1package httpd 2 3import ( 4 "bytes" 5 "context" 6 "crypto/tls" 7 "crypto/x509" 8 "encoding/json" 9 "errors" 10 "fmt" 11 "html/template" 12 "net/http" 13 "net/http/httptest" 14 "net/url" 15 "os" 16 "path" 17 "path/filepath" 18 "runtime" 19 "strings" 20 "testing" 21 "time" 22 23 "github.com/go-chi/chi/v5" 24 "github.com/go-chi/jwtauth/v5" 25 "github.com/klauspost/compress/zip" 26 "github.com/lestrrat-go/jwx/jwa" 27 "github.com/lestrrat-go/jwx/jwt" 28 "github.com/rs/xid" 29 "github.com/stretchr/testify/assert" 30 "github.com/stretchr/testify/require" 31 32 "github.com/drakkan/sftpgo/v2/common" 33 "github.com/drakkan/sftpgo/v2/dataprovider" 34 "github.com/drakkan/sftpgo/v2/kms" 35 "github.com/drakkan/sftpgo/v2/sdk" 36 "github.com/drakkan/sftpgo/v2/sdk/plugin" 37 "github.com/drakkan/sftpgo/v2/util" 38 "github.com/drakkan/sftpgo/v2/vfs" 39) 40 41const ( 42 httpdCert = `-----BEGIN CERTIFICATE----- 43MIICHTCCAaKgAwIBAgIUHnqw7QnB1Bj9oUsNpdb+ZkFPOxMwCgYIKoZIzj0EAwIw 44RTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu 45dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDAyMDQwOTUzMDRaFw0zMDAyMDEw 46OTUzMDRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYD 47VQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwdjAQBgcqhkjOPQIBBgUrgQQA 48IgNiAARCjRMqJ85rzMC998X5z761nJ+xL3bkmGVqWvrJ51t5OxV0v25NsOgR82CA 49NXUgvhVYs7vNFN+jxtb2aj6Xg+/2G/BNxkaFspIVCzgWkxiz7XE4lgUwX44FCXZM 503+JeUbKjUzBRMB0GA1UdDgQWBBRhLw+/o3+Z02MI/d4tmaMui9W16jAfBgNVHSME 51GDAWgBRhLw+/o3+Z02MI/d4tmaMui9W16jAPBgNVHRMBAf8EBTADAQH/MAoGCCqG 52SM49BAMCA2kAMGYCMQDqLt2lm8mE+tGgtjDmtFgdOcI72HSbRQ74D5rYTzgST1rY 53/8wTi5xl8TiFUyLMUsICMQC5ViVxdXbhuG7gX6yEqSkMKZICHpO8hqFwOD/uaFVI 54dV4vKmHUzwK/eIx+8Ay3neE= 55-----END CERTIFICATE-----` 56 httpdKey = `-----BEGIN EC PARAMETERS----- 57BgUrgQQAIg== 58-----END EC PARAMETERS----- 59-----BEGIN EC PRIVATE KEY----- 60MIGkAgEBBDCfMNsN6miEE3rVyUPwElfiJSWaR5huPCzUenZOfJT04GAcQdWvEju3 61UM2lmBLIXpGgBwYFK4EEACKhZANiAARCjRMqJ85rzMC998X5z761nJ+xL3bkmGVq 62WvrJ51t5OxV0v25NsOgR82CANXUgvhVYs7vNFN+jxtb2aj6Xg+/2G/BNxkaFspIV 63CzgWkxiz7XE4lgUwX44FCXZM3+JeUbI= 64-----END EC PRIVATE KEY-----` 65 caCRT = `-----BEGIN CERTIFICATE----- 66MIIE5jCCAs6gAwIBAgIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhDZXJ0 67QXV0aDAeFw0yMTAxMDIyMTIwNTVaFw0yMjA3MDIyMTMwNTJaMBMxETAPBgNVBAMT 68CENlcnRBdXRoMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4Tiho5xW 69AC15JRkMwfp3/TJwI2As7MY5dele5cmdr5bHAE+sRKqC+Ti88OJWCV5saoyax/1S 70CjxJlQMZMl169P1QYJskKjdG2sdv6RLWLMgwSNRRjxp/Bw9dHdiEb9MjLgu28Jro 719peQkHcRHeMf5hM9WvlIJGrdzbC4hUehmqggcqgARainBkYjf0SwuWxHeu4nMqkp 72Ak5tcSTLCjHfEFHZ9Te0TIPG5YkWocQKyeLgu4lvuU+DD2W2lym+YVUtRMGs1Env 73k7p+N0DcGU26qfzZ2sF5ZXkqm7dBsGQB9pIxwc2Q8T1dCIyP9OQCKVILdc5aVFf1 74cryQFHYzYNNZXFlIBims5VV5Mgfp8ESHQSue+v6n6ykecLEyKt1F1Y/MWY/nWUSI 758zdq83jdBAZVjo9MSthxVn57/06s/hQca65IpcTZV2gX0a+eRlAVqaRbAhL3LaZe 76bYsW3WHKoUOftwemuep3nL51TzlXZVL7Oz/ClGaEOsnGG9KFO6jh+W768qC0zLQI 77CdE7v2Zex98sZteHCg9fGJHIaYoF0aJG5P3WI5oZf2fy7UIYN9ADLFZiorCXAZEh 78CSU6mDoRViZ4RGR9GZxbDZ9KYn7O8M/KCR72bkQg73TlMsk1zSXEw0MKLUjtsw6c 79rZ0Jt8t3sRatHO3JrYHALMt9vZfyNCZp0IsCAwEAAaNFMEMwDgYDVR0PAQH/BAQD 80AgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFO1yCNAGr/zQTJIi8lw3 81w5OiuBvMMA0GCSqGSIb3DQEBCwUAA4ICAQA6gCNuM7r8mnx674dm31GxBjQy5ZwB 827CxDzYEvL/oiZ3Tv3HlPfN2LAAsJUfGnghh9DOytenL2CTZWjl/emP5eijzmlP+9 83zva5I6CIMCf/eDDVsRdO244t0o4uG7+At0IgSDM3bpVaVb4RHZNjEziYChsEYY8d 84HK6iwuRSvFniV6yhR/Vj1Ymi9yZ5xclqseLXiQnUB0PkfIk23+7s42cXB16653fH 85O/FsPyKBLiKJArizLYQc12aP3QOrYoYD9+fAzIIzew7A5C0aanZCGzkuFpO6TRlD 86Tb7ry9Gf0DfPpCgxraH8tOcmnqp/ka3hjqo/SRnnTk0IFrmmLdarJvjD46rKwBo4 87MjyAIR1mQ5j8GTlSFBmSgETOQ/EYvO3FPLmra1Fh7L+DvaVzTpqI9fG3TuyyY+Ri 88Fby4ycTOGSZOe5Fh8lqkX5Y47mCUJ3zHzOA1vUJy2eTlMRGpu47Eb1++Vm6EzPUP 892EF5aD+zwcssh+atZvQbwxpgVqVcyLt91RSkKkmZQslh0rnlTb68yxvUnD3zw7So 90o6TAf9UvwVMEvdLT9NnFd6hwi2jcNte/h538GJwXeBb8EkfpqLKpTKyicnOdkamZ 917E9zY8SHNRYMwB9coQ/W8NvufbCgkvOoLyMXk5edbXofXl3PhNGOlraWbghBnzf5 92r3rwjFsQOoZotA== 93-----END CERTIFICATE-----` 94 caKey = `-----BEGIN RSA PRIVATE KEY----- 95MIIJKQIBAAKCAgEA4Tiho5xWAC15JRkMwfp3/TJwI2As7MY5dele5cmdr5bHAE+s 96RKqC+Ti88OJWCV5saoyax/1SCjxJlQMZMl169P1QYJskKjdG2sdv6RLWLMgwSNRR 97jxp/Bw9dHdiEb9MjLgu28Jro9peQkHcRHeMf5hM9WvlIJGrdzbC4hUehmqggcqgA 98RainBkYjf0SwuWxHeu4nMqkpAk5tcSTLCjHfEFHZ9Te0TIPG5YkWocQKyeLgu4lv 99uU+DD2W2lym+YVUtRMGs1Envk7p+N0DcGU26qfzZ2sF5ZXkqm7dBsGQB9pIxwc2Q 1008T1dCIyP9OQCKVILdc5aVFf1cryQFHYzYNNZXFlIBims5VV5Mgfp8ESHQSue+v6n 1016ykecLEyKt1F1Y/MWY/nWUSI8zdq83jdBAZVjo9MSthxVn57/06s/hQca65IpcTZ 102V2gX0a+eRlAVqaRbAhL3LaZebYsW3WHKoUOftwemuep3nL51TzlXZVL7Oz/ClGaE 103OsnGG9KFO6jh+W768qC0zLQICdE7v2Zex98sZteHCg9fGJHIaYoF0aJG5P3WI5oZ 104f2fy7UIYN9ADLFZiorCXAZEhCSU6mDoRViZ4RGR9GZxbDZ9KYn7O8M/KCR72bkQg 10573TlMsk1zSXEw0MKLUjtsw6crZ0Jt8t3sRatHO3JrYHALMt9vZfyNCZp0IsCAwEA 106AQKCAgAV+ElERYbaI5VyufvVnFJCH75ypPoc6sVGLEq2jbFVJJcq/5qlZCC8oP1F 107Xj7YUR6wUiDzK1Hqb7EZ2SCHGjlZVrCVi+y+NYAy7UuMZ+r+mVSkdhmypPoJPUVv 108GOTqZ6VB46Cn3eSl0WknvoWr7bD555yPmEuiSc5zNy74yWEJTidEKAFGyknowcTK 109sG+w1tAuPLcUKQ44DGB+rgEkcHL7C5EAa7upzx0C3RmZFB+dTAVyJdkBMbFuOhTS 110sB7DLeTplR7/4mp9da7EQw51ZXC1DlZOEZt++4/desXsqATNAbva1OuzrLG7mMKe 111N/PCBh/aERQcsCvgUmaXqGQgqN1Jhw8kbXnjZnVd9iE7TAh7ki3VqNy1OMgTwOex 112bBYWaCqHuDYIxCjeW0qLJcn0cKQ13FVYrxgInf4Jp82SQht5b/zLL3IRZEyKcLJF 113kL6g1wlmTUTUX0z8eZzlM0ZCrqtExjgElMO/rV971nyNV5WU8Og3NmE8/slqMrmJ 114DlrQr9q0WJsDKj1IMe46EUM6ix7bbxC5NIfJ96dgdxZDn6ghjca6iZYqqUACvmUj 115cq08s3R4Ouw9/87kn11wwGBx2yDueCwrjKEGc0RKjweGbwu0nBxOrkJ8JXz6bAv7 1161OKfYaX3afI9B8x4uaiuRs38oBQlg9uAYFfl4HNBPuQikGLmsQKCAQEA8VjFOsaz 117y6NMZzKXi7WZ48uu3ed5x3Kf6RyDr1WvQ1jkBMv9b6b8Gp1CRnPqviRBto9L8QAg 118bCXZTqnXzn//brskmW8IZgqjAlf89AWa53piucu9/hgidrHRZobs5gTqev28uJdc 119zcuw1g8c3nCpY9WeTjHODzX5NXYRLFpkazLfYa6c8Q9jZR4KKrpdM+66fxL0JlOd 1207dN0oQtEqEAugsd3cwkZgvWhY4oM7FGErrZoDLy273ZdJzi/vU+dThyVzfD8Ab8u 121VxxuobVMT/S608zbe+uaiUdov5s96OkCl87403UNKJBH+6LNb3rjBBLE9NPN5ET9 122JLQMrYd+zj8jQwKCAQEA7uU5I9MOufo9bIgJqjY4Ie1+Ex9DZEMUYFAvGNCJCVcS 123mwOdGF8AWzIavTLACmEDJO7t/OrBdoo4L7IEsCNjgA3WiIwIMiWUVqveAGUMEXr6 124TRI5EolV6FTqqIP6AS+BAeBq7G1ELgsTrWNHh11rW3+3kBMuOCn77PUQ8WHwcq/r 125teZcZn4Ewcr6P7cBODgVvnBPhe/J8xHS0HFVCeS1CvaiNYgees5yA80Apo9IPjDJ 126YWawLjmH5wUBI5yDFVp067wjqJnoKPSoKwWkZXqUk+zgFXx5KT0gh/c5yh1frASp 127q6oaYnHEVC5qj2SpT1GFLonTcrQUXiSkiUudvNu1GQKCAQEAmko+5GFtRe0ihgLQ 1284S76r6diJli6AKil1Fg3U1r6zZpBQ1PJtJxTJQyN9w5Z7q6tF/GqAesrzxevQdvQ 129rCImAPtA3ZofC2UXawMnIjWHHx6diNvYnV1+gtUQ4nO1dSOFZ5VZFcUmPiZO6boF 130oaryj3FcX+71JcJCjEvrlKhA9Es0hXUkvfMxfs5if4he1zlyHpTWYr4oA4egUugq 131P0mwskikc3VIyvEO+NyjgFxo72yLPkFSzemkidN8uKDyFqKtnlfGM7OuA2CY1WZa 1323+67lXWshx9KzyJIs92iCYkU8EoPxtdYzyrV6efdX7x27v60zTOut5TnJJS6WiF6 133Do5MkwKCAQAxoR9IyP0DN/BwzqYrXU42Bi+t603F04W1KJNQNWpyrUspNwv41yus 134xnD1o0hwH41Wq+h3JZIBfV+E0RfWO9Pc84MBJQ5C1LnHc7cQH+3s575+Km3+4tcd 135CB8j2R8kBeloKWYtLdn/Mr/ownpGreqyvIq2/LUaZ+Z1aMgXTYB1YwS16mCBzmZQ 136mEl62RsAwe4KfSyYJ6OtwqMoOJMxFfliiLBULK4gVykqjvk2oQeiG+KKQJoTUFJi 137dRCyhD5bPkqR+qjxyt+HOqSBI4/uoROi05AOBqjpH1DVzk+MJKQOiX1yM0l98CKY 138Vng+x+vAla/0Zh+ucajVkgk4mKPxazdpAoIBAQC17vWk4KYJpF2RC3pKPcQ0PdiX 139bN35YNlvyhkYlSfDNdyH3aDrGiycUyW2mMXUgEDFsLRxHMTL+zPC6efqO6sTAJDY 140cBptsW4drW/qo8NTx3dNOisLkW+mGGJOR/w157hREFr29ymCVMYu/Z7fVWIeSpCq 141p3u8YX8WTljrxwSczlGjvpM7uJx3SfYRM4TUoy+8wU8bK74LywLa5f60bQY6Dye0 142Gqd9O6OoPfgcQlwjC5MiAofeqwPJvU0hQOPoehZyNLAmOCWXTYWaTP7lxO1r6+NE 143M3hGYqW3W8Ixua71OskCypBZg/HVlIP/lzjRzdx+VOB2hbWVth2Iup/Z1egW 144-----END RSA PRIVATE KEY-----` 145 caCRL = `-----BEGIN X509 CRL----- 146MIICpzCBkAIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhDZXJ0QXV0aBcN 147MjEwMTAyMjEzNDA1WhcNMjMwMTAyMjEzNDA1WjAkMCICEQC+l04DbHWMyC3fG09k 148VXf+Fw0yMTAxMDIyMTM0MDVaoCMwITAfBgNVHSMEGDAWgBTtcgjQBq/80EySIvJc 149N8OTorgbzDANBgkqhkiG9w0BAQsFAAOCAgEAEJ7z+uNc8sqtxlOhSdTGDzX/xput 150E857kFQkSlMnU2whQ8c+XpYrBLA5vIZJNSSwohTpM4+zVBX/bJpmu3wqqaArRO9/ 151YcW5mQk9Anvb4WjQW1cHmtNapMTzoC9AiYt/OWPfy+P6JCgCr4Hy6LgQyIRL6bM9 152VYTalolOm1qa4Y5cIeT7iHq/91mfaqo8/6MYRjLl8DOTROpmw8OS9bCXkzGKdCat 153AbAzwkQUSauyoCQ10rpX+Y64w9ng3g4Dr20aCqPf5osaqplEJ2HTK8ljDTidlslv 1549anQj8ax3Su89vI8+hK+YbfVQwrThabgdSjQsn+veyx8GlP8WwHLAQ379KjZjWg+ 155OlOSwBeU1vTdP0QcB8X5C2gVujAyuQekbaV86xzIBOj7vZdfHZ6ee30TZ2FKiMyg 1567/N2OqW0w77ChsjB4MSHJCfuTgIeg62GzuZXLM+Q2Z9LBdtm4Byg+sm/P52adOEg 157gVb2Zf4KSvsAmA0PIBlu449/QXUFcMxzLFy7mwTeZj2B4Ln0Hm0szV9f9R8MwMtB 158SyLYxVH+mgqaR6Jkk22Q/yYyLPaELfafX5gp/AIXG8n0zxfVaTvK3auSgb1Q6ZLS 1595QH9dSIsmZHlPq7GoSXmKpMdjUL8eaky/IMteioyXgsBiATzl5L2dsw6MTX3MDF0 160QbDK+MzhmbKfDxs= 161-----END X509 CRL-----` 162 client1Crt = `-----BEGIN CERTIFICATE----- 163MIIEITCCAgmgAwIBAgIRAIppZHoj1hM80D7WzTEKLuAwDQYJKoZIhvcNAQELBQAw 164EzERMA8GA1UEAxMIQ2VydEF1dGgwHhcNMjEwMTAyMjEyMzEwWhcNMjIwNzAyMjEz 165MDUxWjASMRAwDgYDVQQDEwdjbGllbnQxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A 166MIIBCgKCAQEAoKbYY9MdF2kF/nhBESIiZTdVYtA8XL9xrIZyDj9EnCiTxHiVbJtH 167XVwszqSl5TRrotPmnmAQcX3r8OCk+z+RQZ0QQj257P3kG6q4rNnOcWCS5xEd20jP 168yhQ3m+hMGfZsotNTQze1ochuQgLUN6IPyPxZkH22ia3jX4iu1eo/QxeLYHj1UHw4 1693Cii9yE+j5kPUC21xmnrGKdUrB55NYLXHx6yTIqYR5znSOVB8oJi18/hwdZmH859 170DHhm0Hx1HrS+jbjI3+CMorZJ3WUyNf+CkiVLD3xYutPbxzEpwiqkG/XYzLH0habT 171cDcILo18n+o3jvem2KWBrDhyairjIDscwQIDAQABo3EwbzAOBgNVHQ8BAf8EBAMC 172A7gwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBSJ5GIv 173zIrE4ZSQt2+CGblKTDswizAfBgNVHSMEGDAWgBTtcgjQBq/80EySIvJcN8OTorgb 174zDANBgkqhkiG9w0BAQsFAAOCAgEALh4f5GhvNYNou0Ab04iQBbLEdOu2RlbK1B5n 175K9P/umYenBHMY/z6HT3+6tpcHsDuqE8UVdq3f3Gh4S2Gu9m8PRitT+cJ3gdo9Plm 1763rD4ufn/s6rGg3ppydXcedm17492tbccUDWOBZw3IO/ASVq13WPgT0/Kev7cPq0k 177sSdSNhVeXqx8Myc2/d+8GYyzbul2Kpfa7h9i24sK49E9ftnSmsIvngONo08eT1T0 1783wAOyK2981LIsHaAWcneShKFLDB6LeXIT9oitOYhiykhFlBZ4M1GNlSNfhQ8IIQP 179xbqMNXCLkW4/BtLhGEEcg0QVso6Kudl9rzgTfQknrdF7pHp6rS46wYUjoSyIY6dl 180oLmnoAVJX36J3QPWelePI9e07X2wrTfiZWewwgw3KNRWjd6/zfPLe7GoqXnK1S2z 181PT8qMfCaTwKTtUkzXuTFvQ8bAo2My/mS8FOcpkt2oQWeOsADHAUX7fz5BCoa2DL3 182k/7Mh4gVT+JYZEoTwCFuYHgMWFWe98naqHi9lB4yR981p1QgXgxO7qBeipagKY1F 183LlH1iwXUqZ3MZnkNA+4e1Fglsw3sa/rC+L98HnznJ/YbTfQbCP6aQ1qcOymrjMud 1847MrFwqZjtd/SK4Qx1VpK6jGEAtPgWBTUS3p9ayg6lqjMBjsmySWfvRsDQbq6P5Ct 185O/e3EH8= 186-----END CERTIFICATE-----` 187 client1Key = `-----BEGIN RSA PRIVATE KEY----- 188MIIEpAIBAAKCAQEAoKbYY9MdF2kF/nhBESIiZTdVYtA8XL9xrIZyDj9EnCiTxHiV 189bJtHXVwszqSl5TRrotPmnmAQcX3r8OCk+z+RQZ0QQj257P3kG6q4rNnOcWCS5xEd 19020jPyhQ3m+hMGfZsotNTQze1ochuQgLUN6IPyPxZkH22ia3jX4iu1eo/QxeLYHj1 191UHw43Cii9yE+j5kPUC21xmnrGKdUrB55NYLXHx6yTIqYR5znSOVB8oJi18/hwdZm 192H859DHhm0Hx1HrS+jbjI3+CMorZJ3WUyNf+CkiVLD3xYutPbxzEpwiqkG/XYzLH0 193habTcDcILo18n+o3jvem2KWBrDhyairjIDscwQIDAQABAoIBAEBSjVFqtbsp0byR 194aXvyrtLX1Ng7h++at2jca85Ihq//jyqbHTje8zPuNAKI6eNbmb0YGr5OuEa4pD9N 195ssDmMsKSoG/lRwwcm7h4InkSvBWpFShvMgUaohfHAHzsBYxfnh+TfULsi0y7c2n6 196t/2OZcOTRkkUDIITnXYiw93ibHHv2Mv2bBDu35kGrcK+c2dN5IL5ZjTjMRpbJTe2 19744RBJbdTxHBVSgoGBnugF+s2aEma6Ehsj70oyfoVpM6Aed5kGge0A5zA1JO7WCn9 198Ay/DzlULRXHjJIoRWd2NKvx5n3FNppUc9vJh2plRHalRooZ2+MjSf8HmXlvG2Hpb 199ScvmWgECgYEA1G+A/2KnxWsr/7uWIJ7ClcGCiNLdk17Pv3DZ3G4qUsU2ITftfIbb 200tU0Q/b19na1IY8Pjy9ptP7t74/hF5kky97cf1FA8F+nMj/k4+wO8QDI8OJfzVzh9 201PwielA5vbE+xmvis5Hdp8/od1Yrc/rPSy2TKtPFhvsqXjqoUmOAjDP8CgYEAwZjH 2029dt1sc2lx/rMxihlWEzQ3JPswKW9/LJAmbRBoSWF9FGNjbX7uhWtXRKJkzb8ZAwa 20388azluNo2oftbDD/+jw8b2cDgaJHlLAkSD4O1D1RthW7/LKD15qZ/oFsRb13NV85 204ZNKtwslXGbfVNyGKUVFm7fVA8vBAOUey+LKDFj8CgYEAg8WWstOzVdYguMTXXuyb 205ruEV42FJaDyLiSirOvxq7GTAKuLSQUg1yMRBIeQEo2X1XU0JZE3dLodRVhuO4EXP 206g7Dn4X7Th9HSvgvNuIacowWGLWSz4Qp9RjhGhXhezUSx2nseY6le46PmFavJYYSR 2074PBofMyt4PcyA6Cknh+KHmkCgYEAnTriG7ETE0a7v4DXUpB4TpCEiMCy5Xs2o8Z5 208ZNva+W+qLVUWq+MDAIyechqeFSvxK6gRM69LJ96lx+XhU58wJiFJzAhT9rK/g+jS 209bsHH9WOfu0xHkuHA5hgvvV2Le9B2wqgFyva4HJy82qxMxCu/VG/SMqyfBS9OWbb7 210ibQhdq0CgYAl53LUWZsFSZIth1vux2LVOsI8C3X1oiXDGpnrdlQ+K7z57hq5EsRq 211GC+INxwXbvKNqp5h0z2MvmKYPDlGVTgw8f8JjM7TkN17ERLcydhdRrMONUryZpo8 2121xTob+8blyJgfxZUIAKbMbMbIiU0WAF0rfD/eJJwS4htOW/Hfv4TGA== 213-----END RSA PRIVATE KEY-----` 214 // client 2 crt is revoked 215 client2Crt = `-----BEGIN CERTIFICATE----- 216MIIEITCCAgmgAwIBAgIRAL6XTgNsdYzILd8bT2RVd/4wDQYJKoZIhvcNAQELBQAw 217EzERMA8GA1UEAxMIQ2VydEF1dGgwHhcNMjEwMTAyMjEyMzIwWhcNMjIwNzAyMjEz 218MDUxWjASMRAwDgYDVQQDEwdjbGllbnQyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A 219MIIBCgKCAQEA6xjW5KQR3/OFQtV5M75WINqQ4AzXSu6DhSz/yumaaQZP/UxY+6hi 220jcrFzGo9MMie/Sza8DhkXOFAl2BelUubrOeB2cl+/Gr8OCyRi2Gv6j3zCsuN/4jQ 221tNaoez/IbkDvI3l/ZpzBtnuNY2RiemGgHuORXHRVf3qVlsw+npBIRW5rM2HkO/xG 222oZjeBErWVu390Lyn+Gvk2TqQDnkutWnxUC60/zPlHhXZ4BwaFAekbSnjsSDB1YFM 223s8HwW4oBryoxdj3/+/qLrBHt75IdLw3T7/V1UDJQM3EvSQOr12w4egpldhtsC871 224nnBQZeY6qA5feffIwwg/6lJm70o6S6OX6wIDAQABo3EwbzAOBgNVHQ8BAf8EBAMC 225A7gwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBTB84v5 226t9HqhLhMODbn6oYkEQt3KzAfBgNVHSMEGDAWgBTtcgjQBq/80EySIvJcN8OTorgb 227zDANBgkqhkiG9w0BAQsFAAOCAgEALGtBCve5k8tToL3oLuXp/oSik6ovIB/zq4I/ 2284zNMYPU31+ZWz6aahysgx1JL1yqTa3Qm8o2tu52MbnV10dM7CIw7c/cYa+c+OPcG 2295LF97kp13X+r2axy+CmwM86b4ILaDGs2Qyai6VB6k7oFUve+av5o7aUrNFpqGCJz 230HWdtHZSVA3JMATzy0TfWanwkzreqfdw7qH0yZ9bDURlBKAVWrqnCstva9jRuv+AI 231eqxr/4Ro986TFjJdoAP3Vr16CPg7/B6GA/KmsBWJrpeJdPWq4i2gpLKvYZoy89qD 232mUZf34RbzcCtV4NvV1DadGnt4us0nvLrvS5rL2+2uWD09kZYq9RbLkvgzF/cY0fz 233i7I1bi5XQ+alWe0uAk5ZZL/D+GTRYUX1AWwCqwJxmHrMxcskMyO9pXvLyuSWRDLo 234YNBrbX9nLcfJzVCp+X+9sntTHjs4l6Cw+fLepJIgtgqdCHtbhTiv68vSM6cgb4br 2356n2xrXRKuioiWFOrTSRr+oalZh8dGJ/xvwY8IbWknZAvml9mf1VvfE7Ma5P777QM 236fsbYVTq0Y3R/5hIWsC3HA5z6MIM8L1oRe/YyhP3CTmrCHkVKyDOosGXpGz+JVcyo 237cfYkY5A3yFKB2HaCwZSfwFmRhxkrYWGEbHv3Cd9YkZs1J3hNhGFZyVMC9Uh0S85a 2386zdDidU= 239-----END CERTIFICATE-----` 240 client2Key = `-----BEGIN RSA PRIVATE KEY----- 241MIIEpAIBAAKCAQEA6xjW5KQR3/OFQtV5M75WINqQ4AzXSu6DhSz/yumaaQZP/UxY 242+6hijcrFzGo9MMie/Sza8DhkXOFAl2BelUubrOeB2cl+/Gr8OCyRi2Gv6j3zCsuN 243/4jQtNaoez/IbkDvI3l/ZpzBtnuNY2RiemGgHuORXHRVf3qVlsw+npBIRW5rM2Hk 244O/xGoZjeBErWVu390Lyn+Gvk2TqQDnkutWnxUC60/zPlHhXZ4BwaFAekbSnjsSDB 2451YFMs8HwW4oBryoxdj3/+/qLrBHt75IdLw3T7/V1UDJQM3EvSQOr12w4egpldhts 246C871nnBQZeY6qA5feffIwwg/6lJm70o6S6OX6wIDAQABAoIBAFatstVb1KdQXsq0 247cFpui8zTKOUiduJOrDkWzTygAmlEhYtrccdfXu7OWz0x0lvBLDVGK3a0I/TGrAzj 2484BuFY+FM/egxTVt9in6fmA3et4BS1OAfCryzUdfK6RV//8L+t+zJZ/qKQzWnugpy 249QYjDo8ifuMFwtvEoXizaIyBNLAhEp9hnrv+Tyi2O2gahPvCHsD48zkyZRCHYRstD 250NH5cIrwz9/RJgPO1KI+QsJE7Nh7stR0sbr+5TPU4fnsL2mNhMUF2TJrwIPrc1yp+ 251YIUjdnh3SO88j4TQT3CIrWi8i4pOy6N0dcVn3gpCRGaqAKyS2ZYUj+yVtLO4KwxZ 252SZ1lNvECgYEA78BrF7f4ETfWSLcBQ3qxfLs7ibB6IYo2x25685FhZjD+zLXM1AKb 253FJHEXUm3mUYrFJK6AFEyOQnyGKBOLs3S6oTAswMPbTkkZeD1Y9O6uv0AHASLZnK6 254pC6ub0eSRF5LUyTQ55Jj8D7QsjXJueO8v+G5ihWhNSN9tB2UA+8NBmkCgYEA+weq 255cvoeMIEMBQHnNNLy35bwfqrceGyPIRBcUIvzQfY1vk7KW6DYOUzC7u+WUzy/hA52 256DjXVVhua2eMQ9qqtOav7djcMc2W9RbLowxvno7K5qiCss013MeWk64TCWy+WMp5A 257AVAtOliC3hMkIKqvR2poqn+IBTh1449agUJQqTMCgYEAu06IHGq1GraV6g9XpGF5 258wqoAlMzUTdnOfDabRilBf/YtSr+J++ThRcuwLvXFw7CnPZZ4TIEjDJ7xjj3HdxeE 259fYYjineMmNd40UNUU556F1ZLvJfsVKizmkuCKhwvcMx+asGrmA+tlmds4p3VMS50 260KzDtpKzLWlmU/p/RINWlRmkCgYBy0pHTn7aZZx2xWKqCDg+L2EXPGqZX6wgZDpu7 261OBifzlfM4ctL2CmvI/5yPmLbVgkgBWFYpKUdiujsyyEiQvWTUKhn7UwjqKDHtcsk 262G6p7xS+JswJrzX4885bZJ9Oi1AR2yM3sC9l0O7I4lDbNPmWIXBLeEhGMmcPKv/Kc 26391Ff4wKBgQCF3ur+Vt0PSU0ucrPVHjCe7tqazm0LJaWbPXL1Aw0pzdM2EcNcW/MA 264w0kqpr7MgJ94qhXCBcVcfPuFN9fBOadM3UBj1B45Cz3pptoK+ScI8XKno6jvVK/p 265xr5cb9VBRBtB9aOKVfuRhpatAfS2Pzm2Htae9lFn7slGPUmu2hkjDw== 266-----END RSA PRIVATE KEY-----` 267) 268 269type failingWriter struct { 270} 271 272func (r *failingWriter) Write(p []byte) (n int, err error) { 273 return 0, errors.New("write error") 274} 275 276func (r *failingWriter) WriteHeader(statusCode int) {} 277 278func (r *failingWriter) Header() http.Header { 279 return make(http.Header) 280} 281 282func TestShouldBind(t *testing.T) { 283 c := Conf{ 284 Bindings: []Binding{ 285 { 286 Port: 10000, 287 }, 288 }, 289 } 290 require.True(t, c.ShouldBind()) 291 292 c.Bindings[0].Port = 0 293 require.False(t, c.ShouldBind()) 294 295 if runtime.GOOS != osWindows { 296 c.Bindings[0].Address = "/absolute/path" 297 require.True(t, c.ShouldBind()) 298 } 299} 300 301func TestGetRespStatus(t *testing.T) { 302 var err error 303 err = util.NewMethodDisabledError("") 304 respStatus := getRespStatus(err) 305 assert.Equal(t, http.StatusForbidden, respStatus) 306 err = fmt.Errorf("generic error") 307 respStatus = getRespStatus(err) 308 assert.Equal(t, http.StatusInternalServerError, respStatus) 309 respStatus = getRespStatus(plugin.ErrNoSearcher) 310 assert.Equal(t, http.StatusNotImplemented, respStatus) 311} 312 313func TestMappedStatusCode(t *testing.T) { 314 err := os.ErrPermission 315 code := getMappedStatusCode(err) 316 assert.Equal(t, http.StatusForbidden, code) 317 err = os.ErrNotExist 318 code = getMappedStatusCode(err) 319 assert.Equal(t, http.StatusNotFound, code) 320 err = common.ErrQuotaExceeded 321 code = getMappedStatusCode(err) 322 assert.Equal(t, http.StatusRequestEntityTooLarge, code) 323 err = os.ErrClosed 324 code = getMappedStatusCode(err) 325 assert.Equal(t, http.StatusInternalServerError, code) 326} 327 328func TestGCSWebInvalidFormFile(t *testing.T) { 329 form := make(url.Values) 330 form.Set("username", "test_username") 331 form.Set("fs_provider", "2") 332 req, _ := http.NewRequest(http.MethodPost, webUserPath, strings.NewReader(form.Encode())) 333 req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 334 err := req.ParseForm() 335 assert.NoError(t, err) 336 _, err = getFsConfigFromPostFields(req) 337 assert.EqualError(t, err, http.ErrNotMultipart.Error()) 338} 339 340func TestInvalidToken(t *testing.T) { 341 admin := dataprovider.Admin{ 342 Username: "admin", 343 } 344 errFake := errors.New("fake error") 345 asJSON, err := json.Marshal(admin) 346 assert.NoError(t, err) 347 req, _ := http.NewRequest(http.MethodPut, path.Join(adminPath, admin.Username), bytes.NewBuffer(asJSON)) 348 rctx := chi.NewRouteContext() 349 rctx.URLParams.Add("username", admin.Username) 350 req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx)) 351 req = req.WithContext(context.WithValue(req.Context(), jwtauth.ErrorCtxKey, errFake)) 352 rr := httptest.NewRecorder() 353 updateAdmin(rr, req) 354 assert.Equal(t, http.StatusBadRequest, rr.Code) 355 rr = httptest.NewRecorder() 356 deleteAdmin(rr, req) 357 assert.Equal(t, http.StatusBadRequest, rr.Code) 358 359 adminPwd := pwdChange{ 360 CurrentPassword: "old", 361 NewPassword: "new", 362 } 363 asJSON, err = json.Marshal(adminPwd) 364 assert.NoError(t, err) 365 req, _ = http.NewRequest(http.MethodPut, "", bytes.NewBuffer(asJSON)) 366 req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx)) 367 req = req.WithContext(context.WithValue(req.Context(), jwtauth.ErrorCtxKey, errFake)) 368 rr = httptest.NewRecorder() 369 changeAdminPassword(rr, req) 370 assert.Equal(t, http.StatusInternalServerError, rr.Code) 371 adm := getAdminFromToken(req) 372 assert.Empty(t, adm.Username) 373 374 rr = httptest.NewRecorder() 375 readUserFolder(rr, req) 376 assert.Equal(t, http.StatusBadRequest, rr.Code) 377 assert.Contains(t, rr.Body.String(), "Invalid token claims") 378 379 rr = httptest.NewRecorder() 380 getUserFile(rr, req) 381 assert.Equal(t, http.StatusBadRequest, rr.Code) 382 assert.Contains(t, rr.Body.String(), "Invalid token claims") 383 384 rr = httptest.NewRecorder() 385 getUserFilesAsZipStream(rr, req) 386 assert.Equal(t, http.StatusBadRequest, rr.Code) 387 assert.Contains(t, rr.Body.String(), "Invalid token claims") 388 389 rr = httptest.NewRecorder() 390 getShares(rr, req) 391 assert.Equal(t, http.StatusBadRequest, rr.Code) 392 assert.Contains(t, rr.Body.String(), "Invalid token claims") 393 394 rr = httptest.NewRecorder() 395 getShareByID(rr, req) 396 assert.Equal(t, http.StatusBadRequest, rr.Code) 397 assert.Contains(t, rr.Body.String(), "Invalid token claims") 398 399 rr = httptest.NewRecorder() 400 addShare(rr, req) 401 assert.Equal(t, http.StatusBadRequest, rr.Code) 402 assert.Contains(t, rr.Body.String(), "Invalid token claims") 403 404 rr = httptest.NewRecorder() 405 updateShare(rr, req) 406 assert.Equal(t, http.StatusBadRequest, rr.Code) 407 assert.Contains(t, rr.Body.String(), "Invalid token claims") 408 409 rr = httptest.NewRecorder() 410 deleteShare(rr, req) 411 assert.Equal(t, http.StatusBadRequest, rr.Code) 412 assert.Contains(t, rr.Body.String(), "Invalid token claims") 413 414 rr = httptest.NewRecorder() 415 getUserPublicKeys(rr, req) 416 assert.Equal(t, http.StatusBadRequest, rr.Code) 417 assert.Contains(t, rr.Body.String(), "Invalid token claims") 418 419 rr = httptest.NewRecorder() 420 setUserPublicKeys(rr, req) 421 assert.Equal(t, http.StatusBadRequest, rr.Code) 422 assert.Contains(t, rr.Body.String(), "Invalid token claims") 423 424 rr = httptest.NewRecorder() 425 generateTOTPSecret(rr, req) 426 assert.Equal(t, http.StatusBadRequest, rr.Code) 427 assert.Contains(t, rr.Body.String(), "Invalid token claims") 428 429 rr = httptest.NewRecorder() 430 saveTOTPConfig(rr, req) 431 assert.Equal(t, http.StatusBadRequest, rr.Code) 432 assert.Contains(t, rr.Body.String(), "Invalid token claims") 433 434 rr = httptest.NewRecorder() 435 getRecoveryCodes(rr, req) 436 assert.Equal(t, http.StatusBadRequest, rr.Code) 437 assert.Contains(t, rr.Body.String(), "Invalid token claims") 438 439 rr = httptest.NewRecorder() 440 generateRecoveryCodes(rr, req) 441 assert.Equal(t, http.StatusBadRequest, rr.Code) 442 assert.Contains(t, rr.Body.String(), "Invalid token claims") 443 444 rr = httptest.NewRecorder() 445 getUserProfile(rr, req) 446 assert.Equal(t, http.StatusBadRequest, rr.Code) 447 assert.Contains(t, rr.Body.String(), "Invalid token claims") 448 449 rr = httptest.NewRecorder() 450 updateUserProfile(rr, req) 451 assert.Equal(t, http.StatusBadRequest, rr.Code) 452 assert.Contains(t, rr.Body.String(), "Invalid token claims") 453 454 rr = httptest.NewRecorder() 455 getAdminProfile(rr, req) 456 assert.Equal(t, http.StatusBadRequest, rr.Code) 457 assert.Contains(t, rr.Body.String(), "Invalid token claims") 458 459 rr = httptest.NewRecorder() 460 updateAdminProfile(rr, req) 461 assert.Equal(t, http.StatusBadRequest, rr.Code) 462 assert.Contains(t, rr.Body.String(), "Invalid token claims") 463 464 rr = httptest.NewRecorder() 465 loadData(rr, req) 466 assert.Equal(t, http.StatusBadRequest, rr.Code) 467 assert.Contains(t, rr.Body.String(), "Invalid token claims") 468 469 rr = httptest.NewRecorder() 470 loadDataFromRequest(rr, req) 471 assert.Equal(t, http.StatusBadRequest, rr.Code) 472 assert.Contains(t, rr.Body.String(), "Invalid token claims") 473 474 rr = httptest.NewRecorder() 475 addUser(rr, req) 476 assert.Equal(t, http.StatusBadRequest, rr.Code) 477 assert.Contains(t, rr.Body.String(), "Invalid token claims") 478 479 rr = httptest.NewRecorder() 480 disableUser2FA(rr, req) 481 assert.Equal(t, http.StatusBadRequest, rr.Code) 482 assert.Contains(t, rr.Body.String(), "Invalid token claims") 483 484 rr = httptest.NewRecorder() 485 updateUser(rr, req) 486 assert.Equal(t, http.StatusBadRequest, rr.Code) 487 assert.Contains(t, rr.Body.String(), "Invalid token claims") 488 489 rr = httptest.NewRecorder() 490 deleteUser(rr, req) 491 assert.Equal(t, http.StatusBadRequest, rr.Code) 492 assert.Contains(t, rr.Body.String(), "Invalid token claims") 493 494 rr = httptest.NewRecorder() 495 handleWebRestore(rr, req) 496 assert.Equal(t, http.StatusBadRequest, rr.Code) 497 assert.Contains(t, rr.Body.String(), "invalid token claims") 498 499 rr = httptest.NewRecorder() 500 handleWebAddUserPost(rr, req) 501 assert.Equal(t, http.StatusBadRequest, rr.Code) 502 assert.Contains(t, rr.Body.String(), "invalid token claims") 503 504 rr = httptest.NewRecorder() 505 handleWebUpdateUserPost(rr, req) 506 assert.Equal(t, http.StatusBadRequest, rr.Code) 507 assert.Contains(t, rr.Body.String(), "invalid token claims") 508 509 rr = httptest.NewRecorder() 510 updateFolder(rr, req) 511 assert.Equal(t, http.StatusBadRequest, rr.Code) 512 assert.Contains(t, rr.Body.String(), "Invalid token claims") 513 514 rr = httptest.NewRecorder() 515 deleteFolder(rr, req) 516 assert.Equal(t, http.StatusBadRequest, rr.Code) 517 assert.Contains(t, rr.Body.String(), "Invalid token claims") 518 519 rr = httptest.NewRecorder() 520 handleWebUpdateFolderPost(rr, req) 521 assert.Equal(t, http.StatusBadRequest, rr.Code) 522 assert.Contains(t, rr.Body.String(), "invalid token claims") 523 524 rr = httptest.NewRecorder() 525 addAdmin(rr, req) 526 assert.Equal(t, http.StatusBadRequest, rr.Code) 527 assert.Contains(t, rr.Body.String(), "Invalid token claims") 528 529 rr = httptest.NewRecorder() 530 disableAdmin2FA(rr, req) 531 assert.Equal(t, http.StatusBadRequest, rr.Code) 532 assert.Contains(t, rr.Body.String(), "Invalid token claims") 533 534 rr = httptest.NewRecorder() 535 addAPIKey(rr, req) 536 assert.Equal(t, http.StatusBadRequest, rr.Code) 537 assert.Contains(t, rr.Body.String(), "Invalid token claims") 538 539 rr = httptest.NewRecorder() 540 updateAPIKey(rr, req) 541 assert.Equal(t, http.StatusBadRequest, rr.Code) 542 assert.Contains(t, rr.Body.String(), "Invalid token claims") 543 544 rr = httptest.NewRecorder() 545 deleteAPIKey(rr, req) 546 assert.Equal(t, http.StatusBadRequest, rr.Code) 547 assert.Contains(t, rr.Body.String(), "Invalid token claims") 548 549 rr = httptest.NewRecorder() 550 handleWebAddAdminPost(rr, req) 551 assert.Equal(t, http.StatusBadRequest, rr.Code) 552 assert.Contains(t, rr.Body.String(), "invalid token claims") 553 554 server := httpdServer{} 555 server.initializeRouter() 556 rr = httptest.NewRecorder() 557 server.handleWebClientTwoFactorRecoveryPost(rr, req) 558 assert.Equal(t, http.StatusNotFound, rr.Code) 559 560 rr = httptest.NewRecorder() 561 server.handleWebClientTwoFactorPost(rr, req) 562 assert.Equal(t, http.StatusNotFound, rr.Code) 563 564 rr = httptest.NewRecorder() 565 server.handleWebAdminTwoFactorRecoveryPost(rr, req) 566 assert.Equal(t, http.StatusNotFound, rr.Code) 567 568 rr = httptest.NewRecorder() 569 server.handleWebAdminTwoFactorPost(rr, req) 570 assert.Equal(t, http.StatusNotFound, rr.Code) 571} 572 573func TestUpdateWebAdminInvalidClaims(t *testing.T) { 574 server := httpdServer{} 575 server.initializeRouter() 576 577 rr := httptest.NewRecorder() 578 admin := dataprovider.Admin{ 579 Username: "", 580 Password: "password", 581 } 582 c := jwtTokenClaims{ 583 Username: admin.Username, 584 Permissions: admin.Permissions, 585 Signature: admin.GetSignature(), 586 } 587 token, err := c.createTokenResponse(server.tokenAuth, tokenAudienceWebAdmin) 588 assert.NoError(t, err) 589 590 form := make(url.Values) 591 form.Set(csrfFormToken, createCSRFToken()) 592 form.Set("status", "1") 593 req, _ := http.NewRequest(http.MethodPost, path.Join(webAdminPath, "admin"), bytes.NewBuffer([]byte(form.Encode()))) 594 rctx := chi.NewRouteContext() 595 rctx.URLParams.Add("username", "admin") 596 req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx)) 597 req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 598 req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"])) 599 handleWebUpdateAdminPost(rr, req) 600 assert.Equal(t, http.StatusOK, rr.Code) 601 assert.Contains(t, rr.Body.String(), "Invalid token claims") 602} 603 604func TestRetentionInvalidTokenClaims(t *testing.T) { 605 username := "retentionuser" 606 user := dataprovider.User{ 607 BaseUser: sdk.BaseUser{ 608 Username: username, 609 Password: "pwd", 610 HomeDir: filepath.Join(os.TempDir(), username), 611 Status: 1, 612 }, 613 } 614 user.Permissions = make(map[string][]string) 615 user.Permissions["/"] = []string{dataprovider.PermAny} 616 user.Filters.AllowAPIKeyAuth = true 617 err := dataprovider.AddUser(&user, "", "") 618 assert.NoError(t, err) 619 folderRetention := []common.FolderRetention{ 620 { 621 Path: "/", 622 Retention: 0, 623 DeleteEmptyDirs: true, 624 }, 625 } 626 asJSON, err := json.Marshal(folderRetention) 627 assert.NoError(t, err) 628 req, _ := http.NewRequest(http.MethodPost, retentionBasePath+"/"+username+"/check?notifications=Email", bytes.NewBuffer(asJSON)) 629 630 rctx := chi.NewRouteContext() 631 rctx.URLParams.Add("username", username) 632 633 req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx)) 634 req = req.WithContext(context.WithValue(req.Context(), jwtauth.ErrorCtxKey, errors.New("error"))) 635 rr := httptest.NewRecorder() 636 startRetentionCheck(rr, req) 637 assert.Equal(t, http.StatusBadRequest, rr.Code) 638 assert.Contains(t, rr.Body.String(), "Invalid token claims") 639 640 err = dataprovider.DeleteUser(username, "", "") 641 assert.NoError(t, err) 642} 643 644func TestCSRFToken(t *testing.T) { 645 // invalid token 646 err := verifyCSRFToken("token") 647 if assert.Error(t, err) { 648 assert.Contains(t, err.Error(), "unable to verify form token") 649 } 650 // bad audience 651 claims := make(map[string]interface{}) 652 now := time.Now().UTC() 653 654 claims[jwt.JwtIDKey] = xid.New().String() 655 claims[jwt.NotBeforeKey] = now.Add(-30 * time.Second) 656 claims[jwt.ExpirationKey] = now.Add(tokenDuration) 657 claims[jwt.AudienceKey] = tokenAudienceAPI 658 659 _, tokenString, err := csrfTokenAuth.Encode(claims) 660 assert.NoError(t, err) 661 err = verifyCSRFToken(tokenString) 662 if assert.Error(t, err) { 663 assert.Contains(t, err.Error(), "form token is not valid") 664 } 665 666 r := GetHTTPRouter() 667 fn := verifyCSRFHeader(r) 668 rr := httptest.NewRecorder() 669 req, _ := http.NewRequest(http.MethodDelete, path.Join(userPath, "username"), nil) 670 fn.ServeHTTP(rr, req) 671 assert.Equal(t, http.StatusForbidden, rr.Code) 672 assert.Contains(t, rr.Body.String(), "Invalid token") 673 674 req.Header.Set(csrfHeaderToken, tokenString) 675 rr = httptest.NewRecorder() 676 fn.ServeHTTP(rr, req) 677 assert.Equal(t, http.StatusForbidden, rr.Code) 678 assert.Contains(t, rr.Body.String(), "the token is not valid") 679 680 csrfTokenAuth = jwtauth.New("PS256", util.GenerateRandomBytes(32), nil) 681 tokenString = createCSRFToken() 682 assert.Empty(t, tokenString) 683 684 csrfTokenAuth = jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil) 685} 686 687func TestCreateTokenError(t *testing.T) { 688 server := httpdServer{ 689 tokenAuth: jwtauth.New("PS256", util.GenerateRandomBytes(32), nil), 690 } 691 rr := httptest.NewRecorder() 692 admin := dataprovider.Admin{ 693 Username: "admin", 694 Password: "password", 695 } 696 req, _ := http.NewRequest(http.MethodGet, tokenPath, nil) 697 698 server.generateAndSendToken(rr, req, admin) 699 assert.Equal(t, http.StatusInternalServerError, rr.Code) 700 701 rr = httptest.NewRecorder() 702 user := dataprovider.User{ 703 BaseUser: sdk.BaseUser{ 704 Username: "u", 705 Password: "pwd", 706 }, 707 } 708 req, _ = http.NewRequest(http.MethodGet, userTokenPath, nil) 709 710 server.generateAndSendUserToken(rr, req, "", user) 711 assert.Equal(t, http.StatusInternalServerError, rr.Code) 712 713 rr = httptest.NewRecorder() 714 form := make(url.Values) 715 form.Set("username", admin.Username) 716 form.Set("password", admin.Password) 717 form.Set(csrfFormToken, createCSRFToken()) 718 req, _ = http.NewRequest(http.MethodPost, webLoginPath, bytes.NewBuffer([]byte(form.Encode()))) 719 req.RemoteAddr = "127.0.0.1:1234" 720 req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 721 server.handleWebAdminLoginPost(rr, req) 722 assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String()) 723 // req with no content type 724 req, _ = http.NewRequest(http.MethodPost, webLoginPath, nil) 725 rr = httptest.NewRecorder() 726 server.handleWebAdminLoginPost(rr, req) 727 assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String()) 728 req, _ = http.NewRequest(http.MethodPost, webAdminSetupPath, nil) 729 rr = httptest.NewRecorder() 730 server.loginAdmin(rr, req, &admin, false, nil) 731 // req with no POST body 732 req, _ = http.NewRequest(http.MethodGet, webLoginPath+"?a=a%C3%AO%GG", nil) 733 req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 734 rr = httptest.NewRecorder() 735 server.handleWebAdminLoginPost(rr, req) 736 assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String()) 737 req, _ = http.NewRequest(http.MethodGet, webLoginPath+"?a=a%C3%A1%G2", nil) 738 req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 739 rr = httptest.NewRecorder() 740 handleWebAdminChangePwdPost(rr, req) 741 assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String()) 742 assert.Contains(t, rr.Body.String(), "invalid URL escape") 743 744 req, _ = http.NewRequest(http.MethodGet, webLoginPath+"?a=a%C3%A2%G3", nil) 745 req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 746 _, err := getAdminFromPostFields(req) 747 assert.Error(t, err) 748 749 req, _ = http.NewRequest(http.MethodPost, webClientLoginPath+"?a=a%C3%AO%GG", bytes.NewBuffer([]byte(form.Encode()))) 750 req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 751 rr = httptest.NewRecorder() 752 server.handleWebClientLoginPost(rr, req) 753 assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String()) 754 755 req, _ = http.NewRequest(http.MethodPost, webChangeClientPwdPath+"?a=a%C3%AO%GA", bytes.NewBuffer([]byte(form.Encode()))) 756 req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 757 rr = httptest.NewRecorder() 758 handleWebClientChangePwdPost(rr, req) 759 assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String()) 760 assert.Contains(t, rr.Body.String(), "invalid URL escape") 761 762 req, _ = http.NewRequest(http.MethodPost, webClientProfilePath+"?a=a%C3%AO%GB", bytes.NewBuffer([]byte(form.Encode()))) 763 req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 764 rr = httptest.NewRecorder() 765 handleWebClientProfilePost(rr, req) 766 assert.Equal(t, http.StatusInternalServerError, rr.Code, rr.Body.String()) 767 768 req, _ = http.NewRequest(http.MethodPost, webAdminProfilePath+"?a=a%C3%AO%GB", bytes.NewBuffer([]byte(form.Encode()))) 769 req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 770 rr = httptest.NewRecorder() 771 handleWebAdminProfilePost(rr, req) 772 assert.Equal(t, http.StatusInternalServerError, rr.Code, rr.Body.String()) 773 774 req, _ = http.NewRequest(http.MethodPost, webAdminTwoFactorPath+"?a=a%C3%AO%GC", bytes.NewBuffer([]byte(form.Encode()))) 775 req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 776 rr = httptest.NewRecorder() 777 server.handleWebAdminTwoFactorPost(rr, req) 778 assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String()) 779 assert.Contains(t, rr.Body.String(), "invalid URL escape") 780 781 req, _ = http.NewRequest(http.MethodPost, webAdminTwoFactorRecoveryPath+"?a=a%C3%AO%GD", bytes.NewBuffer([]byte(form.Encode()))) 782 req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 783 rr = httptest.NewRecorder() 784 server.handleWebAdminTwoFactorRecoveryPost(rr, req) 785 assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String()) 786 assert.Contains(t, rr.Body.String(), "invalid URL escape") 787 788 req, _ = http.NewRequest(http.MethodPost, webClientTwoFactorPath+"?a=a%C3%AO%GC", bytes.NewBuffer([]byte(form.Encode()))) 789 req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 790 rr = httptest.NewRecorder() 791 server.handleWebClientTwoFactorPost(rr, req) 792 assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String()) 793 assert.Contains(t, rr.Body.String(), "invalid URL escape") 794 795 req, _ = http.NewRequest(http.MethodPost, webClientTwoFactorRecoveryPath+"?a=a%C3%AO%GD", bytes.NewBuffer([]byte(form.Encode()))) 796 req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 797 rr = httptest.NewRecorder() 798 server.handleWebClientTwoFactorRecoveryPost(rr, req) 799 assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String()) 800 assert.Contains(t, rr.Body.String(), "invalid URL escape") 801 802 req, _ = http.NewRequest(http.MethodPost, webAdminForgotPwdPath+"?a=a%C3%A1%GD", bytes.NewBuffer([]byte(form.Encode()))) 803 req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 804 rr = httptest.NewRecorder() 805 handleWebAdminForgotPwdPost(rr, req) 806 assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String()) 807 assert.Contains(t, rr.Body.String(), "invalid URL escape") 808 809 req, _ = http.NewRequest(http.MethodPost, webClientForgotPwdPath+"?a=a%C2%A1%GD", bytes.NewBuffer([]byte(form.Encode()))) 810 req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 811 rr = httptest.NewRecorder() 812 handleWebClientForgotPwdPost(rr, req) 813 assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String()) 814 assert.Contains(t, rr.Body.String(), "invalid URL escape") 815 816 req, _ = http.NewRequest(http.MethodPost, webAdminResetPwdPath+"?a=a%C3%AO%JD", bytes.NewBuffer([]byte(form.Encode()))) 817 req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 818 rr = httptest.NewRecorder() 819 server.handleWebAdminPasswordResetPost(rr, req) 820 assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String()) 821 assert.Contains(t, rr.Body.String(), "invalid URL escape") 822 823 req, _ = http.NewRequest(http.MethodPost, webClientResetPwdPath+"?a=a%C3%AO%JD", bytes.NewBuffer([]byte(form.Encode()))) 824 req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 825 rr = httptest.NewRecorder() 826 server.handleWebClientPasswordResetPost(rr, req) 827 assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String()) 828 assert.Contains(t, rr.Body.String(), "invalid URL escape") 829 830 req, _ = http.NewRequest(http.MethodPost, webChangeClientPwdPath+"?a=a%K3%AO%GA", bytes.NewBuffer([]byte(form.Encode()))) 831 832 _, err = getShareFromPostFields(req) 833 if assert.Error(t, err) { 834 assert.Contains(t, err.Error(), "invalid URL escape") 835 } 836 837 username := "webclientuser" 838 user = dataprovider.User{ 839 BaseUser: sdk.BaseUser{ 840 Username: username, 841 Password: "clientpwd", 842 HomeDir: filepath.Join(os.TempDir(), username), 843 Status: 1, 844 Description: "test user", 845 }, 846 } 847 user.Permissions = make(map[string][]string) 848 user.Permissions["/"] = []string{dataprovider.PermAny} 849 user.Filters.AllowAPIKeyAuth = true 850 err = dataprovider.AddUser(&user, "", "") 851 assert.NoError(t, err) 852 853 rr = httptest.NewRecorder() 854 form = make(url.Values) 855 form.Set("username", user.Username) 856 form.Set("password", "clientpwd") 857 form.Set(csrfFormToken, createCSRFToken()) 858 req, _ = http.NewRequest(http.MethodPost, webClientLoginPath, bytes.NewBuffer([]byte(form.Encode()))) 859 req.RemoteAddr = "127.0.0.1:4567" 860 req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 861 server.handleWebClientLoginPost(rr, req) 862 assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String()) 863 864 err = authenticateUserWithAPIKey(username, "", server.tokenAuth, req) 865 assert.Error(t, err) 866 867 err = dataprovider.DeleteUser(username, "", "") 868 assert.NoError(t, err) 869 870 admin.Username += "1" 871 admin.Status = 1 872 admin.Filters.AllowAPIKeyAuth = true 873 admin.Permissions = []string{dataprovider.PermAdminAny} 874 err = dataprovider.AddAdmin(&admin, "", "") 875 assert.NoError(t, err) 876 877 err = authenticateAdminWithAPIKey(admin.Username, "", server.tokenAuth, req) 878 assert.Error(t, err) 879 880 err = dataprovider.DeleteAdmin(admin.Username, "", "") 881 assert.NoError(t, err) 882} 883 884func TestAPIKeyAuthForbidden(t *testing.T) { 885 r := GetHTTPRouter() 886 fn := forbidAPIKeyAuthentication(r) 887 rr := httptest.NewRecorder() 888 req, _ := http.NewRequest(http.MethodGet, versionPath, nil) 889 fn.ServeHTTP(rr, req) 890 assert.Equal(t, http.StatusBadRequest, rr.Code) 891 assert.Contains(t, rr.Body.String(), "Invalid token claims") 892} 893 894func TestJWTTokenValidation(t *testing.T) { 895 tokenAuth := jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil) 896 claims := make(map[string]interface{}) 897 claims["username"] = "admin" 898 claims[jwt.ExpirationKey] = time.Now().UTC().Add(-1 * time.Hour) 899 token, _, err := tokenAuth.Encode(claims) 900 assert.NoError(t, err) 901 902 r := GetHTTPRouter() 903 fn := jwtAuthenticatorAPI(r) 904 rr := httptest.NewRecorder() 905 req, _ := http.NewRequest(http.MethodGet, userPath, nil) 906 ctx := jwtauth.NewContext(req.Context(), token, nil) 907 fn.ServeHTTP(rr, req.WithContext(ctx)) 908 assert.Equal(t, http.StatusUnauthorized, rr.Code) 909 910 fn = jwtAuthenticatorWebAdmin(r) 911 rr = httptest.NewRecorder() 912 req, _ = http.NewRequest(http.MethodGet, webUserPath, nil) 913 ctx = jwtauth.NewContext(req.Context(), token, nil) 914 fn.ServeHTTP(rr, req.WithContext(ctx)) 915 assert.Equal(t, http.StatusFound, rr.Code) 916 assert.Equal(t, webLoginPath, rr.Header().Get("Location")) 917 918 fn = jwtAuthenticatorWebClient(r) 919 rr = httptest.NewRecorder() 920 req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil) 921 ctx = jwtauth.NewContext(req.Context(), token, nil) 922 fn.ServeHTTP(rr, req.WithContext(ctx)) 923 assert.Equal(t, http.StatusFound, rr.Code) 924 assert.Equal(t, webClientLoginPath, rr.Header().Get("Location")) 925 926 errTest := errors.New("test error") 927 permFn := checkPerm(dataprovider.PermAdminAny) 928 fn = permFn(r) 929 rr = httptest.NewRecorder() 930 req, _ = http.NewRequest(http.MethodGet, userPath, nil) 931 ctx = jwtauth.NewContext(req.Context(), token, errTest) 932 fn.ServeHTTP(rr, req.WithContext(ctx)) 933 assert.Equal(t, http.StatusBadRequest, rr.Code) 934 935 permFn = checkPerm(dataprovider.PermAdminAny) 936 fn = permFn(r) 937 rr = httptest.NewRecorder() 938 req, _ = http.NewRequest(http.MethodGet, webUserPath, nil) 939 req.RequestURI = webUserPath 940 ctx = jwtauth.NewContext(req.Context(), token, errTest) 941 fn.ServeHTTP(rr, req.WithContext(ctx)) 942 assert.Equal(t, http.StatusBadRequest, rr.Code) 943 944 permClientFn := checkHTTPUserPerm(sdk.WebClientPubKeyChangeDisabled) 945 fn = permClientFn(r) 946 rr = httptest.NewRecorder() 947 req, _ = http.NewRequest(http.MethodPost, webClientProfilePath, nil) 948 req.RequestURI = webClientProfilePath 949 ctx = jwtauth.NewContext(req.Context(), token, errTest) 950 fn.ServeHTTP(rr, req.WithContext(ctx)) 951 assert.Equal(t, http.StatusBadRequest, rr.Code) 952 953 rr = httptest.NewRecorder() 954 req, _ = http.NewRequest(http.MethodPost, userPublicKeysPath, nil) 955 req.RequestURI = userPublicKeysPath 956 ctx = jwtauth.NewContext(req.Context(), token, errTest) 957 fn.ServeHTTP(rr, req.WithContext(ctx)) 958 assert.Equal(t, http.StatusBadRequest, rr.Code) 959} 960 961func TestUpdateContextFromCookie(t *testing.T) { 962 server := httpdServer{ 963 tokenAuth: jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil), 964 } 965 req, _ := http.NewRequest(http.MethodGet, tokenPath, nil) 966 claims := make(map[string]interface{}) 967 claims["a"] = "b" 968 token, _, err := server.tokenAuth.Encode(claims) 969 assert.NoError(t, err) 970 971 ctx := jwtauth.NewContext(req.Context(), token, nil) 972 server.updateContextFromCookie(req.WithContext(ctx)) 973} 974 975func TestCookieExpiration(t *testing.T) { 976 server := httpdServer{ 977 tokenAuth: jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil), 978 } 979 err := errors.New("test error") 980 rr := httptest.NewRecorder() 981 req, _ := http.NewRequest(http.MethodGet, tokenPath, nil) 982 ctx := jwtauth.NewContext(req.Context(), nil, err) 983 server.checkCookieExpiration(rr, req.WithContext(ctx)) 984 cookie := rr.Header().Get("Set-Cookie") 985 assert.Empty(t, cookie) 986 987 req, _ = http.NewRequest(http.MethodGet, tokenPath, nil) 988 claims := make(map[string]interface{}) 989 claims["a"] = "b" 990 token, _, err := server.tokenAuth.Encode(claims) 991 assert.NoError(t, err) 992 ctx = jwtauth.NewContext(req.Context(), token, nil) 993 server.checkCookieExpiration(rr, req.WithContext(ctx)) 994 cookie = rr.Header().Get("Set-Cookie") 995 assert.Empty(t, cookie) 996 997 admin := dataprovider.Admin{ 998 Username: "newtestadmin", 999 Password: "password", 1000 Permissions: []string{dataprovider.PermAdminAny}, 1001 } 1002 claims = make(map[string]interface{}) 1003 claims[claimUsernameKey] = admin.Username 1004 claims[claimPermissionsKey] = admin.Permissions 1005 claims[jwt.SubjectKey] = admin.GetSignature() 1006 claims[jwt.ExpirationKey] = time.Now().Add(1 * time.Minute) 1007 claims[jwt.AudienceKey] = tokenAudienceAPI 1008 token, _, err = server.tokenAuth.Encode(claims) 1009 assert.NoError(t, err) 1010 req, _ = http.NewRequest(http.MethodGet, tokenPath, nil) 1011 ctx = jwtauth.NewContext(req.Context(), token, nil) 1012 server.checkCookieExpiration(rr, req.WithContext(ctx)) 1013 cookie = rr.Header().Get("Set-Cookie") 1014 assert.Empty(t, cookie) 1015 1016 admin.Status = 0 1017 err = dataprovider.AddAdmin(&admin, "", "") 1018 assert.NoError(t, err) 1019 req, _ = http.NewRequest(http.MethodGet, tokenPath, nil) 1020 ctx = jwtauth.NewContext(req.Context(), token, nil) 1021 server.checkCookieExpiration(rr, req.WithContext(ctx)) 1022 cookie = rr.Header().Get("Set-Cookie") 1023 assert.Empty(t, cookie) 1024 1025 admin.Status = 1 1026 admin.Filters.AllowList = []string{"172.16.1.0/24"} 1027 err = dataprovider.UpdateAdmin(&admin, "", "") 1028 assert.NoError(t, err) 1029 req, _ = http.NewRequest(http.MethodGet, tokenPath, nil) 1030 ctx = jwtauth.NewContext(req.Context(), token, nil) 1031 server.checkCookieExpiration(rr, req.WithContext(ctx)) 1032 cookie = rr.Header().Get("Set-Cookie") 1033 assert.Empty(t, cookie) 1034 1035 admin, err = dataprovider.AdminExists(admin.Username) 1036 assert.NoError(t, err) 1037 claims = make(map[string]interface{}) 1038 claims[claimUsernameKey] = admin.Username 1039 claims[claimPermissionsKey] = admin.Permissions 1040 claims[jwt.SubjectKey] = admin.GetSignature() 1041 claims[jwt.ExpirationKey] = time.Now().Add(1 * time.Minute) 1042 claims[jwt.AudienceKey] = tokenAudienceAPI 1043 token, _, err = server.tokenAuth.Encode(claims) 1044 assert.NoError(t, err) 1045 req, _ = http.NewRequest(http.MethodGet, tokenPath, nil) 1046 req.RemoteAddr = "192.168.8.1:1234" 1047 ctx = jwtauth.NewContext(req.Context(), token, nil) 1048 server.checkCookieExpiration(rr, req.WithContext(ctx)) 1049 cookie = rr.Header().Get("Set-Cookie") 1050 assert.Empty(t, cookie) 1051 1052 req, _ = http.NewRequest(http.MethodGet, tokenPath, nil) 1053 req.RemoteAddr = "172.16.1.12:4567" 1054 ctx = jwtauth.NewContext(req.Context(), token, nil) 1055 server.checkCookieExpiration(rr, req.WithContext(ctx)) 1056 cookie = rr.Header().Get("Set-Cookie") 1057 assert.True(t, strings.HasPrefix(cookie, "jwt=")) 1058 1059 err = dataprovider.DeleteAdmin(admin.Username, "", "") 1060 assert.NoError(t, err) 1061 // now check client cookie expiration 1062 username := "client" 1063 user := dataprovider.User{ 1064 BaseUser: sdk.BaseUser{ 1065 Username: username, 1066 Password: "clientpwd", 1067 HomeDir: filepath.Join(os.TempDir(), username), 1068 Status: 1, 1069 Description: "test user", 1070 }, 1071 } 1072 user.Permissions = make(map[string][]string) 1073 user.Permissions["/"] = []string{"*"} 1074 1075 claims = make(map[string]interface{}) 1076 claims[claimUsernameKey] = user.Username 1077 claims[claimPermissionsKey] = user.Filters.WebClient 1078 claims[jwt.SubjectKey] = user.GetSignature() 1079 claims[jwt.ExpirationKey] = time.Now().Add(1 * time.Minute) 1080 claims[jwt.AudienceKey] = tokenAudienceWebClient 1081 token, _, err = server.tokenAuth.Encode(claims) 1082 assert.NoError(t, err) 1083 1084 rr = httptest.NewRecorder() 1085 req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil) 1086 ctx = jwtauth.NewContext(req.Context(), token, nil) 1087 server.checkCookieExpiration(rr, req.WithContext(ctx)) 1088 cookie = rr.Header().Get("Set-Cookie") 1089 assert.Empty(t, cookie) 1090 // the password will be hashed and so the signature will change 1091 err = dataprovider.AddUser(&user, "", "") 1092 assert.NoError(t, err) 1093 req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil) 1094 ctx = jwtauth.NewContext(req.Context(), token, nil) 1095 server.checkCookieExpiration(rr, req.WithContext(ctx)) 1096 cookie = rr.Header().Get("Set-Cookie") 1097 assert.Empty(t, cookie) 1098 1099 user, err = dataprovider.UserExists(user.Username) 1100 assert.NoError(t, err) 1101 user.Filters.AllowedIP = []string{"172.16.4.0/24"} 1102 err = dataprovider.UpdateUser(&user, "", "") 1103 assert.NoError(t, err) 1104 1105 user, err = dataprovider.UserExists(user.Username) 1106 assert.NoError(t, err) 1107 claims = make(map[string]interface{}) 1108 claims[claimUsernameKey] = user.Username 1109 claims[claimPermissionsKey] = user.Filters.WebClient 1110 claims[jwt.SubjectKey] = user.GetSignature() 1111 claims[jwt.ExpirationKey] = time.Now().Add(1 * time.Minute) 1112 claims[jwt.AudienceKey] = tokenAudienceWebClient 1113 token, _, err = server.tokenAuth.Encode(claims) 1114 assert.NoError(t, err) 1115 1116 req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil) 1117 req.RemoteAddr = "172.16.3.12:4567" 1118 ctx = jwtauth.NewContext(req.Context(), token, nil) 1119 server.checkCookieExpiration(rr, req.WithContext(ctx)) 1120 cookie = rr.Header().Get("Set-Cookie") 1121 assert.Empty(t, cookie) 1122 1123 req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil) 1124 req.RemoteAddr = "172.16.4.16:4567" 1125 ctx = jwtauth.NewContext(req.Context(), token, nil) 1126 server.checkCookieExpiration(rr, req.WithContext(ctx)) 1127 cookie = rr.Header().Get("Set-Cookie") 1128 assert.NotEmpty(t, cookie) 1129 1130 err = dataprovider.DeleteUser(user.Username, "", "") 1131 assert.NoError(t, err) 1132} 1133 1134func TestGetURLParam(t *testing.T) { 1135 req, _ := http.NewRequest(http.MethodGet, adminPwdPath, nil) 1136 rctx := chi.NewRouteContext() 1137 rctx.URLParams.Add("val", "testuser%C3%A0") 1138 rctx.URLParams.Add("inval", "testuser%C3%AO%GG") 1139 req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx)) 1140 escaped := getURLParam(req, "val") 1141 assert.Equal(t, "testuserà", escaped) 1142 escaped = getURLParam(req, "inval") 1143 assert.Equal(t, "testuser%C3%AO%GG", escaped) 1144} 1145 1146func TestChangePwdValidationErrors(t *testing.T) { 1147 err := doChangeAdminPassword(nil, "", "", "") 1148 require.Error(t, err) 1149 err = doChangeAdminPassword(nil, "a", "b", "c") 1150 require.Error(t, err) 1151 err = doChangeAdminPassword(nil, "a", "a", "a") 1152 require.Error(t, err) 1153 1154 req, _ := http.NewRequest(http.MethodPut, adminPwdPath, nil) 1155 err = doChangeAdminPassword(req, "currentpwd", "newpwd", "newpwd") 1156 assert.Error(t, err) 1157} 1158 1159func TestRenderUnexistingFolder(t *testing.T) { 1160 rr := httptest.NewRecorder() 1161 req, _ := http.NewRequest(http.MethodPost, folderPath, nil) 1162 renderFolder(rr, req, "path not mapped", http.StatusOK) 1163 assert.Equal(t, http.StatusNotFound, rr.Code) 1164} 1165 1166func TestCloseConnectionHandler(t *testing.T) { 1167 req, _ := http.NewRequest(http.MethodDelete, activeConnectionsPath+"/connectionID", nil) 1168 rctx := chi.NewRouteContext() 1169 rctx.URLParams.Add("connectionID", "") 1170 req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx)) 1171 rr := httptest.NewRecorder() 1172 handleCloseConnection(rr, req) 1173 assert.Equal(t, http.StatusBadRequest, rr.Code) 1174} 1175 1176func TestRenderInvalidTemplate(t *testing.T) { 1177 tmpl, err := template.New("test").Parse("{{.Count}}") 1178 if assert.NoError(t, err) { 1179 noMatchTmpl := "no_match" 1180 adminTemplates[noMatchTmpl] = tmpl 1181 rw := httptest.NewRecorder() 1182 renderAdminTemplate(rw, noMatchTmpl, map[string]string{}) 1183 assert.Equal(t, http.StatusInternalServerError, rw.Code) 1184 clientTemplates[noMatchTmpl] = tmpl 1185 renderClientTemplate(rw, noMatchTmpl, map[string]string{}) 1186 assert.Equal(t, http.StatusInternalServerError, rw.Code) 1187 } 1188} 1189 1190func TestQuotaScanInvalidFs(t *testing.T) { 1191 user := dataprovider.User{ 1192 BaseUser: sdk.BaseUser{ 1193 Username: "test", 1194 HomeDir: os.TempDir(), 1195 }, 1196 FsConfig: vfs.Filesystem{ 1197 Provider: sdk.S3FilesystemProvider, 1198 }, 1199 } 1200 common.QuotaScans.AddUserQuotaScan(user.Username) 1201 err := doUserQuotaScan(user) 1202 assert.Error(t, err) 1203} 1204 1205func TestVerifyTLSConnection(t *testing.T) { 1206 oldCertMgr := certMgr 1207 1208 caCrlPath := filepath.Join(os.TempDir(), "testcrl.crt") 1209 certPath := filepath.Join(os.TempDir(), "testh.crt") 1210 keyPath := filepath.Join(os.TempDir(), "testh.key") 1211 err := os.WriteFile(caCrlPath, []byte(caCRL), os.ModePerm) 1212 assert.NoError(t, err) 1213 err = os.WriteFile(certPath, []byte(httpdCert), os.ModePerm) 1214 assert.NoError(t, err) 1215 err = os.WriteFile(keyPath, []byte(httpdKey), os.ModePerm) 1216 assert.NoError(t, err) 1217 1218 certMgr, err = common.NewCertManager(certPath, keyPath, "", "webdav_test") 1219 assert.NoError(t, err) 1220 1221 certMgr.SetCARevocationLists([]string{caCrlPath}) 1222 err = certMgr.LoadCRLs() 1223 assert.NoError(t, err) 1224 1225 crt, err := tls.X509KeyPair([]byte(client1Crt), []byte(client1Key)) 1226 assert.NoError(t, err) 1227 x509crt, err := x509.ParseCertificate(crt.Certificate[0]) 1228 assert.NoError(t, err) 1229 1230 server := httpdServer{} 1231 state := tls.ConnectionState{ 1232 PeerCertificates: []*x509.Certificate{x509crt}, 1233 } 1234 1235 err = server.verifyTLSConnection(state) 1236 assert.Error(t, err) // no verified certification chain 1237 1238 crt, err = tls.X509KeyPair([]byte(caCRT), []byte(caKey)) 1239 assert.NoError(t, err) 1240 1241 x509CAcrt, err := x509.ParseCertificate(crt.Certificate[0]) 1242 assert.NoError(t, err) 1243 1244 state.VerifiedChains = append(state.VerifiedChains, []*x509.Certificate{x509crt, x509CAcrt}) 1245 err = server.verifyTLSConnection(state) 1246 assert.NoError(t, err) 1247 1248 crt, err = tls.X509KeyPair([]byte(client2Crt), []byte(client2Key)) 1249 assert.NoError(t, err) 1250 x509crtRevoked, err := x509.ParseCertificate(crt.Certificate[0]) 1251 assert.NoError(t, err) 1252 1253 state.VerifiedChains = append(state.VerifiedChains, []*x509.Certificate{x509crtRevoked, x509CAcrt}) 1254 state.PeerCertificates = []*x509.Certificate{x509crtRevoked} 1255 err = server.verifyTLSConnection(state) 1256 assert.EqualError(t, err, common.ErrCrtRevoked.Error()) 1257 1258 err = os.Remove(caCrlPath) 1259 assert.NoError(t, err) 1260 err = os.Remove(certPath) 1261 assert.NoError(t, err) 1262 err = os.Remove(keyPath) 1263 assert.NoError(t, err) 1264 1265 certMgr = oldCertMgr 1266} 1267 1268func TestGetFolderFromTemplate(t *testing.T) { 1269 folder := vfs.BaseVirtualFolder{ 1270 MappedPath: "Folder%name%", 1271 Description: "Folder %name% desc", 1272 } 1273 folderName := "folderTemplate" 1274 folderTemplate := getFolderFromTemplate(folder, folderName) 1275 require.Equal(t, folderName, folderTemplate.Name) 1276 require.Equal(t, fmt.Sprintf("Folder%v", folderName), folderTemplate.MappedPath) 1277 require.Equal(t, fmt.Sprintf("Folder %v desc", folderName), folderTemplate.Description) 1278 1279 folder.FsConfig.Provider = sdk.CryptedFilesystemProvider 1280 folder.FsConfig.CryptConfig.Passphrase = kms.NewPlainSecret("%name%") 1281 folderTemplate = getFolderFromTemplate(folder, folderName) 1282 require.Equal(t, folderName, folderTemplate.FsConfig.CryptConfig.Passphrase.GetPayload()) 1283 1284 folder.FsConfig.Provider = sdk.GCSFilesystemProvider 1285 folder.FsConfig.GCSConfig.KeyPrefix = "prefix%name%/" 1286 folderTemplate = getFolderFromTemplate(folder, folderName) 1287 require.Equal(t, fmt.Sprintf("prefix%v/", folderName), folderTemplate.FsConfig.GCSConfig.KeyPrefix) 1288 1289 folder.FsConfig.Provider = sdk.AzureBlobFilesystemProvider 1290 folder.FsConfig.AzBlobConfig.KeyPrefix = "a%name%" 1291 folder.FsConfig.AzBlobConfig.AccountKey = kms.NewPlainSecret("pwd%name%") 1292 folderTemplate = getFolderFromTemplate(folder, folderName) 1293 require.Equal(t, "a"+folderName, folderTemplate.FsConfig.AzBlobConfig.KeyPrefix) 1294 require.Equal(t, "pwd"+folderName, folderTemplate.FsConfig.AzBlobConfig.AccountKey.GetPayload()) 1295 1296 folder.FsConfig.Provider = sdk.SFTPFilesystemProvider 1297 folder.FsConfig.SFTPConfig.Prefix = "%name%" 1298 folder.FsConfig.SFTPConfig.Username = "sftp_%name%" 1299 folder.FsConfig.SFTPConfig.Password = kms.NewPlainSecret("sftp%name%") 1300 folderTemplate = getFolderFromTemplate(folder, folderName) 1301 require.Equal(t, folderName, folderTemplate.FsConfig.SFTPConfig.Prefix) 1302 require.Equal(t, "sftp_"+folderName, folderTemplate.FsConfig.SFTPConfig.Username) 1303 require.Equal(t, "sftp"+folderName, folderTemplate.FsConfig.SFTPConfig.Password.GetPayload()) 1304} 1305 1306func TestGetUserFromTemplate(t *testing.T) { 1307 user := dataprovider.User{ 1308 BaseUser: sdk.BaseUser{ 1309 Status: 1, 1310 }, 1311 } 1312 user.VirtualFolders = append(user.VirtualFolders, vfs.VirtualFolder{ 1313 BaseVirtualFolder: vfs.BaseVirtualFolder{ 1314 Name: "Folder%username%", 1315 }, 1316 }) 1317 1318 username := "userTemplate" 1319 password := "pwdTemplate" 1320 templateFields := userTemplateFields{ 1321 Username: username, 1322 Password: password, 1323 } 1324 1325 userTemplate := getUserFromTemplate(user, templateFields) 1326 require.Len(t, userTemplate.VirtualFolders, 1) 1327 require.Equal(t, "Folder"+username, userTemplate.VirtualFolders[0].Name) 1328 1329 user.FsConfig.Provider = sdk.CryptedFilesystemProvider 1330 user.FsConfig.CryptConfig.Passphrase = kms.NewPlainSecret("%password%") 1331 userTemplate = getUserFromTemplate(user, templateFields) 1332 require.Equal(t, password, userTemplate.FsConfig.CryptConfig.Passphrase.GetPayload()) 1333 1334 user.FsConfig.Provider = sdk.GCSFilesystemProvider 1335 user.FsConfig.GCSConfig.KeyPrefix = "%username%%password%" 1336 userTemplate = getUserFromTemplate(user, templateFields) 1337 require.Equal(t, username+password, userTemplate.FsConfig.GCSConfig.KeyPrefix) 1338 1339 user.FsConfig.Provider = sdk.AzureBlobFilesystemProvider 1340 user.FsConfig.AzBlobConfig.KeyPrefix = "a%username%" 1341 user.FsConfig.AzBlobConfig.AccountKey = kms.NewPlainSecret("pwd%password%%username%") 1342 userTemplate = getUserFromTemplate(user, templateFields) 1343 require.Equal(t, "a"+username, userTemplate.FsConfig.AzBlobConfig.KeyPrefix) 1344 require.Equal(t, "pwd"+password+username, userTemplate.FsConfig.AzBlobConfig.AccountKey.GetPayload()) 1345 1346 user.FsConfig.Provider = sdk.SFTPFilesystemProvider 1347 user.FsConfig.SFTPConfig.Prefix = "%username%" 1348 user.FsConfig.SFTPConfig.Username = "sftp_%username%" 1349 user.FsConfig.SFTPConfig.Password = kms.NewPlainSecret("sftp%password%") 1350 userTemplate = getUserFromTemplate(user, templateFields) 1351 require.Equal(t, username, userTemplate.FsConfig.SFTPConfig.Prefix) 1352 require.Equal(t, "sftp_"+username, userTemplate.FsConfig.SFTPConfig.Username) 1353 require.Equal(t, "sftp"+password, userTemplate.FsConfig.SFTPConfig.Password.GetPayload()) 1354} 1355 1356func TestJWTTokenCleanup(t *testing.T) { 1357 server := httpdServer{ 1358 tokenAuth: jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil), 1359 } 1360 admin := dataprovider.Admin{ 1361 Username: "newtestadmin", 1362 Password: "password", 1363 Permissions: []string{dataprovider.PermAdminAny}, 1364 } 1365 claims := make(map[string]interface{}) 1366 claims[claimUsernameKey] = admin.Username 1367 claims[claimPermissionsKey] = admin.Permissions 1368 claims[jwt.SubjectKey] = admin.GetSignature() 1369 claims[jwt.ExpirationKey] = time.Now().Add(1 * time.Minute) 1370 _, token, err := server.tokenAuth.Encode(claims) 1371 assert.NoError(t, err) 1372 1373 req, _ := http.NewRequest(http.MethodGet, versionPath, nil) 1374 assert.True(t, isTokenInvalidated(req)) 1375 1376 req.Header.Set("Authorization", fmt.Sprintf("Bearer %v", token)) 1377 1378 invalidatedJWTTokens.Store(token, time.Now().Add(-tokenDuration).UTC()) 1379 require.True(t, isTokenInvalidated(req)) 1380 startCleanupTicker(100 * time.Millisecond) 1381 assert.Eventually(t, func() bool { return !isTokenInvalidated(req) }, 1*time.Second, 200*time.Millisecond) 1382 stopCleanupTicker() 1383} 1384 1385func TestProxyHeaders(t *testing.T) { 1386 username := "adminTest" 1387 password := "testPwd" 1388 admin := dataprovider.Admin{ 1389 Username: username, 1390 Password: password, 1391 Permissions: []string{dataprovider.PermAdminAny}, 1392 Status: 1, 1393 Filters: dataprovider.AdminFilters{ 1394 AllowList: []string{"172.19.2.0/24"}, 1395 }, 1396 } 1397 1398 err := dataprovider.AddAdmin(&admin, "", "") 1399 assert.NoError(t, err) 1400 1401 testIP := "10.29.1.9" 1402 validForwardedFor := "172.19.2.6" 1403 b := Binding{ 1404 Address: "", 1405 Port: 8080, 1406 EnableWebAdmin: true, 1407 EnableWebClient: false, 1408 ProxyAllowed: []string{testIP, "10.8.0.0/30"}, 1409 } 1410 err = b.parseAllowedProxy() 1411 assert.NoError(t, err) 1412 server := newHttpdServer(b, "", "", CorsConfig{Enabled: true}, "") 1413 server.initializeRouter() 1414 testServer := httptest.NewServer(server.router) 1415 defer testServer.Close() 1416 1417 req, err := http.NewRequest(http.MethodGet, tokenPath, nil) 1418 assert.NoError(t, err) 1419 req.Header.Set("X-Forwarded-For", validForwardedFor) 1420 req.Header.Set(xForwardedProto, "https") 1421 req.RemoteAddr = "127.0.0.1:123" 1422 req.SetBasicAuth(username, password) 1423 rr := httptest.NewRecorder() 1424 testServer.Config.Handler.ServeHTTP(rr, req) 1425 assert.Equal(t, http.StatusUnauthorized, rr.Code) 1426 assert.Contains(t, rr.Body.String(), "login from IP 127.0.0.1 not allowed") 1427 1428 req.RemoteAddr = testIP 1429 rr = httptest.NewRecorder() 1430 testServer.Config.Handler.ServeHTTP(rr, req) 1431 assert.Equal(t, http.StatusOK, rr.Code) 1432 1433 req.RemoteAddr = "10.8.0.2" 1434 rr = httptest.NewRecorder() 1435 testServer.Config.Handler.ServeHTTP(rr, req) 1436 assert.Equal(t, http.StatusOK, rr.Code) 1437 1438 form := make(url.Values) 1439 form.Set("username", username) 1440 form.Set("password", password) 1441 form.Set(csrfFormToken, createCSRFToken()) 1442 req, err = http.NewRequest(http.MethodPost, webLoginPath, bytes.NewBuffer([]byte(form.Encode()))) 1443 assert.NoError(t, err) 1444 req.RemoteAddr = testIP 1445 req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 1446 rr = httptest.NewRecorder() 1447 testServer.Config.Handler.ServeHTTP(rr, req) 1448 assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String()) 1449 assert.Contains(t, rr.Body.String(), "login from IP 10.29.1.9 not allowed") 1450 1451 req, err = http.NewRequest(http.MethodPost, webLoginPath, bytes.NewBuffer([]byte(form.Encode()))) 1452 assert.NoError(t, err) 1453 req.RemoteAddr = testIP 1454 req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 1455 req.Header.Set("X-Forwarded-For", validForwardedFor) 1456 rr = httptest.NewRecorder() 1457 testServer.Config.Handler.ServeHTTP(rr, req) 1458 assert.Equal(t, http.StatusFound, rr.Code, rr.Body.String()) 1459 cookie := rr.Header().Get("Set-Cookie") 1460 assert.NotContains(t, cookie, "Secure") 1461 1462 req, err = http.NewRequest(http.MethodPost, webLoginPath, bytes.NewBuffer([]byte(form.Encode()))) 1463 assert.NoError(t, err) 1464 req.RemoteAddr = testIP 1465 req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 1466 req.Header.Set("X-Forwarded-For", validForwardedFor) 1467 req.Header.Set(xForwardedProto, "https") 1468 rr = httptest.NewRecorder() 1469 testServer.Config.Handler.ServeHTTP(rr, req) 1470 assert.Equal(t, http.StatusFound, rr.Code, rr.Body.String()) 1471 cookie = rr.Header().Get("Set-Cookie") 1472 assert.Contains(t, cookie, "Secure") 1473 1474 req, err = http.NewRequest(http.MethodPost, webLoginPath, bytes.NewBuffer([]byte(form.Encode()))) 1475 assert.NoError(t, err) 1476 req.RemoteAddr = testIP 1477 req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 1478 req.Header.Set("X-Forwarded-For", validForwardedFor) 1479 req.Header.Set(xForwardedProto, "http") 1480 rr = httptest.NewRecorder() 1481 testServer.Config.Handler.ServeHTTP(rr, req) 1482 assert.Equal(t, http.StatusFound, rr.Code, rr.Body.String()) 1483 cookie = rr.Header().Get("Set-Cookie") 1484 assert.NotContains(t, cookie, "Secure") 1485 1486 err = dataprovider.DeleteAdmin(username, "", "") 1487 assert.NoError(t, err) 1488} 1489 1490func TestRecoverer(t *testing.T) { 1491 recoveryPath := "/recovery" 1492 b := Binding{ 1493 Address: "", 1494 Port: 8080, 1495 EnableWebAdmin: true, 1496 EnableWebClient: false, 1497 } 1498 server := newHttpdServer(b, "../static", "", CorsConfig{}, "../openapi") 1499 server.initializeRouter() 1500 server.router.Get(recoveryPath, func(w http.ResponseWriter, r *http.Request) { 1501 panic("panic") 1502 }) 1503 testServer := httptest.NewServer(server.router) 1504 defer testServer.Close() 1505 1506 req, err := http.NewRequest(http.MethodGet, recoveryPath, nil) 1507 assert.NoError(t, err) 1508 rr := httptest.NewRecorder() 1509 testServer.Config.Handler.ServeHTTP(rr, req) 1510 assert.Equal(t, http.StatusInternalServerError, rr.Code, rr.Body.String()) 1511 1512 server.router = chi.NewRouter() 1513 server.router.Use(recoverer) 1514 server.router.Get(recoveryPath, func(w http.ResponseWriter, r *http.Request) { 1515 panic("panic") 1516 }) 1517 testServer = httptest.NewServer(server.router) 1518 defer testServer.Close() 1519 1520 req, err = http.NewRequest(http.MethodGet, recoveryPath, nil) 1521 assert.NoError(t, err) 1522 rr = httptest.NewRecorder() 1523 testServer.Config.Handler.ServeHTTP(rr, req) 1524 assert.Equal(t, http.StatusInternalServerError, rr.Code, rr.Body.String()) 1525} 1526 1527func TestCompressorAbortHandler(t *testing.T) { 1528 defer func() { 1529 rcv := recover() 1530 assert.Equal(t, http.ErrAbortHandler, rcv) 1531 }() 1532 1533 connection := &Connection{ 1534 BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, "", "", dataprovider.User{}), 1535 request: nil, 1536 } 1537 share := &dataprovider.Share{} 1538 renderCompressedFiles(&failingWriter{}, connection, "", nil, share) 1539} 1540 1541func TestZipErrors(t *testing.T) { 1542 user := dataprovider.User{ 1543 BaseUser: sdk.BaseUser{ 1544 HomeDir: filepath.Clean(os.TempDir()), 1545 }, 1546 } 1547 user.Permissions = make(map[string][]string) 1548 user.Permissions["/"] = []string{dataprovider.PermAny} 1549 connection := &Connection{ 1550 BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, "", "", user), 1551 request: nil, 1552 } 1553 1554 testDir := filepath.Join(os.TempDir(), "testDir") 1555 err := os.MkdirAll(testDir, os.ModePerm) 1556 assert.NoError(t, err) 1557 1558 wr := zip.NewWriter(&failingWriter{}) 1559 err = wr.Close() 1560 if assert.Error(t, err) { 1561 assert.Contains(t, err.Error(), "write error") 1562 } 1563 1564 err = addZipEntry(wr, connection, "/"+filepath.Base(testDir), "/") 1565 if assert.Error(t, err) { 1566 assert.Contains(t, err.Error(), "write error") 1567 } 1568 1569 testFilePath := filepath.Join(testDir, "ziptest.zip") 1570 err = os.WriteFile(testFilePath, util.GenerateRandomBytes(65535), os.ModePerm) 1571 assert.NoError(t, err) 1572 err = addZipEntry(wr, connection, path.Join("/", filepath.Base(testDir), filepath.Base(testFilePath)), 1573 "/"+filepath.Base(testDir)) 1574 if assert.Error(t, err) { 1575 assert.Contains(t, err.Error(), "write error") 1576 } 1577 1578 connection.User.Permissions["/"] = []string{dataprovider.PermListItems} 1579 err = addZipEntry(wr, connection, path.Join("/", filepath.Base(testDir), filepath.Base(testFilePath)), 1580 "/"+filepath.Base(testDir)) 1581 assert.ErrorIs(t, err, os.ErrPermission) 1582 1583 // creating a virtual folder to a missing path stat is ok but readdir fails 1584 user.VirtualFolders = append(user.VirtualFolders, vfs.VirtualFolder{ 1585 BaseVirtualFolder: vfs.BaseVirtualFolder{ 1586 MappedPath: filepath.Join(os.TempDir(), "mapped"), 1587 }, 1588 VirtualPath: "/vpath", 1589 }) 1590 connection.User = user 1591 wr = zip.NewWriter(bytes.NewBuffer(make([]byte, 0))) 1592 err = addZipEntry(wr, connection, user.VirtualFolders[0].VirtualPath, "/") 1593 assert.Error(t, err) 1594 1595 user.Filters.FilePatterns = append(user.Filters.FilePatterns, sdk.PatternsFilter{ 1596 Path: "/", 1597 DeniedPatterns: []string{"*.zip"}, 1598 }) 1599 err = addZipEntry(wr, connection, "/"+filepath.Base(testDir), "/") 1600 assert.ErrorIs(t, err, os.ErrPermission) 1601 1602 err = os.RemoveAll(testDir) 1603 assert.NoError(t, err) 1604} 1605 1606func TestWebAdminRedirect(t *testing.T) { 1607 b := Binding{ 1608 Address: "", 1609 Port: 8080, 1610 EnableWebAdmin: true, 1611 EnableWebClient: false, 1612 } 1613 server := newHttpdServer(b, "../static", "", CorsConfig{}, "../openapi") 1614 server.initializeRouter() 1615 testServer := httptest.NewServer(server.router) 1616 defer testServer.Close() 1617 1618 req, err := http.NewRequest(http.MethodGet, webRootPath, nil) 1619 assert.NoError(t, err) 1620 rr := httptest.NewRecorder() 1621 testServer.Config.Handler.ServeHTTP(rr, req) 1622 assert.Equal(t, http.StatusMovedPermanently, rr.Code, rr.Body.String()) 1623 assert.Equal(t, webLoginPath, rr.Header().Get("Location")) 1624 1625 req, err = http.NewRequest(http.MethodGet, webBasePath, nil) 1626 assert.NoError(t, err) 1627 rr = httptest.NewRecorder() 1628 testServer.Config.Handler.ServeHTTP(rr, req) 1629 assert.Equal(t, http.StatusMovedPermanently, rr.Code, rr.Body.String()) 1630 assert.Equal(t, webLoginPath, rr.Header().Get("Location")) 1631} 1632 1633func TestParseRangeRequests(t *testing.T) { 1634 // curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=24-24" 1635 fileSize := int64(169740) 1636 rangeHeader := "bytes=24-24" 1637 offset, size, err := parseRangeRequest(rangeHeader[6:], fileSize) 1638 require.NoError(t, err) 1639 resp := fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize) 1640 assert.Equal(t, "bytes 24-24/169740", resp) 1641 require.Equal(t, int64(1), size) 1642 // curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=24-" 1643 rangeHeader = "bytes=24-" 1644 offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize) 1645 require.NoError(t, err) 1646 resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize) 1647 assert.Equal(t, "bytes 24-169739/169740", resp) 1648 require.Equal(t, int64(169716), size) 1649 // curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=-1" 1650 rangeHeader = "bytes=-1" 1651 offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize) 1652 require.NoError(t, err) 1653 resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize) 1654 assert.Equal(t, "bytes 169739-169739/169740", resp) 1655 require.Equal(t, int64(1), size) 1656 // curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=-100" 1657 rangeHeader = "bytes=-100" 1658 offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize) 1659 require.NoError(t, err) 1660 resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize) 1661 assert.Equal(t, "bytes 169640-169739/169740", resp) 1662 require.Equal(t, int64(100), size) 1663 // curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=20-30" 1664 rangeHeader = "bytes=20-30" 1665 offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize) 1666 require.NoError(t, err) 1667 resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize) 1668 assert.Equal(t, "bytes 20-30/169740", resp) 1669 require.Equal(t, int64(11), size) 1670 // curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=20-169739" 1671 rangeHeader = "bytes=20-169739" 1672 offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize) 1673 require.NoError(t, err) 1674 resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize) 1675 assert.Equal(t, "bytes 20-169739/169740", resp) 1676 require.Equal(t, int64(169720), size) 1677 // curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=20-169740" 1678 rangeHeader = "bytes=20-169740" 1679 offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize) 1680 require.NoError(t, err) 1681 resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize) 1682 assert.Equal(t, "bytes 20-169739/169740", resp) 1683 require.Equal(t, int64(169720), size) 1684 // curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=20-169741" 1685 rangeHeader = "bytes=20-169741" 1686 offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize) 1687 require.NoError(t, err) 1688 resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize) 1689 assert.Equal(t, "bytes 20-169739/169740", resp) 1690 require.Equal(t, int64(169720), size) 1691 //curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=0-" > /dev/null 1692 rangeHeader = "bytes=0-" 1693 offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize) 1694 require.NoError(t, err) 1695 resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize) 1696 assert.Equal(t, "bytes 0-169739/169740", resp) 1697 require.Equal(t, int64(169740), size) 1698 // now test errors 1699 rangeHeader = "bytes=0-a" 1700 _, _, err = parseRangeRequest(rangeHeader[6:], fileSize) 1701 require.Error(t, err) 1702 rangeHeader = "bytes=" 1703 _, _, err = parseRangeRequest(rangeHeader[6:], fileSize) 1704 require.Error(t, err) 1705 rangeHeader = "bytes=-" 1706 _, _, err = parseRangeRequest(rangeHeader[6:], fileSize) 1707 require.Error(t, err) 1708 rangeHeader = "bytes=500-300" 1709 _, _, err = parseRangeRequest(rangeHeader[6:], fileSize) 1710 require.Error(t, err) 1711 rangeHeader = "bytes=5000000" 1712 _, _, err = parseRangeRequest(rangeHeader[6:], fileSize) 1713 require.Error(t, err) 1714} 1715 1716func TestRequestHeaderErrors(t *testing.T) { 1717 req, _ := http.NewRequest(http.MethodGet, webClientFilesPath, nil) 1718 req.Header.Set("If-Unmodified-Since", "not a date") 1719 res := checkIfUnmodifiedSince(req, time.Now()) 1720 assert.Equal(t, condNone, res) 1721 1722 req, _ = http.NewRequest(http.MethodPost, webClientFilesPath, nil) 1723 res = checkIfModifiedSince(req, time.Now()) 1724 assert.Equal(t, condNone, res) 1725 1726 req, _ = http.NewRequest(http.MethodPost, webClientFilesPath, nil) 1727 res = checkIfRange(req, time.Now()) 1728 assert.Equal(t, condNone, res) 1729 1730 req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil) 1731 req.Header.Set("If-Modified-Since", "not a date") 1732 res = checkIfModifiedSince(req, time.Now()) 1733 assert.Equal(t, condNone, res) 1734 1735 req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil) 1736 req.Header.Set("If-Range", time.Now().Format(http.TimeFormat)) 1737 res = checkIfRange(req, time.Time{}) 1738 assert.Equal(t, condFalse, res) 1739 1740 req.Header.Set("If-Range", "invalid if range date") 1741 res = checkIfRange(req, time.Now()) 1742 assert.Equal(t, condFalse, res) 1743 modTime := getFileObjectModTime(time.Time{}) 1744 assert.Empty(t, modTime) 1745} 1746 1747func TestConnection(t *testing.T) { 1748 user := dataprovider.User{ 1749 BaseUser: sdk.BaseUser{ 1750 Username: "test_httpd_user", 1751 HomeDir: filepath.Clean(os.TempDir()), 1752 }, 1753 FsConfig: vfs.Filesystem{ 1754 Provider: sdk.GCSFilesystemProvider, 1755 GCSConfig: vfs.GCSFsConfig{ 1756 GCSFsConfig: sdk.GCSFsConfig{ 1757 Bucket: "test_bucket_name", 1758 Credentials: kms.NewPlainSecret("invalid JSON payload"), 1759 }, 1760 }, 1761 }, 1762 } 1763 user.Permissions = make(map[string][]string) 1764 user.Permissions["/"] = []string{dataprovider.PermAny} 1765 connection := &Connection{ 1766 BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, "", "", user), 1767 request: nil, 1768 } 1769 assert.Empty(t, connection.GetClientVersion()) 1770 assert.Empty(t, connection.GetRemoteAddress()) 1771 assert.Empty(t, connection.GetCommand()) 1772 name := "missing file name" 1773 _, err := connection.getFileReader(name, 0, http.MethodGet) 1774 assert.Error(t, err) 1775 connection.User.FsConfig.Provider = sdk.LocalFilesystemProvider 1776 _, err = connection.getFileReader(name, 0, http.MethodGet) 1777 assert.ErrorIs(t, err, os.ErrNotExist) 1778} 1779 1780func TestGetFileWriterErrors(t *testing.T) { 1781 user := dataprovider.User{ 1782 BaseUser: sdk.BaseUser{ 1783 Username: "test_httpd_user", 1784 HomeDir: "invalid", 1785 }, 1786 } 1787 user.Permissions = make(map[string][]string) 1788 user.Permissions["/"] = []string{dataprovider.PermAny} 1789 connection := &Connection{ 1790 BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, "", "", user), 1791 request: nil, 1792 } 1793 _, err := connection.getFileWriter("name") 1794 assert.Error(t, err) 1795 1796 user.FsConfig.Provider = sdk.S3FilesystemProvider 1797 user.FsConfig.S3Config = vfs.S3FsConfig{ 1798 S3FsConfig: sdk.S3FsConfig{ 1799 Bucket: "b", 1800 Region: "us-west-1", 1801 AccessKey: "key", 1802 AccessSecret: kms.NewPlainSecret("secret"), 1803 }, 1804 } 1805 connection = &Connection{ 1806 BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, "", "", user), 1807 request: nil, 1808 } 1809 _, err = connection.getFileWriter("/path") 1810 assert.Error(t, err) 1811} 1812 1813func TestHTTPDFile(t *testing.T) { 1814 user := dataprovider.User{ 1815 BaseUser: sdk.BaseUser{ 1816 Username: "test_httpd_user", 1817 HomeDir: filepath.Clean(os.TempDir()), 1818 }, 1819 } 1820 user.Permissions = make(map[string][]string) 1821 user.Permissions["/"] = []string{dataprovider.PermAny} 1822 connection := &Connection{ 1823 BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, "", "", user), 1824 request: nil, 1825 } 1826 1827 fs, err := user.GetFilesystem("") 1828 assert.NoError(t, err) 1829 1830 name := "fileName" 1831 p := filepath.Join(os.TempDir(), name) 1832 err = os.WriteFile(p, []byte("contents"), os.ModePerm) 1833 assert.NoError(t, err) 1834 file, err := os.Open(p) 1835 assert.NoError(t, err) 1836 err = file.Close() 1837 assert.NoError(t, err) 1838 1839 baseTransfer := common.NewBaseTransfer(file, connection.BaseConnection, nil, p, p, name, common.TransferDownload, 1840 0, 0, 0, false, fs) 1841 httpdFile := newHTTPDFile(baseTransfer, nil, nil) 1842 // the file is closed, read should fail 1843 buf := make([]byte, 100) 1844 _, err = httpdFile.Read(buf) 1845 assert.Error(t, err) 1846 err = httpdFile.Close() 1847 assert.Error(t, err) 1848 err = httpdFile.Close() 1849 assert.ErrorIs(t, err, common.ErrTransferClosed) 1850 err = os.Remove(p) 1851 assert.NoError(t, err) 1852 1853 httpdFile.writer = file 1854 httpdFile.File = nil 1855 httpdFile.ErrTransfer = nil 1856 err = httpdFile.closeIO() 1857 assert.Error(t, err) 1858 assert.Error(t, httpdFile.ErrTransfer) 1859 assert.Equal(t, err, httpdFile.ErrTransfer) 1860} 1861 1862func TestChangeUserPwd(t *testing.T) { 1863 req, _ := http.NewRequest(http.MethodPost, webChangeClientPwdPath, nil) 1864 err := doChangeUserPassword(req, "", "", "") 1865 if assert.Error(t, err) { 1866 assert.Contains(t, err.Error(), "please provide the current password and the new one two times") 1867 } 1868 err = doChangeUserPassword(req, "a", "b", "c") 1869 if assert.Error(t, err) { 1870 assert.Contains(t, err.Error(), "the two password fields do not match") 1871 } 1872 err = doChangeUserPassword(req, "a", "b", "b") 1873 if assert.Error(t, err) { 1874 assert.Contains(t, err.Error(), "invalid token claims") 1875 } 1876} 1877 1878func TestWebUserInvalidClaims(t *testing.T) { 1879 server := httpdServer{} 1880 server.initializeRouter() 1881 1882 rr := httptest.NewRecorder() 1883 user := dataprovider.User{ 1884 BaseUser: sdk.BaseUser{ 1885 Username: "", 1886 Password: "pwd", 1887 }, 1888 } 1889 c := jwtTokenClaims{ 1890 Username: user.Username, 1891 Permissions: nil, 1892 Signature: user.GetSignature(), 1893 } 1894 token, err := c.createTokenResponse(server.tokenAuth, tokenAudienceWebClient) 1895 assert.NoError(t, err) 1896 1897 req, _ := http.NewRequest(http.MethodGet, webClientFilesPath, nil) 1898 req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"])) 1899 handleClientGetFiles(rr, req) 1900 assert.Equal(t, http.StatusForbidden, rr.Code) 1901 assert.Contains(t, rr.Body.String(), "Invalid token claims") 1902 1903 rr = httptest.NewRecorder() 1904 req, _ = http.NewRequest(http.MethodGet, webClientDirsPath, nil) 1905 req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"])) 1906 handleClientGetDirContents(rr, req) 1907 assert.Equal(t, http.StatusForbidden, rr.Code) 1908 assert.Contains(t, rr.Body.String(), "invalid token claims") 1909 1910 rr = httptest.NewRecorder() 1911 req, _ = http.NewRequest(http.MethodGet, webClientDownloadZipPath, nil) 1912 req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"])) 1913 handleWebClientDownloadZip(rr, req) 1914 assert.Equal(t, http.StatusForbidden, rr.Code) 1915 assert.Contains(t, rr.Body.String(), "Invalid token claims") 1916 1917 rr = httptest.NewRecorder() 1918 req, _ = http.NewRequest(http.MethodGet, webClientEditFilePath, nil) 1919 req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"])) 1920 handleClientEditFile(rr, req) 1921 assert.Equal(t, http.StatusForbidden, rr.Code) 1922 assert.Contains(t, rr.Body.String(), "Invalid token claims") 1923 1924 rr = httptest.NewRecorder() 1925 req, _ = http.NewRequest(http.MethodGet, webClientSharePath, nil) 1926 req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"])) 1927 handleClientUpdateShareGet(rr, req) 1928 assert.Equal(t, http.StatusForbidden, rr.Code) 1929 assert.Contains(t, rr.Body.String(), "Invalid token claims") 1930 1931 rr = httptest.NewRecorder() 1932 req, _ = http.NewRequest(http.MethodPost, webClientSharePath, nil) 1933 req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"])) 1934 handleClientAddSharePost(rr, req) 1935 assert.Equal(t, http.StatusForbidden, rr.Code) 1936 assert.Contains(t, rr.Body.String(), "Invalid token claims") 1937 1938 rr = httptest.NewRecorder() 1939 req, _ = http.NewRequest(http.MethodPost, webClientSharePath+"/id", nil) 1940 req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"])) 1941 handleClientUpdateSharePost(rr, req) 1942 assert.Equal(t, http.StatusForbidden, rr.Code) 1943 assert.Contains(t, rr.Body.String(), "Invalid token claims") 1944 1945 rr = httptest.NewRecorder() 1946 req, _ = http.NewRequest(http.MethodGet, webClientSharesPath, nil) 1947 req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"])) 1948 handleClientGetShares(rr, req) 1949 assert.Equal(t, http.StatusForbidden, rr.Code) 1950 assert.Contains(t, rr.Body.String(), "Invalid token claims") 1951} 1952 1953func TestInvalidClaims(t *testing.T) { 1954 server := httpdServer{} 1955 server.initializeRouter() 1956 1957 rr := httptest.NewRecorder() 1958 user := dataprovider.User{ 1959 BaseUser: sdk.BaseUser{ 1960 Username: "", 1961 Password: "pwd", 1962 }, 1963 } 1964 c := jwtTokenClaims{ 1965 Username: user.Username, 1966 Permissions: nil, 1967 Signature: user.GetSignature(), 1968 } 1969 token, err := c.createTokenResponse(server.tokenAuth, tokenAudienceWebClient) 1970 assert.NoError(t, err) 1971 form := make(url.Values) 1972 form.Set(csrfFormToken, createCSRFToken()) 1973 form.Set("public_keys", "") 1974 req, _ := http.NewRequest(http.MethodPost, webClientProfilePath, bytes.NewBuffer([]byte(form.Encode()))) 1975 req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 1976 req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"])) 1977 handleWebClientProfilePost(rr, req) 1978 assert.Equal(t, http.StatusForbidden, rr.Code) 1979 1980 admin := dataprovider.Admin{ 1981 Username: "", 1982 Password: user.Password, 1983 } 1984 c = jwtTokenClaims{ 1985 Username: admin.Username, 1986 Permissions: nil, 1987 Signature: admin.GetSignature(), 1988 } 1989 token, err = c.createTokenResponse(server.tokenAuth, tokenAudienceWebAdmin) 1990 assert.NoError(t, err) 1991 form = make(url.Values) 1992 form.Set(csrfFormToken, createCSRFToken()) 1993 form.Set("allow_api_key_auth", "") 1994 req, _ = http.NewRequest(http.MethodPost, webAdminProfilePath, bytes.NewBuffer([]byte(form.Encode()))) 1995 req.Header.Set("Content-Type", "application/x-www-form-urlencoded") 1996 req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"])) 1997 handleWebAdminProfilePost(rr, req) 1998 assert.Equal(t, http.StatusForbidden, rr.Code) 1999} 2000 2001func TestTLSReq(t *testing.T) { 2002 req, err := http.NewRequest(http.MethodGet, webClientLoginPath, nil) 2003 assert.NoError(t, err) 2004 req.TLS = &tls.ConnectionState{} 2005 assert.True(t, isTLS(req)) 2006 req.TLS = nil 2007 ctx := context.WithValue(req.Context(), forwardedProtoKey, "https") 2008 assert.True(t, isTLS(req.WithContext(ctx))) 2009 ctx = context.WithValue(req.Context(), forwardedProtoKey, "http") 2010 assert.False(t, isTLS(req.WithContext(ctx))) 2011 assert.Equal(t, "context value forwarded proto", forwardedProtoKey.String()) 2012} 2013 2014func TestSigningKey(t *testing.T) { 2015 signingPassphrase := "test" 2016 server1 := httpdServer{ 2017 signingPassphrase: signingPassphrase, 2018 } 2019 server1.initializeRouter() 2020 2021 server2 := httpdServer{ 2022 signingPassphrase: signingPassphrase, 2023 } 2024 server2.initializeRouter() 2025 2026 user := dataprovider.User{ 2027 BaseUser: sdk.BaseUser{ 2028 Username: "", 2029 Password: "pwd", 2030 }, 2031 } 2032 c := jwtTokenClaims{ 2033 Username: user.Username, 2034 Permissions: nil, 2035 Signature: user.GetSignature(), 2036 } 2037 token, err := c.createTokenResponse(server1.tokenAuth, tokenAudienceWebClient) 2038 assert.NoError(t, err) 2039 accessToken := token["access_token"].(string) 2040 assert.NotEmpty(t, accessToken) 2041 _, err = server1.tokenAuth.Decode(accessToken) 2042 assert.NoError(t, err) 2043 _, err = server2.tokenAuth.Decode(accessToken) 2044 assert.NoError(t, err) 2045} 2046 2047func TestLoginLinks(t *testing.T) { 2048 b := Binding{ 2049 EnableWebAdmin: true, 2050 EnableWebClient: false, 2051 } 2052 assert.False(t, b.showClientLoginURL()) 2053 b = Binding{ 2054 EnableWebAdmin: false, 2055 EnableWebClient: true, 2056 } 2057 assert.False(t, b.showAdminLoginURL()) 2058 b = Binding{ 2059 EnableWebAdmin: true, 2060 EnableWebClient: true, 2061 } 2062 assert.True(t, b.showAdminLoginURL()) 2063 assert.True(t, b.showClientLoginURL()) 2064 b.HideLoginURL = 3 2065 assert.False(t, b.showAdminLoginURL()) 2066 assert.False(t, b.showClientLoginURL()) 2067 b.HideLoginURL = 1 2068 assert.True(t, b.showAdminLoginURL()) 2069 assert.False(t, b.showClientLoginURL()) 2070 b.HideLoginURL = 2 2071 assert.False(t, b.showAdminLoginURL()) 2072 assert.True(t, b.showClientLoginURL()) 2073} 2074 2075func TestResetCodesCleanup(t *testing.T) { 2076 resetCode := newResetCode(util.GenerateUniqueID(), false) 2077 resetCode.ExpiresAt = time.Now().Add(-1 * time.Minute).UTC() 2078 resetCodes.Store(resetCode.Code, resetCode) 2079 cleanupExpiredResetCodes() 2080 _, ok := resetCodes.Load(resetCode.Code) 2081 assert.False(t, ok) 2082} 2083 2084func TestUserCanResetPassword(t *testing.T) { 2085 req, err := http.NewRequest(http.MethodGet, webClientLoginPath, nil) 2086 assert.NoError(t, err) 2087 req.RemoteAddr = "172.16.9.2:55080" 2088 2089 u := dataprovider.User{} 2090 assert.True(t, isUserAllowedToResetPassword(req, &u)) 2091 u.Filters.DeniedProtocols = []string{common.ProtocolHTTP} 2092 assert.False(t, isUserAllowedToResetPassword(req, &u)) 2093 u.Filters.DeniedProtocols = nil 2094 u.Filters.WebClient = []string{sdk.WebClientPasswordResetDisabled} 2095 assert.False(t, isUserAllowedToResetPassword(req, &u)) 2096 u.Filters.WebClient = nil 2097 u.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodPassword} 2098 assert.False(t, isUserAllowedToResetPassword(req, &u)) 2099 u.Filters.DeniedLoginMethods = nil 2100 u.Filters.AllowedIP = []string{"127.0.0.1/8"} 2101 assert.False(t, isUserAllowedToResetPassword(req, &u)) 2102} 2103