this,s)||this===Writable&&(s&&s._writableState instanceof WritableState)}})):j=function realHasInstance(s){return s instanceof this},Writable.prototype.pipe=function(){ce(this,new Y)},Writable.prototype.write=function(s,o,i){var a=this._writableState,_=!1,w=!a.objectMode&&function _isUint8Array(s){return x.isBuffer(s)||s instanceof C}(s);return w&&!x.isBuffer(s)&&(s=function _uint8ArrayToBuffer(s){return x.from(s)}(s)),\"function\"==typeof o&&(i=o,o=null),w?o=\"buffer\":o||(o=a.defaultEncoding),\"function\"!=typeof i&&(i=nop),a.ending?function writeAfterEnd(s,o){var i=new ie;ce(s,i),u.nextTick(o,i)}(this,i):(w||function validChunk(s,o,i,a){var _;return null===i?_=new ee:\"string\"==typeof i||o.objectMode||(_=new U(\"chunk\",[\"string\",\"Buffer\"],i)),!_||(ce(s,_),u.nextTick(a,_),!1)}(this,a,s,i))&&(a.pendingcb++,_=function writeOrBuffer(s,o,i,a,u,_){if(!i){var w=function decodeChunk(s,o,i){s.objectMode||!1===s.decodeStrings||\"string\"!=typeof o||(o=x.from(o,i));return o}(o,a,u);a!==w&&(i=!0,u=\"buffer\",a=w)}var C=o.objectMode?1:a.length;o.length+=C;var j=o.length-1))throw new ae(s);return this._writableState.defaultEncoding=s,this},Object.defineProperty(Writable.prototype,\"writableBuffer\",{enumerable:!1,get:function get(){return this._writableState&&this._writableState.getBuffer()}}),Object.defineProperty(Writable.prototype,\"writableHighWaterMark\",{enumerable:!1,get:function get(){return this._writableState.highWaterMark}}),Writable.prototype._write=function(s,o,i){i(new V(\"_write()\"))},Writable.prototype._writev=null,Writable.prototype.end=function(s,o,i){var a=this._writableState;return\"function\"==typeof s?(i=s,s=null,o=null):\"function\"==typeof o&&(i=o,o=null),null!=s&&this.write(s,o),a.corked&&(a.corked=1,this.uncork()),a.ending||function endWritable(s,o,i){o.ending=!0,finishMaybe(s,o),i&&(o.finished?u.nextTick(i):s.once(\"finish\",i));o.ended=!0,s.writable=!1}(this,a,i),this},Object.defineProperty(Writable.prototype,\"writableLength\",{enumerable:!1,get:function get(){return this._writableState.length}}),Object.defineProperty(Writable.prototype,\"destroyed\",{enumerable:!1,get:function get(){return void 0!==this._writableState&&this._writableState.destroyed},set:function set(s){this._writableState&&(this._writableState.destroyed=s)}}),Writable.prototype.destroy=L.destroy,Writable.prototype._undestroy=L.undestroy,Writable.prototype._destroy=function(s,o){o(s)}},16946:(s,o,i)=>{\"use strict\";var a=i(1907),u=i(98828),_=i(45807),w=Object,x=a(\"\".split);s.exports=u((function(){return!w(\"z\").propertyIsEnumerable(0)}))?function(s){return\"String\"===_(s)?x(s,\"\"):w(s)}:w},16962:(s,o)=>{o.aliasToReal={each:\"forEach\",eachRight:\"forEachRight\",entries:\"toPairs\",entriesIn:\"toPairsIn\",extend:\"assignIn\",extendAll:\"assignInAll\",extendAllWith:\"assignInAllWith\",extendWith:\"assignInWith\",first:\"head\",conforms:\"conformsTo\",matches:\"isMatch\",property:\"get\",__:\"placeholder\",F:\"stubFalse\",T:\"stubTrue\",all:\"every\",allPass:\"overEvery\",always:\"constant\",any:\"some\",anyPass:\"overSome\",apply:\"spread\",assoc:\"set\",assocPath:\"set\",complement:\"negate\",compose:\"flowRight\",contains:\"includes\",dissoc:\"unset\",dissocPath:\"unset\",dropLast:\"dropRight\",dropLastWhile:\"dropRightWhile\",equals:\"isEqual\",identical:\"eq\",indexBy:\"keyBy\",init:\"initial\",invertObj:\"invert\",juxt:\"over\",omitAll:\"omit\",nAry:\"ary\",path:\"get\",pathEq:\"matchesProperty\",pathOr:\"getOr\",paths:\"at\",pickAll:\"pick\",pipe:\"flow\",pluck:\"map\",prop:\"get\",propEq:\"matchesProperty\",propOr:\"getOr\",props:\"at\",symmetricDifference:\"xor\",symmetricDifferenceBy:\"xorBy\",symmetricDifferenceWith:\"xorWith\",takeLast:\"takeRight\",takeLastWhile:\"takeRightWhile\",unapply:\"rest\",unnest:\"flatten\",useWith:\"overArgs\",where:\"conformsTo\",whereEq:\"isMatch\",zipObj:\"zipObject\"},o.aryMethod={1:[\"assignAll\",\"assignInAll\",\"attempt\",\"castArray\",\"ceil\",\"create\",\"curry\",\"curryRight\",\"defaultsAll\",\"defaultsDeepAll\",\"floor\",\"flow\",\"flowRight\",\"fromPairs\",\"invert\",\"iteratee\",\"memoize\",\"method\",\"mergeAll\",\"methodOf\",\"mixin\",\"nthArg\",\"over\",\"overEvery\",\"overSome\",\"rest\",\"reverse\",\"round\",\"runInContext\",\"spread\",\"template\",\"trim\",\"trimEnd\",\"trimStart\",\"uniqueId\",\"words\",\"zipAll\"],2:[\"add\",\"after\",\"ary\",\"assign\",\"assignAllWith\",\"assignIn\",\"assignInAllWith\",\"at\",\"before\",\"bind\",\"bindAll\",\"bindKey\",\"chunk\",\"cloneDeepWith\",\"cloneWith\",\"concat\",\"conformsTo\",\"countBy\",\"curryN\",\"curryRightN\",\"debounce\",\"defaults\",\"defaultsDeep\",\"defaultTo\",\"delay\",\"difference\",\"divide\",\"drop\",\"dropRight\",\"dropRightWhile\",\"dropWhile\",\"endsWith\",\"eq\",\"every\",\"filter\",\"find\",\"findIndex\",\"findKey\",\"findLast\",\"findLastIndex\",\"findLastKey\",\"flatMap\",\"flatMapDeep\",\"flattenDepth\",\"forEach\",\"forEachRight\",\"forIn\",\"forInRight\",\"forOwn\",\"forOwnRight\",\"get\",\"groupBy\",\"gt\",\"gte\",\"has\",\"hasIn\",\"includes\",\"indexOf\",\"intersection\",\"invertBy\",\"invoke\",\"invokeMap\",\"isEqual\",\"isMatch\",\"join\",\"keyBy\",\"lastIndexOf\",\"lt\",\"lte\",\"map\",\"mapKeys\",\"mapValues\",\"matchesProperty\",\"maxBy\",\"meanBy\",\"merge\",\"mergeAllWith\",\"minBy\",\"multiply\",\"nth\",\"omit\",\"omitBy\",\"overArgs\",\"pad\",\"padEnd\",\"padStart\",\"parseInt\",\"partial\",\"partialRight\",\"partition\",\"pick\",\"pickBy\",\"propertyOf\",\"pull\",\"pullAll\",\"pullAt\",\"random\",\"range\",\"rangeRight\",\"rearg\",\"reject\",\"remove\",\"repeat\",\"restFrom\",\"result\",\"sampleSize\",\"some\",\"sortBy\",\"sortedIndex\",\"sortedIndexOf\",\"sortedLastIndex\",\"sortedLastIndexOf\",\"sortedUniqBy\",\"split\",\"spreadFrom\",\"startsWith\",\"subtract\",\"sumBy\",\"take\",\"takeRight\",\"takeRightWhile\",\"takeWhile\",\"tap\",\"throttle\",\"thru\",\"times\",\"trimChars\",\"trimCharsEnd\",\"trimCharsStart\",\"truncate\",\"union\",\"uniqBy\",\"uniqWith\",\"unset\",\"unzipWith\",\"without\",\"wrap\",\"xor\",\"zip\",\"zipObject\",\"zipObjectDeep\"],3:[\"assignInWith\",\"assignWith\",\"clamp\",\"differenceBy\",\"differenceWith\",\"findFrom\",\"findIndexFrom\",\"findLastFrom\",\"findLastIndexFrom\",\"getOr\",\"includesFrom\",\"indexOfFrom\",\"inRange\",\"intersectionBy\",\"intersectionWith\",\"invokeArgs\",\"invokeArgsMap\",\"isEqualWith\",\"isMatchWith\",\"flatMapDepth\",\"lastIndexOfFrom\",\"mergeWith\",\"orderBy\",\"padChars\",\"padCharsEnd\",\"padCharsStart\",\"pullAllBy\",\"pullAllWith\",\"rangeStep\",\"rangeStepRight\",\"reduce\",\"reduceRight\",\"replace\",\"set\",\"slice\",\"sortedIndexBy\",\"sortedLastIndexBy\",\"transform\",\"unionBy\",\"unionWith\",\"update\",\"xorBy\",\"xorWith\",\"zipWith\"],4:[\"fill\",\"setWith\",\"updateWith\"]},o.aryRearg={2:[1,0],3:[2,0,1],4:[3,2,0,1]},o.iterateeAry={dropRightWhile:1,dropWhile:1,every:1,filter:1,find:1,findFrom:1,findIndex:1,findIndexFrom:1,findKey:1,findLast:1,findLastFrom:1,findLastIndex:1,findLastIndexFrom:1,findLastKey:1,flatMap:1,flatMapDeep:1,flatMapDepth:1,forEach:1,forEachRight:1,forIn:1,forInRight:1,forOwn:1,forOwnRight:1,map:1,mapKeys:1,mapValues:1,partition:1,reduce:2,reduceRight:2,reject:1,remove:1,some:1,takeRightWhile:1,takeWhile:1,times:1,transform:2},o.iterateeRearg={mapKeys:[1],reduceRight:[1,0]},o.methodRearg={assignInAllWith:[1,0],assignInWith:[1,2,0],assignAllWith:[1,0],assignWith:[1,2,0],differenceBy:[1,2,0],differenceWith:[1,2,0],getOr:[2,1,0],intersectionBy:[1,2,0],intersectionWith:[1,2,0],isEqualWith:[1,2,0],isMatchWith:[2,1,0],mergeAllWith:[1,0],mergeWith:[1,2,0],padChars:[2,1,0],padCharsEnd:[2,1,0],padCharsStart:[2,1,0],pullAllBy:[2,1,0],pullAllWith:[2,1,0],rangeStep:[1,2,0],rangeStepRight:[1,2,0],setWith:[3,1,2,0],sortedIndexBy:[2,1,0],sortedLastIndexBy:[2,1,0],unionBy:[1,2,0],unionWith:[1,2,0],updateWith:[3,1,2,0],xorBy:[1,2,0],xorWith:[1,2,0],zipWith:[1,2,0]},o.methodSpread={assignAll:{start:0},assignAllWith:{start:0},assignInAll:{start:0},assignInAllWith:{start:0},defaultsAll:{start:0},defaultsDeepAll:{start:0},invokeArgs:{start:2},invokeArgsMap:{start:2},mergeAll:{start:0},mergeAllWith:{start:0},partial:{start:1},partialRight:{start:1},without:{start:1},zipAll:{start:0}},o.mutate={array:{fill:!0,pull:!0,pullAll:!0,pullAllBy:!0,pullAllWith:!0,pullAt:!0,remove:!0,reverse:!0},object:{assign:!0,assignAll:!0,assignAllWith:!0,assignIn:!0,assignInAll:!0,assignInAllWith:!0,assignInWith:!0,assignWith:!0,defaults:!0,defaultsAll:!0,defaultsDeep:!0,defaultsDeepAll:!0,merge:!0,mergeAll:!0,mergeAllWith:!0,mergeWith:!0},set:{set:!0,setWith:!0,unset:!0,update:!0,updateWith:!0}},o.realToAlias=function(){var s=Object.prototype.hasOwnProperty,i=o.aliasToReal,a={};for(var u in i){var _=i[u];s.call(a,_)?a[_].push(u):a[_]=[u]}return a}(),o.remap={assignAll:\"assign\",assignAllWith:\"assignWith\",assignInAll:\"assignIn\",assignInAllWith:\"assignInWith\",curryN:\"curry\",curryRightN:\"curryRight\",defaultsAll:\"defaults\",defaultsDeepAll:\"defaultsDeep\",findFrom:\"find\",findIndexFrom:\"findIndex\",findLastFrom:\"findLast\",findLastIndexFrom:\"findLastIndex\",getOr:\"get\",includesFrom:\"includes\",indexOfFrom:\"indexOf\",invokeArgs:\"invoke\",invokeArgsMap:\"invokeMap\",lastIndexOfFrom:\"lastIndexOf\",mergeAll:\"merge\",mergeAllWith:\"mergeWith\",padChars:\"pad\",padCharsEnd:\"padEnd\",padCharsStart:\"padStart\",propertyOf:\"get\",rangeStep:\"range\",rangeStepRight:\"rangeRight\",restFrom:\"rest\",spreadFrom:\"spread\",trimChars:\"trim\",trimCharsEnd:\"trimEnd\",trimCharsStart:\"trimStart\",zipAll:\"zip\"},o.skipFixed={castArray:!0,flow:!0,flowRight:!0,iteratee:!0,mixin:!0,rearg:!0,runInContext:!0},o.skipRearg={add:!0,assign:!0,assignIn:!0,bind:!0,bindKey:!0,concat:!0,difference:!0,divide:!0,eq:!0,gt:!0,gte:!0,isEqual:!0,lt:!0,lte:!0,matchesProperty:!0,merge:!0,multiply:!0,overArgs:!0,partial:!0,partialRight:!0,propertyOf:!0,random:!0,range:!0,rangeRight:!0,subtract:!0,zip:!0,zipObject:!0,zipObjectDeep:!0}},17255:(s,o,i)=>{var a=i(47422);s.exports=function basePropertyDeep(s){return function(o){return a(o,s)}}},17285:s=>{function source(s){return s?\"string\"==typeof s?s:s.source:null}function lookahead(s){return concat(\"(?=\",s,\")\")}function concat(...s){return s.map((s=>source(s))).join(\"\")}function either(...s){return\"(\"+s.map((s=>source(s))).join(\"|\")+\")\"}s.exports=function xml(s){const o=concat(/[A-Z_]/,function optional(s){return concat(\"(\",s,\")?\")}(/[A-Z0-9_.-]*:/),/[A-Z0-9_.-]*/),i={className:\"symbol\",begin:/&[a-z]+;|&#[0-9]+;|&#x[a-f0-9]+;/},a={begin:/\\s/,contains:[{className:\"meta-keyword\",begin:/#?[a-z_][a-z1-9_-]+/,illegal:/\\n/}]},u=s.inherit(a,{begin:/\\(/,end:/\\)/}),_=s.inherit(s.APOS_STRING_MODE,{className:\"meta-string\"}),w=s.inherit(s.QUOTE_STRING_MODE,{className:\"meta-string\"}),x={endsWithParent:!0,illegal:/`]+/}]}]}]};return{name:\"HTML, XML\",aliases:[\"html\",\"xhtml\",\"rss\",\"atom\",\"xjb\",\"xsd\",\"xsl\",\"plist\",\"wsf\",\"svg\"],case_insensitive:!0,contains:[{className:\"meta\",begin://,relevance:10,contains:[a,w,_,u,{begin:/\\[/,end:/\\]/,contains:[{className:\"meta\",begin://,contains:[a,u,w,_]}]}]},s.COMMENT(//,{relevance:10}),{begin://,relevance:10},i,{className:\"meta\",begin:/<\\?xml/,end:/\\?>/,relevance:10},{className:\"tag\",begin:/)/,end:/>/,keywords:{name:\"style\"},contains:[x],starts:{end:/<\\/style>/,returnEnd:!0,subLanguage:[\"css\",\"xml\"]}},{className:\"tag\",begin:/)/,end:/>/,keywords:{name:\"script\"},contains:[x],starts:{end:/<\\/script>/,returnEnd:!0,subLanguage:[\"javascript\",\"handlebars\",\"xml\"]}},{className:\"tag\",begin:/<>|<\\/>/},{className:\"tag\",begin:concat(//,/>/,/\\s/)))),end:/\\/?>/,contains:[{className:\"name\",begin:o,relevance:0,starts:x}]},{className:\"tag\",begin:concat(/<\\//,lookahead(concat(o,/>/))),contains:[{className:\"name\",begin:o,relevance:0},{begin:/>/,relevance:0,endsParent:!0}]}]}}},17400:(s,o,i)=>{var a=i(99374),u=1/0;s.exports=function toFinite(s){return s?(s=a(s))===u||s===-1/0?17976931348623157e292*(s<0?-1:1):s==s?s:0:0===s?s:0}},17533:s=>{s.exports=function yaml(s){var o=\"true false yes no null\",i=\"[\\\\w#;/?:@&=+$,.~*'()[\\\\]]+\",a={className:\"string\",relevance:0,variants:[{begin:/'/,end:/'/},{begin:/\"/,end:/\"/},{begin:/\\S+/}],contains:[s.BACKSLASH_ESCAPE,{className:\"template-variable\",variants:[{begin:/\\{\\{/,end:/\\}\\}/},{begin:/%\\{/,end:/\\}/}]}]},u=s.inherit(a,{variants:[{begin:/'/,end:/'/},{begin:/\"/,end:/\"/},{begin:/[^\\s,{}[\\]]+/}]}),_={className:\"number\",begin:\"\\\\b[0-9]{4}(-[0-9][0-9]){0,2}([Tt \\\\t][0-9][0-9]?(:[0-9][0-9]){2})?(\\\\.[0-9]*)?([ \\\\t])*(Z|[-+][0-9][0-9]?(:[0-9][0-9])?)?\\\\b\"},w={end:\",\",endsWithParent:!0,excludeEnd:!0,keywords:o,relevance:0},x={begin:/\\{/,end:/\\}/,contains:[w],illegal:\"\\\\n\",relevance:0},C={begin:\"\\\\[\",end:\"\\\\]\",contains:[w],illegal:\"\\\\n\",relevance:0},j=[{className:\"attr\",variants:[{begin:\"\\\\w[\\\\w :\\\\/.-]*:(?=[ \\t]|$)\"},{begin:'\"\\\\w[\\\\w :\\\\/.-]*\":(?=[ \\t]|$)'},{begin:\"'\\\\w[\\\\w :\\\\/.-]*':(?=[ \\t]|$)\"}]},{className:\"meta\",begin:\"^---\\\\s*$\",relevance:10},{className:\"string\",begin:\"[\\\\|>]([1-9]?[+-])?[ ]*\\\\n( +)[^ ][^\\\\n]*\\\\n(\\\\2[^\\\\n]+\\\\n?)*\"},{begin:\"<%[%=-]?\",end:\"[%-]?%>\",subLanguage:\"ruby\",excludeBegin:!0,excludeEnd:!0,relevance:0},{className:\"type\",begin:\"!\\\\w+!\"+i},{className:\"type\",begin:\"!<\"+i+\">\"},{className:\"type\",begin:\"!\"+i},{className:\"type\",begin:\"!!\"+i},{className:\"meta\",begin:\"&\"+s.UNDERSCORE_IDENT_RE+\"$\"},{className:\"meta\",begin:\"\\\\*\"+s.UNDERSCORE_IDENT_RE+\"$\"},{className:\"bullet\",begin:\"-(?=[ ]|$)\",relevance:0},s.HASH_COMMENT_MODE,{beginKeywords:o,keywords:{literal:o}},_,{className:\"number\",begin:s.C_NUMBER_RE+\"\\\\b\",relevance:0},x,C,a],L=[...j];return L.pop(),L.push(u),w.contains=L,{name:\"YAML\",case_insensitive:!0,aliases:[\"yml\"],contains:j}}},17670:(s,o,i)=>{var a=i(12651);s.exports=function mapCacheDelete(s){var o=a(this,s).delete(s);return this.size-=o?1:0,o}},17965:(s,o,i)=>{\"use strict\";var a=i(16426),u={\"text/plain\":\"Text\",\"text/html\":\"Url\",default:\"Text\"};s.exports=function copy(s,o){var i,_,w,x,C,j,L=!1;o||(o={}),i=o.debug||!1;try{if(w=a(),x=document.createRange(),C=document.getSelection(),(j=document.createElement(\"span\")).textContent=s,j.ariaHidden=\"true\",j.style.all=\"unset\",j.style.position=\"fixed\",j.style.top=0,j.style.clip=\"rect(0, 0, 0, 0)\",j.style.whiteSpace=\"pre\",j.style.webkitUserSelect=\"text\",j.style.MozUserSelect=\"text\",j.style.msUserSelect=\"text\",j.style.userSelect=\"text\",j.addEventListener(\"copy\",(function(a){if(a.stopPropagation(),o.format)if(a.preventDefault(),void 0===a.clipboardData){i&&console.warn(\"unable to use e.clipboardData\"),i&&console.warn(\"trying IE specific stuff\"),window.clipboardData.clearData();var _=u[o.format]||u.default;window.clipboardData.setData(_,s)}else a.clipboardData.clearData(),a.clipboardData.setData(o.format,s);o.onCopy&&(a.preventDefault(),o.onCopy(a.clipboardData))})),document.body.appendChild(j),x.selectNodeContents(j),C.addRange(x),!document.execCommand(\"copy\"))throw new Error(\"copy command was unsuccessful\");L=!0}catch(a){i&&console.error(\"unable to copy using execCommand: \",a),i&&console.warn(\"trying IE specific stuff\");try{window.clipboardData.setData(o.format||\"text\",s),o.onCopy&&o.onCopy(window.clipboardData),L=!0}catch(a){i&&console.error(\"unable to copy using clipboardData: \",a),i&&console.error(\"falling back to prompt\"),_=function format(s){var o=(/mac os x/i.test(navigator.userAgent)?\"⌘\":\"Ctrl\")+\"+C\";return s.replace(/#{\\s*key\\s*}/g,o)}(\"message\"in o?o.message:\"Copy to clipboard: #{key}, Enter\"),window.prompt(_,s)}}finally{C&&(\"function\"==typeof C.removeRange?C.removeRange(x):C.removeAllRanges()),j&&document.body.removeChild(j),w()}return L}},18073:(s,o,i)=>{var a=i(85087),u=i(54641),_=i(70981);s.exports=function createRecurry(s,o,i,w,x,C,j,L,B,$){var U=8&o;o|=U?32:64,4&(o&=~(U?64:32))||(o&=-4);var V=[s,o,x,U?C:void 0,U?j:void 0,U?void 0:C,U?void 0:j,L,B,$],z=i.apply(void 0,V);return a(s)&&u(z,V),z.placeholder=w,_(z,s,o)}},19123:(s,o,i)=>{var a=i(65606),u=i(31499),_=i(88310).Stream;function resolve(s,o,i){var a,_=function create_indent(s,o){return new Array(o||0).join(s||\"\")}(o,i=i||0),w=s;if(\"object\"==typeof s&&((w=s[a=Object.keys(s)[0]])&&w._elem))return w._elem.name=a,w._elem.icount=i,w._elem.indent=o,w._elem.indents=_,w._elem.interrupt=w,w._elem;var x,C=[],j=[];function get_attributes(s){Object.keys(s).forEach((function(o){C.push(function attribute(s,o){return s+'=\"'+u(o)+'\"'}(o,s[o]))}))}switch(typeof w){case\"object\":if(null===w)break;w._attr&&get_attributes(w._attr),w._cdata&&j.push((\"/g,\"]]]]>\")+\"]]>\"),w.forEach&&(x=!1,j.push(\"\"),w.forEach((function(s){\"object\"==typeof s?\"_attr\"==Object.keys(s)[0]?get_attributes(s._attr):j.push(resolve(s,o,i+1)):(j.pop(),x=!0,j.push(u(s)))})),x||j.push(\"\"));break;default:j.push(u(w))}return{name:a,interrupt:!1,attributes:C,content:j,icount:i,indents:_,indent:o}}function format(s,o,i){if(\"object\"!=typeof o)return s(!1,o);var a=o.interrupt?1:o.content.length;function proceed(){for(;o.content.length;){var u=o.content.shift();if(void 0!==u){if(interrupt(u))return;format(s,u)}}s(!1,(a>1?o.indents:\"\")+(o.name?\"\":\"\")+(o.indent&&!i?\"\\n\":\"\")),i&&i()}function interrupt(o){return!!o.interrupt&&(o.interrupt.append=s,o.interrupt.end=proceed,o.interrupt=!1,s(!0),!0)}if(s(!1,o.indents+(o.name?\"<\"+o.name:\"\")+(o.attributes.length?\" \"+o.attributes.join(\" \"):\"\")+(a?o.name?\">\":\"\":o.name?\"/>\":\"\")+(o.indent&&a>1?\"\\n\":\"\")),!a)return s(!1,o.indent?\"\\n\":\"\");interrupt(o)||proceed()}s.exports=function xml(s,o){\"object\"!=typeof o&&(o={indent:o});var i=o.stream?new _:null,u=\"\",w=!1,x=o.indent?!0===o.indent?\" \":o.indent:\"\",C=!0;function delay(s){C?a.nextTick(s):s()}function append(s,o){if(void 0!==o&&(u+=o),s&&!w&&(i=i||new _,w=!0),s&&w){var a=u;delay((function(){i.emit(\"data\",a)})),u=\"\"}}function add(s,o){format(append,resolve(s,x,x?1:0),o)}function end(){if(i){var s=u;delay((function(){i.emit(\"data\",s),i.emit(\"end\"),i.readable=!1,i.emit(\"close\")}))}}return delay((function(){C=!1})),o.declaration&&function addXmlDeclaration(s){var o={version:\"1.0\",encoding:s.encoding||\"UTF-8\"};s.standalone&&(o.standalone=s.standalone),add({\"?xml\":{_attr:o}}),u=u.replace(\"/>\",\"?>\")}(o.declaration),s&&s.forEach?s.forEach((function(o,i){var a;i+1===s.length&&(a=end),add(o,a)})):add(s,end),i?(i.readable=!0,i):u},s.exports.element=s.exports.Element=function element(){var s={_elem:resolve(Array.prototype.slice.call(arguments)),push:function(s){if(!this.append)throw new Error(\"not assigned to a parent!\");var o=this,i=this._elem.indent;format(this.append,resolve(s,i,this._elem.icount+(i?1:0)),(function(){o.append(!0)}))},close:function(s){void 0!==s&&this.push(s),this.end&&this.end()}};return s}},19219:s=>{s.exports=function cacheHas(s,o){return s.has(o)}},19287:s=>{\"use strict\";s.exports={CSSRuleList:0,CSSStyleDeclaration:0,CSSValueList:0,ClientRectList:0,DOMRectList:0,DOMStringList:0,DOMTokenList:1,DataTransferItemList:0,FileList:0,HTMLAllCollection:0,HTMLCollection:0,HTMLFormElement:0,HTMLSelectElement:0,MediaList:0,MimeTypeArray:0,NamedNodeMap:0,NodeList:1,PaintRequestList:0,Plugin:0,PluginArray:0,SVGLengthList:0,SVGNumberList:0,SVGPathSegList:0,SVGPointList:0,SVGStringList:0,SVGTransformList:0,SourceBufferList:0,StyleSheetList:0,TextTrackCueList:0,TextTrackList:0,TouchList:0}},19358:(s,o,i)=>{\"use strict\";var a=i(85582),u=i(49724),_=i(61626),w=i(88280),x=i(79192),C=i(19595),j=i(54829),L=i(34084),B=i(32096),$=i(39259),U=i(85884),V=i(39447),z=i(7376);s.exports=function(s,o,i,Y){var Z=\"stackTraceLimit\",ee=Y?2:1,ie=s.split(\".\"),ae=ie[ie.length-1],ce=a.apply(null,ie);if(ce){var le=ce.prototype;if(!z&&u(le,\"cause\")&&delete le.cause,!i)return ce;var pe=a(\"Error\"),de=o((function(s,o){var i=B(Y?o:s,void 0),a=Y?new ce(s):new ce;return void 0!==i&&_(a,\"message\",i),U(a,de,a.stack,2),this&&w(le,this)&&L(a,this,de),arguments.length>ee&&$(a,arguments[ee]),a}));if(de.prototype=le,\"Error\"!==ae?x?x(de,pe):C(de,pe,{name:!0}):V&&Z in ce&&(j(de,ce,Z),j(de,ce,\"prepareStackTrace\")),C(de,ce),!z)try{le.name!==ae&&_(le,\"name\",ae),le.constructor=de}catch(s){}return de}}},19570:(s,o,i)=>{var a=i(37334),u=i(93243),_=i(83488),w=u?function(s,o){return u(s,\"toString\",{configurable:!0,enumerable:!1,value:a(o),writable:!0})}:_;s.exports=w},19595:(s,o,i)=>{\"use strict\";var a=i(49724),u=i(11042),_=i(13846),w=i(74284);s.exports=function(s,o,i){for(var x=u(o),C=w.f,j=_.f,L=0;L{\"use strict\";var a=i(23034);s.exports=a},19846:(s,o,i)=>{\"use strict\";var a=i(20798),u=i(98828),_=i(45951).String;s.exports=!!Object.getOwnPropertySymbols&&!u((function(){var s=Symbol(\"symbol detection\");return!_(s)||!(Object(s)instanceof Symbol)||!Symbol.sham&&a&&a<41}))},19931:(s,o,i)=>{var a=i(31769),u=i(68090),_=i(68969),w=i(77797);s.exports=function baseUnset(s,o){return o=a(o,s),null==(s=_(s,o))||delete s[w(u(o))]}},20181:(s,o,i)=>{var a=/^\\s+|\\s+$/g,u=/^[-+]0x[0-9a-f]+$/i,_=/^0b[01]+$/i,w=/^0o[0-7]+$/i,x=parseInt,C=\"object\"==typeof i.g&&i.g&&i.g.Object===Object&&i.g,j=\"object\"==typeof self&&self&&self.Object===Object&&self,L=C||j||Function(\"return this\")(),B=Object.prototype.toString,$=Math.max,U=Math.min,now=function(){return L.Date.now()};function isObject(s){var o=typeof s;return!!s&&(\"object\"==o||\"function\"==o)}function toNumber(s){if(\"number\"==typeof s)return s;if(function isSymbol(s){return\"symbol\"==typeof s||function isObjectLike(s){return!!s&&\"object\"==typeof s}(s)&&\"[object Symbol]\"==B.call(s)}(s))return NaN;if(isObject(s)){var o=\"function\"==typeof s.valueOf?s.valueOf():s;s=isObject(o)?o+\"\":o}if(\"string\"!=typeof s)return 0===s?s:+s;s=s.replace(a,\"\");var i=_.test(s);return i||w.test(s)?x(s.slice(2),i?2:8):u.test(s)?NaN:+s}s.exports=function debounce(s,o,i){var a,u,_,w,x,C,j=0,L=!1,B=!1,V=!0;if(\"function\"!=typeof s)throw new TypeError(\"Expected a function\");function invokeFunc(o){var i=a,_=u;return a=u=void 0,j=o,w=s.apply(_,i)}function shouldInvoke(s){var i=s-C;return void 0===C||i>=o||i<0||B&&s-j>=_}function timerExpired(){var s=now();if(shouldInvoke(s))return trailingEdge(s);x=setTimeout(timerExpired,function remainingWait(s){var i=o-(s-C);return B?U(i,_-(s-j)):i}(s))}function trailingEdge(s){return x=void 0,V&&a?invokeFunc(s):(a=u=void 0,w)}function debounced(){var s=now(),i=shouldInvoke(s);if(a=arguments,u=this,C=s,i){if(void 0===x)return function leadingEdge(s){return j=s,x=setTimeout(timerExpired,o),L?invokeFunc(s):w}(C);if(B)return x=setTimeout(timerExpired,o),invokeFunc(C)}return void 0===x&&(x=setTimeout(timerExpired,o)),w}return o=toNumber(o)||0,isObject(i)&&(L=!!i.leading,_=(B=\"maxWait\"in i)?$(toNumber(i.maxWait)||0,o):_,V=\"trailing\"in i?!!i.trailing:V),debounced.cancel=function cancel(){void 0!==x&&clearTimeout(x),j=0,a=C=u=x=void 0},debounced.flush=function flush(){return void 0===x?w:trailingEdge(now())},debounced}},20317:s=>{s.exports=function mapToArray(s){var o=-1,i=Array(s.size);return s.forEach((function(s,a){i[++o]=[a,s]})),i}},20334:(s,o,i)=>{\"use strict\";var a=i(48287).Buffer;class NonError extends Error{constructor(s){super(NonError._prepareSuperMessage(s)),Object.defineProperty(this,\"name\",{value:\"NonError\",configurable:!0,writable:!0}),Error.captureStackTrace&&Error.captureStackTrace(this,NonError)}static _prepareSuperMessage(s){try{return JSON.stringify(s)}catch{return String(s)}}}const u=[{property:\"name\",enumerable:!1},{property:\"message\",enumerable:!1},{property:\"stack\",enumerable:!1},{property:\"code\",enumerable:!0}],_=Symbol(\".toJSON called\"),destroyCircular=({from:s,seen:o,to_:i,forceEnumerable:w,maxDepth:x,depth:C})=>{const j=i||(Array.isArray(s)?[]:{});if(o.push(s),C>=x)return j;if(\"function\"==typeof s.toJSON&&!0!==s[_])return(s=>{s[_]=!0;const o=s.toJSON();return delete s[_],o})(s);for(const[i,u]of Object.entries(s))\"function\"==typeof a&&a.isBuffer(u)?j[i]=\"[object Buffer]\":\"function\"!=typeof u&&(u&&\"object\"==typeof u?o.includes(s[i])?j[i]=\"[Circular]\":(C++,j[i]=destroyCircular({from:s[i],seen:o.slice(),forceEnumerable:w,maxDepth:x,depth:C})):j[i]=u);for(const{property:o,enumerable:i}of u)\"string\"==typeof s[o]&&Object.defineProperty(j,o,{value:s[o],enumerable:!!w||i,configurable:!0,writable:!0});return j};s.exports={serializeError:(s,o={})=>{const{maxDepth:i=Number.POSITIVE_INFINITY}=o;return\"object\"==typeof s&&null!==s?destroyCircular({from:s,seen:[],forceEnumerable:!0,maxDepth:i,depth:0}):\"function\"==typeof s?`[Function: ${s.name||\"anonymous\"}]`:s},deserializeError:(s,o={})=>{const{maxDepth:i=Number.POSITIVE_INFINITY}=o;if(s instanceof Error)return s;if(\"object\"==typeof s&&null!==s&&!Array.isArray(s)){const o=new Error;return destroyCircular({from:s,seen:[],to_:o,maxDepth:i,depth:0}),o}return new NonError(s)}}},20426:s=>{var o=Object.prototype.hasOwnProperty;s.exports=function baseHas(s,i){return null!=s&&o.call(s,i)}},20575:(s,o,i)=>{\"use strict\";var a=i(3121);s.exports=function(s){return a(s.length)}},20798:(s,o,i)=>{\"use strict\";var a,u,_=i(45951),w=i(96794),x=_.process,C=_.Deno,j=x&&x.versions||C&&C.version,L=j&&j.v8;L&&(u=(a=L.split(\".\"))[0]>0&&a[0]<4?1:+(a[0]+a[1])),!u&&w&&(!(a=w.match(/Edge\\/(\\d+)/))||a[1]>=74)&&(a=w.match(/Chrome\\/(\\d+)/))&&(u=+a[1]),s.exports=u},20850:(s,o,i)=>{\"use strict\";s.exports=i(46076)},20999:(s,o,i)=>{var a=i(69302),u=i(36800);s.exports=function createAssigner(s){return a((function(o,i){var a=-1,_=i.length,w=_>1?i[_-1]:void 0,x=_>2?i[2]:void 0;for(w=s.length>3&&\"function\"==typeof w?(_--,w):void 0,x&&u(i[0],i[1],x)&&(w=_<3?void 0:w,_=1),o=Object(o);++a<_;){var C=i[a];C&&s(o,C,a,w)}return o}))}},21549:(s,o,i)=>{var a=i(22032),u=i(63862),_=i(66721),w=i(12749),x=i(35749);function Hash(s){var o=-1,i=null==s?0:s.length;for(this.clear();++o{var a=i(16547),u=i(43360);s.exports=function copyObject(s,o,i,_){var w=!i;i||(i={});for(var x=-1,C=o.length;++x{var a=i(51873),u=i(37828),_=i(75288),w=i(25911),x=i(20317),C=i(84247),j=a?a.prototype:void 0,L=j?j.valueOf:void 0;s.exports=function equalByTag(s,o,i,a,j,B,$){switch(i){case\"[object DataView]\":if(s.byteLength!=o.byteLength||s.byteOffset!=o.byteOffset)return!1;s=s.buffer,o=o.buffer;case\"[object ArrayBuffer]\":return!(s.byteLength!=o.byteLength||!B(new u(s),new u(o)));case\"[object Boolean]\":case\"[object Date]\":case\"[object Number]\":return _(+s,+o);case\"[object Error]\":return s.name==o.name&&s.message==o.message;case\"[object RegExp]\":case\"[object String]\":return s==o+\"\";case\"[object Map]\":var U=x;case\"[object Set]\":var V=1&a;if(U||(U=C),s.size!=o.size&&!V)return!1;var z=$.get(s);if(z)return z==o;a|=2,$.set(s,o);var Y=w(U(s),U(o),a,j,B,$);return $.delete(s),Y;case\"[object Symbol]\":if(L)return L.call(s)==L.call(o)}return!1}},22032:(s,o,i)=>{var a=i(81042);s.exports=function hashClear(){this.__data__=a?a(null):{},this.size=0}},22225:s=>{var o=\"\\\\ud800-\\\\udfff\",i=\"\\\\u2700-\\\\u27bf\",a=\"a-z\\\\xdf-\\\\xf6\\\\xf8-\\\\xff\",u=\"A-Z\\\\xc0-\\\\xd6\\\\xd8-\\\\xde\",_=\"\\\\xac\\\\xb1\\\\xd7\\\\xf7\\\\x00-\\\\x2f\\\\x3a-\\\\x40\\\\x5b-\\\\x60\\\\x7b-\\\\xbf\\\\u2000-\\\\u206f \\\\t\\\\x0b\\\\f\\\\xa0\\\\ufeff\\\\n\\\\r\\\\u2028\\\\u2029\\\\u1680\\\\u180e\\\\u2000\\\\u2001\\\\u2002\\\\u2003\\\\u2004\\\\u2005\\\\u2006\\\\u2007\\\\u2008\\\\u2009\\\\u200a\\\\u202f\\\\u205f\\\\u3000\",w=\"[\"+_+\"]\",x=\"\\\\d+\",C=\"[\"+i+\"]\",j=\"[\"+a+\"]\",L=\"[^\"+o+_+x+i+a+u+\"]\",B=\"(?:\\\\ud83c[\\\\udde6-\\\\uddff]){2}\",$=\"[\\\\ud800-\\\\udbff][\\\\udc00-\\\\udfff]\",U=\"[\"+u+\"]\",V=\"(?:\"+j+\"|\"+L+\")\",z=\"(?:\"+U+\"|\"+L+\")\",Y=\"(?:['’](?:d|ll|m|re|s|t|ve))?\",Z=\"(?:['’](?:D|LL|M|RE|S|T|VE))?\",ee=\"(?:[\\\\u0300-\\\\u036f\\\\ufe20-\\\\ufe2f\\\\u20d0-\\\\u20ff]|\\\\ud83c[\\\\udffb-\\\\udfff])?\",ie=\"[\\\\ufe0e\\\\ufe0f]?\",ae=ie+ee+(\"(?:\\\\u200d(?:\"+[\"[^\"+o+\"]\",B,$].join(\"|\")+\")\"+ie+ee+\")*\"),ce=\"(?:\"+[C,B,$].join(\"|\")+\")\"+ae,le=RegExp([U+\"?\"+j+\"+\"+Y+\"(?=\"+[w,U,\"$\"].join(\"|\")+\")\",z+\"+\"+Z+\"(?=\"+[w,U+V,\"$\"].join(\"|\")+\")\",U+\"?\"+V+\"+\"+Y,U+\"+\"+Z,\"\\\\d*(?:1ST|2ND|3RD|(?![123])\\\\dTH)(?=\\\\b|[a-z_])\",\"\\\\d*(?:1st|2nd|3rd|(?![123])\\\\dth)(?=\\\\b|[A-Z_])\",x,ce].join(\"|\"),\"g\");s.exports=function unicodeWords(s){return s.match(le)||[]}},22551:(s,o,i)=>{\"use strict\";var a=i(96540),u=i(69982);function p(s){for(var o=\"https://reactjs.org/docs/error-decoder.html?invariant=\"+s,i=1;i