diff --git a/auth/auth.go b/auth/auth.go index c15cb9ab..53d5d839 100644 --- a/auth/auth.go +++ b/auth/auth.go @@ -3,13 +3,14 @@ package auth import ( "net/http" + "github.com/filebrowser/filebrowser/v2/settings" "github.com/filebrowser/filebrowser/v2/users" ) // Auther is the authentication interface. type Auther interface { // Auth is called to authenticate a request. - Auth(r *http.Request, s users.Store, root string) (*users.User, error) + Auth(r *http.Request, usr users.Store, stg *settings.Settings, srv *settings.Server) (*users.User, error) // LoginPage indicates if this auther needs a login page. LoginPage() bool } diff --git a/auth/hook.go b/auth/hook.go new file mode 100644 index 00000000..3e57560e --- /dev/null +++ b/auth/hook.go @@ -0,0 +1,302 @@ +package auth + +import ( + "encoding/json" + "fmt" + "log" + "net/http" + "os" + "os/exec" + "strings" + + "github.com/filebrowser/filebrowser/v2/errors" + "github.com/filebrowser/filebrowser/v2/files" + "github.com/filebrowser/filebrowser/v2/settings" + "github.com/filebrowser/filebrowser/v2/users" +) + +// MethodHookAuth is used to identify hook auth. +const MethodHookAuth settings.AuthMethod = "hook" + +type hookCred struct { + Password string `json:"password"` + Username string `json:"username"` +} + +// HookAuth is a hook implementation of an Auther. +type HookAuth struct { + Users users.Store `json:"-"` + Settings *settings.Settings `json:"-"` + Server *settings.Server `json:"-"` + Cred hookCred `json:"-"` + Fields hookFields `json:"-"` + Command string `json:"command"` +} + +// Auth authenticates the user via a json in content body. +func (a *HookAuth) Auth(r *http.Request, usr users.Store, stg *settings.Settings, srv *settings.Server) (*users.User, error) { + var cred hookCred + + if r.Body == nil { + return nil, os.ErrPermission + } + + err := json.NewDecoder(r.Body).Decode(&cred) + if err != nil { + return nil, os.ErrPermission + } + + a.Users = usr + a.Settings = stg + a.Server = srv + a.Cred = cred + + action, err := a.RunCommand() + if err != nil { + return nil, err + } + + switch action { + case "auth": + u, err := a.SaveUser() + if err != nil { + return nil, err + } + return u, nil + case "block": + return nil, os.ErrPermission + case "pass": + u, err := a.Users.Get(a.Server.Root, a.Cred.Username) + if err != nil || !users.CheckPwd(a.Cred.Password, u.Password) { + return nil, os.ErrPermission + } + return u, nil + default: + return nil, fmt.Errorf("invalid hook action: %s", action) + } +} + +// LoginPage tells that hook auth requires a login page. +func (a *HookAuth) LoginPage() bool { + return true +} + +// RunCommand starts the hook command and returns the action +func (a *HookAuth) RunCommand() (string, error) { + command := strings.Split(a.Command, " ") + envMapping := func(key string) string { + switch key { + case "USERNAME": + return a.Cred.Username + case "PASSWORD": + return a.Cred.Password + default: + return os.Getenv(key) + } + } + for i, arg := range command { + if i == 0 { + continue + } + command[i] = os.Expand(arg, envMapping) + } + + cmd := exec.Command(command[0], command[1:]...) //nolint:gosec + cmd.Env = append(os.Environ(), fmt.Sprintf("USERNAME=%s", a.Cred.Username)) + cmd.Env = append(cmd.Env, fmt.Sprintf("PASSWORD=%s", a.Cred.Password)) + out, err := cmd.Output() + if err != nil { + return "", err + } + + a.GetValues(string(out)) + + return a.Fields.Values["hook.action"], nil +} + +// GetValues creates a map with values from the key-value format string +func (a *HookAuth) GetValues(s string) { + m := map[string]string{} + + // make line breaks consistent on Windows platform + s = strings.ReplaceAll(s, "\r\n", "\n") + + // iterate input lines + for _, val := range strings.Split(s, "\n") { + v := strings.SplitN(val, "=", 2) //nolint: gomnd + + // skips non key and value format + if len(v) != 2 { //nolint: gomnd + continue + } + + fieldKey := strings.TrimSpace(v[0]) + fieldValue := strings.TrimSpace(v[1]) + + if a.Fields.IsValid(fieldKey) { + m[fieldKey] = fieldValue + } + } + + a.Fields.Values = m +} + +// SaveUser updates the existing user or creates a new one when not found +func (a *HookAuth) SaveUser() (*users.User, error) { + u, err := a.Users.Get(a.Server.Root, a.Cred.Username) + if err != nil && err != errors.ErrNotExist { + return nil, err + } + + if u == nil { + pass, err := users.HashPwd(a.Cred.Password) + if err != nil { + return nil, err + } + + // create user with the provided credentials + d := &users.User{ + Username: a.Cred.Username, + Password: pass, + Scope: a.Settings.Defaults.Scope, + Locale: a.Settings.Defaults.Locale, + ViewMode: a.Settings.Defaults.ViewMode, + SingleClick: a.Settings.Defaults.SingleClick, + Sorting: a.Settings.Defaults.Sorting, + Perm: a.Settings.Defaults.Perm, + Commands: a.Settings.Defaults.Commands, + HideDotfiles: a.Settings.Defaults.HideDotfiles, + } + u = a.GetUser(d) + + userHome, err := a.Settings.MakeUserDir(u.Username, u.Scope, a.Server.Root) + if err != nil { + return nil, fmt.Errorf("user: failed to mkdir user home dir: [%s]", userHome) + } + u.Scope = userHome + log.Printf("user: %s, home dir: [%s].", u.Username, userHome) + + err = a.Users.Save(u) + if err != nil { + return nil, err + } + } else if p := !users.CheckPwd(a.Cred.Password, u.Password); len(a.Fields.Values) > 1 || p { + u = a.GetUser(u) + + // update the password when it doesn't match the current + if p { + pass, err := users.HashPwd(a.Cred.Password) + if err != nil { + return nil, err + } + u.Password = pass + } + + // update user with provided fields + err := a.Users.Update(u) + if err != nil { + return nil, err + } + } + + return u, nil +} + +// GetUser returns a User filled with hook values or provided defaults +func (a *HookAuth) GetUser(d *users.User) *users.User { + // adds all permissions when user is admin + isAdmin := a.Fields.GetBoolean("user.perm.admin", d.Perm.Admin) + perms := users.Permissions{ + Admin: isAdmin, + Execute: isAdmin || a.Fields.GetBoolean("user.perm.execute", d.Perm.Execute), + Create: isAdmin || a.Fields.GetBoolean("user.perm.create", d.Perm.Create), + Rename: isAdmin || a.Fields.GetBoolean("user.perm.rename", d.Perm.Rename), + Modify: isAdmin || a.Fields.GetBoolean("user.perm.modify", d.Perm.Modify), + Delete: isAdmin || a.Fields.GetBoolean("user.perm.delete", d.Perm.Delete), + Share: isAdmin || a.Fields.GetBoolean("user.perm.share", d.Perm.Share), + Download: isAdmin || a.Fields.GetBoolean("user.perm.download", d.Perm.Download), + } + user := users.User{ + ID: d.ID, + Username: d.Username, + Password: d.Password, + Scope: a.Fields.GetString("user.scope", d.Scope), + Locale: a.Fields.GetString("user.locale", d.Locale), + ViewMode: users.ViewMode(a.Fields.GetString("user.viewMode", string(d.ViewMode))), + SingleClick: a.Fields.GetBoolean("user.singleClick", d.SingleClick), + Sorting: files.Sorting{ + Asc: a.Fields.GetBoolean("user.sorting.asc", d.Sorting.Asc), + By: a.Fields.GetString("user.sorting.by", d.Sorting.By), + }, + Commands: a.Fields.GetArray("user.commands", d.Commands), + HideDotfiles: a.Fields.GetBoolean("user.hideDotfiles", d.HideDotfiles), + Perm: perms, + LockPassword: true, + } + + return &user +} + +// hookFields is used to access fields from the hook +type hookFields struct { + Values map[string]string +} + +// validHookFields contains names of the fields that can be used +var validHookFields = []string{ + "hook.action", + "user.scope", + "user.locale", + "user.viewMode", + "user.singleClick", + "user.sorting.by", + "user.sorting.asc", + "user.commands", + "user.hideDotfiles", + "user.perm.admin", + "user.perm.execute", + "user.perm.create", + "user.perm.rename", + "user.perm.modify", + "user.perm.delete", + "user.perm.share", + "user.perm.download", +} + +// IsValid checks if the provided field is on the valid fields list +func (hf *hookFields) IsValid(field string) bool { + for _, val := range validHookFields { + if field == val { + return true + } + } + + return false +} + +// GetString returns the string value or provided default +func (hf *hookFields) GetString(k, dv string) string { + val, ok := hf.Values[k] + if ok { + return val + } + return dv +} + +// GetBoolean returns the bool value or provided default +func (hf *hookFields) GetBoolean(k string, dv bool) bool { + val, ok := hf.Values[k] + if ok { + return val == "true" + } + return dv +} + +// GetArray returns the array value or provided default +func (hf *hookFields) GetArray(k string, dv []string) []string { + val, ok := hf.Values[k] + if ok && strings.TrimSpace(val) != "" { + return strings.Split(val, " ") + } + return dv +} diff --git a/auth/json.go b/auth/json.go index 81edfb41..48f4c599 100644 --- a/auth/json.go +++ b/auth/json.go @@ -26,7 +26,7 @@ type JSONAuth struct { } // Auth authenticates the user via a json in content body. -func (a JSONAuth) Auth(r *http.Request, sto users.Store, root string) (*users.User, error) { +func (a JSONAuth) Auth(r *http.Request, usr users.Store, stg *settings.Settings, srv *settings.Server) (*users.User, error) { var cred jsonCred if r.Body == nil { @@ -51,7 +51,7 @@ func (a JSONAuth) Auth(r *http.Request, sto users.Store, root string) (*users.Us } } - u, err := sto.Get(root, cred.Username) + u, err := usr.Get(srv.Root, cred.Username) if err != nil || !users.CheckPwd(cred.Password, u.Password) { return nil, os.ErrPermission } diff --git a/auth/none.go b/auth/none.go index 43b60f06..f137ebc1 100644 --- a/auth/none.go +++ b/auth/none.go @@ -14,8 +14,8 @@ const MethodNoAuth settings.AuthMethod = "noauth" type NoAuth struct{} // Auth uses authenticates user 1. -func (a NoAuth) Auth(r *http.Request, sto users.Store, root string) (*users.User, error) { - return sto.Get(root, uint(1)) +func (a NoAuth) Auth(r *http.Request, usr users.Store, stg *settings.Settings, srv *settings.Server) (*users.User, error) { + return usr.Get(srv.Root, uint(1)) } // LoginPage tells that no auth doesn't require a login page. diff --git a/auth/proxy.go b/auth/proxy.go index f9387509..d4b19315 100644 --- a/auth/proxy.go +++ b/auth/proxy.go @@ -18,9 +18,9 @@ type ProxyAuth struct { } // Auth authenticates the user via an HTTP header. -func (a ProxyAuth) Auth(r *http.Request, sto users.Store, root string) (*users.User, error) { +func (a ProxyAuth) Auth(r *http.Request, usr users.Store, stg *settings.Settings, srv *settings.Server) (*users.User, error) { username := r.Header.Get(a.Header) - user, err := sto.Get(root, username) + user, err := usr.Get(srv.Root, username) if err == errors.ErrNotExist { return nil, os.ErrPermission } diff --git a/cmd/config.go b/cmd/config.go index 47a62397..c94b1ba9 100644 --- a/cmd/config.go +++ b/cmd/config.go @@ -35,6 +35,7 @@ func addConfigFlags(flags *pflag.FlagSet) { flags.String("auth.method", string(auth.MethodJSONAuth), "authentication type") flags.String("auth.header", "", "HTTP header for auth.method=proxy") + flags.String("auth.command", "", "command for auth.method=hook") flags.String("recaptcha.host", "https://www.google.com", "use another host for ReCAPTCHA. recaptcha.net might be useful in China") flags.String("recaptcha.key", "", "ReCaptcha site key") @@ -114,6 +115,20 @@ func getAuthentication(flags *pflag.FlagSet, defaults ...interface{}) (settings. auther = jsonAuth } + if method == auth.MethodHookAuth { + command := mustGetString(flags, "auth.command") + + if command == "" { + command = defaultAuther["command"].(string) + } + + if command == "" { + checkErr(nerrors.New("you must set the flag 'auth.command' for method 'hook'")) + } + + auther = &auth.HookAuth{Command: command} + } + if auther == nil { panic(errors.ErrInvalidAuthMethod) } diff --git a/cmd/config_import.go b/cmd/config_import.go index 7871a9f8..b87eb4e3 100644 --- a/cmd/config_import.go +++ b/cmd/config_import.go @@ -70,6 +70,8 @@ The path must be for a json or yaml file.`, auther = getAuther(auth.NoAuth{}, rawAuther).(*auth.NoAuth) case auth.MethodProxyAuth: auther = getAuther(auth.ProxyAuth{}, rawAuther).(*auth.ProxyAuth) + case auth.MethodHookAuth: + auther = getAuther(&auth.HookAuth{}, rawAuther).(*auth.HookAuth) default: checkErr(errors.New("invalid auth method")) } diff --git a/frontend/src/components/Sidebar.vue b/frontend/src/components/Sidebar.vue index 3db65648..a3f4c3ae 100644 --- a/frontend/src/components/Sidebar.vue +++ b/frontend/src/components/Sidebar.vue @@ -45,7 +45,7 @@