servo: sftpgo: allow read-only media access via password auth

2024-08-27 13:52:40 +00:00
parent 861014bca3
commit 29886d7f10
2 changed files with 23 additions and 5 deletions


@@ -37,15 +37,15 @@
wantedBy = [ "nfs.service" "sftpgo.service" ];
file.text = ''
- media/ read-only: Videos, Music, Books, etc
- playground/ read-write: use it to share files with other users of this server, inaccessible from the www
- pub/ read-only: content made to be shared with the www
- playground/ read-write*: use it to share files with other users of this server, inaccessible from the www
*if you can't write to it, make sure you're connected to the WiFi and not mobile.
'';
};
sane.fs."/var/export/playground/README.md" = {
wantedBy = [ "nfs.service" "sftpgo.service" ];
file.text = ''
this directory is intentionally read+write by anyone with access (i.e. on the LAN).
this directory is intentionally read+write by anyone with access.
- share files
- write poetry
- be a friendly troll


@@ -71,6 +71,9 @@ TRUSTED_CREDS = [
# $<method>$<salt>$<hash>
"$6$Zq3c2u4ghUH4S6EP$pOuRt13sEKfX31OqPbbd1LuhS21C9MICMc94iRdTAgdAcJ9h95gQH/6Jf6Ie4Obb0oxQtojRJ1Pd/9QHOlFMW." #< m. rocket boy
]
TRUSTED_VIEWING_OR_PLAYGROUND_CREDS = [
"$6$iikDajz5b.YH1.on$tfSzzBEtX8IeDiJJXCasOTxRTd7cFDKXU6dhlWYVhK6xDeJhV2fh6bmm1WIHItjIth9Eh9zNgUB8xibMIWCm/."
];
def mkAuthOk(username: str, permissions: dict[str, list[str]]) -> dict:
return dict(
@@ -112,8 +115,8 @@ def isLan(ip: str) -> bool:
def isWireguard(ip: str) -> bool:
return ip.startswith("10.0.10.")
def isTrustedCred(password: str) -> bool:
for cred in TRUSTED_CREDS:
def isTrustedCred(password: str, credlist: list[str] = TRUSTED_CREDS) -> bool:
for cred in credlist:
if passlib.hosts.linux_context.verify(password, cred):
return True
@@ -131,6 +134,21 @@ def getAuthResponse(ip: str, username: str, password: str) -> dict:
"/playground": PERM_RW,
"/.public_for_test": PERM_RO,
})
if isTrustedCred(password, TRUSTED_VIEWING_OR_PLAYGROUND_CREDS) and username != "colin":
return mkAuthOk(username, permissions = {
# error prone, but... not the worst if i miss something
"/": PERM_LIST,
"/media/archive": PERM_DENY,
"/media/Books": PERM_RO,
"/media/collections": PERM_DENY,
"/media/games": PERM_RO,
"/media/Music": PERM_RO,
"/media/Pictures": PERM_RO,
"/media/torrents": PERM_DENY,
"/media/Videos": PERM_RO,
"/playground": PERM_RW,
"/.public_for_test": PERM_RO,
})
if isWireguard(ip):
# allow any user from wireguard
return mkAuthOk(username, permissions = {
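Review bot: The new branch at `if isTrustedCred(password, TRUSTED_VIEWING_OR_PLAYGROUND_CREDS) and username != "colin":` accepts the single shared password under any client-chosen username except the one literal, and it sits before the `isWireguard(ip)` branch with no source-address condition of its own, so that one credential is usable from any network and under any other name; if further real accounts exist on this server, a reserved-name set reads more safely than one string compare: `RESERVED_USERNAMES = {"colin"}` at module level and `and username not in RESERVED_USERNAMES` here. The `# error prone, but... not the worst if i miss something` comment would be more useful if it stated what an omission does — presumably an unlisted `/media/<new>` directory resolves to the `"/": PERM_LIST` entry by longest-prefix match and so fails closed to list-only, but that should be confirmed against sftpgo's permission resolution before being written down. The same three trailing entries (`"/playground": PERM_RW`, `"/.public_for_test": PERM_RO`, and the `"/"` entry) appear in the preceding branch's map as well, so a module-level constant for the shared read-only media map would keep the two branches from drifting. getAuthResponse starts outside the hunk.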