feat(sftp-server): public key login (#7668)

2024-12-25 21:15:06 +08:00
parent db5c601cfe
commit 77d0c78bfd
7 changed files with 289 additions and 2 deletions
--- a/server/handles/sshkey.go
+++ b/server/handles/sshkey.go
@ -0,0 +1,124 @@
+package handles
+
+import (
+	"github.com/alist-org/alist/v3/internal/model"
+	"github.com/alist-org/alist/v3/internal/op"
+	"github.com/alist-org/alist/v3/server/common"
+	"github.com/gin-gonic/gin"
+	"strconv"
+)
+
+type SSHKeyAddReq struct {
+	Title string `json:"title" binding:"required"`
+	Key   string `json:"key" binding:"required"`
+}
+
+func AddMyPublicKey(c *gin.Context) {
+	userObj, ok := c.Value("user").(*model.User)
+	if !ok || userObj.IsGuest() {
+		common.ErrorStrResp(c, "user invalid", 401)
+		return
+	}
+	var req SSHKeyAddReq
+	if err := c.ShouldBind(&req); err != nil {
+		common.ErrorStrResp(c, "request invalid", 400)
+		return
+	}
+	if req.Title == "" {
+		common.ErrorStrResp(c, "request invalid", 400)
+		return
+	}
+	key := &model.SSHPublicKey{
+		Title:  req.Title,
+		KeyStr: req.Key,
+		UserId: userObj.ID,
+	}
+	err, parsed := op.CreateSSHPublicKey(key)
+	if !parsed {
+		common.ErrorStrResp(c, "provided key invalid", 400)
+		return
+	} else if err != nil {
+		common.ErrorResp(c, err, 500, true)
+		return
+	}
+	common.SuccessResp(c)
+}
+
+func ListMyPublicKey(c *gin.Context) {
+	userObj, ok := c.Value("user").(*model.User)
+	if !ok || userObj.IsGuest() {
+		common.ErrorStrResp(c, "user invalid", 401)
+		return
+	}
+	list(c, userObj)
+}
+
+func DeleteMyPublicKey(c *gin.Context) {
+	userObj, ok := c.Value("user").(*model.User)
+	if !ok || userObj.IsGuest() {
+		common.ErrorStrResp(c, "user invalid", 401)
+		return
+	}
+	keyId, err := strconv.Atoi(c.Query("id"))
+	if err != nil {
+		common.ErrorStrResp(c, "id format invalid", 400)
+		return
+	}
+	key, err := op.GetSSHPublicKeyByIdAndUserId(uint(keyId), userObj.ID)
+	if err != nil {
+		common.ErrorStrResp(c, "failed to get public key", 404)
+		return
+	}
+	err = op.DeleteSSHPublicKeyById(key.ID)
+	if err != nil {
+		common.ErrorResp(c, err, 500, true)
+		return
+	}
+	common.SuccessResp(c)
+}
+
+func ListPublicKeys(c *gin.Context) {
+	userId, err := strconv.Atoi(c.Query("uid"))
+	if err != nil {
+		common.ErrorStrResp(c, "user id format invalid", 400)
+		return
+	}
+	userObj, err := op.GetUserById(uint(userId))
+	if err != nil {
+		common.ErrorStrResp(c, "user invalid", 404)
+		return
+	}
+	list(c, userObj)
+}
+
+func DeletePublicKey(c *gin.Context) {
+	keyId, err := strconv.Atoi(c.Query("id"))
+	if err != nil {
+		common.ErrorStrResp(c, "id format invalid", 400)
+		return
+	}
+	err = op.DeleteSSHPublicKeyById(uint(keyId))
+	if err != nil {
+		common.ErrorResp(c, err, 500, true)
+		return
+	}
+	common.SuccessResp(c)
+}
+
+func list(c *gin.Context, userObj *model.User) {
+	var req model.PageReq
+	if err := c.ShouldBind(&req); err != nil {
+		common.ErrorResp(c, err, 400)
+		return
+	}
+	req.Validate()
+	keys, total, err := op.GetSSHPublicKeyByUserId(userObj.ID, req.Page, req.PerPage)
+	if err != nil {
+		common.ErrorResp(c, err, 500, true)
+		return
+	}
+	common.SuccessResp(c, common.PageResp{
+		Content: keys,
+		Total:   total,
+	})
+}
--- a/server/router.go
+++ b/server/router.go
@ -52,6 +52,9 @@ func Init(e *gin.Engine) {
 	api.POST("/auth/login/ldap", handles.LoginLdap)
 	auth.GET("/me", handles.CurrentUser)
 	auth.POST("/me/update", handles.UpdateCurrent)
+	auth.GET("/me/sshkey/list", handles.ListMyPublicKey)
+	auth.POST("/me/sshkey/add", handles.AddMyPublicKey)
+	auth.POST("/me/sshkey/delete", handles.DeleteMyPublicKey)
 	auth.POST("/auth/2fa/generate", handles.Generate2FA)
 	auth.POST("/auth/2fa/verify", handles.Verify2FA)
 	auth.GET("/auth/logout", handles.LogOut)
@ -102,6 +105,8 @@ func admin(g *gin.RouterGroup) {
 	user.POST("/cancel_2fa", handles.Cancel2FAById)
 	user.POST("/delete", handles.DeleteUser)
 	user.POST("/del_cache", handles.DelUserCache)
+	user.GET("/sshkey/list", handles.ListPublicKeys)
+	user.POST("/sshkey/delete", handles.DeletePublicKey)

 	storage := g.Group("/storage")
 	storage.GET("/list", handles.ListStorages)
--- a/server/sftp.go
+++ b/server/sftp.go
@ -12,6 +12,7 @@ import (
 	"github.com/pkg/errors"
 	"golang.org/x/crypto/ssh"
 	"net/http"
+	"time"
 )

 type SftpDriver struct {
@ -35,6 +36,7 @@ func (d *SftpDriver) GetConfig() *sftpd.Config {
 		NoClientAuth:         true,
 		NoClientAuthCallback: d.NoClientAuth,
 		PasswordCallback:     d.PasswordAuth,
+		PublicKeyCallback:    d.PublicKeyAuth,
 		AuthLogCallback:      d.AuthLogCallback,
 		BannerCallback:       d.GetBanner,
 	}
@ -85,14 +87,37 @@ func (d *SftpDriver) PasswordAuth(conn ssh.ConnMetadata, password []byte) (*ssh.
 	if err != nil {
 		return nil, err
 	}
+	if userObj.Disabled || !userObj.CanFTPAccess() {
+		return nil, errors.New("user is not allowed to access via SFTP")
+	}
 	passHash := model.StaticHash(string(password))
 	if err = userObj.ValidatePwdStaticHash(passHash); err != nil {
 		return nil, err
 	}
+	return nil, nil
+}
+
+func (d *SftpDriver) PublicKeyAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
+	userObj, err := op.GetUserByName(conn.User())
+	if err != nil {
+		return nil, err
+	}
 	if userObj.Disabled || !userObj.CanFTPAccess() {
 		return nil, errors.New("user is not allowed to access via SFTP")
 	}
-	return nil, nil
+	keys, _, err := op.GetSSHPublicKeyByUserId(userObj.ID, 1, -1)
+	if err != nil {
+		return nil, err
+	}
+	marshal := string(key.Marshal())
+	for _, sk := range keys {
+		if marshal == sk.KeyStr {
+			sk.LastUsedTime = time.Now()
+			_ = op.UpdateSSHPublicKey(&sk)
+			return nil, nil
+		}
+	}
+	return nil, errors.New("public key refused")
 }

 func (d *SftpDriver) AuthLogCallback(conn ssh.ConnMetadata, method string, err error) {