Documentation ¶
Overview ¶
Package dataprovider provides data access. It abstracts different data providers and exposes a common API. Currently the supported data providers are: PostgreSQL (9+), MySQL (4.1+) and SQLite 3.x
Index ¶
- Constants
- Variables
- func AddUser(p Provider, user User) error
- func Close(p Provider) error
- func DeleteUser(p Provider, user User) error
- func GetProviderStatus(p Provider) error
- func GetQuotaTracking() int
- func GetUsedQuota(p Provider, username string) (int, int64, error)
- func Initialize(cnf Config, basePath string) error
- func ReloadConfig() error
- func UpdateLastLogin(p Provider, user User) error
- func UpdateUser(p Provider, user User) error
- func UpdateUserQuota(p Provider, user User, filesAdd int, sizeAdd int64, reset bool) error
- type Actions
- type BackupData
- type BoltProvider
- type Config
- type Filesystem
- type MemoryProvider
- type MethodDisabledError
- type MySQLProvider
- type PGSQLProvider
- type Provider
- type RecordNotFoundError
- type SQLiteProvider
- type User
- func CheckKeyboardInteractiveAuth(p Provider, username, authProgram string, ...) (User, error)
- func CheckUserAndPass(p Provider, username string, password string) (User, error)
- func CheckUserAndPubKey(p Provider, username string, pubKey string) (User, string, error)
- func DumpUsers(p Provider) ([]User, error)
- func GetUserByID(p Provider, ID int64) (User, error)
- func GetUsers(p Provider, limit int, offset int, order string, username string) ([]User, error)
- func HideUserSensitiveData(user *User) User
- func UserExists(p Provider, username string) (User, error)
- func (u User) GetAllowedIPAsString() string
- func (u *User) GetBandwidthAsString() string
- func (u User) GetDeniedIPAsString() string
- func (u *User) GetExpirationDateAsString() string
- func (u *User) GetFilesystem(connectionID string) (vfs.Fs, error)
- func (u *User) GetFiltersAsJSON() ([]byte, error)
- func (u *User) GetFsConfigAsJSON() ([]byte, error)
- func (u *User) GetGID() int
- func (u *User) GetHomeDir() string
- func (u *User) GetInfoString() string
- func (u *User) GetPermissionsAsJSON() ([]byte, error)
- func (u *User) GetPermissionsAsString() string
- func (u *User) GetPermissionsForPath(p string) []string
- func (u *User) GetPublicKeysAsJSON() ([]byte, error)
- func (u *User) GetQuotaSummary() string
- func (u *User) GetUID() int
- func (u *User) HasPerm(permission, path string) bool
- func (u *User) HasPerms(permissions []string, path string) bool
- func (u *User) HasQuotaRestrictions() bool
- func (u *User) IsLoginAllowed(remoteAddr string) bool
- type UserFilters
- type ValidationError
Constants ¶
const (
	// SQLiteDataProviderName name for SQLite database provider
	SQLiteDataProviderName = "sqlite"
	// PGSQLDataProviderName name for PostgreSQL database provider
	PGSQLDataProviderName = "postgresql"
	// MySQLDataProviderName name for MySQL database provider
	MySQLDataProviderName = "mysql"
	// BoltDataProviderName name for bbolt key/value store provider
	BoltDataProviderName = "bolt"
	// MemoryDataProviderName name for memory provider
	MemoryDataProviderName = "memory"
)
const (
	// All permissions are granted
	PermAny = "*"
	// List items such as files and directories is allowed
	PermListItems = "list"
	// download files is allowed
	PermDownload = "download"
	// upload files is allowed
	PermUpload = "upload"
	// overwrite an existing file, while uploading, is allowed
	// upload permission is required to allow file overwrite
	PermOverwrite = "overwrite"
	// delete files or directories is allowed
	PermDelete = "delete"
	// rename files or directories is allowed
	PermRename = "rename"
	// create directories is allowed
	PermCreateDirs = "create_dirs"
	// create symbolic links is allowed
	PermCreateSymlinks = "create_symlinks"
	// changing file or directory permissions is allowed
	PermChmod = "chmod"
	// changing file or directory owner and group is allowed
	PermChown = "chown"
	// changing file or directory access and modification time is allowed
	PermChtimes = "chtimes"
)
Available permissions for SFTP users
Variables ¶
var (
	// SupportedProviders data provider configured in the sftpgo.conf file must match one of these strings
	SupportedProviders = []string{SQLiteDataProviderName, PGSQLDataProviderName, MySQLDataProviderName, BoltDataProviderName, MemoryDataProviderName}
	// ValidPerms list that contains all the valid permissions for a user
	ValidPerms = []string{PermAny, PermListItems, PermDownload, PermUpload, PermOverwrite, PermRename, PermDelete, PermCreateDirs, PermCreateSymlinks, PermChmod, PermChown, PermChtimes}
)
Functions ¶
func AddUser ¶
AddUser adds a new SFTP user. ManageUsers configuration must be set to 1 to enable this method
func Close ¶
Close releases all provider resources. This method is used in test cases. Closing an uninitialized provider is not supported
func DeleteUser ¶
DeleteUser deletes an existing SFTP user. ManageUsers configuration must be set to 1 to enable this method
func GetProviderStatus ¶
GetProviderStatus returns an error if the provider is not available
func GetQuotaTracking ¶
func GetQuotaTracking() int
GetQuotaTracking returns the configured mode for users' quota tracking
func GetUsedQuota ¶
GetUsedQuota returns the used quota for the given SFTP user. TrackQuota must be >=1 to enable this method
func Initialize ¶
Initialize the data provider. An error is returned if the configured driver is invalid or if the data provider cannot be initialized
func ReloadConfig ¶
func ReloadConfig() error
ReloadConfig reloads the provider configuration. Currently only implemented for the memory provider: it reloads the users from the configured file, if one is defined
func UpdateLastLogin ¶
UpdateLastLogin updates the last login fields for the given SFTP user
func UpdateUser ¶
UpdateUser updates an existing SFTP user. ManageUsers configuration must be set to 1 to enable this method
func UpdateUserQuota ¶
UpdateUserQuota updates the quota for the given SFTP user, adding filesAdd and sizeAdd. If reset is true, filesAdd and sizeAdd indicate the total files and the total size instead of the difference.
Types ¶
type Actions ¶
type Actions struct {
	// Valid values are add, update, delete. Empty slice to disable
	ExecuteOn []string `json:"execute_on" mapstructure:"execute_on"`
	// Absolute path to the command to execute, empty to disable
	Command string `json:"command" mapstructure:"command"`
	// The URL to notify using an HTTP POST.
	// The action is added to the query string. For example <url>?action=update.
	// The user is sent serialized as json inside the POST body.
	// Empty to disable
	HTTPNotificationURL string `json:"http_notification_url" mapstructure:"http_notification_url"`
}
Actions to execute on user create, update, delete. An external command can be executed and/or an HTTP notification can be fired
type BackupData ¶
type BackupData struct {
Users []User `json:"users"`
}
BackupData defines the structure for the backup/restore files
type BoltProvider ¶
type BoltProvider struct {
// contains filtered or unexported fields
}
BoltProvider auth provider for bolt key/value store
type Config ¶
type Config struct {
	// Driver name, must be one of the SupportedProviders
	Driver string `json:"driver" mapstructure:"driver"`
	// Database name. For driver sqlite this can be the database name relative to the config dir
	// or the absolute path to the SQLite database.
	Name string `json:"name" mapstructure:"name"`
	// Database host
	Host string `json:"host" mapstructure:"host"`
	// Database port
	Port int `json:"port" mapstructure:"port"`
	// Database username
	Username string `json:"username" mapstructure:"username"`
	// Database password
	Password string `json:"password" mapstructure:"password"`
	// Used for drivers mysql and postgresql.
	// 0 disable SSL/TLS connections.
	// 1 require ssl.
	// 2 set ssl mode to verify-ca for driver postgresql and skip-verify for driver mysql.
	// 3 set ssl mode to verify-full for driver postgresql and preferred for driver mysql.
	SSLMode int `json:"sslmode" mapstructure:"sslmode"`
	// Custom database connection string.
	// If not empty this connection string will be used instead of building one using the previous parameters
	ConnectionString string `json:"connection_string" mapstructure:"connection_string"`
	// Database table for SFTP users
	UsersTable string `json:"users_table" mapstructure:"users_table"`
	// Set to 0 to disable users management, 1 to enable
	ManageUsers int `json:"manage_users" mapstructure:"manage_users"`
	// Set the preferred way to track users quota between the following choices:
	// 0, disable quota tracking. REST API to scan user dir and update quota will do nothing
	// 1, quota is updated each time a user uploads or deletes a file even if the user has no quota restrictions
	// 2, quota is updated each time a user uploads or deletes a file but only for users with quota restrictions.
	// With this configuration the "quota scan" REST API can still be used to periodically update space usage
	// for users without quota restrictions
	TrackQuota int `json:"track_quota" mapstructure:"track_quota"`
	// Sets the maximum number of open connections for mysql and postgresql driver.
	// Default 0 (unlimited)
	PoolSize int `json:"pool_size" mapstructure:"pool_size"`
	// Users' default base directory.
	// If no home dir is defined while adding a new user, and this value is
	// a valid absolute path, then the user home dir will be automatically
	// defined as the path obtained joining the base dir and the username
	UsersBaseDir string `json:"users_base_dir" mapstructure:"users_base_dir"`
	// Actions to execute on user add, update, delete.
	// Update action will not be fired for internal updates such as the last login or the user quota fields.
	Actions Actions `json:"actions" mapstructure:"actions"`
	// Absolute path to an external program to use for users authentication. Leave empty to use builtin
	// authentication.
	// The external program can read the following environment variables to get info about the user trying
	// to authenticate:
	//
	// - SFTPGO_AUTHD_USERNAME
	// - SFTPGO_AUTHD_PASSWORD, not empty for password authentication
	// - SFTPGO_AUTHD_PUBLIC_KEY, not empty for public key authentication
	//
	// The content of these variables is _not_ quoted. They may contain special characters. They are under the
	// control of a possibly malicious remote user.
	//
	// The program must respond on the standard output with a valid SFTPGo user serialized as json if the
	// authentication succeeds or a user with an empty username if the authentication fails.
	// If the authentication succeeds the user will be automatically added/updated inside the defined data provider.
	// Actions defined for user added/updated will not be executed in this case.
	// The external program should check authentication only; if there are login restrictions such as user
	// disabled, expired, login allowed only from specific IP addresses it is enough to populate the matching user
	// fields and these conditions will be checked in the same way as for builtin users.
	// The external auth program must finish within 15 seconds.
	// This method is slower than built-in authentication methods, but it's very flexible as anyone can
	// easily write their own authentication programs.
	ExternalAuthProgram string `json:"external_auth_program" mapstructure:"external_auth_program"`
	// ExternalAuthScope defines the scope for the external authentication program.
	// - 0 means all supported authentication scopes, the external program will be used for password,
	// public key and keyboard interactive authentication
	// - 1 means passwords only
	// - 2 means public keys only
	// - 4 means keyboard interactive only
	// you can combine the scopes, for example 3 means password and public key, 5 password and keyboard
	// interactive and so on
	ExternalAuthScope int `json:"external_auth_scope" mapstructure:"external_auth_scope"`
	// CredentialsPath defines the directory for storing user provided credential files such as
	// Google Cloud Storage credentials. It can be a path relative to the config dir or an
	// absolute path
	CredentialsPath string `json:"credentials_path" mapstructure:"credentials_path"`
}
Config provider configuration
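The ExternalAuthProgram contract above (read SFTPGO_AUTHD_* from the environment, print a JSON user on stdout, empty username on failure) as a minimal password-only program, assuming ExternalAuthScope is set to 1. This is an added example, not SFTPGo's own code: the credential table, the user profile and the home directory path are constructed for illustration, and the authUser struct reproduces only a subset of the documented User JSON tags.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"os"
)

// authUser mirrors the subset of SFTPGo's User JSON fields this example emits
// (assumption: tags match the User struct documented on this page).
type authUser struct {
	Status      int                 `json:"status"`
	Username    string              `json:"username"`
	HomeDir     string              `json:"home_dir"`
	Permissions map[string][]string `json:"permissions"`
}

// Constructed sample records; a real program would query a directory and
// store password hashes, never plaintext. Paths are hypothetical.
var passwords = map[string]string{"alice": "correct horse battery staple"}
var profiles = map[string]authUser{
	"alice": {Status: 1, Username: "alice", HomeDir: "/srv/sftp/alice",
		Permissions: map[string][]string{"/": {"list", "download", "upload"}}},
}

// authenticate checks a password and returns the user to emit. An empty
// Username signals failure, as the ExternalAuthProgram contract requires.
// The inputs come from a remote client, so they are only compared, never
// interpreted or passed to a shell, and the comparison is constant-time.
// Status, expiration and IP filters are left to SFTPGo to enforce.
func authenticate(username, password string) authUser {
	expected, ok := passwords[username]
	if !ok || password == "" {
		return authUser{}
	}
	if subtle.ConstantTimeCompare([]byte(password), []byte(expected)) != 1 {
		return authUser{}
	}
	return profiles[username]
}

// response serializes the result exactly as SFTPGo expects it on stdout.
func response(username, password string) ([]byte, error) {
	return json.Marshal(authenticate(username, password))
}

func main() {
	out, err := response(os.Getenv("SFTPGO_AUTHD_USERNAME"), os.Getenv("SFTPGO_AUTHD_PASSWORD"))
	if err != nil {
		os.Exit(1)
	}
	fmt.Println(string(out))
}
```

Because the program runs once per login attempt with a 15 second budget, keep its lookups fast and avoid logging the raw SFTPGO_AUTHD_PASSWORD value.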
type Filesystem ¶
type Filesystem struct {
	// 0 local filesystem, 1 Amazon S3 compatible, 2 Google Cloud Storage
	Provider  int             `json:"provider"`
	S3Config  vfs.S3FsConfig  `json:"s3config,omitempty"`
	GCSConfig vfs.GCSFsConfig `json:"gcsconfig,omitempty"`
}
Filesystem defines cloud storage filesystem details
type MemoryProvider ¶
type MemoryProvider struct {
// contains filtered or unexported fields
}
MemoryProvider auth provider for a memory store
type MethodDisabledError ¶
type MethodDisabledError struct {
// contains filtered or unexported fields
}
MethodDisabledError raised if a method is disabled in config file. For example, if user management is disabled, this error is raised every time a user operation is done using the REST API
func (*MethodDisabledError) Error ¶
func (e *MethodDisabledError) Error() string
Method disabled error details
type MySQLProvider ¶
type MySQLProvider struct {
// contains filtered or unexported fields
}
MySQLProvider auth provider for MySQL/MariaDB database
type PGSQLProvider ¶
type PGSQLProvider struct {
// contains filtered or unexported fields
}
PGSQLProvider auth provider for PostgreSQL database
type Provider ¶
type Provider interface {
// contains filtered or unexported methods
}
Provider interface that data providers must implement.
type RecordNotFoundError ¶
type RecordNotFoundError struct {
// contains filtered or unexported fields
}
RecordNotFoundError raised if a requested user is not found
func (*RecordNotFoundError) Error ¶
func (e *RecordNotFoundError) Error() string
type SQLiteProvider ¶
type SQLiteProvider struct {
// contains filtered or unexported fields
}
SQLiteProvider auth provider for SQLite database
type User ¶
type User struct {
	// Database unique identifier
	ID int64 `json:"id"`
	// 1 enabled, 0 disabled (login is not allowed)
	Status int `json:"status"`
	// Username
	Username string `json:"username"`
	// Account expiration date as unix timestamp in milliseconds. An expired account cannot login.
	// 0 means no expiration
	ExpirationDate int64 `json:"expiration_date"`
	// Password used for password authentication.
	// For users created using SFTPGo REST API the password is stored using argon2id hashing algo.
	// Checking passwords stored with bcrypt, pbkdf2, md5crypt and sha512crypt is supported too.
	Password string `json:"password,omitempty"`
	// PublicKeys used for public key authentication. At least one between password and a public key is mandatory
	PublicKeys []string `json:"public_keys,omitempty"`
	// The user cannot upload or download files outside this directory. Must be an absolute path
	HomeDir string `json:"home_dir"`
	// If sftpgo runs as root system user then the created files and directories will be assigned to this system UID
	UID int `json:"uid"`
	// If sftpgo runs as root system user then the created files and directories will be assigned to this system GID
	GID int `json:"gid"`
	// Maximum concurrent sessions. 0 means unlimited
	MaxSessions int `json:"max_sessions"`
	// Maximum size allowed as bytes. 0 means unlimited
	QuotaSize int64 `json:"quota_size"`
	// Maximum number of files allowed. 0 means unlimited
	QuotaFiles int `json:"quota_files"`
	// List of the granted permissions
	Permissions map[string][]string `json:"permissions"`
	// Used quota as bytes
	UsedQuotaSize int64 `json:"used_quota_size"`
	// Used quota as number of files
	UsedQuotaFiles int `json:"used_quota_files"`
	// Last quota update as unix timestamp in milliseconds
	LastQuotaUpdate int64 `json:"last_quota_update"`
	// Maximum upload bandwidth as KB/s, 0 means unlimited
	UploadBandwidth int64 `json:"upload_bandwidth"`
	// Maximum download bandwidth as KB/s, 0 means unlimited
	DownloadBandwidth int64 `json:"download_bandwidth"`
	// Last login as unix timestamp in milliseconds
	LastLogin int64 `json:"last_login"`
	// Additional restrictions
	Filters UserFilters `json:"filters"`
	// Filesystem configuration details
	FsConfig Filesystem `json:"filesystem"`
}
User defines an SFTP user
func CheckKeyboardInteractiveAuth ¶
func CheckKeyboardInteractiveAuth(p Provider, username, authProgram string, client ssh.KeyboardInteractiveChallenge) (User, error)
CheckKeyboardInteractiveAuth checks the keyboard interactive authentication and returns the authenticated user or an error
func CheckUserAndPass ¶
CheckUserAndPass returns the SFTP user matching the given username and password, or an error if no match is found
func CheckUserAndPubKey ¶
CheckUserAndPubKey returns the SFTP user matching the given username and public key, or an error if no match is found
func GetUserByID ¶
GetUserByID returns the user with the given database ID if a match is found or an error
func GetUsers ¶
GetUsers returns an array of users, respecting limit and offset, filtered by exact username match when username is not empty
func HideUserSensitiveData ¶
HideUserSensitiveData hides user sensitive data
func UserExists ¶
UserExists checks if the given SFTP username exists, returns an error if no match is found
func (User) GetAllowedIPAsString ¶
GetAllowedIPAsString returns the allowed IP as comma separated string
func (*User) GetBandwidthAsString ¶
GetBandwidthAsString returns the bandwidth limits if defined
func (User) GetDeniedIPAsString ¶
GetDeniedIPAsString returns the denied IP as comma separated string
func (*User) GetExpirationDateAsString ¶
GetExpirationDateAsString returns expiration date formatted as YYYY-MM-DD
func (*User) GetFilesystem ¶
GetFilesystem returns the filesystem for this user
func (*User) GetFiltersAsJSON ¶
GetFiltersAsJSON returns the filters as json byte array
func (*User) GetFsConfigAsJSON ¶
GetFsConfigAsJSON returns the filesystem config as json byte array
func (*User) GetHomeDir ¶
GetHomeDir returns the shortest path name equivalent to the user's home directory
func (*User) GetInfoString ¶
GetInfoString returns user's info as string. Storage provider, number of public keys, max sessions, uid, gid, denied and allowed IP/Mask are returned
func (*User) GetPermissionsAsJSON ¶
GetPermissionsAsJSON returns the permissions as json byte array
func (*User) GetPermissionsAsString ¶
GetPermissionsAsString returns the user's permissions as comma separated string
func (*User) GetPermissionsForPath ¶
GetPermissionsForPath returns the permissions for the given path. The path must be an SFTP path
func (*User) GetPublicKeysAsJSON ¶
GetPublicKeysAsJSON returns the public keys as json byte array
func (*User) GetQuotaSummary ¶
GetQuotaSummary returns used quota and limits if defined
func (*User) HasQuotaRestrictions ¶
HasQuotaRestrictions returns true if there is a quota restriction on number of files or size or both
func (*User) IsLoginAllowed ¶
IsLoginAllowed returns true if the login is allowed from the specified remoteAddr. If AllowedIP is defined only the specified IP/Mask can login. If DeniedIP is defined the specified IP/Mask cannot login. If an IP is both allowed and denied then login will be denied
type UserFilters ¶
type UserFilters struct {
	// only clients connecting from these IP/Mask are allowed.
	// IP/Mask must be in CIDR notation as defined in RFC 4632 and RFC 4291
	// for example "192.0.2.0/24" or "2001:db8::/32"
	AllowedIP []string `json:"allowed_ip"`
	// clients connecting from these IP/Mask are not allowed.
	// Denied rules will be evaluated before allowed ones
	DeniedIP []string `json:"denied_ip"`
}
UserFilters defines additional restrictions for a user
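The IsLoginAllowed semantics and the UserFilters CIDR rules above, worked through as an added example (not SFTPGo's own implementation): denied rules are evaluated first and win over allowed ones, a non-empty AllowedIP list admits only matching clients, and an unparseable remote address fails closed. The remoteAddr format (ip:port or bare IP) and the sample addresses are assumptions.

```go
package main

import (
	"fmt"
	"net"
)

// UserFilters mirrors the documented struct: DeniedIP is evaluated before AllowedIP.
type UserFilters struct {
	AllowedIP []string `json:"allowed_ip"`
	DeniedIP  []string `json:"denied_ip"`
}

// remoteIP extracts the IP from an "ip:port" address (or a bare IP). It
// returns nil for anything it cannot parse so that the caller fails closed.
func remoteIP(remoteAddr string) net.IP {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	return net.ParseIP(host)
}

// matchesAny reports whether ip falls inside any CIDR in the list. A rule
// that does not parse is skipped: it can neither grant nor block access, so
// filters should be validated when the user is saved.
func matchesAny(ip net.IP, cidrs []string) bool {
	for _, c := range cidrs {
		_, network, err := net.ParseCIDR(c)
		if err == nil && network.Contains(ip) {
			return true
		}
	}
	return false
}

// loginAllowed applies the documented semantics: an unparseable remote
// address is denied; a DeniedIP match is denied even if AllowedIP also
// matches; a non-empty AllowedIP list admits only matching clients;
// with no filters every client is admitted.
func loginAllowed(f UserFilters, remoteAddr string) bool {
	ip := remoteIP(remoteAddr)
	if ip == nil || matchesAny(ip, f.DeniedIP) {
		return false
	}
	if len(f.AllowedIP) > 0 {
		return matchesAny(ip, f.AllowedIP)
	}
	return true
}

func main() {
	// Constructed sample: the /24 is allowed but one host inside it is denied.
	f := UserFilters{AllowedIP: []string{"192.0.2.0/24"}, DeniedIP: []string{"192.0.2.7/32"}}
	for _, addr := range []string{"192.0.2.7:51234", "192.0.2.8:51234", "198.51.100.1:22"} {
		fmt.Println(addr, loginAllowed(f, addr))
	}
}
```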
type ValidationError ¶
type ValidationError struct {
// contains filtered or unexported fields
}
ValidationError raised if input data is not valid