[update] add download\upload\connect action pem validate

d0792ee3 · Eric · 04326cc4 · d0792ee3 · d0792ee3 · d0792ee3
Commit d0792ee3 authored Jun 11, 2019 by Eric
Hide whitespace changes
Inline Side-by-side

Showing with 80 additions and 0 deletions

sftp.go pkg/handler/sftp.go +24 -0

sftpvolume.go pkg/httpd/sftpvolume.go +50 -0

assets.go pkg/model/assets.go +6 -0

No files found.
--- a/pkg/handler/sftp.go
+++ b/pkg/handler/sftp.go
@@ -116,6 +116,11 @@ func (fs *sftpHandler) Filelist(r *sftp.Request) (sftp.ListerAt, error) {
 		return nil, sftp.ErrSshFxNoSuchFile
 	}
 	realPath = sysUserDir.ParsePath(r.Filepath)
+	if !fs.validatePermission(hostDir.asset.ID, sysUserDir.systemUser.ID, model.ConnectAction) {
+		return nil, sftp.ErrSshFxPermissionDenied
+	}
 	if sysUserDir.client == nil {
 		client, conn, err := fs.GetSftpClient(hostDir.asset, sysUserDir.systemUser)
 		if err != nil {
@@ -155,6 +160,11 @@ func (fs *sftpHandler) Filecmd(r *sftp.Request) (err error) {
 	}
 	hostDir := fs.hosts[pathNames[0]]
 	suDir := hostDir.suMaps[pathNames[1]]
+	if !fs.validatePermission(hostDir.asset.ID, suDir.systemUser.ID, model.ConnectAction) {
+		return sftp.ErrSshFxPermissionDenied
+	}
 	if suDir.client == nil {
 		client, conn, err := fs.GetSftpClient(hostDir.asset, suDir.systemUser)
 		if err != nil {
@@ -210,6 +220,11 @@ func (fs *sftpHandler) Filewrite(r *sftp.Request) (io.WriterAt, error) {
 	}
 	hostDir := fs.hosts[pathNames[0]]
 	suDir := hostDir.suMaps[pathNames[1]]
+	if !fs.validatePermission(hostDir.asset.ID, suDir.systemUser.ID, model.UploadAction) {
+		return nil, sftp.ErrSshFxPermissionDenied
+	}
 	if suDir.client == nil {
 		client, conn, err := fs.GetSftpClient(hostDir.asset, suDir.systemUser)
 		if err != nil {
@@ -246,6 +261,9 @@ func (fs *sftpHandler) Fileread(r *sftp.Request) (io.ReaderAt, error) {
 	}
 	hostDir := fs.hosts[pathNames[0]]
 	suDir := hostDir.suMaps[pathNames[1]]
+	if !fs.validatePermission(hostDir.asset.ID, suDir.systemUser.ID, model.DownloadAction) {
+		return nil, sftp.ErrSshFxPermissionDenied
+	}
 	if suDir.client == nil {
 		ftpClient, client, err := fs.GetSftpClient(hostDir.asset, suDir.systemUser)
 		if err != nil {
@@ -312,6 +330,12 @@ func (fs *sftpHandler) Close() {
 	}
 }
+func (fs *sftpHandler) validatePermission(aid, suid, operate string) bool {
+	return service.ValidateUserAssetPermission(
+		fs.user.ID, aid, suid, operate,
+	)
+}
 type HostNameDir struct {
 	rootPath string
 	hostname string

--- a/pkg/httpd/sftpvolume.go
+++ b/pkg/httpd/sftpvolume.go
@@ -117,6 +117,9 @@ func (u *UserVolume) Info(path string) (elfinder.FileDir, error) {
 	if path == sysUserVol.suPath {
 		return sysUserVol.info(), nil
 	}
+	if !u.validatePermission(hostVol.asset.ID, sysUserVol.systemUser.ID, model.ConnectAction) {
+		return rest, os.ErrPermission
+	}
 	realPath := sysUserVol.ParsePath(path)
 	if sysUserVol.client == nil {
@@ -261,6 +264,11 @@ func (u *UserVolume) GetFile(path string) (reader io.ReadCloser, err error) {
 	if !ok {
 		return nil, os.ErrNotExist
 	}
+	if !u.validatePermission(hostVol.asset.ID, sysUserVol.systemUser.ID, model.DownloadAction) {
+		return nil, os.ErrPermission
+	}
 	realPath := sysUserVol.ParsePath(path)
 	if sysUserVol.client == nil {
 		sftClient, conn, err := u.GetSftpClient(hostVol.asset, sysUserVol.systemUser)
@@ -337,6 +345,9 @@ func (u *UserVolume) UploadFile(dir, filename string, reader io.Reader) (elfinde
 	}
 	realFilenamePath := filepath.Join(realPath, filename)
+	if !u.validatePermission(hostVol.asset.ID, sysUserVol.systemUser.ID, model.UploadAction) {
+		return rest, os.ErrPermission
+	}
 	fd, err := sysUserVol.client.Create(realFilenamePath)
 	if err != nil {
@@ -416,6 +427,16 @@ func (u *UserVolume) MergeChunk(cid, total int, dirPath, filename string) (elfin
 	if !ok {
 		return rest, os.ErrNotExist
 	}
+	if !u.validatePermission(hostVol.asset.ID, sysUserVol.systemUser.ID, model.UploadAction) {
+		for i := 0; i <= total; i++ {
+			partPath := fmt.Sprintf("%s.%d_%d.part_%d",
+				filepath.Join(u.localTmpPath, dirPath, filename), i, total, cid)
+			_ = os.Remove(partPath)
+		}
+		return rest, os.ErrPermission
+	}
 	realDirPath := sysUserVol.ParsePath(dirPath)
 	if sysUserVol.client == nil {
 		sftClient, conn, err := u.GetSftpClient(hostVol.asset, sysUserVol.systemUser)
@@ -511,6 +532,11 @@ func (u *UserVolume) MakeDir(dir, newDirname string) (elfinder.FileDir, error) {
 	if !ok {
 		return rest, os.ErrNotExist
 	}
+	if !u.validatePermission(hostVol.asset.ID, sysUserVol.systemUser.ID, model.ConnectAction) {
+		return rest, os.ErrPermission
+	}
 	realPath := sysUserVol.ParsePath(dir)
 	if sysUserVol.client == nil {
 		sftClient, conn, err := u.GetSftpClient(hostVol.asset, sysUserVol.systemUser)
@@ -574,6 +600,11 @@ func (u *UserVolume) MakeFile(dir, newFilename string) (elfinder.FileDir, error)
 	if !ok {
 		return rest, os.ErrNotExist
 	}
+	if !u.validatePermission(hostVol.asset.ID, sysUserVol.systemUser.ID, model.ConnectAction) {
+		return rest, os.ErrPermission
+	}
 	realPath := sysUserVol.ParsePath(dir)
 	if sysUserVol.client == nil {
 		sftClient, conn, err := u.GetSftpClient(hostVol.asset, sysUserVol.systemUser)
@@ -633,6 +664,10 @@ func (u *UserVolume) Rename(oldNamePath, newName string) (elfinder.FileDir, erro
 		return rest, os.ErrPermission
 	}
+	if !u.validatePermission(hostVol.asset.ID, sysUserVol.systemUser.ID, model.ConnectAction) {
+		return rest, os.ErrPermission
+	}
 	realPath := sysUserVol.ParsePath(oldNamePath)
 	if sysUserVol.client == nil {
 		sftClient, conn, err := u.GetSftpClient(hostVol.asset, sysUserVol.systemUser)
@@ -698,6 +733,11 @@ func (u *UserVolume) Remove(path string) error {
 	if sysUserVol.suPath == path {
 		return os.ErrPermission
 	}
+	if !u.validatePermission(hostVol.asset.ID, sysUserVol.systemUser.ID, model.ConnectAction) {
+		return os.ErrPermission
+	}
 	realPath := sysUserVol.ParsePath(path)
 	if sysUserVol.client == nil {
 		sftClient, conn, err := u.GetSftpClient(hostVol.asset, sysUserVol.systemUser)
@@ -760,6 +800,10 @@ func (u *UserVolume) Paste(dir, filename, suffix string, reader io.ReadCloser) (
 	if !ok {
 		return rest, os.ErrNotExist
 	}
+	if !u.validatePermission(hostVol.asset.ID, sysUserVol.systemUser.ID, model.UploadAction) {
+		return rest, os.ErrPermission
+	}
 	realPath := sysUserVol.ParsePath(dir)
 	if sysUserVol.client == nil {
 		sftClient, conn, err := u.GetSftpClient(hostVol.asset, sysUserVol.systemUser)
@@ -846,6 +890,12 @@ func (u *UserVolume) CreateFTPLog(data *model.FTPLog) {
 	}
 }
+func (u *UserVolume) validatePermission(aid, suid, operate string) bool {
+	return service.ValidateUserAssetPermission(
+		u.user.ID, aid, suid, operate,
+	)
+}
 type hostnameVolume struct {
 	VID      string
 	homePath string

--- a/pkg/model/assets.go
+++ b/pkg/model/assets.go
@@ -178,6 +178,12 @@ func SortAssetNodesByKey(assetNodes []Node) {
 const LoginModeManual = "manual"
+const (
+	ConnectAction  = "connect"
+	UploadAction   = "upload_file"
+	DownloadAction = "download_file"
+)
 type SystemUser struct {
 	ID         string   `json:"id"`
 	Name       string   `json:"name"`