feat: filebrowser with encfs

auth/auth.go

@@ -0,0 +1,16 @@
+package auth
+
+import (
+	"net/http"
+
+	"github.com/filebrowser/filebrowser/v2/settings"
+	"github.com/filebrowser/filebrowser/v2/users"
+)
+
+// Auther is the authentication interface.
+type Auther interface {
+	// Auth is called to authenticate a request.
+	Auth(r *http.Request, usr users.Store, stg *settings.Settings, srv *settings.Server) (*users.User, error)
+	// LoginPage indicates if this auther needs a login page.
+	LoginPage() bool
+}

auth/hook.go

@@ -0,0 +1,303 @@
+package auth
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"log"
+	"net/http"
+	"os"
+	"os/exec"
+	"strings"
+
+	fbErrors "github.com/filebrowser/filebrowser/v2/errors"
+	"github.com/filebrowser/filebrowser/v2/files"
+	"github.com/filebrowser/filebrowser/v2/settings"
+	"github.com/filebrowser/filebrowser/v2/users"
+)
+
+// MethodHookAuth is used to identify hook auth.
+const MethodHookAuth settings.AuthMethod = "hook"
+
+type hookCred struct {
+	Password string `json:"password"`
+	Username string `json:"username"`
+}
+
+// HookAuth is a hook implementation of an Auther.
+type HookAuth struct {
+	Users    users.Store        `json:"-"`
+	Settings *settings.Settings `json:"-"`
+	Server   *settings.Server   `json:"-"`
+	Cred     hookCred           `json:"-"`
+	Fields   hookFields         `json:"-"`
+	Command  string             `json:"command"`
+}
+
+// Auth authenticates the user via a json in content body.
+func (a *HookAuth) Auth(r *http.Request, usr users.Store, stg *settings.Settings, srv *settings.Server) (*users.User, error) {
+	var cred hookCred
+
+	if r.Body == nil {
+		return nil, os.ErrPermission
+	}
+
+	err := json.NewDecoder(r.Body).Decode(&cred)
+	if err != nil {
+		return nil, os.ErrPermission
+	}
+
+	a.Users = usr
+	a.Settings = stg
+	a.Server = srv
+	a.Cred = cred
+
+	action, err := a.RunCommand()
+	if err != nil {
+		return nil, err
+	}
+
+	switch action {
+	case "auth":
+		u, err := a.SaveUser()
+		if err != nil {
+			return nil, err
+		}
+		return u, nil
+	case "block":
+		return nil, os.ErrPermission
+	case "pass":
+		u, err := a.Users.Get(a.Server.Root, a.Cred.Username)
+		if err != nil || !users.CheckPwd(a.Cred.Password, u.Password) {
+			return nil, os.ErrPermission
+		}
+		return u, nil
+	default:
+		return nil, fmt.Errorf("invalid hook action: %s", action)
+	}
+}
+
+// LoginPage tells that hook auth requires a login page.
+func (a *HookAuth) LoginPage() bool {
+	return true
+}
+
+// RunCommand starts the hook command and returns the action
+func (a *HookAuth) RunCommand() (string, error) {
+	command := strings.Split(a.Command, " ")
+	envMapping := func(key string) string {
+		switch key {
+		case "USERNAME":
+			return a.Cred.Username
+		case "PASSWORD":
+			return a.Cred.Password
+		default:
+			return os.Getenv(key)
+		}
+	}
+	for i, arg := range command {
+		if i == 0 {
+			continue
+		}
+		command[i] = os.Expand(arg, envMapping)
+	}
+
+	cmd := exec.Command(command[0], command[1:]...) //nolint:gosec
+	cmd.Env = append(os.Environ(), fmt.Sprintf("USERNAME=%s", a.Cred.Username))
+	cmd.Env = append(cmd.Env, fmt.Sprintf("PASSWORD=%s", a.Cred.Password))
+	out, err := cmd.Output()
+	if err != nil {
+		return "", err
+	}
+
+	a.GetValues(string(out))
+
+	return a.Fields.Values["hook.action"], nil
+}
+
+// GetValues creates a map with values from the key-value format string
+func (a *HookAuth) GetValues(s string) {
+	m := map[string]string{}
+
+	// make line breaks consistent on Windows platform
+	s = strings.ReplaceAll(s, "\r\n", "\n")
+
+	// iterate input lines
+	for _, val := range strings.Split(s, "\n") {
+		v := strings.SplitN(val, "=", 2)
+
+		// skips non key and value format
+		if len(v) != 2 {
+			continue
+		}
+
+		fieldKey := strings.TrimSpace(v[0])
+		fieldValue := strings.TrimSpace(v[1])
+
+		if a.Fields.IsValid(fieldKey) {
+			m[fieldKey] = fieldValue
+		}
+	}
+
+	a.Fields.Values = m
+}
+
+// SaveUser updates the existing user or creates a new one when not found
+func (a *HookAuth) SaveUser() (*users.User, error) {
+	u, err := a.Users.Get(a.Server.Root, a.Cred.Username)
+	if err != nil && !errors.Is(err, fbErrors.ErrNotExist) {
+		return nil, err
+	}
+
+	if u == nil {
+		pass, err := users.HashPwd(a.Cred.Password)
+		if err != nil {
+			return nil, err
+		}
+
+		// create user with the provided credentials
+		d := &users.User{
+			Username:     a.Cred.Username,
+			Password:     pass,
+			Scope:        a.Settings.Defaults.Scope,
+			Locale:       a.Settings.Defaults.Locale,
+			ViewMode:     a.Settings.Defaults.ViewMode,
+			SingleClick:  a.Settings.Defaults.SingleClick,
+			Sorting:      a.Settings.Defaults.Sorting,
+			Perm:         a.Settings.Defaults.Perm,
+			Commands:     a.Settings.Defaults.Commands,
+			HideDotfiles: a.Settings.Defaults.HideDotfiles,
+		}
+		u = a.GetUser(d)
+
+		userHome, err := a.Settings.MakeUserDir(u.Username, u.Scope, a.Server.Root)
+		if err != nil {
+			return nil, fmt.Errorf("user: failed to mkdir user home dir: [%s]", userHome)
+		}
+		u.Scope = userHome
+		log.Printf("user: %s, home dir: [%s].", u.Username, userHome)
+
+		err = a.Users.Save(u)
+		if err != nil {
+			return nil, err
+		}
+	} else if p := !users.CheckPwd(a.Cred.Password, u.Password); len(a.Fields.Values) > 1 || p {
+		u = a.GetUser(u)
+
+		// update the password when it doesn't match the current
+		if p {
+			pass, err := users.HashPwd(a.Cred.Password)
+			if err != nil {
+				return nil, err
+			}
+			u.Password = pass
+		}
+
+		// update user with provided fields
+		err := a.Users.Update(u)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return u, nil
+}
+
+// GetUser returns a User filled with hook values or provided defaults
+func (a *HookAuth) GetUser(d *users.User) *users.User {
+	// adds all permissions when user is admin
+	isAdmin := a.Fields.GetBoolean("user.perm.admin", d.Perm.Admin)
+	perms := users.Permissions{
+		Admin:    isAdmin,
+		Execute:  isAdmin || a.Fields.GetBoolean("user.perm.execute", d.Perm.Execute),
+		Create:   isAdmin || a.Fields.GetBoolean("user.perm.create", d.Perm.Create),
+		Rename:   isAdmin || a.Fields.GetBoolean("user.perm.rename", d.Perm.Rename),
+		Modify:   isAdmin || a.Fields.GetBoolean("user.perm.modify", d.Perm.Modify),
+		Delete:   isAdmin || a.Fields.GetBoolean("user.perm.delete", d.Perm.Delete),
+		Share:    isAdmin || a.Fields.GetBoolean("user.perm.share", d.Perm.Share),
+		Download: isAdmin || a.Fields.GetBoolean("user.perm.download", d.Perm.Download),
+	}
+	user := users.User{
+		ID:          d.ID,
+		Username:    d.Username,
+		Password:    d.Password,
+		Scope:       a.Fields.GetString("user.scope", d.Scope),
+		Locale:      a.Fields.GetString("user.locale", d.Locale),
+		ViewMode:    users.ViewMode(a.Fields.GetString("user.viewMode", string(d.ViewMode))),
+		SingleClick: a.Fields.GetBoolean("user.singleClick", d.SingleClick),
+		Sorting: files.Sorting{
+			Asc: a.Fields.GetBoolean("user.sorting.asc", d.Sorting.Asc),
+			By:  a.Fields.GetString("user.sorting.by", d.Sorting.By),
+		},
+		Commands:     a.Fields.GetArray("user.commands", d.Commands),
+		HideDotfiles: a.Fields.GetBoolean("user.hideDotfiles", d.HideDotfiles),
+		Perm:         perms,
+		LockPassword: true,
+	}
+
+	return &user
+}
+
+// hookFields is used to access fields from the hook
+type hookFields struct {
+	Values map[string]string
+}
+
+// validHookFields contains names of the fields that can be used
+var validHookFields = []string{
+	"hook.action",
+	"user.scope",
+	"user.locale",
+	"user.viewMode",
+	"user.singleClick",
+	"user.sorting.by",
+	"user.sorting.asc",
+	"user.commands",
+	"user.hideDotfiles",
+	"user.perm.admin",
+	"user.perm.execute",
+	"user.perm.create",
+	"user.perm.rename",
+	"user.perm.modify",
+	"user.perm.delete",
+	"user.perm.share",
+	"user.perm.download",
+}
+
+// IsValid checks if the provided field is on the valid fields list
+func (hf *hookFields) IsValid(field string) bool {
+	for _, val := range validHookFields {
+		if field == val {
+			return true
+		}
+	}
+
+	return false
+}
+
+// GetString returns the string value or provided default
+func (hf *hookFields) GetString(k, dv string) string {
+	val, ok := hf.Values[k]
+	if ok {
+		return val
+	}
+	return dv
+}
+
+// GetBoolean returns the bool value or provided default
+func (hf *hookFields) GetBoolean(k string, dv bool) bool {
+	val, ok := hf.Values[k]
+	if ok {
+		return val == "true"
+	}
+	return dv
+}
+
+// GetArray returns the array value or provided default
+func (hf *hookFields) GetArray(k string, dv []string) []string {
+	val, ok := hf.Values[k]
+	if ok && strings.TrimSpace(val) != "" {
+		return strings.Split(val, " ")
+	}
+	return dv
+}

auth/json.go

@@ -0,0 +1,108 @@
+package auth
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+
+	"github.com/filebrowser/filebrowser/v2/settings"
+	"github.com/filebrowser/filebrowser/v2/users"
+)
+
+// MethodJSONAuth is used to identify json auth.
+const MethodJSONAuth settings.AuthMethod = "json"
+
+type jsonCred struct {
+	Password  string `json:"password"`
+	Username  string `json:"username"`
+	ReCaptcha string `json:"recaptcha"`
+}
+
+// JSONAuth is a json implementation of an Auther.
+type JSONAuth struct {
+	ReCaptcha *ReCaptcha `json:"recaptcha" yaml:"recaptcha"`
+}
+
+// Auth authenticates the user via a json in content body.
+func (a JSONAuth) Auth(r *http.Request, usr users.Store, _ *settings.Settings, srv *settings.Server) (*users.User, error) {
+	var cred jsonCred
+
+	if r.Body == nil {
+		return nil, os.ErrPermission
+	}
+
+	err := json.NewDecoder(r.Body).Decode(&cred)
+	if err != nil {
+		return nil, os.ErrPermission
+	}
+
+	// If ReCaptcha is enabled, check the code.
+	if a.ReCaptcha != nil && a.ReCaptcha.Secret != "" {
+		ok, err := a.ReCaptcha.Ok(cred.ReCaptcha) //nolint:govet
+
+		if err != nil {
+			return nil, err
+		}
+
+		if !ok {
+			return nil, os.ErrPermission
+		}
+	}
+
+	u, err := usr.Get(srv.Root, cred.Username)
+	if err != nil || !users.CheckPwd(cred.Password, u.Password) {
+		return nil, os.ErrPermission
+	}
+
+	return u, nil
+}
+
+// LoginPage tells that json auth doesn't require a login page.
+func (a JSONAuth) LoginPage() bool {
+	return true
+}
+
+const reCaptchaAPI = "/recaptcha/api/siteverify"
+
+// ReCaptcha identifies a recaptcha connection.
+type ReCaptcha struct {
+	Host   string `json:"host"`
+	Key    string `json:"key"`
+	Secret string `json:"secret"`
+}
+
+// Ok checks if a reCaptcha responde is correct.
+func (r *ReCaptcha) Ok(response string) (bool, error) {
+	body := url.Values{}
+	body.Set("secret", r.Secret)
+	body.Add("response", response)
+
+	client := &http.Client{}
+
+	resp, err := client.Post(
+		r.Host+reCaptchaAPI,
+		"application/x-www-form-urlencoded",
+		strings.NewReader(body.Encode()),
+	)
+	if err != nil {
+		return false, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return false, nil
+	}
+
+	var data struct {
+		Success bool `json:"success"`
+	}
+
+	err = json.NewDecoder(resp.Body).Decode(&data)
+	if err != nil {
+		return false, err
+	}
+
+	return data.Success, nil
+}

auth/none.go

@@ -0,0 +1,24 @@
+package auth
+
+import (
+	"net/http"
+
+	"github.com/filebrowser/filebrowser/v2/settings"
+	"github.com/filebrowser/filebrowser/v2/users"
+)
+
+// MethodNoAuth is used to identify no auth.
+const MethodNoAuth settings.AuthMethod = "noauth"
+
+// NoAuth is no auth implementation of auther.
+type NoAuth struct{}
+
+// Auth uses authenticates user 1.
+func (a NoAuth) Auth(_ *http.Request, usr users.Store, _ *settings.Settings, srv *settings.Server) (*users.User, error) {
+	return usr.Get(srv.Root, uint(1))
+}
+
+// LoginPage tells that no auth doesn't require a login page.
+func (a NoAuth) LoginPage() bool {
+	return false
+}

auth/proxy.go

@@ -0,0 +1,35 @@
+package auth
+
+import (
+	"errors"
+	"net/http"
+	"os"
+
+	fbErrors "github.com/filebrowser/filebrowser/v2/errors"
+	"github.com/filebrowser/filebrowser/v2/settings"
+	"github.com/filebrowser/filebrowser/v2/users"
+)
+
+// MethodProxyAuth is used to identify no auth.
+const MethodProxyAuth settings.AuthMethod = "proxy"
+
+// ProxyAuth is a proxy implementation of an auther.
+type ProxyAuth struct {
+	Header string `json:"header"`
+}
+
+// Auth authenticates the user via an HTTP header.
+func (a ProxyAuth) Auth(r *http.Request, usr users.Store, _ *settings.Settings, srv *settings.Server) (*users.User, error) {
+	username := r.Header.Get(a.Header)
+	user, err := usr.Get(srv.Root, username)
+	if errors.Is(err, fbErrors.ErrNotExist) {
+		return nil, os.ErrPermission
+	}
+
+	return user, err
+}
+
+// LoginPage tells that proxy auth doesn't require a login page.
+func (a ProxyAuth) LoginPage() bool {
+	return false
+}

auth/storage.go

@@ -0,0 +1,33 @@
+package auth
+
+import (
+	"github.com/filebrowser/filebrowser/v2/settings"
+	"github.com/filebrowser/filebrowser/v2/users"
+)
+
+// StorageBackend is a storage backend for auth storage.
+type StorageBackend interface {
+	Get(settings.AuthMethod) (Auther, error)
+	Save(Auther) error
+}
+
+// Storage is a auth storage.
+type Storage struct {
+	back  StorageBackend
+	users *users.Storage
+}
+
+// NewStorage creates a auth storage from a backend.
+func NewStorage(back StorageBackend, userStore *users.Storage) *Storage {
+	return &Storage{back: back, users: userStore}
+}
+
+// Get wraps a StorageBackend.Get.
+func (s *Storage) Get(t settings.AuthMethod) (Auther, error) {
+	return s.back.Get(t)
+}
+
+// Save wraps a StorageBackend.Save.
+func (s *Storage) Save(a Auther) error {
+	return s.back.Save(a)
+}