forked from drakkan/sftpgo
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathvfs.go
457 lines (420 loc) · 14.5 KB
/
vfs.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
// Package vfs provides local and remote filesystems support
package vfs
import (
"errors"
"fmt"
"io"
"net/url"
"os"
"path"
"path/filepath"
"runtime"
"strings"
"time"
"github.com/eikenb/pipeat"
"github.com/drakkan/sftpgo/kms"
"github.com/drakkan/sftpgo/logger"
"github.com/drakkan/sftpgo/utils"
)
const dirMimeType = "inode/directory"
var (
validAzAccessTier = []string{"", "Archive", "Hot", "Cool"}
errStorageSizeUnavailable = errors.New("unable to get available size for this storage backend")
)
// Fs defines the interface for filesystem backends
type Fs interface {
Name() string
ConnectionID() string
Stat(name string) (os.FileInfo, error)
Lstat(name string) (os.FileInfo, error)
Open(name string, offset int64) (File, *pipeat.PipeReaderAt, func(), error)
Create(name string, flag int) (File, *PipeWriter, func(), error)
Rename(source, target string) error
Remove(name string, isDir bool) error
Mkdir(name string) error
Symlink(source, target string) error
Chown(name string, uid int, gid int) error
Chmod(name string, mode os.FileMode) error
Chtimes(name string, atime, mtime time.Time) error
Truncate(name string, size int64) error
ReadDir(dirname string) ([]os.FileInfo, error)
Readlink(name string) (string, error)
IsUploadResumeSupported() bool
IsAtomicUploadSupported() bool
CheckRootPath(username string, uid int, gid int) bool
ResolvePath(sftpPath string) (string, error)
IsNotExist(err error) bool
IsPermission(err error) bool
IsNotSupported(err error) bool
ScanRootDirContents() (int, int64, error)
GetDirSize(dirname string) (int, int64, error)
GetAtomicUploadPath(name string) string
GetRelativePath(name string) string
Walk(root string, walkFn filepath.WalkFunc) error
Join(elem ...string) string
HasVirtualFolders() bool
GetMimeType(name string) (string, error)
GetAvailableDiskSize(dirName string) (int64, error)
Close() error
}
// File defines an interface representing a SFTPGo file
type File interface {
io.Reader
io.Writer
io.Closer
io.ReaderAt
io.WriterAt
io.Seeker
Stat() (os.FileInfo, error)
Name() string
Truncate(size int64) error
}
// ErrVfsUnsupported defines the error for an unsupported VFS operation
var ErrVfsUnsupported = errors.New("Not supported")
// QuotaCheckResult defines the result for a quota check
type QuotaCheckResult struct {
HasSpace bool
AllowedSize int64
AllowedFiles int
UsedSize int64
UsedFiles int
QuotaSize int64
QuotaFiles int
}
// GetRemainingSize returns the remaining allowed size
func (q *QuotaCheckResult) GetRemainingSize() int64 {
if q.QuotaSize > 0 {
return q.QuotaSize - q.UsedSize
}
return 0
}
// GetRemainingFiles returns the remaining allowed files
func (q *QuotaCheckResult) GetRemainingFiles() int {
if q.QuotaFiles > 0 {
return q.QuotaFiles - q.UsedFiles
}
return 0
}
// S3FsConfig defines the configuration for S3 based filesystem
type S3FsConfig struct {
Bucket string `json:"bucket,omitempty"`
// KeyPrefix is similar to a chroot directory for local filesystem.
// If specified then the SFTP user will only see objects that starts
// with this prefix and so you can restrict access to a specific
// folder. The prefix, if not empty, must not start with "/" and must
// end with "/".
// If empty the whole bucket contents will be available
KeyPrefix string `json:"key_prefix,omitempty"`
Region string `json:"region,omitempty"`
AccessKey string `json:"access_key,omitempty"`
AccessSecret *kms.Secret `json:"access_secret,omitempty"`
Endpoint string `json:"endpoint,omitempty"`
StorageClass string `json:"storage_class,omitempty"`
// The buffer size (in MB) to use for multipart uploads. The minimum allowed part size is 5MB,
// and if this value is set to zero, the default value (5MB) for the AWS SDK will be used.
// The minimum allowed value is 5.
// Please note that if the upload bandwidth between the SFTP client and SFTPGo is greater than
// the upload bandwidth between SFTPGo and S3 then the SFTP client have to wait for the upload
// of the last parts to S3 after it ends the file upload to SFTPGo, and it may time out.
// Keep this in mind if you customize these parameters.
UploadPartSize int64 `json:"upload_part_size,omitempty"`
// How many parts are uploaded in parallel
UploadConcurrency int `json:"upload_concurrency,omitempty"`
}
func (c *S3FsConfig) checkCredentials() error {
if c.AccessKey == "" && !c.AccessSecret.IsEmpty() {
return errors.New("access_key cannot be empty with access_secret not empty")
}
if c.AccessSecret.IsEmpty() && c.AccessKey != "" {
return errors.New("access_secret cannot be empty with access_key not empty")
}
if c.AccessSecret.IsEncrypted() && !c.AccessSecret.IsValid() {
return errors.New("invalid encrypted access_secret")
}
if !c.AccessSecret.IsEmpty() && !c.AccessSecret.IsValidInput() {
return errors.New("invalid access_secret")
}
return nil
}
// EncryptCredentials encrypts access secret if it is in plain text
func (c *S3FsConfig) EncryptCredentials(additionalData string) error {
if c.AccessSecret.IsPlain() {
c.AccessSecret.SetAdditionalData(additionalData)
err := c.AccessSecret.Encrypt()
if err != nil {
return err
}
}
return nil
}
// Validate returns an error if the configuration is not valid
func (c *S3FsConfig) Validate() error {
if c.AccessSecret == nil {
c.AccessSecret = kms.NewEmptySecret()
}
if c.Bucket == "" {
return errors.New("bucket cannot be empty")
}
if c.Region == "" {
return errors.New("region cannot be empty")
}
if err := c.checkCredentials(); err != nil {
return err
}
if c.KeyPrefix != "" {
if strings.HasPrefix(c.KeyPrefix, "/") {
return errors.New("key_prefix cannot start with /")
}
c.KeyPrefix = path.Clean(c.KeyPrefix)
if !strings.HasSuffix(c.KeyPrefix, "/") {
c.KeyPrefix += "/"
}
}
if c.UploadPartSize != 0 && (c.UploadPartSize < 5 || c.UploadPartSize > 5000) {
return errors.New("upload_part_size cannot be != 0, lower than 5 (MB) or greater than 5000 (MB)")
}
if c.UploadConcurrency < 0 || c.UploadConcurrency > 64 {
return fmt.Errorf("invalid upload concurrency: %v", c.UploadConcurrency)
}
return nil
}
// GCSFsConfig defines the configuration for Google Cloud Storage based filesystem
type GCSFsConfig struct {
Bucket string `json:"bucket,omitempty"`
// KeyPrefix is similar to a chroot directory for local filesystem.
// If specified then the SFTP user will only see objects that starts
// with this prefix and so you can restrict access to a specific
// folder. The prefix, if not empty, must not start with "/" and must
// end with "/".
// If empty the whole bucket contents will be available
KeyPrefix string `json:"key_prefix,omitempty"`
CredentialFile string `json:"-"`
Credentials *kms.Secret `json:"credentials,omitempty"`
// 0 explicit, 1 automatic
AutomaticCredentials int `json:"automatic_credentials,omitempty"`
StorageClass string `json:"storage_class,omitempty"`
}
// Validate returns an error if the configuration is not valid
func (c *GCSFsConfig) Validate(credentialsFilePath string) error {
if c.Credentials == nil {
c.Credentials = kms.NewEmptySecret()
}
if c.Bucket == "" {
return errors.New("bucket cannot be empty")
}
if c.KeyPrefix != "" {
if strings.HasPrefix(c.KeyPrefix, "/") {
return errors.New("key_prefix cannot start with /")
}
c.KeyPrefix = path.Clean(c.KeyPrefix)
if !strings.HasSuffix(c.KeyPrefix, "/") {
c.KeyPrefix += "/"
}
}
if c.Credentials.IsEncrypted() && !c.Credentials.IsValid() {
return errors.New("invalid encrypted credentials")
}
if !c.Credentials.IsValidInput() && c.AutomaticCredentials == 0 {
fi, err := os.Stat(credentialsFilePath)
if err != nil {
return fmt.Errorf("invalid credentials %v", err)
}
if fi.Size() == 0 {
return errors.New("credentials cannot be empty")
}
}
return nil
}
// AzBlobFsConfig defines the configuration for Azure Blob Storage based filesystem
type AzBlobFsConfig struct {
Container string `json:"container,omitempty"`
// Storage Account Name, leave blank to use SAS URL
AccountName string `json:"account_name,omitempty"`
// Storage Account Key leave blank to use SAS URL.
// The access key is stored encrypted based on the kms configuration
AccountKey *kms.Secret `json:"account_key,omitempty"`
// Optional endpoint. Default is "blob.core.windows.net".
// If you use the emulator the endpoint must include the protocol,
// for example "http://127.0.0.1:10000"
Endpoint string `json:"endpoint,omitempty"`
// Shared access signature URL, leave blank if using account/key
SASURL string `json:"sas_url,omitempty"`
// KeyPrefix is similar to a chroot directory for local filesystem.
// If specified then the SFTPGo userd will only see objects that starts
// with this prefix and so you can restrict access to a specific
// folder. The prefix, if not empty, must not start with "/" and must
// end with "/".
// If empty the whole bucket contents will be available
KeyPrefix string `json:"key_prefix,omitempty"`
// The buffer size (in MB) to use for multipart uploads.
// If this value is set to zero, the default value (1MB) for the Azure SDK will be used.
// Please note that if the upload bandwidth between the SFTPGo client and SFTPGo server is
// greater than the upload bandwidth between SFTPGo and Azure then the SFTP client have
// to wait for the upload of the last parts to Azure after it ends the file upload to SFTPGo,
// and it may time out.
// Keep this in mind if you customize these parameters.
UploadPartSize int64 `json:"upload_part_size,omitempty"`
// How many parts are uploaded in parallel
UploadConcurrency int `json:"upload_concurrency,omitempty"`
// Set to true if you use an Azure emulator such as Azurite
UseEmulator bool `json:"use_emulator,omitempty"`
// Blob Access Tier
AccessTier string `json:"access_tier,omitempty"`
}
// EncryptCredentials encrypts access secret if it is in plain text
func (c *AzBlobFsConfig) EncryptCredentials(additionalData string) error {
if c.AccountKey.IsPlain() {
c.AccountKey.SetAdditionalData(additionalData)
if err := c.AccountKey.Encrypt(); err != nil {
return err
}
}
return nil
}
func (c *AzBlobFsConfig) checkCredentials() error {
if c.AccountName == "" || !c.AccountKey.IsValidInput() {
return errors.New("credentials cannot be empty or invalid")
}
if c.AccountKey.IsEncrypted() && !c.AccountKey.IsValid() {
return errors.New("invalid encrypted account_key")
}
return nil
}
// Validate returns an error if the configuration is not valid
func (c *AzBlobFsConfig) Validate() error {
if c.AccountKey == nil {
c.AccountKey = kms.NewEmptySecret()
}
if c.SASURL != "" {
_, err := url.Parse(c.SASURL)
return err
}
if c.Container == "" {
return errors.New("container cannot be empty")
}
if err := c.checkCredentials(); err != nil {
return err
}
if c.KeyPrefix != "" {
if strings.HasPrefix(c.KeyPrefix, "/") {
return errors.New("key_prefix cannot start with /")
}
c.KeyPrefix = path.Clean(c.KeyPrefix)
if !strings.HasSuffix(c.KeyPrefix, "/") {
c.KeyPrefix += "/"
}
}
if c.UploadPartSize < 0 || c.UploadPartSize > 100 {
return fmt.Errorf("invalid upload part size: %v", c.UploadPartSize)
}
if c.UploadConcurrency < 0 || c.UploadConcurrency > 64 {
return fmt.Errorf("invalid upload concurrency: %v", c.UploadConcurrency)
}
if !utils.IsStringInSlice(c.AccessTier, validAzAccessTier) {
return fmt.Errorf("invalid access tier %#v, valid values: \"''%v\"", c.AccessTier, strings.Join(validAzAccessTier, ", "))
}
return nil
}
// CryptFsConfig defines the configuration to store local files as encrypted
type CryptFsConfig struct {
Passphrase *kms.Secret `json:"passphrase,omitempty"`
}
// EncryptCredentials encrypts access secret if it is in plain text
func (c *CryptFsConfig) EncryptCredentials(additionalData string) error {
if c.Passphrase.IsPlain() {
c.Passphrase.SetAdditionalData(additionalData)
if err := c.Passphrase.Encrypt(); err != nil {
return err
}
}
return nil
}
// Validate returns an error if the configuration is not valid
func (c *CryptFsConfig) Validate() error {
if c.Passphrase == nil || c.Passphrase.IsEmpty() {
return errors.New("invalid passphrase")
}
if !c.Passphrase.IsValidInput() {
return errors.New("passphrase cannot be empty or invalid")
}
if c.Passphrase.IsEncrypted() && !c.Passphrase.IsValid() {
return errors.New("invalid encrypted passphrase")
}
return nil
}
// PipeWriter defines a wrapper for pipeat.PipeWriterAt.
type PipeWriter struct {
writer *pipeat.PipeWriterAt
err error
done chan bool
}
// NewPipeWriter initializes a new PipeWriter
func NewPipeWriter(w *pipeat.PipeWriterAt) *PipeWriter {
return &PipeWriter{
writer: w,
err: nil,
done: make(chan bool),
}
}
// Close waits for the upload to end, closes the pipeat.PipeWriterAt and returns an error if any.
func (p *PipeWriter) Close() error {
p.writer.Close() //nolint:errcheck // the returned error is always null
<-p.done
return p.err
}
// Done unlocks other goroutines waiting on Close().
// It must be called when the upload ends
func (p *PipeWriter) Done(err error) {
p.err = err
p.done <- true
}
// WriteAt is a wrapper for pipeat WriteAt
func (p *PipeWriter) WriteAt(data []byte, off int64) (int, error) {
return p.writer.WriteAt(data, off)
}
// Write is a wrapper for pipeat Write
func (p *PipeWriter) Write(data []byte) (int, error) {
return p.writer.Write(data)
}
// IsDirectory checks if a path exists and is a directory
func IsDirectory(fs Fs, path string) (bool, error) {
fileInfo, err := fs.Stat(path)
if err != nil {
return false, err
}
return fileInfo.IsDir(), err
}
// IsLocalOsFs returns true if fs is a local filesystem implementation
func IsLocalOsFs(fs Fs) bool {
return fs.Name() == osFsName
}
// IsCryptOsFs returns true if fs is an encrypted local filesystem implementation
func IsCryptOsFs(fs Fs) bool {
return fs.Name() == cryptFsName
}
// IsSFTPFs returns true if fs is a SFTP filesystem
func IsSFTPFs(fs Fs) bool {
return strings.HasPrefix(fs.Name(), sftpFsName)
}
// IsLocalOrSFTPFs returns true if fs is local or SFTP
func IsLocalOrSFTPFs(fs Fs) bool {
return IsLocalOsFs(fs) || IsSFTPFs(fs)
}
// SetPathPermissions calls fs.Chown.
// It does nothing for local filesystem on windows
func SetPathPermissions(fs Fs, path string, uid int, gid int) {
if uid == -1 && gid == -1 {
return
}
if IsLocalOsFs(fs) {
if runtime.GOOS == "windows" {
return
}
}
if err := fs.Chown(path, uid, gid); err != nil {
fsLog(fs, logger.LevelWarn, "error chowning path %v: %v", path, err)
}
}
func fsLog(fs Fs, level logger.LogLevel, format string, v ...interface{}) {
logger.Log(level, fs.Name(), fs.ConnectionID(), format, v...)
}